Hi, Damjan,
It worked!
Thanks for helping!
I can see native ipsec stack works with aes-gcm-256 now.
00:44:05:465769: ip4-input-no-checksum
IPSEC_ESP: 10.10.10.11 -> 10.10.10.10
tos 0x00, ttl 253, length 540, checksum 0x9387
fragment id 0x0000
00:44:05:465770: ipsec4-input-feature
IPSEC_ESP: sa_id 2 spd 1 policy 0 spi 255128 (0x0003e498) seq 3478582380
00:44:05:465770: *esp4-decrypt*
esp: crypto *aes-gcm-256* integrity none pkt-seq -816384916 sa-seq 0 sa-seq-hi 0
vpp# sh ver
vpp v20.01-rc0~735-gbfd7d294d built by root on esdn-lab at Wed Nov 27 19:34:36 UTC 2019
vpp# sh dpdk ver
DPDK Version: DPDK 19.08.0
DPDK EAL init args: -c 5554 -n 4 --in-memory --log-level debug --file-prefix vpp -w 0000:1b:10.1 -w 0000:19:00.1 --master-lcore 2
vpp#
8.5Gbps udp/tcp ixia traffic is happy now.
However, I did not see any performance improvement, i.e., still the same
8.5Gbps. Probably, native stack is more stable and well tested as you
mentioned before.
Thanks.
Chuan
On Thu, Dec 5, 2019 at 4:11 PM Damjan Marion <[email protected]> wrote:
>
> Hi Chuan,
>
> You need to specify salt for GCM to work in static config.
>
> i.e.
> ipsec sa add 1 spi 255129 esp crypto-key 0123456789012345678901234567890101234567890123456789012345678901 crypto-alg aes-gcm-256 salt 0x12345678
>
> LMK if this helps...
>
> --
> Damjan
>
>
> On 27 Nov 2019, at 15:16, Chuan Han <[email protected]> wrote:
>
> I switched cipher from aes-gcm to aes-cbc. native stack works. it seems
> the issue is related to aes-gcm cipher support in native stack?
> Probably some integration bug between aes-gcm and native stack?
>
> On Tue, Nov 19, 2019 at 10:42 AM Chuan Han via Lists.Fd.Io
> <http://lists.fd.io/> <[email protected]> wrote:
>
>> Hi, Damjan,
>>
>> See attachment for detailed logs. no.vdev.xxx files contain the log for
>> the case where vdev is commented out. v.dev.xxx files contain logs for the
>> case where vdev is enabled.
>>
>> I pinged srv-1 from srv-2, i.e., 172.16.2.2 -> 172.16.1.2.
>>
>> When vdev is removed, the srv-1 cannot decrypt the esp pkts. When vdev is
>> enabled, I can see srv-1 decrypted esp pkts and ping worked fine.
>>
>> Thanks.
>> Chuan
>>
>>
>> On Tue, Nov 19, 2019 at 2:08 AM Damjan Marion <[email protected]> wrote:
>>
>>> Hi Chuan,
>>>
>>> Please note that we have daily run of IPSec performance tests in CSIT
>>> with VPP running on the physical NIC with DPDK drivers.
>>> Also please note that every VPP patch is passing unit tests with IETF
>>> and NIST test encryption vectors.
>>>
>>> Other comments inline….
>>>
>>>
>>> > On 18 Nov 2019, at 23:48, Chuan Han via Lists.Fd.Io <http://lists.fd.io/> <[email protected]> wrote:
>>> >
>>> > Hi, vpp experts,
>>> >
>>> > I was told that vpp's native ipsec stack is stabler and more
>>> > performant. We can enable it by commenting out the vdev line in dpdk
>>> > stanza.
>>> >
>>> > However, when I did so, ipsec decryption failed.
>>> >
>>> > Ex:
>>> > # commenting out this line makes decryption fail.
>>> > vdev crypto_aesni_mb0,socket_id=0
>>>
>>> Have you validated that in your working case, packets are decrypted
>>> correctly?
>>> Can you share packet trace for both cases?
>>>
>>> >
>>> > Did anyone ever make native ipsec stack, i.e., ia32 work with dpdk/phy
>>> > nic?
>>>
>>> yes, it is tested and working on the daily basis.
>>> >
>>> > The interesting thing is no matter whether I comment out the vdev line
>>> > or not, ia32 is shown as the active crypto handler for aes-gcm-256. Does
>>> > this mean ia32 is used by both cases?
>>> >
>>> > vpp# sh crypto engines
>>> > Name      Prio  Description
>>> > ia32      100   Intel IA32 ISA Optimized Crypto
>>> > ipsecmb   80    Intel(R) Multi-Buffer Crypto for IPsec Library 0.52.0
>>> > openssl   50    OpenSSL
>>> > vpp# sh crypto handlers
>>> > Algo          Type          Active   Candidates
>>> > (nil)
>>> > des-cbc       encrypt       openssl  openssl
>>> >               decrypt       openssl  openssl
>>> > 3des-cbc      encrypt       openssl  openssl
>>> >               decrypt       openssl  openssl
>>> > aes-128-cbc   encrypt       ia32     ia32 ipsecmb openssl
>>> >               decrypt       ia32     ia32 ipsecmb openssl
>>> > aes-192-cbc   encrypt       ia32     ia32 ipsecmb openssl
>>> >               decrypt       ia32     ia32 ipsecmb openssl
>>> > aes-256-cbc   encrypt       ia32     ia32 ipsecmb openssl
>>> >               decrypt       ia32     ia32 ipsecmb openssl
>>> > aes-128-ctr   encrypt       openssl  openssl
>>> >               decrypt       openssl  openssl
>>> > aes-192-ctr   encrypt       openssl  openssl
>>> >               decrypt       openssl  openssl
>>> > aes-256-ctr   encrypt       openssl  openssl
>>> >               decrypt       openssl  openssl
>>> > aes-128-gcm   aead-encrypt  ia32     ia32 ipsecmb openssl
>>> >               aead-decrypt  ia32     ia32 ipsecmb openssl
>>> > aes-192-gcm   aead-encrypt  ia32     ia32 ipsecmb openssl
>>> >               aead-decrypt  ia32     ia32 ipsecmb openssl
>>> > aes-256-gcm   aead-encrypt  ia32     ia32 ipsecmb openssl
>>> >               aead-decrypt  ia32     ia32 ipsecmb openssl
>>> > hmac-md5      hmac          openssl  openssl
>>> > hmac-sha-1    hmac          ipsecmb  ipsecmb openssl
>>> > hmac-sha-224  hmac          ipsecmb  ipsecmb openssl
>>> > hmac-sha-256  hmac          ipsecmb  ipsecmb openssl
>>> > hmac-sha-384  hmac          ipsecmb  ipsecmb openssl
>>> > hmac-sha-512  hmac          ipsecmb  ipsecmb openssl
>>> > vpp#
>>>
>>> “show crypto handlers” command is part of new crypto infra, and that
>>> command doesn’t have anything with dpdk ipsec implementation.
>>> If you turn on dpdk ipsec, new crypto infra is simply not used...
>>>
>>> >
>>> > I attached the two servers' startup conf files and topology diagram.
>>> >
>>> > Any input/comments are welcome.
>>
>
> --
> Damjan
>
>
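An added example, not part of the thread and not VPP code: RFC 4106 forms the 12-byte AES-GCM nonce for ESP from the SA's 4-byte salt followed by the 8-byte IV carried in each packet, so a receiver whose SA holds a different salt fails the integrity check on every packet. The key, SPI and salt are the ones from the `ipsec sa add` line quoted above; the IV, payload, mismatching salt, function names and the big-endian encoding of the salt value are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// 256-bit key from the `ipsec sa add` line quoted in the thread.
const keyHex = "0123456789012345678901234567890101234567890123456789012345678901"

// nonceAndAAD, per RFC 4106: nonce = 4-byte SA salt || 8-byte IV, AAD = SPI || seq.
func nonceAndAAD(salt, spi, seq uint32, iv [8]byte) (nonce, aad []byte) {
	nonce, aad = make([]byte, 12), make([]byte, 8)
	binary.BigEndian.PutUint32(nonce, salt) // big-endian salt is an assumption
	copy(nonce[4:], iv[:])
	binary.BigEndian.PutUint64(aad, uint64(spi)<<32|uint64(seq))
	return nonce, aad
}

func gcm() cipher.AEAD {
	key, _ := hex.DecodeString(keyHex)
	blk, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(blk) // cannot fail for a 16-byte block cipher
	return g
}

func Seal(salt, spi, seq uint32, iv [8]byte, pt []byte) []byte {
	n, a := nonceAndAAD(salt, spi, seq, iv)
	return gcm().Seal(nil, n, pt, a) // ciphertext || 16-byte ICV
}

// Open fails authentication if salt, SPI, sequence number or IV differ.
func Open(salt, spi, seq uint32, iv [8]byte, ct []byte) ([]byte, error) {
	n, a := nonceAndAAD(salt, spi, seq, iv)
	return gcm().Open(nil, n, ct, a)
}

func main() {
	iv := [8]byte{7: 1} // constructed per-packet IV
	ct := Seal(0x12345678, 255129, 1, iv, []byte("constructed payload"))
	_, same := Open(0x12345678, 255129, 1, iv, ct)
	_, diff := Open(0x9abcdef0, 255129, 1, iv, ct) // constructed wrong salt
	fmt.Println("same salt:", same, "| different salt:", diff)
}
```

The salt never appears on the wire, so a mismatch shows up only as failed decryption on the receiving side.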