From owner-freebsd-arch@FreeBSD.ORG  Sun Dec 29 15:38:21 2013
Return-Path: <owner-freebsd-arch@FreeBSD.ORG>
Delivered-To: arch@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id D39DE315
 for <arch@freebsd.org>; Sun, 29 Dec 2013 15:38:21 +0000 (UTC)
Received: from vps.hungerhost.com (vps.hungerhost.com [216.38.53.176])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mx1.freebsd.org (Postfix) with ESMTPS id A04941D29
 for <arch@freebsd.org>; Sun, 29 Dec 2013 15:38:21 +0000 (UTC)
Received: from 65-123-255-137.dia.static.qwest.net ([65.123.255.137]:58028
 helo=[172.26.21.190])
 by vps.hungerhost.com with esmtpsa (TLSv1:AES128-SHA:128)
 (Exim 4.80.1) (envelope-from <gnn@neville-neil.com>)
 id 1VxIRX-0008HP-D1; Sun, 29 Dec 2013 10:38:19 -0500
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\))
Subject: Re: IPSEC
From: George Neville-Neil <gnn@neville-neil.com>
In-Reply-To: <CAF6rxgmDJZVrzaNScjNqB8YJbHK2MXaYW3BVCu7DVMcZmwPiyw@mail.gmail.com>
Date: Sun, 29 Dec 2013 07:38:16 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <15DFE76D-40B7-4F56-82EC-26EB9F1D9824@neville-neil.com>
References: <523457A1.3090606@debian.org>
 <CAF6rxgntjNFdr8unFQC=OWCNs7-UDYJaE30v4heWh_EeOg1JGA@mail.gmail.com>
 <CA+q+TcrSZitbJkPJFO501O1MVWe8o2o+P_S_a3q21NdPtSGewQ@mail.gmail.com>
 <CAF6rxgmDJZVrzaNScjNqB8YJbHK2MXaYW3BVCu7DVMcZmwPiyw@mail.gmail.com>
To: Eitan Adler <lists@eitanadler.com>
X-Mailer: Apple Mail (2.1827)
X-AntiAbuse: This header was added to track abuse,
 please include it with any abuse report
X-AntiAbuse: Primary Hostname - vps.hungerhost.com
X-AntiAbuse: Original Domain - freebsd.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - neville-neil.com
X-Get-Message-Sender-Via: vps.hungerhost.com: authenticated_id:
 gnn@neville-neil.com
Cc: =?windows-1252?Q?Olivier_Cochard-Labb=E9?= <olivier@cochard.me>,
 "freebsd-arch@freebsd.org" <arch@freebsd.org>, Robert Millan <rmh@debian.org>,
 "debian-bsd@lists.debian.org" <debian-bsd@lists.debian.org>
X-BeenThere: freebsd-arch@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion related to FreeBSD architecture <freebsd-arch.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-arch>,
 <mailto:freebsd-arch-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-arch/>
List-Post: <mailto:freebsd-arch@freebsd.org>
List-Help: <mailto:freebsd-arch-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-arch>,
 <mailto:freebsd-arch-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Dec 2013 15:38:22 -0000


On Dec 14, 2013, at 11:28 , Eitan Adler <lists@eitanadler.com> wrote:

> Hi arch@,
>=20
> The question below has been unanswered since Sat, Sep 14, 2013.
>=20
> Are there any known concerns with enabling IPSEC?  Is there any reason
> to not do so in GENERIC?
>=20

Certainly there is always a risk of reduced stability when you mix more =
code into the
system.  I do not know, off hand, of any bugs that would prevent us from =
turning this
on in GENERIC.  It would be nice to know what kind of user/customer =
demand
you=92re seeing so we could evaluate whether or not we should turn IPSec =
on by
default in GENERIC in the base FreeBSD.

Best,
George

> On Sun, Dec 8, 2013 at 2:02 PM, Olivier Cochard-Labb=E9
> <olivier@cochard.me> wrote:
>> On Sun, Dec 8, 2013 at 12:16 AM, Eitan Adler <lists@eitanadler.com> =
wrote:
>>> Hi all,
>>>=20
>>> I understand this is an old thread but I do not see an answer here.
>>> Can anyone answer the question below?
>>>=20
>>> On Sat, Sep 14, 2013 at 8:33 AM, Robert Millan <rmh@debian.org> =
wrote:
>>>>=20
>>>> Hi!
>>>>=20
>>>> Is there any particular reason (performance, stability concerns...)
>>>> IPSEC support is not enabled in GENERIC?
>>>>=20
>>>> In Debian GNU/kFreeBSD we're considering enabling it in our default
>>>> builds, due to increased user demand and as it is already enabled =
for
>>>> our Linux-based flavours.
>>>>=20
>>>> However we're concerned about diverging from FreeBSD as there might =
be
>>>> unforeseen consequences. Is there any specific concern on your =
side?
>>>>=20
>>>> If not, perhaps it could be considered for HEAD after 10.0 release?
>>>=20
>>>=20
>>=20
>> Here are my own bench result regarding forwarding speed =
(paquet-per-second)
>> with a kernel compiled without-ipsec and with ipsec (ipsec is not =
enabled
>> during the tests, just present on the kernel) of FreeBSD =
10.0-PRERELEASE:
>>=20
>> ministat -s without-ipsec ipsec
>> x without-ipsec
>> + ipsec
>> =
+-------------------------------------------------------------------------=
-------+
>> |x               +    x    +      +x  x            x           +
>> +|
>> |         |__________________A_____M____________|
>> |
>> |                 =
|_______________M_________A__________________________|
>> |
>> =
+-------------------------------------------------------------------------=
-------+
>>    N           Min           Max        Median           Avg        =
Stddev
>> x   5       1646075       1764528       1725461       1713080     =
44560.059
>> +   5       1685034       1833206       1724461     1748666.8     =
62356.218
>> No difference proven at 95.0% confidence
>>=20
>> I didn't see negative impact of enabling ipsec (it's even a little =
bit
>> better with it).
>>=20
>> Regards,
>>=20
>> Olivier
>=20
>=20
>=20
> --=20
> Eitan Adler
> _______________________________________________
> freebsd-arch@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-arch
> To unsubscribe, send any mail to =
"freebsd-arch-unsubscribe@freebsd.org"