[dpdk-dev] [PATCH 2/2] examples/ipsec-secgw: fix not working inline ipsec modes

Ananyev, Konstantin konstantin.ananyev at intel.com
Thu Jun 6 12:43:46 CEST 2019

> -----Original Message-----
> From: Drost, MariuszX
> Sent: Tuesday, June 4, 2019 11:07 AM
> To: Nicolau, Radu <radu.nicolau at intel.com>; akhil.goyal at nxp.com; Lu, Wenzhuo <wenzhuo.lu at intel.com>; Ananyev, Konstantin
> <konstantin.ananyev at intel.com>
> Cc: dev at dpdk.org; Drost, MariuszX <mariuszx.drost at intel.com>
> Subject: [PATCH 2/2] examples/ipsec-secgw: fix not working inline ipsec modes
> Application ipsec-secgw is not working for IPv4 transport mode and for
> IPv6 both transport and tunnel mode.
> IPv6 tunnel mode is not working due to wrongly assigned fields of
> security association patterns, as it was IPv4, during creation of
> inline crypto session.
> IPv6 and IPv4 transport mode is iterating through security capabilities
> until it reaches tunnel, which causes session to be created as tunnel,
> instead of transport. Another issue, is that config file does not
> provide source and destination ip addresses for transport mode, which
> are required by NIC to perform inline crypto. It uses default addresses
> stored in security association (all zeroes), which causes dropped
> packages.
> To fix that, reorganization of code in create_session() is needed,
> to behave appropriately to given protocol (IPv6/IPv4). Change in
> iteration through security capabilities is also required, to check
> for expected mode (not only tunnel).
> For lack of addresses issue, some resolving mechanism is needed.
> Approach is to store addresses in security association, as it is
> for tunnel mode. Difference is that they are obtained from sp rules,
> instead of config file. To do that, sp[4/6]_spi_present() function
> is used to find addresses based on spi value, and then stored in
> corresponding sa rule. This approach assumes, that every sp rule
> for inline crypto have valid addresses, as well as range of addresses
> is not supported.
> New flags for ipsec_sa structure are required to distinguish between
> IPv4 and IPv6 transport modes. Because of that, there is need to
> change all checks done on these flags, so they work as expected.
> Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload")
> Fixes: 9a0752f498d2 ("net/ixgbe: enable inline IPsec")
> Signed-off-by: Mariusz Drost <mariuszx.drost at intel.com>
> ---

Acked-by: Konstantin Ananyev <konstantin.ananyev at intel.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev at intel.com>

> --
> 2.17.1

More information about the dev mailing list