From owner-freebsd-hackers@FreeBSD.ORG Tue Apr 28 06:36:28 2009
Message-ID: <49F6A3EA.3090905@melen.org>
Date: Tue, 28 Apr 2009 09:36:26 +0300
From: Jan Melen <jan@melen.org>
To: "Bjoern A. Zeeb"
Cc: freebsd-hackers@freebsd.org, Sam Leffler
References: <49F5B6F8.4040808@melen.org> <49F5F4A6.8050902@freebsd.org> <20090427182917.W15361@maildrop.int.zabbadoz.net>
In-Reply-To: <20090427182917.W15361@maildrop.int.zabbadoz.net>
Subject: Re: IPsec in GENERIC kernel config
List-Id: Technical Discussions relating to FreeBSD

Hi,

Bjoern A. Zeeb wrote:
> On Mon, 27 Apr 2009, Sam Leffler wrote:
>
> Hi,
>
>> Jan Melen wrote:
>>> Hi,
>>>
>>> Again when I compiled a custom kernel just to enable IPsec in the
>>> FreeBSD kernel it came to my mind why is it so that the IPsec is not
>>> enabled by default in the GENERIC kernel configuration file? At
>>> least for me the GENERIC kernel configuration would do just fine if
>>> the IPsec would be enabled in it by default. Now I have to build a
>>> custom kernel just for IPsec btw IPsec is even mandatory for a host
>>> supporting IPv6.
>> IPsec incurs a performance hit. Fix that and it can be enabled in
>> GENERIC.
>
> There is even a PR for this:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/128030
>

Just to understand the problem correctly: I guess you are talking about the performance hit on outgoing packets, as IPsec tries to find a security policy even for packets that should not be encrypted? For incoming traffic I don't see any reason for a performance hit.

Has anyone done any measurements on the magnitude of the performance loss we get from trying to match outgoing packets against non-existent IPsec policies? I would guess that if you have zero SPD entries in your system it can't be a lot, as it is a matter of calling:

ip_ipsec_output -> ipsec4_checkpolicy -> ipsec_getpolicybyaddr/sock -> key_allocsp

which in turn searches through an empty list.

Jan
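The call chain above ends in a walk of the SPD list, so the per-packet cost for traffic no policy covers depends on how many entries that list holds. The following toy model is an added illustration, not FreeBSD's code or anyone's from the thread; the names spd_entry, spd_lookup, sample_spd, lookup_cost and IP4 are this example's own, and it counts how many selectors an outbound lookup examines for a packet that matches nothing: zero for an empty SPD, every entry for a populated one.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Toy model for this example (not FreeBSD code): SPD = list of IPv4 selectors. */
struct spd_entry { uint32_t src, dst; uint8_t src_plen, dst_plen; struct spd_entry *next; };
static long spd_compare_count;            /* entries examined by the last lookup */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

static int prefix_match(uint32_t addr, uint32_t net, uint8_t plen) {
    uint32_t mask = plen == 0 ? 0 : ~0u << (32 - plen);
    return (addr & mask) == (net & mask);
}

/* First matching policy or NULL. An empty SPD is one pointer check; a packet
 * that matches nothing (the common case without IPsec) walks the whole list. */
static const struct spd_entry *spd_lookup(const struct spd_entry *spd, uint32_t src, uint32_t dst) {
    spd_compare_count = 0;
    for (const struct spd_entry *e = spd; e != NULL; e = e->next) {
        spd_compare_count++;
        if (prefix_match(src, e->src, e->src_plen) && prefix_match(dst, e->dst, e->dst_plen))
            return e;
    }
    return NULL;
}

/* Constructed sample SPD with n entries: 10.i.0.0/16 -> 172.16.i.0/24, i = 1..n. */
static struct spd_entry *sample_spd(int n) {
    struct spd_entry *head = NULL;
    for (int i = 1; i <= n; i++) {
        struct spd_entry *e = calloc(1, sizeof *e);
        e->src = IP4(10, i, 0, 0);   e->src_plen = 16;
        e->dst = IP4(172, 16, i, 0); e->dst_plen = 24;
        e->next = head; head = e;
    }
    return head;
}

/* Entries examined when plain (non-IPsec) traffic is checked against the SPD. */
static long lookup_cost(const struct spd_entry *spd, uint32_t src, uint32_t dst) {
    spd_lookup(spd, src, dst);
    return spd_compare_count;
}

int main(void) {
    int sizes[] = { 0, 1, 100 };
    for (int i = 0; i < 3; i++)
        printf("SPD entries %3d: examined %ld\n", sizes[i],
               lookup_cost(sample_spd(sizes[i]), IP4(192, 0, 2, 1), IP4(198, 51, 100, 1)));
    return 0;
}
```

On a FreeBSD host the real SPD can be listed with `setkey -DP`, which answers the same question (how many entries every outbound packet is checked against) for an actual configuration.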