Created attachment 33: ipsec_secgw_failure_log.txt

repo: http://dpdk.org/git/next/dpdk-next-crypto
branch: master
commit 3331ddc doc: update ipsec lib for supported algos

The ipsec-secgw example fails to initialize when librte_ipsec is enabled and the default configuration of ep0.cfg is used. It complains that two SP rules use the same SPI:

./ipsec-secgw --log-level=8 -c 0xff -- -P -p 0x3 -u 0x1 --config "(1,0,0),(0,0,0)" -f ../ep0.cfg -l
IPSEC: get_spi_proto: SPI 110 used simultaeously by IPv4(2) and IPv6 (2) SP rules
EAL: Error - exiting with code: 1
  Cause: failed to init inbound SAs

ipsec-secgw initializes successfully when used without librte_ipsec. Full log is attached.
Yep indeed, with the '-l' flag ipsec-secgw doesn't allow an SA which matches both IPv4 and IPv6 headers.
I think there are 2 possibilities to fix it:
1. Just update the config file in examples to change the SPI for the affected entries (quick fix, though probably not the best one).
2. Make changes in ipsec-secgw to split the SA table into 2, based on the internal IP header version: one for IPv4, another for IPv6.
Created attachment 34: ipsec-secgw.patch
Hi Konstantin,
1. Do you think that the ep0.cfg configuration is not valid? Because if it is allowed by RFC to use the same SA by two different SPs, then in my opinion ipsec-secgw should not alter this behaviour.
I also attach my local changes which I made to be able to proceed with ep0.cfg. Does it make sense to you?
Thanks,
Lukasz
Hi Lukasz,
> it is allowed by RFC to use the same SA by two different SPs
AFAIK there is no place in the RFCs (at least I couldn't find it) that either directly prohibits it or says that each compliant implementation has to support such a configuration. On the other side, looking at the SPD selector fields that should be PFP-allowable and/or inherited by SAD entries, I don't see how support for such a config (multiple SPD rules referring to the same SA) can be done in a generic and performant way.
About the ipsec-secgw app and related patch - I think we can allow both IPv4 and IPv6 SPD rules to reference the same SPI, but I think in that case there should be 2 different SAs created with the same SPI (one for IPv4, another for IPv6). For that we need to split the common SA table in ipsec-secgw into 2: one for IPv4, another for IPv6.
Hi Konstantin,
> About the ipsec-secgw app and related patch - I think we can allow both IPv4
> and IPv6 SPD rules to reference the same SPI, but I think in that case there
> should be 2 different SAs created with the same SPI (one for IPv4, another
> for IPv6). For that we need to split the common SA table in ipsec-secgw into 2:
> one for IPv4, another for IPv6.
Would you please elaborate why you think there is a need to split the SA table in two tables (for IPv4 and IPv6)? Is this a need based on new features yet to come? I ask because currently ipsec-secgw supports only manual configuration of SPs & SAs and I'm not seeing the advantages of such a split.
Thanks,
Lukasz
Hi Lukasz,
> Is this a need based on new features yet to come?
Mainly yes; if (/when) we'll have the proper SAD, I think it would be the most natural way to implement it.
Again, current librte_ipsec already expects such a division: the same SA is not supposed to handle both IPv4 and IPv6 packets.
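To illustrate the check that fails in the report above and the split discussed in this thread, here is an added example (not part of the bug report, the attached patch, or the DPDK code) that parses constructed ipsec-secgw style SP/SA lines, flags an SPI referenced by both IPv4 and IPv6 SP rules the way a single shared SA table would, and then builds one SA table per inner IP version instead; the rule and key values are constructed and are not the real ep0.cfg.

```python
# Constructed ipsec-secgw style rules (not the real ep0.cfg): SPI 110 is
# referenced by both an IPv4 and an IPv6 inbound SP rule, SPI 111 only by IPv4.
# The key material is a constructed all-zero placeholder.
CONSTRUCTED_CFG = """
sp ipv4 in esp protect 110 pri 1 dst 192.168.185.0/24 sport 0:65535 dport 0:65535
sp ipv6 in esp protect 110 pri 1 dst 0000:0000:0000:0000:bbbb:bbbb:0000:0000/96 sport 0:65535 dport 0:65535
sp ipv4 in esp protect 111 pri 1 dst 192.168.186.0/24 sport 0:65535 dport 0:65535
sa in 110 aes-128-cbc key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 mode ipv4-tunnel src 172.16.2.5 dst 172.16.1.5
sa in 111 aes-128-cbc key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 mode ipv4-tunnel src 172.16.2.6 dst 172.16.1.6
"""


def parse(cfg):
    """Return (sp_rules, sa_entries).

    sp_rules: list of (ip_version, direction, spi) for 'protect' rules.
    sa_entries: dict spi -> remaining tokens of the SA line.
    """
    sps, sas = [], {}
    for line in cfg.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith('#'):
            continue
        if tok[0] == 'sp' and 'protect' in tok:
            # sp <ipv4|ipv6> <in|out> esp protect <spi> ...
            sps.append((tok[1], tok[2], int(tok[tok.index('protect') + 1])))
        elif tok[0] == 'sa':
            # sa <in|out> <spi> <cipher> key ... mode ... src ... dst ...
            sas[int(tok[2])] = tok[3:]
    return sps, sas


def spi_conflicts(sps):
    """Single shared SA table: an SPI referenced by SP rules of both IP versions
    in the same direction cannot be resolved, which is what the get_spi_proto
    error in the report describes. Returns {(direction, spi): {versions}}."""
    seen = {}
    for ver, direction, spi in sps:
        seen.setdefault((direction, spi), set()).add(ver)
    return {k: vers for k, vers in seen.items() if len(vers) > 1}


def build_split_sa_tables(sps, sas):
    """Split SA tables, one per inner IP version: an SA whose SPI is referenced
    by both IPv4 and IPv6 SP rules gets one entry in each table, so the same
    SPI no longer collides. Returns {'ipv4': {...}, 'ipv6': {...}}."""
    tables = {'ipv4': {}, 'ipv6': {}}
    for ver, direction, spi in sps:
        if spi in sas:
            tables[ver][(direction, spi)] = sas[spi]
    return tables
```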
Lukasz,
Do you agree with Konstantin's assessment? Do you have any further concerns?
Thanks
Hi Ajit,
I'm ok with the assessment. I don't have any concerns.
Thanks,
Lukasz