From: "Ananyev, Konstantin"
To: "Drost, MariuszX", "Nicolau, Radu", "akhil.goyal@nxp.com"
CC: "stable@dpdk.org"
Date: Tue, 10 Sep 2019 10:32:53 +0000
Message-ID: <2601191342CEEE43887BDE71AB977258019196224B@irsmsx105.ger.corp.intel.com>
References: <20190910093240.16448-1-mariuszx.drost@intel.com>
In-Reply-To: <20190910093240.16448-1-mariuszx.drost@intel.com>
Subject: Re: [dpdk-stable] [PATCH 18.11] examples/ipsec-secgw: fix inline modes
List-Id: patches for DPDK stable branches

> -----Original Message-----
> From: Drost, MariuszX
> Sent: Tuesday, September 10, 2019 10:33 AM
> To: Nicolau, Radu; akhil.goyal@nxp.com; Ananyev, Konstantin
> Cc: stable@dpdk.org; Drost, MariuszX
> Subject: [PATCH 18.11] examples/ipsec-secgw: fix inline modes
>
> [ upstream commit b1a3ac782d6020e6877e97a067613bbb2b8564b1 ]
>
> Application ipsec-secgw is not working for IPv4 transport mode and for
> IPv6 both transport and tunnel mode.
>
> IPv6 tunnel mode is not working due to wrongly assigned fields of
> security association patterns, as it was IPv4, during creation of
> inline crypto session.
>
> IPv6 and IPv4 transport mode is iterating through security capabilities
> until it reaches tunnel, which causes session to be created as tunnel,
> instead of transport. Another issue, is that config file does not
> provide source and destination ip addresses for transport mode, which
> are required by NIC to perform inline crypto.
> It uses default addresses
> stored in security association (all zeroes), which causes dropped
> packages.
>
> To fix that, reorganization of code in create_session() is needed,
> to behave appropriately to given protocol (IPv6/IPv4). Change in
> iteration through security capabilities is also required, to check
> for expected mode (not only tunnel).
>
> For lack of addresses issue, some resolving mechanism is needed.
> Approach is to store addresses in security association, as it is
> for tunnel mode. Difference is that they are obtained from sp rules,
> instead of config file. To do that, sp[4/6]_spi_present() function
> is used to find addresses based on spi value, and then stored in
> corresponding sa rule. This approach assumes, that every sp rule
> for inline crypto have valid addresses, as well as range of addresses
> is not supported.
>
> New flags for ipsec_sa structure are required to distinguish between
> IPv4 and IPv6 transport modes. Because of that, there is need to
> change all checks done on these flags, so they work as expected.
>
> Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload")
> Fixes: 9a0752f498d2 ("net/ixgbe: enable inline IPsec")
>
> Signed-off-by: Mariusz Drost
> ---

Acked-by: Konstantin Ananyev

> 2.17.1
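
The two behaviours the commit message above describes, capability selection by the SA's expected mode and filling a transport SA's addresses from the SP rule with the same SPI, sketched as an added example; this is not code from the patch or from DPDK. All type and function names are hypothetical stand-ins, the sample data is constructed, only IPv4 is modelled, and rejecting all-zero addresses is an added check where the patch assumes valid rules.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified stand-ins (hypothetical), not DPDK's own types or names. */
enum cap_action { ACT_NONE = 0, ACT_INLINE_CRYPTO };
enum sa_mode { MODE_TRANSPORT, MODE_TUNNEL };
enum sa_dir { DIR_EGRESS, DIR_INGRESS };

struct sec_cap { enum cap_action action; enum sa_mode mode; enum sa_dir dir; };
struct sp_rule { uint32_t spi, src, dst; };          /* IPv4, host order */
struct sa { uint32_t spi, src, dst; enum sa_mode mode; enum sa_dir dir; };

/* Return the first inline-crypto capability matching the SA's own mode and
 * direction, or NULL. Comparing against MODE_TUNNEL only is the behaviour
 * the commit message describes as broken. The list ends at ACT_NONE. */
const struct sec_cap *find_cap(const struct sec_cap *caps, const struct sa *sa)
{
    for (; caps->action != ACT_NONE; caps++)
        if (caps->action == ACT_INLINE_CRYPTO &&
            caps->mode == sa->mode && caps->dir == sa->dir)
            return caps;
    return NULL;   /* caller should refuse to create the session */
}

/* Copy addresses into a transport SA from the SP rule with the same SPI.
 * Returns 0 on success, -1 if no rule matches or the rule carries all-zero
 * addresses (the default the message says leads to dropped traffic). */
int resolve_addrs(struct sa *sa, const struct sp_rule *sp, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (sp[i].spi != sa->spi)
            continue;
        if (sp[i].src == 0 || sp[i].dst == 0)
            return -1;
        sa->src = sp[i].src;
        sa->dst = sp[i].dst;
        return 0;
    }
    return -1;
}

/* Constructed sample data. */
const struct sec_cap sample_caps[] = {
    { ACT_INLINE_CRYPTO, MODE_TUNNEL, DIR_EGRESS },
    { ACT_INLINE_CRYPTO, MODE_TRANSPORT, DIR_EGRESS },
    { ACT_NONE, MODE_TRANSPORT, DIR_EGRESS },        /* terminator */
};
const struct sp_rule sample_sp[] = {
    { 5, 0xC0A80101u, 0xC0A80201u },   /* 192.168.1.1 -> 192.168.2.1 */
    { 6, 0, 0 },                        /* rule without addresses */
};
```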