[Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload on the NIC
Antony Antony
antony at phenome.org
Wed Jun 28 11:57:18 UTC 2017
I got the xfrm.h updated. I am running tests various distros. The errors
were due to the order in which in.h and in6.h were included.
On Wed, Jun 28, 2017 at 08:03:49AM +0000, Ilan Tayari wrote:
> This reminds me of a different thing.
> With the crypto offload we easily reach 18Gbps on a single SA, and we expect to increase speed even more soon.
>
> This means without ESN, we deplete the 2^32 sequence numbers after ~47 minutes.
Interesting!
> I can set the SA lifetime to less than that, but it would be nicer to have
> the daemon set a soft limit on packet count, and then rekey just in time
> before the sequence numbers deplete, regardless of how fast I generate the
> traffic.
>
> What do you think?
I think it is a nice to have. Paul added the keywords. I will see if I can
finish it.
-antony
More information about the Swan-dev
mailing list