Hi,
Bjoern A. Zeeb wrote:
> On Mon, 27 Apr 2009, Sam Leffler wrote:
>
> Hi,
>
>> Jan Melen wrote:
>>> Hi,
>>>
>>> Again, when I compiled a custom kernel just to enable IPsec in the
>>> FreeBSD kernel, it came to my mind: why is it that IPsec is not
>>> enabled by default in the GENERIC kernel configuration file? At
>>> least for me the GENERIC kernel configuration would do just fine if
>>> IPsec were enabled in it by default. Now I have to build a
>>> custom kernel just for IPsec. By the way, IPsec is even mandatory
>>> for a host supporting IPv6.
>>
>> IPsec incurs a performance hit. Fix that and it can be enabled in
>> GENERIC.
>
> There is even a PR for this:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/128030

Just to understand the problem correctly: I guess you are talking about a
performance hit on outgoing packets, as IPsec tries to find a
security policy even for packets that should not be encrypted? For
incoming traffic I don't see any reason for a performance hit.

Has anyone done any measurements of the magnitude of the performance loss we get
from trying to match outgoing packets against non-existent IPsec
policies? I would guess that if you have zero SPD entries in your system
it can't be a lot, as it is a matter of calling:

ip_ipsec_output -> ipsec4_checkpolicy -> ipsec_getpolicybyaddr/sock ->
key_allocsp

which in turn searches through an empty list.

Jan