* [dpdk-dev] [PATCH v2 1/4] crypto/octeontx2: add UDP encapsulation support
2021-04-01 11:26 [dpdk-dev] [PATCH v2 0/4] add lookaside IPsec UDP encapsulation and transport mode Tejasree Kondoj
@ 2021-04-01 11:26 ` Tejasree Kondoj
2021-04-05 18:14 ` Akhil Goyal
2021-04-01 11:26 ` [dpdk-dev] [PATCH v2 2/4] mbuf: add packet type for UDP-ESP tunnel packets Tejasree Kondoj
` (2 subsequent siblings)
3 siblings, 1 reply; 13+ messages in thread
From: Tejasree Kondoj @ 2021-04-01 11:26 UTC (permalink / raw)
To: Akhil Goyal, Radu Nicolau
Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Jerin Jacob, dev
Adding UDP encapsulation support for IPsec in
lookaside protocol mode.
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
doc/guides/cryptodevs/octeontx2.rst | 1 +
doc/guides/rel_notes/release_21_05.rst | 5 +++
drivers/crypto/octeontx2/otx2_cryptodev_sec.c | 40 ++++++-------------
3 files changed, 18 insertions(+), 28 deletions(-)
diff --git a/doc/guides/cryptodevs/octeontx2.rst b/doc/guides/cryptodevs/octeontx2.rst
index d312eeb74c..b30f98180a 100644
--- a/doc/guides/cryptodevs/octeontx2.rst
+++ b/doc/guides/cryptodevs/octeontx2.rst
@@ -181,6 +181,7 @@ Features supported
* Tunnel mode
* ESN
* Anti-replay
+* UDP Encapsulation
* AES-128/192/256-GCM
* AES-128/192/256-CBC-SHA1-HMAC
* AES-128/192/256-CBC-SHA256-128-HMAC
diff --git a/doc/guides/rel_notes/release_21_05.rst b/doc/guides/rel_notes/release_21_05.rst
index 8e686cc627..8065b3daf8 100644
--- a/doc/guides/rel_notes/release_21_05.rst
+++ b/doc/guides/rel_notes/release_21_05.rst
@@ -94,6 +94,11 @@ New Features
* Added support for preferred busy polling.
+* **Updated the OCTEON TX2 crypto PMD.**
+
+ * Updated the OCTEON TX2 crypto PMD lookaside protocol offload for IPsec with
+ UDP encapsulation support for NAT Traversal.
+
* **Updated testpmd.**
* Added a command line option to configure forced speed for Ethernet port.
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
index 342f089df8..8942ff1fac 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
@@ -203,6 +203,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
struct rte_security_session *sec_sess)
{
struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
+ struct otx2_ipsec_po_ip_template *template;
const uint8_t *cipher_key, *auth_key;
struct otx2_sec_session_ipsec_lp *lp;
struct otx2_ipsec_po_sa_ctl *ctl;
@@ -248,11 +249,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) {
- if (ipsec->options.udp_encap) {
- sa->aes_gcm.template.ip4.udp_src = 4500;
- sa->aes_gcm.template.ip4.udp_dst = 4500;
- }
- ip = &sa->aes_gcm.template.ip4.ipv4_hdr;
+ template = &sa->aes_gcm.template;
ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
aes_gcm.template) + sizeof(
sa->aes_gcm.template.ip4);
@@ -260,11 +257,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
lp->ctx_len = ctx_len >> 3;
} else if (ctl->auth_type ==
OTX2_IPSEC_PO_SA_AUTH_SHA1) {
- if (ipsec->options.udp_encap) {
- sa->sha1.template.ip4.udp_src = 4500;
- sa->sha1.template.ip4.udp_dst = 4500;
- }
- ip = &sa->sha1.template.ip4.ipv4_hdr;
+ template = &sa->sha1.template;
ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
sha1.template) + sizeof(
sa->sha1.template.ip4);
@@ -272,11 +265,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
lp->ctx_len = ctx_len >> 3;
} else if (ctl->auth_type ==
OTX2_IPSEC_PO_SA_AUTH_SHA2_256) {
- if (ipsec->options.udp_encap) {
- sa->sha2.template.ip4.udp_src = 4500;
- sa->sha2.template.ip4.udp_dst = 4500;
- }
- ip = &sa->sha2.template.ip4.ipv4_hdr;
+ template = &sa->sha2.template;
ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
sha2.template) + sizeof(
sa->sha2.template.ip4);
@@ -285,8 +274,15 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
} else {
return -EINVAL;
}
+ ip = &template->ip4.ipv4_hdr;
+ if (ipsec->options.udp_encap) {
+ ip->next_proto_id = IPPROTO_UDP;
+ template->ip4.udp_src = rte_be_to_cpu_16(4500);
+ template->ip4.udp_dst = rte_be_to_cpu_16(4500);
+ } else {
+ ip->next_proto_id = IPPROTO_ESP;
+ }
ip->version_ihl = RTE_IPV4_VHL_DEF;
- ip->next_proto_id = IPPROTO_ESP;
ip->time_to_live = ipsec->tunnel.ipv4.ttl;
ip->type_of_service |= (ipsec->tunnel.ipv4.dscp << 2);
if (ipsec->tunnel.ipv4.df)
@@ -299,10 +295,6 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
RTE_SECURITY_IPSEC_TUNNEL_IPV6) {
if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) {
- if (ipsec->options.udp_encap) {
- sa->aes_gcm.template.ip6.udp_src = 4500;
- sa->aes_gcm.template.ip6.udp_dst = 4500;
- }
ip6 = &sa->aes_gcm.template.ip6.ipv6_hdr;
ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
aes_gcm.template) + sizeof(
@@ -311,10 +303,6 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
lp->ctx_len = ctx_len >> 3;
} else if (ctl->auth_type ==
OTX2_IPSEC_PO_SA_AUTH_SHA1) {
- if (ipsec->options.udp_encap) {
- sa->sha1.template.ip6.udp_src = 4500;
- sa->sha1.template.ip6.udp_dst = 4500;
- }
ip6 = &sa->sha1.template.ip6.ipv6_hdr;
ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
sha1.template) + sizeof(
@@ -323,10 +311,6 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
lp->ctx_len = ctx_len >> 3;
} else if (ctl->auth_type ==
OTX2_IPSEC_PO_SA_AUTH_SHA2_256) {
- if (ipsec->options.udp_encap) {
- sa->sha2.template.ip6.udp_src = 4500;
- sa->sha2.template.ip6.udp_dst = 4500;
- }
ip6 = &sa->sha2.template.ip6.ipv6_hdr;
ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
sha2.template) + sizeof(
--
2.27.0
^ permalink raw reply [flat|nested] 13+ messages in thread
* [dpdk-dev] [PATCH v2 2/4] mbuf: add packet type for UDP-ESP tunnel packets
2021-04-01 11:26 [dpdk-dev] [PATCH v2 0/4] add lookaside IPsec UDP encapsulation and transport mode Tejasree Kondoj
2021-04-01 11:26 ` [dpdk-dev] [PATCH v2 1/4] crypto/octeontx2: add UDP encapsulation support Tejasree Kondoj
@ 2021-04-01 11:26 ` Tejasree Kondoj
2021-04-05 18:11 ` Akhil Goyal
2021-04-01 11:26 ` [dpdk-dev] [PATCH v2 3/4] examples/ipsec-secgw: add UDP encapsulation support Tejasree Kondoj
2021-04-01 11:26 ` [dpdk-dev] [PATCH v2 4/4] crypto/octeontx2: support lookaside IPv4 transport mode Tejasree Kondoj
3 siblings, 1 reply; 13+ messages in thread
From: Tejasree Kondoj @ 2021-04-01 11:26 UTC (permalink / raw)
To: Akhil Goyal, Radu Nicolau, Konstantin Ananyev
Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Jerin Jacob, dev
Adding new mbuf packet type for UDP encapsulated
ESP packets.
