SlideShare a Scribd company logo

LF_DPDK17_rte_security: enhancing IPSEC offload

L
LF_DPDK

This document describes rte_security, a framework for enabling hardware acceleration of security protocols like IPsec in DPDK. It provides a generic API to manage security sessions and interfaces with crypto and Ethernet devices. Currently it supports inline crypto acceleration and lookaside protocol acceleration. The framework is protocol-agnostic and aims to support additional protocols like SSL, PDCP, and CAPWAP. It allows applications to leverage different security accelerations through a common API.

Technology
1 of 11
Downloaded 18 times
1
2
3
4
5
6
7
8
9
10
11
Boris Pismenny (Mellanox) Declan Doherty (Intel) Hemant Agrawal (NXP) DPDK Summit - San Jose – 2017 rte_security: enabling IPsec hw acceleration #DPDKSummit
2 Introduction u Framework for management and provisioning of hardware acceleration of security protocols. u Generic APIs to manage security sessions. u Security acceleration functions are accessed through security instances which can instantiated on any device type, current supports security instances on Crypto and Ethernet devices. u Rich capabilities discovery APIs u Current only targets the support of IP Security (IPsec) protocol. u Could support a wide variety of protocols/applications u Enterprise/SMB VPNs — IPsec u Wireless backhaul — IPsec, PDCP u Data-center — SSL u WLAN backhaul — CAPWAP/DTLS u Control-plane options for above — PKCS, RNG Net PMD Security Library Crypto PMD
3 Community Collaboration u Collaborative work between Intel, Mellanoxand NXP with contributions from: u Hemant Agrawal, Declan Doherty, Akhil Goyal, Radu Nicolau, Boris Pismenny, and Aviad Yehezkel. u rte_security is now part of DPDK 17.11 as *Experimenal* API
4 Inline Crypto Acceleration u IO based acceleration performed on the physical interface as packet ingress/egress the system. u No packet headers modifications on the hardware, only encryption/decryption and authentication operations are preformed. u Hardware may support extra features like payload padding, setting of etc. HOST CRYPTO IPSEC POST- CRYPTO IPSEC PRE- CRYPTO [ inline crypto == Yes ] SET INLINE METADATA L3/L2 PMDL3 IPSec INLINE CRYPTO FILTER EGRESS INLINE CRYPTO OTHER PIPELINE STAGES SP/SA LOOKUP
5 Lookaside Protocol Acceleration u Lookaside acceleration model where packet is given to an accelerator for processing and then returned to the host after processing is complete. u Security function is provided as an extension of a librte_cryptodevcrypto PMD. u Security session is used in place of crypto session in crypto op when enqueuingand dequeuingpackets to the crypto PMD. u Supports full protocol (IPsec) processing on the accelerator. Including: u Add/remove protocol headers u Handling SA state information
6 Library Features u Protocol agnostic session API for the management of protocol state on underlying hardware. u Definitions of supported protocols, currently only IPsec, and the parameters for configuring the options. For IPsec this includes: u Acceleration type – inline crypto/lookaside protocol/inline protocol u Defining security association (SA) parameters such as Tunnel/Transport, ESP/AH, Ingress/Egress as well as associated crypto processing and key material u Crypto operations are defined using primitives defined in librte_cryptodevlimit any redefinition of parameters within DPDK. u Capabilities APIs to allow dynamic discovery of a instances features.
7 Session Management /** security session configuration parameters */ struct rte_security_session_conf config = { .action_type = RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO, /**< Type of action to be performed on the session */ .protocol = RTE_SECURITY_PROTOCOL_IPSEC, /**< Security protocol to be configured */ .ipsec = { .spi = /**< Security Protocol Index */, .salt = /** Salt value */, .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS, .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL }, /**< Configuration parameters for security session */ .crypto_xform = /** crypto transforms*/ /**< Security Session Crypto Transformations */ }; u Session APIs support u Create Session struct rte_security_session * rte_security_session_create(uint16_t id, struct rte_security_session_conf *conf, struct rte_mempool *mp); u Update u Destroy u Query (Get Stats)
8 Flow Action Programming (Inline Crypto) Pattern[2] Pattern[1] /** flow parameters */ attr->ingress = 1; /** attr->egress = 1 */ pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH; pattern[1].type = RTE_FLOW_ITEM_TYPE_IPV4; pattern[2].type = RTE_FLOW_ITEM_TYPE_ESP; pattern[3].type = RTE_FLOW_ITEM_TYPE_END; action[0].type = RTE_FLOW_ACTION_TYPE_SECURITY; action[0].conf = sa->sec_session; action[1].type = RTE_FLOW_ACTION_TYPE_ PASSTHRU; action[2].type = RTE_FLOW_ACTION_TYPE_END; HWSW
9 Summary u Provides an abstraction for provisioning security hw accelerations, initially targeting IPsec. u Can be used with ethdev and cryptodev u rte_security + rte_flow = powerful control plane u Agnostic API to allow applications to use different security accelerations. u IPsec Security Gateway Sample application is available today using rte_security to support inline crypto (on Intel’s IXGBE NET PMD) and lookaside protocol acceleration (on NXP’s DPAA2 CRYPTO PMD). u Go try it out!
10 Future Work u Further IPsec enablement u Further encapsulations u LSO + checksum u IPsec inline protocol offload u Further protocol enablement u MACsec, PDCP, DTLS, etc would fit under this model. u Software equivalent enablement u It could be possible to offer software equivalent processing under this API, may or may not be desirable depending on protocol and it’s processing overhead.
Questions? Boris Pismenny (Mellanox) Declan Doherty (Intel) Hemant Agrawal (NXP)

