Hi Ben,
Thank you for the prompt response. Yes, AVX-512 was enabled. That should be
it. I changed to aes-gcm and it works now.
Thanks,
/HU

> On Mar 30, 2022, at 12:01 AM, Benoit Ganne (bganne) <bga...@cisco.com> wrote:
> 
> Is your system AVX-512 enabled? We just fixed 2 bugs in AES CBC with VAES:
> https://gerrit.fd.io/r/c/vpp/+/35746
> https://gerrit.fd.io/r/c/vpp/+/35767
> 
> best
> ben
> 
>> -----Original Message-----
>> From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of
>> hustu...@gmail.com
>> Sent: Tuesday, March 29, 2022 21:24
>> To: vpp-dev@lists.fd.io
>> Subject: [vpp-dev] IPSEC: possible packet corruption encrypting/decrypting
>> larger than ~200 bytes packets #ipsec
>> 
>> Hello,
>> It seems that packets are corrupted during encryption or decryption. Has
>> anyone seen this issue? Am I doing something wrong?
>> 
>> Version
>> =====
>> 
>> vpp# show version
>> vpp v22.02-release built by root on 7890dde1892a at 2022-02-23T14:16:58
>> vpp#
>> 
>> 
>> Config:
>> =====
>> Very basic config for testing:
>> 
>> Site A:
>> 
>> set interface ip address eth0/0/32768 10.61.1.122/24
>> set interface ip address eth0/2/32768 10.31.1.122/24
>> 
>> create ipip tunnel src  10.31.1.122 dst 10.31.1.123
>> set interface ip address ipip0 10.71.1.122/24
>> set int state ipip0 up
>> 
>> ipsec sa add 20 spi 200 esp crypto-alg aes-cbc-128 crypto-key
>> 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key
>> 4339314b55523947594d6d3547666b45764e6a58
>> ipsec sa add 30 spi 300 esp crypto-alg aes-cbc-128 crypto-key
>> 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key
>> 4339314b55523947594d6d3547666b45764e6a58
>> 
>> ipsec tunnel protect ipip0 sa-in 20 sa-out 30
>> 
>> 
>> Site B:
>> =====
>> 
>> 
>> set interface ip address eth0/0/32768 10.62.1.123/24
>> set interface ip address eth0/2/32768 10.31.1.123/24
>> 
>> create ipip tunnel src  10.31.1.123 dst 10.31.1.122
>> set interface ip address ipip0 10.71.1.123/24
>> set int state ipip0 up
>> ipsec sa add 20 spi 200 esp crypto-alg aes-cbc-128 crypto-key
>> 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key
>> 4339314b55523947594d6d3547666b45764e6a58
>> ipsec sa add 30 spi 300 esp crypto-alg aes-cbc-128 crypto-key
>> 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key
>> 4339314b55523947594d6d3547666b45764e6a58
>> 
>> ipsec tunnel protect ipip0 sa-in 30 sa-out 20
>> 
>> 100 bytes ping works fine
>> ======================
>> 
>> 
>> ping 10.62.1.141 -c 1 -s 100
>> 
>> Packet 1
>> 
>> 00:35:16:851059: dpdk-input
>>  eth0/2/32768 rx queue 0
>>  buffer 0x26a2ad2: current data 0, length 214, buffer-pool 0, ref-count
>> 1, trace handle 0x0
>>                    ext-hdr-valid
>>  PKT MBUF: port 2, nb_segs 1, pkt_len 214
>>    buf_len 2176, data_len 214, ol_flags 0x80, data_off 128, phys_addr
>> 0x9a8ab500
>>    packet_type 0x91 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
>>    rss 0x0 fdir.hi 0x0 fdir.lo 0x0
>>    Packet Offload Flags
>>      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
>>      PKT_RX_IP_CKSUM_NONE (0x0090) no IP cksum of RX pkt.
>>    Packet Types
>>      RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
>>      RTE_PTYPE_L3_IPV4_EXT_UNKNOWN (0x0090) IPv4 packet with or without
>> extension headers
>>  IP4: 30:d0:42:dc:d6:24 -> 30:d0:42:dd:ed:10
>>  IPSEC_ESP: 10.31.1.122 -> 10.31.1.123
>>    tos 0x00, ttl 63, length 200, checksum 0x63d2 dscp CS0 ecn NON_ECN
>>    fragment id 0x0000
>> 00:35:16:851061: ethernet-input
>>  frame: flags 0x3, hw-if-index 3, sw-if-index 3
>>  IP4: 30:d0:42:dc:d6:24 -> 30:d0:42:dd:ed:10
>> 00:35:16:851062: ip4-input-no-checksum
>>  IPSEC_ESP: 10.31.1.122 -> 10.31.1.123
>>    tos 0x00, ttl 63, length 200, checksum 0x63d2 dscp CS0 ecn NON_ECN
>>    fragment id 0x0000
>> 00:35:16:851063: ip4-lookup
>>  fib 0 dpo-idx 9 flow hash: 0x00000000
>>  IPSEC_ESP: 10.31.1.122 -> 10.31.1.123
>>    tos 0x00, ttl 63, length 200, checksum 0x63d2 dscp CS0 ecn NON_ECN
>>    fragment id 0x0000
>> 00:35:16:851064: ip4-receive
>>    IPSEC_ESP: 10.31.1.122 -> 10.31.1.123
>>      tos 0x00, ttl 63, length 200, checksum 0x63d2 dscp CS0 ecn NON_ECN
>>      fragment id 0x0000
>> 00:35:16:851064: ipsec4-tun-input
>>  IPSec: remote:10.31.1.122 spi:300 (0x0000012c) sa:1 tun:0 seq 25 sa
>> 1032361824
>> 00:35:16:851065: esp4-decrypt-tun
>>  esp: crypto aes-cbc-128 integrity sha1-96 pkt-seq 25 sa-seq 25 sa-seq-hi
>> 0 pkt-seq-hi 0
>> 00:35:16:851069: ip4-input-no-checksum
>>  ICMP: 10.61.1.131 -> 10.62.1.141
>>    tos 0x00, ttl 63, length 128, checksum 0x6d94 dscp CS0 ecn NON_ECN
>>    fragment id 0xb65e, flags DONT_FRAGMENT
>>  ICMP echo_request checksum 0x2a5e id 10
>> 00:35:16:851070: ip4-lookup
>>  fib 0 dpo-idx 8 flow hash: 0x00000000
>>  ICMP: 10.61.1.131 -> 10.62.1.141
>>    tos 0x00, ttl 63, length 128, checksum 0x6d94 dscp CS0 ecn NON_ECN
>>    fragment id 0xb65e, flags DONT_FRAGMENT
>>  ICMP echo_request checksum 0x2a5e id 10
>> 00:35:16:851070: ip4-rewrite
>>  tx_sw_if_index 1 dpo-idx 8 : ipv4 via 10.62.1.141 eth0/0/32768: mtu:8996
>> next:6 flags:[] 525400c9a2e330d042dded0e0800 flow hash: 0x00000000
>>  00000000:
>> 525400c9a2e330d042dded0e080045000080b65e40003e016e940a3d01830a3e
>>  00000020: 018d08002a5e000a000103544362000000001c530700000000001011
>> 00:35:16:851071: eth0/0/32768-output
>>  eth0/0/32768
>>  IP4: 30:d0:42:dd:ed:0e -> 52:54:00:c9:a2:e3
>>  ICMP: 10.61.1.131 -> 10.62.1.141
>>    tos 0x00, ttl 62, length 128, checksum 0x6e94 dscp CS0 ecn NON_ECN
>>    fragment id 0xb65e, flags DONT_FRAGMENT
>>  ICMP echo_request checksum 0x2a5e id 10
>> 00:35:16:851072: eth0/0/32768-tx
>>  eth0/0/32768 tx queue 0
>>  buffer 0x26a2ad2: current data 44, length 142, buffer-pool 0, ref-count
>> 1, trace handle 0x0
>>                    ext-hdr-valid
>>                    l2-hdr-offset 0 l3-hdr-offset 14
>>  PKT MBUF: port 2, nb_segs 1, pkt_len 142
>>    buf_len 2176, data_len 142, ol_flags 0x80, data_off 172, phys_addr
>> 0x9a8ab500
>>    packet_type 0x91 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
>>    rss 0x0 fdir.hi 0x0 fdir.lo 0x0
>>    Packet Offload Flags
>>      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
>>      PKT_RX_IP_CKSUM_NONE (0x0090) no IP cksum of RX pkt.
>>    Packet Types
>>      RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
>>      RTE_PTYPE_L3_IPV4_EXT_UNKNOWN (0x0090) IPv4 packet with or without
>> extension headers
>>  IP4: 30:d0:42:dd:ed:0e -> 52:54:00:c9:a2:e3
>>  ICMP: 10.61.1.131 -> 10.62.1.141
>>    tos 0x00, ttl 62, length 128, checksum 0x6e94 dscp CS0 ecn NON_ECN
>>    fragment id 0xb65e, flags DONT_FRAGMENT
>>  ICMP echo_request checksum 0x2a5e id 10
>> 
>> 
>> 500 bytes ping fails
>> =================
>> 
>> 
>> 
>> ping 10.62.1.141 -c 1 -s 500
>> 
>> Packet 3
>> 
>> 00:21:46:594328: dpdk-input
>>  eth0/2/32768 rx queue 0
>>  buffer 0x26a24ba: current data 0, length 614, buffer-pool 0, ref-count
>> 1, trace handle 0x2
>>                    ext-hdr-valid
>>  PKT MBUF: port 2, nb_segs 1, pkt_len 614
>>    buf_len 2176, data_len 614, ol_flags 0x80, data_off 128, phys_addr
>> 0x9a892f00
>>    packet_type 0x91 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
>>    rss 0x0 fdir.hi 0x0 fdir.lo 0x0
>>    Packet Offload Flags
>>      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
>>      PKT_RX_IP_CKSUM_NONE (0x0090) no IP cksum of RX pkt.
>>    Packet Types
>>      RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
>>      RTE_PTYPE_L3_IPV4_EXT_UNKNOWN (0x0090) IPv4 packet with or without
>> extension headers
>>  IP4: 30:d0:42:dc:d6:24 -> 30:d0:42:dd:ed:10
>>  IPSEC_ESP: 10.31.1.122 -> 10.31.1.123
>>    tos 0x00, ttl 63, length 600, checksum 0x6242 dscp CS0 ecn NON_ECN
>>    fragment id 0x0000
>> 00:21:46:594328: ethernet-input
>>  frame: flags 0x3, hw-if-index 3, sw-if-index 3
>>  IP4: 30:d0:42:dc:d6:24 -> 30:d0:42:dd:ed:10
>> 00:21:46:594329: ip4-input-no-checksum
>>  IPSEC_ESP: 10.31.1.122 -> 10.31.1.123
>>    tos 0x00, ttl 63, length 600, checksum 0x6242 dscp CS0 ecn NON_ECN
>>    fragment id 0x0000
>> 00:21:46:594329: ip4-lookup
>>  fib 0 dpo-idx 9 flow hash: 0x00000000
>>  IPSEC_ESP: 10.31.1.122 -> 10.31.1.123
>>    tos 0x00, ttl 63, length 600, checksum 0x6242 dscp CS0 ecn NON_ECN
>>    fragment id 0x0000
>> 00:21:46:594330: ip4-receive
>>    IPSEC_ESP: 10.31.1.122 -> 10.31.1.123
>>      tos 0x00, ttl 63, length 600, checksum 0x6242 dscp CS0 ecn NON_ECN
>>      fragment id 0x0000
>> 00:21:46:594330: ipsec4-tun-input
>>  IPSec: remote:10.31.1.122 spi:300 (0x0000012c) sa:1 tun:0 seq 23 sa
>> 1032361824
>> 00:21:46:594331: esp4-decrypt-tun
>>  esp: crypto aes-cbc-128 integrity sha1-96 pkt-seq 23 sa-seq 23 sa-seq-hi
>> 0 pkt-seq-hi 0
>> 00:21:46:594337: ip4-drop
>>    unknown 179: 232.198.57.94 -> 10.178.43.164
>>      version 0, header length 0
>>      tos 0x00, ttl 131, length 300, checksum 0xcf21 (should be 0x228e)
>> dscp CS0 ecn NON_ECN
>>      fragment id 0x0000 offset 184
>> 00:21:46:594338: error-drop
>>  rx:ipip0
>> 00:21:46:594338: drop
>>  esp4-decrypt-tun: unsupported payload
>> 
>> 
>> Thank you
>> /HU
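
Added example (not written by the thread participants and not part of VPP): a small parser for `show trace` output that flags packets which passed an ESP decrypt node and were then dropped, the pattern seen in the failing 500-byte trace above. The function names are hypothetical, and the sample input is abbreviated from the two traces quoted in this thread.

```python
import re
NODE_RE = re.compile(r"^(\d\d:\d\d:\d\d:\d+): (\S+)$")   # "HH:MM:SS:usec: node-name"
PACKET_RE = re.compile(r"^Packet (\d+)$")
ALG_RE = re.compile(r"esp: crypto (\S+) integrity (\S+)")
# Sample input: abbreviated from the two traces quoted in this thread.
SAMPLE = """\
Packet 1
00:35:16:851065: esp4-decrypt-tun
 esp: crypto aes-cbc-128 integrity sha1-96 pkt-seq 25 sa-seq 25 sa-seq-hi
00:35:16:851069: ip4-input-no-checksum
 ICMP: 10.61.1.131 -> 10.62.1.141
Packet 3
00:21:46:594331: esp4-decrypt-tun
 esp: crypto aes-cbc-128 integrity sha1-96 pkt-seq 23 sa-seq 23 sa-seq-hi
00:21:46:594337: ip4-drop
 version 0, header length 0
00:21:46:594338: drop
 esp4-decrypt-tun: unsupported payload
"""

def parse_trace(text):
    """Return [{'id': int, 'nodes': [(node_name, [detail, ...]), ...]}, ...]."""
    packets = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()          # tolerate e-mail quote prefixes
        if m := PACKET_RE.match(line):
            packets.append({"id": int(m.group(1)), "nodes": []})
        elif packets and (m := NODE_RE.match(line)):
            packets[-1]["nodes"].append((m.group(2), []))
        elif packets and packets[-1]["nodes"] and line:
            packets[-1]["nodes"][-1][1].append(line)
    return packets

def post_decrypt_drops(packets):
    """Packets that went through an ESP decrypt node and ended in the drop node."""
    findings = []
    for pkt in packets:
        nodes = pkt["nodes"]
        dec = next((i for i, (n, _) in enumerate(nodes) if re.match(r"esp[46]-decrypt", n)), None)
        if dec is None or nodes[-1][0] != "drop":
            continue
        alg = ALG_RE.search(" ".join(nodes[dec][1]))
        inner = " ".join(d for _, ds in nodes[dec + 1:] for d in ds)
        # An inner IPv4 header reported as "version 0" means the decrypted bytes are garbage.
        findings.append({"packet": pkt["id"], "crypto": alg.group(1) if alg else None,
                         "reason": nodes[-1][1][0] if nodes[-1][1] else None,
                         "garbled_inner_header": "version 0" in inner})
    return findings
print(post_decrypt_drops(parse_trace(SAMPLE)))
```

Grouping the findings by `crypto` across a sweep of ping sizes shows quickly whether drops are confined to one algorithm, as they were here with aes-cbc-128.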