From: Ori Kam
To: Tejasree Kondoj, Asaf Penso, Stephen Hemminger
CC: Akhil Goyal, Radu Nicolau, Declan Doherty, NBU-Contact-Thomas Monjalon, Ferruh Yigit, Andrew Rybchenko, Jerin Jacob Kollanukkaran, Narayana Prasad Raju Athreya, Anoob Joseph, "dev@dpdk.org"
Date: Thu, 24 Sep 2020 09:51:39 +0000
References: <20200910164441.7245-1-ktejasree@marvell.com> <20200910094558.0398145b@hermes.lan>
Subject: Re: [dpdk-dev] [PATCH] ethdev: add security flow item
List-Id: DPDK patches and discussions

Thanks,
Ori

> -----Original Message-----
> From: Tejasree Kondoj
> Sent: Thursday,
> September 24, 2020 8:31 AM
>
> Thanks,
> Tejasree
>
> > -----Original Message-----
> > From: Ori Kam
> > Sent: Wednesday, September 23, 2020 8:00 PM
> > Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> >
> > Hi
> >
> > > -----Original Message-----
> > > From: Tejasree Kondoj
> > > Sent: Tuesday, September 22, 2020 5:18 PM
> > > Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > >
> > > Hi Ori,
> > >
> > > Please see inline.
> > >
> > > Thanks,
> > > Tejasree
> > >
> > > > -----Original Message-----
> > > > From: Tejasree Kondoj
> > > > Sent: Tuesday, September 22, 2020 2:37 PM
> > > > Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > > >
> > > > Please see inline.
> > > >
> > > > Thanks
> > > > Tejasree
> > > >
> > > > > -----Original Message-----
> > > > > From: Ori Kam
> > > > > Sent: Tuesday, September 22, 2020 1:22 PM
> > > > > Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > > > >
> > > > > Hi
> > > > > > -----Original Message-----
> > > > > > From: Asaf Penso
> > > > > > Sent: Monday, September 21, 2020 7:09 PM
> > > > > > Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > > > > >
> > > > > > Regards,
> > > > > > Asaf Penso
> > > > > >
> > > > > > >-----Original Message-----
> > > > > > >From: Tejasree Kondoj
> > > > > > >Sent: Monday, September 21, 2020 11:59 AM
> > > > > > >Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > > > > > >
> > > > > > >Please see inline.
> > > > > > >
> > > > > > >Thanks
> > > > > > >Tejasree
> > > > > > >
> > > > > > >> -----Original Message-----
> > > > > > >> From: Asaf Penso
> > > > > > >> Sent: Thursday, September 17, 2020 3:09 PM
> > > > > > >> Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > > > > > >>
> > > > > > >> >-----Original Message-----
> > > > > > >> >From: dev On Behalf Of Stephen Hemminger
> > > > > > >> >Sent: Thursday, September 10, 2020 7:46 PM
> > > > > > >> >Subject: Re: [dpdk-dev] [PATCH] ethdev: add security flow item
> > > > > > >> >
> > > > > > >> >On Thu, 10 Sep 2020 22:14:41 +0530 Tejasree Kondoj wrote:
> > > > > > >> >
> > > > > > >> >> Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to distinguish
> > > > > > >> >> plain packets from IPsec decrypted plain packets.
> > > > > > >> >>
> > > > > > >> >> Signed-off-by: Tejasree Kondoj
> > > > > > >> >
> > > > > > >> >Please provide an implementation, API's without any driver
> > > > > > >> >support should not be accepted.
> > > > > > >> >
> > > > > > >> >Also, we need a test for this.
> > > > > > >
> > > > > > >[Tejasree] We would like to defer the patch and add
> > > > > > >implementation, test case in next cycle.
> > > > > > >
> > > > > > >>
> > > > > > >> +1
> > > > > > >> Also, I think the word SECURITY is too high-level, and if
> > > > > > >> specifically you mention here an item for IPSec, perhaps you
> > > > > > >> can consider renaming.
> > > > > > >
> > > > > > >[Tejasree] This item matches security processed packets and not
> > > > > > >specific to IPsec.
> > > > > > >Will change commit description as follows:
> > > > > > >" Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to
> > > > > > >match packets that were security processed. For example, in
> > > > > > >case of inline IPsec, it can be used to distinguish plain
> > > > > > >packets from IPsec decrypted plain packets"
> > > > > > >Would that be fine?
> > > > > >
> > > > > > It would be more clear, yes, thank you, but in this case I
> > > > > > suggest to have a field in the spec that you can match on it.
> > > > > > For example, is it viable to know if the packet was processed by
> > > > > > IPSec and not AES? Maybe you want to have 2 flow with this new
> > > > > > item, but still differentiate between the types.
> > > > >
> > > > > Why not use mark/tag/meta to set this value?
> > > > > The application will insert a flow that sends to security and mark
> > > > > the flow with some ID then the application can check this ID.
> > > >
> > > > [Tejasree] SECURITY itself wouldn't make distinction on protocol.
> > > > It would be combined with MARK_ID to know if the packet was
> > > > processed by IPsec and not AES.
> > > >
> > > > MARK_ID alone couldn't be used as we wouldn't know if it is plain
> > > > packet or security processed plain packet.
> > > >
> > > > Rules would be as follows:
> > > > Rule #1
> > > > [ETH] [IP] [ESP] [SPI] → [SECURITY] [MARK_ID] [END]
> > > > Rule #2
> > > > [SECURITY] [MARK_ID] [ETH] [IP] → [QUEUE] [END]
> > > >
> > > > I don't understand why in rule #1 you can't have the mark value to
> > > > also mark the security.
> > > > From your patch I understand that security is just one bit. This
> > > > means that you can say if MSB bit in mark is set then it comes from
> > > > security.
> > >
> > > [Tejasree] We can use MSB of MARK_ID but that would mean we would be
> > > reserving it for security.
> > >
> > [Ori] but why does the PMD need it? The application knows what it needs so
> > it can use it. It is the application decision to send to the security, right? So it
> > knows what values to set.
> >
> > Also the application can use tag or any other data item.
> >
> [Tejasree] PMD needs it to establish connection between security and final
> action to be done (queue for example).
>
> First rule works on the outer packet where the inner packet would be hidden by
> the protocol (like encrypted payload in IPsec) and the second rule will act on
> the de-capsulated packet. So the packets itself are different and we cannot
> have one rule.
>
> In IPsec it is valid (and a very trivial usage) to have one outer flow constitute
> multiple inner flows. Without this, application will not be able to configure
> hardware to treat inner flows differently.
>
Fully agree with you about the app needs to know if it passed security.
But this goes also for example simple tunnel where the app may decap the packet
on the first flow and then do matching on the inner 5 tuple but it will need to know
if the packet was decapped or what is the vni.
So in your case the app will send traffic to security and mark it as one that was gone to security
then in the second rule the app will match on the mark and do what it wants with it.
I simply don't see why you need new metadata item just to mark if it passed security.

> > > > >
> > > > > Best,
> > > > > Ori
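
The mark-bit alternative discussed in this thread, modelled as a small stand-alone C program; this is an added example, not code from the patch or from DPDK, and it does not call the rte_flow API. It shows one outer ESP flow feeding two inner flows on different queues, while a plain packet with the same inner address falls through to the default queue. The MSB convention, SPI 0x100, SA id 7, the addresses and queue numbers are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
/* Assumed application convention (not a DPDK constant): mark MSB means
 * "decrypted by inline security", the low 31 bits are an SA id. */
#define MARK_SEC_BIT 0x80000000u

struct pkt { int is_esp; uint32_t spi, inner_dst, mark; };
struct sa_rule { uint32_t spi, sa_id; };                        /* Rule #1 */
struct q_rule { uint32_t mark_spec, mark_mask, inner_dst; int queue; }; /* Rule #2 */

/* Constructed sample tables: one SA (outer flow) feeding two inner flows. */
static const struct sa_rule sa_rules[] = { { 0x100, 7 } };
static const struct q_rule q_rules[] = {
    { MARK_SEC_BIT | 7, 0xffffffffu, 0x0a000001, 1 },
    { MARK_SEC_BIT | 7, 0xffffffffu, 0x0a000002, 2 },
};

/* Rule #1: [ETH][IP][ESP][SPI] -> [SECURITY][MARK_ID]; mark is device-set metadata. */
static void stage1(struct pkt *p)
{
    p->mark = 0;    /* never taken from the wire */
    for (size_t i = 0; p->is_esp && i < sizeof sa_rules / sizeof *sa_rules; i++)
        if (p->spi == sa_rules[i].spi) {
            p->mark = MARK_SEC_BIT | sa_rules[i].sa_id;
            p->is_esp = 0;  /* inner packet is now visible; ends the loop */
        }
}

/* Rule #2: [MARK_ID][ETH][IP] -> [QUEUE]; queue 0 is the default. */
static int stage2(const struct pkt *p)
{
    for (size_t i = 0; i < sizeof q_rules / sizeof *q_rules; i++)
        if (!p->is_esp && (p->mark & q_rules[i].mark_mask) == q_rules[i].mark_spec
            && p->inner_dst == q_rules[i].inner_dst)
            return q_rules[i].queue;
    return 0;
}

/* Run one packet through both stages and return the receive queue. */
int classify(int is_esp, uint32_t spi, uint32_t inner_dst)
{
    struct pkt p = { is_esp, spi, inner_dst, 0 };
    stage1(&p);
    return stage2(&p);
}

int main(void)
{
    printf("%d %d\n", classify(1, 0x100, 0x0a000002), classify(0, 0, 0x0a000002));
    return 0;
}
```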