X-Git-Url: http://git.droids-corp.org/?a=blobdiff_plain;f=doc%2Fguides%2Fprog_guide%2Fipsec_lib.rst;h=9f2b26072d1fd04d8a0d485e50ea767ea9921674;hb=be76aa5836b488b5668c50eebc829641f02f499a;hp=17d9da28fb41839fd449e834b0509b381939c391;hpb=b53e6272cbae03d8c6fd38a57e3aa60b76b6f4da;p=dpdk.git diff --git a/doc/guides/prog_guide/ipsec_lib.rst b/doc/guides/prog_guide/ipsec_lib.rst index 17d9da28fb..9f2b26072d 100644 --- a/doc/guides/prog_guide/ipsec_lib.rst +++ b/doc/guides/prog_guide/ipsec_lib.rst @@ -1,5 +1,5 @@ .. SPDX-License-Identifier: BSD-3-Clause - Copyright(c) 2018 Intel Corporation. + Copyright(c) 2018-2020 Intel Corporation. IPsec Packet Processing Library =============================== @@ -81,6 +81,14 @@ In that mode the library functions perform - verify that crypto device operations (encryption, ICV generation) were completed successfully +RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +In that mode the library functions perform same operations as in +``RTE_SECURITY_ACTION_TYPE_NONE``. The only difference is that crypto operations +are performed with CPU crypto synchronous API. + + RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -143,6 +151,158 @@ In that mode the library functions perform To accommodate future custom implementations function pointers model is used for both *crypto_prepare* and *process* implementations. +SA database API +---------------- + +SA database(SAD) is a table with pairs. + +Value is an opaque user provided pointer to the user defined SA data structure. + +According to RFC4301 each SA can be uniquely identified by a key +which is either: + + - security parameter index(SPI) + - or SPI and destination IP(DIP) + - or SPI, DIP and source IP(SIP) + +In case of multiple matches, longest matching key will be returned. + +Create/destroy +~~~~~~~~~~~~~~ + +librte_ipsec SAD implementation provides ability to create/destroy SAD tables. + +To create SAD table user has to specify how many entries of each key type is +required and IP protocol type (IPv4/IPv6). +As an example: + + +.. code-block:: c + + struct rte_ipsec_sad *sad; + struct rte_ipsec_sad_conf conf; + + conf.socket_id = -1; + conf.max_sa[RTE_IPSEC_SAD_SPI_ONLY] = some_nb_rules_spi_only; + conf.max_sa[RTE_IPSEC_SAD_SPI_DIP] = some_nb_rules_spi_dip; + conf.max_sa[RTE_IPSEC_SAD_SPI_DIP_SIP] = some_nb_rules_spi_dip_sip; + conf.flags = RTE_IPSEC_SAD_FLAG_RW_CONCURRENCY; + + sad = rte_ipsec_sad_create("test", &conf); + +.. note:: + + for more information please refer to ipsec library API reference + +Add/delete rules +~~~~~~~~~~~~~~~~ + +Library also provides methods to add or delete key/value pairs from the SAD. +To add user has to specify key, key type and a value which is an opaque pointer to SA. +The key type reflects a set of tuple fields that will be used for lookup of the SA. +As mentioned above there are 3 types of a key and the representation of a key type is: + +.. code-block:: c + + RTE_IPSEC_SAD_SPI_ONLY, + RTE_IPSEC_SAD_SPI_DIP, + RTE_IPSEC_SAD_SPI_DIP_SIP, + +As an example, to add new entry into the SAD for IPv4 addresses: + +.. code-block:: c + + struct rte_ipsec_sa *sa; + union rte_ipsec_sad_key key; + + key.v4.spi = rte_cpu_to_be_32(spi_val); + if (key_type >= RTE_IPSEC_SAD_SPI_DIP) /* DIP is optional*/ + key.v4.dip = rte_cpu_to_be_32(dip_val); + if (key_type == RTE_IPSEC_SAD_SPI_DIP_SIP) /* SIP is optional*/ + key.v4.sip = rte_cpu_to_be_32(sip_val); + + rte_ipsec_sad_add(sad, &key, key_type, sa); + +.. note:: + + By performance reason it is better to keep spi/dip/sip in net byte order + to eliminate byteswap on lookup + +To delete user has to specify key and key type. + +Delete code would look like: + +.. code-block:: c + + union rte_ipsec_sad_key key; + + key.v4.spi = rte_cpu_to_be_32(necessary_spi); + if (key_type >= RTE_IPSEC_SAD_SPI_DIP) /* DIP is optional*/ + key.v4.dip = rte_cpu_to_be_32(necessary_dip); + if (key_type == RTE_IPSEC_SAD_SPI_DIP_SIP) /* SIP is optional*/ + key.v4.sip = rte_cpu_to_be_32(necessary_sip); + + rte_ipsec_sad_del(sad, &key, key_type); + + +Lookup +~~~~~~ +Library provides lookup by the given {SPI,DIP,SIP} tuple of +inbound ipsec packet as a key. + +The search key is represented by: + +.. code-block:: c + + union rte_ipsec_sad_key { + struct rte_ipsec_sadv4_key v4; + struct rte_ipsec_sadv6_key v6; + }; + +where v4 is a tuple for IPv4: + +.. code-block:: c + + struct rte_ipsec_sadv4_key { + uint32_t spi; + uint32_t dip; + uint32_t sip; + }; + +and v6 is a tuple for IPv6: + +.. code-block:: c + + struct rte_ipsec_sadv6_key { + uint32_t spi; + uint8_t dip[16]; + uint8_t sip[16]; + }; + +As an example, lookup related code could look like that: + +.. code-block:: c + + int i; + union rte_ipsec_sad_key keys[BURST_SZ]; + const union rte_ipsec_sad_key *keys_p[BURST_SZ]; + void *vals[BURST_SZ]; + + for (i = 0; i < BURST_SZ_MAX; i++) { + keys[i].v4.spi = esp_hdr[i]->spi; + keys[i].v4.dip = ipv4_hdr[i]->dst_addr; + keys[i].v4.sip = ipv4_hdr[i]->src_addr; + keys_p[i] = &keys[i]; + } + rte_ipsec_sad_lookup(sad, keys_p, vals, BURST_SZ); + + for (i = 0; i < BURST_SZ_MAX; i++) { + if (vals[i] == NULL) + printf("SA not found for key index %d\n", i); + else + printf("SA pointer is %p\n", vals[i]); + } + Supported features ------------------