Re: IPSEC

To: Olivier Cochard-Labbé <olivier@cochard.me>, "freebsd-arch@freebsd.org" <arch@freebsd.org>
Cc: Robert Millan <rmh@debian.org>, "debian-bsd@lists.debian.org" <debian-bsd@lists.debian.org>
Subject: Re: IPSEC
From: Eitan Adler <lists@eitanadler.com>
Date: Sat, 14 Dec 2013 14:28:36 -0500
Message-id: <[🔎] CAF6rxgmDJZVrzaNScjNqB8YJbHK2MXaYW3BVCu7DVMcZmwPiyw@mail.gmail.com>
In-reply-to: <CA+q+TcrSZitbJkPJFO501O1MVWe8o2o+P_S_a3q21NdPtSGewQ@mail.gmail.com>
References: <523457A1.3090606@debian.org> <[🔎] CAF6rxgntjNFdr8unFQC=OWCNs7-UDYJaE30v4heWh_EeOg1JGA@mail.gmail.com> <CA+q+TcrSZitbJkPJFO501O1MVWe8o2o+P_S_a3q21NdPtSGewQ@mail.gmail.com>

Hi arch@,

The question below has been unanswered since Sat, Sep 14, 2013.

Are there any known concerns with enabling IPSEC?  Is there any reason
to not do so in GENERIC?

On Sun, Dec 8, 2013 at 2:02 PM, Olivier Cochard-Labbé
<olivier@cochard.me> wrote:
> On Sun, Dec 8, 2013 at 12:16 AM, Eitan Adler <lists@eitanadler.com> wrote:
>> Hi all,
>>
>> I understand this is an old thread but I do not see an answer here.
>> Can anyone answer the question below?
>>
>> On Sat, Sep 14, 2013 at 8:33 AM, Robert Millan <rmh@debian.org> wrote:
>>>
>>> Hi!
>>>
>>> Is there any particular reason (performance, stability concerns...)
>>> IPSEC support is not enabled in GENERIC?
>>>
>>> In Debian GNU/kFreeBSD we're considering enabling it in our default
>>> builds, due to increased user demand and as it is already enabled for
>>> our Linux-based flavours.
>>>
>>> However we're concerned about diverging from FreeBSD as there might be
>>> unforeseen consequences. Is there any specific concern on your side?
>>>
>>> If not, perhaps it could be considered for HEAD after 10.0 release?
>>
>>
>
> Here are my own bench result regarding forwarding speed (paquet-per-second)
> with a kernel compiled without-ipsec and with ipsec (ipsec is not enabled
> during the tests, just present on the kernel) of FreeBSD 10.0-PRERELEASE:
>
> ministat -s without-ipsec ipsec
> x without-ipsec
> + ipsec
> +--------------------------------------------------------------------------------+
> |x               +    x    +      +x  x            x           +
> +|
> |         |__________________A_____M____________|
> |
> |                 |_______________M_________A__________________________|
> |
> +--------------------------------------------------------------------------------+
>     N           Min           Max        Median           Avg        Stddev
> x   5       1646075       1764528       1725461       1713080     44560.059
> +   5       1685034       1833206       1724461     1748666.8     62356.218
> No difference proven at 95.0% confidence
>
> I didn't see negative impact of enabling ipsec (it's even a little bit
> better with it).
>
> Regards,
>
> Olivier



-- 
Eitan Adler

Reply to:

Follow-Ups:
- Re: IPSEC
  - From: George Neville-Neil <gnn@neville-neil.com>

References:
- Re: IPSEC
  - From: Eitan Adler <lists@eitanadler.com>

Prev by Date: Re: possible /dev/random compromise (misplaced trust in RDRAND / Padlock entropy sources)
Next by Date: Re: possible /dev/random compromise (misplaced trust in RDRAND / Padlock entropy sources)
Previous by thread: Re: IPSEC
Next by thread: Re: IPSEC
Index(es):
- Date
- Thread