summaryrefslogtreecommitdiffstats
path: root/src/plugins/dpdk/ipsec
AgeCommit message (Collapse)AuthorFilesLines
2021-03-04dpdk: deprecate ipsec backendFan Zhang8-4057/+0
Type: refactor DPDK crypto devices are now accessible via the async infra, so there is no need for the DPDK ipsec plugin. In addition this patch fixes the problem that cryptodev backend not working when master core and worker cores lies in different numa nodes. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ie8516bea706248c7bc25abac53a9c656bb8247d9
2021-02-26ipsec: move the IPSec SA pool out of ipsec_mainNeale Ranns3-8/+4
Type: refactor this allows the ipsec_sa_get funtion to be moved from ipsec.h to ipsec_sa.h where it belongs. Also use ipsec_sa_get throughout the code base. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I2dce726c4f7052b5507dd8dcfead0ed5604357df
2021-02-10ipsec: Use the new tunnel API types to add flow label and TTL copyNeale Ranns1-6/+6
support Type: feature attmpet 2. this includes changes in ah_encrypt that don't use uninitialised memory when doing tunnel mode fixups. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ie3cb776f5c415c93b8a5ee22f22586fd0181110d
2021-02-09Revert "ipsec: Use the new tunnel API types to add flow label and TTL copy"Matthew Smith1-6/+6
This reverts commit c7eaa711f3e25580687df0618e9ca80d3dc85e5f. Reason for revert: The jenkins job named 'vpp-merge-master-ubuntu1804-x86_64' had 2 IPv6 AH tests fail after the change was merged. Those 2 tests also failed the next time that job ran after an unrelated change was merged. Change-Id: I0e2c3ee895114029066c82624e79807af575b6c0 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-02-08ipsec: Use the new tunnel API types to add flow label and TTL copyNeale Ranns1-6/+6
support Type: feature Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I6d4a9b187daa725d4b2cbb66e11616802d44d2d3
2021-01-18ipsec: Support MPLS over IPSec[46] interfaceNeale Ranns1-13/+6
Type: feature Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I89dc3815eabfee135cd5b3c910dea5e2e2ef1333
2020-12-11dpdk: bump to dpdk 20.11Fan Zhang3-5/+3
Type: feature This patch bumps DPDK to 20.11. In addtion a few changes are made: - Changed dynamic rx offload flag display. - Updated deprecating options. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Change-Id: I6e4399d551a7eb8e1a9fc9ef6e39e74266450ad4
2020-11-09vlib: fix trace number accountingBenoît Ganne1-7/+9
When using classifier to filter traces, not all packets will be traced. In that case, we should only count traced packets. Type: fix Change-Id: I87d1e217b580ebff8c6ade7860eb43950420ae78 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-10-21vlib: print logs to stderr if interactive or nosyslog setDamjan Marion1-1/+3
If VPP is started in interactive mode, instead of sending logs to syslog server we print them directly to stderr. Output is colorized, but that can be turned off with unix { nocolor } Type: improvement Change-Id: I9a0f0803e4cba2849a6efa0b6a86b9614ed33ced Signed-off-by: Damjan Marion <damarion@cisco.com>
2020-10-21misc: minimize dependencies on udp.hFlorin Coras1-1/+1
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Id13f33843b230a1d169560742c4f7b2dc17d8718
2020-09-08dpdk-ipsec: don't leak buffers on crypto alloc failureChristian Hopps2-6/+8
Type: fix Signed-off-by: Christian Hopps <chopps@labn.net> Change-Id: I4dee2ea723631e1bd95b33a74b9431d984565aef
2020-09-04dpdk-ipsec: use init function instead of one-time processChristian Hopps1-11/+3
Use VLIB_MAIN_LOOP_ENTER_FUNCTION to do post init initialization for dpdk crypto rather than create a one-time process to do the same. Type: fix Signed-off-by: Christian Hopps <chopps@labn.net> Change-Id: I06e480b028c8e1fc1b0024a66b2338eb21a797ca
2020-09-04dpdk-ipsec: fix show outputChristian Hopps3-3/+3
Fix the shown crypto inflight counts which were reversed. Also improve a couple error descriptions to tell them apart when viewed. Type: fix Signed-off-by: Christian Hopps <chopps@labn.net> Change-Id: I6d4054c64aa842658cfcde8969c7aa48f6d21207
2020-05-24dpdk: del warnings that duplicate counters in espAlexander Chernavin2-12/+0
Type: improvement Change-Id: I51cbe5c76a88d7fa65fa24dc1528e4f991eba534 Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2020-05-04fib: midchain adjacency optimisationsNeale Ranns1-14/+0
