From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) by dpdk.org (Postfix) with ESMTP id C3D6411D4 for ; Tue, 29 Aug 2017 16:49:09 +0200 (CEST) Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 407B920685; Tue, 29 Aug 2017 10:49:09 -0400 (EDT) Received: from frontend2 ([10.202.2.161]) by compute1.internal (MEProxy); Tue, 29 Aug 2017 10:49:09 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=monjalon.net; h= cc:content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc:x-sasl-enc; s=mesmtp; bh=X8xfFLO9BBUkrOv Mmau/Os9UKP/gi9qKfFPe+oSvuIQ=; b=YazdR50aQNvjLyQwmshwfLSkjhotqNG Y0y7B8IwU2LetTrRLK1K0IxexSerlN/DGIv6bCoKhyIJinH3q4xYJ4PzaqVrD1+T F0SbE5JaUbGEzRJwP9txfkFBLAC1l5LCZrRUtpCyDA/JF2yZjl6aCL11aggUH3AB tBJ55y7pZvSM= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-sender:x-me-sender:x-sasl-enc:x-sasl-enc; s= fm1; bh=X8xfFLO9BBUkrOvMmau/Os9UKP/gi9qKfFPe+oSvuIQ=; b=MjmReR/V E3v3KaPD6J2bZDFHgAxWUddRR8BVy9s4Cj/ftXcbIEPgcBBAnlTryldOszy3ecQQ qxSJ7eWp0BlDVKrslMTsDFvs1J2nIf5DdrqMRiDKNHxMqUwl8c2Dqu2zqEjBc8bP 5OVgAFDsajppXGEByxg+tfmep4mUPcM4lO0hxKNG3ro6pdFNqn3ZrT3rWxL4OV6Z 3/WxYQT6OaYdKOzb+37NSWRMlF+9z+6q7oao0/4Yyn8aHBq977/yf/SuE8ORnmWw K+5aXXibmizxqGk9gwKU3QHFSrNS7liIlNyPcD60A23BWOk+i2SDJhmgqTBcMJEM /pskTxrEiAl6JA== X-ME-Sender: X-Sasl-enc: epawXX9WtlpGSTcNA5BMsNf2K+WbuxCgUO4MjGtv9vuq 1504018148 Received: from xps.localnet (184.203.134.77.rev.sfr.net [77.134.203.184]) by mail.messagingengine.com (Postfix) with ESMTPA id DED8424434; Tue, 29 Aug 2017 10:49:08 -0400 (EDT) From: Thomas Monjalon To: Akhil Goyal Cc: dev@dpdk.org, borisp@mellanox.com, declan.doherty@intel.com, radu.nicolau@intel.com, aviadye@mellanox.com, sandeep.malik@nxp.com, hemant.agrawal@nxp.com, pablo.de.lara.guarch@intel.com Date: Tue, 29 Aug 2017 16:49:07 +0200 Message-ID: <2166799.Q9jkndJmdM@xps> In-Reply-To: <20170725112153.29699-1-akhil.goyal@nxp.com> References: <7834b3bd-0800-500c-1c89-3b89e2eb47fa@nxp.com> <20170725112153.29699-1-akhil.goyal@nxp.com> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Subject: Re: [dpdk-dev] [RFC PATCH 0/1] IPSec Inline and look aside crypto offload X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 29 Aug 2017 14:49:10 -0000 Hi, I try to understand how things are connected, but too many things are not clear for someone not involved in security. 25/07/2017 13:21, Akhil Goyal: > struct rte_security_session * > rte_security_session_create(struct rte_mempool *mempool); What is the usage of this mempool? [...] > These are very similar to what Declan proposed with a few additions. > This can be updated further for other security protocols like MACSec and DTLS You should avoid referencing another proposal without - link to the proposal - summary of the proposal [...] > Now, after the application configures the session using above APIs, it needs to > attach the session with the crypto_op in case the session is configured for > crypto look aside protocol offload. For IPSec inline/ full protocol offload > using NIC, the mbuf ol_flags can be set as per the RFC suggested by Boris. Again a missing reference (link + summary). Even worst, the RFCv2 references this v1 without copying the explanations. It is too hard to track, or maybe it is cryptic on purpose ;) [...] > Now the application(ipsec-secgw) have 4 paths to decide for the data path. > 1. Non-protocol offload (currently implemented) > 2. IPSec inline(only crypto operations using NIC) > 3. full protocol offload(crypto operations along with all the IPsec header > and trailer processing using NIC) > 4. look aside protocol offload(single-pass encryption and authentication with > additional levels of protocol processing offload using crypto device) I feel these 4 paths are the most important to discuss. Unfortunately there are not enough detailed. Please explain the purpose and implementation of each one. > The application can decide using the below action types > enum rte_security_session_action_type { > RTE_SECURITY_SESS_ETH_INLINE_CRYPTO, > /**< Crypto operations are performed by Network interface */ In this mode, the ethdev port does the same thing as a crypto port? > RTE_SECURITY_SESS_ETH_PROTO_OFFLOAD, > /**< Crypto operations with protocol support are performed > * by Network/ethernet device. > */ > RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD, > /**< Crypto operations with protocol support are performed > * by Crypto device. > */ I guess the difference between ETH_PROTO_OFFLOAD and CRYPTO_PROTO_OFFLOAD is that we must re-inject packets from CRYPTO_PROTO_OFFLOAD to the NIC? > RTE_SECURITY_SESS_NONE > /**< Non protocol offload. Application need to manage everything */ > }; What RTE_SECURITY_SESS_NONE does? It is said to be implemented above.