From: Ori Kam <orika@nvidia.com>
To: Tejasree Kondoj <ktejasree@marvell.com>,
Asaf Penso <asafp@nvidia.com>,
Stephen Hemminger <stephen@networkplumber.org>
Cc: Akhil Goyal <akhil.goyal@nxp.com>,
Radu Nicolau <radu.nicolau@intel.com>,
Declan Doherty <declan.doherty@intel.com>,
NBU-Contact-Thomas Monjalon <thomas@monjalon.net>,
Ferruh Yigit <ferruh.yigit@intel.com>,
"Andrew Rybchenko" <arybchenko@solarflare.com>,
Jerin Jacob Kollanukkaran <jerinj@marvell.com>,
Narayana Prasad Raju Athreya <pathreya@marvell.com>,
Anoob Joseph <anoobj@marvell.com>, "dev@dpdk.org" <dev@dpdk.org>
Subject: Re: [dpdk-dev] [PATCH] ethdev: add security flow item
Date: Tue, 22 Sep 2020 13:28:25 +0000 [thread overview]
Message-ID: <MN2PR12MB4286044218709F88BE41C146D63B0@MN2PR12MB4286.namprd12.prod.outlook.com> (raw)
In-Reply-To: <MWHPR18MB1104EB908FF05B7FF8391D36A83B0@MWHPR18MB1104.namprd18.prod.outlook.com>
Hi Tejasree,
PSB
> -----Original Message-----
> From: Tejasree Kondoj <ktejasree@marvell.com>
> Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
>
> Please see inline.
>
> Thanks
> Tejasree
>
> > -----Original Message-----
> > From: Ori Kam <orika@nvidia.com>
> > Sent: Tuesday, September 22, 2020 1:22 PM
> > To: Asaf Penso <asafp@nvidia.com>; Tejasree Kondoj
> > <ktejasree@marvell.com>; Stephen Hemminger
> > <stephen@networkplumber.org>
> > Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > <radu.nicolau@intel.com>; Declan Doherty <declan.doherty@intel.com>;
> > NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh Yigit
> > <ferruh.yigit@intel.com>; Andrew Rybchenko
> > <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> > <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > <pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> > dev@dpdk.org
> > Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> >
> > External Email
> >
> > ----------------------------------------------------------------------
> > Hi
> > > -----Original Message-----
> > > From: Asaf Penso <asafp@nvidia.com>
> > > Sent: Monday, September 21, 2020 7:09 PM
> > > Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > >
> > >
> > >
> > > Regards,
> > > Asaf Penso
> > >
> > > >-----Original Message-----
> > > >From: Tejasree Kondoj <ktejasree@marvell.com>
> > > >Sent: Monday, September 21, 2020 11:59 AM
> > > >To: Asaf Penso <asafp@nvidia.com>; Stephen Hemminger
> > > ><stephen@networkplumber.org>
> > > >Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > > ><radu.nicolau@intel.com>; Declan Doherty <declan.doherty@intel.com>;
> > > >Ori Kam <orika@nvidia.com>; NBU-Contact-Thomas Monjalon
> > > ><thomas@monjalon.net>; Ferruh Yigit <ferruh.yigit@intel.com>; Andrew
> > > >Rybchenko <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> > > ><jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > > ><pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> > > >dev@dpdk.org
> > > >Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > > >
> > > >Please see inline.
> > > >
> > > >Thanks
> > > >Tejasree
> > > >
> > > >> -----Original Message-----
> > > >> From: Asaf Penso <asafp@nvidia.com>
> > > >> Sent: Thursday, September 17, 2020 3:09 PM
> > > >> To: Stephen Hemminger <stephen@networkplumber.org>; Tejasree
> > > >Kondoj
> > > >> <ktejasree@marvell.com>
> > > >> Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > > >> <radu.nicolau@intel.com>; Declan Doherty
> > > >> <declan.doherty@intel.com>; Ori Kam <orika@nvidia.com>;
> > > >> NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh Yigit
> > > >> <ferruh.yigit@intel.com>; Andrew Rybchenko
> > > >> <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> > > >> <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > > >> <pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> > > >> dev@dpdk.org
> > > >> Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow
> > > >> item
> > > >>
> > > >> External Email
> > > >>
> > > >> -------------------------------------------------------------------
> > > >> ---
> > > >> >-----Original Message-----
> > > >> >From: dev <dev-bounces@dpdk.org> On Behalf Of Stephen
> > Hemminger
> > > >> >Sent: Thursday, September 10, 2020 7:46 PM
> > > >> >To: Tejasree Kondoj <ktejasree@marvell.com>
> > > >> >Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > > >> ><radu.nicolau@intel.com>; Declan Doherty
> > > >> ><declan.doherty@intel.com>; Ori Kam <orika@mellanox.com>;
> > > >> >NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh Yigit
> > > >> ><ferruh.yigit@intel.com>; Andrew Rybchenko
> > > >> ><arybchenko@solarflare.com>; Jerin Jacob <jerinj@marvell.com>;
> > > >> >Narayana Prasad <pathreya@marvell.com>; Anoob Joseph
> > > >> ><anoobj@marvell.com>; dev@dpdk.org
> > > >> >Subject: Re: [dpdk-dev] [PATCH] ethdev: add security flow item
> > > >> >
> > > >> >On Thu, 10 Sep 2020 22:14:41 +0530 Tejasree Kondoj
> > > >> ><ktejasree@marvell.com> wrote:
> > > >> >
> > > >> >> Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to
> > > >> distinguish
> > > >> >> plain packets from IPsec decrypted plain packets.
