[dpdk-dev] [PATCH v5 0/8] Add MACsec offload support for ixgbe

Peng, Yuan yuan.peng at intel.com
Wed Jan 4 09:29:39 CET 2017


Tested-by: Peng Yuan <yuan.peng at intel.com>

- Tested Branch: master
- Tested Commit: eac901ce29be559b1bb5c5da33fe2bf5c0b4bfd6
- OS: Fedora24 4.5.5-300.fc24.x86_64
- GCC: gcc version 5.3.1 20151207
- CPU: Intel(R) Xeon(R) CPU E5-2699 v4 @ 2.20GHz
- NIC: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection [8086:10fb] 
- Default x86_64-native-linuxapp-gcc configuration
- Total 5 cases, 5 passed, 0 failed

- Prerequisites:
  1x Niantic NIC (2x 10G)
  2x IXIA ports (10G)

- Added commands:
  testpmd>set macsec offload (port_id) on encrypt (on|off) replay-protect (on|off)
  " Enable MACsec offload. "
  testpmd>set macsec offload (port_id) off
  " Disable MACsec offload. "
  testpmd>set macsec sc (tx|rx) (port_id) (mac) (pi)
  " Configure MACsec secure connection (SC). "
  testpmd>set macsec sa (tx|rx) (port_id) (idx) (an) (pn) (key)
  " Configure MACsec secure association (SA). "

- Test Case 1: MACsec packets send and receive
============================================

1. bind two ports to dpdk driver::
 ./tools/dpdk-devbind.py -b igb_uio 07:00.0 07:00.1

2. config the rx port
1). start the testpmd of rx port::
 ./testpmd -c 0xc --socket-mem 1024,1024 --file-prefix=rx -w 0000:07:00.1 \
 -- --port-topology=chained -i --crc-strip

2). set MACsec offload on::
 testpmd>set macsec offload 0 on encrypt on replay-protect on

3). set MACsec parameters as rx_port::
 testpmd>set macsec sc rx 0 00:00:00:00:00:01 0
 testpmd>set macsec sa rx 0 0 0 0 00112200000000000000000000000000

4). set MACsec parameters as tx_port::
 testpmd>set macsec sc tx 0 00:00:00:00:00:02 0
 testpmd>set macsec sa tx 0 0 0 0 00112200000000000000000000000000

5). set rxonly::
 testpmd>set fwd rxonly

6). start::
 testpmd>set promisc all on
 testpmd>start

3. config the tx port
1). start the testpmd of tx port::
 ./testpmd -c 0x30 --socket-mem 1024,1024 --file-prefix=tx -w 0000:07:00.0 \
 -- --port-topology=chained -i --crc-strip --txqflags=0x0

2). set MACsec offload on::
 testpmd>set macsec offload 0 on encrypt on replay-protect on

3). set MACsec parameters as tx_port::
 testpmd>set macsec sc tx 0 00:00:00:00:00:01 0
 testpmd>set macsec sa tx 0 0 0 0 00112200000000000000000000000000

4). set MACsec parameters as rx_port::
 testpmd>set macsec sc rx 0 00:00:00:00:00:02 0
 testpmd>set macsec sa rx 0 0 0 0 00112200000000000000000000000000

5). set txonly::
 testpmd>set fwd txonly

6). start::
 testpmd>start

4. check the result::
 testpmd>stop
 testpmd>show port xstats 0
stop the packet transmiting on tx_port first, then stop the packet receiving
on rx_port.
check the rx data and tx data:
tx_good_packets == rx_good_packets
out_pkts_encrypted == in_pkts_ok == tx_good_packets == rx_good_packets
out_octets_encrypted == in_octets_decrypted
out_octets_protected == in_octets_validated

 if you want to check the content of the packet, use the command::
 testpmd>set verbose 1
the received packets are Decrypted.
check the ol_flags:PKT_RX_IP_CKSUM_GOOD
check the content of the packet:
type=0x0800, the ptype of L2,L3,L4: L2_ETHER L3_IPV4 L4_UDP

Test Case 2: MACsec packets send and normal receive
===================================================

1. disable MACsec offload on rx port::
 testpmd>set macsec offload 0 off

2. start the the packets transfer

3. check the result::
 testpmd>stop
 testpmd>show port xstats 0
stop the testpmd on tx_port first, then stop the testpmd on rx_port.
the received packets are encrypted.
check the content of the packet:
type=0x88e5 sw ptype: L2_ETHER  - l2_len=14 - Receive queue=0x0
you can't find L3 and L4 infomation in the packet
in_octets_decrypted and in_octets_validated doesn't increase on last data
transfer.


