From: Anoob Joseph <anoobj@marvell.com>
To: "Ananyev, Konstantin" <konstantin.ananyev@intel.com>,
Akhil Goyal <akhil.goyal@nxp.com>,
Adrien Mazarguil <adrien.mazarguil@6wind.com>,
"Doherty, Declan" <declan.doherty@intel.com>,
"Yigit, Ferruh" <ferruh.yigit@intel.com>,
Jerin Jacob Kollanukkaran <jerinj@marvell.com>,
Thomas Monjalon <thomas@monjalon.net>
Cc: Ankur Dwivedi <adwivedi@marvell.com>,
Hemant Agrawal <hemant.agrawal@nxp.com>,
Matan Azrad <matan@mellanox.com>,
"Nicolau, Radu" <radu.nicolau@intel.com>,
Shahaf Shuler <shahafs@mellanox.com>,
"Narayana Prasad Raju Athreya" <pathreya@marvell.com>,
"dev@dpdk.org" <dev@dpdk.org>
Subject: Re: [dpdk-dev] [PATCH] ethdev: allow multiple security sessions to use one rte flow
Date: Mon, 9 Dec 2019 13:57:14 +0000 [thread overview]
Message-ID: <MN2PR18MB2877B0C35B11432B9FA02452DF580@MN2PR18MB2877.namprd18.prod.outlook.com> (raw)
In-Reply-To: <BN7PR11MB25478BD0152762D4CB1E16FC9A580@BN7PR11MB2547.namprd11.prod.outlook.com>
Hi Konstantin,
Please see inline.
Thanks,
Anoob
> -----Original Message-----
> From: Ananyev, Konstantin <konstantin.ananyev@intel.com>
> Sent: Monday, December 9, 2019 6:49 PM
> To: Anoob Joseph <anoobj@marvell.com>; Akhil Goyal <akhil.goyal@nxp.com>;
> Adrien Mazarguil <adrien.mazarguil@6wind.com>; Doherty, Declan
> <declan.doherty@intel.com>; Yigit, Ferruh <ferruh.yigit@intel.com>; Jerin Jacob
> Kollanukkaran <jerinj@marvell.com>; Thomas Monjalon
> <thomas@monjalon.net>
> Cc: Ankur Dwivedi <adwivedi@marvell.com>; Hemant Agrawal
> <hemant.agrawal@nxp.com>; Matan Azrad <matan@mellanox.com>; Nicolau,
> Radu <radu.nicolau@intel.com>; Shahaf Shuler <shahafs@mellanox.com>;
> Narayana Prasad Raju Athreya <pathreya@marvell.com>; dev@dpdk.org
> Subject: [EXT] RE: [PATCH] ethdev: allow multiple security sessions to use one
> rte flow
>
> External Email
>
> ----------------------------------------------------------------------
>
> >
> > The rte_security API which enables inline protocol/crypto feature
> > mandates that for every security session an rte_flow is created. This
> > would internally translate to a rule in the hardware which would do
> > packet classification.
> >
> > In rte_securty, one SA would be one security session. And if an
> > rte_flow need to be created for every session, the number of SAs
> > supported by an inline implementation would be limited by the number
> > of rte_flows the PMD would be able to support.
> >
> > If the fields SPI & IP addresses are allowed to be a range, then this
> > limitation can be overcome. Multiple flows will be able to use one
> > rule for SECURITY processing. In this case, the security session
> > provided as conf would be NULL.
>
> Wonder what will be the usage model for it?
> AFAIK, RFC 4301 clearly states that either SPI value alone or in conjunction with
> dst (and src) IP should clearly identify SA for inbound SAD lookup.
> Am I missing something obvious here?
[Anoob] Existing SECURITY action type requires application to create an 'rte_flow' per SA, which is not really required if h/w can use SPI to uniquely identify the security session/SA.
Existing rte_flow usage: IP (dst,src) + ESP + SPI -> security processing enabled on one security session (ie on SA)
The above rule would uniquely identify packets for an SA. But with the above usage, we would quickly exhaust entries available in h/w lookup tables (which are limited on our hardware). But if h/w can use SPI field to index into a table (for example), then the above requirement of one rte_flow per SA is not required.
