From: "Ananyev, Konstantin" <konstantin.ananyev@intel.com>
To: Akhil Goyal <akhil.goyal@nxp.com>, "dev@dpdk.org" <dev@dpdk.org>
Cc: "thomas@monjalon.net" <thomas@monjalon.net>,
"jerin.jacob@caviumnetworks.com" <jerin.jacob@caviumnetworks.com>,
"anoob.joseph@caviumnetworks.com"
<anoob.joseph@caviumnetworks.com>,
"Nicolau, Radu" <radu.nicolau@intel.com>,
"Doherty, Declan" <declan.doherty@intel.com>,
Hemant Agrawal <hemant.agrawal@nxp.com>
Subject: Re: [dpdk-dev] [PATCH] security: remove experimental tag
Date: Tue, 13 Nov 2018 15:36:03 +0000 [thread overview]
Message-ID: <2601191342CEEE43887BDE71AB977258010CE4A468@IRSMSX106.ger.corp.intel.com> (raw)
In-Reply-To: <VI1PR04MB489343B338C598206CF9A700E6C20@VI1PR04MB4893.eurprd04.prod.outlook.com>
> > >> -----Original Message-----
> > >> From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
> > >> Sent: Tuesday, November 13, 2018 11:28 AM
> > >> To: dev@dpdk.org
> > >> Cc: thomas@monjalon.net; Ananyev, Konstantin
> > >> <konstantin.ananyev@intel.com>; jerin.jacob@caviumnetworks.com;
> > >> anoob.joseph@caviumnetworks.com; Nicolau, Radu
> > >> <radu.nicolau@intel.com>; Doherty, Declan
> > >> <declan.doherty@intel.com>; Hemant Agrawal
> > >> <hemant.agrawal@nxp.com>; Akhil Goyal <akhil.goyal@nxp.com>
> > >> Subject: [PATCH] security: remove experimental tag
> > >>
> > >> rte_security has been experimental since DPDK 17.11 release.
> > >> Now the library has matured and expermental tag is removed in this
> > >> patch.
> > > I agree that it is present for a while in dpdk.org, but as I can see
> > > we still have unimplemented API here.
> > > Which makes me doubt that it is ok to remove experimental tag from it.
> > > Konstantin
> > 3 vendors(Intel/Cavium/NXP) have tested their PMDs on security and
> > made the changes that they need.
> > Which APIs are missing?
>
> What I am aware about:
> a) rte_security_ops. get_userdata
> [Akhil] I believe Cavium added some patches in ipsec-secgw app for its usage and I believe they do have implementation for that.
ipsec-secgw has some code that refers it, but at present moment there is no PMD in dpdk.org that supports it
(at least I can't find any).
> Also I
> cannot see any changes in rte_security for its support in PMDs.
Might be, but wouldn't you expect function to be at least implemented
to call it 'mature'?
>
> b) RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL
>
> [Akhil] Cavium supports it.
Might be, but again it is not in dpdk.org right now
(AFAIK it is planned for 19.02).
>
> c) rte_security_capability.ol_flags:
> RTE_SECURITY_PDCP_ORDERING_CAP
> RTE_SECURITY_PDCP_DUP_DETECT_CAP
>
> [Akhil] PDCP is not currently supported by any of the vendors except NXP and NXP do not support these capabilities.
> For this also, I don’t see any change in the library. It would be only PMD which needs to support it.
>
> RTE_SECURITY_TX_HW_TRAILER_OFFLOAD
> RTE_SECURITY_RX_HW_TRAILER_OFFLOAD
>
> [Akhil] Same here, these are all PMD capabilities which do not require any change in rte_security.
Without real implementation, how can we be certain about it?
Might be while implementing feature X we would realize that something else is needed.
Another question - what users who build their products on top of rte_security
have to do?
Should they include support for all these unimplemented capabilities into their
code or not?
Considering the fact, that right now there is no way for them to test/try it.
>
> >I believe addition of protocols is not an issue even if we remove
> >experimental tag.
>
> After another thought - it is probably unfair to keep whole lib as experimental because few things are missing.
> But I think things that are unimplemented (or related to them) need to stay in 'experimental' state.
>
> [Akhil] I do not foresee any changes in library, so I believe experimental is not required. Please correct me if this is incorrect understanding.
The only change I am personally plan to do in 19.02 -
add opaque userdata field into rte_security_session:
struct rte_security_session {
void *sess_private_data;
/**< Private session material */
+ uint64_t userdata;
+ /**< Opaque user defined data */
};
Might be in future extra changes would be needed to pass ipsec
sqn/replay_window data between HW/SW.
Not aware about any other changes.
Though these future changes is not my main concern.
After all we have a defined process for making changes into non-experimental API.
I just don't see how we can consider API that has un-implemented parts as a 'mature'.
Probably we have different views on what experimental/mature API means.
From my perspective to name it a 'mature' it needs to at least to be implemented and
tested (proved working), plus stable enough(not major changes coming).
Konstantin
next prev parent reply other threads:[~2018-11-13 15:36 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-13 11:28 Akhil Goyal
2018-11-13 11:49 ` Ananyev, Konstantin
2018-11-13 11:59 ` Akhil Goyal
2018-11-13 12:23 ` Ananyev, Konstantin
2018-11-13 12:41 ` Akhil Goyal
2018-11-13 15:36 ` Ananyev, Konstantin [this message]
2018-11-14 8:30 ` Hemant Agrawal
2018-11-14 8:53 ` Ananyev, Konstantin
2018-11-14 9:39 ` Joseph, Anoob
2018-11-14 12:40 ` Hemant Agrawal
2018-11-14 17:07 ` Boris Pismenny
2018-11-18 16:51 ` Thomas Monjalon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2601191342CEEE43887BDE71AB977258010CE4A468@IRSMSX106.ger.corp.intel.com \
--to=konstantin.ananyev@intel.com \
--cc=akhil.goyal@nxp.com \
--cc=anoob.joseph@caviumnetworks.com \
--cc=declan.doherty@intel.com \
--cc=dev@dpdk.org \
--cc=hemant.agrawal@nxp.com \
--cc=jerin.jacob@caviumnetworks.com \
--cc=radu.nicolau@intel.com \
--cc=thomas@monjalon.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).