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
doc/guides/rel_notes/release_21_05.rst | 5 +++++
lib/librte_mbuf/rte_mbuf_ptype.h | 21 +++++++++++++++++++++
2 files changed, 26 insertions(+)
diff --git a/doc/guides/rel_notes/release_21_05.rst b/doc/guides/rel_notes/release_21_05.rst
index 8065b3daf8..4ab2d7500f 100644
--- a/doc/guides/rel_notes/release_21_05.rst
+++ b/doc/guides/rel_notes/release_21_05.rst
@@ -55,6 +55,11 @@ New Features
Also, make sure to start the actual text at the margin.
=======================================================
+* **Added new packet type for UDP-ESP packets in mbuf.**
+
+ Added new packet type ``RTE_PTYPE_TUNNEL_ESP_IN_UDP`` which can be
+ used to identify UDP encapsulated ESP packets.
+
* **Enhanced ethdev representor syntax.**
* Introduced representor type of VF, SF and PF.
diff --git a/lib/librte_mbuf/rte_mbuf_ptype.h b/lib/librte_mbuf/rte_mbuf_ptype.h
index 17a2dd3576..bf92ce0c1a 100644
--- a/lib/librte_mbuf/rte_mbuf_ptype.h
+++ b/lib/librte_mbuf/rte_mbuf_ptype.h
@@ -491,6 +491,27 @@ extern "C" {
* | 'destination port'=6635>
*/
#define RTE_PTYPE_TUNNEL_MPLS_IN_UDP 0x0000d000
+/**
+ * ESP-in-UDP tunneling packet type (RFC 3948).
+ *
+ * Packet format:
+ * <'ether type'=0x0800
+ * | 'version'=4, 'protocol'=17
+ * | 'destination port'=4500>
+ * or,
+ * <'ether type'=0x86DD
+ * | 'version'=6, 'next header'=17
+ * | 'destination port'=4500>
+ * or,
+ * <'ether type'=0x0800
+ * | 'version'=4, 'protocol'=17
+ * | 'source port'=4500>
+ * or,
+ * <'ether type'=0x86DD
+ * | 'version'=6, 'next header'=17
+ * | 'source port'=4500>
+ */
+#define RTE_PTYPE_TUNNEL_ESP_IN_UDP 0x0000e000
/**
* Mask of tunneling packet types.
*/
--
2.27.0
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [dpdk-dev] [PATCH v2 2/4] mbuf: add packet type for UDP-ESP tunnel packets
2021-04-01 11:26 ` [dpdk-dev] [PATCH v2 2/4] mbuf: add packet type for UDP-ESP tunnel packets Tejasree Kondoj
@ 2021-04-05 18:11 ` Akhil Goyal
2021-04-05 19:03 ` Thomas Monjalon
0 siblings, 1 reply; 13+ messages in thread
From: Akhil Goyal @ 2021-04-05 18:11 UTC (permalink / raw)
To: Tejasree Kondoj, Radu Nicolau, Konstantin Ananyev, thomas,
olivier.matz, ferruh.yigit
Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi,
Jerin Jacob Kollanukkaran, dev
> Adding new mbuf packet type for UDP encapsulated
> ESP packets.
>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> ---
> doc/guides/rel_notes/release_21_05.rst | 5 +++++
> lib/librte_mbuf/rte_mbuf_ptype.h | 21 +++++++++++++++++++++
> 2 files changed, 26 insertions(+)
>
Acked-by: Akhil Goyal <gakhil@marvell.com>
++Olivier
Thomas,
Can this patch be part of crypto tree if acked by Olivier?
Regards,
Akhil
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [dpdk-dev] [PATCH v2 2/4] mbuf: add packet type for UDP-ESP tunnel packets
2021-04-05 18:11 ` Akhil Goyal
@ 2021-04-05 19:03 ` Thomas Monjalon
0 siblings, 0 replies; 13+ messages in thread
From: Thomas Monjalon @ 2021-04-05 19:03 UTC (permalink / raw)
To: olivier.matz, andrew.rybchenko
Cc: Tejasree Kondoj, Radu Nicolau, Konstantin Ananyev, ferruh.yigit,
Akhil Goyal, Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi,
Jerin Jacob Kollanukkaran, dev
05/04/2021 20:11, Akhil Goyal:
> > Adding new mbuf packet type for UDP encapsulated
> > ESP packets.
> >
> > Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> > ---
> > doc/guides/rel_notes/release_21_05.rst | 5 +++++
> > lib/librte_mbuf/rte_mbuf_ptype.h | 21 +++++++++++++++++++++
> > 2 files changed, 26 insertions(+)
> >
> Acked-by: Akhil Goyal <gakhil@marvell.com>
>
> ++Olivier
>
> Thomas,
> Can this patch be part of crypto tree if acked by Olivier?
Yes, adding a packet type is OK if reviewed by Olivier or Andrew.
Olivier, Andrew, please could you review?
^ permalink raw reply [flat|nested] 13+ messages in thread
* [dpdk-dev] [PATCH v2 3/4] examples/ipsec-secgw: add UDP encapsulation support
2021-04-01 11:26 [dpdk-dev] [PATCH v2 0/4] add lookaside IPsec UDP encapsulation and transport mode Tejasree Kondoj
2021-04-01 11:26 ` [dpdk-dev] [PATCH v2 1/4] crypto/octeontx2: add UDP encapsulation support Tejasree Kondoj
2021-04-01 11:26 ` [dpdk-dev] [PATCH v2 2/4] mbuf: add packet type for UDP-ESP tunnel packets Tejasree Kondoj
@ 2021-04-01 11:26 ` Tejasree Kondoj
2021-04-05 18:22 ` Akhil Goyal
2021-04-06 13:38 ` Ananyev, Konstantin
2021-04-01 11:26 ` [dpdk-dev] [PATCH v2 4/4] crypto/octeontx2: support lookaside IPv4 transport mode Tejasree Kondoj
3 siblings, 2 replies; 13+ messages in thread
From: Tejasree Kondoj @ 2021-04-01 11:26 UTC (permalink / raw)
To: Akhil Goyal, Radu Nicolau, Konstantin Ananyev
Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Jerin Jacob, dev
Adding lookaside IPsec UDP encapsulation support
for NAT traversal.