Type: improvement - inline some common encap fixup functions into the midchain rewrite node so we don't incur the cost of the virtual function call - change the copy 'guess' from ethernet_header (which will never happen) to an ip4 header - add adj-midchain-tx to multiarch sources - don't run adj-midchain-tx as a feature, instead put this node as the adj's next and at the end of the feature arc. - cache the feature arc config index (to save the cache miss going to fetch it) - don't check if features are enabled when taking the arc (since we know they are) the last two changes will also benefit normal adjacencies taking the arc (i.e. for NAT, ACLs, etc) for IPSec: - don't run esp_encrypt as a feature, instead when required insert this node into the adj's next and into the end of the feature arc. this implies that encrypt is always 'the last feature' run, which is symmetric with decrypt always being the first. - esp_encrpyt for tunnels has adj-midchain-tx as next node Change-Id: Ida0af56a704302cf2d7797ded5f118a781e8acb7 Signed-off-by: Neale Ranns <nranns@cisco.com>
2020-04-30crypto: introduce async crypto infraFan Zhang1-9/+27
Type: feature Signed-off-by: Damjan Marion <damarion@cisco.com> Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com> Signed-off-by: Dariusz Kazimierski <dariuszx.kazimierski@intel.com> Signed-off-by: Piotr Kleski <piotrx.kleski@intel.com> Change-Id: I4c3fcccf55c36842b7b48aed260fef2802b5c54b
2020-04-17dpdk: fix udp-encap for esp in transport modeAlexander Chernavin2-10/+9
Now UDP encapsulation doesn't work in transport mode because: - the encrypt node misses filling of UDP header and it gets sent with all zeros; - the decrypt node misses filling of new IP header and it contains garbage data. With this commit, fill UDP header during encryption and fill IP header during decryption. Change-Id: I87a7bd594f0e312b16d3e5eb19e568b4e3164d36 Type: fix Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2020-03-13dpdk-ipsec: Fix for multipoint IPSECNeale Ranns1-4/+4
Type: fix fetch the sa_index from the correct location Change-Id: I351035ee0226c47585995ff9122320fd5c73ec53 Signed-off-by: Neale Ranns <nranns@cisco.com>
2020-01-22ipsec: re-enable DPDK IPSec for tunnel decap/encap (VPP-1823)Neale Ranns4-5/+27
Type: fix Change-Id: Iff9b1960b122f7d326efc37770b4ae3e81eb3122 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-11-07dpdk: ipsec gcm fixesChristian Hopps3-25/+14
- Fix AAD initialization. With use-esn the aad data consists of the SPI and the 64-bit sequence number in big-endian order. Fix the u32 swapped code. - Remove salt-reinitialization. The GCM code seems inspired by the GCM RFCs recommendations on IKE keydata and how to produce a salt value (create an extra 4 octets of keying material). This is not IKE code though and the SA already holds the configured salt value which this code is blowing away. Use the configured value instead. Type: fix Change-Id: I5e75518aa7c1d91037bb24b2a40fe4fc90bdfdb0 Signed-off-by: Christian Hopps <chopps@labn.net>
2019-09-30ipsec: allow null cipher with dpdk espChristian E. Hopps1-1/+2
The NULL cipher is a (valid) non-AEAD choice for ESP encrypt path. Allow it. Type: fix Signed-off-by: Christian E. Hopps <chopps@chopps.org> Change-Id: I6d8b66223a0ffb0952c2dd6fa898a8a2289fef7a
2019-09-24vlib: add flag to explicitelly mark nodes which can init per-node packet traceDamjan Marion1-0/+1
Type: feature Change-Id: I913f08383ee1c24d610c3d2aac07cef402570e2c Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-08-19dpdk: fix ipsec coverity warningMatthew Smith1-2/+4
Type: fix Fixes: 5025d40a1134272ab57c3c3f10311e31a65cd63c Update the expression for a conditional block which should be executed when an encrypted packet will be sent via IPv6. Coverity was complaining that a NULL pointer could be dereferenced. It is unclear whether that ever would have actually happened, but the updated expression should quell the warning and should more accurately detect whether the block for IPv6 should be executed. Change-Id: I731cad1f982e8f55bd44e6e05e98eff96f1957bb Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2019-08-15dpdk: ipsec tunnel support for ip6-in-ip4Matthew G Smith2-23/+10
Type: feature If an attempt was made to send an IPv6 packet over an IPv4 tunnel, the DPDK esp_encrypt did not complete setting up the crypto operation for a buffer, but still queued the crypto operations that were allocated. This results in a SEGV when attempting to dequeue them in dpdk-crypto-input. Allow IPv6 packets to be sent over a v4 tunnel when using the DPDK plugin esp crypto nodes. Change-Id: Ic9a4cd69b7fc06a17ab2f64ae806ec2ceacfef27 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2019-07-24ipsec: GCM, Anti-replay and ESN fixessNeale Ranns1-2/+4
