From: Anoob Joseph <anoobj@marvell.com>
To: "Ananyev, Konstantin" <konstantin.ananyev@intel.com>,
"Smoczynski, MarcinX" <marcinx.smoczynski@intel.com>,
"akhil.goyal@nxp.com" <akhil.goyal@nxp.com>
Cc: "dev@dpdk.org" <dev@dpdk.org>,
Narayana Prasad Raju Athreya <pathreya@marvell.com>,
Jerin Jacob Kollanukkaran <jerinj@marvell.com>,
Archana Muniganti <marchana@marvell.com>
Subject: Re: [dpdk-dev] [PATCH v2 0/3] examples/ipsec-secgw: add fallback session
Date: Thu, 19 Sep 2019 02:50:51 +0000 [thread overview]
Message-ID: <MN2PR18MB2877C0F8EED2207F84FC882BDF890@MN2PR18MB2877.namprd18.prod.outlook.com> (raw)
In-Reply-To: <2601191342CEEE43887BDE71AB9772580191966FFC@irsmsx105.ger.corp.intel.com>
Hi Konstantin,
Please see inline.
Thanks,
Anoob
> -----Original Message-----
> From: Ananyev, Konstantin <konstantin.ananyev@intel.com>
> Sent: Thursday, September 19, 2019 3:49 AM
> To: Anoob Joseph <anoobj@marvell.com>; Smoczynski, MarcinX
> <marcinx.smoczynski@intel.com>; akhil.goyal@nxp.com
> Cc: dev@dpdk.org; Narayana Prasad Raju Athreya <pathreya@marvell.com>;
> Jerin Jacob Kollanukkaran <jerinj@marvell.com>; Archana Muniganti
> <marchana@marvell.com>
> Subject: RE: [dpdk-dev] [PATCH v2 0/3] examples/ipsec-secgw: add fallback
> session
>
>
>
> Hi Anoob,
>
> > > > Sorry for the late response. But how do you plan to handle "inline
> protocol"
> > > processed packets?
> > >
> > > Right now that feature is supported for "inline crypto" only.
> >
> > [Anoob] The description says "inline processed" packets. Hence the confusion.
> >
> > > For the case when SA doesn't enable replay window and/or ESN current
> > > patch should also work for "inline proto" too, but this is just my
> > > understanding (not tested, etc.).
> >
> > [Anoob] In case of inline ipsec processing, the ipsec state (which
> > would track sequence number etc) will be internal to the PMDs. So
> > anti- replay/ESN would have to be done either in the h/w or PMD. This would
> mean application will not have state information regarding ipsec processing.
> Hence fallback handling with the above scheme will not work in that case.
>
> Agree, that's why I wrote above that current wok might work for inline-proto
> *only* if replay window and ESN is disabled.
[Anoob] Any feature that makes use of protocol "state" would fail with this scheme. In case of inline ipsec, that is anti-replay & ESN. I see that you are not planning for fallback session for outbound. If at all that is planned, this scheme will fail to co-ordinate sequence number between original and fallback sessions.
>
> >
> > To address this properly for inline protocol, we will have to come up
> > with some logic to share session private data b/w "eligible" PMDs. This would
> involve library changes to rte_security, etc.
>
> Again, totally agree.
> As I remember we already discussed it about a year ago, but didn't come up with
> any concrete proposal.
>
> > Once that is proposed, there will be one kind of handling for inline
> > protocol processing and another kind for inline crypto processing. Would you
> be fine with that?
>
> For sure something needs to be changed for inline-proto to sync replay-
> window/ESN related data between HW/PMD and SW.
> What it should be - new function, or something else - hard to tell right now.
[Anoob] No disagreement. My only concern is the incompleteness of this solution. We will have to propose a totally new scheme for inline protocol. You do agree that this approach will not help inline protocol offloading, right? If you are okay with having different solutions for inline crypto & inline protocol, I don't have any issue with this series.
Also, how do you plan to pass "state" info to lookaside protocol session? That will be required to handle ESN/anti-replay in lookaside protocol capable PMD as well.
> Konstantin
>
> >
> > > Konstantin
> > >
> > > >
> > > > Thanks,
> > > > Anoob
> > > >
> > > > > -----Original Message-----
> > > > > From: dev <dev-bounces@dpdk.org> On Behalf Of Marcin Smoczynski
> > > > > Sent: Wednesday, September 4, 2019 7:47 PM
> > > > > To: konstantin.ananyev@intel.com; akhil.goyal@nxp.com
> > > > > Cc: dev@dpdk.org; Marcin Smoczynski
> > > > > <marcinx.smoczynski@intel.com>
> > > > > Subject: [dpdk-dev] [PATCH v2 0/3] examples/ipsec-secgw: add
> > > > > fallback session
> > > > >
> > > > > Inline processing is limited to a specified subset of traffic.
> > > > > It is often unable to handle more complicated situations, such
> > > > > as fragmented traffic. When using inline processing such traffic is
> dropped.
