|
Revision tags: v22.03, v22.03-rc4, v22.03-rc3, v22.03-rc2 |
|
| #
48a39871 |
| 23-Feb-2022 |
Nithin Dabilpuram <[email protected]> |
examples/ipsec-secgw: add pool size parameters
Add support to enable per port packet pool and also override vector pool size from command line args. This is useful on some HW to tune performance based on usecase.
Signed-off-by: Nithin Dabilpuram <[email protected]> Acked-by: Akhil Goyal <[email protected]>
|
|
Revision tags: v22.03-rc1, v21.11, v21.11-rc4, v21.11-rc3, v21.11-rc2 |
|
| #
9413c390 |
| 01-Nov-2021 |
Radu Nicolau <[email protected]> |
examples/ipsec-secgw: support additional algorithms
Add support for AES-GMAC, AES_CTR, AES_XCBC_MAC, AES_CCM, CHACHA20_POLY1305
Signed-off-by: Declan Doherty <[email protected]> Signed-off-by: Radu Nicolau <[email protected]> Acked-by: Akhil Goyal <[email protected]>
|
| #
560029d5 |
| 01-Nov-2021 |
Radu Nicolau <[email protected]> |
examples/ipsec-secgw: define initial ESN value
New option added to the SA configuration arguments that allows setting an arbitrary start value for ESN.
For example in the SA below ESN will be enabled and first egress IPsec packet will have the ESN value 10000:
    sa out 15 cipher_algo null auth_algo null mode ipv4-tunnel \
        src 172.16.1.5 dst 172.16.2.5 \
        esn 10000
Signed-off-by: Declan Doherty <[email protected]> Signed-off-by: Radu Nicolau <[email protected]> Acked-by: Akhil Goyal <[email protected]>
|
| #
3e7b7dd8 |
| 01-Nov-2021 |
Radu Nicolau <[email protected]> |
examples/ipsec-secgw: support telemetry
Add telemetry support to the IPsec GW sample app and add support for per SA telemetry when using IPsec library.
Signed-off-by: Declan Doherty <[email protected]> Signed-off-by: Radu Nicolau <[email protected]> Acked-by: Akhil Goyal <[email protected]>
|
| #
9ae86b4c |
| 01-Nov-2021 |
Radu Nicolau <[email protected]> |
examples/ipsec-secgw: support UDP encap for inline crypto
Enable UDP encapsulation for both transport and tunnel modes for the inline crypto offload path.
Signed-off-by: Radu Nicolau <[email protected]> Acked-by: Akhil Goyal <[email protected]>
|
| #
a7f32947 |
| 28-Oct-2021 |
Radu Nicolau <[email protected]> |
examples/ipsec-secgw: support TCP TSO
Add support to allow user to specify MSS for TCP TSO offload on a per SA basis. MSS configuration in the context of IPsec is only supported for outbound SAs in the context of an inline IPsec Crypto offload.
Signed-off-by: Declan Doherty <[email protected]> Signed-off-by: Radu Nicolau <[email protected]> Acked-by: Konstantin Ananyev <[email protected]> Acked-by: Akhil Goyal <[email protected]>
|
|
Revision tags: v21.11-rc1 |
|
| #
5d05af55 |
| 28-Sep-2021 |
Anoob Joseph <[email protected]> |
examples/ipsec-secgw: clear soft expiry configuration
Soft expiry is not a mandatory IPsec feature. It is verified separately with IPsec unit tests. So configuration of the same is not required. Also, soft expiry tracking can cause perf degradation with some PMDs. Since a separate UT is available and the same setting in ipsec-secgw is not verifying the functionality, remove the same by clearing life configuration.
Signed-off-by: Anoob Joseph <[email protected]> Acked-by: Akhil Goyal <[email protected]>
|
| #
ad7515a3 |
| 28-Sep-2021 |
Anoob Joseph <[email protected]> |
security: add SA lifetime configuration
Add SA lifetime configuration to register soft and hard expiry limits. Expiry can be in units of number of packets or bytes. Crypto op status is also updated to include new field, aux_flags, which can be used to indicate cases such as soft expiry in case of lookaside protocol operations.
In case of soft expiry, the packets are successfully IPsec processed but the soft expiry would indicate that SA needs to be reconfigured. For inline protocol capable ethdev, this would result in an eth event while for lookaside protocol capable cryptodev, this can be communicated via `rte_crypto_op.aux_flags` field.
