Re: [vpp-dev] vlib_node_add_next usage #vpp

[Ranadip Das]

The session_register_transport() has the foreach code.

1381 /* *INDENT-OFF* */
1382 if (output_node != ~0)
1383 {
1384 foreach_vlib_main ( 
https://docs.fd.io/vpp/19.08/db/d96/threads_8h.html#a26faa6aef056b1bbb12dc83ce874923c
 ) (({
1385 next_index = vlib_node_add_next ( 
https://docs.fd.io/vpp/19.08/d8/dd1/node__funcs_8h.html#a09e4a0c3cf563727b0132cbac6429021
 ) (this_vlib_main,
1386 session_queue_node ( 
https://docs.fd.io/vpp/19.08/da/d46/session_8h.html#a6ce226a8e2ca912465cb5e93a288b7c8
 ).index,
1387 output_node);
1388 }));
1389 }
1390 /* *INDENT-ON* */
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#14103): https://lists.fd.io/g/vpp-dev/message/14103
Mute This Topic: https://lists.fd.io/mt/34376308/21656
Mute #vpp: https://lists.fd.io/mk?hashtag=vpp&subid=1480452
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [vpp-dev] vlib_node_add_next usage #vpp

[Christian Hopps]

> On Oct 2, 2019, at 6:48 PM, Ranadip Das  wrote:
> 
> Hello,
> 
> I am seeing vlib_node_add_next is getting used in two different ways.
> 
> vlib_node_add_next(vm, node_index, next_node_index);
> 
> And
> 
> foreach_vlib_main (({
>  next_index = vlib_node_add_next (this_vlib_main, node_index, 
> next_node_index);
> }));
> 
> The first one (without foreach_vlib_main) calls vlib_node_add_next only for 
> the current vm.
> Does it mean that the other workers will not have the node_index to 
> next_node_index edge in the node graph?
> 

vlib_node_add_next as it's final action calls:

vlib_worker_thread_node_runtime_update (void)
{
  /*
   * Make a note that we need to do a node runtime update
   * prior to releasing the barrier.
   */
  vlib_global_main.need_vlib_worker_thread_node_runtime_update = 1;
}

As this comment indicates (and infers) the code expects to be inside the thread 
barrier which means all work threads are waiting for the barrier to be 
released. When the barrier holder releases the barrier it first checks the 
above flag and if set sets "reforks" to the number of worker threads, then 
releases the barrier. Each worker thread will, upon being released from the 
barrier, see that "reforks" is set and update (thus in parallel) it's copy of 
the graph and runtime data, decrementing reforks and then waiting for reforks 
to reach zero before continuing on.

I don't actually see the foreach code you quote above, but I'm looking at 
stable/1908 right now. Doesn't jive with my understanding of the code.
Thanks,
Chris.


> regards!!
> _RD
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> 
> View/Reply Online (#14101): https://lists.fd.io/g/vpp-dev/message/14101
> Mute This Topic: https://lists.fd.io/mt/34376308/1826170
> Mute #vpp: https://lists.fd.io/mk?hashtag=vpp&subid=3963883
> Group Owner: vpp-dev+ow...@lists.fd.io
> Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub  [cho...@chopps.org]
> -=-=-=-=-=-=-=-=-=-=-=-



signature.asc
Description: Message signed with OpenPGP
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#14102): https://lists.fd.io/g/vpp-dev/message/14102
Mute This Topic: https://lists.fd.io/mt/34376308/21656
Mute #vpp: https://lists.fd.io/mk?hashtag=vpp&subid=1480452
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[vpp-dev] vlib_node_add_next usage #vpp

[Ranadip Das]

Hello,

I am seeing vlib_node_add_next is getting used in two different ways.

vlib_node_add_next(vm, node_index, next_node_index);

And

foreach_vlib_main (({
next_index = vlib_node_add_next (this_vlib_main, node_index, next_node_index);
}));

The first one (without foreach_vlib_main) calls vlib_node_add_next only for the 
current vm.
Does it mean that the other workers will not have the node_index to 
next_node_index edge in the node graph?

regards!!
_RD
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#14101): https://lists.fd.io/g/vpp-dev/message/14101
Mute This Topic: https://lists.fd.io/mt/34376308/21656
Mute #vpp: https://lists.fd.io/mk?hashtag=vpp&subid=1480452
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [vpp-dev] How to configure l2 gre over ipsec in vpp 19.08

[John Lo (loj) via Lists.Fd.Io]

To create GRE tunnel in L2 mode, you can add “teb” keyword in the create CLI 
which makes the GRE tunnel work in transparent ethernet bridging mode:

vpp# create gre ?
  create gre tunnelcreate gre tunnel src  dst 
 [instance ] [outer-fib-id ] [teb | erspan ] [del]

In theory, a GRE tunnel can be configured with IPSec, as described by Neale, 
irrespective of it being in teb mode or not.  Neale, please correct me if it is 
not the case.

