IPSEC
Eitan Adler
lists at eitanadler.com
Sat Dec 14 19:29:09 UTC 2013
Hi arch@,
The question below has been unanswered since Sat, Sep 14, 2013.
Are there any known concerns with enabling IPSEC? Is there any reason
to not do so in GENERIC?
On Sun, Dec 8, 2013 at 2:02 PM, Olivier Cochard-Labbé
<olivier at cochard.me> wrote:
> On Sun, Dec 8, 2013 at 12:16 AM, Eitan Adler <lists at eitanadler.com> wrote:
>> Hi all,
>>
>> I understand this is an old thread but I do not see an answer here.
>> Can anyone answer the question below?
>>
>> On Sat, Sep 14, 2013 at 8:33 AM, Robert Millan <rmh at debian.org> wrote:
>>>
>>> Hi!
>>>
>>> Is there any particular reason (performance, stability concerns...)
>>> IPSEC support is not enabled in GENERIC?
>>>
>>> In Debian GNU/kFreeBSD we're considering enabling it in our default
>>> builds, due to increased user demand and as it is already enabled for
>>> our Linux-based flavours.
>>>
>>> However we're concerned about diverging from FreeBSD as there might be
>>> unforeseen consequences. Is there any specific concern on your side?
>>>
>>> If not, perhaps it could be considered for HEAD after 10.0 release?
>>
>>
>
> Here are my own bench results regarding forwarding speed (packet-per-second)
> with a kernel compiled without-ipsec and with ipsec (ipsec is not enabled
> during the tests, just present on the kernel) of FreeBSD 10.0-PRERELEASE:
>
> ministat -s without-ipsec ipsec
> x without-ipsec
> + ipsec
> +--------------------------------------------------------------------------------+
> |x + x + +x x x +|
> | |__________________A_____M____________| |
> | |_______________M_________A__________________________| |
> +--------------------------------------------------------------------------------+
>     N           Min           Max        Median           Avg        Stddev
> x   5       1646075       1764528       1725461       1713080     44560.059
> +   5       1685034       1833206       1724461     1748666.8     62356.218
> No difference proven at 95.0% confidence
>
> I didn't see a negative impact from enabling ipsec (it's even a little bit
> better with it).
>
> Regards,
>
> Olivier
--
Eitan Adler