Re: Crypto acceleration (was: Re: VIA C7 hardware AES support in IPSEC(ctl))
On Fri, 2006-06-23 at 10:00 +0200, Markus Friedl wrote:
> yes, the card needs to support all algorithms,
> crypto_newsession() does this:
>
>         /*
>          * The algorithm we use here is pretty stupid; just use the
>          * first driver that supports all the algorithms we need. Do
>          * a double-pass over all the drivers, ignoring software ones
>          * at first, to deal with cases of drivers that register after
>          * the software one(s) --- e.g., PCMCIA crypto cards.
>          *
>          * XXX We need more smarts here (in real life too, but that's
>          * XXX another story altogether).
>          */
>
> -m

I was looking at this a while ago for an old setup which is still alive
for test purpose and needed attention just for this particular case.

Thanks Christian and Markus for pointing this out.

Regards.
-- 
Massimo.run();
Re: Crypto acceleration (was: Re: VIA C7 hardware AES support in IPSEC(ctl))
yes, the card needs to support all algorithms,
crypto_newsession() does this:

        /*
         * The algorithm we use here is pretty stupid; just use the
         * first driver that supports all the algorithms we need. Do
         * a double-pass over all the drivers, ignoring software ones
         * at first, to deal with cases of drivers that register after
         * the software one(s) --- e.g., PCMCIA crypto cards.
         *
         * XXX We need more smarts here (in real life too, but that's
         * XXX another story altogether).
         */

-m
Crypto acceleration (was: Re: VIA C7 hardware AES support in IPSEC(ctl))
Bihlmaier Andreas <[EMAIL PROTECTED]> wrote:

> Since I have no clue at all how IPSEC goes about "looking" for crypto
> accelerator hardware and making use of it, I'm kind of stuck. Because
> everything I have found so far by google and archives was that it should
> "just work".

Not directly applicable to Andreas's problem, but doubting questions
whether a provided crypto accelerator is actually used keep coming
up, and I just became aware of an extra twist to this:

My hifn (a Soekris vpn1401) didn't appear to be used for IPsec
either. When I had ssh traffic terminating at that machine, there
were plenty of hifn0 interrupts, but when it only served as an IPsec
gateway there were none. Strange.

So I took another look at the crypto algorithms employed. ipsecctl(8)
defaults to AES and SHA2-256. The Hifn 7955 supports AES, of course,
and ... no SHA2. You'd imagine the crypto accelerator would still
be used for AES with the SHA2-256 hash added in software, but
apparently this is not the case. I switched the IPsec setup to
AES/SHA1 and now the hardware acceleration is used, as the respective
interrupt rate and overall lower CPU usage convincingly demonstrate.

-- 
Christian "naddy" Weisgerber [EMAIL PROTECTED]
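Added example, not part of the thread and not OpenBSD source: a simplified C model of the selection rule quoted from the crypto_newsession() comment, showing why a card with AES but no SHA2-256 is skipped for the whole session. All names, the bitmask encoding and the driver table are assumptions constructed for illustration; the hifn0 entry lists only the algorithms the thread mentions.

```c
#include <stdio.h>

/* Simplified model, not OpenBSD source: every name here is hypothetical. */
enum { ALG_AES = 1 << 0, ALG_SHA1 = 1 << 1, ALG_SHA2_256 = 1 << 2 };

struct driver {
    const char *name;
    unsigned algs;   /* bitmask of algorithms the driver registered */
    int software;    /* 1 for the software fallback driver */
};

/* Constructed table: software driver registered first, the card after it. */
static const struct driver drivers[] = {
    { "swcrypto", ALG_AES | ALG_SHA1 | ALG_SHA2_256, 1 },
    { "hifn0",    ALG_AES | ALG_SHA1,                0 },
};
#define NDRIVERS (sizeof(drivers) / sizeof(drivers[0]))

/*
 * Return the index of the first driver that supports every algorithm in
 * `needed`. Pass 0 skips software drivers; pass 1 accepts them.
 * Returns -1 if no single driver can take the whole session.
 */
int select_driver(unsigned needed)
{
    for (int pass = 0; pass < 2; pass++) {
        for (size_t i = 0; i < NDRIVERS; i++) {
            if (drivers[i].software && pass == 0)
                continue;
            /* All-or-nothing: a partial match is never split across drivers. */
            if ((drivers[i].algs & needed) == needed)
                return (int)i;
        }
    }
    return -1;
}

const char *driver_name(int idx)
{
    return idx < 0 ? "(none)" : drivers[idx].name;
}

int main(void)
{
    printf("AES + SHA2-256 -> %s\n",
        driver_name(select_driver(ALG_AES | ALG_SHA2_256)));
    printf("AES + SHA1     -> %s\n",
        driver_name(select_driver(ALG_AES | ALG_SHA1)));
    return 0;
}
```

In this model the AES/SHA2-256 request lands on the software driver even though the card could do the AES half, while AES/SHA1 selects hifn0 despite its later registration.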