On 1/7/2018 4:50 AM, Avi Cohen (A) wrote:
Thank you Shannon
1. I did not find the configuration file to config the SA/SP ?
I don't use any particular configuration file, I have a simple shell
script that does some "ip x s ..." and "ip x p ..." commands for my
testing. You can see an example of the resulting commands on one of the
last slides from the NetdevConf talk.
2. Do you know if this IPsec offload can coexist with SR-IOV ?
I haven't tested this myself yet, but I see no reason why not. The
trick, though, will be in coordinating the ipsec config with any VMs
using those SR-IOV VFs.
sln
Best Regards
Avi
-----Original Message-----
From: Shannon Nelson [mailto:shannon.nel...@oracle.com]
Sent: Wednesday, 03 January, 2018 7:22 PM
To: Avi Cohen (A); Fujinaka, Todd; Buchholz, Donald
Cc: e1000-devel@lists.sourceforge.net
Subject: Re: [e1000-devel@lists.sourceforge.net] x540 / 82599 IPsec offload -
Linux ixgbe driver
Hi folks, it's nice to hear from you all.
To your questions, Avi:
1. The Linux kernel stack didn't support ipsec when the ixgbe driver first came
out. This support was only recently (in the last year) added. My patches are
being tested by Intel before they push them up to net-next, but you are
welcome to pull them yourself for your own testing
- Don's links below will get you to them.
2. The recent XFRM work from Steffen Klassert takes care of the upper-stack
responsibilities for setting up the Tx and tearing down the Rx packets. The
offload capability does the encryption/decryption and updates the ESP fields.
3. The Intel datasheets and the code in the Mellanox driver are the references I
had available to me when implementing the changes. I also appreciate the
support I got from a few of the Intel developers.
The quick summary is that under my simple testing, the patches offload ipsec
traffic for the one encryption that Intel offers. The performance still needs
some tweaking as the code doesn't yet handle TSO or checksum offload at the
same time as ipsec offload. However, in one iperf test where the software
ipsec only gives us about 300Mbps on a 10GbE link, I've seen 7Gbps or better
with the offload turned on.
You can get more information from the slides and video of the IPsec workshop
at the recent NetDevConf:
https://www.netdevconf.org/2.2/session.html?klassert-ipsec-workshop
You can get a little more information and background from the previous
NetDevConf slides and videos.
As Don mentioned below, I've forwarded the patches to Intel's git tree and they
are currently under review and test with the Intel folks. I don't know their
current progress, but I hope to see the patches pushed into net-next soon.
Todd, perhaps you can poke at the test folks and let them know we have
customers anxiously awaiting the patches?
Thanks for your interest,
Shannon
On 1/3/2018 12:29 AM, Avi Cohen (A) wrote:
Hi Nelson
1.Can you tell what is the status of ixgbe – ipsec offload patch’s?
2.Are there any ‘numbers’ of performance tests? Ipsec in SW v.s.
ipsec in HW ?
3.Where is the code for ipsec headers insertion/removal by SW ? is
this done in ip-stack ? hooks ?
Thanks You (and Don and Todd) and Best Regards
Avi
*From:*Fujinaka, Todd [mailto:todd.fujin...@intel.com]
*Sent:* Tuesday, 02 January, 2018 10:54 PM
*To:* Buchholz, Donald; Avi Cohen (A)
*Subject:* RE: [linux.n...@intel.com] x540 / 82599 IPsec offload -
Linux ixgbe driver
We did not support IPsec offloads in Linux because the kernel
maintainers didn’t trust any crypto implementation that they couldn’t
audit and told us those patches wouldn’t be accepted. I don’t know if
that’s changed.
The implementation of IPsec offloads is being done by an Oracle
engineer and I would suggest contacting him directly with your questions.
*Todd Fujinaka*
Software Application Engineer
Datacenter Engineering Group
Intel Corporation
_todd.fujin...@intel.com <mailto:todd.fujin...@intel.com>___
*From:*Buchholz, Donald
*Sent:* Tuesday, January 2, 2018 11:15 AM
*To:* Avi Cohen <avi.co...@huawei.com <mailto:avi.co...@huawei.com>>
*Subject:* Re: [linux.n...@intel.com] x540 / 82599 IPsec offload -
Linux ixgbe driver
Hi Avi,
We have not supported IPsec Offload in 'ixgbe' in the past due to lack
of demand. However, your timing in this matter is perfect! Patches
have been submitted to the intel-wired-lan list and are currently
under review in the ixgbe development tree. We expect these to be in
the linux-4.16 kernel.
Patch series under review:
--
http://patchwork.ozlabs.org/project/intel-wired-lan/list/?series=19548
Patch series in intel-wired-lan email list:
--
https://lists.osuosl.org/pipermail/intel-wired-lan/Week-of-Mon-2017121
8/thread.html
I am copying this reply to an internal engineering list so the
development team is aware of your interest.
Unfortunately this "linux.n...@intel.com"
<mailto:linux.n...@intel.com> email address isn't well-monitored.
Please use "e1000-devel@lists.sourceforge.net"
<mailto:e1000-devel@lists.sourceforge.net>
for any additional questions about the Linux drivers for any Intel
(wired) Ethernet device.
-- https://sourceforge.net/p/e1000/mailman/
Best Regards,
- Don Buchholz
- Network SW Engineer
- Intel Corporation
- DCG/CG/ND/SW Core/Open Source
----------------------------------------------------------------------
--
Date: Sun, 31 Dec 2017 14:54:54 +0000
From: "Avi Cohen (A)" <avi.co...@huawei.com>
<mailto:avi.co...@huawei.com>
To: "linux.n...@intel.com" <mailto:linux.n...@intel.com>
<linux.n...@intel.com> <mailto:linux.n...@intel.com>
Subject: x540 / 82599 IPsec offload - Linux ixgbe driver
Hello all,
I see in the datasheet of devices x540/82599 that it supports HW IPsec
offload - but there is no support in ixgbe SW driver.
Questions:
1. Why there is no support in ixgbe ?
2. From the datasheet I understand that TX packets send to HW should
contain IPsec headers
I think this should be handled in Linux ip-stack - is there any
work done there ?
3. Is there other helpful documentation to implement SW for HW IPsec,
available ?
Thank you and bets regards
Avi
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
E1000-devel mailing list
E1000-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/e1000-devel
To learn more about Intel® Ethernet, visit
http://communities.intel.com/community/wired
