[Openswan dev] IPsec HW Offload Engine support

remy.gauguey at mindspeed.com remy.gauguey at mindspeed.com
Wed Jun 7 19:08:00 CEST 2006

Thanks a lot.

I've checked out the git tree, and after a first look, it sounds far 
easier to integrate a full packet IPsec hw offload engine than on 
I've seen that this is part of the ocf-linux "todo list" and that the 
SafeNet SafeXcel is able to do this ESP/AH processing too... (but not yet 
supported :-()
My plan is to add an additional field (ocf_full_pkt_proc) in the struct 
ipsec_sa  (like ocf_in_use flag) which would be initialized according to 
crypto driver capabilities (in ipsec_ocf_sa_init()) 
Then according to this flag we could skip some part of code in the IPsec 
state machine functions.

Maybe you've already started to work on this...
In anycase, any comment/suggestions would be appreciated ...

best regards

David McCullough <david_mccullough at au.securecomputing.com>
Sent by: David McCullough <davidm at snapgear.com>
31/05/2006 12:56
        To:     remy.gauguey at mindspeed.com
        cc:     dev at openswan.org
        Subject:        Re: [Openswan dev] IPsec HW Offload Engine support

Jivin remy.gauguey at mindspeed.com lays it down ...
> Hello,
> I'm currently working on a CPE SoC based on ARM11 with an IPSec offload 
> engine.
> This engine performs crypto operations (cipher + digest) but also ESP/AH 

> protocols offload (ESP/AH header and trailer insertion, IPv4 (only) 
> modification...).
> This engine manages SA database, with TTL and anti-replay checks.
> I'm currently working on the integration of this HW accelerator into the 

> 26sec (based on a patch written for 3Com crypto NICs : 
> http://oss.sgi.com/archives/netdev/2005-01/msg00360.html ), but I would 
> like to know how feasible would it be to integrate such a IPSec Offload 
> Engine into OpenSwan KLIPS architecture.
> It sounds like to me the IPsecX interface would allow to do this easier 
> than on 26sec...
> Any ideas or comments are welcome

Have a look at:


There is also a publicly available GIT tree for 2.6 with Openswan and
OCF fully integrated.


It should be really easy to add an OCF driver for the cipher/digest
portions,  from there the state machine is already close to what will be
needed for ful packet processing and is something that is being worked


David McCullough,  david_mccullough at securecomputing.com,   Ph:+61 
Secure Computing - SnapGear  http://www.uCdot.org 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/dev/attachments/20060607/976e4078/attachment.htm

More information about the Dev mailing list