From owner-freebsd-arch@FreeBSD.ORG Sat Dec 14 19:29:09 2013 Return-Path: Delivered-To: arch@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 5259E380 for ; Sat, 14 Dec 2013 19:29:09 +0000 (UTC) Received: from mail-qa0-x22c.google.com (mail-qa0-x22c.google.com [IPv6:2607:f8b0:400d:c00::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 076C817FE for ; Sat, 14 Dec 2013 19:29:08 +0000 (UTC) Received: by mail-qa0-f44.google.com with SMTP id i13so475630qae.17 for ; Sat, 14 Dec 2013 11:29:08 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=eitanadler.com; s=0xdeadbeef; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; bh=UEXxUrgi4P0ayz80s+VfjJfNHHMgetunm6H3ctioAsk=; b=Su6vE8db8qOyE1tBnJ+Cz50zcPVP8+hRqaDVNXGPFSMgPHUBgNnQbp2Q/RExTjPHM5 T/Y8DNRfitrilnLo/OgRsimAFEbODeZFsh9wgSe3peEMv4GVKZC1SzYuSZnNCBlQgvYF dBGCKGP9Fbg6gObq/j5uocLl21zHDXEunD7Ns= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:content-transfer-encoding; bh=UEXxUrgi4P0ayz80s+VfjJfNHHMgetunm6H3ctioAsk=; b=OlSi3lI8GpaSV/lcrQXngy0t5q1MfElRr3dPmD3ghT41KlTeLZHl0/+VQoCwurp4dU O6HRAFxvsdlqT+jQ0VgeBeZ1d7KbzsLGDQbCEmVW7BdDIBJ38IUvSgm4qlG/q30enmHW SiGi+b/EhEpmWY/AcEVJY1viMAlWwjVRa9g2xPI8tHKc6tbAiz9C0bRnZXBFTo4G4dMQ QrzZWfwiadd/xJ92yDfJECYPLpFWGUkvrLjHViEqAe+5N/xcgJnKa+tbGkmJDCqEb+Tl g2C85L+0/GmW0ZkvlSFmG7+tQKLFbYcqb4WbfEHYCYzVlcZC0ckjuC+PthoxSvaB59uy yNmQ== X-Gm-Message-State: ALoCoQnMm+PZYixW7W5j49yUJOPLFK1mZh22VYvccZNq901bsmpcGrIdWFbtzW9ajx2xVimehH5z X-Received: by 10.49.25.109 with SMTP id b13mr17518244qeg.3.1387049348116; Sat, 14 Dec 2013 11:29:08 -0800 (PST) MIME-Version: 1.0 Received: by 10.96.86.42 with HTTP; Sat, 14 Dec 2013 11:28:36 -0800 (PST) In-Reply-To: References: <523457A1.3090606@debian.org> From: Eitan Adler Date: Sat, 14 Dec 2013 14:28:36 -0500 Message-ID: Subject: Re: IPSEC To: =?UTF-8?Q?Olivier_Cochard=2DLabb=C3=A9?= , "freebsd-arch@freebsd.org" Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Cc: Robert Millan , "debian-bsd@lists.debian.org" X-BeenThere: freebsd-arch@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Discussion related to FreeBSD architecture List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 14 Dec 2013 19:29:09 -0000 Hi arch@, The question below has been unanswered since Sat, Sep 14, 2013. Are there any known concerns with enabling IPSEC? Is there any reason to not do so in GENERIC? On Sun, Dec 8, 2013 at 2:02 PM, Olivier Cochard-Labb=C3=A9 wrote: > On Sun, Dec 8, 2013 at 12:16 AM, Eitan Adler wrote= : >> Hi all, >> >> I understand this is an old thread but I do not see an answer here. >> Can anyone answer the question below? >> >> On Sat, Sep 14, 2013 at 8:33 AM, Robert Millan wrote: >>> >>> Hi! >>> >>> Is there any particular reason (performance, stability concerns...) >>> IPSEC support is not enabled in GENERIC? >>> >>> In Debian GNU/kFreeBSD we're considering enabling it in our default >>> builds, due to increased user demand and as it is already enabled for >>> our Linux-based flavours. >>> >>> However we're concerned about diverging from FreeBSD as there might be >>> unforeseen consequences. Is there any specific concern on your side? >>> >>> If not, perhaps it could be considered for HEAD after 10.0 release? >> >> > > Here are my own bench result regarding forwarding speed (paquet-per-secon= d) > with a kernel compiled without-ipsec and with ipsec (ipsec is not enabled > during the tests, just present on the kernel) of FreeBSD 10.0-PRERELEASE: > > ministat -s without-ipsec ipsec > x without-ipsec > + ipsec > +------------------------------------------------------------------------= --------+ > |x + x + +x x x + > +| > | |__________________A_____M____________| > | > | |_______________M_________A__________________________| > | > +------------------------------------------------------------------------= --------+ > N Min Max Median Avg Stdd= ev > x 5 1646075 1764528 1725461 1713080 44560.0= 59 > + 5 1685034 1833206 1724461 1748666.8 62356.2= 18 > No difference proven at 95.0% confidence > > I didn't see negative impact of enabling ipsec (it's even a little bit > better with it). > > Regards, > > Olivier --=20 Eitan Adler