Re: [Ocf-linux-users] NETKEY and OCF-Linux under 2.6.24
From: David M. <Dav...@se...> - 2008-05-29 03:22:23
Jivin xianghua xiao lays it down ...
> Hi,
>
> Based on ocf-linux 20071215 release and David's 20080427 patch, I can
> use openssl to verify that talitos driver is working and having a better
> performance comparing to cpu-only mode when 1024/2048 packet size are
> used. I'm using 2.6.24 kernel and its NETKEY stack along with these two
> ocf patches.
>
> However when I use setkey to setup an IPSEC(transport mode) channel
> between two hosts, use iperf I could not find any throughput gain after
> I 'insmod ocf cryptodev cryptosoft talitos', it showed no difference
> when the hardware engine is used.
>
> OpenSwan is broken on 2.6.24, which is the reason I'm trying NETKEY with
> OCF on 2.6.24. It looks to me cryptodev is working with openssl, however
> I'm not sure if IPSEC will work, anyone is aware of the status on
> IPSEC-OCF-NETKEY-2.6.24? When I set up ipsec, will NETKEY stack invoke
> OCF/hardware-engine automatically, just like what KLIPS did in the older
> kernel versions?

There is no netkey->ocf connection, so you cannot use OCF to accelerate
netkey at this point. There was a patch posted a long time ago, but it
would be of little use now with mainline crypto becoming async and having
HW acceleration itself, though it would be easier to make a netkey/ocf
connection now.

As you have found it is possible to accelerate openssl, and klips will
work accelerated as well if you have an appropriate kernel.

I have Openswan 2.4.12 running under 2.6.25 and I am trying to get a
release of OCF + openswan patches done real soon now, so you may be able
to go that path if you like?

I was hoping to have all done a while back but a lot of things have got
in the way. All I can say is real soon now :-) I can package up an
alpha level tarball if you need it sooner?

Cheers,
Davidm

--
David McCullough, dav...@se..., Ph:+61 734352815
Secure Computing - SnapGear
http://www.uCdot.org http://www.snapgear.com