From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from EUR03-DB5-obe.outbound.protection.outlook.com (mail-eopbgr40055.outbound.protection.outlook.com [40.107.4.55]) by dpdk.org (Postfix) with ESMTP id 2551E2B9D for ; Tue, 25 Sep 2018 09:48:39 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nxp.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=SCWNx3ONMOzPbdo7yZFE6AFWsla34Nt4QHsvTODNujE=; b=olrwkJJgwef4L9mPl2d+Nq26CAupLHtue+G6n8EiruVFjTwn8YMDpi8CmihqTiJybLJM9UjywACX+YLJ+BI5rInFzAo7DrpJbJRC69GqxtJSpsVo8dlg5VRYgzx+u7qQq6AuQbIdTmTF2JxdAc1XKeKZ9h1e8C1PGTejdcsEXzw= Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=akhil.goyal@nxp.com; Received: from [10.232.134.144] (14.143.30.134) by VI1PR04MB4894.eurprd04.prod.outlook.com (2603:10a6:803:56::27) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1143.18; Tue, 25 Sep 2018 07:48:33 +0000 To: "Ananyev, Konstantin" , Jerin Jacob , "Joseph, Anoob" Cc: "dev@dpdk.org" , "Awal, Mohammad Abdul" , "Doherty, Declan" , Narayana Prasad , Hemant Agrawal , "shreyansh.jain@nxp.com" References: <1535129598-27301-1-git-send-email-konstantin.ananyev@intel.com> <358d1b6c-26f2-b125-07a4-cfb1c0e2a57b@caviumnetworks.com> <2601191342CEEE43887BDE71AB977258EA95089D@irsmsx105.ger.corp.intel.com> <475cf471-b46a-671a-5485-0042c652430c@caviumnetworks.com> <2601191342CEEE43887BDE71AB977258EA954BAD@irsmsx105.ger.corp.intel.com> <2601191342CEEE43887BDE71AB977258EA954E9D@irsmsx105.ger.corp.intel.com> <20180916105640.GA4803@jerin> <2601191342CEEE43887BDE71AB977258EA95724C@irsmsx105.ger.corp.intel.com> <2601191342CEEE43887BDE71AB977258EA957E3A@irsmsx105.ger.corp.intel.com> <2601191342CEEE43887BDE71AB977258EA95A705@irsmsx105.ger.corp.intel.com> From: Akhil Goyal Message-ID: <36e1d53b-4c31-1a92-c91f-7066f4358f79@nxp.com> Date: Tue, 25 Sep 2018 13:18:09 +0530 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <2601191342CEEE43887BDE71AB977258EA95A705@irsmsx105.ger.corp.intel.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-US X-Originating-IP: [14.143.30.134] X-ClientProxiedBy: MA1PR0101CA0058.INDPRD01.PROD.OUTLOOK.COM (2603:1096:a00:20::20) To VI1PR04MB4894.eurprd04.prod.outlook.com (2603:10a6:803:56::27) X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 099f2a87-9e5f-4e30-b7fc-08d622bb4d9f X-MS-Office365-Filtering-HT: Tenant X-Microsoft-Antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989299)(5600074)(711020)(4618075)(2017052603328)(7153060)(7193020); SRVR:VI1PR04MB4894; X-Microsoft-Exchange-Diagnostics: 1; VI1PR04MB4894; 3:zEn2W9v+VV73FHCUXJiFFYgmfZGAJEWafXVqiwBzn6sOAibb+cbGmgzExkxV6mbYxxYxa9oVe4ISHHUF9F8pYM0vYXSohhMuzrwpV2x9wT7ZFDsRYj1YB6ngZjzu6zEEhbq4dylj3BEg9VDGLvu3B6+8R0+kM2cM0zUr9Hcs8R31cjxnhTWrUkbSRIlyc+Rya1RdcmavFF1u0zF2/6abSMkO0aNgVhbLZJKVuWhpFoeZyMfY7hHq5ZrZbwRXqqwB; 25:v5qF/XK99SHCcuDiQuPGVEouMY8EMrnjkWQYzxr27+1YnqV0VgenvsTH9aML10susDtVwBGIZADqMWtrv1EvQja2oDgj3r9YpQpipwZmZFu+InBuK6JIxwyKOkgbJq2uUkZCufnj4BNp/OQa2Dj/EAspYRizF+RZD7hcUuDEET2ro0gXTmxmAiRLC0MhDEdShavDkqqJLm+hWeRaOlVy6iyOaJ2nFCPydrZdjgO2ikFfwbzQTDJm28YPkJ64iUcAQPNim6+jv4TXg6Kc0ayqH5ueTCDFAajwE4n00+llt/IoiRGZGLgcM63vD2kJPkB14WY68Yu/y3Jy3EfZKYhSng==; 