[Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload on the NIC
ilant at mellanox.com
Wed Jun 28 08:03:49 UTC 2017
> -----Original Message-----
> From: Antony Antony [mailto:antony at phenome.org]
> Subject: Re: [Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload
> on the NIC
> > iproute2 does show it, btw:
> > # ip x s
> > src 192.168.7.11 dst 192.168.7.1
> > proto esp spi 0xe1fe6a81 reqid 16389 mode tunnel
> > replay-window 32 flag af-unspec
> > aead rfc4106(gcm(aes))
> > anti-replay context: seq 0x3ef28, oseq 0x0, bitmap 0xffffffff
> > crypto offload parameters: dev ens8 dir in
> something like the above line could be added to ipsec status output.
> I could possibly help you with this if you could test it.
This reminds me of a different thing.
With the crypto offload we easily reach 18Gbps on a single SA, and we expect to increase speed even more soon.
This means without ESN, we deplete the 2^32 sequence numbers after ~47 minutes.
I can set the SA lifetime to less than that, but it would be nicer to have the daemon set a soft limit on packet count and then rekey just in time, before the sequence numbers are depleted, regardless of how fast I generate the traffic.
What do you think?
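To make the arithmetic in the message above concrete, here is an added example; it is my own code, not libreswan's and not code posted by anyone in this thread. It computes how long one SA lasts before the 32-bit ESP sequence number space is used up (with and without ESN), derives a packet-count soft limit at which a daemon could start rekeying, and checks `ip xfrm state` output against that limit. Assumptions: ~1500-byte packets, a 90% margin, the parser relies on iproute2's output layout (an `src ... dst ...` line per SA, `esn` listed among the flags on the replay-window line), and the second SA in the sample (SPI 0x12345678, direction out) is made up to show a counter close to exhaustion.

```python
# Added example (not libreswan code, not from this thread's authors):
# estimate when a non-ESN IPsec SA exhausts its 32-bit ESP sequence
# number space, derive a packet-count soft limit for rekeying, and check
# `ip xfrm state` output against that limit. Packet size, margin and the
# second SA below are assumptions / constructed data.
import re

SEQ_SPACE_NO_ESN = 2 ** 32  # 32-bit ESP sequence number (RFC 4303 section 2.2)
SEQ_SPACE_ESN = 2 ** 64     # Extended Sequence Numbers


def packets_per_second(throughput_bps: float, packet_bytes: int) -> float:
    """Packet rate of a flow pushing throughput_bps in packet_bytes-sized packets."""
    return throughput_bps / (packet_bytes * 8)


def seconds_to_exhaust(throughput_bps: float, packet_bytes: int, esn: bool = False) -> float:
    """Wall-clock time until one SA at this rate has used every sequence number."""
    space = SEQ_SPACE_ESN if esn else SEQ_SPACE_NO_ESN
    return space / packets_per_second(throughput_bps, packet_bytes)


def soft_packet_limit(margin: float = 0.9, esn: bool = False) -> int:
    """Packet count at which the daemon should start rekeying, leaving
    (1 - margin) of the space for the replacement SA to come up."""
    space = SEQ_SPACE_ESN if esn else SEQ_SPACE_NO_ESN
    return int(space * margin)


def parse_xfrm_state(text: str) -> list:
    """Minimal parser for `ip xfrm state` output: one dict per SA with src, dst,
    spi, the esn flag and the current seq/oseq counters. Assumes iproute2's
    layout: a 'src ... dst ...' line starts each SA and, for ESN SAs, 'esn'
    appears among the flags on the replay-window line."""
    sas = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^src (\S+) dst (\S+)$", line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "spi": None,
                   "esn": False, "seq": 0, "oseq": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = re.search(r"\bspi (0x[0-9a-fA-F]+)", line)
        if m:
            cur["spi"] = int(m.group(1), 16)
        if line.startswith("replay-window") and " flag " in line:
            cur["esn"] = "esn" in line.split(" flag ", 1)[1].split()
        m = re.search(r"\bseq (0x[0-9a-fA-F]+), oseq (0x[0-9a-fA-F]+)", line)
        if m:
            cur["seq"], cur["oseq"] = int(m.group(1), 16), int(m.group(2), 16)
    return sas


def sas_needing_rekey(sas: list, margin: float = 0.9) -> list:
    """SPIs whose in-use counter (oseq for an outbound SA, seq for an inbound
    one) has crossed the soft limit for that SA's sequence number space."""
    hits = []
    for sa in sas:
        used = max(sa["seq"], sa["oseq"])
        if used >= soft_packet_limit(margin, sa["esn"]):
            hits.append(sa["spi"])
    return hits


# Constructed sample: the first SA is the one quoted in the thread; the second
# (hypothetical SPI 0x12345678, outbound) is made up to show a near-exhausted counter.
SAMPLE_XFRM_STATE = """\
src 192.168.7.11 dst 192.168.7.1
	proto esp spi 0xe1fe6a81 reqid 16389 mode tunnel
	replay-window 32 flag af-unspec
	aead rfc4106(gcm(aes))
	anti-replay context: seq 0x3ef28, oseq 0x0, bitmap 0xffffffff
	crypto offload parameters: dev ens8 dir in
src 192.168.7.1 dst 192.168.7.11
	proto esp spi 0x12345678 reqid 16389 mode tunnel
	replay-window 32 flag af-unspec
	aead rfc4106(gcm(aes))
	anti-replay context: seq 0x0, oseq 0xf0000000, bitmap 0x00000000
	crypto offload parameters: dev ens8 dir out
"""

if __name__ == "__main__":
    # 18 Gbps of ~1500-byte packets (assumed size) on a single non-ESN SA
    mins = seconds_to_exhaust(18e9, 1500) / 60
    print(f"non-ESN SA at 18 Gbps, 1500-byte packets: exhausted in {mins:.1f} min")
    years = seconds_to_exhaust(18e9, 1500, esn=True) / 3.15e7
    print(f"same flow with ESN: about {years:.0f} years")
    print(f"rekey soft limit (90% of 2^32): {soft_packet_limit()} packets")
    flagged = sas_needing_rekey(parse_xfrm_state(SAMPLE_XFRM_STATE))
    print("SAs past the soft limit:", [hex(s) for s in flagged])
```

With 1500-byte packets, 18 Gbps works out to 1.5 million packets per second, so 2^32 sequence numbers last about 47.7 minutes, which matches the figure in the message; the same flow with ESN would not wrap for hundreds of thousands of years. The soft limit is what a daemon could compare against the kernel's oseq counter (or negotiate as a packet-count lifetime) so the rekey happens before the counter wraps, independent of the configured time lifetime.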