On Tue, Apr 28, 2009 at 09:36:26AM +0300, Jan Melen wrote:
> Hi,
[...]
> Just to understand the problem correctly I guess you are talking about
> performance hit on outgoing packets as the IPsec tries to find a
> security policy even for packets that should not be encrypted? For
> incoming traffic I don't see any reason for performance hit.

The (more or less) same check is done for incoming packets, because we NEED to ensure that IPsec traffic comes from the appropriate IPsec tunnel, and non-IPsec traffic comes without IPsec....

> Has anyone done any measurements on magnitude of performance loss we get
> from trying to match the outgoing packets for non-existent IPsec
> policies? I would guess that if you have zero SPD entries in your system
> it can't be a lot as it's a matter of calling:
> ip_ipsec_output -> ipsec4_checkpolicy -> ipsec_getpolicybyaddr/sock ->
> key_allocsp which in turn searches through an empty list.

We (my company) already tried such a hack, which completely skips IPsec processing if we know that SPD (both in and out) is empty. It works, and has the expected impact on performance loss.

Yvan.

_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
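An added illustration of the shortcut discussed above, written for this page and not taken from the thread or from the FreeBSD kernel: a toy SPD with per-direction entry counters, a linear lookup standing in for key_allocsp, and a policy check that skips IPsec entirely only when both the inbound and outbound SPDs are empty, so an inbound "require ESP" policy still drops cleartext packets. All names (spd_add, ipsec_can_skip, ipsec_check, etc.) are hypothetical.

```c
/* Toy model of the SPD fast path from the thread. Not FreeBSD code; all names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

enum dir { DIR_IN = 0, DIR_OUT = 1 };
enum action { ACT_BYPASS, ACT_REQUIRE_ESP };
enum verdict { V_ACCEPT, V_DROP, V_NEEDS_ESP };

/* One SPD entry: a destination prefix selector plus the action required for it. */
struct spd_entry { uint32_t dst, mask; enum dir dir; enum action act; };

/* Hypothetical SPD: flat array plus per-direction counters kept up to date on add/clear,
 * so the "is the SPD empty?" test is O(1) instead of a list walk. */
static struct spd_entry spd[8];
static int spd_n, spd_count[2];
static int lookups;   /* number of SPD walks performed, to observe the fast path */

void spd_add(uint32_t dst, uint32_t mask, enum dir d, enum action a) {
    spd[spd_n++] = (struct spd_entry){ dst, mask, d, a };
    spd_count[d]++;
}
void spd_clear(void) { spd_n = spd_count[DIR_IN] = spd_count[DIR_OUT] = lookups = 0; }
int ipsec_lookups(void) { return lookups; }

/* The shortcut from the thread: skip IPsec processing only when BOTH the inbound
 * and outbound SPDs are empty. An inbound-only policy must still be enforced. */
bool ipsec_can_skip(void) { return spd_count[DIR_IN] == 0 && spd_count[DIR_OUT] == 0; }

/* Linear walk, standing in for key_allocsp over a (possibly empty) list. */
static const struct spd_entry *spd_lookup(enum dir d, uint32_t dst) {
    for (int i = 0; i < spd_n; i++)
        if (spd[i].dir == d && (dst & spd[i].mask) == spd[i].dst) return &spd[i];
    return NULL;
}

/* Policy check for one packet. was_esp: the packet arrived (or will leave) inside ESP. */
enum verdict ipsec_check(enum dir d, uint32_t dst, bool was_esp) {
    if (ipsec_can_skip()) return V_ACCEPT;       /* fast path: no policy lookup at all */
    lookups++;
    const struct spd_entry *e = spd_lookup(d, dst);
    if (e == NULL || e->act == ACT_BYPASS) return V_ACCEPT;
    /* Policy requires ESP: cleartext on a protected selector is dropped inbound
     * and must be redirected into the tunnel outbound. */
    if (d == DIR_IN) return was_esp ? V_ACCEPT : V_DROP;
    return was_esp ? V_ACCEPT : V_NEEDS_ESP;
}
```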