Monday, March 3, 2008

IPS - Linux User space, Kernel space - Where should it run?

Just a thought...

Advantages of user space:
  • Easier to debug: an advantage for developers, and an IPS is quite complex.
  • Faster to develop new functionality:
    • No practical limit on stack size: a user-space stack grows with usage, while a kernel thread stack is small and fixed (a few KB).
    • Many debugging tools are available for user-space applications.
    • Memory is pageable, so almost all of the system's virtual memory can be used; kernel memory is non-pageable and allocations are far more constrained.
    • Many libraries are available.
  • A software crash takes down only the IPS process, which can be restarted quickly; a crash in kernel code takes the whole system down.
Advantages of kernel space:
  • Faster packet processing:
    • No thread scheduling or context-switch overhead.
    • No copy of packet buffers between kernel and user space.
    • Direct access to TCP/IP stack functions such as routing and bridging.
  • No or very minimal jitter when run in softirq/tasklet context, which matters for VoIP traffic:
    • The real-time characteristics of the traffic are preserved.
  • Direct physical memory access.
  • Easier to port to a real-time operating system, since few OS services are used: an advantage for vendors who need flexibility in the underlying OS.
As a developer, I prefer doing this entirely in user space. But kernel space has its advantages, mainly performance and low jitter. IMO, a combination of user space and kernel space is needed. If only L4 inspection is required for a session, it is better handled completely in kernel space. If protocol inspection beyond L4 is required, such as SIP or HTTP protocol analysis, it is better done in user space. The kernel side should make that decision per session, so that only the sessions needing deeper analysis pay the buffer-copy and scheduling cost of a trip to user space. I prefer this kind of hybrid approach.
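A sketch of that hybrid split in Python, added here as an illustration and not part of the original post. The L4 fast path that a kernel module or netfilter rule set would implement is modeled as a plain function that returns ACCEPT, DROP or QUEUE; only QUEUEd packets reach the user-space HTTP and SIP request-line checks. The sample packets are constructed inside the script (checksums left zero), and the port-to-protocol map, the 2048-byte URI limit and the flag checks are choices made for the example.

```python
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10
L7_PORTS = {80: "http", 5060: "sip"}            # assumed: ports whose payload needs L7 inspection
HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}
SIP_METHODS = {b"INVITE", b"ACK", b"BYE", b"CANCEL", b"REGISTER", b"OPTIONS"}


def build_packet(sport, dport, flags, payload=b"", proto=6):
    """Build a minimal IPv4+TCP packet (constructed test input, checksums left zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_l4(pkt):
    """Decode the IPv4 and TCP headers: all the information an L4-only fast path needs."""
    ihl = (pkt[0] & 0x0F) * 4
    info = {"proto": pkt[9], "src": pkt[12:16], "dst": pkt[16:20]}
    if info["proto"] != 6:
        info["payload"] = pkt[ihl:]
        return info
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    data_off = (off_flags >> 12) * 4
    info.update(sport=sport, dport=dport, flags=off_flags & 0x1FF, payload=pkt[ihl + data_off:])
    return info


def kernel_fastpath(l4):
    """Model of the in-kernel decision: pure L4 checks, no payload parsing.
    Returns ACCEPT or DROP, or QUEUE to hand the packet up to user space."""
    if l4["proto"] != 6:
        return "ACCEPT"
    f = l4["flags"]
    if f == 0 or (f & TCP_SYN and f & TCP_FIN):     # NULL scan / SYN+FIN: never legitimate
        return "DROP"
    if l4["dport"] in L7_PORTS and l4["payload"]:   # handshake and empty ACKs stay in the kernel
        return "QUEUE"
    return "ACCEPT"


def inspect_http(payload):
    """User-space L7 check: validate the HTTP request line before it reaches the server."""
    line, _, _ = payload.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3 or parts[0] not in HTTP_METHODS:
        return "DROP"
    if len(parts[1]) > 2048 or not parts[2].startswith(b"HTTP/1."):
        return "DROP"
    return "ACCEPT"


def inspect_sip(payload):
    """User-space L7 check: SIP request line needs a known method, a sip: URI, SIP/2.0 and a Via header."""
    line, _, rest = payload.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3 or parts[0] not in SIP_METHODS:
        return "DROP"
    if not parts[1].startswith((b"sip:", b"sips:")) or parts[2] != b"SIP/2.0":
        return "DROP"
    if not any(h.lower().startswith((b"via:", b"v:")) for h in rest.split(b"\r\n")):
        return "DROP"
    return "ACCEPT"


def process(pkt):
    """Hybrid pipeline: kernel-side L4 verdict first; only QUEUEd packets pay the user-space cost.
    Returns (verdict, where-it-was-decided)."""
    l4 = parse_l4(pkt)
    verdict = kernel_fastpath(l4)
    if verdict != "QUEUE":
        return verdict, "kernel"
    inspector = {"http": inspect_http, "sip": inspect_sip}[L7_PORTS[l4["dport"]]]
    return inspector(l4["payload"]), "user"


# Constructed sample traffic, not captured from a real network.
SAMPLES = {
    "syn_to_ssh":  build_packet(40000, 22, TCP_SYN),
    "syn_to_http": build_packet(40003, 80, TCP_SYN),
    "null_scan":   build_packet(40000, 80, 0),
    "http_ok":     build_packet(40001, 80, TCP_ACK, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "http_bad":    build_packet(40002, 80, TCP_ACK, b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\n\r\n"),
    "sip_ok":      build_packet(5060, 5060, TCP_ACK, b"INVITE sip:bob@example.test SIP/2.0\r\nVia: SIP/2.0/TCP 10.0.0.1\r\n\r\n"),
    "sip_bad":     build_packet(5060, 5060, TCP_ACK, b"INVITE bob SIP/2.0\r\n\r\n"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:12s} -> {process(pkt)}")
```

Note that the SYN to port 80 and the port-scan packets never leave the modeled kernel path; only packets that carry an HTTP or SIP payload are queued, which is the whole point of the split. In a real deployment the kernel side would be a netfilter hook or an iptables NFQUEUE rule and the user-space side would receive the queued packets and return the verdict.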
