From: Igor Russkikh <irusskikh@marvell.com>
To: Antoine Tenart <antoine.tenart@bootlin.com>
Cc: "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"David S . Miller" <davem@davemloft.net>,
Mark Starovoytov <mstarovoitov@marvell.com>,
"Dmitry Bogdanov" <dbogdanov@marvell.com>,
"sd@queasysnail.net" <sd@queasysnail.net>
Subject: RE: [EXT] Re: [RFC 00/18] net: atlantic: MACSec support for AQC devices
Date: Wed, 26 Feb 2020 08:12:31 +0000 [thread overview]
Message-ID: <BYAPR18MB2630CB1BE0BCD0878612F86BB7EA0@BYAPR18MB2630.namprd18.prod.outlook.com> (raw)
In-Reply-To: <20200221145751.GA3530@kwain>
> Hello Igor,
>
> Thanks for sending this series!
>
> Please Cc Sabrina Dubroca <sd@queasysnail.net> (the IEEE 802.1AE driver
> author) on such series.
>
> Antoine
Hi Antoine, thanks for reviewing this, your comments are all correct, will respin.
I'd also like to stress on the following patch:
> > 1) patch 0008:
> > multicast/broadcast when offloading is needed to handle ARP requests,
> > because they have broadcast destination address;
> > With this patch we also match and encrypt/decrypt packets between
> macsec
> > hw and realdev based on device's mac address.
> > This potentially can be used to support multiple macsec offloaded
> interfaces
> > on top of one realdev.
> > On some environments however this could lead to problems, e.g. bridge
> over
> > macsec configuration will expect packets with unknown src MAC
> > should come through macsec.
> > The patch is questionable, we've used it because our current hw setup
> and
> > requirements assumes decryption is only done based on mac address
> match.
> > This could be changed by encrypting/decripting all the traffic (except
> control).
We now basically see two different approaches on macsec traffic routing between the devices.
If HW supports per mac decryption rules, this could be used to implement multiple secy channels, all offloaded.
But macsec code then should use dst MAC to route decrypted packets to the correct macsec device.
Another usecase we have to support in our system is having a bridge device on top of macsec device. To support this
we had to encrypt/decrypt all the traffic against the single macsec dev (i.e. unconditionally, without mac addr filtering).
And this imposes a limitation of having only a single secy.
Internally, we now separate these usecases basically by private module param (not in this patchset).
But it'd be good to hear from you and possibly other users if these are legitimate configurations and
if this somehow should be supported in the offloading API.
Regards,
Igor
next prev parent reply other threads:[~2020-02-26 8:12 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-14 15:02 [RFC 00/18] net: atlantic: MACSec support for AQC devices Igor Russkikh
2020-02-14 15:02 ` [RFC 01/18] net: introduce the MACSEC netdev feature Igor Russkikh
2020-02-14 15:02 ` [RFC 02/18] net: add a reference to MACsec ops in net_device Igor Russkikh
2020-02-14 15:02 ` [RFC 03/18] net: macsec: allow to reference a netdev from a MACsec context Igor Russkikh
2020-02-14 15:02 ` [RFC 04/18] net: macsec: add support for offloading to the MAC Igor Russkikh
2020-02-14 15:02 ` [RFC 05/18] net: macsec: init secy pointer in macsec_context Igor Russkikh
2020-02-21 15:09 ` Antoine Tenart
2020-02-14 15:02 ` [RFC 06/18] net: macsec: invoke mdo_upd_secy callback when mac address changed Igor Russkikh
2020-02-21 15:07 ` Antoine Tenart
2020-02-14 15:02 ` [RFC 07/18] net: macsec: allow multiple macsec devices with offload Igor Russkikh
2020-02-14 15:02 ` [RFC 08/18] net: macsec: support multicast/broadcast when offloading Igor Russkikh
2020-02-14 15:02 ` [RFC 09/18] net: macsec: add support for getting offloaded stats Igor Russkikh
2020-02-21 17:48 ` Antoine Tenart
2020-02-14 15:02 ` [RFC 10/18] net: macsec: enable HW offloading by default (when available) Igor Russkikh
2020-02-21 18:04 ` Antoine Tenart
2020-02-14 15:02 ` [RFC 11/18] net: macsec: report real_dev features when HW offloading is enabled Igor Russkikh
2020-02-14 15:02 ` [RFC 12/18] net: atlantic: MACSec offload skeleton Igor Russkikh
2020-02-21 18:21 ` Antoine Tenart
2020-02-14 15:02 ` [RFC 13/18] net: atlantic: MACSec egress offload HW bindings Igor Russkikh
2020-02-14 15:02 ` [RFC 14/18] net: atlantic: MACSec egress offload implementation Igor Russkikh
2020-02-14 15:02 ` [RFC 15/18] net: atlantic: MACSec ingress offload HW bindings Igor Russkikh
2020-02-14 15:02 ` [RFC 16/18] net: atlantic: MACSec ingress offload implementation Igor Russkikh
2020-02-14 15:02 ` [RFC 17/18] net: atlantic: MACSec offload statistics HW bindings Igor Russkikh
2020-02-14 15:02 ` [RFC 18/18] net: atlantic: MACSec offload statistics implementation Igor Russkikh
2020-02-21 14:57 ` [RFC 00/18] net: atlantic: MACSec support for AQC devices Antoine Tenart
2020-02-26 8:12 ` Igor Russkikh [this message]
2020-02-26 15:50 ` [EXT] " Antoine Tenart
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=BYAPR18MB2630CB1BE0BCD0878612F86BB7EA0@BYAPR18MB2630.namprd18.prod.outlook.com \
--to=irusskikh@marvell.com \
--cc=antoine.tenart@bootlin.com \
--cc=davem@davemloft.net \
--cc=dbogdanov@marvell.com \
--cc=mstarovoitov@marvell.com \
--cc=netdev@vger.kernel.org \
--cc=sd@queasysnail.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).