Application has to add udp-encap option to sa config file
to enable UDP encapsulation on the SA.
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
doc/guides/rel_notes/release_21_05.rst | 5 ++++
doc/guides/sample_app_ug/ipsec_secgw.rst | 15 ++++++++++--
examples/ipsec-secgw/ipsec-secgw.c | 29 +++++++++++++++++++++---
examples/ipsec-secgw/ipsec-secgw.h | 2 ++
examples/ipsec-secgw/ipsec.c | 9 ++++++++
examples/ipsec-secgw/ipsec.h | 2 ++
examples/ipsec-secgw/sa.c | 18 +++++++++++++++
examples/ipsec-secgw/sad.h | 7 +++++-
8 files changed, 81 insertions(+), 6 deletions(-)
diff --git a/doc/guides/rel_notes/release_21_05.rst b/doc/guides/rel_notes/release_21_05.rst
index 4ab2d7500f..9ef2537b1a 100644
--- a/doc/guides/rel_notes/release_21_05.rst
+++ b/doc/guides/rel_notes/release_21_05.rst
@@ -111,6 +111,11 @@ New Features
* Added command to display Rx queue used descriptor count.
``show port (port_id) rxq (queue_id) desc used count``
+* **Updated ipsec-secgw sample application.**
+
+ * Updated the ``ipsec-secgw`` sample application with UDP encapsulation
+ support for NAT Traversal.
+
Removed Items
-------------
diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst
index 176e292d3f..07bbbb5916 100644
--- a/doc/guides/sample_app_ug/ipsec_secgw.rst
+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
@@ -500,7 +500,7 @@ The SA rule syntax is shown as follows:
sa <dir> <spi> <cipher_algo> <cipher_key> <auth_algo> <auth_key>
<mode> <src_ip> <dst_ip> <action_type> <port_id> <fallback>
- <flow-direction> <port_id> <queue_id>
+ <flow-direction> <port_id> <queue_id> <udp-encap>
where each options means:
@@ -709,6 +709,17 @@ where each options means:
* *port_id*: Port ID of the NIC for which the SA is configured.
* *queue_id*: Queue ID to which traffic should be redirected.
+ ``<udp-encap>``
+
+ * Option to enable IPsec UDP encapsulation for NAT Traversal.
+ Only lookaside-protocol-offload mode is supported at the moment.
+
+ * Optional: Yes, it is disabled by default
+
+ * Syntax:
+
+ * *udp-encap*
+
Example SA rules:
.. code-block:: console
@@ -1023,4 +1034,4 @@ Available options:
* ``-h`` Show usage.
If <ipsec_mode> is specified, only tests for that mode will be invoked. For the
-list of available modes please refer to run_test.sh.
\ No newline at end of file
+list of available modes please refer to run_test.sh.
diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
index 20d69ba813..6f6f2aa796 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -184,7 +184,8 @@ static uint64_t frag_ttl_ns = MAX_FRAG_TTL_NS;
/* application wide librte_ipsec/SA parameters */
struct app_sa_prm app_sa_prm = {
.enable = 0,
- .cache_sz = SA_CACHE_SZ
+ .cache_sz = SA_CACHE_SZ,
+ .udp_encap = 0
};
static const char *cfgfile;
@@ -360,6 +361,9 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)
const struct rte_ether_hdr *eth;
const struct rte_ipv4_hdr *iph4;
const struct rte_ipv6_hdr *iph6;
+ const struct rte_udp_hdr *udp;
+ uint16_t ip4_hdr_len;
+ uint16_t nat_port;
eth = rte_pktmbuf_mtod(pkt, const struct rte_ether_hdr *);
if (eth->ether_type == rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4)) {
@@ -368,9 +372,28 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)
RTE_ETHER_HDR_LEN);
adjust_ipv4_pktlen(pkt, iph4, 0);
- if (iph4->next_proto_id == IPPROTO_ESP)
+ switch (iph4->next_proto_id) {
+ case IPPROTO_ESP:
t->ipsec.pkts[(t->ipsec.num)++] = pkt;
- else {
+ break;
+ case IPPROTO_UDP:
+ if (app_sa_prm.udp_encap == 1) {
+ ip4_hdr_len = ((iph4->version_ihl &
+ RTE_IPV4_HDR_IHL_MASK) *
+ RTE_IPV4_IHL_MULTIPLIER);
+ udp = rte_pktmbuf_mtod_offset(pkt,
+ struct rte_udp_hdr *, ip4_hdr_len);
+ nat_port = rte_cpu_to_be_16(IPSEC_NAT_T_PORT);
+ if (udp->src_port == nat_port ||
+ udp->dst_port == nat_port){
+ t->ipsec.pkts[(t->ipsec.num)++] = pkt;
+ pkt->packet_type |=
+ RTE_PTYPE_TUNNEL_ESP_IN_UDP;
+ break;
+ }
+ }
+ /* Fall through */
+ default:
t->ip4.data[t->ip4.num] = &iph4->next_proto_id;
t->ip4.pkts[(t->ip4.num)++] = pkt;
}
diff --git a/examples/ipsec-secgw/ipsec-secgw.h b/examples/ipsec-secgw/ipsec-secgw.h
index f2281e73cf..6887d752ab 100644
--- a/examples/ipsec-secgw/ipsec-secgw.h
+++ b/examples/ipsec-secgw/ipsec-secgw.h
@@ -47,6 +47,8 @@
#define ETHADDR(a, b, c, d, e, f) (__BYTES_TO_UINT64(a, b, c, d, e, f, 0, 0))
+#define IPSEC_NAT_T_PORT 4500
+
struct traffic_type {
const uint8_t *data[MAX_PKT_BURST * 2];
struct rte_mbuf *pkts[MAX_PKT_BURST * 2];
diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
index 6baeeb342f..79382f0fa2 100644
--- a/examples/ipsec-secgw/ipsec.c
+++ b/examples/ipsec-secgw/ipsec.c
@@ -52,6 +52,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec)
ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT;
ipsec->replay_win_sz = app_sa_prm.window_size;
ipsec->options.esn = app_sa_prm.enable_esn;
+ ipsec->options.udp_encap = sa->udp_encap;
}
int
@@ -528,6 +529,7 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,
struct rte_crypto_sym_op *sym_cop;
struct ipsec_sa *sa;
struct rte_ipsec_session *ips;
+ int is_udp_esp;
for (i = 0; i < nb_pkts; i++) {
if (unlikely(sas[i] == NULL)) {
@@ -556,6 +558,13 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,
continue;
}
+ is_udp_esp = pkts[i]->packet_type &
+ RTE_PTYPE_TUNNEL_ESP_IN_UDP;