31:GeP/vLacd7FDd5ht2rlv8q9P/mgpMUsbtvoYq2r/3qysJgrxgYPmO1le6YCws0FRFno6eSeatZcXD7JpPlB7f52C4ImcIDIUXwKX1ZZ5VFTOVmHpF2MCbyLccEKYrobsIajE+pUJN71vLmh+fyKEcYWMGpVBHr/zbaa2SIHy8bSLnGP1rFvodY+65nemk6SBWb/eSMD6k9OgNI/u3lQb7/CGkBNkKwsD+4AYqZBKUqU= X-MS-TrafficTypeDiagnostic: VI1PR04MB4894: X-Microsoft-Exchange-Diagnostics: 1; VI1PR04MB4894; 20:la0dnS8pVUz4kcFQAjH4uDmrLPO8Fdik+ow5K3BPm05Ita+HQUOHzoSkx/uOyFhLjf7ElhSRjkUHJHsz+KucoYqvHQKqtx+4u7pSE/YDDYs+fkSHC9vC0YULfF3skurlpSvq6O04SymoXITYag5Z0C8+lc6uiORtrXInAxxxuZ91On5f8+hm/BPHDkCQ1lmQAabRojna8MQactgrVt4AzotDtQtAvCD47O7JiLKDrzSRRg5yy9PT6gmrxq0nyrsX+Nv9hyQfmeel9PTpmyMklyGO/yHiKhRNaAufazBQc2y1mVMl5a7rLc7AcJWRq4wpW7f8YX08jT4rDWeFl5dX0EmnrVg/g2Rlkb0NVSEAe+U+q4hN7ord0gW2d1Q01qwN3kfCh9FjMQoJA5aT5ShEJbNJdOIhczOB8jQ5dZYUEfCk6hwu3BPAaLN+E58/+p+z4k96KWT5KH3iIfrNSOenl3HBoZr6lW6Ijwu7oykcEkkuFXUraNV4ImpVeDjjRz0d; 4:V1cuHC1m5UA+JO3dkOwgeVI0z1LzBQ3Dnn9CW+CGJFlCXaG5Yae5WAHWktkCYjTBzkmf34qqUMZQrvtoiiEUJx9cJS05AgHrUhIolFBLIaDNquxQ2EkOfgZaJAiHzG9n/J8B/Se5G601x5LvcUqDXAhu4zTNran/s5RIVixoGIysNqTx1ThLBfqxfcwaMTtKE1IQtmNqKWI+6MR+5JiFSZMi2DdBwCUpMT9WaAPRSorUH+0o/qjmJngcjqHg3Utx6saDQRL5iI4OPZn/UlKm33efvEnYXyTHkwTRRE0/hXP7W6UOz6IAZa9iujsrKkPpLpuTfkOZFCDsGhhseZXS8UJp0r132XNwFeEcXY2vqTc= X-Microsoft-Antispam-PRVS: X-Exchange-Antispam-Report-Test: UriScan:(192374486261705)(17755550239193); X-MS-Exchange-SenderADCheck: 1 X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(10201501046)(3231355)(944501410)(52105095)(3002001)(93006095)(93001095)(6055026)(149066)(150027)(6041310)(20161123560045)(20161123558120)(20161123562045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123564045)(201708071742011)(7699051); SRVR:VI1PR04MB4894; BCL:0; PCL:0; RULEID:; SRVR:VI1PR04MB4894; X-Forefront-PRVS: 08062C429B X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10009020)(6049001)(136003)(376002)(396003)(346002)(366004)(39860400002)(43544003)(52314003)(57704003)(199004)(189003)(6666003)(5009440100003)(65826007)(52116002)(65806001)(65956001)(305945005)(3260700006)(53936002)(25786009)(6486002)(93886005)(5024004)(50466002)(44832011)(31696002)(2906002)(11346002)(486006)(47776003)(446003)(53546011)(229853002)(86362001)(66066001)(2616005)(6246003)(956004)(7736002)(31686004)(81166006)(8676002)(106356001)(16526019)(105586002)(77096007)(14444005)(54906003)(386003)(97736004)(67846002)(64126003)(3846002)(6116002)(2870700001)(16576012)(5660300001)(81156014)(4326008)(58126008)(110136005)(23676004)(8936002)(26005)(476003)(76176011)(478600001)(2486003)(68736007)(36756003)(52146003)(316002)(110426005); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR04MB4894; H:[10.232.134.144]; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1; Received-SPF: None (protection.outlook.com: nxp.com does not designate permitted sender hosts) X-Microsoft-Exchange-Diagnostics: =?utf-8?B?MTtWSTFQUjA0TUI0ODk0OzIzOktaTmZsVDgxeHltWmhsTlNKY1BQTy83QlZG?= =?utf-8?B?UXA5UUZnRDZQZS9Rc2Z5TlZVcmVvYnJvNmJSTld5b0RPOVRycVllTVJiWE15?