[dpdk-dev] RFC - IPsec Sample App

["Gonzalez Monroy, Sergio" <sergio.gonzalez.monroy@intel.com>]

We are looking for feedback on the proposal to create a new sample 
application
to showcase the new cryptodev library (1) for acceleration in both SW 
and HW of
crypto processing with a real world example of an IPsec implementation 
on DPDK.

In the proposed implementation the core IPsec logic will be based on a 
port of
NetBSD IPsec kernel module, and will support the ESP protocol and IPv4
tunneling only using statically defined key material (no external IKE client
support).

* Application Design

The sample application will be based on a simple l2fwd application with 
packets
being statically forwarded between defined ports. The IPsec processing of IP
packets will occur on the ethdev callbacks.

The library will have two processing paths, an ingress(inbound) and
egress(outbound) traffic path, which will handle bursts of packets and 
return
bursts of processed packets in an asynchronous fashion.

We envisage the APIs for processing bursts looking like the following:

int rte_ipsec_ingress_process_burst(struct rte_ipsec_instance *instance,
             struct rte_mbuf **pkts, int nb_pkts, int max_pkts);

int rte_ipsec_egress_process_burst(struct rte_ipsec_instance *instance,
             struct rte_mbuf **pkts, int nb_pkts, int max_pkts);

One or more cryptodevs must be bound to an IPsec instance. If more than one
cryptodev is bound to an instance then traffic balancing will be implemented
with the caveat that all packets from a flow will always be process on 
the same
cryptodev. It will also be possible to specify that a flow should be 
processed
on a specified device.

A set of generic APIs for the configuration of IPsec security policies and
associations will be provided, which will be independent of the 
underlying BSD
database implementation.

* NOTE
This sample app has a dependency on the new DPDK crypto API (1).

(1) http://dpdk.org/ml/archives/dev/2015-August/022930.html