From: Anoob Joseph
To: "Ananyev, Konstantin", Akhil Goyal, "Doherty, Declan", "Zhang, Roy Fan"
CC: Jerin Jacob Kollanukkaran, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal, "Nicolau, Radu", "Power, Ciara", Gagandeep Singh, "dev@dpdk.org"
Date: Fri, 17 Sep 2021 04:48:35 +0000
Subject: Re: [dpdk-dev] [PATCH v2 1/6] security: add SA lifetime configuration
References: <1629207767-262-1-git-send-email-anoobj@marvell.com> <1631032372-275-1-git-send-email-anoobj@marvell.com> <1631032372-275-2-git-send-email-anoobj@marvell.com>

Hi Konstantin,

Please see inline.

Thanks,
Anoob

> -----Original Message-----
> From: Ananyev, Konstantin
> Sent: Thursday, September 16, 2021 4:36 PM
> To: Anoob Joseph; Akhil Goyal; Doherty, Declan; Zhang, Roy Fan
> Cc: Jerin Jacob Kollanukkaran; Archana Muniganti; Tejasree Kondoj; Hemant Agrawal; Nicolau, Radu; Power, Ciara; Gagandeep Singh; dev@dpdk.org
> Subject: [EXT] RE: [PATCH v2 1/6] security: add SA lifetime configuration
>
> > Add SA lifetime configuration to register soft and hard expiry limits.
> > Expiry can be in units of number of packets or bytes. Crypto op status
> > is also updated to include new field, aux_flags, which can be used to
> > indicate cases such as soft expiry in case of lookaside protocol
> > operations.
> >
> > In case of soft expiry, the packets are successfully IPsec processed
> > but the soft expiry would indicate that SA needs to be reconfigured.
> > For inline protocol capable ethdev, this would result in an eth event
> > while for lookaside protocol capable cryptodev, this can be
> > communicated via `rte_crypto_op.aux_flags` field.
> >
> > In case of hard expiry, the packets will not be IPsec processed and
> > would result in error.
> >
> > Signed-off-by: Anoob Joseph
> > --- > > .../test_cryptodev_security_ipsec_test_vectors.h | 3 --- > > doc/guides/rel_notes/deprecation.rst | 5 ---- > > doc/guides/rel_notes/release_21_11.rst | 13 ++++++++++ > > examples/ipsec-secgw/ipsec.c | 2 +- > > examples/ipsec-secgw/ipsec.h | 2 +- > > lib/cryptodev/rte_crypto.h | 18 +++++++++++++- > > lib/security/rte_security.h | 28 ++++++++++++++= ++++++-- > > 7 files changed, 58 insertions(+), 13 deletions(-) > > > > diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h > > b/app/test/test_cryptodev_security_ipsec_test_vectors.h > > index ae9cd24..38ea43d 100644 > > --- a/app/test/test_cryptodev_security_ipsec_test_vectors.h > > +++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h
> > @@ -98,7 +98,6 @@ struct ipsec_test_data pkt_aes_128_gcm =3D { > > .proto =3D RTE_SECURITY_IPSEC_SA_PROTO_ESP, > > .mode =3D RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, > > .tunnel.type =3D RTE_SECURITY_IPSEC_TUNNEL_IPV4, > > - .esn_soft_limit =3D 0, > > .replay_win_sz =3D 0, > > }, > > > > @@ -195,7 +194,6 @@ struct ipsec_test_data pkt_aes_192_gcm =3D { > > .proto =3D RTE_SECURITY_IPSEC_SA_PROTO_ESP, > > .mode =3D RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, > > .tunnel.type =3D RTE_SECURITY_IPSEC_TUNNEL_IPV4, > > - .esn_soft_limit =3D 0, > > .replay_win_sz =3D 0, > > }, > > > > @@ -295,7 +293,6 @@ struct ipsec_test_data pkt_aes_256_gcm =3D { > > .proto =3D RTE_SECURITY_IPSEC_SA_PROTO_ESP, > > .mode =3D RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, > > .tunnel.type =3D RTE_SECURITY_IPSEC_TUNNEL_IPV4, > > - .esn_soft_limit =3D 0, > > .replay_win_sz =3D 0, > > }, > > > > diff --git a/doc/guides/rel_notes/deprecation.rst > > b/doc/guides/rel_notes/deprecation.rst > > index 76a4abf..6118f06 100644 > > --- a/doc/guides/rel_notes/deprecation.rst > > +++ b/doc/guides/rel_notes/deprecation.rst > > @@ -282,8 +282,3 @@ Deprecation Notices > > * security: The functions ``rte_security_set_pkt_metadata`` and > > ``rte_security_get_userdata`` will be made inline functions and addi= tional > > flags will be added in structure ``rte_security_ctx`` in DPDK 21.11. > > - > > -* cryptodev: The structure ``rte_crypto_op`` would be updated to > > reduce > > - reserved bytes to 2 (from 3), and use 1 byte to indicate warnings > > and other > > - information from the crypto/security operation. This field will be > > used to > > - communicate events such as soft expiry with IPsec in lookaside mode. > > diff --git a/doc/guides/rel_notes/release_21_11.rst > > b/doc/guides/rel_notes/release_21_11.rst > > index 9b14c84..0e3ed28 100644 > > --- a/doc/guides/rel_notes/release_21_11.rst > > +++ b/doc/guides/rel_notes/release_21_11.rst 
> > @@ -102,6 +102,13 @@ API Changes > > Also, make sure to start the actual text at the margin. > > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D > > > > +* cryptodev: use 1 reserved byte from ``rte_crypto_op`` for aux flags > > + > > + * Updated the structure ``rte_crypto_op`` to reduce reserved bytes > > + to > > + 2 (from 3), and use 1 byte to indicate warnings and other > > + information from the crypto/security operation. This field will be > > + used to communicate events such as soft expiry with IPsec in lookasi= de > mode. > > + > > > > ABI Changes > > ----------- > > @@ -123,6 +130,12 @@ ABI Changes > > * Added IPsec SA option to disable IV generation to allow known vect= or > > tests as well as usage of application provided IV on supported PMD= s. > > > > +* security: add IPsec SA lifetime configuration > > + > > + * Added IPsec SA lifetime configuration to allow applications to con= figure > > + soft and hard SA expiry limits. Limits can be either in units of p= ackets or > > + bytes. > > + > > > > Known Issues > > ------------ > > diff --git a/examples/ipsec-secgw/ipsec.c > > b/examples/ipsec-secgw/ipsec.c index 5b032fe..4868294 100644 > > --- a/examples/ipsec-secgw/ipsec.c > > +++ b/examples/ipsec-secgw/ipsec.c > > @@ -49,7 +49,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct > rte_security_ipsec_xform *ipsec) > > } > > /* TODO support for Transport */ > > } > > - ipsec->esn_soft_limit =3D IPSEC_OFFLOAD_ESN_SOFTLIMIT; > > + ipsec->life.packets_soft_limit =3D IPSEC_OFFLOAD_PKTS_SOFTLIMIT; > > ipsec->replay_win_sz =3D app_sa_prm.window_size; > > ipsec->options.esn =3D app_sa_prm.enable_esn; > > ipsec->options.udp_encap =3D sa->udp_encap; diff --git > > a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h index > > ae5058d..90c81c1 100644 > > --- a/examples/ipsec-secgw/ipsec.h > > +++ b/examples/ipsec-secgw/ipsec.h 
> > @@ -23,7 +23,7 @@ > > > > #define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */ > > > > -#define IPSEC_OFFLOAD_ESN_SOFTLIMIT 0xffffff00 > > +#define IPSEC_OFFLOAD_PKTS_SOFTLIMIT 0xffffff00 > > > > #define IV_OFFSET (sizeof(struct rte_crypto_op) + \ > > sizeof(struct rte_crypto_sym_op)) diff --git > > a/lib/cryptodev/rte_crypto.h b/lib/cryptodev/rte_crypto.h index > > fd5ef3a..d602183 100644 > > --- a/lib/cryptodev/rte_crypto.h > > +++ b/lib/cryptodev/rte_crypto.h > > @@ -66,6 +66,17 @@ enum rte_crypto_op_sess_type { }; > > > > /** > > + * Auxiliary flags to indicate additional info from the operation */ > > + > > +/** > > + * Auxiliary flags related to IPsec offload with RTE_SECURITY */
>
> Duplicate comments.

[Anoob] The proposal is to make auxiliary flags custom to operation. Like, flags related to IPsec offload may not be applicable for PDCP offload (and vice versa). But then, I agree these could be updated as we add new fields related to other kinds of operations. I'll drop the extra comments in the next version.

>
> > + > > +#define RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY (1 << 0) /**< > SA > > +soft expiry limit has been reached */ > > + > > +/** > > * Cryptographic Operation. > > * > > * This structure contains data relating to performing cryptographic > > @@ -93,7 +104,12 @@ struct rte_crypto_op { > > */ > > uint8_t sess_type; > > /**< operation session type */ > > - uint8_t reserved[3]; > > + uint8_t aux_flags; > > + /**< Operation specific auxiliary/additional flags. > > + * These flags carry additional information from the > > + * operation. Processing of the same is optional. > > + */ > > + uint8_t reserved[2]; > > /**< Reserved bytes to fill 64 bits for > > * future additions > > */ > > diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h > > index b4b6776..95c169d 100644 > > --- a/lib/security/rte_security.h > > +++ b/lib/security/rte_security.h
> > @@ -206,6 +206,30 @@ enum rte_security_ipsec_sa_direction { }; > > > > /** > > + * Configure soft and hard lifetime of an IPsec SA > > + * > > + * Lifetime of an IPsec SA would specify the maximum number of > > +packets or bytes > > + * that can be processed. IPsec operations would start failing once > > +any hard > > + * limit is reached. > > + * > > + * Soft limits can be specified to generate notification when the SA > > +is > > + * approaching hard limits for lifetime. For inline operations, > > +reaching soft > > + * expiry limit would result in raising an eth event for the same. > > +For lookaside > > + * operations, this would result in a warning returned in > > + * ``rte_crypto_op.aux_flags``. > > + */ > > +struct rte_security_ipsec_lifetime { > > + uint64_t packets_soft_limit; > > + /**< Soft expiry limit in number of packets */ > > + uint64_t bytes_soft_limit; > > + /**< Soft expiry limit in bytes */ > > + uint64_t packets_hard_limit; > > + /**< Soft expiry limit in number of packets */ > > + uint64_t bytes_hard_limit; > > + /**< Soft expiry limit in bytes */ > > +}; > > + > > +/** > > * IPsec security association configuration data. > > * > > * This structure contains data required to create an IPsec SA securit= y > session. > > @@ -225,8 +249,8 @@ struct rte_security_ipsec_xform { > > /**< IPsec SA Mode - transport/tunnel */ > > struct rte_security_ipsec_tunnel_param tunnel; > > /**< Tunnel parameters, NULL for transport mode */ > > - uint64_t esn_soft_limit; > > - /**< ESN for which the overflow event need to be raised */ > > + struct rte_security_ipsec_lifetime life; > > + /**< IPsec SA lifetime */ > > uint32_t replay_win_sz; > > /**< Anti replay window size to enable sequence replay attack > handling. > > * replay checking is disabled if the window size is 0. > > -- >=20 > Acked-by: Konstantin Ananyev >=20 > > 2.7.4
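
Review bot: In struct rte_security_ipsec_lifetime (lib/security/rte_security.h, hunk at -206,6 +206,30) the Doxygen comments on packets_hard_limit and bytes_hard_limit both read "Soft expiry limit", copied from the two soft-limit fields above them. They should read "Hard expiry limit in number of packets" and "Hard expiry limit in bytes". The block comment also does not say what a value of 0 means for any of the four fields. The test vectors in this patch drop ".esn_soft_limit = 0" and set nothing in its place, so zero-initialised limits become the default, and the header should state whether 0 disables a limit or expires the SA at once.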
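
Review bot: The aux_flags comment in struct rte_crypto_op (lib/cryptodev/rte_crypto.h, hunk at -93,7 +104,12) does not say who clears the field. The byte is taken out of reserved[3], so an application that reuses an op across enqueues could read a stale RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY unless the PMD writes aux_flags on every completion or the application zeroes it before enqueue; the comment should say which. "Processing of the same is optional" also needs a qualifier for this flag: the rte_security.h text in this patch says IPsec operations start failing once a hard limit is reached, and for lookaside sessions this flag is the only warning before that point.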
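
Review bot: In set_ipsec_conf() (examples/ipsec-secgw/ipsec.c, hunk at -49,7 +49,7) the rename keeps the value 0xffffff00 and sets only life.packets_soft_limit. The old field was documented as "ESN for which the overflow event need to be raised", so the constant was a sequence-number threshold; it is now a packet count in a uint64_t and is applied regardless of app_sa_prm.enable_esn two lines below. A comment on IPSEC_OFFLOAD_PKTS_SOFTLIMIT should explain why this value is kept, and whether the example deliberately leaves the hard limits and byte limits unset.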
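
Review bot: The release note added under "ABI Changes" in doc/guides/rel_notes/release_21_11.rst (hunk at -123,6 +130,12) describes only the new lifetime configuration and does not mention that esn_soft_limit is removed from struct rte_security_ipsec_xform. That removal is a source-level break, as the edits this same patch needs in ipsec-secgw and the test vectors show, so it should also be listed under "API Changes" with a pointer to life.packets_soft_limit as the replacement.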