= =?utf-8?B?NWRhSTNqZ2hQdnphOXhHRy91T1hVNlVlRlBXU3VqTjNsc21nR0FBVk5jNGhU?= =?utf-8?B?Q1NqZzdHZnBpa3NEdFh0Z3lMSlI5cjFXMGF2QUVJUUpjTld0QjNYTkFaY3pn?= =?utf-8?B?RWlGUWtIM0dTZ1B5MUllc1IvYjV4UysvaVE3enRpS3pmTGRHYitGcEJ3VTJn?= =?utf-8?B?bnQ0d0xYZlBQQW9DQ2tkaUxHVktRMjdKTDFGQkx4WHg2OFV5VElwV1ZBaXl4?= =?utf-8?B?M0dWZTY2NmxjbFhVcEN2cTVndTM2bm04akM2R1B5aVdPTnF3WE1Pd1J0SUVV?= =?utf-8?B?bHR3MnpvNmRaMGJ6S1l6VStPUVd5Zjc1YXdnb0l0ZXlyRDd5a0pITkpMcFpY?= =?utf-8?B?RmNqOEQ3QXl4SmdMQlZMdFA1WXlUQ1hCcTNUTmoxVEhxMzlsajV6TUJUTytQ?= =?utf-8?B?YjVkU3JmWVkzSmZvT1BBRnh5bnhpQkgvK2dJWUFLbW5CcXpCUWtyTWl0dU5D?= =?utf-8?B?MmxsQUxxWGY3Z3ZZNWhJOEdERWYzNWhaSGtkWWpZRVdYT0VUMEZJUm56N2Vo?= =?utf-8?B?MEJEeTVNdGxkTmE0dW5RcUFzTmFKQmQ3THgzOWMya3c2WmtYeW00encxRnk1?= =?utf-8?B?bDVjYWZNVUFCZGIvU2w3UytZQm5yeVJ2Y01jU0RLUVp2YkU1YWRBRDVpRE9w?= =?utf-8?B?UTVYS0p3OUJBdHVyMGZYYnlhQzM4VzJUZ3RYNUZSc2t6Z28wNTJELzE1aW44?= =?utf-8?B?a2NWYW4wVDJrSXdIZ3k4WVp5UXlyUnZMdTk0NjJwZFlFTmI3NkpRYlNITC8y?= =?utf-8?B?ZVlpNW85RmFKSHRhOGRqUC81TnFhV2h4bWxwNDRwdnpLV0VZMUZHOFNhaFFP?= =?utf-8?B?TXpXL0NyV3dDR1JxUHNwQmRRamJIZVdtdFVoWXc0bmFWT1hMdGdoSVdoU29L?= =?utf-8?B?MHlCNldkOGlqU3RrNkd0dmZTbE5XeHdMa0JtNFRZSldnejF2NTd4SmdpeTBL?= =?utf-8?B?UEdLZmFFNkd6ejF2UGFFSi9GcHZ5WlRjWkljTGlKWk45cVhYbmp0ZnBlQ2NT?= =?utf-8?B?c3h3QmtrYUxpTVZzOUplc3kwaWhUbi93b29LVThWUCs0SzBiekljcWpMZ0VM?= =?utf-8?B?VjNGTS8zSEtPV1RaQm1Cd0ZVU3pnTnZmODZKSTdUYWVKOUJ0M1UrOGVVSnR2?= =?utf-8?B?TWdnbmJOUlpRbVlhdzkyTitkVXpyd1hJODV3bFQ1cjNIekU5Y1kwNEF4VGl4?= =?utf-8?B?ZjRLY0tRMDNxNXR0YnJpOStjbmlVQVU0Skx5QVNBLzFucjNmVVRSajhzMllP?= =?utf-8?B?bjRrR3NIcVRSRnlSZFRNOVNkRVpwOXVOQkZxTXlUOUl1UUFUM2Uya0UrbWpj?= =?utf-8?B?dldhWERDOUtJVndQQXZqVUVoK280K3J4ZXJrdS81cWdKblo1alE4Yk5uRDg5?= =?utf-8?B?VWROWkc1MkttRXNBSi9aTGNDd0VDWXZrZDZSaVpEZUhlTDJKZEgrYm1mK0d2?= =?utf-8?B?TUowS05UYTBtU2tHSDg1UUZHMlg0bnFzNk9MLzRHbjVSMThybFlwcGUrNkpX?= =?utf-8?B?azFXTWpjZDN3SE9hSTU5d0MzRFhRQW1LbW5jbG5qdkcyWlc2MFJvKzZUQTB1?= =?utf-8?B?bVdFYW93NEtEdFl4bTFpamROeHhDbSswUUZSMW5YWFIzRnFUVjdaMk9WT3FL?= =?utf-8?B?dmZJYzVMUERicklKekg2V3FSK25Ob2g0RUdPVFg4TnFUWUJWUkcvbDZLS09T?= =?utf-8?B?VXBxMFU0c05mTndoYjA4SXAwUjQ3VjVhWU1xaXAxenNsenZ4WWpaYThVV1JI?= =?utf-8?B?THBNcHJnVThRNThSUlJtS2JDQmdSZG9iNFc1MjllZTVDeE9sQ2p4V2F6T1pi?= =?utf-8?B?UFJ5aWtZT2h5MVVRZit0b3UrMklDRi9SYituWHg0UmhvUjNEeE5NWHdKVWFX?= =?utf-8?B?OTM1NXU1RmJyMEF3M20xTC92dlN2U3FHcVdleTh6ZExoQ1dBWFZsUXBtVlRS?= =?utf-8?B?bGhTNGZpdXUxZmpQZlpJb2VSSzF1YnJUL05DT0RDMk1DWm9wZ2FQUnVMam5l?= =?utf-8?B?V3ZRNFZaKzdSaHJhUWphbUFhNmIvN3VRVjQvSmRiRlVQaTVZVWZHNExzK3RV?= =?utf-8?B?UUhVV2pmNEVwWnkvdWxsL1Z5SjllWDdmL0M1YTdsMzBiNGFhSWVZK2dPSXRn?= =?utf-8?Q?OYI8M/srKLEZVnFrBV?