>The expanded blowfish key is large and takes a while to compute;
>recomputing it for every packet is almost certainly what kills
>performance -- expanding the key takes ~520 blowfish block
>encryptions, equivalent to encrypting a bit over 4kb of data.
>The solaris implementation of blowfish for ESP (which is in
>"solaris-current", not yet in any product) just caches the expanded
>key in per-SA state; netbsd should do likewise.

	yeah.  i'll do something in kame repository and bring that
	into netbsd.

itojun