Hi Manuel,
Thanks for reporting back.
Cheers,
Sergio
On Tue, Feb 12, 2019 at 5:14 PM wrote:
> Hi Sergio,
>
> ipsec is actually working(therefore also your patch), my issue was
> regarding dpdk and hw setup.
>
> BR,
> Manuel -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to
Hi Sergio,
ipsec is actually working(therefore also your patch), my issue was regarding
dpdk and hw setup.
BR,
Manuel
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#12237): https://lists.fd.io/g/vpp-dev/message/12237
Mute This Topic:
Hi,
my apologies, forget my last email.. I measured data back and forth (supposed
to be encrypted) and I checked that cpt crypto devices were enabled and
available but the ipsec tunnel was not working(since crypto counters were not
increasing).
BR,
Manuel
-=-=-=-=-=-=-=-=-=-=-=-
Links: You
Hi Sergio,
after tracing the crypto layers a bit I did not find anything suspicious so I
decided to revert a commit around ipsec(git checkout
3553abaec54c2784bc6fdccc890411d586c3997e src/vnet/ipsec/*) and looks to be
working as I would expect(using the HW encrypt/decryption). I guess the issue
Hi Manuel,
I forgot to mention that the test I performed does not validate the HW
crypto device case, ie. there could be a bug in the DMA addresses for the
crypto op. I do not have any crypto HW to test but afaik CSIT does run a
few different use cases using HW crypto.
HTH,
Sergio
On Fri, Feb
Hi Sergio,
thank you for your comment, I will try to debug the problem ASAP.
BR,
Manuel
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#12213): https://lists.fd.io/g/vpp-dev/message/12213
Mute This Topic: https://lists.fd.io/mt/29538345/21656
Mute
So I have tried both IPsec ESP in transport mode with aes-gcm and aes-cbc
and it does encrypt properly.
In the test I'm using VPP 19.01 release with software cryptodevs and the
built-in packet-generator:
00:00:07:563578: ipsec4-output-feature
spd 1
00:00:07:563595: dpdk-esp4-encrypt
cipher
Yes I did, OpenSSL backend is working.
I can see the esp4-encrypt and esp4-decrypt counters incrementing and there are
no errors.
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#12206): https://lists.fd.io/g/vpp-dev/message/12206
Mute This Topic:
Have you tried using the OpenSSL backend instead of cryptodev ?
Just wondering if there is a bug in the transport mode case in the DPDK
code.
Looking at the trace again, the src/dst mac seems to be ok, yet the
ethertype is already 0 on the sender side after crypto.
On Thu, Feb 7, 2019 at 1:48 PM
Hi Sergio,
yes, disabling ipsec I successfully get every packet in the receiver side.
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#12203): https://lists.fd.io/g/vpp-dev/message/12203
Mute This Topic: https://lists.fd.io/mt/29538345/21656
Mute
Hi Manuel,
If I am not mistaken, you should be able to forward the same traffic if you
disable ipsec, have you tried that with success?
On Thu, Feb 7, 2019 at 11:15 AM wrote:
> Hi Sergio,
>
> you are right, both boards are connected back to back in the
> 192.168.30.0/24 net.
> I have cleaned
Hi Sergio,
you are right, both boards are connected back to back in the 192.168.30.0/24
net.
I have cleaned up redundant routes, adding what you are proposing and
unfortunately still I am getting the llc-input errors in the receiving interface
vpp# sh errors
Hi Manuel,
Could you try modifying your config with something like below?
By the way, I am not sure you need to set any arp entries, I am assuming
you have connected back-to-back the interfaces with IPs in the
192.168.30.0/24 net.
You can check with 'show ip arp' that you have entries for the
See attached files, setup is taking place in the scripts via vppctl instead of
using the 'exec path_to_file' used in startup.cnf
Let me know if you see anything suspicious
BR,
Manuel
start_vpp_ipsec_board_a_xaui30_p2.sh
Description: application/shellscript
Hi Manuel,
I was having another look at this. Could you provide the configuration
commands you have used to setup ipsec sa/spd etc ?
Regards,
Sergio
On Fri, Feb 1, 2019 at 2:13 PM wrote:
> capture and config. attached -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this
configuration file assumes that “socket_id” ==> NUMA, but this is
> actually
>
> a single-socket system with four NUMA zones.
