Hi Konstantin,

I am done with the review, will be running the code early next week after I finish the review of changes in ipsec application.

Key points for review were:
- some code may be generic and can be moved in appropriate files
- documentation update
- spell checks, spacing etc.
- some cases like cipher only need to be looked at appropriately
- test cases for lookaside and inline proto
- checksum/ttl update

With these comments we cannot make this to RC1, but RC2 can be looked upon.

Thanks,
Akhil

On 12/14/2018 9:59 PM, Konstantin Ananyev wrote:
> This patch series depends on the patch:
> http://patches.dpdk.org/patch/48044/
> to be applied first.
>
> v3 -> v4
>  - Changes to address Declan comments
>  - Update docs
>
> v2 -> v3
>  - Several fixes for IPv6 support
>  - Extra checks for input parameters in public API functions
>
> v1 -> v2
>  - Changes to get into account l2_len for outbound transport packets
>    (Qi comments)
>  - Several bug fixes
>  - Some code restructured
>  - Update MAINTAINERS file
>
> RFCv2 -> v1
>  - Changes per Jerin comments
>  - Implement transport mode
>  - Several bug fixes
>  - UT largely reworked and extended
>
> This patch introduces a new library within DPDK: librte_ipsec.
> The aim is to provide DPDK native high performance library for IPsec
> data-path processing.
> The library is supposed to utilize existing DPDK crypto-dev and
> security API to provide application with transparent IPsec
> processing API.
> The library is concentrated on data-path protocols processing
> (ESP and AH), IKE protocol(s) implementation is out of scope
> for that library.
> Current patch introduces SA-level API.
>
> SA (low) level API
> ==================
>
> API described below operates on SA level.
> It provides functionality that allows user for given SA to process
> inbound and outbound IPsec packets.
> To be more specific:
> - for inbound ESP/AH packets perform decryption, authentication,
>   integrity checking, remove ESP/AH related headers
> - for outbound packets perform payload encryption, attach ICV,
>   update/add IP headers, add ESP/AH headers/trailers,
>   setup related mbuf fields (ol_flags, tx_offloads, etc.).
> - initialize/un-initialize given SA based on user provided parameters.
>
> The following functionality:
> - match inbound/outbound packets to particular SA
> - manage crypto/security devices
> - provide SAD/SPD related functionality
> - determine what crypto/security device has to be used
>   for given packet(s)
> is out of scope for SA-level API.
>
> SA-level API is based on top of crypto-dev/security API and relies on them
> to perform actual cipher and integrity checking.
> To have an ability to easily map crypto/security sessions into related
> IPSec SA opaque userdata field was added into
> rte_cryptodev_sym_session and rte_security_session structures.
> That implies ABI change for both librte_cryptodev and librte_security.
>
> Due to the nature of crypto-dev API (enqueue/dequeue model) we use
> asynchronous API for IPsec packets destined to be processed
> by crypto-device.
> Expected API call sequence would be:
>   /* enqueue for processing by crypto-device */
>   rte_ipsec_pkt_crypto_prepare(...);
>   rte_cryptodev_enqueue_burst(...);
>   /* dequeue from crypto-device and do final processing (if any) */
>   rte_cryptodev_dequeue_burst(...);
>   rte_ipsec_pkt_crypto_group(...); /* optional */
>   rte_ipsec_pkt_process(...);
>
> Though for packets destined for inline processing no extra overhead
> is required and synchronous API call: rte_ipsec_pkt_process()
> is sufficient for that case.
>
> Current implementation supports all four currently defined
> rte_security types.
> Though to accommodate future custom implementations function pointers
> model is used for both *crypto_prepare* and *process*
> implementations.
>
> Konstantin Ananyev (10):
>   cryptodev: add opaque userdata pointer into crypto sym session
>   security: add opaque userdata pointer into security session
>   net: add ESP trailer structure definition
>   lib: introduce ipsec library
>   ipsec: add SA data-path API
>   ipsec: implement SA data-path API
>   ipsec: rework SA replay window/SQN for MT environment
>   ipsec: helper functions to group completed crypto-ops
>   test/ipsec: introduce functional test
>   doc: add IPsec library guide
>
>  MAINTAINERS                            |    5 +
>  config/common_base                     |    5 +
>  doc/guides/prog_guide/index.rst        |    1 +
>  doc/guides/prog_guide/ipsec_lib.rst    |   74 +
>  doc/guides/rel_notes/release_19_02.rst |   10 +
>  lib/Makefile                           |    2 +
>  lib/librte_cryptodev/rte_cryptodev.h   |    2 +
>  lib/librte_ipsec/Makefile              |   27 +
>  lib/librte_ipsec/crypto.h              |  123 ++
>  lib/librte_ipsec/iph.h                 |   84 +
>  lib/librte_ipsec/ipsec_sqn.h           |  343 ++++
>  lib/librte_ipsec/meson.build           |   10 +
>  lib/librte_ipsec/pad.h                 |   45 +
>  lib/librte_ipsec/rte_ipsec.h           |  153 ++
>  lib/librte_ipsec/rte_ipsec_group.h     |  151 ++
>  lib/librte_ipsec/rte_ipsec_sa.h        |  172 ++
>  lib/librte_ipsec/rte_ipsec_version.map |   15 +
>  lib/librte_ipsec/sa.c                  | 1407 +++++++++++++++
>  lib/librte_ipsec/sa.h                  |   98 ++
>  lib/librte_ipsec/ses.c                 |   45 +
>  lib/librte_net/rte_esp.h               |   10 +-
>  lib/librte_security/rte_security.h     |    2 +
>  lib/meson.build                        |    2 +
>  mk/rte.app.mk                          |    2 +
>  test/test/Makefile                     |    3 +
>  test/test/meson.build                  |    3 +
>  test/test/test_ipsec.c                 | 2209 ++++++++++++++++++++++++
>  27 files changed, 5002 insertions(+), 1 deletion(-)
>  create mode 100644 doc/guides/prog_guide/ipsec_lib.rst
>  create mode 100644 lib/librte_ipsec/Makefile
>  create mode 100644 lib/librte_ipsec/crypto.h
>  create mode 100644 lib/librte_ipsec/iph.h
>  create mode 100644 lib/librte_ipsec/ipsec_sqn.h
>  create mode 100644 lib/librte_ipsec/meson.build
>  create mode 100644 lib/librte_ipsec/pad.h
>  create mode 100644 lib/librte_ipsec/rte_ipsec.h
>  create mode 100644 lib/librte_ipsec/rte_ipsec_group.h
>  create mode 100644 lib/librte_ipsec/rte_ipsec_sa.h
>  create mode 100644 lib/librte_ipsec/rte_ipsec_version.map
>  create mode 100644 lib/librte_ipsec/sa.c
>  create mode 100644 lib/librte_ipsec/sa.h
>  create mode 100644 lib/librte_ipsec/ses.c
>  create mode 100644 test/test/test_ipsec.c
>