From: Akhil Goyal <akhil.goyal@nxp.com>
To: <dev@dpdk.org>
Cc: <declan.doherty@intel.com>, <pablo.de.lara.guarch@intel.com>,
<hemant.agrawal@nxp.com>, <radu.nicolau@intel.com>,
<borisp@mellanox.com>, <aviadye@mellanox.com>,
<thomas@monjalon.net>, <sandeep.malik@nxp.com>,
<jerin.jacob@caviumnetworks.com>, <john.mcnamara@intel.com>,
<konstantin.ananyev@intel.com>, <shahafs@mellanox.com>,
<olivier.matz@6wind.com>
Subject: [dpdk-dev] [PATCH v4 08/12] doc: add details of rte_flow security actions
Date: Sun, 15 Oct 2017 03:47:30 +0530 [thread overview]
Message-ID: <20171014221734.15511-9-akhil.goyal@nxp.com> (raw)
In-Reply-To: <20171014221734.15511-1-akhil.goyal@nxp.com>
From: Boris Pismenny <borisp@mellanox.com>
Signed-off-by: Boris Pismenny <borisp@mellanox.com>
Reviewed-by: John McNamara <john.mcnamara@intel.com>
---
doc/guides/prog_guide/rte_flow.rst | 84 +++++++++++++++++++++++++++++++++++++-
1 file changed, 82 insertions(+), 2 deletions(-)
diff --git a/doc/guides/prog_guide/rte_flow.rst b/doc/guides/prog_guide/rte_flow.rst
index 13e3dbe..ac1adf9 100644
--- a/doc/guides/prog_guide/rte_flow.rst
+++ b/doc/guides/prog_guide/rte_flow.rst
@@ -187,7 +187,7 @@ Pattern item
Pattern items fall in two categories:
- Matching protocol headers and packet data (ANY, RAW, ETH, VLAN, IPV4,
- IPV6, ICMP, UDP, TCP, SCTP, VXLAN, MPLS, GRE and so on), usually
+ IPV6, ICMP, UDP, TCP, SCTP, VXLAN, MPLS, GRE, ESP and so on), usually
associated with a specification structure.
- Matching meta-data or affecting pattern processing (END, VOID, INVERT, PF,
@@ -972,6 +972,14 @@ flow rules.
- ``teid``: tunnel endpoint identifier.
- Default ``mask`` matches teid only.
+Item: ``ESP``
+^^^^^^^^^^^^^
+
+Matches an ESP header.
+
+- ``hdr``: ESP header definition (``rte_esp.h``).
+- Default ``mask`` matches SPI only.
+
Actions
~~~~~~~
@@ -989,7 +997,7 @@ They fall in three categories:
additional processing by subsequent flow rules.
- Other non-terminating meta actions that do not affect the fate of packets
- (END, VOID, MARK, FLAG, COUNT).
+ (END, VOID, MARK, FLAG, COUNT, SECURITY).
When several actions are combined in a flow rule, they should all have
different types (e.g. dropping a packet twice is not possible).
@@ -1371,6 +1379,78 @@ rule or if packets are not addressed to a VF in the first place.
| ``vf`` | VF ID to redirect packets to |
+--------------+--------------------------------+
+Action: ``SECURITY``
+^^^^^^^^^^^^^^^^^^^^
+
+Perform the security action on flows matched by the pattern items
+according to the configuration of the security session.
+
+This action modifies the payload of matched flows. For INLINE_CRYPTO, the
+security protocol headers and IV are fully provided by the application as
+specified in the flow pattern. The payload of matching packets is
+encrypted on egress, and decrypted and authenticated on ingress.
+For INLINE_PROTOCOL, the security protocol is fully offloaded to HW,
+providing full encapsulation and decapsulation of packets in security
+protocols. The flow pattern specifies both the outer security header fields
+and the inner packet fields. The security session specified in the action
+must match the pattern parameters.
+
+The security session specified in the action must be created on the same
+port as the flow action that is being specified.
+
+The ingress/egress flow attribute should match that specified in the
+security session if the security session supports the definition of the
+direction.
