Re: [Ocf-linux-users] NETKEY and OCF-Linux under 2.6.24
Brought to you by:
david-m
From: xianghua x. <x....@fr...> - 2008-05-29 03:35:17
|
David McCullough wrote: > > Jivin xianghua xiao lays it down ... > > Hi, > > > > Based on ocf-linux 20071215 release and David's 20080427 patch, I can > > use openssl to verify that talitos driver is working and having a better > > performance comparing to cpu-only mode when 1024/2048 packet size are > > used. I'm using 2.6.24 kernel and its NETKEY stack along with these two > > ocf patches. > > > > However when I use setkey to setup an IPSEC(transport mode) channel > > between two hosts, use iperf I could not find any throughput gain after > > I 'insmod ocf cryptodev cryptosoft talitos', it showed no difference > > when the hardware engine is used. > > > > OpenSwan is broken on 2.6.24, which is the reason I'm trying NETKEY with > > OCF on 2.6.24. It looks to me cryptodev is working with openssl, however > > I'm not sure if IPSEC will work, anyone is aware of the status on > > IPSEC-OCF-NETKEY-2.6.24? When I set up ipsec, will NETKEY stack invoke > > OCF/hardware-engine automatically, just like what KLIPS did in the older > > kernel versions? > > There is no netkey->ocf connection, so you cannot use OCF to accelerate > netkey at this point. There was a patch posted a long time ago, but it > would be of little use now with mainline crypto becoming async and > having HW acceleration itself, though it would be easier to make a > netkey/ocf connection now. > > As you have found it is possible to accelerate openssl, and klips will > work accelerated as well if you have an appropriate kernel. > > I have Openswan 2.4.12 running under 2.6.25 and I am trying to get a > release of OCF + openswan patches done real soon now, so you may be > able to go that path if you like ? > > I was hoping to have all done a while back but a lot of things have got > in the way. All I can say is real soon now :-) I can package up an > alpha level tarball if you need it sooner ? > > Cheers, > Davidm > > -- > David McCullough, dav...@se..., Ph:+61 > 734352815 > Secure Computing - SnapGear http://www.uCdot.org > http://www.snapgear.com > David, Yes I would like to try your alpha tarball right away. I managed to get KLIPS compiled under 2.6.24 but it crashes sometimes, plus pluto complained "no hardware accelerator was found". Hope someday NETKEY can invoke OCF directly, that will make life easier. There are quite a lot legacy network code in OpenSwan (partially due to its back-compatibility support) and it's becoming harder to keep KLIPS in sync with new kernel releases. Thank you, Xianghua |