[dpdk-dev] [PATCH v3 9/9] doc: update ipsec sample guide

2016-06-09 Thread Mcnamara, John
> -----Original Message-----
> From: Gonzalez Monroy, Sergio
> Sent: Thursday, June 9, 2016 9:43 AM
> To: dev at dpdk.org
> Cc: De Lara Guarch, Pablo ; Mcnamara, John
> 
> Subject: [PATCH v3 9/9] doc: update ipsec sample guide
> 
> Signed-off-by: Sergio Gonzalez Monroy 
>
> ...
>
>  Configurations
>  --
> 
>  The following sections provide some details on the default values used to
>  initialize the SP, SA and Routing tables.
> -Currently all the configuration is hard coded into the application.
> +Currently all configuration information is hard coded into the
> application.
> +
> +The following image illustrate a few of the concepts regarding IPSec,
> such
> +as protected/unprotected and inbound/outbound traffic, from the point of
> +view of two back-to-back endpoints:
> +
> +.. _figure_ipsec_endpoints:
> +
> +.. figure:: img/ipsec_endpoints.svg
> +
> +   IPSec Inbound/Outbound traffic
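Review bot: The added sentence "The following image illustrate a few of the concepts regarding IPSec" has a verb agreement error; it should read "illustrates". In the same sentence and in the figure caption "IPSec Inbound/Outbound traffic", the protocol name is spelled "IPSec", while the rest of ipsec_secgw.rst in this patch uses "IPsec" (for example "The Path for IPsec Inbound traffic is:"). Suggest using "IPsec" in both places so the guide is consistent.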

Hi,

This file throws an error with make doc-guides-pdf.

The image needs to be specified as "img/ipsec_endpoints.*" (now .svg) to 
allow it to be converted from svg to pdf.

With this fix the build works.

John



[dpdk-dev] [PATCH v3 9/9] doc: update ipsec sample guide

2016-06-09 Thread Sergio Gonzalez Monroy
Signed-off-by: Sergio Gonzalez Monroy 
---
 doc/guides/sample_app_ug/img/ipsec_endpoints.svg | 850 +
 doc/guides/sample_app_ug/ipsec_secgw.rst | 910 ++-
 2 files changed, 1400 insertions(+), 360 deletions(-)
 create mode 100644 doc/guides/sample_app_ug/img/ipsec_endpoints.svg

diff --git a/doc/guides/sample_app_ug/img/ipsec_endpoints.svg 
b/doc/guides/sample_app_ug/img/ipsec_endpoints.svg
new file mode 100644
index 000..e4aba4c
--- /dev/null
+++ b/doc/guides/sample_app_ug/img/ipsec_endpoints.svg
@@ -0,0 +1,850 @@
+
+
+
+http://www.openswatchbook.org/uri/2009/osb;
+   xmlns:dc="http://purl.org/dc/elements/1.1/;
+   xmlns:cc="http://creativecommons.org/ns#;
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#;
+   xmlns:svg="http://www.w3.org/2000/svg;
+   xmlns="http://www.w3.org/2000/svg;
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd;
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape;
+   width="155.68507mm"
+   height="76.061203mm"
+   viewBox="0 0 551.64003 269.50821"
+   id="svg2"
+   version="1.1"
+   inkscape:version="0.91 r13725"
+   sodipodi:docname="endpoints.svg">
+  
+
+  
+
+
+  
+
+
+  
+
+
+  
+
+
+  
+
+
+  
+
+
+  
+  
+
+
+  
+
+
+  
+
+
+  
+
+
+  
+
+
+  
+
+
+  
+
+
+  
+
+
+  
+
+
+  
+
+
+
+
+
+
+  
+
+
+  
+
+
+  
+
+
+  
+
+
+  
+
+
+  
+
+
+  
+
+
+  
+
+
+  
+
+
+  
+
+
+  
+
+
+  
+
+
+  
+
+  
+  
+  
+
+  
+image/svg+xml
+http://purl.org/dc/dcmitype/StillImage; />
+
+  
+
+  
+  
+
+
+
+
+ep0
+ep1
+traffic gen
+traffic gen
+
+
+
+
+
+2
+3
+2
+3
+0
+1
+
+0
+1
+
+UNPROTECTEDcipher-text
+PROTECTEDclear-text
+
+
+outbound
+inbound
+
+
+
+
+
+
+  
+
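Review bot: The header of the new SVG still carries Inkscape editor metadata: the sodipodi and inkscape namespace declarations, inkscape:version="0.91 r13725", and sodipodi:docname="endpoints.svg", which does not match the committed file name ipsec_endpoints.svg. Consider saving the image as plain SVG before committing, so the editor-only attributes are dropped and the stale docname does not end up in the tree; that should also reduce the size of an 850-line file that reviewers cannot meaningfully read as a diff.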
diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst 
b/doc/guides/sample_app_ug/ipsec_secgw.rst
index c11c7e7..66dd326 100644
--- a/doc/guides/sample_app_ug/ipsec_secgw.rst
+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
@@ -38,165 +38,171 @@ Overview
 

 The application demonstrates the implementation of a Security Gateway
-(not IPsec compliant, see Constraints bellow) using DPDK based on RFC4301,
+(not IPsec compliant, see the Constraints section below) using DPDK based on 
RFC4301,
 RFC4303, RFC3602 and RFC2404.

 Internet Key Exchange (IKE) is not implemented, so only manual setting of
 Security Policies and Security Associations is supported.

 The Security Policies (SP) are implemented as ACL rules, the Security
-Associations (SA) are stored in a table and the Routing is implemented
+Associations (SA) are stored in a table and the routing is implemented
 using LPM.

-The application classify the ports between Protected and Unprotected.
-Thus, traffic received in an Unprotected or Protected port is consider
+The application classifies the ports as *Protected* and *Unprotected*.
+Thus, traffic received on an Unprotected or Protected port is consider
 Inbound or Outbound respectively.

-Path for IPsec Inbound traffic:
+The Path for IPsec Inbound traffic is:

-*  Read packets from the port
+*  Read packets from the port.
 *  Classify packets between IPv4 and ESP.
-*  Inbound SA lookup for ESP packets based on their SPI
-*  Verification/Decryption
-*  Removal of ESP and outer IP header
-*  Inbound SP check using ACL of decrypted packets and any other IPv4 packet
-   we read.
-*  Routing
-*  Write packet to port
-
-Path for IPsec Outbound traffic:
-
-*  Read packets from the port
-*  Outbound SP check using ACL of all IPv4 traffic
-*  Outbound SA lookup for packets that need IPsec protection
-*  Add ESP and outer IP header
-*  Encryption/Digest
-*  Routing
-*  Write packet to port
+*  Perform Inbound SA lookup for ESP packets based on their SPI.
+*  Perform Verification/Decryption.
+*  Remove ESP and outer IP header
+*  Inbound SP check using ACL of decrypted packets and any other IPv4 packets.
+*  Routing.
+*  Write packet to port.
+
+The Path for the IPsec Outbound traffic is:
+
+*  Read packets from the port.
+*  Perform Outbound SP check using ACL of all IPv4 traffic.
+*  Perform Outbound SA lookup for packets that need IPsec protection.
+*  Add ESP and outer IP header.
+*  Perform Encryption/Digest.
+*  Routing.
+*  Write packet to port.
+

 Constraints
 ---
-*  IPv4 traffic
-*  ESP tunnel mode
-*  EAS-CBC, HMAC-SHA1 and NULL
-*  Each SA must be handle by a unique lcore (1 RX queue per port)
-*  No chained mbufs
+
+*  No IPv6 options headers.
+*  No AH mode.
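Review bot: The reworded line "Thus, traffic received on an Unprotected or Protected port is consider" still has the wrong verb form; it should read "is considered Inbound or Outbound respectively". In the inbound path list, "Remove ESP and outer IP header" is the only rewritten item left without a trailing period, and "Inbound SP check using ACL of decrypted packets ..." and "Routing." were not converted to the imperative form that the other items now use ("Perform ...", "Add ..."). The two list lead-ins also differ ("The Path for IPsec Inbound traffic is:" versus "The Path for the IPsec Outbound traffic is:") and capitalise "Path" mid-sentence; make them parallel.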