subject:"\[dpdk\-users\] IPsec offload"

Re: [dpdk-users] IPsec offload

2017-11-08 Thread De Lara Guarch, Pablo



> -Original Message-
> From: Avi Cohen (A) [mailto:avi.co...@huawei.com]
> Sent: Wednesday, November 8, 2017 12:40 PM
> To: De Lara Guarch, Pablo ; Thomas
> Monjalon 
> Cc: users@dpdk.org; ol...@mellanox.com
> Subject: RE: [dpdk-users] IPsec offload
> 
> >
> > Even though Thomas is the DPDK main tree maintainer and that has a
> > vast knowledge of it :), Don't expect him to know about what an Intel NIC
> supports.
> >
> > You are looking at two different things here. QAT driver works on the
> > QAT devices mentioned above.
> > But you are looking for inline crypto capability in NIC devices, there
> > is no reference in our documentation yet.
> > We will add that shortly.
> >
> [Avi Cohen (A)]
> Thank you Pablo
> How can I be notified when updated ?

There will be a patch sent to the developers mailing list, which should make 
the 17.11 release.

Pablo

> Regards,
> Avi
>

Re: [dpdk-users] IPsec offload

2017-11-08 Thread Avi Cohen (A)

> 
> Even though Thomas is the DPDK main tree maintainer and that has a vast
> knowledge of it :), Don't expect him to know about what an Intel NIC supports.
> 
> You are looking at two different things here. QAT driver works on the QAT
> devices mentioned above.
> But you are looking for inline crypto capability in NIC devices, there is no
> reference in our documentation yet.
> We will add that shortly.
> 
[Avi Cohen (A)] 
Thank you Pablo
How can I be notified when updated ?
Regards,
Avi

Re: [dpdk-users] IPsec offload

2017-11-08 Thread De Lara Guarch, Pablo

Hi Avid,

> -Original Message-
> From: Avi Cohen (A) [mailto:avi.co...@huawei.com]
> Sent: Wednesday, November 8, 2017 11:50 AM
> To: Thomas Monjalon ; De Lara Guarch, Pablo
> 
> Cc: users@dpdk.org; ol...@mellanox.com
> Subject: RE: [dpdk-users] IPsec offload
> 
> Hi Thomas
> 
> 
> > 06/11/2017 11:25, Avi Cohen (A):
> > > Thank you Thomas
> > > Is this was tested on a specific HW e.g.  Mellanox Innova  / other ?
> >
> > Mellanox hardware will probably be supported in 18.02.
> > There are some experimental support for NXP DPAA2 and Intel ixgbe in
> > DPDK 17.11.
> [Avi Cohen (A)]
> The Intel x540-AT2 is using the ixgbe driver According to
> http://dpdk.org/doc/guides/cryptodevs/qat.html
> The QAT crypto driver which spports encryption in HW  supports the
> following Intel devices:
> - Intel QuickAssist Technology DH895xCC
> - Intel QuickAssist Technology C62x
> - Intel QuickAssist Technology C3xxx
> - Intel QuickAssist Technology D15xx
> 
> Do you know if the x540-AT2 NIC is also supported ?

Even though Thomas is the DPDK main tree maintainer and that has a vast 
knowledge of it :),
Don't expect him to know about what an Intel NIC supports.

You are looking at two different things here. QAT driver works on the QAT 
devices mentioned above.
But you are looking for inline crypto capability in NIC devices, there is no 
reference in our documentation yet.
We will add that shortly.

Thanks,
Pablo

> Regards,
> Avi
>

Re: [dpdk-users] IPsec offload

2017-11-08 Thread De Lara Guarch, Pablo



> -Original Message-
> From: Avi Cohen (A) [mailto:avi.co...@huawei.com]
> Sent: Wednesday, November 8, 2017 11:40 AM
> To: De Lara Guarch, Pablo ; Thomas
> Monjalon 
> Cc: users@dpdk.org; ol...@mellanox.com
> Subject: RE: [dpdk-users] IPsec offload
> 
> Hi Pablo
> So according the crypto device matrices  here
> http://dpdk.org/doc/guides/cryptodevs/overview.html
> For encryption HW acceleration I need to use one of these:  DPAA2 ,DPAA
> or QUT  - is that correct ?

Yes, those are the HW accelerators currently supported.


> Regards
> Avi
> > -Original Message-
> > From: De Lara Guarch, Pablo [mailto:pablo.de.lara.gua...@intel.com]
> > Sent: Wednesday, 08 November, 2017 1:17 PM
> > To: Avi Cohen (A); Thomas Monjalon
> > Cc: users@dpdk.org; ol...@mellanox.com
> > Subject: RE: [dpdk-users] IPsec offload
> >
> > Hi Avi,
> >
> > > -Original Message-
> > > From: Avi Cohen (A) [mailto:avi.co...@huawei.com]
> > > Sent: Wednesday, November 8, 2017 10:22 AM
> > > To: De Lara Guarch, Pablo ; Thomas
> > > Monjalon 
> > > Cc: users@dpdk.org; ol...@mellanox.com
> > > Subject: RE: [dpdk-users] IPsec offload
> > >
> > > Pablo
> > > I fixed all issues,  now the app. Is running Just  to clarify one issue:
> > > I meant that my Ethernet device x540 is capable to do IPsec
> > > encryption in HW.
> > > What did you mean "a crypto device (SW or HW)" ?
> >
> > You are talking about inline crypto there then, which I am not very
> familiarized.
> > With crypto device, I mean a lookaside crypto device, such as QAT PMD
> > (example of HW device) or AESNI MB PMD (examples of SW device).
> >
> > Regards,
> > Pablo
> >

Re: [dpdk-users] IPsec offload

2017-11-08 Thread Avi Cohen (A)

Hi Thomas

 
> 06/11/2017 11:25, Avi Cohen (A):
> > Thank you Thomas
> > Is this was tested on a specific HW e.g.  Mellanox Innova  / other ?
> 
> Mellanox hardware will probably be supported in 18.02.
> There are some experimental support for NXP DPAA2 and Intel ixgbe in DPDK
> 17.11.
[Avi Cohen (A)] 
The Intel x540-AT2 is using the ixgbe driver 
According to http://dpdk.org/doc/guides/cryptodevs/qat.html  
The QAT crypto driver which spports encryption in HW  supports the following 
Intel devices:
- Intel QuickAssist Technology DH895xCC
- Intel QuickAssist Technology C62x
- Intel QuickAssist Technology C3xxx
- Intel QuickAssist Technology D15xx