In case of hard expiry, the packets will not be IPsec processed and would result in error.
Signed-off-by: Anoob Joseph <[email protected]> Acked-by: Konstantin Ananyev <[email protected]> Acked-by: Akhil Goyal <[email protected]>
|
|
Revision tags: v21.08, v21.08-rc4, v21.08-rc3, v21.08-rc2, v21.08-rc1, v21.05, v21.05-rc4, v21.05-rc3, v21.05-rc2, v21.05-rc1 |
|
| #
9a1cc8f1 |
| 15-Apr-2021 |
Tejasree Kondoj <[email protected]> |
examples/ipsec-secgw: support UDP encapsulation
Adding lookaside IPsec UDP encapsulation support for NAT traversal. Application has to add udp-encap option to sa config file to enable UDP encapsulation on the SA.
Signed-off-by: Tejasree Kondoj <[email protected]> Acked-by: Akhil Goyal <[email protected]> Acked-by: Konstantin Ananyev <[email protected]>
|
|
Revision tags: v21.02, v21.02-rc4, v21.02-rc3, v21.02-rc2, v21.02-rc1, v20.11, v20.11-rc5, v20.11-rc4, v20.11-rc3, v20.11-rc2, v20.11-rc1, v20.08, v20.08-rc4, v20.08-rc3, v20.08-rc2 |
|
| #
8e693616 |
| 17-Jul-2020 |
Anoob Joseph <[email protected]> |
examples/ipsec-secgw: enable flow based distribution
RTE_FLOW API allows hardware parsing and steering of packets to specific queues which helps in distributing ingress traffic across various cores. Adding 'flow' rules allows user to specify the distribution required.
Signed-off-by: Anoob Joseph <[email protected]> Acked-by: Akhil Goyal <[email protected]>
|
|
Revision tags: v20.08-rc1, v20.05, v20.05-rc4, v20.05-rc3, v20.05-rc2, v20.05-rc1 |
|
| #
04fa1906 |
| 20-Apr-2020 |
Vladimir Medvedkin <[email protected]> |
examples/ipsec-secgw: remove limitation for crypto sessions
Get rid of hardcoded limit of cryptodev sessions.
Signed-off-by: Vladimir Medvedkin <[email protected]> Tested-by: Konstantin Ananyev <[email protected]> Acked-by: Konstantin Ananyev <[email protected]> Acked-by: Akhil Goyal <[email protected]>
|
| #
6738c0a9 |
| 16-Apr-2020 |
Praveen Shetty <[email protected]> |
examples/ipsec-secgw: support flow director
Support load distribution in security gateway application using NIC load distribution feature (Flow Director). Flow Director is used to redirect the specified inbound ipsec flow to a specified queue. This is achieved by extending the SA rule syntax to support specification by adding new action_type of <flow-direction> to a specified <port_id> <queue_id>.
Signed-off-by: Praveen Shetty <[email protected]> Acked-by: Akhil Goyal <[email protected]>
|
| #
a8af994b |
| 07-Apr-2020 |
Anoob Joseph <[email protected]> |
examples/ipsec-secgw: support 192/256 AES key sizes
Adding support for the following,
1. AES-192-GCM
2. AES-256-GCM
3. AES-192-CBC
Signed-off-by: Anoob Joseph <[email protected]> Signed-off-by: Tejasree Kondoj <[email protected]> Acked-by: Akhil Goyal <[email protected]>
|
|
Revision tags: v20.02, v20.02-rc4, v20.02-rc3 |
|
| #
ef5baf34 |
| 09-Feb-2020 |
Thomas Monjalon <[email protected]> |
replace packed attributes
There is a common macro __rte_packed for packing structs, which is now used where appropriate for consistency.
Signed-off-by: Thomas Monjalon <[email protected]>
|
| #
9ad50c29 |
| 27-Feb-2020 |
Lukasz Bartosik <[email protected]> |
examples/ipsec-secgw: add app mode worker
Add application inbound/outbound worker thread and IPsec application processing code for event mode.
