Fast MAC algorithms?

james hughes hughejp at
Fri Jul 24 04:21:33 EDT 2009

On Jul 24, 2009, at 1:30 PM, Peter Gutmann wrote:

> [I realise this isn't crypto, but it's arguably security-relevant  
> and arguably
> interesting :-)].

As long as we think this is interesting, (although I respectfully  
disagree that there are any inherent security problems with TOE. Maybe  
there are insecure implementation...).

> James Hughes <hughejp at> writes:
>> TOEs that are implemented in a slow processor in a NIC card have  
>> been shown
>> many times to be ineffective compared to keeping TCP in the fastest  
>> CPU
>> (where it is now).
> The problem with statements like this is that they smack of the Linux
> religious zealotry against TCP offload support in the kernel, "TOE's  
> are bad
> because we say they are, and we'll keep asserting this until you go  
> away".

There were a dozen or so protocol offload research projects that the  
US government funded in the 90s. All failed. Is the people who say  
"TOE's are bad"  because of zealotry or standing on the shoulders of  
the people that ran those projects. At Network Systems, we partnered  
with HT Kung of CMU at the time to move TCP out of a really slow  
Decstation. Result? A accelerator that cost as much as the workstation  
that was faster until the next processor version was available. Yes,  
we could have reduced it to a chip but it wasn't. The take away was  
that improving the software is the gift that keeps on giving. Moore's  
law means you get a faster TCP every time the clock ticks.

BTW, I am not a Linux bigot, just someone that got caught up in this  
issue more than a decade ago. I do not agree with your assertion or  
the Wikipedia page that this is linux bigotry. I find that page  
horribly inaccurate and self serving to the TOE manufacturing community.

What I learned from participating in a project that spent $5M of tax  
payer money was that "The protocol itself is a small fraction of the  

> A
> decade ago, during the Win2K development, Microsoft were measuring a  
> 1/3
> reduction in CPU usage just from TCP checksum offload.  Given the  
> time frame
> this was probably on 300MHz PII's, but then again it'd be with  
> late-90s
> vintage NICs.  On the other hand I've seen even more impressive  
> figures with
> their more recent TCP chimney offload (which just moves more of the  
> NDIS stack
> onto the NIC, I think it came out around Server 2003).
> Does this mean that MS have figured out (a decade or so ago) how to  
> make TOE
> work while the OSS community has been too occupied telling everyone  
> it doesn't
> to do anything about it?  There must be some reason for the  
> difference between
> the two camps.

Offloading features like checksumming, fragmentation/reassembly (aka  
Large Segment Offload), packet categorization, slitting flows to  
different threads, etc. is not TOE.

TOE is offloading of the TCP stack. The thin line that is crossed is  
"where is the TCP state kept". If the state is kept in the card, then  
the protocol to get the data reliably to the application is has more  
corner cases (hence complexity) since the IP layer can be lossy and  
the socket layer can not. In all the research, this has always been  
the case.

If there is something windows has not learned could be that processing  
TCP should be simple and quick. Since the source code is not  
available, I don't know if their software falls into the "too  
complicated" camp or not... In the case of Chimney partial stack  
offload, the state is in both places. Sounds simple straight forward,  

The case of iSCSI where a complete protocol conversion is done (the  
card looks like a SCSI card, but the data goes out over TCP/IP) it is  
a different story (which is also arguably still about solving the OS  
vendor's lack of software agility with hardware), but that is not the  
intent of this discussion.

I fully agree that offloading features that makes the TCP processing  
easier is a good thing.

Back to crypto?

> Peter.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list