From: Konstantin Ananyev
To: dev@dpdk.org
Cc: akhil.goyal@nxp.com, pablo.de.lara.guarch@intel.com, thomas@monjalon.net, Konstantin Ananyev
Date: Thu, 10 Jan 2019 21:06:25 +0000
Message-Id: <1547154394-14875-1-git-send-email-konstantin.ananyev@intel.com>
In-Reply-To: <1547130059-9408-2-git-send-email-konstantin.ananyev@intel.com>
References: <1547130059-9408-2-git-send-email-konstantin.ananyev@intel.com>
Subject: [dpdk-dev] [PATCH v8 0/9] ipsec: new library for IPsec data-path processing

v7 -> v8
 - update release notes with new version for librte_security
 - rebase on top of crypto-next

v6 -> v7
 - Changes to address Thomas comments:
   bump ABI version
   remove related deprecation notice
   update release notes, ABI changes section

v5 -> v6
 - Fix issues reported by Akhil:
   rte_ipsec_session_prepare() fails for lookaside-proto

v4 -> v5
 - Fix issue with SQN overflows
 - Address Akhil comments:
   documentation update
   spell checks spacing etc.
   fix input crypto_xform check/process
   test cases for lookaside and inline proto

v3 -> v4
 - Changes to address Declan comments
 - Update docs

v2 -> v3
 - Several fixes for IPv6 support
 - Extra checks for input parameters in public API functions

v1 -> v2
 - Changes to take into account l2_len for outbound transport packets
   (Qi comments)
 - Several bug fixes
 - Some code restructured
 - Update MAINTAINERS file

RFCv2 -> v1
 - Changes per Jerin comments
 - Implement transport mode
 - Several bug fixes
 - UT largely reworked and extended

This patch introduces a new library within DPDK: librte_ipsec.
The aim is to provide DPDK native high performance library for IPsec
data-path processing.
The library is supposed to utilize existing DPDK crypto-dev and
security API to provide application with transparent IPsec processing API.
The library is concentrated on data-path protocols processing (ESP and AH),
IKE protocol(s) implementation is out of scope for that library.
Current patch introduces SA-level API.

SA level API
============

API described below operates on SA level.
It provides functionality that allows user for given SA to process
inbound and outbound IPsec packets.
To be more specific:
- for inbound ESP/AH packets perform decryption, authentication,
  integrity checking, remove ESP/AH related headers
- for outbound packets perform payload encryption, attach ICV,
  update/add IP headers, add ESP/AH headers/trailers,
  setup related mbuf fields (ol_flags, tx_offloads, etc.).
- initialize/un-initialize given SA based on user provided parameters.

The following functionality:
- match inbound/outbound packets to particular SA
- manage crypto/security devices
- provide SAD/SPD related functionality
- determine what crypto/security device has to be used
  for given packet(s)
is out of scope for SA-level API.

SA-level API is based on top of crypto-dev/security API and relies on them
to perform actual cipher and integrity checking.
To have an ability to easily map crypto/security sessions into related
IPSec SA, an opaque userdata field was added into
rte_cryptodev_sym_session and rte_security_session structures.
That implies ABI change for both librte_cryptodev and librte_security.

Due to the nature of crypto-dev API (enqueue/dequeue model) we use
asynchronous API for IPsec packets destined to be processed by crypto-device.
Expected API call sequence would be:
  /* enqueue for processing by crypto-device */
  rte_ipsec_pkt_crypto_prepare(...);
  rte_cryptodev_enqueue_burst(...);
  /* dequeue from crypto-device and do final processing (if any) */
  rte_cryptodev_dequeue_burst(...);
  rte_ipsec_pkt_crypto_group(...); /* optional */
  rte_ipsec_pkt_process(...);

Though for packets destined for inline processing no extra overhead
is required and synchronous API call: rte_ipsec_pkt_process()
is sufficient for that case.

Current implementation supports all four currently defined rte_security types.
Though to accommodate future custom implementations function pointers
model is used for both *crypto_prepare* and *process* implementations.
Konstantin Ananyev (9):
  security: add opaque userdata pointer into security session
  net: add ESP trailer structure definition
  lib: introduce ipsec library
  ipsec: add SA data-path API
  ipsec: implement SA data-path API
  ipsec: rework SA replay window/SQN for MT environment
  ipsec: helper functions to group completed crypto-ops
  test/ipsec: introduce functional test
  doc: add IPsec library guide

 MAINTAINERS                            |    8 +-
 config/common_base                     |    5 +
 doc/guides/prog_guide/index.rst        |    1 +
 doc/guides/prog_guide/ipsec_lib.rst    |  168 ++
 doc/guides/rel_notes/deprecation.rst   |    4 -
 doc/guides/rel_notes/release_19_02.rst |   17 +-
 lib/Makefile                           |    2 +
 lib/librte_ipsec/Makefile              |   27 +
 lib/librte_ipsec/crypto.h              |  123 ++
 lib/librte_ipsec/iph.h                 |   84 +
 lib/librte_ipsec/ipsec_sqn.h           |  343 ++++
 lib/librte_ipsec/meson.build           |   10 +
 lib/librte_ipsec/pad.h                 |   45 +
 lib/librte_ipsec/rte_ipsec.h           |  154 ++
 lib/librte_ipsec/rte_ipsec_group.h     |  151 ++
 lib/librte_ipsec/rte_ipsec_sa.h        |  174 ++
 lib/librte_ipsec/rte_ipsec_version.map |   15 +
 lib/librte_ipsec/sa.c                  | 1527 ++++++++++++++
 lib/librte_ipsec/sa.h                  |  106 +
 lib/librte_ipsec/ses.c                 |   52 +
 lib/librte_net/rte_esp.h               |   10 +-
 lib/librte_security/Makefile           |    4 +-
 lib/librte_security/meson.build        |    3 +-
 lib/librte_security/rte_security.h     |    2 +
 lib/meson.build                        |    2 +
 mk/rte.app.mk                          |    2 +
 test/test/Makefile                     |    3 +
 test/test/meson.build                  |    3 +
 test/test/test_ipsec.c                 | 2565 ++++++++++++++++++++++++
 29 files changed, 5600 insertions(+), 10 deletions(-)
 create mode 100644 doc/guides/prog_guide/ipsec_lib.rst
 create mode 100644 lib/librte_ipsec/Makefile
 create mode 100644 lib/librte_ipsec/crypto.h
 create mode 100644 lib/librte_ipsec/iph.h
 create mode 100644 lib/librte_ipsec/ipsec_sqn.h
 create mode 100644 lib/librte_ipsec/meson.build
 create mode 100644 lib/librte_ipsec/pad.h
 create mode 100644 lib/librte_ipsec/rte_ipsec.h
 create mode 100644 lib/librte_ipsec/rte_ipsec_group.h
 create mode 100644 lib/librte_ipsec/rte_ipsec_sa.h
 create mode 100644 lib/librte_ipsec/rte_ipsec_version.map
 create mode 100644 lib/librte_ipsec/sa.c
 create mode 100644 lib/librte_ipsec/sa.h
 create mode 100644 lib/librte_ipsec/ses.c
 create mode 100644 test/test/test_ipsec.c

-- 
2.17.1
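As an added illustration (not code from this patch series or from DPDK), the following self-contained C model shows what the optional grouping step in the call sequence above does and why the opaque userdata pointer introduced in patch 1/9 matters: after rte_cryptodev_dequeue_burst() returns completed operations in arbitrary SA order, consecutive ops are grouped by the SA reachable through the session's userdata, and ops the device reported as failed get a flag set on their mbuf so that the caller can skip them before rte_ipsec_pkt_process(). All struct names (sa_stub, sym_session_stub, mbuf_stub, crypto_op_stub, group_stub), the function group_by_sa() and the flag bit STUB_RX_SEC_OFFLOAD_FAILED are local stand-ins and assumptions, not DPDK types and not the library's own rte_ipsec_pkt_crypto_group() implementation; the sample operations in sample_groups() are constructed.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for the IPsec SA object that the opaque userdata points to. */
struct sa_stub { uint32_t spi; };

/* Assumed stand-in for rte_cryptodev_sym_session: only the userdata pointer is modelled. */
struct sym_session_stub { void *userdata; };

/* Assumed minimal mbuf: only the offload flags the grouping step updates. */
struct mbuf_stub { uint64_t ol_flags; };
/* Constructed flag bit, not the real DPDK PKT_RX_* value. */
#define STUB_RX_SEC_OFFLOAD_FAILED (1ULL << 0)

/* Assumed stand-in for a dequeued rte_crypto_op: session, device status, packet. */
struct crypto_op_stub {
    struct sym_session_stub *session;
    int success;            /* 1 if the crypto device reported success */
    struct mbuf_stub *mbuf;
};

/* Shape of one group: the SA, the first mbuf of the run, and the run length. */
struct group_stub {
    const struct sa_stub *sa;
    struct mbuf_stub **m;
    uint32_t cnt;
};

/*
 * Walk completed ops in dequeue order, copy their mbufs into mb[] and cut the
 * array into runs that share the same SA (found via session->userdata).
 * Failed ops are flagged on the mbuf instead of being silently passed on.
 * Returns the number of groups written to grp[].
 */
uint16_t group_by_sa(struct crypto_op_stub *cop[], struct mbuf_stub *mb[],
                     struct group_stub grp[], uint16_t num)
{
    uint16_t i, n = 0;
    const struct sa_stub *prev = NULL;

    for (i = 0; i != num; i++) {
        const struct sa_stub *sa = cop[i]->session->userdata;
        mb[i] = cop[i]->mbuf;
        if (!cop[i]->success)
            mb[i]->ol_flags |= STUB_RX_SEC_OFFLOAD_FAILED;
        if (n == 0 || sa != prev) {
            grp[n].sa = sa;
            grp[n].m = mb + i;
            grp[n].cnt = 0;
            prev = sa;
            n++;
        }
        grp[n - 1].cnt++;
    }
    return n;
}

/*
 * Constructed sample: five ops from two SAs completing interleaved, one of
 * them failed. Fills per-group counts/SPIs and per-mbuf flags; returns the
 * number of groups (3: SA A x2, SA B x2, SA A x1).
 */
uint16_t sample_groups(uint32_t cnt_out[], uint32_t spi_out[], uint64_t flags_out[])
{
    static struct sa_stub sa_a = { .spi = 0x100 }, sa_b = { .spi = 0x200 };
    static struct sym_session_stub ses_a = { .userdata = &sa_a };
    static struct sym_session_stub ses_b = { .userdata = &sa_b };
    static struct mbuf_stub m[5];
    static struct crypto_op_stub ops[5] = {
        { &ses_a, 1, &m[0] }, { &ses_a, 1, &m[1] }, { &ses_b, 0, &m[2] },
        { &ses_b, 1, &m[3] }, { &ses_a, 1, &m[4] },
    };
    struct crypto_op_stub *cop[5] = { &ops[0], &ops[1], &ops[2], &ops[3], &ops[4] };
    struct mbuf_stub *mb[5];
    struct group_stub grp[5];
    uint16_t n, i;

    for (i = 0; i < 5; i++)
        m[i].ol_flags = 0;      /* reset so repeated calls give the same result */
    n = group_by_sa(cop, mb, grp, 5);
    for (i = 0; i < n; i++) {
        cnt_out[i] = grp[i].cnt;
        spi_out[i] = grp[i].sa->spi;
    }
    for (i = 0; i < 5; i++)
        flags_out[i] = mb[i]->ol_flags;
    return n;
}

int main(void)
{
    uint32_t cnt[5], spi[5];
    uint64_t flags[5];
    uint16_t n = sample_groups(cnt, spi, flags), i;

    for (i = 0; i < n; i++)
        printf("group %u: spi=0x%" PRIx32 " cnt=%" PRIu32 "\n", i, spi[i], cnt[i]);
    for (i = 0; i < 5; i++)
        printf("mbuf %u: ol_flags=%" PRIu64 "\n", i, flags[i]);
    return 0;
}
```

Each group can then be handed to the per-SA processing call as one burst; the flagged mbuf (index 2) still sits inside its group, so a caller must check the flag before finishing IPsec processing on it rather than trusting the device result implicitly.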