Test Case 3: normal packet send and MACsec receive
==================================================

1. enable MACsec offload on rx port::
 testpmd>set macsec offload 0 on encrypt on replay-protect on

2. disable MACsec offload on tx port::
 testpmd>set macsec offload 0 off

3. start the the packets transfer

4. check the result::
 testpmd>stop
 testpmd>show port xstats 0
stop the testpmd on tx_port first, then stop the testpmd on rx_port.
the received packets are not encrypted.
check the content of the packet:
type=0x0800, the ptype of L2,L3,L4: L2_ETHER L3_IPV4 L4_UDP
in_octets_decrypted and out_pkts_encrypted doesn't increase on last data
transfer.


Test Case 4: MACsec send and receive with wrong parameters
==========================================================

1. don't add "--txqflags=0x0" in the tx_port command line.
   the MACsec offload can't work. the tx packets are normal packets.

2. set different pn on rx and tx port, then start the data transfer.

1) set the parameters as test case 1, start and stop the data transfer.
   check the result, rx port can receive and decrypt the packets normally.
2) reset the pn of tx port to 0::
    testpmd>set macsec sa tx 0 0 0 0 00112200000000000000000000000000
   rx port can receive the packets until the pn equals the pn of tx port::
    out_pkts_encrypted = in_pkts_late + in_pkts_ok

2. set different keys on rx and tx port, then start the data transfer::
    the RX-packets=0,
    in_octets_decrypted == out_octets_encrypted,
    in_pkts_notvalid == out_pkts_encrypted,
    in_pkts_ok=0,
    rx_good_packets=0

3. set different pi on rx and tx port(reset on rx_port), then start the data
   transfer::
    in_octets_decrypted == out_octets_encrypted,
    in_pkts_ok = 0,
    in_pkts_nosci == out_pkts_encrypted

4. set different an on rx and tx port, then start the data transfer::
    rx_good_packets=0,
    in_octets_decrypted == out_octets_encrypted,
    in_pkts_notusingsa == out_pkts_encrypted,
    in_pkts_ok=0,
    rx_good_packets=0

5. set different index on rx and tx port, then start the data transfer::
    in_octets_decrypted == out_octets_encrypted,
    in_pkts_ok == out_pkts_encrypted


Test Case 5: performance test of MACsec offload packets
==========================================================

1. tx linerate
   port0 connected to IXIA port5, port1 connected to IXIA port6, set port0
   MACsec offload on, set fwd mac.
   on IXIA side, start IXIA port6 transmit, start the IXIA capture.
   view the IXIA port5 captrued packet, the protocol is MACsec, the EtherType
   is 0x88E5, and the packet length is 96bytes, more than the normal packet
   32 bytes.
   The valid frames received rate is 10.78Mpps, and the %linerate is 100%.

2. rx linerate
   there are three ports 05:00.0 07:00.0 07:00.1. connect 07:00.0 to 07:00.1
   with cable, connect 05:00.0 to IXIA. bind the three ports to dpdk driver.
   start two testpmd::
    ./testpmd -c 0x3 --socket-mem 1024,1024 --file-prefix=rx -w 0000:07:00.1 \
    -- --port-topology=chained -i --crc-strip --txqflags=0x0

    testpmd>set macsec offload 0 on encrypt on replay-protect on
    testpmd>set macsec sc rx 0 00:00:00:00:00:01 0
    testpmd>set macsec sa rx 0 0 0 0 00112200000000000000000000000000
    testpmd>set macsec sc tx 0 00:00:00:00:00:02 0
    testpmd>set macsec sa tx 0 0 0 0 00112200000000000000000000000000
    testpmd>set fwd rxonly

