[v2,3/4] examples/ipsec-secgw: add UDP encapsulation support
Checks
Commit Message
Adding lookaside IPsec UDP encapsulation support
for NAT traversal.
Application has to add udp-encap option to sa config file
to enable UDP encapsulation on the SA.
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
doc/guides/rel_notes/release_21_05.rst | 5 ++++
doc/guides/sample_app_ug/ipsec_secgw.rst | 15 ++++++++++--
examples/ipsec-secgw/ipsec-secgw.c | 29 +++++++++++++++++++++---
examples/ipsec-secgw/ipsec-secgw.h | 2 ++
examples/ipsec-secgw/ipsec.c | 9 ++++++++
examples/ipsec-secgw/ipsec.h | 2 ++
examples/ipsec-secgw/sa.c | 18 +++++++++++++++
examples/ipsec-secgw/sad.h | 7 +++++-
8 files changed, 81 insertions(+), 6 deletions(-)
Comments
>
> Adding lookaside IPsec UDP encapsulation support
> for NAT traversal.
> Application has to add udp-encap option to sa config file
> to enable UDP encapsulation on the SA.
>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> ---
Acked-by: Akhil Goyal <gakhil@marvell.com>
Konstantin,
Any more comments on this?
Regards,
Akhil
Hi Akhil,
> >
> > Adding lookaside IPsec UDP encapsulation support
> > for NAT traversal.
> > Application has to add udp-encap option to sa config file
> > to enable UDP encapsulation on the SA.
> >
> > Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> > ---
> Acked-by: Akhil Goyal <gakhil@marvell.com>
>
> Konstantin,
> Any more comments on this?
Didn't look at v2 yet.
Will try to do that during this week.
Konstantin
>
> Adding lookaside IPsec UDP encapsulation support
> for NAT traversal.
> Application has to add udp-encap option to sa config file
> to enable UDP encapsulation on the SA.
>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> ---
> doc/guides/rel_notes/release_21_05.rst | 5 ++++
> doc/guides/sample_app_ug/ipsec_secgw.rst | 15 ++++++++++--
> examples/ipsec-secgw/ipsec-secgw.c | 29 +++++++++++++++++++++---
> examples/ipsec-secgw/ipsec-secgw.h | 2 ++
> examples/ipsec-secgw/ipsec.c | 9 ++++++++
> examples/ipsec-secgw/ipsec.h | 2 ++
> examples/ipsec-secgw/sa.c | 18 +++++++++++++++
> examples/ipsec-secgw/sad.h | 7 +++++-
> 8 files changed, 81 insertions(+), 6 deletions(-)
>
> diff --git a/doc/guides/rel_notes/release_21_05.rst b/doc/guides/rel_notes/release_21_05.rst
> index 4ab2d7500f..9ef2537b1a 100644
> --- a/doc/guides/rel_notes/release_21_05.rst
> +++ b/doc/guides/rel_notes/release_21_05.rst
> @@ -111,6 +111,11 @@ New Features
> * Added command to display Rx queue used descriptor count.
> ``show port (port_id) rxq (queue_id) desc used count``
>
> +* **Updated ipsec-secgw sample application.**
> +
> + * Updated the ``ipsec-secgw`` sample application with UDP encapsulation
> + support for NAT Traversal.
> +
>
> Removed Items
> -------------
> diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst
> index 176e292d3f..07bbbb5916 100644
> --- a/doc/guides/sample_app_ug/ipsec_secgw.rst
> +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
> @@ -500,7 +500,7 @@ The SA rule syntax is shown as follows:
>
> sa <dir> <spi> <cipher_algo> <cipher_key> <auth_algo> <auth_key>
> <mode> <src_ip> <dst_ip> <action_type> <port_id> <fallback>
> - <flow-direction> <port_id> <queue_id>
> + <flow-direction> <port_id> <queue_id> <udp-encap>
>
> where each options means:
>
> @@ -709,6 +709,17 @@ where each options means:
> * *port_id*: Port ID of the NIC for which the SA is configured.