> > > > >
> > > > > Introduce multiple sessions per SA allowing to configure a
> > > > > fallback lookaside session for packets that normally would be dropped.
> > > > > A fallback session type in the SA configuration by adding 'fallback'
> > > > > with 'lookaside-none' or 'lookaside-protocol' parameter to
> > > > > determine type of session.
> > > > >
> > > > > Fallback session feature is available only when using librte_ipsec.
> > > > >
> > > > > v1 to v2 changes:
> > > > > - disable fallback offload for outbound SAs
> > > > > - add test scripts
> > > > >
> > > > > Marcin Smoczynski (3):
> > > > > examples/ipsec-secgw: ipsec_sa structure cleanup
> > > > > examples/ipsec-secgw: add fallback session feature
> > > > > examples/ipsec-secgw: add offload fallback tests
> > > > >
> > > > > doc/guides/sample_app_ug/ipsec_secgw.rst | 17 +-
> > > > > examples/ipsec-secgw/esp.c | 35 ++--
> > > > > examples/ipsec-secgw/ipsec-secgw.c | 16 +-
> > > > > examples/ipsec-secgw/ipsec.c | 99 ++++++-----
> > > > > examples/ipsec-secgw/ipsec.h | 61 +++++--
> > > > > examples/ipsec-secgw/ipsec_process.c | 113 +++++++-----
> > > > > examples/ipsec-secgw/sa.c | 164 +++++++++++++-----
> > > > > .../test/trs_aesgcm_common_defs.sh | 4 +-
> > > > > .../trs_aesgcm_inline_crypto_fallback_defs.sh | 5 +
> > > > > .../test/tun_aesgcm_common_defs.sh | 6 +-
> > > > > .../tun_aesgcm_inline_crypto_fallback_defs.sh | 5 +
> > > > > 11 files changed, 358 insertions(+), 167 deletions(-) create
> > > > > mode
> > > > > 100644
> > > > > examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs
> > > > > .sh create mode 100644 examples/ipsec-
> > > > > secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh
> > > > >
> > > > > --
> > > > > 2.21.0.windows.1
next prev parent reply other threads:[~2019-09-19 2:50 UTC|newest]
Thread overview: 67+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-14 20:48 [dpdk-dev] [PATCH v1 0/2] examples/ipsec-secgw: add fallback session Marcin Smoczynski
2019-08-14 20:48 ` [dpdk-dev] [PATCH v1 1/2] examples/ipsec-secgw: ipsec_sa structure cleanup Marcin Smoczynski
2019-08-14 20:48 ` [dpdk-dev] [PATCH v1 2/2] examples/ipsec-secgw: add fallback session feature Marcin Smoczynski
2019-09-04 14:16 ` [dpdk-dev] [PATCH v2 0/3] examples/ipsec-secgw: add fallback session Marcin Smoczynski
2019-09-04 14:16 ` [dpdk-dev] [PATCH v2 1/3] examples/ipsec-secgw: ipsec_sa structure cleanup Marcin Smoczynski
2019-09-04 14:16 ` [dpdk-dev] [PATCH v2 2/3] examples/ipsec-secgw: add fallback session feature Marcin Smoczynski
2019-09-04 14:16 ` [dpdk-dev] [PATCH v2 3/3] examples/ipsec-secgw: add offload fallback tests Marcin Smoczynski
2019-09-18 6:45 ` [dpdk-dev] [PATCH v2 0/3] examples/ipsec-secgw: add fallback session Anoob Joseph
2019-09-18 8:46 ` Ananyev, Konstantin
2019-09-18 11:40 ` Anoob Joseph
2019-09-18 22:19 ` Ananyev, Konstantin
2019-09-19 2:50 ` Anoob Joseph [this message]
2019-09-19 7:33 ` Ananyev, Konstantin
2019-09-19 10:53 ` Anoob Joseph
2019-09-23 11:44 ` [dpdk-dev] [PATCH v3 0/3] " Marcin Smoczynski
2019-09-23 11:44 ` [dpdk-dev] [PATCH v3 1/3] examples/ipsec-secgw: ipsec_sa structure cleanup Marcin Smoczynski
2019-09-23 16:47 ` Ananyev, Konstantin
2019-09-23 11:44 ` [dpdk-dev] [PATCH v3 2/3] examples/ipsec-secgw: add fallback session feature Marcin Smoczynski
2019-09-23 16:49 ` Ananyev, Konstantin
2019-09-23 11:44 ` [dpdk-dev] [PATCH v3 3/3] examples/ipsec-secgw: add offload fallback tests Marcin Smoczynski
2019-09-23 16:50 ` Ananyev, Konstantin
