From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from dpdk.org (dpdk.org [92.243.14.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 77D36A2EFC
	for <public@inbox.dpdk.org>; Thu, 19 Sep 2019 00:19:13 +0200 (CEST)
Received: from [92.243.14.124] (localhost [127.0.0.1])
	by dpdk.org (Postfix) with ESMTP id 279DA1D517;
	Thu, 19 Sep 2019 00:19:12 +0200 (CEST)
Received: from mga17.intel.com (mga17.intel.com [192.55.52.151])
 by dpdk.org (Postfix) with ESMTP id E15671D443
 for <dev@dpdk.org>; Thu, 19 Sep 2019 00:19:10 +0200 (CEST)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga008.jf.intel.com ([10.7.209.65])
 by fmsmga107.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
 18 Sep 2019 15:19:09 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.64,522,1559545200"; d="scan'208";a="181268356"
Received: from irsmsx152.ger.corp.intel.com ([163.33.192.66])
 by orsmga008.jf.intel.com with ESMTP; 18 Sep 2019 15:19:08 -0700
Received: from irsmsx105.ger.corp.intel.com ([169.254.7.164]) by
 IRSMSX152.ger.corp.intel.com ([169.254.6.150]) with mapi id 14.03.0439.000;
 Wed, 18 Sep 2019 23:19:07 +0100
From: "Ananyev, Konstantin" <konstantin.ananyev@intel.com>
To: Anoob Joseph <anoobj@marvell.com>, "Smoczynski, MarcinX"
 <marcinx.smoczynski@intel.com>, "akhil.goyal@nxp.com" <akhil.goyal@nxp.com>
CC: "dev@dpdk.org" <dev@dpdk.org>, Narayana Prasad Raju Athreya
 <pathreya@marvell.com>, Jerin Jacob Kollanukkaran <jerinj@marvell.com>,
 Archana Muniganti <marchana@marvell.com>
Thread-Topic: [dpdk-dev] [PATCH v2 0/3] examples/ipsec-secgw: add fallback
 session
Thread-Index: AQHVbey4eK1ocoT+m02CjRaKZhOAgacxHZ4AgAAhoACAAMB6oA==
Date: Wed, 18 Sep 2019 22:19:05 +0000
Message-ID: <2601191342CEEE43887BDE71AB9772580191966FFC@irsmsx105.ger.corp.intel.com>
References: <20190814204847.15600-1-marcinx.smoczynski@intel.com>
 <20190904141642.14820-1-marcinx.smoczynski@intel.com>
 <MN2PR18MB287794C6774A2E55E3214FC6DF8E0@MN2PR18MB2877.namprd18.prod.outlook.com>
 <2601191342CEEE43887BDE71AB9772580191966C6D@irsmsx105.ger.corp.intel.com>
 <MN2PR18MB28779572F08E15EA6F8FD41EDF8E0@MN2PR18MB2877.namprd18.prod.outlook.com>
In-Reply-To: <MN2PR18MB28779572F08E15EA6F8FD41EDF8E0@MN2PR18MB2877.namprd18.prod.outlook.com>
Accept-Language: en-IE, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiYzM0MzM1ZjQtNzVkNi00YzY4LWJmMDktMWQ4MjIzMjNmZWE5IiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoiNUpISDhTV0tzaTlheVNDRVVjdDN6RWI4NDJYVkl1VXF6YmM0RlBIakJpY0VmQTU2dWd2RDAyM3QxdG5iU3pDSiJ9
x-ctpclassification: CTP_NT
dlp-product: dlpe-windows
dlp-version: 11.2.0.6
dlp-reaction: no-action
x-originating-ip: [163.33.239.181]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [dpdk-dev] [PATCH v2 0/3] examples/ipsec-secgw: add fallback
 session
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>



Hi Anoob,

> > > Sorry for the late response. But how do you plan to handle "inline pr=
otocol"
> > processed packets?
> >
> > Right now that feature is supported for "inline crypto" only.
>=20
> [Anoob] The description says "inline processed" packets. Hence the confus=
ion.
>=20
> > For the case when SA doesn't enable replay window and/or ESN current
> > patch should also work for "inline proto" too, but this is just my
> > understanding (not tested, etc.).
>=20
> [Anoob] In case of inline ipsec processing, the ipsec state (which would =
track sequence number etc) will be internal to the PMDs. So anti-
> replay/ESN would have to be done either in the h/w or PMD. This would mea=
n application will not have state information regarding ipsec
> processing. Hence fallback handling with the above scheme will not work i=
n that case.

