* [dpdk-dev] [PATCH v2 1/3] security: add option to configure tunnel header verification
2021-09-28 12:07 [dpdk-dev] [PATCH v2 0/3] add option to configure tunnel header verification Tejasree Kondoj
@ 2021-09-28 12:07 ` Tejasree Kondoj
2021-09-28 16:00 ` Akhil Goyal
2021-09-28 12:07 ` [dpdk-dev] [PATCH v2 2/3] common/cnxk: add support for " Tejasree Kondoj
2021-09-28 12:07 ` [dpdk-dev] [PATCH v2 3/3] test/crypto: add tunnel header verification tests Tejasree Kondoj
2 siblings, 1 reply; 5+ messages in thread
From: Tejasree Kondoj @ 2021-09-28 12:07 UTC (permalink / raw)
To: Akhil Goyal, Radu Nicolau, Declan Doherty
Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Jerin Jacob,
Konstantin Ananyev, Ciara Power, Hemant Agrawal, Gagandeep Singh,
Fan Zhang, Archana Muniganti, dev
Add option to indicate whether outer header verification
need to be done as part of inbound IPsec processing.
With inline IPsec processing, SA lookup would be happening
in the Rx path of rte_ethdev. When rte_flow is configured to
support more than one SA, SPI would be used to lookup SA.
In such cases, additional verification would be required to
ensure duplicate SPIs are not getting processed in the inline path.
For lookaside cases, the same option can be used by application
to offload tunnel verification to the PMD.
These verifications would help in averting possible DoS attacks.
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
---
doc/guides/rel_notes/deprecation.rst | 2 +-
doc/guides/rel_notes/release_21_11.rst | 5 +++++
lib/security/rte_security.h | 17 +++++++++++++++++
3 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst
index 69fbde0c70..80ae9a6372 100644
--- a/doc/guides/rel_notes/deprecation.rst
+++ b/doc/guides/rel_notes/deprecation.rst
@@ -238,7 +238,7 @@ Deprecation Notices
* security: The IPsec SA config options ``struct rte_security_ipsec_sa_options``
will be updated with new fields to support new features like IPsec inner
- checksum, tunnel header verification, TSO in case of protocol offload.
+ checksum, TSO in case of protocol offload.
* ipsec: The structure ``rte_ipsec_sa_prm`` will be extended with a new field
``hdr_l3_len`` to configure tunnel L3 header length.
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 0b7ffa5e50..623b52d9c9 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -181,6 +181,11 @@ ABI Changes
soft and hard SA expiry limits. Limits can be either in units of packets or
bytes.
+* security: add IPsec SA option to configure tunnel header verification
+
+ * Added SA option to indicate whether outer header verification need to be
+ done as part of inbound IPsec processing.
+
Known Issues
------------
diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
index 88147e1f57..a10c9b5f00 100644
--- a/lib/security/rte_security.h
+++ b/lib/security/rte_security.h
@@ -55,6 +55,14 @@ enum rte_security_ipsec_tunnel_type {
/**< Outer header is IPv6 */
};
+/**
+ * IPSEC tunnel header verification mode
+ *
+ * Controls how outer IP header is verified in inbound.
+ */
+#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR 0x1
+#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2
+
/**
* Security context for crypto/eth devices
*
@@ -206,6 +214,15 @@ struct rte_security_ipsec_sa_options {
* by the PMD.
*/
uint32_t iv_gen_disable : 1;
+
+ /** Verify tunnel header in inbound
+ * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR``: Verify destination
+ * IP address.
+ *
+ * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR``: Verify both
+ * source and destination IP addresses.
