From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) by dpdk.org (Postfix) with ESMTP id 369992B8B for ; Tue, 20 Nov 2018 02:05:02 +0100 (CET) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga006.jf.intel.com ([10.7.209.51]) by orsmga102.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 19 Nov 2018 17:05:01 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.56,254,1539673200"; d="scan'208";a="92465126" Received: from fmsmsx105.amr.corp.intel.com ([10.18.124.203]) by orsmga006.jf.intel.com with ESMTP; 19 Nov 2018 17:05:00 -0800 Received: from fmsmsx155.amr.corp.intel.com (10.18.116.71) by FMSMSX105.amr.corp.intel.com (10.18.124.203) with Microsoft SMTP Server (TLS) id 14.3.408.0; Mon, 19 Nov 2018 17:04:43 -0800 Received: from shsmsx151.ccr.corp.intel.com (10.239.6.50) by FMSMSX155.amr.corp.intel.com (10.18.116.71) with Microsoft SMTP Server (TLS) id 14.3.408.0; Mon, 19 Nov 2018 17:04:42 -0800 Received: from shsmsx103.ccr.corp.intel.com ([169.254.4.161]) by SHSMSX151.ccr.corp.intel.com ([169.254.3.199]) with mapi id 14.03.0415.000; Tue, 20 Nov 2018 09:03:59 +0800 From: "Zhang, Qi Z" To: "Ananyev, Konstantin" , "dev@dpdk.org" CC: "Ananyev, Konstantin" , "Awal, Mohammad Abdul" Thread-Topic: [dpdk-dev] [PATCH 6/9] ipsec: implement SA data-path API Thread-Index: AQHUfT6yqbaPhJeqq0izKA7k5vF6saVWnISQ Date: Tue, 20 Nov 2018 01:03:59 +0000 Message-ID: <039ED4275CED7440929022BC67E70611532E86A8@SHSMSX103.ccr.corp.intel.com> References: <1535129598-27301-1-git-send-email-konstantin.ananyev@intel.com> <1542326031-5263-7-git-send-email-konstantin.ananyev@intel.com> In-Reply-To: <1542326031-5263-7-git-send-email-konstantin.ananyev@intel.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiNjM0ODliOTEtOWU5OS00ZmIzLWFmODEtOGFhZDU5MjU1MjhlIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoiRWVSTmsxbEF3UzNHYWNLSng3QUo1b2FZUUVqaUQ2N2dcL0VSK29iT0NPWXRIdmlLajQrU2h3WnhtZklrNTFBZjQifQ== x-ctpclassification: CTP_NT dlp-product: dlpe-windows dlp-version: 11.0.400.15 dlp-reaction: no-action x-originating-ip: [10.239.127.40] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Subject: Re: [dpdk-dev] [PATCH 6/9] ipsec: implement SA data-path API X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Nov 2018 01:05:03 -0000 Hi Konstantin and Awal: =09 I have couple questions for this patch. please forgive me if they are obvious, since I don't have much insight on = IPsec, but I may work on related stuff in future :) > +static inline int32_t > +esp_outb_tun_pkt_prepare(struct rte_ipsec_sa *sa, rte_be64_t sqc, > + const uint64_t ivp[IPSEC_MAX_IV_QWORD], struct rte_mbuf *mb, > + union sym_op_data *icv) > +{ > + uint32_t clen, hlen, pdlen, pdofs, tlen; > + struct rte_mbuf *ml; > + struct esp_hdr *esph; > + struct esp_tail *espt; > + char *ph, *pt; > + uint64_t *iv; > + > + /* calculate extra header space required */ > + hlen =3D sa->hdr_len + sa->iv_len + sizeof(*esph); > + > + /* number of bytes to encrypt */ > + clen =3D mb->pkt_len + sizeof(*espt); > + clen =3D RTE_ALIGN_CEIL(clen, sa->pad_align); > + > + /* pad length + esp tail */ > + pdlen =3D clen - mb->pkt_len; > + tlen =3D pdlen + sa->icv_len; > + > + /* do append and prepend */ > + ml =3D rte_pktmbuf_lastseg(mb); > + if (tlen + sa->sqh_len + sa->aad_len > rte_pktmbuf_tailroom(ml)) > + return -ENOSPC; > + > + /* prepend header */ > + ph =3D rte_pktmbuf_prepend(mb, hlen); > + if (ph =3D=3D NULL) > + return -ENOSPC; > + > + /* append tail */ > + pdofs =3D ml->data_len; > + ml->data_len +=3D tlen; > + mb->pkt_len +=3D tlen; > + pt =3D rte_pktmbuf_mtod_offset(ml, typeof(pt), pdofs); > + > + /* update pkt l2/l3 len */ > + mb->l2_len =3D sa->hdr_l3_off; > + mb->l3_len =3D sa->hdr_len - sa->hdr_l3_off; > + > + /* copy tunnel pkt header */ > + rte_memcpy(ph, sa->hdr, sa->hdr_len); I didn't get this, my understand is:=20 for tunnel mode if an original packet is Eth + IP + UDP/TCP + data, =09 after encap, it should become =09 Eth + encap header (IP or IP + UDP) + ESP Header + IP + UDP/TCP + Data + E= SP Tailer... So after rte_pktmbuf_prepend shouldn't we do below 1) shift L2 HEAD (Eth) ahead=20 2) copy encap header and ESP header to the hole. ? But now we just copy the sa->hdr on the pre-pend space directly? What is th= e sa->hdr supposed to be? but no matter what is it, we encap everything bef= ore the packet? BTW, is UDP encapsulation also be considered here?, I didn't figure out how= a IP + UDP header should be configured with sa->hdr , sa->hdr_l3_off, sa->= hdr_len for this case > +static inline int > +esp_inb_tun_single_pkt_process(struct rte_ipsec_sa *sa, struct rte_mbuf > *mb, > + uint32_t *sqn) > +{ > + uint32_t hlen, icv_len, tlen; > + struct esp_hdr *esph; > + struct esp_tail *espt; > + struct rte_mbuf *ml; > + char *pd; > + > + if (mb->ol_flags & PKT_RX_SEC_OFFLOAD_FAILED) > + return -EBADMSG; > + > + icv_len =3D sa->icv_len; > + > + ml =3D rte_pktmbuf_lastseg(mb); > + espt =3D rte_pktmbuf_mtod_offset(ml, struct esp_tail *, > + ml->data_len - icv_len - sizeof(*espt)); What kind of mechanism is to guarantee that last segment will always cover = the esp tail?( data_len >=3D icv_len + sizeof (*espt)) Is that possible the esp tail be split into multi-segment for jumbo frames = caes? Thanks Qi