History log of /dpdk/examples/ipsec-secgw/ipsec.c (Results 1 – 25 of 56)
Revision tags: v22.03, v22.03-rc4, v22.03-rc3, v22.03-rc2, v22.03-rc1, v21.11, v21.11-rc4, v21.11-rc3, v21.11-rc2
# 560029d5 01-Nov-2021 Radu Nicolau <[email protected]>

examples/ipsec-secgw: define initial ESN value

New option added to the SA configuration arguments that
allows setting an arbitrary start value for ESN.

For example in the SA below ESN will be enabled and first egress
IPsec packet will have the ESN value 10000:

sa out 15 cipher_algo null auth_algo null mode ipv4-tunnel \
src 172.16.1.5 dst 172.16.2.5 \
esn 10000

Signed-off-by: Declan Doherty <[email protected]>
Signed-off-by: Radu Nicolau <[email protected]>
Acked-by: Akhil Goyal <[email protected]>


# 9ae86b4c 01-Nov-2021 Radu Nicolau <[email protected]>

examples/ipsec-secgw: support UDP encap for inline crypto

Enable UDP encapsulation for both transport and tunnel modes for the
inline crypto offload path.

Signed-off-by: Radu Nicolau <[email protected]>
Acked-by: Akhil Goyal <[email protected]>


# 6019fead 01-Nov-2021 Radu Nicolau <[email protected]>

examples/ipsec-secgw: update inline session create

Rework create inline session function as to update the session
configuration parameters before create session is called.
Also updated the rss key array size to prevent buffer overflows
with PMDs that copy more than 40 bytes.

Signed-off-by: Radu Nicolau <[email protected]>
Acked-by: Akhil Goyal <[email protected]>


Revision tags: v21.11-rc1
# 5d05af55 28-Sep-2021 Anoob Joseph <[email protected]>

examples/ipsec-secgw: clear soft expiry configuration

Soft expiry is not a mandatory IPsec feature. It is verified separately
with IPsec unit tests. So configuration of the same is not required.
Also, soft expiry tracking can cause perf degradation with some PMDs.
Since a separate UT is available and the same setting in ipsec-secgw is
not verifying the functionality, remove the same by clearing life
configuration.

Signed-off-by: Anoob Joseph <[email protected]>
Acked-by: Akhil Goyal <[email protected]>


# ad7515a3 28-Sep-2021 Anoob Joseph <[email protected]>

security: add SA lifetime configuration

Add SA lifetime configuration to register soft and hard expiry limits.
Expiry can be in units of number of packets or bytes. Crypto op
status is also updated to include new field, aux_flags, which can be
used to indicate cases such as soft expiry in case of lookaside
protocol operations.

In case of soft expiry, the packets are successfully IPsec processed but
the soft expiry would indicate that SA needs to be reconfigured. For
inline protocol capable ethdev, this would result in an eth event while
for lookaside protocol capable cryptodev, this can be communicated via
`rte_crypto_op.aux_flags` field.

In case of hard expiry, the packets will not be IPsec processed and
would result in error.

Signed-off-by: Anoob Joseph <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>
Acked-by: Akhil Goyal <[email protected]>


Revision tags: v21.08, v21.08-rc4, v21.08-rc3, v21.08-rc2, v21.08-rc1, v21.05, v21.05-rc4, v21.05-rc3, v21.05-rc2, v21.05-rc1
# 9a1cc8f1 15-Apr-2021 Tejasree Kondoj <[email protected]>

examples/ipsec-secgw: support UDP encapsulation

Adding lookaside IPsec UDP encapsulation support
for NAT traversal.
Application has to add udp-encap option to sa config file
to enable UDP encapsulation on the SA.

Signed-off-by: Tejasree Kondoj <[email protected]>
Acked-by: Akhil Goyal <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>


Revision tags: v21.02, v21.02-rc4, v21.02-rc3, v21.02-rc2, v21.02-rc1, v20.11, v20.11-rc5, v20.11-rc4, v20.11-rc3, v20.11-rc2, v20.11-rc1
# e30b2833 18-Oct-2020 Akhil Goyal <[email protected]>

security: update session create API

The API ``rte_security_session_create`` takes only single
mempool for session and session private data. So the
application needs to create mempool for twice the number of
sessions needed and will also lead to wastage of memory as
session private data needs more memory compared to session.
Hence the API is modified to take two mempool pointers
- one for session and one for private data.
This is very similar to crypto based session create APIs.

