From: "Xu, GangX"
To: "Peng, Yuan", "dts@dpdk.org"
CC: "Peng, Yuan"
Date: Fri, 29 Dec 2017 09:55:32 +0000
Message-ID: <52FE6B2C7B32C541B3B4C691E214F6AB314F8C74@SHSMSX101.ccr.corp.intel.com>
In-Reply-To: <1514540896-92174-1-git-send-email-yuan.peng@intel.com>
Subject: Re: [dts] [PATCH V1] add inline_ipsec test plan

Please Ignore this file

-----Original Message-----
From: dts [mailto:dts-bounces@dpdk.org] On Behalf Of Peng Yuan
Sent: Friday, December 29, 2017 5:48 PM
To: dts@dpdk.org
Cc: Peng, Yuan
Subject: [dts] [PATCH V1] add inline_ipsec test plan

Signed-off-by: Peng Yuan --- test_plans/inline_ipsec_test_plan.rst | 355 ++++++++++++++++++++++++++++++= ++++ 1 file changed, 355 insertions(+) create mode 100644 test_plans/inline_ipsec_test_plan.rst diff --git a/test_plans/inline_ipsec_test_plan.rst b/test_plans/inline_ipse= c_test_plan.rst new file mode 100644 index 0000000..bc10111 --- /dev/null +++ b/test_plans/inline_ipsec_test_plan.rst 
@@ -0,0 +1,355 @@ +.. Copyright (c) <2017>, Intel Corporation + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + - Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + - Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in + the documentation and/or other materials provided with the + distribution. + + - Neither the name of Intel Corporation nor the names of its + contributors may be used to endorse or promote products derived + from this software without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPR ESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. + +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +Inline IPsec Test Plan +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +This test plan describe the method of validation inline hardware=20 +acceleration of symmetric crypto processing of IPsec flows on Intel=C2=AE= =20 +82599 10 GbE Controller (IXGBE) within the cryptodev framework. 
+ +***Limitation: +AES-GCM 128 ESP Tunnel/Transport mode and Authentication only mode are +supported.*** + +Ref links: +https://tools.ietf.org/html/rfc4301 + +https://tools.ietf.org/html/rfc4302 + +https://tools.ietf.org/html/rfc4303 + +http://dpdk.org/doc/guides/sample_app_ug/ipsec_secgw.html + +Abbr: +ESP: Encapsulating Security Payload:: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ---- + | Security Parameters Index (SPI) | ^Int. + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Cov- + | Sequence Number | |ered + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ---- + | Payload Data* (variable) | | ^ + ~ ~ | | + | | |Conf. + + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Cov- + | | Padding (0-255 bytes) | |ered* + +-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + | | Pad Length | Next Header | v v + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ------ + | Integrity Check Value-ICV (variable) | + ~ ~ + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + +SPI: Security Parameters Index + +The SPI is an arbitrary 32-bit value that is used by a receiver to=20 +identify the SA to which an incoming packet is bound. + +Sequence Number: + +This unsigned 32-bit field contains a counter value that increases by=20 +one for each packet sent + +AES: Advanced Encryption Standard + +GCM: Galois Counter Mode + +Prerequisites +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +2 * 10Gb Ethernet ports of the DUT are directly connected in=20 +full-duplex to different ports of the peer traffic generator. + +Bind two ports to vfio-pci. 
+modprobe vfio-pci + +=09 +Test Case: Inline cfg parsing +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D +Create inline ipsec configuration file like below:: + + #SP IPv4 rules + sp ipv4 out esp protect 1005 pri 1 dst 192.168.105.0/24 sport 0:65535=20 +dport 0:65535 + + #SA rules + sa out 1005 aead_algo aes-128-gcm aead_key 2b:7e:15:16:28:ae:d2:a6:ab:f7:= 15:88:09:cf:4f:3d:de:ad:be:ef \ + mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \ + port_id 1 \ + type inline-crypto-offload \ + + sa in 5 aead_algo aes-128-gcm aead_key 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:8= 8:09:cf:4f:3d:de:ad:be:ef \ + mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \ + port_id 1 \ + type inline-crypto-offload \ + + #Routing rules + rt ipv4 dst 172.16.2.5/32 port 1 + rt ipv4 dst 192.168.105.10/32 port 0 + +Starting ipsec-secgw sample and make sure SP/SA/RT rules loaded successful= ly. + +Check ipsec-secgw can detect invalid cipher algo. + +Check ipsec-secgw can detect invalid auth algo. + +Check ipsec-secgw can detect invalid key format. + + +Test Case: IPSec Encryption +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected mo= de:: + + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev=20 + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u=20 + 0x2 --config=3D"(0,0,20),(1,0,21)" -f ./enc.cfg + +Use scapy to listen on unprotected port sudo python ./scapy_receive.py=20 +-i ens802f1 +=09 +Send burst(32) normal packets with dst ip (192.168.105.0) to protected por= t. + sudo python ./scapy_send.py -i ens802f0 -s 32 -c 1 -e 0 + +Check burst esp packets received from unprotected port. 
+tcpdump -Xvvvi ens802f1 + +[root@dpdk98 scripts]# tcpdump -Xvvvi ens802f1 +tcpdump: listening on ens802f1, link-type EN10MB (Ethernet), capture=20 +size 262144 bytes +06:10:25.674233 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto E= SP (50), length 108) + 172.16.1.5 > 172.16.2.5: ESP(spi=3D0x000003ed,seq=3D0x9), length 88 + 0x0000: 4500 006c 0000 0000 4032 1f36 ac10 0105 E..l....@2.6.... + 0x0010: ac10 0205 0000 03ed 0000 0009 0000 0000 ................ + 0x0020: 0000 0009 4468 a4af 5853 7545 b21d 977c ....Dh..XSuE...| + 0x0030: b911 7ec6 74a0 3349 b986 02d2 a322 d050 ..~.t.3I.....".P + 0x0040: 8a0d 4ffc ef4d 6246 86fe 26f0 9377 84b5 ..O..MbF..&..w.. + 0x0050: 8b06 c7e0 05d3 1ac5 1a30 1a93 8660 4292 .........0...`B. + 0x0060: 999a c84d 49ed ff95 89a1 6917 ...MI.....i. + + +Check esp packets' format is correct. + +See decrypted packets on scapy output +[root@dpdk98 scripts]# sudo python ./scapy_receive.py -i ens802f1 ###[=20 +IP ]### + version =3D 4 + ihl =3D 5 + tos =3D 0x0 + len =3D 52 + id =3D 1 + flags =3D + frag =3D 0 + ttl =3D 63 + proto =3D ip + chksum =3D 0x2764 + src =3D 192.168.105.10 + dst =3D 192.168.105.10 + \options \ +###[ Raw ]### + load =3D '|->test-test-test-test-test-t<-|' + + +Test Case: IPSec Encryption with Jumboframe=20 +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected mo= de:: + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev=20 + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u=20 + 0x2 --config=3D"(0,0,20),(1,0,21)" -f ./enc.cfg + +Use scapy to listen on unprotected port + +Default frame size is 1518, send burst(1000) packets with dst ip (192.168.= 105.0) to protected port. + +Check burst esp packets received from unprotected port. + +Check esp packets' format is correct. 
+ +See decrypted packets on scapy output + +Send burst(8192) jumbo packets with dst ip (192.168.105.0) to protected po= rt. + +Check burst esp packets can't be received from unprotected port. + +Set jumbo frames size as 9000, start it with port 1 assigned to unprotecte= d mode:: + + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev=20 + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u=20 + 0x2 -j 9000 --config=3D"(0,0,20),(1,0,21)" -f ./enc.cfg + +Use scapy to listen on unprotected port +=09 +Send burst(8192) jumbo packets with dst ip (192.168.105.0) to protected po= rt. + +Check burst jumbo packets received from unprotected port. + +Check esp packets' format is correct. + +See decrypted packets on scapy output + +Send burst(9000) jumbo packets with dst ip (192.168.105.0) to protected po= rt. + +Check burst jumbo packets can't be received from unprotected port. + + +Test Case: IPSec Encryption with RSS +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +Create configuration file with multiple SP/SA/RT rules for different ip ad= dress. + +Start ipsec-secgw with two queues enabled on each port and port 1 assigned= to unprotected mode:: + + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev=20 + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u=20 + 0x2 --config=3D"(0,0,20),(0,1,20),(1,0,21),(1,1,21)" -f ./enc_rss.cfg + +Use scapy to listen on unprotected port sudo python=20 +./scapy_receive_enc_rss.py -i ens802f1 +=09 +Send burst(32) packets with different dst ip to protected port. +sudo python ./scapy_send_enc_rss.py -i ens802f0 -s 32 -c 1 -e 0 + +Check burst esp packets received from queue 0 and queue 1 on unprotected p= ort. +tcpdump -Xvvvi ens802f1 + +Check esp packets' format is correct. 
+ +See decrypted packets on scapy output + + +Test Case: IPSec Decryption +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected mo= de:: + + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev=20 + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u=20 + 0x2 --config=3D"(0,0,20),(1,0,21)" -f ./dec.cfg + +Send two burst(32) esp packets to unprotected port. +sudo python ./scapy_send.py -i ens802f1 -s 32 -c 1 -e 1 + +First one will produce an error "IPSEC_ESP: failed crypto op" in the=20 +IPsec application, but it will setup the SA. Second one will decrypt and s= end back the decrypted packet. + +Check burst packets which have been decapsulated received from=20 +protected port tcpdump -Xvvvi ens802f0 + +Test Case: IPSec Decryption with wrong key=20 +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected mo= de:: + + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev=20 + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u=20 + 0x2 --config=3D"(0,0,20),(1,0,21)" -f ./dec.cfg + +Change dec.cfg key is not same with send packet encrypted key +=09 +Send one burst(32) esp packets to unprotected port. + +IPsec application will produce an error "IPSEC_ESP: failed crypto op" ,=20 +but it will setup the SA. + +Send one burst(32) esp packets to unprotected port. + +Check burst packets which have been decapsulated can't be received from=20 +protected port, IPsec application will produce error "IPSEC_ESP: failed cr= ypto op". 
+ + =09 +Test Case: IPSec Decryption with Jumboframe=20 +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected mo= de:: + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev=20 + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u=20 + 0x2 --config=3D"(0,0,20),(1,0,21)" -f ./dec.cfg Default frame size is=20 +1518, Send two burst(1000) esp packets to unprotected port. + +First one will produce an error "IPSEC_ESP: failed crypto op" in the=20 +IPsec application, but it will setup the SA. Second one will decrypt and s= end back the decrypted packet. + +Check burst(1000) packets which have been decapsulated received from prote= cted port. + +Send burst(8192) esp packets to unprotected port. + +Check burst(8192) packets which have been decapsulated can't be received f= rom protected port. + +Set jumbo frames size as 9000, start it with port 1 assigned to unprotecte= d mode:: + + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev=20 + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u=20 + 0x2 -j 9000 --config=3D"(0,0,20),(1,0,21)" -f ./dec.cfg + +Send two burst(8192) esp packets to unprotected port. + +First one will produce an error "IPSEC_ESP: failed crypto op" in the=20 +IPsec application, but it will setup the SA. Second one will decrypt and s= end back the decrypted packet. + +Check burst(8192) packets which have been decapsulated received from prote= cted port. + +Send burst(9000) esp packets to unprotected port. + +Check burst(9000) packets which have been decapsulated can't be received f= rom protected port. 
+ + +Test Case: IPSec Decryption with RSS +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +Create configuration file with multiple SA rule for different ip address. + +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected mo= de:: + + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev=20 + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u=20 + 0x2 -config=3D"(0,0,20),(0,1,20),(1,0,21),(1,1,21)" -f ./dec_rss.cfg + +Send two burst(32) esp packets with different ip to unprotected port. + +First one will produce an error "IPSEC_ESP: failed crypto op" in the=20 +IPsec application, but it will setup the SA. Second one will decrypt and s= end back the decrypted packet. + +Check burst(32) packets which have been decapsulated received from=20 +queue 0 and +1 on protected port. + + +Test Case: IPSec Encryption/Decryption simultaneously=20 +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected mo= de:: + + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1=20 + --vdev "crypto_null" --log-level 8 --socket-mem 1024,1=20 + -- -p 0xf -P -u 0x2 --config=3D"(0,0,20),(1,0,21)" -f=20 +./enc_dec.cfg +=09 +Send normal and esp packets to protected and unprotected ports simultaneou= sly. + +Note when testing inbound IPSec, first one will produce an error "IPSEC_ES= P:=20 +invalid padding" in the IPsec application, but it will setup the SA.=20 +Second one will decrypt and send back the decrypted packet. + +Check esp and normal packets received from unprotected and protected ports= . -- 1.9.3
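Review bot: In "Test Case: IPSec Decryption with RSS" the launch command passes `-config="(0,0,20),(0,1,20),(1,0,21),(1,1,21)"` with a single dash, while every other case in this plan uses `--config=`; change it to `--config=` so the command can be run as written. In "Test Case: Inline cfg parsing" the three "Check ipsec-secgw can detect invalid ..." steps give neither the malformed input nor the expected error, and they name cipher and auth algos although the sample SA rules only use `aead_algo aes-128-gcm`; add a check for an invalid `aead_algo` value and state the expected message for each step. On the RST side, the `::` lines in both Jumboframe cases are followed directly by the command with no blank line, and the scapy and tcpdump commands and their captured output sit in running text, so they will not render as literal blocks; the `***Limitation: ... ***` markup will not render as intended either. The inbound cases are also inconsistent about the first-burst error: the decryption cases expect "IPSEC_ESP: failed crypto op" and the simultaneous case expects "IPSEC_ESP: invalid padding", so say which message applies where, and in the wrong-key case make the pass criterion the absence of decapsulated packets on the protected port, since the log message is the same one a correct key produces on its first burst.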