DPDK patches and discussions
 help / color / mirror / Atom feed
From: Akhil Goyal <akhil.goyal@nxp.com>
To: "Ananyev, Konstantin" <konstantin.ananyev@intel.com>,
	Hemant Agrawal <hemant.agrawal@nxp.com>,
	"dev@dpdk.org" <dev@dpdk.org>
Subject: Re: [dpdk-dev] [PATCH v6 2/3] ipsec: remove redundant replay_win_sz
Date: Wed, 6 Nov 2019 14:29:31 +0000	[thread overview]
Message-ID: <VE1PR04MB6639EB9B457B4516813A33ADE6790@VE1PR04MB6639.eurprd04.prod.outlook.com> (raw)
In-Reply-To: <2601191342CEEE43887BDE71AB97725801A8C811FB@IRSMSX104.ger.corp.intel.com>


> 
> > > > The rte_security lib has introduced replay_win_sz,
> > > > so it can be removed from the rte_ipsec lib.
> > > >
> > > > The relaved tests,app are also update to reflect
> > > > the usages.
> > > >
> > > > Note that esn and anti-replay fileds were earlier used
> > > > only for ipsec library, they were enabling the libipsec
> > > > by default. With this change esn and anti-replay setting
> > > > will not automatically enabled libipsec.
> > > >
> > > > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
> > > > Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
> > > > ---
> > > >  app/test/test_ipsec.c                  | 2 +-
> > > >  doc/guides/rel_notes/release_19_11.rst | 7 +++++--
> > > >  examples/ipsec-secgw/ipsec-secgw.c     | 5 -----
> > > >  examples/ipsec-secgw/ipsec.c           | 4 ++++
> > > >  examples/ipsec-secgw/sa.c              | 2 +-
> > > >  lib/librte_ipsec/Makefile              | 2 +-
> > > >  lib/librte_ipsec/meson.build           | 1 +
> > > >  lib/librte_ipsec/rte_ipsec_sa.h        | 6 ------
> > > >  lib/librte_ipsec/sa.c                  | 4 ++--
> > > >  9 files changed, 15 insertions(+), 18 deletions(-)
> > > >
> > > > diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c
> > > > index 4007eff19..7dc83fee7 100644
> > > > --- a/app/test/test_ipsec.c
> > > > +++ b/app/test/test_ipsec.c
> > > > @@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz,
> uint64_t
> > > flags)
> > > >
> > > >  	prm->userdata = 1;
> > > >  	prm->flags = flags;
> > > > -	prm->replay_win_sz = replay_win_sz;
> > > >
> > > >  	/* setup ipsec xform */
> > > >  	prm->ipsec_xform = ut_params->ipsec_xform;
> > > >  	prm->ipsec_xform.salt = (uint32_t)rte_rand();
> > > > +	prm->ipsec_xform.replay_win_sz = replay_win_sz;
> > > >
> > > >  	/* setup tunnel related fields */
> > > >  	prm->tun.hdr_len = sizeof(ipv4_outer);
> > > > diff --git a/doc/guides/rel_notes/release_19_11.rst
> > > b/doc/guides/rel_notes/release_19_11.rst
> > > > index dcae08002..0504a3443 100644
> > > > --- a/doc/guides/rel_notes/release_19_11.rst
> > > > +++ b/doc/guides/rel_notes/release_19_11.rst
> > > > @@ -369,10 +369,13 @@ ABI Changes
> > > >    align the Ethernet header on receive and all known encapsulations
> > > >    preserve the alignment of the header.
> > > >
> > > > -* security: A new field ''replay_win_sz'' has been added to the structure
> > > > +* security: The field ''replay_win_sz'' has been moved from ipsec library
> > > > +  based ''rte_ipsec_sa_prm'' structure to security library based structure
> > > >    ``rte_security_ipsec_xform``, which specify the Anti replay window size
> > > >    to enable sequence replay attack handling.
> > > >
> > > > +* ipsec: The field ''replay_win_sz'' has been removed from the structure
> > > > +  ''rte_ipsec_sa_prm'' as it has been added to the security library.
> > > >
> > > >  Shared Library Versions
> > > >  -----------------------
> > > > @@ -415,7 +418,7 @@ The libraries prepended with a plus sign were
> > > incremented in this version.
> > > >       librte_gso.so.1
> > > >       librte_hash.so.2
> > > >       librte_ip_frag.so.1
> > > > -     librte_ipsec.so.1
> > > > +   + librte_ipsec.so.2
> > > >       librte_jobstats.so.1
> > > >       librte_kni.so.2
> > > >       librte_kvargs.so.1
> > > > diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-
> > > secgw/ipsec-secgw.c
> > > > index b12936470..3b5aaf683 100644
> > > > --- a/examples/ipsec-secgw/ipsec-secgw.c
> > > > +++ b/examples/ipsec-secgw/ipsec-secgw.c
> > > > @@ -1424,9 +1424,6 @@ print_app_sa_prm(const struct app_sa_prm
> *prm)
> > > >  	printf("librte_ipsec usage: %s\n",
> > > >  		(prm->enable == 0) ? "disabled" : "enabled");
> > > >
> > > > -	if (prm->enable == 0)
> > > > -		return;
> > > > -
> > > >  	printf("replay window size: %u\n", prm->window_size);
> > > >  	printf("ESN: %s\n", (prm->enable_esn == 0) ? "disabled" : "enabled");
> > > >  	printf("SA flags: %#" PRIx64 "\n", prm->flags);
> > > > @@ -1495,11 +1492,9 @@ parse_args(int32_t argc, char **argv)
> > > >  			app_sa_prm.enable = 1;
> > > >  			break;
> > > >  		case 'w':
> > > > -			app_sa_prm.enable = 1;
> > >
> > > That actually will break lib-mode functional tests at:
> > > examples/ipsec-secgw/test/
> > > Due to my laziness I enabled in them library mode via '-w' option,
> > > as that moment legacy mode didn't support replay window...
> > > As these patches already applied, I'll send the fix in a new one in next few.
> >
> > No issues, I will squash your changes with the original patch as it is not applied
> > On master.
> 
> Ok, thanks.
> Patch at:
> http://patches.dpdk.org/patch/62540/ 