> * *queue_id*: Queue ID to which traffic should be redirected.
>
> + ``<udp-encap>``
> +
> + * Option to enable IPsec UDP encapsulation for NAT Traversal.
> + Only lookaside-protocol-offload mode is supported at the moment.
> +
> + * Optional: Yes, it is disabled by default
> +
> + * Syntax:
> +
> + * *udp-encap*
> +
> Example SA rules:
>
> .. code-block:: console
> @@ -1023,4 +1034,4 @@ Available options:
> * ``-h`` Show usage.
>
> If <ipsec_mode> is specified, only tests for that mode will be invoked. For the
> -list of available modes please refer to run_test.sh.
> \ No newline at end of file
> +list of available modes please refer to run_test.sh.
> diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
> index 20d69ba813..6f6f2aa796 100644
> --- a/examples/ipsec-secgw/ipsec-secgw.c
> +++ b/examples/ipsec-secgw/ipsec-secgw.c
> @@ -184,7 +184,8 @@ static uint64_t frag_ttl_ns = MAX_FRAG_TTL_NS;
> /* application wide librte_ipsec/SA parameters */
> struct app_sa_prm app_sa_prm = {
> .enable = 0,
> - .cache_sz = SA_CACHE_SZ
> + .cache_sz = SA_CACHE_SZ,
> + .udp_encap = 0
> };
> static const char *cfgfile;
>
> @@ -360,6 +361,9 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)
> const struct rte_ether_hdr *eth;
> const struct rte_ipv4_hdr *iph4;
> const struct rte_ipv6_hdr *iph6;
> + const struct rte_udp_hdr *udp;
> + uint16_t ip4_hdr_len;
> + uint16_t nat_port;
>
> eth = rte_pktmbuf_mtod(pkt, const struct rte_ether_hdr *);
> if (eth->ether_type == rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4)) {
> @@ -368,9 +372,28 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)
> RTE_ETHER_HDR_LEN);
> adjust_ipv4_pktlen(pkt, iph4, 0);
>
> - if (iph4->next_proto_id == IPPROTO_ESP)
> + switch (iph4->next_proto_id) {
> + case IPPROTO_ESP:
> t->ipsec.pkts[(t->ipsec.num)++] = pkt;
> - else {
> + break;
> + case IPPROTO_UDP:
> + if (app_sa_prm.udp_encap == 1) {
> + ip4_hdr_len = ((iph4->version_ihl &
> + RTE_IPV4_HDR_IHL_MASK) *
> + RTE_IPV4_IHL_MULTIPLIER);
> + udp = rte_pktmbuf_mtod_offset(pkt,
> + struct rte_udp_hdr *, ip4_hdr_len);
> + nat_port = rte_cpu_to_be_16(IPSEC_NAT_T_PORT);
> + if (udp->src_port == nat_port ||
> + udp->dst_port == nat_port){
> + t->ipsec.pkts[(t->ipsec.num)++] = pkt;
> + pkt->packet_type |=
> + RTE_PTYPE_TUNNEL_ESP_IN_UDP;
> + break;
> + }
> + }
> + /* Fall through */
> + default:
> t->ip4.data[t->ip4.num] = &iph4->next_proto_id;
> t->ip4.pkts[(t->ip4.num)++] = pkt;
> }
As I understand you don't support UDP tunneling for ipv6 packets for now.
If so, then it probably worth to notice that in the doc, and in parse_sa_tokens()
add a check for ipv4.
Apart from that all seems ok to me.
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Hi Konstantin,
Please see inline.