Regards,
John

From: vpp-dev@lists.fd.io  On Behalf Of Chuan Han via 
Lists.Fd.Io
Sent: Wednesday, October 02, 2019 11:32 AM
To: Neale Ranns (nranns) 
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] How to configure l2 gre over ipsec in vpp 19.08

Gre is l3 in this case. Right? This limits the possible use cases.

Is there any plan to support l2 gre over ipsec transport mode? It seems vpp 17 
support s this feature. Not sure why it is dropped in 19.

On Wed, Oct 2, 2019, 12:18 AM Neale Ranns (nranns) 
mailto:nra...@cisco.com>> wrote:

Hi Chuan,

IPSec and GRE is supported using the tunnel protection mechanism :
  https://wiki.fd.io/view/VPP/IPSec

GRE over IPSec is only support when the SA is in tunnel mode. This means there 
is a double encap of the IP header ; once by the SA (in tunnel mode) and once 
by the tunnel itself. (Which has always been the case in VPP).

Example config follows :

  DBGvpp# ipsec sa add 20 spi 200 crypto-key 6541686776336961656264656f6f6579 
crypto-alg aes-cbc-128 tunnel-src 10.10.10.10 tunnel-dst 10.10.10.11
  DBGvpp# ipsec sa add 30 spi 300 crypto-key 6541686776336961656264656f6f6579 
crypto-alg aes-cbc-128 tunnel-src 10.10.10.11 tunnel-dst 10.10.10.10
  DBGvpp# create gre tunnel src 10.10.10.10 dst 10.10.10.11
gre0
  DBGvpp# ipsec tunnel protect gre0 sa-in 20 sa-out 30
  DBGvpp# sh ipsec protect
  gre0
   output-sa:
[1] sa 30 (0x1e) spi 300 (0x012c) protocol:esp flags:[tunnel ]
   input-sa:
[0] sa 20 (0x14) spi 200 (0x00c8) protocol:esp flags:[tunnel Protect ]

Regards,
neale


From: mailto:vpp-dev@lists.fd.io>> on behalf of "Chuan Han 
via Lists.Fd.Io" 
mailto:google@lists.fd.io>>
Reply to: "chuan...@google.com" 
mailto:chuan...@google.com>>
Date: Wednesday 2 October 2019 at 02:08
To: "vpp-dev@lists.fd.io" 
mailto:vpp-dev@lists.fd.io>>
Cc: "vpp-dev@lists.fd.io" 
mailto:vpp-dev@lists.fd.io>>
Subject: [vpp-dev] How to configure l2 gre over ipsec in vpp 19.08

Hi, vpp experts,

I am trying to configure l2 gre over ipsec. I followed the steps here:
https://docs.fd.io/vpp/16.12/ipsec_gre_doc.html

I hit the following error:
create ipsec: unknown input `gre tunnel src 10.10.10.10 dst...'

My vpp version is v19.08.1-release

It seems on this version the "create ipsec gre tunnel" command does not work. 
If so, is there any other way of configuring l2 gre over ipsec in 19.08?

Please advise.

Thanks.
Chuan
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#14100): https://lists.fd.io/g/vpp-dev/message/14100
Mute This Topic: https://lists.fd.io/mt/34364734/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [vpp-dev] How to configure l2 gre over ipsec in vpp 19.08

[Chuan Han via Lists.Fd.Io]

Gre is l3 in this case. Right? This limits the possible use cases.

Is there any plan to support l2 gre over ipsec transport mode? It seems vpp
17 support s this feature. Not sure why it is dropped in 19.

