From: "Ananyev, Konstantin" <konstantin.ananyev@intel.com>
To: Hemant Agrawal <hemant.agrawal@nxp.com>, "dev@dpdk.org" <dev@dpdk.org>
Cc: "akhil.goyal@nxp.com" <akhil.goyal@nxp.com>
Subject: Re: [dpdk-dev] [PATCH v6 2/3] ipsec: remove redundant replay_win_sz
Date: Wed, 6 Nov 2019 13:31:20 +0000
Message-ID: <2601191342CEEE43887BDE71AB97725801A8C810FD@IRSMSX104.ger.corp.intel.com>
In-Reply-To: <20191106065414.4311-2-hemant.agrawal@nxp.com>


Hi guys,

> The rte_security lib has introduced replay_win_sz,
> so it can be removed from the rte_ipsec lib.
> 
> The related tests, app are also updated to reflect
> the usages.
> 
> Note that esn and anti-replay fields were earlier used
> only for ipsec library, they were enabling the libipsec
> by default. With this change esn and anti-replay setting
> will not automatically enable libipsec.
> 
> Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
> ---
>  app/test/test_ipsec.c                  | 2 +-
>  doc/guides/rel_notes/release_19_11.rst | 7 +++++--
>  examples/ipsec-secgw/ipsec-secgw.c     | 5 -----
>  examples/ipsec-secgw/ipsec.c           | 4 ++++
>  examples/ipsec-secgw/sa.c              | 2 +-
>  lib/librte_ipsec/Makefile              | 2 +-
>  lib/librte_ipsec/meson.build           | 1 +
>  lib/librte_ipsec/rte_ipsec_sa.h        | 6 ------
>  lib/librte_ipsec/sa.c                  | 4 ++--
>  9 files changed, 15 insertions(+), 18 deletions(-)
> 
> diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c
> index 4007eff19..7dc83fee7 100644
> --- a/app/test/test_ipsec.c
> +++ b/app/test/test_ipsec.c
> @@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t flags)
> 
>  	prm->userdata = 1;
>  	prm->flags = flags;
> -	prm->replay_win_sz = replay_win_sz;
> 
>  	/* setup ipsec xform */
>  	prm->ipsec_xform = ut_params->ipsec_xform;
>  	prm->ipsec_xform.salt = (uint32_t)rte_rand();
> +	prm->ipsec_xform.replay_win_sz = replay_win_sz;
> 
>  	/* setup tunnel related fields */
>  	prm->tun.hdr_len = sizeof(ipv4_outer);
> diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst
> index dcae08002..0504a3443 100644
> --- a/doc/guides/rel_notes/release_19_11.rst
> +++ b/doc/guides/rel_notes/release_19_11.rst
> @@ -369,10 +369,13 @@ ABI Changes
>    align the Ethernet header on receive and all known encapsulations
>    preserve the alignment of the header.
> 
> -* security: A new field ''replay_win_sz'' has been added to the structure
> +* security: The field ''replay_win_sz'' has been moved from ipsec library
> +  based ''rte_ipsec_sa_prm'' structure to security library based structure
>    ``rte_security_ipsec_xform``, which specify the Anti replay window size
>    to enable sequence replay attack handling.
> 
> +* ipsec: The field ''replay_win_sz'' has been removed from the structure
> +  ''rte_ipsec_sa_prm'' as it has been added to the security library.
> 
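
Review bot: the added release-note bullets quote identifiers with two apostrophes (''replay_win_sz'', ''rte_ipsec_sa_prm'') rather than the double backticks used for ``rte_security_ipsec_xform`` on the unchanged line between them, so reStructuredText renders them as plain quoted text instead of inline literals; switch them to double backticks. The reworded security bullet and the new ipsec bullet also describe the same move twice, so one could be reduced to a cross-reference, and "which specify" should read "which specifies".
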
>  Shared Library Versions
>  -----------------------
> @@ -415,7 +418,7 @@ The libraries prepended with a plus sign were incremented in this version.
>       librte_gso.so.1
>       librte_hash.so.2
>       librte_ip_frag.so.1
> -     librte_ipsec.so.1
> +   + librte_ipsec.so.2
>       librte_jobstats.so.1
>       librte_kni.so.2
>       librte_kvargs.so.1
> diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
> index b12936470..3b5aaf683 100644
> --- a/examples/ipsec-secgw/ipsec-secgw.c
> +++ b/examples/ipsec-secgw/ipsec-secgw.c
> @@ -1424,9 +1424,6 @@ print_app_sa_prm(const struct app_sa_prm *prm)
>  	printf("librte_ipsec usage: %s\n",
>  		(prm->enable == 0) ? "disabled" : "enabled");
> 
> -	if (prm->enable == 0)
> -		return;
> -
>  	printf("replay window size: %u\n", prm->window_size);
>  	printf("ESN: %s\n", (prm->enable_esn == 0) ? "disabled" : "enabled");
>  	printf("SA flags: %#" PRIx64 "\n", prm->flags);
> @@ -1495,11 +1492,9 @@ parse_args(int32_t argc, char **argv)
>  			app_sa_prm.enable = 1;
>  			break;
>  		case 'w':
> -			app_sa_prm.enable = 1;

That actually will break lib-mode functional tests at:
examples/ipsec-secgw/test/
Due to my laziness I enabled library mode in them via the '-w' option,
as at that moment legacy mode didn't support replay window...
As these patches are already applied, I'll send the fix in a new one in next few.

>  			app_sa_prm.window_size = parse_decimal(optarg);
>  			break;
>  		case 'e':
> -			app_sa_prm.enable = 1;
>  			app_sa_prm.enable_esn = 1;
>  			break;
>  		case 'a':
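
Review bot: with "app_sa_prm.enable = 1;" dropped from the 'w' and 'e' cases, an existing command line that relied on either option to switch on librte_ipsec now silently runs in legacy mode, and the diffstat shows only deletions in ipsec-secgw.c, so the option help is not updated to say so. Suggest stating in the usage text that library mode must be requested explicitly, and updating the callers that depended on the old side effect in the same series.
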
> diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
> index d7761e966..d4b57121a 100644
> --- a/examples/ipsec-secgw/ipsec.c
> +++ b/examples/ipsec-secgw/ipsec.c
> @@ -49,6 +49,8 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec)
>  		/* TODO support for Transport */
>  	}
>  	ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT;
> +	ipsec->replay_win_sz = app_sa_prm.window_size;
> +	ipsec->options.esn = app_sa_prm.enable_esn;

Ok, but what to do for the devices that don't support esn or replay_win_sz?
Should we add some check? Either to the app, or preferably into rte_security
level at rte_security_session_create()?

>  }
> 
>  int
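
Review bot: the two assignments added to set_ipsec_conf() copy app_sa_prm.window_size and app_sa_prm.enable_esn into the session xform without any validation, so a non-zero window or an ESN request is passed to every device whether or not it can honour it. Anti-replay is a security property, so a request the device cannot satisfy should make session setup fail with an explicit error instead of depending on driver-specific behaviour; a check before the session is created would make that deterministic.
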
> @@ -92,6 +94,7 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa,
>  				.spi = sa->spi,
>  				.salt = sa->salt,
>  				.options = { 0 },
> +				.replay_win_sz = 0,
>  				.direction = sa->direction,
>  				.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
>  				.mode = (IS_TUNNEL(sa->flags)) ?
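
Review bot: in the create_lookaside_session() initializer, ".replay_win_sz = 0," is redundant, since members omitted from a designated initializer are already zeroed, and going by the comment this patch removes from rte_ipsec_sa.h a value of 0 means replay checking is disabled. If set_ipsec_conf() is expected to overwrite it with app_sa_prm.window_size, say so in a comment or drop the line; if not, the session is created with anti-replay off whatever window the user configured. The same applies to the identical line added in create_inline_session().
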
> @@ -151,6 +154,7 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
>  			.spi = sa->spi,
>  			.salt = sa->salt,
>  			.options = { 0 },
> +			.replay_win_sz = 0,
>  			.direction = sa->direction,
>  			.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
>  			.mode = (sa->flags == IP4_TUNNEL ||
> diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
> index a8dee342e..4605a3a6c 100644
> --- a/examples/ipsec-secgw/sa.c
> +++ b/examples/ipsec-secgw/sa.c
> @@ -1115,7 +1115,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm *prm,
> 
>  	prm->flags = app_prm->flags;
>  	prm->ipsec_xform.options.esn = app_prm->enable_esn;
> -	prm->replay_win_sz = app_prm->window_size;
> +	prm->ipsec_xform.replay_win_sz = app_prm->window_size;
>  }
> 
>  static int
> diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile
> index 81fb99980..161ea9e3d 100644
> --- a/lib/librte_ipsec/Makefile
> +++ b/lib/librte_ipsec/Makefile
> @@ -14,7 +14,7 @@ LDLIBS += -lrte_cryptodev -lrte_security -lrte_hash
> 
>  EXPORT_MAP := rte_ipsec_version.map
> 
> -LIBABIVER := 1
> +LIBABIVER := 2
> 
>  # all source are stored in SRCS-y
>  SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_inb.c
> diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build
> index 70358526b..e8604dadd 100644
> --- a/lib/librte_ipsec/meson.build
> +++ b/lib/librte_ipsec/meson.build
> @@ -1,6 +1,7 @@
>  # SPDX-License-Identifier: BSD-3-Clause
>  # Copyright(c) 2018 Intel Corporation
> 
> +version = 2
>  allow_experimental_apis = true
> 
>  sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c')
> diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h
> index 47ce169d2..1cfde5874 100644
> --- a/lib/librte_ipsec/rte_ipsec_sa.h
> +++ b/lib/librte_ipsec/rte_ipsec_sa.h
> @@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm {
>  			uint8_t proto;  /**< next header protocol */
>  		} trs; /**< transport mode related parameters */
>  	};
> -
> -	/**
> -	 * window size to enable sequence replay attack handling.
> -	 * replay checking is disabled if the window size is 0.
> -	 */
> -	uint32_t replay_win_sz;
>  };
> 
>  /**
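
Review bot: removing replay_win_sz from struct rte_ipsec_sa_prm also removes the only statement visible in this patch that "replay checking is disabled if the window size is 0". That semantic should be carried into the doc comment of replay_win_sz in rte_security_ipsec_xform (added in patch 1/3, not shown here), so that callers who leave the field zero-initialised know they are running without anti-replay protection.
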
> diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c
> index 23d394b46..6f1d92c3c 100644
> --- a/lib/librte_ipsec/sa.c
> +++ b/lib/librte_ipsec/sa.c
> @@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm)
>  		return rc;
> 
>  	/* determine required size */
> -	wsz = prm->replay_win_sz;
> +	wsz = prm->ipsec_xform.replay_win_sz;
>  	return ipsec_sa_size(type, &wsz, &nb);
>  }
> 
> @@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,
>  		return rc;
> 
>  	/* determine required size */
> -	wsz = prm->replay_win_sz;
> +	wsz = prm->ipsec_xform.replay_win_sz;
>  	sz = ipsec_sa_size(type, &wsz, &nb);
>  	if (sz < 0)
>  		return sz;
> --
> 2.17.1
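
Added example (not part of the original message and not DPDK code): a simplified C model of the anti-replay window that replay_win_sz sizes, showing reordered, duplicate and too-old packets, and that a size of 0 disables the check as the removed rte_ipsec_sa.h comment states. The struct and function names, the 64-packet limit and the 32-bit (non-ESN) sequence numbers are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of an anti-replay window; not a DPDK structure. */
struct replay_state {
	uint32_t win_sz;  /* window size in packets (max 64 here); 0 disables */
	uint32_t top;     /* highest sequence number accepted so far */
	uint64_t bitmap;  /* bit i set: sequence number (top - i) was seen */
};
enum { REPLAY_OK = 0, REPLAY_DUP = -1, REPLAY_STALE = -2, REPLAY_BAD = -3 };

/* Check one sequence number and record it if accepted. */
static int replay_check_update(struct replay_state *st, uint32_t seq)
{
	if (st->win_sz == 0)
		return REPLAY_OK;              /* anti-replay disabled */
	if (seq == 0 || st->win_sz > 64)
		return REPLAY_BAD;             /* ESP seq starts at 1; model limit */
	if (seq > st->top) {               /* newer packet: slide the window */
		uint32_t shift = seq - st->top;
		st->bitmap = (shift >= 64 ? 0 : st->bitmap << shift) | 1;
		st->top = seq;
		return REPLAY_OK;
	}
	uint32_t off = st->top - seq;
	if (off >= st->win_sz)
		return REPLAY_STALE;           /* older than the window covers */
	if (st->bitmap & (UINT64_C(1) << off))
		return REPLAY_DUP;             /* already seen: replay */
	st->bitmap |= UINT64_C(1) << off;  /* late but new: accept and mark */
	return REPLAY_OK;
}

/* Constructed arrival order: reordering, a duplicate and two old packets. */
static const uint32_t sample_seq[] = { 1, 2, 5, 3, 3, 1, 9, 5 };
static unsigned count_accepted(uint32_t win_sz)
{
	struct replay_state st = { win_sz, 0, 0 };
	unsigned ok = 0;
	for (unsigned i = 0; i < sizeof(sample_seq) / sizeof(sample_seq[0]); i++)
		ok += (replay_check_update(&st, sample_seq[i]) == REPLAY_OK);
	return ok;
}
int main(void)
{
	printf("win=4: %u accepted, win=0 (disabled): %u accepted\n",
	       count_accepted(4), count_accepted(0));
	return 0;
}
```

With the window disabled every packet in the constructed sequence is accepted, including the replayed ones, which is why a silently zeroed replay_win_sz matters.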

