manualshive.com logo in svg

Mellanox Technologies Innova IPsec, Руководство пользователя

Бесплатное руководство пользователя для продукта Mellanox Technologies Innova IPsec доступно для скачивания на нашем сайте. Узнайте все функции и характеристики этого продукта, изучив наше подробное руководство. Скачивайте сейчас на manualshive.com и начните использовать своё устройство максимально эффективно.

Поделиться
Скачать
background image

Rev 1.8

38

Mellanox Technologies

2. Set the ingress traffic security parameters: 

ip xfrm state add src

1

 192.168.7.9 dst

2

 192.168.7.2 

proto esp spi

3

 0x0f2e596c reqid 0x0f2e596c mode tunnel aead 'rfc4106(gcm(aes))' 

0x44e6625f4d2fb01b03cc9baefe9b5c8de9d7b9c1

4

 128 

offload dev ens8 dir in

5

 

Note: 

offload dev ens8 dir out

 and 

offload dev ens8 dir in 

are the new flags which instruct the 

iproute2 utility to enable HW offload for the specified security policy.

3. Apply  the  new  egress  traffic  security  policy: 

ip xfrm policy add src 192.168.7.2 dst

6

192.168.7.9 dir out tmpl

7

 src 192.168.7.2 dst

8

 192.168.7.9 proto esp reqid 0x4c250336 mode 

tunnel

                                                                  

4. Apply  the  new  ingress  traffic  security  policy: 

ip xfrm policy add src 192.168.7.9 dst 

192.168.7.2 dir in tmpl src 192.168.7.9 dst 192.168.7.2 proto esp reqid 0x0f2e596c mode 
tunnel

                 

Note:

 

The above example shows how to configure a host on one side of the IPsec secured 

connection. The peer host must undergo the same flow listed above only with the 
traffic directions inverted. That is, the settings of the egress traffic in this example are 
the settings of the ingress traffic for the peer host.

Once  configured,  the  existing  xfrm  states  (SAs)  and  policies  can  be  seen  using  the  following 
commands:
1. ip xfrm state - to view all the xfrm states in the kernel.
2. ip xfrm pol - to view all the xfrm policies in the kernel.

When  viewing  the  xfrm  states  in  the  system,  the  flag  dir  in/dir  out  (depending  on  the  traffic 
direction of the state), under the “crypto offload parameters” section, will indicate that this state 
is  offloaded  by  an  offload  device.  If  these  flags  are  not  present,  it  indicates  that  encryption/
decryption is not offloaded for this xfrm state and remains within the kernel scope. 

3. SPI value for egress traffic - add your own desired value.
4. SA request id - this ID is used as a reference to the new SA (for modification, destruction, attaching to a policy). Any number can be chosen 

here.

5. The 128 bit key concatenated with the constant initialization vector (IV) that are used for the encryption of the egress traffic.
6. The relevant network interface name - replace with your own.
7. out/in - traffic direction of this IPsec tunnel setting.
1. The IP addresses of the src host of the ingress traffic. Modify it with your own relevant addresses.
2. The IP addresses of the destination host of the ingress traffic. Modify it with your own relevant addresses.
3. SPI value for ingress traffic - add your own desired value.
4. The 128 bit key concatenated with the constant initialization vector (IV) that are used for the decryption of the ingress traffic. This traffic key 

does not have to be similar to the egress traffic key.

5. out/in - traffic direction of this IPsec tunnel setting.
6. The IP addresses of the inner (original) packet to undergo transformation and tunnel encapsulation.
7. Indicates that we are about to define the template of the outer IP header of our tunnel.
8.  The tunnel source and destination IP addresses - can be different than the inner packet IP address.

Содержание Innova IPsec

Страница 1: ...Mellanox Technologies www mellanox com Mellanox Innova IPsec Ethernet Adapter Card User Manual Rev 1 8...

Страница 2: ...updated list of Mellanox trademarks visit http www mellanox com page trademarks NOTE THIS HARDWARE SOFTWARE OR TEST SUITE PRODUCT PRODUCT S AND ITS RELATED DOCUMENTATION ARE PROVIDED BY MELLANOX TECHN...

