To: Akhil Goyal, Anoob Joseph, Adrien Mazarguil, Declan Doherty, Pablo de Lara, Thomas Monjalon
Cc: Jerin Jacob Kollanukkaran, Narayana Prasad Raju Athreya, Ankur Dwivedi, Shahaf Shuler, Hemant Agrawal, Matan Azrad, Yongseok Koh, Wenzhuo Lu, Konstantin Ananyev, Radu Nicolau, dev@dpdk.org
References: <1563977848-30101-1-git-send-email-anoobj@marvell.com>
From: "Yigit, Ferruh"
Date: Tue, 8 Oct 2019 14:00:26 +0100
Subject: Re: [dpdk-dev] [RFC] ethdev: allow multiple security sessions to use one rte flow
List-Id: DPDK patches and discussions

On 8/19/2019 8:09 AM, Akhil Goyal wrote:
> Hi Anoob,
>>
>> Hi Akhil,
>>
>>>>>>>> The rte_security API which enables the inline protocol/crypto feature mandates that for every security session an rte_flow is created. This would internally translate to a rule in the hardware which would do packet classification.
>>>>>>>>
>>>>>>>> In rte_security, one SA would be one security session. And if an rte_flow needs to be created for every session, the number of SAs supported by an inline implementation would be limited by the number of rte_flows the PMD would be able to support.
>>>>>>>>
>>>>>>>> If the fields SPI & IP addresses are allowed to be a range, then this limitation can be overcome. Multiple flows will be able to use one rule for SECURITY processing. In this case, the security session provided as conf would be NULL.
>>>>>
>>>>> SPI values are normally used to uniquely identify the SA that needs to be applied on a particular flow. I believe the SPI value should not be a range for applying a particular SA or session.
>>>>>
>>>>> Plain packet IP addresses can be a range. That is not an issue. Multiple plain packet flows can use the same session/SA.
>>>>>
>>>>> Why do you feel that the security session provided should be NULL to support multiple flows? How will the keys and other SA related info be passed to the driver/HW?
>>>>
>>>> [Anoob] The SA configuration would be done via rte_security session. The proposal here only changes the 1:1 dependency of rte_flow and rte_security session.
>>>
>>> I don't see this dependency for rte_flow and security session. Multiple flows can be configured to use the same security session.
>>>
>>>> The h/w could use the SPI field in the received packet to identify the SA (ie, rte_security session). If the h/w allows to index into a table which holds SA information, then a per SPI rte_flow is not required. This is in fact our case. And for PMDs which don't do it this way, rte_flow_validate() would fail and then a per SPI rte_flow would require to be created.
>>>
>>> I am not able to understand the issue here. Flows are validated based on some pattern. You can identify the flow based on some parameter (currently it is spi in case of inline crypto and also your case). You can perform some action based on the security session that you have created before validating the flow, and that session creation is nowhere linked to the type of flow. You can use the same session for as many flows as you want.
>>>
>>>> In the present model, a security session is created, and then rte_flow will connect ESP packets with one SPI to one security session. Instead, when we create the security session, h/w can populate entries in a DB that would be accessed during data path handling. And the rte_flow could say, all SPI in some range gets inline processed with the security session identified with its SPI.
>>>>
>>>> Our PMD supports a limited number of flow entries but our h/w can do SA lookup without flow entries (using SPI instead). So the current approach of one flow per session is creating an artificial limit to the number of SAs that can be supported.
>>>
>>> Ok now I got it. You want to configure a single flow with multiple sessions in it. But defining a range in SPI and tunnel IP addresses does not make sense. In real world applications, sessions can be created and destroyed at any time with varied values of SPI and tunnel IPs. How can one put a range to that?
>>>
>>> I would rather say, you actually do not need the rte_flows to be configured for inline protocol processing. You have configured all the session info in the hw while creating the session and your H/W will be able to identify on the basis of the SPI value which it has stored in the DB and do all the processing.
>>
>> [Anoob] Yes. That is the model being followed right now. Concern is, whether this would be deviating from the spec. In other words, we could have devices which would need rte_flow for every rte_security session (ixgbe needs it for inline crypto), and then we could have devices which don't need per session rte_flow (which is our case). What do you think is the right approach for supporting both kinds of devices?
>
> The inline proto case is not using rte_flow at the moment. And as far as I understand, you also do not need rte_flow to be configured. Inline crypto cases are mainly for Intel and Mellanox cases which only supported inline crypto. For protocol offload cases, I don't feel we need rte_flow as all information related to ipsec is already there when we call the session create. Rte_flows are used for segregation of ethernet traffic for classification, which can be configured for various factors as well.
>
>>> What are the changes that you need in the ipsec-secgw for inline proto to work? There is no flow processing currently in the inline proto case. Will it not work as is for you?
>>
>> [Anoob] In ipsec-secgw, a default flow would be created per security enabled port with 'conf=NULL' & SPI = 'ANY'. Flow validate would be done to make sure the underlying PMD supports it. For PMDs which don't support this model, a per SA flow would be created.
>
> Why do you need that flow as well? You have all the information in the session already. You can process the packets based on that information. Isn't it? The current implementation in the application is good enough in my opinion.
>
>>> At least for NXP devices we are able to work as is without any issue.
>>
>> [Anoob] Just curious, would having such a dependency on rte_flow be an issue for NXP devices?
>
> As of now I do not have any comment on this. We are not using rte_flow in our work as of now. It is kind of a POC for us, we may not upstream it. This will depend on the changes that will be done.

Is there any follow up to the RFC? Is it still valid?
> >> >>> >>>> >>>>> >>>>>>>> >>>>>>>> Application should do an rte_flow_validate() to make sure the >>>>>>>> flow is supported on the PMD. >>>>>>>> >>>>>>>> Signed-off-by: Anoob Joseph >>>>>>>> --- >>>>>>>> lib/librte_ethdev/rte_flow.h | 6 ++++++ >>>>>>>> 1 file changed, 6 insertions(+) >>>>>>>> >>>>>>>> diff --git a/lib/librte_ethdev/rte_flow.h >>>>>>>> b/lib/librte_ethdev/rte_flow.h index f3a8fb1..4977d3c 100644 >>>>>>>> --- a/lib/librte_ethdev/rte_flow.h >>>>>>>> +++ b/lib/librte_ethdev/rte_flow.h >>>>>>>> @@ -1879,6 +1879,12 @@ struct rte_flow_action_meter { >>>>>>>> * direction. >>>>>>>> * >>>>>>>> * Multiple flows can be configured to use the same security >>> session. >>>>>>>> + * >>>>>>>> + * The NULL value is allowed for security session. If >>>>>>>> + security session is NULL, >>>>>>>> + * then SPI field in ESP flow item and IP addresses in flow >>>>>>>> + items 'IPv4' and >>>>>>>> + * 'IPv6' will be allowed to be a range. The rule thus >>>>>>>> + created can enable >>>>>>>> + * SECURITY processing on multiple flows. >>> >>> What you intent here is " The rule thus created can enable multiple security >>> sessions on a single rte flow" >>> >>> >>> Regards, >>> Akhil
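Review bot: the added paragraph in the doc comment for the SECURITY action (the `+ *` lines following "Multiple flows can be configured to use the same security session.") turns a previously invalid NULL session into a value that carries meaning, but it does not say how a PMD that cannot resolve the SA from the packet's SPI must respond; the cover text relies on rte_flow_validate() failing in that case, so the comment should state that contract explicitly, e.g. "PMDs that cannot look up the SA by SPI must reject a NULL session in rte_flow_validate()", otherwise a driver that assumes the session pointer is non-NULL has no documented reason to add the check before using it. The comment should also name where the SA is then resolved from (the SPI of the received ESP packet), since that is the whole mechanism the NULL value stands for. Finally, the closing sentence reads better as Akhil suggests: "The rule thus created can enable multiple security sessions on a single rte_flow", and "will be allowed to be a range" is clearer as "may match a range".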
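The thread contrasts two PMD models: one that needs a flow entry per security session (the ixgbe-style inline crypto case) and one whose hardware resolves the SA from the packet's SPI, so a single "conf=NULL, SPI=ANY" flow suffices and rte_flow_validate() decides which model applies. The following is an added, self-contained C model of that decision and of the capacity difference it produces; it is not code from the RFC, from DPDK or from any of the posters, uses no DPDK headers, and every `mock_*` name (types, functions, the table sizes `MOCK_MAX_FLOWS` and `MOCK_MAX_SAS`, the direct SPI-to-index mapping) is a hypothetical stand-in for the corresponding rte_flow / rte_security object.

```c
/* Added, self-contained model of the two PMD behaviours discussed above.
 * Not DPDK code: every mock_* name is hypothetical and stands in for the
 * corresponding rte_flow / rte_security object. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MOCK_MAX_FLOWS 4   /* constructed: small hardware flow table */
#define MOCK_MAX_SAS  16   /* constructed: SA table indexed directly by SPI */

enum mock_rc { MOCK_OK = 0, MOCK_EINVAL = -22, MOCK_ENOSPC = -28 };

/* Stand-in for an rte_security session: one SA, keyed by its SPI. */
struct mock_session { uint32_t spi; bool valid; };

/* Stand-in for the ESP flow item; spi_mask == 0 means "any SPI" (a range). */
struct mock_esp_item { uint32_t spi; uint32_t spi_mask; };

/* Stand-in for rte_flow_action_security; the RFC allows session == NULL. */
struct mock_security_action { struct mock_session *session; };

/* A PMD: whether its hardware can resolve the SA from the packet SPI. */
struct mock_pmd {
    bool sa_lookup_by_spi;
    struct mock_session sa_table[MOCK_MAX_SAS];
    unsigned int nb_flows;
};

/* Model of rte_flow_validate(): a NULL session must be an explicit decision,
 * never a dereference. Only a PMD that resolves SAs by SPI may accept it. */
int mock_flow_validate(const struct mock_pmd *pmd, const struct mock_esp_item *esp,
                       const struct mock_security_action *act)
{
    if (act->session == NULL)
        return pmd->sa_lookup_by_spi ? MOCK_OK : MOCK_EINVAL;
    /* Per-session flow (the ixgbe-style model): exact SPI that matches the SA. */
    if (esp->spi_mask != 0xFFFFFFFFu || esp->spi != act->session->spi)
        return MOCK_EINVAL;
    return MOCK_OK;
}

/* Model of rte_flow_create(): each accepted flow consumes a hardware entry. */
int mock_flow_create(struct mock_pmd *pmd, const struct mock_esp_item *esp,
                     const struct mock_security_action *act)
{
    int rc = mock_flow_validate(pmd, esp, act);
    if (rc != MOCK_OK)
        return rc;
    if (pmd->nb_flows >= MOCK_MAX_FLOWS)
        return MOCK_ENOSPC;
    pmd->nb_flows++;
    return MOCK_OK;
}

/* Model of session creation: the SA lands in the table; no flow entry is spent. */
int mock_session_create(struct mock_pmd *pmd, uint32_t spi)
{
    if (spi >= MOCK_MAX_SAS)
        return MOCK_EINVAL;
    pmd->sa_table[spi].spi = spi;
    pmd->sa_table[spi].valid = true;
    return MOCK_OK;
}

/* Data path of the SPI-lookup PMD: the SPI comes from the wire, so bound the
 * index and reject SPIs with no installed SA instead of trusting the packet. */
const struct mock_session *mock_lookup_sa(const struct mock_pmd *pmd, uint32_t pkt_spi)
{
    if (pkt_spi >= MOCK_MAX_SAS || !pmd->sa_table[pkt_spi].valid)
        return NULL;
    return &pmd->sa_table[pkt_spi];
}

/* What rte_flow_validate() would answer for the "conf=NULL, SPI=ANY" flow. */
int mock_null_session_rc(bool sa_lookup_by_spi)
{
    struct mock_pmd pmd = { .sa_lookup_by_spi = sa_lookup_by_spi };
    struct mock_esp_item any = { .spi = 0, .spi_mask = 0 };
    struct mock_security_action act = { .session = NULL };
    return mock_flow_validate(&pmd, &any, &act);
}

/* How many of `want` SAs each model can bring into service: the catch-all flow
 * is tried first (as ipsec-secgw would), falling back to one flow per SA. */
unsigned int mock_count_usable_sas(bool sa_lookup_by_spi, unsigned int want)
{
    struct mock_pmd pmd = { .sa_lookup_by_spi = sa_lookup_by_spi };
    struct mock_esp_item any = { .spi = 0, .spi_mask = 0 };
    struct mock_security_action null_act = { .session = NULL };
    bool catch_all = mock_flow_create(&pmd, &any, &null_act) == MOCK_OK;
    unsigned int ok = 0;

    for (uint32_t spi = 0; spi < want; spi++) {
        if (mock_session_create(&pmd, spi) != MOCK_OK)
            break;
        if (!catch_all) {
            struct mock_esp_item exact = { .spi = spi, .spi_mask = 0xFFFFFFFFu };
            struct mock_security_action act = { .session = &pmd.sa_table[spi] };
            if (mock_flow_create(&pmd, &exact, &act) != MOCK_OK)
                break;
        }
        ok++;
    }
    return ok;
}

int main(void)
{
    printf("per-session flows : %u usable SAs\n", mock_count_usable_sas(false, 10));
    printf("SPI-lookup PMD    : %u usable SAs\n", mock_count_usable_sas(true, 10));
    return 0;
}
```

The point the model makes is the one the review of the hunk turns on: once a NULL session is a legal value, `mock_flow_validate()` has to treat it as a capability query and reject it on a PMD without SPI-based lookup, and the data-path lookup has to bound-check the SPI taken from the wire, because the flow rule no longer pins a single SPI. With the constructed sizes, the per-session model stops at the four flow entries while the SPI-lookup model installs every SA up to the SA table size.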