Do you know if the x540-AT2 NIC is also supported ?
Regards,
Avi

Re: [dpdk-users] IPsec offload

2017-11-08 Thread Avi Cohen (A)

Hi Pablo
So according the crypto device matrices  here 
http://dpdk.org/doc/guides/cryptodevs/overview.html
For encryption HW acceleration I need to use one of these:  DPAA2 ,DPAA  or QUT 
 - is that correct ?
Regards
Avi
> -Original Message-
> From: De Lara Guarch, Pablo [mailto:pablo.de.lara.gua...@intel.com]
> Sent: Wednesday, 08 November, 2017 1:17 PM
> To: Avi Cohen (A); Thomas Monjalon
> Cc: users@dpdk.org; ol...@mellanox.com
> Subject: RE: [dpdk-users] IPsec offload
> 
> Hi Avi,
> 
> > -Original Message-
> > From: Avi Cohen (A) [mailto:avi.co...@huawei.com]
> > Sent: Wednesday, November 8, 2017 10:22 AM
> > To: De Lara Guarch, Pablo ; Thomas
> > Monjalon 
> > Cc: users@dpdk.org; ol...@mellanox.com
> > Subject: RE: [dpdk-users] IPsec offload
> >
> > Pablo
> > I fixed all issues,  now the app. Is running Just  to clarify one issue:
> > I meant that my Ethernet device x540 is capable to do IPsec encryption
> > in HW.
> > What did you mean "a crypto device (SW or HW)" ?
> 
> You are talking about inline crypto there then, which I am not very 
> familiarized.
> With crypto device, I mean a lookaside crypto device, such as QAT PMD
> (example of HW device) or AESNI MB PMD (examples of SW device).
> 
> Regards,
> Pablo
>

Re: [dpdk-users] IPsec offload

2017-11-08 Thread De Lara Guarch, Pablo

Hi Avi,

> -Original Message-
> From: Avi Cohen (A) [mailto:avi.co...@huawei.com]
> Sent: Wednesday, November 8, 2017 10:22 AM
> To: De Lara Guarch, Pablo ; Thomas
> Monjalon 
> Cc: users@dpdk.org; ol...@mellanox.com
> Subject: RE: [dpdk-users] IPsec offload
> 
> Pablo
> I fixed all issues,  now the app. Is running Just  to clarify one issue:
> I meant that my Ethernet device x540 is capable to do IPsec encryption in
> HW.
> What did you mean "a crypto device (SW or HW)" ?

You are talking about inline crypto there then, which I am not very 
familiarized.
With crypto device, I mean a lookaside crypto device, such as QAT PMD (example 
of HW device)
or AESNI MB PMD (examples of SW device).

Regards,
Pablo

> Regards,
> Avi
> 
> > -Original Message-
> > From: Avi Cohen (A)
> > Sent: Wednesday, 08 November, 2017 11:21 AM
> > To: 'De Lara Guarch, Pablo'; 'Thomas Monjalon'
> > Cc: 'users@dpdk.org'; 'ol...@mellanox.com'
> > Subject: RE: [dpdk-users] IPsec offload
> >
> > Hi Pablo,
> >
> >  > 1 - Double check you are using the latest IPSec library (0.47) and
> > > that you are linking against it (just follow the documentation).
> >  > 2 - That's a network device, not a crypto device.
> >  [Avi Cohen (A)]
> > 1.  I meant that my Ethernet device x540 is capable to do IPsec
> > encryption in HW.
> >  What did you mean "a crypto device (SW or HW)" ?
> >
> > 2. I  also I enable the IESNI_GCM_PMD according the
> > http://dpdk.org/doc/guides/cryptodevs/aesni_gcm.html ,   but still
> receive this
> > error in init  (: unrecognized input "sa")
> >
> >
> > ./ipsec-secgw -l 20,21 -n 4  --vdev "crypto_aesni_gcm" -- -p 0xf -P -u
> > 0x3 -- config="(0,0,20),(1,0,20),(2,0,21),(3,0,21)" -f ep-sample.cfg
> >
> > EAL: Detected 24 lcore(s)
> > EAL: 16 hugepages of size 1073741824 reserved, but no mounted
> > hugetlbfs found for that size
> > EAL: Probing VFIO support...
> > EAL: PCI device :01:00.0 on NUMA socket 0
> > EAL:   probe driver: 8086:1528 net_ixgbe
> > EAL: PCI device :01:00.1 on NUMA socket 0
> > EAL:   probe driver: 8086:1528 net_ixgbe
> > EAL: PCI device :04:00.0 on NUMA socket 0
> > EAL:   probe driver: 8086:1528 net_ixgbe
> > EAL: PCI device :04:00.1 on NUMA socket 0
> > EAL:   probe driver: 8086:1528 net_ixgbe
> > EAL: PCI device :08:00.0 on NUMA socket 0
> > EAL:   probe driver: 8086:1521 net_e1000_igb
> > EAL: PCI device :08:00.1 on NUMA socket 0
> > EAL:   probe driver: 8086:1521 net_e1000_igb
> > CRYPTODEV: [crypto_aesni_gcm] - Creating cryptodev crypto_aesni_gcm
> >
> > CRYPTODEV: [crypto_aesni_gcm] - Initialisation parameters - name:
> > crypto_aesni_gcm,socket id: 0, max queue pairs: 8, max sessions: 2048
> > Promiscuous mode selected PANIC in parse_cfg_file():
> > ep-sample.cfg:1: error: unrecognized input "sa"
> > 6: [./ipsec-secgw(_start+0x29) [0x44a0f9]]
> > 5: [/lib64/libc.so.6(__libc_start_main+0xf1) [0x7fe3cd492731]]
> > 4: [./ipsec-secgw(main+0xdd) [0x445d2d]]
> > 3: [./ipsec-secgw(parse_cfg_file+0x3d0) [0x44b180]]
> > 2: [./ipsec-secgw(__rte_panic+0xb8) [0x440d83]]
> > 1: [./ipsec-secgw(rte_dump_stack+0x16) [0x4b5876]]
> >
> > Regards
> >  Avi
> >

