1 .. SPDX-License-Identifier: BSD-3-Clause
2 Copyright(c) 2016-2017 Intel Corporation.
4 IPsec Security Gateway Sample Application
5 =========================================
7 The IPsec Security Gateway application is an example of a "real world"
8 application using DPDK cryptodev framework.
13 The application demonstrates the implementation of a Security Gateway
14 (not IPsec compliant, see the Constraints section below) using DPDK based on RFC4301,
15 RFC4303, RFC3602 and RFC2404.
17 Internet Key Exchange (IKE) is not implemented, so only manual setting of
18 Security Policies and Security Associations is supported.
20 The Security Policies (SP) are implemented as ACL rules, the Security
21 Associations (SA) are stored in a table and the routing is implemented
24 The application classifies the ports as *Protected* and *Unprotected*.
25 Thus, traffic received on an Unprotected or Protected port is consider
26 Inbound or Outbound respectively.
28 The application also supports complete IPSec protocol offload to hardware
29 (Look aside crypto accelarator or using ethernet device). It also support
30 inline ipsec processing by the supported ethernet device during transmission.
31 These modes can be selected during the SA creation configuration.
33 In case of complete protocol offload, the processing of headers(ESP and outer
34 IP header) is done by the hardware and the application does not need to
35 add/remove them during outbound/inbound processing.
37 For inline offloaded outbound traffic, the application will not do the LPM
38 lookup for routing, as the port on which the packet has to be forwarded will be
39 part of the SA. Security parameters will be configured on that port only, and
40 sending the packet on other ports could result in unencrypted packets being
43 The Path for IPsec Inbound traffic is:
45 * Read packets from the port.
46 * Classify packets between IPv4 and ESP.
47 * Perform Inbound SA lookup for ESP packets based on their SPI.
48 * Perform Verification/Decryption (Not needed in case of inline ipsec).
49 * Remove ESP and outer IP header (Not needed in case of protocol offload).
50 * Inbound SP check using ACL of decrypted packets and any other IPv4 packets.
52 * Write packet to port.
54 The Path for the IPsec Outbound traffic is:
56 * Read packets from the port.
57 * Perform Outbound SP check using ACL of all IPv4 traffic.
58 * Perform Outbound SA lookup for packets that need IPsec protection.
59 * Add ESP and outer IP header (Not needed in case protocol offload).
60 * Perform Encryption/Digest (Not needed in case of inline ipsec).
62 * Write packet to port.
68 * No IPv6 options headers.
70 * Supported algorithms: AES-CBC, AES-CTR, AES-GCM, 3DES-CBC, HMAC-SHA1 and NULL.
71 * Each SA must be handle by a unique lcore (*1 RX queue per port*).
74 Compiling the Application
75 -------------------------
77 To compile the sample application see :doc:`compiling`.
79 The application is located in the ``rpsec-secgw`` sub-directory.
81 #. [Optional] Build the application for debugging:
82 This option adds some extra flags, disables compiler optimizations and
88 Running the Application
89 -----------------------
91 The application has a number of command line options::
94 ./build/ipsec-secgw [EAL options] --
95 -p PORTMASK -P -u PORTMASK -j FRAMESIZE
96 --config (port,queue,lcore)[,(port,queue,lcore]
102 * ``-p PORTMASK``: Hexadecimal bitmask of ports to configure.
104 * ``-P``: *optional*. Sets all ports to promiscuous mode so that packets are
105 accepted regardless of the packet's Ethernet MAC destination address.
106 Without this option, only packets with the Ethernet MAC destination address
107 set to the Ethernet address of the port are accepted (default is enabled).
109 * ``-u PORTMASK``: hexadecimal bitmask of unprotected ports
111 * ``-j FRAMESIZE``: *optional*. Enables jumbo frames with the maximum size
112 specified as FRAMESIZE. If an invalid value is provided as FRAMESIZE
113 then the default value 9000 is used.
115 * ``--config (port,queue,lcore)[,(port,queue,lcore)]``: determines which queues
116 from which ports are mapped to which cores.
