VIA/ACE PadLock integration with crypto(9).

Mike Tancsa mike at sentex.net
Sat Aug 13 18:24:24 GMT 2005


At 03:46 AM 13/08/2005, Pawel Jakub Dawidek wrote:
>On Sat, Aug 13, 2005 at 01:45:44AM -0400, Mike Tancsa wrote:
>+> Is there something else that needs to be done to tell crypto(4) 
>or FAST_IPSEC to use the "hardware" in this case ?
>
>I'm not sure why you need to set net.inet.ipsec.crypto_support to 1 for
>this. Shouldn't be needed.
>
>If you want to figure it out, you may place debug print into

Will do.  I will play with it over the weekend.

Overnight I also let a copy of netperf run blasting various network 
tests across the IPSEC tunnel and all was as expected.  I had to 
enable polling on the box as it was getting dangerously close to 
livelock with the high level of interrupts.  At 1500 HZ its still 
quite fast, forwarding IPSEC traffic at 60Mb/s and the box is VERY 
responsive.  Without the padlock.ko, it comes in just at 23Mb/s.

+> Also,   I came across a small ipsec bug while testing
>+>
>+> http://www.freebsd.org/cgi/query-pr.cgi?pr=84860
>
>It could be RELENG_5 specific, as it uses rijndael implementation
>which was removed after RELENG_5 (there is no sys/opencrypto/rijndael.c
>anymore). Maybe rijndael version from sys/crypto/ handles it better?
>This needs to be verified.

Actually this happens in RELENG_6 as well.  I have updated the PR 
with a crash dump and back trace.

         ---Mike 



More information about the freebsd-current mailing list