Age | Commit message (Collapse) | Author | Files | Lines |
|
Type: improvement
- inline some common encap fixup functions into the midchain
rewrite node so we don't incur the cost of the virtual function call
- change the copy 'guess' from ethernet_header (which will never happen) to an ip4 header
- add adj-midchain-tx to multiarch sources
- don't run adj-midchain-tx as a feature, instead put this node as the
adj's next and at the end of the feature arc.
- cache the feature arc config index (to save the cache miss going to fetch it)
- don't check if features are enabled when taking the arc (since we know they are)
the last two changes will also benefit normal adjacencies taking the arc (i.e. for NAT, ACLs, etc)
for IPSec:
- don't run esp_encrypt as a feature, instead when required insert this
node into the adj's next and into the end of the feature arc. this
implies that encrypt is always 'the last feature' run, which is
symmetric with decrypt always being the first.
- esp_encrpyt for tunnels has adj-midchain-tx as next node
Change-Id: Ida0af56a704302cf2d7797ded5f118a781e8acb7
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: feature
Signed-off-by: Damjan Marion <damarion@cisco.com>
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com>
Signed-off-by: Dariusz Kazimierski <dariuszx.kazimierski@intel.com>
Signed-off-by: Piotr Kleski <piotrx.kleski@intel.com>
Change-Id: I4c3fcccf55c36842b7b48aed260fef2802b5c54b
|
|
Now UDP encapsulation doesn't work in transport mode because:
- the encrypt node misses filling of UDP header and it gets sent with
all zeros;
- the decrypt node misses filling of new IP header and it contains
garbage data.
With this commit, fill UDP header during encryption and fill IP header
during decryption.
Change-Id: I87a7bd594f0e312b16d3e5eb19e568b4e3164d36
Type: fix
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
|
|
Type: fix
fetch the sa_index from the correct location
Change-Id: I351035ee0226c47585995ff9122320fd5c73ec53
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
Change-Id: Iff9b1960b122f7d326efc37770b4ae3e81eb3122
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
- Fix AAD initialization. With use-esn the aad data consists of the SPI
and the 64-bit sequence number in big-endian order. Fix the u32 swapped
code.
- Remove salt-reinitialization. The GCM code seems inspired by the GCM
RFCs recommendations on IKE keydata and how to produce a salt
value (create an extra 4 octets of keying material). This is not IKE
code though and the SA already holds the configured salt value which
this code is blowing away. Use the configured value instead.
Type: fix
Change-Id: I5e75518aa7c1d91037bb24b2a40fe4fc90bdfdb0
Signed-off-by: Christian Hopps <chopps@labn.net>
|
|
The NULL cipher is a (valid) non-AEAD choice for ESP encrypt path.
Allow it.
Type: fix
Signed-off-by: Christian E. Hopps <chopps@chopps.org>
Change-Id: I6d8b66223a0ffb0952c2dd6fa898a8a2289fef7a
|
|
Type: feature
Change-Id: I913f08383ee1c24d610c3d2aac07cef402570e2c
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: fix
Fixes: 5025d40a1134272ab57c3c3f10311e31a65cd63c
Update the expression for a conditional block which should be executed
when an encrypted packet will be sent via IPv6. Coverity was
complaining that a NULL pointer could be dereferenced. It is unclear
whether that ever would have actually happened, but the updated
expression should quell the warning and should more accurately detect
whether the block for IPv6 should be executed.
Change-Id: I731cad1f982e8f55bd44e6e05e98eff96f1957bb
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Type: feature
If an attempt was made to send an IPv6 packet over an IPv4 tunnel,
the DPDK esp_encrypt did not complete setting up
the crypto operation for a buffer, but still queued the crypto
operations that were allocated. This results in a SEGV when
attempting to dequeue them in dpdk-crypto-input.
Allow IPv6 packets to be sent over a v4 tunnel when using the DPDK
plugin esp crypto nodes.
Change-Id: Ic9a4cd69b7fc06a17ab2f64ae806ec2ceacfef27
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Type: fix
Several Fixes:
1 - Anti-replay did not work with GCM becuase it overwrote the sequence
number in the ESP header. To fix i added the seq num to the per-packet
data so it is preserved
2 - The high sequence number was not byte swapped during ESP encrypt.