118 * ``--single-sa SAIDX``: use a single SA for outbound traffic, bypassing the SP
119 on both Inbound and Outbound. This option is meant for debugging/performance
122 * ``-f CONFIG_FILE_PATH``: the full path of text-based file containing all
123 configuration items for running the application (See Configuration file
124 syntax section below). ``-f CONFIG_FILE_PATH`` **must** be specified.
125 **ONLY** the UNIX format configuration file is accepted.
128 The mapping of lcores to port/queues is similar to other l3fwd applications.
130 For example, given the following command line::
132 ./build/ipsec-secgw -l 20,21 -n 4 --socket-mem 0,2048 \
133 --vdev "crypto_null" -- -p 0xf -P -u 0x3 \
134 --config="(0,0,20),(1,0,20),(2,0,21),(3,0,21)" \
135 -f /path/to/config_file \
137 where each options means:
139 * The ``-l`` option enables cores 20 and 21.
141 * The ``-n`` option sets memory 4 channels.
143 * The ``--socket-mem`` to use 2GB on socket 1.
145 * The ``--vdev "crypto_null"`` option creates virtual NULL cryptodev PMD.
147 * The ``-p`` option enables ports (detected) 0, 1, 2 and 3.
149 * The ``-P`` option enables promiscuous mode.
151 * The ``-u`` option sets ports 1 and 2 as unprotected, leaving 2 and 3 as protected.
153 * The ``--config`` option enables one queue per port with the following mapping:
155 +----------+-----------+-----------+---------------------------------------+
156 | **Port** | **Queue** | **lcore** | **Description** |
158 +----------+-----------+-----------+---------------------------------------+
159 | 0 | 0 | 20 | Map queue 0 from port 0 to lcore 20. |
161 +----------+-----------+-----------+---------------------------------------+
162 | 1 | 0 | 20 | Map queue 0 from port 1 to lcore 20. |
164 +----------+-----------+-----------+---------------------------------------+
165 | 2 | 0 | 21 | Map queue 0 from port 2 to lcore 21. |
167 +----------+-----------+-----------+---------------------------------------+
168 | 3 | 0 | 21 | Map queue 0 from port 3 to lcore 21. |
170 +----------+-----------+-----------+---------------------------------------+
172 * The ``-f /path/to/config_file`` option enables the application read and
173 parse the configuration file specified, and configures the application
174 with a given set of SP, SA and Routing entries accordingly. The syntax of
175 the configuration file will be explained below in more detail. Please
176 **note** the parser only accepts UNIX format text file. Other formats
177 such as DOS/MAC format will cause a parse error.
179 Refer to the *DPDK Getting Started Guide* for general information on running
180 applications and the Environment Abstraction Layer (EAL) options.
182 The application would do a best effort to "map" crypto devices to cores, with
183 hardware devices having priority. Basically, hardware devices if present would
184 be assigned to a core before software ones.
185 This means that if the application is using a single core and both hardware
186 and software crypto devices are detected, hardware devices will be used.
188 A way to achieve the case where you want to force the use of virtual crypto
189 devices is to whitelist the Ethernet devices needed and therefore implicitly
190 blacklisting all hardware crypto devices.
192 For example, something like the following command line:
194 .. code-block:: console
196 ./build/ipsec-secgw -l 20,21 -n 4 --socket-mem 0,2048 \
197 -w 81:00.0 -w 81:00.1 -w 81:00.2 -w 81:00.3 \
198 --vdev "crypto_aesni_mb" --vdev "crypto_null" \
200 -p 0xf -P -u 0x3 --config="(0,0,20),(1,0,20),(2,0,21),(3,0,21)" \
207 The following sections provide the syntax of configurations to initialize
208 your SP, SA and Routing tables.
209 Configurations shall be specified in the configuration file to be passed to
210 the application. The file is then parsed by the application. The successful
211 parsing will result in the appropriate rules being applied to the tables
215 Configuration File Syntax
216 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
218 As mention in the overview, the Security Policies are ACL rules.
219 The application parsers the rules specified in the configuration file and
220 passes them to the ACL table, and replicates them per socket in use.
