* [dpdk-users] IPSEC-SECGW sample application
@ 2018-01-07 15:41 Avi Cohen (A)
2018-01-08 8:47 ` Gowda, Sandesh
0 siblings, 1 reply; 10+ messages in thread
From: Avi Cohen (A) @ 2018-01-07 15:41 UTC (permalink / raw)
To: users
Hello
I'm using the DPDK17.11 and running the sample app. Ipsec_secgw.
I have 2 ports port 0 is protected and port 1 is unprotected
Traffic is received in the unprotected and should be sent to the protected port for encryption
But the traffic processing for the traffic received in the unprotected port is going through the **process_pkts_inbound ** .
I expect that the traffic should be directed to the **process_pkts_outbound** [where ESP headers are added etc.]
Can someone help ?
This is the config file:
#SP rules
sp ipv4 in esp protect 5 src 1.1.1.2/32 dst 1.1.2.10/32
#SA rules
sa in 5 cipher_algo aes-128-cbc cipher_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
auth_algo sha1-hmac auth_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \
type inline-protocol-offload port_id 0
#Routing rules
rt ipv4 dst 172.16.2.5/32 port 0
rt ipv4 dst 1.1.2.0/24 port 0
rt ipv4 dst 1.1.1.0/24 port 0
and this is the command line to run the applic:
./ipsec-secgw -l 1 -n 2 -- -p 0x3 -P -u 0x2 --config="(0,0,1),(1,0,1)" -f ../ep1.cfg
Best Regards
Avi
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [dpdk-users] IPSEC-SECGW sample application
2018-01-07 15:41 [dpdk-users] IPSEC-SECGW sample application Avi Cohen (A)
@ 2018-01-08 8:47 ` Gowda, Sandesh
2018-01-08 11:47 ` Avi Cohen (A)
2018-01-08 16:34 ` Avi Cohen (A)
0 siblings, 2 replies; 10+ messages in thread
From: Gowda, Sandesh @ 2018-01-08 8:47 UTC (permalink / raw)
To: Avi Cohen (A), users
Hi Avi,
The application classifies the ports as Protected and Unprotected. Thus, traffic received on an Unprotected or Protected port is consider Inbound or Outbound respectively.
( Refer : http://dpdk.org/doc/guides/sample_app_ug/ipsec_secgw.html )
The Packets sent on a Unprotected network requires Encryption whereas packets on Protected Network can be plain text.
This is the expected behavior.
Regards,
Sandesh
-----Original Message-----
From: users [mailto:users-bounces@dpdk.org] On Behalf Of Avi Cohen (A)
Sent: Sunday, January 07, 2018 9:12 PM
To: users@dpdk.org
Subject: [dpdk-users] IPSEC-SECGW sample application
Hello
I'm using the DPDK17.11 and running the sample app. Ipsec_secgw.
I have 2 ports port 0 is protected and port 1 is unprotected Traffic is received in the unprotected and should be sent to the protected port for encryption But the traffic processing for the traffic received in the unprotected port is going through the **process_pkts_inbound ** .
I expect that the traffic should be directed to the **process_pkts_outbound** [where ESP headers are added etc.] Can someone help ?
This is the config file:
#SP rules
sp ipv4 in esp protect 5 src 1.1.1.2/32 dst 1.1.2.10/32
#SA rules
sa in 5 cipher_algo aes-128-cbc cipher_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
auth_algo sha1-hmac auth_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \
type inline-protocol-offload port_id 0
#Routing rules
rt ipv4 dst 172.16.2.5/32 port 0
rt ipv4 dst 1.1.2.0/24 port 0
rt ipv4 dst 1.1.1.0/24 port 0
and this is the command line to run the applic:
./ipsec-secgw -l 1 -n 2 -- -p 0x3 -P -u 0x2 --config="(0,0,1),(1,0,1)" -f ../ep1.cfg
Best Regards
Avi
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [dpdk-users] IPSEC-SECGW sample application
2018-01-08 8:47 ` Gowda, Sandesh
@ 2018-01-08 11:47 ` Avi Cohen (A)
2018-01-08 16:34 ` Avi Cohen (A)
1 sibling, 0 replies; 10+ messages in thread
From: Avi Cohen (A) @ 2018-01-08 11:47 UTC (permalink / raw)
To: Gowda, Sandesh, users
Hi Sandesh
Thank you - I already understood that.
I see in the documentation that this app. Supports only **complete offload**. But Intel NICS x540 and 82599 which supports ipsec offload requires that the SW will add/remove the ESP headers
How can I run this app with x540 nic ?
Best Regards
Avi
> -----Original Message-----
> From: Gowda, Sandesh [mailto:sandesh.gowda@intel.com]
> Sent: Monday, 08 January, 2018 10:47 AM
> To: Avi Cohen (A); users@dpdk.org
> Subject: RE: IPSEC-SECGW sample application
>
>
> Hi Avi,
>
> The application classifies the ports as Protected and Unprotected. Thus, traffic
> received on an Unprotected or Protected port is consider Inbound or Outbound
> respectively.
> ( Refer : http://dpdk.org/doc/guides/sample_app_ug/ipsec_secgw.html )
>
> The Packets sent on a Unprotected network requires Encryption whereas
> packets on Protected Network can be plain text.
> This is the expected behavior.
>
> Regards,
> Sandesh
>
>
>
>
> -----Original Message-----
> From: users [mailto:users-bounces@dpdk.org] On Behalf Of Avi Cohen (A)
> Sent: Sunday, January 07, 2018 9:12 PM
> To: users@dpdk.org
> Subject: [dpdk-users] IPSEC-SECGW sample application
>
>
> Hello
> I'm using the DPDK17.11 and running the sample app. Ipsec_secgw.
> I have 2 ports port 0 is protected and port 1 is unprotected Traffic is received in
> the unprotected and should be sent to the protected port for encryption But
> the traffic processing for the traffic received in the unprotected port is going
> through the **process_pkts_inbound ** .
> I expect that the traffic should be directed to the **process_pkts_outbound**
> [where ESP headers are added etc.] Can someone help ?
>
>
> This is the config file:
>
> #SP rules
> sp ipv4 in esp protect 5 src 1.1.1.2/32 dst 1.1.2.10/32 #SA rules sa in 5
> cipher_algo aes-128-cbc cipher_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ auth_algo
> sha1-hmac auth_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ mode ipv4-tunnel
> src 172.16.1.5 dst 172.16.2.5 \ type inline-protocol-offload port_id 0 #Routing
> rules rt ipv4 dst 172.16.2.5/32 port 0 rt ipv4 dst 1.1.2.0/24 port 0 rt ipv4 dst
> 1.1.1.0/24 port 0
>
>
> and this is the command line to run the applic:
>
> ./ipsec-secgw -l 1 -n 2 -- -p 0x3 -P -u 0x2 --config="(0,0,1),(1,0,1)" -f ../ep1.cfg
>
>
> Best Regards
> Avi
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [dpdk-users] IPSEC-SECGW sample application
2018-01-08 8:47 ` Gowda, Sandesh
2018-01-08 11:47 ` Avi Cohen (A)
@ 2018-01-08 16:34 ` Avi Cohen (A)
2018-01-08 17:23 ` Gowda, Sandesh
1 sibling, 1 reply; 10+ messages in thread
From: Avi Cohen (A) @ 2018-01-08 16:34 UTC (permalink / raw)
To: Gowda, Sandesh, users
Hi Sandesh [I added one more question]
Thank you - I already understood that.
1. I see in the documentation that this app. Supports only **complete offload**.
But Intel NICS x540 and 82599 which supports ipsec offload requires that the
SW will add/remove the ESP headers How can I run this app with x540 nic ?
