Hello all,

I have an application over UDP passing 300 pkts per second, full duplex, always to the same destination.
Running on kernel on PPC platform.
It works perfectly; CPU usage is close to 0%.

Upon adding an IPsec policy (ESP in transport mode), CPU usage goes to 50-100% in soft IRQ context. The encryption processing does not seem to be the issue, since null encryption and H/W acceleration have the same effect.

Another interesting fact is that setting "/proc/sys/net/ipv4/xfrm4_gc_thresh" to a relatively small value (0-100 instead of 3276) solves the issue.

I understand that reducing this threshold will cause the garbage collector to run more frequently. However, I am not sure what is going on behind the scenes. Packets are flowing, as I said, to the same destination and even the same UDP port; only the payload is changing (but it repeats cyclically after ~100 packets).

My guess is that __xfrm4_find_bundle works harder unless garbage collector runs frequently.

The questions

1. Why is the garbage collector needed when there is only 1 flow?
2. Is there any bug report / patch for the xfrm package on this subject?

Thank you very much,