+
+Multiple flows can be configured to use the same security session.
+
+- Non-terminating by default.
+
+.. _table_rte_flow_action_security:
+
+.. table:: SECURITY
+
+ +----------------------+--------------------------------------+
+ | Field | Value |
+ +======================+======================================+
+ | ``security_session`` | security session to apply |
+ +----------------------+--------------------------------------+
+
+The following is an example of configuring IPsec inline using the
+INLINE_CRYPTO security session:
+
+The encryption algorithm, keys and salt are part of the opaque
+``rte_security_session``. The SA is identified according to the IP and ESP
+fields in the pattern items.
+
+.. _table_rte_flow_item_esp_inline_example:
+
+.. table:: IPsec inline crypto flow pattern items.
+
+ +-------+----------+
+ | Index | Item |
+ +=======+==========+
+ | 0 | Ethernet |
+ +-------+----------+
+ | 1 | IPv4 |
+ +-------+----------+
+ | 2 | ESP |
+ +-------+----------+
+ | 3 | END |
+ +-------+----------+
+
+.. _table_rte_flow_action_esp_inline_example:
+
+.. table:: IPsec inline flow actions.
+
+ +-------+----------+
+ | Index | Action |
+ +=======+==========+
+ | 0 | SECURITY |
+ +-------+----------+
+ | 1 | END |
+ +-------+----------+
+
Negative types
~~~~~~~~~~~~~~
--
2.9.3
next prev parent reply other threads:[~2017-10-14 22:21 UTC|newest]
Thread overview: 195+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-14 8:26 [dpdk-dev] [PATCH 00/11] introduce security offload library Akhil Goyal
2017-09-14 8:26 ` [dpdk-dev] [PATCH 01/11] lib/rte_security: add security library Akhil Goyal
2017-09-15 5:32 ` Hemant Agrawal
2017-09-17 13:31 ` Boris Pismenny
2017-09-20 11:35 ` Akhil Goyal
2017-09-18 13:13 ` Jerin Jacob
2017-09-22 11:55 ` Radu Nicolau
2017-09-14 8:26 ` [dpdk-dev] [PATCH 02/11] doc: add details of rte security Akhil Goyal
2017-09-18 11:13 ` Jerin Jacob
2017-09-20 10:59 ` Akhil Goyal
2017-09-18 15:38 ` Mcnamara, John
2017-09-20 11:00 ` Akhil Goyal
2017-09-14 8:26 ` [dpdk-dev] [PATCH 03/11] cryptodev: extend cryptodev to support security APIs Akhil Goyal
2017-09-14 8:26 ` [dpdk-dev] [PATCH 04/11] lib/librte_net: add ESP header to generic flow steering Akhil Goyal
2017-09-15 4:51 ` Hemant Agrawal
2017-09-17 7:19 ` Boris Pismenny
2017-09-14 8:26 ` [dpdk-dev] [PATCH 05/11] lib/librte_mbuf: add security crypto flags and mbuf fields Akhil Goyal
2017-09-18 7:54 ` Boris Pismenny
2017-09-20 9:43 ` Olivier MATZ
2017-09-26 10:19 ` Boris Pismenny
2017-09-14 8:26 ` [dpdk-dev] [PATCH 06/11] ethdev: extend ethdev to support security APIs Akhil Goyal
2017-09-17 13:45 ` Shahaf Shuler
2017-09-22 11:42 ` Radu Nicolau
2017-09-18 7:57 ` Jerin Jacob
2017-09-22 11:49 ` Radu Nicolau
