From: Jakub Kicinski <kuba@kernel.org>
To: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Leon Romanovsky <leon@kernel.org>,
"David S . Miller" <davem@davemloft.net>,
Herbert Xu <herbert@gondor.apana.org.au>,
<netdev@vger.kernel.org>, Raed Salem <raeds@nvidia.com>,
ipsec-devel <devel@linux-ipsec.org>,
Jason Gunthorpe <jgg@nvidia.com>
Subject: Re: [PATCH xfrm-next v2 0/6] Extend XFRM core to allow full offload configuration
Date: Thu, 18 Aug 2022 18:54:12 -0700 [thread overview]
Message-ID: <20220818185412.6f294cef@kernel.org> (raw)
In-Reply-To: <20220818101031.GC566407@gauss3.secunet.de>
On Thu, 18 Aug 2022 12:10:31 +0200 Steffen Klassert wrote:
> > > You must provide a clear analysis (as in examination in data) and
> > > discussion (as in examination in writing) if you're intending to
> > > change the "let's keep packet formation in the SW" policy. What you
> > > got below is a good start but not sufficient.
>
> I'm still a bit unease about this approach. I fear that doing parts
> of statefull IPsec procesing in software and parts in hardware will
> lead to all sort of problems. E.g. with this implementation
> the software has no stats, liftetime, lifebyte and packet count
> information but is responsible to do the IKE communication.
>
> We might be able to sort out all problems during the upstraming
> process, but I still have no clear picture how this should work
> in the end with all corener cases this creates.
Makes sense. I'm not sure any of the "deep and stateful offloads"
we have can be considered a success so IMHO we can be selective
in the approaches we accept.
> Also the name full offload is a bit missleading, because the
> software still has to hold all offloaded states and policies.
> In a full offload, the stack would IMO just act as a stub
> layer between IKE and hardware.
next prev parent reply other threads:[~2022-08-19 1:54 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-16 8:59 [PATCH xfrm-next v2 0/6] Extend XFRM core to allow full offload configuration Leon Romanovsky
2022-08-16 8:59 ` [PATCH xfrm-next v2 1/6] xfrm: add new full offload flag Leon Romanovsky
2022-08-16 8:59 ` [PATCH xfrm-next v2 2/6] xfrm: allow state full offload mode Leon Romanovsky
2022-08-18 10:12 ` Steffen Klassert
2022-08-18 13:28 ` Leon Romanovsky
2022-08-22 8:01 ` Steffen Klassert
2022-08-22 8:46 ` Leon Romanovsky
2022-08-16 8:59 ` [PATCH xfrm-next v2 3/6] xfrm: add an interface to offload policy Leon Romanovsky
2022-08-16 8:59 ` [PATCH xfrm-next v2 4/6] xfrm: add TX datapath support for IPsec full offload mode Leon Romanovsky
2022-08-18 10:24 ` Steffen Klassert
2022-08-18 13:34 ` Leon Romanovsky
2022-08-22 8:04 ` Steffen Klassert
2022-08-22 8:50 ` Leon Romanovsky
2022-08-16 8:59 ` [PATCH xfrm-next v2 5/6] xfrm: add RX datapath protection " Leon Romanovsky
2022-08-18 10:27 ` Steffen Klassert
2022-08-18 13:36 ` Leon Romanovsky
2022-08-22 8:06 ` Steffen Klassert
2022-08-22 9:35 ` Leon Romanovsky
2022-08-16 8:59 ` [PATCH xfrm-next v2 6/6] xfrm: enforce separation between priorities of HW/SW policies Leon Romanovsky
2022-08-17 2:54 ` [PATCH xfrm-next v2 0/6] Extend XFRM core to allow full offload configuration Jakub Kicinski
2022-08-17 5:22 ` Leon Romanovsky
2022-08-17 18:10 ` Jakub Kicinski
2022-08-18 5:24 ` Leon Romanovsky
2022-08-18 10:10 ` Steffen Klassert
2022-08-18 12:51 ` Leon Romanovsky
2022-08-19 1:54 ` Jakub Kicinski [this message]
2022-08-19 2:34 ` Jakub Kicinski
2022-08-19 5:52 ` Leon Romanovsky
2022-08-19 15:47 ` Jakub Kicinski
2022-08-19 16:01 ` Jason Gunthorpe
2022-08-19 17:53 ` Jakub Kicinski
2022-08-22 8:41 ` Steffen Klassert
2022-08-22 8:54 ` Leon Romanovsky
2022-08-22 16:33 ` Jakub Kicinski
2022-08-22 21:27 ` Saeed Mahameed
2022-08-23 0:17 ` Jakub Kicinski
2022-08-23 5:22 ` Steffen Klassert
2022-08-23 14:06 ` Leon Romanovsky
2022-08-23 4:48 ` Leon Romanovsky
2022-08-26 12:20 ` Jason Gunthorpe
2022-08-23 5:34 ` Leon Romanovsky
2022-08-18 10:09 ` Steffen Klassert
2022-08-18 13:26 ` Leon Romanovsky
2022-08-22 8:34 ` Steffen Klassert
2022-08-22 9:34 ` Leon Romanovsky
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220818185412.6f294cef@kernel.org \
--to=kuba@kernel.org \
--cc=davem@davemloft.net \
--cc=devel@linux-ipsec.org \
--cc=herbert@gondor.apana.org.au \
--cc=jgg@nvidia.com \
--cc=leon@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=raeds@nvidia.com \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.