Re: [dpdk-users] IPsec offload

2017-11-08 Thread Avi Cohen (A)

Pablo
I fixed all issues,  now the app. Is running 
Just  to clarify one issue:
I meant that my Ethernet device x540 is capable to do IPsec encryption in HW.
What did you mean "a crypto device (SW or HW)" ?
Regards,
Avi

> -Original Message-
> From: Avi Cohen (A)
> Sent: Wednesday, 08 November, 2017 11:21 AM
> To: 'De Lara Guarch, Pablo'; 'Thomas Monjalon'
> Cc: 'users@dpdk.org'; 'ol...@mellanox.com'
> Subject: RE: [dpdk-users] IPsec offload
> 
> Hi Pablo,
> 
>  > 1 - Double check you are using the latest IPSec library (0.47) and  > that 
> you
> are linking against it (just follow the documentation).
>  > 2 - That's a network device, not a crypto device.
>  [Avi Cohen (A)]
> 1.  I meant that my Ethernet device x540 is capable to do IPsec encryption in
> HW.
>  What did you mean "a crypto device (SW or HW)" ?
> 
> 2. I  also I enable the IESNI_GCM_PMD according the
> http://dpdk.org/doc/guides/cryptodevs/aesni_gcm.html ,   but still receive 
> this
> error in init  (: unrecognized input "sa")
> 
> 
> ./ipsec-secgw -l 20,21 -n 4  --vdev "crypto_aesni_gcm" -- -p 0xf -P -u 0x3 --
> config="(0,0,20),(1,0,20),(2,0,21),(3,0,21)" -f ep-sample.cfg
> 
> EAL: Detected 24 lcore(s)
> EAL: 16 hugepages of size 1073741824 reserved, but no mounted hugetlbfs
> found for that size
> EAL: Probing VFIO support...
> EAL: PCI device :01:00.0 on NUMA socket 0
> EAL:   probe driver: 8086:1528 net_ixgbe
> EAL: PCI device :01:00.1 on NUMA socket 0
> EAL:   probe driver: 8086:1528 net_ixgbe
> EAL: PCI device :04:00.0 on NUMA socket 0
> EAL:   probe driver: 8086:1528 net_ixgbe
> EAL: PCI device :04:00.1 on NUMA socket 0
> EAL:   probe driver: 8086:1528 net_ixgbe
> EAL: PCI device :08:00.0 on NUMA socket 0
> EAL:   probe driver: 8086:1521 net_e1000_igb
> EAL: PCI device :08:00.1 on NUMA socket 0
> EAL:   probe driver: 8086:1521 net_e1000_igb
> CRYPTODEV: [crypto_aesni_gcm] - Creating cryptodev crypto_aesni_gcm
> 
> CRYPTODEV: [crypto_aesni_gcm] - Initialisation parameters - name:
> crypto_aesni_gcm,socket id: 0, max queue pairs: 8, max sessions: 2048
> Promiscuous mode selected PANIC in parse_cfg_file():
> ep-sample.cfg:1: error: unrecognized input "sa"
> 6: [./ipsec-secgw(_start+0x29) [0x44a0f9]]
> 5: [/lib64/libc.so.6(__libc_start_main+0xf1) [0x7fe3cd492731]]
> 4: [./ipsec-secgw(main+0xdd) [0x445d2d]]
> 3: [./ipsec-secgw(parse_cfg_file+0x3d0) [0x44b180]]
> 2: [./ipsec-secgw(__rte_panic+0xb8) [0x440d83]]
> 1: [./ipsec-secgw(rte_dump_stack+0x16) [0x4b5876]]
> 
> Regards
>  Avi
>

Re: [dpdk-users] IPsec offload

2017-11-08 Thread Avi Cohen (A)

Hi Pablo,

 > 1 - Double check you are using the latest IPSec library (0.47) and
 > that you are linking against it (just follow the documentation).
 > 2 - That's a network device, not a crypto device.
 [Avi Cohen (A)]
1.  I meant that my Ethernet device x540 is capable to do IPsec encryption in 
HW.
 What did you mean "a crypto device (SW or HW)" ?

2. I  also I enable the IESNI_GCM_PMD according the 
http://dpdk.org/doc/guides/cryptodevs/aesni_gcm.html ,   but still receive this 
error in init  (: unrecognized input "sa")


./ipsec-secgw -l 20,21 -n 4  --vdev "crypto_aesni_gcm" -- -p 0xf -P -u 0x3 
--config="(0,0,20),(1,0,20),(2,0,21),(3,0,21)" -f ep-sample.cfg

EAL: Detected 24 lcore(s)
EAL: 16 hugepages of size 1073741824 reserved, but no mounted hugetlbfs found 
for that size
EAL: Probing VFIO support...
EAL: PCI device :01:00.0 on NUMA socket 0
EAL:   probe driver: 8086:1528 net_ixgbe
EAL: PCI device :01:00.1 on NUMA socket 0
EAL:   probe driver: 8086:1528 net_ixgbe
EAL: PCI device :04:00.0 on NUMA socket 0
EAL:   probe driver: 8086:1528 net_ixgbe
EAL: PCI device :04:00.1 on NUMA socket 0
EAL:   probe driver: 8086:1528 net_ixgbe
EAL: PCI device :08:00.0 on NUMA socket 0
EAL:   probe driver: 8086:1521 net_e1000_igb
EAL: PCI device :08:00.1 on NUMA socket 0
EAL:   probe driver: 8086:1521 net_e1000_igb
CRYPTODEV: [crypto_aesni_gcm] - Creating cryptodev crypto_aesni_gcm

