Date: Tue, 28 Apr 2009 09:36:26 +0300
From: Jan Melen <jan@melen.org>
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc: freebsd-hackers@freebsd.org, Sam Leffler <sam@freebsd.org>
Subject: Re: IPsec in GENERIC kernel config
Message-ID: <49F6A3EA.3090905@melen.org>
In-Reply-To: <20090427182917.W15361@maildrop.int.zabbadoz.net>
References: <49F5B6F8.4040808@melen.org> <49F5F4A6.8050902@freebsd.org> <20090427182917.W15361@maildrop.int.zabbadoz.net>
Hi,

Bjoern A. Zeeb wrote:
> On Mon, 27 Apr 2009, Sam Leffler wrote:
>
> Hi,
>
>> Jan Melen wrote:
>>> Hi,
>>>
>>> Again when I compiled a custom kernel just to enable IPsec in the
>>> FreeBSD kernel it came to my mind why is it so that the IPsec is not
>>> enabled by default in the GENERIC kernel configuration file? At
>>> least for me the GENERIC kernel configuration would do just fine if
>>> the IPsec would be enabled in it by default. Now I have to build a
>>> custom kernel just for IPsec btw IPsec is even mandatory for a host
>>> supporting IPv6.
>> IPsec incurs a performance hit. Fix that and it can be enabled in
>> GENERIC.
>
> There is even a PR for this:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/128030
>

Just to understand the problem correctly, I guess you are talking about a performance hit on outgoing packets, as IPsec tries to find a security policy even for packets that should not be encrypted? For incoming traffic I don't see any reason for a performance hit. Has anyone done any measurements on the magnitude of the performance loss we get from trying to match the outgoing packets against non-existent IPsec policies? I would guess that if you have zero SPD entries in your system it can't be a lot, as it is a matter of calling:

ip_ipsec_output -> ipsec4_checkpolicy -> ipsec_getpolicybyaddr/sock -> key_allocsp

which in turn searches through an empty list.

Jan
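A simplified model of the outbound SPD walk discussed in this message, added here as an illustration; it is not FreeBSD's key_allocsp() and the types and names (selector, spd_entry, spd_lookup, the sample addresses) are constructed for this example. It shows why an empty SPD costs a single NULL check per packet, while every populated entry adds one selector comparison.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed types for this example; not FreeBSD's secpolicy structures. */
struct selector { uint32_t src, dst; uint8_t proto; };   /* host byte order */
enum spd_action { SPD_NONE = 0, SPD_DISCARD, SPD_IPSEC };
/* One SPD entry: selector, prefix lengths (0 = wildcard), action. */
struct spd_entry {
    struct selector sel;
    uint8_t src_plen, dst_plen;
    uint8_t proto_any;              /* 1 = match any protocol */
    enum spd_action action;
    struct spd_entry *next;
};

static int prefix_match(uint32_t a, uint32_t b, uint8_t plen)
{
    if (plen == 0)
        return 1;
    uint32_t mask = plen >= 32 ? 0xffffffffu : ~(0xffffffffu >> plen);
    return (a & mask) == (b & mask);
}
/* Linear SPD walk in the spirit of key_allocsp(): first match wins.
 * 'steps' counts entries examined, so the cost of an empty SPD is visible. */
static enum spd_action spd_lookup(const struct spd_entry *spd,
                                  const struct selector *pkt, unsigned *steps)
{
    *steps = 0;
    for (const struct spd_entry *e = spd; e != NULL; e = e->next) {
        (*steps)++;
        if (prefix_match(pkt->src, e->sel.src, e->src_plen) &&
            prefix_match(pkt->dst, e->sel.dst, e->dst_plen) &&
            (e->proto_any || pkt->proto == e->sel.proto))
            return e->action;
    }
    return SPD_NONE;                /* no policy: packet leaves in the clear */
}

int main(void)
{
    /* Constructed sample: 10.0.0.1 -> 192.168.1.5 TCP; one policy for 192.168.1.0/24. */
    struct selector pkt = { 0x0a000001u, 0xc0a80105u, 6 };
    struct spd_entry req = { { 0, 0xc0a80100u, 0 }, 0, 24, 1, SPD_IPSEC, NULL };
    unsigned steps;
    enum spd_action a = spd_lookup(NULL, &pkt, &steps);
    printf("empty SPD: action=%d steps=%u\n", a, steps);
    a = spd_lookup(&req, &pkt, &steps);
    printf("one entry: action=%d steps=%u\n", a, steps);
    return 0;
}
```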