'Re: [E1000-devel] [e1000-devel@lists.sourceforge.net] x540 / 82599 IPsec offload - Linux ixgbe drive'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       e1000-devel
Subject:    Re: [E1000-devel] [e1000-devel@lists.sourceforge.net] x540 / 82599 IPsec offload - Linux ixgbe drive
From:       Alexander Duyck <alexander.duyck () gmail ! com>
Date:       2018-01-17 16:01:06
Message-ID: CAKgT0UekHmF0TtaENn2ZTqGq3ACNUbxDoDri6g2oiOh5FuiAug () mail ! gmail ! com
[Download RAW message or body]

Hi Avi,

Having to zero out the IPv4 checksum seems to imply that the outer IP
checksum is being recomputed by hardware. That shouldn't be the case
normally unless we are running TSO since the IP header shouldn't be
changing as the hardware requires all the fields be present. Do you
know if the provided IPv4 header was valid for the frame or not before
it was given to the hardware? You should be able to verify that using
something like tcpdump or wireshark as I believe either one can
perform validation of the IPv4 header as a part of the packet analysis
for outgoing frames.

My concern is that either the addition of the trailer isn't being
correctly added to the length of the IPv4 frame and recomputed if an
offload is requested, or that the hardware is recomputing the IPv4
checksum when it doesn't need to which would imply we are requesting
it somewhere where we shouldn't be.

Thanks.

