From: Hemant Agrawal <hemant.agrawal@nxp.com>
To: gakhil@marvell.com
Cc: dev@dpdk.org, Barry Cao <barry.cao@nxp.com>
Subject: [PATCH 3/4] crypto/dpaa_sec: add support for UDP-encapsulated ESP
Date: Thu, 24 Oct 2024 20:31:50 +0530 [thread overview]
Message-ID: <20241024150151.2290617-3-hemant.agrawal@nxp.com> (raw)
In-Reply-To: <20241024150151.2290617-1-hemant.agrawal@nxp.com>
From: Barry Cao <barry.cao@nxp.com>
This patch enables support for NAT-T traversal in IPSEC ESP
protocol offload mode.
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Signed-off-by: Barry Cao <barry.cao@nxp.com>
---
drivers/crypto/dpaa_sec/dpaa_sec.c | 63 ++++++++++++++++++++++++------
drivers/crypto/dpaa_sec/dpaa_sec.h | 14 +++++++
2 files changed, 66 insertions(+), 11 deletions(-)
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index 881435fdb6..3fa88ca968 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -20,6 +20,7 @@
#include <dev_driver.h>
#include <rte_io.h>
#include <rte_ip.h>
+#include <rte_udp.h>
#include <rte_kvargs.h>
#include <rte_malloc.h>
#include <rte_mbuf.h>
@@ -46,6 +47,7 @@
#include <dpaax_iova_table.h>
#define DRIVER_DUMP_MODE "drv_dump_mode"
+#define DPAA_DEFAULT_NAT_T_PORT 4500
/* DPAA_SEC_DP_DUMP levels */
enum dpaa_sec_dump_levels {
@@ -2961,15 +2963,22 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
session->ip4_hdr.ip_v = IPVERSION;
session->ip4_hdr.ip_hl = 5;
- session->ip4_hdr.ip_len = rte_cpu_to_be_16(
- sizeof(session->ip4_hdr));
+ if (ipsec_xform->options.udp_encap)
+ session->ip4_hdr.ip_len = rte_cpu_to_be_16(
+ sizeof(session->ip4_hdr) + sizeof(struct rte_udp_hdr));
+ else
+ session->ip4_hdr.ip_len = rte_cpu_to_be_16(
+ sizeof(session->ip4_hdr));
session->ip4_hdr.ip_tos = ipsec_xform->tunnel.ipv4.dscp;
session->ip4_hdr.ip_id = 0;
session->ip4_hdr.ip_off = 0;
session->ip4_hdr.ip_ttl = ipsec_xform->tunnel.ipv4.ttl;
- session->ip4_hdr.ip_p = (ipsec_xform->proto ==
- RTE_SECURITY_IPSEC_SA_PROTO_ESP) ?
- IPPROTO_ESP : IPPROTO_AH;
+ if (ipsec_xform->options.udp_encap)
+ session->ip4_hdr.ip_p = IPPROTO_UDP;
+ else
+ session->ip4_hdr.ip_p = (ipsec_xform->proto ==
+ RTE_SECURITY_IPSEC_SA_PROTO_ESP) ?
+ IPPROTO_ESP : IPPROTO_AH;
session->ip4_hdr.ip_sum = 0;
session->ip4_hdr.ip_src =
ipsec_xform->tunnel.ipv4.src_ip;
@@ -2993,9 +3002,12 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
session->ip6_hdr.payload_len = 0;
session->ip6_hdr.hop_limits =
ipsec_xform->tunnel.ipv6.hlimit;
- session->ip6_hdr.proto = (ipsec_xform->proto ==
- RTE_SECURITY_IPSEC_SA_PROTO_ESP) ?
- IPPROTO_ESP : IPPROTO_AH;
+ if (ipsec_xform->options.udp_encap)
+ session->ip6_hdr.proto = IPPROTO_UDP;
+ else
+ session->ip6_hdr.proto = (ipsec_xform->proto ==
+ RTE_SECURITY_IPSEC_SA_PROTO_ESP) ?