+ if (unlikely(is_udp_esp && sa->udp_encap != 1)) {
+ free_pkts(&pkts[i], 1);
+ continue;
+ }
+
sym_cop = get_sym_cop(&priv->cop);
sym_cop->m_src = pkts[i];
diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
index 7031e28c46..ae5058de27 100644
--- a/examples/ipsec-secgw/ipsec.h
+++ b/examples/ipsec-secgw/ipsec.h
@@ -75,6 +75,7 @@ struct app_sa_prm {
uint32_t window_size; /* replay window size */
uint32_t enable_esn; /* enable/disable ESN support */
uint32_t cache_sz; /* per lcore SA cache size */
+ uint32_t udp_encap; /* enable/disable UDP Encapsulation */
uint64_t flags; /* rte_ipsec_sa_prm.flags */
};
@@ -136,6 +137,7 @@ struct ipsec_sa {
struct rte_security_ipsec_xform *sec_xform;
};
enum rte_security_ipsec_sa_direction direction;
+ uint8_t udp_encap;
uint16_t portid;
uint8_t fdir_qid;
uint8_t fdir_flag;
diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index cd1397531a..7bb9ef36c2 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -298,6 +298,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
uint32_t portid_p = 0;
uint32_t fallback_p = 0;
int16_t status_p = 0;
+ uint16_t udp_encap_p = 0;
if (strcmp(tokens[0], "in") == 0) {
ri = &nb_sa_in;
@@ -757,6 +758,23 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
}
continue;
}
+ if (strcmp(tokens[ti], "udp-encap") == 0) {
+ APP_CHECK(ips->type ==
+ RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+ status, "UDP encapsulation is allowed if the "
+ "session is of type lookaside-protocol-offload "
+ "only.");
+ if (status->status < 0)
+ return;
+ APP_CHECK_PRESENCE(udp_encap_p, tokens[ti], status);
+ if (status->status < 0)
+ return;
+
+ rule->udp_encap = 1;
+ app_sa_prm.udp_encap = 1;
+ udp_encap_p = 1;
+ continue;
+ }
/* unrecognizeable input */
APP_CHECK(0, status, "unrecognized input \"%s\"",
diff --git a/examples/ipsec-secgw/sad.h b/examples/ipsec-secgw/sad.h
index 473aaa938e..9616a80948 100644
--- a/examples/ipsec-secgw/sad.h
+++ b/examples/ipsec-secgw/sad.h
@@ -77,6 +77,8 @@ sad_lookup(struct ipsec_sad *sad, struct rte_mbuf *pkts[],
uint32_t spi, cache_idx;
struct ipsec_sad_cache *cache;
struct ipsec_sa *cached_sa;
+ uint16_t udp_hdr_len = 0;
+ int is_udp_esp;
int is_ipv4;
cache = &RTE_PER_LCORE(sad_cache);
@@ -85,8 +87,11 @@ sad_lookup(struct ipsec_sad *sad, struct rte_mbuf *pkts[],
for (i = 0; i < nb_pkts; i++) {
ipv4 = rte_pktmbuf_mtod(pkts[i], struct rte_ipv4_hdr *);
ipv6 = rte_pktmbuf_mtod(pkts[i], struct rte_ipv6_hdr *);
+ is_udp_esp = pkts[i]->packet_type & RTE_PTYPE_TUNNEL_ESP_IN_UDP;
+ if (is_udp_esp)
+ udp_hdr_len = sizeof(struct rte_udp_hdr);
esp = rte_pktmbuf_mtod_offset(pkts[i], struct rte_esp_hdr *,
- pkts[i]->l3_len);
+ pkts[i]->l3_len + udp_hdr_len);
is_ipv4 = pkts[i]->packet_type & RTE_PTYPE_L3_IPV4;
spi = rte_be_to_cpu_32(esp->spi);
--
2.27.0
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [dpdk-dev] [PATCH v2 3/4] examples/ipsec-secgw: add UDP encapsulation support
2021-04-01 11:26 ` [dpdk-dev] [PATCH v2 3/4] examples/ipsec-secgw: add UDP encapsulation support Tejasree Kondoj
@ 2021-04-05 18:22 ` Akhil Goyal
2021-04-05 23:16 ` Ananyev, Konstantin
2021-04-06 13:38 ` Ananyev, Konstantin
1 sibling, 1 reply; 13+ messages in thread
From: Akhil Goyal @ 2021-04-05 18:22 UTC (permalink / raw)
To: Tejasree Kondoj, Radu Nicolau, Konstantin Ananyev
Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi,
Jerin Jacob Kollanukkaran, dev
>
> Adding lookaside IPsec UDP encapsulation support
> for NAT traversal.
> Application has to add udp-encap option to sa config file
> to enable UDP encapsulation on the SA.
>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> ---
Acked-by: Akhil Goyal <gakhil@marvell.com>
Konstantin,
Any more comments on this?
Regards,
Akhil
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [dpdk-dev] [PATCH v2 3/4] examples/ipsec-secgw: add UDP encapsulation support
2021-04-05 18:22 ` Akhil Goyal
@ 2021-04-05 23:16 ` Ananyev, Konstantin
0 siblings, 0 replies; 13+ messages in thread
From: Ananyev, Konstantin @ 2021-04-05 23:16 UTC (permalink / raw)
To: Akhil Goyal, Tejasree Kondoj, Nicolau, Radu
Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi,
Jerin Jacob Kollanukkaran, dev
Hi Akhil,
> >
> > Adding lookaside IPsec UDP encapsulation support
> > for NAT traversal.
> > Application has to add udp-encap option to sa config file
> > to enable UDP encapsulation on the SA.
> >
> > Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> > ---
> Acked-by: Akhil Goyal <gakhil@marvell.com>
>
> Konstantin,
> Any more comments on this?
Didn't look at v2 yet.
Will try to do that during this week.
Konstantin
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [dpdk-dev] [PATCH v2 3/4] examples/ipsec-secgw: add UDP encapsulation support
2021-04-01 11:26 ` [dpdk-dev] [PATCH v2 3/4] examples/ipsec-secgw: add UDP encapsulation support Tejasree Kondoj
2021-04-05 18:22 ` Akhil Goyal
@ 2021-04-06 13:38 ` Ananyev, Konstantin
2021-04-08 8:16 ` Tejasree Kondoj
1 sibling, 1 reply; 13+ messages in thread
From: Ananyev, Konstantin @ 2021-04-06 13:38 UTC (permalink / raw)
To: Tejasree Kondoj, Akhil Goyal, Nicolau, Radu
Cc: Anoob Joseph, Ankur Dwivedi, Jerin Jacob, dev
>
> Adding lookaside IPsec UDP encapsulation support
> for NAT traversal.
