[e2e] Re: TCP/IP and IPSEC Offload Engines.

Angelos D. Keromytis angelos at cs.columbia.edu
Wed Jun 25 13:57:24 PDT 2003


>I'm researching the efficiency of TCP/IP and IPSEC (Security) Offload
>Engines (TOE & SOE) relative to existing workstation and server OSes. My
>principal concern is the level of standardization (or lack thereof) that
>inhibits/cripples/negates TOE & SOE implementation relative to Windows
>9X/NT/2000/XP, Linux, and Solaris, with unicast and multicast
>applications.

Standardization at the hardware level is not that important, actually.
Different vendors' cards are likely to differ in the details as, e.g., Ethernet
cards by different vendors require different drivers. What's needed is a
software layer (usually in the OS kernel) that can abstract away these
differences. One example of such an abstraction layer for cryptographic services
is the OpenBSD Cryptographic Framework, which I developed a few years ago for,
you guessed it, OpenBSD. It has recently been picked up by FreeBSD and NetBSD,
and supports a number of different cryptographic accelerators (mostly Hifn and
Broadcom based). A paper describing OCF was published in this year's USENIX
Technical Conference, and can be found at

http://www.cs.columbia.edu/~angelos/Papers/ocf.pdf

Although the OCF itself does not support integrated NIC/crypto cards, OpenBSD
itself has support for such by allowing the IPsec stack to determine whether
the NIC has such support and to tag packets appropriately for deferred
processing. It then becomes purely a device driver issue (to parse and process
these tags for output, or to produce them on input). Similar support exists for
TCP/IP checksum offloading...the details will appear in a paper to the upcoming
USENIX BSD Conference, this September (the paper is not yet available).
-Angelos

PS. One problem I've encountered with IPsec offloading NICs is that there
aren't any good ones on the market (we tried writing a driver for the 3Com
3cr990-tx-97, but the firmware on those cards is so buggy that it locks up the
card when outgoing TCP checksum offloading is requested by the OS; Intel won't
give me specs for their NIC+IPsec card).
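As an added illustration of the tagging scheme described above, here is a small constructed C model (not OpenBSD's mbuf-tag or ifnet code; the capability bits, tag names and the sa_hw_ok flag are invented): the stack tags a packet for deferred checksum or IPsec processing only when the driver advertises support, the driver consumes those tags on output and produces them on input, and every path falls back to software when no tag applies.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed capability bits a driver advertises to the stack (not OpenBSD's real flags). */
enum { CAP_CSUM = 1 << 0, CAP_IPSEC = 1 << 1 };
/* Constructed packet tags: set by the stack on output, by the driver on input. */
enum { TAG_CSUM_OUT = 1 << 0, TAG_IPSEC_OUT = 1 << 1,
       TAG_CSUM_IN_OK = 1 << 2, TAG_IPSEC_IN_DONE = 1 << 3 };
struct nic { uint32_t caps; unsigned hw_crypto_ops; };
struct pkt { uint8_t data[32]; size_t len; uint16_t csum; uint32_t tags; unsigned sw_crypto_ops; };

/* RFC 1071 ones'-complement checksum; this is the work being offloaded. */
static uint16_t inet_csum(const uint8_t *d, size_t n) {
    uint32_t s = 0;
    for (size_t i = 0; i + 1 < n; i += 2) s += ((uint32_t)d[i] << 8) | d[i + 1];
    if (n & 1) s += (uint32_t)d[n - 1] << 8;
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}

/* Stack, output: defer only what the driver advertised and the SA's algorithm allows. */
void stack_output(struct pkt *p, const struct nic *nic, bool sa_hw_ok) {
    if (nic->caps & CAP_CSUM)
        p->tags |= TAG_CSUM_OUT;               /* driver will fill in the checksum */
    else
        p->csum = inet_csum(p->data, p->len);  /* software fallback */
    if ((nic->caps & CAP_IPSEC) && sa_hw_ok)
        p->tags |= TAG_IPSEC_OUT;              /* driver/NIC will do the ESP work */
    else
        p->sw_crypto_ops++;                    /* software IPsec path */
}

/* Driver, output: parse the tags and perform (here: emulate) the hardware work. */
void driver_output(struct nic *nic, struct pkt *p) {
    if (p->tags & TAG_CSUM_OUT) p->csum = inet_csum(p->data, p->len);
    if (p->tags & TAG_IPSEC_OUT) nic->hw_crypto_ops++;
    p->tags &= ~(TAG_CSUM_OUT | TAG_IPSEC_OUT);
}

/* Driver, input: produce tags describing what the hardware already verified or decrypted. */
void driver_input(const struct nic *nic, struct pkt *p, bool hw_decrypted) {
    if ((nic->caps & CAP_CSUM) && inet_csum(p->data, p->len) == p->csum) p->tags |= TAG_CSUM_IN_OK;
    if ((nic->caps & CAP_IPSEC) && hw_decrypted) p->tags |= TAG_IPSEC_IN_DONE;
}

/* Stack, input: trust the tags, otherwise verify/decrypt in software. False on bad checksum. */
bool stack_input(struct pkt *p) {
    if (!(p->tags & TAG_CSUM_IN_OK) && inet_csum(p->data, p->len) != p->csum) return false;
    if (!(p->tags & TAG_IPSEC_IN_DONE)) p->sw_crypto_ops++;
    return true;
}
```

The checksum is the one piece of offloaded work the model actually performs; the IPsec operation is only counted, since the point is the tag flow rather than the cipher.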