> > > >> >>
> > > >> >> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> > > >> >
> > > >> >Please provide an implementation, API's without any driver support
> > > >> >should not be accepted.
> > > >> >
> > > >> >Also, we need a test for this.
> > > >
> > > >[Tejasree] We would like to defer the patch and add implementation,
> > > >test case in next cycle.
> > > >
> > > >>
> > > >> +1
> > > >> Also, I think the word SECURITY is too high-level, and if
> > > >> specifically you mention here an item for IPSec, perhaps you can
> > consider renaming.
> > > >
> > > >[Tejasree] This item matches security processed packets and not
> > > >specific to IPsec.
> > > >Will change commit description as follows:
> > > >" Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to match
> > > >packets that were security processed. For example, in case of inline
> > > >IPsec, it can be used to distinguish plain packets from IPsec decrypted
> > plain packets"
> > > >Would that be fine?
> > >
> > > It would be more clear, yes, thank you, but in this case I suggest to
> > > have a field in the spec that you can match on it.
> > > For example, is it viable to know if the packet was processed by IPSec
> > > and not AES? Maybe you want to have 2 flow with this new item, but
> > > still differentiate between the types.
> >
> > Why not use mark/tag/meta to set this value?
> > The application will insert a flow that sends to security and mark the flow
> > with some ID then the application can check this ID.
>
> [Tejasree] SECURITY itself wouldn't make distinction on protocol.
> It would be combined with MARK_ID to know if the packet
> was processed by IPsec and not AES.
>
> MARK_ID alone couldn't be used as we wouldn't know if it is
> plain packet or security processed plain packet.
>
> Rules would be as follows:
> Rule #1
> [ETH] [IP] [ESP] [SPI] → [SECURITY] [MARK_ID] [END]
> Rule #2
> [SECURITY] [MARK_ID] [ETH] [IP] → [QUEUE] [END]
>
I don't understand why in rule #1 you can't have the mark value
to also mark the security.
From your patch I understand that security is just one bit
This means that you can say if MSB bit in mark is set then it comes from
security.
Ori,
> >
> > Best,
> > Ori
next prev parent reply other threads:[~2020-09-22 13:28 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-10 16:44 Tejasree Kondoj
2020-09-10 16:45 ` Stephen Hemminger
2020-09-17 9:38 ` Asaf Penso
2020-09-21 8:58 ` Tejasree Kondoj
2020-09-21 16:09 ` Asaf Penso
2020-09-22 7:51 ` Ori Kam
2020-09-22 9:07 ` Tejasree Kondoj
2020-09-22 13:28 ` Ori Kam [this message]
2020-09-22 14:18 ` Tejasree Kondoj
2020-09-23 14:30 ` Ori Kam
2020-09-24 5:30 ` Tejasree Kondoj
2020-09-24 9:51 ` Ori Kam
2020-09-24 10:07 ` Tejasree Kondoj
2021-02-17 17:36 ` Ferruh Yigit
2021-04-20 1:08 ` Ferruh Yigit
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=MN2PR12MB4286044218709F88BE41C146D63B0@MN2PR12MB4286.namprd12.prod.outlook.com \
--to=orika@nvidia.com \
--cc=akhil.goyal@nxp.com \
--cc=anoobj@marvell.com \
--cc=arybchenko@solarflare.com \
--cc=asafp@nvidia.com \
--cc=declan.doherty@intel.com \
--cc=dev@dpdk.org \
--cc=ferruh.yigit@intel.com \
--cc=jerinj@marvell.com \
--cc=ktejasree@marvell.com \
--cc=pathreya@marvell.com \
--cc=radu.nicolau@intel.com \
--cc=stephen@networkplumber.org \
--cc=thomas@monjalon.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).