Hi Shannon
You've mentioned that "the code doesn't yet handle TSO or checksum offload at
the same time as ipsec offload".
Why is that? Is this a HW limitation?
Best Regards
Avi

> -----Original Message-----
> From: Shannon Nelson [mailto:shannon.nel...@oracle.com]
> Sent: Wednesday, 03 January, 2018 7:22 PM
> To: Avi Cohen (A); Fujinaka, Todd; Buchholz, Donald
> Cc: e1000-devel@lists.sourceforge.net
> Subject: Re: [e1000-devel@lists.sourceforge.net] x540 / 82599 IPsec offload -
> Linux ixgbe driver
> 
> Hi folks, it's nice to hear from you all.
> 
> To your questions, Avi:
> 1. The Linux kernel stack didn't support ipsec when the ixgbe driver first came
> out.  This support was only recently (in the last year) added.  My patches are
> being tested by Intel before they push them up to net-next, but you are
> welcome to pull them yourself for your own testing
> - Don's links below will get you to them.
> 2. The recent XFRM work from Steffen Klassert takes care of the upper-stack
> responsibilities for setting up the Tx and tearing down the Rx packets.  The
> offload capability does the encryption/decryption and updates the ESP fields.
> 3. The Intel datasheets and the code in the Mellanox driver are the references I
> had available to me when implementing the changes.  I also appreciate the
> support I got from a few of the Intel developers.
> 
> The quick summary is that under my simple testing, the patches offload ipsec
> traffic for the one encryption that Intel offers.  The performance still needs
> some tweaking as the code doesn't yet handle TSO or checksum offload at the
> same time as ipsec offload.  However, in one iperf test where the software
> ipsec only gives us about 300Mbps on a 10GbE link, I've seen 7Gbps or better
> with the offload turned on.
> 
> You can get more information from the slides and video of the IPsec workshop
> at the recent NetDevConf:
> https://www.netdevconf.org/2.2/session.html?klassert-ipsec-workshop
> You can get a little more information and background from the previous
> NetDevConf slides and videos.
> 
> As Don mentioned below, I've forwarded the patches to Intel's git tree and they
> are currently under review and test with the Intel folks.  I don't know their
> current progress, but I hope to see the patches pushed into net-next soon.
> 
> Todd, perhaps you can poke at the test folks and let them know we have
> customers anxiously awaiting the patches?
> 
> Thanks for your interest,
> Shannon
>
> On 1/3/2018 12:29 AM, Avi Cohen (A) wrote:
> > Hi Nelson
> >
> > 1. Can you tell what is the status of ixgbe – ipsec offload patches?
> >
> > 2. Are there any ‘numbers’ of performance tests?  Ipsec in SW vs.
> >   ipsec in HW?
> >
> > 3. Where is the code for ipsec headers insertion/removal by SW? Is
> > this done in ip-stack? hooks?
> >
> > Thank you (and Don and Todd) and Best Regards
> >
> > Avi
> >
> > *From:*Fujinaka, Todd [mailto:todd.fujin...@intel.com]
> > *Sent:* Tuesday, 02 January, 2018 10:54 PM
> > *To:* Buchholz, Donald; Avi Cohen (A)
> > *Subject:* RE: [linux.n...@intel.com] x540 / 82599 IPsec offload -
> > Linux ixgbe driver
> >
> > We did not support IPsec offloads in Linux because the kernel
> > maintainers didn’t trust any crypto implementation that they couldn’t
> > audit and told us those patches wouldn’t be accepted. I don’t know if
> > that’s changed.
> >
> > The implementation of IPsec offloads is being done by an Oracle
> > engineer and I would suggest contacting him directly with your questions.
> >
> > *Todd Fujinaka*
> >
> > Software Application Engineer
> >
> > Datacenter Engineering Group
> >
> > Intel Corporation
> >
> > todd.fujin...@intel.com
> >
> > *From:*Buchholz, Donald
> > *Sent:* Tuesday, January 2, 2018 11:15 AM
> > *To:* Avi Cohen <avi.co...@huawei.com>
> > *Subject:* Re: [linux.n...@intel.com] x540 / 82599 IPsec offload -
> > Linux ixgbe driver
> >
> > Hi Avi,
> >
> > We have not supported IPsec Offload in 'ixgbe' in the past due to lack
> > of demand.  However, your timing in this matter is perfect!  Patches
> > have been submitted to the intel-wired-lan list and are currently
> > under review in the ixgbe development tree.  We expect these to be in
> > the linux-4.16 kernel.
> >
> >     Patch series under review:
> >        -- http://patchwork.ozlabs.org/project/intel-wired-lan/list/?series=19548
> >
> >     Patch series in intel-wired-lan email list:
> >        -- https://lists.osuosl.org/pipermail/intel-wired-lan/Week-of-Mon-20171218/thread.html
> >
> > I am copying this reply to an internal engineering list so the
> > development team is aware of your interest.
> >
> > Unfortunately this "linux.n...@intel.com" email address isn't
> > well-monitored.  Please use "e1000-devel@lists.sourceforge.net"
> > for any additional questions about the Linux drivers for any Intel
> > (wired) Ethernet device.
> >      -- https://sourceforge.net/p/e1000/mailman/
> >
> > Best Regards,
> > - Don Buchholz
> > - Network SW Engineer
> > - Intel Corporation
> > - DCG/CG/ND/SW Core/Open Source
> >
> > ------------------------------------------------------------------------
> >
> > Date: Sun, 31 Dec 2017 14:54:54 +0000
> > From: "Avi Cohen (A)" <avi.co...@huawei.com>
> > To: "linux.n...@intel.com" <linux.n...@intel.com>
> > Subject: x540 / 82599   IPsec offload - Linux ixgbe driver
> >
> > Hello all,
> > I see in the datasheet of devices x540/82599 that it supports HW IPsec
> > offload - but there is no support in ixgbe SW driver.
> > Questions:
> > 1. Why is there no support in ixgbe?
> > 2. From the datasheet I understand that TX packets sent to HW should
> > contain IPsec headers
> >      I think this should be handled in Linux ip-stack - is there any
> > work done there?
> > 3. Is there other helpful documentation to implement SW for HW IPsec,
> > available?
> >
> > Thank you and best regards
> > Avi
> >