Thanks
Tejasree
> -----Original Message-----
> From: Ananyev, Konstantin <konstantin.ananyev@intel.com>
> Sent: Tuesday, April 6, 2021 7:08 PM
> To: Tejasree Kondoj <ktejasree@marvell.com>; Akhil Goyal
> <gakhil@marvell.com>; Nicolau, Radu <radu.nicolau@intel.com>
> Cc: Anoob Joseph <anoobj@marvell.com>; Ankur Dwivedi
> <adwivedi@marvell.com>; Jerin Jacob Kollanukkaran <jerinj@marvell.com>;
> dev@dpdk.org
> Subject: [EXT] RE: [PATCH v2 3/4] examples/ipsec-secgw: add UDP
> encapsulation support
>
> External Email
>
> ----------------------------------------------------------------------
>
> >
> > Adding lookaside IPsec UDP encapsulation support for NAT traversal.
> > Application has to add udp-encap option to sa config file to enable
> > UDP encapsulation on the SA.
> >
> > Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> > ---
> > doc/guides/rel_notes/release_21_05.rst | 5 ++++
> > doc/guides/sample_app_ug/ipsec_secgw.rst | 15 ++++++++++--
> > examples/ipsec-secgw/ipsec-secgw.c | 29 +++++++++++++++++++++---
> > examples/ipsec-secgw/ipsec-secgw.h | 2 ++
> > examples/ipsec-secgw/ipsec.c | 9 ++++++++
> > examples/ipsec-secgw/ipsec.h | 2 ++
> > examples/ipsec-secgw/sa.c | 18 +++++++++++++++
> > examples/ipsec-secgw/sad.h | 7 +++++-
> > 8 files changed, 81 insertions(+), 6 deletions(-)
> >
> > diff --git a/doc/guides/rel_notes/release_21_05.rst
> > b/doc/guides/rel_notes/release_21_05.rst
> > index 4ab2d7500f..9ef2537b1a 100644
> > --- a/doc/guides/rel_notes/release_21_05.rst
> > +++ b/doc/guides/rel_notes/release_21_05.rst
> > @@ -111,6 +111,11 @@ New Features
> > * Added command to display Rx queue used descriptor count.
> > ``show port (port_id) rxq (queue_id) desc used count``
> >
> > +* **Updated ipsec-secgw sample application.**
> > +
> > + * Updated the ``ipsec-secgw`` sample application with UDP encapsulation
> > + support for NAT Traversal.
> > +
> >
> > Removed Items
> > -------------
> > diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst
> > b/doc/guides/sample_app_ug/ipsec_secgw.rst
> > index 176e292d3f..07bbbb5916 100644
> > --- a/doc/guides/sample_app_ug/ipsec_secgw.rst
> > +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
> > @@ -500,7 +500,7 @@ The SA rule syntax is shown as follows:
> >
> > sa <dir> <spi> <cipher_algo> <cipher_key> <auth_algo> <auth_key>
> > <mode> <src_ip> <dst_ip> <action_type> <port_id> <fallback>
> > - <flow-direction> <port_id> <queue_id>
> > + <flow-direction> <port_id> <queue_id> <udp-encap>
> >
> > where each options means:
> >
> > @@ -709,6 +709,17 @@ where each options means:
> > * *port_id*: Port ID of the NIC for which the SA is configured.
> > * *queue_id*: Queue ID to which traffic should be redirected.
> >
> > + ``<udp-encap>``
> > +
> > + * Option to enable IPsec UDP encapsulation for NAT Traversal.
> > + Only lookaside-protocol-offload mode is supported at the moment.
> > +
> > + * Optional: Yes, it is disabled by default
> > +
> > + * Syntax:
> > +
> > + * *udp-encap*
> > +
> > Example SA rules:
> >
> > .. code-block:: console
> > @@ -1023,4 +1034,4 @@ Available options:
> > * ``-h`` Show usage.
> >
> > If <ipsec_mode> is specified, only tests for that mode will be
> > invoked. For the -list of available modes please refer to run_test.sh.
> > \ No newline at end of file
> > +list of available modes please refer to run_test.sh.
