Hi folks, it's nice to hear from you all.
To your questions, Avi:
1. The Linux kernel stack didn't support ipsec when the ixgbe driver
first came out. This support was only recently (in the last year)
added. My patches are being tested by Intel before they push them up to
net-next, but you are welcome to pull them yourself for your own testing
- Don's links below will get you to them.
2. The recent XFRM work from Steffen Klassert takes care of the
upper-stack responsibilities for setting up the Tx and tearing down the
Rx packets. The offload capability does the encryption/decryption and
updates the ESP fields.
3. The Intel datasheets and the code in the Mellanox driver are the
references I had available to me when implementing the changes. I also
appreciate the support I got from a few of the Intel developers.
The quick summary is that under my simple testing, the patches offload
ipsec traffic for the one encryption that Intel offers. The performance
still needs some tweaking as the code doesn't yet handle TSO or checksum
offload at the same time as ipsec offload. However, in one iperf test
where the software ipsec only gives us about 300Mbps on a 10GbE link,
I've seen 7Gbps or better with the offload turned on.
You can get more information from the slides and video of the IPsec
workshop at the recent NetDevConf:
https://www.netdevconf.org/2.2/session.html?klassert-ipsec-workshop
You can get a little more information and background from the previous
NetDevConf slides and videos.
As Don mentioned below, I've forwarded the patches to Intel's git tree
and they are currently under review and test with the Intel folks. I
don't know their current progress, but I hope to see the patches pushed
into net-next soon.
Todd, perhaps you can poke at the test folks and let them know we have
customers anxiously awaiting the patches?
Thanks for your interest,
Shannon
On 1/3/2018 12:29 AM, Avi Cohen (A) wrote:
Hi Nelson
1.Can you tell what is the status of ixgbe – ipsec offload patch’s?
2.Are there any ‘numbers’ of performance tests? Ipsec in SW v.s.
ipsec in HW ?
3.Where is the code for ipsec headers insertion/removal by SW ? is this
done in ip-stack ? hooks ?
Thanks You (and Don and Todd) and Best Regards
Avi
*From:*Fujinaka, Todd [mailto:todd.fujin...@intel.com]
*Sent:* Tuesday, 02 January, 2018 10:54 PM
*To:* Buchholz, Donald; Avi Cohen (A)
*Subject:* RE: [linux.n...@intel.com] x540 / 82599 IPsec offload - Linux
ixgbe driver
We did not support IPsec offloads in Linux because the kernel
maintainers didn’t trust any crypto implementation that they couldn’t
audit and told us those patches wouldn’t be accepted. I don’t know if
that’s changed.
The implementation of IPsec offloads is being done by an Oracle engineer
and I would suggest contacting him directly with your questions.
*Todd Fujinaka*
Software Application Engineer
Datacenter Engineering Group
Intel Corporation
_todd.fujin...@intel.com <mailto:todd.fujin...@intel.com>___
*From:*Buchholz, Donald
*Sent:* Tuesday, January 2, 2018 11:15 AM
*To:* Avi Cohen <avi.co...@huawei.com <mailto:avi.co...@huawei.com>>
*Subject:* Re: [linux.n...@intel.com] x540 / 82599 IPsec offload - Linux
ixgbe driver
Hi Avi,
We have not supported IPsec Offload in 'ixgbe' in the past
due to lack of demand. However, your timing in this matter
is perfect! Patches have been submitted to the intel-wired-lan
list and are currently under review in the ixgbe development
tree. We expect these to be in the linux-4.16 kernel.
Patch series under review:
--
http://patchwork.ozlabs.org/project/intel-wired-lan/list/?series=19548
Patch series in intel-wired-lan email list:
--
https://lists.osuosl.org/pipermail/intel-wired-lan/Week-of-Mon-20171218/thread.html
I am copying this reply to an internal engineering list so the
development team is aware of your interest.
Unfortunately this "linux.n...@intel.com" <mailto:linux.n...@intel.com>
email address isn't
well-monitored. Please use "e1000-devel@lists.sourceforge.net"
<mailto:e1000-devel@lists.sourceforge.net>
for any additional questions about the Linux drivers for any
Intel (wired) Ethernet device.
-- https://sourceforge.net/p/e1000/mailman/
Best Regards,
- Don Buchholz
- Network SW Engineer
- Intel Corporation
- DCG/CG/ND/SW Core/Open Source
------------------------------------------------------------------------
Date: Sun, 31 Dec 2017 14:54:54 +0000
From: "Avi Cohen (A)" <avi.co...@huawei.com> <mailto:avi.co...@huawei.com>
To: "linux.n...@intel.com" <mailto:linux.n...@intel.com>
<linux.n...@intel.com> <mailto:linux.n...@intel.com>
Subject: x540 / 82599 IPsec offload - Linux ixgbe driver
Hello all,
I see in the datasheet of devices x540/82599 that it supports HW IPsec
offload - but there is no support in ixgbe SW driver.
Questions:
1. Why there is no support in ixgbe ?
2. From the datasheet I understand that TX packets send to HW should
contain IPsec headers
I think this should be handled in Linux ip-stack - is there any
work done there ?
3. Is there other helpful documentation to implement SW for HW IPsec,
available ?
Thank you and bets regards
Avi
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
E1000-devel mailing list
E1000-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/e1000-devel
To learn more about Intel® Ethernet, visit
http://communities.intel.com/community/wired
