From nobody@FreeBSD.org  Sun Oct 12 11:05:49 2008
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 18D94106568C
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 12 Oct 2008 11:05:49 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 071388FC12
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 12 Oct 2008 11:05:49 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id m9CB5mLQ014954
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 12 Oct 2008 11:05:48 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id m9CB5mci014951;
	Sun, 12 Oct 2008 11:05:48 GMT
	(envelope-from nobody)
Message-Id: <200810121105.m9CB5mci014951@www.freebsd.org>
Date: Sun, 12 Oct 2008 11:05:48 GMT
From: Lionel Fourquaux <lionel.fourquaux+fbsdbug@normalesup.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Isn't it time to enable IPsec in GENERIC?
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         128030
>Category:       conf
>Synopsis:       [ipsec] [request] Isn't it time to enable IPsec in GENERIC?
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    gnn
>State:          suspended
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Oct 12 11:10:00 UTC 2008
>Closed-Date:    
>Last-Modified:  Sun May 18 05:02:26 UTC 2014
>Originator:     Lionel Fourquaux
>Release:        FreeBSD 7.0-RELEASE-p5
>Organization:
>Environment:
FreeBSD emris.lan 7.0-RELEASE-p5 FreeBSD 7.0-RELEASE-p5 #0: Wed Oct  1 10:10:12 UTC 2008     root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386

>Description:
I believe there is a clear case for enabling IPsec in the GENERIC kernel:
 * freebsd-update does not (and cannot) patch custom kernels, making it harder to maintain an IPsec-enabled FreeBSD environment;
 * AFAIK, the IPsec implementation in FreeBSD is not experimental any more;
 * AFAIK, there is no reason nowadays to try to squeeze the kernel in the smallest possible file, a few more kilobytes won't cause harm;
 * IPsec is more and more an "expected" part of a full-featured network stack (it's part of the IPv6 spec, and it's available out-of-the-box in other OSes, be it OpenBSD, Linux, or even Windows).
Unless there is an overwhelming reason not to do it, having IPsec support (disabled by default, but with no need for a custom kernel build) looks like a good idea.

>How-To-Repeat:
Try to enable IPsec using a GENERIC kernel.
>Fix:
According to the handbook, this requires adding these lines to the GENERIC conf file.

options   IPSEC        #IP security
device    crypto

Bug report kern/97057 suggests that IPSEC_FILTERGIF is also required for pf to work correctly.

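The following check is an added example and is not part of the PR: it decides whether a host can use IPsec without a custom kernel, given the kernel ident (from "sysctl -n kern.ident") and a sysctl listing. It assumes that the net.inet.ipsec branch only exists when the kernel was built with "options IPSEC"; the sample sysctl output is constructed.

```shell
#!/bin/sh
# Classify a FreeBSD kernel as GENERIC or custom, and as having IPsec or not.
# Assumption: the net.inet.ipsec sysctl branch is only present on kernels
# built with "options IPSEC" (the situation the PR asks to change).
#
# ipsec_status IDENT SYSCTL_LISTING -> prints one of
#   generic-with-ipsec | generic-without-ipsec |
#   custom-with-ipsec  | custom-without-ipsec
ipsec_status() {
    ident=$1
    sysctls=$2
    case "$ident" in
        GENERIC) kind=generic ;;
        *)       kind=custom ;;
    esac
    if printf '%s\n' "$sysctls" | grep -q '^net\.inet\.ipsec\.'; then
        echo "${kind}-with-ipsec"
    else
        echo "${kind}-without-ipsec"
    fi
}

# Caveat from the PR: freebsd-update only patches GENERIC, so a custom
# IPsec kernel must be rebuilt from source after each update.
update_caveat() {
    case "$1" in
        custom-*)  echo "rebuild kernel from source after freebsd-update" ;;
        *)         echo "freebsd-update can patch this kernel" ;;
    esac
}

# Constructed sample: a 7.0 GENERIC kernel without IPsec.
SAMPLE_GENERIC_SYSCTLS='net.inet.ip.forwarding: 0
net.inet.tcp.blackhole: 0'
# Constructed sample: a custom kernel built with options IPSEC.
SAMPLE_IPSEC_SYSCTLS='net.inet.ip.forwarding: 0
net.inet.ipsec.def_policy: 1
net.inet.ipsec.esp_trans_deflev: 1'

# Live use on a FreeBSD host (uncomment):
# status=$(ipsec_status "$(sysctl -n kern.ident)" "$(sysctl -a 2>/dev/null)")
# echo "$status: $(update_caveat "$status")"
```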

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: gavin 
Responsible-Changed-When: Sat Oct 18 16:55:14 UTC 2008 
Responsible-Changed-Why:  
Over to maintainer(s) for consideration 

http://www.freebsd.org/cgi/query-pr.cgi?pr=128030 

From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: bug-followup@FreeBSD.org, lionel.fourquaux+fbsdbug@normalesup.org
Cc:  
Subject: Re: conf/128030: [request] Isn't it time to enable IPsec in GENERIC?
Date: Fri, 30 Jan 2009 20:10:45 +0000 (UTC)

 Hi,
 
 the problem here is that enabling IPsec adds overhead to the entire
 IPv4/v6 network stack handling.
 
 A lot of people are currently working on performance optimizations for
 all kinds of different setups. All those would be hurt if IPSEC would
 be on by default and they wouldn't need it. That's all kinds of
 various ISP server business for example.
 
 If we want to enable IPSEC by default on GENERIC the criteria to fix
 is "it must not measurably add up to processing times/reduce pps/.."
 if the connections do not use it.
 
 /bz
 
 -- 
 Bjoern A. Zeeb                      The greatest risk is not taking one.
State-Changed-From-To: open->suspended 
State-Changed-By: bz 
State-Changed-When: Fri Jan 30 23:27:32 UTC 2009 
State-Changed-Why:  
Suspend until enough work on fixing IPsec and performance 
wise integration into the main network stack code flow 
has been/can be done. 


Responsible-Changed-From-To: freebsd-net->bz 
Responsible-Changed-By: bz 
Responsible-Changed-When: Fri Jan 30 23:27:32 UTC 2009 
Responsible-Changed-Why:  
I'll take it so I'll have it in mind. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=128030 
Responsible-Changed-From-To: bz->gnn 
Responsible-Changed-By: bz 
Responsible-Changed-When: Sun May 18 05:02:19 UTC 2014 
Responsible-Changed-Why:  
I shall not use bugzilla (at least until we will have a CLI). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=128030 
>Unformatted:
