Re: [vpp-dev] VPP tls doesn't support adding a custom tls engine, and vcl not support choosing tls engine

2019-10-20 Thread Florin Coras
Hi, 

Here’s a draft patch that allows the addition of new application crypto engine 
types [1] and another draft patch that allows the configuration of custom tls 
engines for vcl apps [2]. The latter might change as we improve vcl integration 
with tls, but for now should do. 

I pushed the patches without too much testing, so do let me know if they don’t 
work as expected.

Thanks,
Florin

[1] https://gerrit.fd.io/r/c/vpp/+/22863 
[2] https://gerrit.fd.io/r/c/vpp/+/22865


> On Oct 20, 2019, at 6:39 PM, jiangxiaom...@outlook.com wrote:
> 
> I found there's no way to add a custom tls engine, and tls_register_engine 
> only supports a maximum of 4 tls engines.
> So I think it's necessary to add at least one enum tag, like CRYPTO_ENGINE_CUSTOM, 
> to enum crypto_engine_type_t for vpp users adding their custom tls engine.
> And VCL should also support choosing the tls engine. (Now it's hard-coded to 
> CRYPTO_ENGINE_OPENSSL)
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> 
> View/Reply Online (#14251): https://lists.fd.io/g/vpp-dev/message/14251
> Mute This Topic: https://lists.fd.io/mt/36250146/675152
> Group Owner: vpp-dev+ow...@lists.fd.io
> Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub  [fcoras.li...@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-



[vpp-dev] VPP tls doesn't support adding a custom tls engine, and vcl not support choosing tls engine

2019-10-20 Thread jiangxiaoming
I found there's no way to add a custom tls engine, and *tls_register_engine* 
only supports a maximum of 4 tls engines.
So I think it's necessary to add at least one enum tag, like *CRYPTO_ENGINE_CUSTOM*, 
to enum *crypto_engine_type_t* for vpp users adding their custom tls engine.
And VCL should also support choosing the tls engine. (Now it's hard-coded to 
*CRYPTO_ENGINE_OPENSSL*)


Re: [vpp-dev] Basic l2 bridging does not work

2019-10-20 Thread Chuan Han via Lists.Fd.Io
The same problem still exists.

vpp# sh hardware-interfaces eth0
  NameIdx   Link  Hardware
eth0   2down  eth0
  Link speed: unknown
  Ethernet address b4:96:91:23:1e:d6
  Intel 82599
*carrier down *
flags: admin-up promisc pmd rx-ip4-cksum

*rx: queues 1 (max 128), desc 512 (min 32 max 4096 align 8)
tx: queues 1 (max 64), desc 512 (min 32 max 4096 align 8)*
pci: device 8086:154d subsystem 8086:7b11 address :06:00.01 numa 0
max rx packet len: 15872
promiscuous: unicast on all-multicast on
vlan offload: strip off filter off qinq off
rx offload avail:  vlan-strip ipv4-cksum udp-cksum tcp-cksum tcp-lro
   macsec-strip vlan-filter vlan-extend jumbo-frame
scatter
   security keep-crc
rx offload active: ipv4-cksum
tx offload avail:  vlan-insert ipv4-cksum udp-cksum tcp-cksum
sctp-cksum
   tcp-tso macsec-insert multi-segs security
tx offload active: none
rss avail: ipv4-tcp ipv4-udp ipv4 ipv6-tcp-ex ipv6-udp-ex
ipv6-tcp
   ipv6-udp ipv6-ex ipv6
rss active:none
tx burst function: (nil)
rx burst function: ixgbe_recv_pkts_vec

vpp#

testpmd shows that interface is up.

testpmd> show port summary 1
Number of available ports: 2
Port MAC Address   Name Driver Status   Link
*1B4:96:91:23:1E:D6 :06:00.1 net_ixgbe  up   1Mbps*
testpmd>

On Fri, Oct 18, 2019 at 8:16 PM Steven Luong (sluong) 
wrote:

> Can you reduce your rx and tx queues to 1 and try again?
>
>
>
> rx: queues 2 (max 128), desc 512 (min 32 max 4096 align 8)
> tx: queues 3 (max 64), desc 512 (min 32 max 4096 align 8)
>
> Steven
>
>
>
> *From: * on behalf of "Chuan Han via Lists.Fd.Io"
> 
> *Reply-To: *"chuan...@google.com" 
> *Date: *Friday, October 18, 2019 at 4:05 PM
> *To: *Chuan Han 
> *Cc: *"vpp-dev@lists.fd.io" 
> *Subject: *Re: [vpp-dev] Basic l2 bridging does not work
>
>
>
> Hi, Damjan,
>
>
>
> It seems the bug is in vpp.
>
>
>
> On R230, vpp shows eth0 is down.
>
>
>
> vpp# sh hardware-interfaces eth0
>   NameIdx   Link  Hardware
> eth0   2down  eth0
>   Link speed: unknown
>
>
> *  Ethernet address b4:96:91:23:1e:d6   Intel 82599 carrier down*
> flags: admin-up promisc pmd rx-ip4-cksum
> rx: queues 2 (max 128), desc 512 (min 32 max 4096 align 8)
> tx: queues 3 (max 64), desc 512 (min 32 max 4096 align 8)
> pci: device 8086:154d subsystem 8086:7b11 address :06:00.01 numa 0
> max rx packet len: 15872
> promiscuous: unicast on all-multicast on
> vlan offload: strip off filter off qinq off
> rx offload avail:  vlan-strip ipv4-cksum udp-cksum tcp-cksum tcp-lro
>macsec-strip vlan-filter vlan-extend jumbo-frame
> scatter
>security keep-crc
> rx offload active: ipv4-cksum
> tx offload avail:  vlan-insert ipv4-cksum udp-cksum tcp-cksum
> sctp-cksum
>tcp-tso macsec-insert multi-segs security
> tx offload active: none
> rss avail: ipv4-tcp ipv4-udp ipv4 ipv6-tcp-ex ipv6-udp-ex
> ipv6-tcp
>ipv6-udp ipv6-ex ipv6
> rss active:none
> tx burst function: (nil)
> rx burst function: ixgbe_recv_pkts_vec
>
> extended stats:
>   mac local errors   318
> vpp#
>
>
>
> However, the testpmd tool shows it is up.
>
>
>
> testpmd> show port summary 1
> Number of available ports: 2
> Port MAC Address   Name Driver Status   Link
> *1B4:96:91:23:1E:D6 :06:00.1 net_ixgbe  up   1Mbps*
> testpmd>
>
>
>
> Does this prove something wrong on vpp side?
>
>
>
> Thanks.
>
> Chuan
>
>
>
> On Fri, Oct 18, 2019 at 3:06 PM Chuan Han  wrote:
>
> I built the testpmd binary on both r740 and r230, and ran the test. I did see
> testpmd report some link status changes on the r230 server. The testpmd report on
> r740 is stabler. No status change reported.
>
>
>
> r230 log
>
> 
>
> Press enter to exit
>
> Port 0: link state change event
>
> Port 1: link state change event
>
> Port 1: link state change event
>
> r740 log
>
> 
>
> Press enter to exitx0 - TX RS bit threshold=32
>
> If it is a dpdk bug, what shall I do? Report to dpdk mailing list?
>
>
>
> On Fri, Oct 18, 2019 at 11:55 AM Chuan Han via Lists.Fd.Io  google@lists.fd.io> wrote:
>
> So, it is a dpdk bug?
>
>
>
> I am new to dpdk/vpp.
>
>
>
> How do I run dpdk testpmd? Shall I install dpdk separately on the r230
> server? Are there any steps to follow?
>
>
>
> On Fri, Oct 18, 2019 at 10:30 AM Damjan Marion  wrote:
>
> In this case we are purely relying on link state provided by DPDK.
>
> Have you tried to check if same problem exists with DPDK testpmd app?
>
>
>
>
>
> On 18 Oct 2019, at 10:26, Chuan Han via

Re: [vpp-dev] VPP IPSec failed to add SA

2019-10-20 Thread Ying, Ruoyu
Thanks Balaji,

I’m able to see crypto engines loaded after installing the plugins, but I still 
got the same error that the sa failed.

vpp# show  ipsec backend
IPsec AH backends available:
   Name Index Active
  crypto engine backend   0 yes
IPsec ESP backends available:
   Name Index Active
  crypto engine backend   0 no
   dpdk backend   1 yes
vpp# sh crypto engine
Name        Prio    Description
ia32        100     Intel IA32 ISA Optimized Crypto
ipsecmb     80      Intel(R) Multi-Buffer Crypto for IPsec Library 0.52.0
openssl     50      OpenSSL

vpp# set interface state VirtualFunctionEthernet0/6/0 up
vpp# set interface ip address VirtualFunctionEthernet0/5/0 192.168.70.100/24
vpp# set interface ip address VirtualFunctionEthernet0/5/0 192.168.100.3/24
vpp# set int promiscuous on VirtualFunctionEthernet0/5/0
vpp# set int promiscuous on VirtualFunctionEthernet0/6/0
vpp# set ip arp VirtualFunctionEthernet0/6/0 192.168.100.4 fa:16:3e:b3:8b:fd
vpp# ip route add count 1 104.0.0.0/32 via 192.168.100.4 VirtualFunctionEthernet0/6/0
vpp# ipsec spd add 1
vpp# set interface ipsec spd VirtualFunctionEthernet0/6/0 1
vpp# ipsec sa add 1 spi 25500128 esp tunnel-src 192.168.100.3 tunnel-dst 192.168.100.4 crypto-key 2b7e151628aed2a6abf7158809cf4f3d crypto-alg aes-cbc-128 integ-key 6867666568676665686766656867666568676669 integ-alg sha1-96
ipsec sa: failed

Anything else that I need to take care of? Thanks a lot.

Best Regards,
Ruoyu


From: Balaji Venkatraman (balajiv) 
Sent: Friday, October 18, 2019 11:59 PM
To: Ying, Ruoyu ; Neale Ranns (nranns) 
; Filip Tehlar -X (ftehlar - PANTHEON TECHNOLOGIES at Cisco) 
; vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] VPP IPSec failed to add SA

I think the vpp-plugin-core, vpp-plugin-dpdk should carry them:

sudo apt-get install vpp-plugin-core vpp-plugin-dpdk

and confirm the crypto engine is loaded :

show plugins


--
Regards,
Balaji.


From: "Ying, Ruoyu" <ruoyu.y...@intel.com>
Date: Friday, October 18, 2019 at 8:43 AM
To: "Neale Ranns (nranns)" <nra...@cisco.com>, "Filip Tehlar -X (ftehlar - 
PANTHEON TECHNOLOGIES at Cisco)" <fteh...@cisco.com>, "Balaji Venkatraman 
(balajiv)" <bala...@cisco.com>, "vpp-dev@lists.fd.io" <vpp-dev@lists.fd.io>
Subject: RE: [vpp-dev] VPP IPSec failed to add SA

Hi Neale,

I’m really new to VPP and can you tell me where’s the plugins you mentioned? 
Thanks a lot.


Best Regards,
Ruoyu

From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Neale Ranns via 
Lists.Fd.Io
Sent: Friday, October 18, 2019 4:02 PM
To: Ying, Ruoyu <ruoyu.y...@intel.com>; Filip Tehlar -X (ftehlar - PANTHEON 
TECHNOLOGIES at Cisco) <fteh...@cisco.com>; Balaji Venkatraman (balajiv) 
<bala...@cisco.com>; vpp-dev@lists.fd.io
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] VPP IPSec failed to add SA

Hi Ruoyu,

You need to load one of the crypto_* plugins that provide the engine functions.

/neale


From: "Ying, Ruoyu" <ruoyu.y...@intel.com>
Date: Friday 18 October 2019 at 09:44
To: "Filip Tehlar -X (ftehlar - PANTHEON TECHNOLOGIES at Cisco)" 
<fteh...@cisco.com>, "Balaji Venkatraman (balajiv)" <bala...@cisco.com>, 
"Neale Ranns (nranns)" <nra...@cisco.com>, "vpp-dev@lists.fd.io" 
<vpp-dev@lists.fd.io>
Subject: RE: [vpp-dev] VPP IPSec failed to add SA

Hi Filip,

I tried them also, but I still get a similar error:
vpp# set crypto handler aes-128-cbc openssl
failed to set engine openssl for aes-128-cbc!
vpp# set crypto handler aes-128-cbc ia32
failed to set engine ia32 for aes-128-cbc!

And the handlers look like this:
vpp# sh crypto handlers
Algo            Type            Active  Candidates
(nil)
des-cbc         encrypt
                decrypt
3des-cbc        encrypt
                decrypt
aes-128-cbc     encrypt
                decrypt
aes-192-cbc     encrypt
                decrypt
aes-256-cbc     encrypt
                decrypt
aes-128-ctr     encrypt
                decrypt
aes-192-ctr     encrypt
                decrypt
aes-256-ctr     encrypt
                decrypt
aes-128-gcm     aead-encrypt
                aead-decrypt
aes-192-gcm     aead-encrypt
                aead-decrypt
aes-256-gcm     aead-encrypt
                aead-decrypt
hmac-md5        hmac
hmac-sha-1      hmac
hmac-sha-224    hmac
hmac-sha-256    hmac
hmac-sha-384    hmac
hmac-sha-512    hmac

Am I setting with the correct command? Thanks a lot.


Best Regards,
Ruoyu



From: Filip Tehlar -X (ftehlar - PANTHEON TECHNOLOGIES

[vpp-dev] iommu_group value is always -1 when run vpp with dpdk plugin

2019-10-20 Thread Pei, Yulong
Hello vpp-dev and csit-dev,

When running a CSIT test, it first runs verify_vpp_on_all_duts with the default 
startup.conf, which has no uio-driver field set in it. VPP then probes the 
uio-driver automatically and, due to iommu_group=-1, changes the value of 
/sys/module/vfio/parameters/enable_unsafe_noiommu_mode in the system from N 
to Y. This causes VPP to always mistakenly run with the vfio-noiommu driver 
on a platform that is in the intel_iommu=on state.

I proposed a patch [1] to fix this issue; please kindly help review it to see 
if it is acceptable.

[1] https://gerrit.fd.io/r/c/vpp/+/22805

Normally, configuring vfio-noiommu with intel_iommu=on on a platform that 
has an IOMMU should be regarded as an invalid config, but the test results 
below (on an Intel Cascade Lake platform) puzzled me:

1. VPP worked fine with the vfio noiommu driver and intel_iommu=on when running 
with 1G hugepages.
2. VPP does not work with the vfio noiommu driver and intel_iommu=on when running 
with 2M hugepages.

So I need your expert comments on whether the vfio noiommu driver with 
intel_iommu=on is a valid configuration for VPP. If yes, it may be up to your 
experts to fix the issue of running with 2M hugepages.

Best Regards
Yulong Pei
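
Added example, not part of the original message and not VPP or CSIT code: a pre-flight check for the combination described above, a PCI device that has an IOMMU group in sysfs while vfio's enable_unsafe_noiommu_mode is Y. The function names, the sysfs-root parameter and the PCI address in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not VPP or CSIT code). The sysfs root is a parameter so the
# check can be exercised against a constructed directory tree.

# Print the device's IOMMU group number, or -1 when sysfs exposes none.
# A placeholder group created by vfio's no-IOMMU mode also counts as -1
# (assumption: the kernel names such groups "vfio-noiommu").
iommu_group_of() {  # $1 = sysfs root, $2 = PCI address
    link="$1/bus/pci/devices/$2/iommu_group"
    [ -L "$link" ] || { echo -1; return 0; }
    group=$(basename "$(readlink "$link")")
    name_file="$1/kernel/iommu_groups/$group/name"
    if [ -r "$name_file" ] && [ "$(cat "$name_file")" = "vfio-noiommu" ]; then
        echo -1
    else
        echo "$group"
    fi
}

# Print Y or N for enable_unsafe_noiommu_mode (N when vfio is not loaded).
noiommu_mode() {  # $1 = sysfs root
    f="$1/module/vfio/parameters/enable_unsafe_noiommu_mode"
    if [ -r "$f" ]; then cat "$f"; else echo N; fi
}

# Classify the combination the message describes.
audit_device() {  # $1 = sysfs root, $2 = PCI address
    group=$(iommu_group_of "$1" "$2")
    mode=$(noiommu_mode "$1")
    if [ "$mode" = "Y" ] && [ "$group" != "-1" ]; then
        echo "MISMATCH group=$group noiommu=Y"   # IOMMU present, bypass enabled
    elif [ "$mode" = "Y" ]; then
        echo "NOIOMMU group=-1 noiommu=Y"        # no IOMMU group, no DMA isolation
    else
        echo "OK group=$group noiommu=N"
    fi
}

# Stand-alone use (constructed address): ./audit.sh 0000:3b:00.0
if [ $# -ge 1 ]; then audit_device /sys "$1"; fi
```

A MISMATCH result on a host booted with intel_iommu=on is the state the message reports: the module parameter was flipped to Y even though the device could have been isolated by the IOMMU.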