Removed the fixes line for this patch. Rebased the tree so that script patch is just after this patch.

Applied
> 
> >
> > >
> > > >  			app_sa_prm.window_size = parse_decimal(optarg);
> > > >  			break;
> > > >  		case 'e':
> > > > -			app_sa_prm.enable = 1;
> > > >  			app_sa_prm.enable_esn = 1;
> > > >  			break;
> > > >  		case 'a':
> > > > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
> > > > index d7761e966..d4b57121a 100644
> > > > --- a/examples/ipsec-secgw/ipsec.c
> > > > +++ b/examples/ipsec-secgw/ipsec.c
> > > > @@ -49,6 +49,8 @@ set_ipsec_conf(struct ipsec_sa *sa, struct
> > > rte_security_ipsec_xform *ipsec)
> > > >  		/* TODO support for Transport */
> > > >  	}
> > > >  	ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT;
> > > > +	ipsec->replay_win_sz = app_sa_prm.window_size;
> > > > +	ipsec->options.esn = app_sa_prm.enable_esn;
> > >
> > > Ok, but what to do for the devices that don't support esn or replay_win_sz?
> > > Should we add some check? Either to the app, or preferably into rte_security
> > > level at  rte_security_session_create()?
> >
> > Ideally app should check the capability of the device before setting it.
> 
> Yes... after another thought - as right now we do create session at run-time,
> probably we need to check these device capabilities at init stage and report an
> error.

Agreed

  reply	other threads:[~2019-11-06 14:29 UTC|newest]

Thread overview: 35+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-10-25  6:20 [dpdk-dev] [PATCH 1/2] security: add anti replay window size Hemant Agrawal
2019-10-25  6:20 ` [dpdk-dev] [PATCH 2/2] examples/ipsec-secgw: add support for replay win for lookaside Hemant Agrawal
2019-10-25 10:00 ` [dpdk-dev] [PATCH 1/2] security: add anti replay window size Ananyev, Konstantin
2019-10-25 15:56   ` Hemant Agrawal
2019-10-30  6:57 ` [dpdk-dev] [PATCH v2 " Hemant Agrawal
2019-10-30  6:57   ` [dpdk-dev] [PATCH v2 2/2] ipsec: remove redundant replay_win_sz Hemant Agrawal
2019-10-30  8:57   ` [dpdk-dev] [PATCH v3 1/2] security: add anti replay window size Hemant Agrawal
2019-10-30  8:57     ` [dpdk-dev] [PATCH v3 2/2] ipsec: remove redundant replay_win_sz Hemant Agrawal
2019-10-30 13:08       ` Ananyev, Konstantin
2019-10-31  4:54     ` [dpdk-dev] [PATCH v4 1/3] security: add anti replay window size Hemant Agrawal
2019-10-31  4:54       ` [dpdk-dev] [PATCH v4 2/3] ipsec: remove redundant replay_win_sz Hemant Agrawal
2019-10-31 10:21         ` Ananyev, Konstantin
2019-10-31  4:54       ` [dpdk-dev] [PATCH v4 3/3] crypto/dpaa2_sec: enable anti replay window config Hemant Agrawal
2019-10-31  6:29       ` [dpdk-dev] [PATCH v4 1/3] security: add anti replay window size Anoob Joseph
2019-10-31  7:30         ` Hemant Agrawal
2019-10-31 10:20       ` Ananyev, Konstantin
2019-10-31 13:15       ` [dpdk-dev] [PATCH v5 " Hemant Agrawal
2019-10-31 13:15         ` [dpdk-dev] [PATCH v5 2/3] ipsec: remove redundant replay_win_sz Hemant Agrawal
2019-11-05 22:01           ` Akhil Goyal
2019-11-06  5:16             ` Hemant Agrawal
2019-10-31 13:15         ` [dpdk-dev] [PATCH v5 3/3] crypto/dpaa2_sec: enable anti replay window config Hemant Agrawal
2019-11-05 22:07           ` Akhil Goyal
2019-11-06  5:16             ` Hemant Agrawal
2019-11-01  6:16         ` [dpdk-dev] [EXT] [PATCH v5 1/3] security: add anti replay window size Anoob Joseph
2019-11-01  9:48           ` Hemant Agrawal
2019-11-06  6:54         ` [dpdk-dev] [PATCH v6 " Hemant Agrawal
2019-11-06  6:54           ` [dpdk-dev] [PATCH v6 2/3] ipsec: remove redundant replay_win_sz Hemant Agrawal
2019-11-06  7:00             ` Akhil Goyal
2019-11-06 13:31             ` Ananyev, Konstantin
2019-11-06 13:40               ` Akhil Goyal
2019-11-06 14:27                 ` Ananyev, Konstantin
2019-11-06 14:29                   ` Akhil Goyal [this message]
2019-11-06  6:54           ` [dpdk-dev] [PATCH v6 3/3] crypto/dpaa2_sec: enable anti replay window config Hemant Agrawal
2019-11-06  7:02             ` Akhil Goyal
2019-11-06 13:15           ` [dpdk-dev] [PATCH v6 1/3] security: add anti replay window size Akhil Goyal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=VE1PR04MB6639EB9B457B4516813A33ADE6790@VE1PR04MB6639.eurprd04.prod.outlook.com \
    --to=akhil.goyal@nxp.com \
    --cc=dev@dpdk.org \
    --cc=hemant.agrawal@nxp.com \
    --cc=konstantin.ananyev@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).