summaryrefslogtreecommitdiffstats
path: root/src/plugins/dpdk/ipsec/esp_encrypt.c
AgeCommit message (Collapse)AuthorFilesLines
2020-10-21misc: minimize dependencies on udp.hFlorin Coras1-1/+1
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Id13f33843b230a1d169560742c4f7b2dc17d8718
2020-09-08dpdk-ipsec: don't leak buffers on crypto alloc failureChristian Hopps1-3/+4
Type: fix Signed-off-by: Christian Hopps <chopps@labn.net> Change-Id: I4dee2ea723631e1bd95b33a74b9431d984565aef
2020-09-04dpdk-ipsec: fix show outputChristian Hopps1-1/+1
Fix the shown crypto inflight counts which were reversed. Also improve a couple error descriptions to tell them apart when viewed. Type: fix Signed-off-by: Christian Hopps <chopps@labn.net> Change-Id: I6d4054c64aa842658cfcde8969c7aa48f6d21207
2020-05-24dpdk: del warnings that duplicate counters in espAlexander Chernavin1-6/+0
Type: improvement Change-Id: I51cbe5c76a88d7fa65fa24dc1528e4f991eba534 Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2020-05-04fib: midchain adjacency optimisationsNeale Ranns1-14/+0
Type: improvement - inline some common encap fixup functions into the midchain rewrite node so we don't incur the cost of the virtual function call - change the copy 'guess' from ethernet_header (which will never happen) to an ip4 header - add adj-midchain-tx to multiarch sources - don't run adj-midchain-tx as a feature, instead put this node as the adj's next and at the end of the feature arc. - cache the feature arc config index (to save the cache miss going to fetch it) - don't check if features are enabled when taking the arc (since we know they are) the last two changes will also benefit normal adjacencies taking the arc (i.e. for NAT, ACLs, etc) for IPSec: - don't run esp_encrypt as a feature, instead when required insert this node into the adj's next and into the end of the feature arc. this implies that encrypt is always 'the last feature' run, which is symmetric with decrypt always being the first. - esp_encrpyt for tunnels has adj-midchain-tx as next node Change-Id: Ida0af56a704302cf2d7797ded5f118a781e8acb7 Signed-off-by: Neale Ranns <nranns@cisco.com>
2020-04-17dpdk: fix udp-encap for esp in transport modeAlexander Chernavin1-1/+2
Now UDP encapsulation doesn't work in transport mode because: - the encrypt node misses filling of UDP header and it gets sent with all zeros; - the decrypt node misses filling of new IP header and it contains garbage data. With this commit, fill UDP header during encryption and fill IP header during decryption. Change-Id: I87a7bd594f0e312b16d3e5eb19e568b4e3164d36 Type: fix Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2020-03-13dpdk-ipsec: Fix for multipoint IPSECNeale Ranns1-4/+4
Type: fix fetch the sa_index from the correct location Change-Id: I351035ee0226c47585995ff9122320fd5c73ec53 Signed-off-by: Neale Ranns <nranns@cisco.com>
2020-01-22ipsec: re-enable DPDK IPSec for tunnel decap/encap (VPP-1823)Neale Ranns1-4/+20
Type: fix Change-Id: Iff9b1960b122f7d326efc37770b4ae3e81eb3122 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-11-07dpdk: ipsec gcm fixesChristian Hopps1-4/+9
- Fix AAD initialization. With use-esn the aad data consists of the SPI and the 64-bit sequence number in big-endian order. Fix the u32 swapped code. - Remove salt-reinitialization. The GCM code seems inspired by the GCM RFCs recommendations on IKE keydata and how to produce a salt value (create an extra 4 octets of keying material). This is not IKE code though and the SA already holds the configured salt value which this code is blowing away. Use the configured value instead. Type: fix Change-Id: I5e75518aa7c1d91037bb24b2a40fe4fc90bdfdb0 Signed-off-by: Christian Hopps <chopps@labn.net>
2019-09-30ipsec: allow null cipher with dpdk espChristian E. Hopps1-1/+2
The NULL cipher is a (valid) non-AEAD choice for ESP encrypt path. Allow it. Type: fix Signed-off-by: Christian E. Hopps <chopps@chopps.org> Change-Id: I6d8b66223a0ffb0952c2dd6fa898a8a2289fef7a
2019-08-19dpdk: fix ipsec coverity warningMatthew Smith1-2/+4
Type: fix Fixes: 5025d40a1134272ab57c3c3f10311e31a65cd63c Update the expression for a conditional block which should be executed when an encrypted packet will be sent via IPv6. Coverity was complaining that a NULL pointer could be dereferenced. It is unclear whether that ever would have actually happened, but the updated expression should quell the warning and should more accurately detect whether the block for IPv6 should be executed. Change-Id: I731cad1f982e8f55bd44e6e05e98eff96f1957bb Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2019-08-15dpdk: ipsec tunnel support for ip6-in-ip4Matthew G Smith1-21/+9