3 - openssl engine was the only one to return FAIL_DECRYPT for bad GCM
the others return BAD_HMAC. removed the former
4 - improved tracing to show the low and high seq numbers
5 - documented the anti-replay window checks
6 - fixed scapy patch for ESN support for GCM
7 - tests for anti-reply (w/ and w/o ESN) for each crypto algo
Change-Id: Id65d96b6d1d4dd821b2ab557e87468fff6d70e5b
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Print the SPI in hexadecimal and decimal.
Type: feature
Change-Id: I012e94f9147058064e06c6bb4622ab6b6507957d
Signed-off-by: Guillaume Solignac <gsoligna@cisco.com>
|
|
When the same worker thread processes packet for encrypt and decrypt,
ie. single worker with bi-directional traffic, given that the queue is
shared results in packets to be decrypted being dropped as the encrypt
always happens first for each main loop.
With this change, each crypto device queue is logically split into two
queues, each half the real size, avoiding the described problem.
Change-Id: Ifd3f15e316c92fbd6ca05802456b10a7f73f85da
Signed-off-by: Sergio Gonzalez Monroy <sgmonroy@gmail.com>
|
|
Change-Id: Id406eb8c69a89c57305d8f138e8e6730037aa799
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Recent changes removed the function that was incrementing the
tx counters. Increment them in the esp_encrypt functions.
Change-Id: I446333a23ccf66e34893adb2aa49af562cf35507
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Change-Id: Ide2a9df18db371c8428855d7f12f246006d7c04c
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
The memory areas storing vlib_buffer_t and ip4|6_and_esp_header_t
are not prefetched. The patch help dpdk_esp_encrypt to reduce 18
clocks/pkt from 149 to 131 on Haswell when running IPsec in tunnel
mode.
Change-Id: I4f4e9e2b3982a4b7810cab8ed828a5e4631f8f8c
Signed-off-by: Zhiyong Yang <zhiyong.yang@intel.com>
|
|
Change-Id: Ib828ea5106f3ae280e4ce233f2462dee363580b7
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: Ib73352d6be26d639a7f9d47ca0570a1248bff04a
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: I81ecdf9fdcfcb017117b47dc031f93208e004d7c
Signed-off-by: Damjan Marion <damarion@cisco.com>
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
1) stats are accessed via the stat segment which is more condusive to
monitoring
2) stats are accurate in the presence of multiple threads. There's no
guarantee that an SA is access from only one worker.
Change-Id: Id5e217ea253ddfc9480aaedb0d008dea031b1148
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
don't have to convert from mbuf to vlib_buffer then buffer index
save a few clock cycles in crypto-input
plus, a bit improvements of CLI
1. show more information, resource placement & qp stats
2. clear dpdk qp statistics
cleanup cli as sugguested by Sergio Gonzalez Monroy
Change-Id: Ic4fd65bfa9a6b05b344a9a40c554990dde072d19
Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
|
|
in the same maaner as with other tunnel tyeps we use
the FIB to cache and track the destination used to reach
the tunnel endpoint. Post encap we can then ship the packet
straight to this adjacency and thus elide the costly second
lookup.
- SA add and del function so they can be used both directly
from the API and for tunnels.
- API change for the SA dump to use the SA type
- ipsec_key_t type for convenience (copying, [un]formating)
- no matching tunnel counters in ipsec-if-input
Change-Id: I9d144a59667f7bf96442f4ca66bef5c1d3c7f1ea
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
DPDK 19.02 adds two new fields to struct rte_cryptodev_qp_conf,
which the current code was not initializing properly.
Also session mempools are now required to have specific private data.
For that just use the new API to create symmetric session pools.
Change-Id: Ie732d4e10b908aeaea322717d6011113e3e7172c
Signed-off-by: Sergio Gonzalez Monroy <sgmonroy@gmail.com>
|
|
dpdk_crypto_input_trace was called before vlib_buffer_enqueue_to_next
then VLIB_FRAME_TRACE of next_frame->flag will be overwritten by
vlib_next_frame_change_ownership(), leading to a broken trace.
now it is working:
Packet 1
00:00:15:654983: dpdk-crypto-input
dev_id 0 next-index 1
00:00:15:654999: ip4-lookup
fib 0 dpo-idx 0 flow hash: 0x00000000
IPSEC_ESP: 18.1.0.71 -> 18.1.0.241
tos 0x00, ttl 254, length 168, checksum 0x96ea
......
