[Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload on the NIC
Ilan Tayari
ilant at mellanox.com
Wed Jun 28 05:31:06 UTC 2017
> -----Original Message-----
> From: Antony Antony [mailto:antony at phenome.org]
> Subject: Re: [Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload
> on the NIC
>
> I guess this could be applied. However, please hold on, let's update
> xfrm.h first.
>
> I plan to update linux26/xfrm.h with history from kernel commits.
> It should happen before this patch. Otherwise it is hard to know how up to
> date xfrm.h is.
Thanks for the review, Paul!
Yes, I suppose xfrm.h update should come separately and before.
I don't mind rebasing and re-submitting after you do that.
Do you have an approximation when this would happen?
>
> Another comment. It would be nice to add a whack option?
I'll take some time to understand whack better and come up with something.
You're talking about the command line tool, right?
>
> How would XFRM_MSG_GETSA work? I am guessing you have a running system.
> Could you share output of
>
> ipsec whack --trafficstatus
# ipsec whack --trafficstatus
006 #24: "myconn", type=ESP, add_time=1498620457, inBytes=13407272, outBytes=288772244, id='192.168.7.11'
Do you suggest adding something to GETSA flow to indicate it?
iproute2 does show it, btw:
# ip x s
src 192.168.7.11 dst 192.168.7.1
    proto esp spi 0xe1fe6a81 reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    aead rfc4106(gcm(aes)) 0xcb294e1c525e72b11f4e80bd0fffe854775e0a171660aefe0dd618ad074dc50fecf7d087 128
    anti-replay context: seq 0x3ef28, oseq 0x0, bitmap 0xffffffff
    crypto offload parameters: dev ens8 dir in
src 192.168.7.1 dst 192.168.7.11
    proto esp spi 0x0bc2a286 reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    aead rfc4106(gcm(aes)) 0x0e62be3e706f5558c38cec8490a41f1abbff776c1fbd8d779b69de0ab1aa718f92338a80 128
    anti-replay context: seq 0x0, oseq 0x9020d8, bitmap 0x00000000
    crypto offload parameters: dev ens8 dir out
>
> regards,
> -antony
>
>
> On Tue, Jun 27, 2017 at 06:48:26PM +0300, ilant at mellanox.com wrote:
> > From: Ilan Tayari <ilant at mellanox.com>
> >
> > Add per-connection configuration flag to enable HW offload.
> >
> > For kernel_netlink, if flag is set and connection is oriented,
> > attempt to offload on the interface's device by adding the new
> > XFRMA_OFFLOAD_DEV netlink attribute.
> >
> > Signed-off-by: Ilan Tayari <ilant at mellanox.com>
> > ---
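
Added example, not part of the original message or of libreswan: a small parser that reads `ip xfrm state` text in the layout quoted above and reports, per SA, whether iproute2 printed a "crypto offload parameters" line. The function names are hypothetical and the sample input is constructed, with key material replaced by a placeholder.

```python
import re

# Constructed sample in the layout of the `ip x s` output quoted above; key
# material is a placeholder and the second SA deliberately has no offload line.
SAMPLE = """\
src 192.168.7.11 dst 192.168.7.1
\tproto esp spi 0xe1fe6a81 reqid 16389 mode tunnel
\taead rfc4106(gcm(aes)) 0xKEY_PLACEHOLDER 128
\tanti-replay context: seq 0x3ef28, oseq 0x0, bitmap 0xffffffff
\tcrypto offload parameters: dev ens8 dir in
src 192.168.7.1 dst 192.168.7.11
\tproto esp spi 0x0bc2a286 reqid 16389 mode tunnel
\taead rfc4106(gcm(aes)) 0xKEY_PLACEHOLDER 128
"""

SA_RE = re.compile(r"^src (\S+) dst (\S+)$")
SPI_RE = re.compile(r"^proto (\S+) spi (0x[0-9a-fA-F]+)")
OFFLOAD_RE = re.compile(r"^crypto offload parameters: dev (\S+) dir (in|out)")

def parse_xfrm_states(text):
    """Return one dict per SA; 'offload' is (dev, dir) or None."""
    states = []
    for raw in text.splitlines():
        line = raw.strip()  # tolerate output whose indentation was lost
        m = SA_RE.match(line)
        if m:  # a bare "src A dst B" line starts a new SA
            states.append({"src": m.group(1), "dst": m.group(2),
                           "proto": None, "spi": None, "offload": None})
            continue
        if not states:
            continue  # skip anything before the first SA header
        m = SPI_RE.match(line)
        if m:
            states[-1]["proto"], states[-1]["spi"] = m.group(1), m.group(2)
        m = OFFLOAD_RE.match(line)
        if m:
            states[-1]["offload"] = (m.group(1), m.group(2))
    return states

def not_offloaded(states):
    """SAs for which iproute2 printed no offload line."""
    return [sa for sa in states if sa["offload"] is None]

if __name__ == "__main__":
    for sa in parse_xfrm_states(SAMPLE):
        how = "dev %s dir %s" % sa["offload"] if sa["offload"] else "no offload"
        print(sa["src"], "->", sa["dst"], sa["spi"], how)
```

When sharing real `ip xfrm state` output for debugging, replace the key fields first, as the sample does.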