From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by dpdk.space (Postfix) with ESMTP id 5DE1FA0471 for ; Thu, 20 Jun 2019 15:08:58 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 073331D398; Thu, 20 Jun 2019 15:08:57 +0200 (CEST) Received: from EUR03-DB5-obe.outbound.protection.outlook.com (mail-eopbgr40088.outbound.protection.outlook.com [40.107.4.88]) by dpdk.org (Postfix) with ESMTP id EAAD51D396 for ; Thu, 20 Jun 2019 15:08:55 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nxp.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=aUyLIN1Hc4ku2mwjhIGva0MRkH2Qfs0GgEi+bolUcuQ=; b=ZP60B5TYuFMwASCof+liF/ta20OgnSvlQFx0e8I5emaO+ZO9STPCGfeN2q2pjivxYtlnyrTAWRfS3Wza+Fa7Jgus24sFca0i/ZfyAbSgGjZQohzf2h75/gaqfizh4VRgUMLbLmGs8YW03pPFF1ydTvV44+RSNXU59DeM/fSc5kU= Received: from VE1PR04MB6639.eurprd04.prod.outlook.com (20.179.235.82) by VE1PR04MB6669.eurprd04.prod.outlook.com (20.179.235.141) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1987.11; Thu, 20 Jun 2019 13:08:54 +0000 Received: from VE1PR04MB6639.eurprd04.prod.outlook.com ([fe80::a929:3d03:7bb7:d5e0]) by VE1PR04MB6639.eurprd04.prod.outlook.com ([fe80::a929:3d03:7bb7:d5e0%7]) with mapi id 15.20.1987.014; Thu, 20 Jun 2019 13:08:54 +0000 From: Akhil Goyal To: Mariusz Drost , "radu.nicolau@intel.com" , "wenzhuo.lu@intel.com" , "konstantin.ananyev@intel.com" CC: "dev@dpdk.org" Thread-Topic: [PATCH 2/2] examples/ipsec-secgw: fix not working inline ipsec modes Thread-Index: AQHVGr3DdcEXM2VZZU+3H8wl2EMgbqakm8kA Date: Thu, 20 Jun 2019 13:08:53 +0000 Message-ID: References: <20190604100644.13724-1-mariuszx.drost@intel.com> <20190604100644.13724-3-mariuszx.drost@intel.com> In-Reply-To: <20190604100644.13724-3-mariuszx.drost@intel.com> Accept-Language: en-IN, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: spf=none (sender IP is ) smtp.mailfrom=akhil.goyal@nxp.com; x-originating-ip: [92.120.1.65] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: a9bce03e-4460-493b-cdad-08d6f58072b1 x-ms-office365-filtering-ht: Tenant x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(4618075)(2017052603328)(7193020); SRVR:VE1PR04MB6669; x-ms-traffictypediagnostic: VE1PR04MB6669: x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:10000; x-forefront-prvs: 0074BBE012 x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39860400002)(136003)(396003)(376002)(346002)(366004)(199004)(189003)(66066001)(81156014)(81166006)(6506007)(73956011)(110136005)(305945005)(66946007)(2906002)(6436002)(66476007)(66446008)(76176011)(53936002)(86362001)(64756008)(8676002)(7696005)(71190400001)(6246003)(8936002)(229853002)(99286004)(9686003)(68736007)(26005)(2501003)(55016002)(14454004)(5660300002)(6116002)(71200400001)(25786009)(486006)(186003)(76116006)(3846002)(476003)(33656002)(7736002)(66556008)(4326008)(74316002)(52536014)(11346002)(446003)(44832011)(102836004)(256004)(14444005)(316002)(478600001)(2201001)(21314003); DIR:OUT; SFP:1101; SCL:1; SRVR:VE1PR04MB6669; H:VE1PR04MB6639.eurprd04.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1; received-spf: None (protection.outlook.com: nxp.com does not designate permitted sender hosts) x-ms-exchange-senderadcheck: 1 x-microsoft-antispam-message-info: wMvhdwwieDTgft4J/kLgGViu7FiVr8iyXx8TyjzgOkLHYNKU05sP05PAaJ1ZjNJ+zG57+XztNpD+58+BEKY4Vb1Zw7mN4gBzl56koKocOJ+LUoHHAgUvCfnYax82NvWd3djPJZn1223scLZ8RY3sA2oNhs//u6MG+SvbXXjTtLcKY0fGCxL1bkg6ENrcj6IPR9CLAq6WR51ti3NvnfQ0zs+0shHYiJvJyo+kpXJj8n++PU4i+JohOlzjwai/Yhk0M925N7TbHolm3nJsR33ENEi2CuUxdWRA3d4VD/NWlU8Uef6tLWmJQ6u6bjmKAyWJDeUZB+y0PDuETWPKDSNo1mLq2B9aRF6q52z2etmgaLugieeQkqj0rJhCUT7OFYGt5slOg0YynLkE5EhxPPnsRQhAUCDJBV1T6LnVZw47KoQ= Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: nxp.com X-MS-Exchange-CrossTenant-Network-Message-Id: a9bce03e-4460-493b-cdad-08d6f58072b1 X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Jun 2019 13:08:54.3260 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 686ea1d3-bc2b-4c6f-a92c-d99c5c301635 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: akhil.goyal@nxp.com X-MS-Exchange-Transport-CrossTenantHeadersStamped: VE1PR04MB6669 Subject: Re: [dpdk-dev] [PATCH 2/2] examples/ipsec-secgw: fix not working inline ipsec modes X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Hi Marius, > Application ipsec-secgw is not working for IPv4 transport mode and for > IPv6 both transport and tunnel mode. >=20 > IPv6 tunnel mode is not working due to wrongly assigned fields of > security association patterns, as it was IPv4, during creation of > inline crypto session. >=20 > IPv6 and IPv4 transport mode is iterating through security capabilities > until it reaches tunnel, which causes session to be created as tunnel, > instead of transport. Another issue, is that config file does not > provide source and destination ip addresses for transport mode, which > are required by NIC to perform inline crypto. It uses default addresses > stored in security association (all zeroes), which causes dropped > packages. >=20 > To fix that, reorganization of code in create_session() is needed, > to behave appropriately to given protocol (IPv6/IPv4). Change in > iteration through security capabilities is also required, to check > for expected mode (not only tunnel). >=20 > For lack of addresses issue, some resolving mechanism is needed. > Approach is to store addresses in security association, as it is > for tunnel mode. Difference is that they are obtained from sp rules, > instead of config file. To do that, sp[4/6]_spi_present() function > is used to find addresses based on spi value, and then stored in > corresponding sa rule. This approach assumes, that every sp rule > for inline crypto have valid addresses, as well as range of addresses > is not supported. >=20 > New flags for ipsec_sa structure are required to distinguish between > IPv4 and IPv6 transport modes. Because of that, there is need to > change all checks done on these flags, so they work as expected. >=20 > Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload") > Fixes: 9a0752f498d2 ("net/ixgbe: enable inline IPsec") >=20 This is a very well written description. Thanks. This helps in review of th= e patch. I have a few small comments, rest all is fine. > Signed-off-by: Mariusz Drost > --- > examples/ipsec-secgw/esp.c | 12 +-- > examples/ipsec-secgw/ipsec.c | 19 +++-- > examples/ipsec-secgw/ipsec.h | 21 +++++- > examples/ipsec-secgw/sa.c | 142 ++++++++++++++++++++++++++--------- > examples/ipsec-secgw/sp4.c | 24 +++++- > examples/ipsec-secgw/sp6.c | 42 ++++++++++- > 6 files changed, 205 insertions(+), 55 deletions(-) >=20 > diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c > index f11d095ba..764e08dcf 100644 > --- a/examples/ipsec-secgw/esp.c > +++ b/examples/ipsec-secgw/esp.c > @@ -192,7 +192,7 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa > *sa, > } > } >=20 > - if (unlikely(sa->flags =3D=3D TRANSPORT)) { > + if (unlikely(IS_TRANSPORT(sa->flags))) { > ip =3D rte_pktmbuf_mtod(m, struct ip *); > ip4 =3D (struct ip *)rte_pktmbuf_adj(m, > sizeof(struct rte_esp_hdr) + sa->iv_len); > @@ -233,13 +233,13 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa > *sa, >=20 > ip4 =3D rte_pktmbuf_mtod(m, struct ip *); > if (likely(ip4->ip_v =3D=3D IPVERSION)) { > - if (unlikely(sa->flags =3D=3D TRANSPORT)) { > + if (unlikely(IS_TRANSPORT(sa->flags))) { > ip_hdr_len =3D ip4->ip_hl * 4; > nlp =3D ip4->ip_p; > } else > nlp =3D IPPROTO_IPIP; > } else if (ip4->ip_v =3D=3D IP6_VERSION) { > - if (unlikely(sa->flags =3D=3D TRANSPORT)) { > + if (unlikely(IS_TRANSPORT(sa->flags))) { > /* XXX No option headers supported */ > ip_hdr_len =3D sizeof(struct ip6_hdr); > ip6 =3D (struct ip6_hdr *)ip4; > @@ -258,13 +258,13 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa > *sa, > pad_len =3D pad_payload_len + ip_hdr_len - rte_pktmbuf_pkt_len(m); >=20 > RTE_ASSERT(sa->flags =3D=3D IP4_TUNNEL || sa->flags =3D=3D IP6_TUNNEL |= | > - sa->flags =3D=3D TRANSPORT); > + IS_TRANSPORT(sa->flags)); I can see that at multiple places, sa->flags are accessed without your defi= ned macros. Could you please update this at all places, so that it will be = uniform across the application. >=20 > if (likely(sa->flags =3D=3D IP4_TUNNEL)) > ip_hdr_len =3D sizeof(struct ip); > else if (sa->flags =3D=3D IP6_TUNNEL) > ip_hdr_len =3D sizeof(struct ip6_hdr); > - else if (sa->flags !=3D TRANSPORT) { > + else if (!IS_TRANSPORT(sa->flags)) { > RTE_LOG(ERR, IPSEC_ESP, "Unsupported SA flags: 0x%x\n", > sa->flags); > return -EINVAL; > @@ -291,7 +291,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa, > rte_prefetch0(padding); > } >=20 > - switch (sa->flags) { > + switch (WITHOUT_TRANSPORT_VERSION(sa->flags)) { I do not get the intent of this macro " WITHOUT_TRANSPORT_VERSION ". could = you explain this in comments or some better name of the macro. > case IP4_TUNNEL: > ip4 =3D ip4ip_outbound(m, sizeof(struct rte_esp_hdr) + sa->iv_len, > &sa->src, &sa->dst); Regards, Akhil