From: Anoob Joseph <anoob.joseph@caviumnetworks.com>
To: "Nicolau, Radu" <radu.nicolau@intel.com>,
Akhil Goyal <akhil.goyal@nxp.com>
Cc: anoob.joseph@caviumnetworks.com, "Doherty,
Declan" <declan.doherty@intel.com>,
"Gonzalez Monroy, Sergio" <sergio.gonzalez.monroy@intel.com>,
Jerin Jacob <jerin.jacob@caviumnetworks.com>,
Narayana Prasad <narayanaprasad.athreya@caviumnetworks.com>,
Nelio Laranjeiro <nelio.laranjeiro@6wind.com>,
"dev@dpdk.org" <dev@dpdk.org>
Subject: Re: [dpdk-dev] [RFC 0/3] set protocol specific metadata using set_pkt_metadata API
Date: Mon, 29 Jan 2018 23:31:28 +0530 [thread overview]
Message-ID: <b63bccd3-9136-55c0-3417-943f68610e9b@caviumnetworks.com> (raw)
In-Reply-To: <763A2F19A5EFF34F8B7F1657C992EE297B320AA5@IRSMSX104.ger.corp.intel.com>
Hi Radu,
On 01/29/2018 03:31 PM, Nicolau, Radu wrote:
>
>> -----Original Message-----
>> From: Anoob Joseph [mailto:anoob.joseph@caviumnetworks.com]
>> Sent: Monday, January 29, 2018 8:04 AM
>> To: Akhil Goyal <akhil.goyal@nxp.com>; Nicolau, Radu
>> <radu.nicolau@intel.com>
>> Cc: anoob.joseph@caviumnetworks.com; Doherty, Declan
>> <declan.doherty@intel.com>; Gonzalez Monroy, Sergio
>> <sergio.gonzalez.monroy@intel.com>; Jerin Jacob
>> <jerin.jacob@caviumnetworks.com>; Narayana Prasad
>> <narayanaprasad.athreya@caviumnetworks.com>; Nelio Laranjeiro
>> <nelio.laranjeiro@6wind.com>; dev@dpdk.org
>> Subject: Re: [RFC 0/3] set protocol specific metadata using set_pkt_metadata
>> API
>>
>> Hi Akhil, Radu,
>>
>>
>> On 01/29/2018 01:02 PM, Akhil Goyal wrote:
>>> On 1/26/2018 8:38 PM, Nicolau, Radu wrote:
>>>>
>>>>> -----Original Message-----
>>>>> From: Anoob Joseph [mailto:anoob.joseph@caviumnetworks.com]
>>>>> Sent: Friday, January 26, 2018 2:38 PM
>>>>> To: Nicolau, Radu <radu.nicolau@intel.com>; Akhil Goyal
>>>>> <akhil.goyal@nxp.com>
>>>>> Cc: anoob.joseph@caviumnetworks.com; Doherty, Declan
>>>>> <declan.doherty@intel.com>; Gonzalez Monroy, Sergio
>>>>> <sergio.gonzalez.monroy@intel.com>; Jerin Jacob
>>>>> <jerin.jacob@caviumnetworks.com>; Narayana Prasad
>>>>> <narayanaprasad.athreya@caviumnetworks.com>; Nelio Laranjeiro
>>>>> <nelio.laranjeiro@6wind.com>; dev@dpdk.org
>>>>> Subject: Re: [RFC 0/3] set protocol specific metadata using
>>>>> set_pkt_metadata API
>>>>>
>>>>> Hi Radu,
>>>>>
>>>>> On 01/26/2018 04:52 PM, Nicolau, Radu wrote:
>>>>>>> -----Original Message-----
>>>>>>> From: Anoob Joseph [mailto:anoob.joseph@caviumnetworks.com]
>>>>>>> Sent: Thursday, January 25, 2018 5:13 PM
>>>>>>> To: Akhil Goyal <akhil.goyal@nxp.com>; Nicolau, Radu
>>>>>>> <radu.nicolau@intel.com>
>>>>>>> Cc: Doherty, Declan <declan.doherty@intel.com>; Gonzalez Monroy,
>>>>>>> Sergio <sergio.gonzalez.monroy@intel.com>;
>>>>>>> anoob.joseph@caviumnetworks.com; Jerin Jacob
>>>>>>> <jerin.jacob@caviumnetworks.com>; Narayana Prasad
>>>>>>> <narayanaprasad.athreya@caviumnetworks.com>; Nelio Laranjeiro
>>>>>>> <nelio.laranjeiro@6wind.com>; dev@dpdk.org
>>>>>>> Subject: Re: [RFC 0/3] set protocol specific metadata using
>>>>>>> set_pkt_metadata API
>>>>>>>
>>>>>>> Hi Akhil, Radu,
>>>>>>>
>>>>>>> Could you review the patch and share your thoughts on the proposed
>>>>>>> change?
>>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I've had a quick look. From what I can see you can do everything
>>>>>> you do in
>>>>> this patch with the current API. For example you can store an
>>>>> internal struct pointer in the private section of the security
>>>>> context and you can increment the ESP SN with every tx or set
>>>>> metadata call.
>>>>> With the current API, PMD could store the ESN with the security
>>>>> session, but there is no means for the application to read this.
>>>>> Application should be aware of the sequence number used per packet.
>>>>> This is required to monitor sequence number overflow.In the
>>>>> proposal, the sequence number field is IN-OUT. So application could
>>>>> either dictate the sequence number, or read the value from the PMD.
>>>>>
>>>>> Thanks,
>>>>> Anoob
>>>> My concern is that we are adding too much and too specific to the
>>>> security API.
>>>> Overflow situation can be monitored with a tx callback event or a
>>>> crypto callback event, depending on the device type.
>>>>
>>> Agreed with Radu, this looks too specific information.
>>> Instead, we can do overflow checking in the driver and add a macro in
>>> rte_crypto_op_status for overflow.
>> We could do the callback when sequence number over flow happens, and
>> IPsec processing fails subsequently. But ideally, application should be able to
>> detect that the sequence number is about to over flow and renegotiate the
>> SA while the original SA is still valid. I agree that we would be better off by
>> handling this in the driver. But application would need some sort of event
>> which would say, "sequence number is about to overflow, renegotiate SA",
>> before the current SA becomes invalid.
>>
>> Do we have any mechanism to register a callback (acting on mbuf), when a
>> particular event occurs (without dropping the mbuf)? If yes, we could move
>> to that approach.
>>
>> rte_crypto_op_status could be leveraged for lookaside_protocol, but can we
>> do something similar for inline protocol? Thoughts?
> You can look at rx/tx callbacks (http://dpdk.org/doc/api/examples_2rxtx_callbacks_2main_8c-example.html#a26) but probably events are more suitable: http://dpdk.org/doc/api/rte__ethdev_8h.html#ac0bef2920a6ade4041cab5103f4700d9 There is already a "RTE_ETH_EVENT_MACSEC MACsec offload related event" so you can add a security related event.
Rx/tx callbacks would be either for all packets or for packets which
encountered error. Neither is our case. So rx/tx callbacks might not fit
in our model.
I need to attempt the implementation with events to see if that will
solve the issue. The implementation could be a bit complex as
"eth_event" is mostly to control the state of ports, rather than acting
on packets. In that case, PMD could return a security session in the
callback argument, and the application would be required to find out the
SA from the security session. I'll give this a shot and see if this can
solve the problem.
Thanks,
Anoob
prev parent reply other threads:[~2018-01-29 18:01 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-22 13:11 Anoob Joseph
2018-01-22 13:11 ` [dpdk-dev] [RFC 1/3] lib/security: set/retrieve per packet protocol metadata Anoob Joseph
2018-01-22 13:11 ` [dpdk-dev] [RFC 2/3] net/ixgbe: use structure for passing metadata Anoob Joseph
2018-01-22 13:11 ` [dpdk-dev] [RFC 3/3] examples/ipsec-secgw: support for setting seq no Anoob Joseph
2018-01-25 17:13 ` [dpdk-dev] [RFC 0/3] set protocol specific metadata using set_pkt_metadata API Anoob Joseph
2018-01-26 11:22 ` Nicolau, Radu
2018-01-26 14:38 ` Anoob Joseph
2018-01-26 15:08 ` Nicolau, Radu
2018-01-29 7:32 ` Akhil Goyal
2018-01-29 8:03 ` Anoob Joseph
2018-01-29 9:08 ` Akhil Goyal
2018-01-29 11:44 ` Anoob Joseph
2018-01-29 10:01 ` Nicolau, Radu
2018-01-29 18:01 ` Anoob Joseph [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b63bccd3-9136-55c0-3417-943f68610e9b@caviumnetworks.com \
--to=anoob.joseph@caviumnetworks.com \
--cc=akhil.goyal@nxp.com \
--cc=declan.doherty@intel.com \
--cc=dev@dpdk.org \
--cc=jerin.jacob@caviumnetworks.com \
--cc=narayanaprasad.athreya@caviumnetworks.com \
--cc=nelio.laranjeiro@6wind.com \
--cc=radu.nicolau@intel.com \
--cc=sergio.gonzalez.monroy@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).