Traffic bifurcation using VSP on DPAA

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Traffic bifurcation using VSP on DPAA

3,115 Views
sakthi_mgtech
Contributor II

I am working with LS1046ARDB Evaluation Board to develop a network based application. I have started my project with Flex-builder(flexbuild_lsdk2108), Flex-installer(version: 1.13.2108) and Codewarrior IDE.

In my case LS1046ARDB device should act as network device such as switches(L2) and routers(L3) plus security device. Security operations are encryption, decryption and authentication on L2 frames and L3 datas. I have started with DPDK version 20.11 which is provided in LSDKUG21.08 by default. I was able to make a data plane application by using DPDK. At the same time i need a control plane application to make the data plane to be automatic(key's used for data plane in L2, L3 should exchange with remote LS1046ARDB device). I found this document from nxp community -> https://community.nxp.com/t5/Layerscape-Knowledge-Base/Data-Path-Development-Kit-on-Layerscape-platf...

There are three methods proposed in the above document.

Method 1: Using DPDK KNI application

Method 2: DPAA2 support HW (WRIOP) based traffic splitting with different logical ethernet interfaces.

Method 3: DPAA support HW (FMAN) – Virtual based traffic splitting with different interfaces.\

I am using LS1046ARDB, so only method 1 and 3 are available for me due to DPAA.

I have analyzed both the method 1 and 3. I have tested the method 1 by running the KNI DPDK application, it will create a virtual interface on linux networking. But i can't go with this method, i need to run the DPDK l2fwd-crypto application so i can't run multiprocess application in DPDK. The solution is to integrate the KNI DPDK code into l2fwd-crypto DPDK, but this is difficult for me because i am fresher in DPDK.

I have approached method 3 which is the configuration changed required to run this method. I tested this method also, it is working but not expected. I have a query related to this method. Here i have posted my work below with my query, guide me to achieve the control plane application with data plane(DPDK).

 

I have download the images from https://lsdk.github.io/components.html

boot_LS -> wget https://www.nxp.com/lgfiles/sdk/lsdk2108/boot_LS_arm64_lts_5.10.tgz

firmware image -> wget https://www.nxp.com/lgfiles/sdk/lsdk2108/firmware_ls1046ardb_sdboot.img

Rootfs -> wget https://www.nxp.com/lgfiles/sdk/lsdk2108/rootfs_lsdk2108_ubuntu_main_arm64.tgz

I have depolyed the image's in SD card through flex-installer:

$ flex-installer -i pf -d /dev/sdx (partition and format the target storage device)

$ sudo flex-installer -b boot_LS_arm64_lts_5.10.tgz -r rootfs_lsdk2108_ubuntu_main_arm64.tgz -f firmware_ls1046ardb_sdboot.img -d /dev/sdx

I have booted the board using SD card, by default caam driver is not enabled in linux kernel it was builded as a module.

In Bootloader i have updated the device-tree as per LSDKUG_21.08

sakthi_mgtech_0-1658750236885.pngsakthi_mgtech_1-1658750267638.png

As per the document i have done all the setting and it was working fine. I was able to receive UDP/ESP traffic in DPDK(l2fwd) and rest of all traffic in kernel. 

Here the issue was whenever i am running the l2fwd-crypto application this method is leads to failure. Once the plain packet is received into the l2fwd-crypto application means it will do the encryption and send it to outside. The encrypted packet is given to another l2fwd-crypto with the same method, this leads to Segmentation fault. The Virtual stroage profile will not able to handle the encrypted packet. If i send the encrypted TCP packet to kernel means, it also won't received this is verified by tcpdump.

I have debugged the each bytes in the encrypted packet, issue is due to UDP packet length because it is encrypted, due to this VSP channels are not working properly, not able to send the frame to top leves(DPDK user/Kernel).

Please provide me a required details to overcome this issue. 

Thanks in advance.

 

 

 

0 Kudos
Reply
8 Replies

3,102 Views
yipingwang
NXP TechSupport
NXP TechSupport

I didn't reproduce the issue in VSP scenarios with l2fwd-crypto application.
Could you please share the detailed logs?
Here is my commands to launch dpdk app.

dpdk-l2fwd-crypto -v -c 0xc -n 1 -- -p 0x03 -q 1 --chain CIPHER_HASH --cipher_algo aes-cbc --cipher_op ENCRYPT --cipher_key 01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f:10 --auth_algo sha1-hmac --auth_op GENERATE --auth_key_random_size 64

0 Kudos
Reply

3,076 Views
sakthi_mgtech
Contributor II

Hi yipingwang,

Thank you for you response.

I have attached the log and files which is required for you to analyze more on this traffic bifurcation issue in VSP. Basically i want to achieve a control plane(linux networking stack) from data plane(DPDK framework), if this method is not suitable means, let me guide to achieve the linux kernel features by using DPDK as underlying platform.

Please check the 'config and Log.zip' and give me a solution on this. Looking forward for your reply.

Thanks in advance.

0 Kudos
Reply

3,064 Views
yipingwang
NXP TechSupport
NXP TechSupport

Please refer to the following update from the SE team.

