I switched the cipher from aes-gcm to aes-cbc. The native stack works. It seems the issue is related to aes-gcm cipher support in the native stack? Probably some integration bug between aes-gcm and the native stack?

On Tue, Nov 19, 2019 at 10:42 AM Chuan Han via Lists.Fd.Io <chuanhan= [email protected]> wrote:

> Hi, Damjan,
>
> See attachment for detailed logs. no.vdev.xxx files contain the log for
> the case where vdev is commented out. v.dev.xxx files contain logs for the
> case where vdev is enabled.
>
> I pinged srv-1 from srv-2, i.e., 172.16.2.2 -> 172.16.1.2.
>
> When vdev is removed, the srv-1 cannot decrypt the esp pkts. When vdev is
> enabled, I can see srv-1 decrypted esp pkts and ping worked fine.
>
> Thanks.
> Chuan
>
>
> On Tue, Nov 19, 2019 at 2:08 AM Damjan Marion <[email protected]> wrote:
>
>> Hi Chuan,
>>
>> Please note that we have daily run of IPSec performance tests in CSIT
>> with VPP running on the physical NIC with DPDK drivers.
>> Also please note that every VPP patch is passing unit tests with IETF and
>> NIST test encryption vectors.
>>
>> Other comments inline….
>>
>>
>> > On 18 Nov 2019, at 23:48, Chuan Han via Lists.Fd.Io <chuanhan= [email protected]> wrote:
>> >
>> > Hi, vpp experts,
>> >
>> > I was told that vpp's native ipsec stack is stabler and more performant. We can enable it by commenting out the vdev line in dpdk stanza.
>> >
>> > However, when I did so, ipsec decryption failed.
>> >
>> > Ex:
>> > # commenting out this line makes decryption fail.
>> > vdev crypto_aesni_mb0,socket_id=0
>>
>> Have you validated that in your working case, packets are decrypted
>> correctly?
>> Can you share packet trace for both cases?
>>
>> >
>> > Did anyone ever make native ipsec stack, i.e., ia32 work with dpdk/phy nic?
>>
>> yes, it is tested and working on the daily basis.
>> >
>> > The interesting thing is no matter whether I comment out the vdev line or not, ia32 is shown as the active crypto handler for aes-gcm-256. Does this mean ia32 is used by both cases?
>> >
>> > vpp# sh crypto engines
>> > Name            Prio    Description
>> > ia32            100     Intel IA32 ISA Optimized Crypto
>> > ipsecmb         80      Intel(R) Multi-Buffer Crypto for IPsec Library 0.52.0
>> > openssl         50      OpenSSL
>> > vpp# sh crypto handlers
>> > Algo            Type            Active          Candidates
>> > (nil)
>> > des-cbc         encrypt         openssl         openssl
>> >                 decrypt         openssl         openssl
>> > 3des-cbc        encrypt         openssl         openssl
>> >                 decrypt         openssl         openssl
>> > aes-128-cbc     encrypt         ia32            ia32 ipsecmb openssl
>> >                 decrypt         ia32            ia32 ipsecmb openssl
>> > aes-192-cbc     encrypt         ia32            ia32 ipsecmb openssl
>> >                 decrypt         ia32            ia32 ipsecmb openssl
>> > aes-256-cbc     encrypt         ia32            ia32 ipsecmb openssl
>> >                 decrypt         ia32            ia32 ipsecmb openssl
>> > aes-128-ctr     encrypt         openssl         openssl
>> >                 decrypt         openssl         openssl
>> > aes-192-ctr     encrypt         openssl         openssl
>> >                 decrypt         openssl         openssl
>> > aes-256-ctr     encrypt         openssl         openssl
>> >                 decrypt         openssl         openssl
>> > aes-128-gcm     aead-encrypt    ia32            ia32 ipsecmb openssl
>> >                 aead-decrypt    ia32            ia32 ipsecmb openssl
>> > aes-192-gcm     aead-encrypt    ia32            ia32 ipsecmb openssl
>> >                 aead-decrypt    ia32            ia32 ipsecmb openssl
>> > aes-256-gcm     aead-encrypt    ia32            ia32 ipsecmb openssl
>> >                 aead-decrypt    ia32            ia32 ipsecmb openssl
>> > hmac-md5        hmac            openssl         openssl
>> > hmac-sha-1      hmac            ipsecmb         ipsecmb openssl
>> > hmac-sha-224    hmac            ipsecmb         ipsecmb openssl
>> > hmac-sha-256    hmac            ipsecmb         ipsecmb openssl
>> > hmac-sha-384    hmac            ipsecmb         ipsecmb openssl
>> > hmac-sha-512    hmac            ipsecmb         ipsecmb openssl
>> > vpp#
>>
>> “show crypto handlers” command is part of new crypto infra, and that
>> command doesn’t have anything with dpdk ipsec implementation.
>> If you turn on dpdk ipsec, new crypto infra is simply not used...
>>
>> >
>> > I attached the two servers' startup conf files and topology diagram.
>> >
>> > Any input/comments are welcome.
>> > Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [[email protected]]
>> > -=-=-=-=-=-=-=-=-=-=-=-
>>
>> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
>
> View/Reply Online (#14628): https://lists.fd.io/g/vpp-dev/message/14628
> Mute This Topic: https://lists.fd.io/mt/60327762/1991531
> Group Owner: [email protected]
> Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [[email protected]]
> -=-=-=-=-=-=-=-=-=-=-=-
>
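
Added example, not part of the thread and not VPP code: a Python parser for the `sh crypto engines` and `sh crypto handlers` output quoted above. It rejoins mail-wrapped candidate lines and flags any handler whose active engine is not the highest-priority candidate. The sample text is constructed from rows in the thread, and selection by priority is an assumption about the default behaviour. As the quoted reply says, this table describes the new crypto infra only, not the DPDK IPsec path.

```python
# Constructed sample from rows of the output quoted in the thread; one mail-wrapped line kept.
ENGINES = """\
Name     Prio  Description
ia32     100   Intel IA32 ISA Optimized Crypto
ipsecmb  80    Intel(R) Multi-Buffer Crypto for IPsec Library 0.52.0
openssl  50    OpenSSL
"""
HANDLERS = """\
Algo         Type          Active   Candidates
(nil)
des-cbc      encrypt       openssl  openssl
aes-256-cbc  encrypt       ia32     ia32
ipsecmb openssl
             decrypt       ia32     ia32 ipsecmb openssl
aes-256-gcm  aead-encrypt  ia32     ia32 ipsecmb openssl
             aead-decrypt  ia32     ia32 ipsecmb openssl
hmac-sha-1   hmac          ipsecmb  ipsecmb openssl
"""
OPS = {"encrypt", "decrypt", "aead-encrypt", "aead-decrypt", "hmac"}

def parse_engines(text):
    """Map engine name -> priority, skipping the header row."""
    rows = (line.split() for line in text.splitlines()[1:])
    return {r[0]: int(r[1]) for r in rows if len(r) >= 2}

def parse_handlers(text):
    """Map (algo, op) -> {"active": engine, "candidates": [engines]}."""
    table, algo, last = {}, None, None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] in ("Algo", "(nil)"):
            continue
        if tok[0] in OPS:                      # further op row of the current algo
            op, rest = tok[0], tok[1:]
        elif len(tok) > 1 and tok[1] in OPS:   # first row of a new algo
            algo, op, rest = tok[0], tok[1], tok[2:]
        else:                                  # wrapped line: more candidates
            if last is not None:
                last["candidates"] += tok
            continue
        if rest:
            last = table[(algo, op)] = {"active": rest[0], "candidates": rest[1:]}
    return table

def priority_mismatches(handlers, prio):
    """Rows whose active engine is not the top-priority candidate (assumed default)."""
    rank = lambda name: prio.get(name, -1)
    return sorted(key for key, h in handlers.items()
                  if h["candidates"] and h["active"] != max(h["candidates"], key=rank))
```

Running the same check on output captured from both peers gives a quick way to confirm they resolve `aes-256-gcm` to the same engine before comparing packet traces.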