Example ipsec-secgw command in app mode:
    ipsec-secgw -w 0002:02:00.0,ipsec_in_max_spi=128 -w 0002:03:00.0,ipsec_in_max_spi=128 -w 0002:0e:00.0 -w 0002:10:00.1 --log-level=8 -c 0x1 -- -P -p 0x3 -u 0x1 -f aes-gcm.cfg --transfer-mode event --event-schedule-type parallel
Signed-off-by: Anoob Joseph <[email protected]> Signed-off-by: Ankur Dwivedi <[email protected]> Signed-off-by: Lukasz Bartosik <[email protected]> Acked-by: Konstantin Ananyev <[email protected]> Acked-by: Akhil Goyal <[email protected]>
|
| #
4965dda0 |
| 27-Feb-2020 |
Lukasz Bartosik <[email protected]> |
examples/ipsec-secgw: add driver mode worker
Add driver inbound and outbound worker thread for ipsec-secgw. In driver mode application does as little as possible. It simply forwards packets back to port from which traffic was received instructing HW to apply inline security processing using first outbound SA configured for a given port. If a port does not have SA configured outbound traffic on that port will be silently dropped. The aim of this mode is to measure HW capabilities. Driver mode is selected with single-sa option. The single-sa option accepts SA index however in event mode the SA index is ignored.
Example command to run ipsec-secgw in driver mode:
    ipsec-secgw -w 0002:02:00.0,ipsec_in_max_spi=128 -w 0002:03:00.0,ipsec_in_max_spi=128 -w 0002:0e:00.0 -w 0002:10:00.1 --log-level=8 -c 0x1 -- -P -p 0x3 -u 0x1 -f aes-gcm.cfg --transfer-mode event --event-schedule-type parallel --single-sa 0
Signed-off-by: Anoob Joseph <[email protected]> Signed-off-by: Ankur Dwivedi <[email protected]> Signed-off-by: Lukasz Bartosik <[email protected]> Acked-by: Konstantin Ananyev <[email protected]> Acked-by: Akhil Goyal <[email protected]>
|
| #
65e3a202 |
| 27-Feb-2020 |
Lukasz Bartosik <[email protected]> |
examples/ipsec-secgw: add event mode
Add eventmode support to ipsec-secgw. With the aid of event helper configure and use the eventmode capabilities.
Signed-off-by: Anoob Joseph <[email protected]> Signed-off-by: Lukasz Bartosik <[email protected]> Acked-by: Konstantin Ananyev <[email protected]> Acked-by: Akhil Goyal <[email protected]>
|
| #
513f192b |
| 27-Feb-2020 |
Ankur Dwivedi <[email protected]> |
examples/ipsec-secgw: add default flow for inline Rx
The default flow created would enable security processing on all ESP packets. If the default flow is created, SA based rte_flow creation would be skipped.
Signed-off-by: Ankur Dwivedi <[email protected]> Signed-off-by: Anoob Joseph <[email protected]> Acked-by: Konstantin Ananyev <[email protected]> Acked-by: Akhil Goyal <[email protected]>
|
|
Revision tags: v20.02-rc2 |
|
| #
2cf67788 |
| 31-Jan-2020 |
Vladimir Medvedkin <[email protected]> |
examples/ipsec-secgw: add SAD cache
Introduce SAD cache. Stores the most recent SA in a per lcore cache. Cache represents flat array containing SAs indexed by SPI.
Signed-off-by: Vladimir Medvedkin <[email protected]> Acked-by: Konstantin Ananyev <[email protected]> Acked-by: Akhil Goyal <[email protected]> Acked-by: Anoob Joseph <[email protected]>
|
| #
e1143d7d |
| 31-Jan-2020 |
Vladimir Medvedkin <[email protected]> |
examples/ipsec-secgw: get rid of maximum SA limitation
Get rid of maximum SA limitation. Keep parsed SAs in an array sorted by SPI value. Use binary search in the sorted SA array to find appropriate SA for a given SPI.
