netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Antoine Tenart <antoine.tenart@bootlin.com>
To: Sabrina Dubroca <sd@queasysnail.net>
Cc: Igor Russkikh <Igor.Russkikh@aquantia.com>,
	Andrew Lunn <andrew@lunn.ch>,
	Antoine Tenart <antoine.tenart@bootlin.com>,
	"davem@davemloft.net" <davem@davemloft.net>,
	"f.fainelli@gmail.com" <f.fainelli@gmail.com>,
	"hkallweit1@gmail.com" <hkallweit1@gmail.com>,
	"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"thomas.petazzoni@bootlin.com" <thomas.petazzoni@bootlin.com>,
	"alexandre.belloni@bootlin.com" <alexandre.belloni@bootlin.com>,
	"allan.nielsen@microchip.com" <allan.nielsen@microchip.com>,
	"camelia.groza@nxp.com" <camelia.groza@nxp.com>,
	Simon Edelhaus <Simon.Edelhaus@aquantia.com>,
	Pavel Belous <Pavel.Belous@aquantia.com>
Subject: Re: [PATCH net-next v2 6/9] net: macsec: hardware offloading infrastructure
Date: Tue, 20 Aug 2019 12:01:40 +0200	[thread overview]
Message-ID: <20190820100140.GA3292@kwain> (raw)
In-Reply-To: <20190816132959.GC8697@bistromath.localdomain>

Hi Sabrina,

On Fri, Aug 16, 2019 at 03:29:59PM +0200, Sabrina Dubroca wrote:
> 2019-08-13, 16:18:40 +0000, Igor Russkikh wrote:
> > On 13.08.2019 16:17, Andrew Lunn wrote:
> 
> > That could be a strong limitation in
> > cases when user sees HW macsec offload is broken or work differently, and he/she
> > wants to replace it with SW one.
> 
> Agreed, I think an offload that cannot be disabled is quite problematic.
> 
> > MACSec is a complex feature, and it may happen something is missing in HW.
> > Trivial example is 256bit encryption, which is not always a musthave in HW
> > implementations.
> 
> +1
> 
> > 2) I think, Antoine, its not totally true that otherwise the user macsec API
> > will be broken/changed. netlink api is the same, the only thing we may want to
> > add is an optional parameter to force selection of SW macsec engine.
> 
> Yes, I think we need an offload on/off parameter (and IMO it should
> probably be off by default). Then, if offloading is requested but
> cannot be satisfied (unsupported key length, too many SAs, etc), or if
> incompatible settings are requested (mixing offloaded and
> non-offloaded SCs on a device that cannot do it), return an error.
> 
> If we also export that offload parameter during netlink dumps, we can
> inspect the state of the system, which helps for debugging.

So it seems the ability to enable or disable the offloading on a given
interface is the main missing feature. I'll add that, however I'll
probably (at least at first):

- Have the interface to be fully offloaded or fully handled in s/w (with
  errors being thrown if a given configuration isn't supported). Having
  both at the same time on a given interface would be tricky because of
  the MACsec validation parameter.

- Won't allow to enable/disable the offloading of there are rules in
  place, as we're not sure the same rules would be accepted by the other
  implementation.

I'm not sure if we should allow to mix the implementations on a given
physical interface (by having two MACsec interfaces attached) as the
validation would be impossible to do (we would have no idea if a
packet was correctly handled by the offloading part or just not being
a MACsec packet in the first place, in Rx).

I agree the offloading should be disabled by default, and only enabled
by an user explicitly.

Thanks,
Antoine

-- 
Antoine Ténart, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

  reply	other threads:[~2019-08-20 10:01 UTC|newest]

Thread overview: 44+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-08-08 14:05 [PATCH net-next v2 0/9] net: macsec: initial support for hardware offloading Antoine Tenart
2019-08-08 14:05 ` [PATCH net-next v2 1/9] net: introduce the MACSEC netdev feature Antoine Tenart
2019-08-08 14:05 ` [PATCH net-next v2 2/9] net: macsec: move some definitions in a dedicated header Antoine Tenart
2019-08-10 12:19   ` Igor Russkikh
2019-08-12  8:17     ` Antoine Tenart
2019-08-08 14:05 ` [PATCH net-next v2 3/9] net: macsec: introduce the macsec_context structure Antoine Tenart
2019-08-08 14:05 ` [PATCH net-next v2 4/9] net: introduce MACsec ops and add a reference in net_device Antoine Tenart
2019-08-09 20:35   ` Jakub Kicinski
2019-08-12  8:18     ` Antoine Tenart
2019-08-08 14:05 ` [PATCH net-next v2 5/9] net: phy: add MACsec ops in phy_device Antoine Tenart
2019-08-14 23:15   ` Florian Fainelli
2019-08-20 10:07     ` Antoine Tenart
2019-08-08 14:05 ` [PATCH net-next v2 6/9] net: macsec: hardware offloading infrastructure Antoine Tenart
2019-08-10 13:20   ` Igor Russkikh
2019-08-13  8:58     ` Antoine Tenart
2019-08-13 13:17       ` Andrew Lunn
2019-08-13 16:18         ` Igor Russkikh
2019-08-13 16:28           ` Andrew Lunn
2019-08-14  8:32             ` Antoine Tenart
2019-08-14 23:28             ` Florian Fainelli
2019-08-16 13:26             ` Sabrina Dubroca
2019-08-20 10:03             ` Antoine Tenart
2019-08-14  8:31           ` Antoine Tenart
2019-08-16 13:29           ` Sabrina Dubroca
2019-08-20 10:01             ` Antoine Tenart [this message]
2019-08-20 14:41               ` Sabrina Dubroca
2019-08-21  0:01                 ` Andrew Lunn
2019-08-21  9:20                 ` Igor Russkikh
2019-08-21  9:27                   ` allan.nielsen
2019-08-21  9:24                 ` allan.nielsen
2019-08-21 10:01                 ` Antoine Tenart
2019-08-21 12:01                   ` Igor Russkikh
2019-08-16 13:25       ` Sabrina Dubroca
2019-08-20 10:07         ` Antoine Tenart
2019-08-10 16:34   ` Andrew Lunn
2019-08-12  8:15     ` Antoine Tenart
2019-08-13 11:46     ` Igor Russkikh
2019-08-08 14:05 ` [PATCH net-next v2 7/9] net: phy: export __phy_read_page/__phy_write_page Antoine Tenart
2019-08-08 14:05 ` [PATCH net-next v2 8/9] net: phy: mscc: macsec initialization Antoine Tenart
2019-08-10 16:53   ` Andrew Lunn
2019-08-12  8:12     ` Antoine Tenart
2019-08-08 14:06 ` [PATCH net-next v2 9/9] net: phy: mscc: macsec support Antoine Tenart
2019-08-09 11:23 ` [PATCH net-next v2 0/9] net: macsec: initial support for hardware offloading Allan W. Nielsen
2019-08-09 11:40   ` Antoine Tenart

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190820100140.GA3292@kwain \
    --to=antoine.tenart@bootlin.com \
    --cc=Igor.Russkikh@aquantia.com \
    --cc=Pavel.Belous@aquantia.com \
    --cc=Simon.Edelhaus@aquantia.com \
    --cc=alexandre.belloni@bootlin.com \
    --cc=allan.nielsen@microchip.com \
    --cc=andrew@lunn.ch \
    --cc=camelia.groza@nxp.com \
    --cc=davem@davemloft.net \
    --cc=f.fainelli@gmail.com \
    --cc=hkallweit1@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=sd@queasysnail.net \
    --cc=thomas.petazzoni@bootlin.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).