From: "Ananyev, Konstantin"
To: "Zhang, Qi Z", "dev@dpdk.org"
CC: "Awal, Mohammad Abdul"
Date: Tue, 20 Nov 2018 09:44:13 +0000
Subject: Re: [dpdk-dev] [PATCH 6/9] ipsec: implement SA data-path API

Hi Qi,

>
> Hi Konstantin and Awal:
>
> I have a couple of questions for this patch.
> please forgive me if they are obvious, since I don't have much insight on IPsec, but I may work on related stuff in future :)
>
> > +static inline int32_t > > +esp_outb_tun_pkt_prepare(struct rte_ipsec_sa *sa, rte_be64_t sqc, > > + const uint64_t ivp[IPSEC_MAX_IV_QWORD], struct rte_mbuf *mb, > > + union sym_op_data *icv) > > +{ > > + uint32_t clen, hlen, pdlen, pdofs, tlen; > > + struct rte_mbuf *ml; > > + struct esp_hdr *esph; > > + struct esp_tail *espt; > > + char *ph, *pt; > > + uint64_t *iv; > > + > > + /* calculate extra header space required */ > > + hlen =3D sa->hdr_len + sa->iv_len + sizeof(*esph); > > + > > + /* number of bytes to encrypt */ > > + clen =3D mb->pkt_len + sizeof(*espt); > > + clen =3D RTE_ALIGN_CEIL(clen, sa->pad_align); > > + > > + /* pad length + esp tail */ > > + pdlen =3D clen - mb->pkt_len; > > + tlen =3D pdlen + sa->icv_len; > > + > > + /* do append and prepend */ > > + ml =3D rte_pktmbuf_lastseg(mb); > > + if (tlen + sa->sqh_len + sa->aad_len > rte_pktmbuf_tailroom(ml)) > > + return -ENOSPC; > > + > > + /* prepend header */ > > + ph =3D rte_pktmbuf_prepend(mb, hlen); > > + if (ph =3D=3D NULL) > > + return -ENOSPC; > > + > > + /* append tail */ > > + pdofs =3D ml->data_len; > > + ml->data_len +=3D tlen; > > + mb->pkt_len +=3D tlen; > > + pt =3D rte_pktmbuf_mtod_offset(ml, typeof(pt), pdofs); > > + > > + /* update pkt l2/l3 len */ > > + mb->l2_len =3D sa->hdr_l3_off; > > + mb->l3_len =3D sa->hdr_len - sa->hdr_l3_off; > > + > > + /* copy tunnel pkt header */ > > + rte_memcpy(ph, sa->hdr, sa->hdr_len);
>
> I didn't get this, my understanding is:
>
> for tunnel mode if an original packet is
>
> Eth + IP + UDP/TCP + data,

It is assumed that input mbuf doesn't contain L2 header already (only L3/L4/...)
That's why we don't shift L2 header.
Probably have to put that into public API comments.

>
> after encap, it should become
>
> Eth + encap header (IP or IP + UDP) + ESP Header + IP + UDP/TCP + Data + ESP Tailer...
>
> So after rte_pktmbuf_prepend shouldn't we do below
>
> 1) shift L2 HEAD (Eth) ahead
> 2) copy encap header and ESP header to the hole.
> ?
>
> But now we just copy the sa->hdr on the pre-pend space directly? What is the sa->hdr supposed to be?

Optional L2 header and new L3 header.

> but no matter what is it, we encap
> everything before the packet?
> BTW, is UDP encapsulation also considered here?

Right now - no.
Might be later, if there would be a request for it.

>, I didn't figure out how an IP + UDP header should be configured with sa->hdr, sa->hdr_l3_off, sa->hdr_len for this case
>
> > +static inline int > > +esp_inb_tun_single_pkt_process(struct rte_ipsec_sa *sa, struct rte_mbu= f > > *mb, > > + uint32_t *sqn) > > +{ > > + uint32_t hlen, icv_len, tlen; > > + struct esp_hdr *esph; > > + struct esp_tail *espt; > > + struct rte_mbuf *ml; > > + char *pd; > > + > > + if (mb->ol_flags & PKT_RX_SEC_OFFLOAD_FAILED) > > + return -EBADMSG; > > + > > + icv_len =3D sa->icv_len; > > + > > + ml =3D rte_pktmbuf_lastseg(mb); > > + espt =3D rte_pktmbuf_mtod_offset(ml, struct esp_tail *, > > + ml->data_len - icv_len - sizeof(*espt));
>
> What kind of mechanism is to guarantee that last segment will always cover the esp tail?( data_len >= icv_len + sizeof (*espt))
> Is that possible the esp tail be split into multi-segment for jumbo frames cases?

It is possible, though right now we don't support such cases.
Right now it is up to the caller to make sure last segment contains espt+icv
(plus enough free space for AAD, ESN.hi, etc.).
Plan to add proper multi-seg support later (most likely 19.05).
Konstantin
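
Review bot: in esp_outb_tun_pkt_prepare(), the rte_pktmbuf_prepend(mb, hlen) followed by rte_memcpy(ph, sa->hdr, sa->hdr_len) places sa->hdr directly in front of whatever the mbuf data currently starts with, so the output is only well-formed when the input mbuf begins at the inner L3 header, and nothing in the hunk states that precondition. Please add a comment at the function, and in the public API description as the reply above suggests, saying that the caller must hand in a packet without an L2 header and that sa->hdr carries the optional L2 header plus the new L3 header, with sa->hdr_l3_off marking where L3 begins. The same comment would also explain why mb->l2_len is set from sa->hdr_l3_off rather than from the incoming packet.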
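
Review bot: in esp_inb_tun_single_pkt_process(), the offset ml->data_len - icv_len - sizeof(*espt) passed to rte_pktmbuf_mtod_offset() is computed with no prior check that the last segment holds at least icv_len + sizeof(*espt) bytes. The arithmetic is unsigned (icv_len is uint32_t, sizeof yields size_t), so a shorter last segment makes the offset wrap and espt point outside the segment's data, and the subsequent tail read is out of bounds on received, not yet authenticated input. Since multi-segment tails are not supported yet and the requirement is left to the caller, suggest an explicit guard right after rte_pktmbuf_lastseg(mb) that returns an error when ml->data_len < icv_len + sizeof(*espt), plus a comment documenting that the ESP tail and ICV must sit entirely in the last segment.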