From: "Gowda, Sandesh"
To: "Avi Cohen (A)", "users@dpdk.org"
Date: Mon, 8 Jan 2018 17:23:05 +0000
Subject: Re: [dpdk-users] IPSEC-SECGW sample application

Hi Avi,

My response inline.

> 1. I see in the documentation that this app. Supports only **complete
> offload**.
> But Intel NICS x540 and 82599 which supports ipsec offload requires that the
> SW will add/remove the ESP headers How can I run this app with x540 nic ?

The SA rule "type" field lets you choose the kind of offload.
Following is the description from the ipsecgw app guide:

Action type to specify the security action. This option specify the SA to be
performed with look aside protocol offload to HW accelerator or protocol
offload on ethernet device or inline crypto processing on the ethernet device
during transmission.

Optional: Yes, default type no-offload

Available options:

lookaside-protocol-offload: look aside protocol offload to HW accelerator
inline-protocol-offload: inline protocol offload on ethernet device
inline-crypto-offload: inline crypto processing on ethernet device
no-offload: no offloading to hardware

Correct your SA rules to have the desired "type" field.
The ipsecgw application must work fine for QAT PCIe as well as Ethernet NIC
with IPSec feature provided the VFs are correctly bound to DPDK.

> 2. I added support for ESP header and trailer insertion for
> inline-protocol-offload for intel x540
> Can you tell me the exact command line to run the application for this mode ?
> is vdev required ?

The ipsecgw application must work fine for QAT PCIe as well as Ethernet NIC
with IPSec feature provided the VFs are correctly bound to DPDK.
Please try running a more basic L2Fwd Crypto application on your NIC to make
sure the Crypto feature works.

Regards,
Sandesh

> -----Original Message-----
> From: Avi Cohen (A) [mailto:avi.cohen@huawei.com]
> Sent: Monday, January 08, 2018 10:05 PM
> To: Gowda, Sandesh ; users@dpdk.org
> Subject: RE: IPSEC-SECGW sample application
>
> Hi Sandesh [I added one more question] Thank you - I already understood
> that.
> 1. I see in the documentation that this app. Supports only **complete
> offload**.
> But Intel NICS x540 and 82599 which supports ipsec offload requires that the
> SW will add/remove the ESP headers How can I run this app with x540 nic ?
>
> 2. I added support for ESP header and trailer insertion for
> inline-protocol-offload for intel x540
> Can you tell me the exact command line to run the application for this mode ?
> is vdev required ?
> Best Regards
> Avi
>
> > > -----Original Message-----
> > > From: Gowda, Sandesh [mailto:sandesh.gowda@intel.com]
> > > Sent: Monday, 08 January, 2018 10:47 AM
> > > To: Avi Cohen (A); users@dpdk.org
> > > Subject: RE: IPSEC-SECGW sample application
> > >
> > > Hi Avi,
> > >
> > > The application classifies the ports as Protected and Unprotected.
> > > Thus, traffic received on an Unprotected or Protected port is
> > > considered Inbound or Outbound respectively.
> > > ( Refer : http://dpdk.org/doc/guides/sample_app_ug/ipsec_secgw.html )
> > >
> > > The Packets sent on a Unprotected network requires Encryption
> > > whereas packets on Protected Network can be plain text.
> > > This is the expected behavior.
> > >
> > > Regards,
> > > Sandesh
> > >
> > > -----Original Message-----
> > > From: users [mailto:users-bounces@dpdk.org] On Behalf Of Avi Cohen (A)
> > > Sent: Sunday, January 07, 2018 9:12 PM
> > > To: users@dpdk.org
> > > Subject: [dpdk-users] IPSEC-SECGW sample application
> > >
> > > Hello
> > > I'm using the DPDK17.11 and running the sample app. Ipsec_secgw.
> > > I have 2 ports port 0 is protected and port 1 is unprotected Traffic
> > > is received in the unprotected and should be sent to the protected
> > > port for encryption But the traffic processing for the traffic
> > > received in the unprotected port is going through the
> > > **process_pkts_inbound** .
> > > I expect that the traffic should be directed to the
> > > **process_pkts_outbound**
> > > [where ESP headers are added etc.] Can someone help ?
> > >
> > > This is the config file:
> > >
> > > #SP rules
> > > sp ipv4 in esp protect 5 src 1.1.1.2/32 dst 1.1.2.10/32
> > > #SA rules
> > > sa in 5 cipher_algo aes-128-cbc cipher_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
> > > auth_algo sha1-hmac auth_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
> > > mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \
> > > type inline-protocol-offload port_id 0
> > > #Routing rules
> > > rt ipv4 dst 172.16.2.5/32 port 0
> > > rt ipv4 dst 1.1.2.0/24 port 0
> > > rt ipv4 dst 1.1.1.0/24 port 0
> > >
> > > and this is the command line to run the applic:
> > >
> > > ./ipsec-secgw -l 1 -n 2 -- -p 0x3 -P -u 0x2 --config="(0,0,1),(1,0,1)" -f ../ep1.cfg
> > >
> > > Best Regards
> > > Avi
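
Added example, not part of the original thread and not DPDK code: a small Python check that reads an ipsec-secgw config like the one quoted above, validates each SA "type" against the four options listed in the reply, flags all-zero keys, and reports ports whose RX direction (unprotected = inbound, protected = outbound, as described in the thread) has no matching SA rule. The function names are hypothetical, and it assumes every SA option after the SPI is a key/value pair.

```python
VALID_TYPES = {"lookaside-protocol-offload", "inline-protocol-offload",
               "inline-crypto-offload", "no-offload"}
# Constructed sample: the config quoted in the thread, one rule per logical line.
SAMPLE_CFG = """\
#SP rules
sp ipv4 in esp protect 5 src 1.1.1.2/32 dst 1.1.2.10/32
#SA rules
sa in 5 cipher_algo aes-128-cbc cipher_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \\
auth_algo sha1-hmac auth_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \\
mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \\
type inline-protocol-offload port_id 0
#Routing rules
rt ipv4 dst 172.16.2.5/32 port 0
"""

def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and # comments."""
    joined = text.replace("\\\n", " ")
    return [l.split() for l in joined.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def parse_sas(text):
    """Return one dict per 'sa' rule: direction, SPI, type and raw options."""
    sas = []
    for tok in logical_lines(text):
        if tok[0] != "sa":
            continue
        # Assumption: options after "sa <dir> <spi>" come as key/value pairs.
        opts = dict(zip(tok[3::2], tok[4::2]))
        sas.append({"dir": tok[1], "spi": int(tok[2]),
                    "type": opts.get("type", "no-offload"), "opts": opts})
    return sas

def lint(text, unprotected_mask, port_mask):
    """Return findings for SA types, zero keys and per-port RX direction."""
    findings, sas = [], parse_sas(text)
    for sa in sas:
        if sa["type"] not in VALID_TYPES:
            findings.append(f"SA {sa['spi']}: unknown type {sa['type']!r}")
        for k in ("cipher_key", "auth_key"):
            key = sa["opts"].get(k)
            if key and all(int(b, 16) == 0 for b in key.split(":")):
                findings.append(f"SA {sa['spi']}: {k} is all zeros")
    for port in range(port_mask.bit_length()):
        # Per the thread: RX on an unprotected port is inbound, protected is outbound.
        d = "in" if unprotected_mask >> port & 1 else "out"
        if port_mask >> port & 1 and not any(sa["dir"] == d for sa in sas):
            findings.append(f"port {port}: RX processed as '{d}', no 'sa {d}' rule")
    return findings
```

Calling `lint(SAMPLE_CFG, unprotected_mask=0x2, port_mask=0x3)` mirrors the `-u 0x2 -p 0x3` command line from the thread.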