On 05.11.2014 19:06, Eric L. Camachat wrote:
>>> In two weeks I will enable IPSec by default, again in preparation for 11.
>
>> Hi,
>
>> recently we did some IP forwarding tests and the GENERIC kernel is
>> several times faster than GENERIC+IPSEC. Even when IPSEC has no SA.
>
>> I didn't do a test on a vanilla kernel, but our kernel is able to forward
>> IPv4/IPv6 at a rate close to 8.6 Mpps. The same kernel compiled with IPSEC
>> can forward only 180 kpps. I think this problem should be solved before
>> enabling it in GENERIC.
>
> I think this is why we need IPSEC in GENERIC to let more tests involved.
> Maybe it also helps in kernel SSL encryption (key per IP vs per TCP
> session).

IPSEC had unresolved bugs for years, and now all will be magically fixed. I think we need some way to enable/disable it on the fly. This may be a compromise.

--
WBR, Andrey V. Elsukov