Subject: Re: IPSEC in GENERIC
To: Michael van Elst <mlelstv@serpens.de>
From: Jonathan Stone <jonathan@Pescadero.dsg.stanford.edu>
List: tech-kern
Date: 02/20/2006 13:27:42
In message <dtdbok$6m$1@serpens.de>, Michael van Elst writes:
>>>Do you run GENERIC kernels on your machines?
>
>>Some yes, some no. What's that got to do with the fact that IPv6 *is*
>>utterly useless to me, or that i'd like to not enable IPv6 on machines
>>which are still running GENERIC kernels?
>
>I wanted to stress that people like you (or me, or almost everybody reading)
>often do not use GENERIC kernels and whatever is in GENERIC has little
>impact on us.
>
>You may disable IPv6 as you may disable^Wenable IPSEC if that's what you
>need.
Michael, I *do* control machines which run GENERIC kernels, I want
to *keep* running GENERIC kernels, but I *do* want a way to turn off
IPv6 on those machines *without* having to build custom kernels.
Is any part of that hard to understand? I'm not understanding
why you don't understand it.
>However, GENERIC is what gets installed initially, what might be the
>only choice for some people and is necessarily the first choice for
>newcomers. Having IPSEC there is worthwhile even when it spoils
>benchmarks.
Yes, those are precisely the sorts of reasons why detuning benchmark
performance of GENERIC is widely regarded (by several senior NetBSD
developers) as being a bad idea. I recall there was quite a strong
consensus on that, last time the issue came up.
In any case, building a kernel strikes me as quite a modest burden,
compared to configuring IPsec and IKE to acutally work.
(Especially if it's the first time one is setting up IPsec.)