> Application has to add udp-encap option to sa config file
> to enable UDP encapsulation on the SA.
>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> ---
> doc/guides/rel_notes/release_21_05.rst | 5 ++++
> doc/guides/sample_app_ug/ipsec_secgw.rst | 15 ++++++++++--
> examples/ipsec-secgw/ipsec-secgw.c | 29 +++++++++++++++++++++---
> examples/ipsec-secgw/ipsec-secgw.h | 2 ++
> examples/ipsec-secgw/ipsec.c | 9 ++++++++
> examples/ipsec-secgw/ipsec.h | 2 ++
> examples/ipsec-secgw/sa.c | 18 +++++++++++++++
> examples/ipsec-secgw/sad.h | 7 +++++-
> 8 files changed, 81 insertions(+), 6 deletions(-)
>
> diff --git a/doc/guides/rel_notes/release_21_05.rst b/doc/guides/rel_notes/release_21_05.rst
> index 4ab2d7500f..9ef2537b1a 100644
> --- a/doc/guides/rel_notes/release_21_05.rst
> +++ b/doc/guides/rel_notes/release_21_05.rst
> @@ -111,6 +111,11 @@ New Features
> * Added command to display Rx queue used descriptor count.
> ``show port (port_id) rxq (queue_id) desc used count``
>
> +* **Updated ipsec-secgw sample application.**
> +
> + * Updated the ``ipsec-secgw`` sample application with UDP encapsulation
> + support for NAT Traversal.
> +
>
> Removed Items
> -------------
> diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst
> index 176e292d3f..07bbbb5916 100644
> --- a/doc/guides/sample_app_ug/ipsec_secgw.rst
> +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
> @@ -500,7 +500,7 @@ The SA rule syntax is shown as follows:
>
> sa <dir> <spi> <cipher_algo> <cipher_key> <auth_algo> <auth_key>
> <mode> <src_ip> <dst_ip> <action_type> <port_id> <fallback>
> - <flow-direction> <port_id> <queue_id>
> + <flow-direction> <port_id> <queue_id> <udp-encap>
>
> where each options means:
>
> @@ -709,6 +709,17 @@ where each options means:
> * *port_id*: Port ID of the NIC for which the SA is configured.
> * *queue_id*: Queue ID to which traffic should be redirected.
>
> + ``<udp-encap>``
> +
> + * Option to enable IPsec UDP encapsulation for NAT Traversal.
> + Only lookaside-protocol-offload mode is supported at the moment.
> +
> + * Optional: Yes, it is disabled by default
> +
> + * Syntax:
> +
> + * *udp-encap*
> +
> Example SA rules:
>
> .. code-block:: console
> @@ -1023,4 +1034,4 @@ Available options:
> * ``-h`` Show usage.
>
> If <ipsec_mode> is specified, only tests for that mode will be invoked. For the
> -list of available modes please refer to run_test.sh.
> \ No newline at end of file
> +list of available modes please refer to run_test.sh.
> diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
> index 20d69ba813..6f6f2aa796 100644
> --- a/examples/ipsec-secgw/ipsec-secgw.c
> +++ b/examples/ipsec-secgw/ipsec-secgw.c
> @@ -184,7 +184,8 @@ static uint64_t frag_ttl_ns = MAX_FRAG_TTL_NS;
> /* application wide librte_ipsec/SA parameters */
> struct app_sa_prm app_sa_prm = {
> .enable = 0,
> - .cache_sz = SA_CACHE_SZ
> + .cache_sz = SA_CACHE_SZ,
> + .udp_encap = 0
> };
> static const char *cfgfile;
>
> @@ -360,6 +361,9 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)
> const struct rte_ether_hdr *eth;
> const struct rte_ipv4_hdr *iph4;
> const struct rte_ipv6_hdr *iph6;
> + const struct rte_udp_hdr *udp;
> + uint16_t ip4_hdr_len;
> + uint16_t nat_port;
>
> eth = rte_pktmbuf_mtod(pkt, const struct rte_ether_hdr *);
> if (eth->ether_type == rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4)) {
> @@ -368,9 +372,28 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)
> RTE_ETHER_HDR_LEN);
> adjust_ipv4_pktlen(pkt, iph4, 0);
>
> - if (iph4->next_proto_id == IPPROTO_ESP)
> + switch (iph4->next_proto_id) {
> + case IPPROTO_ESP:
> t->ipsec.pkts[(t->ipsec.num)++] = pkt;
> - else {
> + break;
> + case IPPROTO_UDP:
> + if (app_sa_prm.udp_encap == 1) {
> + ip4_hdr_len = ((iph4->version_ihl &
> + RTE_IPV4_HDR_IHL_MASK) *
> + RTE_IPV4_IHL_MULTIPLIER);
> + udp = rte_pktmbuf_mtod_offset(pkt,
> + struct rte_udp_hdr *, ip4_hdr_len);
> + nat_port = rte_cpu_to_be_16(IPSEC_NAT_T_PORT);
> + if (udp->src_port == nat_port ||
> + udp->dst_port == nat_port){
> + t->ipsec.pkts[(t->ipsec.num)++] = pkt;
> + pkt->packet_type |=
> + RTE_PTYPE_TUNNEL_ESP_IN_UDP;
> + break;
> + }
> + }
> + /* Fall through */
> + default:
> t->ip4.data[t->ip4.num] = &iph4->next_proto_id;
> t->ip4.pkts[(t->ip4.num)++] = pkt;
> }
As I understand you don't support UDP tunneling for ipv6 packets for now.
If so, then it probably worth to notice that in the doc, and in parse_sa_tokens()
add a check for ipv4.
Apart from that all seems ok to me.
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [dpdk-dev] [PATCH v2 3/4] examples/ipsec-secgw: add UDP encapsulation support
2021-04-06 13:38 ` Ananyev, Konstantin
@ 2021-04-08 8:16 ` Tejasree Kondoj
0 siblings, 0 replies; 13+ messages in thread
From: Tejasree Kondoj @ 2021-04-08 8:16 UTC (permalink / raw)
To: Ananyev, Konstantin, Akhil Goyal, Nicolau, Radu
Cc: Anoob Joseph, Ankur Dwivedi, Jerin Jacob Kollanukkaran, dev
Hi Konstantin,
Please see inline.
Thanks
Tejasree
> -----Original Message-----
> From: Ananyev, Konstantin <konstantin.ananyev@intel.com>
> Sent: Tuesday, April 6, 2021 7:08 PM
> To: Tejasree Kondoj <ktejasree@marvell.com>; Akhil Goyal
> <gakhil@marvell.com>; Nicolau, Radu <radu.nicolau@intel.com>
> Cc: Anoob Joseph <anoobj@marvell.com>; Ankur Dwivedi
> <adwivedi@marvell.com>; Jerin Jacob Kollanukkaran <jerinj@marvell.com>;
> dev@dpdk.org
> Subject: [EXT] RE: [PATCH v2 3/4] examples/ipsec-secgw: add UDP
> encapsulation support
>
> External Email
>
> ----------------------------------------------------------------------
>
> >
> > Adding lookaside IPsec UDP encapsulation support for NAT traversal.
