From: Hemant Agrawal
To: dev@dpdk.org
Date: Wed, 8 Sep 2021 13:16:25 +0530
Subject: Re: [dpdk-dev] [PATCH 1/3] security: add option to configure tunnel header verification
Message-ID: <0a3a4991-88b4-c077-f4ec-8a051f464c24@oss.nxp.com>
In-Reply-To: <20210908082111.27396-2-ktejasree@marvell.com>
References: <20210908082111.27396-1-ktejasree@marvell.com> <20210908082111.27396-2-ktejasree@marvell.com>
List-Id: DPDK patches and discussions

On 9/8/2021 1:51 PM, Tejasree Kondoj wrote:
> Add option to indicate whether outer header verification
> need to be done as part of inbound IPsec processing.
>
> With inline IPsec processing, SA lookup would be happening
> in the Rx path of rte_ethdev. When rte_flow is configured to
> support more than one SA, SPI would be used to lookup SA.
> In such cases, additional verification would be required to
> ensure duplicate SPIs are not getting processed in the inline path.
>
> For lookaside cases, the same option can be used by application
> to offload tunnel verification to the PMD.
>
> These verifications would help in averting possible DoS attacks.
> > Signed-off-by: Tejasree Kondoj > --- > doc/guides/rel_notes/release_21_11.rst | 5 +++++ > lib/security/rte_security.h | 17 +++++++++++++++++ > 2 files changed, 22 insertions(+) > > diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst > index 0e3ed28378..b0606cb542 100644 > --- a/doc/guides/rel_notes/release_21_11.rst > +++ b/doc/guides/rel_notes/release_21_11.rst > @@ -136,6 +136,11 @@ ABI Changes > soft and hard SA expiry limits. Limits can be either in units of packets or > bytes. > > +* security: add IPsec SA option to configure tunnel header verification > + > + * Added SA option to indicate whether outer header verification need to be > + done as part of inbound IPsec processing. > + > > Known Issues > ------------ > diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h > index 95c169d6cf..2a61cad885 100644 > --- a/lib/security/rte_security.h > +++ b/lib/security/rte_security.h > @@ -55,6 +55,14 @@ enum rte_security_ipsec_tunnel_type { > /**< Outer header is IPv6 */ > }; > > +/** > + * IPSEC tunnel header verification mode > + * > + * Controls how outer IP header is verified in inbound. > + */ > +#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR 0x1 > +#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2 > + > /** > * Security context for crypto/eth devices > * > @@ -195,6 +203,15 @@ struct rte_security_ipsec_sa_options { > * by the PMD. > */ > uint32_t iv_gen_disable : 1; > + > + /** Verify tunnel header in inbound > + * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR``: Verify destination > + * IP address. > + * > + * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR``: Verify both > + * source and destination IP addresses. > + */ > + uint32_t tunnel_hdr_verify : 2; > }; > > /** IPSec security association direction */ Acked-by: Hemant Agrawal
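Review bot: In the release_21_11.rst hunk, the added entry says "whether outer header verification need to be done", which should read "needs to be done", and the entry never names what changed. Since it sits under "ABI Changes", it would help to state that the new field is tunnel_hdr_verify in struct rte_security_ipsec_sa_options and that two bits are taken from that options word.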
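Review bot: In the rte_security.h hunk at @@ -55,6 +55,14, the two macros start at 0x1 and nothing names or documents the value 0, so "no outer header verification" is only implied. The single comment block above RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR also leaves RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR without a description of its own. Suggest either adding a named zero value or saying in the comment that 0 disables the check, and giving each define its own one-line description.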
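Review bot: In the struct rte_security_ipsec_sa_options hunk, "uint32_t tunnel_hdr_verify : 2;" can hold 3, which neither macro defines, and the comment lists only the two non-zero values. The comment should say that 0 means no verification, that 3 is reserved, which addresses the outer header is compared against, and what happens to an inbound packet that fails the check, since the commit message presents this as a DoS mitigation and callers need to know the failure behaviour.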
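The inbound check that the quoted commit message describes, as an added example that is not part of the patch or of DPDK. Only the two macro values are taken from the patch; the demo_* names, the SA table, and the assumption that the outer addresses are compared against the SA's configured tunnel endpoints and mismatches are rejected are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* The two values come from the patch; everything else is hypothetical. */
#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR     0x1
#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2

enum demo_verdict { DEMO_ACCEPT, DEMO_NO_SA, DEMO_HDR_MISMATCH, DEMO_BAD_MODE };

/* Hypothetical inbound SA entry for an IPv4 tunnel. */
struct demo_sa {
	uint32_t spi;
	uint32_t tun_src, tun_dst;   /* outer addresses the SA was set up with */
	unsigned int tunnel_hdr_verify : 2;
};

/* Constructed SA table: one SA per verification mode. */
static const struct demo_sa demo_sas[] = {
	{ 0x100, 0x0a000001, 0x0a000002, RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR },
	{ 0x200, 0x0a000003, 0x0a000002, RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR },
	{ 0x300, 0x0a000004, 0x0a000002, 0 },
};

/* Look the SA up by SPI alone, then apply the outer-header check it asks for. */
static enum demo_verdict
demo_inbound_check(uint32_t spi, uint32_t outer_src, uint32_t outer_dst)
{
	const struct demo_sa *sa = NULL;
	size_t i;

	for (i = 0; i < sizeof(demo_sas) / sizeof(demo_sas[0]); i++)
		if (demo_sas[i].spi == spi)
			sa = &demo_sas[i];
	if (sa == NULL)
		return DEMO_NO_SA;
	if (sa->tunnel_hdr_verify == 0)
		return DEMO_ACCEPT;          /* SPI match is the only gate */
	if (sa->tunnel_hdr_verify > RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR)
		return DEMO_BAD_MODE;        /* 3 fits in two bits but is undefined */
	if (outer_dst != sa->tun_dst)
		return DEMO_HDR_MISMATCH;
	if (sa->tunnel_hdr_verify == RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR &&
	    outer_src != sa->tun_src)
		return DEMO_HDR_MISMATCH;
	return DEMO_ACCEPT;
}

int main(void)
{
	/* Right SPI, wrong outer source: rejected before any crypto work. */
	return demo_inbound_check(0x100, 0x0a0000ff, 0x0a000002) == DEMO_HDR_MISMATCH ? 0 : 1;
}
```

With mode 0 the third SA accepts any packet that carries its SPI, which is the case the commit message's "additional verification" is meant to close.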