Страница 3: ...7 3 1 System Requirements 17 3 1 1 Hardware 17 3 1 2 Operating Systems Distributions 17 3 2 Safety Precautions 17 3 3 Pre installation Checklist 17 3 4 Bracket Installation Instructions 17 3 4 1 Remov...

Страница 4: ...ems 32 5 1 5 2 Removing Signature from Kernel Modules 33 5 2 Installation of Kernel Module with IPsec Offload 34 5 2 1 Obtaining the Kernel Modules 34 5 2 2 Installing the Kernel and Driver 34 5 2 3 I...

Страница 5: ...54 Appendix A Fast Installation and Update 56 A 1 Hardware Installation 56 A 2 Content of Mellanox Innova IPsec Bundle 56 A 3 Software Firmware and Tools Installation 56 A 4 Software Firmware and Too...

Страница 6: ...nox Innova IPsec Active Cooling Adapter Card 11 Table 4 Features 12 Table 5 Documents List 15 Table 6 mlnxofedinstall Return Codes 31 Table 7 ethtool IPsec Offload Counters 39 Table 8 MNV101512A BCIT...

Страница 7: ...s and Components 23 Figure 3 MNV101511A BCIT MNV101512A BCIT LEDs Placement Example 50 Figure 4 Mechanical Drawing of MNV101511A BCIT 52 Figure 5 Mechanical Drawing of MNV101512A BCIT 53 Figure 6 Sing...

Страница 8: ...ation via MLNX_OFED on page 25 Updated Section 5 1 Installation via MLNX_OFED on page 25 Added Table 9 MNV101511A BCIT Specifications Table on page 49 Added Figure 5 Mechanical Drawing of MNV101512A B...

Страница 9: ...page 52 Added Chapter 5 IPsec Offload Software Installation and Operation on page 25 Updated Section 5 2 2 Installing the Kernel and Driver on page 34 Updated Section 5 3 1 Loading Unloading the Modul...

Страница 10: ...n session However the high computing power required by the IPsec algorithms consumes expensive CPU cycles and limits network connection performance The Mellanox Innova IPsec EN adapter offloads the pr...

Страница 11: ...h Xilinx Kintex UltraScale XCKU060 Data Transmission Rate Ethernet 10 40Gb s Network Connector Types Single port QSFP PCI Express PCIe SerDes Speed PCIe 3 0 x8 8GT s RoHS R6 Adapter IC Part Number MT2...

Страница 12: ...c applications with no required changes to the user s software IPsec offloading is handled by the combination of the ConnectX 4 Lx network controller and an on board FPGA providing high performance an...

Страница 13: ...ad allowing more available CPU for computation tasks Quality of Service QoS Support for port based Quality of Service enabling various application requirements for latency and SLA Storage Acceleration...

Страница 14: ...N Adapter Card Block Diagram 1 4 Operating Systems Distributions1 RHEL CentOS 1 Please refer to the driver release notes for feature availability Co n n e ctX D RA M x8 P C Ie G en3 FP G A C o n fig F...

Страница 15: ...for Linux MLNX_OFED Performance Tuning Guidelines for Mellanox Network Adapters Document no 3368 User Manual describes important tuning parameters and settings that can improve performance for Mellan...

Страница 16: ...an use a Mellanox QSA QSFP to SFP adapter module 2 2 PCI Express Interface The Mellanox Innova IPsec adapter card supports PCI Express 3 0 1 1 and 2 0 compatible through an x8 edge connector The devic...

Страница 17: ...ystem if active 3 After shutting down the system turn off power and unplug the cord 4 Remove the card from its package Please note that the card must be placed on an antistatic surface 5 Check the car...

Страница 18: ...ake sure that the LEDs are aligned onto the bracket holes 4 Use a torque driver to apply up to 2 9 lbs in torque on the screws 3 5 Card Installation Instructions 1 Open the system case 2 Place the ada...

Страница 19: ...tor straight into the cage Do not apply any torque up or down to the connector cage in the adapter card d Make sure that the connector locks in place 3 After inserting a cable into a port the Amber LE...

