# VPP IPSec implementation using DPDK Cryptodev API {#dpdk_crypto_ipsec_doc}
This document is meant to contain all related information about implementation and usability.
## VPP IPsec with DPDK Cryptodev
DPDK Cryptodev is an asynchronous crypto API that supports both Hardware and Software implementations (for more details refer to [DPDK Cryptography Device Library documentation](http://dpdk.org/doc/guides/prog_guide/cryptodev_lib.html)).
When DPDK Cryptodev support is enabled, the node graph is modified by adding and replacing some of the nodes.
The following nodes are replaced:
* esp-encrypt -> dpdk-esp-encrypt
* esp-decrypt -> dpdk-esp-decrypt
The following nodes are added:
* dpdk-crypto-input : polling input node, basically dequeuing from crypto devices.
* dpdk-esp-encrypt-post : internal node.
* dpdk-esp-decrypt-post : internal node.
### How to enable VPP IPSec with DPDK Cryptodev support
To enable DPDK Cryptodev support (disabled by default), we need the following env option:
```
vpp_uses_dpdk_cryptodev=yes
```
A couple of ways to achieve this:
* uncomment/add it in the platform's config (e.g. `build-data/platforms/vpp.mk`)
* set the option when building VPP (e.g. `make vpp_uses_dpdk_cryptodev=yes build-release`)
### Crypto Resources allocation
VPP allocates crypto resources based on a best effort approach:
* first allocate Hardware crypto resources, then Software.
* if there are not enough crypto resources for all workers, all packets will be dropped if they reach ESP encrypt/decrypt nodes, displaying the warning:
```
0: dpdk_ipsec_init: not enough cryptodevs for ipsec
```
### Configuration example
No special IPsec configuration is required.
Once DPDK Cryptodev is enabled, the user just needs to provide cryptodevs in the startup.conf.
Example startup.conf:
```
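dpdk {
	socket-mem 1024,1024
	num-mbufs 131072
	dev 0000:81:00.0
	dev 0000:81:00.1
	# Crypto devices (BDFs), bound to the same driver as DPDK Ethernet devices
	dev 0000:85:01.0
	dev 0000:85:01.1
	# Two AESNI-MB software cryptodev PMDs on NUMA node 1
	vdev cryptodev_aesni_mb_pmd,socket_id=1
	vdev cryptodev_aesni_mb_pmd,socket_id=1
}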
```
In the above configuration:
* 0000:85:01.0 and 0000:85:01.1 are crypto BDFs and they require the same driver binding as DPDK Ethernet devices but they do not support any extra configuration options.
* Two AESNI-MB Software Cryptodev PMDs are created in NUMA node 1.
For further details refer to [DPDK Crypto Device Driver documentation](http://dpdk.org/doc/guides/cryptodevs/index.html).
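A pre-flight check built on the allocation rule and the startup.conf above, added here as an example and not taken from the VPP sources: it inventories the `dpdk` stanza and flags the starvation warning in a log, since that warning means ESP traffic is being dropped. The function names and the sample log lines are assumptions constructed for illustration; crypto BDFs cannot be told apart from Ethernet BDFs by the config alone, so all PCI devices are listed together.

```python
import re
from collections import Counter

# Warning text quoted on this page: not enough crypto resources for all workers.
WARNING = "dpdk_ipsec_init: not enough cryptodevs for ipsec"
BDF = re.compile(r"dev\s+([0-9a-fA-F]{4}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}\.[0-7])\b")
SW_VDEV = re.compile(r"vdev\s+(cryptodev_\w+)(?:,(\S+))?")

def dpdk_stanza(conf):
    """Lines inside the top-level `dpdk { ... }` stanza, '#' comments stripped."""
    lines, depth = [], 0
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if depth == 0:
            depth = 1 if re.fullmatch(r"dpdk\s*\{", line) else 0
            continue
        depth += line.count("{") - line.count("}")  # tolerate nested sub-stanzas
        if depth <= 0:
            break
        lines.append(line)
    return lines

def crypto_inventory(conf):
    """Return (PCI BDFs handed to DPDK, software cryptodev count per socket_id)."""
    pci, sw = [], Counter()
    for line in dpdk_stanza(conf):
        if m := BDF.match(line):
            pci.append(m.group(1))  # Ethernet and crypto BDFs look identical here
        elif m := SW_VDEV.match(line):
            opts = dict(kv.split("=", 1) for kv in (m.group(2) or "").split(",") if "=" in kv)
            sid = opts.get("socket_id")
            sw[int(sid) if sid is not None else None] += 1  # None: socket not pinned
    return pci, dict(sw)

def starvation_warnings(log_lines):
    """Log lines showing that ESP encrypt/decrypt nodes will drop every packet."""
    return [line for line in log_lines if WARNING in line]

# The startup.conf shown on this page.
SAMPLE_CONF = """dpdk {
    socket-mem 1024,1024
    num-mbufs 131072
    dev 0000:81:00.0
    dev 0000:81:00.1
    dev 0000:85:01.0
    dev 0000:85:01.1
    vdev cryptodev_aesni_mb_pmd,socket_id=1
    vdev cryptodev_aesni_mb_pmd,socket_id=1
}"""
# Constructed log excerpt; only the warning text comes from this page.
SAMPLE_LOG = ["0: constructed benign line", "0: " + WARNING]
```

A non-empty result from `starvation_warnings` is worth alerting on, because the tunnel stays configured while its traffic is discarded.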
### Operational data
The following CLI command displays the Cryptodev/Worker mapping:
```
show crypto device mapping [verbose]
```