Date: Sun, 29 Dec 2013 07:38:16 -0800 From: George Neville-Neil <gnn@neville-neil.com> To: Eitan Adler <lists@eitanadler.com> Cc: =?windows-1252?Q?Olivier_Cochard-Labb=E9?= <olivier@cochard.me>, "freebsd-arch@freebsd.org" <arch@freebsd.org>, Robert Millan <rmh@debian.org>, "debian-bsd@lists.debian.org" <debian-bsd@lists.debian.org> Subject: Re: IPSEC Message-ID: <15DFE76D-40B7-4F56-82EC-26EB9F1D9824@neville-neil.com> In-Reply-To: <CAF6rxgmDJZVrzaNScjNqB8YJbHK2MXaYW3BVCu7DVMcZmwPiyw@mail.gmail.com> References: <523457A1.3090606@debian.org> <CAF6rxgntjNFdr8unFQC=OWCNs7-UDYJaE30v4heWh_EeOg1JGA@mail.gmail.com> <CA%2Bq%2BTcrSZitbJkPJFO501O1MVWe8o2o%2BP_S_a3q21NdPtSGewQ@mail.gmail.com> <CAF6rxgmDJZVrzaNScjNqB8YJbHK2MXaYW3BVCu7DVMcZmwPiyw@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Dec 14, 2013, at 11:28 , Eitan Adler <lists@eitanadler.com> wrote: > Hi arch@, >=20 > The question below has been unanswered since Sat, Sep 14, 2013. >=20 > Are there any known concerns with enabling IPSEC? Is there any reason > to not do so in GENERIC? >=20 Certainly there is always a risk of reduced stability when you mix more = code into the system. I do not know, off hand, of any bugs that would prevent us from = turning this on in GENERIC. It would be nice to know what kind of user/customer = demand you=92re seeing so we could evaluate whether or not we should turn IPSec = on by default in GENERIC in the base FreeBSD. Best, George > On Sun, Dec 8, 2013 at 2:02 PM, Olivier Cochard-Labb=E9 > <olivier@cochard.me> wrote: >> On Sun, Dec 8, 2013 at 12:16 AM, Eitan Adler <lists@eitanadler.com> = wrote: >>> Hi all, >>>=20 >>> I understand this is an old thread but I do not see an answer here. >>> Can anyone answer the question below? >>>=20 >>> On Sat, Sep 14, 2013 at 8:33 AM, Robert Millan <rmh@debian.org> = wrote: >>>>=20 >>>> Hi! >>>>=20 >>>> Is there any particular reason (performance, stability concerns...) >>>> IPSEC support is not enabled in GENERIC? >>>>=20 >>>> In Debian GNU/kFreeBSD we're considering enabling it in our default >>>> builds, due to increased user demand and as it is already enabled = for >>>> our Linux-based flavours. >>>>=20 >>>> However we're concerned about diverging from FreeBSD as there might = be >>>> unforeseen consequences. Is there any specific concern on your = side? >>>>=20 >>>> If not, perhaps it could be considered for HEAD after 10.0 release? >>>=20 >>>=20 >>=20 >> Here are my own bench result regarding forwarding speed = (paquet-per-second) >> with a kernel compiled without-ipsec and with ipsec (ipsec is not = enabled >> during the tests, just present on the kernel) of FreeBSD = 10.0-PRERELEASE: >>=20 >> ministat -s without-ipsec ipsec >> x without-ipsec >> + ipsec >> = +-------------------------------------------------------------------------= -------+ >> |x + x + +x x x + >> +| >> | |__________________A_____M____________| >> | >> | = |_______________M_________A__________________________| >> | >> = +-------------------------------------------------------------------------= -------+ >> N Min Max Median Avg = Stddev >> x 5 1646075 1764528 1725461 1713080 = 44560.059 >> + 5 1685034 1833206 1724461 1748666.8 = 62356.218 >> No difference proven at 95.0% confidence >>=20 >> I didn't see negative impact of enabling ipsec (it's even a little = bit >> better with it). >>=20 >> Regards, >>=20 >> Olivier >=20 >=20 >=20 > --=20 > Eitan Adler > _______________________________________________ > freebsd-arch@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-arch > To unsubscribe, send any mail to = "freebsd-arch-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?15DFE76D-40B7-4F56-82EC-26EB9F1D9824>