> > diff --git a/examples/ipsec-secgw/ipsec-secgw.c
> > b/examples/ipsec-secgw/ipsec-secgw.c
> > index 20d69ba813..6f6f2aa796 100644
> > --- a/examples/ipsec-secgw/ipsec-secgw.c
> > +++ b/examples/ipsec-secgw/ipsec-secgw.c
> > @@ -184,7 +184,8 @@ static uint64_t frag_ttl_ns = MAX_FRAG_TTL_NS;
> > /* application wide librte_ipsec/SA parameters */ struct app_sa_prm
> > app_sa_prm = {
> > .enable = 0,
> > - .cache_sz = SA_CACHE_SZ
> > + .cache_sz = SA_CACHE_SZ,
> > + .udp_encap = 0
> > };
> > static const char *cfgfile;
> >
> > @@ -360,6 +361,9 @@ prepare_one_packet(struct rte_mbuf *pkt, struct
> ipsec_traffic *t)
> > const struct rte_ether_hdr *eth;
> > const struct rte_ipv4_hdr *iph4;
> > const struct rte_ipv6_hdr *iph6;
> > + const struct rte_udp_hdr *udp;
> > + uint16_t ip4_hdr_len;
> > + uint16_t nat_port;
> >
> > eth = rte_pktmbuf_mtod(pkt, const struct rte_ether_hdr *);
> > if (eth->ether_type == rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4)) {
> @@
> > -368,9 +372,28 @@ prepare_one_packet(struct rte_mbuf *pkt, struct
> ipsec_traffic *t)
> > RTE_ETHER_HDR_LEN);
> > adjust_ipv4_pktlen(pkt, iph4, 0);
> >
> > - if (iph4->next_proto_id == IPPROTO_ESP)
> > + switch (iph4->next_proto_id) {
> > + case IPPROTO_ESP:
> > t->ipsec.pkts[(t->ipsec.num)++] = pkt;
> > - else {
> > + break;
> > + case IPPROTO_UDP:
> > + if (app_sa_prm.udp_encap == 1) {
> > + ip4_hdr_len = ((iph4->version_ihl &
> > + RTE_IPV4_HDR_IHL_MASK) *
> > + RTE_IPV4_IHL_MULTIPLIER);
> > + udp = rte_pktmbuf_mtod_offset(pkt,
> > + struct rte_udp_hdr *, ip4_hdr_len);
> > + nat_port =
> rte_cpu_to_be_16(IPSEC_NAT_T_PORT);
> > + if (udp->src_port == nat_port ||
> > + udp->dst_port == nat_port){
> > + t->ipsec.pkts[(t->ipsec.num)++] = pkt;
> > + pkt->packet_type |=
> > +
> RTE_PTYPE_TUNNEL_ESP_IN_UDP;
> > + break;
> > + }
> > + }
> > + /* Fall through */
> > + default:
> > t->ip4.data[t->ip4.num] = &iph4->next_proto_id;
> > t->ip4.pkts[(t->ip4.num)++] = pkt;
> > }
>
> As I understand you don't support UDP tunneling for ipv6 packets for now.
> If so, then it probably worth to notice that in the doc, and in
> parse_sa_tokens() add a check for ipv4.
> Apart from that all seems ok to me.
> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
[Tejasree] Added support for IPv6 packets in v3. Could you please review?
@@ -111,6 +111,11 @@ New Features
* Added command to display Rx queue used descriptor count.
``show port (port_id) rxq (queue_id) desc used count``
+* **Updated ipsec-secgw sample application.**
+
+ * Updated the ``ipsec-secgw`` sample application with UDP encapsulation
+ support for NAT Traversal.
