Inline IPsec offload support on crypto-enabled BlueField 2

changh · November 7, 2022, 9:49pm

Hi,
I was trying to run ipsec-gw DPDK application (22.07) with inline-crypto-mode on BlueField-2 (crypto-enabled), but it failed with the following error. Is inline crypto mode supported on BlueField 2?

sudo dpdk-ipsec-secgw -l 0,1 -n 4 --vdev “crypto_null” -a 03:00.0 -a 03:00.1 – -p 0x3 -P -u 0x3 --transfer-mode poll -f ~/default.cfg --config=“(0,0,0),(1,0,1)”

EAL: Detected CPU lcores: 8
EAL: Detected NUMA nodes: 1
EAL: Detected static linkage of DPDK
EAL: Multi-process socket /var/run/dpdk/rte/mp_socket
EAL: Selected IOVA mode ‘VA’
EAL: VFIO support initialized
mlx5_common: DevX create q counter set failed errno=22 status=0 syndrome=0
EAL: Probe PCI driver: mlx5_pci (15b3:a2d6) device: 0000:03:00.0 (socket 0)
mlx5_common: DevX create q counter set failed errno=22 status=0 syndrome=0
EAL: Probe PCI driver: mlx5_pci (15b3:a2d6) device: 0000:03:00.1 (socket 0)
mlx5_common: DevX create q counter set failed errno=22 status=0 syndrome=0
CRYPTODEV: Creating cryptodev crypto_null

CRYPTODEV: Initialisation parameters - name: crypto_null,socket id: 0, max queue pairs: 8
Promiscuous mode selected
librte_ipsec usage: disabled
replay window size: 0
ESN: disabled
SA flags: 0
Frag TTL: 10000000000 ns
lcore/cryptodev/qp mappings:
Inbound cdev mapping: lcore 0 using cdev 0 qp 0 (cdev_id_qp 0)
Inbound cdev mapping: lcore 1 using cdev 0 qp 1 (cdev_id_qp 0)

Allocated mbuf pool on socket 0
CRYPTODEV: elt_size 64 is expanded to 272

Allocated session pool on socket 0
Allocated session priv pool on socket 0
Number of mbufs in packet pool 10880
Configuring device port 0:
Address: 02:CA:F9:64:0E:2F
Creating queues: nb_rx_queue=1 nb_tx_queue=2…
EAL: Error - exiting with code: 1
Cause: Error: port 0 required RX offloads: 0x800e, available RX offloads: 0x18620f

Content of configuration file:

sp ipv4 in esp protect 105 pri 1 dst 192.168.115.0/24 sport 0:65535 dport 0:65535

#SA rules
sa in 105 cipher_algo aes-128-cbc cipher_key a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0 auth_algo sha1-hmac auth_
key a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:a0:0 mode ipv4-tunnel src 192.168.115.10 dst 192.168.115.20
type inline-crypto-offload port_id 0

#Routing rules
rt ipv4 dst 192.168.115.0/24 port 1

I tried full IPsec offload in switchdev mode with ip xfrm, and it works fine. It’s just that I cannot enable full IPsec offload in DPDK. Any help will be appreciated.

Thanks,
-Chang

vikiz · November 8, 2022, 1:25pm

Hello,

inline crypto mode is not supported on BlueField-2.
IPsec is supported in kernel (xfrm). Nvidia will have Beta support via DOCA software later this year.

Best Regards,
Viki

system · November 22, 2022, 1:26pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.