+ */
+ uint32_t tunnel_hdr_verify : 2;
};
/** IPSec security association direction */
--
2.27.0
^ permalink raw reply [flat|nested] 5+ messages in thread
* [dpdk-dev] [PATCH v2 2/3] common/cnxk: add support for tunnel header verification
2021-09-28 12:07 [dpdk-dev] [PATCH v2 0/3] add option to configure tunnel header verification Tejasree Kondoj
2021-09-28 12:07 ` [dpdk-dev] [PATCH v2 1/3] security: " Tejasree Kondoj
@ 2021-09-28 12:07 ` Tejasree Kondoj
2021-09-28 12:07 ` [dpdk-dev] [PATCH v2 3/3] test/crypto: add tunnel header verification tests Tejasree Kondoj
2 siblings, 0 replies; 5+ messages in thread
From: Tejasree Kondoj @ 2021-09-28 12:07 UTC (permalink / raw)
To: Akhil Goyal, Radu Nicolau, Declan Doherty
Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Jerin Jacob,
Konstantin Ananyev, Ciara Power, Hemant Agrawal, Gagandeep Singh,
Fan Zhang, Archana Muniganti, dev
Adding support to verify tunnel header in IPsec inbound.
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
drivers/common/cnxk/cnxk_security.c | 60 +++++++++++++++++++
drivers/common/cnxk/roc_ie_ot.h | 6 +-
.../crypto/cnxk/cnxk_cryptodev_capabilities.c | 4 ++
3 files changed, 69 insertions(+), 1 deletion(-)
diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c
index 215d9fd4d1..cc5daf333c 100644
--- a/drivers/common/cnxk/cnxk_security.c
+++ b/drivers/common/cnxk/cnxk_security.c
@@ -199,6 +199,62 @@ ot_ipsec_inb_ctx_size(struct roc_ot_ipsec_inb_sa *sa)
return size;
}
+static int
+ot_ipsec_inb_tunnel_hdr_fill(struct roc_ot_ipsec_inb_sa *sa,
+ struct rte_security_ipsec_xform *ipsec_xfrm)
+{
+ struct rte_security_ipsec_tunnel_param *tunnel;
+
+ if (ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
+ return 0;
+
+ if (ipsec_xfrm->options.tunnel_hdr_verify == 0)
+ return 0;
+
+ tunnel = &ipsec_xfrm->tunnel;
+
+ switch (tunnel->type) {
+ case RTE_SECURITY_IPSEC_TUNNEL_IPV4:
+ sa->w2.s.outer_ip_ver = ROC_IE_SA_IP_VERSION_4;
+ memcpy(&sa->outer_hdr.ipv4.src_addr, &tunnel->ipv4.src_ip,
+ sizeof(struct in_addr));
+ memcpy(&sa->outer_hdr.ipv4.dst_addr, &tunnel->ipv4.dst_ip,
+ sizeof(struct in_addr));
+
+ /* IP Source and Dest are in LE/CPU endian */
+ sa->outer_hdr.ipv4.src_addr =
+ rte_be_to_cpu_32(sa->outer_hdr.ipv4.src_addr);
+ sa->outer_hdr.ipv4.dst_addr =
+ rte_be_to_cpu_32(sa->outer_hdr.ipv4.dst_addr);
+
+ break;
+ case RTE_SECURITY_IPSEC_TUNNEL_IPV6:
+ sa->w2.s.outer_ip_ver = ROC_IE_SA_IP_VERSION_6;
+ memcpy(&sa->outer_hdr.ipv6.src_addr, &tunnel->ipv6.src_addr,
+ sizeof(struct in6_addr));
+ memcpy(&sa->outer_hdr.ipv6.dst_addr, &tunnel->ipv6.dst_addr,
+ sizeof(struct in6_addr));
+
+ break;
+ default:
+ return -EINVAL;
+ }
+
+ switch (ipsec_xfrm->options.tunnel_hdr_verify) {
+ case RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR:
+ sa->w2.s.ip_hdr_verify = ROC_IE_OT_SA_IP_HDR_VERIFY_DST_ADDR;
+ break;
+ case RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR:
+ sa->w2.s.ip_hdr_verify =
+ ROC_IE_OT_SA_IP_HDR_VERIFY_SRC_DST_ADDR;
+ break;
+ default:
+ return -ENOTSUP;
+ }
+
+ return 0;
+}
+
int
cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa,
struct rte_security_ipsec_xform *ipsec_xfrm,
@@ -229,6 +285,10 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa,
sa->w0.s.ar_win = rte_log2_u32(replay_win_sz) - 5;
}
+ rc = ot_ipsec_inb_tunnel_hdr_fill(sa, ipsec_xfrm);
+ if (rc)
+ return rc;
+
/* Default options for pkt_out and pkt_fmt are with
* second pass meta and no defrag.