> > Application has to add udp-encap option to sa config file to enable
> > UDP encapsulation on the SA.
> >
> > Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> > ---
> > doc/guides/rel_notes/release_21_05.rst | 5 ++++
> > doc/guides/sample_app_ug/ipsec_secgw.rst | 15 ++++++++++--
> > examples/ipsec-secgw/ipsec-secgw.c | 29 +++++++++++++++++++++---
> > examples/ipsec-secgw/ipsec-secgw.h | 2 ++
> > examples/ipsec-secgw/ipsec.c | 9 ++++++++
> > examples/ipsec-secgw/ipsec.h | 2 ++
> > examples/ipsec-secgw/sa.c | 18 +++++++++++++++
> > examples/ipsec-secgw/sad.h | 7 +++++-
> > 8 files changed, 81 insertions(+), 6 deletions(-)
> >
> > diff --git a/doc/guides/rel_notes/release_21_05.rst
> > b/doc/guides/rel_notes/release_21_05.rst
> > index 4ab2d7500f..9ef2537b1a 100644
> > --- a/doc/guides/rel_notes/release_21_05.rst
> > +++ b/doc/guides/rel_notes/release_21_05.rst
> > @@ -111,6 +111,11 @@ New Features
> > * Added command to display Rx queue used descriptor count.
> > ``show port (port_id) rxq (queue_id) desc used count``
> >
> > +* **Updated ipsec-secgw sample application.**
> > +
> > + * Updated the ``ipsec-secgw`` sample application with UDP encapsulation
> > + support for NAT Traversal.
> > +
> >
> > Removed Items
> > -------------
> > diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst
> > b/doc/guides/sample_app_ug/ipsec_secgw.rst
> > index 176e292d3f..07bbbb5916 100644
> > --- a/doc/guides/sample_app_ug/ipsec_secgw.rst
> > +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
> > @@ -500,7 +500,7 @@ The SA rule syntax is shown as follows:
> >
> > sa <dir> <spi> <cipher_algo> <cipher_key> <auth_algo> <auth_key>
> > <mode> <src_ip> <dst_ip> <action_type> <port_id> <fallback>
> > - <flow-direction> <port_id> <queue_id>
> > + <flow-direction> <port_id> <queue_id> <udp-encap>
> >
> > where each options means:
> >
> > @@ -709,6 +709,17 @@ where each options means:
> > * *port_id*: Port ID of the NIC for which the SA is configured.
> > * *queue_id*: Queue ID to which traffic should be redirected.
> >
> > + ``<udp-encap>``
> > +
> > + * Option to enable IPsec UDP encapsulation for NAT Traversal.
> > + Only lookaside-protocol-offload mode is supported at the moment.
> > +
> > + * Optional: Yes, it is disabled by default
> > +
> > + * Syntax:
> > +
> > + * *udp-encap*
> > +
> > Example SA rules:
> >
> > .. code-block:: console
> > @@ -1023,4 +1034,4 @@ Available options:
> > * ``-h`` Show usage.
> >
> > If <ipsec_mode> is specified, only tests for that mode will be
> > invoked. For the -list of available modes please refer to run_test.sh.
> > \ No newline at end of file
> > +list of available modes please refer to run_test.sh.
> > diff --git a/examples/ipsec-secgw/ipsec-secgw.c
> > b/examples/ipsec-secgw/ipsec-secgw.c
> > index 20d69ba813..6f6f2aa796 100644
> > --- a/examples/ipsec-secgw/ipsec-secgw.c
> > +++ b/examples/ipsec-secgw/ipsec-secgw.c
> > @@ -184,7 +184,8 @@ static uint64_t frag_ttl_ns = MAX_FRAG_TTL_NS;
> > /* application wide librte_ipsec/SA parameters */ struct app_sa_prm
> > app_sa_prm = {
> > .enable = 0,
> > - .cache_sz = SA_CACHE_SZ
> > + .cache_sz = SA_CACHE_SZ,
> > + .udp_encap = 0
> > };
> > static const char *cfgfile;
> >
> > @@ -360,6 +361,9 @@ prepare_one_packet(struct rte_mbuf *pkt, struct
> ipsec_traffic *t)
> > const struct rte_ether_hdr *eth;
> > const struct rte_ipv4_hdr *iph4;
> > const struct rte_ipv6_hdr *iph6;
> > + const struct rte_udp_hdr *udp;
> > + uint16_t ip4_hdr_len;
> > + uint16_t nat_port;
> >
> > eth = rte_pktmbuf_mtod(pkt, const struct rte_ether_hdr *);
> > if (eth->ether_type == rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4)) {
> @@
> > -368,9 +372,28 @@ prepare_one_packet(struct rte_mbuf *pkt, struct
> ipsec_traffic *t)
> > RTE_ETHER_HDR_LEN);
> > adjust_ipv4_pktlen(pkt, iph4, 0);
> >
> > - if (iph4->next_proto_id == IPPROTO_ESP)
> > + switch (iph4->next_proto_id) {
> > + case IPPROTO_ESP:
> > t->ipsec.pkts[(t->ipsec.num)++] = pkt;
> > - else {
> > + break;
> > + case IPPROTO_UDP:
> > + if (app_sa_prm.udp_encap == 1) {
> > + ip4_hdr_len = ((iph4->version_ihl &
> > + RTE_IPV4_HDR_IHL_MASK) *
> > + RTE_IPV4_IHL_MULTIPLIER);
> > + udp = rte_pktmbuf_mtod_offset(pkt,
> > + struct rte_udp_hdr *, ip4_hdr_len);
> > + nat_port =
> rte_cpu_to_be_16(IPSEC_NAT_T_PORT);
> > + if (udp->src_port == nat_port ||
> > + udp->dst_port == nat_port){
> > + t->ipsec.pkts[(t->ipsec.num)++] = pkt;
> > + pkt->packet_type |=
> > +
> RTE_PTYPE_TUNNEL_ESP_IN_UDP;
> > + break;
> > + }
> > + }
> > + /* Fall through */
> > + default:
> > t->ip4.data[t->ip4.num] = &iph4->next_proto_id;
> > t->ip4.pkts[(t->ip4.num)++] = pkt;
> > }
>
> As I understand you don't support UDP tunneling for ipv6 packets for now.
> If so, then it probably worth to notice that in the doc, and in
> parse_sa_tokens() add a check for ipv4.
> Apart from that all seems ok to me.
> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
[Tejasree] Added support for IPv6 packets in v3. Could you please review?
