XFRM pCPU: Difference between revisions

From Libreswan
Jump to navigation Jump to search
No edit summary
No edit summary
Line 3: Line 3:


== How to test ==
== How to test ==
=== Libreswan source with pCPU supportbranch #clones-1 ===
=== Libreswan source with pCPU support branch #clones-3 ===
<pre>
<pre>
git clone --single-branch --branch clones-1 https://github.com/antonyantony/libreswan
git clone --single-branch --branch clones-3 https://github.com/antonyantony/libreswan
</pre>
</pre>
Sample config [https://github.com/antonyantony/libreswan/blob/clones-1/testing/pluto/ikev2-68-sa-clones/ipsec.conf | ipsec.conf]
Sample config [https://github.com/antonyantony/libreswan/blob/clones-1/testing/pluto/ikev2-68-sa-clones/ipsec.conf | ipsec.conf]
Line 34: Line 34:
</pre>
</pre>


===Kernel source pcpu-1====
===Kernel source pcpu-2====


git clone -b pcpu-1 https://github.com/antonyantony/linux/tree/pcpu
git clone -b pcpu-2 https://github.com/antonyantony/linux/tree/pcpu


== Kernel / xfrm plans ==
== Kernel / xfrm plans ==
* Release private branch on Steffen's repository to get wider testing.
* Release private branch on Steffen's repository to get wider testing.
* Kernel support for rekey. Possibly with refcounting the linked list on the Head SA. One could rekey in any order - either head SA or sub SA.
* Kernel support for rekey. Possibly with reference counting the linked list on the Head SA. One could rekey in any order - either head SA or sub SA.
* Ben would like to add feature bind a sub sa to a head SA,
* Ben would like to add feature bind a sub sa to a head SA,


Line 46: Line 46:
== Libreswan Plans ==
== Libreswan Plans ==
* Currently support clones=n. Both sides should have same number.
* Currently support clones=n. Both sides should have same number.
* support for asymetric configuration, one side 8(initiator) and responder (4).  
* support for asymmetric configuration, one side 8(initiator) and responder (4).  
* rekey support
* add rekey support
* fix bugs down and delete.
* fix bugs down and delete.
* don't allow clone instance on its own to be add|delete|down on the unaliased name.
* don't allow clone instance on its own to be add|delete|down on the unaliased name.

Revision as of 16:06, 31 October 2019

the idea called per cpu sa for the out going direction was discussed at Linux IPsec workshop in Prague. During the following a small group of people worked on a prototype of userspace, Libreswan, and kernel, xfrm. The libreswan picked the terminology "clones". Kernel so far calls pCPU. These names may change.


How to test

Libreswan source with pCPU support branch #clones-3

git clone --single-branch --branch clones-3 https://github.com/antonyantony/libreswan

Sample config | ipsec.conf 

conn westnet-eastnet
	rightid=@east
        leftid=@west
        left=192.1.2.45
        right=192.1.2.23
	rightsubnet=192.0.2.0/24
	leftsubnet=192.0.1.0/24
	authby=secret
        clones=2
        auto=add

ipsec auto --up westnet-eastnet
taskset 0x1 ping -n -c 2 -I 192.0.1.254 192.0.2.254
taskset 0x2 ping -n -c 2 -I 192.0.1.254 192.0.2.254

ipsec trafficstatus

ipsec whack --trafficstatus
006 #2: "westnet-eastnet-0", type=ESP, add_time=1234567890, inBytes=0, outBytes=0, id='@east'
006 #4: "westnet-eastnet-1", type=ESP, add_time=1234567890, inBytes=168, outBytes=168, id='@east'
006 #3: "westnet-eastnet-2", type=ESP, add_time=1234567890, inBytes=168, outBytes=168, id='@east'

NOTE both SA #3 and #4 has outgoing traffic on it.

Kernel source pcpu-2=

git clone -b pcpu-2 https://github.com/antonyantony/linux/tree/pcpu

Kernel / xfrm plans

  • Release private branch on Steffen's repository to get wider testing.
  • Kernel support for rekey. Possibly with reference counting the linked list on the Head SA. One could rekey in any order - either head SA or sub SA.
  • Ben would like to add feature bind a sub sa to a head SA,


Libreswan Plans

  • Currently support clones=n. Both sides should have same number.
  • support for asymmetric configuration, one side 8(initiator) and responder (4).
  • add rekey support
  • fix bugs down and delete.
  • don't allow clone instance on its own to be add|delete|down on the unaliased name.
  • test interop with unsupported version. ideally we should figure it out and not install clones. It could be that we will install clones and the last one would be used.


how add pCPU support only on OUT direction

You need extra flags to XFRM_MSG_GETSA and XFRM_MSG_UPDSA, XFRM_MSG_GETSA when dealing with out going s

XFRM_MSG_GETSA | XFRM_MSG_UPDSA

both head SA and sub SA need extra attributes.

  • head SA set XFRMA_SA_EXTRA_FLAGS to XFRM_SA_PCPU_HEAD*
  • sub sa set XFRMA_SA_EXTRA_FLAGS to XFRM_SA_PCPU_SUB AND XFRMA_SA_PCPU to <sub-sa-id>. Sub SA ID start from 0-u32

XFRM_MSG_GETSA call only change for sub sda

  • sub SA set XFRMA_SA_EXTRA_FLAGS to XFRM_SA_PCPU_SUB AND XFRMA_SA_PCPU to <sub-sa-id>.
  • also set XFRMA_SRCADDR to src addr
Retrieved from "https://libreswan.org/wiki/index.php?title=XFRM_pCPU&oldid=21744"