[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 3 Mar 2020 11:36:15 +0100
From: Antoine Tenart <antoine.tenart@...tlin.com>
To: dsahern@...il.com, sd@...asysnail.net
Cc: Antoine Tenart <antoine.tenart@...tlin.com>, netdev@...r.kernel.org
Subject: [PATCH iproute2-next v2 0/4] macsec: add offloading support
Hello,
This series adds support for selecting and reporting the offloading mode
of a MACsec interface. Available modes are for now 'off' and 'phy',
'off' being the default when an interface is created. Modes are not only
'off' and 'on' as the MACsec operations can be offloaded to multiple
kinds of specialized hardware devices, at least to PHYs and Ethernet
MACs. The later isn't currently supported in the kernel though.
The first patch adds support for reporting the offloading mode currently
selected for a given MACsec interface through the `ip macsec show`
command:
# ip macsec show
18: macsec0: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
cipher suite: GCM-AES-128, using ICV length 16
TXSC: 3e5035b67c860001 on SA 0
0: PN 1, state on, key 00000000000000000000000000000000
RXSC: b4969112700f0001, state on
0: PN 1, state on, key 01000000000000000000000000000000
-> offload: phy
19: macsec1: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
cipher suite: GCM-AES-128, using ICV length 16
TXSC: 3e5035b67c880001 on SA 0
1: PN 1, state on, key 00000000000000000000000000000000
RXSC: b4969112700f0001, state on
1: PN 1, state on, key 01000000000000000000000000000000
-> offload: off
The second patch allows an user to change the offloading mode at runtime
through a new subcommand, `ip macsec offload`:
# ip macsec offload macsec0 phy
# ip macsec offload macsec0 off
If a mode isn't supported, `ip macsec offload` will report an issue
(-EOPNOTSUPP).
Giving the offloading mode when a macsec interface is created was
discussed; it is not implemented in this series. It could come later
on, when needed, as we'll still want to support updating the offloading
mode at runtime (what's implemented in this series).
Thanks!
Antoine
Since v1:
- Added an accessor when accessing the offload_str array. Likewise
added an accessor for the existing validate_str array.
- Added a description of the new `macsec offload` command in the man
page.
Antoine Tenart (4):
macsec: report the offloading mode currently selected
macsec: add support for changing the offloading mode
man: document the ip macsec offload command
macsec: add an accessor for validate_str
ip/ipmacsec.c | 83 ++++++++++++++++++++++++++++++++++++++++++--
man/man8/ip-macsec.8 | 7 ++++
2 files changed, 88 insertions(+), 2 deletions(-)
--
2.24.1
Powered by blists - more mailing lists