From: "Loc Ho" <lho@amcc.com>
Subject: RE: IPSec ESP Authenc Offload
Date: Wed, 28 May 2008 16:02:11 -0700
Message-ID: <0CA0A16855646F4FA96D25A158E299D604815113@SDCEXCHANGE01.ad.amcc.com>
References: <alpine.LFD.1.10.0805250731530.23219@localhost.localdomain> <20080526112058.GA16525@gondor.apana.org.au> <0CA0A16855646F4FA96D25A158E299D604814C4A@SDCEXCHANGE01.ad.amcc.com> <20080528063434.GA1173@gondor.apana.org.au> <0CA0A16855646F4FA96D25A158E299D604814F16@SDCEXCHANGE01.ad.amcc.com> <20080528222246.GA7798@gondor.apana.org.au>
Mime-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 8BIT
Cc: <linux-crypto@vger.kernel.org>
To: "Herbert Xu" <herbert@gondor.apana.org.au>
Return-path: <linux-crypto-owner@vger.kernel.org>
Received: from sdcmail02-ext1.amcc.com ([198.137.200.73]:30888 "EHLO
	sdcmail02.amcc.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1753820AbYE1XCN convert rfc822-to-8bit (ORCPT
	<rfc822;linux-crypto@vger.kernel.org>);
	Wed, 28 May 2008 19:02:13 -0400
Content-class: urn:content-classes:message
In-Reply-To: <20080528222246.GA7798@gondor.apana.org.au>
Sender: linux-crypto-owner@vger.kernel.org
List-ID: <linux-crypto.vger.kernel.org>

Hi,

It doesn't help if it is generated by software. The driver still needs a
context SA for each operation. In addition, the driver will have to
increment seq (or load from request) and load SEQ and IV into each
context SA. It is much cleaner if our driver knows the whole header
length. Even if the hardware rewrites the SPI and SEQ again, it is all
handled by hardware offload and will not be a problem for IPSEC ESP.

-Loc


-----Original Message-----
From: Herbert Xu [mailto:herbert@gondor.apana.org.au] 
Sent: Wednesday, May 28, 2008 3:23 PM
To: Loc Ho
Cc: linux-crypto@vger.kernel.org
Subject: Re: IPSec ESP Authenc Offload

On Wed, May 28, 2008 at 09:42:47AM -0700, Loc Ho wrote:
> Hi,
> 
> With IPSec ESP Authenc, it is expected that the selected driver 
> generates "IV" as well as encrypts the data. Our 'hardware' (available

> currently), can only handle either no header processing or header 
> processing (from ESP to IV processing but not individual field 
> processing).
> 
> For no header processing, we will have to do a lot more work in 
> software
> - create a context SA for each requested operation, copy from the 
> initial context SA, after the operation completed, retrieve the update

> IV from context SA, and then write it back to the packet.

Do you still need to do this if we used a software-generated IV?

Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au> Home Page:
http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt