DPDK patches and discussions
 help / color / mirror / Atom feed
* [dpdk-dev] [PATCH 0/3] add lookaside IPsec UDP encapsulation and transport mode
@ 2021-03-15 10:36 Tejasree Kondoj
  2021-03-15 10:36 ` [dpdk-dev] [PATCH 1/3] crypto/octeontx2: add UDP encapsulation support Tejasree Kondoj
                   ` (2 more replies)
  0 siblings, 3 replies; 13+ messages in thread
From: Tejasree Kondoj @ 2021-03-15 10:36 UTC (permalink / raw)
  To: Akhil Goyal, Radu Nicolau
  Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Jerin Jacob, dev

This series adds lookaside IPsec UDP encapsulation and transport mode support.
The functionality has been tested with ipsec-secgw application running in
lookaside protocol offload mode.

Tejasree Kondoj (3):
  crypto/octeontx2: add UDP encapsulation support
  examples/ipsec-secgw: add UDP encapsulation support
  crypto/octeontx2: support lookaside IPv4 transport mode

 doc/guides/cryptodevs/octeontx2.rst           |   2 +
 doc/guides/rel_notes/release_21_05.rst        |  10 ++
 doc/guides/sample_app_ug/ipsec_secgw.rst      |   5 +-
 drivers/crypto/octeontx2/otx2_cryptodev_ops.c |   7 +-
 drivers/crypto/octeontx2/otx2_cryptodev_sec.c | 126 ++++++++----------
 drivers/crypto/octeontx2/otx2_cryptodev_sec.h |   4 +-
 drivers/crypto/octeontx2/otx2_ipsec_po.h      |   6 +
 drivers/crypto/octeontx2/otx2_ipsec_po_ops.h  |   8 +-
 examples/ipsec-secgw/ipsec-secgw.c            |  33 ++++-
 examples/ipsec-secgw/ipsec-secgw.h            |   2 +
 examples/ipsec-secgw/ipsec.c                  |   1 +
 examples/ipsec-secgw/ipsec.h                  |   1 +
 examples/ipsec-secgw/sad.h                    |   5 +-
 13 files changed, 130 insertions(+), 80 deletions(-)

-- 
2.27.0


^ permalink raw reply	[flat|nested] 13+ messages in thread

* [dpdk-dev] [PATCH 1/3] crypto/octeontx2: add UDP encapsulation support
  2021-03-15 10:36 [dpdk-dev] [PATCH 0/3] add lookaside IPsec UDP encapsulation and transport mode Tejasree Kondoj
@ 2021-03-15 10:36 ` Tejasree Kondoj
  2021-03-15 10:36 ` [dpdk-dev] [PATCH 2/3] examples/ipsec-secgw: " Tejasree Kondoj
  2021-03-15 10:36 ` [dpdk-dev] [PATCH 3/3] crypto/octeontx2: support lookaside IPv4 transport mode Tejasree Kondoj
  2 siblings, 0 replies; 13+ messages in thread
From: Tejasree Kondoj @ 2021-03-15 10:36 UTC (permalink / raw)
  To: Akhil Goyal, Radu Nicolau
  Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Jerin Jacob, dev

Adding UDP encapsulation support for IPsec in
lookaside protocol mode.

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 doc/guides/cryptodevs/octeontx2.rst           |  1 +
 doc/guides/rel_notes/release_21_05.rst        |  5 +++
 drivers/crypto/octeontx2/otx2_cryptodev_sec.c | 40 ++++++-------------
 3 files changed, 18 insertions(+), 28 deletions(-)

diff --git a/doc/guides/cryptodevs/octeontx2.rst b/doc/guides/cryptodevs/octeontx2.rst
index d312eeb74c..b30f98180a 100644
--- a/doc/guides/cryptodevs/octeontx2.rst
+++ b/doc/guides/cryptodevs/octeontx2.rst
@@ -181,6 +181,7 @@ Features supported
 * Tunnel mode
 * ESN
 * Anti-replay
+* UDP Encapsulation
 * AES-128/192/256-GCM
 * AES-128/192/256-CBC-SHA1-HMAC
 * AES-128/192/256-CBC-SHA256-128-HMAC
diff --git a/doc/guides/rel_notes/release_21_05.rst b/doc/guides/rel_notes/release_21_05.rst
index 23f7f0bff9..66e28e21be 100644
--- a/doc/guides/rel_notes/release_21_05.rst
+++ b/doc/guides/rel_notes/release_21_05.rst
@@ -65,6 +65,11 @@ New Features
 
   * Added support for txgbevf PMD.
 
+* **Updated the OCTEON TX2 crypto PMD.**
+
+  * Updated the OCTEON TX2 crypto PMD lookaside protocol offload for IPsec with
+    UDP encapsulation support for NAT Traversal.
+
 * **Updated testpmd.**
 
   * Added command to display Rx queue used descriptor count.
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
index 342f089df8..8942ff1fac 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
@@ -203,6 +203,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 				     struct rte_security_session *sec_sess)
 {
 	struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
+	struct otx2_ipsec_po_ip_template *template;
 	const uint8_t *cipher_key, *auth_key;
 	struct otx2_sec_session_ipsec_lp *lp;
 	struct otx2_ipsec_po_sa_ctl *ctl;
@@ -248,11 +249,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 		if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
 
 			if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) {
-				if (ipsec->options.udp_encap) {
-					sa->aes_gcm.template.ip4.udp_src = 4500;
-					sa->aes_gcm.template.ip4.udp_dst = 4500;
-				}
-				ip = &sa->aes_gcm.template.ip4.ipv4_hdr;
+				template = &sa->aes_gcm.template;
 				ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
 						aes_gcm.template) + sizeof(
 						sa->aes_gcm.template.ip4);
@@ -260,11 +257,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 				lp->ctx_len = ctx_len >> 3;
 			} else if (ctl->auth_type ==
 					OTX2_IPSEC_PO_SA_AUTH_SHA1) {
-				if (ipsec->options.udp_encap) {
-					sa->sha1.template.ip4.udp_src = 4500;
-					sa->sha1.template.ip4.udp_dst = 4500;
-				}
-				ip = &sa->sha1.template.ip4.ipv4_hdr;
+				template = &sa->sha1.template;
 				ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
 						sha1.template) + sizeof(
 						sa->sha1.template.ip4);
@@ -272,11 +265,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 				lp->ctx_len = ctx_len >> 3;
 			} else if (ctl->auth_type ==
 					OTX2_IPSEC_PO_SA_AUTH_SHA2_256) {
-				if (ipsec->options.udp_encap) {
-					sa->sha2.template.ip4.udp_src = 4500;
-					sa->sha2.template.ip4.udp_dst = 4500;
-				}
-				ip = &sa->sha2.template.ip4.ipv4_hdr;
+				template = &sa->sha2.template;
 				ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
 						sha2.template) + sizeof(
 						sa->sha2.template.ip4);
@@ -285,8 +274,15 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 			} else {
 				return -EINVAL;
 			}
+			ip = &template->ip4.ipv4_hdr;
+			if (ipsec->options.udp_encap) {
+				ip->next_proto_id = IPPROTO_UDP;
+				template->ip4.udp_src = rte_be_to_cpu_16(4500);
+				template->ip4.udp_dst = rte_be_to_cpu_16(4500);
+			} else {
+				ip->next_proto_id = IPPROTO_ESP;
+			}
 			ip->version_ihl = RTE_IPV4_VHL_DEF;
-			ip->next_proto_id = IPPROTO_ESP;
 			ip->time_to_live = ipsec->tunnel.ipv4.ttl;
 			ip->type_of_service |= (ipsec->tunnel.ipv4.dscp << 2);
 			if (ipsec->tunnel.ipv4.df)
@@ -299,10 +295,6 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 				RTE_SECURITY_IPSEC_TUNNEL_IPV6) {
 
 			if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) {
-				if (ipsec->options.udp_encap) {
-					sa->aes_gcm.template.ip6.udp_src = 4500;
-					sa->aes_gcm.template.ip6.udp_dst = 4500;
-				}
 				ip6 = &sa->aes_gcm.template.ip6.ipv6_hdr;
 				ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
 						aes_gcm.template) + sizeof(
@@ -311,10 +303,6 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 				lp->ctx_len = ctx_len >> 3;
 			} else if (ctl->auth_type ==
 					OTX2_IPSEC_PO_SA_AUTH_SHA1) {
-				if (ipsec->options.udp_encap) {
-					sa->sha1.template.ip6.udp_src = 4500;
-					sa->sha1.template.ip6.udp_dst = 4500;
-				}
 				ip6 = &sa->sha1.template.ip6.ipv6_hdr;
 				ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
 						sha1.template) + sizeof(
@@ -323,10 +311,6 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 				lp->ctx_len = ctx_len >> 3;
 			} else if (ctl->auth_type ==
 					OTX2_IPSEC_PO_SA_AUTH_SHA2_256) {
-				if (ipsec->options.udp_encap) {
-					sa->sha2.template.ip6.udp_src = 4500;
-					sa->sha2.template.ip6.udp_dst = 4500;
-				}
 				ip6 = &sa->sha2.template.ip6.ipv6_hdr;
 				ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
 						sha2.template) + sizeof(
-- 
2.27.0


^ permalink raw reply	[flat|nested] 13+ messages in thread

* [dpdk-dev] [PATCH 2/3] examples/ipsec-secgw: add UDP encapsulation support
  2021-03-15 10:36 [dpdk-dev] [PATCH 0/3] add lookaside IPsec UDP encapsulation and transport mode Tejasree Kondoj
  2021-03-15 10:36 ` [dpdk-dev] [PATCH 1/3] crypto/octeontx2: add UDP encapsulation support Tejasree Kondoj
@ 2021-03-15 10:36 ` Tejasree Kondoj
  2021-03-19 16:46   ` Ananyev, Konstantin
  2021-03-15 10:36 ` [dpdk-dev] [PATCH 3/3] crypto/octeontx2: support lookaside IPv4 transport mode Tejasree Kondoj
  2 siblings, 1 reply; 13+ messages in thread
From: Tejasree Kondoj @ 2021-03-15 10:36 UTC (permalink / raw)
  To: Akhil Goyal, Radu Nicolau
  Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Jerin Jacob, dev

Adding lookaside IPsec UDP encapsulation support
for NAT traversal.
Added --udp-encap option for application to specify
if UDP encapsulation need to be enabled.
Example secgw command with UDP encapsultation enabled:
<secgw> -c 0x1 -- -P -p 0x1 --config "(0,0,0)" -f ep0.cfg --udp-encap

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 doc/guides/rel_notes/release_21_05.rst   |  5 ++++
 doc/guides/sample_app_ug/ipsec_secgw.rst |  5 +++-
 examples/ipsec-secgw/ipsec-secgw.c       | 33 ++++++++++++++++++++++--
 examples/ipsec-secgw/ipsec-secgw.h       |  2 ++
 examples/ipsec-secgw/ipsec.c             |  1 +
 examples/ipsec-secgw/ipsec.h             |  1 +
 examples/ipsec-secgw/sad.h               |  5 +++-
 7 files changed, 48 insertions(+), 4 deletions(-)

diff --git a/doc/guides/rel_notes/release_21_05.rst b/doc/guides/rel_notes/release_21_05.rst
index 66e28e21be..2e67038bfe 100644
--- a/doc/guides/rel_notes/release_21_05.rst
+++ b/doc/guides/rel_notes/release_21_05.rst
@@ -75,6 +75,11 @@ New Features
   * Added command to display Rx queue used descriptor count.
     ``show port (port_id) rxq (queue_id) desc used count``
 
+* **Updated ipsec-secgw sample application.**
+
+  * Updated the ``ipsec-secgw`` sample application with UDP encapsulation
+    support for NAT Traversal.
+
 
 Removed Items
 -------------
diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst
index 176e292d3f..099f499c18 100644
--- a/doc/guides/sample_app_ug/ipsec_secgw.rst
+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
@@ -139,6 +139,7 @@ The application has a number of command line options::
                         --reassemble NUM
                         --mtu MTU
                         --frag-ttl FRAG_TTL_NS
+                        --udp-encap
 
 Where:
 
@@ -234,6 +235,8 @@ Where:
     Should be lower for low number of reassembly buckets.
     Valid values: from 1 ns to 10 s. Default value: 10000000 (10 s).
 
+*   ``--udp-encap``: enables IPsec UDP Encapsulation for NAT Traversal.
+
 
 The mapping of lcores to port/queues is similar to other l3fwd applications.
 
@@ -1023,4 +1026,4 @@ Available options:
 *   ``-h`` Show usage.
 
 If <ipsec_mode> is specified, only tests for that mode will be invoked. For the
-list of available modes please refer to run_test.sh.
\ No newline at end of file
+list of available modes please refer to run_test.sh.
diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
index 20d69ba813..57c8973e9d 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -115,6 +115,7 @@ struct flow_info flow_info_tbl[RTE_MAX_ETHPORTS];
 #define CMD_LINE_OPT_REASSEMBLE		"reassemble"
 #define CMD_LINE_OPT_MTU		"mtu"
 #define CMD_LINE_OPT_FRAG_TTL		"frag-ttl"
+#define CMD_LINE_OPT_UDP_ENCAP		"udp-encap"
 
 #define CMD_LINE_ARG_EVENT	"event"
 #define CMD_LINE_ARG_POLL	"poll"
@@ -139,6 +140,7 @@ enum {
 	CMD_LINE_OPT_REASSEMBLE_NUM,
 	CMD_LINE_OPT_MTU_NUM,
 	CMD_LINE_OPT_FRAG_TTL_NUM,
+	CMD_LINE_OPT_UDP_ENCAP_NUM,
 };
 
 static const struct option lgopts[] = {
@@ -152,6 +154,7 @@ static const struct option lgopts[] = {
 	{CMD_LINE_OPT_REASSEMBLE, 1, 0, CMD_LINE_OPT_REASSEMBLE_NUM},
 	{CMD_LINE_OPT_MTU, 1, 0, CMD_LINE_OPT_MTU_NUM},
 	{CMD_LINE_OPT_FRAG_TTL, 1, 0, CMD_LINE_OPT_FRAG_TTL_NUM},
+	{CMD_LINE_OPT_UDP_ENCAP, 0, 0, CMD_LINE_OPT_UDP_ENCAP_NUM},
 	{NULL, 0, 0, 0}
 };
 
@@ -360,6 +363,9 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)
 	const struct rte_ether_hdr *eth;
 	const struct rte_ipv4_hdr *iph4;
 	const struct rte_ipv6_hdr *iph6;
+	const struct rte_udp_hdr *udp;
+	uint16_t nat_port;
+	uint16_t ip4_hdr_len;
 
 	eth = rte_pktmbuf_mtod(pkt, const struct rte_ether_hdr *);
 	if (eth->ether_type == rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4)) {
@@ -368,9 +374,26 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)
 			RTE_ETHER_HDR_LEN);
 		adjust_ipv4_pktlen(pkt, iph4, 0);
 
-		if (iph4->next_proto_id == IPPROTO_ESP)
+		switch (iph4->next_proto_id) {
+		case IPPROTO_ESP:
 			t->ipsec.pkts[(t->ipsec.num)++] = pkt;
-		else {
+			break;
+		case IPPROTO_UDP:
+			if (app_sa_prm.udp_encap == 1) {
+				ip4_hdr_len = ((iph4->version_ihl &
+					RTE_IPV4_HDR_IHL_MASK) *
+					RTE_IPV4_IHL_MULTIPLIER);
+				udp = rte_pktmbuf_mtod_offset(pkt,
+					struct rte_udp_hdr *, ip4_hdr_len);
+				nat_port = rte_cpu_to_be_16(IPSEC_NAT_T_PORT);
+				if (udp->src_port == nat_port ||
+					udp->dst_port == nat_port){
+					t->ipsec.pkts[(t->ipsec.num)++] = pkt;
+					break;
+				}
+			}
+		/* Fall through */
+		default:
 			t->ip4.data[t->ip4.num] = &iph4->next_proto_id;
 			t->ip4.pkts[(t->ip4.num)++] = pkt;
 		}
@@ -1378,6 +1401,7 @@ print_usage(const char *prgname)
 		" [--" CMD_LINE_OPT_TX_OFFLOAD " TX_OFFLOAD_MASK]"
 		" [--" CMD_LINE_OPT_REASSEMBLE " REASSEMBLE_TABLE_SIZE]"
 		" [--" CMD_LINE_OPT_MTU " MTU]"
+		" [--" CMD_LINE_OPT_UDP_ENCAP "]"
 		"\n\n"
 		"  -p PORTMASK: Hexadecimal bitmask of ports to configure\n"
 		"  -P : Enable promiscuous mode\n"
@@ -1431,6 +1455,8 @@ print_usage(const char *prgname)
 		"  --" CMD_LINE_OPT_FRAG_TTL " FRAG_TTL_NS"
 		": fragments lifetime in nanoseconds, default\n"
 		"    and maximum value is 10.000.000.000 ns (10 s)\n"
+		"  --" CMD_LINE_OPT_UDP_ENCAP
+		": enables UDP Encapsulation for NAT Traversal\n"
 		"\n",
 		prgname);
 }
@@ -1780,6 +1806,9 @@ parse_args(int32_t argc, char **argv, struct eh_conf *eh_conf)
 			}
 			frag_ttl_ns = ret;
 			break;
+		case CMD_LINE_OPT_UDP_ENCAP_NUM:
+			app_sa_prm.udp_encap = 1;
+			break;
 		default:
 			print_usage(prgname);
 			return -1;
diff --git a/examples/ipsec-secgw/ipsec-secgw.h b/examples/ipsec-secgw/ipsec-secgw.h
index f2281e73cf..6887d752ab 100644
--- a/examples/ipsec-secgw/ipsec-secgw.h
+++ b/examples/ipsec-secgw/ipsec-secgw.h
@@ -47,6 +47,8 @@
 
 #define ETHADDR(a, b, c, d, e, f) (__BYTES_TO_UINT64(a, b, c, d, e, f, 0, 0))
 
+#define IPSEC_NAT_T_PORT 4500
+
 struct traffic_type {
 	const uint8_t *data[MAX_PKT_BURST * 2];
 	struct rte_mbuf *pkts[MAX_PKT_BURST * 2];
diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
index 6baeeb342f..6e0caa198d 100644
--- a/examples/ipsec-secgw/ipsec.c
+++ b/examples/ipsec-secgw/ipsec.c
@@ -52,6 +52,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec)
 	ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT;
 	ipsec->replay_win_sz = app_sa_prm.window_size;
 	ipsec->options.esn = app_sa_prm.enable_esn;
+	ipsec->options.udp_encap = app_sa_prm.udp_encap;
 }
 
 int
diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
index 7031e28c46..430afea688 100644
--- a/examples/ipsec-secgw/ipsec.h
+++ b/examples/ipsec-secgw/ipsec.h
@@ -75,6 +75,7 @@ struct app_sa_prm {
 	uint32_t window_size; /* replay window size */
 	uint32_t enable_esn;  /* enable/disable ESN support */
 	uint32_t cache_sz;	/* per lcore SA cache size */
+	uint32_t udp_encap;   /* enable/disable UDP Encapsulation */
 	uint64_t flags;       /* rte_ipsec_sa_prm.flags */
 };
 
diff --git a/examples/ipsec-secgw/sad.h b/examples/ipsec-secgw/sad.h
index 473aaa938e..89b50488ec 100644
--- a/examples/ipsec-secgw/sad.h
+++ b/examples/ipsec-secgw/sad.h
@@ -77,6 +77,7 @@ sad_lookup(struct ipsec_sad *sad, struct rte_mbuf *pkts[],
 	uint32_t spi, cache_idx;
 	struct ipsec_sad_cache *cache;
 	struct ipsec_sa *cached_sa;
+	uint16_t udp_hdr_len = 0;
 	int is_ipv4;
 
 	cache  = &RTE_PER_LCORE(sad_cache);
@@ -85,8 +86,10 @@ sad_lookup(struct ipsec_sad *sad, struct rte_mbuf *pkts[],
 	for (i = 0; i < nb_pkts; i++) {
 		ipv4 = rte_pktmbuf_mtod(pkts[i], struct rte_ipv4_hdr *);
 		ipv6 = rte_pktmbuf_mtod(pkts[i], struct rte_ipv6_hdr *);
+		if (app_sa_prm.udp_encap == 1)
+			udp_hdr_len = sizeof(struct rte_udp_hdr);
 		esp = rte_pktmbuf_mtod_offset(pkts[i], struct rte_esp_hdr *,
-				pkts[i]->l3_len);
+				pkts[i]->l3_len + udp_hdr_len);
 
 		is_ipv4 = pkts[i]->packet_type & RTE_PTYPE_L3_IPV4;
 		spi = rte_be_to_cpu_32(esp->spi);
-- 
2.27.0


^ permalink raw reply	[flat|nested] 13+ messages in thread

* [dpdk-dev] [PATCH 3/3] crypto/octeontx2: support lookaside IPv4 transport mode
  2021-03-15 10:36 [dpdk-dev] [PATCH 0/3] add lookaside IPsec UDP encapsulation and transport mode Tejasree Kondoj
  2021-03-15 10:36 ` [dpdk-dev] [PATCH 1/3] crypto/octeontx2: add UDP encapsulation support Tejasree Kondoj
  2021-03-15 10:36 ` [dpdk-dev] [PATCH 2/3] examples/ipsec-secgw: " Tejasree Kondoj
@ 2021-03-15 10:36 ` Tejasree Kondoj
  2 siblings, 0 replies; 13+ messages in thread
From: Tejasree Kondoj @ 2021-03-15 10:36 UTC (permalink / raw)
  To: Akhil Goyal, Radu Nicolau
  Cc: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Jerin Jacob, dev

Adding support for IPv4 lookaside IPsec transport mode.

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 doc/guides/cryptodevs/octeontx2.rst           |   1 +
 drivers/crypto/octeontx2/otx2_cryptodev_ops.c |   7 +-
 drivers/crypto/octeontx2/otx2_cryptodev_sec.c | 110 ++++++++++--------
 drivers/crypto/octeontx2/otx2_cryptodev_sec.h |   4 +-
 drivers/crypto/octeontx2/otx2_ipsec_po.h      |   6 +
 drivers/crypto/octeontx2/otx2_ipsec_po_ops.h  |   8 +-
 6 files changed, 76 insertions(+), 60 deletions(-)

diff --git a/doc/guides/cryptodevs/octeontx2.rst b/doc/guides/cryptodevs/octeontx2.rst
index b30f98180a..811e61a1f6 100644
--- a/doc/guides/cryptodevs/octeontx2.rst
+++ b/doc/guides/cryptodevs/octeontx2.rst
@@ -179,6 +179,7 @@ Features supported
 * IPv6
 * ESP
 * Tunnel mode
+* Transport mode(IPv4)
 * ESN
 * Anti-replay
 * UDP Encapsulation
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
index cec20b5c6d..c20170bcaa 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_ops.c
@@ -928,7 +928,7 @@ otx2_cpt_sec_post_process(struct rte_crypto_op *cop, uintptr_t *rsp)
 	struct rte_mbuf *m = sym_op->m_src;
 	struct rte_ipv6_hdr *ip6;
 	struct rte_ipv4_hdr *ip;
-	uint16_t m_len;
+	uint16_t m_len = 0;
 	int mdata_len;
 	char *data;
 
@@ -938,11 +938,12 @@ otx2_cpt_sec_post_process(struct rte_crypto_op *cop, uintptr_t *rsp)
 	if (word0->s.opcode.major == OTX2_IPSEC_PO_PROCESS_IPSEC_INB) {
 		data = rte_pktmbuf_mtod(m, char *);
 
-		if (rsp[4] == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
+		if (rsp[4] == OTX2_IPSEC_PO_TRANSPORT ||
+		    rsp[4] == OTX2_IPSEC_PO_TUNNEL_IPV4) {
 			ip = (struct rte_ipv4_hdr *)(data +
 				OTX2_IPSEC_PO_INB_RPTR_HDR);
 			m_len = rte_be_to_cpu_16(ip->total_length);
-		} else {
+		} else if (rsp[4] == OTX2_IPSEC_PO_TUNNEL_IPV6) {
 			ip6 = (struct rte_ipv6_hdr *)(data +
 				OTX2_IPSEC_PO_INB_RPTR_HDR);
 			m_len = rte_be_to_cpu_16(ip6->payload_len) +
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
index 8942ff1fac..6493ce8370 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
@@ -25,12 +25,15 @@ ipsec_lp_len_precalc(struct rte_security_ipsec_xform *ipsec,
 {
 	struct rte_crypto_sym_xform *cipher_xform, *auth_xform;
 
-	if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)
-		lp->partial_len = sizeof(struct rte_ipv4_hdr);
-	else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6)
-		lp->partial_len = sizeof(struct rte_ipv6_hdr);
-	else
-		return -EINVAL;
+	lp->partial_len = 0;
+	if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
+		if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)
+			lp->partial_len = sizeof(struct rte_ipv4_hdr);
+		else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6)
+			lp->partial_len = sizeof(struct rte_ipv6_hdr);
+		else
+			return -EINVAL;
+	}
 
 	if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP) {
 		lp->partial_len += sizeof(struct rte_esp_hdr);
@@ -203,7 +206,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 				     struct rte_security_session *sec_sess)
 {
 	struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
-	struct otx2_ipsec_po_ip_template *template;
+	struct otx2_ipsec_po_ip_template *template = NULL;
 	const uint8_t *cipher_key, *auth_key;
 	struct otx2_sec_session_ipsec_lp *lp;
 	struct otx2_ipsec_po_sa_ctl *ctl;
@@ -229,10 +232,10 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 	memset(sa, 0, sizeof(struct otx2_ipsec_po_out_sa));
 
 	/* Initialize lookaside ipsec private data */
+	lp->mode_type = OTX2_IPSEC_PO_TRANSPORT;
 	lp->ip_id = 0;
 	lp->seq_lo = 1;
 	lp->seq_hi = 0;
-	lp->tunnel_type = ipsec->tunnel.type;
 
 	ret = ipsec_po_sa_ctl_set(ipsec, crypto_xform, ctl);
 	if (ret)
@@ -242,46 +245,47 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 	if (ret)
 		return ret;
 
-	if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
-		/* Start ip id from 1 */
-		lp->ip_id = 1;
+	/* Start ip id from 1 */
+	lp->ip_id = 1;
+
+	if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) {
+		template = &sa->aes_gcm.template;
+		ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
+				aes_gcm.template) + sizeof(
+				sa->aes_gcm.template.ip4);
+		ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
+		lp->ctx_len = ctx_len >> 3;
+	} else if (ctl->auth_type ==
+			OTX2_IPSEC_PO_SA_AUTH_SHA1) {
+		template = &sa->sha1.template;
+		ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
+				sha1.template) + sizeof(
+				sa->sha1.template.ip4);
+		ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
+		lp->ctx_len = ctx_len >> 3;
+	} else if (ctl->auth_type ==
+			OTX2_IPSEC_PO_SA_AUTH_SHA2_256) {
+		template = &sa->sha2.template;
+		ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
+				sha2.template) + sizeof(
+				sa->sha2.template.ip4);
+		ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
+		lp->ctx_len = ctx_len >> 3;
+	} else {
+		return -EINVAL;
+	}
+	ip = &template->ip4.ipv4_hdr;
+	if (ipsec->options.udp_encap) {
+		ip->next_proto_id = IPPROTO_UDP;
+		template->ip4.udp_src = rte_be_to_cpu_16(4500);
+		template->ip4.udp_dst = rte_be_to_cpu_16(4500);
+	} else {
+		ip->next_proto_id = IPPROTO_ESP;
+	}
 
+	if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
 		if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
-
-			if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) {
-				template = &sa->aes_gcm.template;
-				ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
-						aes_gcm.template) + sizeof(
-						sa->aes_gcm.template.ip4);
-				ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
-				lp->ctx_len = ctx_len >> 3;
-			} else if (ctl->auth_type ==
-					OTX2_IPSEC_PO_SA_AUTH_SHA1) {
-				template = &sa->sha1.template;
-				ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
-						sha1.template) + sizeof(
-						sa->sha1.template.ip4);
-				ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
-				lp->ctx_len = ctx_len >> 3;
-			} else if (ctl->auth_type ==
-					OTX2_IPSEC_PO_SA_AUTH_SHA2_256) {
-				template = &sa->sha2.template;
-				ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
-						sha2.template) + sizeof(
-						sa->sha2.template.ip4);
-				ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
-				lp->ctx_len = ctx_len >> 3;
-			} else {
-				return -EINVAL;
-			}
-			ip = &template->ip4.ipv4_hdr;
-			if (ipsec->options.udp_encap) {
-				ip->next_proto_id = IPPROTO_UDP;
-				template->ip4.udp_src = rte_be_to_cpu_16(4500);
-				template->ip4.udp_dst = rte_be_to_cpu_16(4500);
-			} else {
-				ip->next_proto_id = IPPROTO_ESP;
-			}
+			lp->mode_type = OTX2_IPSEC_PO_TUNNEL_IPV4;
 			ip->version_ihl = RTE_IPV4_VHL_DEF;
 			ip->time_to_live = ipsec->tunnel.ipv4.ttl;
 			ip->type_of_service |= (ipsec->tunnel.ipv4.dscp << 2);
@@ -294,6 +298,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 		} else if (ipsec->tunnel.type ==
 				RTE_SECURITY_IPSEC_TUNNEL_IPV6) {
 
+			lp->mode_type = OTX2_IPSEC_PO_TUNNEL_IPV6;
 			if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) {
 				ip6 = &sa->aes_gcm.template.ip6.ipv6_hdr;
 				ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
@@ -336,11 +341,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 				sizeof(struct in6_addr));
 			memcpy(&ip6->dst_addr, &ipsec->tunnel.ipv6.dst_addr,
 				sizeof(struct in6_addr));
-		} else {
-			return -EINVAL;
 		}
-	} else {
-		return -EINVAL;
 	}
 
 	cipher_xform = crypto_xform;
@@ -421,13 +422,20 @@ crypto_sec_ipsec_inb_session_create(struct rte_cryptodev *crypto_dev,
 	if (ret)
 		return ret;
 
-	lp->tunnel_type = ipsec->tunnel.type;
+	lp->mode_type = OTX2_IPSEC_PO_TRANSPORT;
+
 	auth_xform = crypto_xform;
 	cipher_xform = crypto_xform->next;
 
 	cipher_key_len = 0;
 	auth_key_len = 0;
 
+	if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
+		lp->mode_type = (ipsec->tunnel.type ==
+				RTE_SECURITY_IPSEC_TUNNEL_IPV4) ?
+				OTX2_IPSEC_PO_TUNNEL_IPV4 :
+				OTX2_IPSEC_PO_TUNNEL_IPV6;
+
 	if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
 		if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM)
 			memcpy(sa->iv.gcm.nonce, &ipsec->salt, 4);
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_sec.h b/drivers/crypto/octeontx2/otx2_cryptodev_sec.h
index 2849c1ab75..87f55c97fe 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_sec.h
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_sec.h
@@ -55,8 +55,8 @@ struct otx2_sec_session_ipsec_lp {
 	uint8_t iv_length;
 	/** Auth IV length in bytes */
 	uint8_t auth_iv_length;
-	/** IPsec tunnel type */
-	enum rte_security_ipsec_tunnel_type tunnel_type;
+	/** IPsec mode and tunnel type */
+	enum otx2_ipsec_po_mode_type mode_type;
 };
 
 int otx2_crypto_sec_ctx_create(struct rte_cryptodev *crypto_dev);
diff --git a/drivers/crypto/octeontx2/otx2_ipsec_po.h b/drivers/crypto/octeontx2/otx2_ipsec_po.h
index 8a672a38ea..faa434dae3 100644
--- a/drivers/crypto/octeontx2/otx2_ipsec_po.h
+++ b/drivers/crypto/octeontx2/otx2_ipsec_po.h
@@ -20,6 +20,12 @@
 
 #define OTX2_IPSEC_PO_INB_RPTR_HDR         0x8
 
+enum otx2_ipsec_po_mode_type {
+	OTX2_IPSEC_PO_TRANSPORT = 1,
+	OTX2_IPSEC_PO_TUNNEL_IPV4,
+	OTX2_IPSEC_PO_TUNNEL_IPV6,
+};
+
 enum otx2_ipsec_po_comp_e {
 	OTX2_IPSEC_PO_CC_SUCCESS = 0x00,
 	OTX2_IPSEC_PO_CC_AUTH_UNSUPPORTED = 0xB0,
diff --git a/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h b/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h
index f4cab19811..58b199f4f3 100644
--- a/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h
+++ b/drivers/crypto/octeontx2/otx2_ipsec_po_ops.h
@@ -26,7 +26,7 @@ otx2_ipsec_po_out_rlen_get(struct otx2_sec_session_ipsec_lp *sess,
 
 static __rte_always_inline struct cpt_request_info *
 alloc_request_struct(char *maddr, void *cop, int mdata_len,
-		     enum rte_security_ipsec_tunnel_type tunnel_type)
+		     enum otx2_ipsec_po_mode_type mode_type)
 {
 	struct cpt_request_info *req;
 	struct cpt_meta_info *meta;
@@ -48,7 +48,7 @@ alloc_request_struct(char *maddr, void *cop, int mdata_len,
 	op[1] = (uintptr_t)cop;
 	op[2] = (uintptr_t)req;
 	op[3] = mdata_len;
-	op[4] = tunnel_type;
+	op[4] = mode_type;
 
 	return req;
 }
@@ -89,7 +89,7 @@ process_outb_sa(struct rte_crypto_op *cop,
 
 	mdata += extend_tail; /* mdata follows encrypted data */
 	req = alloc_request_struct(mdata, (void *)cop, mdata_len,
-		sess->tunnel_type);
+		sess->mode_type);
 
 	data = rte_pktmbuf_prepend(m_src, extend_head);
 	if (unlikely(data == NULL)) {
@@ -162,7 +162,7 @@ process_inb_sa(struct rte_crypto_op *cop,
 	}
 
 	req = alloc_request_struct(mdata, (void *)cop, mdata_len,
-		sess->tunnel_type);
+		sess->mode_type);
 
 	/* Prepare CPT instruction */
 	word0.u64 = sess->ucmd_w0;
-- 
2.27.0


^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [dpdk-dev] [PATCH 2/3] examples/ipsec-secgw: add UDP encapsulation support
  2021-03-15 10:36 ` [dpdk-dev] [PATCH 2/3] examples/ipsec-secgw: " Tejasree Kondoj
@ 2021-03-19 16:46   ` Ananyev, Konstantin
  2021-03-23  8:02     ` Akhil Goyal
  0 siblings, 1 reply; 13+ messages in thread
From: Ananyev, Konstantin @ 2021-03-19 16:46 UTC (permalink / raw)
  To: Tejasree Kondoj, Akhil Goyal, Nicolau, Radu
  Cc: Anoob Joseph, Ankur Dwivedi, Jerin Jacob, dev

Hi, 
> Adding lookaside IPsec UDP encapsulation support
> for NAT traversal.
> Added --udp-encap option for application to specify
> if UDP encapsulation need to be enabled.
> Example secgw command with UDP encapsultation enabled:
> <secgw> -c 0x1 -- -P -p 0x1 --config "(0,0,0)" -f ep0.cfg --udp-encap

Can we have it not as global, but a per SA option?
Add new keyword for SA/SP into ipsec-secgw config file, etc.
Konstantin  

> 
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> ---
>  doc/guides/rel_notes/release_21_05.rst   |  5 ++++
>  doc/guides/sample_app_ug/ipsec_secgw.rst |  5 +++-
>  examples/ipsec-secgw/ipsec-secgw.c       | 33 ++++++++++++++++++++++--
>  examples/ipsec-secgw/ipsec-secgw.h       |  2 ++
>  examples/ipsec-secgw/ipsec.c             |  1 +
>  examples/ipsec-secgw/ipsec.h             |  1 +
>  examples/ipsec-secgw/sad.h               |  5 +++-
>  7 files changed, 48 insertions(+), 4 deletions(-)
> 
> diff --git a/doc/guides/rel_notes/release_21_05.rst b/doc/guides/rel_notes/release_21_05.rst
> index 66e28e21be..2e67038bfe 100644
> --- a/doc/guides/rel_notes/release_21_05.rst
> +++ b/doc/guides/rel_notes/release_21_05.rst
> @@ -75,6 +75,11 @@ New Features
>    * Added command to display Rx queue used descriptor count.
>      ``show port (port_id) rxq (queue_id) desc used count``
> 
> +* **Updated ipsec-secgw sample application.**
> +
> +  * Updated the ``ipsec-secgw`` sample application with UDP encapsulation
> +    support for NAT Traversal.
> +
> 
>  Removed Items
>  -------------
> diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst
> index 176e292d3f..099f499c18 100644
> --- a/doc/guides/sample_app_ug/ipsec_secgw.rst
> +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
> @@ -139,6 +139,7 @@ The application has a number of command line options::
>                          --reassemble NUM
>                          --mtu MTU
>                          --frag-ttl FRAG_TTL_NS
> +                        --udp-encap
> 
>  Where:
> 
> @@ -234,6 +235,8 @@ Where:
>      Should be lower for low number of reassembly buckets.
>      Valid values: from 1 ns to 10 s. Default value: 10000000 (10 s).
> 
> +*   ``--udp-encap``: enables IPsec UDP Encapsulation for NAT Traversal.
> +
> 
>  The mapping of lcores to port/queues is similar to other l3fwd applications.
> 
> @@ -1023,4 +1026,4 @@ Available options:
>  *   ``-h`` Show usage.
> 
>  If <ipsec_mode> is specified, only tests for that mode will be invoked. For the
> -list of available modes please refer to run_test.sh.
> \ No newline at end of file
> +list of available modes please refer to run_test.sh.
> diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
> index 20d69ba813..57c8973e9d 100644
> --- a/examples/ipsec-secgw/ipsec-secgw.c
> +++ b/examples/ipsec-secgw/ipsec-secgw.c
> @@ -115,6 +115,7 @@ struct flow_info flow_info_tbl[RTE_MAX_ETHPORTS];
>  #define CMD_LINE_OPT_REASSEMBLE		"reassemble"
>  #define CMD_LINE_OPT_MTU		"mtu"
>  #define CMD_LINE_OPT_FRAG_TTL		"frag-ttl"
> +#define CMD_LINE_OPT_UDP_ENCAP		"udp-encap"
> 
>  #define CMD_LINE_ARG_EVENT	"event"
>  #define CMD_LINE_ARG_POLL	"poll"
> @@ -139,6 +140,7 @@ enum {
>  	CMD_LINE_OPT_REASSEMBLE_NUM,
>  	CMD_LINE_OPT_MTU_NUM,
>  	CMD_LINE_OPT_FRAG_TTL_NUM,
> +	CMD_LINE_OPT_UDP_ENCAP_NUM,
>  };
> 
>  static const struct option lgopts[] = {
> @@ -152,6 +154,7 @@ static const struct option lgopts[] = {
>  	{CMD_LINE_OPT_REASSEMBLE, 1, 0, CMD_LINE_OPT_REASSEMBLE_NUM},
>  	{CMD_LINE_OPT_MTU, 1, 0, CMD_LINE_OPT_MTU_NUM},
>  	{CMD_LINE_OPT_FRAG_TTL, 1, 0, CMD_LINE_OPT_FRAG_TTL_NUM},
> +	{CMD_LINE_OPT_UDP_ENCAP, 0, 0, CMD_LINE_OPT_UDP_ENCAP_NUM},
>  	{NULL, 0, 0, 0}
>  };
> 
> @@ -360,6 +363,9 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)
>  	const struct rte_ether_hdr *eth;
>  	const struct rte_ipv4_hdr *iph4;
>  	const struct rte_ipv6_hdr *iph6;
> +	const struct rte_udp_hdr *udp;
> +	uint16_t nat_port;
> +	uint16_t ip4_hdr_len;
> 
>  	eth = rte_pktmbuf_mtod(pkt, const struct rte_ether_hdr *);
>  	if (eth->ether_type == rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4)) {
> @@ -368,9 +374,26 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)
>  			RTE_ETHER_HDR_LEN);
>  		adjust_ipv4_pktlen(pkt, iph4, 0);
> 
> -		if (iph4->next_proto_id == IPPROTO_ESP)
> +		switch (iph4->next_proto_id) {
> +		case IPPROTO_ESP:
>  			t->ipsec.pkts[(t->ipsec.num)++] = pkt;
> -		else {
> +			break;
> +		case IPPROTO_UDP:
> +			if (app_sa_prm.udp_encap == 1) {
> +				ip4_hdr_len = ((iph4->version_ihl &
> +					RTE_IPV4_HDR_IHL_MASK) *
> +					RTE_IPV4_IHL_MULTIPLIER);
> +				udp = rte_pktmbuf_mtod_offset(pkt,
> +					struct rte_udp_hdr *, ip4_hdr_len);
> +				nat_port = rte_cpu_to_be_16(IPSEC_NAT_T_PORT);
> +				if (udp->src_port == nat_port ||
> +					udp->dst_port == nat_port){
> +					t->ipsec.pkts[(t->ipsec.num)++] = pkt;
> +					break;
> +				}
> +			}
> +		/* Fall through */
> +		default:
>  			t->ip4.data[t->ip4.num] = &iph4->next_proto_id;
>  			t->ip4.pkts[(t->ip4.num)++] = pkt;
>  		}
> @@ -1378,6 +1401,7 @@ print_usage(const char *prgname)
>  		" [--" CMD_LINE_OPT_TX_OFFLOAD " TX_OFFLOAD_MASK]"
>  		" [--" CMD_LINE_OPT_REASSEMBLE " REASSEMBLE_TABLE_SIZE]"
>  		" [--" CMD_LINE_OPT_MTU " MTU]"
> +		" [--" CMD_LINE_OPT_UDP_ENCAP "]"
>  		"\n\n"
>  		"  -p PORTMASK: Hexadecimal bitmask of ports to configure\n"
>  		"  -P : Enable promiscuous mode\n"
> @@ -1431,6 +1455,8 @@ print_usage(const char *prgname)
>  		"  --" CMD_LINE_OPT_FRAG_TTL " FRAG_TTL_NS"
>  		": fragments lifetime in nanoseconds, default\n"
>  		"    and maximum value is 10.000.000.000 ns (10 s)\n"
> +		"  --" CMD_LINE_OPT_UDP_ENCAP
> +		": enables UDP Encapsulation for NAT Traversal\n"
>  		"\n",
>  		prgname);
>  }
> @@ -1780,6 +1806,9 @@ parse_args(int32_t argc, char **argv, struct eh_conf *eh_conf)
>  			}
>  			frag_ttl_ns = ret;
>  			break;
> +		case CMD_LINE_OPT_UDP_ENCAP_NUM:
> +			app_sa_prm.udp_encap = 1;
> +			break;
>  		default:
>  			print_usage(prgname);
>  			return -1;
> diff --git a/examples/ipsec-secgw/ipsec-secgw.h b/examples/ipsec-secgw/ipsec-secgw.h
> index f2281e73cf..6887d752ab 100644
> --- a/examples/ipsec-secgw/ipsec-secgw.h
> +++ b/examples/ipsec-secgw/ipsec-secgw.h
> @@ -47,6 +47,8 @@
> 
>  #define ETHADDR(a, b, c, d, e, f) (__BYTES_TO_UINT64(a, b, c, d, e, f, 0, 0))
> 
> +#define IPSEC_NAT_T_PORT 4500
> +
>  struct traffic_type {
>  	const uint8_t *data[MAX_PKT_BURST * 2];
>  	struct rte_mbuf *pkts[MAX_PKT_BURST * 2];
> diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
> index 6baeeb342f..6e0caa198d 100644
> --- a/examples/ipsec-secgw/ipsec.c
> +++ b/examples/ipsec-secgw/ipsec.c
> @@ -52,6 +52,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec)
>  	ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT;
>  	ipsec->replay_win_sz = app_sa_prm.window_size;
>  	ipsec->options.esn = app_sa_prm.enable_esn;
> +	ipsec->options.udp_encap = app_sa_prm.udp_encap;
>  }
> 
>  int
> diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
> index 7031e28c46..430afea688 100644
> --- a/examples/ipsec-secgw/ipsec.h
> +++ b/examples/ipsec-secgw/ipsec.h
> @@ -75,6 +75,7 @@ struct app_sa_prm {
>  	uint32_t window_size; /* replay window size */
>  	uint32_t enable_esn;  /* enable/disable ESN support */
>  	uint32_t cache_sz;	/* per lcore SA cache size */
> +	uint32_t udp_encap;   /* enable/disable UDP Encapsulation */
>  	uint64_t flags;       /* rte_ipsec_sa_prm.flags */
>  };
> 
> diff --git a/examples/ipsec-secgw/sad.h b/examples/ipsec-secgw/sad.h
> index 473aaa938e..89b50488ec 100644
> --- a/examples/ipsec-secgw/sad.h
> +++ b/examples/ipsec-secgw/sad.h
> @@ -77,6 +77,7 @@ sad_lookup(struct ipsec_sad *sad, struct rte_mbuf *pkts[],
>  	uint32_t spi, cache_idx;
>  	struct ipsec_sad_cache *cache;
>  	struct ipsec_sa *cached_sa;
> +	uint16_t udp_hdr_len = 0;
>  	int is_ipv4;
> 
>  	cache  = &RTE_PER_LCORE(sad_cache);
> @@ -85,8 +86,10 @@ sad_lookup(struct ipsec_sad *sad, struct rte_mbuf *pkts[],
>  	for (i = 0; i < nb_pkts; i++) {
>  		ipv4 = rte_pktmbuf_mtod(pkts[i], struct rte_ipv4_hdr *);
>  		ipv6 = rte_pktmbuf_mtod(pkts[i], struct rte_ipv6_hdr *);
> +		if (app_sa_prm.udp_encap == 1)
> +			udp_hdr_len = sizeof(struct rte_udp_hdr);
>  		esp = rte_pktmbuf_mtod_offset(pkts[i], struct rte_esp_hdr *,
> -				pkts[i]->l3_len);
> +				pkts[i]->l3_len + udp_hdr_len);
> 
>  		is_ipv4 = pkts[i]->packet_type & RTE_PTYPE_L3_IPV4;
>  		spi = rte_be_to_cpu_32(esp->spi);
> --
> 2.27.0


^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [dpdk-dev] [PATCH 2/3] examples/ipsec-secgw: add UDP encapsulation support
  2021-03-19 16:46   ` Ananyev, Konstantin
@ 2021-03-23  8:02     ` Akhil Goyal
  2021-03-23 14:29       ` Ananyev, Konstantin
  0 siblings, 1 reply; 13+ messages in thread
From: Akhil Goyal @ 2021-03-23  8:02 UTC (permalink / raw)
  To: Ananyev, Konstantin, Tejasree Kondoj, Nicolau, Radu
  Cc: Anoob Joseph, Ankur Dwivedi, Jerin Jacob Kollanukkaran, dev

Hi Konstantin,
> Hi,
> > Adding lookaside IPsec UDP encapsulation support
> > for NAT traversal.
> > Added --udp-encap option for application to specify
> > if UDP encapsulation need to be enabled.
> > Example secgw command with UDP encapsultation enabled:
> > <secgw> -c 0x1 -- -P -p 0x1 --config "(0,0,0)" -f ep0.cfg --udp-encap
> 
> Can we have it not as global, but a per SA option?
> Add new keyword for SA/SP into ipsec-secgw config file, etc.
> Konstantin
> 

Any specific reason to make udp_encap as per SA?
UDP encapsulation is a feature which I believe should be application vide.
If it supports the feature it should be enabled for all SAs when the UDP port
is 4500 which is reserved for it. 

Regards,
Akhil

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [dpdk-dev] [PATCH 2/3] examples/ipsec-secgw: add UDP encapsulation support
  2021-03-23  8:02     ` Akhil Goyal
@ 2021-03-23 14:29       ` Ananyev, Konstantin
  2021-03-23 15:06         ` Akhil Goyal
  0 siblings, 1 reply; 13+ messages in thread
From: Ananyev, Konstantin @ 2021-03-23 14:29 UTC (permalink / raw)
  To: Akhil Goyal, Tejasree Kondoj, Nicolau, Radu
  Cc: Anoob Joseph, Ankur Dwivedi, Jerin Jacob Kollanukkaran, dev


Hi Akhil,
 
> Hi Konstantin,
> > Hi,
> > > Adding lookaside IPsec UDP encapsulation support
> > > for NAT traversal.
> > > Added --udp-encap option for application to specify
> > > if UDP encapsulation need to be enabled.
> > > Example secgw command with UDP encapsultation enabled:
> > > <secgw> -c 0x1 -- -P -p 0x1 --config "(0,0,0)" -f ep0.cfg --udp-encap
> >
> > Can we have it not as global, but a per SA option?
> > Add new keyword for SA/SP into ipsec-secgw config file, etc.
> > Konstantin
> >
> 
> Any specific reason to make udp_encap as per SA?
> UDP encapsulation is a feature which I believe should be application vide.
> If it supports the feature it should be enabled for all SAs when the UDP port
> is 4500 which is reserved for it.

Not sure why it has to be application wide?
Why it is not possible have let say SA1 in ipv4/ipv6 tunnel mode over port 0,
and SA2 with udp encap over port 1?
Note that in DPDK librte_security it is per SA option.
Konstantin

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [dpdk-dev] [PATCH 2/3] examples/ipsec-secgw: add UDP encapsulation support
  2021-03-23 14:29       ` Ananyev, Konstantin
@ 2021-03-23 15:06         ` Akhil Goyal
  2021-03-23 15:46           ` Ananyev, Konstantin
  0 siblings, 1 reply; 13+ messages in thread
From: Akhil Goyal @ 2021-03-23 15:06 UTC (permalink / raw)
  To: Ananyev, Konstantin, Tejasree Kondoj, Nicolau, Radu
  Cc: Anoob Joseph, Ankur Dwivedi, Jerin Jacob Kollanukkaran, dev

Hi Konstantin,
> 
> Hi Akhil,
> > > > Adding lookaside IPsec UDP encapsulation support
> > > > for NAT traversal.
> > > > Added --udp-encap option for application to specify
> > > > if UDP encapsulation need to be enabled.
> > > > Example secgw command with UDP encapsultation enabled:
> > > > <secgw> -c 0x1 -- -P -p 0x1 --config "(0,0,0)" -f ep0.cfg --udp-encap
> > >
> > > Can we have it not as global, but a per SA option?
> > > Add new keyword for SA/SP into ipsec-secgw config file, etc.
> > > Konstantin
> > >
> >
> > Any specific reason to make udp_encap as per SA?
> > UDP encapsulation is a feature which I believe should be application vide.
> > If it supports the feature it should be enabled for all SAs when the UDP port
> > is 4500 which is reserved for it.
> 
> Not sure why it has to be application wide?
> Why it is not possible have let say SA1 in ipv4/ipv6 tunnel mode over port 0,
> and SA2 with udp encap over port 1?
> Note that in DPDK librte_security it is per SA option.

UDP encapsulation can be done only if the UDP port is 4500 as per the specification.
Please correct me if I am wrong. So if UDP port is NOT 4500 and udp-encap is enabled in the
Command line, UDP encapsulation will not work.

Hence it does make sense to make it application vide. It will be tedious for the user to
Add this in every SA.

Regards,
Akhil



^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [dpdk-dev] [PATCH 2/3] examples/ipsec-secgw: add UDP encapsulation support
  2021-03-23 15:06         ` Akhil Goyal
@ 2021-03-23 15:46           ` Ananyev, Konstantin
  2021-03-23 17:54             ` Akhil Goyal
  0 siblings, 1 reply; 13+ messages in thread
From: Ananyev, Konstantin @ 2021-03-23 15:46 UTC (permalink / raw)
  To: Akhil Goyal, Tejasree Kondoj, Nicolau, Radu
  Cc: Anoob Joseph, Ankur Dwivedi, Jerin Jacob Kollanukkaran, dev


> Hi Konstantin,
> >
> > Hi Akhil,
> > > > > Adding lookaside IPsec UDP encapsulation support
> > > > > for NAT traversal.
> > > > > Added --udp-encap option for application to specify
> > > > > if UDP encapsulation need to be enabled.
> > > > > Example secgw command with UDP encapsultation enabled:
> > > > > <secgw> -c 0x1 -- -P -p 0x1 --config "(0,0,0)" -f ep0.cfg --udp-encap
> > > >
> > > > Can we have it not as global, but a per SA option?
> > > > Add new keyword for SA/SP into ipsec-secgw config file, etc.
> > > > Konstantin
> > > >
> > >
> > > Any specific reason to make udp_encap as per SA?
> > > UDP encapsulation is a feature which I believe should be application vide.
> > > If it supports the feature it should be enabled for all SAs when the UDP port
> > > is 4500 which is reserved for it.
> >
> > Not sure why it has to be application wide?
> > Why it is not possible have let say SA1 in ipv4/ipv6 tunnel mode over port 0,
> > and SA2 with udp encap over port 1?
> > Note that in DPDK librte_security it is per SA option.
> 
> UDP encapsulation can be done only if the UDP port is 4500 as per the specification.
> Please correct me if I am wrong. So if UDP port is NOT 4500 and udp-encap is enabled in the
> Command line, UDP encapsulation will not work.

I am not asking you so support multiple UDP ports for IPsec encapsulation.
What I am saying: it should be possible to use SAs with UDP encapsulation
along with SAs without (plain tunnel/transport mode).
As I understand with your patch it is not possible: if user specified --udp-encap
all SAs (on all crypto-devs) will be treated as UDP encapsulated. 

> 
> Hence it does make sense to make it application vide. It will be tedious for the user to
> Add this in every SA.
> 
> Regards,
> Akhil
> 


^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [dpdk-dev] [PATCH 2/3] examples/ipsec-secgw: add UDP encapsulation support
  2021-03-23 15:46           ` Ananyev, Konstantin
@ 2021-03-23 17:54             ` Akhil Goyal
  2021-03-24  9:45               ` Tejasree Kondoj
  0 siblings, 1 reply; 13+ messages in thread
From: Akhil Goyal @ 2021-03-23 17:54 UTC (permalink / raw)
  To: Ananyev, Konstantin, Tejasree Kondoj, Nicolau, Radu
  Cc: Anoob Joseph, Ankur Dwivedi, Jerin Jacob Kollanukkaran, dev

> 
> > Hi Konstantin,
> > >
> > > Hi Akhil,
> > > > > > Adding lookaside IPsec UDP encapsulation support
> > > > > > for NAT traversal.
> > > > > > Added --udp-encap option for application to specify
> > > > > > if UDP encapsulation need to be enabled.
> > > > > > Example secgw command with UDP encapsultation enabled:
> > > > > > <secgw> -c 0x1 -- -P -p 0x1 --config "(0,0,0)" -f ep0.cfg --udp-encap
> > > > >
> > > > > Can we have it not as global, but a per SA option?
> > > > > Add new keyword for SA/SP into ipsec-secgw config file, etc.
> > > > > Konstantin
> > > > >
> > > >
> > > > Any specific reason to make udp_encap as per SA?
> > > > UDP encapsulation is a feature which I believe should be application
> vide.
> > > > If it supports the feature it should be enabled for all SAs when the UDP
> port
> > > > is 4500 which is reserved for it.
> > >
> > > Not sure why it has to be application wide?
> > > Why it is not possible have let say SA1 in ipv4/ipv6 tunnel mode over port
> 0,
> > > and SA2 with udp encap over port 1?
> > > Note that in DPDK librte_security it is per SA option.
> >
> > UDP encapsulation can be done only if the UDP port is 4500 as per the
> specification.
> > Please correct me if I am wrong. So if UDP port is NOT 4500 and udp-encap
> is enabled in the
> > Command line, UDP encapsulation will not work.
> 
> I am not asking you so support multiple UDP ports for IPsec encapsulation.

Multiple ports are not required to be supported as per specification.
UDP encapsulation work only on one port i.e. 4500.
By specification, it says, port 4500 is reserved for NAT traversal and if a
Packet has this port, then it has to be processed accordingly.

> What I am saying: it should be possible to use SAs with UDP encapsulation
> along with SAs without (plain tunnel/transport mode).

Yes it is possible with the current patch.
If a packet has a UDP port = 4500 then it is UDP encapsulated otherwise it is not.
Hence, a packet with UDP port other than 4500 will work as it is working without
--udp-encap param.

> As I understand with your patch it is not possible: if user specified --udp-
> encap
> all SAs (on all crypto-devs) will be treated as UDP encapsulated.

Just to correct this statement.

If user specified --udp-encap all SAs (on all crypto-devs) will be treated as
UDP encapsulated if and only if the UDP port = 4500 and not otherwise.

I hope this statement clears your concern and it makes more sense to make it
application vide, just like esn and anti-replay.

Regards,
Akhil

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [dpdk-dev] [PATCH 2/3] examples/ipsec-secgw: add UDP encapsulation support
  2021-03-23 17:54             ` Akhil Goyal
@ 2021-03-24  9:45               ` Tejasree Kondoj
  2021-03-24 10:39                 ` Ananyev, Konstantin
  0 siblings, 1 reply; 13+ messages in thread
From: Tejasree Kondoj @ 2021-03-24  9:45 UTC (permalink / raw)
  To: Akhil Goyal, Ananyev, Konstantin, Nicolau, Radu
  Cc: Anoob Joseph, Ankur Dwivedi, Jerin Jacob Kollanukkaran, dev

Hi Akhil, Konstantin,

Please see inline.

Thanks
Tejasree

> -----Original Message-----
> From: Akhil Goyal <gakhil@marvell.com>
> Sent: Tuesday, March 23, 2021 11:24 PM
> To: Ananyev, Konstantin <konstantin.ananyev@intel.com>; Tejasree Kondoj
> <ktejasree@marvell.com>; Nicolau, Radu <radu.nicolau@intel.com>
> Cc: Anoob Joseph <anoobj@marvell.com>; Ankur Dwivedi
> <adwivedi@marvell.com>; Jerin Jacob Kollanukkaran <jerinj@marvell.com>;
> dev@dpdk.org
> Subject: RE: [dpdk-dev] [PATCH 2/3] examples/ipsec-secgw: add UDP
> encapsulation support
> 
> >
> > > Hi Konstantin,
> > > >
> > > > Hi Akhil,
> > > > > > > Adding lookaside IPsec UDP encapsulation support for NAT
> > > > > > > traversal.
> > > > > > > Added --udp-encap option for application to specify if UDP
> > > > > > > encapsulation need to be enabled.
> > > > > > > Example secgw command with UDP encapsultation enabled:
> > > > > > > <secgw> -c 0x1 -- -P -p 0x1 --config "(0,0,0)" -f ep0.cfg
> > > > > > > --udp-encap
> > > > > >
> > > > > > Can we have it not as global, but a per SA option?
> > > > > > Add new keyword for SA/SP into ipsec-secgw config file, etc.
> > > > > > Konstantin
> > > > > >
> > > > >
> > > > > Any specific reason to make udp_encap as per SA?
> > > > > UDP encapsulation is a feature which I believe should be
> > > > > application
> > vide.
> > > > > If it supports the feature it should be enabled for all SAs when
> > > > > the UDP
> > port
> > > > > is 4500 which is reserved for it.
> > > >
> > > > Not sure why it has to be application wide?
> > > > Why it is not possible have let say SA1 in ipv4/ipv6 tunnel mode
> > > > over port
> > 0,
> > > > and SA2 with udp encap over port 1?
> > > > Note that in DPDK librte_security it is per SA option.
> > >
> > > UDP encapsulation can be done only if the UDP port is 4500 as per
> > > the
> > specification.
> > > Please correct me if I am wrong. So if UDP port is NOT 4500 and
> > > udp-encap
> > is enabled in the
> > > Command line, UDP encapsulation will not work.
> >
> > I am not asking you so support multiple UDP ports for IPsec encapsulation.
> 
> Multiple ports are not required to be supported as per specification.
> UDP encapsulation work only on one port i.e. 4500.
> By specification, it says, port 4500 is reserved for NAT traversal and if a
> Packet has this port, then it has to be processed accordingly.
> 
> > What I am saying: it should be possible to use SAs with UDP
> > encapsulation along with SAs without (plain tunnel/transport mode).
> 
> Yes it is possible with the current patch.
> If a packet has a UDP port = 4500 then it is UDP encapsulated otherwise it is
> not.
> Hence, a packet with UDP port other than 4500 will work as it is working
> without --udp-encap param.
> 
> > As I understand with your patch it is not possible: if user specified
> > --udp- encap all SAs (on all crypto-devs) will be treated as UDP
> > encapsulated.
> 
> Just to correct this statement.
> 
> If user specified --udp-encap all SAs (on all crypto-devs) will be treated as
> UDP encapsulated if and only if the UDP port = 4500 and not otherwise.
> 
> I hope this statement clears your concern and it makes more sense to make it
> application vide, just like esn and anti-replay.
> 

[Tejasree] Just realized that all SAs are treated as UDP encapsulated 
if the packet type is other than UDP. Will add per SA support.

Concern with per SA support: we cannot have "udp_encap==1" check in the prepare_one_packet()
function as SA info is not available at that time and plain UDP packets with port 4500 are
treated as IPsec and results could be unpredictable.

> Regards,
> Akhil

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [dpdk-dev] [PATCH 2/3] examples/ipsec-secgw: add UDP encapsulation support
  2021-03-24  9:45               ` Tejasree Kondoj
@ 2021-03-24 10:39                 ` Ananyev, Konstantin
  2021-03-25  8:38                   ` Tejasree Kondoj
  0 siblings, 1 reply; 13+ messages in thread
From: Ananyev, Konstantin @ 2021-03-24 10:39 UTC (permalink / raw)
  To: Tejasree Kondoj, Akhil Goyal, Nicolau, Radu
  Cc: Anoob Joseph, Ankur Dwivedi, Jerin Jacob Kollanukkaran, dev

