[Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload on the NIC

Ilan Tayari ilant at mellanox.com
Wed Jun 28 05:53:17 UTC 2017

> -----Original Message-----
> From: Antony Antony [mailto:antony at phenome.org]
> Subject: Re: [Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload
> on the NIC
> oh, few informational questions.

Hi Antony,
(Sorry for confusing you with Paul in previous email)

> 1. how to detect which esp algorithms are supported by this card?
There is no kernel API for that :/
Currently the user is supposed to be aware which algos and modes his offload-capable NIC supports.

> 2. how does it deal with add_sa for a unsupported algorithm?
If you attempt to install an SA with unsupported offload properties, it fails with -EINVAL.
User may get more info in the logs, but the daemon will get just this generic indication.

> 3. does the card support AH SA?
Our card does not currently. It is in the plans for future.
See the driver cover letter for more info:

> 4. does it support xfrm acquire, block and pass polices too?
The card currently offloads only the SADB, and not the SPD.
So all policy-related checks are still in the xfrm stack.
Acquires are not offloaded, only SAs that are supposed to have traffic on them are offloaded.

Offloading the SPD is planned for the future.

> 5. Any limits on number of SA supported? and would it return something
> like
> can't add any more message or silently fail.
The card currently supports 1 million SAs maximum.
You may not reach that limit, though, due to hash collisions.
If offloaded SA cannot be added to the hardware due to that, the add_sa will fail.

> 6. does a "ipsec restart" clear the SAs properly if pluto crash?
> _stackmanger try to do that when pluto crash.

Deleting the SA in xfrm deletes it in the NIC as well.
Flushing SAs in xfrm flushes them in the NIC as well.

The conclusion from all the above, is that on failure to add_sa with offload, we may retry add_sa without offload.
But then again some users may want to engineer their systems to only add supported SAs. They will not want to tolerate fallback to non-offload.
Maybe this could be another configuration option?

In any case maybe these things can be developed as incremental improvements to libreswan?


> thanks,
> -antony
> On Tue, Jun 27, 2017 at 06:48:26PM +0300, ilant at mellanox.com wrote:
> > From: Ilan Tayari <ilant at mellanox.com>
> >
> > Add per-connection configuration flag to enable HW offload.
> >
> > For kernel_netlink, if flag is set and connection is oriented,
> > attempt to offload on the interface's device by adding the new
> > XFRMA_OFFLOAD_DEV netlink attribute.
> >
> > Signed-off-by: Ilan Tayari <ilant at mellanox.com>

More information about the Swan-dev mailing list