AOJu0YyYq6kmCSt7m5v7bX5mNnmLNnhaMs1WrefQtgQXTr9s4z0nIMNh ufOomG15gFkF6OEutqpq53JXtabYX876ByWN0AK8qXcOYhtOzU/vt0Woh1f/ X-Google-Smtp-Source: AGHT+IF/hrqzhBvdfE+k9WIw0ISNW4Ro5YmbDLIl+YwfAK+ILhI5zdJgw7W1hvKXSa5PcWemIGkyRQ== X-Received: by 2002:a17:90b:4c10:b0:2e2:b513:d534 with SMTP id 98e67ed59e1d1-2e9b1783a6amr24419137a91.37.1731472713346; Tue, 12 Nov 2024 20:38:33 -0800 (PST) Received: from localhost.localdomain (syn-076-032-089-124.res.spectrum.com. [76.32.89.124]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-2e9f3ea55e1sm453151a91.1.2024.11.12.20.38.31 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 12 Nov 2024 20:38:32 -0800 (PST) From: Nandini Persad To: dev@dpdk.org Cc: Thomas Monjalon , Stephen Hemminger Subject: [PATCH] doc/guides: add security document Date: Tue, 12 Nov 2024 20:38:13 -0800 Message-Id: <20241113043813.67751-1-nandinipersad361@gmail.com> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org This is a new document covering security protocols implemented=0D in DPDK.=0D =0D Signed-off-by: Nandini Persad =0D Signed-off-by: Thomas Monjalon =0D Reviewed-by: Stephen Hemminger =0D ---=0D doc/guides/index.rst | 1 +=0D doc/guides/security/index.rst | 333 ++++++++++++++++++++++++++++++++++=0D 2 files changed, 334 insertions(+)=0D create mode 100644 doc/guides/security/index.rst=0D =0D diff --git a/doc/guides/index.rst b/doc/guides/index.rst=0D index 244b99624c..b8fddc56ae 100644=0D --- a/doc/guides/index.rst=0D +++ b/doc/guides/index.rst=0D @@ -13,6 +13,7 @@ DPDK documentation=0D sample_app_ug/index=0D prog_guide/index=0D howto/index=0D + security/index=0D tools/index=0D testpmd_app_ug/index=0D nics/index=0D 
diff --git a/doc/guides/security/index.rst b/doc/guides/security/index.rst= =0D new file mode 100644=0D index 0000000000..5547a93aec=0D --- /dev/null=0D +++ b/doc/guides/security/index.rst=0D 
@@ -0,0 +1,333 @@=0D +.. SPDX-License-Identifier: BSD-3-Clause=0D +=0D +Security Support Guide=0D +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0D +=0D +This document describes the security features available in the DPDK.=0D +This guide will provides information on each protocol,=0D +including supported algorithms, practical implementation details, and refe= rences.=0D +=0D +By detailing the supported algorithms and providing insights into each=0D +security protocol, this document serves as a resource for anyone looking=0D +to implement or enhance security measures within their DPDK-based environm= ents.=0D +=0D +=0D +=0D +Related Documentation=0D +---------------------=0D +=0D +Here is a list of related documents that provide detail of each library,=0D +its capabilities and what level of support it currently has within DPDK.=0D +=0D +* :doc:`Crypto Device Drivers <../cryptodevs/index>`=0D + This section contains information about all the crypto drivers in DPDK,= =0D + such as feature support availability, cipher algorithms and authenticati= on=0D + algorithms.=0D +=0D +* :doc:`Security Library <../prog_guide/rte_security>`=0D + This library is the glue between ethdev and and crypto dev. It includes = low-level supported protocols such as MACsec, TLS, IPSec, and PDCP.=0D +=0D +* Protocols: These include two supported protocols in DPDK.=0D + * :doc:`IPSec Library <../prog_guide/ipsec_lib>`=0D + * :doc:`PDCP Library <../prog_guide/pdcp_lib>`=0D +=0D +=0D +Protocols=0D +---------=0D +=0D +QUIC=0D +~~~~=0D +=0D +QUIC (Quick UDP Internet Connections) is a transport layer network=0D +protocol designed by Google to improve the speed and reliability of web co= nnections.=0D +QUIC is built on top of the User Datagram Protocol (UDP) and uses a combin= ation of=0D +encryption and multiplexing to achieve its goals. The protocol's main goal= is to=0D +reduce latency compared to Transmission Control Protocol (TCP). 
QUIC also= =0D +aims to make HTTP traffic more secure and eventually replace TCP and TLS o= n=0D +the web.=0D +=0D +Media over QUICK (MoQ) is a new live media protocol powered by QUIC. It is= =0D +a TCP/UDP replacement designed for HTTP/3.=0D +=0D +=0D +**Wikipedia Link**=0D + * https://en.wikipedia.org/wiki/QUIC=0D +=0D +**Standard Link**=0D + * https://quic.video/=0D +=0D +**Level of Support in DPDK**=0D + * Not supported in DPDK.=0D +=0D +**Pros**=0D + * Useful for time-sensitive application like online gaming or vide= o streaming.=0D + * Can send multiple streams of data over a single channel.=0D + * Automatically limits the packet transmission rate to counteract = load peaks and avoid overload, even with low bandwidth connections.=0D + * Uses TLS 1.3, which offers better security than others.=0D + * Fast data transfer.=0D + * Combines features of TCP, such as reliability and congestion con= trol, with the speed and flexibility of UDP.=0D +=0D +**Cons**=0D + * Has more complex protocol logic, which can result in higher CPU = and memory usage compared to TCP.=0D + * May result in poorer transmission rates.=0D + * Requires changes to client and server, making it more challengin= g to deploy that TCP.=0D + * Not yet as widely deployed as TCP.=0D +=0D +=0D +MACSec=0D +~~~~~~=0D +=0D +MACsec (accelerated by Marvell) is a network security standard that operat= es=0D +at the medium access control layer and defines connectionless data confide= ntiality=0D +and integrity for media access independent protocols. 
It is standardized b= y the=0D +IEEE 802.1 working group.=0D +=0D +=0D +**Wikipedia Link**=0D + * https://en.wikipedia.org/wiki/IEEE_802.1AE=0D +=0D +**Standard Link**=0D + * https://1.ieee802.org/security/802-1ae/=0D +=0D +**Level of Support in DPDK**=0D + * Supported in DPDK + 'Sample Application '=0D +=0D +**Supported Algorithms**=0D + * As specified by MACsec specification: AES-128-GCM, AES-256-GCM=0D +=0D +**Drivers**=0D + * Marvell cnxk Ethernet PMD which supports inline MACsec=0D +=0D +**Facts**=0D + * Uses the AES-GCM cryptography algorithm=0D + * Works on layer 2 and protects all DHCP and ARP traffic=0D + * Each MAC frame has a separate integrity verification code=0D + * Prevents attackers from resending copied MAC frames into the net= work without being detected=0D + * Commonly used in environments where securing Ethernet traffic be= tween devices is critical, such as in enterprise networks, data centers and= service provider networks=0D + * Applications do not need modification to work with IPsec=0D +=0D +**Cons**=0D + * Only operates at Layer 2, so it doesn't protect traffic beyond t= he local Ethernet segment or over Layer 3 networks or the internet=0D + * Data is decrypted and re-encrypted at each network device,=0D +which could expose data at each point=0D + * Can't detect rogue devices that operate on Layer 1=0D + * Relies on hardware for encryption and decryption, so not all net= work devices can use it=0D +=0D +=0D +IPSec=0D +~~~~~=0D +=0D +IPsec (accelerated by Intel, Marvell, Netronome, NXP) allows secure commun= ication=0D +over the internet by encrypting data traffic between two or more devices o= r networks.=0D +IPsec works on a different layer than MACsec, at layer 3.=0D +=0D +**Wikipedia Link**=0D + * https://en.wikipedia.org/wiki/IPsec=0D +=0D +**Standard Link**=0D + * https://datatracker.ietf.org/wg/ipsec/about/=0D +=0D +**Level of Support in DPDK**=0D + * Supported=0D + * High-level library and sample application=0D + * 
https://doc.dpdk.org/guides/sample_app_ug/ipsec_secgw.html=0D +=0D +**Supported Algorithms**=0D + * AES-GCM and ChaCha20-Poly1305=0D + * AES CBC and AES-CTR=0D + * HMAC-SHA1/SHA2 for integrity protection and authenticity=0D +=0D +**Pros**=0D + * Uses public keys to create an encrypted, authenticated tunnel to= resources=0D + * Offers strong security, scalability, and interoperability=0D + * IPsec can work across routers=0D + * Applications do not need modification to work with IPsec=0D +=0D +**Cons**=0D + * Can be simple to apply but complex to use. It can also be diffic= ult to configure and place an administrative burden on network administrato= rs=0D + * Can impact network performance because it encrypts all traffic a= nd uses strict authentication processes, both of which consume network band= width and increase data usage=0D + * IPsec relies on the security of public keys. Key management prot= ocol is not part of DPDK but DPDK provides asymmetric crypto APIs which are= required for key generation=0D +=0D +=0D +TLS=0D +~~~=0D +=0D +Transport Layer Security (TLS) is a cryptographic protocol that operates a= t the fifth application layer.=0D +It encrypts data sent between web applications and servers, such as when a= web browser loads a website.=0D +TLS can also be used to encrypt other types of communication, including: E= mail, Voice over IP (VoIP),=0D +File transfers, Video/audio conferencing, and Internet services like DNS a= nd NTP.=0D +=0D +=0D +**Wikipedia Link**=0D + * https://en.wikipedia.org/wiki/Transport_Layer_Security=0D +=0D +**Standard Link**=0D + * https://datatracker.ietf.org/doc/html/rfc8446 - TLS 1.3=0D + * https://datatracker.ietf.org/doc/html/rfc5246 - TLS 1.2=0D + * https://datatracker.ietf.org/doc/html/rfc9147/ - DTLS 1.3=0D +=0D +**Level of Support in DPDK**=0D + * DPDK supports TLS/DTLS record processing via rte_security APIs=0D +=0D +**Pros**=0D + * Considered one of the strongest encryption protocols available=0D + * Doesn't require 
parties to encrypt the content they exchange=0D + * Universally deployable, doesn't rely on specific operating syste= ms or applications=0D + * Can reduce the risk of phishing attacks=0D +=0D +**Cons**=0D + * May not work with complex proxy caching systems=0D + * Adding a server to handle encryption before it gets to the cachi= ng server can require additional costs=0D + * TLS can be vulnerable to attacks and data leaks, including downg= rade attacks, weak ciphers, and programming errors=0D + * The added layer of security that TLS provides can come at the co= st of speed=0D +=0D +=0D +TLS Handshake=0D +~~~~~~~~~~~~~=0D +=0D +TLS Handshake is the process that kicks off a communication session that u= ses TLS.=0D +During a TLS handshake, the two communicating sides exchange messages to a= cknowledge=0D +each other, verify each other, establish the cryptographic algorithms they= will use,=0D +and agree on session keys.=0D +=0D +=0D +**Wikipedia Link**=0D + * https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_hands= hake=0D +=0D +**Standard Link**=0D + * https://datatracker.ietf.org/doc/html/rfc8446#section-4=0D +=0D +**Level of Support in DPDK**=0D + * Handshake as protocol is not implemented in DPDK. 
However, it su= pports asymmetric crypto APIs, which can be used by the protocol.=0D +=0D +**Pros**=0D + * TLS 1.3 also supports an even faster version of the TLS handshak= e that does not require any round trips, or back-and-forth communication be= tween client and server, at all.=0D +=0D +**Cons**=0D + * Unknown.=0D +=0D +=0D +TLS Record=0D +~~~~~~~~~~=0D +=0D +TLS Record (accelerated by Marvell) Protocol is a layer of the TLS protoco= l=0D +that protects application data using keys created during the TLS handshake= .=0D +=0D +=0D +**Wikipedia Link**=0D + * https://en.wikipedia.org/wiki/Transport_Layer_Security (Scroll t= o TLS Record)=0D +=0D +**Standard Link**=0D + * https://datatracker.ietf.org/doc/html/rfc8446#section-5=0D +=0D +**Level of Support in DPDK**=0D + * Supported.=0D +=0D +**Supported Algorithms**=0D + * TLS 1.3 - AES-GCM-128, AES-GCM-256, CHACHA20-POLY130=0D + * TLS1.2/DTLS 1.2 - AES-GCM-128, AES-GCM-256, AES-CBC-128-SHA1,=0D + * AES-128-CBC-SHA256, AES-256-CBC-SHA1, AES-256-CBC-SHA256, AES-25= 6-CBC-SHA384, 3DES-CBC-SHA1-HMAC, NULL-SHA1-HMAC, CHACHA20-POLY1305=0D +=0D +**Pros**=0D + * TLS 1.3 also supports an even faster version of the TLS handshak= e that does not require any round trips, or back-and-forth communication be= tween client and server, at all=0D +=0D +**Cons**=0D + * Unknown if this differs from cons listed under TLS.=0D +=0D +=0D +PDCP=0D +~~~~=0D +=0D +Packet Data Convergence Protocol (PDCP) is a sublayer in the LTE radio pro= tocol stack=0D +that provides security and integrity protections to Protocol Data Units (P= DU) in both=0D +the control and data planes. 
PDCP is located between the Radio Link Contro= l (RLC) layer=0D +and the upper layers of the network, such as the IP layer.=0D +=0D +=0D +**Wikipedia Link**=0D + * https://en.wikipedia.org/wiki/Packet_Data_Convergence_Protocol=0D +=0D +**Standard Link**=0D + * https://portal.3gpp.org/desktopmodules/Specifications/Specificat= ionDetails.aspx?specificationId=3D1177=0D +=0D +**Level of Support in DPDK**=0D + * Supported. High-level library.=0D + * rte_security based PDCP sessions are also supported=0D +=0D +**Supported Algorithms**=0D + * Encryption algo - NULL, AES-CTR, SNOW, ZUC=0D + * Authentication algo - NULL, AES-CMAC, SNOW, ZUC=0D +=0D +**Supported Drivers**=0D + * Drivers supporting rte_security PDCP:=0D + * XPdpaa2_sec, dpaa_sec=0D + * Drivers supporting pdcp lib=0D + * Marvell cnxk=0D + * Intel - QAT, ipsec_mb=0D +=0D +**Pros**=0D + * Compresses the IP header of user plane packets to reduce overhea= d and optimize bandwidth usage over the radio interface. This is particular= ly important in mobile networks where radio resources are limited and effic= iency is critical=0D + * PDCP encrypts and decrypts user plane data to ensure confidentia= lity and integrity of data transmitted over the air interface=0D + * Has the option of interoperability between different generations= of mobile networks (e.g., LTE and 5G) and compatibility with IP-based netw= orks=0D +=0D +**Cons**=0D + * Limitations currently unclear=0D +=0D +=0D +PSP=0D +~~~=0D +=0D +PSP is a TLS-like protocol created by Google for encrypting data in transi= t between data centers.=0D +It uses concepts from IPsec ESP to create an encryption layer on top of IP= , and supports non-TCP=0D +protocols like UDP. 
Google uses PSP along with other protocols, such as TL= S and IPsec, depending on the use case.=0D +=0D +=0D +**Standard Links**=0D + * https://cloud.google.com/blog/products/identity-security/announc= ing-psp-security-protocol-is-now-open-source?hl=3Den=0D + * https://github.com/google/psp=0D +=0D +**Level of Support in DPDK**=0D + * Not supported in DPDK, but algorithms are supported.=0D + * rte_security based PDCP sessions are also supported=0D +=0D +**Supported Algorithms**=0D + * AES-GCM-128=0D + * AES-GCM-256=0D + * AES-GMAC=0D +=0D +**Pros**=0D + * PSP is transport-independent and can be offloaded to hardware=0D + * It does not mandate a specific key exchange protocol=0D + * Enables per-connection security by allowing an encryption key pe= r layer-4 connection (such as a TCP connection)=0D +=0D +**Cons**=0D + * Offers few choices for the packet format and the cryptographic a= lgorithms=0D +=0D +=0D +Wireguard=0D +~~~~~~~~~=0D +=0D +Wireguard is a open-source tunneling protocol.=0D +=0D +**Wikipedia Link**=0D + * https://en.wikipedia.org/wiki/WireGuard=0D +=0D +**Standard Link**=0D + * https://www.wireguard.com/=0D +=0D +**Level of Support in DPDK**=0D + * Not supported at this time, but algorithms are supported.=0D +=0D +**Supported Algorithms**=0D + * ChachaPoly SW Driver=0D +=0D +**Pros**=0D + * Faster than most VPNs=0D + * straightforward with a lean codebase=0D + * Works with various operating systems such as Linux, Windows, mac= OS, Android, and iOS=0D + * Quick connections (good for mobile environments)=0D +=0D +**Cons**=0D + * Has been rapidly adopted, but still a new, young protocol.=0D + * May not have the same level of extensive real-world testing and = deployment as other VPNs.=0D + * Widely supported, but compatibility may still be an issue.=0D -- =0D 2.45.2=0D =0D
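Review bot: the doc/guides/index.rst hunk only adds "security/index" to the toctree between howto/index and tools/index, which builds fine; since the new guide is essentially a map onto prog_guide and cryptodevs content, placing it directly after prog_guide/index would keep the related guides adjacent, but that is a style preference, not a blocker.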
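Review bot: the new doc/guides/security/index.rst ships copy-paste errors and placeholder text that should be fixed before merge. Under MACsec the Facts list ends with "Applications do not need modification to work with IPsec" (should read MACsec; the same line appears correctly under IPsec), and the PSP Level of Support list repeats PDCP's "rte_security based PDCP sessions are also supported", which does not belong there. The TLS Handshake "Pros" bullet about the zero-round-trip handshake is duplicated verbatim under TLS Record, and TLS Handshake, TLS Record and PDCP ship "Cons" entries reading "Unknown.", "Unknown if this differs from cons listed under TLS." and "Limitations currently unclear", which are notes to self rather than documentation; either state the known limitations or drop the heading. Typos: "This guide will provides" (drop "will" or use "provide"), "Media over QUICK (MoQ)", "challenging to deploy that TCP" (than), "CHACHA20-POLY130" (1305), "XPdpaa2_sec" (dpaa2_sec), "Wireguard is a open-source" (an; the project spells it WireGuard), and the MACsec line "Supported in DPDK + 'Sample Application '" has a dangling quote where a :doc: link was presumably intended. Accuracy: the QUIC "Standard Link" points at https://quic.video/, which is the MoQ site, while the QUIC transport itself is specified in RFC 9000; MoQ is described as "a TCP/UDP replacement", which contradicts the preceding paragraph stating that QUIC runs on top of UDP; TLS is said to operate "at the fifth application layer", but the application layer is layer 7 in the OSI model; and the IPsec Pros bullet "Uses public keys to create an encrypted, authenticated tunnel" overstates it, since the tunnel traffic is protected with symmetric keys negotiated by the key-exchange protocol that the Cons bullet already notes is outside DPDK. RST formatting: each bold label such as **Pros** is followed directly by an indented " * " bullet with no blank line, which Sphinx reports as unexpected indentation; the MACsec bullet split across "* Data is decrypted and re-encrypted at each network device," and an unindented "which could expose data at each point" needs its continuation indented under the bullet; and the nested lists under Related Documentation and PDCP Supported Drivers need blank lines and consistent indentation to render as sub-lists. Finally, every line of the mail body ends in =0D, so verify the file does not land with CRLF line endings once applied.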