# VPP IPSec implementation using DPDK Cryptodev API {#dpdk_crypto_ipsec_doc}

This document is meant to contain all related information about implementation and usability.

## VPP IPsec with DPDK Cryptodev

DPDK Cryptodev is an asynchronous crypto API that supports both Hardware and Software implementations (for more details refer to [DPDK Cryptography Device Library documentation](http://dpdk.org/doc/guides/prog_guide/cryptodev_lib.html)).

When DPDK Cryptodev support is enabled, the node graph is modified by adding and replacing some of the nodes.

The following nodes are replaced:
* esp-encrypt -> dpdk-esp-encrypt
* esp-decrypt -> dpdk-esp-decrypt

The following nodes are added:
* dpdk-crypto-input : polling input node that dequeues from the crypto devices.
* dpdk-esp-encrypt-post : internal node.
* dpdk-esp-decrypt-post : internal node.

### How to enable VPP IPSec with DPDK Cryptodev support

DPDK Cryptodev support is disabled by default. To enable it, set the following env option:

    vpp_uses_dpdk_cryptodev=yes

There are a couple of ways to achieve this:
* uncomment/add it in the platform's config (e.g. build-data/platforms/vpp.mk)
* set the option when building vpp (e.g. make vpp_uses_dpdk_cryptodev=yes build-release)

### Crypto Resources allocation

VPP allocates crypto resources based on a best effort approach:
* first allocate Hardware crypto resources, then Software.
* if there are not enough crypto resources for all workers, all packets will be dropped if they reach ESP encrypt/decrypt nodes, displaying the warning:

      0: dpdk_ipsec_init: not enough cryptodevs for ipsec

### Configuration example

No special IPsec configuration is required.

Once DPDK Cryptodev is enabled, the user just needs to provide cryptodevs in the startup.conf.

    vdev cryptodev_aesni_mb_pmd,socket_id=1
    vdev cryptodev_aesni_mb_pmd,socket_id=1

In the above configuration:
* 0000:85:01.0 and 0000:85:01.1 are crypto BDFs and they require the same driver binding as DPDK Ethernet devices but they do not support any extra configuration options.
* Two AESNI-MB Software Cryptodev PMDs are created in NUMA node 1.

For further details refer to [DPDK Crypto Device Driver documentation](http://dpdk.org/doc/guides/cryptodevs/index.html)

The following CLI command displays the Cryptodev/Worker mapping:

    show crypto device mapping [verbose]
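
Because a shortage of crypto resources makes every packet that reaches the ESP nodes drop, the warning quoted under "Crypto Resources allocation" is worth checking for after each start. The script below is an added example, not part of the VPP documentation or code: it counts the software cryptodev `vdev` entries per NUMA socket in a startup.conf and fails if the warning appears in a log file. The function names, the `dpdk { }` wrapper in the sample and the file locations are assumptions supplied for illustration; the sample config and log are constructed.

```shell
#!/bin/sh
# Added example (not VPP project code): health check for the fail-closed case above.
# WARNING_TEXT is the message quoted on this page; all file contents are constructed.
WARNING_TEXT='dpdk_ipsec_init: not enough cryptodevs for ipsec'

# Print "<socket_id> <count>" per NUMA socket for software cryptodev vdevs
# found in a startup.conf. Commented-out lines are ignored ($1 is not "vdev").
sw_cryptodevs_per_socket() {
    awk '$1 == "vdev" && $2 ~ /^cryptodev_/ {
            sock = "unset"
            n = split($2, kv, ",")
            for (i = 2; i <= n; i++)
                if (kv[i] ~ /^socket_id=/) sock = substr(kv[i], 11)
            count[sock]++
         }
         END { for (s in count) print s, count[s] }' "$1" | sort
}

# Succeed (exit 0) if the log contains the allocation warning, meaning packets
# that reach the ESP encrypt/decrypt nodes are being dropped.
cryptodev_alloc_failed() {
    grep -F -q -- "$WARNING_TEXT" "$1"
}

# usage: check_ipsec_cryptodev STARTUP_CONF LOG_FILE
# Prints a one-line verdict; returns 1 when the warning is present.
check_ipsec_cryptodev() {
    total=$(sw_cryptodevs_per_socket "$1" | awk '{ n += $2 } END { print n + 0 }')
    if cryptodev_alloc_failed "$2"; then
        echo "FAIL: crypto allocation warning logged, ESP traffic is dropped (software vdevs: $total)"
        return 1
    fi
    echo "OK: no crypto allocation warning (software vdevs: $total)"
}

# Constructed sample input: the two vdev lines from this page plus a log excerpt.
DEMO_CONF=$(mktemp) DEMO_LOG=$(mktemp)
trap 'rm -f "$DEMO_CONF" "$DEMO_LOG"' EXIT
cat > "$DEMO_CONF" <<'EOF'
dpdk {
  vdev cryptodev_aesni_mb_pmd,socket_id=1
  vdev cryptodev_aesni_mb_pmd,socket_id=1
  # vdev cryptodev_aesni_mb_pmd,socket_id=0
}
EOF
printf '%s\n' '0: dpdk_ipsec_init: not enough cryptodevs for ipsec' > "$DEMO_LOG"
sw_cryptodevs_per_socket "$DEMO_CONF"
check_ipsec_cryptodev "$DEMO_CONF" "$DEMO_LOG" || echo "health check failed"
```

The per-socket count only covers software `vdev` entries; hardware cryptodevs listed by BDF are not distinguishable from Ethernet devices in the config, so use `show crypto device mapping` to confirm which workers actually received a device.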