2017-09-14 8:26 ` [dpdk-dev] [PATCH 07/11] ethdev: add rte flow action for crypto Akhil Goyal
2017-09-21 9:16 ` Jerin Jacob
2017-09-21 16:53 ` Boris Pismenny
2017-09-14 8:26 ` [dpdk-dev] [PATCH 08/11] mk: add rte security into build system Akhil Goyal
2017-09-14 8:26 ` [dpdk-dev] [PATCH 09/11] net/ixgbe: enable inline ipsec Akhil Goyal
2017-09-15 4:48 ` Hemant Agrawal
2017-09-15 13:14 ` Doherty, Declan
2017-09-14 8:26 ` [dpdk-dev] [PATCH 10/11] crypto/dpaa2_sec: add support for protocol offload ipsec Akhil Goyal
2017-09-14 8:26 ` [dpdk-dev] [PATCH 11/11] examples/ipsec-secgw: add support for security offload Akhil Goyal
2017-10-03 13:14 ` [dpdk-dev] [PATCH v2 00/12] introduce security offload library Akhil Goyal
2017-10-03 13:14 ` [dpdk-dev] [PATCH v2 01/12] lib/rte_security: add security library Akhil Goyal
2017-10-05 15:32 ` De Lara Guarch, Pablo
2017-10-05 16:30 ` Ananyev, Konstantin
2017-10-06 18:11 ` Akhil Goyal
2017-10-09 13:42 ` Ananyev, Konstantin
2017-10-10 12:17 ` Akhil Goyal
2017-10-11 9:02 ` Ananyev, Konstantin
2017-10-03 13:14 ` [dpdk-dev] [PATCH v2 02/12] doc: add details of rte security Akhil Goyal
2017-10-03 15:56 ` Mcnamara, John
2017-10-03 13:14 ` [dpdk-dev] [PATCH v2 03/12] cryptodev: extend cryptodev to support security APIs Akhil Goyal
2017-10-05 8:49 ` De Lara Guarch, Pablo
2017-10-03 13:14 ` [dpdk-dev] [PATCH v2 04/12] lib/librte_net: add ESP header to generic flow steering Akhil Goyal
2017-10-03 13:14 ` [dpdk-dev] [PATCH v2 05/12] lib/librte_mbuf: add security crypto flags and mbuf fields Akhil Goyal
2017-10-05 8:54 ` De Lara Guarch, Pablo
2017-10-03 13:14 ` [dpdk-dev] [PATCH v2 06/12] ethdev: extend ethdev to support security APIs Akhil Goyal
2017-10-04 10:52 ` Shahaf Shuler
2017-10-06 16:31 ` Radu Nicolau
2017-10-05 18:01 ` Ananyev, Konstantin
2017-10-03 13:14 ` [dpdk-dev] [PATCH v2 07/12] ethdev: add rte flow action for crypto Akhil Goyal
2017-10-03 13:14 ` [dpdk-dev] [PATCH v2 08/12] doc: add details of rte_flow security actions Akhil Goyal
2017-10-03 15:38 ` Mcnamara, John
2017-10-03 15:39 ` Mcnamara, John
2017-10-05 15:34 ` De Lara Guarch, Pablo
2017-10-03 13:14 ` [dpdk-dev] [PATCH v2 09/12] mk: add rte security into build system Akhil Goyal
2017-10-03 13:14 ` [dpdk-dev] [PATCH v2 10/12] net/ixgbe: enable inline ipsec Akhil Goyal
2017-10-05 17:55 ` Ananyev, Konstantin
2017-10-06 9:17 ` Radu Nicolau
2017-10-06 18:33 ` Ananyev, Konstantin
2017-10-10 16:10 ` Radu Nicolau
2017-10-03 13:14 ` [dpdk-dev] [PATCH v2 11/12] crypto/dpaa2_sec: add support for protocol offload ipsec Akhil Goyal
2017-10-05 9:13 ` De Lara Guarch, Pablo
2017-10-03 13:14 ` [dpdk-dev] [PATCH v2 12/12] examples/ipsec-secgw: add support for security offload Akhil Goyal
2017-10-06 18:11 ` [dpdk-dev] [PATCH v3 00/12] introduce security offload library Akhil Goyal
