Max Laier wrote:
On Saturday 18 October 2008 19:05:26 Sam Leffler wrote:
[EMAIL PROTECTED] wrote:
Synopsis: [request] Isn't it time to enable IPsec in GENERIC?
Responsible-Changed-From-To: freebsd-bugs->freebsd-net
Responsible-Changed-By: gavin
Responsible-Changed-When: Sat Oct 18 16:55:14 UTC 2008
Responsible-Changed-Why:
Over to maintainer(s) for consideration
http://www.freebsd.org/cgi/query-pr.cgi?pr=128030
Last I checked IPSEC added noticeable overhead. Before anyone does this
you need to measure the cost of having it enabled but not used.
It should be possible to turn IPSEC into a module - maybe only loadable on
boot to avoid locking issues. This would reduce the overhead to a handful of
function pointer checks that should not impact performance (thanks to modern
branch prediction and cache sizes). This would have to be measured as well,
of course. Maybe this should go to the project page? It's a good junior
kernel hacker project, I believe.
I believe the most important issue are the SADB checks in the tx path.
It used to be possible to do them cheaply by checking a single ptr value
but now it's much more expensive. My memory is hazy as it's been a while.
Sam
_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
