[Swan-dev] IPSec offload API

Paul Wouters paul at nohats.ca
Thu Dec 1 14:57:40 UTC 2016


On Thu, 1 Dec 2016, Ilan Tayari wrote:

> You will see ESP packets properly encapsulated. But if you use
> tcpdump -x (or -w, etc.) you will see plaintext payload inside them.

> Replay protection and UDP encapsulation are both features of the XFRM stack
> and not the crypto layer. They behave with offload just like without offload.
> You configure them the same way too, and I believe ACQUIRE works the same way
> as well.
>
> Only the crypto is offloaded to the NIC. Not the whole IPSec stack.
> Although we did talk about offloading the replay protection as well, so that
> RSS can work on the inner packets. This was not implemented yet.
>
> esp4/6.c have lots of changes in these patches. Yes.
> The new mechanisms are highly integrated into this logic.

Thanks for the information! I see no issues with adding support for your
device, although one remaining question is how we can easily detect
support for this in the kernel during runtime. Will there be a proc
value either in the nic subsystem or elsewhere that we can check for?

Paul
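An added example, not part of this thread or of libreswan: one way to answer the runtime-detection question on later kernels. It assumes that ESP crypto offload is advertised as the ethtool feature "esp-hw-offload" and that `ip -d xfrm state` prints a "crypto offload parameters: dev ... dir ..." line for offloaded SAs; both are assumptions about post-2016 kernels, not something this thread states.

```shell
# Added example (not from the thread). Assumed interfaces: the ethtool
# feature flag "esp-hw-offload" and the "crypto offload parameters:" line
# in `ip -d xfrm state` output, both from kernels later than this thread.

# Read `ethtool -k <dev>` output on stdin and report one feature as
# on / off / absent. "absent" means the kernel or driver predates the flag.
ethtool_feature_state() {
    awk -v feat="$1:" '
        $1 == feat { print ($2 == "on") ? "on" : "off"; found = 1 }
        END { if (!found) print "absent" }'
}

# Read `ip -d xfrm state` output on stdin and print "spi dst dev dir" for
# every SA whose crypto is done on a NIC. SAs without the offload line are
# still processed by the software crypto layer; replay protection and UDP
# encapsulation stay in XFRM either way, as the thread describes.
offloaded_sas() {
    awk '
        $1 == "src"   { dst = $4 }
        $1 == "proto" { spi = $4 }
        $1 == "crypto" && $2 == "offload" {
            for (i = 1; i <= NF; i++) {
                if ($i == "dev") dev = $(i + 1)
                if ($i == "dir") dir = $(i + 1)
            }
            print spi, dst, dev, dir
        }'
}

# Convenience wrappers for live use (need ethtool/iproute2 and, for xfrm
# state, root); not exercised here so the parsers can be tested offline.
nic_esp_offload() { ethtool -k "$1" 2>/dev/null | ethtool_feature_state esp-hw-offload; }
list_offloaded_sas() { ip -d xfrm state 2>/dev/null | offloaded_sas; }
```

Remember that on an offloading NIC a tcpdump capture of these SAs shows plaintext inside the ESP packets, exactly as Ilan notes, so capture output alone does not prove an SA is unprotected on the wire.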

