From: "Varghese, Vipin"
To: "Ananyev, Konstantin", "dev@dpdk.org", "dev@dpdk.org"
CC: "akhil.goyal@nxp.com", "Ananyev, Konstantin", "Iremonger, Bernard"
Date: Fri, 4 Jan 2019 02:42:23 +0000
Subject: Re: [dpdk-dev] [PATCH v6 10/10] doc: update ipsec-secgw guide and relelase notes

Hi Konstantin,

Sharing information with respect to documentation and code update with respect to rel 19.02-rc1 onwards 'it is now required to combine both code and documentation into a single patch'.

Thanks
Vipin Varghese

> -----Original Message-----
> From: dev On Behalf Of Konstantin Ananyev > Sent: Friday, January 4, 2019 1:56 AM > To: dev@dpdk.org; dev@dpdk.org > Cc: akhil.goyal@nxp.com; Ananyev, Konstantin > ; Iremonger, Bernard > > Subject: [dpdk-dev] [PATCH v6 10/10] doc: update ipsec-secgw guide and > relelase notes >=20 > Update ipsec-secgw guide and relelase notes to reflect latest changes. >=20 > Signed-off-by: Bernard Iremonger > Signed-off-by: Konstantin Ananyev > --- > doc/guides/rel_notes/release_19_02.rst | 14 +++ > doc/guides/sample_app_ug/ipsec_secgw.rst | 105 ++++++++++++++++++++++- > 2 files changed, 117 insertions(+), 2 deletions(-) >=20 > diff --git a/doc/guides/rel_notes/release_19_02.rst > b/doc/guides/rel_notes/release_19_02.rst > index 1a9885c44..28dbe3ad0 100644 > --- a/doc/guides/rel_notes/release_19_02.rst > +++ b/doc/guides/rel_notes/release_19_02.rst > @@ -116,6 +116,20 @@ New Features >=20 > See :doc:`../prog_guide/ipsec_lib` for more information. >=20 > +* **Updated the ipsec-secgw sample application.** > + > + The ``ipsec-secgw`` sample application has been updated to use the > + new ``librte_ipsec`` library also added in this release. > + The original functionality of ipsec-secgw is retained, a new command > + line parameter ``-l`` has been added to ipsec-secgw to use the IPsec > + library, instead of the existing IPsec code in the application. > + > + The IPsec library does not support all the functionality of the > + existing ipsec-secgw application, its is planned to add the > + outstanding functionality in future releases. > + > + See :doc:`../sample_app_ug/ipsec_secgw` for more information. > + >=20 > Removed Items > ------------- > diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst > b/doc/guides/sample_app_ug/ipsec_secgw.rst > index 61638e733..3d784e705 100644 > --- a/doc/guides/sample_app_ug/ipsec_secgw.rst > +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst 
> @@ -76,7 +76,7 @@ Compiling the Application >=20 > To compile the sample application see :doc:`compiling`. >=20 > -The application is located in the ``rpsec-secgw`` sub-directory. > +The application is located in the ``ipsec-secgw`` sub-directory. >=20 > #. [Optional] Build the application for debugging: > This option adds some extra flags, disables compiler optimizations an= d @@ - > 93,6 +93,7 @@ The application has a number of command line options:: >=20 > ./build/ipsec-secgw [EAL options] -- > -p PORTMASK -P -u PORTMASK -j FRAMESIZE > + -l -w REPLAY_WINOW_SIZE -e -a > --config (port,queue,lcore)[,(port,queue,lcore] > --single-sa SAIDX > --rxoffload MASK @@ -114,6 +115,18 @@ Where: > specified as FRAMESIZE. If an invalid value is provided as FRAMESIZE > then the default value 9000 is used. >=20 > +* ``-l``: enables code-path that uses librte_ipsec. > + > +* ``-w REPLAY_WINOW_SIZE``: specifies the IPsec sequence number replay > window > + size for each Security Association (available only with librte_ipsec > + code path). > + > +* ``-e``: enables Security Association extended sequence number proces= sing > + (available only with librte_ipsec code path). > + > +* ``-a``: enables Security Association sequence number atomic behaviou= r > + (available only with librte_ipsec code path). > + > * ``--config (port,queue,lcore)[,(port,queue,lcore)]``: determines whi= ch > queues > from which ports are mapped to which cores. >=20 
> @@ -225,7 +238,7 @@ accordingly. >=20 >=20 > Configuration File Syntax > -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > +~~~~~~~~~~~~~~~~~~~~~~~~~ >=20 > As mention in the overview, the Security Policies are ACL rules. > The application parsers the rules specified in the configuration file an= d @@ - > 571,6 +584,11 @@ Example SA rules: > mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \ > type lookaside-protocol-offload port_id 4 >=20 > + sa in 35 aead_algo aes-128-gcm \ > + aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef= \ > + mode ipv4-tunnel src 172.16.2.5 dst 172.16.1.5 \ > + type inline-crypto-offload port_id 0 > + > Routing rule syntax > ^^^^^^^^^^^^^^^^^^^ >=20 
> @@ -667,3 +685,86 @@ Example Neighbour rules: > .. code-block:: console >=20 > neigh port 0 DE:AD:BE:EF:01:02 > + > +Test directory > +-------------- > + > +The test directory contains scripts for testing the various encryption > +algorithms. > + > +The purpose of the scripts is to automate ipsec-secgw testing using > +another system running linux as a DUT. > + > +The user must setup the following environment variables: > + > +* ``SGW_PATH``: path to the ipsec-secgw binary to test. > + > +* ``REMOTE_HOST``: IP address/hostname of the DUT. > + > +* ``REMOTE_IFACE``: interface name for the test-port on the DUT. > + > +* ``ETH_DEV``: ethernet device to be used on the SUT by DPDK ('-w ') > + > +Also the user can optionally setup: > + > +* ``SGW_LCORE``: lcore to run ipsec-secgw on (default value is 0) > + > +* ``CRYPTO_DEV``: crypto device to be used ('-w '). If none sp= ecified > + appropriate vdevs will be created by the script > + > +Note that most of the tests require the appropriate crypto PMD/device > +to be available. > + > +Server configuration > +~~~~~~~~~~~~~~~~~~~~ > + > +Two servers are required for the tests, SUT and DUT. > + > +Make sure the user from the SUT can ssh to the DUT without entering the > password. > +To enable this feature keys must be setup on the DUT. > + > +``ssh-keygen`` will make a private & public key pair on the SUT. > + > +``ssh-copy-id`` @ on the SUT will copy the > +public key to the DUT. It will ask for credentials so that it can upload= the > public key. > + > +The SUT and DUT are connected through at least 2 NIC ports. > + > +One NIC port is expected to be managed by linux on both machines and > +will be used as a control path. > + > +The second NIC port (test-port) should be bound to DPDK on the SUT, and > +should be managed by linux on the DUT. > + > +The script starts ``ipsec-secgw`` with 2 NIC devices: ``test-port`` and > +``tap vdev``. 
> + > +It then configures the local tap interface and the remote interface and > +IPsec policies in the following way: > + > +Traffic going over the test-port in both directions has to be protected = by > IPsec. > + > +Traffic going over the TAP port in both directions does not have to be > protected. > + > +i.e: > + > +DUT OS(NIC1)--(IPsec)-->(NIC1)ipsec-secgw(TAP)--(plain)-->(TAP)SUT OS > + > +SUT OS(TAP)--(plain)-->(TAP)psec-secgw(NIC1)--(IPsec)-->(NIC1)DUT OS > + > +It then tries to perform some data transfer using the scheme decribed ab= ove. > + > +usage > +~~~~~ > + > +In the ipsec-secgw/test directory > + > +to run one test for IPv4 or IPv6 > + > +/bin/bash linux_test(4|6).sh > + > +to run all tests for IPv4 or IPv6 > + > +/bin/bash run_test.sh -4|-6 > + > +For the list of available modes please refer to run_test.sh. > -- > 2.17.1
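
Review bot: In the release_19_02.rst hunk (@@ -116,6 +116,20 @@), "its is planned to add the outstanding functionality" should read "it is planned to add the outstanding functionality", and the sentence before it joins two statements with a comma ("... is retained, a new command line parameter ``-l`` has been added ..."); split it in two. The entry also says the library "does not support all the functionality" of the existing application without naming what is missing. A reader deciding whether to pass ``-l`` needs that list, or a pointer to where it is kept.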
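
Review bot: In the ipsec_secgw.rst synopsis hunk (@@ -93,6 +93,7 @@), the placeholder in "-l -w REPLAY_WINOW_SIZE -e -a" is misspelled and should be REPLAY_WINDOW_SIZE. The same spelling is repeated in the option description added by the following hunk, so both need the fix. The synopsis also shows -w, -e and -a as independent of -l, while the descriptions say they are available only with the librte_ipsec code path; consider grouping them so the dependency is visible in the usage line.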
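
Review bot: In the option list hunk (@@ -114,6 +115,18 @@), the ``-w`` entry gives neither the default replay window size nor its unit or valid range, and does not say what applies when ``-l`` is given without ``-w``. Anti-replay is a security property of the SA, so the guide should state whether it is active by default and which value, if any, turns it off. The ``-a`` entry needs a sentence on when atomic sequence number behaviour is required, and the text should say what the application does if -w, -e or -a is passed without -l.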
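
Review bot: In the example SA rules hunk (@@ -571,6 +584,11 @@), the new ``sa in 35`` rule carries a 20-byte ``aead_key`` for ``aes-128-gcm`` with no explanation of why the value is longer than 128 bits; add a line saying how the 20 bytes are split so readers do not truncate or pad it when substituting their own. The repeating de:ad:be:ef pattern is fine for a sample, but the guide should say that it is a placeholder and must be replaced with generated key material. A sentence on what this ``inline-crypto-offload`` rule demonstrates compared with the ``lookaside-protocol-offload`` rule just above it would also help.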
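
Review bot: In the new "Test directory" section (@@ -667,3 +685,86 @@), the passwordless SSH setup does not say which account on the DUT is used or what privileges the script needs there, although the script is said to configure the remote interface and IPsec policies; name the account and privileges, and recommend a key pair dedicated to the test rig. "To enable this feature keys must be setup on the DUT" also conflicts with the next two sentences, which generate the key pair on the SUT and copy only the public key to the DUT. Smaller points: SUT and DUT are never expanded, the second flow line has "psec-secgw" for "ipsec-secgw", "decribed" should be "described", and the usage commands should sit in a ``.. code-block:: console`` block like the neighbour rule example at the top of the hunk.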