= X-Microsoft-Antispam-Message-Info: pbZjoC3ZwHr8oGhlTUboi5Fpj8m1AxU90jJKNl68DdZDNLikr/2Qi0krOP9g9/R/5xhG5BBB1ZoYUEYteeb0XUVKTJqGGQpmciWbiT6wot2ZOiW2HQPDjYeHwXr29GG3z4BEaWDHIWD84xOOd71/5+LgoKHYLhOcvKjHvqMpcbMGs1uFKl3vzFPpM6L/pqqWO7EBteMwsHO4axjJP8F5IZKLkDnlVXAmuHutQ6/jZ8CXi4weWGIGm2owGWU+/t+fTZR9fHjpFUQcVvCqK4fFbTCqczReQRFtf7THf24r+JMWLJqLYjyok1qXLsewwlCB4wO3o2/78v3gOvg04AwCq1Wumtk+YjGSVAODcy5v+Bw= X-Microsoft-Exchange-Diagnostics: 1; VI1PR04MB4894; 6:QqVzRMOP4Od1vOehX25L+4edBD9zZ2EllRR4IUT2wE+mn3GOPUUOyB+/o61XXsvWvdRdYuunipmlJSaC4HyVUHnmFMbYDp8O0MKQKfTeuHS2UXmIuXA/+vCiRt+zQiVWm2W6wOhmAsWgAUk/Rd+p2QBku9srIi1W8l2G4lFI5PG9zxiTEiVFlJQGsuFLAVhQT/ls+e9QVi5B5WX45e5Z4+3nYNJSd3GmbJ1ZWy/IOmZ2hrMqt/2XZRzB9GMMeDIIzN0+Bh1vM6ejpouBZEkuGingssWg/CQdoxMfeD3ozpU75t3Vj4r7akiLD3fgTgy7h2PIzexu2Ksq8m+0SrQSG/Qc/SPYY+dhiKuCwJSfwuXMMImQJ1l3DX4NSq6wsdyenzZiysLrfCqywe9jazsj/xNIXjIJHYOF4JaMMi5Nje192OiWDbhslFaYUQkpcwBIjKBKS1Q+iZ3ONdzvd4y7ww==; 5:qE5wQH/EtLpzVzq2uJtXa8NTFjeeZx9XgjzfhEmcw/6Sq10eeMyP57ucW2QlkhA611sxPuuhAfbv06MpxeTCpvKQleQla56PMuI7i6XIPY3RpZtObZcXqcqy+mSb+GATe3TStg5cEiU+NuV//yYfR25gu4WDTa7dvZIDFdJ5/oU=; 7:kkzoeU9nILg8K5HSl20WsTdn8obbTaRAC+BMnM1LVjuKvoPz9Z5mrzqSQGFTQptY+RtyEBZNFBh49LAzaBq5veeGgxe+i6ycruWQfxjAO1JNn0KHAjhfSwJFvR5jcbFsdos2Qg58RutRAN8m1XzhfV4hROh7Ud4BD/lYYK2RU4vOTOUxOS5ngATOgkJQgVfu4vLUme+u20W3HjkVo9fCRspybQD2rDvXqn1l1Hn2jsyLNXPUZngUbS9GJjVCRXf2 SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-OriginatorOrg: nxp.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 25 Sep 2018 07:48:33.2055 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 099f2a87-9e5f-4e30-b7fc-08d622bb4d9f X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 686ea1d3-bc2b-4c6f-a92c-d99c5c301635 X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR04MB4894 Subject: Re: [dpdk-dev] [RFC] ipsec: new library for IPsec data-path processing X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 25 Sep 2018 07:48:40 -0000 Hi Konstantin, On 9/24/2018 4:21 PM, Ananyev, Konstantin wrote: > Hi Akhil, > >> Hi Konstantin, >> >> On 9/18/2018 6:12 PM, Ananyev, Konstantin wrote: >>>>> I am not saying this should be the ONLY way to do as it does not work >>>>> very well with non NPU/FPGA class of SoC. >>>>> >>>>> So how about making the proposed IPSec library as plugin/driver to >>>>> rte_security. >>>> As I mentioned above, I don't think that pushing whole IPSec data-path into rte_security >>>> is the best possible approach. >>>> Though I probably understand your concern: >>>> In RFC code we always do whole prepare/process in SW (attach/remove ESP headers/trailers, so paddings etc.), >>>> i.e. right now only device types: RTE_SECURITY_ACTION_TYPE_NONE and RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO are covered. >>>> Though there are devices where most of prepare/process can be done in HW >>>> (RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL/RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL), >>>> plus in future could be devices where prepare/process would be split between HW/SW in a custom way. >>>> Is that so? >>>> To address that issue I suppose we can do: >>>> 1. Add support for RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL and RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL >>>> security devices into ipsec. >>>> We planned to do it anyway, just don't have it done yet. >>>> 2. For custom case - introduce RTE_SECURITY_ACTION_TYPE_INLINE_CUSTOM and >> RTE_SECURITY_ACTION_TYPE_LOOKASIDE_CUSTOM >>>> and add into rte_security_ops new functions: >>>> uint16_t lookaside_prepare(struct rte_security_session *sess, struct rte_mbuf *mb[], struct struct rte_crypto_op *cop[], uint16_t >> num); >>>> uint16_t lookaside_process(struct rte_security_session *sess, struct rte_mbuf *mb[], struct struct rte_crypto_op *cop[], uint16_t >> num); >>>> uint16_t inline_process(struct rte_security_session *sess, struct rte_mbuf *mb[], struct struct rte_crypto_op *cop[], uint16_t num); >>>> So for custom HW, PMD can overwrite normal prepare/process behavior. >>>> >>> Actually after another thought: >>> My previous assumption (probably wrong one) was that for both >>> RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL and RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL >>> devices can do whole data-path ipsec processing totally in HW - no need for any SW support (except init/config). >>> Now looking at dpaa and dpaa2 devices (the only ones that supports RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL right now) >>> I am not so sure about that - looks like some SW help might be needed for replay window updates, etc. >>> Hemant, Shreyansh - can you guys confirm what is expected from RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL devices >>> (HW/SW roses/responsibilities)? >>> About RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL - I didn't find any driver inside DPDK source tree that does support that >> capability. >>> So my question is there any devices/drivers that do support it? >>> If so, where could source code could be found, and what are HW/SW roles/responsibilities for that type of devices? >>> Konstantin >>> >>> >> In case of LOOKASIDE, the protocol errors like antireplay and sequence >> number overflow shall be the responsibility of either PMD or the HW. >> It should notify the application that the error has occurred and >> application need to decide what it needs to decide next. > Ok, thanks for clarification. > Just to confirm - do we have a defined way for it right now in rte_security? As of now, there are no macros defined for antireplay/seq. no. overflow errors in crypto errors(rte_crypto_op_status), but it will be added soon. For inline cases, ipsec-secgw application gets error notification via rte_eth_event. > >> As Jerin said in other email, the roles/responsibility of the PMD in >> case of inline proto and lookaside case, nothing much is required from >> the application to do any processing for ipsec. >> >> As per my understanding, the proposed RFC is to make the application >> code cleaner for  the protocol processing. > Yes, unified data-path API is definitely one of the main goals. > >> 1. For inline proto and lookaside there won't be any change in the data >> path. The main changes would be in the control path. > Yes, from your and Jerin description data-path processing looks > really lightweight for these cases. > For control path - there is no much change, user would have to call > rte_ipsec_sa_init() to start using given