2017-10-06 18:11 ` [dpdk-dev] [PATCH v3 01/12] lib/rte_security: add security library Akhil Goyal
2017-10-06 18:11 ` [dpdk-dev] [PATCH v3 02/12] doc: add details of rte security Akhil Goyal
2017-10-06 18:11 ` [dpdk-dev] [PATCH v3 03/12] cryptodev: support security APIs Akhil Goyal
2017-10-10 13:43 ` De Lara Guarch, Pablo
2017-10-21 15:22 ` Akhil Goyal
2017-10-06 18:11 ` [dpdk-dev] [PATCH v3 04/12] net: add ESP header to generic flow steering Akhil Goyal
2017-10-06 18:11 ` [dpdk-dev] [PATCH v3 05/12] mbuf: add security crypto flags and mbuf fields Akhil Goyal
2017-10-06 18:11 ` [dpdk-dev] [PATCH v3 06/12] ethdev: support security APIs Akhil Goyal
2017-10-06 18:11 ` [dpdk-dev] [PATCH v3 07/12] ethdev: add rte flow action for crypto Akhil Goyal
2017-10-06 18:11 ` [dpdk-dev] [PATCH v3 08/12] doc: add details of rte_flow security actions Akhil Goyal
2017-10-12 13:41 ` Mcnamara, John
2017-10-06 18:11 ` [dpdk-dev] [PATCH v3 09/12] mk: add rte security into build system Akhil Goyal
2017-10-06 18:11 ` [dpdk-dev] [PATCH v3 10/12] net/ixgbe: enable inline ipsec Akhil Goyal
2017-10-06 18:11 ` [dpdk-dev] [PATCH v3 11/12] crypto/dpaa2_sec: add support for protocol offload ipsec Akhil Goyal
2017-10-06 18:11 ` [dpdk-dev] [PATCH v3 12/12] examples/ipsec-secgw: add support for security offload Akhil Goyal
2017-10-09 13:49 ` [dpdk-dev] [PATCH v3 00/12] introduce security offload library Ananyev, Konstantin
2017-10-10 12:22 ` Akhil Goyal
2017-10-14 22:17 ` [dpdk-dev] [PATCH v4 " Akhil Goyal
2017-10-14 22:17 ` [dpdk-dev] [PATCH v4 01/12] lib/rte_security: add security library Akhil Goyal
2017-10-15 12:47 ` Aviad Yehezkel
2017-10-19 9:30 ` Ananyev, Konstantin
2017-10-21 15:54 ` Akhil Goyal
2017-10-20 9:37 ` Thomas Monjalon
2017-10-20 9:39 ` Thomas Monjalon
2017-10-21 19:46 ` Akhil Goyal
2017-10-21 19:45 ` Akhil Goyal
2017-10-14 22:17 ` [dpdk-dev] [PATCH v4 02/12] doc: add details of rte security Akhil Goyal
2017-10-15 12:47 ` Aviad Yehezkel
2017-10-20 9:41 ` Thomas Monjalon
2017-10-21 19:48 ` Akhil Goyal
2017-10-14 22:17 ` [dpdk-dev] [PATCH v4 03/12] cryptodev: support security APIs Akhil Goyal
2017-10-15 12:48 ` Aviad Yehezkel
2017-10-14 22:17 ` [dpdk-dev] [PATCH v4 04/12] net: add ESP header to generic flow steering Akhil Goyal
2017-10-15 12:48 ` Aviad Yehezkel
2017-10-20 10:15 ` Thomas Monjalon
2017-10-21 19:49 ` Akhil Goyal
2017-10-14 22:17 ` [dpdk-dev] [PATCH v4 05/12] mbuf: add security crypto flags and mbuf fields Akhil Goyal
2017-10-15 12:49 ` Aviad Yehezkel
2017-10-14 22:17 ` [dpdk-dev] [PATCH v4 06/12] ethdev: support security APIs Akhil Goyal
2017-10-15 12:49 ` Aviad Yehezkel
2017-10-15 13:13 ` Shahaf Shuler
2017-10-16 8:46 ` Nicolau, Radu
2017-10-19 9:23 ` Ananyev, Konstantin
