by mail.netbsd.org with SMTP; 19 Jul 2000 08:34:25 -0000
	by theory.cs.uni-bonn.de (8.9.1a/8.9.1) id KAA05601;
	Wed, 19 Jul 2000 10:34:07 +0200 (MET DST)
Date: Wed, 19 Jul 2000 10:34:07 +0200
From: Ignatios Souvatzis <ignatios@cs.uni-bonn.de>
To: itojun@iijlab.net
Cc: tls@rek.tjls.com, tech-security@netbsd.org, tech-net@netbsd.org,
        tech-kern@netbsd.org
Subject: Re: IPsec performance
Message-ID: <20000719103407.D29090@theory.cs.uni-bonn.de>
References: <20000718125701.A11953@rek.tjls.com> <938.963955445@coconut.itojun.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <938.963955445@coconut.itojun.org>; from itojun@iijlab.net on Wed, Jul 19, 2000 at 06:24:05AM +0900

On Wed, Jul 19, 2000 at 06:24:05AM +0900, itojun@iijlab.net wrote:
> 
> >With 466MHz Celeron CPUs and decent network hardware (3c905B) the most
> >throughput I seem to be able to force through our IPsec is about 1.5MB/sec
> >(that's mega *bytes*, not bits).  Though I'm told by several people that
> >this is not atypical for a software-only IPsec implementation, I don't
> >understand _why_.
> 
> 	see KAME PR 229.
> 	http://orange.kame.net/dev/query-pr.cgi?pr=229
> 
> 	basically, blowfish uses very big intermediate data and we cant
> 	hold it on the stack.  we endup using static memory pool and
> 	hence we need spl locks.  we'll try to correct it.

Thats specific to blowfish? What should we used on underpowered machines
instead?

Regards,
	-is