Message-ID: <20231003180557.GC51282@unreal>
Date: Tue, 3 Oct 2023 21:05:57 +0300
From: Leon Romanovsky <leon@...nel.org>
To: David Ahern <dsahern@...nel.org>
Cc: Tariq Toukan <tariqt@...dia.com>,
	Stephen Hemminger <stephen@...workplumber.org>,
	"David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>, Paolo Abeni <pabeni@...hat.com>,
	Jiri Pirko <jiri@...dia.com>, Dima Chumak <dchumak@...dia.com>,
	Jakub Kicinski <kuba@...nel.org>,
	Saeed Mahameed <saeedm@...dia.com>, netdev@...r.kernel.org
Subject: Re: [PATCH iproute2-next V3 1/2] devlink: Support setting port
 function ipsec_crypto cap

On Tue, Oct 03, 2023 at 08:46:51AM -0600, David Ahern wrote:
> On 10/2/23 4:43 AM, Tariq Toukan wrote:
> > From: Dima Chumak <dchumak@...dia.com>
> > 
> > Support port function commands to enable / disable IPsec crypto
> > offloads, this is used to control the port IPsec device capabilities.
> > 
> > When IPsec crypto capability is disabled for a function of the port
> > (default), function cannot offload IPsec operation. When enabled, IPsec
> > operation can be offloaded by the function of the port.
> > 
> > Enabling IPsec crypto offloads lets the kernel delegate XFRM state
> > processing and encrypt/decrypt operation to the device hardware.
> > 
> > Example of a PCI VF port which supports IPsec crypto offloads:
> > 
> > $ devlink port show pci/0000:06:00.0/1
> >     pci/0000:06:00.0/1: type eth netdev enp6s0pf0vf0 flavour pcivf pfnum 0 vfnum 0
> > 	function:
> > 	hw_addr 00:00:00:00:00:00 roce enable ipsec_crypto disable
> > 
> > $ devlink port function set pci/0000:06:00.0/1 ipsec_crypto enable
> > 
> > $ devlink port show pci/0000:06:00.0/1
> >     pci/0000:06:00.0/1: type eth netdev enp6s0pf0vf0 flavour pcivf pfnum 0 vfnum 0
> > 	function:
> > 	hw_addr 00:00:00:00:00:00 roce enable ipsec_crypto enable
> > 
> 
> Why not just 'ipsec' instead of 'ipsec_crypto'? What value does the
> extra '_crypto' provide?

There are two IPsec offloaded modes: crypto offload and packet offload.
They need to be separated and can operate independently as these modes
are per-SA/policy.

To make it more clear to users, we are using ipsec_crypto to be
explicit.

Thanks

> 
> 
> 
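
Added example, not part of the original message or the patch: a shell helper that reads `devlink port show` text in the layout quoted above and reports each port function's `ipsec_crypto` state, so a host can be audited for functions that have the offload capability enabled. The function names and the second sample port are constructed for illustration.

```shell
#!/bin/sh
# Audit helper (added example): parse `devlink port show` text output.

# Reads devlink output on stdin and prints "<port> <netdev> <flavour> <state>"
# for every port function that reports an ipsec_crypto attribute.
ipsec_crypto_report() {
    awk '
        # Port header, e.g. "pci/0000:06:00.0/1: type eth netdev ... flavour pcivf"
        $1 ~ /:$/ && $2 == "type" {
            port = substr($1, 1, length($1) - 1)
            netdev = "-"; flavour = "-"
            for (i = 2; i < NF; i++) {
                if ($i == "netdev")  netdev  = $(i + 1)
                if ($i == "flavour") flavour = $(i + 1)
            }
            next
        }
        # Function attribute line: whitespace-separated key/value pairs
        port != "" {
            for (i = 1; i < NF; i++)
                if ($i == "ipsec_crypto")
                    print port, netdev, flavour, $(i + 1)
        }
    '
}

# Prints only the ports whose function has ipsec_crypto enabled.
ipsec_crypto_enabled() {
    ipsec_crypto_report | awk '$4 == "enable" { print $1 }'
}

# Constructed sample: first port follows the message above, second is invented.
sample_devlink_output() {
    cat <<'EOF'
pci/0000:06:00.0/1: type eth netdev enp6s0pf0vf0 flavour pcivf pfnum 0 vfnum 0
    function:
    hw_addr 00:00:00:00:00:00 roce enable ipsec_crypto enable
pci/0000:06:00.0/2: type eth netdev enp6s0pf0vf1 flavour pcivf pfnum 0 vfnum 1
    function:
    hw_addr 00:00:00:00:00:00 roce enable ipsec_crypto disable
EOF
}

sample_devlink_output | ipsec_crypto_report
```

On a live system, pipe `devlink port show` into `ipsec_crypto_enabled` instead of the sample.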