SA. > >> 2. But in case of inline crypto and RTE_SECURITY_ACTION_TYPE_NONE, the >> protocol processing will be done in the library and there would be >> changes in both control and data path. > Yes. > >> As the rte_security currently provide generic APIs for control path only >> and we may have it expanded for protocol specific datapath processing. >> So for the application, working with inline crypto/ inline proto would >> be quite similar and it won't need to do some extra processing for >> inline crypto. >> Same will be the case for RTE_SECURITY_ACTION_TYPE_NONE and lookaside. >> >> We may have the protocol specific APIs reside inside the rte_security >> and we can use either the crypto/net PMD underneath it. > As I understand, you suggest instead of introducing new library, > introduce similar data-path functions inside rte_security. > Probably something like: > > uint16_t rte_security_process(struct rte_security_session *s, struct rte_mbuf *mb[], uint16_t num); > uint16_t rte_security_crypto_prepare(struct rte_ipsec_sa *sa, struct rte_mbuf *mb[], > struct rte_crypto_op *cop[], uint16_t num); > ... > Is that correct? "rte_security_process_ipsec" and "rte_security_crypto_prepare_ipsec" will be better. We can have such APIs for other protocols as well. Also, we should leave the existing functionality as is and we should let the user decide whether it needs to manage the ipsec on it's own or with the new APIs. > > I thought about that approach too, and indeed from one side it looks cleaner and easier > to customize - each of these functions would just call related function inside rte_security_ops. > The problem with that approach - it would mean that each SA would be able to work with one > device only. > So if someone needs an SA that could be processed by multiple cores and multiple crypto-devices > in parallel such approach wouldn’t fit. One SA should be processed by a single core or else we need to have an event based application which support ordered queues, because if we process packets of single SA on multiple cores, then packets will get re-ordered and we will get the anti-replay late errors on decap side. And if we have event based solution, then the scheduler will be able to handle the load balancing accordingly. > That was the main reason to keep rte_security as it is right now and go ahead with new library. > One thing that worries me - do we need a way to share SQN and replay window information > between rte_security and upper layer (rte_ipsec)? > If 'no', then ok, if 'yes' then probably we need to discuss how to do it now? anti-replay window size shall be a parameter in ipsec_xform, which shall be added. And the error notification  - in case of using crypto, then use rte_crypto_op_status - in case of inline cases, then use rte_eth_event callbacks. I don't see rte_ipsec needs to take care of that in your initial approach. However, if you plan to include session reset inside rte_ipsec, then you may need that inside the rte_ipsec. And yes that would be tricky. -Akhil