DPDK patches and discussions
 help / color / mirror / Atom feed
From: Ori Kam <orika@nvidia.com>
To: Tejasree Kondoj <ktejasree@marvell.com>,
	Asaf Penso <asafp@nvidia.com>,
	Stephen Hemminger <stephen@networkplumber.org>
Cc: Akhil Goyal <akhil.goyal@nxp.com>,
	Radu Nicolau <radu.nicolau@intel.com>,
	 Declan Doherty <declan.doherty@intel.com>,
	NBU-Contact-Thomas Monjalon <thomas@monjalon.net>,
	Ferruh Yigit <ferruh.yigit@intel.com>,
	"Andrew Rybchenko" <arybchenko@solarflare.com>,
	Jerin Jacob Kollanukkaran <jerinj@marvell.com>,
	Narayana Prasad Raju Athreya <pathreya@marvell.com>,
	Anoob Joseph <anoobj@marvell.com>, "dev@dpdk.org" <dev@dpdk.org>
Subject: Re: [dpdk-dev] [PATCH] ethdev: add security flow item
Date: Tue, 22 Sep 2020 13:28:25 +0000	[thread overview]
Message-ID: <MN2PR12MB4286044218709F88BE41C146D63B0@MN2PR12MB4286.namprd12.prod.outlook.com> (raw)
In-Reply-To: <MWHPR18MB1104EB908FF05B7FF8391D36A83B0@MWHPR18MB1104.namprd18.prod.outlook.com>

Hi Tejasree,
PSB

> -----Original Message-----
> From: Tejasree Kondoj <ktejasree@marvell.com>
> Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> 
> Please see inline.
> 
> Thanks
> Tejasree
> 
> > -----Original Message-----
> > From: Ori Kam <orika@nvidia.com>
> > Sent: Tuesday, September 22, 2020 1:22 PM
> > To: Asaf Penso <asafp@nvidia.com>; Tejasree Kondoj
> > <ktejasree@marvell.com>; Stephen Hemminger
> > <stephen@networkplumber.org>
> > Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > <radu.nicolau@intel.com>; Declan Doherty <declan.doherty@intel.com>;
> > NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh Yigit
> > <ferruh.yigit@intel.com>; Andrew Rybchenko
> > <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> > <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > <pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> > dev@dpdk.org
> > Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> >
> > External Email
> >
> > ----------------------------------------------------------------------
> > Hi
> > > -----Original Message-----
> > > From: Asaf Penso <asafp@nvidia.com>
> > > Sent: Monday, September 21, 2020 7:09 PM
> > > Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > >
> > >
> > >
> > > Regards,
> > > Asaf Penso
> > >
> > > >-----Original Message-----
> > > >From: Tejasree Kondoj <ktejasree@marvell.com>
> > > >Sent: Monday, September 21, 2020 11:59 AM
> > > >To: Asaf Penso <asafp@nvidia.com>; Stephen Hemminger
> > > ><stephen@networkplumber.org>
> > > >Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > > ><radu.nicolau@intel.com>; Declan Doherty <declan.doherty@intel.com>;
> > > >Ori Kam <orika@nvidia.com>; NBU-Contact-Thomas Monjalon
> > > ><thomas@monjalon.net>; Ferruh Yigit <ferruh.yigit@intel.com>; Andrew
> > > >Rybchenko <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> > > ><jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > > ><pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> > > >dev@dpdk.org
> > > >Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > > >
> > > >Please see inline.
> > > >
> > > >Thanks
> > > >Tejasree
> > > >
> > > >> -----Original Message-----
> > > >> From: Asaf Penso <asafp@nvidia.com>
> > > >> Sent: Thursday, September 17, 2020 3:09 PM
> > > >> To: Stephen Hemminger <stephen@networkplumber.org>; Tejasree
> > > >Kondoj
> > > >> <ktejasree@marvell.com>
> > > >> Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > > >> <radu.nicolau@intel.com>; Declan Doherty
> > > >> <declan.doherty@intel.com>; Ori Kam <orika@nvidia.com>;
> > > >> NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh Yigit
> > > >> <ferruh.yigit@intel.com>; Andrew Rybchenko
> > > >> <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> > > >> <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > > >> <pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> > > >> dev@dpdk.org
> > > >> Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow
> > > >> item
> > > >>
> > > >> External Email
> > > >>
> > > >> -------------------------------------------------------------------
> > > >> ---
> > > >> >-----Original Message-----
> > > >> >From: dev <dev-bounces@dpdk.org> On Behalf Of Stephen
> > Hemminger
> > > >> >Sent: Thursday, September 10, 2020 7:46 PM
> > > >> >To: Tejasree Kondoj <ktejasree@marvell.com>
> > > >> >Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > > >> ><radu.nicolau@intel.com>; Declan Doherty
> > > >> ><declan.doherty@intel.com>; Ori Kam <orika@mellanox.com>;
> > > >> >NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh Yigit
> > > >> ><ferruh.yigit@intel.com>; Andrew Rybchenko
> > > >> ><arybchenko@solarflare.com>; Jerin Jacob <jerinj@marvell.com>;
> > > >> >Narayana Prasad <pathreya@marvell.com>; Anoob Joseph
> > > >> ><anoobj@marvell.com>; dev@dpdk.org
> > > >> >Subject: Re: [dpdk-dev] [PATCH] ethdev: add security flow item
> > > >> >
> > > >> >On Thu, 10 Sep 2020 22:14:41 +0530 Tejasree Kondoj
> > > >> ><ktejasree@marvell.com> wrote:
> > > >> >
> > > >> >> Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to
> > > >> distinguish
> > > >> >> plain packets from IPsec decrypted plain packets.
> > > >> >>
> > > >> >> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> > > >> >
> > > >> >Please provide an implementation, API's without any driver support
> > > >> >should not be accepted.
> > > >> >
> > > >> >Also, we need a test for this.
> > > >
> > > >[Tejasree] We would like to defer the patch and add implementation,
> > > >test case in next cycle.
> > > >
> > > >>
> > > >> +1
> > > >> Also, I think the word SECURITY is too high-level, and if
> > > >> specifically you mention here an item for IPSec, perhaps you can
> > consider renaming.
> > > >
> > > >[Tejasree] This item matches security processed packets and not
> > > >specific to IPsec.
> > > >Will change commit description as follows:
> > > >" Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to match
> > > >packets that were security processed. For example, in case of inline
> > > >IPsec, it can be used to distinguish plain packets from IPsec decrypted
> > plain packets"
> > > >Would that be fine?
> > >
> > > It would be more clear, yes, thank you, but in this case I suggest to
> > > have a field in the spec that you can match on it.
> > > For example, is it viable to know if the packet was processed by IPSec
> > > and not AES? Maybe you want to have 2 flow with this new item, but
> > > still differentiate between the types.
> >
> > Why not use mark/tag/meta to set this value?
> > The application will insert a flow that sends to security and mark the flow
> > with some ID then the application can check this ID.
> 
> [Tejasree] SECURITY itself wouldn't make distinction on protocol.
> It would be combined with MARK_ID to know if the packet
> was processed by IPsec and not AES.
> 
> MARK_ID alone couldn't be used as we wouldn't know if it is
> plain packet or security processed plain packet.
> 
> Rules would be as follows:
> Rule #1
> [ETH] [IP] [ESP] [SPI] → [SECURITY] [MARK_ID] [END]
> Rule #2
> [SECURITY] [MARK_ID] [ETH] [IP] → [QUEUE] [END]
> 
I don't understand why in rule #1 you can't have the mark value
to also mark the security.
From your patch I understand that security is just one bit
This means that you can say if MSB bit in mark is set then it comes from
security.

Ori,

> >
> > Best,
> > Ori


  reply	other threads:[~2020-09-22 13:28 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-09-10 16:44 Tejasree Kondoj
2020-09-10 16:45 ` Stephen Hemminger
2020-09-17  9:38   ` Asaf Penso
2020-09-21  8:58     ` Tejasree Kondoj
2020-09-21 16:09       ` Asaf Penso
2020-09-22  7:51         ` Ori Kam
2020-09-22  9:07           ` Tejasree Kondoj
2020-09-22 13:28             ` Ori Kam [this message]
2020-09-22 14:18             ` Tejasree Kondoj
2020-09-23 14:30               ` Ori Kam
2020-09-24  5:30                 ` Tejasree Kondoj
2020-09-24  9:51                   ` Ori Kam
2020-09-24 10:07                     ` Tejasree Kondoj
2021-02-17 17:36                       ` Ferruh Yigit
2021-04-20  1:08                         ` Ferruh Yigit

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=MN2PR12MB4286044218709F88BE41C146D63B0@MN2PR12MB4286.namprd12.prod.outlook.com \
    --to=orika@nvidia.com \
    --cc=akhil.goyal@nxp.com \
    --cc=anoobj@marvell.com \
    --cc=arybchenko@solarflare.com \
    --cc=asafp@nvidia.com \
    --cc=declan.doherty@intel.com \
    --cc=dev@dpdk.org \
    --cc=ferruh.yigit@intel.com \
    --cc=jerinj@marvell.com \
    --cc=ktejasree@marvell.com \
    --cc=pathreya@marvell.com \
    --cc=radu.nicolau@intel.com \
    --cc=stephen@networkplumber.org \
    --cc=thomas@monjalon.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).