IPsec in GENERIC kernel config
VANHULLEBUS Yvan
vanhu at FreeBSD.org
Tue Apr 28 12:14:06 UTC 2009
On Tue, Apr 28, 2009 at 09:36:26AM +0300, Jan Melen wrote:
> Hi,
[...]
> Just to understand the problem correctly I guess you are talking about
> performance hit on outgoing packets as the IPsec tries to find a
> security policy even for packets that should not be encrypted? For
> incoming traffic I don't see any reason for performance hit.
The (more or less) same check is done for incoming packets, because we
NEED to ensure that IPsec traffic comes from the appropriate IPsec
tunnel, and non-IPsec traffic comes without IPsec...
> Has anyone done any measurements on magnitude of performance loss we get
> from trying to match the outgoing packets for non-existent IPsec
> policies? I would guess that if you have zero SPD entries in your system
> it can't be a lot as it is a matter of calling:
> ip_ipsec_output -> ipsec4_checkpolicy -> ipsec_getpolicybyaddr/sock ->
> key_allocsp which in turn searches through an empty list.
We (my company) already tried such a hack, which completely skips
IPsec processing if we know that the SPD (both in and out) is empty.
It works, and has the expected impact on performance loss.
Yvan.
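To make the lookup chain and the shortcut discussed above concrete, here is an added C example (not FreeBSD's kernel code and not the patch Yvan's company wrote): a miniature IPv4 security policy database with one list per direction, a linear lookup that still runs when the list is empty, and an ipsec_check() that bypasses the lookup only when both the inbound and outbound SPDs are empty. The structs and every function name (spd_add, spd_lookup, ipsec_check, ip4) are hypothetical and do not mirror the real key_allocsp/ipsec4_checkpolicy interfaces. It also shows why the inbound side matters: with an inbound rule that demands IPsec, a cleartext packet matching it is dropped, so the shortcut is only safe when neither SPD has entries.

```c
/* Added example, not FreeBSD's or the poster's code: a miniature IPv4
 * security policy database (SPD) with a per-packet lookup that walks the
 * list even when it is empty, plus the "skip IPsec when both SPDs are
 * empty" shortcut.  All names (spd_add, spd_lookup, ipsec_check, ip4)
 * are hypothetical and do not mirror the kernel's functions. */
#include <stdint.h>
#include <stdio.h>

enum spd_dir       { SPD_IN = 0, SPD_OUT = 1 };
enum spd_action    { SPD_BYPASS, SPD_DISCARD, SPD_IPSEC };
enum ipsec_verdict { V_PASS, V_DROP, V_ENCAP };

struct spd_policy {
    uint32_t src, src_mask;   /* IPv4 selectors, host byte order */
    uint32_t dst, dst_mask;
    enum spd_action action;
};

struct packet {
    uint32_t src, dst;
    int via_sa;               /* inbound only: 1 if it arrived inside an SA */
};

#define SPD_MAX 16
static struct spd_policy spd[2][SPD_MAX];   /* one list per direction */
static int spd_count[2];
static unsigned long spd_lookups;           /* list walks performed so far */

static uint32_t ip4(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

static int spd_flush(void)
{
    spd_count[SPD_IN] = spd_count[SPD_OUT] = 0; spd_lookups = 0; return 0;
}

static int spd_add(enum spd_dir dir, uint32_t src, uint32_t src_mask,
                   uint32_t dst, uint32_t dst_mask, enum spd_action action)
{
    if (spd_count[dir] >= SPD_MAX)
        return -1;
    struct spd_policy *p = &spd[dir][spd_count[dir]++];
    p->src = src; p->src_mask = src_mask;
    p->dst = dst; p->dst_mask = dst_mask;
    p->action = action;
    return 0;
}

/* Linear walk of one direction's SPD, the key_allocsp step of the call
 * chain quoted above: first match wins; no match (or an empty list) means
 * the packet is treated as plain IP. */
static enum spd_action spd_lookup(enum spd_dir dir, const struct packet *pkt)
{
    spd_lookups++;
    for (int i = 0; i < spd_count[dir]; i++) {
        const struct spd_policy *p = &spd[dir][i];
        if ((pkt->src & p->src_mask) == (p->src & p->src_mask) &&
            (pkt->dst & p->dst_mask) == (p->dst & p->dst_mask))
            return p->action;
    }
    return SPD_BYPASS;
}

/* Policy check on the input or output path.  With fast_path set the walk
 * is skipped only when BOTH SPDs are empty: as long as an inbound rule
 * demands IPsec, cleartext packets matching it must still be rejected. */
static enum ipsec_verdict ipsec_check(enum spd_dir dir, const struct packet *pkt,
                                      int fast_path)
{
    if (fast_path && spd_count[SPD_IN] == 0 && spd_count[SPD_OUT] == 0)
        return V_PASS;

    switch (spd_lookup(dir, pkt)) {
    case SPD_DISCARD:
        return V_DROP;
    case SPD_IPSEC:
        if (dir == SPD_OUT)
            return V_ENCAP;                   /* must be wrapped in an SA first */
        return pkt->via_sa ? V_PASS : V_DROP; /* cleartext where IPsec is required */
    default:
        return V_PASS;
    }
}

int main(void)
{
    struct packet clear = { ip4(10, 1, 2, 3), ip4(192, 168, 0, 1), 0 };

    spd_flush();
    ipsec_check(SPD_IN, &clear, 0);
    printf("empty SPD, no shortcut: %lu list walk(s)\n", spd_lookups);   /* 1 */
    spd_flush();
    ipsec_check(SPD_IN, &clear, 1);
    printf("empty SPD, shortcut:    %lu list walk(s)\n", spd_lookups);   /* 0 */
    return 0;
}
```

The spd_lookups counter is the cost Jan asks about: without the shortcut every packet in either direction pays one walk of the (possibly empty) list plus the surrounding call chain; with it, that work disappears only while both lists are empty, and reappears as soon as a single policy is installed in either direction.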