Hello all,
I would like to introduce the new kernel API for IPSec crypto offload, and open
discussion regarding its support in swan daemons.
This is currently just an RFC in Linux net-next, but it is stabilizing and will
be submitted soon enough.
Steffen Klassert has been working on this for a
> -Original Message-
> From: Antony Antony [mailto:ant...@phenome.org]
> Subject: Re: [libreswan RFC 2/3] pluto, whack: Add nic-offload 'auto' mode
>
> Hi Ilan,
> Thanks for the patches.
>
> I reviewed the patches. May be Hugh can clarify the first one. I wonder
> the
> comment following
> -Original Message-
> From: Paul Wouters [mailto:p...@nohats.ca]
> Subject: RE: [libreswan RFC 2/3] pluto, whack: Add nic-offload 'auto' mode
>
> On Mon, 31 Jul 2017, Ilan Tayari wrote:
>
> >> For the second and the third patch here is my suggestion.
> &
> -Original Message-
> From: Paul Wouters [mailto:p...@nohats.ca]
> Subject: Re: [Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload
> on the NIC
>
> On Wed, 5 Jul 2017, Ilan Tayari wrote:
>
> > I figured out why pluto doesn't complain about NEWSA f
name option to "nic-offload". Libreswan is moving away from "_"
> 2. whack --nic-offload
> 3. nic-offload:yes; in "ipsec staus" connection
> 4. there is one coding style change I made.
>
> On Wed, Jun 28, 2017 at 05:31:06AM +, Ilan Tayari wrote:
>
ny
Thank you, Antony.
We'll give this a try too.
We'll be in touch regarding the next steps of development of this feature.
Ilan.
>
> On Sun, Jul 02, 2017 at 06:30:51AM +, Ilan Tayari wrote:
> > > -Original Message-
> > > From: Antony Antony [mailto:ant...@phenome
Hi Andrew,
I am trying to build libreswan master on a CentOS 7.1 system.
I have the following in Makefile.inc.local:
USE_DNSSEC=false
USE_SYSTEMD_WATCHDOG=false
I do 'make all', it builds pluto and others, and then I get this error:
make[2]: Leaving directory
> -Original Message-
> From: Paul Wouters [mailto:p...@nohats.ca]
> Subject: Re: [Swan-dev] algparse makefile build fail
>
> On Tue, 4 Jul 2017, Ilan Tayari wrote:
>
> > I am trying to build libreswan master on a CentOS 7.1 system.
> >
> > I have
Hi Paul, Antony, and all,
I want to discuss an improvement to the basic Libreswan nic-offload feature.
We (Mellanox) propose the following change:
* Upgrade the nic-offload configuration option from bool to tristate enum:
* Never – old behavior, never attempt to perform nic-offload.
> -Original Message-
> From: Antony Antony [mailto:ant...@phenome.org]
> Subject: Re: [Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload
> on the NIC
>
> On Thu, Jun 29, 2017 at 04:51:12PM +, Ilan Tayari wrote:
> > > Here are a couple of propos
> > > The conclusion from all the above, is that on failure to add_sa with
> > > offload, we may retry add_sa without offload.
> > > But then again some users may want to engineer their systems to only
> add
> > supported SAs. They will not want to tolerate fallback to non-offload.
> > > Maybe
> > > 1. how to detect which esp algorithms are supported by this card?
> > There is no kernel API for that :/
> > Currently the user is supposed to be aware which algos and modes his
> offload-capable NIC supports.
> >
> It would be nice to have such listing function.
>
> I advise better logging
> -Original Message-
> From: Antony Antony [mailto:ant...@phenome.org]
> Subject: Re: [PATCH libreswan v2 3/3] kernel, netlink: Add support for
> nic_offload='auto' mode
>
> >
> > +static void setup_esp_nic_offload(struct kernel_sa *sa, struct
> connection *c,
> > + bool
> -Original Message-
> From: Antony Antony [mailto:ant...@phenome.org]
> Subject: Re: [PATCH libreswan v2 2/3] pluto, whack: Add nic-offload 'auto'
> mode
>
> > +enum nic_offload_options {
> > + nic_offload_no = 0,
>
> the feed back I sent used nic_offload_no = 1
> that is less
> -Original Message-
> From: Antony Antony [mailto:ant...@phenome.org]
> Subject: Re: [Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload
> on the NIC
...
> > iproute2 does show it, btw:
> >
> > # ip x s
> > src 192.168.7.11 dst 192.168.7.1
> > proto esp spi 0xe1fe6a81
> -Original Message-
> From: Paul Wouters [mailto:p...@nohats.ca]
> Subject: Re: [Swan-dev] [PATCH libreswan] Add support for IPSec HW-offload
> on the NIC
>
> On Tue, 27 Jun 2017, Antony Antony wrote:
>
> > I guess this is could be applied. However, please hold on, lets update
> >
y
>
>
> On Tue, Jun 27, 2017 at 06:48:26PM +0300, il...@mellanox.com wrote:
> > From: Ilan Tayari <il...@mellanox.com>
> >
> > Add per-connection configuration flag to enable HW offload.
> >
> > For kernel_netlink, if flag is set and connectio
-offload.
Maybe this could be another configuration option?
In any case maybe these things can be developed as incremental improvements to
libreswan?
Ilan.
>
> thanks,
> -antony
>
> On Tue, Jun 27, 2017 at 06:48:26PM +0300, il...@mellanox.com wrote:
> > From: Ilan Tayari
18 matches
Mail list logo