From: Tejasree Kondoj
To: Ori Kam, Asaf Penso, Stephen Hemminger
CC: Akhil Goyal, Radu Nicolau, Declan Doherty, NBU-Contact-Thomas Monjalon, Ferruh Yigit, Andrew Rybchenko, Jerin Jacob Kollanukkaran, Narayana Prasad Raju Athreya, Anoob Joseph, dev@dpdk.org
Date: Thu, 24 Sep 2020 10:07:31 +0000
Subject: Re: [dpdk-dev] [PATCH] ethdev: add security flow item
References: <20200910164441.7245-1-ktejasree@marvell.com> <20200910094558.0398145b@hermes.lan>
List-Id: DPDK patches and discussions

Hi Ori,

Please see inline.

Thanks,
Tejasree

> -----Original Message-----
> From: Ori Kam
> Sent: Thursday, September 24, 2020 3:22 PM
> Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow item
>
> Thanks,
> Ori
>
> > -----Original Message-----
> > From: Tejasree Kondoj
> > Sent: Thursday, September 24, 2020 8:31 AM
> >
> > Thanks,
> > Tejasree
> >
> > > -----Original Message-----
> > > From: Ori Kam
> > > Sent: Wednesday, September 23, 2020 8:00 PM
> > > Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > >
> > > Hi
> > >
> > > > -----Original Message-----
> > > > From: Tejasree Kondoj
> > > > Sent: Tuesday, September 22, 2020 5:18 PM
> > > > Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > > >
> > > > Hi Ori,
> > > >
> > > > Please see inline.
> > > >
> > > > Thanks,
> > > > Tejasree
> > > >
> > > > > -----Original Message-----
> > > > > From: Tejasree Kondoj
> > > > > Sent: Tuesday, September 22, 2020 2:37 PM
> > > > > Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > > > >
> > > > > Please see inline.
> > > > >
> > > > > Thanks
> > > > > Tejasree
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Ori Kam
> > > > > > Sent: Tuesday, September 22, 2020 1:22 PM
> > > > > > Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > > > > >
> > > > > > Hi
> > > > > > > -----Original Message-----
> > > > > > > From: Asaf Penso
> > > > > > > Sent: Monday, September 21, 2020 7:09 PM
> > > > > > > Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > > > > > >
> > > > > > > Regards,
> > > > > > > Asaf Penso
> > > > > > >
> > > > > > > >-----Original Message-----
> > > > > > > >From: Tejasree Kondoj
> > > > > > > >Sent: Monday, September 21, 2020 11:59 AM
> > > > > > > >Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > > > > > > >
> > > > > > > >Please see inline.
> > > > > > > >
> > > > > > > >Thanks
> > > > > > > >Tejasree
> > > > > > > >
> > > > > > > >> -----Original Message-----
> > > > > > > >> From: Asaf Penso
> > > > > > > >> Sent: Thursday, September 17, 2020 3:09 PM
> > > > > > > >> Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > > > > > > >>
> > > > > > > >> >-----Original Message-----
> > > > > > > >> >From: dev On Behalf Of Stephen Hemminger
> > > > > > > >> >Sent: Thursday, September 10, 2020 7:46 PM
> > > > > > > >> >Subject: Re: [dpdk-dev] [PATCH] ethdev: add security flow item
> > > > > > > >> >
> > > > > > > >> >On Thu, 10 Sep 2020 22:14:41 +0530 Tejasree Kondoj wrote:
> > > > > > > >> >
> > > > > > > >> >> Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to distinguish
> > > > > > > >> >> plain packets from IPsec decrypted plain packets.
> > > > > > > >> >>
> > > > > > > >> >> Signed-off-by: Tejasree Kondoj
> > > > > > > >> >
> > > > > > > >> >Please provide an implementation, API's without any
> > > > > > > >> >driver support should not be accepted.
> > > > > > > >> >
> > > > > > > >> >Also, we need a test for this.
> > > > > > > >
> > > > > > > >[Tejasree] We would like to defer the patch and add
> > > > > > > >implementation, test case in next cycle.
> > > > > > > >
> > > > > > > >>
> > > > > > > >> +1
> > > > > > > >> Also, I think the word SECURITY is too high-level, and if
> > > > > > > >> specifically you mention here an item for IPSec, perhaps
> > > > > > > >> you can consider renaming.
> > > > > > > >
> > > > > > > >[Tejasree] This item matches security processed packets and
> > > > > > > >not specific to IPsec.
> > > > > > > >Will change commit description as follows:
> > > > > > > >" Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to
> > > > > > > >match packets that were security processed. For example, in
> > > > > > > >case of inline IPsec, it can be used to distinguish plain
> > > > > > > >packets from IPsec decrypted plain packets"
> > > > > > > >Would that be fine?
> > > > > > >
> > > > > > > It would be more clear, yes, thank you, but in this case I
> > > > > > > suggest to have a field in the spec that you can match on it.
> > > > > > > For example, is it viable to know if the packet was
> > > > > > > processed by IPSec and not AES? Maybe you want to have 2
> > > > > > > flow with this new item, but still differentiate between the types.
> > > > > >
> > > > > > Why not use mark/tag/meta to set this value?
> > > > > > The application will insert a flow that sends to security and
> > > > > > mark the flow with some ID then the application can check this ID.
> > > > >
> > > > > [Tejasree] SECURITY itself wouldn't make distinction on protocol.
> > > > > It would be combined with MARK_ID to know if the packet was
> > > > > processed by IPsec and not AES.
> > > > >
> > > > > MARK_ID alone couldn't be used as we wouldn't know if it is
> > > > > plain packet or security processed plain packet.
> > > > >
> > > > > Rules would be as follows:
> > > > > Rule #1
> > > > > [ETH] [IP] [ESP] [SPI] → [SECURITY] [MARK_ID] [END]
> > > > > Rule #2
> > > > > [SECURITY] [MARK_ID] [ETH] [IP] → [QUEUE] [END]
> > > > >
> > > > > I don't understand why in rule #1 you can't have the mark value
> > > > > to also mark the security.
> > > > > From your patch I understand that security is just one bit This
> > > > > means that you can say if MSB bit in mark is set then it comes
> > > > > from security.
> > > >
> > > > [Tejasree] We can use MSB of MARK_ID but that would mean we would
> > > > be reserving it for security.
> > > >
> > > [Ori] but why does the PMD needs it? the application know what it
> > > needs so it can use it, It is the application decision to send to
> > > the security right? So it knows what values to set.
> > >
> > > Also the application can use tag or any other data item.
> > >
> > [Tejasree] PMD needs it to establish connection between security and
> > final action to be done (queue for example).
> >
> > First rule works on the outer packet where the inner packet would be
> > hidden by the protocol (like encrypted payload in IPsec) and the
> > second rule will act on the de-capsulated packet. So the packets
> > itself are different and we cannot have one rule.
> >
> > In IPsec it is valid (and a very trivial usage) to have one outer
> > flow constitute multiple inner flows. Without this, application will
> > not be able to configure hardware to treat inner flows differently.
> >
> Fully agree with you about the app needs to know if it passed security But
> this goes also for example simple tunnel where the app may decap the
> packet in the on the first flow and then do matching on the inner 5 tuple but
> it will need to know if the packet was decaped or what is the vni.
>
> So in your case the app will send traffic to security and mark it as one that
> was gone to security then in the second rule the app will match on the mark
> and do what it wants with it.
>
> I simply don't see why you need new metadata item just to mark if it passed
> security.
>

[Tejasree] Plain packets need to be differentiated from protocol processed ones.
In case of regular tunnel, it may or may not be required to differentiate. But with IPsec, it is mandatory to differentiate. So either we will need to reserve MSB of MARK_ID or allow SECURITY.

> > > > > > Best,
> > > > > > Ori
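
The "reserve MSB of MARK_ID" alternative debated in this thread, as an added stand-alone C model (not part of the original mail, not DPDK code and not taken from the patch): rule #1 marks packets that hit an SA, rule #2 steers on the mark plus the inner destination. The struct names, table contents, the `classify` helper and the bit layout are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the thread's two-rule pipeline; not DPDK code.
 * Assumption: the MSB of the 32-bit mark is reserved for "security processed". */
#define MARK_SEC_BIT 0x80000000u
#define MARK_ID_MASK 0x7fffffffu
#define N(a) (sizeof(a) / sizeof((a)[0]))

struct pkt {
    bool esp;           /* outer header is ESP */
    uint32_t spi;       /* ESP SPI, valid when esp is true */
    uint32_t inner_dst; /* inner (or plain) destination IPv4 address */
    uint32_t mark;      /* per-packet mark metadata */
};
struct sa_rule { uint32_t spi, mark_id; };               /* rule #1 */
struct inner_rule { uint32_t mark_id, dst; int queue; }; /* rule #2 */

/* Constructed tables: one SA (outer flow) carrying two inner flows. */
static const struct sa_rule sa_tbl[] = { { 0x100, 5 } };
static const struct inner_rule in_tbl[] = {
    { 5, 0x0a000001, 1 }, /* 10.0.0.1 via SPI 0x100 -> queue 1 */
    { 5, 0x0a000002, 2 }, /* 10.0.0.2 via SPI 0x100 -> queue 2 */
};

/* Rule #1: ESP + SPI hit -> inline decrypt (modelled by clearing esp)
 * and set the mark with the security bit. */
static void rule1_security(struct pkt *p)
{
    for (size_t i = 0; p->esp && i < N(sa_tbl); i++)
        if (sa_tbl[i].spi == p->spi) {
            p->mark = MARK_SEC_BIT | (sa_tbl[i].mark_id & MARK_ID_MASK);
            p->esp = false;
        }
}

/* Rule #2: needs the security bit, then mark ID + inner destination pick
 * the queue. Anything else falls through to default queue 0. */
static int rule2_queue(const struct pkt *p)
{
    for (size_t i = 0; !p->esp && (p->mark & MARK_SEC_BIT) && i < N(in_tbl); i++)
        if (in_tbl[i].mark_id == (p->mark & MARK_ID_MASK) &&
            in_tbl[i].dst == p->inner_dst)
            return in_tbl[i].queue;
    return 0;
}

/* Run both rules on a copy of the packet; return the queue it lands on. */
static int classify(struct pkt p)
{
    rule1_security(&p);
    return rule2_queue(&p);
}
```

A plain packet that carries mark value 5 without the reserved bit stays on the default queue, which is the distinction the thread says MARK_ID alone cannot express unless one bit is given up for it.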