2017-10-21 16:00 ` Akhil Goyal
2017-10-23 9:56 ` Ananyev, Konstantin
2017-10-23 13:08 ` Nicolau, Radu
2017-10-20 10:58 ` Thomas Monjalon
2017-10-21 19:50 ` Akhil Goyal
2017-10-14 22:17 ` [dpdk-dev] [PATCH v4 07/12] ethdev: add rte flow action for crypto Akhil Goyal
2017-10-15 12:49 ` Aviad Yehezkel
2017-10-14 22:17 ` Akhil Goyal [this message]
2017-10-15 12:50 ` [dpdk-dev] [PATCH v4 08/12] doc: add details of rte_flow security actions Aviad Yehezkel
2017-10-16 19:17 ` Mcnamara, John
2017-10-20 11:00 ` Thomas Monjalon
2017-10-21 19:50 ` Akhil Goyal
2017-10-14 22:17 ` [dpdk-dev] [PATCH v4 09/12] mk: add rte security into build system Akhil Goyal
2017-10-15 12:50 ` Aviad Yehezkel
2017-10-20 11:06 ` Thomas Monjalon
2017-10-21 19:44 ` Akhil Goyal
2017-10-14 22:17 ` [dpdk-dev] [PATCH v4 10/12] net/ixgbe: enable inline ipsec Akhil Goyal
2017-10-15 12:51 ` Aviad Yehezkel
2017-10-16 10:41 ` Thomas Monjalon
2017-10-18 21:29 ` Ananyev, Konstantin
2017-10-19 10:51 ` Radu Nicolau
2017-10-19 11:04 ` Ananyev, Konstantin
2017-10-19 11:57 ` Nicolau, Radu
2017-10-19 12:16 ` Ananyev, Konstantin
2017-10-19 12:29 ` Ananyev, Konstantin
2017-10-19 13:14 ` Radu Nicolau
2017-10-19 13:22 ` Ananyev, Konstantin
2017-10-19 14:19 ` Nicolau, Radu
2017-10-19 14:36 ` Ananyev, Konstantin
2017-10-19 13:09 ` Radu Nicolau
2017-10-19 9:04 ` Ananyev, Konstantin
2017-10-14 22:17 ` [dpdk-dev] [PATCH v4 11/12] crypto/dpaa2_sec: add support for protocol offload ipsec Akhil Goyal
2017-10-14 22:17 ` [dpdk-dev] [PATCH v4 12/12] examples/ipsec-secgw: add support for security offload Akhil Goyal
2017-10-15 12:51 ` Aviad Yehezkel
2017-10-16 10:44 ` [dpdk-dev] [PATCH v4 00/12] introduce security offload library Thomas Monjalon
2017-10-20 9:32 ` Thomas Monjalon
2017-10-21 16:13 ` Akhil Goyal
2017-10-22 20:37 ` Akhil Goyal
2017-10-22 20:59 ` Thomas Monjalon
2017-10-23 11:44 ` Aviad Yehezkel
2017-10-24 9:41 ` Akhil Goyal
2017-10-24 9:52 ` Thomas Monjalon
2017-10-24 14:27 ` Akhil Goyal
2017-10-24 14:15 ` [dpdk-dev] [PATCH v5 00/11] " Akhil Goyal
2017-10-24 14:15 ` [dpdk-dev] [PATCH v5 01/11] lib/rte_security: add security library Akhil Goyal
2017-10-24 15:15 ` De Lara Guarch, Pablo
2017-10-25 11:06 ` Akhil Goyal
2017-10-24 20:47 ` Thomas Monjalon
2017-10-25 11:08 ` Akhil Goyal
2017-10-25 5:13 ` Hemant Agrawal
2017-10-24 14:15 ` [dpdk-dev] [PATCH v5 02/11] doc: add details of rte security Akhil Goyal
2017-10-24 14:15 ` [dpdk-dev] [PATCH v5 03/11] cryptodev: support security APIs Akhil Goyal
2017-10-24 14:15 ` [dpdk-dev] [PATCH v5 04/11] net: add ESP header to generic flow steering Akhil Goyal
2017-10-24 14:15 ` [dpdk-dev] [PATCH v5 05/11] mbuf: add security crypto flags and mbuf fields Akhil Goyal
2017-10-25 9:38 ` Olivier MATZ
