conf/128030: [request] Isn't it time to enable IPsec in GENERIC?
Sam Leffler
sam at freebsd.org
Sat Oct 18 20:43:43 UTC 2008
Max Laier wrote:
> On Saturday 18 October 2008 19:05:26 Sam Leffler wrote:
>
>> gavin at freebsd.org wrote:
>>
>>> Synopsis: [request] Isn't it time to enable IPsec in GENERIC?
>>>
>>> Responsible-Changed-From-To: freebsd-bugs->freebsd-net
>>> Responsible-Changed-By: gavin
>>> Responsible-Changed-When: Sat Oct 18 16:55:14 UTC 2008
>>> Responsible-Changed-Why:
>>> Over to maintainer(s) for consideration
>>>
>>> http://www.freebsd.org/cgi/query-pr.cgi?pr=128030
>>>
>> Last I checked IPSEC added noticeable overhead. Before anyone does this
>> you need to measure the cost of having it enabled but not used.
>>
>
> It should be possible to turn IPSEC into a module - maybe only loadable on
> boot to avoid locking issues. This would reduce the overhead to a handful of
> function pointer checks that should not impact performance (thanks to modern
> branch prediction and cache sizes). This would have to be measured as well,
> of course. Maybe this should go to the project page? It's a good junior
> kernel hacker project, I believe.
>
>
I believe the most important issue are the SADB checks in the tx path.
It used to be possible to do them cheaply by checking a single ptr value
but now it's much more expensive. My memory is hazy as it's been a while.
Sam
More information about the freebsd-hackers
mailing list