Date: Tue, 11 Jul 2000 15:08:37 +0400 (MSD)
From: Andrey Sverdlichenko
To: freebsd-net@freebsd.org
Subject: Re: Hardware crypto (Re: KAME stable 20000704)

On Mon, 10 Jul 2000, Jun-ichiro itojun Hagino wrote:

> In case anyone got confused: please note that "IPsec support for
> crypto card" and "crypto card support as user-mode device file"
> are totally different things. Former one needs MAJOR work in
> network IP layer design (BSD IP layer runs under software interrupt,
> killing possibility for offloading CPU). OpenBSD did a truly
> super job on this.

Hmmm... I don't know about KAME/IPSEC, but in our cryptorouter I made it in
an easy way:

1) in software interrupt context, the packet goes to the "crypto task queue"
2) a kernel process gets the packet from this queue and passes it to the
   encryption/decryption functions (currently software, but I see nothing
   special in hardware support)
3) after processing, the packet is injected back to ip_input()/ip_output().
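
The three steps in the reply above, modeled as a single-threaded user-space C sketch. This is an added example, not code from the poster's cryptorouter or from KAME. The names cq_enqueue, cq_drain, fake_ip_input and fake_ip_output, the queue sizes and the XOR transform are hypothetical stand-ins, and synchronisation between the two contexts is omitted.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CQ_SLOTS 4   /* constructed queue depth (power of two) */
#define PKT_MAX  64  /* constructed maximum packet size */
enum dir { DIR_IN, DIR_OUT };  /* which path the packet returns to */
struct pkt { enum dir dir; size_t len; uint8_t data[PKT_MAX]; };
struct cryptoq { struct pkt slot[CQ_SLOTS]; unsigned head, tail, drops; };
static unsigned reinjected_in, reinjected_out;

/* Hypothetical stand-ins for ip_input()/ip_output(): they only count. */
static void fake_ip_input(struct pkt *p)  { (void)p; reinjected_in++; }
static void fake_ip_output(struct pkt *p) { (void)p; reinjected_out++; }

/* Placeholder transform (XOR, not a cipher) where the software or
 * hardware encryption/decryption call would go. */
static void transform(struct pkt *p) {
    for (size_t i = 0; i < p->len; i++) p->data[i] ^= 0x5a;
}

/* Step 1, "software interrupt" side: copy and queue only, never block.
 * A full queue or an oversized packet is dropped and counted. */
int cq_enqueue(struct cryptoq *q, enum dir d, const void *buf, size_t len) {
    if (len > PKT_MAX || q->tail - q->head == CQ_SLOTS) { q->drops++; return -1; }
    struct pkt *p = &q->slot[q->tail % CQ_SLOTS];
    p->dir = d; p->len = len;
    memcpy(p->data, buf, len);
    q->tail++;
    return 0;
}

/* Steps 2 and 3, "kernel process" side: transform each queued packet,
 * then hand it back to the input or output path. Returns the count. */
unsigned cq_drain(struct cryptoq *q) {
    unsigned n = 0;
    for (; q->head != q->tail; q->head++, n++) {
        struct pkt *p = &q->slot[q->head % CQ_SLOTS];
        transform(p);
        if (p->dir == DIR_IN) fake_ip_input(p); else fake_ip_output(p);
    }
    return n;
}

int main(void) {
    struct cryptoq q; memset(&q, 0, sizeof q);
    const uint8_t sample[4] = {1, 2, 3, 4};  /* constructed payload */
    for (int i = 0; i < 6; i++) cq_enqueue(&q, i % 2 ? DIR_OUT : DIR_IN, sample, sizeof sample);
    printf("processed=%u dropped=%u\n", cq_drain(&q), q.drops);
}
```

The bounded queue makes the overload behaviour explicit: when the process side falls behind, packets are dropped and counted at enqueue time instead of stalling the interrupt path.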