From: Kevin Traynor
To: Mariusz Drost, radu.nicolau@intel.com, akhil.goyal@nxp.com, konstantin.ananyev@intel.com
Cc: stable@dpdk.org
Date: Tue, 10 Sep 2019 11:19:03 +0100
Subject: Re: [dpdk-stable] [PATCH 18.11] examples/ipsec-secgw: fix inline modes
Message-ID: <38d128d1-b6d8-cc06-9fd6-6516200b1705@redhat.com>
In-Reply-To: <20190910093240.16448-1-mariuszx.drost@intel.com>

On 10/09/2019 10:32, Mariusz Drost wrote:
> [ upstream commit b1a3ac782d6020e6877e97a067613bbb2b8564b1 ]
>
> Application ipsec-secgw is not working for IPv4 transport mode and for
> IPv6 both transport and tunnel mode.
>
> IPv6 tunnel mode is not working due to wrongly assigned fields of
> security association patterns, as it was IPv4, during creation of
> inline crypto session.
>
> IPv6 and IPv4 transport mode is iterating through security capabilities
> until it reaches tunnel, which causes session to be created as tunnel,
> instead of transport. Another issue, is that config file does not
> provide source and destination ip addresses for transport mode, which
> are required by NIC to perform inline crypto. It uses default addresses
> stored in security association (all zeroes), which causes dropped
> packages.
>
> To fix that, reorganization of code in create_session() is needed,
> to behave appropriately to given protocol (IPv6/IPv4). Change in
> iteration through security capabilities is also required, to check
> for expected mode (not only tunnel).
>
> For lack of addresses issue, some resolving mechanism is needed.
> Approach is to store addresses in security association, as it is
> for tunnel mode. Difference is that they are obtained from sp rules,
> instead of config file. To do that, sp[4/6]_spi_present() function
> is used to find addresses based on spi value, and then stored in
> corresponding sa rule. This approach assumes, that every sp rule
> for inline crypto have valid addresses, as well as range of addresses
> is not supported.
>
> New flags for ipsec_sa structure are required to distinguish between
> IPv4 and IPv6 transport modes. Because of that, there is need to
> change all checks done on these flags, so they work as expected.
>
> Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload")
> Fixes: 9a0752f498d2 ("net/ixgbe: enable inline IPsec")
>
> Signed-off-by: Mariusz Drost
> ---

Thanks, added to the queued commits.
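
The capability-matching change described in the quoted commit message, as an added C sketch that is not part of the patch or of DPDK's code. The enum, struct and function names are simplified stand-ins assumed for illustration, and the capability list is constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for a security capability entry (assumed names,
 * not DPDK's rte_security definitions). */
enum sa_mode { MODE_END = 0, MODE_TRANSPORT, MODE_TUNNEL };
enum sa_dir  { DIR_EGRESS, DIR_INGRESS };

struct sec_cap {
    enum sa_mode mode;   /* MODE_END terminates the list */
    enum sa_dir  dir;
};

/* Behaviour the commit message reports as broken: the search stops only on
 * a tunnel capability, so a transport SA gets a tunnel session. */
static const struct sec_cap *
find_cap_tunnel_only(const struct sec_cap *caps, enum sa_dir dir)
{
    for (; caps->mode != MODE_END; caps++)
        if (caps->mode == MODE_TUNNEL && caps->dir == dir)
            return caps;
    return NULL;
}

/* Corrected search: match the mode the SA was configured with. NULL means
 * the port lacks that mode and the caller must not create the session. */
static const struct sec_cap *
find_cap(const struct sec_cap *caps, enum sa_mode want, enum sa_dir dir)
{
    for (; caps->mode != MODE_END; caps++)
        if (caps->mode == want && caps->dir == dir)
            return caps;
    return NULL;
}

/* Constructed capability list for a hypothetical inline-crypto port. */
static const struct sec_cap sample_caps[] = {
    { MODE_TUNNEL, DIR_INGRESS },
    { MODE_TUNNEL, DIR_EGRESS },
    { MODE_TRANSPORT, DIR_EGRESS },
    { MODE_END, DIR_EGRESS },
};

int main(void)
{
    const struct sec_cap *old = find_cap_tunnel_only(sample_caps, DIR_EGRESS);
    const struct sec_cap *fix = find_cap(sample_caps, MODE_TRANSPORT, DIR_EGRESS);
    printf("transport SA, old search picks mode %d, fixed search picks mode %d\n",
           old ? (int)old->mode : -1, fix ? (int)fix->mode : -1);
    return 0;
}
```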