2017-10-25 12:05 ` Akhil Goyal
2017-10-24 14:15 ` [dpdk-dev] [PATCH v5 06/11] ethdev: support security APIs Akhil Goyal
2017-10-25 5:05 ` Hemant Agrawal
2017-10-25 7:01 ` Shahaf Shuler
2017-10-25 12:35 ` Aviad Yehezkel
2017-10-24 14:15 ` [dpdk-dev] [PATCH v5 07/11] ethdev: add rte flow action for crypto Akhil Goyal
2017-10-24 14:15 ` [dpdk-dev] [PATCH v5 08/11] mk: add rte security into build system Akhil Goyal
2017-10-24 20:48 ` Thomas Monjalon
2017-10-25 11:12 ` Akhil Goyal
2017-10-25 5:04 ` Hemant Agrawal
2017-10-24 14:15 ` [dpdk-dev] [PATCH v5 09/11] net/ixgbe: enable inline ipsec Akhil Goyal
2017-10-24 14:15 ` [dpdk-dev] [PATCH v5 10/11] crypto/dpaa2_sec: add support for protocol offload ipsec Akhil Goyal
2017-10-24 14:15 ` [dpdk-dev] [PATCH v5 11/11] examples/ipsec-secgw: add support for security offload Akhil Goyal
2017-10-25 15:07 ` [dpdk-dev] [PATCH v6 00/10] introduce security offload library Akhil Goyal
2017-10-25 15:07 ` [dpdk-dev] [PATCH v6 01/10] cryptodev: support security APIs Akhil Goyal
2017-10-25 15:07 ` [dpdk-dev] [PATCH v6 02/10] net: add ESP header to generic flow steering Akhil Goyal
2017-10-25 15:07 ` [dpdk-dev] [PATCH v6 03/10] mbuf: add security crypto flags and mbuf fields Akhil Goyal
2017-10-25 15:07 ` [dpdk-dev] [PATCH v6 04/10] ethdev: support security APIs Akhil Goyal
2017-10-25 15:07 ` [dpdk-dev] [PATCH v6 05/10] ethdev: add rte flow action for crypto Akhil Goyal
2017-10-25 15:07 ` [dpdk-dev] [PATCH v6 06/10] security: introduce security API and framework Akhil Goyal
2017-10-25 15:07 ` [dpdk-dev] [PATCH v6 07/10] doc: add details of rte security Akhil Goyal
2017-10-25 15:07 ` [dpdk-dev] [PATCH v6 08/10] net/ixgbe: enable inline ipsec Akhil Goyal
2017-10-26 7:09 ` David Marchand
2017-10-26 7:19 ` David Marchand
2017-11-01 19:58 ` Thomas Monjalon
2017-11-01 20:10 ` Ferruh Yigit
2017-10-25 15:07 ` [dpdk-dev] [PATCH v6 09/10] crypto/dpaa2_sec: add support for protocol offload ipsec Akhil Goyal
2017-10-25 15:07 ` [dpdk-dev] [PATCH v6 10/10] examples/ipsec-secgw: add support for security offload Akhil Goyal
2017-10-26 1:16 ` [dpdk-dev] [PATCH v6 00/10] introduce security offload library Thomas Monjalon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171014221734.15511-9-akhil.goyal@nxp.com \
--to=akhil.goyal@nxp.com \
--cc=aviadye@mellanox.com \
--cc=borisp@mellanox.com \
--cc=declan.doherty@intel.com \
--cc=dev@dpdk.org \
--cc=hemant.agrawal@nxp.com \
--cc=jerin.jacob@caviumnetworks.com \
--cc=john.mcnamara@intel.com \
--cc=konstantin.ananyev@intel.com \
--cc=olivier.matz@6wind.com \
--cc=pablo.de.lara.guarch@intel.com \
--cc=radu.nicolau@intel.com \
--cc=sandeep.malik@nxp.com \
--cc=shahafs@mellanox.com \
--cc=thomas@monjalon.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).