examples/ipsec-secgw: change CBC IV generation

NIST SP800-38A recommends two methods to generate unpredictable IVs
(Initilisation Vector) for CBC mode:
1) Apply the forward function to a nonce (ie.

examples/ipsec-secgw: change CBC IV generation

NIST SP800-38A recommends two methods to generate unpredictable IVs
(Initilisation Vector) for CBC mode:
1) Apply the forward function to a nonce (ie. counter)
2) Use a FIPS-approved random number generator

This patch implements the first recommended method by using the forward
function to generate the IV.

Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>

show more ...

examples/ipsec-secgw: support transport mode

IPSec transport mode support.

Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@int

examples/ipsec-secgw: support transport mode

IPSec transport mode support.

Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>

show more ...

examples/ipsec-secgw: support IPv6

Support IPSec IPv6 allowing IPv4/IPv6 traffic in IPv4 or IPv6 tunnel.

We need separate Routing (LPM) and SP (ACL) tables for IPv4 and IPv6,
but a common SA table.

examples/ipsec-secgw: support IPv6

Support IPSec IPv6 allowing IPv4/IPv6 traffic in IPv4 or IPv6 tunnel.

We need separate Routing (LPM) and SP (ACL) tables for IPv4 and IPv6,
but a common SA table.

Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>

show more ...

examples/ipsec-secgw: rework processing loop

Rework implementation moving from function pointers approach, where each
function implements very specific functionality, to a generic function
approach.

examples/ipsec-secgw: rework processing loop

Rework implementation moving from function pointers approach, where each
function implements very specific functionality, to a generic function
approach.

Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>

show more ...

examples/ipsec-secgw: fix esp padding check

Current code fails to correctly check padding sequence for inbound
packets.
Padding sequence starts on 1 but it checks for 0.

Fixes: d299106e8e31 ("examp

examples/ipsec-secgw: fix esp padding check

Current code fails to correctly check padding sequence for inbound
packets.
Padding sequence starts on 1 but it checks for 0.

Fixes: d299106e8e31 ("examples/ipsec-secgw: add IPsec sample application")

Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>

show more ...

eal: add assert macro for debug

The macro RTE_VERIFY always checks a condition.
It is optimized with "unlikely" hint.
While this macro is well suited for test applications, it is preferred
in librar

eal: add assert macro for debug

The macro RTE_VERIFY always checks a condition.
It is optimized with "unlikely" hint.
While this macro is well suited for test applications, it is preferred
in libraries and examples to enable such check in debug mode.
That's why the macro RTE_ASSERT is introduced to call RTE_VERIFY only
if built with debug logs enabled.

A lot of assert macros were duplicated and enabled with a specific flag.
Removing these #ifdef allows to test these code branches more easily
and avoid dead code pitfalls.

The ENA_ASSERT is kept (in debug mode only) because it has more
parameters to log.

Signed-off-by: Thomas Monjalon <thomas.monjalon@6wind.com>

show more ...

examples: remove useless debug flags

The debug logs must be enabled at compile-time and run-time.
There are also some internal flags in some examples to enable the debug
logs of the applications. Th

examples: remove useless debug flags

The debug logs must be enabled at compile-time and run-time.
There are also some internal flags in some examples to enable the debug
logs of the applications. They are now enabled in debug configs and
can be disabled thanks to the more generic logtype mechanism:
rte_set_log_type(RTE_LOGTYPE_USER1, 0);

Removing these #ifdef allows to test these code branches more easily
and avoid dead code pitfalls.

Signed-off-by: Thomas Monjalon <thomas.monjalon@6wind.com>
Acked-by: Yuanhan Liu <yuanhan.liu@linux.intel.com>

show more ...

examples/ipsec-secgw: fix build on FreeBSD

In FreeBSD, sys/types.h and netinet/in.h need to be included before
netinet/ip.h

There were missed typedef for u_char - <sys/types.h>
There were missed ne

examples/ipsec-secgw: fix build on FreeBSD

In FreeBSD, sys/types.h and netinet/in.h need to be included before
netinet/ip.h

There were missed typedef for u_char - <sys/types.h>
There were missed network definitions - <netinet/in.h>

Failure #13: http://dpdk.org/ml/archives/test-report/2016-March/001896.html

Fixes: d299106e8e31 ("examples/ipsec-secgw: add IPsec sample application")

Signed-off-by: Daniel Mrzyglod <danielx.t.mrzyglod@intel.com>
Acked-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>

show more ...

examples/ipsec-secgw: add IPsec sample application

Sample app implementing an IPsec Security Geteway.
The main goal of this app is to show the use of cryptodev framework
in a "real world" applicatio

examples/ipsec-secgw: add IPsec sample application

Sample app implementing an IPsec Security Geteway.
The main goal of this app is to show the use of cryptodev framework
in a "real world" application.

Currently only supported static IPv4 ESP IPsec tunnels for the following
algorithms:
- Cipher: AES-CBC, NULL
- Authentication: HMAC-SHA1, NULL

Not supported:
- SA auto negotiation (No IKE implementation)
- chained mbufs

Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>

show more ...