2. I added support for ESP header and trailer insertion for inline-protocol-offload for intel x540
Can you tell me the exact command line to run the application for this mode ? is vdev required ?
Best Regards
Avi
>
>
>
> > -----Original Message-----
> > From: Gowda, Sandesh [mailto:sandesh.gowda@intel.com]
> > Sent: Monday, 08 January, 2018 10:47 AM
> > To: Avi Cohen (A); users@dpdk.org
> > Subject: RE: IPSEC-SECGW sample application
> >
> >
> > Hi Avi,
> >
> > The application classifies the ports as Protected and Unprotected. Thus,
> traffic
> > received on an Unprotected or Protected port is consider Inbound or
> Outbound
> > respectively.
> > ( Refer : http://dpdk.org/doc/guides/sample_app_ug/ipsec_secgw.html )
> >
> > The Packets sent on a Unprotected network requires Encryption whereas
> > packets on Protected Network can be plain text.
> > This is the expected behavior.
> >
> > Regards,
> > Sandesh
> >
> >
> >
> >
> > -----Original Message-----
> > From: users [mailto:users-bounces@dpdk.org] On Behalf Of Avi Cohen (A)
> > Sent: Sunday, January 07, 2018 9:12 PM
> > To: users@dpdk.org
> > Subject: [dpdk-users] IPSEC-SECGW sample application
> >
> >
> > Hello
> > I'm using the DPDK17.11 and running the sample app. Ipsec_secgw.
> > I have 2 ports port 0 is protected and port 1 is unprotected Traffic is received
> in
> > the unprotected and should be sent to the protected port for encryption But
> > the traffic processing for the traffic received in the unprotected port is going
> > through the **process_pkts_inbound ** .
> > I expect that the traffic should be directed to the
> **process_pkts_outbound**
> > [where ESP headers are added etc.] Can someone help ?
> >
> >
> > This is the config file:
> >
> > #SP rules
> > sp ipv4 in esp protect 5 src 1.1.1.2/32 dst 1.1.2.10/32 #SA rules sa in 5
> > cipher_algo aes-128-cbc cipher_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ auth_algo
> > sha1-hmac auth_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ mode ipv4-tunnel
> > src 172.16.1.5 dst 172.16.2.5 \ type inline-protocol-offload port_id 0 #Routing
> > rules rt ipv4 dst 172.16.2.5/32 port 0 rt ipv4 dst 1.1.2.0/24 port 0 rt ipv4 dst
> > 1.1.1.0/24 port 0
> >
> >
> > and this is the command line to run the applic:
> >
> > ./ipsec-secgw -l 1 -n 2 -- -p 0x3 -P -u 0x2 --config="(0,0,1),(1,0,1)" -f ../ep1.cfg
> >
> >
> > Best Regards
> > Avi
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [dpdk-users] IPSEC-SECGW sample application
2018-01-08 16:34 ` Avi Cohen (A)
@ 2018-01-08 17:23 ` Gowda, Sandesh
2018-01-09 9:38 ` Avi Cohen (A)
0 siblings, 1 reply; 10+ messages in thread
From: Gowda, Sandesh @ 2018-01-08 17:23 UTC (permalink / raw)
To: Avi Cohen (A), users
Hi Avi,
My response inline.
> 1. I see in the documentation that this app. Supports only **complete
> offload**.
> But Intel NICS x540 and 82599 which supports ipsec offload requires that the
> SW will add/remove the ESP headers How can I run this app with x540 nic ?
The SA rule "type" field lets you choose the kind of offload.
Following is the description from the ipsecgw app guide:
<type>
Action type to specify the security action. This option specify the SA to be performed with look aside protocol offload to HW accelerator or protocol offload on ethernet device or inline crypto processing on the ethernet device during transmission.
Optional: Yes, default type no-offload
Available options:
lookaside-protocol-offload: look aside protocol offload to HW accelerator
inline-protocol-offload: inline protocol offload on ethernet device
inline-crypto-offload: inline crypto processing on ethernet device
no-offload: no offloading to hardware
Correct your SA rules to have the desired "type" field.
The ipsecgw application must work fine for QAT PCIe as well as Ethernet NIC with IPSec feature provided the VFs as correctly bound to DPDK.
> 2. I added support for ESP header and trailer insertion for inline-protocol-
> offload for intel x540
> Can you tell me the exact command line to run the application for this mode ?
> is vdev required ?
The ipsecgw application must work fine for QAT PCIe as well as Ethernet NIC with IPSec feature provided the VFs as correctly bound to DPDK.
Please try running a more basic L2Fwd Crypto application on your NIC to make sure the Crypto feature works.
Regards,
Sandesh
> -----Original Message-----
> From: Avi Cohen (A) [mailto:avi.cohen@huawei.com]
> Sent: Monday, January 08, 2018 10:05 PM
> To: Gowda, Sandesh <sandesh.gowda@intel.com>; users@dpdk.org
> Subject: RE: IPSEC-SECGW sample application
>
>
> Hi Sandesh [I added one more question] Thank you - I already understood
> that.
> 1. I see in the documentation that this app. Supports only **complete
> offload**.
> But Intel NICS x540 and 82599 which supports ipsec offload requires that the
> SW will add/remove the ESP headers How can I run this app with x540 nic ?
>
> 2. I added support for ESP header and trailer insertion for inline-protocol-
> offload for intel x540
> Can you tell me the exact command line to run the application for this mode ?
> is vdev required ?
> Best Regards
> Avi
> >
> >
> >
> > > -----Original Message-----
> > > From: Gowda, Sandesh [mailto:sandesh.gowda@intel.com]
> > > Sent: Monday, 08 January, 2018 10:47 AM
> > > To: Avi Cohen (A); users@dpdk.org
> > > Subject: RE: IPSEC-SECGW sample application
> > >
> > >
> > > Hi Avi,
> > >
> > > The application classifies the ports as Protected and Unprotected.
> > > Thus,
> > traffic
> > > received on an Unprotected or Protected port is consider Inbound or
> > Outbound
> > > respectively.
> > > ( Refer : http://dpdk.org/doc/guides/sample_app_ug/ipsec_secgw.html
> > > )
> > >
> > > The Packets sent on a Unprotected network requires Encryption
> > > whereas packets on Protected Network can be plain text.
> > > This is the expected behavior.
> > >
> > > Regards,
> > > Sandesh
> > >
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: users [mailto:users-bounces@dpdk.org] On Behalf Of Avi Cohen
> > > (A)
> > > Sent: Sunday, January 07, 2018 9:12 PM
> > > To: users@dpdk.org
> > > Subject: [dpdk-users] IPSEC-SECGW sample application
> > >
> > >
> > > Hello
> > > I'm using the DPDK17.11 and running the sample app. Ipsec_secgw.
> > > I have 2 ports port 0 is protected and port 1 is unprotected Traffic
> > > is received
> > in
> > > the unprotected and should be sent to the protected port for
> > > encryption But the traffic processing for the traffic received in
> > > the unprotected port is going through the **process_pkts_inbound ** .
> > > I expect that the traffic should be directed to the
> > **process_pkts_outbound**
> > > [where ESP headers are added etc.] Can someone help ?
