Re: IPSEC
On Dec 14, 2013, at 11:28 , Eitan Adler <lists@eitanadler.com> wrote:
> Hi arch@,
>
> The question below has been unanswered since Sat, Sep 14, 2013.
>
> Are there any known concerns with enabling IPSEC? Is there any reason
> to not do so in GENERIC?
>
Certainly there is always a risk of reduced stability when you mix more code into the
system. I do not know, off hand, of any bugs that would prevent us from turning this
on in GENERIC. It would be nice to know what kind of user/customer demand
you’re seeing so we could evaluate whether or not we should turn IPSec on by
default in GENERIC in the base FreeBSD.
Best,
George
> On Sun, Dec 8, 2013 at 2:02 PM, Olivier Cochard-Labbé
> <olivier@cochard.me> wrote:
>> On Sun, Dec 8, 2013 at 12:16 AM, Eitan Adler <lists@eitanadler.com> wrote:
>>> Hi all,
>>>
>>> I understand this is an old thread but I do not see an answer here.
>>> Can anyone answer the question below?
>>>
>>> On Sat, Sep 14, 2013 at 8:33 AM, Robert Millan <rmh@debian.org> wrote:
>>>>
>>>> Hi!
>>>>
>>>> Is there any particular reason (performance, stability concerns...)
>>>> IPSEC support is not enabled in GENERIC?
>>>>
>>>> In Debian GNU/kFreeBSD we're considering enabling it in our default
>>>> builds, due to increased user demand and as it is already enabled for
>>>> our Linux-based flavours.
>>>>
>>>> However we're concerned about diverging from FreeBSD as there might be
>>>> unforeseen consequences. Is there any specific concern on your side?
>>>>
>>>> If not, perhaps it could be considered for HEAD after 10.0 release?
>>>
>>>
>>
>> Here are my own bench results regarding forwarding speed (packet-per-second)
>> with a kernel compiled without-ipsec and with ipsec (ipsec is not enabled
>> during the tests, just present on the kernel) of FreeBSD 10.0-PRERELEASE:
>>
>> ministat -s without-ipsec ipsec
>> x without-ipsec
>> + ipsec
>> +--------------------------------------------------------------------------------+
>> |x + x + +x x x +|
>> | |__________________A_____M____________| |
>> | |_______________M_________A__________________________| |
>> +--------------------------------------------------------------------------------+
>>     N           Min           Max        Median           Avg        Stddev
>> x   5       1646075       1764528       1725461       1713080     44560.059
>> +   5       1685034       1833206       1724461     1748666.8     62356.218
>> No difference proven at 95.0% confidence
>>
>> I didn't see negative impact of enabling ipsec (it's even a little bit
>> better with it).
>>
>> Regards,
>>
>> Olivier
>
>
>
> --
> Eitan Adler
> _______________________________________________
> freebsd-arch@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-arch
> To unsubscribe, send any mail to "freebsd-arch-unsubscribe@freebsd.org"
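
The comparison behind the "No difference proven at 95.0% confidence" line in the quoted benchmark, recomputed from its summary statistics, as an added example that is not part of the original thread. It assumes a pooled-variance Student's t-test; the function and variable names are illustrative.

```python
import math

# Two-sided 95% critical values of Student's t, indexed by degrees of freedom
# (standard table values; only small benchmark runs are covered here).
T_CRIT_95 = {1: 12.706, 2: 4.303, 3: 3.182, 4: 2.776, 5: 2.571,
             6: 2.447, 7: 2.365, 8: 2.306, 9: 2.262, 10: 2.228}


def compare(n1, avg1, sd1, n2, avg2, sd2):
    """Compare two benchmark runs given only N, Avg and Stddev.

    Assumption: pooled-variance Student's t-test at 95% confidence.
    """
    df = n1 + n2 - 2
    if df not in T_CRIT_95:
        raise ValueError("no critical value tabulated for df=%d" % df)
    # Pooled variance weights each sample variance by its degrees of freedom.
    pooled_var = ((n1 - 1) * sd1 ** 2 + (n2 - 1) * sd2 ** 2) / df
    std_err = math.sqrt(pooled_var * (1.0 / n1 + 1.0 / n2))
    diff = avg2 - avg1
    # The difference is only "proven" if it exceeds this margin.
    margin = T_CRIT_95[df] * std_err
    return {
        "diff": diff,
        "diff_pct": 100.0 * diff / avg1,
        "t": diff / std_err,
        "margin": margin,
        "significant": abs(diff) > margin,
    }


# Summary rows copied from the ministat output quoted in the thread
# (packets per second, five runs per kernel).
WITHOUT_IPSEC = (5, 1713080.0, 44560.059)
WITH_IPSEC = (5, 1748666.8, 62356.218)


def thread_result():
    return compare(*WITHOUT_IPSEC, *WITH_IPSEC)


if __name__ == "__main__":
    r = thread_result()
    print("difference: %+.1f pps (%+.2f%%)" % (r["diff"], r["diff_pct"]))
    print("t = %.3f, 95%% margin = +/-%.1f pps" % (r["t"], r["margin"]))
    print("difference proven" if r["significant"] else "no difference proven")
```

With five runs per kernel the measured difference sits well inside the 95% margin, which is why the tool reports that no difference is proven.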