Date: Thu, 9 Mar 2006 15:53:03 +0100 From: VANHULLEBUS Yvan <vanhu_bsd@zeninc.net> To: freebsd-net@freebsd.org Subject: Re: FAST_IPSEC and tunnelled packets processing Message-ID: <20060309145303.GB19877@zen.inc> In-Reply-To: <440FA8DC.3010006@errno.com> References: <20060307180222.GA1308@zen.inc> <440FA8DC.3010006@errno.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Mar 08, 2006 at 08:02:36PM -0800, Sam Leffler wrote: [.....] > If I recall the IPIP handling is different from KAME because there is > support for IPIP encapsulation independent of the IPsec protocols while > KAME only handles IPIP as part of the ESP tunnel configuration. As to > overhead, in practice, at least back in 4.x where this work was > originally done, the netisr dispatch was effectively shortcircuited > because the dispatch was done from the netisr thread so the net cost was > a enqueue+dequeue of the packet. I'm not sure about extraneous trips > through ip_input or not stripping headers; this stuff used to work right > but I've not looked at the code in years. There IS some code to remove the IPIP header, but it doesn't work. I just reported pr kern/94273 with a patch which solves it. Yvan. -- NETASQ - Secure Internet Connectivity http://www.netasq.com
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060309145303.GB19877>