CRYPTODEV: [crypto_aesni_gcm] - Initialisation parameters - name: 
crypto_aesni_gcm,socket id: 0, max queue pairs: 8, max sessions: 2048
Promiscuous mode selected
PANIC in parse_cfg_file():
ep-sample.cfg:1: error: unrecognized input "sa"
6: [./ipsec-secgw(_start+0x29) [0x44a0f9]]
5: [/lib64/libc.so.6(__libc_start_main+0xf1) [0x7fe3cd492731]]
4: [./ipsec-secgw(main+0xdd) [0x445d2d]]
3: [./ipsec-secgw(parse_cfg_file+0x3d0) [0x44b180]]
2: [./ipsec-secgw(__rte_panic+0xb8) [0x440d83]]
1: [./ipsec-secgw(rte_dump_stack+0x16) [0x4b5876]]
 
Regards
 Avi

Re: [dpdk-users] IPsec offload

2017-11-08 Thread Avi Cohen (A)

Hi Pablo
> > Thank you Pablo
> > 1. Now I have multiple build errors 'undeclared here' when building
> > dpdk for example aes_gcm_enc_128_sse . I'm trying to find where these
> > are declared 2. Regarding the crypto-device - I have Intel x540-AT2
> > Nic Regards Avi
> 
> 1 - Double check you are using the latest IPSec library (0.47) and that you 
> are
> linking against it (just follow the documentation).
> 2 - That's a network device, not a crypto device.
[Avi Cohen (A)] 
I meant that my Ethernet device x540 is capable to do IPsec encryption in HW.   
 
What did you mean "a crypto device (SW or HW)" ?
Regards
Avi
> 
> Pablo

Re: [dpdk-users] IPsec offload

2017-11-07 Thread De Lara Guarch, Pablo

Hi Avi,

> -Original Message-
> From: Avi Cohen (A) [mailto:avi.co...@huawei.com]
> Sent: Tuesday, November 7, 2017 1:36 PM
> To: De Lara Guarch, Pablo ; Thomas
> Monjalon 
> Cc: users@dpdk.org; ol...@mellanox.com
> Subject: RE: [dpdk-users] IPsec offload
> 
> Thank you Pablo
> 1. Now I have multiple build errors 'undeclared here' when building dpdk
> for example aes_gcm_enc_128_sse . I'm trying to find where these are
> declared 2. Regarding the crypto-device - I have Intel x540-AT2 Nic Regards
> Avi

1 - Double check you are using the latest IPSec library (0.47) and that
you are linking against it (just follow the documentation).
2 - That's a network device, not a crypto device.

Pablo

Re: [dpdk-users] IPsec offload

2017-11-07 Thread Avi Cohen (A)

Thank you Pablo
1. Now I have multiple build errors 'undeclared here' when building dpdk for 
example aes_gcm_enc_128_sse . I'm trying to find where these are declared
2. Regarding the crypto-device - I have Intel x540-AT2 Nic
Regards
Avi

> -Original Message-
> From: De Lara Guarch, Pablo [mailto:pablo.de.lara.gua...@intel.com]
> Sent: Tuesday, 07 November, 2017 1:24 PM
> To: Avi Cohen (A); Thomas Monjalon
> Cc: users@dpdk.org; ol...@mellanox.com
> Subject: RE: [dpdk-users] IPsec offload
> 
> Hi Avi,
> 
> > -Original Message-
> > From: Avi Cohen (A) [mailto:avi.co...@huawei.com]
> > Sent: Tuesday, November 7, 2017 8:55 AM
> > To: De Lara Guarch, Pablo ; Thomas
> > Monjalon 
> > Cc: users@dpdk.org; ol...@mellanox.com
> > Subject: RE: [dpdk-users] IPsec offload
> >
> >
> > > > Thank you Pablo
> > > > Can you supply an example command line to run the ipsec-secgw ?
> > >
> > > ./examples/ipsec-secgw/build/ipsec-secgw -l 10,11 -n 4 --
> > > vdev="crypto_aesni_gcm0" /
> > > -- -p 0x1 -P --config="(0,0,10)" -f ep-sample.cfg
> > >
> > > Where ep-sample.cfg contains:
> > >
> > > sp ipv4 out esp protect 0010 pri 1 dst 001.0.0.0/24 sport 0:65535
> > > dport 0:65535 sa out 0010 aead_algo aes-128-gcm aead_key
> > de:ad:be:ef:de:ad:be:ef:de:ad:be:
> > > ef:de:ad:be:ef:de:ad:be:ef mode ipv4-tunnel src 20.0.0.0 dst
> > > 21.0.0.0 rt ipv4 dst
> > > 21.0.0.0/8 port 0
> > >
> > [Avi Cohen (A)]
> >
> > When running it almost all parameters from the config file starting from "
> > sa out 0010"  are not recognized by the application Do I have to
> > create any additional objects before running it ? I don't see it in the
> documentation .
> > I want to run IPsec offload over ethernet port Best Regards Avi
> 
> You need to make sure that you have a crypto device (SW or HW) that support
> the algorithms set in the sa lines.
> For instance, the "SA line" above is using AES-GCM, so you could use the AESNI
> GCM PMD, with the command line above (using --vdev).
> 
> Regards,
> Pablo

Re: [dpdk-users] IPsec offload

2017-11-07 Thread De Lara Guarch, Pablo

Hi Avi,

> -Original Message-
> From: Avi Cohen (A) [mailto:avi.co...@huawei.com]
> Sent: Tuesday, November 7, 2017 8:55 AM
> To: De Lara Guarch, Pablo ; Thomas
> Monjalon 
> Cc: users@dpdk.org; ol...@mellanox.com
> Subject: RE: [dpdk-users] IPsec offload
> 
> 
> > > Thank you Pablo
> > > Can you supply an example command line to run the ipsec-secgw ?
> >
> > ./examples/ipsec-secgw/build/ipsec-secgw -l 10,11 -n 4 --
> > vdev="crypto_aesni_gcm0" /
> > -- -p 0x1 -P --config="(0,0,10)" -f ep-sample.cfg
> >
> > Where ep-sample.cfg contains:
> >
> > sp ipv4 out esp protect 0010 pri 1 dst 001.0.0.0/24 sport 0:65535
> > dport 0:65535 sa out 0010 aead_algo aes-128-gcm aead_key
> de:ad:be:ef:de:ad:be:ef:de:ad:be:
> > ef:de:ad:be:ef:de:ad:be:ef mode ipv4-tunnel src 20.0.0.0 dst 21.0.0.0
> > rt ipv4 dst
> > 21.0.0.0/8 port 0
> >
> [Avi Cohen (A)]
> 
> When running it almost all parameters from the config file starting from "
> sa out 0010"  are not recognized by the application Do I have to create any
> additional objects before running it ? I don't see it in the documentation .
> I want to run IPsec offload over ethernet port Best Regards Avi

You need to make sure that you have a crypto device (SW or HW) that support
the algorithms set in the sa lines.
For instance, the "SA line" above is using AES-GCM, so you could use the AESNI 
GCM PMD,
with the command line above (using --vdev).