Signed-off-by: Akhil Goyal <[email protected]>
Reviewed-by: Lukasz Wojciechowski <[email protected]>
Tested-by: Lukasz Wojciechowski <[email protected]>


Revision tags: v20.08, v20.08-rc4, v20.08-rc3, v20.08-rc2, v20.08-rc1, v20.05, v20.05-rc4, v20.05-rc3
# 1329602b 13-May-2020 Anoob Joseph <[email protected]>

examples/ipsec-secgw: add per-core packet statistics

Adding per core packet handling stats to analyze traffic distribution
when multiple cores are engaged.

Since aggregating the packet stats across cores would affect
performance, keeping the feature disabled using compile time flags.

Signed-off-by: Anoob Joseph <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>
Acked-by: Akhil Goyal <[email protected]>


Revision tags: v20.05-rc2, v20.05-rc1
# 6738c0a9 16-Apr-2020 Praveen Shetty <[email protected]>

examples/ipsec-secgw: support flow director

Support load distribution in security gateway application using
NIC load distribution feature (Flow Director).
Flow Director is used to redirect the specified inbound ipsec flow
to a specified queue. This is achieved by extending the SA rule syntax
to support specification by adding new action_type of <flow-direction>
to a specified <port_id> <queue_id>.

Signed-off-by: Praveen Shetty <[email protected]>
Acked-by: Akhil Goyal <[email protected]>


# 513f192b 27-Feb-2020 Ankur Dwivedi <[email protected]>

examples/ipsec-secgw: add default flow for inline Rx

The default flow created would enable security processing on all ESP
packets. If the default flow is created, SA based rte_flow creation
would be skipped.

Signed-off-by: Ankur Dwivedi <[email protected]>
Signed-off-by: Anoob Joseph <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>
Acked-by: Akhil Goyal <[email protected]>


Revision tags: v20.02, v20.02-rc4, v20.02-rc3, v20.02-rc2
# 5139d5d9 04-Feb-2020 Marcin Smoczynski <[email protected]>

examples/ipsec-secgw: support CPU crypto

Add support for CPU accelerated crypto. 'cpu-crypto' SA type has
been introduced in configuration allowing to use abovementioned
acceleration.

Legacy mode is not currently supported.

Signed-off-by: Konstantin Ananyev <[email protected]>
Signed-off-by: Marcin Smoczynski <[email protected]>
Acked-by: Fan Zhang <[email protected]>
Acked-by: Akhil Goyal <[email protected]>


Revision tags: v20.02-rc1, v19.11, v19.11-rc4, v19.11-rc3, v19.11-rc2
# 0f56ca1a 06-Nov-2019 Hemant Agrawal <[email protected]>

ipsec: remove redundant replay window size

The rte_security lib has introduced replay_win_sz,
so it can be removed from the rte_ipsec lib.

The relevant tests, app are also updated to reflect
the usages.

Note that esn and anti-replay fields were earlier used
only for ipsec library, they were enabling the libipsec
by default. With this change esn and anti-replay setting
will not automatically enable libipsec.

Signed-off-by: Hemant Agrawal <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>
Acked-by: Akhil Goyal <[email protected]>


Revision tags: v19.11-rc1
# ba66534f 14-Oct-2019 Marcin Smoczynski <[email protected]>

examples/ipsec-secgw: support fallback session

Inline processing is limited to a specified subset of traffic. It is
often unable to handle more complicated situations, such as fragmented
traffic. When using inline processing such traffic is dropped.

Introduce fallback session for inline crypto processing allowing
handling packets that normally would be dropped. A fallback session is
configured by adding 'fallback' keyword with 'lookaside-none' parameter
to an SA configuration. Only 'inline-crypto-offload' as a primary
session and 'lookaside-none' as a fall-back session combination is
supported by this patch.

Fallback session feature is not available in the legacy mode.

Signed-off-by: Marcin Smoczynski <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>
Acked-by: Akhil Goyal <[email protected]>
Tested-by: Bernard Iremonger <[email protected]>


# 4a67af84 14-Oct-2019 Marcin Smoczynski <[email protected]>

examples/ipsec-secgw: clean SA structure

Cleanup ipsec_sa structure by removing every field that is already in
the rte_ipsec_session structure:
* cryptodev/security session union
* action type
* offload flags
* security context
References to abovementioned fields are changed to direct references
to matching fields of rte_ipsec_session structure.