More Related Content

PDF
LF_DPDK17_DPDK on Microsoft Azure
LF_DPDK
 
PDF
LF_DPDK17_rte_raw_device: implementing programmable accelerators using generi...
LF_DPDK
 
PDF
LF_DPDK17_Abstract APIs for DPDK and ODP
LF_DPDK
 
PDF
LF_DPDK17_Accelerating NFV with VMware's Enhanced Network Stack (ENS) and Int...
LF_DPDK
 
PPTX
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
44CON
 
PDF
Intel- OpenStack Summit 2016/Red Hat NFV Mini Summit
kimw001
 
PDF
KDDI - OpenStack Summit 2016/Red Hat NFV Mini Summit
kimw001
 
PPTX
6WINDGate™ - Powering the New-Generation of IPsec Gateways
6WIND
 
LF_DPDK17_DPDK on Microsoft Azure
LF_DPDK
 
LF_DPDK17_rte_raw_device: implementing programmable accelerators using generi...
LF_DPDK
 
LF_DPDK17_Abstract APIs for DPDK and ODP
LF_DPDK
 
LF_DPDK17_Accelerating NFV with VMware's Enhanced Network Stack (ENS) and Int...
LF_DPDK
 
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
44CON
 
Intel- OpenStack Summit 2016/Red Hat NFV Mini Summit
kimw001
 
KDDI - OpenStack Summit 2016/Red Hat NFV Mini Summit
kimw001
 
6WINDGate™ - Powering the New-Generation of IPsec Gateways
6WIND
 

What's hot (20)

PPTX
6WINDGate™ - Powering the New Generation of Network Appliances
6WIND
 
PDF
Brocade Software Networking (SDN NFV Day ITB 2016)
SDNRG ITB
 
PDF
Cisco - OpenStack Summit 2016/Red Hat NFV Mini Summit
kimw001
 
PDF
DPDK Summit 2015 - Intro - Tim O'Driscoll
Jim St. Leger
 
PDF
Presentación Laboratorio NFV de Telefónica de Antonio Elizondo
videos
 
PDF
Network Function Virtualisation (NFV) BoF
APNIC
 
PDF
Improving performance and efficiency with Network Virtualization Overlays
Adam Johnson
 
PDF
Red hat NFV Roadmap - OpenStack Summit 2016/Red Hat NFV Mini Summit
kimw001
 
PDF
F5 perspective of nfv+sdn (SDN NFV Day ITB 2016)
SDNRG ITB
 
PDF
Cto’s guide to sdn, nfv and vnf
Paulo R
 
PDF
MidoNet 101
alexbikfalvi
 
PDF
2014년 오픈소스 기반 플랫폼 기술 세미나 - Let's Start NFV & SDN
Hongsik Choi
 
PPTX
SDN & NFV: Driving Additional Value into Managed Services
TBI Inc.
 
PDF
9th SDN Expert Group Seminar - Session3
NAIM Networks, Inc.
 
