From: "Nicolau, Radu" <radu.nicolau@intel.com>
To: Anoob Joseph <ajoseph@caviumnetworks.com>,
Anoob Joseph <anoob.joseph@cavium.com>,
Akhil Goyal <akhil.goyal@nxp.com>,
"Doherty, Declan" <declan.doherty@intel.com>,
"Gonzalez Monroy, Sergio" <sergio.gonzalez.monroy@intel.com>
Cc: "narayanaprasad.athreya@cavium.com"
<narayanaprasad.athreya@cavium.com>,
"jerin.jacobkollanukkaran@cavium.com"
<jerin.jacobkollanukkaran@cavium.com>,
"dev@dpdk.org" <dev@dpdk.org>
Subject: Re: [dpdk-dev] [PATCH] examples/ipsec-secgw: fix usage of incorrect port
Date: Tue, 14 Nov 2017 12:01:05 +0000 [thread overview]
Message-ID: <763A2F19A5EFF34F8B7F1657C992EE297B2F892D@IRSMSX104.ger.corp.intel.com> (raw)
In-Reply-To: <b953c406-81af-8584-afdc-87554f029bdf@caviumnetworks.com>
Hi,
Please send a v2 with the doc update that describes the new behavior and I will ack it.
Regards,
Radu
> -----Original Message-----
> From: Anoob Joseph [mailto:ajoseph@caviumnetworks.com]
> Sent: Monday, November 13, 2017 7:25 PM
> To: Nicolau, Radu <radu.nicolau@intel.com>; Anoob Joseph
> <anoob.joseph@cavium.com>; Akhil Goyal <akhil.goyal@nxp.com>;
> Doherty, Declan <declan.doherty@intel.com>; Gonzalez Monroy, Sergio
> <sergio.gonzalez.monroy@intel.com>
> Cc: narayanaprasad.athreya@cavium.com;
> jerin.jacobkollanukkaran@cavium.com; dev@dpdk.org
> Subject: Re: [PATCH] examples/ipsec-secgw: fix usage of incorrect port
>
> Hi,
>
> Comments below
>
>
> On 13-11-2017 22:53, Radu Nicolau wrote:
> > Hi,
> >
> > Comments below
> >
> > On 11/13/2017 4:13 PM, Anoob Joseph wrote:
> >> When security offload is enabled, the packet should be forwarded on
> >> the port configured in the SA. Security session will be configured on
> >> that port only, and sending the packet on other ports could result in
> >> unencrypted packets being sent out.
> > With a properly configured SP, SA and routing rule this will not
> > happen, so we don't need to do this fix to make up for a wrongly
> > written configuration file.
> > I'm almost sure that the app will behave in the same way (i.e. forward
> > unencrypted) for lookaside crypto if the configuration is incorrect.
> The lookaside crypto will ensure encryption, even if the LPM port is different.
> >>
> >> This would have performance improvements too, as the per packet LPM
> >> lookup would be avoided for IPsec packets, in inline mode.
> > Yes, there will be some performance gain, but not sure how much
> > considering that LPM lookup is reasonably fast.
> The 2nd lookup is significant for inline protocol for which I plan to submit
> some patches. In case of inline protocol, the packet need not have final
> headers by the time it is submitted to the ethernet driver.
> For example, in case of ESP in tunnel mode, tunnel IPs from the SA need to
> be used for LPM lookup. So all such cases(tunnel/transport, ipv4 tunnel in
> ipv6 and vice versa etc) need to be valuated and the final addresses need to
> be determined before an LPM lookup can be done, which adds significant
> overhead per packet.
> >
> > So I'm not sure if ack or nack, maybe Sergio can give a second opinion.
> > But if ack, you will have to update the patch to include in the doc
> > this behavior, the port configured in the SA takes precedence over the
> > one in the routing rule.
> >
> > Regards,
> > Radu
>
> Thanks,
> Anoob
next prev parent reply other threads:[~2017-11-14 12:01 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-13 16:13 Anoob Joseph
2017-11-13 17:23 ` Radu Nicolau
2017-11-13 19:24 ` Anoob Joseph
2017-11-14 12:01 ` Nicolau, Radu [this message]
2017-11-14 15:37 ` [dpdk-dev] [PATCH v2] " Anoob Joseph
2017-11-14 16:16 ` Radu Nicolau
2017-11-15 9:41 ` [dpdk-dev] [PATCH v3] " Anoob Joseph
2017-11-24 9:28 ` Akhil Goyal
2017-11-24 9:58 ` Anoob
2017-11-24 10:49 ` Akhil Goyal
2017-11-29 4:21 ` Anoob Joseph
2017-12-04 7:49 ` Akhil Goyal
2017-12-06 11:08 ` Anoob
2017-12-11 10:26 ` Radu Nicolau
2017-12-11 10:38 ` Anoob Joseph
2017-12-11 15:35 ` [dpdk-dev] [PATCH v4] " Anoob Joseph
2017-12-12 6:54 ` Anoob Joseph
2017-12-12 7:34 ` Akhil Goyal
2017-12-12 8:32 ` [dpdk-dev] [PATCH v5] " Anoob Joseph
2017-12-12 11:27 ` Radu Nicolau
2017-12-14 9:01 ` De Lara Guarch, Pablo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=763A2F19A5EFF34F8B7F1657C992EE297B2F892D@IRSMSX104.ger.corp.intel.com \
--to=radu.nicolau@intel.com \
--cc=ajoseph@caviumnetworks.com \
--cc=akhil.goyal@nxp.com \
--cc=anoob.joseph@cavium.com \
--cc=declan.doherty@intel.com \
--cc=dev@dpdk.org \
--cc=jerin.jacobkollanukkaran@cavium.com \
--cc=narayanaprasad.athreya@cavium.com \
--cc=sergio.gonzalez.monroy@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).