Mellanox ConnectX-6 Dx

Source: Imre kasutab arvutit

Introduction

TODO

ktls

Claims

  • using ktls in offload mode does not mean that all cryptographic operations take place in hardware; it seems that the TLS session is negotiated in user space and only the symmetric-key part takes place in kernel space
  • it seems that ktls pays off mainly for long-lived TLS connections with a large volume of data transfer
  • it seems that handling TLS in the kernel purely in software, without hardware support, gives no practical benefit

If the so-called family of a physical network card supports ktls only with certain 'purchase options', then with a purchase option that does not support it the situation may look like this

root@pve-moraal-x570:~# ethtool -k enp4s0f1np1 | grep "tls"
tls-hw-tx-offload: off [fixed]
tls-hw-rx-offload: off [fixed]
tls-hw-record: off [fixed]

where

  • [fixed] - indicates that the value is determined by the hardware, i.e. it cannot be changed; in this specific case the device is a 'ConnectX-6 Lx', 'MCX631102AN-ADAT'

The expectation is that with the 'ConnectX-6 Dx' model, 'MCX621202AC-ADAT' device, these features are non-fixed.
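To make the fixed / non-fixed distinction above mechanical, here is an added example (not code from the page or from Mellanox/NVIDIA) that parses the tls-hw-* lines of `ethtool -k` output and says whether kTLS offload is already on, pinned off by firmware/driver, or merely disabled and therefore a candidate for `ethtool -K <dev> tls-hw-tx-offload on`. The two sample outputs are constructed: the first mirrors the ConnectX-6 Lx case above, the second describes a hypothetical interface whose features are off but changeable. `read_live()` is the only part that touches a real system and assumes ethtool is installed.

```python
"""Classify kTLS offload capability from `ethtool -k <dev>` output.

Added example, not from the original page. Sample outputs are constructed.
"""
import re
import subprocess

TLS_FEATURES = ("tls-hw-tx-offload", "tls-hw-rx-offload", "tls-hw-record")

# Constructed sample: mirrors the page's ConnectX-6 Lx output (all pinned off).
SAMPLE_FIXED = """Features for enp4s0f1np1:
rx-checksumming: on
tls-hw-tx-offload: off [fixed]
tls-hw-rx-offload: off [fixed]
tls-hw-record: off [fixed]
"""

# Constructed sample: hypothetical NIC whose kTLS features exist but are disabled.
SAMPLE_CHANGEABLE = """Features for hypothetical0:
tls-hw-tx-offload: off
tls-hw-rx-offload: off
tls-hw-record: off [fixed]
"""

# One `ethtool -k` feature line: "<name>: on|off [fixed]?"
LINE_RE = re.compile(r"^\s*([a-z0-9-]+):\s+(on|off)(\s+\[fixed\])?\s*$")


def parse_features(text):
    """Return {feature: (enabled, fixed)} for the TLS-related feature lines only."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        name, state, fixed = m.group(1), m.group(2), m.group(3)
        if name in TLS_FEATURES:
            result[name] = (state == "on", fixed is not None)
    return result


def classify(features):
    """Summarise what the driver/firmware allows for kTLS offload.

    - 'unsupported': the driver does not expose any tls-hw-* feature at all
    - 'enabled':     TX or RX offload is already switched on
    - 'fixed-off':   features exist but every one is pinned off (the page's Lx case)
    - 'available':   at least one feature is off but not fixed, so `ethtool -K` may enable it
    """
    if not features:
        return "unsupported"
    tx = features.get("tls-hw-tx-offload")
    rx = features.get("tls-hw-rx-offload")
    if (tx and tx[0]) or (rx and rx[0]):
        return "enabled"
    if all(fixed for _, fixed in features.values()):
        return "fixed-off"
    return "available"


def changeable_features(features):
    """Features that are off and not pinned, i.e. candidates for `ethtool -K <dev> <feature> on`."""
    return sorted(name for name, (on, fixed) in features.items() if not on and not fixed)


def read_live(dev):
    """Query a real interface. Assumes `ethtool` is installed; `-k` needs no root."""
    out = subprocess.run(["ethtool", "-k", dev], capture_output=True, text=True, check=True)
    return parse_features(out.stdout)


if __name__ == "__main__":
    for label, text in (("fixed", SAMPLE_FIXED), ("changeable", SAMPLE_CHANGEABLE)):
        feats = parse_features(text)
        print(label, classify(feats), changeable_features(feats))
```

On a live host, `classify(read_live("enp4s0f1np1"))` returning 'fixed-off' is the definitive answer that no amount of configuration will move the symmetric crypto into the NIC; only a different card or firmware will.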

nginx

With Proxmox v. 8.3 and kernel '6.8.12-5-pve', the ktls + nginx + openssl combination behaves e.g. as follows, even when there is no hardware ktls offload support; the operating-system view

root@pm-varundus:/etc/nginx# lsmod | grep tls
tls                   147456  2 bonding,mlx5_core

root@pm-varundus:/etc/nginx# modinfo tls
filename:       /lib/modules/6.8.12-5-pve/kernel/net/tls/tls.ko
alias:          tcp-ulp-tls
alias:          tls
license:        Dual BSD/GPL
description:    Transport Layer Security Support
author:         Mellanox Technologies
srcversion:     3DA47AD82175CA5E5752597
depends:        
retpoline:      Y
intree:         Y
name:           tls
vermagic:       6.8.12-5-pve SMP preempt mod_unload modversions 
sig_id:         PKCS#7
signer:         Build time autogenerated kernel key
sig_key:        42:5F:C7:A0:25:87:B9:B9:A3:D2:F9:06:9E:C5:B1:48:61:99:62:10
sig_hashalgo:   sha512
signature:      20:14:E5:89:6C:F5:B2:99:2C:6A:79:55:63:1D:2D:09:1E:17:2A:73:
                7A:5F:9B:08:99:43:7C:DF:09:AC:88:42:7B:B9:3F:23:27:8C:8F:9A:
                81:34:B2:9E:A2:65:7B:99:9D:17:6A:7B:EF:0E:39:BE:67:CA:95:29:
                D8:67:A0:75:2E:53:A6:19:FA:DC:07:94:90:D3:76:0F:36:1D:D2:12:
                0E:DB:99:19:11:51:28:DA:8A:1D:AD:65:7E:33:B4:0A:12:9B:3D:69:
                73:2A:AB:C8:88:37:FF:52:80:F1:DE:8C:B3:B4:F4:D4:6B:12:AD:CA:
                11:C6:B6:79:5F:07:01:23:46:3A:F8:5E:40:77:80:CC:56:E5:7A:C4:
                5A:BD:5C:64:70:C8:CF:9B:0C:58:A8:8B:35:4D:98:64:33:02:55:BC:
                9D:D7:8D:82:E0:A7:78:BC:00:9E:C9:9F:31:CF:82:A1:4D:13:0C:24:
                DE:A0:65:FE:8B:0F:E8:68:99:2E:10:9F:24:35:4F:B0:CB:14:7E:D2:
                97:5A:48:FE:E0:D8:0C:5E:01:51:BF:F4:38:AA:DB:81:6A:53:CA:04:
                BE:7E:EB:B2:2B:F5:5F:02:0F:DF:00:7F:DA:56:AC:C6:9B:14:18:B8:
                07:60:0C:4C:64:C4:B3:8E:76:FF:03:6E:B1:6C:5C:BB:49:F2:5D:E3:
                42:C2:03:00:C6:1A:E8:EC:FD:49:0C:87:91:34:4F:A7:54:9F:B7:38:
                36:EE:07:7A:C7:0E:B5:AA:BB:54:99:92:34:37:12:51:1A:1B:4E:8F:
                DF:9F:43:C2:D0:4E:32:E0:0A:7A:DE:95:63:5D:22:73:AE:ED:EC:D7:
                AB:BE:4C:24:48:4B:6E:66:A2:76:4D:C5:B7:CE:B6:2B:96:0E:78:19:
                22:E2:11:EC:24:66:F7:CA:44:2A:5F:E3:97:E9:00:C6:22:B2:5A:05:
                4C:7E:4B:3C:44:E7:AA:FD:92:6C:60:B6:D5:06:3D:86:D6:C0:31:50:
                88:42:24:1B:2A:9C:A9:5A:37:26:4C:78:82:32:B0:C7:C1:B2:5A:A9:
                AE:F0:56:F4:AA:3C:11:06:C3:E7:C9:BA:98:AE:0C:7C:A9:D6:41:8F:
                E4:71:EF:8F:DD:C2:88:6D:22:BA:5E:D5:3B:1F:B8:1F:D5:19:03:68:
                3B:3F:0E:29:52:08:F6:40:6E:60:DC:B0:AC:38:81:36:31:2E:9C:5E:
                48:F2:C0:9F:D5:74:BC:36:F8:45:1B:FF:C6:0B:47:5E:BE:3C:AD:89:
                93:2E:8B:10:C3:71:FE:62:50:E5:38:B7:05:72:48:4A:F0:28:70:83:
                DB:95:7B:D0:AB:89:83:DB:B3:37:92:A6

nginx configuration

# cat /etc/nginx/nginx.conf
..
http {
        sendfile on;
        ssl_conf_command Options KTLS;
        tcp_nopush on;

...

Request with an https client

root@pve-moraal-x570:~# curl --resolve media-02.moraal.ee:443:192.168.7.184 https://media-02.moraal.ee/index.html

Observing the evidence

root@pm-varundus:/etc/nginx# cat /proc/net/tls_stat
TlsCurrTxSw                             0
TlsCurrRxSw                             0
TlsCurrTxDevice                         0
TlsCurrRxDevice                         0
TlsTxSw                                 20
TlsRxSw                                 0
TlsTxDevice                             0
TlsRxDevice                             0
TlsDecryptError                         0
TlsRxDeviceResync                       0
TlsDecryptRetry                         0
TlsRxNoPadViolation                     0

where

  • TODO each TLS session, i.e. each run of the curl command, increases the TlsTxSw value by one
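The counter observation above is easier to trust when taken as a before/after difference rather than by eyeballing one dump. The following added example (not code from the page) parses two `/proc/net/tls_stat` snapshots, computes the per-counter delta and names the kTLS path that was used: TlsTx*/TlsRx* are cumulative session counters (Sw = the kernel does the symmetric crypto, Device = the NIC does it), while TlsCurr* are live sessions that drop back to zero when the connection closes, which is why a finished curl run shows up only in the cumulative counters. The 'before' snapshot is the page's own output; the 'after' snapshot is constructed to show one more software-TX session. `snapshot()` is the only part that reads the live kernel file.

```python
"""Compare two /proc/net/tls_stat snapshots to see which kTLS path a connection used.

Added example, not from the original page. The 'after' snapshot is constructed.
"""
from pathlib import Path

TLS_STAT = Path("/proc/net/tls_stat")

# 'before': the page's own /proc/net/tls_stat dump.
BEFORE = """TlsCurrTxSw                             0
TlsCurrRxSw                             0
TlsCurrTxDevice                         0
TlsCurrRxDevice                         0
TlsTxSw                                 20
TlsRxSw                                 0
TlsTxDevice                             0
TlsRxDevice                             0
TlsDecryptError                         0
TlsRxDeviceResync                       0
TlsDecryptRetry                         0
TlsRxNoPadViolation                     0
"""


def _bump(text, counter, by):
    """Constructed helper: copy of a snapshot with one counter increased by `by`."""
    lines = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == counter:
            line = f"{counter:<40}{int(parts[1]) + by}"
        lines.append(line)
    return "\n".join(lines) + "\n"


# 'after': what the dump looks like once one more curl session has gone through kTLS software TX.
AFTER = _bump(BEFORE, "TlsTxSw", 1)


def parse_tls_stat(text):
    """Turn the two-column /proc/net/tls_stat text into {counter: int}."""
    stats = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            stats[parts[0]] = int(parts[1])
    return stats


def delta(before, after):
    """Per-counter change between two snapshots; only counters that moved are returned."""
    return {k: after[k] - before.get(k, 0) for k in after if after[k] != before.get(k, 0)}


def interpret(d):
    """Map counter deltas to the kTLS path that was taken."""
    findings = []
    if d.get("TlsTxSw", 0) > 0:
        findings.append(f"{d['TlsTxSw']} TX session(s) used the kTLS software path")
    if d.get("TlsTxDevice", 0) > 0:
        findings.append(f"{d['TlsTxDevice']} TX session(s) were offloaded to the NIC")
    if d.get("TlsRxSw", 0) > 0:
        findings.append(f"{d['TlsRxSw']} RX session(s) used the kTLS software path")
    if d.get("TlsRxDevice", 0) > 0:
        findings.append(f"{d['TlsRxDevice']} RX session(s) were offloaded to the NIC")
    if d.get("TlsDecryptError", 0) > 0:
        findings.append(f"{d['TlsDecryptError']} record(s) failed to decrypt")
    if not findings:
        findings.append("no kTLS activity: TLS handled entirely in user space (or no connection)")
    return findings


def snapshot():
    """Read the live counters; take one before and one after the curl request."""
    return parse_tls_stat(TLS_STAT.read_text())


if __name__ == "__main__":
    d = delta(parse_tls_stat(BEFORE), parse_tls_stat(AFTER))
    print(d)
    for line in interpret(d):
        print(" -", line)
```

With a real NIC offload in place the same delta would move TlsTxDevice instead of TlsTxSw, which is the one-line check that distinguishes "kTLS is on" from "kTLS is on and the card is actually doing the crypto".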

ktls-utils

Claims

  • it seems that at the beginning of 2025 the ktls-utils package is present in e.g. Ubuntu v. 24.04's so-called standard package-management repositories

# apt-cache show ktls-utils
Package: ktls-utils
Architecture: amd64
Version: 0.9-2build2
Priority: optional
Section: universe/net
Origin: Ubuntu
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Debian kernel team <debian-kernel@lists.debian.org>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 79
Depends: libc6 (>= 2.34), libglib2.0-0t64 (>= 2.12.0), libgnutls30t64 (>= 3.8.1), libkeyutils1 (>= 1.5.9), libnl-3-200 (>= 3.2.7), libnl-genl-3-200 (>= 3.2.7)
Filename: pool/universe/k/ktls-utils/ktls-utils_0.9-2build2_amd64.deb
Size: 21196
MD5sum: 2478ba7d6a7e1bd29bed1755d0623c9f
SHA1: aae37f9d40ae0c9e479f22fd69040178d9d881cc
SHA256: 1c7cce0e0ada0bd5b6d5a64918f755e295486cbe435ade0c09b2171e9c5a6968
SHA512: 6bf2c10c3580b6fdb57d7f788aae8be7129800bd830b45daf2cb84eea118d641f83b9e8be5b3ad5446a2decc6d58c80fdceae4ca4a31528d309cb06241a9c019
Homepage: https://github.com/oracle/ktls-utils
Description-en: TLS handshake support for NFS and other in-kernel TLS users
 In-kernel TLS consumers need a mechanism to perform TLS handshakes on
 a connected socket to negotiate TLS session parameters that can then
 be programmed into the kernel's TLS record protocol engine.
 .
 This package of software provides a TLS handshake user agent that
 listens for kernel requests and then materializes a user space socket
 endpoint on which to perform these handshakes. The resulting
 negotiated session parameters are passed back to the kernel via
 standard kTLS socket options.
Description-md5: bdfa1d026c4b9becc24f67e45fab8519

drbd

TODO

Useful additional materials

iperf

It seems that there is a Mellanox iperf fork with ktls support

ipsec

TODO

iscsi

TODO

nvme-of

TODO

Useful additional materials