222 Following are the configuration file syntax.
227 The parse treats one line in the configuration file as one configuration
228 item (unless the line concatenation symbol exists). Every configuration
229 item shall follow the syntax of either SP, SA, or Routing rules specified
232 The configuration parser supports the following special symbols:
234 * Comment symbol **#**. Any character from this symbol to the end of
235 line is treated as comment and will not be parsed.
237 * Line concatenation symbol **\\**. This symbol shall be placed in the end
238 of the line to be concatenated to the line below. Multiple lines'
239 concatenation is supported.
245 The SP rule syntax is shown as follows:
247 .. code-block:: console
249 sp <ip_ver> <dir> esp <action> <priority> <src_ip> <dst_ip>
250 <proto> <sport> <dport>
253 where each options means:
257 * IP protocol version
263 * *ipv4*: IP protocol version 4
264 * *ipv6*: IP protocol version 6
268 * The traffic direction
274 * *in*: inbound traffic
275 * *out*: outbound traffic
285 * *protect <SA_idx>*: the specified traffic is protected by SA rule
287 * *bypass*: the specified traffic traffic is bypassed
288 * *discard*: the specified traffic is discarded
294 * Optional: Yes, default priority 0 will be used
300 * The source IP address and mask
302 * Optional: Yes, default address 0.0.0.0 and mask of 0 will be used
306 * *src X.X.X.X/Y* for IPv4
307 * *src XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/Y* for IPv6
311 * The destination IP address and mask
313 * Optional: Yes, default address 0.0.0.0 and mask of 0 will be used
317 * *dst X.X.X.X/Y* for IPv4
318 * *dst XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/Y* for IPv6
322 * The protocol start and end range
324 * Optional: yes, default range of 0 to 0 will be used
326 * Syntax: *proto X:Y*
330 * The source port start and end range
332 * Optional: yes, default range of 0 to 0 will be used
334 * Syntax: *sport X:Y*
338 * The destination port start and end range
340 * Optional: yes, default range of 0 to 0 will be used
342 * Syntax: *dport X:Y*
346 .. code-block:: console
348 sp ipv4 out esp protect 105 pri 1 dst 192.168.115.0/24 sport 0:65535 \
351 sp ipv6 in esp bypass pri 1 dst 0000:0000:0000:0000:5555:5555:\
352 0000:0000/96 sport 0:65535 dport 0:65535
358 The successfully parsed SA rules will be stored in an array table.
360 The SA rule syntax is shown as follows:
362 .. code-block:: console
364 sa <dir> <spi> <cipher_algo> <cipher_key> <auth_algo> <auth_key>
365 <mode> <src_ip> <dst_ip> <action_type> <port_id>
367 where each options means:
371 * The traffic direction
377 * *in*: inbound traffic
378 * *out*: outbound traffic
386 * Syntax: unsigned integer number
392 * Optional: Yes, unless <aead_algo> is not used
396 * *null*: NULL algorithm
397 * *aes-128-cbc*: AES-CBC 128-bit algorithm
398 * *aes-256-cbc*: AES-CBC 256-bit algorithm
399 * *aes-128-ctr*: AES-CTR 128-bit algorithm
400 * *3des-cbc*: 3DES-CBC 192-bit algorithm
402 * Syntax: *cipher_algo <your algorithm>*
406 * Cipher key, NOT available when 'null' algorithm is used
408 * Optional: Yes, unless <aead_algo> is not used.
409 Must be followed by <cipher_algo> option
411 * Syntax: Hexadecimal bytes (0x0-0xFF) concatenate by colon symbol ':'.
412 The number of bytes should be as same as the specified cipher algorithm
415 For example: *cipher_key A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4:
420 * Authentication algorithm
422 * Optional: Yes, unless <aead_algo> is not used
426 * *null*: NULL algorithm
427 * *sha1-hmac*: HMAC SHA1 algorithm
431 * Authentication key, NOT available when 'null' or 'aes-128-gcm' algorithm
434 * Optional: Yes, unless <aead_algo> is not used.
