From: "Varghese, Vipin"
To: "Ananyev, Konstantin", "dev@dpdk.org"
CC: "akhil.goyal@nxp.com", "De Lara Guarch, Pablo", "thomas@monjalon.net", "Ananyev, Konstantin", "Iremonger, Bernard"
Date: Fri, 11 Jan 2019 02:49:46 +0000
Message-ID: <4C9E0AB70F954A408CC4ADDBF0F8FA7D4D2EFBAE@BGSMSX101.gar.corp.intel.com>
In-Reply-To: <1547154553-15814-11-git-send-email-konstantin.ananyev@intel.com>
Subject: Re: [dpdk-dev] [PATCH v8 10/10] doc: update ipsec-secgw guide and relelase notes

Hi Konstantin,

As per 19.02-rc1, documentation has to be updated along with the code base.

snipped

> --- a/doc/guides/rel_notes/release_19_02.rst > +++ b/doc/guides/rel_notes/release_19_02.rst 
> @@ -133,6 +133,20 @@ New Features >=20 > See :doc:`../prog_guide/ipsec_lib` for more information. >=20 > +* **Updated the ipsec-secgw sample application.** > + > + The ``ipsec-secgw`` sample application has been updated to use the > + new ``librte_ipsec`` library also added in this release. > + The original functionality of ipsec-secgw is retained, a new command > + line parameter ``-l`` has been added to ipsec-secgw to use the IPsec > + library, instead of the existing IPsec code in the application. > + > + The IPsec library does not support all the functionality of the > + existing ipsec-secgw application, its is planned to add the > + outstanding functionality in future releases. > + > + See :doc:`../sample_app_ug/ipsec_secgw` for more information. > + >=20

In my opinion this can come in the first patch

snipped

> #. [Optional] Build the application for debugging: > This option adds some extra flags, disables compiler optimizations an= d @@ - > 93,6 +93,7 @@ The application has a number of command line options:: >=20 > ./build/ipsec-secgw [EAL options] -- > -p PORTMASK -P -u PORTMASK -j FRAMESIZE > + -l -w REPLAY_WINOW_SIZE -e -a

This can be added in the patch which adds the option

> --config (port,queue,lcore)[,(port,queue,lcore] > --single-sa SAIDX > --rxoffload MASK 
@@ -114,6 +115,18 @@ Where: > specified as FRAMESIZE. If an invalid value is provided as FRAMESIZE > then the default value 9000 is used. >=20 > +* ``-l``: enables code-path that uses librte_ipsec. > + > +* ``-w REPLAY_WINOW_SIZE``: specifies the IPsec sequence number replay > window > + size for each Security Association (available only with librte_ipsec > + code path). > + > +* ``-e``: enables Security Association extended sequence number proces= sing > + (available only with librte_ipsec code path). > + > +* ``-a``: enables Security Association sequence number atomic behaviou= r > + (available only with librte_ipsec code path). > + > * ``--config (port,queue,lcore)[,(port,queue,lcore)]``: determines whi= ch > queues > from which ports are mapped to which cores. >=20 > @@ -225,7 +238,7 @@ accordingly. >=20 >=20 > Configuration File Syntax > -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > +~~~~~~~~~~~~~~~~~~~~~~~~~ >=20 > As mention in the overview, the Security Policies are ACL rules. > The application parsers the rules specified in the configuration file an= d @@ - > 571,6 +584,11 @@ Example SA rules: > mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \ > type lookaside-protocol-offload port_id 4 >=20 > + sa in 35 aead_algo aes-128-gcm \ > + aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef= \ > + mode ipv4-tunnel src 172.16.2.5 dst 172.16.1.5 \ > + type inline-crypto-offload port_id 0 > + > Routing rule syntax > ^^^^^^^^^^^^^^^^^^^ >=20 
> @@ -667,3 +685,86 @@ Example Neighbour rules: > .. code-block:: console >=20 > neigh port 0 DE:AD:BE:EF:01:02 > + > +Test directory > +-------------- > + > +The test directory contains scripts for testing the various encryption > +algorithms. > + > +The purpose of the scripts is to automate ipsec-secgw testing using > +another system running linux as a DUT. > + > +The user must setup the following environment variables: > + > +* ``SGW_PATH``: path to the ipsec-secgw binary to test. > + > +* ``REMOTE_HOST``: IP address/hostname of the DUT. > + > +* ``REMOTE_IFACE``: interface name for the test-port on the DUT. > + > +* ``ETH_DEV``: ethernet device to be used on the SUT by DPDK ('-w ') > + > +Also the user can optionally setup: > + > +* ``SGW_LCORE``: lcore to run ipsec-secgw on (default value is 0) > + > +* ``CRYPTO_DEV``: crypto device to be used ('-w '). If none sp= ecified > + appropriate vdevs will be created by the script > + > +Note that most of the tests require the appropriate crypto PMD/device > +to be available. > + > +Server configuration > +~~~~~~~~~~~~~~~~~~~~ > + > +Two servers are required for the tests, SUT and DUT. > + > +Make sure the user from the SUT can ssh to the DUT without entering the > password. > +To enable this feature keys must be setup on the DUT. > + > +``ssh-keygen`` will make a private & public key pair on the SUT. > + > +``ssh-copy-id`` @ on the SUT will copy the > +public key to the DUT. It will ask for credentials so that it can upload= the > public key. > + > +The SUT and DUT are connected through at least 2 NIC ports. > + > +One NIC port is expected to be managed by linux on both machines and > +will be used as a control path. > + > +The second NIC port (test-port) should be bound to DPDK on the SUT, and > +should be managed by linux on the DUT. > + > +The script starts ``ipsec-secgw`` with 2 NIC devices: ``test-port`` and > +``tap vdev``. 
> + > +It then configures the local tap interface and the remote interface and > +IPsec policies in the following way: > + > +Traffic going over the test-port in both directions has to be protected = by > IPsec. > + > +Traffic going over the TAP port in both directions does not have to be > protected. > + > +i.e: > + > +DUT OS(NIC1)--(IPsec)-->(NIC1)ipsec-secgw(TAP)--(plain)-->(TAP)SUT OS > + > +SUT OS(TAP)--(plain)-->(TAP)psec-secgw(NIC1)--(IPsec)-->(NIC1)DUT OS > + > +It then tries to perform some data transfer using the scheme decribed ab= ove. > + > +usage > +~~~~~ > + > +In the ipsec-secgw/test directory > + > +to run one test for IPv4 or IPv6 > + > +/bin/bash linux_test(4|6).sh > + > +to run all tests for IPv4 or IPv6 > + > +/bin/bash run_test.sh -4|-6 > + > +For the list of available modes please refer to run_test.sh. > -- > 2.17.1
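
Review bot: in the release_19_02.rst hunk, the second paragraph of the new entry says the IPsec library "does not support all the functionality" of the existing application without naming what is missing, so a reader deciding whether to pass ``-l`` cannot tell which features they would lose. Suggest listing the unsupported features or pointing at the section of the guide that does. The same sentence has a typo, "its is planned to add", which should read "it is planned to add".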
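
Review bot: in the ipsec_secgw.rst usage-line hunk (93,6 +93,7), the added line spells the placeholder REPLAY_WINOW_SIZE; it should be REPLAY_WINDOW_SIZE, and the same misspelling is repeated in the ``-w`` entry of the option list that follows. The line also presents ``-w``, ``-e`` and ``-a`` as plain siblings of ``-l``, while the option descriptions say they are available only with the librte_ipsec code path; making that dependency visible in the synopsis would save readers from finding it only in the list below.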
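
Review bot: in the option-list hunk (114,6 +115,18), the ``-w`` entry gives neither a default nor a valid range for the replay window, and none of the ``-w``, ``-e`` and ``-a`` entries say what happens when the option is passed without ``-l``. Anti-replay window size and extended sequence numbers are security-relevant settings, so the guide should state the default window, say whether a particular value turns the anti-replay check off, and say whether these options are rejected or silently ignored when the librte_ipsec code path is not enabled.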
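
Review bot: in the "Example SA rules" hunk (571,6 +584,11), the new ``sa in 35`` rule passes 20 bytes to ``aead_key`` for ``aes-128-gcm`` with no explanation of the length. That is consistent with a 16-byte key followed by the 4-byte salt of the RFC 4106 keying material, but the example should say so, since a reader supplying a bare 16-byte key will otherwise not know why the rule fails to parse. It would also help to mark the repeated de:ad:be:ef value as a placeholder that must not be reused outside a test setup.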
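
Review bot: in the "Test directory" hunk, the "Server configuration" text asks for passwordless ssh from the SUT to the DUT but never says which account is used or which privileges it needs, although the later text says the script configures the remote interface and IPsec policies on the DUT. Please state the required privileges and recommend a dedicated key and account used only for the test setup. Smaller points in the same hunk: SUT and DUT are never expanded or defined; the second diagram line reads "psec-secgw" and the following sentence has "decribed"; and the two commands under "usage" should sit in a ``.. code-block:: console`` block like the Neighbour rules example just above.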