[Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload on the NIC

Ilan Tayari ilant at mellanox.com
Wed Jun 28 05:31:06 UTC 2017


> -----Original Message-----
> From: Antony Antony [mailto:antony at phenome.org]
> Subject: Re: [Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload
> on the NIC
> 
> I guess this could be applied. However, please hold on, let's update
> xfrm.h first.
> 
> I plan to update linux26/xfrm.h with history from kernel commits.
> It should happen before this patch. Otherwise it is hard to know how
> up to date xfrm.h is.

Thanks for the review, Paul!

Yes, I suppose xfrm.h update should come separately and before.
I don't mind rebasing and re-submitting after you do that.
Do you have an approximation when this would happen?

> 
> Another comment. It would be nice to add a whack option?

I'll take some time to understand whack better and come up with something.
You're talking about the command line tool, right?

> 
> How would XFRM_MSG_GETSA work? I am guessing you have a running system.
> Could you share output of
> 
> ipsec whack --trafficstatus

# ipsec whack --trafficstatus
006 #24: "myconn", type=ESP, add_time=1498620457, inBytes=13407272, outBytes=288772244, id='192.168.7.11'

Do you suggest adding something to GETSA flow to indicate it?

iproute2 does show it, btw:

# ip x s
src 192.168.7.11 dst 192.168.7.1
        proto esp spi 0xe1fe6a81 reqid 16389 mode tunnel
        replay-window 32 flag af-unspec
        aead rfc4106(gcm(aes)) 0xcb294e1c525e72b11f4e80bd0fffe854775e0a171660aefe0dd618ad074dc50fecf7d087 128
        anti-replay context: seq 0x3ef28, oseq 0x0, bitmap 0xffffffff
        crypto offload parameters: dev ens8 dir in
src 192.168.7.1 dst 192.168.7.11
        proto esp spi 0x0bc2a286 reqid 16389 mode tunnel
        replay-window 32 flag af-unspec
        aead rfc4106(gcm(aes)) 0x0e62be3e706f5558c38cec8490a41f1abbff776c1fbd8d779b69de0ab1aa718f92338a80 128
        anti-replay context: seq 0x0, oseq 0x9020d8, bitmap 0x00000000
        crypto offload parameters: dev ens8 dir out

> 
> regards,
> -antony
> 
> 
> On Tue, Jun 27, 2017 at 06:48:26PM +0300, ilant at mellanox.com wrote:
> > From: Ilan Tayari <ilant at mellanox.com>
> >
> > Add per-connection configuration flag to enable HW offload.
> >
> > For kernel_netlink, if flag is set and connection is oriented,
> > attempt to offload on the interface's device by adding the new
> > XFRMA_OFFLOAD_DEV netlink attribute.
> >
> > Signed-off-by: Ilan Tayari <ilant at mellanox.com>
> > ---
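
Added example, not part of the original message or of the libreswan patch: since `ipsec whack --trafficstatus` above does not indicate offload while `ip x s` does, this sketch parses `ip xfrm state` text and lists the SAs that have no `crypto offload parameters` line. It assumes an iproute2 that prints that line as in the message; the sample input, the all-zero keys and all function names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the format of `ip xfrm state`; addresses, SPIs and the
# all-zero keys are made up for this example.
SAMPLE = """\
src 10.0.0.2 dst 10.0.0.1
\tproto esp spi 0x00000101 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\taead rfc4106(gcm(aes)) 0x0000000000000000000000000000000000000000 128
\tcrypto offload parameters: dev eth0 dir in
src 10.0.0.1 dst 10.0.0.2
\tproto esp spi 0x00000102 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\taead rfc4106(gcm(aes)) 0x0000000000000000000000000000000000000000 128
"""

@dataclass
class SA:
    src: str
    dst: str
    spi: Optional[str] = None
    offload_dev: Optional[str] = None   # None: no offload line was printed for this SA
    offload_dir: Optional[str] = None

HEAD = re.compile(r"^src (\S+) dst (\S+)")
SPI = re.compile(r"\bspi (0x[0-9a-fA-F]+)")
OFFLOAD = re.compile(r"crypto offload parameters: dev (\S+) dir (in|out)")

def parse_xfrm_state(text: str) -> List[SA]:
    """Parse `ip xfrm state` text into SA records; key material is never stored."""
    sas: List[SA] = []
    for line in text.splitlines():
        if m := HEAD.match(line):            # an unindented "src" line starts a new SA
            sas.append(SA(src=m.group(1), dst=m.group(2)))
        elif not sas:
            continue                         # ignore anything before the first SA
        elif m := OFFLOAD.search(line):
            sas[-1].offload_dev, sas[-1].offload_dir = m.groups()
        elif (m := SPI.search(line)) and sas[-1].spi is None:
            sas[-1].spi = m.group(1)
    return sas

def not_offloaded(sas: List[SA]) -> List[SA]:
    """SAs for which the output shows no crypto offload parameters."""
    return [sa for sa in sas if sa.offload_dev is None]

if __name__ == "__main__":
    for sa in parse_xfrm_state(SAMPLE):
        print(sa.spi, sa.src, "->", sa.dst, sa.offload_dev or "software", sa.offload_dir or "")
```
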

