[dpdk-dev] [PATCH v4 00/10] ipsec: new library for IPsec data-path processing

Akhil Goyal akhil.goyal at nxp.com
Fri Dec 21 14:32:09 CET 2018


Hi Konstantin,

I am done with the review, will be running the code early next week
after I finish the review of changes in the ipsec application.
Key points for review were:
  - some code may be generic and can be moved in appropriate files
  - documentation update
  - spell checks, spacing, etc.
  - some cases like cipher only need to be looked appropriately
  - test cases for lookaside and inline proto
  - checksum/ttl update

With these comments, we cannot make this into RC1, but RC2 can be looked at.

Thanks,
Akhil

On 12/14/2018 9:59 PM, Konstantin Ananyev wrote:
> This patch series depends on the patch:
> http://patches.dpdk.org/patch/48044/
> to be applied first.
>
> v3 -> v4
>   - Changes to address Declan comments
>   - Update docs
>
> v2 -> v3
>   - Several fixes for IPv6 support
>   - Extra checks for input parameters in public API functions
>
> v1 -> v2
>   - Changes to take into account l2_len for outbound transport packets
>     (Qi comments)
>   - Several bug fixes
>   - Some code restructured
>   - Update MAINTAINERS file
>
> RFCv2 -> v1
>   - Changes per Jerin comments
>   - Implement transport mode
>   - Several bug fixes
>   - UT largely reworked and extended
>
> This patch introduces a new library within DPDK: librte_ipsec.
> The aim is to provide DPDK native high performance library for IPsec
> data-path processing.
> The library is supposed to utilize existing DPDK crypto-dev and
> security API to provide application with transparent IPsec
> processing API.
> The library is concentrated on data-path protocols processing
> (ESP and AH), IKE protocol(s) implementation is out of scope
> for that library.
> Current patch introduces SA-level API.
>
> SA (low) level API
> ==================
>
> API described below operates on SA level.
> It provides functionality that allows user for given SA to process
> inbound and outbound IPsec packets.
> To be more specific:
> - for inbound ESP/AH packets perform decryption, authentication,
>    integrity checking, remove ESP/AH related headers
> - for outbound packets perform payload encryption, attach ICV,
>    update/add IP headers, add ESP/AH headers/trailers,
>    setup related mbuf fields (ol_flags, tx_offloads, etc.).
> - initialize/un-initialize given SA based on user provided parameters.
>
> The following functionality:
>    - match inbound/outbound packets to particular SA
>    - manage crypto/security devices
>    - provide SAD/SPD related functionality
>    - determine what crypto/security device has to be used
>      for given packet(s)
> is out of scope for SA-level API.
>
> SA-level API is based on top of crypto-dev/security API and relies on them
> to perform actual cipher and integrity checking.
> To have an ability to easily map crypto/security sessions into related
> IPsec SA, an opaque userdata field was added into the
> rte_cryptodev_sym_session and rte_security_session structures.
> That implies ABI change for both librte_cryptodev and librte_security.
>
> Due to the nature of crypto-dev API (enqueue/dequeue model) we use
> asynchronous API for IPsec packets destined to be processed
> by crypto-device.
> Expected API call sequence would be:
>    /* enqueue for processing by crypto-device */
>    rte_ipsec_pkt_crypto_prepare(...);
>    rte_cryptodev_enqueue_burst(...);
>    /* dequeue from crypto-device and do final processing (if any) */
>    rte_cryptodev_dequeue_burst(...);
>    rte_ipsec_pkt_crypto_group(...); /* optional */
>    rte_ipsec_pkt_process(...);
>
> Though for packets destined for inline processing no extra overhead
> is required and synchronous API call: rte_ipsec_pkt_process()
> is sufficient for that case.
>
> Current implementation supports all four currently defined
> rte_security types.
> Though to accommodate future custom implementations, a function pointer
> model is used for both *crypto_prepare* and *process*
> implementations.
>
> Konstantin Ananyev (10):
>    cryptodev: add opaque userdata pointer into crypto sym session
>    security: add opaque userdata pointer into security session
>    net: add ESP trailer structure definition
>    lib: introduce ipsec library
>    ipsec: add SA data-path API
>    ipsec: implement SA data-path API
>    ipsec: rework SA replay window/SQN for MT environment
>    ipsec: helper functions to group completed crypto-ops
>    test/ipsec: introduce functional test
>    doc: add IPsec library guide
>
>   MAINTAINERS                            |    5 +
>   config/common_base                     |    5 +
>   doc/guides/prog_guide/index.rst        |    1 +
>   doc/guides/prog_guide/ipsec_lib.rst    |   74 +
>   doc/guides/rel_notes/release_19_02.rst |   10 +
>   lib/Makefile                           |    2 +
>   lib/librte_cryptodev/rte_cryptodev.h   |    2 +
>   lib/librte_ipsec/Makefile              |   27 +
>   lib/librte_ipsec/crypto.h              |  123 ++
>   lib/librte_ipsec/iph.h                 |   84 +
>   lib/librte_ipsec/ipsec_sqn.h           |  343 ++++
>   lib/librte_ipsec/meson.build           |   10 +
>   lib/librte_ipsec/pad.h                 |   45 +
>   lib/librte_ipsec/rte_ipsec.h           |  153 ++
>   lib/librte_ipsec/rte_ipsec_group.h     |  151 ++
>   lib/librte_ipsec/rte_ipsec_sa.h        |  172 ++
>   lib/librte_ipsec/rte_ipsec_version.map |   15 +
>   lib/librte_ipsec/sa.c                  | 1407 +++++++++++++++
>   lib/librte_ipsec/sa.h                  |   98 ++
>   lib/librte_ipsec/ses.c                 |   45 +
>   lib/librte_net/rte_esp.h               |   10 +-
>   lib/librte_security/rte_security.h     |    2 +
>   lib/meson.build                        |    2 +
>   mk/rte.app.mk                          |    2 +
>   test/test/Makefile                     |    3 +
>   test/test/meson.build                  |    3 +
>   test/test/test_ipsec.c                 | 2209 ++++++++++++++++++++++++
>   27 files changed, 5002 insertions(+), 1 deletion(-)
>   create mode 100644 doc/guides/prog_guide/ipsec_lib.rst
>   create mode 100644 lib/librte_ipsec/Makefile
>   create mode 100644 lib/librte_ipsec/crypto.h
>   create mode 100644 lib/librte_ipsec/iph.h
>   create mode 100644 lib/librte_ipsec/ipsec_sqn.h
>   create mode 100644 lib/librte_ipsec/meson.build
>   create mode 100644 lib/librte_ipsec/pad.h
>   create mode 100644 lib/librte_ipsec/rte_ipsec.h
>   create mode 100644 lib/librte_ipsec/rte_ipsec_group.h
>   create mode 100644 lib/librte_ipsec/rte_ipsec_sa.h
>   create mode 100644 lib/librte_ipsec/rte_ipsec_version.map
>   create mode 100644 lib/librte_ipsec/sa.c
>   create mode 100644 lib/librte_ipsec/sa.h
>   create mode 100644 lib/librte_ipsec/ses.c
>   create mode 100644 test/test/test_ipsec.c
>
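The cover letter lists the inbound work the SA-level API does per packet, and the series includes a patch reworking the SA replay window/SQN handling. As an added illustration, not code from librte_ipsec or from the patch series, here is a self-contained RFC 4303-style anti-replay sliding window (64-bit bitmap, 32-bit ESP sequence numbers, no ESN) of the kind that sits in that inbound path; the `replay_win` type and function names are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed example of an ESP anti-replay window (not librte_ipsec code).
 * Tracks the highest sequence number accepted so far plus a bitmap of the
 * WIN_SIZE numbers at or below it. RFC 4303 requires a window of at least
 * 32; 64 fits one machine word. */
#define WIN_SIZE 64

struct replay_win {
    uint32_t top;    /* highest sequence number accepted so far */
    uint64_t bitmap; /* bit i set => sequence number (top - i) already seen */
};

void replay_init(struct replay_win *w)
{
    w->top = 0;
    w->bitmap = 0;
}

/* Returns true if sqn is fresh and records it; false if it is a replay or
 * falls left of the window (too old). Sequence number 0 is never sent on
 * the wire (RFC 4303 section 3.3.3), so it is rejected outright. This is
 * the post-authentication check: only call it after the ICV verified. */
bool replay_check_update(struct replay_win *w, uint32_t sqn)
{
    if (sqn == 0)
        return false;
    if (sqn > w->top) {
        /* Slide the window forward; a jump of >= WIN_SIZE empties it. */
        uint32_t adv = sqn - w->top;
        w->bitmap = (adv >= WIN_SIZE) ? 0 : (w->bitmap << adv);
        w->bitmap |= 1;          /* bit 0 now represents sqn itself */
        w->top = sqn;
        return true;
    }
    uint32_t diff = w->top - sqn;
    if (diff >= WIN_SIZE)
        return false;            /* left of the window: too old, drop */
    uint64_t bit = (uint64_t)1 << diff;
    if (w->bitmap & bit)
        return false;            /* already accepted: replay, drop */
    w->bitmap |= bit;            /* late but in-window: accept once */
    return true;
}
```

The check must run after integrity verification, otherwise an attacker who cannot forge the ICV could still advance the window with bogus sequence numbers and cause legitimate in-flight packets to be dropped.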
