From: Thomas Monjalon <thomas@monjalon.net>
To: Akhil Goyal <akhil.goyal@nxp.com>
Cc: dev@dpdk.org, borisp@mellanox.com, declan.doherty@intel.com,
radu.nicolau@intel.com, aviadye@mellanox.com,
sandeep.malik@nxp.com, hemant.agrawal@nxp.com,
pablo.de.lara.guarch@intel.com
Subject: Re: [dpdk-dev] [RFC PATCH 0/1] IPSec Inline and look aside crypto offload
Date: Thu, 31 Aug 2017 12:06:00 +0200 [thread overview]
Message-ID: <7410549.rg854U5vhU@xps> (raw)
In-Reply-To: <48311141-8bb2-d816-bac8-8a5bb3fd7dee@nxp.com>
31/08/2017 11:37, Akhil Goyal:
> On 8/29/2017 8:19 PM, Thomas Monjalon wrote:
> > 25/07/2017 13:21, Akhil Goyal:
> >> These are very similar to what Declan proposed with a few additions.
> >> This can be updated further for other security protocols like MACSec and DTLS
> >
> > You should avoid referencing another proposal without
> > - link to the proposal
> > - summary of the proposal
> The link is not mentioned in the cover note but the patches are sent in
> reply to the same thread that I have mentioned. If we see the complete
> thread, then there should not be any gap.
> >
> > [...]
> >> Now, after the application configures the session using above APIs, it needs to
> >> attach the session with the crypto_op in case the session is configured for
> >> crypto look aside protocol offload. For IPSec inline/ full protocol offload
> >> using NIC, the mbuf ol_flags can be set as per the RFC suggested by Boris.
> >
> > Again a missing reference (link + summary).
> >
> > Even worst, the RFCv2 references this v1 without copying the explanations.
> > It is too hard to track, or maybe it is cryptic on purpose ;)
> Same comment, patches are sent within the same thread.
> Please let me know what is not clear with the thread.
>
> Also, I would take care about this comment, that I need to copy the
> content of previous versions, in my future patches.
>
> As this was an RFC series of patches, the content may not 100% stable,
> and things may get finalized during the course of development across
> Intel/NXP/Mellanox and may be others.
>
> As per my understanding all the information is there in the complete
> thread and nothing looks cryptic to me.
I am sure nothing looks cryptic to you :)
But you are not writing it for yourself. My feedback is that it would be
easier to read if you summarize the whole status in the same cover letter.
You are free to consider my feedback or not.
> > [...]
> >> Now the application(ipsec-secgw) have 4 paths to decide for the data path.
> >> 1. Non-protocol offload (currently implemented)
> >> 2. IPSec inline(only crypto operations using NIC)
> >> 3. full protocol offload(crypto operations along with all the IPsec header
> >> and trailer processing using NIC)
> >> 4. look aside protocol offload(single-pass encryption and authentication with
> >> additional levels of protocol processing offload using crypto device)
> >
> > I feel these 4 paths are the most important to discuss.
> > Unfortunately there are not enough detailed.
> > Please explain the purpose and implementation of each one.
> Yes these are 4 paths which can be used for IPSEC.
> 1. Non protocol offload(RTE_SECURITY_SESS_NONE) - the existing
> application works on this path, the crypto devices perform the crypto
> operations without protocol knowledge.
This mode is when using cryptodev API, right?
Are you proposing to use rte_security as a simple wrapper of cryptodev
in the mode RTE_SECURITY_SESS_NONE?
> 2. Ipsec inline(RTE_SECURITY_SESS_ETH_INLINE_CRYPTO) - This is when the
> crypto operations are performed by ethernet device instead of crypto
> device. This is also without protocol knowledge inside the ethernet device
If the ethernet device can act as a crypto device, this function
should be offered via the cryptodev interface.
How is it different from mode RTE_SECURITY_SESS_NONE?
Is there direct Rx/Tx involved in this mode?
> 3. full protocol offload(RTE_SECURITY_SESS_ETH_PROTO_OFFLOAD) - This is
> same as 2 but with protocol support in the ethernet device.
Is there direct Rx/Tx in RTE_SECURITY_SESS_ETH_PROTO_OFFLOAD?
> 4. look aside protocol offload(RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD) -
> This is same as 1 but with protocol support in crypto device.
Who is responsible for Rx/Tx in RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD?
[...]
> >> The application can decide using the below action types
> >> enum rte_security_session_action_type {
> >> RTE_SECURITY_SESS_ETH_INLINE_CRYPTO,
> >> /**< Crypto operations are performed by Network interface */
> >
> > In this mode, the ethdev port does the same thing as a crypto port?
>
> not exactly everything. In this mode, only cipher and auth operations
> are performed by the eth device. No intelligence about the protocol is
> done. This is similar to what the current implementation do with the
> crypto device(Non protocol offload).
Are you saying no but yes?
I say "ethdev port does the same thing as a crypto port"
You say "similar to what the current implementation do with the crypto device"
> >> RTE_SECURITY_SESS_ETH_PROTO_OFFLOAD,
> >> /**< Crypto operations with protocol support are performed
> >> * by Network/ethernet device.