Regards,
Pablo

Re: [dpdk-users] IPsec offload

2017-11-07 Thread De Lara Guarch, Pablo

Hi Avi,

> -Original Message-
> From: Avi Cohen (A) [mailto:avi.co...@huawei.com]
> Sent: Tuesday, November 7, 2017 9:49 AM
> To: De Lara Guarch, Pablo ; Thomas
> Monjalon 
> Cc: users@dpdk.org; ol...@mellanox.com
> Subject: RE: [dpdk-users] IPsec offload
> 
> Hi Pablo
> When running - I get "Unable to parse device 'crypto_aesni_gcm0' (then the
> app. Exit) Regards, Avi

That's probably because you haven't enabled the AESNI_GCM PMD.
Take a look at the documentation:

http://dpdk.org/doc/guides/cryptodevs/aesni_gcm.html

Pablo

Re: [dpdk-users] IPsec offload

2017-11-07 Thread Avi Cohen (A)

Hi Pablo
When running - I get "Unable to parse device 'crypto_aesni_gcm0' (then the app. 
Exit) 
Regards,
Avi

> -Original Message-
> From: De Lara Guarch, Pablo [mailto:pablo.de.lara.gua...@intel.com]
> Sent: Tuesday, 07 November, 2017 11:43 AM
> To: Avi Cohen (A); Thomas Monjalon
> Cc: users@dpdk.org; ol...@mellanox.com
> Subject: RE: [dpdk-users] IPsec offload
> 
> Hi Avi,
> 
> > -Original Message-
> > From: Avi Cohen (A) [mailto:avi.co...@huawei.com]
> > Sent: Monday, November 6, 2017 5:16 PM
> > To: De Lara Guarch, Pablo ; Thomas
> > Monjalon 
> > Cc: users@dpdk.org; ol...@mellanox.com
> > Subject: RE: [dpdk-users] IPsec offload
> >
> > Pablo
> > This cmd-line is for a crypto-device - correct ?
> > What is the cmd-line for Ethernet device ?  (I already bound this
> > Ethernet device to dpdk) Regards Avi
> 
> That command line is initializing a software-based crypto device.
> It assumes that you have one physical Ethernet device (it will use it due to 
> the -
> p and --config options).
> 
> Pablo
> 
> >
> > > -Original Message-
> > > From: De Lara Guarch, Pablo [mailto:pablo.de.lara.gua...@intel.com]
> > > Sent: Monday, 06 November, 2017 6:48 PM
> > > To: Avi Cohen (A); Thomas Monjalon
> > > Cc: users@dpdk.org; ol...@mellanox.com
> > > Subject: RE: [dpdk-users] IPsec offload
> > >
> > >
> > >
> > > > -Original Message-
> > > > From: Avi Cohen (A) [mailto:avi.co...@huawei.com]
> > > > Sent: Monday, November 6, 2017 4:42 PM
> > > > To: De Lara Guarch, Pablo ; Thomas
> > > > Monjalon 
> > > > Cc: users@dpdk.org; ol...@mellanox.com
> > > > Subject: RE: [dpdk-users] IPsec offload
> > > >
> > > > Thank you Pablo
> > > > Can you supply an example command line to run the ipsec-secgw ?
> > >
> > > ./examples/ipsec-secgw/build/ipsec-secgw -l 10,11 -n 4 --
> > > vdev="crypto_aesni_gcm0" /
> > > -- -p 0x1 -P --config="(0,0,10)" -f ep-sample.cfg
> > >
> > > Where ep-sample.cfg contains:
> > >
> > > sp ipv4 out esp protect 0010 pri 1 dst 001.0.0.0/24 sport 0:65535
> > > dport 0:65535 sa out 0010 aead_algo aes-128-gcm aead_key
> > de:ad:be:ef:de:ad:be:ef:de:ad:be:
> > > ef:de:ad:be:ef:de:ad:be:ef mode ipv4-tunnel src 20.0.0.0 dst
> > > 21.0.0.0 rt ipv4 dst
> > > 21.0.0.0/8 port 0
> > >
> > >
> > > > Regards
> > > > Avi
> > > >
> > > > > -Original Message-
> > > > > From: De Lara Guarch, Pablo
> > > > > [mailto:pablo.de.lara.gua...@intel.com]
> > > > > Sent: Monday, 06 November, 2017 6:37 PM
> > > > > To: Avi Cohen (A); Thomas Monjalon
> > > > > Cc: users@dpdk.org; ol...@mellanox.com
> > > > > Subject: RE: [dpdk-users] IPsec offload
> > > > >
> > > > > Hi Avi,
> > > > >
> > > > >
> > > > > > -Original Message-
> > > > > > From: users [mailto:users-boun...@dpdk.org] On Behalf Of Avi
> > > > > > Cohen
> > > > > > (A)
> > > > > > Sent: Monday, November 6, 2017 3:53 PM
> > > > > > To: Thomas Monjalon 
> > > > > > Cc: users@dpdk.org; ol...@mellanox.com
> > > > > > Subject: Re: [dpdk-users] IPsec offload
> > > > > >
> > > > > > Thank you Thomas
> > > > > > When I run the ipsec-secgw sample app. The program is exiting
> > > > > > with error 'Mandatory option "-f" not present'
> > > > > > What is this option ? config file ?
> > > > >
> > > > > Yes, that's a configuration file, like the one that you can find
> > > > > in ep0.cfg or ep1.cfg.
> > > > >
> > > > > Pablo

Re: [dpdk-users] IPsec offload

2017-11-07 Thread De Lara Guarch, Pablo

Hi Avi,

> -Original Message-
> From: Avi Cohen (A) [mailto:avi.co...@huawei.com]
> Sent: Monday, November 6, 2017 5:16 PM
> To: De Lara Guarch, Pablo ; Thomas
> Monjalon 
> Cc: users@dpdk.org; ol...@mellanox.com
> Subject: RE: [dpdk-users] IPsec offload
> 
> Pablo
> This cmd-line is for a crypto-device - correct ?
> What is the cmd-line for Ethernet device ?  (I already bound this Ethernet
> device to dpdk) Regards Avi

That command line is initializing a software-based crypto device.
It assumes that you have one physical Ethernet device (it will use it due to 
the -p and --config options).

