From: Radu Nicolau
To: Anoob Joseph, Akhil Goyal, Declan Doherty, Sergio Gonzalez Monroy
Cc: narayanaprasad.athreya@cavium.com, jerin.jacobkollanukkaran@cavium.com, dev@dpdk.org
Date: Mon, 13 Nov 2017 17:23:07 +0000
Subject: Re: [dpdk-dev] [PATCH] examples/ipsec-secgw: fix usage of incorrect port
Message-ID: <4fa0314b-a402-6588-621a-9374d3b90fa4@intel.com>
In-Reply-To: <1510589635-8868-1-git-send-email-anoob.joseph@cavium.com>
References: <1510589635-8868-1-git-send-email-anoob.joseph@cavium.com>

Hi,

Comments below

On 11/13/2017 4:13 PM, Anoob Joseph wrote:
> When security offload is enabled, the packet should be forwarded on the
> port configured in the SA. Security session will be configured on that
> port only, and sending the packet on other ports could result in
> unencrypted packets being sent out.
With a properly configured SP, SA and routing rule this will not happen,
so we don't need to do this fix to make up for a wrongly written
configuration file. I'm almost sure that the app will behave in the same
way (i.e. forward unencrypted) for lookaside crypto if the configuration
is incorrect.
>
> This would have performance improvements too, as the per packet LPM
> lookup would be avoided for IPsec packets, in inline mode.
Yes, there will be some performance gain, but not sure how much
considering that LPM lookup is reasonably fast.

So I'm not sure if ack or nack, maybe Sergio can give a second opinion.
But if ack, you will have to update the patch to include in the doc this
behavior, the port configured in the SA takes precedence over the one in
the routing rule.

Regards,
Radu