DPDK usage discussions
* [dpdk-users] DPDK l2fwd-crypto sample app Don't see encrypted icmp packet on the transmit side
@ 2021-02-11 17:56 Das, Surajit
  2021-02-12  4:02 ` Das, Surajit
  0 siblings, 1 reply; 2+ messages in thread
From: Das, Surajit @ 2021-02-11 17:56 UTC (permalink / raw)
  To: users

Hi DPDK Experts,

I am running the l2fwd-crypto app on SR-IOV VFs.
I am sending an ICMP ping over IPv4 to l2fwd-crypto.
On the transmit side, I am not receiving any encrypted packet.
Instead I am just receiving the very same ICMP packet.
The only change I made is to the l2fwd_mac_updating function, to set the destination MAC to broadcast, to make sure the packet reaches the destination VF.

Command to send packet:
arp -s 30.30.20.10 -i dev0 3a:fc:e6:60:a9:d3
ping -I dev0 30.30.20.10 -c1

Command to run l2fwd-crypto:
./l2fwd-crypto -l 0-1 -n 4 --vdev "crypto_aesni_mb0" --vdev "crypto_aesni_mb1" -w 0000:65:00.4 -w 0000:65:00.5 -- -p 0x3 --cdev SW --chain CIPHER_HASH --cipher_op ENCRYPT --cipher_algo aes-cbc --cipher_key 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f --auth_op GENERATE --auth_algo aes-xcbc-mac --auth_key 10:11:12:13:14:15:16:17:18:19:1a:1b:1c:1d:1e:1f

Output Counter suggests encryption was done:
Port statistics ====================================
Statistics for port 0 ------------------------------
Packets sent:                                1
Packets received:                            0
Packets dropped:                             0
Statistics for port 1 ------------------------------
Packets sent:                                0
Packets received:                            1
Packets dropped:                             0
Crypto statistics ==================================
Statistics for cryptodev 0 -------------------------
Packets enqueued:                            0
Packets dequeued:                            0
Packets errors:                              0
Statistics for cryptodev 1 -------------------------
Packets enqueued:                            1
Packets dequeued:                            1
Packets errors:                              0
Aggregate statistics ===============================
Total packets received:                      1
Total packets enqueued:                      1
Total packets dequeued:                      1
Total packets sent:                          1
Total packets dropped:                       0
Total packets crypto errors:                 0
====================================================

What the received packet looks like:
[root@decrypt-app-deployment-79fdd95b56-h8lxr ~]# tshark  -i dev4
Running as user "root" and group "root". This could be dangerous.
Capturing on 'dev4'
  1 0.000000000  30.30.20.12 -> 30.30.20.10  ICMP 110 Unknown ICMP (obsolete or malformed?) [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
^C1 packet captured

Can anyone suggest what I could be missing here?

Regards,
Surajit


* Re: [dpdk-users] DPDK l2fwd-crypto sample app Don't see encrypted icmp packet on the transmit side
  2021-02-11 17:56 [dpdk-users] DPDK l2fwd-crypto sample app Don't see encrypted icmp packet on the transmit side Das, Surajit
@ 2021-02-12  4:02 ` Das, Surajit
  0 siblings, 0 replies; 2+ messages in thread
From: Das, Surajit @ 2021-02-12  4:02 UTC (permalink / raw)
  To: users

Hi DPDK Experts,

I figured out that the l2fwd-crypto app is encrypting packets.
Tshark thinks the packet is ICMP because the crypto dev does not modify the IPv4 header.
So the ip4_hdr->next_proto_id value remains unchanged, causing tshark to think it's an ICMP packet.

The payload of the IPv4 header, which is the ICMP part, does look encrypted.

Now, I tried decrypting the packet by using the l2fwd-crypto app on an adjacent container.

Command with arguments:
[root@decrypt-app-deployment-79fdd95b56-h8lxr build]# ./l2fwd-crypto -l 2-3 -n 4 --vdev "crypto_aesni_mb0" --vdev "crypto_aesni_mb1" -w 0000:65:01.0 -w 0000:65:01.6 -- -p 0x3 --cdev SW --chain HASH_CIPHER --cipher_op DECRYPT --cipher_algo aes-cbc --cipher_key 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f --auth_op VERIFY --auth_algo aes-xcbc-mac --auth_key 10:11:12:13:14:15:16:17:18:19:1a:1b:1c:1d:1e:1f


On the other end of the receive side, after decrypting, I still see that the packet is encrypted.
Packet structure on the decrypted side:
Internet Protocol Version 4, Src: 30.30.20.12 (30.30.20.12), Dst: 30.30.20.10 (30.30.20.10)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 84
    Identification: 0x99cd (39373)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: ICMP (1)
    Header checksum: 0x3c8a [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 30.30.20.12 (30.30.20.12)
    Destination: 30.30.20.10 (30.30.20.10)
Internet Control Message Protocol
    Type: 169 (Unknown ICMP (obsolete or malformed?))
    Code: 121
    Checksum: 0xb89e [incorrect, should be 0xee1d]

As you can see, the ICMP part still looks encrypted.
Is there anything in the command line arguments that I am missing?

Regards,
Surajit
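
An added example, not part of the original thread and not DPDK code: a check for the situation described above, where the IPv4 header still says protocol 1 but the bytes behind it no longer verify as ICMP, plus a count of bytes following the IP datagram (tshark's 110-byte frame minus 14 + 84 leaves 12, which would be consistent with an appended 96-bit AES-XCBC-MAC tag; that reading of the capture is an assumption). The frame is constructed, and the XOR scramble and 0xee filler only stand in for the cipher and the digest.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define ETH_HLEN 14
/* RFC 1071 Internet checksum; yields 0 when the embedded checksum is valid. */
static uint16_t inet_csum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; p += 2, len -= 2) sum += (uint32_t)p[0] << 8 | p[1];
    if (len) sum += (uint32_t)p[0] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Returns bytes found after the IP datagram, or -1 if the frame is not IPv4 with protocol ICMP. */
int inspect_frame(const uint8_t *f, size_t len, int *icmp_ok)
{
    if (len < ETH_HLEN + 20 || f[12] != 0x08 || f[13] != 0x00) return -1;
    const uint8_t *ip = f + ETH_HLEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4, tot = (size_t)ip[2] << 8 | ip[3];
    if (ihl < 20 || tot < ihl + 8 || ETH_HLEN + tot > len || ip[9] != 1) return -1;
    *icmp_ok = inet_csum(ip + ihl, tot - ihl) == 0;   /* payload still parses as ICMP? */
    return (int)(len - ETH_HLEN - tot);
}

/* Constructed 98-byte echo request (Total Length 84); the buffer must hold 110 bytes. */
size_t build_ping(uint8_t *f)
{
    memset(f, 0, 110); f[12] = 0x08;               /* EtherType 0x0800 */
    uint8_t *ip = f + ETH_HLEN, *icmp = ip + 20;
    ip[0] = 0x45; ip[3] = 84; ip[8] = 64; ip[9] = 1; icmp[0] = 8;
    for (int i = 8; i < 64; i++) icmp[i] = (uint8_t)i;
    uint16_t c = inet_csum(icmp, 64);
    icmp[2] = (uint8_t)(c >> 8); icmp[3] = (uint8_t)c;
    return 98;
}

/* Stand-in for the encrypting side: XOR is not a cipher and 0xee is not a MAC. */
size_t scramble_after_ip(uint8_t *f, size_t len)
{
    for (size_t i = ETH_HLEN + 20; i < len; i++) f[i] ^= 0xa0;
    memset(f + len, 0xee, 12);                     /* 12 trailing bytes, as in the capture */
    return len + 12;
}

int main(void)
{
    uint8_t f[110]; int ok;                        /* exit 0: header says ICMP, payload does not */
    return !(inspect_frame(f, scramble_after_ip(f, build_ping(f)), &ok) == 12 && !ok);
}
```

A failed ICMP checksum together with trailing bytes only shows that the payload is no longer plaintext ICMP; it does not show that decryption with the intended key and IV would recover it.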

