Hi Mukesh,

On 28/08/2017 17:19, Mukesh Yadav (mukyadav) wrote:

Hi,

I have recently started working on VPP IPSec. My knowledge for same is limited to IPSEC.

I have a few queries w.r.t. broader support of IPSec in VPP. Would appreciate any pointers/help for the same.

As per wiki below, I have installed IPSec and it worked well for aes-cbc-128/sha1

https://wiki.fd.io/view/VPP/IPSec_and_IKEv2

I looked at the source of VPP and found that the VPP core code only supports AES_CBC/SHA1.

A quick Google search pointed me to a few links where VPP used DPDK for IPSEC.

Wanted to know which Enc/hmac algorithms are supported by VPP->DPDK

For same, I followed below

https://docs.fd.io/vpp/17.04/dpdk_crypto_ipsec_doc.html

and compiled vpp using “make vpp_uses_dpdk_cryptodev_sw=yes build-release”


That documentation is from an older release; with the latest code you do not need 'vpp_uses_dpdk_cryptodev_sw=yes'.
It should make no difference anyway.

I see dpdk crypto files in dir src/plugins/dpdk/ipsec. Here it looks that only aes-gcm-128 is supported.

Not sure whether this is what I should be looking at for DPDK-supported IPSec.


DPDK supports AES-CBC and MD5/SHAs also.

With above steps:

When I am trying to configure aes-gcm-128, I get error

vpp# ipsec sa add 10 spi 1001 esp crypto-alg aes-gcm-128 crypto-key 4a506a794f574265564551694d653768

ipsec sa: unsupported aes-gcm-128 crypto-alg


That looks like trying to use aes-gcm-128 with the default VPP OpenSSL implementation. What might be happening is, if we do not have enough crypto devs (either HW or SW), we default to OpenSSL (there should be a warning when running VPP).

IPSec support via VPP core and DPDK is as follows, it seems:

1. Aes-cbc is supported in VPP core

2. Aes-gcm is supported in VPP via DPDK.


OpenSSL implementation: AES-CBC, MD5, HMAC-SHAs
DPDK: Same as OpenSSL implementation plus AES-GCM-128

Is there any plan/way to include other algorithms like DES_CBC/MD5/AES_XCBC?


At least I plan to include DPDK support for AES-GCM 192/256 and AES-CTR 128/192/256.

Did you mean 3DES_CBC? According to RFC 7321 DES_CBC is a MUST_NOT.

Thanks,
Sergio

System Details:

vpp# show vers

vpp v17.10-rc0~103-g42e6b09 built by vagrant on localhost at Sun Aug 27 22:06:20 PDT 2017

vpp# show dpdk vers

DPDK Version:             DPDK 17.05.0

DPDK EAL init args: -c 1 -n 4 --huge-dir /run/vpp/hugepages --file-prefix vpp -b 0000:00:03.0 -b 0000:00:09.0 --master-lcore 0 --socket-mem 256

Thanks

Mukesh



_______________________________________________
vpp-dev mailing list
vpp-dev@lists.fd.io
https://lists.fd.io/mailman/listinfo/vpp-dev

