From: "Avi Cohen (A)" <avi.cohen@huawei.com>
To: "De Lara Guarch, Pablo" <pablo.de.lara.guarch@intel.com>,
"Gowda, Sandesh" <sandesh.gowda@intel.com>,
"users@dpdk.org" <users@dpdk.org>
Subject: Re: [dpdk-users] IPSEC-SECGW sample application
Date: Mon, 15 Jan 2018 13:54:56 +0000 [thread overview]
Message-ID: <B84047ECBD981D4B93EAE5A6245AA3610159511D@FRAEML521-MBX.china.huawei.com> (raw)
In-Reply-To: <E115CCD9D858EF4F90C690B0DCB4D8976CC6AA86@IRSMSX108.ger.corp.intel.com>
The ip-checksum is not calculated in the inbound direction - any idea why ? (Intel x540)
> -----Original Message-----
> From: Avi Cohen (A)
> Sent: Sunday, 14 January, 2018 3:53 PM
> To: 'De Lara Guarch, Pablo'; 'Gowda, Sandesh'; 'users@dpdk.org'
> Subject: RE: IPSEC-SECGW sample application
>
> Hi Sandesh
> The ipsec-secgw is generally working except for the cksm.
> e.g. when I send icmp echo request - I see bad checksum in the destination
> machine is HW cksm offload coexists with ipsec offload ? other ?
> Best Regards
> Avi
>
> > -----Original Message-----
> > From: Avi Cohen (A)
> > Sent: Tuesday, 09 January, 2018 5:15 PM
> > To: 'De Lara Guarch, Pablo'; Gowda, Sandesh; users@dpdk.org
> > Subject: RE: IPSEC-SECGW sample application
> >
> > Thank you Sandesh and Pablo
> > I went back to the ipsec-secgw app.
> > with gdb I saw that the ixgbe driver is complaining about the aead
> > algo, so I only changed the sa configuration I added the aead algo to
> > the sa - and now ipsec offload is working fine.
> >
> > sa in 105 aead_algo aes-128-gcm \
> > aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
> > mode ipv4-tunnel src 172.16.2.5 dst 172.16.1.5
> >
> > Best Regards
> > Avi
> > > -----Original Message-----
> > > From: De Lara Guarch, Pablo [mailto:pablo.de.lara.guarch@intel.com]
> > > Sent: Tuesday, 09 January, 2018 12:00 PM
> > > To: Avi Cohen (A); Gowda, Sandesh; users@dpdk.org
> > > Subject: RE: IPSEC-SECGW sample application
> > >
> > > Hi Avi,
> > >
> > > > -----Original Message-----
> > > > From: users [mailto:users-bounces@dpdk.org] On Behalf Of Avi Cohen
> > > > (A)
> > > > Sent: Tuesday, January 9, 2018 9:39 AM
> > > > To: Gowda, Sandesh <sandesh.gowda@intel.com>; users@dpdk.org
> > > > Subject: Re: [dpdk-users] IPSEC-SECGW sample application
> > > >
> > > > Thank you Sandesh
> > > > I'm trying to run the l2fwd-crypto sample app. but got this error msg :
> > > > "No crypto devices available
> > > > EAL: Error - exiting with code: 1
> > > > Cause: Failed to initialize crypto devices"
> > > >
> > > > My setup include 2 physical ports (intel x540) bound to dpdk -
> > > > these Nics are ipsec offload capable.
> > >
> > > L2fwd-crypto does not support inline IPSec. For this application,
> > > you can only use crypto devices (under crypto folder).
> > >
> > > Pablo
> > >
> > > >
> > > > The cmd-line I use is:
> > > > ./l2fwd-crypto -l 0-1 -n 4 -- -p 0x3 --cdev_type HW --chain
> > > > CIPHER_HASH -- cipher_op ENCRYPT --cipher_algo aes-cbc
> > > > --cipher_key 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f
> > > > --auth_op GENERATE
> > > > -- auth_algo aes-xcbc-mac --auth_key
> > > > 10:11:12:13:14:15:16:17:18:19:1a:1b:1c:1d:1e:1f
> > > >
> > > > Best Regards
> > > > Avi
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Gowda, Sandesh [mailto:sandesh.gowda@intel.com]
> > > > > Sent: Monday, 08 January, 2018 7:23 PM
> > > > > To: Avi Cohen (A); users@dpdk.org
> > > > > Subject: RE: IPSEC-SECGW sample application
> > > > >
> > > > > Hi Avi,
> > > > >
> > > > > My response inline.
