IPsec in GENERIC kernel config
Jan Melen
jan at melen.org
Tue Apr 28 06:36:29 UTC 2009
Hi,
Bjoern A. Zeeb wrote:
> On Mon, 27 Apr 2009, Sam Leffler wrote:
>
> Hi,
>
>> Jan Melen wrote:
>>> Hi,
>>>
>>> Again, when I compiled a custom kernel just to enable IPsec in the
>>> FreeBSD kernel, it came to my mind: why is it that IPsec is not
>>> enabled by default in the GENERIC kernel configuration file? At
>>> least for me the GENERIC kernel configuration would do just fine if
>>> IPsec were enabled in it by default. Now I have to build a
>>> custom kernel just for IPsec. BTW, IPsec is even mandatory for a host
>>> supporting IPv6.
>> IPsec incurs a performance hit. Fix that and it can be enabled in
>> GENERIC.
>
> There is even a PR for this:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/128030
>
Just to understand the problem correctly: I guess you are talking about
the performance hit on outgoing packets, as IPsec tries to find a
security policy even for packets that should not be encrypted? For
incoming traffic I don't see any reason for a performance hit.
Has anyone done any measurements on the magnitude of the performance loss
we get from trying to match outgoing packets against non-existent IPsec
policies? I would guess that if you have zero SPD entries in your system
it can't be a lot, as it is a matter of calling:
ip_ipsec_output -> ipsec4_checkpolicy -> ipsec_getpolicybyaddr/sock ->
key_allocsp, which in turn searches through an empty list.
Jan
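The per-packet SPD lookup Jan sketches above, as an added illustration that is not FreeBSD code and not from anyone in this thread: a toy model of an outbound security policy database in C. All names (spd_lookup, spd_entry, lookup_example, and so on), the structures and the sample policies are invented for this example and are not key_allocsp() or the real SPD layout. It shows first-match selector lookup over an ordered list of policies, that policy order decides the outcome, and why an empty SPD makes the lookup cheap: no entry is visited and the packet is passed in the clear.

```c
/* Added example, not FreeBSD code: toy outbound IPsec SPD lookup.
 * All names, structures and sample policies are invented for this
 * illustration; the real FreeBSD path is ip_ipsec_output ->
 * ipsec4_checkpolicy -> key_allocsp and looks nothing like this. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum spd_action { SPD_BYPASS = 0, SPD_DISCARD = 1, SPD_IPSEC = 2 };

struct pkt {                 /* IPv4 selector fields, host byte order */
    uint32_t src, dst;
    uint8_t  proto;
    uint16_t dport;
};

struct spd_entry {
    uint32_t src, src_mask;  /* source prefix selector (mask 0 = any) */
    uint32_t dst, dst_mask;  /* destination prefix selector */
    uint8_t  proto;          /* 0 = any protocol */
    uint16_t dport;          /* 0 = any destination port */
    enum spd_action action;
    struct spd_entry *next;
};

struct spd { struct spd_entry *head, *tail; size_t nentries; };

static uint32_t ip4(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

static uint32_t prefix_mask(int bits)
{
    return bits == 0 ? 0 : (uint32_t)(0xffffffffu << (32 - bits));
}

/* Append, so the administrator's order is the lookup order (first match wins). */
static void spd_add(struct spd *s, struct spd_entry *e)
{
    e->next = NULL;
    if (s->tail) s->tail->next = e; else s->head = e;
    s->tail = e;
    s->nentries++;
}

static int entry_matches(const struct spd_entry *e, const struct pkt *p)
{
    if ((p->src & e->src_mask) != (e->src & e->src_mask)) return 0;
    if ((p->dst & e->dst_mask) != (e->dst & e->dst_mask)) return 0;
    if (e->proto && e->proto != p->proto) return 0;
    if (e->dport && e->dport != p->dport) return 0;
    return 1;
}

/* The per-packet lookup. *visited receives the number of entries compared;
 * with an empty SPD it is 0 and the loop body never runs. No matching
 * policy means the packet is sent in the clear. */
static enum spd_action spd_lookup(const struct spd *s, const struct pkt *p, size_t *visited)
{
    size_t n = 0;
    enum spd_action act = SPD_BYPASS;
    for (const struct spd_entry *e = s->head; e; e = e->next) {
        n++;
        if (entry_matches(e, p)) { act = e->action; break; }
    }
    if (visited) *visited = n;
    return act;
}

/* Constructed sample SPD, in lookup order:
 *  1. discard anything to 10.99.0.0/16
 *  2. require IPsec for TCP/22 to 10.0.0.0/8
 *  3. bypass all other traffic to 10.0.0.0/8 */
static struct spd g_spd;
static struct spd_entry g_entries[3];
static int g_built;

static const struct spd *example_spd(void)
{
    if (!g_built) {
        g_entries[0] = (struct spd_entry){ 0, 0, ip4(10,99,0,0), prefix_mask(16), 0, 0, SPD_DISCARD, NULL };
        g_entries[1] = (struct spd_entry){ 0, 0, ip4(10,0,0,0), prefix_mask(8), 6, 22, SPD_IPSEC, NULL };
        g_entries[2] = (struct spd_entry){ 0, 0, ip4(10,0,0,0), prefix_mask(8), 0, 0, SPD_BYPASS, NULL };
        for (int i = 0; i < 3; i++) spd_add(&g_spd, &g_entries[i]);
        g_built = 1;
    }
    return &g_spd;
}

/* Lookups against an empty SPD and against the sample SPD. */
enum spd_action lookup_empty(uint32_t src, uint32_t dst, uint8_t proto, uint16_t dport, size_t *visited)
{
    static const struct spd empty = { NULL, NULL, 0 };   /* zero SPD entries */
    struct pkt p = { src, dst, proto, dport };
    return spd_lookup(&empty, &p, visited);
}

size_t visited_empty(uint32_t src, uint32_t dst, uint8_t proto, uint16_t dport)
{
    size_t v; lookup_empty(src, dst, proto, dport, &v); return v;
}

enum spd_action lookup_example(uint32_t src, uint32_t dst, uint8_t proto, uint16_t dport, size_t *visited)
{
    struct pkt p = { src, dst, proto, dport };
    return spd_lookup(example_spd(), &p, visited);
}

size_t visited_example(uint32_t src, uint32_t dst, uint8_t proto, uint16_t dport)
{
    size_t v; lookup_example(src, dst, proto, dport, &v); return v;
}

int main(void)
{
    size_t v;
    enum spd_action a = lookup_empty(ip4(192,168,1,10), ip4(10,1,2,3), 6, 22, &v);
    printf("empty SPD, ssh to 10.1.2.3: action=%d, entries visited=%zu\n", a, v);
    a = lookup_example(ip4(192,168,1,10), ip4(10,1,2,3), 6, 22, &v);
    printf("sample SPD, ssh to 10.1.2.3: action=%d, entries visited=%zu\n", a, v);
    a = lookup_example(ip4(192,168,1,10), ip4(8,8,8,8), 17, 53, &v);
    printf("sample SPD, dns to 8.8.8.8: action=%d, entries visited=%zu\n", a, v);
    return 0;
}
```

Two things this makes visible that the call chain alone does not: an empty SPD costs only the function-call overhead of the path (the comparison loop runs zero times), and with a populated SPD the cost of a non-matching packet is a full walk of the list, since a packet that hits no policy only learns that after comparing against every entry. Policy order also matters: swapping entries 1 and 2 here would silently turn the "require IPsec for SSH" rule into dead code, so a real SPD should be reviewed in lookup order.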