[dpdk-dev] [PATCH v4 00/10] ipsec: new library for IPsec data-path processing
Akhil Goyal
akhil.goyal at nxp.com
Fri Dec 21 14:32:09 CET 2018
Hi Konstantin,
I am done with the review, will be running the code in early next week
after I finish the review of changes in ipsec application.
key points for review were
- some code may be generic and can be moved in appropriate files
- documentation update
- spell checks spacing etc.
- some cases like cipher only need to be looked appropriately
- test cases for lookaside and inline proto
- checksum/ttl update
With these comments we cannot make this to RC1, but RC2 can be looked upon.
Thanks,
Akhil
On 12/14/2018 9:59 PM, Konstantin Ananyev wrote:
> This patch series depends on the patch:
> http://patches.dpdk.org/patch/48044/
> to be applied first.
>
> v3 -> v4
> - Changes to adress Declan comments
> - Update docs
>
> v2 -> v3
> - Several fixes for IPv6 support
> - Extra checks for input parameters in public APi functions
>
> v1 -> v2
> - Changes to get into account l2_len for outbound transport packets
> (Qi comments)
> - Several bug fixes
> - Some code restructured
> - Update MAINTAINERS file
>
> RFCv2 -> v1
> - Changes per Jerin comments
> - Implement transport mode
> - Several bug fixes
> - UT largely reworked and extended
>
> This patch introduces a new library within DPDK: librte_ipsec.
> The aim is to provide DPDK native high performance library for IPsec
> data-path processing.
> The library is supposed to utilize existing DPDK crypto-dev and
> security API to provide application with transparent IPsec
> processing API.
> The library is concentrated on data-path protocols processing
> (ESP and AH), IKE protocol(s) implementation is out of scope
> for that library.
> Current patch introduces SA-level API.
>
> SA (low) level API
> ==================
>
> API described below operates on SA level.
> It provides functionality that allows user for given SA to process
> inbound and outbound IPsec packets.
> To be more specific:
> - for inbound ESP/AH packets perform decryption, authentication,
> integrity checking, remove ESP/AH related headers
> - for outbound packets perform payload encryption, attach ICV,
> update/add IP headers, add ESP/AH headers/trailers,
> setup related mbuf felids (ol_flags, tx_offloads, etc.).
> - initialize/un-initialize given SA based on user provided parameters.
>
> The following functionality:
> - match inbound/outbound packets to particular SA
> - manage crypto/security devices
> - provide SAD/SPD related functionality
> - determine what crypto/security device has to be used
> for given packet(s)
> is out of scope for SA-level API.
>
> SA-level API is based on top of crypto-dev/security API and relies on
> them
> to perform actual cipher and integrity checking.
> To have an ability to easily map crypto/security sessions into related
> IPSec SA opaque userdata field was added into
> rte_cryptodev_sym_session and rte_security_session structures.
> That implies ABI change for both librte_crytpodev and librte_security.
>
> Due to the nature of crypto-dev API (enqueue/deque model) we use
> asynchronous API for IPsec packets destined to be processed
> by crypto-device.
> Expected API call sequence would be:
> /* enqueue for processing by crypto-device */
> rte_ipsec_pkt_crypto_prepare(...);
> rte_cryptodev_enqueue_burst(...);
> /* dequeue from crypto-device and do final processing (if any) */
> rte_cryptodev_dequeue_burst(...);
> rte_ipsec_pkt_crypto_group(...); /* optional */
> rte_ipsec_pkt_process(...);
>
> Though for packets destined for inline processing no extra overhead
> is required and synchronous API call: rte_ipsec_pkt_process()
> is sufficient for that case.
>
> Current implementation supports all four currently defined
> rte_security types.
> Though to accommodate future custom implementations function pointers
> model is used for both for *crypto_prepare* and *process*
> impelementations.
>
> Konstantin Ananyev (10):
> cryptodev: add opaque userdata pointer into crypto sym session
> security: add opaque userdata pointer into security session
> net: add ESP trailer structure definition
> lib: introduce ipsec library
> ipsec: add SA data-path API
> ipsec: implement SA data-path API
> ipsec: rework SA replay window/SQN for MT environment
> ipsec: helper functions to group completed crypto-ops
> test/ipsec: introduce functional test
> doc: add IPsec library guide
>
> MAINTAINERS | 5 +
> config/common_base | 5 +
> doc/guides/prog_guide/index.rst | 1 +
> doc/guides/prog_guide/ipsec_lib.rst | 74 +
> doc/guides/rel_notes/release_19_02.rst | 10 +
> lib/Makefile | 2 +
> lib/librte_cryptodev/rte_cryptodev.h | 2 +
> lib/librte_ipsec/Makefile | 27 +
> lib/librte_ipsec/crypto.h | 123 ++
> lib/librte_ipsec/iph.h | 84 +
> lib/librte_ipsec/ipsec_sqn.h | 343 ++++
> lib/librte_ipsec/meson.build | 10 +
> lib/librte_ipsec/pad.h | 45 +
> lib/librte_ipsec/rte_ipsec.h | 153 ++
> lib/librte_ipsec/rte_ipsec_group.h | 151 ++
> lib/librte_ipsec/rte_ipsec_sa.h | 172 ++
> lib/librte_ipsec/rte_ipsec_version.map | 15 +
> lib/librte_ipsec/sa.c | 1407 +++++++++++++++
> lib/librte_ipsec/sa.h | 98 ++
> lib/librte_ipsec/ses.c | 45 +
> lib/librte_net/rte_esp.h | 10 +-
> lib/librte_security/rte_security.h | 2 +
> lib/meson.build | 2 +
> mk/rte.app.mk | 2 +
> test/test/Makefile | 3 +
> test/test/meson.build | 3 +
> test/test/test_ipsec.c | 2209 ++++++++++++++++++++++++
> 27 files changed, 5002 insertions(+), 1 deletion(-)
> create mode 100644 doc/guides/prog_guide/ipsec_lib.rst
> create mode 100644 lib/librte_ipsec/Makefile
> create mode 100644 lib/librte_ipsec/crypto.h
> create mode 100644 lib/librte_ipsec/iph.h
> create mode 100644 lib/librte_ipsec/ipsec_sqn.h
> create mode 100644 lib/librte_ipsec/meson.build
> create mode 100644 lib/librte_ipsec/pad.h
> create mode 100644 lib/librte_ipsec/rte_ipsec.h
> create mode 100644 lib/librte_ipsec/rte_ipsec_group.h
> create mode 100644 lib/librte_ipsec/rte_ipsec_sa.h
> create mode 100644 lib/librte_ipsec/rte_ipsec_version.map
> create mode 100644 lib/librte_ipsec/sa.c
> create mode 100644 lib/librte_ipsec/sa.h
> create mode 100644 lib/librte_ipsec/ses.c
> create mode 100644 test/test/test_ipsec.c
>
More information about the dev
mailing list