From owner-freebsd-net Mon Jul 17 22: 7:12 2000
Delivered-To: freebsd-net@freebsd.org
Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39])
	by hub.freebsd.org (Postfix) with SMTP id C174637B9F9
	for ; Mon, 17 Jul 2000 22:07:09 -0700 (PDT)
	(envelope-from silby@silby.com)
Received: (qmail 25792 invoked by uid 1000); 18 Jul 2000 05:07:09 -0000
Received: from localhost (sendmail-bs@127.0.0.1)
	by localhost with SMTP; 18 Jul 2000 05:07:09 -0000
Date: Tue, 18 Jul 2000 00:07:09 -0500 (CDT)
From: Mike Silbersack
To: itojun@iijlab.net
Cc: ARIGA Seiji , freebsd-net@FreeBSD.ORG, lconrad@Go2France.com, kris@FreeBSD.ORG
Subject: Re: IPsec Performance (Re: Merge of KAME code)
In-Reply-To: <7693.963643060@coconut.itojun.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 15 Jul 2000 itojun@iijlab.net wrote:

> >Question. Is the time spent in the IPSec layer accounted to the user
> >processor, or just thrown in with kernel time?
>
> the current IPsec code does encryption (like actual DES/3DES encryption
> of the packet) in the kernel, so it will appear as kernel time.
>
> itojun

Hm, that worries me some, as it seems to be saying that if I allow IPSEC
connections from anywhere to any service, I'm leaving the box open to
pummeling by anyone with an IPSEC system.

On the positive side, it sounds like the OpenBSD guys decoupled the actual
decoding from the packet receive when they implemented their hardware
IPSEC engine. So, if that gets ported over here, perhaps the problem can
be dealt with effectively.

Mike "Silby" Silbersack