From: "Kshitij Gunjikar"
Delivered-To: freebsd-net@freebsd.org
Subject: Filtering on the IPsec Tunnel
Date: Tue, 15 Jan 2002 14:08:42 +0530

Hi All,

What I think is that we shouldn't send all packets to IPSec. This reduces the performance of the box as IPSec algorithms are really compute intensive.

Only configured tunnels to a few locations can be IPSeced. This ensures that the normal traffic which is mostly TCP traffic can be as fast as possible. (Hey, We all complain when we see our mails being downloaded slowly or web pages being loaded slowly)

Also, for generic security we can use the IP filter for normal traffic. The IPSec itself does authentication so why send it to a filter?

Regards
Kshitij