Agree, that's why I wrote above that current wok might work for inline-prot=
o
*only* if replay window and ESN is disabled.=20

>=20
> To address this properly for inline protocol, we will have to come up wit=
h some logic to share session private data b/w "eligible" PMDs. This
> would involve library changes to rte_security, etc.

Again, totally agree.
As I remember we already discussed it about a year ago, but didn't come up =
with any concrete proposal.

> Once that is proposed, there will be one kind of handling for inline prot=
ocol processing
> and another kind for inline crypto processing. Would you be fine with tha=
t?

For sure something needs to be changed for inline-proto to sync replay-wind=
ow/ESN related data
between HW/PMD and SW.=20
What it should be - new function, or something else - hard to tell right no=
w.=20
Konstantin

>=20
> > Konstantin
> >
> > >
> > > Thanks,
> > > Anoob
> > >
> > > > -----Original Message-----
> > > > From: dev <dev-bounces@dpdk.org> On Behalf Of Marcin Smoczynski
> > > > Sent: Wednesday, September 4, 2019 7:47 PM
> > > > To: konstantin.ananyev@intel.com; akhil.goyal@nxp.com
> > > > Cc: dev@dpdk.org; Marcin Smoczynski <marcinx.smoczynski@intel.com>
> > > > Subject: [dpdk-dev] [PATCH v2 0/3] examples/ipsec-secgw: add
> > > > fallback session
> > > >
> > > > Inline processing is limited to a specified subset of traffic. It i=
s
> > > > often unable to handle more complicated situations, such as
> > > > fragmented traffic. When using inline processing such traffic is dr=
opped.
> > > >
> > > > Introduce multiple sessions per SA allowing to configure a fallback
> > > > lookaside session for packets that normally would be dropped.
> > > > A fallback session type in the SA configuration by adding 'fallback=
'
> > > > with 'lookaside-none' or 'lookaside-protocol' parameter to determin=
e
> > > > type of session.
> > > >
> > > > Fallback session feature is available only when using librte_ipsec.
> > > >
> > > > v1 to v2 changes:
> > > >  - disable fallback offload for outbound SAs
> > > >  - add test scripts
> > > >
> > > > Marcin Smoczynski (3):
> > > >   examples/ipsec-secgw: ipsec_sa structure cleanup
> > > >   examples/ipsec-secgw: add fallback session feature
> > > >   examples/ipsec-secgw: add offload fallback tests
> > > >
> > > >  doc/guides/sample_app_ug/ipsec_secgw.rst      |  17 +-
> > > >  examples/ipsec-secgw/esp.c                    |  35 ++--
> > > >  examples/ipsec-secgw/ipsec-secgw.c            |  16 +-
> > > >  examples/ipsec-secgw/ipsec.c                  |  99 ++++++-----
> > > >  examples/ipsec-secgw/ipsec.h                  |  61 +++++--
> > > >  examples/ipsec-secgw/ipsec_process.c          | 113 +++++++-----
> > > >  examples/ipsec-secgw/sa.c                     | 164 +++++++++++++-=
----
> > > >  .../test/trs_aesgcm_common_defs.sh            |   4 +-
> > > >  .../trs_aesgcm_inline_crypto_fallback_defs.sh |   5 +
> > > >  .../test/tun_aesgcm_common_defs.sh            |   6 +-
> > > >  .../tun_aesgcm_inline_crypto_fallback_defs.sh |   5 +
> > > >  11 files changed, 358 insertions(+), 167 deletions(-)  create mode
> > > > 100644
> > > > examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh
> > > >  create mode 100644 examples/ipsec-
> > > > secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh
> > > >
> > > > --
> > > > 2.21.0.windows.1