From: Shannon N. <sha...@or...> - 2018-01-08 04:18:19
On 1/7/2018 4:50 AM, Avi Cohen (A) wrote:
> Thank you Shannon
> 1. I did not find the configuration file to config the SA/SP ?

I don't use any particular configuration file, I have a simple shell script that does some "ip x s ..." and "ip x p ..." commands for my testing. You can see an example of the resulting commands on one of the last slides from the NetdevConf talk.

> 2. Do you know if this IPsec offload can coexist with SR-IOV ?

I haven't tested this myself yet, but I see no reason why not. The trick, though, will be in coordinating the ipsec config with any VMs using those SR-IOV VFs.

sln

>
> Best Regards
> Avi
>
>
>> -----Original Message-----
>> From: Shannon Nelson [mailto:sha...@or...]
>> Sent: Wednesday, 03 January, 2018 7:22 PM
>> To: Avi Cohen (A); Fujinaka, Todd; Buchholz, Donald
>> Cc: e10...@li...
>> Subject: Re: [e10...@li...] x540 / 82599 IPsec offload -
>> Linux ixgbe driver
>>
>> Hi folks, it's nice to hear from you all.
>>
>> To your questions, Avi:
>> 1. The Linux kernel stack didn't support ipsec when the ixgbe driver first came
>> out. This support was only recently (in the last year) added. My patches are
>> being tested by Intel before they push them up to net-next, but you are
>> welcome to pull them yourself for your own testing
>> - Don's links below will get you to them.
>> 2. The recent XFRM work from Steffen Klassert takes care of the upper-stack
>> responsibilities for setting up the Tx and tearing down the Rx packets. The
>> offload capability does the encryption/decryption and updates the ESP fields.
>> 3. The Intel datasheets and the code in the Mellanox driver are the references I
>> had available to me when implementing the changes. I also appreciate the
>> support I got from a few of the Intel developers.
>>
>> The quick summary is that under my simple testing, the patches offload ipsec
>> traffic for the one encryption that Intel offers. The performance still needs
>> some tweaking as the code doesn't yet handle TSO or checksum offload at the
>> same time as ipsec offload. However, in one iperf test where the software
>> ipsec only gives us about 300Mbps on a 10GbE link, I've seen 7Gbps or better
>> with the offload turned on.
>>
>> You can get more information from the slides and video of the IPsec workshop
>> at the recent NetDevConf:
>> https://www.netdevconf.org/2.2/session.html?klassert-ipsec-workshop
>> You can get a little more information and background from the previous
>> NetDevConf slides and videos.
>>
>> As Don mentioned below, I've forwarded the patches to Intel's git tree and they
>> are currently under review and test with the Intel folks. I don't know their
>> current progress, but I hope to see the patches pushed into net-next soon.
>>
>> Todd, perhaps you can poke at the test folks and let them know we have
>> customers anxiously awaiting the patches?
>>
>> Thanks for your interest,
>> Shannon
>>
>>
>> On 1/3/2018 12:29 AM, Avi Cohen (A) wrote:
>>> Hi Nelson
>>>
>>> 1.Can you tell what is the status of ixgbe – ipsec offload patch’s?
>>>
>>> 2.Are there any ‘numbers’ of performance tests? Ipsec in SW v.s.
>>> ipsec in HW ?
>>>
>>> 3.Where is the code for ipsec headers insertion/removal by SW ? is
>>> this done in ip-stack ? hooks ?
>>>
>>> Thanks You (and Don and Todd) and Best Regards
>>>
>>> Avi
>>>
>>> *From:*Fujinaka, Todd [mailto:tod...@in...]
>>> *Sent:* Tuesday, 02 January, 2018 10:54 PM
>>> *To:* Buchholz, Donald; Avi Cohen (A)
>>> *Subject:* RE: [lin...@in...] x540 / 82599 IPsec offload -
>>> Linux ixgbe driver
>>>
>>> We did not support IPsec offloads in Linux because the kernel
>>> maintainers didn’t trust any crypto implementation that they couldn’t
>>> audit and told us those patches wouldn’t be accepted. I don’t know if
>>> that’s changed.
>>>
>>> The implementation of IPsec offloads is being done by an Oracle
>>> engineer and I would suggest contacting him directly with your questions.
>>>
>>> *Todd Fujinaka*
>>>
>>> Software Application Engineer
>>>
>>> Datacenter Engineering Group
>>>
>>> Intel Corporation
>>>
>>> _to...@in... <mailto:tod...@in...>___
>>>
>>> *From:*Buchholz, Donald
>>> *Sent:* Tuesday, January 2, 2018 11:15 AM
>>> *To:* Avi Cohen <avi...@hu... <mailto:avi...@hu...>>
>>> *Subject:* Re: [lin...@in...] x540 / 82599 IPsec offload -
>>> Linux ixgbe driver
>>>
>>> Hi Avi,
>>>
>>> We have not supported IPsec Offload in 'ixgbe' in the past due to lack
>>> of demand. However, your timing in this matter is perfect! Patches
>>> have been submitted to the intel-wired-lan list and are currently
>>> under review in the ixgbe development tree. We expect these to be in
>>> the linux-4.16 kernel.
>>>
>>> Patch series under review:
>>> --
>>>
>>> http://patchwork.ozlabs.org/project/intel-wired-lan/list/?series=19548
>>>
>>> Patch series in intel-wired-lan email list:
>>> --
>>>
>>> https://lists.osuosl.org/pipermail/intel-wired-lan/Week-of-Mon-20171218/thread.html
>>>
>>> I am copying this reply to an internal engineering list so the
>>> development team is aware of your interest.
>>>
>>> Unfortunately this "lin...@in..."
>>> <mailto:lin...@in...> email address isn't well-monitored.
>>> Please use "e10...@li..."
>>> <mailto:e10...@li...>
>>> for any additional questions about the Linux drivers for any Intel
>>> (wired) Ethernet device.
>>> -- https://sourceforge.net/p/e1000/mailman/
>>>
>>> Best Regards,
>>> - Don Buchholz
>>> - Network SW Engineer
>>> - Intel Corporation
>>> - DCG/CG/ND/SW Core/Open Source
>>>
>>> ------------------------------------------------------------------------
>>>
>>> Date: Sun, 31 Dec 2017 14:54:54 +0000
>>> From: "Avi Cohen (A)" <avi...@hu...>
>>> <mailto:avi...@hu...>
>>> To: "lin...@in..." <mailto:lin...@in...>
>>> <lin...@in...> <mailto:lin...@in...>
>>> Subject: x540 / 82599 IPsec offload - Linux ixgbe driver
>>>
>>> Hello all,
>>> I see in the datasheet of devices x540/82599 that it supports HW IPsec
>>> offload - but there is no support in ixgbe SW driver.
>>> Questions:
>>> 1. Why there is no support in ixgbe ?
>>> 2. From the datasheet I understand that TX packets send to HW should
>>> contain IPsec headers
>>> I think this should be handled in Linux ip-stack - is there any
>>> work done there ?
>>> 3. Is there other helpful documentation to implement SW for HW IPsec,
>>> available ?
>>>
>>> Thank you and best regards
>>> Avi
>>>
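
The kind of "ip x s ..." / "ip x p ..." script mentioned in the reply at the top of this thread, as an added example that is not part of the original thread and is not the script from the talk: it prints `ip xfrm` state and policy commands for one transport-mode ESP SA pair with hardware offload requested. The addresses, SPIs, reqid, device name and the choice of `rfc4106(gcm(aes))` with a 128-bit key are assumptions; the thread does not give them.

```bash
#!/bin/sh
# Added example: builds "ip xfrm" commands for one ESP transport-mode SA pair
# with "offload dev ... dir ..." set. All sample values are constructed.

# 160 bits of AEAD key material for rfc4106(gcm(aes)): 128-bit key + 32-bit salt.
gen_key() {
    printf '0x%s\n' "$(head -c 20 /dev/urandom | od -An -tx1 | tr -d ' \n')"
}

# Accept only "0x" followed by exactly 40 hex digits.
valid_key() {
    case "$1" in
        0x*) ;;
        *) return 1 ;;
    esac
    hex=${1#0x}
    [ "${#hex}" -eq 40 ] || return 1
    case "$hex" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# xfrm_cmds LOCAL REMOTE DEV SPI_OUT SPI_IN KEY_OUT KEY_IN
# Prints the commands only; nothing is applied to the kernel.
# Keys appear on the command line, so treat the output as secret material.
xfrm_cmds() {
    l=$1; r=$2; dev=$3; so=$4; si=$5; ko=$6; ki=$7
    valid_key "$ko" && valid_key "$ki" || { echo "bad key material" >&2; return 1; }
    cat <<EOF
ip xfrm state add src $l dst $r proto esp spi $so mode transport reqid 1 aead 'rfc4106(gcm(aes))' $ko 128 offload dev $dev dir out
ip xfrm state add src $r dst $l proto esp spi $si mode transport reqid 1 aead 'rfc4106(gcm(aes))' $ki 128 offload dev $dev dir in
ip xfrm policy add src $l dst $r dir out tmpl proto esp mode transport reqid 1
ip xfrm policy add src $r dst $l dir in tmpl proto esp mode transport reqid 1
EOF
}

# Constructed sample: documentation-range addresses, made-up SPIs and device.
xfrm_cmds 192.0.2.1 192.0.2.2 eth0 0x1001 0x1002 "$(gen_key)" "$(gen_key)"
```

Applying the printed commands needs root and a NIC whose `ethtool -k` output shows `esp-hw-offload: on`; the peer needs the mirror-image configuration with the same keys and SPIs.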