> > > > >
> > > > > > 1. I see in the documentation that this app. Supports only
> > > > > > **complete offload**.
> > > > > > But Intel NICS x540 and 82599 which supports ipsec offload
> > > > > > requires that the SW will add/remove the ESP headers How can
> > > > > > I run this app with
> > > > > x540 nic ?
> > > > >
> > > > > The SA rule "type" field lets you choose the kind of offload.
> > > > > Following is the description from the ipsecgw app guide:
> > > > >
> > > > > <type>
> > > > >
> > > > > Action type to specify the security action. This option specify
> > > > > the SA to be performed with look aside protocol offload to HW
> > > > > accelerator or protocol offload on ethernet device or inline
> > > > > crypto processing on the ethernet device during transmission.
> > > > > Optional: Yes, default type no-offload Available options:
> > > > > lookaside-protocol-offload: look aside protocol offload to HW
> > > > > accelerator
> > > > > inline-protocol-offload: inline protocol offload on ethernet
> > > > > device
> > > > > inline-crypto-offload: inline crypto processing on ethernet
> > > > > device
> > > > > no-offload: no offloading to hardware
> > > > >
> > > > > Correct your SA rules to have the desired "type" field.
> > > > >
> > > > > The ipsecgw application must work fine for QAT PCIe as well as
> > > > > Ethernet NIC with IPSec feature provided the VFs as correctly
> > > > > bound to
> > > > DPDK.
> > > > >
> > > > >
> > > > > > 2. I added support for ESP header and trailer insertion for
> > > > > > inline-protocol- offload for intel x540 Can you tell me the
> > > > > > exact command line to run the application for this mode ?
> > > > > > is vdev required ?
> > > > >
> > > > > The ipsecgw application must work fine for QAT PCIe as well as
> > > > > Ethernet NIC with IPSec feature provided the VFs as correctly
> > > > > bound to
> > > > DPDK.
> > > > > Please try running a more basic L2Fwd Crypto application on your
> > > > > NIC to make sure the Crypto feature works.
> > > > >
> > > > > Regards,
> > > > > Sandesh
> > > > >
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Avi Cohen (A) [mailto:avi.cohen@huawei.com]
> > > > > > Sent: Monday, January 08, 2018 10:05 PM
> > > > > > To: Gowda, Sandesh <sandesh.gowda@intel.com>; users@dpdk.org
> > > > > > Subject: RE: IPSEC-SECGW sample application
> > > > > >
> > > > > >
> > > > > > Hi Sandesh [I added one more question] Thank you - I
> > > > > > already understood that.
> > > > > > 1. I see in the documentation that this app. Supports only
> > > > > > **complete offload**.
> > > > > > But Intel NICS x540 and 82599 which supports ipsec offload
> > > > > > requires that the SW will add/remove the ESP headers How can
> > > > > > I run this app with
> > > > > x540 nic ?
> > > > > >
> > > > > > 2. I added support for ESP header and trailer insertion for
> > > > > > inline-protocol- offload for intel x540 Can you tell me the
> > > > > > exact command line to run the application for this mode ?
> > > > > > is vdev required ?
> > > > > > Best Regards
> > > > > > Avi
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Gowda, Sandesh [mailto:sandesh.gowda@intel.com]
> > > > > > > > Sent: Monday, 08 January, 2018 10:47 AM
> > > > > > > > To: Avi Cohen (A); users@dpdk.org
> > > > > > > > Subject: RE: IPSEC-SECGW sample application
> > > > > > > >
> > > > > > > >
> > > > > > > > Hi Avi,
> > > > > > > >
> > > > > > > > The application classifies the ports as Protected and Unprotected.
