From: Akhil Goyal
To: Thomas Monjalon
Date: Thu, 31 Aug 2017 15:07:01 +0530
Message-ID: <48311141-8bb2-d816-bac8-8a5bb3fd7dee@nxp.com>
Subject: Re: [dpdk-dev] [RFC PATCH 0/1] IPSec Inline and look aside crypto offload

Hi Thomas,

On 8/29/2017 8:19 PM, Thomas Monjalon wrote:
> Hi,
>
> I try to understand how things are connected,
> but too many things are not clear for someone not involved in security.
>
> 25/07/2017 13:21, Akhil Goyal:
>> struct rte_security_session *
>> rte_security_session_create(struct rte_mempool *mempool);
>
> What is the usage of this mempool?

This mempool is used to allocate memory for sessions. This API is similar to the rte_crypto_session_create API. The same session can be used by multiple devices (eth or crypto) and each device can store its own private data.

>
> [...]
>> These are very similar to what Declan proposed with a few additions.
>> This can be updated further for other security protocols like MACSec and DTLS
>
> You should avoid referencing another proposal without
> - link to the proposal
> - summary of the proposal

The link is not mentioned in the cover note but the patches are sent in reply to the same thread that I have mentioned. If we see the complete thread, then there should not be any gap.

>
> [...]
>> Now, after the application configures the session using above APIs, it needs to
>> attach the session with the crypto_op in case the session is configured for
>> crypto look aside protocol offload. For IPSec inline/ full protocol offload
>> using NIC, the mbuf ol_flags can be set as per the RFC suggested by Boris.
>
> Again a missing reference (link + summary).
>
> Even worse, the RFCv2 references this v1 without copying the explanations.
> It is too hard to track, or maybe it is cryptic on purpose ;)

Same comment, patches are sent within the same thread. Please let me know what is not clear with the thread. Also, I would take care about this comment, that I need to copy the content of previous versions, in my future patches.
As this was an RFC series of patches, the content may not be 100% stable, and things may get finalized during the course of development across Intel/NXP/Mellanox and maybe others.
As per my understanding all the information is there in the complete thread and nothing looks cryptic to me.

>
> [...]
>> Now the application(ipsec-secgw) have 4 paths to decide for the data path.
>> 1. Non-protocol offload (currently implemented)
>> 2. IPSec inline(only crypto operations using NIC)
>> 3. full protocol offload(crypto operations along with all the IPsec header
>>    and trailer processing using NIC)
>> 4. look aside protocol offload(single-pass encryption and authentication with
>>    additional levels of protocol processing offload using crypto device)
>
> I feel these 4 paths are the most important to discuss.
> Unfortunately they are not detailed enough.
> Please explain the purpose and implementation of each one.

Yes, these are 4 paths which can be used for IPSEC.
1. Non protocol offload (RTE_SECURITY_SESS_NONE) - the existing application works on this path, the crypto devices perform the crypto operations without protocol knowledge.
2. Ipsec inline (RTE_SECURITY_SESS_ETH_INLINE_CRYPTO) - This is when the crypto operations are performed by ethernet device instead of crypto device. This is also without protocol knowledge inside the ethernet device.
3. full protocol offload (RTE_SECURITY_SESS_ETH_PROTO_OFFLOAD) - This is same as 2 but with protocol support in the ethernet device.
4. look aside protocol offload (RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD) - This is same as 1 but with protocol support in crypto device.

The current application supports only the first path. The patchset introduces how the other paths can be configured in the application/library/driver.

>
>> The application can decide using the below action types
>> enum rte_security_session_action_type {
>>         RTE_SECURITY_SESS_ETH_INLINE_CRYPTO,
>>         /**< Crypto operations are performed by Network interface */
>
> In this mode, the ethdev port does the same thing as a crypto port?

Not exactly everything. In this mode, only cipher and auth operations are performed by the eth device. No intelligence about the protocol is done. This is similar to what the current implementation does with the crypto device (Non protocol offload).

>
>>         RTE_SECURITY_SESS_ETH_PROTO_OFFLOAD,
>>         /**< Crypto operations with protocol support are performed
>>          * by Network/ethernet device.
>>          */
>>         RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD,
>>         /**< Crypto operations with protocol support are performed
>>          * by Crypto device.
>>          */
>
> I guess the difference between ETH_PROTO_OFFLOAD and CRYPTO_PROTO_OFFLOAD
> is that we must re-inject packets from CRYPTO_PROTO_OFFLOAD to the NIC?

yes

>
>>         RTE_SECURITY_SESS_NONE
>>         /**< Non protocol offload. Application need to manage everything */
>> };
>
> What RTE_SECURITY_SESS_NONE does? It is said to be implemented above.

It is non protocol offload mentioned above.

>

Thanks for reviewing the patch set. Please let me know if you have any more queries.

Regards,
Akhil
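
The four paths discussed above differ on two axes: which device runs cipher/auth, and whether that device has protocol support. The following is an added example, not code from the RFC or from DPDK, that derives from the quoted enum what is left to the application on the outbound path; the enum app_step flags, struct sess_axes, classify() and outbound_steps() are hypothetical names chosen for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Action types exactly as quoted from the RFC in this thread. */
enum rte_security_session_action_type {
	RTE_SECURITY_SESS_ETH_INLINE_CRYPTO,
	RTE_SECURITY_SESS_ETH_PROTO_OFFLOAD,
	RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD,
	RTE_SECURITY_SESS_NONE
};
/* Hypothetical flags (not DPDK names): per-packet work left to the application. */
enum app_step {
	STEP_APP_IPSEC_PROTO      = 1 << 0, /* app builds IPsec header/trailer itself */
	STEP_MBUF_OL_FLAGS        = 1 << 1, /* mark the mbuf for processing in the NIC */
	STEP_CRYPTODEV_PASS       = 1 << 2, /* pass through crypto device, then to NIC */
	STEP_SESSION_ON_CRYPTO_OP = 1 << 3  /* attach security session to crypto_op */
};
/* The two axes the reply uses to tell the four paths apart. */
struct sess_axes {
	bool crypto_on_eth;   /* ethernet device, not crypto device, does cipher/auth */
	bool proto_in_device; /* the device has protocol (IPsec) support */
};

static struct sess_axes classify(enum rte_security_session_action_type t)
{
	struct sess_axes a = { false, false }; /* RTE_SECURITY_SESS_NONE */
	if (t == RTE_SECURITY_SESS_ETH_INLINE_CRYPTO ||
	    t == RTE_SECURITY_SESS_ETH_PROTO_OFFLOAD)
		a.crypto_on_eth = true;
	if (t == RTE_SECURITY_SESS_ETH_PROTO_OFFLOAD ||
	    t == RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD)
		a.proto_in_device = true;
	return a;
}

unsigned outbound_steps(enum rte_security_session_action_type t)
{
	struct sess_axes a = classify(t);
	unsigned steps = 0;
	if (!a.proto_in_device)
		steps |= STEP_APP_IPSEC_PROTO;      /* paths 1 and 2 */
	if (a.crypto_on_eth)
		steps |= STEP_MBUF_OL_FLAGS;        /* paths 2 and 3 */
	else
		steps |= STEP_CRYPTODEV_PASS;       /* paths 1 and 4 */
	if (!a.crypto_on_eth && a.proto_in_device)
		steps |= STEP_SESSION_ON_CRYPTO_OP; /* path 4 only */
	return steps;
}

int main(void)
{
	for (int t = 0; t <= RTE_SECURITY_SESS_NONE; t++)
		printf("action %d -> steps 0x%x\n", t,
		       outbound_steps((enum rte_security_session_action_type)t));
	return 0;
}
```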