10g IPsec ?
Eugene Grosbein
eugen at grosbein.net
Thu Nov 7 07:48:52 UTC 2019
07.11.2019 14:32, John-Mark Gurney wrote:
> Don't we have the option of doing soft re-classification? Where we
> recalculate the hash, and then do a netisr defer? I mean that'd burn
> a bunch of extra cpu cycles, but you gotta do what you gotta do.
If the host got a packet already, it can just process it without extra re-classification.
The only case I know when such re-classification can be useful is assigning M_FLOWID to the mbuf
so that lagg(4) using LACP could send it further using such M_FLOWID and maybe
distribute distinct IPsec flows over distinct ports of LAGG group.
I doubt this has much practical use :-) Generally we terminate IPsec locally
or route packets to other hosts without need to differ them from other transit traffic.
More information about the freebsd-net
mailing list