Type: feature If an attempt was made to send an IPv6 packet over an IPv4 tunnel, the DPDK esp_encrypt did not complete setting up the crypto operation for a buffer, but still queued the crypto operations that were allocated. This results in a SEGV when attempting to dequeue them in dpdk-crypto-input. Allow IPv6 packets to be sent over a v4 tunnel when using the DPDK plugin esp crypto nodes. Change-Id: Ic9a4cd69b7fc06a17ab2f64ae806ec2ceacfef27 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2019-06-25ipsec: print spi in hexadecimalGuillaume Solignac1-2/+3
Print the SPI in hexadecimal and decimal. Type: feature Change-Id: I012e94f9147058064e06c6bb4622ab6b6507957d Signed-off-by: Guillaume Solignac <gsoligna@cisco.com>
2019-05-17dpdk-ipsec: fix encrypt/decrypt single queueSergio Gonzalez Monroy1-2/+3
When the same worker thread processes packet for encrypt and decrypt, ie. single worker with bi-directional traffic, given that the queue is shared results in packets to be decrypted being dropped as the encrypt always happens first for each main loop. With this change, each crypto device queue is logically split into two queues, each half the real size, avoiding the described problem. Change-Id: Ifd3f15e316c92fbd6ca05802456b10a7f73f85da Signed-off-by: Sergio Gonzalez Monroy <sgmonroy@gmail.com>
2019-05-14IPsec: increment tunnel intf tx countersMatthew Smith1-0/+9
Recent changes removed the function that was incrementing the tx counters. Increment them in the esp_encrypt functions. Change-Id: I446333a23ccf66e34893adb2aa49af562cf35507 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2019-04-25IPSEC; dpdk backend for tunnel interface encryptionNeale Ranns1-4/+73
Change-Id: Ide2a9df18db371c8428855d7f12f246006d7c04c Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-23dpdk_esp_encrypt: add to prefetch dataZhiyong Yang1-3/+13
The memory areas storing vlib_buffer_t and ip4|6_and_esp_header_t are not prefetched. The patch help dpdk_esp_encrypt to reduce 18 clocks/pkt from 149 to 131 on Haswell when running IPsec in tunnel mode. Change-Id: I4f4e9e2b3982a4b7810cab8ed828a5e4631f8f8c Signed-off-by: Zhiyong Yang <zhiyong.yang@intel.com>
2019-03-28ipsec: USE_EXTENDED_SEQ_NUM -> USE_ESNDamjan Marion1-2/+2
Change-Id: Ib828ea5106f3ae280e4ce233f2462dee363580b7 Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-03-27ipsec: compress ipsec_sa_t so data used by dataplane code fits in cachelineDamjan Marion1-11/+12
Change-Id: I81ecdf9fdcfcb017117b47dc031f93208e004d7c Signed-off-by: Damjan Marion <damarion@cisco.com> Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-18IPSEC: move SA counters into the stats segmentNeale Ranns1-2/+5
1) stats are accessed via the stat segment which is more condusive to monitoring 2) stats are accurate in the presence of multiple threads. There's no guarantee that an SA is access from only one worker. Change-Id: Id5e217ea253ddfc9480aaedb0d008dea031b1148 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-15dpdk-ipsec: store buffer index into crypto-op privateKingwel Xie1-0/+2
don't have to convert from mbuf to vlib_buffer then buffer index save a few clock cycles in crypto-input plus, a bit improvements of CLI 1. show more information, resource placement & qp stats 2. clear dpdk qp statistics cleanup cli as sugguested by Sergio Gonzalez Monroy Change-Id: Ic4fd65bfa9a6b05b344a9a40c554990dde072d19 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2019-01-31dpdk-ipsec: use single queue pair per crypto resourceSergio Gonzalez Monroy1-2/+2
Change-Id: I2c796583087c70fbc5cf09e8afd0f2a1f389d346 Signed-off-by: Sergio Gonzalez Monroy <sgmonroy@gmail.com>
2019-01-20dpdk: add buffer.hDamjan Marion1-0/+1
Change-Id: I998658ad7860b23425444e218ce2e1ec655b885a Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-01-13remove useless line in dpdk cryptodevSimon Zhang1-2/+0
Change-Id: I2ef33c7c15b3eb1f55bbfd5cbdd230d6a4d58936 Signed-off-by: Simon Zhang <yuwei1.zhang@intel.com>
2018-11-29dpdk-ipsec-nodes multiarch: nodes are formatted in VLIB_NODE_FN styleKingwel Xie1-2/+2
crypto-input,esp encrypt/decrypt are indicated in CMakefiles Change-Id: I18ba851c1d4e5633d07c5de61cdaeae938e94982 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2018-11-14Remove c-11 memcpy checks from perf-critical codeDave Barach1-2/+2
Change-Id: Id4f37f5d4a03160572954a416efa1ef9b3d79ad1 Signed-off-by: Dave Barach <dave@barachs.net>
2018-10-30dpdk: .function should be removed for mutiarch nodesDamjan Marion1-2/+0
