intel / intel-ipsec-mb

Intel(R) Multi-Buffer Crypto for IPSec
BSD 3-Clause "New" or "Revised" License

Fill Job Fields #68

Closed rider8581 closed 3 years ago

rider8581 commented 3 years ago

I am developing a kind of IPsec gateway and using this library as an encryption/decryption engine.

I have to encrypt and decrypt the payload data based on a configuration like the following:

SP IPv4 rules

sp ipv4 out esp protect 7 pri 1 dst 0.0.0.0/0 sport 0:65535 dport 0:65535

sp ipv4 in esp protect 8 pri 1 dst 0.0.0.0/0 sport 0:65535 dport 0:65535

SA rules

sa out 7 cipher_algo aes-128-cbc \
cipher_key AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB \
auth_algo sha1-hmac auth_key C1:C1:C1:C1:C1:C1:C1:C1:C1:C1:C1:C1:C1:C1:C1:C1:C1:C1:C1:C1 \
mode ipv4-tunnel src 169.254.9.10 dst 169.254.9.9

sa in 8 cipher_algo aes-128-cbc \
cipher_key 12:12:12:12:12:12:12:12:12:12:12:12:12:12:12:12 \
auth_algo sha1-hmac auth_key B5:B5:B5:B5:B5:B5:B5:B5:B5:B5:B5:B5:B5:B5:B5:B5:B5:B5:B5:B5 \
mode ipv4-tunnel src 169.254.9.9 dst 169.254.9.10

Routing rules

rt ipv4 dst 169.254.9.0/24 port 0

Neighbour rules

neigh port 0 54:B2:03:8C:F3:64

There are too many parameters and I cannot find any sample code to initialize the mb_mgr and fill the job parameters based on the above configuration.

Help me, Help me, please... Any guides or sample code would be helpful to me.

rider8581 commented 3 years ago

I read the code of dpdk cryptodev, however, it is too difficult for me to use. I have no dpdk installed and to customize dpdk code for my project is taking too much time....

tkanteck commented 3 years ago

Please have a look here https://github.com/intel/intel-ipsec-mb/blob/master/test/chained_test.c to see an example of the programming interface for AES-CBC-128 HMAC-SHA1 that is identical to your configuration.

rider8581 commented 3 years ago

Thank you for your kind response. Yeah, I checked it and it seems like the IV is manually set. When I decrypt an ESP packet, I need to get the IV from the ESP header. https://github.com/intel/intel-ipsec-mb/blob/master/test/ipsec_xvalid.c Do you think this example can get the IV from the ESP header? Or are there any other examples which can decrypt or encrypt ESP packets?

tkanteck commented 3 years ago

As to packet format, you may need to look into a spec like this https://tools.ietf.org/html/rfc3602#section-3 or some example IPsec network stacks (example https://doc.dpdk.org/guides/sample_app_ug/ipsec_secgw.html).

The library is rather agnostic when it comes to the protocol above and it can be used with IPsec or TLS or something else.
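The packet layout from RFC 3602 section 3 referenced above, as an added example that is not part of the thread and not code from intel-ipsec-mb: it locates the IV, ciphertext and ICV inside a received AES-128-CBC / HMAC-SHA1 ESP packet and validates the lengths before any crypto runs. The names `esp_layout`, `esp_parse` and `esp_strip_trailer` are hypothetical; the 12-byte ICV (HMAC-SHA1-96) and the absence of extended sequence numbers are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

enum { ESP_HDR = 8, IV_LEN = 16, BLK = 16, ICV_LEN = 12 }; /* ICV: HMAC-SHA1-96 (assumed) */

/* Offsets count from the first ESP byte (the SPI), so they can be used as
 * the cipher and hash ranges of a verify-then-decrypt job. */
struct esp_layout {
    uint32_t spi, seq;
    const uint8_t *iv, *icv;        /* point into the caller's packet */
    size_t cipher_off, cipher_len;  /* ciphertext only, IV excluded */
    size_t hash_off, hash_len;      /* SPI through last ciphertext byte */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns 0 on success, -1 if len cannot be a valid ESP packet. */
int esp_parse(const uint8_t *esp, size_t len, struct esp_layout *o)
{
    if (!esp || !o || len < (size_t)(ESP_HDR + IV_LEN + BLK + ICV_LEN))
        return -1;
    size_t ct = len - ESP_HDR - IV_LEN - ICV_LEN;
    if (ct % BLK != 0)              /* CBC ciphertext is whole blocks */
        return -1;
    o->spi = be32(esp);
    o->seq = be32(esp + 4);
    o->iv = esp + ESP_HDR;          /* IV travels in clear after the header */
    o->icv = esp + len - ICV_LEN;
    o->cipher_off = ESP_HDR + IV_LEN;
    o->cipher_len = ct;
    o->hash_off = 0;
    o->hash_len = len - ICV_LEN;
    return 0;
}

/* Call only after the ICV has verified and the ciphertext is decrypted:
 * strips padding, Pad Length and Next Header. Returns inner length or -1. */
long esp_strip_trailer(const uint8_t *pt, size_t len, uint8_t *next_hdr)
{
    if (!pt || !next_hdr || len < 2 || (size_t)pt[len - 2] + 2 > len)
        return -1;
    *next_hdr = pt[len - 1];
    return (long)(len - 2 - pt[len - 2]);
}

int main(void) { uint8_t p[52] = {0}; struct esp_layout l; return esp_parse(p, sizeof p, &l); } /* constructed packet */
```

The SPI selects the SA (8 for the inbound rule in the configuration above), and the sequence number should pass an anti-replay check before the job is submitted.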

rider8581 commented 3 years ago

https://doc.dpdk.org/guides/sample_app_ug/ipsec_secgw.html I checked and ran this example, however it is based on dpdk so I cannot use it for my project. Please let me know if there are any other IPsec implementations based on intel-ipsec-mb.

tkanteck commented 3 years ago

Right but you can have a look as to how IV is extracted from the packet.

rider8581 commented 3 years ago

Yes, I know it. But it would take a lot of time to implement the ESP protocol by myself. Please let me know if there are any examples of IPSec implementation based on intel-ipsec-mb. (without dpdk)

tkanteck commented 3 years ago

I am aware of DPDK, VPP and 6Wind implementations.

rider8581 commented 3 years ago

Could you give me the reference of VPP and 6Wind?

tkanteck commented 3 years ago

https://wiki.fd.io/view/VPP/IPSec https://www.6wind.com/vrouter-solutions/6windgate/

rider8581 commented 3 years ago

Thank you for your comment. I checked the projects which you sent me, however, all those are big projects which cover their own memory management and I cannot use them because I have to run my application on Graphene-SGX (https://github.com/oscarlab/graphene). I can capture the ESP packet and I need the simple code which can decrypt it and encrypt the plain-IP packets into ESP packets to respond. Are there any other examples?

tkanteck commented 3 years ago

Sorry but I am not aware of other samples other than the ones I shared earlier. If you find something then please take a minute to post an update here. Thanks

tkanteck commented 3 years ago

Let me close this issue. Feel free to re-open or post an update at any time. Thanks