+
Removed Items
-------------
@@ -500,7 +500,7 @@ The SA rule syntax is shown as follows:
sa <dir> <spi> <cipher_algo> <cipher_key> <auth_algo> <auth_key>
<mode> <src_ip> <dst_ip> <action_type> <port_id> <fallback>
- <flow-direction> <port_id> <queue_id>
+ <flow-direction> <port_id> <queue_id> <udp-encap>
where each options means:
@@ -709,6 +709,17 @@ where each options means:
* *port_id*: Port ID of the NIC for which the SA is configured.
* *queue_id*: Queue ID to which traffic should be redirected.
+ ``<udp-encap>``
+
+ * Option to enable IPsec UDP encapsulation for NAT Traversal.
+ Only lookaside-protocol-offload mode is supported at the moment.
+
+ * Optional: Yes, it is disabled by default
+
+ * Syntax:
+
+ * *udp-encap*
+
Example SA rules:
.. code-block:: console
@@ -1023,4 +1034,4 @@ Available options:
* ``-h`` Show usage.
If <ipsec_mode> is specified, only tests for that mode will be invoked. For the
-list of available modes please refer to run_test.sh.
\ No newline at end of file
+list of available modes please refer to run_test.sh.
@@ -184,7 +184,8 @@ static uint64_t frag_ttl_ns = MAX_FRAG_TTL_NS;
/* application wide librte_ipsec/SA parameters */
struct app_sa_prm app_sa_prm = {
.enable = 0,
- .cache_sz = SA_CACHE_SZ
+ .cache_sz = SA_CACHE_SZ,
+ .udp_encap = 0
};
static const char *cfgfile;
@@ -360,6 +361,9 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)
const struct rte_ether_hdr *eth;
const struct rte_ipv4_hdr *iph4;
const struct rte_ipv6_hdr *iph6;
+ const struct rte_udp_hdr *udp;
+ uint16_t ip4_hdr_len;
+ uint16_t nat_port;
eth = rte_pktmbuf_mtod(pkt, const struct rte_ether_hdr *);
if (eth->ether_type == rte_cpu_to_be_16(RTE_ETHER_TYPE_IPV4)) {
@@ -368,9 +372,28 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)
RTE_ETHER_HDR_LEN);
adjust_ipv4_pktlen(pkt, iph4, 0);
- if (iph4->next_proto_id == IPPROTO_ESP)
+ switch (iph4->next_proto_id) {
+ case IPPROTO_ESP:
t->ipsec.pkts[(t->ipsec.num)++] = pkt;
- else {
+ break;
+ case IPPROTO_UDP:
+ if (app_sa_prm.udp_encap == 1) {
+ ip4_hdr_len = ((iph4->version_ihl &
+ RTE_IPV4_HDR_IHL_MASK) *
+ RTE_IPV4_IHL_MULTIPLIER);
+ udp = rte_pktmbuf_mtod_offset(pkt,
+ struct rte_udp_hdr *, ip4_hdr_len);
+ nat_port = rte_cpu_to_be_16(IPSEC_NAT_T_PORT);
+ if (udp->src_port == nat_port ||
+ udp->dst_port == nat_port){
+ t->ipsec.pkts[(t->ipsec.num)++] = pkt;
+ pkt->packet_type |=
+ RTE_PTYPE_TUNNEL_ESP_IN_UDP;
+ break;
+ }
+ }
+ /* Fall through */
+ default:
t->ip4.data[t->ip4.num] = &iph4->next_proto_id;
t->ip4.pkts[(t->ip4.num)++] = pkt;
}
@@ -47,6 +47,8 @@
#define ETHADDR(a, b, c, d, e, f) (__BYTES_TO_UINT64(a, b, c, d, e, f, 0, 0))
+#define IPSEC_NAT_T_PORT 4500
+
struct traffic_type {
const uint8_t *data[MAX_PKT_BURST * 2];
struct rte_mbuf *pkts[MAX_PKT_BURST * 2];
@@ -52,6 +52,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec)
ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT;