> > >
> > >
> > > This is the config file:
> > >
> > > #SP rules
> > > sp ipv4 in esp protect 5 src 1.1.1.2/32 dst 1.1.2.10/32 #SA rules sa
> > > in 5 cipher_algo aes-128-cbc cipher_key
> > > 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ auth_algo sha1-hmac auth_key
> > > 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ mode ipv4-tunnel src
> > > 172.16.1.5 dst 172.16.2.5 \ type inline-protocol-offload port_id 0
> > > #Routing rules rt ipv4 dst 172.16.2.5/32 port 0 rt ipv4 dst
> > > 1.1.2.0/24 port 0 rt ipv4 dst
> > > 1.1.1.0/24 port 0
> > >
> > >
> > > and this is the command line to run the applic:
> > >
> > > ./ipsec-secgw -l 1 -n 2 -- -p 0x3 -P -u 0x2
> > > --config="(0,0,1),(1,0,1)" -f ../ep1.cfg
> > >
> > >
> > > Best Regards
> > > Avi
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [dpdk-users] IPSEC-SECGW sample application
2018-01-08 17:23 ` Gowda, Sandesh
@ 2018-01-09 9:38 ` Avi Cohen (A)
2018-01-09 10:00 ` De Lara Guarch, Pablo
0 siblings, 1 reply; 10+ messages in thread
From: Avi Cohen (A) @ 2018-01-09 9:38 UTC (permalink / raw)
To: Gowda, Sandesh, users
Thank you Sandesh
I'm trying to run the l2fwd-crypto sample app. but got this error msg :
"No crypto devices available
EAL: Error - exiting with code: 1
Cause: Failed to initialize crypto devices"
My setup include 2 physical ports (intel x540) bound to dpdk - these Nics are ipsec offload capable.
The cmd-line I use is:
./l2fwd-crypto -l 0-1 -n 4 -- -p 0x3 --cdev_type HW --chain CIPHER_HASH --cipher_op ENCRYPT --cipher_algo aes-cbc --cipher_key 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f --auth_op GENERATE --auth_algo aes-xcbc-mac --auth_key 10:11:12:13:14:15:16:17:18:19:1a:1b:1c:1d:1e:1f
Best Regards
Avi
> -----Original Message-----
> From: Gowda, Sandesh [mailto:sandesh.gowda@intel.com]
> Sent: Monday, 08 January, 2018 7:23 PM
> To: Avi Cohen (A); users@dpdk.org
> Subject: RE: IPSEC-SECGW sample application
>
> Hi Avi,
>
> My response inline.
>
> > 1. I see in the documentation that this app. Supports only **complete
> > offload**.
> > But Intel NICS x540 and 82599 which supports ipsec offload requires
> > that the SW will add/remove the ESP headers How can I run this app with
> x540 nic ?
>
> The SA rule "type" field lets you choose the kind of offload.
> Following is the description from the ipsecgw app guide:
>
> <type>
>
> Action type to specify the security action. This option specify the SA to be
> performed with look aside protocol offload to HW accelerator or protocol
> offload on ethernet device or inline crypto processing on the ethernet device
> during transmission.
> Optional: Yes, default type no-offload
> Available options:
> lookaside-protocol-offload: look aside protocol offload to HW accelerator
> inline-protocol-offload: inline protocol offload on ethernet device
> inline-crypto-offload: inline crypto processing on ethernet device
> no-offload: no offloading to hardware
>
> Correct your SA rules to have the desired "type" field.
>
> The ipsecgw application must work fine for QAT PCIe as well as Ethernet NIC
> with IPSec feature provided the VFs as correctly bound to DPDK.
>
>
> > 2. I added support for ESP header and trailer insertion for
> > inline-protocol- offload for intel x540 Can you tell me the exact
> > command line to run the application for this mode ?
> > is vdev required ?
>
> The ipsecgw application must work fine for QAT PCIe as well as Ethernet NIC
> with IPSec feature provided the VFs as correctly bound to DPDK.
> Please try running a more basic L2Fwd Crypto application on your NIC to make
> sure the Crypto feature works.
>
> Regards,
> Sandesh
>
>
>
> > -----Original Message-----
> > From: Avi Cohen (A) [mailto:avi.cohen@huawei.com]
> > Sent: Monday, January 08, 2018 10:05 PM
> > To: Gowda, Sandesh <sandesh.gowda@intel.com>; users@dpdk.org
> > Subject: RE: IPSEC-SECGW sample application
> >
> >
> > Hi Sandesh [I added one more question] Thank you - I already
> > understood that.
> > 1. I see in the documentation that this app. Supports only **complete
> > offload**.
> > But Intel NICS x540 and 82599 which supports ipsec offload requires
> > that the SW will add/remove the ESP headers How can I run this app with
> x540 nic ?
> >
> > 2. I added support for ESP header and trailer insertion for
> > inline-protocol- offload for intel x540 Can you tell me the exact
> > command line to run the application for this mode ?
> > is vdev required ?
> > Best Regards
> > Avi
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: Gowda, Sandesh [mailto:sandesh.gowda@intel.com]
> > > > Sent: Monday, 08 January, 2018 10:47 AM
> > > > To: Avi Cohen (A); users@dpdk.org
> > > > Subject: RE: IPSEC-SECGW sample application
> > > >
> > > >
> > > > Hi Avi,
> > > >
> > > > The application classifies the ports as Protected and Unprotected.
> > > > Thus,
> > > traffic
> > > > received on an Unprotected or Protected port is consider Inbound
> > > > or
> > > Outbound
> > > > respectively.
> > > > ( Refer :
> > > > http://dpdk.org/doc/guides/sample_app_ug/ipsec_secgw.html
> > > > )
> > > >
> > > > The Packets sent on a Unprotected network requires Encryption
> > > > whereas packets on Protected Network can be plain text.
> > > > This is the expected behavior.
> > > >
> > > > Regards,
> > > > Sandesh
> > > >
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: users [mailto:users-bounces@dpdk.org] On Behalf Of Avi Cohen
> > > > (A)
> > > > Sent: Sunday, January 07, 2018 9:12 PM
> > > > To: users@dpdk.org
> > > > Subject: [dpdk-users] IPSEC-SECGW sample application
> > > >
> > > >
> > > > Hello
> > > > I'm using the DPDK17.11 and running the sample app. Ipsec_secgw.
> > > > I have 2 ports port 0 is protected and port 1 is unprotected
> > > > Traffic is received
> > > in
> > > > the unprotected and should be sent to the protected port for
> > > > encryption But the traffic processing for the traffic received in
> > > > the unprotected port is going through the **process_pkts_inbound ** .
> > > > I expect that the traffic should be directed to the
> > > **process_pkts_outbound**
> > > > [where ESP headers are added etc.] Can someone help ?
> > > >
> > > >
> > > > This is the config file:
> > > >
> > > > #SP rules
> > > > sp ipv4 in esp protect 5 src 1.1.1.2/32 dst 1.1.2.10/32 #SA rules
> > > > sa in 5 cipher_algo aes-128-cbc cipher_key
> > > > 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ auth_algo sha1-hmac auth_key
> > > > 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ mode ipv4-tunnel src
> > > > 172.16.1.5 dst 172.16.2.5 \ type inline-protocol-offload port_id 0
> > > > #Routing rules rt ipv4 dst 172.16.2.5/32 port 0 rt ipv4 dst
> > > > 1.1.2.0/24 port 0 rt ipv4 dst
> > > > 1.1.1.0/24 port 0
> > > >
> > > >
> > > > and this is the command line to run the applic:
> > > >
> > > > ./ipsec-secgw -l 1 -n 2 -- -p 0x3 -P -u 0x2
> > > > --config="(0,0,1),(1,0,1)" -f ../ep1.cfg
> > > >
> > > >
> > > > Best Regards
> > > > Avi
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [dpdk-users] IPSEC-SECGW sample application
2018-01-09 9:38 ` Avi Cohen (A)
@ 2018-01-09 10:00 ` De Lara Guarch, Pablo
2018-01-09 15:15 ` Avi Cohen (A)
` (2 more replies)
0 siblings, 3 replies; 10+ messages in thread
From: De Lara Guarch, Pablo @ 2018-01-09 10:00 UTC (permalink / raw)
To: Avi Cohen (A), Gowda, Sandesh, users
Hi Avi,
> -----Original Message-----
> From: users [mailto:users-bounces@dpdk.org] On Behalf Of Avi Cohen (A)
> Sent: Tuesday, January 9, 2018 9:39 AM
> To: Gowda, Sandesh <sandesh.gowda@intel.com>; users@dpdk.org
> Subject: Re: [dpdk-users] IPSEC-SECGW sample application
>
> Thank you Sandesh
> I'm trying to run the l2fwd-crypto sample app. but got this error msg :
> "No crypto devices available
> EAL: Error - exiting with code: 1
> Cause: Failed to initialize crypto devices"
>
> My setup include 2 physical ports (intel x540) bound to dpdk - these Nics
> are ipsec offload capable.
