DPDK patches and discussions
 help / color / mirror / Atom feed
From: "Ananyev, Konstantin" <konstantin.ananyev@intel.com>
To: Akhil Goyal <gakhil@marvell.com>,
	Tejasree Kondoj <ktejasree@marvell.com>,
	 "Nicolau, Radu" <radu.nicolau@intel.com>
Cc: Anoob Joseph <anoobj@marvell.com>,
	Ankur Dwivedi <adwivedi@marvell.com>,
	Jerin Jacob Kollanukkaran <jerinj@marvell.com>,
	"dev@dpdk.org" <dev@dpdk.org>
Subject: Re: [dpdk-dev] [PATCH 2/3] examples/ipsec-secgw: add UDP encapsulation support
Date: Tue, 23 Mar 2021 15:46:47 +0000
Message-ID: <DM6PR11MB449175E140653D203308AB969A649@DM6PR11MB4491.namprd11.prod.outlook.com> (raw)
In-Reply-To: <MW2PR18MB2284B928B1C13010A5012539D8649@MW2PR18MB2284.namprd18.prod.outlook.com>


> Hi Konstantin,
> >
> > Hi Akhil,
> > > > > Adding lookaside IPsec UDP encapsulation support
> > > > > for NAT traversal.
> > > > > Added --udp-encap option for application to specify
> > > > > if UDP encapsulation need to be enabled.
> > > > > Example secgw command with UDP encapsultation enabled:
> > > > > <secgw> -c 0x1 -- -P -p 0x1 --config "(0,0,0)" -f ep0.cfg --udp-encap
> > > >
> > > > Can we have it not as global, but a per SA option?
> > > > Add new keyword for SA/SP into ipsec-secgw config file, etc.
> > > > Konstantin
> > > >
> > >
> > > Any specific reason to make udp_encap as per SA?
> > > UDP encapsulation is a feature which I believe should be application vide.
> > > If it supports the feature it should be enabled for all SAs when the UDP port
> > > is 4500 which is reserved for it.
> >
> > Not sure why it has to be application wide?
> > Why it is not possible have let say SA1 in ipv4/ipv6 tunnel mode over port 0,
> > and SA2 with udp encap over port 1?
> > Note that in DPDK librte_security it is per SA option.
> 
> UDP encapsulation can be done only if the UDP port is 4500 as per the specification.
> Please correct me if I am wrong. So if UDP port is NOT 4500 and udp-encap is enabled in the
> Command line, UDP encapsulation will not work.

I am not asking you so support multiple UDP ports for IPsec encapsulation.
What I am saying: it should be possible to use SAs with UDP encapsulation
along with SAs without (plain tunnel/transport mode).
As I understand with your patch it is not possible: if user specified --udp-encap
all SAs (on all crypto-devs) will be treated as UDP encapsulated. 

> 
> Hence it does make sense to make it application vide. It will be tedious for the user to
> Add this in every SA.
> 
> Regards,
> Akhil
> 


  reply	other threads:[~2021-03-23 15:46 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-03-15 10:36 [dpdk-dev] [PATCH 0/3] add lookaside IPsec UDP encapsulation and transport mode Tejasree Kondoj
2021-03-15 10:36 ` [dpdk-dev] [PATCH 1/3] crypto/octeontx2: add UDP encapsulation support Tejasree Kondoj
2021-03-15 10:36 ` [dpdk-dev] [PATCH 2/3] examples/ipsec-secgw: " Tejasree Kondoj
2021-03-19 16:46   ` Ananyev, Konstantin
2021-03-23  8:02     ` Akhil Goyal
2021-03-23 14:29       ` Ananyev, Konstantin
2021-03-23 15:06         ` Akhil Goyal
2021-03-23 15:46           ` Ananyev, Konstantin [this message]
2021-03-23 17:54             ` Akhil Goyal
2021-03-24  9:45               ` Tejasree Kondoj
2021-03-24 10:39                 ` Ananyev, Konstantin
2021-03-25  8:38                   ` Tejasree Kondoj
2021-03-15 10:36 ` [dpdk-dev] [PATCH 3/3] crypto/octeontx2: support lookaside IPv4 transport mode Tejasree Kondoj

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DM6PR11MB449175E140653D203308AB969A649@DM6PR11MB4491.namprd11.prod.outlook.com \
    --to=konstantin.ananyev@intel.com \
    --cc=adwivedi@marvell.com \
    --cc=anoobj@marvell.com \
    --cc=dev@dpdk.org \
    --cc=gakhil@marvell.com \
    --cc=jerinj@marvell.com \
    --cc=ktejasree@marvell.com \
    --cc=radu.nicolau@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

DPDK patches and discussions

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://inbox.dpdk.org/dev/0 dev/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 dev dev/ https://inbox.dpdk.org/dev \
		dev@dpdk.org
	public-inbox-index dev

Example config snippet for mirrors.
Newsgroup available over NNTP:
	nntp://inbox.dpdk.org/inbox.dpdk.dev


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git