<br><font size=2 face="sans-serif">Thanks a lot.</font>
<br>
<br><font size=2 face="sans-serif">I've checked out the git tree, and after
a first look, it sounds far easier to integrate a full packet IPsec hw
offload engine than on 26sec....</font>
<br><font size=2 face="sans-serif">I've seen that this is part of the ocf-linux
"todo list" and that the SafeNet SafeXcel is able to do this
ESP/AH processing too... (but not yet supported :-()</font>
<br><font size=2 face="sans-serif">My plan is to add an additional field
(ocf_full_pkt_proc) in the struct ipsec_sa (like ocf_in_use flag)
which would be initialized according to crypto driver capabilities (in
ipsec_ocf_sa_init()) </font>
<br><font size=2 face="sans-serif">Then according to this flag we could
skip some part of code in the IPsec state machine functions.</font>
<br>
<br><font size=2 face="sans-serif">Maybe you've already started to work
on this...</font>
<br><font size=2 face="sans-serif">In any case, any comments/suggestions
would be appreciated ...</font>
<br>
<br><font size=2 face="sans-serif">best regards</font>
<br><font size=2 face="sans-serif">Remy</font>
<br>
<table width=100%>
<tr valign=top>
<td>
<td><font size=1 face="sans-serif"><b>David McCullough &lt;david_mccullough@au.securecomputing.com&gt;</b></font>
<br><font size=1 face="sans-serif">Sent by: David McCullough &lt;davidm@snapgear.com&gt;</font>
<p><font size=1 face="sans-serif">31/05/2006 12:56</font>
<td><font size=1 face="Arial"> </font>
<br><font size=1 face="sans-serif"> To:
remy.gauguey@mindspeed.com</font>
<br><font size=1 face="sans-serif"> cc:
dev@openswan.org</font>
<br><font size=1 face="sans-serif"> Subject:
Re: [Openswan dev] IPsec HW Offload
Engine support</font></table>
<br>
<br>
<br><font size=2><tt><br>
Jivin remy.gauguey@mindspeed.com lays it down ...<br>
> Hello,<br>
> <br>
> I'm currently working on a CPE SoC based on ARM11 with an IPSec offload
<br>
> engine.<br>
> This engine performs crypto operations (cipher + digest) but also
ESP/AH <br>
> protocols offload (ESP/AH header and trailer insertion, IPv4 (only)
header <br>
> modification...).<br>
> This engine manages SA database, with TTL and anti-replay checks.<br>
> I'm currently working on the integration of this HW accelerator into
the <br>
> 26sec (based on a patch written for 3Com crypto NICs : <br>
> http://oss.sgi.com/archives/netdev/2005-01/msg00360.html ), but I
would <br>
> like to know how feasible would it be to integrate such an IPSec Offload
<br>
> Engine into OpenSwan KLIPS architecture.<br>
> It sounds like to me the IPsecX interface would allow to do this easier
<br>
> than on 26sec...<br>
> <br>
> Any ideas or comments are welcome<br>
<br>
Have a look at:<br>
<br>
http://ocf-linux.sourceforge.net/<br>
<br>
There is also a publicly available GIT tree for 2.6 with Openswan and<br>
OCF fully integrated.<br>
<br>
http://git.openswan.org/public/scm/klips.git#ocf_v2.6.16<br>
<br>
It should be really easy to add an OCF driver for the cipher/digest<br>
portions, from there the state machine is already close to what will
be<br>
needed for full packet processing and is something that is being worked<br>
on/discussed.<br>
<br>
Cheers,<br>
Davidm<br>
<br>
-- <br>
David McCullough, david_mccullough@securecomputing.com, Ph:+61
734352815<br>
Secure Computing - SnapGear http://www.uCdot.org http://www.cyberguard.com<br>
<br>
</tt></font>
<br>