L2fwd-crypto does not support inline IPSec. For this application,
you can only use crypto devices (under crypto folder).
Pablo
>
> The cmd-line I use is:
> ./l2fwd-crypto -l 0-1 -n 4 -- -p 0x3 --cdev_type HW --chain CIPHER_HASH --
> cipher_op ENCRYPT --cipher_algo aes-cbc --cipher_key
> 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f --auth_op GENERATE --
> auth_algo aes-xcbc-mac --auth_key
> 10:11:12:13:14:15:16:17:18:19:1a:1b:1c:1d:1e:1f
>
> Best Regards
> Avi
>
>
> > -----Original Message-----
> > From: Gowda, Sandesh [mailto:sandesh.gowda@intel.com]
> > Sent: Monday, 08 January, 2018 7:23 PM
> > To: Avi Cohen (A); users@dpdk.org
> > Subject: RE: IPSEC-SECGW sample application
> >
> > Hi Avi,
> >
> > My response inline.
> >
> > > 1. I see in the documentation that this app. Supports only
> > > **complete offload**.
> > > But Intel NICS x540 and 82599 which supports ipsec offload requires
> > > that the SW will add/remove the ESP headers How can I run this app
> > > with
> > x540 nic ?
> >
> > The SA rule "type" field lets you choose the kind of offload.
> > Following is the description from the ipsecgw app guide:
> >
> > <type>
> >
> > Action type to specify the security action. This option specify the SA
> > to be performed with look aside protocol offload to HW accelerator or
> > protocol offload on ethernet device or inline crypto processing on the
> > ethernet device during transmission.
> > Optional: Yes, default type no-offload Available options:
> > lookaside-protocol-offload: look aside protocol offload to HW
> > accelerator
> > inline-protocol-offload: inline protocol offload on ethernet device
> > inline-crypto-offload: inline crypto processing on ethernet device
> > no-offload: no offloading to hardware
> >
> > Correct your SA rules to have the desired "type" field.
> >
> > The ipsecgw application must work fine for QAT PCIe as well as
> > Ethernet NIC with IPSec feature provided the VFs as correctly bound to
> DPDK.
> >
> >
> > > 2. I added support for ESP header and trailer insertion for
> > > inline-protocol- offload for intel x540 Can you tell me the exact
> > > command line to run the application for this mode ?
> > > is vdev required ?
> >
> > The ipsecgw application must work fine for QAT PCIe as well as
> > Ethernet NIC with IPSec feature provided the VFs as correctly bound to
> DPDK.
> > Please try running a more basic L2Fwd Crypto application on your NIC
> > to make sure the Crypto feature works.
> >
> > Regards,
> > Sandesh
> >
> >
> >
> > > -----Original Message-----
> > > From: Avi Cohen (A) [mailto:avi.cohen@huawei.com]
> > > Sent: Monday, January 08, 2018 10:05 PM
> > > To: Gowda, Sandesh <sandesh.gowda@intel.com>; users@dpdk.org
> > > Subject: RE: IPSEC-SECGW sample application
> > >
> > >
> > > Hi Sandesh [I added one more question] Thank you - I already
> > > understood that.
> > > 1. I see in the documentation that this app. Supports only
> > > **complete offload**.
> > > But Intel NICS x540 and 82599 which supports ipsec offload requires
> > > that the SW will add/remove the ESP headers How can I run this app
> > > with
> > x540 nic ?
> > >
> > > 2. I added support for ESP header and trailer insertion for
> > > inline-protocol- offload for intel x540 Can you tell me the exact
> > > command line to run the application for this mode ?
> > > is vdev required ?
> > > Best Regards
> > > Avi
> > > >
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Gowda, Sandesh [mailto:sandesh.gowda@intel.com]
> > > > > Sent: Monday, 08 January, 2018 10:47 AM
> > > > > To: Avi Cohen (A); users@dpdk.org
> > > > > Subject: RE: IPSEC-SECGW sample application
> > > > >
> > > > >
> > > > > Hi Avi,
> > > > >
> > > > > The application classifies the ports as Protected and Unprotected.
> > > > > Thus,
> > > > traffic
> > > > > received on an Unprotected or Protected port is consider Inbound
> > > > > or
> > > > Outbound
> > > > > respectively.
> > > > > ( Refer :
> > > > > http://dpdk.org/doc/guides/sample_app_ug/ipsec_secgw.html
> > > > > )
> > > > >
> > > > > The Packets sent on a Unprotected network requires Encryption
> > > > > whereas packets on Protected Network can be plain text.
> > > > > This is the expected behavior.
> > > > >
> > > > > Regards,
> > > > > Sandesh
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: users [mailto:users-bounces@dpdk.org] On Behalf Of Avi
> > > > > Cohen
> > > > > (A)
> > > > > Sent: Sunday, January 07, 2018 9:12 PM
> > > > > To: users@dpdk.org
> > > > > Subject: [dpdk-users] IPSEC-SECGW sample application
> > > > >
> > > > >
> > > > > Hello
> > > > > I'm using the DPDK17.11 and running the sample app. Ipsec_secgw.
> > > > > I have 2 ports port 0 is protected and port 1 is unprotected
> > > > > Traffic is received
> > > > in
> > > > > the unprotected and should be sent to the protected port for
> > > > > encryption But the traffic processing for the traffic received
> > > > > in the unprotected port is going through the
> **process_pkts_inbound ** .
> > > > > I expect that the traffic should be directed to the
> > > > **process_pkts_outbound**
> > > > > [where ESP headers are added etc.] Can someone help ?
> > > > >
> > > > >
> > > > > This is the config file:
> > > > >
> > > > > #SP rules
> > > > > sp ipv4 in esp protect 5 src 1.1.1.2/32 dst 1.1.2.10/32 #SA
> > > > > rules sa in 5 cipher_algo aes-128-cbc cipher_key
> > > > > 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ auth_algo sha1-hmac auth_key
> > > > > 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ mode ipv4-tunnel src
> > > > > 172.16.1.5 dst 172.16.2.5 \ type inline-protocol-offload port_id
> > > > > 0 #Routing rules rt ipv4 dst 172.16.2.5/32 port 0 rt ipv4 dst
> > > > > 1.1.2.0/24 port 0 rt ipv4 dst
> > > > > 1.1.1.0/24 port 0
> > > > >
> > > > >
> > > > > and this is the command line to run the applic:
> > > > >
> > > > > ./ipsec-secgw -l 1 -n 2 -- -p 0x3 -P -u 0x2
> > > > > --config="(0,0,1),(1,0,1)" -f ../ep1.cfg
> > > > >
> > > > >
> > > > > Best Regards
> > > > > Avi
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [dpdk-users] IPSEC-SECGW sample application
2018-01-09 10:00 ` De Lara Guarch, Pablo
@ 2018-01-09 15:15 ` Avi Cohen (A)
2018-01-14 13:53 ` Avi Cohen (A)
2018-01-15 13:54 ` Avi Cohen (A)
2 siblings, 0 replies; 10+ messages in thread
From: Avi Cohen (A) @ 2018-01-09 15:15 UTC (permalink / raw)
To: De Lara Guarch, Pablo, Gowda, Sandesh, users
Thank you Sandesh and Pablo
I went back to the ipsec-secgw app.
