From: "Loc Ho"
Subject: RE: IPSec ESP Authenc Offload
Date: Wed, 28 May 2008 16:02:11 -0700
Message-ID: <0CA0A16855646F4FA96D25A158E299D604815113@SDCEXCHANGE01.ad.amcc.com>
References: <20080526112058.GA16525@gondor.apana.org.au>
 <0CA0A16855646F4FA96D25A158E299D604814C4A@SDCEXCHANGE01.ad.amcc.com>
 <20080528063434.GA1173@gondor.apana.org.au>
 <0CA0A16855646F4FA96D25A158E299D604814F16@SDCEXCHANGE01.ad.amcc.com>
 <20080528222246.GA7798@gondor.apana.org.au>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 8BIT
To: "Herbert Xu"
Received: from sdcmail02-ext1.amcc.com ([198.137.200.73]:30888 "EHLO
 sdcmail02.amcc.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S1753820AbYE1XCN convert rfc822-to-8bit (ORCPT );
 Wed, 28 May 2008 19:02:13 -0400
Content-class: urn:content-classes:message
In-Reply-To: <20080528222246.GA7798@gondor.apana.org.au>
Sender: linux-crypto-owner@vger.kernel.org

Hi,

It doesn't help if it is generated by software. The driver still needs a
context SA for each operation. In addition, the driver will have to
increment seq (or load from request) and load SEQ and IV into each context
SA. It is much cleaner if our driver knows the whole header length. Even if
the hardware rewrites the SPI and SEQ again, it is all handled by hardware
offload and will not be a problem for IPSEC ESP.

-Loc

-----Original Message-----
From: Herbert Xu [mailto:herbert@gondor.apana.org.au]
Sent: Wednesday, May 28, 2008 3:23 PM
To: Loc Ho
Cc: linux-crypto@vger.kernel.org
Subject: Re: IPSec ESP Authenc Offload

On Wed, May 28, 2008 at 09:42:47AM -0700, Loc Ho wrote:
> Hi,
>
> With IPSec ESP Authenc, it is expected that the selected driver
> generates "IV" as well as encrypts the data. Our 'hardware' (available
> currently), can only handle either no header processing or header
> processing (from ESP to IV processing but not individual field
> processing).
>
> For no header processing, we will have to do a lot more work in
> software - create a context SA for each requested operation, copy from
> the initial context SA, after the operation completed, retrieve the
> update IV from context SA, and then write it back to the packet.

Do you still need to do this if we used a software-generated IV?

Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~}
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt