Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/53321/?format=api
{ "id": 53321, "url": "https://patches.dpdk.org/api/patches/53321/?format=api", "web_url": "https://patches.dpdk.org/project/dpdk/patch/20190508104717.13448-3-marcinx.smoczynski@intel.com/", "project": { "id": 1, "url": "https://patches.dpdk.org/api/projects/1/?format=api", "name": "DPDK", "link_name": "dpdk", "list_id": "dev.dpdk.org", "list_email": "dev@dpdk.org", "web_url": "http://core.dpdk.org", "scm_url": "git://dpdk.org/dpdk", "webscm_url": "http://git.dpdk.org/dpdk", "list_archive_url": "https://inbox.dpdk.org/dev", "list_archive_url_format": "https://inbox.dpdk.org/dev/{}", "commit_url_format": "" }, "msgid": "<20190508104717.13448-3-marcinx.smoczynski@intel.com>", "list_archive_url": "https://inbox.dpdk.org/dev/20190508104717.13448-3-marcinx.smoczynski@intel.com", "date": "2019-05-08T10:47:17", "name": "[3/3] examples/ipsec-secgw: add support for ipv6 options", "commit_ref": null, "pull_url": null, "state": "superseded", "archived": true, "hash": "4b9025e10195c90c861846544c9247bb8fe56eb0", "submitter": { "id": 1293, "url": "https://patches.dpdk.org/api/people/1293/?format=api", "name": "Marcin Smoczynski", "email": "marcinx.smoczynski@intel.com" }, "delegate": { "id": 6690, "url": "https://patches.dpdk.org/api/users/6690/?format=api", "username": "akhil", "first_name": "akhil", "last_name": "goyal", "email": "gakhil@marvell.com" }, "mbox": "https://patches.dpdk.org/project/dpdk/patch/20190508104717.13448-3-marcinx.smoczynski@intel.com/mbox/", "series": [ { "id": 4596, "url": "https://patches.dpdk.org/api/series/4596/?format=api", "web_url": "https://patches.dpdk.org/project/dpdk/list/?series=4596", "date": "2019-05-08T10:47:15", "name": "[1/3] net: new ipv6 header extension parsing function", "version": 1, "mbox": "https://patches.dpdk.org/series/4596/mbox/" } ], "comments": "https://patches.dpdk.org/api/patches/53321/comments/", "check": "fail", "checks": "https://patches.dpdk.org/api/patches/53321/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<dev-bounces@dpdk.org>", "X-Original-To": "patchwork@dpdk.org", "Delivered-To": "patchwork@dpdk.org", "Received": [ "from [92.243.14.124] (localhost [127.0.0.1])\n\tby dpdk.org (Postfix) with ESMTP id 9939F4C94;\n\tWed, 8 May 2019 12:48:10 +0200 (CEST)", "from mga12.intel.com (mga12.intel.com [192.55.52.136])\n\tby dpdk.org (Postfix) with ESMTP id ACF154C93\n\tfor <dev@dpdk.org>; Wed, 8 May 2019 12:48:08 +0200 (CEST)", "from fmsmga001.fm.intel.com ([10.253.24.23])\n\tby fmsmga106.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;\n\t08 May 2019 03:48:08 -0700", "from msmoczyx-mobl.ger.corp.intel.com ([10.103.104.100])\n\tby fmsmga001.fm.intel.com with ESMTP; 08 May 2019 03:48:05 -0700" ], "X-Amp-Result": "SKIPPED(no attachment in message)", "X-Amp-File-Uploaded": "False", "X-ExtLoop1": "1", "From": "Marcin Smoczynski <marcinx.smoczynski@intel.com>", "To": "marko.kovacevic@intel.com, orika@mellanox.com, bruce.richardson@intel.com,\n\tpablo.de.lara.guarch@intel.com, radu.nicolau@intel.com,\n\takhil.goyal@nxp.com, tomasz.kantecki@intel.com,\n\tkonstantin.ananyev@intel.com, bernard.iremonger@intel.com,\n\tolivier.matz@6wind.com", "Cc": "dev@dpdk.org,\n\tMarcin Smoczynski <marcinx.smoczynski@intel.com>", "Date": "Wed, 8 May 2019 12:47:17 +0200", "Message-Id": "<20190508104717.13448-3-marcinx.smoczynski@intel.com>", "X-Mailer": "git-send-email 2.21.0.windows.1", "In-Reply-To": "<20190508104717.13448-1-marcinx.smoczynski@intel.com>", "References": "<20190508104717.13448-1-marcinx.smoczynski@intel.com>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "Subject": "[dpdk-dev] [PATCH 3/3] examples/ipsec-secgw: add support for ipv6\n\toptions", "X-BeenThere": "dev@dpdk.org", "X-Mailman-Version": "2.1.15", "Precedence": "list", "List-Id": "DPDK patches and discussions <dev.dpdk.org>", "List-Unsubscribe": "<https://mails.dpdk.org/options/dev>,\n\t<mailto:dev-request@dpdk.org?subject=unsubscribe>", "List-Archive": "<http://mails.dpdk.org/archives/dev/>", "List-Post": "<mailto:dev@dpdk.org>", "List-Help": "<mailto:dev-request@dpdk.org?subject=help>", "List-Subscribe": "<https://mails.dpdk.org/listinfo/dev>,\n\t<mailto:dev-request@dpdk.org?subject=subscribe>", "Errors-To": "dev-bounces@dpdk.org", "Sender": "\"dev\" <dev-bounces@dpdk.org>" }, "content": "Using transport with IPv6 and header extensions requires calculating\ntotal header length including extensions up to ESP header which is\nachieved with iteratively parsing extensions when preparing traffic\nfor processing. Calculated l3_len is later used to determine SPI\nfield offset for an inbound traffic and to reconstruct L3 header by\nlibrte_ipsec.\n\nA simple unittest script is provided to test various headers for the\nIPv6 transport mode. Within each test case a test packet is crafted\nwith Scapy and sent as an inbound or outbound traffic. Application\nresponse is then checked with a set of assertions.\n\nSigned-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>\n---\n examples/ipsec-secgw/ipsec-secgw.c | 33 +++-\n examples/ipsec-secgw/sa.c | 5 +-\n examples/ipsec-secgw/test/test-scapy.py | 231 ++++++++++++++++++++++++\n 3 files changed, 260 insertions(+), 9 deletions(-)\n create mode 100755 examples/ipsec-secgw/test/test-scapy.py", "diff": "diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c\nindex 478dd80c2..1c49aa22c 100644\n--- a/examples/ipsec-secgw/ipsec-secgw.c\n+++ b/examples/ipsec-secgw/ipsec-secgw.c\n@@ -41,6 +41,7 @@\n #include <rte_jhash.h>\n #include <rte_cryptodev.h>\n #include <rte_security.h>\n+#include <rte_ip.h>\n \n #include \"ipsec.h\"\n #include \"parser.h\"\n@@ -248,16 +249,38 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t)\n \t\tpkt->l2_len = 0;\n \t\tpkt->l3_len = sizeof(struct ip);\n \t} else if (eth->ether_type == rte_cpu_to_be_16(ETHER_TYPE_IPv6)) {\n-\t\tnlp = (uint8_t *)rte_pktmbuf_adj(pkt, ETHER_HDR_LEN);\n-\t\tnlp = RTE_PTR_ADD(nlp, offsetof(struct ip6_hdr, ip6_nxt));\n-\t\tif (*nlp == IPPROTO_ESP)\n+\t\tint next_proto;\n+\t\tsize_t l3len, ext_len;\n+\t\tstruct ipv6_hdr *v6h;\n+\t\tuint8_t *p;\n+\n+\t\t/* get protocol type */\n+\t\tv6h = (struct ipv6_hdr *)rte_pktmbuf_adj(pkt, ETHER_HDR_LEN);\n+\t\tnext_proto = v6h->proto;\n+\n+\t\t/* determine l3 header size up to ESP extension */\n+\t\tl3len = sizeof(struct ip6_hdr);\n+\t\tp = rte_pktmbuf_mtod(pkt, uint8_t *);\n+\t\twhile (next_proto != IPPROTO_ESP && l3len < pkt->data_len &&\n+\t\t\t(next_proto = rte_ipv6_get_next_ext(p + l3len,\n+\t\t\t\t\t\tnext_proto, &ext_len)) >= 0)\n+\t\t\tl3len += ext_len;\n+\n+\t\t/* drop packet when IPv6 header exceeds first segment length */\n+\t\tif (unlikely(l3len > pkt->data_len)) {\n+\t\t\trte_pktmbuf_free(pkt);\n+\t\t\treturn;\n+\t\t}\n+\n+\t\tif (next_proto == IPPROTO_ESP)\n \t\t\tt->ipsec.pkts[(t->ipsec.num)++] = pkt;\n \t\telse {\n-\t\t\tt->ip6.data[t->ip6.num] = nlp;\n+\t\t\tt->ip6.data[t->ip6.num] = rte_pktmbuf_mtod_offset(pkt,\n+\t\t\t\tuint8_t *, offsetof(struct ipv6_hdr, proto));\n \t\t\tt->ip6.pkts[(t->ip6.num)++] = pkt;\n \t\t}\n \t\tpkt->l2_len = 0;\n-\t\tpkt->l3_len = sizeof(struct ip6_hdr);\n+\t\tpkt->l3_len = l3len;\n \t} else {\n \t\t/* Unknown/Unsupported type, drop the packet */\n \t\tRTE_LOG(ERR, IPSEC, \"Unsupported packet type 0x%x\\n\",\ndiff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c\nindex b850e9839..607527d08 100644\n--- a/examples/ipsec-secgw/sa.c\n+++ b/examples/ipsec-secgw/sa.c\n@@ -1228,10 +1228,7 @@ single_inbound_lookup(struct ipsec_sa *sadb, struct rte_mbuf *pkt,\n \t*sa_ret = NULL;\n \n \tip = rte_pktmbuf_mtod(pkt, struct ip *);\n-\tif (ip->ip_v == IPVERSION)\n-\t\tesp = (struct esp_hdr *)(ip + 1);\n-\telse\n-\t\tesp = (struct esp_hdr *)(((struct ip6_hdr *)ip) + 1);\n+\tesp = rte_pktmbuf_mtod_offset(pkt, struct esp_hdr *, pkt->l3_len);\n \n \tif (esp->spi == INVALID_SPI)\n \t\treturn;\ndiff --git a/examples/ipsec-secgw/test/test-scapy.py b/examples/ipsec-secgw/test/test-scapy.py\nnew file mode 100755\nindex 000000000..d7f66b734\n--- /dev/null\n+++ b/examples/ipsec-secgw/test/test-scapy.py\n@@ -0,0 +1,231 @@\n+#!/usr/bin/env python3\n+\n+# Run DPDK IPsec example with following arguments:\n+# ./dpdk-ipsec-secgw --log-level=31 -l 0 --vdev=crypto_openssl --vdev=net_tap0 --vdev=net_tap1 -- -P -p 0x3 -u 0x1 --config \"(0,0,0),(1,0,0)\" -f test-transport.cfg -l\n+# Two tap ports are expected: 0: unprotected (remote), 1: protected (local)\n+\n+# sample configuration:\n+#\tsp ipv6 out esp protect 5 pri 1 \\\n+#\tsrc 1111:0000:0000:0000:0000:0000:0000:0000/64 \\\n+#\tdst 2222:0000:0000:0000:0000:0000:0000:0000/64 \\\n+#\tsport 0:65535 dport 0:65535\n+#\n+#\tsp ipv6 in esp protect 6 pri 1 \\\n+#\tsrc 2222:0000:0000:0000:0000:0000:0000:0000/64 \\\n+#\tdst 1111:0000:0000:0000:0000:0000:0000:0000/64 \\\n+#\tsport 0:65535 dport 0:65535\n+#\n+#\tsa out 5 cipher_algo aes-128-cbc cipher_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \\\n+#\tauth_algo sha1-hmac auth_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \\\n+#\tmode transport\n+#\n+#\tsa in 6 cipher_algo aes-128-cbc cipher_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \\\n+#\tauth_algo sha1-hmac auth_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \\\n+#\tmode transport\n+#\n+#\trt ipv6 dst 1111:0000:0000:0000:0000:0000:0000:0000/64 port 1\n+#\trt ipv6 dst 2222:0000:0000:0000:0000:0000:0000:0000/64 port 0\n+#\n+# run tests with:\n+# python3 -m unittest test-scapy\n+\n+\n+import socket\n+import sys\n+import unittest\n+from scapy.all import *\n+\n+\n+SRC_ETHER = \"52:54:00:00:00:01\"\n+DST_ETHER = \"52:54:00:00:00:02\"\n+SRC_ADDR = \"1111::1\"\n+DST_ADDR = \"2222::1\"\n+LOCAL_IFACE = \"dtap1\"\n+REMOTE_IFACE = \"dtap0\"\n+\n+\n+class Interface(object):\n+ ETH_P_ALL = 3\n+ MAX_PACKET_SIZE = 1280\n+ def __init__(self, ifname):\n+ self.name = ifname\n+ self.s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))\n+ self.s.bind((self.name, 0, socket.PACKET_OTHERHOST))\n+\n+ def __del__(self):\n+ self.s.close()\n+\n+ def send_packet(self, pkt):\n+ self.send_bytes(bytes(pkt))\n+\n+ def send_bytes(self, bytedata):\n+ self.s.send(bytedata)\n+\n+ def recv_packet(self):\n+ return Ether(self.recv_bytes())\n+\n+ def recv_bytes(self):\n+ return self.s.recv(Interface.MAX_PACKET_SIZE)\n+\n+\n+class TestTransportMode(unittest.TestCase):\n+ # There is a bug in the IPsec Scapy implementation\n+ # which causes invalid packet reconstruction after\n+ # successful decryption. This method is a workaround.\n+ @staticmethod\n+ def decrypt(pkt, sa):\n+ esp = pkt[ESP]\n+\n+ # decrypt dummy packet with no extensions\n+ d = sa.decrypt(IPv6()/esp)\n+\n+ # fix 'next header' in the preceding header of the original\n+ # packet and remove ESP\n+ pkt[ESP].underlayer.nh = d[IPv6].nh\n+ pkt[ESP].underlayer.remove_payload()\n+\n+ # combine L3 header with decrypted payload\n+ npkt = pkt/d[IPv6].payload\n+\n+ # fix length\n+ npkt[IPv6].plen = d[IPv6].plen + len(pkt[IPv6].payload)\n+\n+ return npkt\n+\n+ def setUp(self):\n+ self.ilocal = Interface(LOCAL_IFACE)\n+ self.iremote = Interface(REMOTE_IFACE)\n+ self.outb_sa = SecurityAssociation(ESP, spi=5, crypt_algo='AES-CBC', crypt_key='\\x00'*16, auth_algo='HMAC-SHA1-96', auth_key='\\x00'*20)\n+ self.inb_sa = SecurityAssociation(ESP, spi=6, crypt_algo='AES-CBC', crypt_key='\\x00'*16, auth_algo='HMAC-SHA1-96', auth_key='\\x00'*20)\n+\n+ def test_outb_ipv6_noopt(self):\n+ pkt = Ether(src=SRC_ETHER, dst=DST_ETHER)\n+ pkt /= IPv6(src=SRC_ADDR, dst=DST_ADDR)\n+ pkt /= UDP(sport=123,dport=456)/Raw(load=\"abc\")\n+ self.ilocal.send_packet(pkt)\n+\n+ # check response\n+ resp = self.iremote.recv_packet()\n+ self.assertEqual(resp[IPv6].nh, socket.IPPROTO_ESP)\n+ self.assertEqual(resp[ESP].spi, 5)\n+\n+ # decrypt response, check packet after decryption\n+ d = TestTransportMode.decrypt(resp[IPv6], self.outb_sa)\n+ self.assertEqual(d[IPv6].nh, socket.IPPROTO_UDP)\n+ self.assertEqual(d[UDP].sport, 123)\n+ self.assertEqual(d[UDP].dport, 456)\n+ self.assertEqual(bytes(d[UDP].payload), b'abc')\n+\n+ def test_outb_ipv6_opt(self):\n+ hoptions = []\n+ hoptions.append(RouterAlert(value=2))\n+ hoptions.append(Jumbo(jumboplen=5000))\n+ hoptions.append(Pad1())\n+\n+ doptions = []\n+ doptions.append(HAO(hoa=\"1234::4321\"))\n+\n+ pkt = Ether(src=SRC_ETHER, dst=DST_ETHER)\n+ pkt /= IPv6(src=SRC_ADDR, dst=DST_ADDR)\n+ pkt /= IPv6ExtHdrHopByHop(options=hoptions)\n+ pkt /= IPv6ExtHdrRouting(addresses=[\"3333::3\",\"4444::4\"])\n+ pkt /= IPv6ExtHdrDestOpt(options=doptions)\n+ pkt /= UDP(sport=123,dport=456)/Raw(load=\"abc\")\n+ self.ilocal.send_packet(pkt)\n+\n+ # check response\n+ resp = self.iremote.recv_packet()\n+ self.assertEqual(resp[IPv6].nh, socket.IPPROTO_HOPOPTS)\n+\n+ # check extensions\n+ self.assertEqual(resp[IPv6ExtHdrHopByHop].nh, socket.IPPROTO_ROUTING)\n+ self.assertEqual(resp[IPv6ExtHdrRouting].nh, socket.IPPROTO_DSTOPTS)\n+ self.assertEqual(resp[IPv6ExtHdrDestOpt].nh, socket.IPPROTO_ESP)\n+\n+ # check ESP\n+ self.assertEqual(resp[ESP].spi, 5)\n+\n+ # decrypt response, check packet after decryption\n+ d = TestTransportMode.decrypt(resp[IPv6], self.outb_sa)\n+ self.assertEqual(d[IPv6].nh, socket.IPPROTO_HOPOPTS)\n+ self.assertEqual(d[IPv6ExtHdrHopByHop].nh, socket.IPPROTO_ROUTING)\n+ self.assertEqual(d[IPv6ExtHdrRouting].nh, socket.IPPROTO_DSTOPTS)\n+ self.assertEqual(d[IPv6ExtHdrDestOpt].nh, socket.IPPROTO_UDP)\n+\n+ # check UDP\n+ self.assertEqual(d[UDP].sport, 123)\n+ self.assertEqual(d[UDP].dport, 456)\n+ self.assertEqual(bytes(d[UDP].payload), b'abc')\n+\n+ def test_inb_ipv6_noopt(self):\n+ # encrypt and send raw UDP packet\n+ pkt = IPv6(src=DST_ADDR, dst=SRC_ADDR)\n+ pkt /= UDP(sport=123,dport=456)/Raw(load=\"abc\")\n+ e = self.inb_sa.encrypt(pkt)\n+ e = Ether(src=DST_ETHER, dst=SRC_ETHER)/e\n+ self.iremote.send_packet(e)\n+\n+ # check response\n+ resp = self.ilocal.recv_packet()\n+ self.assertEqual(resp[IPv6].nh, socket.IPPROTO_UDP)\n+\n+ # check UDP packet\n+ self.assertEqual(resp[UDP].sport, 123)\n+ self.assertEqual(resp[UDP].dport, 456)\n+ self.assertEqual(bytes(resp[UDP].payload), b'abc')\n+\n+ def test_inb_ipv6_opt(self):\n+ hoptions = []\n+ hoptions.append(RouterAlert(value=2))\n+ hoptions.append(Jumbo(jumboplen=5000))\n+ hoptions.append(Pad1())\n+\n+ doptions = []\n+ doptions.append(HAO(hoa=\"1234::4321\"))\n+\n+ # prepare packet with options\n+ pkt = IPv6(src=DST_ADDR, dst=SRC_ADDR)\n+ pkt /= IPv6ExtHdrHopByHop(options=hoptions)\n+ pkt /= IPv6ExtHdrRouting(addresses=[\"3333::3\",\"4444::4\"])\n+ pkt /= IPv6ExtHdrDestOpt(options=doptions)\n+ pkt /= UDP(sport=123,dport=456)/Raw(load=\"abc\")\n+\n+ # encrypt and send packet\n+ e = self.inb_sa.encrypt(pkt)\n+ e = Ether(src=DST_ETHER, dst=SRC_ETHER)/e\n+ self.iremote.send_packet(e)\n+\n+ # check response\n+ resp = self.ilocal.recv_packet()\n+ self.assertEqual(resp[IPv6].nh, socket.IPPROTO_HOPOPTS)\n+ self.assertEqual(resp[IPv6ExtHdrHopByHop].nh, socket.IPPROTO_ROUTING)\n+ self.assertEqual(resp[IPv6ExtHdrRouting].nh, socket.IPPROTO_DSTOPTS)\n+ self.assertEqual(resp[IPv6ExtHdrDestOpt].nh, socket.IPPROTO_UDP)\n+\n+ # check UDP\n+ self.assertEqual(resp[UDP].sport, 123)\n+ self.assertEqual(resp[UDP].dport, 456)\n+ self.assertEqual(bytes(resp[UDP].payload), b'abc')\n+\n+ def test_inb_ipv6_frag(self):\n+ # prepare ESP payload\n+ pkt = UDP(sport=123,dport=456)/Raw(load=\"abc\")\n+ e = self.inb_sa.encrypt(IPv6()/pkt)\n+\n+ # craft and send inbound packet\n+ e = Ether(src=DST_ETHER, dst=SRC_ETHER)/IPv6(src=DST_ADDR, dst=SRC_ADDR)/IPv6ExtHdrFragment()/e[IPv6].payload\n+ self.iremote.send_packet(e)\n+\n+ # check response\n+ resp = self.ilocal.recv_packet()\n+ self.assertEqual(resp[IPv6].nh, socket.IPPROTO_FRAGMENT)\n+ self.assertEqual(resp[IPv6ExtHdrFragment].nh, socket.IPPROTO_UDP)\n+\n+ # check UDP\n+ self.assertEqual(resp[UDP].sport, 123)\n+ self.assertEqual(resp[UDP].dport, 456)\n+ self.assertEqual(bytes(resp[UDP].payload), b'abc')\n+\n+\n+if __name__ == \"__main__\":\n+ unittest.main()\n", "prefixes": [ "3/3" ] }