with gdb I saw that the ixgbe driver is complaining about the aead algo, so I only changed the sa configuration
I added the aead algo to the sa - and now ipsec offload is working fine.
sa in 105 aead_algo aes-128-gcm \
aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
mode ipv4-tunnel src 172.16.2.5 dst 172.16.1.5
Best Regards
Avi
> -----Original Message-----
> From: De Lara Guarch, Pablo [mailto:pablo.de.lara.guarch@intel.com]
> Sent: Tuesday, 09 January, 2018 12:00 PM
> To: Avi Cohen (A); Gowda, Sandesh; users@dpdk.org
> Subject: RE: IPSEC-SECGW sample application
>
> Hi Avi,
>
> > -----Original Message-----
> > From: users [mailto:users-bounces@dpdk.org] On Behalf Of Avi Cohen (A)
> > Sent: Tuesday, January 9, 2018 9:39 AM
> > To: Gowda, Sandesh <sandesh.gowda@intel.com>; users@dpdk.org
> > Subject: Re: [dpdk-users] IPSEC-SECGW sample application
> >
> > Thank you Sandesh
> > I'm trying to run the l2fwd-crypto sample app. but got this error msg :
> > "No crypto devices available
> > EAL: Error - exiting with code: 1
> > Cause: Failed to initialize crypto devices"
> >
> > My setup include 2 physical ports (intel x540) bound to dpdk - these
> > Nics are ipsec offload capable.
>
> L2fwd-crypto does not support inline IPSec. For this application, you can only
> use crypto devices (under crypto folder).
>
> Pablo
>
> >
> > The cmd-line I use is:
> > ./l2fwd-crypto -l 0-1 -n 4 -- -p 0x3 --cdev_type HW --chain
> > CIPHER_HASH -- cipher_op ENCRYPT --cipher_algo aes-cbc --cipher_key
> > 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f --auth_op GENERATE --
> > auth_algo aes-xcbc-mac --auth_key
> > 10:11:12:13:14:15:16:17:18:19:1a:1b:1c:1d:1e:1f
> >
> > Best Regards
> > Avi
> >
> >
> > > -----Original Message-----
> > > From: Gowda, Sandesh [mailto:sandesh.gowda@intel.com]
> > > Sent: Monday, 08 January, 2018 7:23 PM
> > > To: Avi Cohen (A); users@dpdk.org
> > > Subject: RE: IPSEC-SECGW sample application
> > >
> > > Hi Avi,
> > >
> > > My response inline.
> > >
> > > > 1. I see in the documentation that this app. Supports only
> > > > **complete offload**.
> > > > But Intel NICS x540 and 82599 which supports ipsec offload
> > > > requires that the SW will add/remove the ESP headers How can I
> > > > run this app with
> > > x540 nic ?
> > >
> > > The SA rule "type" field lets you choose the kind of offload.
> > > Following is the description from the ipsecgw app guide:
> > >
> > > <type>
> > >
> > > Action type to specify the security action. This option specify the
> > > SA to be performed with look aside protocol offload to HW
> > > accelerator or protocol offload on ethernet device or inline crypto
> > > processing on the ethernet device during transmission.
> > > Optional: Yes, default type no-offload Available options:
> > > lookaside-protocol-offload: look aside protocol offload to HW
> > > accelerator
> > > inline-protocol-offload: inline protocol offload on ethernet device
> > > inline-crypto-offload: inline crypto processing on ethernet device
> > > no-offload: no offloading to hardware
> > >
> > > Correct your SA rules to have the desired "type" field.
> > >
> > > The ipsecgw application must work fine for QAT PCIe as well as
> > > Ethernet NIC with IPSec feature provided the VFs as correctly bound
> > > to
> > DPDK.
> > >
> > >
> > > > 2. I added support for ESP header and trailer insertion for
> > > > inline-protocol- offload for intel x540 Can you tell me the exact
> > > > command line to run the application for this mode ?
> > > > is vdev required ?
> > >
> > > The ipsecgw application must work fine for QAT PCIe as well as
> > > Ethernet NIC with IPSec feature provided the VFs as correctly bound
> > > to
> > DPDK.
> > > Please try running a more basic L2Fwd Crypto application on your NIC
> > > to make sure the Crypto feature works.
> > >
> > > Regards,
> > > Sandesh
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: Avi Cohen (A) [mailto:avi.cohen@huawei.com]
> > > > Sent: Monday, January 08, 2018 10:05 PM
> > > > To: Gowda, Sandesh <sandesh.gowda@intel.com>; users@dpdk.org
> > > > Subject: RE: IPSEC-SECGW sample application
> > > >
> > > >
> > > > Hi Sandesh [I added one more question] Thank you - I already
> > > > understood that.
> > > > 1. I see in the documentation that this app. Supports only
> > > > **complete offload**.
> > > > But Intel NICS x540 and 82599 which supports ipsec offload
> > > > requires that the SW will add/remove the ESP headers How can I
> > > > run this app with
> > > x540 nic ?
> > > >
> > > > 2. I added support for ESP header and trailer insertion for
> > > > inline-protocol- offload for intel x540 Can you tell me the exact
> > > > command line to run the application for this mode ?
> > > > is vdev required ?
> > > > Best Regards
> > > > Avi
> > > > >
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Gowda, Sandesh [mailto:sandesh.gowda@intel.com]
> > > > > > Sent: Monday, 08 January, 2018 10:47 AM
> > > > > > To: Avi Cohen (A); users@dpdk.org
> > > > > > Subject: RE: IPSEC-SECGW sample application
> > > > > >
> > > > > >
> > > > > > Hi Avi,
> > > > > >
> > > > > > The application classifies the ports as Protected and Unprotected.
> > > > > > Thus,
> > > > > traffic
> > > > > > received on an Unprotected or Protected port is consider
> > > > > > Inbound or
> > > > > Outbound
> > > > > > respectively.
> > > > > > ( Refer :
> > > > > > http://dpdk.org/doc/guides/sample_app_ug/ipsec_secgw.html
> > > > > > )
> > > > > >
> > > > > > The Packets sent on a Unprotected network requires
> > > > > > Encryption whereas packets on Protected Network can be plain text.
> > > > > > This is the expected behavior.
> > > > > >
> > > > > > Regards,
> > > > > > Sandesh
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: users [mailto:users-bounces@dpdk.org] On Behalf Of Avi
> > > > > > Cohen
> > > > > > (A)
> > > > > > Sent: Sunday, January 07, 2018 9:12 PM
> > > > > > To: users@dpdk.org
> > > > > > Subject: [dpdk-users] IPSEC-SECGW sample application
> > > > > >
> > > > > >
> > > > > > Hello
> > > > > > I'm using the DPDK17.11 and running the sample app. Ipsec_secgw.
> > > > > > I have 2 ports port 0 is protected and port 1 is unprotected
> > > > > > Traffic is received
> > > > > in
> > > > > > the unprotected and should be sent to the protected port for
> > > > > > encryption But the traffic processing for the traffic received
> > > > > > in the unprotected port is going through the
> > **process_pkts_inbound ** .
> > > > > > I expect that the traffic should be directed to the
> > > > > **process_pkts_outbound**
> > > > > > [where ESP headers are added etc.] Can someone help ?
