From: "Ananyev, Konstantin"
To: "Drost, MariuszX", "Nicolau, Radu", "akhil.goyal@nxp.com", "Lu, Wenzhuo"
CC: "dev@dpdk.org"
Subject: Re: [dpdk-dev] [PATCH 2/2] examples/ipsec-secgw: fix not working inline ipsec modes
Date: Thu, 6 Jun 2019 10:43:46 +0000
Message-ID: <2601191342CEEE43887BDE71AB97725801688E0FFA@IRSMSX104.ger.corp.intel.com>
References: <20190604100644.13724-1-mariuszx.drost@intel.com> <20190604100644.13724-3-mariuszx.drost@intel.com>
In-Reply-To: <20190604100644.13724-3-mariuszx.drost@intel.com>
List-Id: DPDK patches and discussions

> -----Original Message-----
> From: Drost, MariuszX
> Sent: Tuesday, June 4, 2019 11:07 AM
> To: Nicolau, Radu; akhil.goyal@nxp.com; Lu, Wenzhuo; Ananyev, Konstantin
> Cc: dev@dpdk.org; Drost, MariuszX
> Subject: [PATCH 2/2] examples/ipsec-secgw: fix not working inline ipsec modes
>
> Application ipsec-secgw is not working for IPv4 transport mode and for
> IPv6 both transport and tunnel mode.
>
> IPv6 tunnel mode is not working due to wrongly assigned fields of
> security association patterns, as it was IPv4, during creation of
> inline crypto session.
>
> IPv6 and IPv4 transport mode is iterating through security capabilities
> until it reaches tunnel, which causes session to be created as tunnel,
> instead of transport. Another issue, is that config file does not
> provide source and destination ip addresses for transport mode, which
> are required by NIC to perform inline crypto.
> It uses default addresses stored in security association (all zeroes),
> which causes dropped packages.
>
> To fix that, reorganization of code in create_session() is needed,
> to behave appropriately to given protocol (IPv6/IPv4). Change in
> iteration through security capabilities is also required, to check
> for expected mode (not only tunnel).
>
> For lack of addresses issue, some resolving mechanism is needed.
> Approach is to store addresses in security association, as it is
> for tunnel mode. Difference is that they are obtained from sp rules,
> instead of config file. To do that, sp[4/6]_spi_present() function
> is used to find addresses based on spi value, and then stored in
> corresponding sa rule. This approach assumes, that every sp rule
> for inline crypto have valid addresses, as well as range of addresses
> is not supported.
>
> New flags for ipsec_sa structure are required to distinguish between
> IPv4 and IPv6 transport modes. Because of that, there is need to
> change all checks done on these flags, so they work as expected.
>
> Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload")
> Fixes: 9a0752f498d2 ("net/ixgbe: enable inline IPsec")
>
> Signed-off-by: Mariusz Drost
> ---

Acked-by: Konstantin Ananyev
Tested-by: Konstantin Ananyev

> --
> 2.17.1