netdev.vger.kernel.org archive mirror
From: Leon Romanovsky <leon@kernel.org>
To: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>,
	netdev@vger.kernel.org
Subject: Re: [PATCH xfrm-next v7 6/8] xfrm: speed-up lookup of HW policies
Date: Wed, 23 Nov 2022 12:25:34 +0200
Message-ID: <Y331Hli5YG5XtRgc@unreal>
In-Reply-To: <20221123082358.GL424616@gauss3.secunet.de>

On Wed, Nov 23, 2022 at 09:23:58AM +0100, Steffen Klassert wrote:
> On Tue, Nov 22, 2022 at 03:54:42PM +0200, Leon Romanovsky wrote:
> > On Tue, Nov 22, 2022 at 02:00:02PM +0100, Steffen Klassert wrote:
> > > On Tue, Nov 22, 2022 at 08:27:48AM +0200, Leon Romanovsky wrote:
> > > > On Tue, Nov 22, 2022 at 12:29:12PM +0800, Herbert Xu wrote:
> > > > > On Mon, Nov 21, 2022 at 03:21:45PM +0200, Leon Romanovsky wrote:
> > > 
> > > Can you please explain why we need host interaction for
> > > transport, but not for tunnel mode?
> > 
> > The main difference is that in transport mode, you must bring the packet
> > to the kernel in which you configured the SA/policy. It means that we must
> > ensure that such packets won't be checked again in SW, because all packets
> > (encrypted and not) pass through the XFRM logic.
> > 
> >  - wire -> RX NIC -> kernel -> XFRM stack (we need HW DB here to skip this stage) -> ....
> >  ... -> kernel -> XFRM stack (skip for HW SA/policies) -> TX NIC -> wire.
> > 
> > In tunnel mode, we arrive at XFRM when nothing IPsec related is configured.
> > 
> >  - wire -> RX PF NIC -> eswitch NIC logic -> TX uplink NIC -> RX
> >    representors -> XFRM stack in VM (nothing configured here) -> kernel
> 
> Forget about eswitch, VM, etc. for a moment. I'm interested how the
> simplest possible tunnel mode cases will work.
> 
> Forwarding:
> 
> wire -> random NIC RX -> kernel -> IPsec tunnel offload NIC TX -> wire
> wire -> IPsec tunnel offload NIC RX -> kernel -> random NIC TX -> wire
> 
> Local endpoints:
> 
> Application -> kernel -> IPsec tunnel offload NIC TX -> wire
> wire -> IPsec tunnel offload NIC RX -> kernel -> Application
> 
> These two must work, so how are these cases handled?

These two cases are conceptually no different from transport mode.
The difference is how HW handles IP packets.

If a packet comes from RX, it will be received as a plain packet in the
kernel. If a packet goes to TX, it must be skipped in XFRM.

For all "wire -> IPsec tunnel offload NIC RX ..." flows, everything works
as you would expect. HW handles everything and feeds the kernel with a
plain packet. These packets will have CRYPTO_DONE and status set so they
can skip all XFRM logic.

All this complexity is for the "... kernel -> IPsec tunnel offload NIC TX -> wire"
flow. You need a way to tell the kernel that XFRM should be skipped.

In the TX path, we will need to perform neighbor resolution to fill in the proper
MAC address for the outer IP header.
In the RX path, once the packet is decrypted, there is a need to change the MAC
address for the inner IP header. This will be done by the kernel as HW
doesn't have such knowledge.

Of course, there are many possible implementations of how to get the right
MAC address (static during SA creation, or dynamic if we listen to ARP
events), but it is not XFRM related.

Thanks

> 
> If you can do more fancy things with tunnel mode and special NICs
> at TX and RX, that's fine but not absolutely required.

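The RX/TX bypass rule Leon describes above, written out as an added user-space model in C; it is not kernel code and not part of the patch series. Only the names CRYPTO_DONE and CRYPTO_SUCCESS are taken from the real xfrm_offload struct; the selector key, the policy table and the offload-mode enum are constructed assumptions for the illustration.

```c
/* Constructed user-space model (not kernel code) of the bypass decisions the
 * thread describes; only CRYPTO_DONE and CRYPTO_SUCCESS are real xfrm_offload
 * names, the rest is illustrative. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CRYPTO_DONE    (1u << 0) /* driver: HW already processed the ESP */
#define CRYPTO_SUCCESS 1         /* ... and crypto verification passed */

enum xfrm_dir { XFRM_IN, XFRM_OUT };
enum offload_mode { OFFLOAD_NONE, OFFLOAD_CRYPTO, OFFLOAD_PACKET };

struct pkt {
    enum xfrm_dir dir;
    uint8_t offload_flags;  /* models xfrm_offload.flags (set by RX driver) */
    uint8_t offload_status; /* models xfrm_offload.status */
    uint32_t dst_net;       /* constructed selector key, e.g. outer dst /24 */
};

struct policy {
    uint32_t dst_net;       /* selector the policy matches on */
    enum offload_mode mode; /* who does encapsulation for this policy */
};

/* true: skip the software XFRM stack; false: run the normal SW lookup. */
bool xfrm_skip_sw(const struct pkt *p, const struct policy *pols, size_t npols)
{
    if (p->dir == XFRM_IN) {
        /* RX: the NIC already decrypted the packet and marked it, so SW
         * must not run input processing a second time. */
        return (p->offload_flags & CRYPTO_DONE) && p->offload_status == CRYPTO_SUCCESS;
    }
    /* TX: there is no HW marker; the kernel must consult its own record of
     * policies pushed to the NIC in packet mode. Crypto-offload policies
     * still need SW encapsulation, so they do not skip. */
    for (size_t i = 0; i < npols; i++)
        if (pols[i].dst_net == p->dst_net)
            return pols[i].mode == OFFLOAD_PACKET;
    return false; /* no policy: plain forwarding, nothing to skip */
}

int main(void)
{
    const struct policy pols[] = { { 0x0a000100, OFFLOAD_PACKET }, { 0x0a000200, OFFLOAD_CRYPTO } };
    const struct pkt rx_hw = { XFRM_IN, CRYPTO_DONE, CRYPTO_SUCCESS, 0 }; /* wire -> offload NIC RX */
    const struct pkt tx_hw = { XFRM_OUT, 0, 0, 0x0a000100 };             /* kernel -> offload NIC TX */
    printf("rx skip=%d tx skip=%d\n", xfrm_skip_sw(&rx_hw, pols, 2), xfrm_skip_sw(&tx_hw, pols, 2));
    return 0;
}
```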
Thread overview: 51+ messages
2022-11-09 12:54 [PATCH xfrm-next v7 0/8] Extend XFRM core to allow packet offload configuration Leon Romanovsky
2022-11-09 12:54 ` [PATCH xfrm-next v7 1/8] xfrm: add new packet offload flag Leon Romanovsky
2022-11-09 12:54 ` [PATCH xfrm-next v7 2/8] xfrm: allow state packet offload mode Leon Romanovsky
2022-11-09 12:54 ` [PATCH xfrm-next v7 3/8] xfrm: add an interface to offload policy Leon Romanovsky
2022-11-09 12:54 ` [PATCH xfrm-next v7 4/8] xfrm: add TX datapath support for IPsec packet offload mode Leon Romanovsky
2022-11-17 11:59   ` Steffen Klassert
2022-11-17 12:32     ` Leon Romanovsky
2022-11-18 10:23       ` Steffen Klassert
2022-11-21 11:10         ` Leon Romanovsky
2022-11-09 12:54 ` [PATCH xfrm-next v7 5/8] xfrm: add RX datapath protection " Leon Romanovsky
2022-11-09 12:54 ` [PATCH xfrm-next v7 6/8] xfrm: speed-up lookup of HW policies Leon Romanovsky
2022-11-17 12:12   ` Steffen Klassert
2022-11-17 12:51     ` Leon Romanovsky
2022-11-18 10:49       ` Steffen Klassert
2022-11-20 19:17         ` Leon Romanovsky
2022-11-21  9:44           ` Steffen Klassert
2022-11-21 10:27             ` Leon Romanovsky
2022-11-21 11:09               ` Steffen Klassert
2022-11-21 11:15                 ` Leon Romanovsky
2022-11-21 11:25                   ` Steffen Klassert
2022-11-21 11:34                     ` Leon Romanovsky
2022-11-21 12:02                       ` Leon Romanovsky
2022-11-21 12:43                         ` Steffen Klassert
2022-11-21 13:01                           ` Leon Romanovsky
2022-11-22 13:10                             ` Steffen Klassert
2022-11-22 13:57                               ` Leon Romanovsky
2022-11-23  8:37                                 ` Steffen Klassert
2022-11-23  9:36                                   ` Leon Romanovsky
2022-11-23 12:53                                     ` Leon Romanovsky
2022-11-24 11:07                                       ` Steffen Klassert
2022-11-25  6:23                                         ` Leon Romanovsky
2022-11-21 12:10                       ` Steffen Klassert
2022-11-21 13:21                         ` Leon Romanovsky
2022-11-22  4:29                           ` Herbert Xu
2022-11-22  6:27                             ` Leon Romanovsky
2022-11-22 13:00                               ` Steffen Klassert
2022-11-22 13:54                                 ` Leon Romanovsky
2022-11-23  8:23                                   ` Steffen Klassert
2022-11-23 10:25                                     ` Leon Romanovsky [this message]
2022-11-09 12:54 ` [PATCH xfrm-next v7 7/8] xfrm: add support to HW update soft and hard limits Leon Romanovsky
2022-11-17 12:13   ` Steffen Klassert
2022-11-17 12:32     ` Leon Romanovsky
2022-11-09 12:54 ` [PATCH xfrm-next v7 8/8] xfrm: document IPsec packet offload mode Leon Romanovsky
2022-11-17 12:15   ` Steffen Klassert
2022-11-17 12:33     ` Leon Romanovsky
2022-11-15 18:09 ` [PATCH xfrm-next v7 0/8] Extend XFRM core to allow packet offload configuration Leon Romanovsky
2022-11-15 18:30   ` Steffen Klassert
2022-11-15 19:00     ` Leon Romanovsky
2022-11-16 23:07       ` Saeed Mahameed
2022-11-17 12:20         ` Steffen Klassert
2022-11-17 12:24           ` Leon Romanovsky