PDF
F5 Networks - - OpenStack Summit 2016/Red Hat NFV Mini Summit
kimw001
 
PPTX
OpenContrail Silicon Valley Meetup Aug 25 2015
Scott Sneddon
 
PDF
The Power of SmartNICs
Netronome
 
PDF
DPDK Architecture Musings - Andy Harvey
harryvanhaaren
 
PDF
Building the SD-Branch using uCPE
Michelle Holley
 
PDF
The NFV, SDN & Wireless Network Infrastructure Market: 2015 - 2020 - Opportun...
LeeSam111
 
6WINDGate™ - Powering the New Generation of Network Appliances
6WIND
 
Brocade Software Networking (SDN NFV Day ITB 2016)
SDNRG ITB
 
Cisco - OpenStack Summit 2016/Red Hat NFV Mini Summit
kimw001
 
DPDK Summit 2015 - Intro - Tim O'Driscoll
Jim St. Leger
 
Presentación Laboratorio NFV de Telefónica de Antonio Elizondo
videos
 
Network Function Virtualisation (NFV) BoF
APNIC
 
Improving performance and efficiency with Network Virtualization Overlays
Adam Johnson
 
Red hat NFV Roadmap - OpenStack Summit 2016/Red Hat NFV Mini Summit
kimw001
 
F5 perspective of nfv+sdn (SDN NFV Day ITB 2016)
SDNRG ITB
 
Cto’s guide to sdn, nfv and vnf
Paulo R
 
MidoNet 101
alexbikfalvi
 
2014년 오픈소스 기반 플랫폼 기술 세미나 - Let's Start NFV & SDN
Hongsik Choi
 
SDN & NFV: Driving Additional Value into Managed Services
TBI Inc.
 
9th SDN Expert Group Seminar - Session3
NAIM Networks, Inc.
 
F5 Networks - - OpenStack Summit 2016/Red Hat NFV Mini Summit
kimw001
 
OpenContrail Silicon Valley Meetup Aug 25 2015
Scott Sneddon
 
The Power of SmartNICs
Netronome
 
DPDK Architecture Musings - Andy Harvey
harryvanhaaren
 
Building the SD-Branch using uCPE
Michelle Holley
 
The NFV, SDN & Wireless Network Infrastructure Market: 2015 - 2020 - Opportun...
LeeSam111
 
Ad

Similar to LF_DPDK17_rte_security: enhancing IPSEC offload (20)

PPT
Vp ns
Swarup Kumar Mall
 
PPT
VPN
Swarup Kumar Mall
 
PDF
Working Survey of Authentication Header and Encapsulating Security Payload
ijtsrd
 
DOCX
college assignment on Applications of ipsec
bigchill29
 
PDF
I psec cisco
Deepak296
 
PDF
IP security and VPN presentation
KishoreTs3
 
PDF
Cns unit4
PRADEEPJ30
 
PDF
Cns unit4
PRADEEPJ30
 
DOC
Resume_Appaji
Appaji K
 
PPT
aaa
hungnhatban
 
PPT
Sectools
securedome
 
DOC
Ip sec
Shiva Krishna Chandra Shekar
 
PPTX
Lec 9.pptx
ssuserbab2f4
 
PPT
Blug Talk
guestb9d7f98
 
PPT
Blug talk
Swarup Kumar Mall
 
PDF
Stay Anonymous and Protected.pdf
Enterprise world
 
PPTX
Network Security version Virtual Private Networks
Zaheer Parvez
 
DOCX
Kasturi_Puramwar
Kasturi Puramwar
 
PDF
Wrapped rsa cryptography check on window
iaemedu
 
PPTX
VPN in Virtualized DataCenter
Jang Group of Companies
 
Vp ns
Swarup Kumar Mall
 
VPN
Swarup Kumar Mall
 
Working Survey of Authentication Header and Encapsulating Security Payload
ijtsrd
 
college assignment on Applications of ipsec
bigchill29
 
I psec cisco
Deepak296
 
IP security and VPN presentation
KishoreTs3
 
Cns unit4
PRADEEPJ30
 
Cns unit4
PRADEEPJ30
 
Resume_Appaji
Appaji K
 
aaa
hungnhatban
 
Sectools
securedome
 
Ip sec
Shiva Krishna Chandra Shekar
 
Lec 9.pptx
ssuserbab2f4
 
Blug Talk
guestb9d7f98
 
Blug talk
Swarup Kumar Mall
 
Stay Anonymous and Protected.pdf
Enterprise world
 
Network Security version Virtual Private Networks
Zaheer Parvez
 
Kasturi_Puramwar
Kasturi Puramwar
 
Wrapped rsa cryptography check on window
iaemedu
 
VPN in Virtualized DataCenter
Jang Group of Companies
 
Ad

More from LF_DPDK (20)