Type: fix Several Fixes: 1 - Anti-replay did not work with GCM becuase it overwrote the sequence number in the ESP header. To fix i added the seq num to the per-packet data so it is preserved 2 - The high sequence number was not byte swapped during ESP encrypt. 3 - openssl engine was the only one to return FAIL_DECRYPT for bad GCM the others return BAD_HMAC. removed the former 4 - improved tracing to show the low and high seq numbers 5 - documented the anti-replay window checks 6 - fixed scapy patch for ESN support for GCM 7 - tests for anti-reply (w/ and w/o ESN) for each crypto algo Change-Id: Id65d96b6d1d4dd821b2ab557e87468fff6d70e5b Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-06-25ipsec: print spi in hexadecimalGuillaume Solignac1-2/+3
Print the SPI in hexadecimal and decimal. Type: feature Change-Id: I012e94f9147058064e06c6bb4622ab6b6507957d Signed-off-by: Guillaume Solignac <gsoligna@cisco.com>
2019-05-17dpdk-ipsec: fix encrypt/decrypt single queueSergio Gonzalez Monroy6-39/+58
When the same worker thread processes packet for encrypt and decrypt, ie. single worker with bi-directional traffic, given that the queue is shared results in packets to be decrypted being dropped as the encrypt always happens first for each main loop. With this change, each crypto device queue is logically split into two queues, each half the real size, avoiding the described problem. Change-Id: Ifd3f15e316c92fbd6ca05802456b10a7f73f85da Signed-off-by: Sergio Gonzalez Monroy <sgmonroy@gmail.com>
2019-05-14IPSEC: remove unecessary pass by reference of sequence numberNeale Ranns1-1/+1
Change-Id: Id406eb8c69a89c57305d8f138e8e6730037aa799 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-05-14IPsec: increment tunnel intf tx countersMatthew Smith1-0/+9
Recent changes removed the function that was incrementing the tx counters. Increment them in the esp_encrypt functions. Change-Id: I446333a23ccf66e34893adb2aa49af562cf35507 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2019-04-25IPSEC; dpdk backend for tunnel interface encryptionNeale Ranns2-4/+75
Change-Id: Ide2a9df18db371c8428855d7f12f246006d7c04c Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-23dpdk_esp_encrypt: add to prefetch dataZhiyong Yang1-3/+13
The memory areas storing vlib_buffer_t and ip4|6_and_esp_header_t are not prefetched. The patch help dpdk_esp_encrypt to reduce 18 clocks/pkt from 149 to 131 on Haswell when running IPsec in tunnel mode. Change-Id: I4f4e9e2b3982a4b7810cab8ed828a5e4631f8f8c Signed-off-by: Zhiyong Yang <zhiyong.yang@intel.com>
2019-03-28ipsec: USE_EXTENDED_SEQ_NUM -> USE_ESNDamjan Marion3-5/+5
Change-Id: Ib828ea5106f3ae280e4ce233f2462dee363580b7 Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-03-28ipsec: anti-replay code cleanupDamjan Marion1-35/+15
Change-Id: Ib73352d6be26d639a7f9d47ca0570a1248bff04a Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-03-27ipsec: compress ipsec_sa_t so data used by dataplane code fits in cachelineDamjan Marion3-22/+24
Change-Id: I81ecdf9fdcfcb017117b47dc031f93208e004d7c Signed-off-by: Damjan Marion <damarion@cisco.com> Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-18IPSEC: move SA counters into the stats segmentNeale Ranns2-4/+12
1) stats are accessed via the stat segment which is more condusive to monitoring 2) stats are accurate in the presence of multiple threads. There's no guarantee that an SA is access from only one worker. Change-Id: Id5e217ea253ddfc9480aaedb0d008dea031b1148 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-15dpdk-ipsec: store buffer index into crypto-op privateKingwel Xie5-44/+115
don't have to convert from mbuf to vlib_buffer then buffer index save a few clock cycles in crypto-input plus, a bit improvements of CLI 1. show more information, resource placement & qp stats 2. clear dpdk qp statistics cleanup cli as sugguested by Sergio Gonzalez Monroy Change-Id: Ic4fd65bfa9a6b05b344a9a40c554990dde072d19 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2019-02-07IPSEC: no second lookup after tunnel encapNeale Ranns1-4/+5
