From: "Ananyev, Konstantin"
To: Anoob Joseph, Akhil Goyal, "Doherty, Declan", "Zhang, Roy Fan"
CC: Jerin Jacob, Archana Muniganti, Tejasree Kondoj, "Hemant Agrawal", "Nicolau, Radu", "Power, Ciara", Gagandeep Singh, "dev@dpdk.org"
Date: Thu, 16 Sep 2021 11:06:26 +0000
Subject: Re: [dpdk-dev] [PATCH v2 1/6] security: add SA lifetime configuration

> Add SA lifetime configuration to register soft and hard expiry limits.
> Expiry can be in units of number of packets or bytes. Crypto op
> status is also updated to include new field, aux_flags, which can be
> used to indicate cases such as soft expiry in case of lookaside
> protocol operations.
>
> In case of soft expiry, the packets are successfully IPsec processed but
> the soft expiry would indicate that SA needs to be reconfigured. For
> inline protocol capable ethdev, this would result in an eth event while
> for lookaside protocol capable cryptodev, this can be communicated via
> `rte_crypto_op.aux_flags` field.
>
> In case of hard expiry, the packets will not be IPsec processed and
> would result in error.
>
> Signed-off-by: Anoob Joseph > --- > .../test_cryptodev_security_ipsec_test_vectors.h | 3 --- > doc/guides/rel_notes/deprecation.rst | 5 ---- > doc/guides/rel_notes/release_21_11.rst | 13 ++++++++++ > examples/ipsec-secgw/ipsec.c | 2 +- > examples/ipsec-secgw/ipsec.h | 2 +- > lib/cryptodev/rte_crypto.h | 18 +++++++++++++- > lib/security/rte_security.h | 28 ++++++++++++++++= ++++-- > 7 files changed, 58 insertions(+), 13 deletions(-) >=20 > diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/= test/test_cryptodev_security_ipsec_test_vectors.h > index ae9cd24..38ea43d 100644 > --- a/app/test/test_cryptodev_security_ipsec_test_vectors.h > +++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h > @@ -98,7 +98,6 @@ struct ipsec_test_data pkt_aes_128_gcm =3D { > .proto =3D RTE_SECURITY_IPSEC_SA_PROTO_ESP, > .mode =3D RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, > .tunnel.type =3D RTE_SECURITY_IPSEC_TUNNEL_IPV4, > - .esn_soft_limit =3D 0, > .replay_win_sz =3D 0, > }, >=20 > @@ -195,7 +194,6 @@ struct ipsec_test_data pkt_aes_192_gcm =3D { > .proto =3D RTE_SECURITY_IPSEC_SA_PROTO_ESP, > .mode =3D RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, > .tunnel.type =3D RTE_SECURITY_IPSEC_TUNNEL_IPV4, > - .esn_soft_limit =3D 0, > .replay_win_sz =3D 0, > }, >=20 > @@ -295,7 +293,6 @@ struct ipsec_test_data pkt_aes_256_gcm =3D { > .proto =3D RTE_SECURITY_IPSEC_SA_PROTO_ESP, > .mode =3D RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, > .tunnel.type =3D RTE_SECURITY_IPSEC_TUNNEL_IPV4, > - .esn_soft_limit =3D 0, > .replay_win_sz =3D 0, > }, >=20 > diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/= deprecation.rst > index 76a4abf..6118f06 100644 > --- a/doc/guides/rel_notes/deprecation.rst > +++ b/doc/guides/rel_notes/deprecation.rst 
> @@ -282,8 +282,3 @@ Deprecation Notices > * security: The functions ``rte_security_set_pkt_metadata`` and > ``rte_security_get_userdata`` will be made inline functions and additi= onal > flags will be added in structure ``rte_security_ctx`` in DPDK 21.11. > - > -* cryptodev: The structure ``rte_crypto_op`` would be updated to reduce > - reserved bytes to 2 (from 3), and use 1 byte to indicate warnings and = other > - information from the crypto/security operation. This field will be use= d to > - communicate events such as soft expiry with IPsec in lookaside mode. > diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_note= s/release_21_11.rst > index 9b14c84..0e3ed28 100644 > --- a/doc/guides/rel_notes/release_21_11.rst > +++ b/doc/guides/rel_notes/release_21_11.rst > @@ -102,6 +102,13 @@ API Changes > Also, make sure to start the actual text at the margin. > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D >=20 > +* cryptodev: use 1 reserved byte from ``rte_crypto_op`` for aux flags > + > + * Updated the structure ``rte_crypto_op`` to reduce reserved bytes to > + 2 (from 3), and use 1 byte to indicate warnings and other information = from > + the crypto/security operation. This field will be used to communicate = events > + such as soft expiry with IPsec in lookaside mode. > + >=20 > ABI Changes > ----------- > @@ -123,6 +130,12 @@ ABI Changes > * Added IPsec SA option to disable IV generation to allow known vector > tests as well as usage of application provided IV on supported PMDs. >=20 > +* security: add IPsec SA lifetime configuration > + > + * Added IPsec SA lifetime configuration to allow applications to confi= gure > + soft and hard SA expiry limits. Limits can be either in units of pac= kets or > + bytes. > + >=20 > Known Issues > ------------ 
> diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c > index 5b032fe..4868294 100644 > --- a/examples/ipsec-secgw/ipsec.c > +++ b/examples/ipsec-secgw/ipsec.c > @@ -49,7 +49,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security= _ipsec_xform *ipsec) > } > /* TODO support for Transport */ > } > - ipsec->esn_soft_limit =3D IPSEC_OFFLOAD_ESN_SOFTLIMIT; > + ipsec->life.packets_soft_limit =3D IPSEC_OFFLOAD_PKTS_SOFTLIMIT; > ipsec->replay_win_sz =3D app_sa_prm.window_size; > ipsec->options.esn =3D app_sa_prm.enable_esn; > ipsec->options.udp_encap =3D sa->udp_encap; > diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h > index ae5058d..90c81c1 100644 > --- a/examples/ipsec-secgw/ipsec.h > +++ b/examples/ipsec-secgw/ipsec.h > @@ -23,7 +23,7 @@ >=20 > #define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */ >=20 > -#define IPSEC_OFFLOAD_ESN_SOFTLIMIT 0xffffff00 > +#define IPSEC_OFFLOAD_PKTS_SOFTLIMIT 0xffffff00 >=20 > #define IV_OFFSET (sizeof(struct rte_crypto_op) + \ > sizeof(struct rte_crypto_sym_op)) > diff --git a/lib/cryptodev/rte_crypto.h b/lib/cryptodev/rte_crypto.h > index fd5ef3a..d602183 100644 > --- a/lib/cryptodev/rte_crypto.h > +++ b/lib/cryptodev/rte_crypto.h > @@ -66,6 +66,17 @@ enum rte_crypto_op_sess_type { > }; >=20 > /** > + * Auxiliary flags to indicate additional info from the operation > + */ > + > +/** > + * Auxiliary flags related to IPsec offload with RTE_SECURITY > + */ Duplicate comments. > + > +#define RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY (1 << 0) > +/**< SA soft expiry limit has been reached */ > + > +/** > * Cryptographic Operation. > * > * This structure contains data relating to performing cryptographic 
> @@ -93,7 +104,12 @@ struct rte_crypto_op { > */ > uint8_t sess_type; > /**< operation session type */ > - uint8_t reserved[3]; > + uint8_t aux_flags; > + /**< Operation specific auxiliary/additional flags. > + * These flags carry additional information from the > + * operation. Processing of the same is optional. > + */ > + uint8_t reserved[2]; > /**< Reserved bytes to fill 64 bits for > * future additions > */ > diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h > index b4b6776..95c169d 100644 > --- a/lib/security/rte_security.h > +++ b/lib/security/rte_security.h > @@ -206,6 +206,30 @@ enum rte_security_ipsec_sa_direction { > }; >=20 > /** > + * Configure soft and hard lifetime of an IPsec SA > + * > + * Lifetime of an IPsec SA would specify the maximum number of packets o= r bytes > + * that can be processed. IPsec operations would start failing once any = hard > + * limit is reached. > + * > + * Soft limits can be specified to generate notification when the SA is > + * approaching hard limits for lifetime. For inline operations, reaching= soft > + * expiry limit would result in raising an eth event for the same. For l= ookaside > + * operations, this would result in a warning returned in > + * ``rte_crypto_op.aux_flags``. > + */ > +struct rte_security_ipsec_lifetime { > + uint64_t packets_soft_limit; > + /**< Soft expiry limit in number of packets */ > + uint64_t bytes_soft_limit; > + /**< Soft expiry limit in bytes */ > + uint64_t packets_hard_limit; > + /**< Soft expiry limit in number of packets */ > + uint64_t bytes_hard_limit; > + /**< Soft expiry limit in bytes */ > +}; > + > +/** > * IPsec security association configuration data. > * > * This structure contains data required to create an IPsec SA security = session. 
> @@ -225,8 +249,8 @@ struct rte_security_ipsec_xform { > /**< IPsec SA Mode - transport/tunnel */ > struct rte_security_ipsec_tunnel_param tunnel; > /**< Tunnel parameters, NULL for transport mode */ > - uint64_t esn_soft_limit; > - /**< ESN for which the overflow event need to be raised */ > + struct rte_security_ipsec_lifetime life; > + /**< IPsec SA lifetime */ > uint32_t replay_win_sz; > /**< Anti replay window size to enable sequence replay attack handling. > * replay checking is disabled if the window size is 0. > -- Acked-by: Konstantin Ananyev > 2.7.4
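
Review bot: In examples/ipsec-secgw/ipsec.h the renamed `IPSEC_OFFLOAD_PKTS_SOFTLIMIT` keeps the value 0xffffff00 without a comment. That value is 256 below 2^32, which reads naturally as a sequence-number threshold; as a packet count assigned to the 64-bit `life.packets_soft_limit` in `set_ipsec_conf()` it deserves a one-line comment explaining the choice. The packet soft limit is also the only lifetime field this patch sets in the example, so a short remark that no hard or byte limit is configured would keep readers from copying it as a complete lifetime policy.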
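
Review bot: The `aux_flags` comment added to `struct rte_crypto_op` (lib/cryptodev/rte_crypto.h) does not say who initialises the byte. It is carved out of `reserved[3]`, and nothing in the hunk states whether the PMD writes the whole field on every completed op or only sets bits, nor whether the application must clear it before enqueue. Without that rule a reused op could carry a stale `RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY` bit, and an application that takes "Processing of the same is optional" at face value would ignore what the commit message describes as the soft-expiry notification for lookaside mode and only find out at the hard limit. Suggest documenting the reset rule next to the field, and whether the flags are meaningful when the op status is not success.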
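
Review bot: In the new `struct rte_security_ipsec_lifetime` (lib/security/rte_security.h) the doc comments on `packets_hard_limit` and `bytes_hard_limit` both say "Soft expiry limit", copied from the two fields above them; they should read "Hard expiry limit in number of packets" and "Hard expiry limit in bytes". The struct comment also does not say what a value of 0 means. The test vectors in this patch drop `.esn_soft_limit = 0` and leave `life` zero-initialised, so it is worth stating explicitly whether 0 disables a limit, and what a driver should do when a soft limit is set above its hard limit.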
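
Review bot: Replacing `esn_soft_limit` with `life` in `struct rte_security_ipsec_xform` removes a public field, but the release_21_11.rst text added by this patch only lists the lifetime configuration under ABI Changes and never mentions the removal. Suggest an API Changes entry naming `esn_soft_limit` as removed and `life.packets_soft_limit` as its replacement, with a sentence on the semantic change: the old comment described an ESN value at which the overflow event is raised, while the new field is a limit on the number of packets processed.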