Subject: FAST_IPSEC [was Re: ipv6 source address selection]
To: Arnaud Degroote <>
From: None <>
List: tech-net
Date: 09/26/2007 10:22:31
In message <> Arnaud Degroote writes
>On Tue, Sep 25, 2007 at 02:52:06PM -0700, Stone wrote:
>> In message <> Michael van Elst writes
>> >On Tue, Sep 25, 2007 at 01:55:26PM -0700, Jonathan Stone wrote:
>In NetBSD-4, you can use FAST_IPSEC and IPv6. I pulled up most of the
>current changes into NetBSD-4 a long time ago.  There are still some
>issues in the implementation (the implementation doesn't work correctly
>with extension headers in transport mode). Of course, the code needs to
>be tested, tested and retested in real configurations and I wait for any
>feedback good or bad :).

Thanks for the update and correction.

Are there other known gotchas besides the extension header in
transport mode?  Any Big/little endian issues?  I ask because one way
to get the testing would be to get people turning on FAST_IPSEC in

There has also been talk of turning on FAST_IPSEC by default.  But the
consensus was that before doing that, we should measure send and
receive packet rates both with and without IPsec configured; and make
sure there's negligible difference in packet rates.  (On a CPU-limited
or memory-limited system, needless to say.  Send/receive rates on
10GbE would be one interesting way to measure :-))