435 Must be followed by <auth_algo> option
437 * Syntax: Hexadecimal bytes (0x0-0xFF) concatenate by colon symbol ':'.
438 The number of bytes should be as same as the specified authentication
441 For example: *auth_key A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4:
448 * Optional: Yes, unless <cipher_algo> and <auth_algo> are not used
452 * *aes-128-gcm*: AES-GCM 128-bit algorithm
454 * Syntax: *cipher_algo <your algorithm>*
458 * Cipher key, NOT available when 'null' algorithm is used
460 * Optional: Yes, unless <cipher_algo> and <auth_algo> are not used.
461 Must be followed by <aead_algo> option
463 * Syntax: Hexadecimal bytes (0x0-0xFF) concatenate by colon symbol ':'.
464 The number of bytes should be as same as the specified AEAD algorithm
467 For example: *aead_key A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4:
478 * *ipv4-tunnel*: Tunnel mode for IPv4 packets
479 * *ipv6-tunnel*: Tunnel mode for IPv6 packets
480 * *transport*: transport mode
486 * The source IP address. This option is not available when
487 transport mode is used
489 * Optional: Yes, default address 0.0.0.0 will be used
493 * *src X.X.X.X* for IPv4
494 * *src XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX* for IPv6
498 * The destination IP address. This option is not available when
499 transport mode is used
501 * Optional: Yes, default address 0.0.0.0 will be used
505 * *dst X.X.X.X* for IPv4
506 * *dst XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX* for IPv6
510 * Action type to specify the security action. This option specify
511 the SA to be performed with look aside protocol offload to HW
512 accelerator or protocol offload on ethernet device or inline
513 crypto processing on the ethernet device during transmission.
515 * Optional: Yes, default type *no-offload*
519 * *lookaside-protocol-offload*: look aside protocol offload to HW accelerator
520 * *inline-protocol-offload*: inline protocol offload on ethernet device
521 * *inline-crypto-offload*: inline crypto processing on ethernet device
522 * *no-offload*: no offloading to hardware
526 * Port/device ID of the ethernet/crypto accelerator for which the SA is
527 configured. For *inline-crypto-offload* and *inline-protocol-offload*, this
528 port will be used for routing. The routing table will not be referred in
531 * Optional: No, if *type* is not *no-offload*
535 * *port_id X* X is a valid device number in decimal
540 .. code-block:: console
542 sa out 5 cipher_algo null auth_algo null mode ipv4-tunnel \
543 src 172.16.1.5 dst 172.16.2.5
545 sa out 25 cipher_algo aes-128-cbc \
546 cipher_key c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3 \
547 auth_algo sha1-hmac \
548 auth_key c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3 \
550 src 1111:1111:1111:1111:1111:1111:1111:5555 \
551 dst 2222:2222:2222:2222:2222:2222:2222:5555
553 sa in 105 aead_algo aes-128-gcm \
554 aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
555 mode ipv4-tunnel src 172.16.2.5 dst 172.16.1.5
557 sa out 5 cipher_algo aes-128-cbc cipher_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
558 auth_algo sha1-hmac auth_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
559 mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \
560 type lookaside-protocol-offload port_id 4
565 The Routing rule syntax is shown as follows:
567 .. code-block:: console
569 rt <ip_ver> <src_ip> <dst_ip> <port>
572 where each options means:
576 * IP protocol version
582 * *ipv4*: IP protocol version 4
583 * *ipv6*: IP protocol version 6
587 * The source IP address and mask
589 * Optional: Yes, default address 0.0.0.0 and mask of 0 will be used
593 * *src X.X.X.X/Y* for IPv4
594 * *src XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/Y* for IPv6
598 * The destination IP address and mask
600 * Optional: Yes, default address 0.0.0.0 and mask of 0 will be used
604 * *dst X.X.X.X/Y* for IPv4
605 * *dst XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/Y* for IPv6
609 * The traffic output port id
611 * Optional: yes, default output port 0 will be used
617 .. code-block:: console
619 rt ipv4 dst 172.16.1.5/32 port 0
621 rt ipv6 dst 1111:1111:1111:1111:1111:1111:1111:5555/116 port 0