Pablo

> 
> > -Original Message-
> > From: De Lara Guarch, Pablo [mailto:pablo.de.lara.gua...@intel.com]
> > Sent: Monday, 06 November, 2017 6:48 PM
> > To: Avi Cohen (A); Thomas Monjalon
> > Cc: users@dpdk.org; ol...@mellanox.com
> > Subject: RE: [dpdk-users] IPsec offload
> >
> >
> >
> > > -Original Message-
> > > From: Avi Cohen (A) [mailto:avi.co...@huawei.com]
> > > Sent: Monday, November 6, 2017 4:42 PM
> > > To: De Lara Guarch, Pablo ; Thomas
> > > Monjalon 
> > > Cc: users@dpdk.org; ol...@mellanox.com
> > > Subject: RE: [dpdk-users] IPsec offload
> > >
> > > Thank you Pablo
> > > Can you supply an example command line to run the ipsec-secgw ?
> >
> > ./examples/ipsec-secgw/build/ipsec-secgw -l 10,11 -n 4 --
> > vdev="crypto_aesni_gcm0" /
> > -- -p 0x1 -P --config="(0,0,10)" -f ep-sample.cfg
> >
> > Where ep-sample.cfg contains:
> >
> > sp ipv4 out esp protect 0010 pri 1 dst 001.0.0.0/24 sport 0:65535
> > dport 0:65535 sa out 0010 aead_algo aes-128-gcm aead_key
> de:ad:be:ef:de:ad:be:ef:de:ad:be:
> > ef:de:ad:be:ef:de:ad:be:ef mode ipv4-tunnel src 20.0.0.0 dst 21.0.0.0
> > rt ipv4 dst
> > 21.0.0.0/8 port 0
> >
> >
> > > Regards
> > > Avi
> > >
> > > > -Original Message-
> > > > From: De Lara Guarch, Pablo
> > > > [mailto:pablo.de.lara.gua...@intel.com]
> > > > Sent: Monday, 06 November, 2017 6:37 PM
> > > > To: Avi Cohen (A); Thomas Monjalon
> > > > Cc: users@dpdk.org; ol...@mellanox.com
> > > > Subject: RE: [dpdk-users] IPsec offload
> > > >
> > > > Hi Avi,
> > > >
> > > >
> > > > > -Original Message-
> > > > > From: users [mailto:users-boun...@dpdk.org] On Behalf Of Avi
> > > > > Cohen
> > > > > (A)
> > > > > Sent: Monday, November 6, 2017 3:53 PM
> > > > > To: Thomas Monjalon 
> > > > > Cc: users@dpdk.org; ol...@mellanox.com
> > > > > Subject: Re: [dpdk-users] IPsec offload
> > > > >
> > > > > Thank you Thomas
> > > > > When I run the ipsec-secgw sample app. The program is exiting
> > > > > with error 'Mandatory option "-f" not present'
> > > > > What is this option ? config file ?
> > > >
> > > > Yes, that's a configuration file, like the one that you can find
> > > > in ep0.cfg or ep1.cfg.
> > > >
> > > > Pablo

Re: [dpdk-users] IPsec offload

2017-11-07 Thread Avi Cohen (A)


> > Thank you Pablo
> > Can you supply an example command line to run the ipsec-secgw ?
> 
> ./examples/ipsec-secgw/build/ipsec-secgw -l 10,11 -n 4 --
> vdev="crypto_aesni_gcm0" /
> -- -p 0x1 -P --config="(0,0,10)" -f ep-sample.cfg
> 
> Where ep-sample.cfg contains:
> 
> sp ipv4 out esp protect 0010 pri 1 dst 001.0.0.0/24 sport 0:65535 dport 
> 0:65535
> sa out 0010 aead_algo aes-128-gcm aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:
> ef:de:ad:be:ef:de:ad:be:ef mode ipv4-tunnel src 20.0.0.0 dst 21.0.0.0 rt ipv4 
> dst
> 21.0.0.0/8 port 0
> 
[Avi Cohen (A)] 

When running it almost all parameters from the config file starting from " sa 
out 0010"  are not recognized by the application 
Do I have to create any additional objects before running it ? I don't see it 
in the documentation .
I want to run IPsec offload over ethernet port
Best Regards
Avi

Re: [dpdk-users] IPsec offload

2017-11-06 Thread Avi Cohen (A)

Pablo
This cmd-line is for a crypto-device - correct ? 
What is the cmd-line for Ethernet device ?  (I already bound this Ethernet 
device to dpdk)
Regards
Avi

