Mon, Feb 16, 2015 at 08:55:17AM +0530, Glen Kent wrote:
I wonder if Trio, EZChip and friends could do SHA in NPU, my guess is yes they could, but perhaps there is even more appropriate hash for this use-case. I'm not entirely convinced doing hash for each BFD packet is impractical.
[0] http://www.ietf.org/id/draft-mahesh-bfd-authentication-00.txt
You might want to take a look at: http://www.ietf.org/proceedings/89/slides/slides-89-mpls-9.pdf
Look at the slides 11 onwards.
Were these people doing some real implementation in hardware or were they just theorizing? I see "prediction" label for the number of authenticated sessions -- do you have an idea what that means? And on slide 14 you have smaller session limit numbers for BFD fully implemented in hardware than for hw-assisted case (slide 12). It makes me think that this presentation should either be supplemented with talking people or there are some errors in it. Or I am completely missing some fine point here.
Doing HMAC calculation for each packet adversely affects the number of concurrent sessions that can be supported.
Without mentioning the scope (which hardware and software) this assertion is either trivial or useless, sorry. TSO, frame checksums and other stuff hadn't been implemented in-hardware for ages, but now it is here and there all the time. And /me is interested why can't BFD be done on the interface chip level: it is point-to-point on L2 for the majority of cases.
--
Eygene Ryabinkin, National Research Centre "Kurchatov Institute"
Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live.