^ permalink raw reply [flat|nested] 13+ messages in thread
* [dpdk-dev] [PATCH v2 4/4] crypto/octeontx2: support lookaside IPv4 transport mode
2021-04-01 11:26 [dpdk-dev] [PATCH v2 0/4] add lookaside IPsec UDP encapsulation and transport mode Tejasree Kondoj
` (2 preceding siblings ...)
2021-04-01 11:26 ` [dpdk-dev] [PATCH v2 3/4] examples/ipsec-secgw: add UDP encapsulation support Tejasree Kondoj
@ 2021-04-01 11:26 ` Tejasree Kondoj
2021-04-05 18:15 ` Akhil Goyal
3 siblings, 1 reply; 13+ messages in thread
From: Tejasree Kondoj @ 2021-04-01 11:26 UTC (permalink / raw)
To: Akhil Goyal, Radu Nicolau
Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Jerin Jacob, dev
Adding support for IPv4 lookaside IPsec transport mode.
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
doc/guides/cryptodevs/octeontx2.rst | 1 +
doc/guides/rel_notes/release_21_05.rst | 2 +
drivers/crypto/octeontx2/otx2_cryptodev_ops.c | 7 +-
drivers/crypto/octeontx2/otx2_cryptodev_sec.c | 110 ++++++++++--------
drivers/crypto/octeontx2/otx2_cryptodev_sec.h | 4 +-
drivers/crypto/octeontx2/otx2_ipsec_po.h | 6 +
drivers/crypto/octeontx2/otx2_ipsec_po_ops.h | 8 +-
7 files changed, 78 insertions(+), 60 deletions(-)
diff --git a/doc/guides/cryptodevs/octeontx2.rst b/doc/guides/cryptodevs/octeontx2.rst
index b30f98180a..811e61a1f6 100644
--- a/doc/guides/cryptodevs/octeontx2.rst
+++ b/doc/guides/cryptodevs/octeontx2.rst
@@ -179,6 +179,7 @@ Features supported
* IPv6
* ESP
* Tunnel mode
+* Transport mode(IPv4)
* ESN
* Anti-replay
* UDP Encapsulation
diff --git a/doc/guides/rel_notes/release_21_05.rst b/doc/guides/rel_notes/release_21_05.rst
index 9ef2537b1a..be8c36b92e 100644
--- a/doc/guides/rel_notes/release_21_05.rst
+++ b/doc/guides/rel_notes/release_21_05.rst
@@ -103,6 +103,8 @@ New Features
* Updated the OCTEON TX2 crypto PMD lookaside protocol offload for IPsec with
UDP encapsulation support for NAT Traversal.
+ * Updated the OCTEON TX2 crypto PMD lookaside protocol offload for IPsec with
+ IPv4 transport mode support.
* **Updated testpmd.**
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
index cec20b5c6d..c20170bcaa 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
@@ -928,7 +928,7 @@ otx2_cpt_sec_post_process(struct rte_crypto_op *cop, uintptr_t *rsp)
struct rte_mbuf *m = sym_op->m_src;
struct rte_ipv6_hdr *ip6;
struct rte_ipv4_hdr *ip;
- uint16_t m_len;
+ uint16_t m_len = 0;
int mdata_len;
char *data;
@@ -938,11 +938,12 @@ otx2_cpt_sec_post_process(struct rte_crypto_op *cop, uintptr_t *rsp)
if (word0->s.opcode.major == OTX2_IPSEC_PO_PROCESS_IPSEC_INB) {
data = rte_pktmbuf_mtod(m, char *);
- if (rsp[4] == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
+ if (rsp[4] == OTX2_IPSEC_PO_TRANSPORT ||
+ rsp[4] == OTX2_IPSEC_PO_TUNNEL_IPV4) {
ip = (struct rte_ipv4_hdr *)(data +
OTX2_IPSEC_PO_INB_RPTR_HDR);
m_len = rte_be_to_cpu_16(ip->total_length);
- } else {
+ } else if (rsp[4] == OTX2_IPSEC_PO_TUNNEL_IPV6) {
ip6 = (struct rte_ipv6_hdr *)(data +
OTX2_IPSEC_PO_INB_RPTR_HDR);
m_len = rte_be_to_cpu_16(ip6->payload_len) +
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
index 8942ff1fac..6493ce8370 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
@@ -25,12 +25,15 @@ ipsec_lp_len_precalc(struct rte_security_ipsec_xform *ipsec,
{
struct rte_crypto_sym_xform *cipher_xform, *auth_xform;
- if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)
- lp->partial_len = sizeof(struct rte_ipv4_hdr);
- else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6)
- lp->partial_len = sizeof(struct rte_ipv6_hdr);
- else
- return -EINVAL;
+ lp->partial_len = 0;
+ if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
+ if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)
+ lp->partial_len = sizeof(struct rte_ipv4_hdr);
+ else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6)
+ lp->partial_len = sizeof(struct rte_ipv6_hdr);
+ else
+ return -EINVAL;
+ }
if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP) {
lp->partial_len += sizeof(struct rte_esp_hdr);
@@ -203,7 +206,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
struct rte_security_session *sec_sess)
{
struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
- struct otx2_ipsec_po_ip_template *template;
+ struct otx2_ipsec_po_ip_template *template = NULL;
const uint8_t *cipher_key, *auth_key;
struct otx2_sec_session_ipsec_lp *lp;
struct otx2_ipsec_po_sa_ctl *ctl;
@@ -229,10 +232,10 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
memset(sa, 0, sizeof(struct otx2_ipsec_po_out_sa));
/* Initialize lookaside ipsec private data */
+ lp->mode_type = OTX2_IPSEC_PO_TRANSPORT;
lp->ip_id = 0;
lp->seq_lo = 1;
lp->seq_hi = 0;
- lp->tunnel_type = ipsec->tunnel.type;
ret = ipsec_po_sa_ctl_set(ipsec, crypto_xform, ctl);
if (ret)
@@ -242,46 +245,47 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
if (ret)
return ret;
- if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
- /* Start ip id from 1 */
- lp->ip_id = 1;
+ /* Start ip id from 1 */
+ lp->ip_id = 1;
+
+ if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) {
+ template = &sa->aes_gcm.template;
+ ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
+ aes_gcm.template) + sizeof(
+ sa->aes_gcm.template.ip4);
+ ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
+ lp->ctx_len = ctx_len >> 3;
+ } else if (ctl->auth_type ==
+ OTX2_IPSEC_PO_SA_AUTH_SHA1) {
+ template = &sa->sha1.template;
+ ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
+ sha1.template) + sizeof(
+ sa->sha1.template.ip4);
+ ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
+ lp->ctx_len = ctx_len >> 3;
+ } else if (ctl->auth_type ==
+ OTX2_IPSEC_PO_SA_AUTH_SHA2_256) {