> -Original Message-
> From: De Lara Guarch, Pablo [mailto:pablo.de.lara.gua...@intel.com]
> Sent: Monday, 06 November, 2017 6:48 PM
> To: Avi Cohen (A); Thomas Monjalon
> Cc: users@dpdk.org; ol...@mellanox.com
> Subject: RE: [dpdk-users] IPsec offload
> 
> 
> 
> > -Original Message-
> > From: Avi Cohen (A) [mailto:avi.co...@huawei.com]
> > Sent: Monday, November 6, 2017 4:42 PM
> > To: De Lara Guarch, Pablo ; Thomas
> > Monjalon 
> > Cc: users@dpdk.org; ol...@mellanox.com
> > Subject: RE: [dpdk-users] IPsec offload
> >
> > Thank you Pablo
> > Can you supply an example command line to run the ipsec-secgw ?
> 
> ./examples/ipsec-secgw/build/ipsec-secgw -l 10,11 -n 4 --
> vdev="crypto_aesni_gcm0" /
> -- -p 0x1 -P --config="(0,0,10)" -f ep-sample.cfg
> 
> Where ep-sample.cfg contains:
> 
> sp ipv4 out esp protect 0010 pri 1 dst 001.0.0.0/24 sport 0:65535 dport 
> 0:65535
> sa out 0010 aead_algo aes-128-gcm aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:
> ef:de:ad:be:ef:de:ad:be:ef mode ipv4-tunnel src 20.0.0.0 dst 21.0.0.0 rt ipv4 
> dst
> 21.0.0.0/8 port 0
> 
> 
> > Regards
> > Avi
> >
> > > -Original Message-
> > > From: De Lara Guarch, Pablo [mailto:pablo.de.lara.gua...@intel.com]
> > > Sent: Monday, 06 November, 2017 6:37 PM
> > > To: Avi Cohen (A); Thomas Monjalon
> > > Cc: users@dpdk.org; ol...@mellanox.com
> > > Subject: RE: [dpdk-users] IPsec offload
> > >
> > > Hi Avi,
> > >
> > >
> > > > -Original Message-
> > > > From: users [mailto:users-boun...@dpdk.org] On Behalf Of Avi Cohen
> > > > (A)
> > > > Sent: Monday, November 6, 2017 3:53 PM
> > > > To: Thomas Monjalon 
> > > > Cc: users@dpdk.org; ol...@mellanox.com
> > > > Subject: Re: [dpdk-users] IPsec offload
> > > >
> > > > Thank you Thomas
> > > > When I run the ipsec-secgw sample app. The program is exiting
> > > > with error 'Mandatory option "-f" not present'
> > > > What is this option ? config file ?
> > >
> > > Yes, that's a configuration file, like the one that you can find in
> > > ep0.cfg or ep1.cfg.
> > >
> > > Pablo

Re: [dpdk-users] IPsec offload

2017-11-06 Thread De Lara Guarch, Pablo



> -Original Message-
> From: Avi Cohen (A) [mailto:avi.co...@huawei.com]
> Sent: Monday, November 6, 2017 4:42 PM
> To: De Lara Guarch, Pablo ; Thomas
> Monjalon 
> Cc: users@dpdk.org; ol...@mellanox.com
> Subject: RE: [dpdk-users] IPsec offload
> 
> Thank you Pablo
> Can you supply an example command line to run the ipsec-secgw ?

./examples/ipsec-secgw/build/ipsec-secgw -l 10,11 -n 4 
--vdev="crypto_aesni_gcm0" /
-- -p 0x1 -P --config="(0,0,10)" -f ep-sample.cfg

Where ep-sample.cfg contains:

sp ipv4 out esp protect 0010 pri 1 dst 001.0.0.0/24 sport 0:65535 dport 0:65535
sa out 0010 aead_algo aes-128-gcm aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:
ef:de:ad:be:ef:de:ad:be:ef mode ipv4-tunnel src 20.0.0.0 dst 21.0.0.0
rt ipv4 dst 21.0.0.0/8 port 0


> Regards
> Avi
> 
> > -Original Message-
> > From: De Lara Guarch, Pablo [mailto:pablo.de.lara.gua...@intel.com]
> > Sent: Monday, 06 November, 2017 6:37 PM
> > To: Avi Cohen (A); Thomas Monjalon
> > Cc: users@dpdk.org; ol...@mellanox.com
> > Subject: RE: [dpdk-users] IPsec offload
> >
> > Hi Avi,
> >
> >
> > > -Original Message-
> > > From: users [mailto:users-boun...@dpdk.org] On Behalf Of Avi Cohen
> > > (A)
> > > Sent: Monday, November 6, 2017 3:53 PM
> > > To: Thomas Monjalon 
> > > Cc: users@dpdk.org; ol...@mellanox.com
> > > Subject: Re: [dpdk-users] IPsec offload
> > >
> > > Thank you Thomas
> > > When I run the ipsec-secgw sample app. The program is exiting  with
> > > error 'Mandatory option "-f" not present'
> > > What is this option ? config file ?
> >
> > Yes, that's a configuration file, like the one that you can find in
> > ep0.cfg or ep1.cfg.
> >
> > Pablo

Re: [dpdk-users] IPsec offload

2017-11-06 Thread Avi Cohen (A)

Thank you Pablo
Can you supply an example command line to run the ipsec-secgw ?
Regards
Avi

> -Original Message-
> From: De Lara Guarch, Pablo [mailto:pablo.de.lara.gua...@intel.com]
> Sent: Monday, 06 November, 2017 6:37 PM
> To: Avi Cohen (A); Thomas Monjalon
> Cc: users@dpdk.org; ol...@mellanox.com
> Subject: RE: [dpdk-users] IPsec offload
> 
> Hi Avi,
> 
> 
> > -Original Message-
> > From: users [mailto:users-boun...@dpdk.org] On Behalf Of Avi Cohen (A)
> > Sent: Monday, November 6, 2017 3:53 PM
> > To: Thomas Monjalon 
> > Cc: users@dpdk.org; ol...@mellanox.com
> > Subject: Re: [dpdk-users] IPsec offload
> >
> > Thank you Thomas
> > When I run the ipsec-secgw sample app. The program is exiting  with
> > error 'Mandatory option "-f" not present'
> > What is this option ? config file ?
> 
> Yes, that's a configuration file, like the one that you can find in ep0.cfg or
> ep1.cfg.
> 
> Pablo

Re: [dpdk-users] IPsec offload

2017-11-06 Thread De Lara Guarch, Pablo

Hi Avi,


> -Original Message-
> From: users [mailto:users-boun...@dpdk.org] On Behalf Of Avi Cohen (A)
> Sent: Monday, November 6, 2017 3:53 PM
> To: Thomas Monjalon 
> Cc: users@dpdk.org; ol...@mellanox.com
> Subject: Re: [dpdk-users] IPsec offload
> 
> Thank you Thomas
> When I run the ipsec-secgw sample app. The program is exiting  with error
> 'Mandatory option "-f" not present'
> What is this option ? config file ?

