[dpdk-dev] [PATCH 0/9] ipsec: new library for IPsec data-path processing

Konstantin Ananyev konstantin.ananyev at intel.com
Fri Nov 16 00:53:42 CET 2018


This patch series targets 19.02 release.

This patch series depends on the patch:
http://patches.dpdk.org/patch/48044/
to be applied first.

RFCv2 -> v1
 - Changes per Jerin comments
 - Implement transport mode
 - Several bug fixes
 - UT largely reworked and extended

This patch introduces a new library within DPDK: librte_ipsec.
The aim is to provide DPDK native high performance library for IPsec
data-path processing.
The library is supposed to utilize existing DPDK crypto-dev and
security API to provide application with transparent IPsec processing API.
The library is concentrated on data-path protocols processing (ESP and AH), 
IKE protocol(s) implementation is out of scope for that library.
Current patch introduces SA-level API.

SA (low) level API
==================

API described below operates on SA level.
It provides functionality that allows user for given SA to process
inbound and outbound IPsec packets.
To be more specific:
- for inbound ESP/AH packets perform decryption, authentication,
  integrity checking, remove ESP/AH related headers
- for outbound packets perform payload encryption, attach ICV,
  update/add IP headers, add ESP/AH headers/trailers,
  setup related mbuf felids (ol_flags, tx_offloads, etc.).
- initialize/un-initialize given SA based on user provided parameters.

The following functionality:
  - match inbound/outbound packets to particular SA
  - manage crypto/security devices
  - provide SAD/SPD related functionality
  - determine what crypto/security device has to be used
    for given packet(s)
is out of scope for SA-level API.

SA-level API is based on top of crypto-dev/security API and relies on them
to perform actual cipher and integrity checking.
To have an ability to easily map crypto/security sessions into related
IPSec SA opaque userdata field was added into
rte_cryptodev_sym_session and rte_security_session structures.
That implies ABI change for both librte_crytpodev and librte_security.

Due to the nature of crypto-dev API (enqueue/deque model) we use
asynchronous API for IPsec packets destined to be processed
by crypto-device.
Expected API call sequence would be:
  /* enqueue for processing by crypto-device */
  rte_ipsec_pkt_crypto_prepare(...);
  rte_cryptodev_enqueue_burst(...);
  /* dequeue from crypto-device and do final processing (if any) */
  rte_cryptodev_dequeue_burst(...);
  rte_ipsec_pkt_crypto_group(...); /* optional */
  rte_ipsec_pkt_process(...);

Though for packets destined for inline processing no extra overhead
is required and synchronous API call: rte_ipsec_pkt_process()
is sufficient for that case.

Current implementation supports all four currently defined rte_security types.
Though to accommodate future custom implementations function pointers
model is used for both for *crypto_prepare* and *process* impelementations.

Implemented:
------------
- ESP tunnel mode support (both IPv4/IPv6)
- ESP transport mode support (both IPv4/IPv6)
- Supported algorithms: AES-CBC, AES-GCM, HMAC-SHA1, NULL
- Anti-Replay window and ESN support
- Unit Test

TODO list
---------
- update examples/ipsec-secgw to use librte_ipsec
  (will be subject of a separate patch).

Konstantin Ananyev (9):
  cryptodev: add opaque userdata pointer into crypto sym session
  security: add opaque userdata pointer into security session
  net: add ESP trailer structure definition
  lib: introduce ipsec library
  ipsec: add SA data-path API
  ipsec: implement SA data-path API
  ipsec: rework SA replay window/SQN for MT environment
  ipsec: helper functions to group completed crypto-ops
  test/ipsec: introduce functional test

 config/common_base                     |    5 +
 lib/Makefile                           |    2 +
 lib/librte_cryptodev/rte_cryptodev.h   |    2 +
 lib/librte_ipsec/Makefile              |   27 +
 lib/librte_ipsec/crypto.h              |  119 ++
 lib/librte_ipsec/iph.h                 |   63 +
 lib/librte_ipsec/ipsec_sqn.h           |  343 ++++
 lib/librte_ipsec/meson.build           |   10 +
 lib/librte_ipsec/pad.h                 |   45 +
 lib/librte_ipsec/rte_ipsec.h           |  156 ++
 lib/librte_ipsec/rte_ipsec_group.h     |  151 ++
 lib/librte_ipsec/rte_ipsec_sa.h        |  166 ++
 lib/librte_ipsec/rte_ipsec_version.map |   15 +
 lib/librte_ipsec/sa.c                  | 1387 +++++++++++++++
 lib/librte_ipsec/sa.h                  |   98 ++
 lib/librte_ipsec/ses.c                 |   45 +
 lib/librte_net/rte_esp.h               |   10 +-
 lib/librte_security/rte_security.h     |    2 +
 lib/meson.build                        |    2 +
 mk/rte.app.mk                          |    2 +
 test/test/Makefile                     |    3 +
 test/test/meson.build                  |    3 +
 test/test/test_ipsec.c                 | 2209 ++++++++++++++++++++++++
 23 files changed, 4864 insertions(+), 1 deletion(-)
 create mode 100644 lib/librte_ipsec/Makefile
 create mode 100644 lib/librte_ipsec/crypto.h
 create mode 100644 lib/librte_ipsec/iph.h
 create mode 100644 lib/librte_ipsec/ipsec_sqn.h
 create mode 100644 lib/librte_ipsec/meson.build
 create mode 100644 lib/librte_ipsec/pad.h
 create mode 100644 lib/librte_ipsec/rte_ipsec.h
 create mode 100644 lib/librte_ipsec/rte_ipsec_group.h
 create mode 100644 lib/librte_ipsec/rte_ipsec_sa.h
 create mode 100644 lib/librte_ipsec/rte_ipsec_version.map
 create mode 100644 lib/librte_ipsec/sa.c
 create mode 100644 lib/librte_ipsec/sa.h
 create mode 100644 lib/librte_ipsec/ses.c
 create mode 100644 test/test/test_ipsec.c

-- 
2.17.1



More information about the dev mailing list