Such refactoring is needed to introduce many sessions per SA feature,
e.g. fallback session for inline offload processing.

Signed-off-by: Marcin Smoczynski <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>
Acked-by: Radu Nicolau <[email protected]>
Acked-by: Akhil Goyal <[email protected]>
Tested-by: Bernard Iremonger <[email protected]>


# 03ad0e5c 12-Sep-2019 Ivan Ilchenko <[email protected]>

examples/ipsec-secgw: check status of getting ethdev info

rte_eth_dev_info_get() return value was changed from void to
int, so this patch modifies rte_eth_dev_info_get() usage across
examples/ipsec-secgw according to its new return type.

Signed-off-by: Ivan Ilchenko <[email protected]>
Signed-off-by: Andrew Rybchenko <[email protected]>
Acked-by: Akhil Goyal <[email protected]>


# 0d9b0263 05-Sep-2019 Akhil Goyal <[email protected]>

examples/ipsec-secgw: support IPv6 tunnel for lookaside proto

IPv6 tunnels are already supported in case of inline and
lookaside none cases. In case of protocol offload, the details
for IPv6 header need to be added in session configuration
for security session create.

Signed-off-by: Akhil Goyal <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>


# 74ac7558 25-Aug-2019 Michael Shamis <[email protected]>

examples/ipsec-secgw: add offload error handling

Added error handler for offload mode.

Signed-off-by: Michael Shamis <[email protected]>
Acked-by: Akhil Goyal <[email protected]>


Revision tags: v19.08
# 23742f21 07-Aug-2019 Bernard Iremonger <[email protected]>

examples/ipsec-secgw: fix unchecked return value

Check the return value of the rte_eth_dev_rss_hash_conf_get function.

Coverity issue: 344970
Fixes: 3a690d5a65e2 ("examples/ipsec-secgw: fix first packet with inline crypto")
Cc: [email protected]

Signed-off-by: Bernard Iremonger <[email protected]>
Acked-by: Akhil Goyal <[email protected]>


Revision tags: v19.08-rc4, v19.08-rc3, v19.08-rc2
# 3a690d5a 19-Jul-2019 Bernard Iremonger <[email protected]>

examples/ipsec-secgw: fix first packet with inline crypto

Inline crypto installs a flow rule in the NIC. This flow
rule must be installed before the first inbound packet is
received.

The create_session() function installs the flow rule,
create_session() has been refactored into create_inline_session()
and create_lookaside_session(). The create_inline_session() function
uses the socket_ctx data and is now called at initialisation in
sa_add_rules().

The max_session_size() function has been added to calculate memory
requirements.

The cryprodev_init() function has been refactored to drop calls to
rte_mempool_create() and to drop calculation of memory requirements.

The main() function has been refactored to call max_session_size() and
to call session_pool_init() and session_priv_pool_init() earlier.
The ports are started now before adding a flow rule in main().
The sa_init(), sp4_init(), sp6_init() and rt_init() functions are
now called after the ports have been started.

The rte_ipsec_session_prepare() function is called in fill_ipsec_session()
for inline which is called from the ipsec_sa_init() function.

Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload")
Fixes: d299106e8e31 ("examples/ipsec-secgw: add IPsec sample application")
Cc: [email protected]

Signed-off-by: Bernard Iremonger <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>
Acked-by: Akhil Goyal <[email protected]>


# 0109baf1 17-Jul-2019 Marcin Zapolski <[email protected]>

examples/ipsec-secgw: fix use of ethdev internal struct

Modify ipsec-secgw example app to use rte_eth_dev_info_get instead of
rte_eth_dev.
Apps should not be using internal DPDK data structures directly.

Fixes: a4677f78368b ("examples/ipsec-secgw: add target queues in flow actions")
Cc: [email protected]

Signed-off-by: Marcin Zapolski <[email protected]>
Reviewed-by: Bruce Richardson <[email protected]>
Acked-by: Nelio Laranjeiro <[email protected]>


Revision tags: v19.08-rc1
# b1a3ac78 26-Jun-2019 Mariusz Drost <[email protected]>

examples/ipsec-secgw: fix inline modes

Application ipsec-secgw is not working for IPv4 transport mode and for
IPv6 both transport and tunnel mode.

IPv6 tunnel mode is not working due to wrongly assigned fields of
security association patterns, as it was IPv4, during creation of
inline crypto session.

