From: "Gowda, Sandesh" <sandesh.gowda@intel.com>
To: "Avi Cohen (A)" <avi.cohen@huawei.com>,
"users@dpdk.org" <users@dpdk.org>
Subject: Re: [dpdk-users] IPSEC-SECGW sample application
Date: Mon, 8 Jan 2018 17:23:05 +0000 [thread overview]
Message-ID: <EDE1359882508442A045AB0CF959E30B70AEC7B8@PGSMSX102.gar.corp.intel.com> (raw)
In-Reply-To: <B84047ECBD981D4B93EAE5A6245AA36101594BEC@FRAEML521-MBX.china.huawei.com>
Hi Avi,
My response inline.
> 1. I see in the documentation that this app. Supports only **complete
> offload**.
> But Intel NICS x540 and 82599 which supports ipsec offload requires that the
> SW will add/remove the ESP headers How can I run this app with x540 nic ?
The SA rule "type" field lets you choose the kind of offload.
Following is the description from the ipsecgw app guide:
<type>
Action type to specify the security action. This option specify the SA to be performed with look aside protocol offload to HW accelerator or protocol offload on ethernet device or inline crypto processing on the ethernet device during transmission.
Optional: Yes, default type no-offload
Available options:
lookaside-protocol-offload: look aside protocol offload to HW accelerator
inline-protocol-offload: inline protocol offload on ethernet device
inline-crypto-offload: inline crypto processing on ethernet device
no-offload: no offloading to hardware
Correct your SA rules to have the desired "type" field.
The ipsecgw application must work fine for QAT PCIe as well as Ethernet NIC with IPSec feature provided the VFs as correctly bound to DPDK.
> 2. I added support for ESP header and trailer insertion for inline-protocol-
> offload for intel x540
> Can you tell me the exact command line to run the application for this mode ?
> is vdev required ?
The ipsecgw application must work fine for QAT PCIe as well as Ethernet NIC with IPSec feature provided the VFs as correctly bound to DPDK.
Please try running a more basic L2Fwd Crypto application on your NIC to make sure the Crypto feature works.
Regards,
Sandesh
> -----Original Message-----
> From: Avi Cohen (A) [mailto:avi.cohen@huawei.com]
> Sent: Monday, January 08, 2018 10:05 PM
> To: Gowda, Sandesh <sandesh.gowda@intel.com>; users@dpdk.org
> Subject: RE: IPSEC-SECGW sample application
>
>
> Hi Sandesh [I added one more question] Thank you - I already understood
> that.
> 1. I see in the documentation that this app. Supports only **complete
> offload**.
> But Intel NICS x540 and 82599 which supports ipsec offload requires that the
> SW will add/remove the ESP headers How can I run this app with x540 nic ?
>
> 2. I added support for ESP header and trailer insertion for inline-protocol-
> offload for intel x540
> Can you tell me the exact command line to run the application for this mode ?
> is vdev required ?
> Best Regards
> Avi
> >
> >
> >
> > > -----Original Message-----
> > > From: Gowda, Sandesh [mailto:sandesh.gowda@intel.com]
> > > Sent: Monday, 08 January, 2018 10:47 AM
> > > To: Avi Cohen (A); users@dpdk.org
> > > Subject: RE: IPSEC-SECGW sample application
> > >
> > >
> > > Hi Avi,
> > >
> > > The application classifies the ports as Protected and Unprotected.
> > > Thus,
> > traffic
> > > received on an Unprotected or Protected port is consider Inbound or
> > Outbound
> > > respectively.
> > > ( Refer : http://dpdk.org/doc/guides/sample_app_ug/ipsec_secgw.html
> > > )
> > >
> > > The Packets sent on a Unprotected network requires Encryption
> > > whereas packets on Protected Network can be plain text.
> > > This is the expected behavior.
> > >
> > > Regards,
> > > Sandesh
> > >
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: users [mailto:users-bounces@dpdk.org] On Behalf Of Avi Cohen
> > > (A)
> > > Sent: Sunday, January 07, 2018 9:12 PM
> > > To: users@dpdk.org
> > > Subject: [dpdk-users] IPSEC-SECGW sample application
> > >
> > >
> > > Hello
> > > I'm using the DPDK17.11 and running the sample app. Ipsec_secgw.
> > > I have 2 ports port 0 is protected and port 1 is unprotected Traffic
> > > is received
> > in
> > > the unprotected and should be sent to the protected port for
> > > encryption But the traffic processing for the traffic received in
> > > the unprotected port is going through the **process_pkts_inbound ** .
> > > I expect that the traffic should be directed to the
> > **process_pkts_outbound**
> > > [where ESP headers are added etc.] Can someone help ?
> > >
> > >
> > > This is the config file:
> > >
> > > #SP rules
> > > sp ipv4 in esp protect 5 src 1.1.1.2/32 dst 1.1.2.10/32 #SA rules sa
> > > in 5 cipher_algo aes-128-cbc cipher_key
> > > 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ auth_algo sha1-hmac auth_key
> > > 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ mode ipv4-tunnel src
> > > 172.16.1.5 dst 172.16.2.5 \ type inline-protocol-offload port_id 0
> > > #Routing rules rt ipv4 dst 172.16.2.5/32 port 0 rt ipv4 dst
> > > 1.1.2.0/24 port 0 rt ipv4 dst
> > > 1.1.1.0/24 port 0
> > >
> > >
> > > and this is the command line to run the applic:
> > >
> > > ./ipsec-secgw -l 1 -n 2 -- -p 0x3 -P -u 0x2
> > > --config="(0,0,1),(1,0,1)" -f ../ep1.cfg
> > >
> > >
> > > Best Regards
> > > Avi
next prev parent reply other threads:[~2018-01-08 17:23 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-07 15:41 Avi Cohen (A)
2018-01-08 8:47 ` Gowda, Sandesh
2018-01-08 11:47 ` Avi Cohen (A)
2018-01-08 16:34 ` Avi Cohen (A)
2018-01-08 17:23 ` Gowda, Sandesh [this message]
2018-01-09 9:38 ` Avi Cohen (A)
2018-01-09 10:00 ` De Lara Guarch, Pablo
2018-01-09 15:15 ` Avi Cohen (A)
2018-01-14 13:53 ` Avi Cohen (A)
2018-01-15 13:54 ` Avi Cohen (A)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=EDE1359882508442A045AB0CF959E30B70AEC7B8@PGSMSX102.gar.corp.intel.com \
--to=sandesh.gowda@intel.com \
--cc=avi.cohen@huawei.com \
--cc=users@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).