> > > > > >
> > > > > >
> > > > > > This is the config file:
> > > > > >
> > > > > > #SP rules
> > > > > > sp ipv4 in esp protect 5 src 1.1.1.2/32 dst 1.1.2.10/32 #SA
> > > > > > rules sa in 5 cipher_algo aes-128-cbc cipher_key
> > > > > > 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ auth_algo sha1-hmac auth_key
> > > > > > 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ mode ipv4-tunnel src
> > > > > > 172.16.1.5 dst 172.16.2.5 \ type inline-protocol-offload
> > > > > > port_id
> > > > > > 0 #Routing rules rt ipv4 dst 172.16.2.5/32 port 0 rt ipv4 dst
> > > > > > 1.1.2.0/24 port 0 rt ipv4 dst
> > > > > > 1.1.1.0/24 port 0
> > > > > >
> > > > > >
> > > > > > and this is the command line to run the applic:
> > > > > >
> > > > > > ./ipsec-secgw -l 1 -n 2 -- -p 0x3 -P -u 0x2
> > > > > > --config="(0,0,1),(1,0,1)" -f ../ep1.cfg
> > > > > >
> > > > > >
> > > > > > Best Regards
> > > > > > Avi
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [dpdk-users] IPSEC-SECGW sample application
2018-01-09 10:00 ` De Lara Guarch, Pablo
2018-01-09 15:15 ` Avi Cohen (A)
@ 2018-01-14 13:53 ` Avi Cohen (A)
2018-01-15 13:54 ` Avi Cohen (A)
2 siblings, 0 replies; 10+ messages in thread
From: Avi Cohen (A) @ 2018-01-14 13:53 UTC (permalink / raw)
To: De Lara Guarch, Pablo, Gowda, Sandesh, users
Hi Sandesh
The ipsec-secgw is generally working except for the cksm.
e.g. when I send icmp echo request - I see bad checksum in the destination machine
is HW cksm offload coexists with ipsec offload ? other ?
Best Regards
Avi
> -----Original Message-----
> From: Avi Cohen (A)
> Sent: Tuesday, 09 January, 2018 5:15 PM
> To: 'De Lara Guarch, Pablo'; Gowda, Sandesh; users@dpdk.org
> Subject: RE: IPSEC-SECGW sample application
>
> Thank you Sandesh and Pablo
> I went back to the ipsec-secgw app.
> with gdb I saw that the ixgbe driver is complaining about the aead algo, so I
> only changed the sa configuration I added the aead algo to the sa - and now
> ipsec offload is working fine.
>
> sa in 105 aead_algo aes-128-gcm \
> aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ mode
> ipv4-tunnel src 172.16.2.5 dst 172.16.1.5
>
> Best Regards
> Avi
> > -----Original Message-----
> > From: De Lara Guarch, Pablo [mailto:pablo.de.lara.guarch@intel.com]
> > Sent: Tuesday, 09 January, 2018 12:00 PM
> > To: Avi Cohen (A); Gowda, Sandesh; users@dpdk.org
> > Subject: RE: IPSEC-SECGW sample application
> >
> > Hi Avi,
> >
> > > -----Original Message-----
> > > From: users [mailto:users-bounces@dpdk.org] On Behalf Of Avi Cohen
> > > (A)
> > > Sent: Tuesday, January 9, 2018 9:39 AM
> > > To: Gowda, Sandesh <sandesh.gowda@intel.com>; users@dpdk.org
> > > Subject: Re: [dpdk-users] IPSEC-SECGW sample application
> > >
> > > Thank you Sandesh
> > > I'm trying to run the l2fwd-crypto sample app. but got this error msg :
> > > "No crypto devices available
> > > EAL: Error - exiting with code: 1
> > > Cause: Failed to initialize crypto devices"
> > >
> > > My setup include 2 physical ports (intel x540) bound to dpdk -
> > > these Nics are ipsec offload capable.
> >
> > L2fwd-crypto does not support inline IPSec. For this application, you
> > can only use crypto devices (under crypto folder).
> >
> > Pablo
> >
> > >
> > > The cmd-line I use is:
> > > ./l2fwd-crypto -l 0-1 -n 4 -- -p 0x3 --cdev_type HW --chain
> > > CIPHER_HASH -- cipher_op ENCRYPT --cipher_algo aes-cbc --cipher_key
> > > 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f --auth_op GENERATE
> > > -- auth_algo aes-xcbc-mac --auth_key
> > > 10:11:12:13:14:15:16:17:18:19:1a:1b:1c:1d:1e:1f
> > >
> > > Best Regards
> > > Avi
> > >
> > >
> > > > -----Original Message-----
> > > > From: Gowda, Sandesh [mailto:sandesh.gowda@intel.com]
> > > > Sent: Monday, 08 January, 2018 7:23 PM
> > > > To: Avi Cohen (A); users@dpdk.org
> > > > Subject: RE: IPSEC-SECGW sample application
> > > >
> > > > Hi Avi,
> > > >
> > > > My response inline.
> > > >
> > > > > 1. I see in the documentation that this app. Supports only
> > > > > **complete offload**.
> > > > > But Intel NICS x540 and 82599 which supports ipsec offload
> > > > > requires that the SW will add/remove the ESP headers How can I
> > > > > run this app with
> > > > x540 nic ?
> > > >
> > > > The SA rule "type" field lets you choose the kind of offload.
> > > > Following is the description from the ipsecgw app guide:
> > > >
> > > > <type>
> > > >
> > > > Action type to specify the security action. This option specify
> > > > the SA to be performed with look aside protocol offload to HW
> > > > accelerator or protocol offload on ethernet device or inline
> > > > crypto processing on the ethernet device during transmission.
> > > > Optional: Yes, default type no-offload Available options:
> > > > lookaside-protocol-offload: look aside protocol offload to HW
> > > > accelerator
> > > > inline-protocol-offload: inline protocol offload on ethernet
> > > > device
> > > > inline-crypto-offload: inline crypto processing on ethernet device
> > > > no-offload: no offloading to hardware
> > > >
> > > > Correct your SA rules to have the desired "type" field.
> > > >
> > > > The ipsecgw application must work fine for QAT PCIe as well as
> > > > Ethernet NIC with IPSec feature provided the VFs as correctly
> > > > bound to
> > > DPDK.
> > > >
> > > >
> > > > > 2. I added support for ESP header and trailer insertion for
> > > > > inline-protocol- offload for intel x540 Can you tell me the
> > > > > exact command line to run the application for this mode ?
> > > > > is vdev required ?
> > > >
> > > > The ipsecgw application must work fine for QAT PCIe as well as
> > > > Ethernet NIC with IPSec feature provided the VFs as correctly
> > > > bound to
> > > DPDK.
> > > > Please try running a more basic L2Fwd Crypto application on your
> > > > NIC to make sure the Crypto feature works.
> > > >
> > > > Regards,
> > > > Sandesh
> > > >
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Avi Cohen (A) [mailto:avi.cohen@huawei.com]
> > > > > Sent: Monday, January 08, 2018 10:05 PM
> > > > > To: Gowda, Sandesh <sandesh.gowda@intel.com>; users@dpdk.org
> > > > > Subject: RE: IPSEC-SECGW sample application
> > > > >
> > > > >
> > > > > Hi Sandesh [I added one more question] Thank you - I already
> > > > > understood that.
> > > > > 1. I see in the documentation that this app. Supports only
> > > > > **complete offload**.
> > > > > But Intel NICS x540 and 82599 which supports ipsec offload
> > > > > requires that the SW will add/remove the ESP headers How can I
> > > > > run this app with
> > > > x540 nic ?