> >> */
> >> RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD,
> >> /**< Crypto operations with protocol support are performed
> >> * by Crypto device.
> >> */
> >
> > I guess the difference between ETH_PROTO_OFFLOAD and CRYPTO_PROTO_OFFLOAD
> > is that we must re-inject packets from CRYPTO_PROTO_OFFLOAD to the NIC?
>
> yes
OK
Who is responsible to re-inject packets from CRYPTO_PROTO_OFFLOAD to the NIC?
> >> RTE_SECURITY_SESS_NONE
> >> /**< Non protocol offload. Application need to manage everything */
> >> };
> >
> > What RTE_SECURITY_SESS_NONE does? It is said to be implemented above.
>
> It is non protocol offload mentioned above.
How is it different from using cryptodev?
next prev parent reply other threads:[~2017-08-31 10:06 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-10 7:35 [dpdk-dev] [RFC 0/7] ipsec inline Boris Pismenny
2017-07-10 7:35 ` [dpdk-dev] [RFC 1/7] ethdev: add device ipsec encrypt/decrypt capability flags Boris Pismenny
2017-07-10 7:35 ` [dpdk-dev] [RFC 2/7] ethdev: Add ESP header to generic flow steering Boris Pismenny
2017-07-10 7:35 ` [dpdk-dev] [RFC 3/7] ethdev: add rte flow action for crypto Boris Pismenny
2017-07-10 7:35 ` [dpdk-dev] [RFC 4/7] cryptodev: add ipsec xform Boris Pismenny
2017-07-10 7:35 ` [dpdk-dev] [RFC 5/7] mbuf: Add IPsec crypto flags Boris Pismenny
2017-07-10 7:35 ` [dpdk-dev] [RFC 6/7] mbuf: Added next_esp_proto field Boris Pismenny
2017-07-10 7:35 ` [dpdk-dev] [RFC 7/7] example/ipsec_gw: Support SA offload in datapath Boris Pismenny
2017-07-11 17:06 ` [dpdk-dev] [RFC 0/7] ipsec inline Declan Doherty
2017-07-12 14:08 ` Boris Pismenny
2017-07-14 11:12 ` Akhil Goyal
2017-07-25 11:21 ` [dpdk-dev] [RFC PATCH 0/1] IPSec Inline and look aside crypto offload Akhil Goyal
2017-07-25 11:21 ` [dpdk-dev] [RFC PATCH 1/1] rte_security: proposal Akhil Goyal
2017-07-26 13:46 ` [dpdk-dev] [RFC PATCH 0/1] IPSec Inline and look aside crypto offload Declan Doherty
2017-08-02 13:16 ` Hemant Agrawal
2017-08-03 11:25 ` Akhil Goyal
2017-08-15 6:35 ` [dpdk-dev] [RFC PATCH v2 0/4] " Akhil Goyal
2017-08-15 6:35 ` [dpdk-dev] [RFC PATCH 1/4] rte_security: API definitions Akhil Goyal
2017-08-15 11:04 ` Radu Nicolau
2017-08-16 7:39 ` Akhil Goyal
2017-08-16 15:40 ` Hemant Agrawal
2017-08-18 9:16 ` Thomas Monjalon
2017-08-18 12:20 ` Hemant Agrawal
2017-08-21 10:32 ` Boris Pismenny
2017-08-21 10:54 ` Akhil Goyal
2017-08-15 6:35 ` [dpdk-dev] [RFC PATCH 2/4] cryptodev: entend cryptodev to support security APIs Akhil Goyal
2017-08-15 6:35 ` [dpdk-dev] [RFC PATCH 3/4] crypto/dpaa2_sec: add support for protocol offload ipsec Akhil Goyal
2017-08-15 6:35 ` [dpdk-dev] [RFC PATCH 4/4] example/ipsec-secgw: add support for offloading crypto op Akhil Goyal
2017-08-29 14:49 ` [dpdk-dev] [RFC PATCH 0/1] IPSec Inline and look aside crypto offload Thomas Monjalon
2017-08-31 9:37 ` Akhil Goyal
2017-08-31 10:06 ` Thomas Monjalon [this message]
2017-08-31 10:52 ` Akhil Goyal
2017-08-31 13:14 ` Thomas Monjalon
2017-08-31 14:09 ` Radu Nicolau
2017-09-06 15:53 ` Jerin Jacob
2017-09-08 11:12 ` Akhil Goyal
2017-09-11 18:10 ` Jerin Jacob
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7410549.rg854U5vhU@xps \
--to=thomas@monjalon.net \
--cc=akhil.goyal@nxp.com \
--cc=aviadye@mellanox.com \
--cc=borisp@mellanox.com \
--cc=declan.doherty@intel.com \
--cc=dev@dpdk.org \
--cc=hemant.agrawal@nxp.com \
--cc=pablo.de.lara.guarch@intel.com \
--cc=radu.nicolau@intel.com \
--cc=sandeep.malik@nxp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).