[Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload on the NIC

Ilan Tayari ilant at mellanox.com
Wed Jun 28 08:03:49 UTC 2017


> -----Original Message-----
> From: Antony Antony [mailto:antony at phenome.org]
> Subject: Re: [Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload
> on the NIC

...

> > iproute2 does show it, btw:
> >
> > # ip x s
> > src 192.168.7.11 dst 192.168.7.1
> >         proto esp spi 0xe1fe6a81 reqid 16389 mode tunnel
> >         replay-window 32 flag af-unspec
> >         aead rfc4106(gcm(aes)) 0xcb294e1c525e72b11f4e80bd0fffe854775e0a171660aefe0dd618ad074dc50fecf7d087 128
> >         anti-replay context: seq 0x3ef28, oseq 0x0, bitmap 0xffffffff
> >         crypto offload parameters: dev ens8 dir in
> 
> something like the above line could be added to ipsec status output.
> I could possibly help you with this if you could test it.

This reminds me of a different thing.
With the crypto offload we easily reach 18Gbps on a single SA, and we expect to increase speed even more soon.

This means without ESN, we deplete the 2^32 sequence numbers after ~47 minutes.

I can set the SA lifetime to less than that, but it would be nicer to have the daemon set a soft limit on packet count, and then rekey just in time before the sequence numbers deplete, regardless of how fast I generate the traffic.

What do you think?

> 
> -antony
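The sequence-number arithmetic behind the rekey request above, as an added worked example (not part of the original mail or of libreswan): at a given throughput and average ESP packet size it computes how fast the 32-bit (non-ESN) counter is consumed, how long until it is exhausted, and what a packet-count soft limit with a given margin leaves the daemon as headroom to finish the rekey. Throughput and packet size are constructed inputs; the 90% margin and the `margin_percent` parameter are assumptions, not libreswan settings.

```python
"""Sequence-number budget for an ESP SA with and without ESN (constructed example)."""

SEQ_BITS_NO_ESN = 32   # RFC 4303 sequence number field
SEQ_BITS_ESN = 64      # with Extended Sequence Numbers


def packets_per_second(throughput_gbps: float, packet_bytes: int) -> float:
    """Packet rate on the wire for a given throughput and average packet size."""
    return throughput_gbps * 1e9 / 8 / packet_bytes


def hard_packet_limit(esn: bool = False) -> int:
    """Highest sequence number a sender may use before the counter would wrap.

    RFC 4303 requires the sender to establish a new SA instead of cycling
    the counter, so this is the absolute packet budget of one SA.
    """
    bits = SEQ_BITS_ESN if esn else SEQ_BITS_NO_ESN
    return (1 << bits) - 1


def soft_packet_limit(hard: int, margin_percent: int = 90) -> int:
    """Packet count at which the daemon should start rekeying.

    Integer arithmetic so the limit is exact and never rounds above the
    hard limit.  margin_percent is an assumed policy knob for this example.
    """
    return hard * margin_percent // 100


def seconds_until_exhaustion(throughput_gbps: float, packet_bytes: int,
                             esn: bool = False) -> float:
    """Time for one SA to consume its whole sequence-number space."""
    return hard_packet_limit(esn) / packets_per_second(throughput_gbps, packet_bytes)


def rekey_headroom_seconds(throughput_gbps: float, packet_bytes: int,
                           margin_percent: int = 90) -> float:
    """Seconds of traffic between the soft limit and the hard limit (non-ESN).

    This is how long the daemon has to complete the rekey once the soft
    limit fires, independent of any wall-clock SA lifetime.
    """
    hard = hard_packet_limit()
    soft = soft_packet_limit(hard, margin_percent)
    return (hard - soft) / packets_per_second(throughput_gbps, packet_bytes)


def needs_rekey(current_seq: int, soft: int) -> bool:
    """True once the outbound sequence number has reached the soft limit."""
    return current_seq >= soft


if __name__ == "__main__":
    # Constructed figures: 18 Gbps on one SA, ~1500-byte packets.
    gbps, size = 18.0, 1500
    hard = hard_packet_limit()
    soft = soft_packet_limit(hard)
    print(f"packets/s         : {packets_per_second(gbps, size):,.0f}")
    print(f"2^32 exhausted in : {seconds_until_exhaustion(gbps, size) / 60:.1f} min")
    print(f"with ESN          : {seconds_until_exhaustion(gbps, size, esn=True) / 3.15e7:.0f} years")
    print(f"soft/hard packets : {soft:,} / {hard:,}")
    print(f"rekey headroom    : {rekey_headroom_seconds(gbps, size):.0f} s")
```

With these inputs the 32-bit space lasts about 47.7 minutes, matching the figure in the mail, while ESN pushes exhaustion out by a factor of 2^32. A 90% soft limit leaves roughly 286 seconds of traffic for the rekey to complete. The Linux XFRM SA lifetime already carries soft and hard packet counters (`ip xfrm state ... limit packet-soft N packet-hard N`), so the daemon can express this policy directly when it installs the SA rather than relying on a time-based lifetime tuned to the expected rate.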