PDF
LF_DPDK17_Event Adapters - Connecting Devices to Eventdev
LF_DPDK
 
PDF
LF_DPDK17_Integrating and using DPDK with Open vSwitch
LF_DPDK
 
PDF
LF_DPDK17_ OpenVswitch hardware offload over DPDK
LF_DPDK
 
PDF
LF_DPDK17_DPDK support for new hardware offloads
LF_DPDK
 
PDF
LF_DPDK17_DPDK's best kept secret – Micro-benchmark performance tests
LF_DPDK
 
PDF
LF_DPDK17_Lagopus Router
LF_DPDK
 
PDF
LF_DPDK17_DPDK Membership Library
LF_DPDK
 
PDF
LF_DPDK17_testpmd: swissknife for NFV
LF_DPDK
 
PDF
LF_DPDK17_Make DPDK's software traffic manager a deployable solution for vBNG
LF_DPDK
 
PDF
LF_DPDK17_OpenNetVM: A high-performance NFV platforms to meet future communic...
LF_DPDK
 
PDF
LF_DPDK17_VPP Host Stack
LF_DPDK
 
PDF
LF_DPDK17_Accelerating Packet Processing with FPGA NICs
LF_DPDK
 
PDF
LF_DPDK17_Enabling hardware acceleration in DPDK data plane applications
LF_DPDK
 
PDF
LF_DPDK17_Serverless DPDK - How SmartNIC resident DPDK Accelerates Packet Pro...
LF_DPDK
 
PDF
LF_DPDK17_Flexible and Extensible support for new protocol processing with DP...
LF_DPDK
 
PDF
LF_DPDK17_Technical Roadmap
LF_DPDK
 
PDF
LF_DPDK_Mellanox bifurcated driver model
LF_DPDK
 
PDF
LF_DPDK17_DPDK with KNI – Pushing the Performance of an SDWAN Gateway to High...
LF_DPDK
 
PDF
LF_DPDK17_mediated devices: better userland IO
LF_DPDK
 
PDF
LF_DPDK17_Enhanced Memory Management
LF_DPDK
 
LF_DPDK17_Event Adapters - Connecting Devices to Eventdev
LF_DPDK
 
LF_DPDK17_Integrating and using DPDK with Open vSwitch
LF_DPDK
 
LF_DPDK17_ OpenVswitch hardware offload over DPDK
LF_DPDK
 
LF_DPDK17_DPDK support for new hardware offloads
LF_DPDK
 
LF_DPDK17_DPDK's best kept secret – Micro-benchmark performance tests
LF_DPDK
 
LF_DPDK17_Lagopus Router
LF_DPDK
 
LF_DPDK17_DPDK Membership Library
LF_DPDK
 
LF_DPDK17_testpmd: swissknife for NFV
LF_DPDK
 
LF_DPDK17_Make DPDK's software traffic manager a deployable solution for vBNG
LF_DPDK
 
LF_DPDK17_OpenNetVM: A high-performance NFV platforms to meet future communic...
LF_DPDK
 
LF_DPDK17_VPP Host Stack
LF_DPDK
 
LF_DPDK17_Accelerating Packet Processing with FPGA NICs
LF_DPDK
 
LF_DPDK17_Enabling hardware acceleration in DPDK data plane applications
LF_DPDK
 
LF_DPDK17_Serverless DPDK - How SmartNIC resident DPDK Accelerates Packet Pro...
LF_DPDK
 
LF_DPDK17_Flexible and Extensible support for new protocol processing with DP...
LF_DPDK
 
LF_DPDK17_Technical Roadmap
LF_DPDK
 
LF_DPDK_Mellanox bifurcated driver model
LF_DPDK
 
LF_DPDK17_DPDK with KNI – Pushing the Performance of an SDWAN Gateway to High...
LF_DPDK
 
LF_DPDK17_mediated devices: better userland IO
LF_DPDK
 
LF_DPDK17_Enhanced Memory Management
LF_DPDK
 

Recently uploaded (20)

PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PDF
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
PPTX
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
PDF
Web App vs Mobile App What Should You Build First.pdf
KodekX
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
PPTX
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
Web App vs Mobile App What Should You Build First.pdf
KodekX
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 

