XFRM pCPU: Difference between revisions

From Libreswan
Jump to navigation Jump to search
(Created page with "= the idea called per cpu sa in out going direction was discussed at Linux IPsec workshop in Prague. The following two worked on proto type. Libreswan picket terminology "clon...")
 
No edit summary
Line 14: Line 14:
* don't allow clone instance on its own to be add|delete|down on the unaliased name.
* don't allow clone instance on its own to be add|delete|down on the unaliased name.
* test interop with unsupported version. ideally we should figure it out and not install clones. It could be that we will install clones and the last one would be used.
* test interop with unsupported version. ideally we should figure it out and not install clones. It could be that we will install clones and the last one would be used.
== how add pCPU support only on OUT direction ==
You need extra flags to XFRM_MSG_GETSA  and XFRM_MSG_UPDSA, XFRM_MSG_GETSA when dealing with out going s
=== XFRM_MSG_GETSA | XFRM_MSG_UPDSA  ===
both head SA and sub SA need extra attributes.
* head SA set XFRMA_SA_EXTRA_FLAGS to XFRM_SA_PCPU_HEAD*
* sub sa set XFRMA_SA_EXTRA_FLAGS to XFRM_SA_PCPU_SUB AND XFRMA_SA_PCPU to <sub-sa-id>. Sub SA ID start from 0-u32
=== XFRM_MSG_GETSA call only change for sub sda ===
* sub SA set  XFRMA_SA_EXTRA_FLAGS to XFRM_SA_PCPU_SUB AND XFRMA_SA_PCPU to <sub-sa-id>.
* also set XFRMA_SRCADDR to src addr

Revision as of 14:35, 16 April 2019

= the idea called per cpu sa in out going direction was discussed at Linux IPsec workshop in Prague. The following two worked on proto type. Libreswan picket terminology "clones".

Kernel / xfrm plans

  • Release private branch on Steffen's repository to get wider testing.
  • Kernel support for rekey. Possibly with refcounting the linked list on the Head SA. One could rekey in any order - either head SA or sub SA.
  • Ben would like to add feature bind a sub sa to a head SA,


Libreswan Plans

  • Currently support clones=n. Both sides should have same number.
  • support for asymetric configuration, one side 8(initiator) and responder (4).
  • rekey support
  • fix bugs down and delete.
  • don't allow clone instance on its own to be add|delete|down on the unaliased name.
  • test interop with unsupported version. ideally we should figure it out and not install clones. It could be that we will install clones and the last one would be used.


how add pCPU support only on OUT direction

You need extra flags to XFRM_MSG_GETSA and XFRM_MSG_UPDSA, XFRM_MSG_GETSA when dealing with out going s

XFRM_MSG_GETSA | XFRM_MSG_UPDSA

both head SA and sub SA need extra attributes.

  • head SA set XFRMA_SA_EXTRA_FLAGS to XFRM_SA_PCPU_HEAD*
  • sub sa set XFRMA_SA_EXTRA_FLAGS to XFRM_SA_PCPU_SUB AND XFRMA_SA_PCPU to <sub-sa-id>. Sub SA ID start from 0-u32

XFRM_MSG_GETSA call only change for sub sda

  • sub SA set XFRMA_SA_EXTRA_FLAGS to XFRM_SA_PCPU_SUB AND XFRMA_SA_PCPU to <sub-sa-id>.
  • also set XFRMA_SRCADDR to src addr
Retrieved from "https://libreswan.org/wiki/index.php?title=XFRM_pCPU&oldid=21586"