[dpdk-dev] [PATCH v4 00/10] ipsec: new library for IPsec data-path processing

Konstantin Ananyev konstantin.ananyev at intel.com
Fri Dec 14 17:29:19 CET 2018

This patch series depends on the patch:
to be applied first.

v3 -> v4
 - Changes to adress Declan comments
 - Update docs

v2 -> v3
 - Several fixes for IPv6 support
 - Extra checks for input parameters in public APi functions 

v1 -> v2
 - Changes to get into account l2_len for outbound transport packets
   (Qi comments)
 - Several bug fixes
 - Some code restructured
 - Update MAINTAINERS file

RFCv2 -> v1
 - Changes per Jerin comments
 - Implement transport mode
 - Several bug fixes
 - UT largely reworked and extended

This patch introduces a new library within DPDK: librte_ipsec.
The aim is to provide DPDK native high performance library for IPsec
data-path processing.
The library is supposed to utilize existing DPDK crypto-dev and
security API to provide application with transparent IPsec
processing API.
The library is concentrated on data-path protocols processing
(ESP and AH), IKE protocol(s) implementation is out of scope
for that library.
Current patch introduces SA-level API.

SA (low) level API

API described below operates on SA level.
It provides functionality that allows user for given SA to process
inbound and outbound IPsec packets.
To be more specific:
- for inbound ESP/AH packets perform decryption, authentication,
  integrity checking, remove ESP/AH related headers
- for outbound packets perform payload encryption, attach ICV,
  update/add IP headers, add ESP/AH headers/trailers,
  setup related mbuf felids (ol_flags, tx_offloads, etc.).
- initialize/un-initialize given SA based on user provided parameters.

The following functionality:
  - match inbound/outbound packets to particular SA
  - manage crypto/security devices
  - provide SAD/SPD related functionality
  - determine what crypto/security device has to be used
    for given packet(s)
is out of scope for SA-level API.

SA-level API is based on top of crypto-dev/security API and relies on
to perform actual cipher and integrity checking.
To have an ability to easily map crypto/security sessions into related
IPSec SA opaque userdata field was added into
rte_cryptodev_sym_session and rte_security_session structures.
That implies ABI change for both librte_crytpodev and librte_security.

Due to the nature of crypto-dev API (enqueue/deque model) we use
asynchronous API for IPsec packets destined to be processed
by crypto-device.
Expected API call sequence would be:
  /* enqueue for processing by crypto-device */
  /* dequeue from crypto-device and do final processing (if any) */
  rte_ipsec_pkt_crypto_group(...); /* optional */

Though for packets destined for inline processing no extra overhead
is required and synchronous API call: rte_ipsec_pkt_process()
is sufficient for that case.

Current implementation supports all four currently defined
rte_security types.
Though to accommodate future custom implementations function pointers
model is used for both for *crypto_prepare* and *process*

Konstantin Ananyev (10):
  cryptodev: add opaque userdata pointer into crypto sym session
  security: add opaque userdata pointer into security session
  net: add ESP trailer structure definition
  lib: introduce ipsec library
  ipsec: add SA data-path API
  ipsec: implement SA data-path API
  ipsec: rework SA replay window/SQN for MT environment
  ipsec: helper functions to group completed crypto-ops
  test/ipsec: introduce functional test
  doc: add IPsec library guide

 MAINTAINERS                            |    5 +
 config/common_base                     |    5 +
 doc/guides/prog_guide/index.rst        |    1 +
 doc/guides/prog_guide/ipsec_lib.rst    |   74 +
 doc/guides/rel_notes/release_19_02.rst |   10 +
 lib/Makefile                           |    2 +
 lib/librte_cryptodev/rte_cryptodev.h   |    2 +
 lib/librte_ipsec/Makefile              |   27 +
 lib/librte_ipsec/crypto.h              |  123 ++
 lib/librte_ipsec/iph.h                 |   84 +
 lib/librte_ipsec/ipsec_sqn.h           |  343 ++++
 lib/librte_ipsec/meson.build           |   10 +
 lib/librte_ipsec/pad.h                 |   45 +
 lib/librte_ipsec/rte_ipsec.h           |  153 ++
 lib/librte_ipsec/rte_ipsec_group.h     |  151 ++
 lib/librte_ipsec/rte_ipsec_sa.h        |  172 ++
 lib/librte_ipsec/rte_ipsec_version.map |   15 +
 lib/librte_ipsec/sa.c                  | 1407 +++++++++++++++
 lib/librte_ipsec/sa.h                  |   98 ++
 lib/librte_ipsec/ses.c                 |   45 +
 lib/librte_net/rte_esp.h               |   10 +-
 lib/librte_security/rte_security.h     |    2 +
 lib/meson.build                        |    2 +
 mk/rte.app.mk                          |    2 +
 test/test/Makefile                     |    3 +
 test/test/meson.build                  |    3 +
 test/test/test_ipsec.c                 | 2209 ++++++++++++++++++++++++
 27 files changed, 5002 insertions(+), 1 deletion(-)
 create mode 100644 doc/guides/prog_guide/ipsec_lib.rst
 create mode 100644 lib/librte_ipsec/Makefile
 create mode 100644 lib/librte_ipsec/crypto.h
 create mode 100644 lib/librte_ipsec/iph.h
 create mode 100644 lib/librte_ipsec/ipsec_sqn.h
 create mode 100644 lib/librte_ipsec/meson.build
 create mode 100644 lib/librte_ipsec/pad.h
 create mode 100644 lib/librte_ipsec/rte_ipsec.h
 create mode 100644 lib/librte_ipsec/rte_ipsec_group.h
 create mode 100644 lib/librte_ipsec/rte_ipsec_sa.h
 create mode 100644 lib/librte_ipsec/rte_ipsec_version.map
 create mode 100644 lib/librte_ipsec/sa.c
 create mode 100644 lib/librte_ipsec/sa.h
 create mode 100644 lib/librte_ipsec/ses.c
 create mode 100644 test/test/test_ipsec.c


More information about the dev mailing list