From: Hemant Agrawal <hemant.agrawal@nxp.com>
To: Anoob Joseph <anoobj@marvell.com>, "dev@dpdk.org" <dev@dpdk.org>,
Akhil Goyal <akhil.goyal@nxp.com>
Cc: "konstantin.ananyev@intel.com" <konstantin.ananyev@intel.com>
Subject: Re: [dpdk-dev] [PATCH v4 1/3] security: add anti replay window size
Date: Thu, 31 Oct 2019 07:30:07 +0000 [thread overview]
Message-ID: <VI1PR0401MB2541526D3F18667F50643AFB89630@VI1PR0401MB2541.eurprd04.prod.outlook.com> (raw)
In-Reply-To: <MN2PR18MB2877DA2A353FC92472DA0744DF630@MN2PR18MB2877.namprd18.prod.outlook.com>
Hi Anoop,
> -----Original Message-----
> Hi Hemant,
>
> How would the PMD specify whether anit-replay is supported or not? Do you
> have plans to introduce it as a capability? Or do you expect the session
> creation to fail if the feature is not supported by underlying PMD and the anti
> replay window size is set.
[Hemant] We can add it as part of capability set.
I believe following should help:
uint32_t max_replay_win_sz;
Sending it as 0 will indicate the app that replay_win is not support.
>
> Thanks,
> Anoob
>
> > -----Original Message-----
> > From: dev <dev-bounces@dpdk.org> On Behalf Of Hemant Agrawal
> > Sent: Thursday, October 31, 2019 10:25 AM
> > To: dev@dpdk.org; akhil.goyal@nxp.com
> > Cc: konstantin.ananyev@intel.com; Hemant Agrawal
> > <hemant.agrawal@nxp.com>
> > Subject: [dpdk-dev] [PATCH v4 1/3] security: add anti replay window
> > size
> >
> > At present the ipsec xfrom is missing the important step to configure
> > the anti replay window size.
> > The newly added field will also help in to enable or disable the anti
> > replay checking, if available in offload by means of non-zero or zero value.
> >
> > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
> > ---
> > doc/guides/rel_notes/release_19_11.rst | 6 +++++-
> > lib/librte_security/Makefile | 2 +-
> > lib/librte_security/meson.build | 2 +-
> > lib/librte_security/rte_security.h | 4 ++++
> > 4 files changed, 11 insertions(+), 3 deletions(-)
> >
> > diff --git a/doc/guides/rel_notes/release_19_11.rst
> > b/doc/guides/rel_notes/release_19_11.rst
> > index ae8e7b2f0..0508ec545 100644
> > --- a/doc/guides/rel_notes/release_19_11.rst
> > +++ b/doc/guides/rel_notes/release_19_11.rst
> > @@ -365,6 +365,10 @@ ABI Changes
> > align the Ethernet header on receive and all known encapsulations
> > preserve the alignment of the header.
> >
> > +* security: A new field ''replay_win_sz'' has been added to the
> > +structure
> > + ``rte_security_ipsec_xform``, which specify the Anti replay window
> > +size
> > + to enable sequence replay attack handling.
> > +
> >
> > Shared Library Versions
> > -----------------------
> > @@ -437,7 +441,7 @@ The libraries prepended with a plus sign were
> > incremented in this version.
> > librte_reorder.so.1
> > librte_ring.so.2
> > + librte_sched.so.4
> > - librte_security.so.2
> > + + librte_security.so.3
> > librte_stack.so.1
> > librte_table.so.3
> > librte_timer.so.1
> > diff --git a/lib/librte_security/Makefile
> > b/lib/librte_security/Makefile index 6708effdb..6a268ee2a 100644
> > --- a/lib/librte_security/Makefile
> > +++ b/lib/librte_security/Makefile
> > @@ -7,7 +7,7 @@ include $(RTE_SDK)/mk/rte.vars.mk LIB =
> > librte_security.a
> >
> > # library version
> > -LIBABIVER := 2
> > +LIBABIVER := 3
> >
> > # build flags
> > CFLAGS += -O3
> > diff --git a/lib/librte_security/meson.build
> > b/lib/librte_security/meson.build index a5130d2f6..6fed01273 100644
> > --- a/lib/librte_security/meson.build
> > +++ b/lib/librte_security/meson.build
> > @@ -1,7 +1,7 @@
> > # SPDX-License-Identifier: BSD-3-Clause # Copyright(c) 2017-2019
> > Intel Corporation
> >
> > -version = 2
> > +version = 3
> > sources = files('rte_security.c')
> > headers = files('rte_security.h', 'rte_security_driver.h') deps +=
> > ['mempool', 'cryptodev'] diff --git
> > a/lib/librte_security/rte_security.h
> > b/lib/librte_security/rte_security.h
> > index aaafdfcd7..195ad5645 100644
> > --- a/lib/librte_security/rte_security.h
> > +++ b/lib/librte_security/rte_security.h
> > @@ -212,6 +212,10 @@ struct rte_security_ipsec_xform {
> > /**< Tunnel parameters, NULL for transport mode */
> > uint64_t esn_soft_limit;
> > /**< ESN for which the overflow event need to be raised */
> > + uint32_t replay_win_sz;
> > + /**< Anti replay window size to enable sequence replay attack
> handling.
> > + * replay checking is disabled if the window size is 0.
> > + */
> > };
> >
> > /**
> > --
> > 2.17.1
next prev parent reply other threads:[~2019-10-31 7:30 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-25 6:20 [dpdk-dev] [PATCH 1/2] " Hemant Agrawal
2019-10-25 6:20 ` [dpdk-dev] [PATCH 2/2] examples/ipsec-secgw: add support for replay win for lookaside Hemant Agrawal
2019-10-25 10:00 ` [dpdk-dev] [PATCH 1/2] security: add anti replay window size Ananyev, Konstantin
2019-10-25 15:56 ` Hemant Agrawal
2019-10-30 6:57 ` [dpdk-dev] [PATCH v2 " Hemant Agrawal
2019-10-30 6:57 ` [dpdk-dev] [PATCH v2 2/2] ipsec: remove redundant replay_win_sz Hemant Agrawal
2019-10-30 8:57 ` [dpdk-dev] [PATCH v3 1/2] security: add anti replay window size Hemant Agrawal
2019-10-30 8:57 ` [dpdk-dev] [PATCH v3 2/2] ipsec: remove redundant replay_win_sz Hemant Agrawal
2019-10-30 13:08 ` Ananyev, Konstantin
2019-10-31 4:54 ` [dpdk-dev] [PATCH v4 1/3] security: add anti replay window size Hemant Agrawal
2019-10-31 4:54 ` [dpdk-dev] [PATCH v4 2/3] ipsec: remove redundant replay_win_sz Hemant Agrawal
2019-10-31 10:21 ` Ananyev, Konstantin
2019-10-31 4:54 ` [dpdk-dev] [PATCH v4 3/3] crypto/dpaa2_sec: enable anti replay window config Hemant Agrawal
2019-10-31 6:29 ` [dpdk-dev] [PATCH v4 1/3] security: add anti replay window size Anoob Joseph
2019-10-31 7:30 ` Hemant Agrawal [this message]
2019-10-31 10:20 ` Ananyev, Konstantin
2019-10-31 13:15 ` [dpdk-dev] [PATCH v5 " Hemant Agrawal
2019-10-31 13:15 ` [dpdk-dev] [PATCH v5 2/3] ipsec: remove redundant replay_win_sz Hemant Agrawal
2019-11-05 22:01 ` Akhil Goyal
2019-11-06 5:16 ` Hemant Agrawal
2019-10-31 13:15 ` [dpdk-dev] [PATCH v5 3/3] crypto/dpaa2_sec: enable anti replay window config Hemant Agrawal
2019-11-05 22:07 ` Akhil Goyal
2019-11-06 5:16 ` Hemant Agrawal
2019-11-01 6:16 ` [dpdk-dev] [EXT] [PATCH v5 1/3] security: add anti replay window size Anoob Joseph
2019-11-01 9:48 ` Hemant Agrawal
2019-11-06 6:54 ` [dpdk-dev] [PATCH v6 " Hemant Agrawal
2019-11-06 6:54 ` [dpdk-dev] [PATCH v6 2/3] ipsec: remove redundant replay_win_sz Hemant Agrawal
2019-11-06 7:00 ` Akhil Goyal
2019-11-06 13:31 ` Ananyev, Konstantin
2019-11-06 13:40 ` Akhil Goyal
2019-11-06 14:27 ` Ananyev, Konstantin
2019-11-06 14:29 ` Akhil Goyal
2019-11-06 6:54 ` [dpdk-dev] [PATCH v6 3/3] crypto/dpaa2_sec: enable anti replay window config Hemant Agrawal
2019-11-06 7:02 ` Akhil Goyal
2019-11-06 13:15 ` [dpdk-dev] [PATCH v6 1/3] security: add anti replay window size Akhil Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=VI1PR0401MB2541526D3F18667F50643AFB89630@VI1PR0401MB2541.eurprd04.prod.outlook.com \
--to=hemant.agrawal@nxp.com \
--cc=akhil.goyal@nxp.com \
--cc=anoobj@marvell.com \
--cc=dev@dpdk.org \
--cc=konstantin.ananyev@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).