Yes, that's a configuration file, like the one that you can find in ep0.cfg or 
ep1.cfg.

Pablo

Re: [dpdk-users] IPsec offload

2017-11-06 Thread Avi Cohen (A)

Thank you Thomas
When I run the ipsec-secgw sample app. The program is exiting  with error 
'Mandatory option "-f" not present' 
What is this option ? config file ? 
Regards
Avi

> -Original Message-
> From: Thomas Monjalon [mailto:tho...@monjalon.net]
> Sent: Monday, 06 November, 2017 1:13 PM
> To: Avi Cohen (A)
> Cc: users@dpdk.org; ol...@mellanox.com
> Subject: Re: [dpdk-users] IPsec offload
> 
> 06/11/2017 11:25, Avi Cohen (A):
> > Thank you Thomas
> > Is this was tested on a specific HW e.g.  Mellanox Innova  / other ?
> 
> Mellanox hardware will probably be supported in 18.02.
> There are some experimental support for NXP DPAA2 and Intel ixgbe in DPDK
> 17.11.
> 
> 
> > > -Original Message-
> > > From: Thomas Monjalon [mailto:tho...@monjalon.net]
> > >
> > > Hi,
> > >
> > > 05/11/2017 09:32, Avi Cohen (A):
> > > > Does the DPDK  support HW IPsec offload ?
> > > > can DPDK configure the NIC/Network adapter to ipsec a specific flow ?
> > >
> > > Yes, an experimental IPsec offload support is added in DPDK 17.11.
> > > It is called rte_security:
> > >   http://dpdk.org/doc/guides/prog_guide/rte_security.html
> > >
> > > The hardware support will probably be improved in DPDK 18.02.
> 
>

Re: [dpdk-users] IPsec offload

2017-11-06 Thread Thomas Monjalon

06/11/2017 11:25, Avi Cohen (A):
> Thank you Thomas
> Is this was tested on a specific HW e.g.  Mellanox Innova  / other ?

Mellanox hardware will probably be supported in 18.02.
There are some experimental support for NXP DPAA2 and Intel ixgbe in DPDK 17.11.


> > -Original Message-
> > From: Thomas Monjalon [mailto:tho...@monjalon.net]
> > 
> > Hi,
> > 
> > 05/11/2017 09:32, Avi Cohen (A):
> > > Does the DPDK  support HW IPsec offload ?
> > > can DPDK configure the NIC/Network adapter to ipsec a specific flow ?
> > 
> > Yes, an experimental IPsec offload support is added in DPDK 17.11.
> > It is called rte_security:
> > http://dpdk.org/doc/guides/prog_guide/rte_security.html
> > 
> > The hardware support will probably be improved in DPDK 18.02.

Re: [dpdk-users] IPsec offload

2017-11-06 Thread Avi Cohen (A)

Thank you Thomas
Is this was tested on a specific HW e.g.  Mellanox Innova  / other ?
Regards
Avi

> -Original Message-
> From: Thomas Monjalon [mailto:tho...@monjalon.net]
> Sent: Monday, 06 November, 2017 3:03 AM
> To: Avi Cohen (A)
> Cc: users@dpdk.org
> Subject: Re: [dpdk-users] IPsec offload
> 
> Hi,
> 
> 05/11/2017 09:32, Avi Cohen (A):
> > Does the DPDK  support HW IPsec offload ?
> > can DPDK configure the NIC/Network adapter to ipsec a specific flow ?
> 
> Yes, an experimental IPsec offload support is added in DPDK 17.11.
> It is called rte_security:
>   http://dpdk.org/doc/guides/prog_guide/rte_security.html
> 
> The hardware support will probably be improved in DPDK 18.02.

Re: [dpdk-users] IPsec offload

2017-11-05 Thread Thomas Monjalon

Hi,

05/11/2017 09:32, Avi Cohen (A):
> Does the DPDK  support HW IPsec offload ?
> can DPDK configure the NIC/Network adapter to ipsec a specific flow ?

Yes, an experimental IPsec offload support is added in DPDK 17.11.
It is called rte_security:
http://dpdk.org/doc/guides/prog_guide/rte_security.html

The hardware support will probably be improved in DPDK 18.02.

[dpdk-users] IPsec offload

2017-11-05 Thread Avi Cohen (A)

Does the DPDK  support HW IPsec offload ? can DPDK configure the NIC/Network 
adapter to ipsec a specific flow ?
Thank You
Avi

[dpdk-users] IPsec offload for ixgbe/i40e drivers

2017-10-03 Thread Avi Cohen (A)

Hi,
These Intel  NIC's:  X540, 82599, I40E - supports IPsec offload   
But I don't see that the drivers  supplied by Intel - handle it (??)   
Also I don't see any reference in the DPDK userspace drivers  
librte_pmd_ixgbe.c .. 
Can someone tell if this is supported somewhere ?   
Best Regards   
Avi

Re: [dpdk-users] IPsec offload

Re: [dpdk-users] IPsec offload

Re: [dpdk-users] IPsec offload

Re: [dpdk-users] IPsec offload

Re: [dpdk-users] IPsec offload

Re: [dpdk-users] IPsec offload

Re: [dpdk-users] IPsec offload

Re: [dpdk-users] IPsec offload

Re: [dpdk-users] IPsec offload

Re: [dpdk-users] IPsec offload

Re: [dpdk-users] IPsec offload

Re: [dpdk-users] IPsec offload

Re: [dpdk-users] IPsec offload

Re: [dpdk-users] IPsec offload

Re: [dpdk-users] IPsec offload

Re: [dpdk-users] IPsec offload

Re: [dpdk-users] IPsec offload

Re: [dpdk-users] IPsec offload

Re: [dpdk-users] IPsec offload

Re: [dpdk-users] IPsec offload

Re: [dpdk-users] IPsec offload

Re: [dpdk-users] IPsec offload

Re: [dpdk-users] IPsec offload

Re: [dpdk-users] IPsec offload

Re: [dpdk-users] IPsec offload

[dpdk-users] IPsec offload

[dpdk-users] IPsec offload for ixgbe/i40e drivers

27 matches

Site Navigation

Mail list logo

Footer information