tech-kern: Re: IPSEC in GENERIC

Subject: Re: IPSEC in GENERIC
To: Christos Zoulas <christos@astron.com>
From: Jonathan Stone <jonathan@Pescadero.dsg.stanford.edu>
List: tech-kern
Date: 02/20/2006 19:35:17
In message <dtdu47$vkc$1@sea.gmane.org>Christos Zoulas writes

>It is always better to err on the conservative side and blame
>yourself: "maybe I am not explaining myself clearly" as opposed
>to: "you don't seem to understand what I am saying". This shows
>the hospitality of the "home court", since you are the native
>speaker.
>
>Or course this all depends on your goals. Do you want to educate/help
>your audience or do you want to show off your knowledge and make
>everyone else look/feel like an idiot?

Christos, I think _that_ was uncalled for. 

It's a historical fact that this is not the first time someone has
proposed turning on IPsec in GENERIC kernels. Last time this idea, to
turn on IPsec in GENERIC kernels came up, we decided that turning on
IPsec adversely impacts networking performance, that this negative
impact would be noticeable when people, magazines, etc. benchmarked
NetBSD against other BSDs or Linux.  I recall concern that the typical
benchmarker might not bother to dig deep enough to see that NetBSD had
IPsec enabled: in other words, the reasons *why* NetBSD might have
lower performance than other open-source OSes wouldn't
register. Anyway, the consensus decision was that the negative impact
outweighed any benefits of having IPsec avialable in GENERIC kernels.

I've tried hard to explain that historical fact.  I've suggested a
couple of ways by which the alleged overhead might be estimated.  I've
suggested ways where, as far as i can see, any signifiant overhead
*should* be able to be eliminated.

Now doesn't that suggest to you that I'm trying to help find ways
whereeby we might turn on IPSEC in GENERIC kernels without the adverse
affects which outweighed IPsec last time the issue came up?

Yet my correspondent doesn't seem to care about any of that, he seems
to prefer to ignore it, and to repeat assertions that in *his*
opinion, IPSEC is more important and that we should overturn the prior
consensus, with no other justificaiton that *his* personal say-so.

I didn't think that was how NetBSD worked. Do you?