[Swan-dev] IPSec offload API

Ilan Tayari ilant at mellanox.com
Mon Nov 28 08:31:51 UTC 2016


Hello all,

I would like to introduce the new kernel API for IPSec crypto offload, and open discussion regarding its support in swan daemons.

This is currently just an RFC in Linux net-next, but it is stabilizing and will be submitted soon enough.
Steffen Klassert has been working on this for a while now, and I have helped with testing and the driver for Mellanox hardware.

For anyone who is interested, here is the kernel code:
https://git.kernel.org/cgit/linux/kernel/git/klassert/linux-stk.git/log/?h=net-next-ipsec-offload-api5
And a version of our driver:
https://github.com/Mellanox/ipsec-offload/tree/net-next-ipsec-offload-api3-squash
Branches get rebased and updated every once in a while.

To sum up, a new XFRM state attribute is introduced: XFRMA_OFFLOAD_DEV
Along with the following struct:

struct xfrm_user_offload {
       int                             ifindex;   /* network interface that will offload this SA */
       __u8                            flags;     /* XFRM_OFFLOAD_* bits, see below */
};
#define XFRM_OFFLOAD_IPV6      1   /* the SA's L3 protocol is IPv6 (clear: IPv4) */
#define XFRM_OFFLOAD_INBOUND   2   /* the SA is inbound (clear: outbound) */

Regarding the swan daemon, we expect the user to configure HW offload explicitly (maybe per-SA, or maybe globally).
Then the daemon will apply this attribute to the XFRM states that it wishes to offload.

Note that the offloaded XFRM state needs the daemon to explicitly specify the network interface ifindex, the SA direction
(inbound or outbound), and the L3 protocol used (IPv4 or IPv6).
A network interface needs to specify the capability flag NETIF_F_HW_ESP in order to indicate support of ESP crypto offload.
All of this may require some extra logic from the daemon.

Lastly, the offloaded XFRM state may be rejected by the driver or kernel, by returning an error from the NEWSA message.
In such a case, the daemon may wish to fall back to non-offloaded XFRM state, or do something else (configurable?)

Even if the offloaded XFRM state is accepted, the kernel might not have used the offload attribute.
Therefore the daemon is expected to read back the SA if it wishes to report to the user that it is indeed offloading.

Any comments regarding this are welcome.
I would love to see support for all of this in libreswan as well.

Thanks,
Ilan.