ipsec->replay_win_sz = app_sa_prm.window_size;
ipsec->options.esn = app_sa_prm.enable_esn;
+ ipsec->options.udp_encap = sa->udp_encap;
}
int
@@ -528,6 +529,7 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,
struct rte_crypto_sym_op *sym_cop;
struct ipsec_sa *sa;
struct rte_ipsec_session *ips;
+ int is_udp_esp;
for (i = 0; i < nb_pkts; i++) {
if (unlikely(sas[i] == NULL)) {
@@ -556,6 +558,13 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,
continue;
}
+ is_udp_esp = pkts[i]->packet_type &
+ RTE_PTYPE_TUNNEL_ESP_IN_UDP;
+ if (unlikely(is_udp_esp && sa->udp_encap != 1)) {
+ free_pkts(&pkts[i], 1);
+ continue;
+ }
+
sym_cop = get_sym_cop(&priv->cop);
sym_cop->m_src = pkts[i];
@@ -75,6 +75,7 @@ struct app_sa_prm {
uint32_t window_size; /* replay window size */
uint32_t enable_esn; /* enable/disable ESN support */
uint32_t cache_sz; /* per lcore SA cache size */
+ uint32_t udp_encap; /* enable/disable UDP Encapsulation */
uint64_t flags; /* rte_ipsec_sa_prm.flags */
};
@@ -136,6 +137,7 @@ struct ipsec_sa {
struct rte_security_ipsec_xform *sec_xform;
};
enum rte_security_ipsec_sa_direction direction;
+ uint8_t udp_encap;
uint16_t portid;
uint8_t fdir_qid;
uint8_t fdir_flag;
@@ -298,6 +298,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
uint32_t portid_p = 0;
uint32_t fallback_p = 0;
int16_t status_p = 0;
+ uint16_t udp_encap_p = 0;
if (strcmp(tokens[0], "in") == 0) {
ri = &nb_sa_in;
@@ -757,6 +758,23 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
}
continue;
}
+ if (strcmp(tokens[ti], "udp-encap") == 0) {
+ APP_CHECK(ips->type ==
+ RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+ status, "UDP encapsulation is allowed if the "
+ "session is of type lookaside-protocol-offload "
+ "only.");
+ if (status->status < 0)
+ return;
+ APP_CHECK_PRESENCE(udp_encap_p, tokens[ti], status);
+ if (status->status < 0)
+ return;
+
+ rule->udp_encap = 1;
+ app_sa_prm.udp_encap = 1;
+ udp_encap_p = 1;
+ continue;
+ }
/* unrecognizeable input */
APP_CHECK(0, status, "unrecognized input \"%s\"",
@@ -77,6 +77,8 @@ sad_lookup(struct ipsec_sad *sad, struct rte_mbuf *pkts[],
uint32_t spi, cache_idx;
struct ipsec_sad_cache *cache;
struct ipsec_sa *cached_sa;
+ uint16_t udp_hdr_len = 0;
+ int is_udp_esp;
int is_ipv4;
cache = &RTE_PER_LCORE(sad_cache);
@@ -85,8 +87,11 @@ sad_lookup(struct ipsec_sad *sad, struct rte_mbuf *pkts[],
for (i = 0; i < nb_pkts; i++) {
ipv4 = rte_pktmbuf_mtod(pkts[i], struct rte_ipv4_hdr *);
ipv6 = rte_pktmbuf_mtod(pkts[i], struct rte_ipv6_hdr *);
+ is_udp_esp = pkts[i]->packet_type & RTE_PTYPE_TUNNEL_ESP_IN_UDP;
+ if (is_udp_esp)
+ udp_hdr_len = sizeof(struct rte_udp_hdr);
esp = rte_pktmbuf_mtod_offset(pkts[i], struct rte_esp_hdr *,
- pkts[i]->l3_len);
+ pkts[i]->l3_len + udp_hdr_len);
is_ipv4 = pkts[i]->packet_type & RTE_PTYPE_L3_IPV4;
spi = rte_be_to_cpu_32(esp->spi);