conf/128030: [request] Isn't it time to enable IPsec in GENERIC?
Bjoern A. Zeeb
bz at FreeBSD.org
Fri Jan 30 12:20:06 PST 2009
The following reply was made to PR conf/128030; it has been noted by GNATS.
From: "Bjoern A. Zeeb" <bz at FreeBSD.org>
To: bug-followup at FreeBSD.org, lionel.fourquaux+fbsdbug at normalesup.org
Cc:
Subject: Re: conf/128030: [request] Isn't it time to enable IPsec in GENERIC?
Date: Fri, 30 Jan 2009 20:10:45 +0000 (UTC)
Hi,
the problem here is that enabling IPsec adds overhead to the entire
IPv4/v6 network stack handling.
A lot of people are currently working on performnce optimizations for
all kinds of different setups. All those would be hurt if IPSEC would
be on by default and they wouldn't need it. That's all kinds of
various ISP server business for example.
If we want to enable IPSEC by default on GENERIC the criteria to fix
is "it must not measurably add up to processing times/reduce pps/.."
if the connections do not use it.
/bz
--
Bjoern A. Zeeb The greatest risk is not taking one.
More information about the freebsd-net
mailing list