>
>
>
> -Lee
>
>
>
>
>
> *From:* Sergio G.M. [mailto:sgmon...@gmail.com]
> *Sent:* Monday, February 04, 2019 2:55 PM
> *
r: Advanced Micro Devices, Inc. [AMD] Device
> 1468
>
> NUMA node: 3
>
>
>
>
>
>
>
>
>
> *From:* Sergio G.M. [mailto:sgmon...@gmail.com]
> *Sent:* Monday, February 04, 2019 3:27 PM
> *To:* Roberts, Lee A.
> *Cc:* manuel.alo...@cavium.c
(alg)] = 1;
>
> alg->resources += vec_len (dev->free_resources);
>
> /* At least enough resources to support one algo */
>
> dcm->enabled |= (alg->resources >= n_mains);
>
> }
>
> break;
>
om: vpp-dev@lists.fd.io [mailto:vpp-dev@lists.fd.io] On Behalf Of Sergio
Gonzalez Monroy
Sent: Wednesday, January 30, 2019 1:59 PM
To: Roberts, Lee A. ; manuel.alo...@cavium.com;
vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] Question about crypto dev queue pairs #vpp
Hi folks,
Give the fo
capture and config. attached
vpp# sh ipsec config
sa 10 spi 1001 mode transport protocol esp
crypto alg aes-cbc-128 key 4a506a794f574265564551694d653768 integrity alg
sha1-96 key 4339314b55523947594d6d3547666b45764e6a58
sa 20 spi 1000 mode transport protocol esp
crypto alg aes-cbc-128 key
Subject: Re: [vpp-dev] Question about crypto dev queue pairs #vpp
Hi Sergio,
too quick response...I was excited about results...but checking the logs it
looks that it was not encrypting/decrypting.
I am a bit confused since I am running same configuration scripts, anyhow there
are attached some
Hi Sergio,
my apologies... I have been carefully testing this morning(to give you logs)
and everything is working perfectly (encrypting/decrypting with cpt and/or
encrypting/decrypting with openssl).
Thanks a lot for your quick fix!
BR,
Manuel
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all
Hello Sergio,
>From my side, your patch looks good to me.
Nevertheless I can't manage to properly run encryption/decryption (ipsec
between two boards) with the Octeon CPT hardware. (Same ipsec scenario setup
via openssl is actually working as expected)
Do not know whether the problem is
: Roberts, Lee A.
Sent: Tuesday, January 29, 2019 3:49 PM
To: Sergio Gonzalez Monroy; manuel.alo...@cavium.com; vpp-dev@lists.fd.io
Subject: RE: [vpp-dev] Question about crypto dev queue pairs #vpp
Sergio,
I encountered the same problem when attempting to enable the AMD CCP poll mode
driver
in VPP
day, January 29, 2019 2:18 AM
To: manuel.alo...@cavium.com; vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] Question about crypto dev queue pairs #vpp
Hi Manuel,
This is likely a mismatch in VPP side. I only tested it with QAT (2 qps per VF)
and SW cryptodevs (default 8 qps) at the time (over a year ago).
Hi Sergio,
I prefer you to provide the patch to use 1 qp since I have been inspecting
source code for two days only(I might add other bugs...).
I could test your patch in an Octeon board that is supposed to setup 1 qp.
BR,
Manuel
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to
?
Regards,
Sergio
From: vpp-dev@lists.fd.io on behalf of
manuel.alo...@cavium.com
Sent: Monday, January 28, 2019 4:15 PM
To: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] Question about crypto dev queue pairs #vpp
Hi Sergio,
thank you for the explanation, I see
Hi Sergio,
thank you for the explanation, I see that there are 2 (or more qps). My concern
was due to dpdk, since there are a few device drivers exporting only one queue
pair for their crypto devices.
(I followed the code assuming one qps, based on a dpdk-18.11 exported value)
So I do not know
Hello all,
Just tracing a bit the code I noticed that there is a concept of "queue pair"
and every crypto device allocates its own number of queue pairs.
Two questions (version 19.01):
1. Regarding the max_res_idx (ipsec.c) calculation:
max_res_idx = (dev->max_qp / 2) - 1; (if dev->max_qp == 1
29 matches
Mail list logo