*/
diff --git a/drivers/common/cnxk/roc_ie_ot.h b/drivers/common/cnxk/roc_ie_ot.h
index 1ff468841d..12c75afac2 100644
--- a/drivers/common/cnxk/roc_ie_ot.h
+++ b/drivers/common/cnxk/roc_ie_ot.h
@@ -180,7 +180,11 @@ union roc_ot_ipsec_sa_word2 {
uint64_t auth_type : 4;
uint64_t encap_type : 2;
- uint64_t rsvd1 : 6;
+ uint64_t et_ovrwr_ddr_en : 1;
+ uint64_t esn_en : 1;
+ uint64_t tport_l4_incr_csum : 1;
+ uint64_t ip_hdr_verify : 2;
+ uint64_t rsvd5 : 1;
uint64_t rsvd2 : 7;
uint64_t async_mode : 1;
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index 4b97639e56..8a0cf289fd 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -920,6 +920,10 @@ cn10k_sec_caps_update(struct rte_security_capability *sec_cap)
#ifdef LA_IPSEC_DEBUG
sec_cap->ipsec.options.iv_gen_disable = 1;
#endif
+ } else {
+ if (sec_cap->ipsec.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
+ sec_cap->ipsec.options.tunnel_hdr_verify =
+ RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR;
}
}
--
2.27.0
^ permalink raw reply [flat|nested] 5+ messages in thread
* [dpdk-dev] [PATCH v2 3/3] test/crypto: add tunnel header verification tests
2021-09-28 12:07 [dpdk-dev] [PATCH v2 0/3] add option to configure tunnel header verification Tejasree Kondoj
2021-09-28 12:07 ` [dpdk-dev] [PATCH v2 1/3] security: " Tejasree Kondoj
2021-09-28 12:07 ` [dpdk-dev] [PATCH v2 2/3] common/cnxk: add support for " Tejasree Kondoj
@ 2021-09-28 12:07 ` Tejasree Kondoj
2 siblings, 0 replies; 5+ messages in thread
From: Tejasree Kondoj @ 2021-09-28 12:07 UTC (permalink / raw)
To: Akhil Goyal, Radu Nicolau, Declan Doherty
Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Jerin Jacob,
Konstantin Ananyev, Ciara Power, Hemant Agrawal, Gagandeep Singh,
Fan Zhang, Archana Muniganti, dev
Add test cases to verify tunnel header in IPsec inbound.
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
app/test/test_cryptodev.c | 45 ++++++++++++++++++-
app/test/test_cryptodev_security_ipsec.c | 25 ++++++++++-
app/test/test_cryptodev_security_ipsec.h | 1 +
...st_cryptodev_security_ipsec_test_vectors.h | 3 ++
4 files changed, 71 insertions(+), 3 deletions(-)
diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 34b55a952e..665d19c0a4 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -8924,6 +8924,7 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
int salt_len, i, ret = TEST_SUCCESS;
struct rte_security_ctx *ctx;
uint8_t *input_text;
+ uint32_t verify;
ut_params->type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
gbl_action_type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
@@ -8933,11 +8934,19 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
/* Copy IPsec xform */
memcpy(&ipsec_xform, &td[0].ipsec_xform, sizeof(ipsec_xform));
+ dir = ipsec_xform.direction;
+ verify = flags->tunnel_hdr_verify;
+
+ if ((dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && verify) {
+ if (verify == RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR)
+ src += 1;
+ else if (verify == RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR)
+ dst += 1;
+ }
+
memcpy(&ipsec_xform.tunnel.ipv4.src_ip, &src, sizeof(src));
memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst, sizeof(dst));
- dir = ipsec_xform.direction;
-
ctx = rte_cryptodev_get_sec_ctx(dev_id);
sec_cap_idx.action = ut_params->type;
@@ -9229,6 +9238,30 @@ test_ipsec_proto_udp_encap(const void *data __rte_unused)
return test_ipsec_proto_all(&flags);
}
+static int
+test_ipsec_proto_tunnel_src_dst_addr_verify(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.tunnel_hdr_verify = RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_tunnel_dst_addr_verify(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.tunnel_hdr_verify = RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR;
