From: "Xu, Yanjie"
To: "Ananyev, Konstantin", "dev@dpdk.org", "dev@dpdk.org"
CC: "akhil.goyal@nxp.com"
Date: Fri, 11 Jan 2019 01:09:22 +0000
Message-ID: <7C3BD4BA76EE544E86BA054EFFE7CB445450488A@shsmsx102.ccr.corp.intel.com>
In-Reply-To: <1546546586-22009-1-git-send-email-konstantin.ananyev@intel.com>
Subject: Re: [dpdk-dev] [PATCH v6 00/10] ipsec: new library for IPsec data-path processing

The latest versions of the patch series have been tested by Yanjie Xu, and work for crypto and inline ipsec cases.

-----Original Message-----
From: Ananyev, Konstantin
Sent: Friday, January 4, 2019 4:16 AM
To: dev@dpdk.org; dev@dpdk.org
Cc: akhil.goyal@nxp.com; Ananyev, Konstantin
Subject: [PATCH v6 00/10] ipsec: new library for IPsec data-path processing

v5 -> v6
 - Fix issues reported by Akhil:
     rte_ipsec_session_prepare() fails for lookaside-proto

v4 -> v5
 - Fix issue with SQN overflows
 - Address Akhil comments:
     documentation update
     spell checks spacing etc.
     fix input crypto_xform check/prepcess
     test cases for lookaside and inline proto

v3 -> v4
 - Changes to address Declan comments
 - Update docs

v2 -> v3
 - Several fixes for IPv6 support
 - Extra checks for input parameters in public API functions

v1 -> v2
 - Changes to get into account l2_len for outbound transport packets
   (Qi comments)
 - Several bug fixes
 - Some code restructured
 - Update MAINTAINERS file

RFCv2 -> v1
 - Changes per Jerin comments
 - Implement transport mode
 - Several bug fixes
 - UT largely reworked and extended

This patch introduces a new library within DPDK: librte_ipsec.
The aim is to provide DPDK native high performance library for IPsec
data-path processing.
The library is supposed to utilize existing DPDK crypto-dev and
security API to provide application with transparent IPsec processing API.
The library is concentrated on data-path protocols processing (ESP and AH),
IKE protocol(s) implementation is out of scope for that library.
Current patch introduces SA-level API.

SA (low) level API
==================

API described below operates on SA level.
It provides functionality that allows user for given SA to process
inbound and outbound IPsec packets.
To be more specific:
- for inbound ESP/AH packets perform decryption, authentication,
  integrity checking, remove ESP/AH related headers
- for outbound packets perform payload encryption, attach ICV,
  update/add IP headers, add ESP/AH headers/trailers,
  setup related mbuf fields (ol_flags, tx_offloads, etc.).
- initialize/un-initialize given SA based on user provided parameters.

The following functionality:
  - match inbound/outbound packets to particular SA
  - manage crypto/security devices
  - provide SAD/SPD related functionality
  - determine what crypto/security device has to be used
    for given packet(s)
is out of scope for SA-level API.

SA-level API is based on top of crypto-dev/security API and relies on them
to perform actual cipher and integrity checking.
To have an ability to easily map crypto/security sessions into related
IPSec SA, opaque userdata field was added into
rte_cryptodev_sym_session and rte_security_session structures.
That implies ABI change for both librte_cryptodev and librte_security.

Due to the nature of crypto-dev API (enqueue/dequeue model) we use
asynchronous API for IPsec packets destined to be processed
by crypto-device.
Expected API call sequence would be:

	/* enqueue for processing by crypto-device */
	rte_ipsec_pkt_crypto_prepare(...);
	rte_cryptodev_enqueue_burst(...);

	/* dequeue from crypto-device and do final processing (if any) */
	rte_cryptodev_dequeue_burst(...);
	rte_ipsec_pkt_crypto_group(...); /* optional */
	rte_ipsec_pkt_process(...);

Though for packets destined for inline processing no extra overhead
is required and synchronous API call: rte_ipsec_pkt_process()
is sufficient for that case.

Current implementation supports all four currently defined
rte_security types.
Though to accommodate future custom implementations function pointers
model is used for both *crypto_prepare* and *process* implementations.

Konstantin Ananyev (10):
  cryptodev: add opaque userdata pointer into crypto sym session
  security: add opaque userdata pointer into security session
  net: add ESP trailer structure definition
  lib: introduce ipsec library
  ipsec: add SA data-path API
  ipsec: implement SA data-path API
  ipsec: rework SA replay window/SQN for MT environment
  ipsec: helper functions to group completed crypto-ops
  test/ipsec: introduce functional test
  doc: add IPsec library guide

 MAINTAINERS                            |    8 +-
 config/common_base                     |    5 +
 doc/guides/prog_guide/index.rst        |    1 +
 doc/guides/prog_guide/ipsec_lib.rst    |  168 ++
 doc/guides/rel_notes/release_19_02.rst |   11 +
 lib/Makefile                           |    2 +
 lib/librte_cryptodev/rte_cryptodev.h   |    2 +
 lib/librte_ipsec/Makefile              |   27 +
 lib/librte_ipsec/crypto.h              |  123 ++
 lib/librte_ipsec/iph.h                 |   84 +
 lib/librte_ipsec/ipsec_sqn.h           |  343 ++++
 lib/librte_ipsec/meson.build           |   10 +
 lib/librte_ipsec/pad.h                 |   45 +
 lib/librte_ipsec/rte_ipsec.h           |  154 ++
 lib/librte_ipsec/rte_ipsec_group.h     |  151 ++
 lib/librte_ipsec/rte_ipsec_sa.h        |  174 ++
 lib/librte_ipsec/rte_ipsec_version.map |   15 +
 lib/librte_ipsec/sa.c                  | 1527 ++++++++++++++
 lib/librte_ipsec/sa.h                  |  106 +
 lib/librte_ipsec/ses.c                 |   52 +
 lib/librte_net/rte_esp.h               |   10 +-
 lib/librte_security/rte_security.h     |    2 +
 lib/meson.build                        |    2 +
 mk/rte.app.mk                          |    2 +
 test/test/Makefile                     |    3 +
 test/test/meson.build                  |    3 +
 test/test/test_ipsec.c                 | 2555 ++++++++++++++++++++++++
 27 files changed, 5583 insertions(+), 2 deletions(-)
 create mode 100644 doc/guides/prog_guide/ipsec_lib.rst
 create mode 100644 lib/librte_ipsec/Makefile
 create mode 100644 lib/librte_ipsec/crypto.h
 create mode 100644 lib/librte_ipsec/iph.h
 create mode 100644 lib/librte_ipsec/ipsec_sqn.h
 create mode 100644 lib/librte_ipsec/meson.build
 create mode 100644 lib/librte_ipsec/pad.h
 create mode 100644 lib/librte_ipsec/rte_ipsec.h
 create mode 100644 lib/librte_ipsec/rte_ipsec_group.h
 create mode 100644 lib/librte_ipsec/rte_ipsec_sa.h
 create mode 100644 lib/librte_ipsec/rte_ipsec_version.map
 create mode 100644 lib/librte_ipsec/sa.c
 create mode 100644 lib/librte_ipsec/sa.h
 create mode 100644 lib/librte_ipsec/ses.c
 create mode 100644 test/test/test_ipsec.c

--
2.17.1
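
The optional grouping step in the call sequence quoted above depends on the opaque userdata pointer that maps each crypto session back to its SA. The block below is an added illustration of that idea, not code from the patch series or from DPDK: every type and function name in it is a hypothetical stand-in, and moving failed packets to the tail is an assumption of this model.

```c
#include <stdint.h>
#include <stdio.h>
#define MAX_BURST 32

/* Hypothetical stand-ins for the SA, crypto session, mbuf and crypto-op. */
struct sa { uint32_t spi; };
struct session { void *opaque_data; };	/* userdata: points back to the SA */
struct pkt { uint32_t id; };
struct op { struct session *sess; struct pkt *pkt; int ok; };
struct group { struct sa *sa; struct pkt **pkts; uint16_t cnt; };

/* Split a dequeued burst (num <= MAX_BURST) into runs of consecutive packets
 * of one SA, found via the session userdata. Model assumption: packets whose
 * op failed go to the tail of out[], outside every group. Returns group count. */
static uint16_t group_completed(const struct op ops[], uint16_t num,
		struct pkt *out[], struct group grp[], uint16_t *nb_fail)
{
	struct pkt *failed[MAX_BURST];
	uint16_t i, k = 0, n = 0, f = 0;

	for (i = 0; i < num; i++) {
		struct sa *sa = ops[i].sess->opaque_data;
		if (!ops[i].ok) {	/* e.g. authentication failed: never group it */
			failed[f++] = ops[i].pkt;
			continue;
		}
		if (n == 0 || grp[n - 1].sa != sa)	/* a new run starts here */
			grp[n++] = (struct group){ sa, &out[k], 0 };
		out[k++] = ops[i].pkt;
		grp[n - 1].cnt++;
	}
	for (i = 0; i < f; i++)
		out[k + i] = failed[i];
	*nb_fail = f;
	return n;
}

int main(void)
{
	/* Constructed burst: two ops of SA a, one failed op, one op of SA b. */
	struct sa a = { 0x100 }, b = { 0x200 };
	struct session sa_ses = { &a }, sb_ses = { &b };
	struct pkt p[4] = { {0}, {1}, {2}, {3} }, *out[4];
	struct op ops[4] = { { &sa_ses, &p[0], 1 }, { &sa_ses, &p[1], 1 },
			     { &sb_ses, &p[2], 0 }, { &sb_ses, &p[3], 1 } };
	struct group grp[4];
	uint16_t nf, n = group_completed(ops, 4, out, grp, &nf);
	printf("%d group(s), %d failed\n", n, nf);
	return 0;
}
```

Each resulting group can then be handed to the per-SA final processing step in one call, while the packets at the tail of `out[]` are dropped.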