Страница 20: ...upward or downward in the rack 6 To remove a cable disengage the locks and slowly pull the connector away from the port receptacle LED indicator will turn off when the cable is unseated 3 7 Identify t...

Страница 21: ...network stacks process more than once With these benefits IPsec offload allows the adapter to reach full wire speed with IPsec secured traffic on the wire while reducing CPU utilization IPsec offload...

Страница 22: ...n the user can choose whether to enable the Mellanox Innova IPsec offload on the specific IPsec security association SA that is created once the connection is generated See Section 5 3 2 Setting up an...

Страница 23: ...ova IPsec adapter currently supports offloading of the encryption decryption and authentication of IPsec traffic The key generation and exchange protocol whether done manually or through IKE protocol...

Страница 24: ...oll Mode Driver PMD which makes use of this interface PMD provides a new API for DPDK applications to open close offloaded security associations control path while transmitting receiving traffic throu...

Страница 25: ...nload the ISO image to your host The image s name has the format MLNX_OFED_LINUX ver OS label CPU arch iso An ISO image for the Mellanox Innova Flex adapter can be obtained through Mellanox support St...

Страница 26: ...t be updated if you run the install script with the without fw update option mnt mlnxofedinstall OPTIONS Pre existing configuration files will be saved with the extension conf rpmsave On Redhat distri...

Страница 27: ...ving OFED RPMs Created tmp MLNX_OFED_LINUX x x x rhel7 1 x86_64 ext tgz c config packages config_file Example of the configuration file can be found under docs n net network config_file Example of the...

Страница 28: ...h uEFI and or tool will override this flag add kernel support Add kernel support Run mlnx_add_kernel_support sh skip distro check Do not check MLNX_OFED vs Distro matching hugepages overcommit Setting...

Страница 29: ...lanox OFED components can be configured or reconfigured after the installation by modifying the relevant configuration files See the relevant chapters in this manual for details The list of the module...

Страница 30: ...e kernel modules are installed under lib modules uname r extra mlnx ofa_kernel on RHEL and other RedHat like Distributions lib modules uname r updates dkms on Ubuntu Firmware The firmware of existing...

Страница 31: ...URL to the software package tarball Example 2 With t flag to provide the path to the downloaded tarball Example 3 With p flag to provide the path to the downloaded and extracted tarball Example Table...

Страница 32: ...ent request Step 3 Reboot the system The pending MOK key enrollment request will be noticed by shim efi and it will launch MokManager efi to allow you to complete the enrollment from the UEFI console...

Страница 33: ...ing However please note that a similar message as the following will still be presented This message is presented once only for each boot for the first module that either has no signature or whose key...

Страница 34: ...disk image has been created a Run ls boot and look for the relevant initramfs and vmlinuz files that match the kernel version you just installed names should match the RPM name 3 Please verify that th...

Страница 35: ...e2 is a user space utilities package that controls TCP IP networking configuration in the kernel It includes commands such as ip for management of network tables and network interfaces It is also used...

Страница 36: ...ec offload flags installed in your system Note There are several additional user space applications that provide an interface to configure IPsec policies and SAs Strongswan which has IPsec offload sup...

Страница 37: ...anox see Section 5 2 3 Installing the Customized iproute2 Utility on page 35 In order to configure an IPsec secured connection between hosts it is necessary to 1 Configure the security association SA...

Страница 38: ...the flag dir in dir out depending on the traffic direction of the state under the crypto offload parameters section will indicate that this state is offloaded by an offload device If these flags are n...

Страница 39: ...the offload operation These counters are a part of the network interface counters and can be viewed using the ethtool S interface_name command Note The mlx5_core module must be loaded for the counter...

Страница 40: ...added by FPGA ipsec_add_sa_fail Total amount of failed SA add commands by FPGA This can be a result of adding an already valid SA ipsec_del_sa_success Total amount of SAs successfully removed by FPGA...

Страница 41: ...otes Extract the TGZ and run install sh Load mlx5_fpga_tools module See Section 4 2 2 mlx5_fpga_tools Module on page 23 Start mst service with the fpga lookup flag mst start with_fpga 6 2 mlx_fpga Syn...

