Hi,

It doesn't help if it is generated by software. The driver still needs a context SA for each operation. In addition, the driver will have to increment seq (or load from request) and load SEQ and IV into each context SA. It is much cleaner if our driver knows the whole header length. Even if the hardware rewrites the SPI and SEQ again, it is all handled by hardware offload and will not be a problem for IPSEC ESP.

-Loc

-----Original Message-----
From: Herbert Xu [mailto:herbert@xxxxxxxxxxxxxxxxxxx]
Sent: Wednesday, May 28, 2008 3:23 PM
To: Loc Ho
Cc: linux-crypto@xxxxxxxxxxxxxxx
Subject: Re: IPSec ESP Authenc Offload

On Wed, May 28, 2008 at 09:42:47AM -0700, Loc Ho wrote:
> Hi,
>
> With IPSec ESP Authenc, it is expected that the selected driver
> generates "IV" as well as encrypts the data. Our 'hardware' (available
> currently), can only handle either no header processing or header
> processing (from ESP to IV processing but not individual field
> processing).
>
> For no header processing, we will have to do a lot more work in software
> - create a context SA for each requested operation, copy from the
> initial context SA, after the operation completed, retrieve the update
> IV from context SA, and then write it back to the packet.

Do you still need to do this if we used a software-generated IV?

Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu 许志壬 <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt