Re: [Ocf-linux-users] Regarding ocf for ipsec
Brought to you by:
david-m
From: David M. <Dav...@se...> - 2008-07-10 11:59:26
|
Jivin Manish RATHI lays it down ... > Hi, > I've applied the patch. > As such there is no change in ipsec files in kernel networking stack. Thats correct because the linux NETKEY stack does not use OCF and there is no patch to make this work. If you want accelerated IPSEC that uses OCF you need to use openswan and the openswan KLIPS kernel stack, not the linux NETKEY kernel stack. > Can you tell me name of files which tell the linux kernel so that it uses > OCF instead of linux kernel crypto framework? Read about openswan here: www.openswan.org The latest version of openswan that uses OCF is: http://www.openswan.org/download/development/openswan-2.6.16dr4.tar.gz or there is the older stable 2.4 series, Cheers, Davidm > -----Original Message----- > From: David McCullough [mailto:Dav...@se...] > Sent: Thursday, July 10, 2008 4:17 PM > To: Manish RATHI > Cc: ocf...@li... > Subject: Re: [Ocf-linux-users] Regarding ocf for ipsec > > > Jivin Manish RATHI lays it down ... > > Hi, > > Patch I found for linux KLIPS Openswan doesn't look to be applicable > > to latest 2.6.24 kernel. > > Go to: > http://sourceforge.net/project/showfiles.php?group_id=133575 > > and download > > ocf-linux-26-20080704.patch.gz > > take a stock linux-2.6.24 (or 25) and extract: > > cd linux-2.6.24 > gunzip < ocf-linux-26-20080704.patch.gz | patch -p1 > > The previous OCF release (20071215) has a patch for 2.6.23. > Either way, I know it's supported because I am running it :-) > > > It's big change and I am not sure about its stability. > > The patch is big because it includes all of OCF so that you do not need to > do anything else. I have had some reports that you may need to fix a couple > of things after applying the patch but I have no details to help you with on > that. > > > Has anybody used it over 2.6.24? > > Anyone other than me :-) > > > Can I use crptodev with linux kernel crypto framework so that I use > > openssl+cryptodev + linux crypto? Is there any patch available? > > No and not that I know of. > > > I am still not able to appreciate why linux kernel crypto framework > > not able to provide async APIs as OCF is providing. > > Read the linux-crypto or the older cryptodev mailing list archives, it may > help, > > Cheers. > Davidm > > > -----Original Message----- > > From: David McCullough [mailto:Dav...@se...] > > Sent: Thursday, July 10, 2008 4:41 AM > > To: Manish RATHI > > Cc: ocf...@li... > > Subject: Re: [Ocf-linux-users] Regarding ocf for ipsec > > > > > > Jivin Manish RATHI lays it down ... > > > Hi, > > > ipsec in vannila linux kernel uses linux kernel crypto not OCF > framework? > > > > yes. > > > > > I am using OCF driver for crypto acceleration to be used with > > > openssl > > engine. > > > > > > Currently ipsec uses linux kernel crypto framework. So I've to write > > > 2 drivers > > > > You could use the openswan KLIPS stack in the kernel instead. > > > > > 1) kernel crypto driver > > > 2) OCF driver > > > > > > I'd like to use single driver that can be used with OpenSSL/OCF and > > > Linux > > kernel crypto. > > > > > > Is there any stable patch available for ipsec in latest linux kernel > > > so > > that it uses OCF? > > > > No. The linux kernel is doing it's own async crypto but I am not sure > > which kernel is is/will appear in and how stable it is. > > > > > Why OCF is not used in linux kernel for ipsec? > > > > One reason is licensing (OCF is BSD license). > > > > > I've read that current > > > ipsec doesn't uses Bottom half so async API framework such as OCF is > > > not required. Is it correct? > > > > An async api is required, but previously the stack counld not handle it. > > Work is being done in the space by the linux crypto guys. > > > > > What are the pros and cons of using OCF with ipsec? > > > > It goes faster, you have to patch your kernel, > > > > Cheers, > > Davidm > > > > -- > > David McCullough, dav...@se..., Ph:+61 > 734352815 > > Secure Computing - SnapGear http://www.uCdot.org > http://www.snapgear.com > > > > -- > David McCullough, dav...@se..., Ph:+61 734352815 > Secure Computing - SnapGear http://www.uCdot.org http://www.snapgear.com > -- David McCullough, dav...@se..., Ph:+61 734352815 Secure Computing - SnapGear http://www.uCdot.org http://www.snapgear.com |