I have a trial with single board.
As customer description, the DPDK or kernel both are not received the packets, on my side, the packet can be captured both by dpdk or linux.
For segment fault, I will try it later due to i cannot find the second LS1046ARDB board.
For bad UDP packet length, i reproduced the issue, I will check it.

here is my setup.

Spirent TC (traffic generator) port 1 ------- |fm1-mac3 --- fm1-mac4 | ----- Spirent TC (traffic generator) port 2
| LS1046ARDB |

0 Kudos
Reply

3,049 Views
yipingwang
NXP TechSupport
NXP TechSupport

I reproduced the segmentation fault issue on the second LS1046ARDB board.
For UDP length, l2fwd-crypto application is designed in such a way to do custom encryption and authentication on any packet data after the IPv4 header, so This behavior of the application is the expected one.

I will keep the update about segmentation fault issue.

0 Kudos
Reply

3,043 Views
sakthi_mgtech
Contributor II

Hi yipingwang,

Thank you for you response.

For UDP length, l2fwd-crypto application is designed in such a way to do custom encryption and authentication on any packet data after the IPv4 header, so This behavior of the application is the expected one ->

       I think the issue is not only with l2fwd-crypto application, same issue is produced in linux kernel VSP also. UDP traffic is send to DPDK through VSP1, rest of the traffic is going to the kernel through VSP2. If i send a malformed TCP packet(contains malformed TCP LENGTH) to port means, linux kernel also didn't receive the TCP packet(this i have verified through tcpdump tool in linux kernel). 

Can you please ensure on linux kernel VSP side also.

0 Kudos
Reply

3,026 Views
yipingwang
NXP TechSupport
NXP TechSupport

Here is feedback from DPDK team.


l2fwd-crypto is just sample application to check the performance of an algo. Actual IPsec can be performed by dpdk-ipsec-secgw application.

Do they really need to encrypt the UDP header?

Problem is when UDP header is encrypted and packet is reaching to FMAN on next board. FMAN tries to check the UDP header including length which is invalid (because of encryption) as IPv4 next proto is UDP and this is causing the problem because of which FMAN is not able to send the packets to DPDK.

If they really want to use l2fwd-crypto, they can modify the application not to encrypt the UDP header. Or best option is use the dpdk-ipsec-secgw application.

0 Kudos
Reply

3,018 Views
sakthi_mgtech
Contributor II

I am basically developing a network encryptor application using LS1046ARDB, in my case i need to encrypt Layer 2 frame(Encryption starts from IP headers/Any header next to ethernet header) and Layer 3 packet (Encryption starts after IP header). I am using dpdk-l2fwd-crypto sample application for doing the Layer 2 frame encryption and dpdk-ipsec-secgw for Layer 3 packet encryption.

By using dpdk-l2fwd-crypto & dpdk-ipsec-secgw, i was able to achieve the data plane with maximum throughput. But my requirement is to achieve control plane along with data plane using same hardware NIC port.

@yipingwang You suggested me to test dpdk-ipsec-secgw application, i have tested the dpdk-ipsec-secgw using two LS1046ARDB board here also i am facing Segmentation fault when encrypted ESP packet received on 2nd LS1046ARDB same as dpdk-l2fwd-crypto. I have followed method mentioned in this topic under LSDKUG_Rev21.08 -> Traffic bifurcation using VSP on DPAA. Below i have attached the detailed log, please check it & update ASAP.

sakthi_mgtech_0-1660036675026.png

This is a ESP packet sent to VSP, it was causing segmentation fault in dpdk-ipsec-secgw and kernel traffic also won't receive the encrypted ESP packet. Wireshark log is stored in config.zip file.

Can you guide me in this part -> Basically i want to achieve DPDK(data traffic-encryption/decryption) with control traffic(TCP socket to exchange certificate/keys using OpenSSL) on same NIC port.

You mentioned two methods in this document under DPDK Linux Networking https://community.nxp.com/t5/Layerscape-Knowledge-Base/Data-Path-Development-Kit-on-Layerscape-platf...

Typically, DPDK PMD receives all the traffic.
DPDK Application may registers a virtual/logical ethernet interface in kernel netdev for each
physical interface it own.Based on the application logic, it sends the linux host bound traffic to Linux networking stack using this interface

sakthi_mgtech_0-1660030707884.png

I have tested kni also as per this link http://doc.dpdk.org/guides-20.11/sample_app_ug/kernel_nic_interface.html

DPDK KNI is working fine but i need to run DPDK application for packet processing/encryption/decryption/kni in single application, typically kni+dpdk-l2fwd-crypto or kni+dpdk-ipsec-secgw, is possible to integrate these two application in single application, I am fresher to DPDK can you guide me to integrate this applications or suggest alternate plan to achieve DPDK linux networking.

Thanks in advance.

0 Kudos
Reply

2,989 Views
yipingwang
NXP TechSupport
NXP TechSupport

Please refer to the following update from the SE team.

I checked the configurations file from customer, it seems customer used transport mode.

Can customer try ipsecgw with tunnel mode?

or they only need transport mode?

0 Kudos
Reply