Страница 42: ...mst status MST modules MST PCI module is not loaded MST PCI configuration module is not loaded MST devices No MST devices were found nor MST modules were loaded You may need to run mst start to load...

Страница 43: ...Range Default RW Description image_version 0x900000 31 00 00 0x0 RO Version of the image image_date 0x900004 31 00 00 0x0 RO Image date of creation The hex number is actually the decimal value i e 0x...

Страница 44: ...the command mst status The mst device name will be of the form dev mst mt4117_pciconf0 d Get the PSID firmware identification and programmed firmware version using the command flint d mst device q wh...

Страница 45: ...nox Innova IPsec Adapter Card Firmware Rev 1 8 45 Mellanox Technologies b To burn the firmware run c To load the firmware run mlxburn d dev mst mt4117_pciconf0 i fw bin mlxfwreset d dev mst mt4117_pci...

Страница 46: ...ters stopped working after installing another adapter Try removing and re installing all adapters Check that cables are connected properly Make sure your motherboard has the latest BIOS Link indicator...

Страница 47: ...grep i Mellanox Mellanox Firmware Tool MFT Download and install MFT http www mellanox com content pages php pg management_tools menu_section 34 Refer to the User Manual for installation instructions...

Страница 48: ...wer Passive Cables 31 5W 1 5W Active Cables 33W Max power available through QSFP port 1 5W Temperature Operational 0 C to 55 Ca Non operational 40 C to 70 C a Ambient temperature may vary Please conta...

Страница 49: ...bles 31W Max power available through QSFP port 1 5W Temperature Operational 0 C to 55 Ca Non operational 40 C to 70 C a Ambient temperature may vary Please contact Mellanox technical support if furthe...

Страница 50: ...ls Group B LEDs Debug LEDs indicate memory calibration done memory BIST done ConnectX 4 Lx link up is with traffic Heartbeat and power good See Section 9 3 2 FPGA Debug LEDs on page 51 for details Gro...

Страница 51: ...reen LED is lit and the Amber LED is off then the logical link has not been established Table 11 FPGA Debug LEDs LED Symbols LED Function D2 Power Good Or on all POWER GOOD inputs Expected LED ON D3 C...

Страница 52: ...BCIT Table 12 FPGA Load Flow Debug LEDs LED LED Symbol and Function Green power good Off power issue D10 Power Good Red during configuration Green when complete D11 Configuration Done Indication Red f...

Страница 53: ...Specifications Rev 1 8 53 Mellanox Technologies Figure 5 Mechanical Drawing of MNV101512A BCIT 167 65 68 90...

Страница 54: ...Rev 1 8 54 Mellanox Technologies 9 5 Bracket Mechanical Drawing Figure 6 Single Port Tall Bracket 21 6 120 02...

Страница 55: ...Specifications Rev 1 8 55 Mellanox Technologies Figure 7 Single Port Short Bracket 80 3 22 83...

Страница 56: ...tion only If the bundle is already installed please refer to Appendix A 4 Software Firmware and Tools Update on page 58 Please make sure to install in the following order Step 1 Download the bundle fr...

Страница 57: ...will install the FPGA image the FW and will also ask if to install the MFT and do a reset at the end modprobe mlx5_fpga_tools mst start with_fpga mst status MST modules MST PCI module is not loaded MS...

Страница 58: ...p a modprobe mlx5_fpga_tools Step b mst start with_fpga Step c mst status To update the FPGA image Step 4 In the bundle folder directory look for the installation script mlnx_fpga_updater sh Step a Th...

Страница 59: ...ollowing update script using one of the modes below 1 With u flag to provide URL to the software package tarball Example 2 With t flag to provide the path to the downloaded tarball Example 3 With p fl...

Страница 60: ...dapter card has a different identifier printed on the label serial number and the card MAC for the Ethernet protocol Figure 8 MNV101511A BCIT Board Label Figure 9 MNV101512A BCIT Board Label The revis...

Страница 61: ...1 F To guarantee proper air flow allow at least 8cm 3 inches of clearance around the ven tilation openings During periods of lightning activity do not work on the equipment or connect or dis connect c...

