This feature is supported on crypto-enabled products of BlueField-2 DPUs, and on ConnectX-6 Dx, ConnectX-6 Lx and ConnectX-7 adapters.
Newer/future crypto-enabled DPU and adapter product generations should also support the feature, unless explicitly stated in their documentation.
For NVIDIA BlueField-2 DPUs and ConnectX-6 Dx adapters only: If your target application will utilize bandwidth of 100Gb/s or higher, where a substantial part of the bandwidth will be allocated for IPsec traffic, please refer to the NVIDIA BlueField-2 DPUs Product Release Notes or NVIDIA ConnectX-6 Dx Adapters Product Release Notes document to learn about a potential bandwidth limitation. To access the relevant product release notes, please contact your NVIDIA sales representative.
Overview and Configuration
The IPsec crypto offload feature, also known as IPsec inline offload or IPsec-aware offload, enables the user to offload IPsec encryption and decryption operations to the hardware.
Note that the hardware implementation supports only the AES-GCM encryption scheme.
To enable the feature, support in both kernel and adapter firmware is required.
For support in the kernel, make sure the following flags are set as follows.
Note: These flags are enabled by default in RedHat 8 and Ubuntu 18.04.
For support in the firmware, make sure the string below appears in the dmesg output.
Configuring Security Associations for IPsec Offloads
To program the inline offload security associations (SAs), add the option "offload dev <netdev interface> dir out/in" to the "ip xfrm state" command for both the transmit SA (dir out) and the receive SA (dir in).
Transmit inline offload SA xfrm command example:
Receive inline offload SA xfrm command example:
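The transmit and receive SA commands described above, sketched as an added example (not taken from NVIDIA's documentation): the script checks that the key material has an AES-GCM (RFC 4106) key-plus-salt length and prints the matching "ip xfrm state add" commands with the offload option. The addresses, SPIs, keys, interface name eth0, transport mode and 128-bit ICV are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not NVIDIA's code): print the `ip xfrm state add` commands for
# one offloaded SA pair. Addresses, SPIs, keys and netdev below are constructed.

AEAD_ALG='rfc4106(gcm(aes))'  # AES-GCM, the only scheme the hardware offloads
ICV_BITS=128                  # assumption: 128-bit ICV for this example

# RFC 4106 key material is the AES key (16/24/32 bytes) plus a 4-byte salt,
# passed to `ip xfrm` as 0x-prefixed hex: 40, 56 or 72 hex digits.
valid_gcm_key() {
    hex=${1#0x}
    [ "$hex" != "$1" ] || return 1                    # 0x prefix required
    case $hex in ''|*[!0-9a-fA-F]*) return 1 ;; esac  # hex digits only
    case ${#hex} in 40|56|72) return 0 ;; *) return 1 ;; esac
}

# xfrm_state_cmd <src> <dst> <spi> <key> <netdev> <out|in>
# Prints one command; on bad input prints nothing and returns 1.
xfrm_state_cmd() {
    src=$1 dst=$2 spi=$3 key=$4 dev=$5 dir=$6
    valid_gcm_key "$key" || { echo "rejecting key: not AES-GCM key+salt hex" >&2; return 1; }
    case $dir in out|in) ;; *) echo "dir must be out or in" >&2; return 1 ;; esac
    printf "ip xfrm state add src %s dst %s proto esp spi %s reqid %s mode transport aead '%s' %s %s offload dev %s dir %s\n" \
        "$src" "$dst" "$spi" "$spi" "$AEAD_ALG" "$key" "$ICV_BITS" "$dev" "$dir"
}

# sa_pair <local> <remote> <spi_tx> <spi_rx> <key_tx> <key_rx> <netdev>
# Transmit SA is local->remote with "dir out"; receive SA is remote->local with "dir in".
sa_pair() {
    xfrm_state_cmd "$1" "$2" "$3" "$5" "$7" out &&
    xfrm_state_cmd "$2" "$1" "$4" "$6" "$7" in
}

# Constructed sample values (documentation address range, throwaway keys).
KEY_TX=0x000102030405060708090a0b0c0d0e0f10111213
KEY_RX=0x1413121110f0e0d0c0b0a090807060504030201a
sa_pair 192.0.2.1 192.0.2.2 0x1001 0x1002 "$KEY_TX" "$KEY_RX" eth0
```

The script only prints the commands; they take effect when run as root on a host whose interface supports the offload. Key material given on a command line is visible in shell history and process listings, so treat the printed output as secret.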
Setting xfrm Policies Example