- Alex

On Tue, Jan 16, 2018 at 11:46 PM, Avi Cohen (A) <avi.cohen@huawei.com> wrote:
> Hi Shannon
> I solved the checksum issue by clearing the ip-checksum field before sending pkt to \
> the nic (there was a value there != 0 - I think he HW leave this field unchanged if \
> not set to zero) Currently I'm working with the dpdk ipsec offload sample app.
> I'll update you with the  TSO issue later
> Thanks Avi
> 
> > -----Original Message-----
> > From: Shannon Nelson [mailto:shannon.nelson@oracle.com]
> > Sent: Monday, 15 January, 2018 7:56 PM
> > To: Avi Cohen (A); Fujinaka, Todd; Buchholz, Donald
> > Cc: e1000-devel@lists.sourceforge.net
> > Subject: Re: [e1000-devel@lists.sourceforge.net] x540 / 82599 IPsec offload -
> > Linux ixgbe driver
> > 
> > On 1/15/2018 2:24 AM, Avi Cohen (A) wrote:
> > > Hi Shannon
> > > You've mentioned that " the code doesn't yet handle TSO or checksum offload
> > at the same time as ipsec offload "
> > > Why is that is this HW limitation ?
> > > Best Regards
> > > Avi
> > 
> > This is a software issue, the hardware should be fine with it.  For me, it didn't
> > work on the "first try", and I was seeing some odd stuff in the short bit of \
> > debug work that I did.  I decided to put out what I did have working, and then I \
> > could come back to the TSO and checksum work later.  I should be able to work on
> > that in the next couple of weeks.
> > 
> > sln
> > 
> > > 
> > > > -----Original Message-----
> > > > From: Shannon Nelson [mailto:shannon.nelson@oracle.com]
> > > > Sent: Wednesday, 03 January, 2018 7:22 PM
> > > > To: Avi Cohen (A); Fujinaka, Todd; Buchholz, Donald
> > > > Cc: e1000-devel@lists.sourceforge.net
> > > > Subject: Re: [e1000-devel@lists.sourceforge.net] x540 / 82599 IPsec offload
> > -
> > > > Linux ixgbe driver
> > > > 
> > > > Hi folks, it's nice to hear from you all.
> > > > 
> > > > To your questions, Avi:
> > > > 1. The Linux kernel stack didn't support ipsec when the ixgbe driver first
> > came
> > > > out.  This support was only recently (in the last year) added.  My patches \
> > > > are being tested by Intel before they push them up to net-next, but you are
> > > > welcome to pull them yourself for your own testing
> > > > - Don's links below will get you to them.
> > > > 2. The recent XFRM work from Steffen Klassert takes care of the upper-stack
> > > > responsibilities for setting up the Tx and tearing down the Rx packets.  The
> > > > offload capability does the encryption/decryption and updates the ESP fields.
> > > > 3. The Intel datasheets and the code in the Mellanox driver are the
> > references I
> > > > had available to me when implementing the changes.  I also appreciate the
> > > > support I got from a few of the Intel developers.
> > > > 
> > > > The quick summary is that under my simple testing, the patches offload
> > ipsec
> > > > traffic for the one encryption that Intel offers.  The performance still \
> > > > needs some tweaking as the code doesn't yet handle TSO or checksum offload at
> > the
> > > > same time as ipsec offload.  However, in one iperf test where the software
> > > > ipsec only gives us about 300Mbps on a 10GbE link, I've seen 7Gbps or
> > better
> > > > with the offload turned on.
> > > > 
> > > > You can get more information from the slides and video of the IPsec
> > workshop
> > > > at the recent NetDevConf:
> > > > https://www.netdevconf.org/2.2/session.html?klassert-ipsec-workshop
> > > > You can get a little more information and background from the previous
> > > > NetDevConf slides and videos.
> > > > 
> > > > As Don mentioned below, I've forwarded the patches to Intel's git tree and
> > they
> > > > are currently under review and test with the Intel folks.  I don't know their
> > > > current progress, but I hope to see the patches pushed into net-next soon.
> > > > 
> > > > Todd, perhaps you can poke at the test folks and let them know we have
> > > > customers anxiously awaiting the patches?
> > > > 
> > > > Thanks for your interest,
> > > > Shannon
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > On 1/3/2018 12:29 AM, Avi Cohen (A) wrote:
> > > > > Hi Nelson
> > > > > 
> > > > > 1.Can you tell what is the status of ixgbe – ipsec offload patch's?
> > > > > 
> > > > > 2.Are there any ‘numbers' of performance tests?  Ipsec in SW  v.s.
> > > > > ipsec in HW ?
> > > > > 
> > > > > 3.Where is the code for ipsec headers insertion/removal by SW ? is
> > > > > this done in ip-stack ? hooks ?
> > > > > 
> > > > > Thanks You (and  Don and Todd) and Best Regards
> > > > > 
> > > > > Avi
> > > > > 
> > > > > *From:*Fujinaka, Todd [mailto:todd.fujinaka@intel.com]
> > > > > *Sent:* Tuesday, 02 January, 2018 10:54 PM
> > > > > *To:* Buchholz, Donald; Avi Cohen (A)
> > > > > *Subject:* RE: [linux.nics@intel.com] x540 / 82599 IPsec offload -
> > > > > Linux ixgbe driver
> > > > > 
> > > > > We did not support IPsec offloads in Linux because the kernel
> > > > > maintainers didn't trust any crypto implementation that they couldn't
> > > > > audit and told us those patches wouldn't be accepted. I don't know if
> > > > > that's changed.
> > > > > 
> > > > > The implementation of IPsec offloads is being done by an Oracle
> > > > > engineer and I would suggest contacting him directly with your questions.
> > > > > 
> > > > > *Todd Fujinaka*
> > > > > 
> > > > > Software Application Engineer
> > > > > 
> > > > > Datacenter Engineering Group
> > > > > 
> > > > > Intel Corporation
> > > > > 
> > > > > _todd.fujinaka@intel.com <mailto:todd.fujinaka@intel.com>___
> > > > > 
> > > > > *From:*Buchholz, Donald
> > > > > *Sent:* Tuesday, January 2, 2018 11:15 AM
> > > > > *To:* Avi Cohen <avi.cohen@huawei.com
> > <mailto:avi.cohen@huawei.com>>
> > > > > *Subject:* Re: [linux.nics@intel.com] x540 / 82599 IPsec offload -
> > > > > Linux ixgbe driver
> > > > > 
> > > > > Hi Avi,
> > > > > 
> > > > > We have not supported IPsec Offload in 'ixgbe' in the past due to lack
> > > > > of demand.  However, your timing in this matter is perfect!  Patches
> > > > > have been submitted to the intel-wired-lan list and are currently
> > > > > under review in the ixgbe development tree.  We expect these to be in
> > > > > the linux-4.16 kernel.
> > > > > 
> > > > > Patch series under review:
> > > > > --
> > > > > 
> > > > > http://patchwork.ozlabs.org/project/intel-wired-lan/list/?series=19548
> > > > > 
> > > > > Patch series in intel-wired-lan email list:
> > > > > --
> > > > > 
> > > > > https://lists.osuosl.org/pipermail/intel-wired-lan/Week-of-Mon-2017121
> > > > > 8/thread.html
> > > > > 
> > > > > I am copying this reply to an internal engineering list so the
> > > > > development team is aware of your interest.
> > > > > 
> > > > > Unfortunately this "linux.nics@intel.com"
> > > > > <mailto:linux.nics@intel.com> email address isn't well-monitored.
> > > > > Please use "e1000-devel@lists.sourceforge.net"
> > > > > <mailto:e1000-devel@lists.sourceforge.net>
> > > > > for any additional questions about the Linux drivers for any Intel
> > > > > (wired) Ethernet device.
> > > > > -- https://sourceforge.net/p/e1000/mailman/
> > > > > 
> > > > > Best Regards,
> > > > > - Don Buchholz
> > > > > - Network SW Engineer
> > > > > - Intel Corporation
> > > > > - DCG/CG/ND/SW Core/Open Source
> > > > > 
> > > > > ----------------------------------------------------------------------
> > > > > --
> > > > > 
> > > > > Date: Sun, 31 Dec 2017 14:54:54 +0000
> > > > > From: "Avi Cohen (A)" <avi.cohen@huawei.com>
> > > > > <mailto:avi.cohen@huawei.com>
> > > > > To: "linux.nics@intel.com" <mailto:linux.nics@intel.com>
> > > > > <linux.nics@intel.com> <mailto:linux.nics@intel.com>
> > > > > Subject: x540 / 82599   IPsec offload - Linux ixgbe driver
> > > > > 
> > > > > Hello all,
> > > > > I see in the datasheet of devices x540/82599 that it supports HW IPsec
> > > > > offload - but there is no support in ixgbe SW driver.
> > > > > Questions:
> > > > > 1. Why there is no support in ixgbe ?
> > > > > 2. From the datasheet I understand that TX packets send to HW should
> > > > > contain IPsec headers
> > > > > I think this should be handled in Linux ip-stack - is there any
> > > > > work done there ?
> > > > > 3. Is there  other helpful documentation to implement SW for HW IPsec,
> > > > > available ?
> > > > > 
> > > > > Thank you and bets regards
> > > > > Avi
> > > > > 
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> E1000-devel mailing list
> E1000-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/e1000-devel
> To learn more about Intel&#174; Ethernet, visit \
> http://communities.intel.com/community/wired

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
E1000-devel mailing list
E1000-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/e1000-devel
To learn more about Intel&#174; Ethernet, visit \
http://communities.intel.com/community/wired


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic