From: Anoob Joseph <anoobj@marvell.com>
To: "Ananyev, Konstantin" <konstantin.ananyev@intel.com>,
Akhil Goyal <gakhil@marvell.com>,
"Doherty, Declan" <declan.doherty@intel.com>,
"Zhang, Roy Fan" <roy.fan.zhang@intel.com>,
"hemant.agrawal@nxp.com" <hemant.agrawal@nxp.com>,
"ferruh.yigit@intel.com" <ferruh.yigit@intel.com>
Cc: Jerin Jacob Kollanukkaran <jerinj@marvell.com>,
Ankur Dwivedi <adwivedi@marvell.com>,
Tejasree Kondoj <ktejasree@marvell.com>,
"dev@dpdk.org" <dev@dpdk.org>,
Archana Muniganti <marchana@marvell.com>
Subject: Re: [dpdk-dev] [PATCH 2/2] lib/security: add SA lifetime configuration
Date: Mon, 2 Aug 2021 07:07:24 +0000 [thread overview]
Message-ID: <PH0PR18MB46725EF19EF2FED664B75B18DFEF9@PH0PR18MB4672.namprd18.prod.outlook.com> (raw)
In-Reply-To: <DM6PR11MB44913E42AE538B3A4C63CF169AEB9@DM6PR11MB4491.namprd11.prod.outlook.com>
Hi Konstantin,
> Subject: [EXT] RE: [PATCH 2/2] lib/security: add SA lifetime configuration
>
> External Email
>
> ----------------------------------------------------------------------
> Hi Anoob,
>
> > Now that we have an agreement on bitfields (hoping no one else has an
> > objection), I would like to discuss one more topic. It is more related to
> checksum offload, but it's better that we discuss along with other similar
> items (like soft expiry).
> >
> > L3 & L4 checksum can be tristate (CSUM_OK, CSUM_ERROR,
> CSUM_UNKOWN)
> >
> > 1. Application didn't request. Nothing computed.
> > 2. Application requested. Checksum verification success.
> > 3. Application requested. Checksum verification failed.
> > 4. Application requested. Checksum could not be computed (PMD
> limitations etc).
> >
> > How would we indicate each case?
> >
> > My proposal would be, let's call the field that we called "warning" as
> "aux_flags" (auxiliary or secondary information from the operation).
> >
> > Sequence in the application would be,
> >
> > if (op.status != SUCCESS) {
> > /* handle errors */
> > }
> >
> > #define RTE_SEC_IPSEC_AUX_FLAGS_L4_CHECKSUM_COMPUTED (1 << 0)
> #define
> > RTE_SEC_IPSEC_AUX_FLAGS_L4_CHECSUM_GOOD (1 << 1)
> >
> > if (op.aux_flags &
> RTE_SEC_IPSEC_AUX_FLAGS_L4_CHECKSUM_COMPUTED) {
> > if (op.aux_flags &
> RTE_SEC_IPSEC_AUX_FLAGS_L4_CHECSUM_GOOD)
> > mbuf->l4_checksum_good = 1;
> > else
> > mbuf->l4_checksum_good = 0;
> > } else {
> > if (verify_l4_checksum(mbuf) == SUCCESS) {
> > mbuf->l4_checksum_good = 1;
> > else
> > mbuf->l4_checksum_good = 0;
> > }
> >
> > For an application not worried about aux_flags (ex: ipsec-secgw),
> > additional checks are not required. For applications not interested in
> > checksum, a blind check on op.aux_flags would be enough to bail out early.
> For applications interested in checksum, it can follow above sequence (kinds,
> for demonstration purpose only).
> >
> > Would something like above fine? Or if we want to restrict additional
> > fields for just warnings, (L4_CHECKSUM_ERROR), how would application
> > differentiate between checksum good & checksum not computed? In that
> case, what should be PMDs treatment of "could not compute" v/s
> "computed and wrong".
>
> I am ok with what you suggest.
> My only thought - we already have CSUM flags in mbuf itself, so why not to
> use them instead to pass this information from crypto PMD to user?
> That way it would be compliant with ethdev CSUM approach and no need to
> spend
> 2 bits in 'aux_flags'.
> Konstantin
[Anoob] You are right. We do have CSUM flags in mbuf and that would fully suite our requirement here.
Our problem was, it's called PKT_RX_ and the description text refers to RX.
/**
* Mask of bits used to determine the status of RX IP checksum.
* - PKT_RX_IP_CKSUM_UNKNOWN: no information about the RX IP checksum
* - PKT_RX_IP_CKSUM_BAD: the IP checksum in the packet is wrong
* - PKT_RX_IP_CKSUM_GOOD: the IP checksum in the packet is valid
* - PKT_RX_IP_CKSUM_NONE: the IP checksum is not correct in the packet
* data, but the integrity of the IP header is verified.
*/
But if we overlook that (& may be update documentation), it's a rather great idea. We could use similar PKT_TX_* flags for requesting checksum generation with outbound operations (checksum generation for plain packet before IPsec processing).
/**
* Offload the IP checksum in the hardware. The flag PKT_TX_IPV4 should
* also be set by the application, although a PMD will only check
* PKT_TX_IP_CKSUM.
* - fill the mbuf offload information: l2_len, l3_len
*/
#define PKT_TX_IP_CKSUM (1ULL << 54)
/**
* Packet is IPv4. This flag must be set when using any offload feature
* (TSO, L3 or L4 checksum) to tell the NIC that the packet is an IPv4
* packet. If the packet is a tunneled packet, this flag is related to
* the inner headers.
*/
#define PKT_TX_IPV4 (1ULL << 55)
Do you think above might require some modifications to document behavior with lookaside IPsec?
Also, these flags are probably the best way for checksum for inner packet with inline IPsec. So this looks like overall better idea. Do you agree?
Thanks,
Anoob
next prev parent reply other threads:[~2021-08-02 7:07 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-20 5:46 [dpdk-dev] [PATCH 0/2] Improvements to rte_security Anoob Joseph
2021-07-20 5:46 ` [dpdk-dev] [PATCH 1/2] lib/security: add IV generation Anoob Joseph
2021-07-20 5:46 ` [dpdk-dev] [PATCH 2/2] lib/security: add SA lifetime configuration Anoob Joseph
2021-07-20 6:20 ` Anoob Joseph
2021-07-26 13:50 ` Ananyev, Konstantin
2021-07-26 15:50 ` Akhil Goyal
2021-07-27 11:40 ` Ananyev, Konstantin
2021-07-27 19:29 ` Akhil Goyal
2021-07-28 10:59 ` Ananyev, Konstantin
2021-07-28 12:58 ` Akhil Goyal
2021-07-28 14:38 ` Anoob Joseph
2021-07-29 10:23 ` Ananyev, Konstantin
2021-08-02 7:07 ` Anoob Joseph [this message]
2021-08-03 11:51 ` Ananyev, Konstantin
2021-08-03 12:03 ` Anoob Joseph
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=PH0PR18MB46725EF19EF2FED664B75B18DFEF9@PH0PR18MB4672.namprd18.prod.outlook.com \
--to=anoobj@marvell.com \
--cc=adwivedi@marvell.com \
--cc=declan.doherty@intel.com \
--cc=dev@dpdk.org \
--cc=ferruh.yigit@intel.com \
--cc=gakhil@marvell.com \
--cc=hemant.agrawal@nxp.com \
--cc=jerinj@marvell.com \
--cc=konstantin.ananyev@intel.com \
--cc=ktejasree@marvell.com \
--cc=marchana@marvell.com \
--cc=roy.fan.zhang@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).