From: Akhil Goyal
To: Tejasree Kondoj, Radu Nicolau, Declan Doherty
CC: Tejasree Kondoj, Anoob Joseph, Ankur Dwivedi, Jerin Jacob Kollanukkaran, Konstantin Ananyev, Ciara Power, Hemant Agrawal, Gagandeep Singh, Fan Zhang, Archana Muniganti, "dev@dpdk.org"
Date: Wed, 8 Sep 2021 10:42:51 +0000
References: <20210908082111.27396-1-ktejasree@marvell.com> <20210908082111.27396-2-ktejasree@marvell.com>
In-Reply-To: <20210908082111.27396-2-ktejasree@marvell.com>
Subject: Re: [dpdk-dev] [PATCH 1/3] security: add option to configure tunnel header verification

> Add option to indicate whether outer header verification
> needs to be done as part of inbound IPsec processing.
>
> With inline IPsec processing, SA lookup would be happening
> in the Rx path of rte_ethdev. When rte_flow is configured to
> support more than one SA, SPI would be used to look up SA.
> In such cases, additional verification would be required to
> ensure duplicate SPIs are not getting processed in the inline path.
>
> For lookaside cases, the same option can be used by application
> to offload tunnel verification to the PMD.
>
> These verifications would help in averting possible DoS attacks.
>
> Signed-off-by: Tejasree Kondoj
> ---
>  doc/guides/rel_notes/release_21_11.rst |  5 +++++

Deprecation notice should also be removed for this feature addition/ABI breakage.

Other than that
Acked-by: Akhil Goyal

>  lib/security/rte_security.h            | 17 +++++++++++++++++
>  2 files changed, 22 insertions(+)
>
> diff --git a/doc/guides/rel_notes/release_21_11.rst > b/doc/guides/rel_notes/release_21_11.rst > index 0e3ed28378..b0606cb542 100644 > --- a/doc/guides/rel_notes/release_21_11.rst > +++ b/doc/guides/rel_notes/release_21_11.rst > @@ -136,6 +136,11 @@ ABI Changes > soft and hard SA expiry limits. Limits can be either in units of pac= kets or > bytes. >=20 > +* security: add IPsec SA option to configure tunnel header verification > + > + * Added SA option to indicate whether outer header verification need t= o > be > + done as part of inbound IPsec processing. > + >=20 > Known Issues > ------------ > diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h > index 95c169d6cf..2a61cad885 100644 > --- a/lib/security/rte_security.h > +++ b/lib/security/rte_security.h > @@ -55,6 +55,14 @@ enum rte_security_ipsec_tunnel_type { > /**< Outer header is IPv6 */ > }; >=20 > +/** > + * IPSEC tunnel header verification mode > + * > + * Controls how outer IP header is verified in inbound. > + */ > +#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR 0x1 > +#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2 > + > /** > * Security context for crypto/eth devices > * > @@ -195,6 +203,15 @@ struct rte_security_ipsec_sa_options { > * by the PMD. > */ > uint32_t iv_gen_disable : 1; > + > + /** Verify tunnel header in inbound > + * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR``: Verify > destination > + * IP address. > + * > + * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR``: Verify > both > + * source and destination IP addresses. > + */ > + uint32_t tunnel_hdr_verify : 2; > }; >=20 > /** IPSec security association direction */ > -- > 2.27.0
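
Review bot: In the release_21_11.rst hunk, the new "ABI Changes" entry does not name what changed. It should say that a 2-bit tunnel_hdr_verify field was added to struct rte_security_ipsec_sa_options, since that is what an application author scanning the ABI list needs in order to find the affected structure. The added sentence also reads "verification need to be done"; "needs" is wanted.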
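
Review bot: In the rte_security.h hunk at @@ -55,6 +55,14, the two defines cover only two of the four values a 2-bit field can hold: 0 has no name or documented meaning, and 0x3 is left undefined. Suggest adding a named zero value for "no verification" and stating that any other value is reserved, so that a PMD has a documented basis for rejecting it when the session is created. The comment "Controls how outer IP header is verified in inbound" also does not say what the header is verified against; naming the SA's configured tunnel addresses would close that gap. Since the values are mutually exclusive modes rather than flags, an enum in the style of rte_security_ipsec_tunnel_type just above would read more naturally than 0x1/0x2 defines.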
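
Review bot: In the struct rte_security_ipsec_sa_options hunk at @@ -195,6 +203,15, the comment on tunnel_hdr_verify lists the two non-zero modes but not what 0 means, so the default behaviour of a zero-initialised options struct is undocumented. As the commit message presents this field as protection against duplicate SPIs and DoS, the comment should state explicitly that 0 leaves the outer header unchecked (if that is the intent), that the field applies to inbound tunnel-mode SAs, and what the PMD does with a packet that fails the check. The visible lines also do not say how an application learns whether a given PMD honours the field; a pointer to the relevant capability would help.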
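
The check the commit message describes, as an added example (not code from the patch or from DPDK): after an SPI-only SA lookup, the outer addresses are compared with the SA's tunnel endpoints according to tunnel_hdr_verify. struct demo_sa, demo_sas and the demo_* functions are hypothetical and IPv4 only; treating 0 as "no check" and 0x3 as invalid are assumptions the patch does not state.

```c
#include <stddef.h>
#include <stdint.h>

/* Mode values copied from the patch above. */
#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR     0x1
#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2

/* Hypothetical, simplified SA record for this example (not a DPDK type). */
struct demo_sa {
    uint32_t spi;
    uint32_t tun_src, tun_dst;  /* expected outer IPv4 addresses */
    unsigned tunnel_hdr_verify; /* assumed: 0 = no check, else a mode above */
};

/* Constructed sample table: documentation addresses, host byte order. */
static const struct demo_sa demo_sas[] = {
    { 0x100, 0xC0000201u, 0xC6336402u, RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR },
    { 0x200, 0xC000020Au, 0xC6336402u, RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR },
};

/* SPI-only lookup, standing in for one flow rule that covers several SAs. */
static const struct demo_sa *demo_sa_lookup(uint32_t spi)
{
    for (size_t i = 0; i < sizeof(demo_sas) / sizeof(demo_sas[0]); i++)
        if (demo_sas[i].spi == spi)
            return &demo_sas[i];
    return NULL;
}

/* Returns 0 to accept the packet for this SA, -1 to drop it. */
int demo_inbound_check(uint32_t outer_src, uint32_t outer_dst, uint32_t spi)
{
    const struct demo_sa *sa = demo_sa_lookup(spi);
    if (sa == NULL)
        return -1;
    switch (sa->tunnel_hdr_verify) {
    case 0: return 0;
    case RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR:
        return outer_dst == sa->tun_dst ? 0 : -1;
    case RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR:
        return (outer_src == sa->tun_src && outer_dst == sa->tun_dst) ? 0 : -1;
    default:
        return -1; /* 0x3 is not defined by the patch: fail closed */
    }
}

int main(void)
{
    return demo_inbound_check(0xCB007109u, 0xC6336402u, 0x100) == -1 ? 0 : 1;
}
```

With SPI 0x200 the same unexpected source address is accepted, because that SA verifies the destination only.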