LF_DPDK17_rte_security: enhancing IPSEC offload

  • 2. 2 Introduction u Framework for management and provisioning of hardware acceleration of security protocols. u Generic APIs to manage security sessions. u Security acceleration functions are accessed through security instances which can instantiated on any device type, current supports security instances on Crypto and Ethernet devices. u Rich capabilities discovery APIs u Current only targets the support of IP Security (IPsec) protocol. u Could support a wide variety of protocols/applications u Enterprise/SMB VPNs — IPsec u Wireless backhaul — IPsec, PDCP u Data-center — SSL u WLAN backhaul — CAPWAP/DTLS u Control-plane options for above — PKCS, RNG Net PMD Security Library Crypto PMD
  • 3. 3 Community Collaboration u Collaborative work between Intel, Mellanoxand NXP with contributions from: u Hemant Agrawal, Declan Doherty, Akhil Goyal, Radu Nicolau, Boris Pismenny, and Aviad Yehezkel. u rte_security is now part of DPDK 17.11 as *Experimenal* API
  • 4. 4 Inline Crypto Acceleration u IO based acceleration performed on the physical interface as packet ingress/egress the system. u No packet headers modifications on the hardware, only encryption/decryption and authentication operations are preformed. u Hardware may support extra features like payload padding, setting of etc. HOST CRYPTO IPSEC POST- CRYPTO IPSEC PRE- CRYPTO [ inline crypto == Yes ] SET INLINE METADATA L3/L2 PMDL3 IPSec INLINE CRYPTO FILTER EGRESS INLINE CRYPTO OTHER PIPELINE STAGES SP/SA LOOKUP
  • 5. 5 Lookaside Protocol Acceleration u Lookaside acceleration model where packet is given to an accelerator for processing and then returned to the host after processing is complete. u Security function is provided as an extension of a librte_cryptodevcrypto PMD. u Security session is used in place of crypto session in crypto op when enqueuingand dequeuingpackets to the crypto PMD. u Supports full protocol (IPsec) processing on the accelerator. Including: u Add/remove protocol headers u Handling SA state information
  • 6. 6 Library Features u Protocol agnostic session API for the management of protocol state on underlying hardware. u Definitions of supported protocols, currently only IPsec, and the parameters for configuring the options. For IPsec this includes: u Acceleration type – inline crypto/lookaside protocol/inline protocol u Defining security association (SA) parameters such as Tunnel/Transport, ESP/AH, Ingress/Egress as well as associated crypto processing and key material u Crypto operations are defined using primitives defined in librte_cryptodevlimit any redefinition of parameters within DPDK. u Capabilities APIs to allow dynamic discovery of a instances features.
  • 7. 7 Session Management /** security session configuration parameters */ struct rte_security_session_conf config = { .action_type = RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO, /**< Type of action to be performed on the session */ .protocol = RTE_SECURITY_PROTOCOL_IPSEC, /**< Security protocol to be configured */ .ipsec = { .spi = /**< Security Protocol Index */, .salt = /** Salt value */, .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS, .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL }, /**< Configuration parameters for security session */ .crypto_xform = /** crypto transforms*/ /**< Security Session Crypto Transformations */ }; u Session APIs support u Create Session struct rte_security_session * rte_security_session_create(uint16_t id, struct rte_security_session_conf *conf, struct rte_mempool *mp); u Update u Destroy u Query (Get Stats)
  • 8. 8 Flow Action Programming (Inline Crypto) Pattern[2] Pattern[1] /** flow parameters */ attr->ingress = 1; /** attr->egress = 1 */ pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH; pattern[1].type = RTE_FLOW_ITEM_TYPE_IPV4; pattern[2].type = RTE_FLOW_ITEM_TYPE_ESP; pattern[3].type = RTE_FLOW_ITEM_TYPE_END; action[0].type = RTE_FLOW_ACTION_TYPE_SECURITY; action[0].conf = sa->sec_session; action[1].type = RTE_FLOW_ACTION_TYPE_ PASSTHRU; action[2].type = RTE_FLOW_ACTION_TYPE_END; HWSW
  • 9. 9 Summary u Provides an abstraction for provisioning security hw accelerations, initially targeting IPsec. u Can be used with ethdev and cryptodev u rte_security + rte_flow = powerful control plane u Agnostic API to allow applications to use different security accelerations. u IPsec Security Gateway Sample application is available today using rte_security to support inline crypto (on Intel’s IXGBE NET PMD) and lookaside protocol acceleration (on NXP’s DPAA2 CRYPTO PMD). u Go try it out!
  • 10. 10 Future Work u Further IPsec enablement u Further encapsulations u LSO + checksum u IPsec inline protocol offload u Further protocol enablement u MACsec, PDCP, DTLS, etc would fit under this model. u Software equivalent enablement u It could be possible to offer software equivalent processing under this API, may or may not be desirable depending on protocol and it’s processing overhead.