tech-net archive
Re: reverse processing order: NAT, IPsec ?
On Fri, Jun 12, 2009 at 03:14:34PM -0500, David Young wrote:
>
> I don't see why there should be a profusion of interfaces if there isn't
> a profusion already for other reasons, such as a profusion of tunnel
> interfaces.
If you can get the amount of memory used by 5,000 tunnel interfaces down
to the amount of memory used by the data structures for 5,000 tunnel-mode
IPsec SAs and SPD entries now, most of my concern goes away. I guess it
would also be desirable to benchmark and see that it's no slower than the
current FAST_IPSEC implementation, under load, as well.
Thor