Proposed rte_flow usage: IP (any) + ESP + SPI (any) -> security processing enabled on all ESP packets
Now h/w could use SPI to index into a pre-populated table to get security session. Please do note that, SPI is not ignored during the actual lookup. Just that it is not used while creating 'rte_flow'.
The usage of one 'rte_flow' for multiple SAs is not mandatory. It is only required when application requires large number of SAs. The proposed change is to allow more efficient usage of h/w resources where it's permitted by the PMD.
>
> >
> > Application should do an rte_flow_validate() to make sure the flow is
> > supported on the PMD.
> >
> > Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> > ---
> > lib/librte_ethdev/rte_flow.h | 6 ++++++
> > 1 file changed, 6 insertions(+)
> >
> > diff --git a/lib/librte_ethdev/rte_flow.h
> > b/lib/librte_ethdev/rte_flow.h index 452d359..21fa7ed 100644
> > --- a/lib/librte_ethdev/rte_flow.h
> > +++ b/lib/librte_ethdev/rte_flow.h
> > @@ -2239,6 +2239,12 @@ struct rte_flow_action_meter {
> > * direction.
> > *
> > * Multiple flows can be configured to use the same security session.
> > + *
> > + * The NULL value is allowed for security session. If security
> > + session is NULL,
> > + * then SPI field in ESP flow item and IP addresses in flow items
> > + 'IPv4' and
> > + * 'IPv6' will be allowed to be a range. The rule thus created can
> > + enable
> > + * SECURITY processing on multiple flows.
> > + *
> > */
> > struct rte_flow_action_security {
> > void *security_session; /**< Pointer to security session structure.
> > */
> > --
> > 2.7.4
next prev parent reply other threads:[~2019-12-09 13:57 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-08 10:41 Anoob Joseph
2019-12-09 7:37 ` Jerin Jacob
2019-12-10 20:47 ` Ori Kam
2020-01-20 9:51 ` Thomas Monjalon
2019-12-09 13:18 ` Ananyev, Konstantin
2019-12-09 13:57 ` Anoob Joseph [this message]
2019-12-11 11:06 ` Ananyev, Konstantin
2019-12-11 17:33 ` Anoob Joseph
2019-12-13 11:55 ` Ananyev, Konstantin
2019-12-15 6:07 ` Anoob Joseph
2019-12-16 12:54 ` Ananyev, Konstantin
2019-12-16 15:37 ` Anoob Joseph
2019-12-16 15:58 ` Medvedkin, Vladimir
2019-12-16 16:16 ` [dpdk-dev] [EXT] " Anoob Joseph
2019-12-17 11:21 ` Medvedkin, Vladimir
2019-12-17 14:24 ` Anoob Joseph
2019-12-17 17:44 ` Medvedkin, Vladimir
2019-12-18 3:54 ` Anoob Joseph
2019-12-18 13:52 ` Medvedkin, Vladimir
2019-12-19 4:37 ` Anoob Joseph
2019-12-19 17:45 ` Medvedkin, Vladimir
2019-12-23 13:34 ` Ananyev, Konstantin
2020-01-08 14:29 ` Medvedkin, Vladimir
2020-01-09 7:35 ` Ori Kam
2020-01-14 9:27 ` Anoob Joseph
2020-01-16 11:36 ` Ori Kam
2020-01-16 12:03 ` Anoob Joseph
2020-01-16 13:37 ` Ori Kam
2020-01-18 8:11 ` Anoob Joseph
2020-01-19 7:25 ` Ori Kam
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=MN2PR18MB2877B0C35B11432B9FA02452DF580@MN2PR18MB2877.namprd18.prod.outlook.com \
--to=anoobj@marvell.com \
--cc=adrien.mazarguil@6wind.com \
--cc=adwivedi@marvell.com \
--cc=akhil.goyal@nxp.com \
--cc=declan.doherty@intel.com \
--cc=dev@dpdk.org \
--cc=ferruh.yigit@intel.com \
--cc=hemant.agrawal@nxp.com \
--cc=jerinj@marvell.com \
--cc=konstantin.ananyev@intel.com \
--cc=matan@mellanox.com \
--cc=pathreya@marvell.com \
--cc=radu.nicolau@intel.com \
--cc=shahafs@mellanox.com \
--cc=thomas@monjalon.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).