+ IPPROTO_ESP : IPPROTO_AH;
memcpy(&session->ip6_hdr.src_addr,
&ipsec_xform->tunnel.ipv6.src_addr, 16);
memcpy(&session->ip6_hdr.dst_addr,
@@ -3022,18 +3034,47 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
session->encap_pdb.seq_num_ext_hi = conf->ipsec.esn.hi;
session->encap_pdb.seq_num = conf->ipsec.esn.low;
}
+ if (ipsec_xform->options.udp_encap) {
+ struct rte_udp_hdr *udp_hdr;
+
+ if (ipsec_xform->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)
+ udp_hdr = (struct rte_udp_hdr *)(&session->udp4.udp_hdr);
+ else
+ udp_hdr = (struct rte_udp_hdr *)(&session->udp6.udp_hdr);
+
+ if (ipsec_xform->udp.sport)
+ udp_hdr->src_port = rte_cpu_to_be_16(ipsec_xform->udp.sport);
+ else
+ udp_hdr->src_port = rte_cpu_to_be_16(DPAA_DEFAULT_NAT_T_PORT);
+
+ if (ipsec_xform->udp.dport)
+ udp_hdr->dst_port = rte_cpu_to_be_16(ipsec_xform->udp.dport);
+ else
+ udp_hdr->dst_port = rte_cpu_to_be_16(DPAA_DEFAULT_NAT_T_PORT);
+ udp_hdr->dgram_len = 0;
+ udp_hdr->dgram_cksum = 0;
+ session->encap_pdb.ip_hdr_len += sizeof(struct rte_udp_hdr);
+ session->encap_pdb.options |= PDBOPTS_ESP_NAT | PDBOPTS_ESP_NUC;
+ }
if (ipsec_xform->options.ecn)
session->encap_pdb.options |= PDBOPTS_ESP_TECN;
} else if (ipsec_xform->direction ==
RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
if (ipsec_xform->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
- session->decap_pdb.options = sizeof(struct ip) << 16;
+ if (ipsec_xform->options.udp_encap)
+ session->decap_pdb.options =
+ (sizeof(struct ip) + sizeof(struct rte_udp_hdr)) << 16;
+ else
+ session->decap_pdb.options = sizeof(struct ip) << 16;
if (ipsec_xform->options.copy_df)
session->decap_pdb.options |= PDBHMO_ESP_DFV;
} else {
- session->decap_pdb.options =
- sizeof(struct rte_ipv6_hdr) << 16;
+ if (ipsec_xform->options.udp_encap)
+ session->decap_pdb.options =
+ (sizeof(struct rte_ipv6_hdr) + sizeof(struct rte_udp_hdr)) << 16;
+ else
+ session->decap_pdb.options = sizeof(struct rte_ipv6_hdr) << 16;
}
if (ipsec_xform->options.esn) {
session->decap_pdb.options |= PDBOPTS_ESP_ESN;
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.h b/drivers/crypto/dpaa_sec/dpaa_sec.h
index 603a7d8f38..64d9e22159 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.h
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.h
@@ -143,6 +143,16 @@ typedef struct dpaa_sec_job* (*dpaa_sec_build_raw_dp_fd_t)(uint8_t *drv_ctx,
void *userdata,
struct qm_fd *fd);
+struct dpaa_ipv4_udp {
+ struct ip ip4_hdr;
+ struct rte_udp_hdr udp_hdr;
+};
+
+struct dpaa_ipv6_udp {
+ struct rte_ipv6_hdr ip6_hdr;
+ struct rte_udp_hdr udp_hdr;
+};
+
typedef struct dpaa_sec_session_entry {
struct sec_cdb cdb; /**< cmd block associated with qp */
struct dpaa_sec_qp *qp[MAX_DPAA_CORES];
@@ -191,6 +201,8 @@ typedef struct dpaa_sec_session_entry {
union {
struct ip ip4_hdr;
struct rte_ipv6_hdr ip6_hdr;
+ struct dpaa_ipv4_udp udp4;
+ struct dpaa_ipv6_udp udp6;
};
uint8_t auth_cipher_text;
/**< Authenticate/cipher ordering */
@@ -995,6 +1007,7 @@ static const struct rte_security_capability dpaa_sec_security_cap[] = {
.dec_ttl = 1,
.ecn = 1,
.esn = 1,
+ .udp_encap = 1,
},
.replay_win_sz_max = 128
},
@@ -1013,6 +1026,7 @@ static const struct rte_security_capability dpaa_sec_security_cap[] = {
.dec_ttl = 1,
.ecn = 1,
.esn = 1,
+ .udp_encap = 1,
},
.replay_win_sz_max = 128
},
--
2.25.1
next prev parent reply other threads:[~2024-10-24 15:02 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-24 15:01 [PATCH 1/4] crypto/dpaa_sec: enhance IPsec extended sequence number Hemant Agrawal
2024-10-24 15:01 ` [PATCH 2/4] crypto/dpaa_sec: enabling diffserv and ECN support Hemant Agrawal
2024-10-24 15:01 ` Hemant Agrawal [this message]
2024-10-24 15:01 ` [PATCH 4/4] crypto/dpaa2_sec: add support for IPv6 UDP encap Hemant Agrawal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241024150151.2290617-3-hemant.agrawal@nxp.com \
--to=hemant.agrawal@nxp.com \
--cc=barry.cao@nxp.com \
--cc=dev@dpdk.org \
--cc=gakhil@marvell.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).