From: Kevin Traynor <email@example.com>
To: Mariusz Drost <firstname.lastname@example.org>, email@example.com, firstname.lastname@example.org, email@example.com
Cc: firstname.lastname@example.org
Subject: Re: [dpdk-stable] [PATCH 18.11] examples/ipsec-secgw: fix inline modes
Date: Tue, 10 Sep 2019 11:19:03 +0100
Message-ID: <email@example.com>
In-Reply-To: <firstname.lastname@example.org>

On 10/09/2019 10:32, Mariusz Drost wrote:
> [ upstream commit b1a3ac782d6020e6877e97a067613bbb2b8564b1 ]
>
> Application ipsec-secgw is not working for IPv4 transport mode and for
> IPv6 both transport and tunnel mode.
>
> IPv6 tunnel mode is not working due to wrongly assigned fields of
> security association patterns, as it was IPv4, during creation of
> inline crypto session.
>
> IPv6 and IPv4 transport mode is iterating through security capabilities
> until it reaches tunnel, which causes session to be created as tunnel,
> instead of transport. Another issue, is that config file does not
> provide source and destination ip addresses for transport mode, which
> are required by NIC to perform inline crypto. It uses default addresses
> stored in security association (all zeroes), which causes dropped
> packages.
>
> To fix that, reorganization of code in create_session() is needed,
> to behave appropriately to given protocol (IPv6/IPv4). Change in
> iteration through security capabilities is also required, to check
> for expected mode (not only tunnel).
>
> For lack of addresses issue, some resolving mechanism is needed.
> Approach is to store addresses in security association, as it is
> for tunnel mode. Difference is that they are obtained from sp rules,
> instead of config file. To do that, sp[4/6]_spi_present() function
> is used to find addresses based on spi value, and then stored in
> corresponding sa rule. This approach assumes, that every sp rule
> for inline crypto have valid addresses, as well as range of addresses
> is not supported.
>
> New flags for ipsec_sa structure are required to distinguish between
> IPv4 and IPv6 transport modes. Because of that, there is need to
> change all checks done on these flags, so they work as expected.
>
> Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload")
> Fixes: 9a0752f498d2 ("net/ixgbe: enable inline IPsec")
>
> Signed-off-by: Mariusz Drost <email@example.com>
> ---

Thanks, added to the queued commits.
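
A simplified model of the capability scan described in the quoted commit message, added here as an example; it is not part of the message or of the DPDK sources. The enum and struct names, the `session_mode_old`/`session_mode_new` helpers and the capability tables are hypothetical and constructed for illustration.

```c
#include <stdio.h>

/* Hypothetical stand-ins for this example; not the DPDK rte_security types. */
enum action { ACT_NONE, ACT_INLINE_CRYPTO };
enum mode { MODE_TRANSPORT = 1, MODE_TUNNEL = 2 };
enum dir { DIR_EGRESS, DIR_INGRESS };
struct sec_cap { enum action action; enum mode mode; enum dir dir; };

/* Constructed capability tables, each terminated by an ACT_NONE entry. */
static const struct sec_cap caps_full[] = {
    { ACT_INLINE_CRYPTO, MODE_TUNNEL,    DIR_EGRESS  },
    { ACT_INLINE_CRYPTO, MODE_TUNNEL,    DIR_INGRESS },
    { ACT_INLINE_CRYPTO, MODE_TRANSPORT, DIR_EGRESS  },
    { ACT_INLINE_CRYPTO, MODE_TRANSPORT, DIR_INGRESS },
    { ACT_NONE,          MODE_TRANSPORT, DIR_EGRESS  },
};
static const struct sec_cap caps_tunnel_only[] = {
    { ACT_INLINE_CRYPTO, MODE_TUNNEL,    DIR_EGRESS  },
    { ACT_INLINE_CRYPTO, MODE_TUNNEL,    DIR_INGRESS },
    { ACT_NONE,          MODE_TRANSPORT, DIR_EGRESS  },
};

/* Old behaviour: scan until a tunnel capability is found, whatever the SA
 * asked for. Returns the mode the session ends up with, or -1 if none. */
static int session_mode_old(const struct sec_cap *c, enum mode wanted, enum dir d)
{
    (void)wanted; /* the SA's own mode never enters the comparison */
    for (; c->action != ACT_NONE; c++)
        if (c->action == ACT_INLINE_CRYPTO && c->mode == MODE_TUNNEL && c->dir == d)
            return (int)c->mode;
    return -1;
}

/* Fixed behaviour: match the expected mode, so a device that lacks it is
 * rejected instead of silently getting a tunnel session. */
static int session_mode_new(const struct sec_cap *c, enum mode wanted, enum dir d)
{
    for (; c->action != ACT_NONE; c++)
        if (c->action == ACT_INLINE_CRYPTO && c->mode == wanted && c->dir == d)
            return (int)c->mode;
    return -1;
}

int main(void)
{
    printf("old scan, transport SA:  %d\n", session_mode_old(caps_full, MODE_TRANSPORT, DIR_EGRESS));
    printf("new scan, transport SA:  %d\n", session_mode_new(caps_full, MODE_TRANSPORT, DIR_EGRESS));
    printf("new scan, no transport:  %d\n", session_mode_new(caps_tunnel_only, MODE_TRANSPORT, DIR_INGRESS));
    return 0;
}
```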
Thread overview: 3+ messages
2019-09-10  9:32 Mariusz Drost
2019-09-10 10:19 ` Kevin Traynor [this message]
2019-09-10 10:32 ` Ananyev, Konstantin