> > > > > > > > Thus,
> > > > > > > traffic
> > > > > > > > received on an Unprotected or Protected port is consider
> > > > > > > > Inbound or
> > > > > > > Outbound
> > > > > > > > respectively.
> > > > > > > > ( Refer :
> > > > > > > > http://dpdk.org/doc/guides/sample_app_ug/ipsec_secgw.html
> > > > > > > > )
> > > > > > > >
> > > > > > > > The Packets sent on a Unprotected network requires
> > > > > > > > Encryption whereas packets on Protected Network can be plain
> text.
> > > > > > > > This is the expected behavior.
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > Sandesh
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: users [mailto:users-bounces@dpdk.org] On Behalf Of
> > > > > > > > Avi Cohen
> > > > > > > > (A)
> > > > > > > > Sent: Sunday, January 07, 2018 9:12 PM
> > > > > > > > To: users@dpdk.org
> > > > > > > > Subject: [dpdk-users] IPSEC-SECGW sample application
> > > > > > > >
> > > > > > > >
> > > > > > > > Hello
> > > > > > > > I'm using the DPDK17.11 and running the sample app.
> Ipsec_secgw.
> > > > > > > > I have 2 ports port 0 is protected and port 1 is
> > > > > > > > unprotected Traffic is received
> > > > > > > in
> > > > > > > > the unprotected and should be sent to the protected port
> > > > > > > > for encryption But the traffic processing for the traffic
> > > > > > > > received in the unprotected port is going through the
> > > > **process_pkts_inbound ** .
> > > > > > > > I expect that the traffic should be directed to the
> > > > > > > **process_pkts_outbound**
> > > > > > > > [where ESP headers are added etc.] Can someone help ?
> > > > > > > >
> > > > > > > >
> > > > > > > > This is the config file:
> > > > > > > >
> > > > > > > > #SP rules
> > > > > > > > sp ipv4 in esp protect 5 src 1.1.1.2/32 dst 1.1.2.10/32
> > > > > > > > #SA rules sa in 5 cipher_algo aes-128-cbc cipher_key
> > > > > > > > 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ auth_algo sha1-hmac
> > > > > > > > auth_key
> > > > > > > > 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ mode ipv4-tunnel
> > > > > > > > src
> > > > > > > > 172.16.1.5 dst 172.16.2.5 \ type inline-protocol-offload
> > > > > > > > port_id
> > > > > > > > 0 #Routing rules rt ipv4 dst 172.16.2.5/32 port 0 rt ipv4
> > > > > > > > dst
> > > > > > > > 1.1.2.0/24 port 0 rt ipv4 dst
> > > > > > > > 1.1.1.0/24 port 0
> > > > > > > >
> > > > > > > >
> > > > > > > > and this is the command line to run the applic:
> > > > > > > >
> > > > > > > > ./ipsec-secgw -l 1 -n 2 -- -p 0x3 -P -u 0x2
> > > > > > > > --config="(0,0,1),(1,0,1)" -f ../ep1.cfg
> > > > > > > >
> > > > > > > >
> > > > > > > > Best Regards
> > > > > > > > Avi
prev parent reply other threads:[~2018-01-15 13:55 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-07 15:41 Avi Cohen (A)
2018-01-08 8:47 ` Gowda, Sandesh
2018-01-08 11:47 ` Avi Cohen (A)
2018-01-08 16:34 ` Avi Cohen (A)
2018-01-08 17:23 ` Gowda, Sandesh
2018-01-09 9:38 ` Avi Cohen (A)
2018-01-09 10:00 ` De Lara Guarch, Pablo
2018-01-09 15:15 ` Avi Cohen (A)
2018-01-14 13:53 ` Avi Cohen (A)
2018-01-15 13:54 ` Avi Cohen (A) [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=B84047ECBD981D4B93EAE5A6245AA3610159511D@FRAEML521-MBX.china.huawei.com \
--to=avi.cohen@huawei.com \
--cc=pablo.de.lara.guarch@intel.com \
--cc=sandesh.gowda@intel.com \
--cc=users@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).