Signed-off-by: Vladimir Medvedkin <[email protected]> Acked-by: Konstantin Ananyev <[email protected]> Acked-by: Akhil Goyal <[email protected]> Acked-by: Anoob Joseph <[email protected]>
|
| #
df3e1d94 |
| 31-Jan-2020 |
Vladimir Medvedkin <[email protected]> |
examples/ipsec-secgw: integrate inbound SAD
Integrate ipsec SAD support into secgw app:
1. Use SAD library for inbound SA lookup
2. Changes in struct sa_ctx:
   - sa array allocates dynamically depending on number of configured sa
   - All SAs are kept one by one without using SPI2IDX
3. SP's userdata now contain index of SA in sa_ctx instead of SPI
4. Get rid of SPI2IDX macro
Signed-off-by: Vladimir Medvedkin <[email protected]> Acked-by: Konstantin Ananyev <[email protected]> Acked-by: Akhil Goyal <[email protected]> Acked-by: Anoob Joseph <[email protected]>
|
| #
8e499dff |
| 31-Jan-2020 |
Vladimir Medvedkin <[email protected]> |
examples/ipsec-secgw: implement inbound SAD
Add initial support for librte_ipsec SAD library
Signed-off-by: Vladimir Medvedkin <[email protected]> Acked-by: Konstantin Ananyev <[email protected]> Acked-by: Akhil Goyal <[email protected]> Acked-by: Anoob Joseph <[email protected]>
|
|
Revision tags: v20.02-rc1, v19.11, v19.11-rc4, v19.11-rc3, v19.11-rc2, v19.11-rc1 |
|
| #
ba66534f |
| 14-Oct-2019 |
Marcin Smoczynski <[email protected]> |
examples/ipsec-secgw: support fallback session
Inline processing is limited to a specified subset of traffic. It is often unable to handle more complicated situations, such as fragmented traffic. When using inline processing such traffic is dropped.
Introduce fallback session for inline crypto processing allowing handling packets that normally would be dropped. A fallback session is configured by adding 'fallback' keyword with 'lookaside-none' parameter to an SA configuration. Only 'inline-crypto-offload' as a primary session and 'lookaside-none' as a fall-back session combination is supported by this patch.
Fallback session feature is not available in the legacy mode.
Signed-off-by: Marcin Smoczynski <[email protected]> Acked-by: Konstantin Ananyev <[email protected]> Acked-by: Akhil Goyal <[email protected]> Tested-by: Bernard Iremonger <[email protected]>
|
| #
4a67af84 |
| 14-Oct-2019 |
Marcin Smoczynski <[email protected]> |
examples/ipsec-secgw: clean SA structure
Cleanup ipsec_sa structure by removing every field that is already in the rte_ipsec_session structure:
* cryptodev/security session union
* action type
* offload flags
* security context
References to abovementioned fields are changed to direct references to matching fields of rte_ipsec_session structure.
Such refactoring is needed to introduce many sessions per SA feature, e.g. fallback session for inline offload processing.
Signed-off-by: Marcin Smoczynski <[email protected]> Acked-by: Konstantin Ananyev <[email protected]> Acked-by: Radu Nicolau <[email protected]> Acked-by: Akhil Goyal <[email protected]> Tested-by: Bernard Iremonger <[email protected]>
show more ...
|
|
Revision tags: v19.08, v19.08-rc4, v19.08-rc3, v19.08-rc2 |
|
| #
3a690d5a |
| 19-Jul-2019 |
Bernard Iremonger <[email protected]> |
examples/ipsec-secgw: fix first packet with inline crypto
Inline crypto installs a flow rule in the NIC. This flow rule must be installed before the first inbound packet is received.
The create_session() function installs the flow rule, create_session() has been refactored into create_inline_session() and create_lookaside_session(). The create_inline_session() function uses the socket_ctx data and is now called at initialisation in sa_add_rules().
The max_session_size() function has been added to calculate memory requirements.
The cryprodev_init() function has been refactored to drop calls to rte_mempool_create() and to drop calculation of memory requirements.
The main() function has been refactored to call max_session_size() and to call session_pool_init() and session_priv_pool_init() earlier. The ports are started now before adding a flow rule in main(). The sa_init(), sp4_init(), sp6_init() and rt_init() functions are now called after the ports have been started.
The rte_ipsec_session_prepare() function is called in fill_ipsec_session() for inline which is called from the ipsec_sa_init() function.
Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload") Fixes: d299106e8e31 ("examples/ipsec-secgw: add IPsec sample application") Cc: [email protected]
Signed-off-by: Bernard Iremonger <[email protected]> Acked-by: Konstantin Ananyev <[email protected]> Acked-by: Akhil Goyal <[email protected]>
|