> > > > >
> > > > > 2. I added support for ESP header and trailer insertion for
> > > > > inline-protocol- offload for intel x540 Can you tell me the
> > > > > exact command line to run the application for this mode ?
> > > > > is vdev required ?
> > > > > Best Regards
> > > > > Avi
> > > > > >
> > > > > >
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Gowda, Sandesh [mailto:sandesh.gowda@intel.com]
> > > > > > > Sent: Monday, 08 January, 2018 10:47 AM
> > > > > > > To: Avi Cohen (A); users@dpdk.org
> > > > > > > Subject: RE: IPSEC-SECGW sample application
> > > > > > >
> > > > > > >
> > > > > > > Hi Avi,
> > > > > > >
> > > > > > > The application classifies the ports as Protected and Unprotected.
> > > > > > > Thus,
> > > > > > traffic
> > > > > > > received on an Unprotected or Protected port is consider
> > > > > > > Inbound or
> > > > > > Outbound
> > > > > > > respectively.
> > > > > > > ( Refer :
> > > > > > > http://dpdk.org/doc/guides/sample_app_ug/ipsec_secgw.html
> > > > > > > )
> > > > > > >
> > > > > > > The Packets sent on a Unprotected network requires
> > > > > > > Encryption whereas packets on Protected Network can be plain text.
> > > > > > > This is the expected behavior.
> > > > > > >
> > > > > > > Regards,
> > > > > > > Sandesh
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: users [mailto:users-bounces@dpdk.org] On Behalf Of Avi
> > > > > > > Cohen
> > > > > > > (A)
> > > > > > > Sent: Sunday, January 07, 2018 9:12 PM
> > > > > > > To: users@dpdk.org
> > > > > > > Subject: [dpdk-users] IPSEC-SECGW sample application
> > > > > > >
> > > > > > >
> > > > > > > Hello
> > > > > > > I'm using the DPDK17.11 and running the sample app. Ipsec_secgw.
> > > > > > > I have 2 ports port 0 is protected and port 1 is unprotected
> > > > > > > Traffic is received
> > > > > > in
> > > > > > > the unprotected and should be sent to the protected port
> > > > > > > for encryption But the traffic processing for the traffic
> > > > > > > received in the unprotected port is going through the
> > > **process_pkts_inbound ** .
> > > > > > > I expect that the traffic should be directed to the
> > > > > > **process_pkts_outbound**
> > > > > > > [where ESP headers are added etc.] Can someone help ?
> > > > > > >
> > > > > > >
> > > > > > > This is the config file:
> > > > > > >
> > > > > > > #SP rules
> > > > > > > sp ipv4 in esp protect 5 src 1.1.1.2/32 dst 1.1.2.10/32 #SA
> > > > > > > rules sa in 5 cipher_algo aes-128-cbc cipher_key
> > > > > > > 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ auth_algo sha1-hmac
> > > > > > > auth_key
> > > > > > > 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ mode ipv4-tunnel
> > > > > > > src
> > > > > > > 172.16.1.5 dst 172.16.2.5 \ type inline-protocol-offload
> > > > > > > port_id
> > > > > > > 0 #Routing rules rt ipv4 dst 172.16.2.5/32 port 0 rt ipv4
> > > > > > > dst
> > > > > > > 1.1.2.0/24 port 0 rt ipv4 dst
> > > > > > > 1.1.1.0/24 port 0
> > > > > > >
> > > > > > >
> > > > > > > and this is the command line to run the applic:
> > > > > > >
> > > > > > > ./ipsec-secgw -l 1 -n 2 -- -p 0x3 -P -u 0x2
> > > > > > > --config="(0,0,1),(1,0,1)" -f ../ep1.cfg
> > > > > > >
> > > > > > >
> > > > > > > Best Regards
> > > > > > > Avi
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [dpdk-users] IPSEC-SECGW sample application
2018-01-09 10:00 ` De Lara Guarch, Pablo
2018-01-09 15:15 ` Avi Cohen (A)
2018-01-14 13:53 ` Avi Cohen (A)
@ 2018-01-15 13:54 ` Avi Cohen (A)
2 siblings, 0 replies; 10+ messages in thread
From: Avi Cohen (A) @ 2018-01-15 13:54 UTC (permalink / raw)
To: De Lara Guarch, Pablo, Gowda, Sandesh, users
The ip-checksum is not calculated in the inbound direction - any idea why ? (Intel x540)
> -----Original Message-----
> From: Avi Cohen (A)
> Sent: Sunday, 14 January, 2018 3:53 PM
> To: 'De Lara Guarch, Pablo'; 'Gowda, Sandesh'; 'users@dpdk.org'
> Subject: RE: IPSEC-SECGW sample application
>
> Hi Sandesh
> The ipsec-secgw is generally working except for the cksm.
> e.g. when I send icmp echo request - I see bad checksum in the destination
> machine is HW cksm offload coexists with ipsec offload ? other ?
> Best Regards
> Avi
>
> > -----Original Message-----
> > From: Avi Cohen (A)
> > Sent: Tuesday, 09 January, 2018 5:15 PM
> > To: 'De Lara Guarch, Pablo'; Gowda, Sandesh; users@dpdk.org
> > Subject: RE: IPSEC-SECGW sample application
> >
> > Thank you Sandesh and Pablo
> > I went back to the ipsec-secgw app.
> > with gdb I saw that the ixgbe driver is complaining about the aead
> > algo, so I only changed the sa configuration I added the aead algo to
> > the sa - and now ipsec offload is working fine.
> >
> > sa in 105 aead_algo aes-128-gcm \
> > aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
> > mode ipv4-tunnel src 172.16.2.5 dst 172.16.1.5
> >
> > Best Regards
> > Avi
> > > -----Original Message-----
> > > From: De Lara Guarch, Pablo [mailto:pablo.de.lara.guarch@intel.com]
> > > Sent: Tuesday, 09 January, 2018 12:00 PM
> > > To: Avi Cohen (A); Gowda, Sandesh; users@dpdk.org
> > > Subject: RE: IPSEC-SECGW sample application
> > >
> > > Hi Avi,
> > >
> > > > -----Original Message-----
> > > > From: users [mailto:users-bounces@dpdk.org] On Behalf Of Avi Cohen
> > > > (A)
> > > > Sent: Tuesday, January 9, 2018 9:39 AM
> > > > To: Gowda, Sandesh <sandesh.gowda@intel.com>; users@dpdk.org
> > > > Subject: Re: [dpdk-users] IPSEC-SECGW sample application
> > > >
> > > > Thank you Sandesh
> > > > I'm trying to run the l2fwd-crypto sample app. but got this error msg :
> > > > "No crypto devices available
> > > > EAL: Error - exiting with code: 1
> > > > Cause: Failed to initialize crypto devices"
> > > >
> > > > My setup include 2 physical ports (intel x540) bound to dpdk -
> > > > these Nics are ipsec offload capable.
> > >
> > > L2fwd-crypto does not support inline IPSec. For this application,
> > > you can only use crypto devices (under crypto folder).
> > >
> > > Pablo
> > >
> > > >
> > > > The cmd-line I use is:
> > > > ./l2fwd-crypto -l 0-1 -n 4 -- -p 0x3 --cdev_type HW --chain
> > > > CIPHER_HASH -- cipher_op ENCRYPT --cipher_algo aes-cbc
> > > > --cipher_key 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f
> > > > --auth_op GENERATE
> > > > -- auth_algo aes-xcbc-mac --auth_key
> > > > 10:11:12:13:14:15:16:17:18:19:1a:1b:1c:1d:1e:1f
> > > >
> > > > Best Regards
> > > > Avi
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Gowda, Sandesh [mailto:sandesh.gowda@intel.com]
> > > > > Sent: Monday, 08 January, 2018 7:23 PM
> > > > > To: Avi Cohen (A); users@dpdk.org
> > > > > Subject: RE: IPSEC-SECGW sample application
> > > > >
> > > > > Hi Avi,
> > > > >
> > > > > My response inline.
> > > > >
> > > > > > 1. I see in the documentation that this app. Supports only
> > > > > > **complete offload**.
> > > > > > But Intel NICS x540 and 82599 which supports ipsec offload
> > > > > > requires that the SW will add/remove the ESP headers How can
> > > > > > I run this app with
> > > > > x540 nic ?
> > > > >
> > > > > The SA rule "type" field lets you choose the kind of offload.
> > > > > Following is the description from the ipsecgw app guide:
> > > > >
> > > > > <type>
> > > > >
> > > > > Action type to specify the security action. This option specify
> > > > > the SA to be performed with look aside protocol offload to HW
> > > > > accelerator or protocol offload on ethernet device or inline
> > > > > crypto processing on the ethernet device during transmission.
> > > > > Optional: Yes, default type no-offload Available options:
> > > > > lookaside-protocol-offload: look aside protocol offload to HW
> > > > > accelerator
> > > > > inline-protocol-offload: inline protocol offload on ethernet
> > > > > device
> > > > > inline-crypto-offload: inline crypto processing on ethernet
> > > > > device
> > > > > no-offload: no offloading to hardware
> > > > >
> > > > > Correct your SA rules to have the desired "type" field.
> > > > >
> > > > > The ipsecgw application must work fine for QAT PCIe as well as
> > > > > Ethernet NIC with IPSec feature provided the VFs as correctly
> > > > > bound to
> > > > DPDK.
> > > > >
> > > > >
> > > > > > 2. I added support for ESP header and trailer insertion for
> > > > > > inline-protocol- offload for intel x540 Can you tell me the
> > > > > > exact command line to run the application for this mode ?
> > > > > > is vdev required ?
> > > > >
> > > > > The ipsecgw application must work fine for QAT PCIe as well as
> > > > > Ethernet NIC with IPSec feature provided the VFs as correctly
> > > > > bound to
> > > > DPDK.
> > > > > Please try running a more basic L2Fwd Crypto application on your
> > > > > NIC to make sure the Crypto feature works.
> > > > >
> > > > > Regards,
> > > > > Sandesh
> > > > >
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Avi Cohen (A) [mailto:avi.cohen@huawei.com]
> > > > > > Sent: Monday, January 08, 2018 10:05 PM
> > > > > > To: Gowda, Sandesh <sandesh.gowda@intel.com>; users@dpdk.org
> > > > > > Subject: RE: IPSEC-SECGW sample application
> > > > > >
> > > > > >
> > > > > > Hi Sandesh [I added one more question] Thank you - I
> > > > > > already understood that.
> > > > > > 1. I see in the documentation that this app. Supports only
> > > > > > **complete offload**.
> > > > > > But Intel NICS x540 and 82599 which supports ipsec offload
> > > > > > requires that the SW will add/remove the ESP headers How can
> > > > > > I run this app with
> > > > > x540 nic ?
> > > > > >
> > > > > > 2. I added support for ESP header and trailer insertion for
> > > > > > inline-protocol- offload for intel x540 Can you tell me the
> > > > > > exact command line to run the application for this mode ?
> > > > > > is vdev required ?
> > > > > > Best Regards
> > > > > > Avi
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Gowda, Sandesh [mailto:sandesh.gowda@intel.com]
> > > > > > > > Sent: Monday, 08 January, 2018 10:47 AM
> > > > > > > > To: Avi Cohen (A); users@dpdk.org
> > > > > > > > Subject: RE: IPSEC-SECGW sample application
> > > > > > > >
> > > > > > > >
> > > > > > > > Hi Avi,
> > > > > > > >
> > > > > > > > The application classifies the ports as Protected and Unprotected.
> > > > > > > > Thus,
> > > > > > > traffic
> > > > > > > > received on an Unprotected or Protected port is consider
> > > > > > > > Inbound or
> > > > > > > Outbound
> > > > > > > > respectively.
> > > > > > > > ( Refer :
> > > > > > > > http://dpdk.org/doc/guides/sample_app_ug/ipsec_secgw.html
> > > > > > > > )
> > > > > > > >
> > > > > > > > The Packets sent on a Unprotected network requires
> > > > > > > > Encryption whereas packets on Protected Network can be plain
> text.
> > > > > > > > This is the expected behavior.
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > Sandesh
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: users [mailto:users-bounces@dpdk.org] On Behalf Of
> > > > > > > > Avi Cohen
> > > > > > > > (A)
> > > > > > > > Sent: Sunday, January 07, 2018 9:12 PM
> > > > > > > > To: users@dpdk.org
> > > > > > > > Subject: [dpdk-users] IPSEC-SECGW sample application
> > > > > > > >
> > > > > > > >
> > > > > > > > Hello
> > > > > > > > I'm using the DPDK17.11 and running the sample app.
> Ipsec_secgw.
> > > > > > > > I have 2 ports port 0 is protected and port 1 is
> > > > > > > > unprotected Traffic is received
> > > > > > > in
> > > > > > > > the unprotected and should be sent to the protected port
> > > > > > > > for encryption But the traffic processing for the traffic
> > > > > > > > received in the unprotected port is going through the
> > > > **process_pkts_inbound ** .
> > > > > > > > I expect that the traffic should be directed to the
> > > > > > > **process_pkts_outbound**
> > > > > > > > [where ESP headers are added etc.] Can someone help ?
> > > > > > > >
> > > > > > > >
> > > > > > > > This is the config file:
> > > > > > > >
> > > > > > > > #SP rules
> > > > > > > > sp ipv4 in esp protect 5 src 1.1.1.2/32 dst 1.1.2.10/32
> > > > > > > > #SA rules sa in 5 cipher_algo aes-128-cbc cipher_key
> > > > > > > > 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ auth_algo sha1-hmac
> > > > > > > > auth_key
> > > > > > > > 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ mode ipv4-tunnel
> > > > > > > > src
> > > > > > > > 172.16.1.5 dst 172.16.2.5 \ type inline-protocol-offload
> > > > > > > > port_id
> > > > > > > > 0 #Routing rules rt ipv4 dst 172.16.2.5/32 port 0 rt ipv4
> > > > > > > > dst
> > > > > > > > 1.1.2.0/24 port 0 rt ipv4 dst
> > > > > > > > 1.1.1.0/24 port 0
> > > > > > > >
> > > > > > > >
> > > > > > > > and this is the command line to run the applic:
> > > > > > > >
> > > > > > > > ./ipsec-secgw -l 1 -n 2 -- -p 0x3 -P -u 0x2
> > > > > > > > --config="(0,0,1),(1,0,1)" -f ../ep1.cfg
> > > > > > > >
> > > > > > > >
> > > > > > > > Best Regards
> > > > > > > > Avi
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2018-01-15 13:55 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-01-07 15:41 [dpdk-users] IPSEC-SECGW sample application Avi Cohen (A)
2018-01-08 8:47 ` Gowda, Sandesh
2018-01-08 11:47 ` Avi Cohen (A)
2018-01-08 16:34 ` Avi Cohen (A)
2018-01-08 17:23 ` Gowda, Sandesh
2018-01-09 9:38 ` Avi Cohen (A)
2018-01-09 10:00 ` De Lara Guarch, Pablo
2018-01-09 15:15 ` Avi Cohen (A)
2018-01-14 13:53 ` Avi Cohen (A)
2018-01-15 13:54 ` Avi Cohen (A)
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).