Message-ID: <Y3xr5DkA+EZXEfkZ@unreal>
Date: Tue, 22 Nov 2022 08:27:48 +0200
From: Leon Romanovsky <leon@...nel.org>
To: Herbert Xu <herbert@...dor.apana.org.au>
Cc: Steffen Klassert <steffen.klassert@...unet.com>,
"David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, netdev@...r.kernel.org
Subject: Re: [PATCH xfrm-next v7 6/8] xfrm: speed-up lookup of HW policies

On Tue, Nov 22, 2022 at 12:29:12PM +0800, Herbert Xu wrote:
> On Mon, Nov 21, 2022 at 03:21:45PM +0200, Leon Romanovsky wrote:
> >
> > The thing is that this SW acquire flow is a fraction case, as it applies
> > to locally generated traffic.
>
> A router can trigger an acquire on forwarded packets too. Without
> larvals this could quickly overwhelm the router.

This series doesn't support tunnel mode yet.

Maybe I was not clear, but I wanted to say that in the eswitch case and
tunnel mode, the packets will be handled purely by HW without raising
into SW core.

It is so-called transparent IPsec, where all configuration is done on
hypervisor, so VMs connected through eswitch will get already decrypted
traffic which is routed through eswitch NIC logic without passing
hypervisor data path.

Steffen expected to see changes to acquire logic as part of this series
and in my explanation, I tried to explain why it is not needed now and
how it will be implemented later.

Thanks

>
> Cheers,
> --
> Email: Herbert Xu <herbert@...dor.apana.org.au>
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt