Hi Martin,

On Thu, Jan 16, 2014 at 8:00 AM, Martin Sustrik <sustrik@xxxxxxxxxx> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 16/01/14 06:47, Paul Colomiets wrote:
>
> > From the text, it seems that only nearest peer id is checked
> > against, right?
> >
> > So if we have the following scheme:
> >
> > (many clients) -> A -> B -> (many workers)
> >
> > Only a single worker is used, because all clients of A look like
> > single client to B, right?
>
> Right. Sounds like using the whole stack as a key would scale better.
>
>

Then, there are two more problems:

1. Memory consumption may be too high, as there is at least a key per client on each device. But in reality there is a key per "path" (i.e. many paths may be used in case of many-to-many connections).

2. You need to expire keys to free memory. It's not only a problem to choose a default timeout, but also a potentially huge timeout queue.

Note: point 1 also makes it easy to create a DoS attack.

--
Paul
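The two problems raised in this message, sketched as an added example (not code from this thread or from the project under discussion): a table keyed by the whole peer-id stack, with a hard cap on keys and lazy expiry in place of a timeout queue. The names `route_by_path` and `live_keys` and the constants `MAX_HOPS`, `CAPACITY` and `TTL` are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <string.h>

#define MAX_HOPS 4   /* deepest device chain tracked (assumed value) */
#define CAPACITY 4   /* hard cap on keys; tiny so eviction is visible */
#define TTL      30  /* seconds a key lives without traffic (assumed value) */

struct entry { uint32_t path[MAX_HOPS]; int hops; int worker; long expires; };
struct table { struct entry e[CAPACITY]; int workers; int next; };

void table_init(struct table *t, int workers) {
    memset(t, 0, sizeof *t);   /* expires == 0 marks every slot as free */
    t->workers = workers;
}

/* Return the worker for the full peer-id stack `path`, creating a key if
   none is live. `now` is a positive timestamp in seconds. */
int route_by_path(struct table *t, const uint32_t *path, int hops, long now) {
    struct entry *victim = &t->e[0];
    if (hops < 1 || hops > MAX_HOPS) return -1;   /* refuse oversized stacks */
    size_t len = (size_t)hops * sizeof *path;
    for (int i = 0; i < CAPACITY; i++) {
        struct entry *e = &t->e[i];
        if (e->expires > now && e->hops == hops &&
            memcmp(e->path, path, len) == 0) {
            e->expires = now + TTL;               /* refresh on use */
            return e->worker;
        }
        /* Lazy expiry: remember the slot with the earliest deadline (free
           and expired slots sort first), so no timeout queue is needed. */
        if (e->expires < victim->expires) victim = e;
    }
    memcpy(victim->path, path, len);              /* reuse or evict the slot */
    victim->hops = hops;
    victim->worker = t->next;                     /* round-robin assignment */
    t->next = (t->next + 1) % t->workers;
    victim->expires = now + TTL;
    return victim->worker;
}

/* Number of unexpired keys at time `now`; never exceeds CAPACITY. */
int live_keys(const struct table *t, long now) {
    int n = 0;
    for (int i = 0; i < CAPACITY; i++) n += t->e[i].expires > now;
    return n;
}
```

With the cap in place, a flood of new paths evicts existing keys instead of growing memory, so the cost of the flood is lost key-to-worker mappings for legitimate clients.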