Thread: [Ocf-linux-users] NETKEY and OCF-Linux under 2.6.24
From: xianghua x. <x....@fr...> - 2008-05-29 02:56:04

Hi,

Based on ocf-linux 20071215 release and David's 20080427 patch, I can
use openssl to verify that talitos driver is working and having a better
performance compared to cpu-only mode when 1024/2048 packet size are
used. I'm using 2.6.24 kernel and its NETKEY stack along with these two
ocf patches.

However when I use setkey to set up an IPSEC (transport mode) channel
between two hosts, use iperf I could not find any throughput gain after
I 'insmod ocf cryptodev cryptosoft talitos', it showed no difference
when the hardware engine is used.

OpenSwan is broken on 2.6.24, which is the reason I'm trying NETKEY with
OCF on 2.6.24. It looks to me cryptodev is working with openssl, however
I'm not sure if IPSEC will work, anyone is aware of the status on
IPSEC-OCF-NETKEY-2.6.24? When I set up ipsec, will NETKEY stack invoke
OCF/hardware-engine automatically, just like what KLIPS did in the older
kernel versions?

Thanks a lot!
Xianghua

From: David M. <Dav...@se...> - 2008-05-29 03:22:23

Jivin xianghua xiao lays it down ...
> Hi,
>
> Based on ocf-linux 20071215 release and David's 20080427 patch, I can
> use openssl to verify that talitos driver is working and having a better
> performance compared to cpu-only mode when 1024/2048 packet size are
> used. I'm using 2.6.24 kernel and its NETKEY stack along with these two
> ocf patches.
>
> However when I use setkey to set up an IPSEC (transport mode) channel
> between two hosts, use iperf I could not find any throughput gain after
> I 'insmod ocf cryptodev cryptosoft talitos', it showed no difference
> when the hardware engine is used.
>
> OpenSwan is broken on 2.6.24, which is the reason I'm trying NETKEY with
> OCF on 2.6.24. It looks to me cryptodev is working with openssl, however
> I'm not sure if IPSEC will work, anyone is aware of the status on
> IPSEC-OCF-NETKEY-2.6.24? When I set up ipsec, will NETKEY stack invoke
> OCF/hardware-engine automatically, just like what KLIPS did in the older
> kernel versions?

There is no netkey->ocf connection, so you cannot use OCF to accelerate
netkey at this point. There was a patch posted a long time ago, but it
would be of little use now with mainline crypto becoming async and
having HW acceleration itself, though it would be easier to make a
netkey/ocf connection now.

As you have found it is possible to accelerate openssl, and klips will
work accelerated as well if you have an appropriate kernel.

I have Openswan 2.4.12 running under 2.6.25 and I am trying to get a
release of OCF + openswan patches done real soon now, so you may be
able to go that path if you like?

I was hoping to have all done a while back but a lot of things have got
in the way. All I can say is real soon now :-) I can package up an
alpha level tarball if you need it sooner?

Cheers,
Davidm

--
David McCullough, dav...@se..., Ph:+61 734352815
Secure Computing - SnapGear http://www.uCdot.org http://www.snapgear.com

From: xianghua x. <x....@fr...> - 2008-05-29 03:35:17

David McCullough wrote:
>
> Jivin xianghua xiao lays it down ...
> > Hi,
> >
> > Based on ocf-linux 20071215 release and David's 20080427 patch, I can
> > use openssl to verify that talitos driver is working and having a better
> > performance compared to cpu-only mode when 1024/2048 packet size are
> > used. I'm using 2.6.24 kernel and its NETKEY stack along with these two
> > ocf patches.
> >
> > However when I use setkey to set up an IPSEC (transport mode) channel
> > between two hosts, use iperf I could not find any throughput gain after
> > I 'insmod ocf cryptodev cryptosoft talitos', it showed no difference
> > when the hardware engine is used.
> >
> > OpenSwan is broken on 2.6.24, which is the reason I'm trying NETKEY with
> > OCF on 2.6.24. It looks to me cryptodev is working with openssl, however
> > I'm not sure if IPSEC will work, anyone is aware of the status on
> > IPSEC-OCF-NETKEY-2.6.24? When I set up ipsec, will NETKEY stack invoke
> > OCF/hardware-engine automatically, just like what KLIPS did in the older
> > kernel versions?
>
> There is no netkey->ocf connection, so you cannot use OCF to accelerate
> netkey at this point. There was a patch posted a long time ago, but it
> would be of little use now with mainline crypto becoming async and
> having HW acceleration itself, though it would be easier to make a
> netkey/ocf connection now.
>
> As you have found it is possible to accelerate openssl, and klips will
> work accelerated as well if you have an appropriate kernel.
>
> I have Openswan 2.4.12 running under 2.6.25 and I am trying to get a
> release of OCF + openswan patches done real soon now, so you may be
> able to go that path if you like?
>
> I was hoping to have all done a while back but a lot of things have got
> in the way. All I can say is real soon now :-) I can package up an
> alpha level tarball if you need it sooner?
>
> Cheers,
> Davidm
>
> --
> David McCullough, dav...@se..., Ph:+61 734352815
> Secure Computing - SnapGear http://www.uCdot.org http://www.snapgear.com
>