Hi Tejasree,

> > > > > > > > Adding lookaside IPsec UDP encapsulation support for NAT
> > > > > > > > traversal.
> > > > > > > > Added --udp-encap option for application to specify if UDP
> > > > > > > > encapsulation need to be enabled.
> > > > > > > > Example secgw command with UDP encapsultation enabled:
> > > > > > > > <secgw> -c 0x1 -- -P -p 0x1 --config "(0,0,0)" -f ep0.cfg
> > > > > > > > --udp-encap
> > > > > > >
> > > > > > > Can we have it not as global, but a per SA option?
> > > > > > > Add new keyword for SA/SP into ipsec-secgw config file, etc.
> > > > > > > Konstantin
> > > > > > >
> > > > > >
> > > > > > Any specific reason to make udp_encap as per SA?
> > > > > > UDP encapsulation is a feature which I believe should be
> > > > > > application
> > > vide.
> > > > > > If it supports the feature it should be enabled for all SAs when
> > > > > > the UDP
> > > port
> > > > > > is 4500 which is reserved for it.
> > > > >
> > > > > Not sure why it has to be application wide?
> > > > > Why it is not possible have let say SA1 in ipv4/ipv6 tunnel mode
> > > > > over port
> > > 0,
> > > > > and SA2 with udp encap over port 1?
> > > > > Note that in DPDK librte_security it is per SA option.
> > > >
> > > > UDP encapsulation can be done only if the UDP port is 4500 as per
> > > > the
> > > specification.
> > > > Please correct me if I am wrong. So if UDP port is NOT 4500 and
> > > > udp-encap
> > > is enabled in the
> > > > Command line, UDP encapsulation will not work.
> > >
> > > I am not asking you so support multiple UDP ports for IPsec encapsulation.
> >
> > Multiple ports are not required to be supported as per specification.
> > UDP encapsulation work only on one port i.e. 4500.
> > By specification, it says, port 4500 is reserved for NAT traversal and if a
> > Packet has this port, then it has to be processed accordingly.
> >
> > > What I am saying: it should be possible to use SAs with UDP
> > > encapsulation along with SAs without (plain tunnel/transport mode).
> >
> > Yes it is possible with the current patch.
> > If a packet has a UDP port = 4500 then it is UDP encapsulated otherwise it is
> > not.
> > Hence, a packet with UDP port other than 4500 will work as it is working
> > without --udp-encap param.
> >
> > > As I understand with your patch it is not possible: if user specified
> > > --udp- encap all SAs (on all crypto-devs) will be treated as UDP
> > > encapsulated.
> >
> > Just to correct this statement.
> >
> > If user specified --udp-encap all SAs (on all crypto-devs) will be treated as
> > UDP encapsulated if and only if the UDP port = 4500 and not otherwise.
> >
> > I hope this statement clears your concern and it makes more sense to make it
> > application vide, just like esn and anti-replay.
> >
> 
> [Tejasree] Just realized that all SAs are treated as UDP encapsulated
> if the packet type is other than UDP. Will add per SA support.
>
> Concern with per SA support: we cannot have "udp_encap==1" check in the prepare_one_packet()
> function as SA info is not available at that time and plain UDP packets with port 4500 are
> treated as IPsec and results could be unpredictable.
 
If you think global udp_encap would be helpful (let say for prepare_one_packet),
I think it is possible to keep it. By default it will be 0, and can be initialized to 1,
if we have at least one session  with udp_encap enabled (after config file parsing).
My thought about it was:
-prepare_packet() - mark both ip/esp and ip/udp(sport,dport=4500) as ESP ones,
  plus set mbuf.packet_type properly (UDP/ESP) (should we set l4_len also?). 
- sad_lookup() - based on packet type (l4_len?) determine location of ESP header
  and do the lookup. Then if lookup was successful, for UDP packets check does
  SA.udp_encap==1. If no, then drop the packet.

 




^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [dpdk-dev] [PATCH 2/3] examples/ipsec-secgw: add UDP encapsulation support
  2021-03-24 10:39                 ` Ananyev, Konstantin
@ 2021-03-25  8:38                   ` Tejasree Kondoj
  0 siblings, 0 replies; 13+ messages in thread
From: Tejasree Kondoj @ 2021-03-25  8:38 UTC (permalink / raw)
  To: Ananyev, Konstantin, Akhil Goyal, Nicolau, Radu
  Cc: Anoob Joseph, Ankur Dwivedi, Jerin Jacob Kollanukkaran, dev

Hi Konstantin,

Please see inline.

Thanks
Tejasree

> -----Original Message-----
> From: Ananyev, Konstantin <konstantin.ananyev@intel.com>
> Sent: Wednesday, March 24, 2021 4:10 PM
> To: Tejasree Kondoj <ktejasree@marvell.com>; Akhil Goyal
> <gakhil@marvell.com>; Nicolau, Radu <radu.nicolau@intel.com>
> Cc: Anoob Joseph <anoobj@marvell.com>; Ankur Dwivedi
> <adwivedi@marvell.com>; Jerin Jacob Kollanukkaran <jerinj@marvell.com>;
> dev@dpdk.org
> Subject: [EXT] RE: [dpdk-dev] [PATCH 2/3] examples/ipsec-secgw: add UDP
> encapsulation support
> 
> External Email
> 
> ----------------------------------------------------------------------
> Hi Tejasree,
> 
> > > > > > > > > Adding lookaside IPsec UDP encapsulation support for NAT
> > > > > > > > > traversal.
> > > > > > > > > Added --udp-encap option for application to specify if UDP
> > > > > > > > > encapsulation need to be enabled.
> > > > > > > > > Example secgw command with UDP encapsultation enabled:
> > > > > > > > > <secgw> -c 0x1 -- -P -p 0x1 --config "(0,0,0)" -f ep0.cfg
> > > > > > > > > --udp-encap
> > > > > > > >
> > > > > > > > Can we have it not as global, but a per SA option?
> > > > > > > > Add new keyword for SA/SP into ipsec-secgw config file, etc.
> > > > > > > > Konstantin
> > > > > > > >
> > > > > > >
> > > > > > > Any specific reason to make udp_encap as per SA?
> > > > > > > UDP encapsulation is a feature which I believe should be
> > > > > > > application
> > > > vide.
> > > > > > > If it supports the feature it should be enabled for all SAs when
> > > > > > > the UDP
> > > > port
> > > > > > > is 4500 which is reserved for it.
> > > > > >
> > > > > > Not sure why it has to be application wide?
> > > > > > Why it is not possible have let say SA1 in ipv4/ipv6 tunnel mode
> > > > > > over port
> > > > 0,
> > > > > > and SA2 with udp encap over port 1?
> > > > > > Note that in DPDK librte_security it is per SA option.
> > > > >
> > > > > UDP encapsulation can be done only if the UDP port is 4500 as per
> > > > > the
> > > > specification.
> > > > > Please correct me if I am wrong. So if UDP port is NOT 4500 and
> > > > > udp-encap
> > > > is enabled in the
> > > > > Command line, UDP encapsulation will not work.
> > > >
> > > > I am not asking you so support multiple UDP ports for IPsec
> encapsulation.
> > >
> > > Multiple ports are not required to be supported as per specification.
> > > UDP encapsulation work only on one port i.e. 4500.
> > > By specification, it says, port 4500 is reserved for NAT traversal and if a
> > > Packet has this port, then it has to be processed accordingly.
> > >
> > > > What I am saying: it should be possible to use SAs with UDP
> > > > encapsulation along with SAs without (plain tunnel/transport mode).
> > >
> > > Yes it is possible with the current patch.
> > > If a packet has a UDP port = 4500 then it is UDP encapsulated otherwise it
> is
> > > not.
> > > Hence, a packet with UDP port other than 4500 will work as it is working
> > > without --udp-encap param.
> > >
> > > > As I understand with your patch it is not possible: if user specified
> > > > --udp- encap all SAs (on all crypto-devs) will be treated as UDP
> > > > encapsulated.
> > >
> > > Just to correct this statement.
> > >
> > > If user specified --udp-encap all SAs (on all crypto-devs) will be treated as
> > > UDP encapsulated if and only if the UDP port = 4500 and not otherwise.
> > >
> > > I hope this statement clears your concern and it makes more sense to
> make it
> > > application vide, just like esn and anti-replay.
> > >
> >
> > [Tejasree] Just realized that all SAs are treated as UDP encapsulated
> > if the packet type is other than UDP. Will add per SA support.
> >
> > Concern with per SA support: we cannot have "udp_encap==1" check in the
> prepare_one_packet()
> > function as SA info is not available at that time and plain UDP packets with
> port 4500 are
> > treated as IPsec and results could be unpredictable.
> 
> If you think global udp_encap would be helpful (let say for
> prepare_one_packet),
> I think it is possible to keep it. By default it will be 0, and can be initialized to
> 1,
> if we have at least one session  with udp_encap enabled (after config file
> parsing).
> My thought about it was:
> -prepare_packet() - mark both ip/esp and ip/udp(sport,dport=4500) as ESP
> ones,
>   plus set mbuf.packet_type properly (UDP/ESP) (should we set l4_len also?).
> - sad_lookup() - based on packet type (l4_len?) determine location of ESP
> header
>   and do the lookup. Then if lookup was successful, for UDP packets check
> does
>   SA.udp_encap==1. If no, then drop the packet.
> 
> 
> 
> 
[Tejasree] l4_len setting is not needed. mbuf.packet_type can be used.
Will send v2 with per SA support.


^ permalink raw reply	[flat|nested] 13+ messages in thread

end of thread, other threads:[~2021-03-25  8:38 UTC | newest]

Thread overview: 13+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-15 10:36 [dpdk-dev] [PATCH 0/3] add lookaside IPsec UDP encapsulation and transport mode Tejasree Kondoj
2021-03-15 10:36 ` [dpdk-dev] [PATCH 1/3] crypto/octeontx2: add UDP encapsulation support Tejasree Kondoj
2021-03-15 10:36 ` [dpdk-dev] [PATCH 2/3] examples/ipsec-secgw: " Tejasree Kondoj
2021-03-19 16:46   ` Ananyev, Konstantin
2021-03-23  8:02     ` Akhil Goyal
2021-03-23 14:29       ` Ananyev, Konstantin
2021-03-23 15:06         ` Akhil Goyal
2021-03-23 15:46           ` Ananyev, Konstantin
2021-03-23 17:54             ` Akhil Goyal
2021-03-24  9:45               ` Tejasree Kondoj
2021-03-24 10:39                 ` Ananyev, Konstantin
2021-03-25  8:38                   ` Tejasree Kondoj
2021-03-15 10:36 ` [dpdk-dev] [PATCH 3/3] crypto/octeontx2: support lookaside IPv4 transport mode Tejasree Kondoj

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).