Date: Tue, 18 Jul 2000 00:07:09 -0500 (CDT) From: Mike Silbersack <silby@silby.com> To: itojun@iijlab.net Cc: ARIGA Seiji <say@sfc.wide.ad.jp>, freebsd-net@FreeBSD.ORG, lconrad@Go2France.com, kris@FreeBSD.ORG Subject: Re: IPsec Performance (Re: Merge of KAME code) Message-ID: <Pine.BSF.4.21.0007180004390.25407-100000@achilles.silby.com> In-Reply-To: <7693.963643060@coconut.itojun.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, 15 Jul 2000 itojun@iijlab.net wrote: > >Question. Is the time spent in the IPSec layer accounted to the user > >processor, or just thrown in with kernel time? > > the current IPsec code does encryption (like actual DES/3DES encryption > of the packet) in the kernel, so it will appear as kernel time. > > itojun Hm, that worries me some, as it seems to be saying that if I allow IPSEC connections from anywhere to any service, I'm leaving the box open to pummeling by anyone with an IPSEC system. On the positive side, it sounds like the openbsd guys decoupled the actual decoding from the packet receive when they implemented their hardware IPSEC engine. So, if that gets ported over here, perhaps the problem can be delt with effectievly. Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0007180004390.25407-100000>