From: "Ananyev, Konstantin"
To: "Ananyev, Konstantin", "Zhang, Qi Z", "dev@dpdk.org"
CC: "Awal, Mohammad Abdul"
Date: Tue, 20 Nov 2018 10:02:46 +0000
Message-ID: <2601191342CEEE43887BDE71AB977258010CEBA19A@IRSMSX106.ger.corp.intel.com>
References: <1535129598-27301-1-git-send-email-konstantin.ananyev@intel.com> <1542326031-5263-7-git-send-email-konstantin.ananyev@intel.com> <039ED4275CED7440929022BC67E70611532E86A8@SHSMSX103.ccr.corp.intel.com> <2601191342CEEE43887BDE71AB977258010CEBA13C@IRSMSX106.ger.corp.intel.com>
In-Reply-To: <2601191342CEEE43887BDE71AB977258010CEBA13C@IRSMSX106.ger.corp.intel.com>
Subject: Re: [dpdk-dev] [PATCH 6/9] ipsec: implement SA data-path API
List-Id: DPDK patches and discussions

> -----Original Message-----
> From: dev [mailto:dev-bounces@dpdk.org] On Behalf Of Ananyev, Konstantin
> Sent: Tuesday, November 20, 2018 9:44 AM
> To: Zhang, Qi Z; dev@dpdk.org
> Cc: Awal, Mohammad Abdul
> Subject: Re: [dpdk-dev] [PATCH 6/9] ipsec: implement SA data-path API
>
>
> Hi Qi,
>
> >
> > Hi Konstantin and Awal:
> >
> > I have couple questions for this patch.
> > please forgive me if they are obvious, since I don't have much insight on IPsec, but I may work on related stuff in future :)
> >
> > > +static inline int32_t > > > +esp_outb_tun_pkt_prepare(struct rte_ipsec_sa *sa, rte_be64_t sqc, > > > + const uint64_t ivp[IPSEC_MAX_IV_QWORD], struct rte_mbuf *mb, > > > + union sym_op_data *icv) > > > +{ > > > + uint32_t clen, hlen, pdlen, pdofs, tlen; > > > + struct rte_mbuf *ml; > > > + struct esp_hdr *esph; > > > + struct esp_tail *espt; > > > + char *ph, *pt; > > > + uint64_t *iv; > > > + > > > + /* calculate extra header space required */ > > > + hlen =3D sa->hdr_len + sa->iv_len + sizeof(*esph); > > > + > > > + /* number of bytes to encrypt */ > > > + clen =3D mb->pkt_len + sizeof(*espt); > > > + clen =3D RTE_ALIGN_CEIL(clen, sa->pad_align); > > > + > > > + /* pad length + esp tail */ > > > + pdlen =3D clen - mb->pkt_len; > > > + tlen =3D pdlen + sa->icv_len; > > > + > > > + /* do append and prepend */ > > > + ml =3D rte_pktmbuf_lastseg(mb); > > > + if (tlen + sa->sqh_len + sa->aad_len > rte_pktmbuf_tailroom(ml)) > > > + return -ENOSPC; > > > + > > > + /* prepend header */ > > > + ph =3D rte_pktmbuf_prepend(mb, hlen); > > > + if (ph =3D=3D NULL) > > > + return -ENOSPC; > > > + > > > + /* append tail */ > > > + pdofs =3D ml->data_len; > > > + ml->data_len +=3D tlen; > > > + mb->pkt_len +=3D tlen; > > > + pt =3D rte_pktmbuf_mtod_offset(ml, typeof(pt), pdofs); > > > + > > > + /* update pkt l2/l3 len */ > > > + mb->l2_len =3D sa->hdr_l3_off; > > > + mb->l3_len =3D sa->hdr_len - sa->hdr_l3_off; > > > + > > > + /* copy tunnel pkt header */ > > > + rte_memcpy(ph, sa->hdr, sa->hdr_len);
> >
> > I didn't get this, my understanding is:
> >
> > for tunnel mode if an original packet is
> >
> > Eth + IP + UDP/TCP + data,
>
> It is assumed that input mbuf doesn't contain L2 header already (only L3/L4/...)
> That's why we don't shift L2 header.
> Probably have to put that into public API comments.

After another thought - probably it is better to support the case when L2 is not stripped too here.
After all we do support it for other modes (inbound tunnel/transport, outbound transport).
Will try to add it into v2.
Konstantin

>
> >
> > after encap, it should become
> >
> > Eth + encap header (IP or IP + UDP) + ESP Header + IP + UDP/TCP + Data + ESP Tailer...
> >
> > So after rte_pktmbuf_prepend shouldn't we do below
> >
> > 1) shift L2 HEAD (Eth) ahead
> > 2) copy encap header and ESP header to the hole.
> > ?
> >
> > But now we just copy the sa->hdr on the pre-pend space directly? What is the sa->hdr supposed to be?
>
> Optional L2 header and new L3 header.
>
> > but no matter what is it, we encap
> > everything before the packet?
> > BTW, is UDP encapsulation also be considered here?
>
> Right now - no.
> Might be later, if there would be a request for it.
>
> >, I didn't figure out how a IP + UDP header should be configured with sa->hdr, sa->hdr_l3_off, sa->hdr_len for this case
> >
> > > +static inline int > > > +esp_inb_tun_single_pkt_process(struct rte_ipsec_sa *sa, struct rte_m= buf > > > *mb, > > > + uint32_t *sqn) > > > +{ > > > + uint32_t hlen, icv_len, tlen; > > > + struct esp_hdr *esph; > > > + struct esp_tail *espt; > > > + struct rte_mbuf *ml; > > > + char *pd; > > > + > > > + if (mb->ol_flags & PKT_RX_SEC_OFFLOAD_FAILED) > > > + return -EBADMSG; > > > + > > > + icv_len =3D sa->icv_len; > > > + > > > + ml =3D rte_pktmbuf_lastseg(mb); > > > + espt =3D rte_pktmbuf_mtod_offset(ml, struct esp_tail *, > > > + ml->data_len - icv_len - sizeof(*espt));
> >
> > What kind of mechanism is to guarantee that last segment will always cover the esp tail? (data_len >= icv_len + sizeof(*espt))
> > Is that possible the esp tail be split into multi-segment for jumbo frames case?
>
> It is possible, though right now we don't support such cases.
> Right now it is up to the caller to make sure last segment contains espt+icv.
> Plan to add proper multi-seg support later (most likely 19.05).
> Konstantin
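
Review bot: in esp_outb_tun_pkt_prepare(), the final rte_memcpy(ph, sa->hdr, sa->hdr_len) writes the tunnel header at the very start of the prepended space, so an L2 header already present in the mbuf would end up behind the new header, and nothing in the function states or checks that the input starts at L3. Please document that precondition in a comment above the function (and in the public API description), and say there what mb->l2_len and mb->l3_len mean after the call, since they are overwritten from sa->hdr_l3_off and sa->hdr_len.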
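
Review bot: in esp_inb_tun_single_pkt_process(), the offset ml->data_len - icv_len - sizeof(*espt) passed to rte_pktmbuf_mtod_offset() is computed with no check that the last segment holds at least icv_len + sizeof(*espt) bytes. icv_len is uint32_t and sizeof() is unsigned, so a shorter last segment makes the subtraction wrap and espt point outside the segment data. Suggest comparing ml->data_len against icv_len + sizeof(*espt) before this line and returning an error, as is done for PKT_RX_SEC_OFFLOAD_FAILED, rather than leaving the guarantee entirely to the caller.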
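
The caller-side guarantee discussed above (the last segment must contain the ESP tail plus ICV) can be expressed as an explicit check. This is an added example, not code from the patch or from DPDK: `struct seg`, `struct tail`, `esp_tail_offset()` and `check_two_seg()` are hypothetical stand-ins for the mbuf chain and ESP tail, and the packet lengths are constructed sample input.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins (assumptions), not DPDK's rte_mbuf or esp_tail. */
struct seg {
	struct seg *next;
	uint16_t data_len;	/* bytes of packet data in this segment */
};
struct tail { uint8_t pad_len; uint8_t next_proto; };

/*
 * Offset of the ESP tail inside the last segment, or a negative errno
 * when tail + ICV are not wholly contained in that segment.
 */
static int32_t
esp_tail_offset(const struct seg *head, uint32_t icv_len)
{
	const struct seg *last;
	uint32_t need;

	if (head == NULL || icv_len > UINT16_MAX)
		return -EINVAL;
	for (last = head; last->next != NULL; last = last->next)
		;
	need = icv_len + (uint32_t)sizeof(struct tail);
	/* Compare first: data_len - need would wrap around if smaller. */
	if (last->data_len < need)
		return -ENOTSUP;	/* tail split across segments or truncated */
	return (int32_t)(last->data_len - need);
}

/* Constructed two-segment packet used as sample input. */
static int32_t
check_two_seg(uint16_t first_len, uint16_t last_len, uint32_t icv_len)
{
	struct seg s2 = { NULL, last_len };
	struct seg s1 = { &s2, first_len };

	return esp_tail_offset(&s1, icv_len);
}

int
main(void)
{
	printf("tail in last seg:     %d\n", (int)check_two_seg(1500, 100, 16));
	printf("tail split/too short: %d\n", (int)check_two_seg(1500, 10, 16));
	return 0;
}
```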