+
+ return test_ipsec_proto_all(&flags);
+}
+
static int
test_PDCP_PROTO_all(void)
{
@@ -14173,6 +14206,14 @@ static struct unit_test_suite ipsec_proto_testsuite = {
"Negative test: ICV corruption",
ut_setup_security, ut_teardown,
test_ipsec_proto_err_icv_corrupt),
+ TEST_CASE_NAMED_ST(
+ "Tunnel dst addr verification",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_tunnel_dst_addr_verify),
+ TEST_CASE_NAMED_ST(
+ "Tunnel src and dst addr verification",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_tunnel_src_dst_addr_verify),
TEST_CASES_END() /**< NULL terminate unit test array */
}
};
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index 046536cc9c..f040630655 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -86,6 +86,15 @@ test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
return -ENOTSUP;
}
+ if ((ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
+ (ipsec_xform->options.tunnel_hdr_verify >
+ sec_cap->ipsec.options.tunnel_hdr_verify)) {
+ if (!silent)
+ RTE_LOG(INFO, USER1,
+ "Tunnel header verify is not supported\n");
+ return -ENOTSUP;
+ }
+
return 0;
}
@@ -207,6 +216,9 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[],
if (flags->udp_encap)
td_inb[i].ipsec_xform.options.udp_encap = 1;
+ td_inb[i].ipsec_xform.options.tunnel_hdr_verify =
+ flags->tunnel_hdr_verify;
+
/* Clear outbound specific flags */
td_inb[i].ipsec_xform.options.iv_gen_disable = 0;
}
@@ -292,7 +304,8 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
/* For tests with status as error for test success, skip verification */
if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
(flags->icv_corrupt ||
- flags->sa_expiry_pkts_hard))
+ flags->sa_expiry_pkts_hard ||
+ flags->tunnel_hdr_verify))
return TEST_SUCCESS;
if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
@@ -420,6 +433,16 @@ test_ipsec_status_check(struct rte_crypto_op *op,
}
}
+ if ((dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
+ flags->tunnel_hdr_verify) {
+ if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
+ printf("Tunnel header verify test case failed\n");
+ return TEST_FAILED;
+ } else {
+ return TEST_SUCCESS;
+ }
+ }
+
if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && flags->icv_corrupt) {
if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
printf("ICV corruption test case failed\n");
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index 18f3c64bb7..a65cb54eae 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -53,6 +53,7 @@ struct ipsec_test_flags {
bool sa_expiry_pkts_hard;
bool icv_corrupt;
bool iv_gen;
+ uint32_t tunnel_hdr_verify;
bool udp_encap;
};
diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h
index 38ea43d157..4e147ec19c 100644
--- a/app/test/test_cryptodev_security_ipsec_test_vectors.h
+++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h
@@ -94,6 +94,7 @@ struct ipsec_test_data pkt_aes_128_gcm = {
.options.dec_ttl = 0,
.options.ecn = 0,
.options.stats = 0,
+ .options.tunnel_hdr_verify = 0,
.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
@@ -190,6 +191,7 @@ struct ipsec_test_data pkt_aes_192_gcm = {
.options.dec_ttl = 0,
.options.ecn = 0,
.options.stats = 0,
+ .options.tunnel_hdr_verify = 0,
.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
@@ -289,6 +291,7 @@ struct ipsec_test_data pkt_aes_256_gcm = {
.options.dec_ttl = 0,
.options.ecn = 0,
.options.stats = 0,
+ .options.tunnel_hdr_verify = 0,
.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
--
2.27.0
^ permalink raw reply [flat|nested] 5+ messages in thread