Change-Id: I73d77c06c11db8911866adb6240b2565b690f469
Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
|
|
HQoS requires fixes to work with dpdk 19.02 so code is disabled and
pending deprecation unless active maintainer is found.
Change-Id: I3569c4287b6dfdd2c29e02375eb53bf01fa6ae84
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: I2c796583087c70fbc5cf09e8afd0f2a1f389d346
Signed-off-by: Sergio Gonzalez Monroy <sgmonroy@gmail.com>
|
|
This patch introduces following changes:
- deprecated free lists which are not used and not compatible
with external buffer managers (i.e. DPDK)
- introduces native support for per-numa buffer pools
- significantly improves performance of buffer alloc and free
Change-Id: I4a8e723ae47056717afd6cac0efe87cb731b5be7
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
as this node is refactored in new style with
vlib_buffer_enqueue_to_next, we have to check if the 'count'
is greater than 0. otherise, the next_index would be invalid
then lead to a crash
Change-Id: If7c323b59c02b5c16bd9d77b65c946512cc972c1
Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
|
|
Change-Id: I998658ad7860b23425444e218ce2e1ec655b885a
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: I764c6565f96e0cb9078503e54e3cf3bb3fd9ff3f
Signed-off-by: Simon Zhang <yuwei1.zhang@intel.com>
|
|
Change-Id: I47d021522cfc92cfb3877449333cbf31022c06f4
Signed-off-by: Simon Zhang <yuwei1.zhang@intel.com>
|
|
Change-Id: I2ef33c7c15b3eb1f55bbfd5cbdd230d6a4d58936
Signed-off-by: Simon Zhang <yuwei1.zhang@intel.com>
|
|
* u32/u64/uword mismatches
* pointer-to-int fixes
* printf formatting issues
* issues with incorrect "ULL" and related suffixes
* structure alignment and padding issues
Change-Id: I70b989007758755fe8211c074f651150680f60b4
Signed-off-by: David Johnson <davijoh3@cisco.com>
|
|
fix a copy-paste bug, and a typo of function name
Change-Id: Ib408522d2bb6fde7a7492de6f5d5369b461d77c9
Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
|
|
1. multi-loop, and new style with vlib_buffer_enqueue_to_next
2. add error counter for AUTH-FAILURE
3. buffer trace changed. now it supports 'trace add dpdk-crypto-input 10'
just like the other input nodes
Actual measurement shows >10 clocks per packets are saved, under QAT
or openssl PMD case
Change-Id: I6ea34e4ae3b08c381219ff6bc8adda2d927fbfd5
Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
|
|
startup.conf
otherwise, these pools will occupy an entire huge page for each even
they are very small.
Change-Id: I08919714de9b6cd4b8dddb546ca54364b56ec99f
Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
|
|
fix coding style
Change-Id: I458d81fa80c509b71edb2021468a89715cb32ae3
Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
|
|
crypto-input,esp encrypt/decrypt are indicated in CMakefiles
Change-Id: I18ba851c1d4e5633d07c5de61cdaeae938e94982
Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
|
|
Change-Id: Ifa6d8391b1b2413a88b7720fc434e0bc849a149a
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: Id4f37f5d4a03160572954a416efa1ef9b3d79ad1
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
Fixes debug build crash.
Change-Id: Ia5c5da82beda5992f9e67456af9a4676b9b82722
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: Ibef46e068cd72415af28920b0146adf48105bf68
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: Ic4c46bc733afae8bf0d8146623ed15633928de30
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
The function dpdk_ipsec_process() attempts to initialize some
globals that store node indexes after looking up the node
dpdk-esp6-decrypt. No such node was declared, so a segv
occurs after dereferencing the result of the lookup.
Add a node function that invokes dpdk_esp_decrypt_inline()
with is_ip6 set to 1. Add a declaration of node dpdk-esp6-decrypt
that uses the node function.
Change-Id: I31ce23a458c2d4181bf40cbc2118c4ef3b9baf97
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Change-Id: Ied34720ca5a6e6e717eea4e86003e854031b6eab
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
Change-Id: I70bc5af646894811d373456ec66aa83f2d75a477
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: Ic6b27659f1fe9e8df39e80a0441305e4e952195a
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: I085615fde1f966490f30ed5d32017b8b088cfd59
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
|
|
Change-Id: If1b93341c222160b9a08f127620c024620e55c37
Signed-off-by: Damjan Marion <damarion@cisco.com>
|