On Thu, 1 Dec 2016, Ilan Tayari wrote:

You will see ESP packets properly encapsulated. But if you use
tcpdump -x (or -w, etc.) you will see plaintext payload inside them.


Replay protection and UDP encapsulation are both features of the XFRM stack
and not the crypto layer. They behave with offload just like without offload.
You configure them the same way too, and I believe AQUIRE works the same way
as well.

Only the crypto is offloaded to the NIC. Not the whole IPSec stack.
Although we did talk about offloading the replay protection as well, so that
RSS can work on the inner packets. This was not implemented yet.

esp4/6.c have lots of changes in these patches. Yes.
The new mechanisms are highly integrated into this logic.

Thanks for the information! I see no issues with adding support for your
device, although one remaining question is how we can easilly detect
support for this in the kernel during runtime. Will there be a proc
value either in the nic subsystem or elsewhere that we can check for?

Paul
_______________________________________________
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev

Reply via email to