DPDK patches and discussions
From: Akhil Goyal <akhil.goyal@nxp.com>
To: Anoob Joseph <Anoob.Joseph@caviumnetworks.com>,
	Declan Doherty <declan.doherty@intel.com>,
	Radu Nicolau <radu.nicolau@intel.com>
Cc: Jerin Jacob <jerin.jacob@caviumnetworks.com>,
	Narayana Prasad <narayanaprasad.athreya@caviumnetworks.com>,
	Nelio Laranjeiro <nelio.laranjeiro@6wind.com>,
	dev@dpdk.org
Subject: Re: [dpdk-dev] [PATCH v2 4/5] examples/ipsec-secgw: handle ESN soft limit event
Date: Wed, 21 Mar 2018 13:00:52 +0530
Message-ID: <c5eeeb00-d209-eb64-48f7-6f833214699c@nxp.com>
In-Reply-To: <8e5ecbf8-d739-d6ee-1de5-49eaea2ebf1a@caviumnetworks.com>

Hi Anoob,

On 3/21/2018 10:50 AM, Anoob Joseph wrote:
> Hi Akhil,
> 
> If you are fine with the existing code, I'll send a revised patchset 
> incorporating the comment change you had suggested for 3rd patch. Shall 
> I proceed?
> 
> Thanks,
> Anoob
> 

Yes, you can send the patchset with the existing code.
BTW, we are open to an approach to add SA rediscovery in the application 
in the future.

Thanks,
Akhil

> On 14/03/18 11:36, Anoob Joseph wrote:
>> Hi Akhil,
>>
>> Please see inline.
>>
>> Thanks,
>> Anoob
>>
>> On 13/03/18 17:54, Akhil Goyal wrote:
>>> Hi Anoob,
>>>
>>> On 3/1/2018 2:51 PM, Anoob Joseph wrote:
>>>> For inline protocol processing, the PMD/device is required to maintain
>>>> the ESN. But the application is required to monitor ESN overflow to
>>>> initiate SA expiry.
>>>>
>>>> For such cases, application would set the ESN soft limit. An IPsec event
>>>> would be raised by rte_eth_event framework, when ESN hits the soft limit
>>>> set by the application.
>>>>
>>>> Signed-off-by: Anoob Joseph <anoob.joseph@caviumnetworks.com>
>>>> ---
>>>> v2:
>>>> * No change
>>>>
>>>>   examples/ipsec-secgw/ipsec-secgw.c | 56 ++++++++++++++++++++++++++++++++++++++
>>>>   examples/ipsec-secgw/ipsec.c       | 10 +++++--
>>>>   examples/ipsec-secgw/ipsec.h       |  2 ++
>>>>   3 files changed, 65 insertions(+), 3 deletions(-)
>>>>
>>>> diff --git a/examples/ipsec-secgw/ipsec-secgw.c 
>>>> b/examples/ipsec-secgw/ipsec-secgw.c
>>>> index 3a8562e..5726fd3 100644
>>>> --- a/examples/ipsec-secgw/ipsec-secgw.c
>>>> +++ b/examples/ipsec-secgw/ipsec-secgw.c
>>>> @@ -40,6 +40,7 @@
>>>>   #include <rte_hash.h>
>>>>   #include <rte_jhash.h>
>>>>   #include <rte_cryptodev.h>
>>>> +#include <rte_security.h>
>>>>     #include "ipsec.h"
>>>>   #include "parser.h"
>>>> @@ -1640,6 +1641,58 @@ pool_init(struct socket_ctx *ctx, int32_t 
>>>> socket_id, uint32_t nb_mbuf)
>>>>           printf("Allocated mbuf pool on socket %d\n", socket_id);
>>>>   }
>>>>   +static inline int
>>>> +inline_ipsec_event_esn_overflow(struct rte_security_ctx *ctx, 
>>>> uint64_t md)
>>>> +{
>>>> +    struct ipsec_sa *sa;
>>>> +
>>>> +    /* For inline protocol processing, the metadata in the event will
>>>> +     * uniquely identify the security session which raised the event.
>>>> +     * Application would then need the userdata it had registered 
>>>> with the
>>>> +     * security session to process the event.
>>>> +     */
>>>> +
>>>> +    sa = (struct ipsec_sa *)rte_security_get_userdata(ctx, md);
>>>> +
>>>> +    if (sa == NULL) {
>>>> +        /* userdata could not be retrieved */
>>>> +        return -1;
>>>> +    }
>>>> +
>>>> +    /* Sequence number over flow. SA need to be re-established */
>>>
>>>
>>> With this patchset, application will be able to get notification if 
>>> the error has occurred. But it is not re-configuring the SA.
>>> Do you intend to add the same?
>> Ideally the application should initiate an SA renegotiation sequence 
>> (with IKE etc). But ipsec-secgw uses predetermined SAs, and so 
>> addition of SA renegotiation might not fit in with the current design. 
>> I was just adding this as a placeholder for future expansion (and a 
>> model for real applications).
>>
>> What are your thoughts on addition here? Similar handling would be 
>> needed for byte & time expiry as well, when that is added. Maybe we 
>> could just log the event and leave it be.
>>>
>>>> +    RTE_SET_USED(sa);
>>>> +    return 0;
>>>> +}
>>>> +
>>>> +static int
>>>> +inline_ipsec_event_callback(uint16_t port_id, enum 
>>>> rte_eth_event_type type,
>>>> +         void *param, void *ret_param)
>>>> +{
>>>> +    struct rte_eth_event_ipsec_desc *event_desc = NULL;
>>>> +    struct rte_security_ctx *ctx = (struct rte_security_ctx *)
>>>> +                    rte_eth_dev_get_sec_ctx(port_id);
>>>> +
>>>> +    RTE_SET_USED(param);
>>>> +
>>>> +    if (type != RTE_ETH_EVENT_IPSEC)
>>>> +        return -1;
>>>> +
>>>> +    event_desc = ret_param;
>>>> +    if (event_desc == NULL) {
>>>> +        printf("Event descriptor not set\n");
>>>> +        return -1;
>>>> +    }
>>>> +
>>>> +    if (event_desc->stype == RTE_ETH_EVENT_IPSEC_ESN_OVERFLOW)
>>>> +        return inline_ipsec_event_esn_overflow(ctx, event_desc->md);
>>>> +    else if (event_desc->stype >= RTE_ETH_EVENT_IPSEC_MAX) {
>>>> +        printf("Invalid IPsec event reported\n");
>>>> +        return -1;
>>>> +    }
>>>> +
>>>> +    return -1;
>>>> +}
>>>> +
>>>>   int32_t
>>>>   main(int32_t argc, char **argv)
>>>>   {
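Review bot: In inline_ipsec_event_callback(), the ctx returned by rte_eth_dev_get_sec_ctx(port_id) is passed on to rte_security_get_userdata() without a NULL check, and the registration in main() does not check that the port has a security context. Check ctx before dispatching and return -1 if it is NULL. Separately, inline_ipsec_event_esn_overflow() discards sa with RTE_SET_USED(sa) and returns 0 without printing anything, so the soft limit event leaves no trace; until SA re-establishment exists, log the event so an operator can see that an SA is close to exhausting its sequence numbers. The `else if (event_desc->stype >= RTE_ETH_EVENT_IPSEC_MAX)` branch and the final fall-through both return -1, so a valid but unhandled subtype is dropped with no message; print one there as well.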
>>>> @@ -1727,6 +1780,9 @@ main(int32_t argc, char **argv)
>>>>            */
>>>>           if (promiscuous_on)
>>>>               rte_eth_promiscuous_enable(portid);
>>>> +
>>>> +        rte_eth_dev_callback_register(portid,
>>>> +            RTE_ETH_EVENT_IPSEC, inline_ipsec_event_callback, NULL);
>>>>       }
>>>>         check_all_ports_link_status(nb_ports, enabled_port_mask);
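Review bot: The return value of rte_eth_dev_callback_register() is ignored in main(), so a failed registration goes unnoticed. The application would then keep running with esn_soft_limit configured on its sessions but with no handler for the resulting RTE_ETH_EVENT_IPSEC event. Check the return value and at least print a message naming portid.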
>>>> diff --git a/examples/ipsec-secgw/ipsec.c 
>>>> b/examples/ipsec-secgw/ipsec.c
>>>> index 5fb5bc1..acdd189 100644
>>>> --- a/examples/ipsec-secgw/ipsec.c
>>>> +++ b/examples/ipsec-secgw/ipsec.c
>>>> @@ -36,6 +36,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct 
>>>> rte_security_ipsec_xform *ipsec)
>>>>           }
>>>>           /* TODO support for Transport and IPV6 tunnel */
>>>>       }
>>>> +    ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT;
>>>>   }
>>>>     static inline int
>>>> @@ -270,11 +271,14 @@ create_session(struct ipsec_ctx *ipsec_ctx, 
>>>> struct ipsec_sa *sa)
>>>>                * the packet is received, this userdata will be
>>>>                * retrieved using the metadata from the packet.
>>>>                *
>>>> -             * This is required only for inbound SAs.
>>>> +             * The PMD is expected to set similar metadata for other
>>>> +             * operations, like rte_eth_event, which are tied to
>>>> +             * security session. In such cases, the userdata could
>>>> +             * be obtained to uniquely identify the security
>>>> +             * parameters denoted.
>>>>                */
>>>>   -            if (sa->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
>>>> -                sess_conf.userdata = (void *) sa;
>>>> +            sess_conf.userdata = (void *) sa;
>>>>                 sa->sec_session = rte_security_session_create(ctx,
>>>>                       &sess_conf, ipsec_ctx->session_pool);
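Review bot: The rewritten comment in create_session() does not state the lifetime requirement that comes with removing the RTE_SECURITY_IPSEC_SA_DIR_INGRESS check. sess_conf.userdata now holds the raw sa pointer for every session, and inline_ipsec_event_esn_overflow() casts whatever rte_security_get_userdata() returns back to struct ipsec_sa *, so an event delivered after the SA is freed or reused would hand the callback a stale pointer. Say in the comment that sa must remain valid for as long as the security session exists. The closing phrase "the security parameters denoted" is also vague; say that the userdata identifies the SA.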
>>>> diff --git a/examples/ipsec-secgw/ipsec.h 
>>>> b/examples/ipsec-secgw/ipsec.h
>>>> index 6059f6c..c1450f6 100644
>>>> --- a/examples/ipsec-secgw/ipsec.h
>>>> +++ b/examples/ipsec-secgw/ipsec.h
>>>> @@ -21,6 +21,8 @@
>>>>     #define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */
>>>>   +#define IPSEC_OFFLOAD_ESN_SOFTLIMIT 0xffffff00
>>>> +
>>>>   #define IV_OFFSET        (sizeof(struct rte_crypto_op) + \
>>>>                   sizeof(struct rte_crypto_sym_op))
>>>>
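Review bot: IPSEC_OFFLOAD_ESN_SOFTLIMIT is defined as 0xffffff00 in ipsec.h with no comment on how the value was chosen. It sits 255 below 0xffffffff, so the event is raised with only 255 sequence numbers left before the low 32 bits roll over, which leaves the application very little room to react once renegotiation is added. Add a comment documenting the choice, and consider a lower threshold or a configurable value.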
>>>
>>
> 
> 
