Hardware acceleration

Edit online

The 10/100 Mbps Ethernet PCI Adapter II (Feature code 4962) offers standards-based IP Security and is designed to offload IP Security functions from the AIX® operating system.

When the 10/100 Mbps Ethernet PCI Adapter II is present in the AIX system, the IP Security stack uses the following capabilities of the adapter:

  • Encryption and decryption using DES or Triple DES algorithms
  • Authentication using the MD5 or SHA-1 algorithms
  • Storage of the security-association information

The functions on the adapter are used instead of the software algorithms. The 10/100 Mbps Ethernet PCI Adapter II is available for manual and IKE tunnels.

The IP Security hardware acceleration feature is available in the 5.1.0.25 or later level of the bos.net.ipsec.rte and devices.pci.1410ff01.rte file sets.

There is a limit on the number of security associations that can be offloaded to the network adapter on the receive side (inbound traffic). On the transmit side (outbound traffic), all packets that use a supported configuration are offloaded to the adapter. Some tunnel configurations can not be offloaded to the adapter.

The 10/100 Mbps Ethernet PCI Adapter II supports the following features:

  • DES, 3DES, or NULL encryption through ESP
  • HMAC-MD5 or HMAC-SHA-1 authentication through ESP or AH, but not both. (If ESP and AH both used, ESP must be performed first. This is always true for IKE tunnels, but the user can select the order for manual tunnels.)
  • Transport and Tunnel mode
  • Offload of IPV4 packets
Note: The 10/100 Mbps Ethernet PCI Adapter II cannot handle packets with IP options.

To enable the 10/100 Mbps Ethernet PCI Adapter II for IP Security, you may have to detach the network interface and then enable the IPsec Offload feature.

To detach the network interface, perform the following steps using the SMIT interface:

To enable the IPsec Offload feature, do the following using the SMIT interface:

  1. Login as the root user.
  2. Type smitty eadap at the command line and press Enter.
  3. Select the Change / Show Characteristics of an Ethernet Adapter option and press Enter.
  4. Select the 10/100 Mbps Ethernet PCI Adapter II and press Enter.
  5. Change the IPsec Offload field to yes and press Enter.
To detach the network interface, from the command line, type the following: 
# ifconfig enX detach
To enable the IPsec offload attribute, from the command line, type the following: 
# chdev -l entX -a ipsec_offload=yes
To verify that the IPsec offload attribute has been enabled, from the command line, type the following: 
# lsattr -El entX detach
To disable the IPsec offload attribute, from the command line, type the following: 
# chdev -l entX -a ipsec_offload=no
Use the enstat command to ensure that your tunnel configuration is taking advantage of the IPsec offload attribute. The enstat command shows all the statistics of transmit and receive IPsec packets when the IPsec offload attribute is enabled. For example, if the Ethernet interface is ent1, type the following: 
# entstat -d ent1
The output will be similar to the following example: 
.
.
.
10/100 Mbps Ethernet PCI Adapter II (1410ff01) Specific Statistics: 
--------------------------------------------       
.
.
.
Transmit IPsec packets: 3
Transmit IPsec packets dropped: 0
Receive IPsec packets: 2
Receive IPsec packets dropped: 0