Subject: Re: IPSEC in GENERIC
To: Garrett D'Amore <garrett_damore@tadpole.com>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-kern
Date: 02/20/2006 11:03:05
On Mon, Feb 20, 2006 at 07:50:22AM -0800, Garrett D'Amore wrote:
> joerg@britannica.bec.de wrote:
> 
> > But back to the original question -- this doesn't affect IPSec at all,
> > since it can't be made a module without a lot of effort in any case.
> >   
> true, perhaps.  but if so, then why?  it seems a lot of ipsec at least
> could be -- e.g. encryption and hash routines, etc.

Except that those routines are almost always in anyway.

IPsec hooks in all over the network code -- it is anything _but_ a "bump
in the stack" implementation.  That makes it useful for more than toy
VPN applications (unlike many BITS implementations) but also means that
it is extremely difficult to cleanly separate out into a module, _and_
that just including it in the kernel causes a measurable decrease in
forwarding performance.  Which is why it's not in the kernel by default.

The other outstanding issue is that the code selected by options
FAST_IPSEC needs to grow v6 support, and the code selected by options
IPSEC needs to die.  I'd encourage anyone thinking of doing significant
work on our IPsec code to _not_ put it into something like modularizing
the KAME code, at this point!

Thor