Страница 62: ...se of controls or adjustment or performance of procedures other than those specified herein may result in hazardous radiation exposure CLASS 1 LASER PRODUCT and reference to the most recent laser stan...

Страница 63: ...maximale est n cessaire En outre pour garantir un bon coulement de l air laissez au moins 8 cm 3 pouces d espace libre autour des ouver tures de ventilation Pendant un orage il ne faut pas utiliser l...

Страница 64: ...e en garde l utilisation de commandes ou de r glages ou l ex cution de proc dures autres que ce qui est sp cifi dans les pr sentes peut engendrer une exposition au rayonnement grave PRODUIT LASER DE C...

Страница 65: ...gstemperatur erforderlich Au erdem sollten mindestens 8 cm 3 in Freiraum um die Bel ftungs ffnungen sein um einen einwandfreien Luftstrom zu gew hrleisten Arbeiten Sie w hrend eines Gewitters und Blit...

Страница 66: ...ak Achtung Nutzung von Steuerungen oder Einstellungen oder Ausf hrung von Prozeduren die hier nicht spezifiziert sind kann zu gef hrlichem Strahlenkon takt f hren Klasse 1 Laserprodukt und Referenzen...

Страница 67: ...ar una circulaci n de aire adecuada se debe dejar como m nimo un espacio de 8 cm 3 pulgadas alrededor de las aberturas de ventilaci n No utilizar el equipo ni conectar o desconectar cables durante per...

Страница 68: ...ligrosos Precauci n el uso de controles o ajustes o la realizaci n de procedimientos distintos de los que aqu se especifican podr an causar exposici n a niveles de radiaci n peligrosos PRODUCTO L SER...

Отзывы:

Нет отзывов

Похожие инструкции для Innova IPsec

Qlogic QLE2460 Brochure preview
QLE2460
Бренд: Qlogic Страницы: 2
NETGEAR WNDA3200 User Manual preview
WNDA3200
Бренд: NETGEAR Страницы: 18
Leader LC 2130 Instruction Manual preview
LC 2130
Бренд: Leader Страницы: 12
TwinMOS Netkey 73-TMWBG-001 Use Manual preview
Netkey 73-TMWBG-001
Бренд: TwinMOS Страницы: 25
KILLARK VMCHVM Installation, Operation & Maintenance Data Sheet preview
VMCHVM
Бренд: KILLARK Страницы: 2
SWEEX LC203 Introduction Manual preview
LC203
Бренд: SWEEX Страницы: 8
Renesas PCA4738F-100A User Manual preview
PCA4738F-100A
Бренд: Renesas Страницы: 26
Teknatool NOVA Comet Versaturn Instruction Manual preview
NOVA Comet Versaturn
Бренд: Teknatool Страницы: 16
VOLTCRAFT 19 73 39 Operating Instructions preview
19 73 39
Бренд: VOLTCRAFT Страницы: 2
Allen-Bradley 2100-ENET User Manual preview
2100-ENET
Бренд: Allen-Bradley Страницы: 76
TERK Technologies XMDirect XMDPIO110 Installation Manual preview
XMDirect XMDPIO110
Бренд: TERK Technologies Страницы: 6
7inova 7HP120 User Manual preview
7HP120
Бренд: 7inova Страницы: 36
Ruijie Networks RG-PBOX Series Reference Manual preview
RG-PBOX Series
Бренд: Ruijie Networks Страницы: 19
oticon TVA3 Instructions For Use Manual preview
TVA3
Бренд: oticon Страницы: 54
TRENDnet TBW-101UB Quick Installation Manual preview
TBW-101UB
Бренд: TRENDnet Страницы: 9
D-Link AirPro DWL-AB650 Installation Manual preview
AirPro DWL-AB650
Бренд: D-Link Страницы: 19
D-Link DFB-A5 Quick Installation Manual preview
DFB-A5
Бренд: D-Link Страницы: 13
D-Link DE-530CT+ Installation Manual preview
DE-530CT+
Бренд: D-Link Страницы: 21

Бренды по названию

Популярные бренды

Загрузить еще бренды