2019-09-23 12:51 ` [dpdk-dev] [PATCH v3 0/3] add fallback session Smoczynski, MarcinX
2019-09-26 9:04 ` Anoob Joseph
2019-09-26 12:38 ` Ananyev, Konstantin
2019-09-29 14:29 ` Anoob Joseph
2019-09-30 13:31 ` Ananyev, Konstantin
2019-10-02 10:14 ` Anoob Joseph
2019-10-03 14:46 ` Ananyev, Konstantin
2019-10-09 15:36 ` Anoob Joseph
2019-10-10 10:55 ` Ananyev, Konstantin
2019-10-13 12:47 ` Anoob Joseph
2019-10-16 12:02 ` Ananyev, Konstantin
2019-10-16 13:36 ` Ananyev, Konstantin
2019-09-27 9:10 ` [dpdk-dev] [PATCH v4 0/4] " Marcin Smoczynski
2019-09-27 9:10 ` [dpdk-dev] [PATCH v4 1/4] examples/ipsec-secgw: ipsec_sa structure cleanup Marcin Smoczynski
2019-09-27 9:10 ` [dpdk-dev] [PATCH v4 2/4] examples/ipsec-secgw: add fallback session feature Marcin Smoczynski
2019-09-27 9:10 ` [dpdk-dev] [PATCH v4 3/4] examples/ipsec-secgw: add frag TTL cmdline option Marcin Smoczynski
2019-09-27 9:10 ` [dpdk-dev] [PATCH v4 4/4] examples/ipsec-secgw: add offload fallback tests Marcin Smoczynski
2019-09-27 15:54 ` [dpdk-dev] [PATCH v5 0/4] add fallback session Marcin Smoczynski
2019-09-27 15:54 ` [dpdk-dev] [PATCH v5 1/4] examples/ipsec-secgw: ipsec_sa structure cleanup Marcin Smoczynski
2019-10-02 15:43 ` Nicolau, Radu
2019-10-03 16:35 ` Iremonger, Bernard
2019-09-27 15:54 ` [dpdk-dev] [PATCH v5 2/4] examples/ipsec-secgw: add fallback session feature Marcin Smoczynski
2019-09-29 17:03 ` Ananyev, Konstantin
2019-09-30 9:13 ` Smoczynski, MarcinX
2019-10-03 16:36 ` Iremonger, Bernard
2019-09-27 15:54 ` [dpdk-dev] [PATCH v5 3/4] examples/ipsec-secgw: add frag TTL cmdline option Marcin Smoczynski
2019-09-30 10:16 ` Ananyev, Konstantin
2019-09-27 15:54 ` [dpdk-dev] [PATCH v5 4/4] examples/ipsec-secgw: add offload fallback tests Marcin Smoczynski
2019-10-03 16:46 ` Iremonger, Bernard
2019-10-07 13:02 ` [dpdk-dev] [PATCH v6 0/4] add fallback session Marcin Smoczynski
2019-10-07 13:02 ` [dpdk-dev] [PATCH v6 1/4] examples/ipsec-secgw: sa structure cleanup Marcin Smoczynski
2019-10-07 13:02 ` [dpdk-dev] [PATCH v6 2/4] examples/ipsec-secgw: add fallback session feature Marcin Smoczynski
2019-10-11 14:40 ` Akhil Goyal
2019-10-11 15:06 ` Ananyev, Konstantin
2019-10-15 14:33 ` Akhil Goyal
2019-10-16 10:37 ` Ananyev, Konstantin
2019-10-07 13:02 ` [dpdk-dev] [PATCH v6 3/4] examples/ipsec-secgw: add frag TTL cmdline option Marcin Smoczynski
2019-10-07 13:02 ` [dpdk-dev] [PATCH v6 4/4] examples/ipsec-secgw: add offload fallback tests Marcin Smoczynski
2019-10-14 13:48 ` [dpdk-dev] [PATCH v7 0/4] add fallback session Marcin Smoczynski
2019-10-14 13:48 ` [dpdk-dev] [PATCH v7 1/4] examples/ipsec-secgw: sa structure cleanup Marcin Smoczynski
2019-10-14 13:48 ` [dpdk-dev] [PATCH v7 2/4] examples/ipsec-secgw: add fallback session feature Marcin Smoczynski
2019-10-14 13:48 ` [dpdk-dev] [PATCH v7 3/4] examples/ipsec-secgw: add frag TTL cmdline option Marcin Smoczynski
2019-10-14 13:48 ` [dpdk-dev] [PATCH v7 4/4] examples/ipsec-secgw: add offload fallback tests Marcin Smoczynski
2019-10-21 12:29 ` [dpdk-dev] [PATCH v7 0/4] add fallback session Mcnamara, John
2019-10-21 12:32 ` Akhil Goyal
2019-11-05 12:20 ` Akhil Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=MN2PR18MB2877C0F8EED2207F84FC882BDF890@MN2PR18MB2877.namprd18.prod.outlook.com \
--to=anoobj@marvell.com \
--cc=akhil.goyal@nxp.com \
--cc=dev@dpdk.org \
--cc=jerinj@marvell.com \
--cc=konstantin.ananyev@intel.com \
--cc=marchana@marvell.com \
--cc=marcinx.smoczynski@intel.com \
--cc=pathreya@marvell.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).