I'm sponsoring this case for Dan McDonald. Timeout expires 8/21/2008. Release binding is Minor - this interface will only be removed from post-Solaris-10 releases.

This is an Open case about a Contract Private interface implemented by a closed-source driver for EOL'ed hardware which is used by the open-source Solaris IP stack.

----

We propose to remove the use of the DL_CAPAB_IPSEC_* interface capabilities from the Solaris IP stack in a future Minor release. This is a Contracted Consolidation Private interface between ON and CPG. The hardware product which exported this interface (SCA 4000 aka. "Venus") has been EOLed due to RoHS.

The SCA4000 combined a gigabit ethernet port with a cryptographic coprocessor; the DL_CAPAB_IPSEC_* interfaces allowed the crypto-aware NIC on board the SCA4000 to encrypt and then transmit, or receive and decrypt, an IPsec-encrypted packet without sending the packet data over the I/O bus three times (in and out of a crypto unit and then out the ethernet).

The follow-on RoHS-compliant SCA-6000 does not include the on-board NIC; no other devices are known to export the same acceleration interface.

If we want to support similar devices in the future, we do not recommend reusing this interface; instead, we recommend extending GLDv3 to control the functionality and share the IPsec SADB with the card via a synchronous function-call interface.

Description:
------------

Part of PSARC 2001/070 describes STREAMS interfaces provided by a hardware driver to enable Network Interface Card (NIC)-level acceleration of IPsec encryption or data integrity.

The only provider of this interface was the Sun Crypto Accelerator 4000, aka. "Venus". Venus has been EOLed due to non-compliance with EU RoHS laws.

According to the contract in 2001/070:

    7. Changes to INTERFACES requires ARC approval. If SUPPLIER decides to change (including replace or remove) any portion of the INTERFACES, SUPPLIER will notify CONSUMER of the proposed new version, no later than the application for ARC approval of the new version.

    If SUPPLIER and CONSUMER are contained in the same bundle, they have the option of arranging for simultaneous conversion to the new interfaces. If this is not possible, or if they are not in the same bundle, then SUPPLIER will either make best effort to work with CONSUMER so that CONSUMER can detect which version of INTERFACES is being supplied, or else SUPPLIER will make best effort to supply both old and new versions of INTERFACES. If SUPPLIER cannot make both versions of INTERFACES available, and SUPPLIER and CONSUMER cannot devise a method whereby CONSUMER can detect which version of INTERFACES is being supplied, and the old version of CONSUMER will not run with the new version of SUPPLIER, then either the EOL process must be followed by SUPPLIER, or else a major release of SUPPLIER will be required.

The SUPPLIER was CPG - the Venus folks.

We propose to stop using this interface within the Solaris IPsec stack. The Venus card can continue to be used to provide general cryptographic acceleration and keystore functionality even without the use of this interface.