Re: linux-ipsec: to be or not to be, that is the config question

> > Given that we now have klipsdebug to turn debugging on and off, is there

Verbosity differences should probably be under the control of klipsdebug. If it's useful to adjust it at all, it's useful to be able to adjust it at run time.

It seems to me that speed is not a significant issue if the only overhead (when debugging is switched off) is checking a flag now and then. Only if some of the flag checks are inside tight inner loops (seems unlikely), or if there is significant debug code which is run without a flag check, is there really a speed issue. If (as is usually the case) hundreds of other operations are done between flag checks, the speed price is so small that it's well worth paying. (There are always people who grudge even a fraction of a percent in overhead, but they're already used to having to custom-build their systems.)

Code size is more of an issue, especially since Linux has some limits in this area. But numbers matter. RGB, can you compare size with debugging on and off? (Or commit the compile fix and I can do that.)

> I don't think a separate option for each transform is all that useful, but

Yes, I should have mentioned that -- I agree that it's worth making the experimental/out-of-date stuff optional.

> In addition,
> we may want a switch for minimal IPSEC conformance transform inclusion.

This is the area where I hesitate. I can see a possibility of ending up with a bunch of different switches for different situations, each of which turns on a different combination of transforms, and it's not clear to me that that's really an improvement, especially since there will always be requests for just one more combination. It might be better to leave in the switches for individual transforms, but have them all default to on (subject to the experimental/out-of-date switch) and just tell people "it shouldn't normally be necessary to mess with those switches, they are present to cover special needs".

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek

I'd appreciate feedback from other folks on this list -- potential users! -- who might have some idea of how much they'd want to customize things like the set of available transforms.

                                                          Henry Spencer
                                                       henry@spsystems.net
                                                     (henry@zoo.toronto.edu)