From: Akhil Goyal <akhil.goyal@nxp.com>
To: Mariusz Drost <mariuszx.drost@intel.com>, "dev@dpdk.org" <dev@dpdk.org>
Cc: Konstantin Ananyev <konstantin.ananyev@intel.com>
Subject: Re: [dpdk-dev] [PATCH v2 2/2] examples/ipsec-secgw: fix not working inline ipsec modes
Date: Mon, 1 Jul 2019 11:38:33 +0000 [thread overview]
Message-ID: <VE1PR04MB66393C45BE6090CFDCA8A69AE6F90@VE1PR04MB6639.eurprd04.prod.outlook.com> (raw)
In-Reply-To: <20190626132617.10576-3-mariuszx.drost@intel.com>
>
> Application ipsec-secgw is not working for IPv4 transport mode and for
> IPv6 both transport and tunnel mode.
>
> IPv6 tunnel mode is not working due to wrongly assigned fields of
> security association patterns, as it was IPv4, during creation of
> inline crypto session.
>
> IPv6 and IPv4 transport mode is iterating through security capabilities
> until it reaches tunnel, which causes session to be created as tunnel,
> instead of transport. Another issue, is that config file does not
> provide source and destination ip addresses for transport mode, which
> are required by NIC to perform inline crypto. It uses default addresses
> stored in security association (all zeroes), which causes dropped
> packages.
>
> To fix that, reorganization of code in create_session() is needed,
> to behave appropriately to given protocol (IPv6/IPv4). Change in
> iteration through security capabilities is also required, to check
> for expected mode (not only tunnel).
>
> For lack of addresses issue, some resolving mechanism is needed.
> Approach is to store addresses in security association, as it is
> for tunnel mode. Difference is that they are obtained from sp rules,
> instead of config file. To do that, sp[4/6]_spi_present() function
> is used to find addresses based on spi value, and then stored in
> corresponding sa rule. This approach assumes, that every sp rule
> for inline crypto have valid addresses, as well as range of addresses
> is not supported.
>
> New flags for ipsec_sa structure are required to distinguish between
> IPv4 and IPv6 transport modes. Because of that, there is need to
> change all checks done on these flags, so they work as expected.
>
> Fixes: ec17993a145a ("examples/ipsec-secgw: support security offload")
> Fixes: 9a0752f498d2 ("net/ixgbe: enable inline IPsec")
>
> Signed-off-by: Mariusz Drost <mariuszx.drost@intel.com>
> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
> Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
> ---
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
next prev parent reply other threads:[~2019-07-01 11:38 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <–20190604100644.13724-1-mariuszx.drost@intel.com>
2019-06-26 13:26 ` [dpdk-dev] [PATCH v2 0/2] fixes for inline-crypto ipsec Mariusz Drost
2019-06-26 13:26 ` [dpdk-dev] [PATCH v2 1/2] net/ixgbe: fix lack of ip type for crypto session Mariusz Drost
2019-06-26 13:26 ` [dpdk-dev] [PATCH v2 2/2] examples/ipsec-secgw: fix not working inline ipsec modes Mariusz Drost
2019-07-01 11:38 ` Akhil Goyal [this message]
2019-07-01 11:39 ` [dpdk-dev] [PATCH v2 0/2] fixes for inline-crypto ipsec Akhil Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=VE1PR04MB66393C45BE6090CFDCA8A69AE6F90@VE1PR04MB6639.eurprd04.prod.outlook.com \
--to=akhil.goyal@nxp.com \
--cc=dev@dpdk.org \
--cc=konstantin.ananyev@intel.com \
--cc=mariuszx.drost@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).