by mail.netbsd.org with SMTP; 18 Jul 2000 21:24:55 -0000
	by coconut.itojun.org (8.9.3+3.2W/3.7W) with ESMTP id GAA00940;
	Wed, 19 Jul 2000 06:24:05 +0900 (JST)
To: tls@rek.tjls.com
cc: tech-security@netbsd.org, tech-net@netbsd.org, tech-kern@netbsd.org
In-reply-to: tls's message of Tue, 18 Jul 2000 12:57:01 -0400.
      <20000718125701.A11953@rek.tjls.com>
Subject: Re: IPsec performance
From: itojun@iijlab.net
Date: Wed, 19 Jul 2000 06:24:05 +0900
Message-ID: <938.963955445@coconut.itojun.org>


>With 466MHz Celeron CPUs and decent network hardware (3c905B) the most
>throughput I seem to be able to force through our IPsec is about 1.5MB/sec
>(that's mega *bytes*, not bits).  Though I'm told by several people that
>this is not atypical for a software-only IPsec implementation, I don't
>understand _why_.

	see KAME PR 229.
	http://orange.kame.net/dev/query-pr.cgi?pr=229

	basically, blowfish uses very big intermediate data and we cant
	hold it on the stack.  we endup using static memory pool and
	hence we need spl locks.  we'll try to correct it.

itojun