Subject: Re: IPSEC in GENERIC
To: None <tls@rek.tjls.com>
From: None <jonathan@dsg.stanford.edu>
List: tech-kern
Date: 02/20/2006 11:43:59
In message <20060220160305.GA19342@panix.com>,Thor Lancelot Simon writes:

>On Mon, Feb 20, 2006 at 07:50:22AM -0800, Garrett D'Amore wrote:
>IPsec hooks in all over the network code -- it is anything _but_ a "bump
>in the stack" implementation.  That makes it useful for more than toy
>VPN applications (unlike many BITS implementations) but also means that
>it is extremely difficult to cleanly separate out into a module, _and_
>that just including it in the kernel causes a measurable decrease in
>forwarding performance.  Which is why it's not in the kernel by default.

Thor,

If there are no SPDs (or none except the compiled-in default SPDs),
then surely the forwarding code could do an inline check of the SPD
count, and if no IPsec processing is possible (because there are no
non-default SPDs, and thus no IPsec processing to do), then just skip
over all IPsec processing entirely?

Surely the overhead of comparing an int against a constant, and one
extra branch, shouldn't add _that_ much overhead. (or two checks,
if we need to check for a matching SA also?).

Am I missing something?
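The fast-path check proposed in this message, sketched as an added example (not NetBSD kernel code, and not code from either poster). It models a toy security policy database in which a compiled-in default entry is excluded from a counter of installed policies; the forwarding decision then costs one integer compare and one branch whenever that counter is zero. All names (`spd_entry`, `spd_nondefault_count`, `ip_forward_decide`, the 16-slot table) are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical SPD entry: destination prefix -> action. */
enum spd_action { SPD_BYPASS = 0, SPD_DISCARD, SPD_IPSEC };

struct spd_entry {
    uint32_t dst_net;        /* destination prefix, host byte order */
    uint32_t dst_mask;       /* contiguous netmask */
    enum spd_action action;
    bool is_default;         /* compiled-in default policy, never counted */
    bool in_use;
};

#define SPD_MAX 16
static struct spd_entry spd[SPD_MAX];

/* The counter the message proposes: non-default policies installed. */
static int spd_nondefault_count;

/* Counters so the effect of the check can be observed. */
static unsigned long fwd_fastpath;   /* packets that skipped IPsec entirely */
static unsigned long fwd_slowpath;   /* packets that did a policy lookup */

/* Reset the table; slot 0 is the compiled-in default (match-all, bypass). */
static void spd_init(void)
{
    memset(spd, 0, sizeof spd);
    spd_nondefault_count = 0;
    fwd_fastpath = fwd_slowpath = 0;
    spd[0] = (struct spd_entry){ .dst_net = 0, .dst_mask = 0,
                                 .action = SPD_BYPASS,
                                 .is_default = true, .in_use = true };
}

/* Install a policy; the counter is maintained on insert. Returns slot or -1. */
static int spd_add(uint32_t net, uint32_t mask, enum spd_action action)
{
    for (int i = 0; i < SPD_MAX; i++) {
        if (spd[i].in_use)
            continue;
        spd[i] = (struct spd_entry){ .dst_net = net & mask, .dst_mask = mask,
                                     .action = action,
                                     .is_default = false, .in_use = true };
        spd_nondefault_count++;
        return i;
    }
    return -1;
}

/* Remove a policy; the default entry cannot be removed, so the count
 * only ever reflects user-installed policies. */
static bool spd_delete(int idx)
{
    if (idx < 0 || idx >= SPD_MAX || !spd[idx].in_use || spd[idx].is_default)
        return false;
    spd[idx].in_use = false;
    spd_nondefault_count--;
    return true;
}

/* Slow path: longest-prefix match over the whole table. For contiguous
 * masks a numerically larger mask is a longer prefix. */
static enum spd_action spd_lookup(uint32_t dst)
{
    enum spd_action best = SPD_BYPASS;
    uint32_t best_mask = 0;
    bool found = false;
    for (int i = 0; i < SPD_MAX; i++) {
        if (!spd[i].in_use || (dst & spd[i].dst_mask) != spd[i].dst_net)
            continue;
        if (!found || spd[i].dst_mask > best_mask) {
            best = spd[i].action;
            best_mask = spd[i].dst_mask;
            found = true;
        }
    }
    return best;
}

/* What the forwarding path decides for a packet to dst. The check is one
 * compare against a constant and one branch; when it fires, the answer is
 * simply the default policy's action, so it stays correct even if the
 * compiled-in default were DISCARD rather than BYPASS. */
static enum spd_action ip_forward_decide(uint32_t dst)
{
    if (spd_nondefault_count == 0) {
        fwd_fastpath++;
        return spd[0].action;
    }
    fwd_slowpath++;
    return spd_lookup(dst);
}

static int spd_count(void)                { return spd_nondefault_count; }
static unsigned long fastpath_hits(void)  { return fwd_fastpath; }
static unsigned long slowpath_hits(void)  { return fwd_slowpath; }
```

The two things that make the shortcut sound are visible in the model: the counter is updated in exactly the two places that change the table, and the default entry is excluded from it, so "count is zero" really does mean "no policy other than the default can match". The second check the message wonders about (whether any SA exists) would be the same pattern applied to the SA table.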