Thanks, Avi, I'll check that. In the meantime I've got a patch for the
ipv6 support that I'll probably send tomorrow after some more testing.
sln
On 1/16/2018 11:46 PM, Avi Cohen (A) wrote:
Hi Shannon
I solved the checksum issue by clearing the ip-checksum field before sending
pkt to the nic (there was a value there != 0 - I think he HW leave this field
unchanged if not set to zero)
Currently I'm working with the dpdk ipsec offload sample app.
I'll update you with the TSO issue later
Thanks Avi
-----Original Message-----
From: Shannon Nelson [mailto:shannon.nel...@oracle.com]
Sent: Monday, 15 January, 2018 7:56 PM
To: Avi Cohen (A); Fujinaka, Todd; Buchholz, Donald
Cc: e1000-devel@lists.sourceforge.net
Subject: Re: [e1000-devel@lists.sourceforge.net] x540 / 82599 IPsec offload -
Linux ixgbe driver
On 1/15/2018 2:24 AM, Avi Cohen (A) wrote:
Hi Shannon
You've mentioned that " the code doesn't yet handle TSO or checksum offload
at the same time as ipsec offload "
Why is that is this HW limitation ?
Best Regards
Avi
This is a software issue, the hardware should be fine with it. For me, it
didn't
work on the "first try", and I was seeing some odd stuff in the short bit of
debug
work that I did. I decided to put out what I did have working, and then I could
come back to the TSO and checksum work later. I should be able to work on
that in the next couple of weeks.
sln
-----Original Message-----
From: Shannon Nelson [mailto:shannon.nel...@oracle.com]
Sent: Wednesday, 03 January, 2018 7:22 PM
To: Avi Cohen (A); Fujinaka, Todd; Buchholz, Donald
Cc: e1000-devel@lists.sourceforge.net
Subject: Re: [e1000-devel@lists.sourceforge.net] x540 / 82599 IPsec offload
-
Linux ixgbe driver
Hi folks, it's nice to hear from you all.
To your questions, Avi:
1. The Linux kernel stack didn't support ipsec when the ixgbe driver first
came
out. This support was only recently (in the last year) added. My patches are
being tested by Intel before they push them up to net-next, but you are
welcome to pull them yourself for your own testing
- Don's links below will get you to them.
2. The recent XFRM work from Steffen Klassert takes care of the upper-stack
responsibilities for setting up the Tx and tearing down the Rx packets. The
offload capability does the encryption/decryption and updates the ESP fields.
3. The Intel datasheets and the code in the Mellanox driver are the
references I
had available to me when implementing the changes. I also appreciate the
support I got from a few of the Intel developers.
The quick summary is that under my simple testing, the patches offload
ipsec
traffic for the one encryption that Intel offers. The performance still needs
some tweaking as the code doesn't yet handle TSO or checksum offload at
the
same time as ipsec offload. However, in one iperf test where the software
ipsec only gives us about 300Mbps on a 10GbE link, I've seen 7Gbps or
better
with the offload turned on.
You can get more information from the slides and video of the IPsec
workshop
at the recent NetDevConf:
https://www.netdevconf.org/2.2/session.html?klassert-ipsec-workshop
You can get a little more information and background from the previous
NetDevConf slides and videos.
As Don mentioned below, I've forwarded the patches to Intel's git tree and
they
are currently under review and test with the Intel folks. I don't know their
current progress, but I hope to see the patches pushed into net-next soon.
Todd, perhaps you can poke at the test folks and let them know we have
customers anxiously awaiting the patches?
Thanks for your interest,
Shannon
On 1/3/2018 12:29 AM, Avi Cohen (A) wrote:
Hi Nelson
1.Can you tell what is the status of ixgbe – ipsec offload patch’s?
2.Are there any ‘numbers’ of performance tests? Ipsec in SW v.s.
ipsec in HW ?
3.Where is the code for ipsec headers insertion/removal by SW ? is
this done in ip-stack ? hooks ?
Thanks You (and Don and Todd) and Best Regards
Avi
*From:*Fujinaka, Todd [mailto:todd.fujin...@intel.com]
*Sent:* Tuesday, 02 January, 2018 10:54 PM
*To:* Buchholz, Donald; Avi Cohen (A)
*Subject:* RE: [linux.n...@intel.com] x540 / 82599 IPsec offload -
Linux ixgbe driver
We did not support IPsec offloads in Linux because the kernel
maintainers didn’t trust any crypto implementation that they couldn’t
audit and told us those patches wouldn’t be accepted. I don’t know if
that’s changed.
The implementation of IPsec offloads is being done by an Oracle
engineer and I would suggest contacting him directly with your questions.
*Todd Fujinaka*
Software Application Engineer
Datacenter Engineering Group
Intel Corporation
_todd.fujin...@intel.com <mailto:todd.fujin...@intel.com>___
*From:*Buchholz, Donald
*Sent:* Tuesday, January 2, 2018 11:15 AM
*To:* Avi Cohen <avi.co...@huawei.com
<mailto:avi.co...@huawei.com>>
*Subject:* Re: [linux.n...@intel.com] x540 / 82599 IPsec offload -
Linux ixgbe driver
Hi Avi,
We have not supported IPsec Offload in 'ixgbe' in the past due to lack
of demand. However, your timing in this matter is perfect! Patches
have been submitted to the intel-wired-lan list and are currently
under review in the ixgbe development tree. We expect these to be in
the linux-4.16 kernel.
Patch series under review:
--
http://patchwork.ozlabs.org/project/intel-wired-lan/list/?series=19548
Patch series in intel-wired-lan email list:
--
https://lists.osuosl.org/pipermail/intel-wired-lan/Week-of-Mon-2017121
8/thread.html
I am copying this reply to an internal engineering list so the
development team is aware of your interest.
Unfortunately this "linux.n...@intel.com"
<mailto:linux.n...@intel.com> email address isn't well-monitored.
Please use "e1000-devel@lists.sourceforge.net"
<mailto:e1000-devel@lists.sourceforge.net>
for any additional questions about the Linux drivers for any Intel
(wired) Ethernet device.
-- https://sourceforge.net/p/e1000/mailman/
Best Regards,
- Don Buchholz
- Network SW Engineer
- Intel Corporation
- DCG/CG/ND/SW Core/Open Source
----------------------------------------------------------------------
--
Date: Sun, 31 Dec 2017 14:54:54 +0000
From: "Avi Cohen (A)" <avi.co...@huawei.com>
<mailto:avi.co...@huawei.com>
To: "linux.n...@intel.com" <mailto:linux.n...@intel.com>
<linux.n...@intel.com> <mailto:linux.n...@intel.com>
Subject: x540 / 82599 IPsec offload - Linux ixgbe driver
Hello all,
I see in the datasheet of devices x540/82599 that it supports HW IPsec
offload - but there is no support in ixgbe SW driver.
Questions:
1. Why there is no support in ixgbe ?
2. From the datasheet I understand that TX packets send to HW should
contain IPsec headers
I think this should be handled in Linux ip-stack - is there any
work done there ?
3. Is there other helpful documentation to implement SW for HW IPsec,
available ?
Thank you and bets regards
Avi
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
E1000-devel mailing list
E1000-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/e1000-devel
To learn more about Intel® Ethernet, visit
http://communities.intel.com/community/wired