David,

Yes I would like to try your alpha tarball right away. I managed to get
KLIPS compiled under 2.6.24 but it crashes sometimes, plus pluto
complained "no hardware accelerator was found".

Hope someday NETKEY can invoke OCF directly, that will make life easier.
There are quite a lot of legacy network code in OpenSwan (partially due to
its back-compatibility support) and it's becoming harder to keep KLIPS
in sync with new kernel releases.

Thank you,
Xianghua

From: David M. <Dav...@se...> - 2008-05-29 04:02:04

Jivin xianghua xiao lays it down ...
...
> Yes I would like to try your alpha tarball right away. I managed to get
> KLIPS compiled under 2.6.24 but it crashes sometimes, plus pluto
> complained "no hardware accelerator was found".

Ok, here is everything I think you need and is easiest to generate.
It's an openswan-2.4.12 patch and a diff against the old 2007 release of
OCF. Since you have openssl working I don't think you need a new version
of that patch.

This is not as nicely packaged as a release, but I think you will be
able to work out what you need, if not hassle me :-)

> Hope someday NETKEY can invoke OCF directly, that will make life easier.

Or someone writes crypto drivers for linux for the HW you are using :-)

> There are quite a lot of legacy network code in OpenSwan (partially due to
> its back-compatibility support) and it's becoming harder to keep KLIPS
> in sync with new kernel releases.

It's not too bad actually, we update kernels regularly and while
openswan is often an issue, it's not always the worst offender :-)

Cheers,
Davidm

--
David McCullough, dav...@se..., Ph:+61 734352815
Secure Computing - SnapGear http://www.uCdot.org http://www.snapgear.com

From: Xianghua X. <x....@fr...> - 2008-06-03 21:37:05

I tried them on 2.6.24 using PSK for subnetA-GW1-GW2-subnetB. Run "ipsec
eroute" showed a tunnel is up between GW1-GW2. However when I send
packets from subnetA to subnetB, it seems the vpn channel is not
involved, i.e. I got the same throughput with/without ipsec. I disabled
OCF totally for the debugging, also when "ifconfig ipsec0" I saw zero
packets are Tx/Rx-ed, though eth1/eth0 has lots of packets Tx/Rx-ed,
seems like ipsec0 is bypassed totally.

Any suggestions?

Thanks,
Xianghua

David McCullough wrote:
>
> Jivin xianghua xiao lays it down ...
> ...
> > Yes I would like to try your alpha tarball right away. I managed to get
> > KLIPS compiled under 2.6.24 but it crashes sometimes, plus pluto
> > complained "no hardware accelerator was found".
>
> Ok, here is everything I think you need and is easiest to generate.
> It's an openswan-2.4.12 patch and a diff against the old 2007 release of
> OCF. Since you have openssl working I don't think you need a new version
> of that patch.
>
> This is not as nicely packaged as a release, but I think you will be
> able to work out what you need, if not hassle me :-)
>
> > Hope someday NETKEY can invoke OCF directly, that will make life easier.
>
> Or someone writes crypto drivers for linux for the HW you are using :-)
>
> > There are quite a lot of legacy network code in OpenSwan (partially due to
> > its back-compatibility support) and it's becoming harder to keep KLIPS
> > in sync with new kernel releases.
>
> It's not too bad actually, we update kernels regularly and while
> openswan is often an issue, it's not always the worst offender :-)
>
> Cheers,
> Davidm
>
> --
> David McCullough, dav...@se..., Ph:+61 734352815
> Secure Computing - SnapGear http://www.uCdot.org http://www.snapgear.com
>