Date: Sat, 18 Oct 2008 13:25:23 -0700 From: Sam Leffler <sam@freebsd.org> To: Max Laier <max@love2party.net> Cc: freebsd-net@freebsd.org, freebsd-hackers@freebsd.org Subject: Re: conf/128030: [request] Isn't it time to enable IPsec in GENERIC? Message-ID: <48FA4633.9090500@freebsd.org> In-Reply-To: <200810182018.13757.max@love2party.net> References: <200810181655.m9IGtxWk089117@freefall.freebsd.org> <48FA1756.1080708@freebsd.org> <200810182018.13757.max@love2party.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Max Laier wrote: > On Saturday 18 October 2008 19:05:26 Sam Leffler wrote: > >> gavin@freebsd.org wrote: >> >>> Synopsis: [request] Isn't it time to enable IPsec in GENERIC? >>> >>> Responsible-Changed-From-To: freebsd-bugs->freebsd-net >>> Responsible-Changed-By: gavin >>> Responsible-Changed-When: Sat Oct 18 16:55:14 UTC 2008 >>> Responsible-Changed-Why: >>> Over to maintainer(s) for consideration >>> >>> http://www.freebsd.org/cgi/query-pr.cgi?pr=128030 >>> >> Last I checked IPSEC added noticeable overhead. Before anyone does this >> you need to measure the cost of having it enabled but not used. >> > > It should be possible to turn IPSEC into a module - maybe only loadable on > boot to avoid locking issues. This would reduce the overhead to a handful of > function pointer checks that should not impact performance (thanks to modern > branch prediction and cache sizes). This would have to be measured as well, > of course. Maybe this should go to the project page? It's a good junior > kernel hacker project, I believe. > > I believe the most important issue are the SADB checks in the tx path. It used to be possible to do them cheaply by checking a single ptr value but now it's much more expensive. My memory is hazy as it's been a while. Sam
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?48FA4633.9090500>