in the same maaner as with other tunnel tyeps we use the FIB to cache and track the destination used to reach the tunnel endpoint. Post encap we can then ship the packet straight to this adjacency and thus elide the costly second lookup. - SA add and del function so they can be used both directly from the API and for tunnels. - API change for the SA dump to use the SA type - ipsec_key_t type for convenience (copying, [un]formating) - no matching tunnel counters in ipsec-if-input Change-Id: I9d144a59667f7bf96442f4ca66bef5c1d3c7f1ea Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-06dpdp-crypto: fix cryptodev segfault with dpdk 19.02Sergio Gonzalez Monroy1-11/+16
DPDK 19.02 adds two new fields to struct rte_cryptodev_qp_conf, which the current code was not initializing properly. Also session mempools are now required to have specific private data. For that just use the new API to create symmetric session pools. Change-Id: Ie732d4e10b908aeaea322717d6011113e3e7172c Signed-off-by: Sergio Gonzalez Monroy <sgmonroy@gmail.com>
2019-02-05crypto-input: fix broken buffer trace issueKingwel Xie1-37/+16
dpdk_crypto_input_trace was called before vlib_buffer_enqueue_to_next then VLIB_FRAME_TRACE of next_frame->flag will be overwritten by vlib_next_frame_change_ownership(), leading to a broken trace. now it is working: Packet 1 00:00:15:654983: dpdk-crypto-input dev_id 0 next-index 1 00:00:15:654999: ip4-lookup fib 0 dpo-idx 0 flow hash: 0x00000000 IPSEC_ESP: 18.1.0.71 -> 18.1.0.241 tos 0x00, ttl 254, length 168, checksum 0x96ea ...... Change-Id: I73d77c06c11db8911866adb6240b2565b690f469 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2019-02-02dpdk: bump to dpdk 19.02Damjan Marion1-0/+17
HQoS requires fixes to work with dpdk 19.02 so code is disabled and pending deprecation unless active maintainer is found. Change-Id: I3569c4287b6dfdd2c29e02375eb53bf01fa6ae84 Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-01-31dpdk-ipsec: use single queue pair per crypto resourceSergio Gonzalez Monroy6-32/+30
Change-Id: I2c796583087c70fbc5cf09e8afd0f2a1f389d346 Signed-off-by: Sergio Gonzalez Monroy <sgmonroy@gmail.com>
2019-01-30buffers: major cleanup and improvementsDamjan Marion1-5/+7
This patch introduces following changes: - deprecated free lists which are not used and not compatible with external buffer managers (i.e. DPDK) - introduces native support for per-numa buffer pools - significantly improves performance of buffer alloc and free Change-Id: I4a8e723ae47056717afd6cac0efe87cb731b5be7 Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-01-21crypto-input: fix crash bugKingwel Xie1-8/+12
as this node is refactored in new style with vlib_buffer_enqueue_to_next, we have to check if the 'count' is greater than 0. otherise, the next_index would be invalid then lead to a crash Change-Id: If7c323b59c02b5c16bd9d77b65c946512cc972c1 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2019-01-20dpdk: add buffer.hDamjan Marion3-0/+3
Change-Id: I998658ad7860b23425444e218ce2e1ec655b885a Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-01-17Fix ASSERT usage issue in cryptodevSimon Zhang1-1/+1
Change-Id: I764c6565f96e0cb9078503e54e3cf3bb3fd9ff3f Signed-off-by: Simon Zhang <yuwei1.zhang@intel.com>
2019-01-16fix dpdk cryptodev enable issuev19.04-rc0Simon Zhang1-6/+9
Change-Id: I47d021522cfc92cfb3877449333cbf31022c06f4 Signed-off-by: Simon Zhang <yuwei1.zhang@intel.com>
2019-01-13remove useless line in dpdk cryptodevSimon Zhang1-2/+0
Change-Id: I2ef33c7c15b3eb1f55bbfd5cbdd230d6a4d58936 Signed-off-by: Simon Zhang <yuwei1.zhang@intel.com>
2019-01-02Fixes for buliding for 32bit targets:David Johnson1-1/+3
* u32/u64/uword mismatches * pointer-to-int fixes * printf formatting issues * issues with incorrect "ULL" and related suffixes * structure alignment and padding issues Change-Id: I70b989007758755fe8211c074f651150680f60b4 Signed-off-by: David Johnson <davijoh3@cisco.com>
2018-12-24crypto-input: bug fix check-opKingwel Xie1-6/+6
fix a copy-paste bug, and a typo of function name Change-Id: Ib408522d2bb6fde7a7492de6f5d5369b461d77c9 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2018-12-22crypto-input impprovement:Kingwel Xie1-74/+163
1. multi-loop, and new style with vlib_buffer_enqueue_to_next 2. add error counter for AUTH-FAILURE 3. buffer trace changed. now it supports 'trace add dpdk-crypto-input 10' just like the other input nodes Actual measurement shows >10 clocks per packets are saved, under QAT or openssl PMD case Change-Id: I6ea34e4ae3b08c381219ff6bc8adda2d927fbfd5 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>