Fixes debug build crash. Change-Id: Ia5c5da82beda5992f9e67456af9a4676b9b82722 Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-10-29migrate ipsec to new multiarch infraKlement Sekera1-13/+6
Change-Id: Ibef46e068cd72415af28920b0146adf48105bf68 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-10-22ipsec fix missing node renamesKlement Sekera1-2/+2
Change-Id: I70bc5af646894811d373456ec66aa83f2d75a477 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-10-22ipsec: split ipsec nodes into ip4/ip6 nodesKlement Sekera1-35/+110
Change-Id: Ic6b27659f1fe9e8df39e80a0441305e4e952195a Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-06-21dpdk/ipsec: add support for UDP encap/decapRadu Nicolau1-6/+45
Change-Id: I024c1d398fcb51e5a20f9049d16a87b3b1ba0c20 Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
2018-01-18VPP-1122 dpdk/ipsec: fix transport mode pkt lenRadu Nicolau1-3/+7
Change-Id: I6eef2ca258ff5b4aa9b21b98543d814633e295af Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
2017-12-05dpdk/ipsec: multiple fixesSergio Gonzalez Monroy1-22/+17
- fix ESP transport mode - safely free crypto sessions - use rte_mempool_virt2phy/rte_mempool_virt2iova - align DPDK QAT capabilities for IPsec usage (DPDK 17.08) - reserve 16B for aad (reference cryptodev doc) Change-Id: I3822a7456fb5a255c767f5a44a429f91a140fe64 Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2017-11-20dpdk: add support for DPDK 17.11Damjan Marion1-6/+0
Also remove DPDK 17.05 support. Change-Id: I4f96cb3f002cd90b12d800d6904f2364d7c4e270 Signed-off-by: Damjan Marion <damarion@cisco.com>
2017-11-01dpdk/ipsec: fix digest physical addressSergio Gonzalez Monroy1-1/+3
VPP-1034 Change-Id: I02b4db9e52446ab8578df1f011dd27f39de64c70 Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2017-10-14change format_get_indent() to use u32 instead of uwordGabriel Ganne1-1/+1
This follows commit d3c008d108aa2187d1a2afe2833b4de25ca2c2ab by Christophe Fontaine. Change-Id: I0c4df40df44be2ac0ab25817fa050a1f619eca4d Signed-off-by: Gabriel Ganne <gabriel.ganne@enea.com>
2017-10-12dpdk/ipsec: coverity fixesSergio Gonzalez Monroy1-4/+4
Change-Id: Ica3bc74ffbb1c0df4e198b0abff8df10cdeb2182 Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2017-10-05dpdk/ipsec: rework plus improved cli commandsSergio Gonzalez Monroy1-359/+287
This patch reworks the DPDK ipsec implementation including the cryptodev management as well as replacing new cli commands for better usability. For the data path: - The dpdk-esp-encrypt-post node is not necessary anymore. - IPv4 packets in the decrypt path are sent to ip4-input-no-checksum instead of ip4-input. The DPDK cryptodev cli commands are replaced by the following new commands: - show dpdk crypto devices - show dpdk crypto placement [verbose] - set dpdk crypto placement (<device> <thread> | auto) - clear dpdk crypto placement <device> [<thread>] - show dpdk crypto pools Change-Id: I47324517ede82d3e6e0e9f9c71c1a3433714b27b Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2017-08-25dpdk: required changes for 17.08Sergio Gonzalez Monroy1-63/+43
DPDK 17.08 breaks ethdev and cryptodev APIs. Address those changes while keeping backwards compatibility for DPDK 17.02 and 17.05. Change-Id: Idd6ac264d0d047fe586c41d4c4ca74e8fc778a54 Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2017-06-09dpdk: fix ipsec coverity warningSergio Gonzalez Monroy1-2/+2
CID 170475 Change-Id: I9748dd56bdcb62e68d8f672e5b1619a3be400b8f Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2017-06-07dpdk: ipsec fixesSergio Gonzalez Monroy1-33/+36
- Fix buffer trace from esp_decrypt node - Fix VLIB_REGISTER_NODE macro format - Remove unnecessary code since we do not reconfigure graph unless requirements are met Change-Id: Ic1c2afffb8265e40a6ced0c8a58775c05fadc9e2 Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2017-06-07dpdk: fix ipsec coverity warningsSergio Gonzalez Monroy1-2/+3
CID 161044 and 161045 Change-Id: I50a450e231e387f05e354e3b07dc777ab864d018 Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2017-04-06Use thread local storage for thread indexDamjan Marion1-2/+3
This patch deprecates stack-based thread identification, Also removes requirement that thread stacks are adjacent. Finally, possibly annoying for some folks, it renames all occurences of cpu_index and cpu_number with thread index. Using word "cpu" is misleading here as thread can be migrated ti different CPU, and also it is not related to linux cpu index. Change-Id: I68cdaf661e701d2336fc953dcb9978d10a70f7c1 Signed-off-by: Damjan Marion <damarion@cisco.com>
2017-03-01dpdk: be a pluginDamjan Marion1-0/+609
Change-Id: I238258cdeb77035adc5e88903d824593d0a1da90 Signed-off-by: Damjan Marion <damarion@cisco.com>