Subject: Re: IPSEC in GENERIC
To: None <tech-kern@netbsd.org>
From: Michael van Elst <mlelstv@serpens.de>
List: tech-kern
Date: 02/21/2006 21:20:49
jonathan@Pescadero.dsg.stanford.edu (Jonathan Stone) writes:

>In message <dtdko8$hh6$1@serpens.de>Michael van Elst writes
>>jonathan@dsg.stanford.edu writes:
>>> So, why should it be any different if I want to run IPv4, but
>>>not IPv6?
>>There is no necessity to have it different. But it is different.
>Michael, I'm trying hard, but for the life of me I cannot understand
>that sentence.  What are you trying to say?

I don't know a reason why it should be any different and I wasn't
proposing it.


>>Maybe besides your point, but it is completely on topic unless
>>you can disable IPSEC with our boot-time /etc/rc.conf mechanism.

><forced patience> Yes, of *course* our rc.conf mechanisms can disable
>the actual *use* of IPsec, sure.

I said if you could disable IPSEC from rc.conf that would make a
difference. But we all know that this doesn't work but requires a kernel
change. I did not talk about the "use of IPsec".


>And *that* is the reason for the prior consensus not to enable IPsec
>in GENERIC kernels.  If you want to overturn that consensus, I think
>you need to present rational arguments why the prior consensus was
>wrong. I've looked, and I can't find any real attempt to do that.

I have already overturned that *consensus* if there was ever one.
Apparently I disagree, so at least now there can't be a *consensus*
anymore.  So that makes it a majority but not a *consensus*.

If you can't find real attempts then I believe that is your problem.
I gave a couple of reasons. Apparently the _conclusion_ depends on
your personal opinion. I don't agree with you, so if that is hard
to understand, then yes, you do have a problem.


>How can I make it simpler?  I personally can't imagine any technical
>reason we'd not turn on IPsec in GENERIC if there was no downside,

Please remove the 'if' from the sentence. Apparently there are downsides
from either path. That's why you have to make a decision.


>But there *is* a long-standing observation that there *IS* a downside
>to adding IPsec to GENERIC kernels: overall networking performance of
>GENERIC kernels would suffer, and that the performance penalty (relative
>to other *BSD kernels which don't turn on IPsec in their default kernel)
>would show up in benchmarks, and be widely publicized, to the overall
>detriment of NetBSD.

There is a downside to not adding IPsec to GENERIC as well. However,
unlike you I do not fear "widely publicized benchmarks that show the
performance penalty against other *BSD kernels", so I see more the
advantages of having IPsec in GENERIC.


>>But your conclusion
>>is that, as far as we know, putting IPSEC in GENERIC is bad.

>No, not quite. That's not a conclusion, nor is it mine.
>It's a widely-repeated statement. I'm just repeating it, as others
>(Thor, for example) have already done in this thread.

If you believe in that statement then I suggest you make it yours.
There is no need to hide behind others.


>Once again, that's not *my* conclusion, but the consensus after
>technical discussion.

I wouldn't use the word "technical discussion" when the decision
made is more based on publicity.


>Michael, can you explain why your personal priority list should
>override the prior consensus on this issue?

You make the wrong statement that I want, that my personal priority
list overrides the prior *consensus*.


> I'm clearly not understanding you at all.


Then you may want to end this discussion. It is fruitless if
you are not understanding.


-- 
                                Michael van Elst
Internet: mlelstv@serpens.de
                                "A potential Snark may lurk in every tree."