Subject: Re: IPSEC in GENERIC
To: Jonathan Stone <jonathan@Pescadero.dsg.stanford.edu>
From: Christos Zoulas <christos@zoulas.com>
List: tech-kern
Date: 02/20/2006 22:49:24
On Feb 20,  7:35pm, jonathan@Pescadero.dsg.stanford.edu (Jonathan Stone) wrote:
-- Subject: Re: IPSEC in GENERIC

| >Of course this all depends on your goals. Do you want to educate/help
| >your audience or do you want to show off your knowledge and make
| >everyone else look/feel like an idiot?
| 
| Christos, I think _that_ was uncalled for. 

Fine, I am sorry for misjudging your intentions.

I see the summary of this thread as:

1. The reason we don't turn IPSEC on by default is performance.
2. There is FAST_IPSEC but it does not do IPV6.
3. The KAME code is too complicated/messy and hard to separate.
4. The way to have the best of both worlds is to compile IPSEC
   in and determine if we need to take the IPSEC complex path only
   if the number of SPDs > 0 (which was proposed by you this round).

Now can you (or someone else) step up and see if doing (4) is feasible?

christos