On Wed, Oct 2, 2019, 12:18 AM Neale Ranns (nranns)  wrote:

>
> Hi Chuan,
>
> IPSec and GRE is supported using the tunnel protection mechanism :
>   https://wiki.fd.io/view/VPP/IPSec
>
> GRE over IPSec is only support when the SA is in tunnel mode. This means
> there is a double encap of the IP header ; once by the SA (in tunnel mode)
> and once by the tunnel itself. (Which has always been the case in VPP).
>
> Example config follows :
>
>   DBGvpp# ipsec sa add 20 spi 200 crypto-key
> 6541686776336961656264656f6f6579 crypto-alg aes-cbc-128 tunnel-src
> 10.10.10.10 tunnel-dst 10.10.10.11
>   DBGvpp# ipsec sa add 30 spi 300 crypto-key
> 6541686776336961656264656f6f6579 crypto-alg aes-cbc-128 tunnel-src
> 10.10.10.11 tunnel-dst 10.10.10.10
>   DBGvpp# create gre tunnel src 10.10.10.10 dst 10.10.10.11
> gre0
>   DBGvpp# ipsec tunnel protect gre0 sa-in 20 sa-out 30
>   DBGvpp# sh ipsec protect
>   gre0
>output-sa:
> [1] sa 30 (0x1e) spi 300 (0x012c) protocol:esp flags:[tunnel ]
>input-sa:
> [0] sa 20 (0x14) spi 200 (0x00c8) protocol:esp flags:[tunnel
> Protect ]
>
> Regards,
> neale
>
>
> From:  on behalf of "Chuan Han via Lists.Fd.Io"
> 
> Reply to: "chuan...@google.com" 
> Date: Wednesday 2 October 2019 at 02:08
> To: "vpp-dev@lists.fd.io" 
> Cc: "vpp-dev@lists.fd.io" 
> Subject: [vpp-dev] How to configure l2 gre over ipsec in vpp 19.08
>
> Hi, vpp experts,
>
> I am trying to configure l2 gre over ipsec. I followed the steps here:
> https://docs.fd.io/vpp/16.12/ipsec_gre_doc.html
>
> I hit the following error:
> create ipsec: unknown input `gre tunnel src 10.10.10.10 dst...'
>
> My vpp version is v19.08.1-release
>
> It seems on this version the "create ipsec gre tunnel" command does not
> work. If so, is there any other way of configuring l2 gre over ipsec in
> 19.08?
>
> Please advise.
>
> Thanks.
> Chuan
>
>
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#14099): https://lists.fd.io/g/vpp-dev/message/14099
Mute This Topic: https://lists.fd.io/mt/34364734/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [vpp-dev] How to configure l2 gre over ipsec in vpp 19.08

[Neale Ranns via Lists.Fd.Io]

Hi Chuan,

IPSec and GRE is supported using the tunnel protection mechanism :
  https://wiki.fd.io/view/VPP/IPSec

GRE over IPSec is only support when the SA is in tunnel mode. This means there 
is a double encap of the IP header ; once by the SA (in tunnel mode) and once 
by the tunnel itself. (Which has always been the case in VPP).

Example config follows :

  DBGvpp# ipsec sa add 20 spi 200 crypto-key 6541686776336961656264656f6f6579 
crypto-alg aes-cbc-128 tunnel-src 10.10.10.10 tunnel-dst 10.10.10.11
  DBGvpp# ipsec sa add 30 spi 300 crypto-key 6541686776336961656264656f6f6579 
crypto-alg aes-cbc-128 tunnel-src 10.10.10.11 tunnel-dst 10.10.10.10
  DBGvpp# create gre tunnel src 10.10.10.10 dst 10.10.10.11
gre0
  DBGvpp# ipsec tunnel protect gre0 sa-in 20 sa-out 30
  DBGvpp# sh ipsec protect
  gre0
   output-sa:
    [1] sa 30 (0x1e) spi 300 (0x012c) protocol:esp flags:[tunnel ]
   input-sa:
    [0] sa 20 (0x14) spi 200 (0x00c8) protocol:esp flags:[tunnel Protect ]

Regards,
neale


From:  on behalf of "Chuan Han via Lists.Fd.Io" 

Reply to: "chuan...@google.com" 
Date: Wednesday 2 October 2019 at 02:08
To: "vpp-dev@lists.fd.io" 
Cc: "vpp-dev@lists.fd.io" 
Subject: [vpp-dev] How to configure l2 gre over ipsec in vpp 19.08

Hi, vpp experts,  

I am trying to configure l2 gre over ipsec. I followed the steps here:
https://docs.fd.io/vpp/16.12/ipsec_gre_doc.html

I hit the following error:
create ipsec: unknown input `gre tunnel src 10.10.10.10 dst...'

My vpp version is v19.08.1-release

It seems on this version the "create ipsec gre tunnel" command does not work. 
If so, is there any other way of configuring l2 gre over ipsec in 19.08?

Please advise. 

Thanks.
Chuan

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#14098): https://lists.fd.io/g/vpp-dev/message/14098
Mute This Topic: https://lists.fd.io/mt/34364734/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-