Re: IPSEC

To: Eitan Adler <lists@eitanadler.com>
Cc: Olivier Cochard-Labbé <olivier@cochard.me>, "freebsd-arch@freebsd.org" <arch@freebsd.org>, Robert Millan <rmh@debian.org>, "debian-bsd@lists.debian.org" <debian-bsd@lists.debian.org>
Subject: Re: IPSEC
From: George Neville-Neil <gnn@neville-neil.com>
Date: Sun, 29 Dec 2013 07:38:16 -0800
Message-id: <[🔎] 15DFE76D-40B7-4F56-82EC-26EB9F1D9824@neville-neil.com>
In-reply-to: <[🔎] CAF6rxgmDJZVrzaNScjNqB8YJbHK2MXaYW3BVCu7DVMcZmwPiyw@mail.gmail.com>
References: <523457A1.3090606@debian.org> <[🔎] CAF6rxgntjNFdr8unFQC=OWCNs7-UDYJaE30v4heWh_EeOg1JGA@mail.gmail.com> <CA+q+TcrSZitbJkPJFO501O1MVWe8o2o+P_S_a3q21NdPtSGewQ@mail.gmail.com> <[🔎] CAF6rxgmDJZVrzaNScjNqB8YJbHK2MXaYW3BVCu7DVMcZmwPiyw@mail.gmail.com>

On Dec 14, 2013, at 11:28 , Eitan Adler <lists@eitanadler.com> wrote:

> Hi arch@,
> 
> The question below has been unanswered since Sat, Sep 14, 2013.
> 
> Are there any known concerns with enabling IPSEC?  Is there any reason
> to not do so in GENERIC?
> 

Certainly there is always a risk of reduced stability when you mix more code into the
system.  I do not know, off hand, of any bugs that would prevent us from turning this
on in GENERIC.  It would be nice to know what kind of user/customer demand
you’re seeing so we could evaluate whether or not we should turn IPSec on by
default in GENERIC in the base FreeBSD.

Best,
George

> On Sun, Dec 8, 2013 at 2:02 PM, Olivier Cochard-Labbé
> <olivier@cochard.me> wrote:
>> On Sun, Dec 8, 2013 at 12:16 AM, Eitan Adler <lists@eitanadler.com> wrote:
>>> Hi all,
>>> 
>>> I understand this is an old thread but I do not see an answer here.
>>> Can anyone answer the question below?
>>> 
>>> On Sat, Sep 14, 2013 at 8:33 AM, Robert Millan <rmh@debian.org> wrote:
>>>> 
>>>> Hi!
>>>> 
>>>> Is there any particular reason (performance, stability concerns...)
>>>> IPSEC support is not enabled in GENERIC?
>>>> 
>>>> In Debian GNU/kFreeBSD we're considering enabling it in our default
>>>> builds, due to increased user demand and as it is already enabled for
>>>> our Linux-based flavours.
>>>> 
>>>> However we're concerned about diverging from FreeBSD as there might be
>>>> unforeseen consequences. Is there any specific concern on your side?
>>>> 
>>>> If not, perhaps it could be considered for HEAD after 10.0 release?
>>> 
>>> 
>> 
>> Here are my own bench result regarding forwarding speed (paquet-per-second)
>> with a kernel compiled without-ipsec and with ipsec (ipsec is not enabled
>> during the tests, just present on the kernel) of FreeBSD 10.0-PRERELEASE:
>> 
>> ministat -s without-ipsec ipsec
>> x without-ipsec
>> + ipsec
>> +--------------------------------------------------------------------------------+
>> |x               +    x    +      +x  x            x           +
>> +|
>> |         |__________________A_____M____________|
>> |
>> |                 |_______________M_________A__________________________|
>> |
>> +--------------------------------------------------------------------------------+
>>    N           Min           Max        Median           Avg        Stddev
>> x   5       1646075       1764528       1725461       1713080     44560.059
>> +   5       1685034       1833206       1724461     1748666.8     62356.218
>> No difference proven at 95.0% confidence
>> 
>> I didn't see negative impact of enabling ipsec (it's even a little bit
>> better with it).
>> 
>> Regards,
>> 
>> Olivier
> 
> 
> 
> -- 
> Eitan Adler
> _______________________________________________
> freebsd-arch@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-arch
> To unsubscribe, send any mail to "freebsd-arch-unsubscribe@freebsd.org"

Reply to:

References:
- Re: IPSEC
  - From: Eitan Adler <lists@eitanadler.com>
- Re: IPSEC
  - From: Eitan Adler <lists@eitanadler.com>

Prev by Date: Re: target FreeBSD version for Jessie
Next by Date: gdm3: stuck on GNU/kFreeBSd while "trying to open reauthentication channel",Package: gdm3
Previous by thread: Re: IPSEC
Next by thread: Re: IPSEC
Index(es):
- Date
- Thread