+ template = &sa->sha2.template;
+ ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
+ sha2.template) + sizeof(
+ sa->sha2.template.ip4);
+ ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
+ lp->ctx_len = ctx_len >> 3;
+ } else {
+ return -EINVAL;
+ }
+ ip = &template->ip4.ipv4_hdr;
+ if (ipsec->options.udp_encap) {
+ ip->next_proto_id = IPPROTO_UDP;
+ template->ip4.udp_src = rte_be_to_cpu_16(4500);
+ template->ip4.udp_dst = rte_be_to_cpu_16(4500);
+ } else {
+ ip->next_proto_id = IPPROTO_ESP;
+ }
+ if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
-
- if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) {
- template = &sa->aes_gcm.template;
- ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
- aes_gcm.template) + sizeof(
- sa->aes_gcm.template.ip4);
- ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
- lp->ctx_len = ctx_len >> 3;
- } else if (ctl->auth_type ==
- OTX2_IPSEC_PO_SA_AUTH_SHA1) {
- template = &sa->sha1.template;
- ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
- sha1.template) + sizeof(
- sa->sha1.template.ip4);
- ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
- lp->ctx_len = ctx_len >> 3;
- } else if (ctl->auth_type ==
- OTX2_IPSEC_PO_SA_AUTH_SHA2_256) {
- template = &sa->sha2.template;
- ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
- sha2.template) + sizeof(
- sa->sha2.template.ip4);
- ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
- lp->ctx_len = ctx_len >> 3;
- } else {
- return -EINVAL;
- }
- ip = &template->ip4.ipv4_hdr;
- if (ipsec->options.udp_encap) {
- ip->next_proto_id = IPPROTO_UDP;
- template->ip4.udp_src = rte_be_to_cpu_16(4500);
- template->ip4.udp_dst = rte_be_to_cpu_16(4500);
- } else {
- ip->next_proto_id = IPPROTO_ESP;
- }
+ lp->mode_type = OTX2_IPSEC_PO_TUNNEL_IPV4;
ip->version_ihl = RTE_IPV4_VHL_DEF;
ip->time_to_live = ipsec->tunnel.ipv4.ttl;
ip->type_of_service |= (ipsec->tunnel.ipv4.dscp << 2);
@@ -294,6 +298,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
} else if (ipsec->tunnel.type ==
RTE_SECURITY_IPSEC_TUNNEL_IPV6) {
+ lp->mode_type = OTX2_IPSEC_PO_TUNNEL_IPV6;
if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) {
ip6 = &sa->aes_gcm.template.ip6.ipv6_hdr;
ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
@@ -336,11 +341,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
sizeof(struct in6_addr));
memcpy(&ip6->dst_addr, &ipsec->tunnel.ipv6.dst_addr,
sizeof(struct in6_addr));
- } else {
- return -EINVAL;
}
- } else {
- return -EINVAL;
}
cipher_xform = crypto_xform;
@@ -421,13 +422,20 @@ crypto_sec_ipsec_inb_session_create(struct rte_cryptodev *crypto_dev,
if (ret)
return ret;
- lp->tunnel_type = ipsec->tunnel.type;
+ lp->mode_type = OTX2_IPSEC_PO_TRANSPORT;
+
auth_xform = crypto_xform;
cipher_xform = crypto_xform->next;
cipher_key_len = 0;
auth_key_len = 0;
+ if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
+ lp->mode_type = (ipsec->tunnel.type ==
+ RTE_SECURITY_IPSEC_TUNNEL_IPV4) ?
+ OTX2_IPSEC_PO_TUNNEL_IPV4 :
+ OTX2_IPSEC_PO_TUNNEL_IPV6;
+
if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM)
memcpy(sa->iv.gcm.nonce, &ipsec->salt, 4);
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_sec.h b/drivers/crypto/octeontx2/otx2_cryptodev_sec.h
index 2849c1ab75..87f55c97fe 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_sec.h
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_sec.h
@@ -55,8 +55,8 @@ struct otx2_sec_session_ipsec_lp {
uint8_t iv_length;
/** Auth IV length in bytes */
uint8_t auth_iv_length;
- /** IPsec tunnel type */
- enum rte_security_ipsec_tunnel_type tunnel_type;
+ /** IPsec mode and tunnel type */
+ enum otx2_ipsec_po_mode_type mode_type;
};
int otx2_crypto_sec_ctx_create(struct rte_cryptodev *crypto_dev);
diff --git a/drivers/crypto/octeontx2/otx2_ipsec_po.h b/drivers/crypto/octeontx2/otx2_ipsec_po.h
index eda9f19738..b3e7456551 100644
--- a/drivers/crypto/octeontx2/otx2_ipsec_po.h
+++ b/drivers/crypto/octeontx2/otx2_ipsec_po.h
@@ -20,6 +20,12 @@
#define OTX2_IPSEC_PO_INB_RPTR_HDR 0x8
+enum otx2_ipsec_po_mode_type {
+ OTX2_IPSEC_PO_TRANSPORT = 1,
+ OTX2_IPSEC_PO_TUNNEL_IPV4,
+ OTX2_IPSEC_PO_TUNNEL_IPV6,
+};
+
enum otx2_ipsec_po_comp_e {
OTX2_IPSEC_PO_CC_SUCCESS = 0x00,
OTX2_IPSEC_PO_CC_AUTH_UNSUPPORTED = 0xB0,
diff --git a/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h b/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h
index f4cab19811..58b199f4f3 100644
--- a/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h
+++ b/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h
@@ -26,7 +26,7 @@ otx2_ipsec_po_out_rlen_get(struct otx2_sec_session_ipsec_lp *sess,
static __rte_always_inline struct cpt_request_info *
alloc_request_struct(char *maddr, void *cop, int mdata_len,
- enum rte_security_ipsec_tunnel_type tunnel_type)
+ enum otx2_ipsec_po_mode_type mode_type)
{
struct cpt_request_info *req;
struct cpt_meta_info *meta;
@@ -48,7 +48,7 @@ alloc_request_struct(char *maddr, void *cop, int mdata_len,
op[1] = (uintptr_t)cop;
op[2] = (uintptr_t)req;
op[3] = mdata_len;
- op[4] = tunnel_type;
+ op[4] = mode_type;
return req;
}
@@ -89,7 +89,7 @@ process_outb_sa(struct rte_crypto_op *cop,
mdata += extend_tail; /* mdata follows encrypted data */
req = alloc_request_struct(mdata, (void *)cop, mdata_len,
- sess->tunnel_type);
+ sess->mode_type);
data = rte_pktmbuf_prepend(m_src, extend_head);
if (unlikely(data == NULL)) {
@@ -162,7 +162,7 @@ process_inb_sa(struct rte_crypto_op *cop,
}
req = alloc_request_struct(mdata, (void *)cop, mdata_len,
- sess->tunnel_type);
+ sess->mode_type);
/* Prepare CPT instruction */
word0.u64 = sess->ucmd_w0;
--
2.27.0
^ permalink raw reply [flat|nested] 13+ messages in thread