Re: [dpdk-dev] [PATCH v4 1/3] security: add anti replay window size

[Anoob Joseph <anoobj@marvell.com>]

Hi Hemant,

How would the PMD specify whether anit-replay is supported or not? Do you have plans to introduce it as a capability? Or do you expect the session creation to fail if the feature is not supported by underlying PMD and the anti replay window size is set.

Thanks,
Anoob

> -----Original Message-----
> From: dev <dev-bounces@dpdk.org> On Behalf Of Hemant Agrawal
> Sent: Thursday, October 31, 2019 10:25 AM
> To: dev@dpdk.org; akhil.goyal@nxp.com
> Cc: konstantin.ananyev@intel.com; Hemant Agrawal
> <hemant.agrawal@nxp.com>
> Subject: [dpdk-dev] [PATCH v4 1/3] security: add anti replay window size
> 
> At present the ipsec xfrom is missing the important step to configure the anti
> replay window size.
> The newly added field will also help in to enable or disable the anti replay
> checking, if available in offload by means of non-zero or zero value.
> 
> Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
> ---
>  doc/guides/rel_notes/release_19_11.rst | 6 +++++-
>  lib/librte_security/Makefile           | 2 +-
>  lib/librte_security/meson.build        | 2 +-
>  lib/librte_security/rte_security.h     | 4 ++++
>  4 files changed, 11 insertions(+), 3 deletions(-)
> 
> diff --git a/doc/guides/rel_notes/release_19_11.rst
> b/doc/guides/rel_notes/release_19_11.rst
> index ae8e7b2f0..0508ec545 100644
> --- a/doc/guides/rel_notes/release_19_11.rst
> +++ b/doc/guides/rel_notes/release_19_11.rst
> @@ -365,6 +365,10 @@ ABI Changes
>    align the Ethernet header on receive and all known encapsulations
>    preserve the alignment of the header.
> 
> +* security: A new field ''replay_win_sz'' has been added to the
> +structure
> +  ``rte_security_ipsec_xform``, which specify the Anti replay window
> +size
> +  to enable sequence replay attack handling.
> +
> 
>  Shared Library Versions
>  -----------------------
> @@ -437,7 +441,7 @@ The libraries prepended with a plus sign were
> incremented in this version.
>       librte_reorder.so.1
>       librte_ring.so.2
>     + librte_sched.so.4
> -     librte_security.so.2
> +   + librte_security.so.3
>       librte_stack.so.1
>       librte_table.so.3
>       librte_timer.so.1
> diff --git a/lib/librte_security/Makefile b/lib/librte_security/Makefile index
> 6708effdb..6a268ee2a 100644
> --- a/lib/librte_security/Makefile
> +++ b/lib/librte_security/Makefile
> @@ -7,7 +7,7 @@ include $(RTE_SDK)/mk/rte.vars.mk  LIB = librte_security.a
> 
>  # library version
> -LIBABIVER := 2
> +LIBABIVER := 3
> 
>  # build flags
>  CFLAGS += -O3
> diff --git a/lib/librte_security/meson.build b/lib/librte_security/meson.build
> index a5130d2f6..6fed01273 100644
> --- a/lib/librte_security/meson.build
> +++ b/lib/librte_security/meson.build
> @@ -1,7 +1,7 @@
>  # SPDX-License-Identifier: BSD-3-Clause  # Copyright(c) 2017-2019 Intel
> Corporation
> 
> -version = 2
> +version = 3
>  sources = files('rte_security.c')
>  headers = files('rte_security.h', 'rte_security_driver.h')  deps += ['mempool',
> 'cryptodev'] diff --git a/lib/librte_security/rte_security.h
> b/lib/librte_security/rte_security.h
> index aaafdfcd7..195ad5645 100644
> --- a/lib/librte_security/rte_security.h
> +++ b/lib/librte_security/rte_security.h
> @@ -212,6 +212,10 @@ struct rte_security_ipsec_xform {
>  	/**< Tunnel parameters, NULL for transport mode */
>  	uint64_t esn_soft_limit;
>  	/**< ESN for which the overflow event need to be raised */
> +	uint32_t replay_win_sz;
> +	/**< Anti replay window size to enable sequence replay attack handling.
> +	 * replay checking is disabled if the window size is 0.
> +	 */
>  };
> 
>  /**
> --
> 2.17.1