[Intel-wired-lan] [RFC PATCH 0/6] ixgbe/ixgbevf: IPsec hardware offload for 10Gbe VF

Shannon Nelson shannon.nelson at oracle.com
Thu May 17 18:22:44 UTC 2018

This RFC patchset looks at adding IPsec hardware offload capabilities to
ixgbevf, Intel's 10Gbe VF driver.

I'm publishing this code as a way to start conversations on (a) is this
is something that people want, and (b) how can we manage the potential
security issues this can bring up?

I intend to leave this code as an RFC for now for a number of reasons.
Firstly, it raises some interesting security issues, discussed below.
Secondly, this code only "mostly" works: I haven't done a lot of testing
on it, but I do know that the VF's Tx encryption doesn't happen - the
registers and descriptors seem to be set up correctly, just as in the
PF, but the outbound encryption engine doesn't engage, and there is no
error reporting available.  If there is sufficient interest in further
work on these patches, I'll spend more time to track down this issue.
It's likely something simple.

Points to consider include:

 - Do VFs even need IPsec hardware offload?
 	Is there anyone who actually might find this useful, either in
	a cloud setting or possibly in a security appliance?

 - Sharing SPI/SA space with PF and other VFs
	In a particular IPsec "peer" (VM or bare-metal or hypervisor),
	the SPIs chosen for each SA are unique to each conversation
	that is being encrypted, and the choosing of the SPIs is usually
	orchestrated by the userland software such as StrongSwan or
	LibreSwan running on that peer.

	The Intel NIC has only one set of IPsec offload registers for use
	with PF and VFs.  Because of this, when multiple peers on that
	same host are each trying to run their own constellations of SPIs,
	we have the opportunity for number space collisions.

	The SPI collisions might be moot if the VMs are coordinated enough
	to be using different networks: for example VM1 on
	and VM2 on  A typical way to keep VMs separate
	is to put them on different tunnels and not worry about their
	specific networks.  However, on something like Intel's 10gbe NIC,
	the Rx decryption happens on the tunneled packet with no regard
	for the tunnel id - if both VMs use the same network spaces inside
	their tunnels, only separated by different tunnels, then their
	SPI/IP spaces will collide.

 - Trusting the VF
	To attempt a simple mitigation of security issues, I'm assuming
	in this implementation that a VF with the offload must part of a
	solution where all parts are managed together, and thus the VF is
	"trusted".  Therefore, the 'trusted' bit must be enabled on the
	VF, e.g.:
	    ip link set dev ${PF} vf ${vf_id} trust on
	This is probably more useful in an appliance that uses VFs for
	specific traffic management rather than someone's cloud VM servers.

 - Other issues?
 	What other issues am I missing in this?

I would appreciate hearing your thoughts and concerns.


Shannon Nelson (6):
  ixgbe: prep ipsec constants for later use
  ixgbe: add VF ipsec management
  ixgbe: add VF IPsec offload request message handling
  ixgbevf: add defines for IPsec offload request
  ixgbevf: add VF ipsec offload code
  ixgbevf: enable VF ipsec offload operations

 drivers/net/ethernet/intel/ixgbe/ixgbe.h          |   9 +
 drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c    | 251 ++++++++-
 drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.h    |  13 +
 drivers/net/ethernet/intel/ixgbe/ixgbe_mbx.h      |   5 +
 drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c    |  17 +-
 drivers/net/ethernet/intel/ixgbevf/Makefile       |   1 +
 drivers/net/ethernet/intel/ixgbevf/defines.h      |  10 +-
 drivers/net/ethernet/intel/ixgbevf/ethtool.c      |   2 +
 drivers/net/ethernet/intel/ixgbevf/ipsec.c        | 623 ++++++++++++++++++++++
 drivers/net/ethernet/intel/ixgbevf/ipsec.h        |  66 +++
 drivers/net/ethernet/intel/ixgbevf/ixgbevf.h      |  28 +
 drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c |  71 ++-
 drivers/net/ethernet/intel/ixgbevf/mbx.h          |   5 +
 13 files changed, 1067 insertions(+), 34 deletions(-)
 create mode 100644 drivers/net/ethernet/intel/ixgbevf/ipsec.c
 create mode 100644 drivers/net/ethernet/intel/ixgbevf/ipsec.h


More information about the Intel-wired-lan mailing list