IPv6 and IPv4 transport mode is iterating through security capabilities
until it reaches tunnel, which causes session to be created as tunnel,
instead of transport. Another issue, is that config file does not
provide source and destination ip addresses for transport mode, which
are required by NIC to perform inline crypto. It uses default addresses
stored in security association (all zeroes), which causes dropped
packages.

To fix that, reorganization of code in create_session() is needed,
to behave appropriately to given protocol (IPv6/IPv4). Change in
iteration through security capabilities is also required, to check
for expected mode (not only tunnel).

For lack of addresses issue, some resolving mechanism is needed.
Approach is to store addresses in security association, as it is
for tunnel mode. Difference is that they are obtained from sp rules,
instead of config file. To do that, sp[4/6]_spi_present() function
is used to find addresses based on spi value, and then stored in
corresponding sa rule. This approach assumes, that every sp rule
for inline crypto have valid addresses, as well as range of addresses
is not supported.

New flags for ipsec_sa structure are required to distinguish between
IPv4 and IPv6 transport modes. Because of that, there is need to
change all checks done on these flags, so they work as expected.

Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload")
Fixes: 9a0752f498d2 ("net/ixgbe: enable inline IPsec")
Cc: [email protected]

Signed-off-by: Mariusz Drost <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>
Acked-by: Akhil Goyal <[email protected]>
Tested-by: Konstantin Ananyev <[email protected]>


Revision tags: v19.05, v19.05-rc4, v19.05-rc3, v19.05-rc2
# 1b7bfa14 22-Apr-2019 Akhil Goyal <[email protected]>

examples/ipsec-secgw: fix pool usage for security session

Currently, two separate mempools are being used for creating crypto
sessions and its private data.
Crypto sessions are created and initialized separately, so a separate
mempool is passed to each API, but in case of security sessions,
only one API creates and initializes the private data as well.
So if session mempool is passed to create a security session, the
mempool element size is not sufficient enough to hold the private
data as well.
As a perfect solution, the security session create API should take 2
mempools for header and private data and initialize accordingly,
but that would mean an API breakage, which will be done in the next
release cycle. So introducing this patch as a workaround to resolve this
issue.

Fixes: 261bbff75e34 ("examples: use separate crypto session mempools")
Cc: [email protected]

Signed-off-by: Akhil Goyal <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>


Revision tags: v19.05-rc1, v19.02, v19.02-rc4, v19.02-rc3, v19.02-rc2
# 3e5f4625 10-Jan-2019 Konstantin Ananyev <[email protected]>

examples/ipsec-secgw: make data-path to use IPsec library

Changes to make ipsec-secgw data-path code to utilize librte_ipsec library.
Note that right now by default current (non-librte_ipsec) code-path will
be used. User has to run application with new command-line option ('-l')
to enable new codepath.

Signed-off-by: Mohammad Abdul Awal <[email protected]>
Signed-off-by: Bernard Iremonger <[email protected]>
Signed-off-by: Konstantin Ananyev <[email protected]>
Acked-by: Radu Nicolau <[email protected]>
Acked-by: Akhil Goyal <[email protected]>


# d87152e7 10-Jan-2019 Konstantin Ananyev <[email protected]>

examples/ipsec-secgw: fix crypto-op might never get dequeued

In some cases crypto-ops could never be dequeued from the crypto-device.
The easiest way to reproduce:
start ipsec-secgw with crypto-dev and send to it less than 32 packets.
No packets will be forwarded.
Reason for that is that the application does dequeue() from crypto-queues
only when new packets arrive.
This patch makes the app to call dequeue() on a regular basis.
Also to make code cleaner and easier to understand,
it separates crypto-dev enqueue() and dequeue() code paths.
pkt_process() now only enqueues packets into crypto device,
dequeuing and final processing is done by drain_crypto_queues().

Fixes: c64278c0c18b ("examples/ipsec-secgw: rework processing loop")
Cc: [email protected]

Signed-off-by: Konstantin Ananyev <[email protected]>
Acked-by: Radu Nicolau <[email protected]>
Acked-by: Akhil Goyal <[email protected]>


# 261bbff7 10-Jan-2019 Fan Zhang <[email protected]>

examples: use separate crypto session mempools

This patch uses the two session mempool approach to all cryptodev
sample applications. One mempool is for session header objects, and
the other is for session private data.

Signed-off-by: Fan Zhang <[email protected]>
Acked-by: Fiona Trahe <[email protected]>
Acked-by: Akhil Goyal <[email protected]>