    ./testpmd -c 0xc --socket-mem 1024,1024 --file-prefix=tx -b 0000:07:00.1 \
    -- --port-topology=chained -i --crc-strip --txqflags=0x0

    testpmd>set macsec offload 1 on encrypt on replay-protect on
    testpmd>set macsec sc rx 1 00:00:00:00:00:02 0
    testpmd>set macsec sa rx 1 0 0 0 00112200000000000000000000000000
    testpmd>set macsec sc tx 1 00:00:00:00:00:01 0
    testpmd>set macsec sa tx 1 0 0 0 00112200000000000000000000000000
    testpmd>set fwd mac

   start on both two testpmd.
   start data transmit from IXIA port, the frame size is 64bytes,
   the Ethertype is 0x0800. the rate is 14.88Mpps.
   check the linerate on rxonly port::
    testpmd>show port stats 0
   It shows "Rx-pps:     10775697", so the rx %linerate is 100%.
   check the MACsec packets number on tx side::
    testpmd>show port xstats 1
   on rx side::
    testpmd>show port xstats 0
   in_pkts_ok == out_pkts_encrypted




-----Original Message-----
From: dev [mailto:dev-bounces at dpdk.org] On Behalf Of Tiwei Bie
Sent: Wednesday, January 4, 2017 3:22 PM
To: dev at dpdk.org
Cc: adrien.mazarguil at 6wind.com; Lu, Wenzhuo <wenzhuo.lu at intel.com>; Mcnamara, John <john.mcnamara at intel.com>; olivier.matz at 6wind.com; thomas.monjalon at 6wind.com; Ananyev, Konstantin <konstantin.ananyev at intel.com>; Zhang, Helin <helin.zhang at intel.com>; Dai, Wei <wei.dai at intel.com>; Wang, Xiao W <xiao.w.wang at intel.com>
Subject: [dpdk-dev] [PATCH v5 0/8] Add MACsec offload support for ixgbe

This patch set adds the MACsec offload support for ixgbe.
The testpmd is also updated to support MACsec cmds.

v2:
- Update the documents for testpmd;
- Update the release notes;
- Reuse the functions provided by base code;

v3:
- Add the missing parts of MACsec mbuf flag and reorganize the patch set;
- Add an ethdev event type for MACsec;
- Advertise the MACsec offload capabilities based on the mac type;
- Minor fixes and improvements;

v4:
- Reserve bits in mbuf and ethdev for PMD specific API;
- Use the reserved bits in PMD specific API;

v5:
- Add MACsec offload in the NIC feature list;
- Minor improvements on comments;

Tiwei Bie (8):
  mbuf: reserve a Tx offload flag for PMD-specific API
  ethdev: reserve an event type for PMD-specific API
  ethdev: reserve capability flags for PMD-specific API
  net/ixgbe: add MACsec offload support
  app/testpmd: add MACsec offload commands
  doc: add ixgbe specific APIs
  doc: update the release notes for the reserved flags
  doc: add MACsec offload into NIC feature list

 app/test-pmd/cmdline.c                      | 389 ++++++++++++++++++++++
 app/test-pmd/macfwd.c                       |   7 +
 app/test-pmd/macswap.c                      |   7 +
 app/test-pmd/testpmd.h                      |   2 +
 app/test-pmd/txonly.c                       |   7 +
 doc/guides/nics/features/default.ini        |   1 +
 doc/guides/nics/features/ixgbe.ini          |   1 +
 doc/guides/rel_notes/release_17_02.rst      |  18 ++
 doc/guides/testpmd_app_ug/testpmd_funcs.rst |  32 ++
 drivers/net/ixgbe/ixgbe_ethdev.c            | 481 +++++++++++++++++++++++++++-
 drivers/net/ixgbe/ixgbe_ethdev.h            |  45 +++
 drivers/net/ixgbe/ixgbe_rxtx.c              |   5 +
 drivers/net/ixgbe/rte_pmd_ixgbe.h           | 122 +++++++
 drivers/net/ixgbe/rte_pmd_ixgbe_version.map |  11 +
 lib/librte_ether/rte_ethdev.h               |   4 +
 lib/librte_mbuf/rte_mbuf.c                  |   2 +
 lib/librte_mbuf/rte_mbuf.h                  |   5 +
 17 files changed, 1134 insertions(+), 5 deletions(-)

-- 
2.7.4



More information about the dev mailing list