DPDK patches and discussions
* [dpdk-dev] [PATCH] ethdev: add security flow item
@ 2020-09-10 16:44 Tejasree Kondoj
  2020-09-10 16:45 ` Stephen Hemminger
  0 siblings, 1 reply; 15+ messages in thread
From: Tejasree Kondoj @ 2020-09-10 16:44 UTC (permalink / raw)
  To: Akhil Goyal, Radu Nicolau, Declan Doherty, Ori Kam,
	Thomas Monjalon, Ferruh Yigit, Andrew Rybchenko, Jerin Jacob
  Cc: Tejasree Kondoj, Narayana Prasad, Anoob Joseph, dev

Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to
distinguish plain packets from IPsec decrypted plain packets.

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 doc/guides/prog_guide/rte_flow.rst | 25 +++++++++++++++++++++++++
 lib/librte_ethdev/rte_flow.h       |  9 +++++++++
 2 files changed, 34 insertions(+)

diff --git a/doc/guides/prog_guide/rte_flow.rst b/doc/guides/prog_guide/rte_flow.rst
index 3e5cd1e0d..a51a3e5d6 100644
--- a/doc/guides/prog_guide/rte_flow.rst
+++ b/doc/guides/prog_guide/rte_flow.rst
@@ -712,6 +712,31 @@ action sets metadata for a packet and the metadata will be reported via
    | ``mask`` | ``data`` | bit-mask applies to "spec" and "last" |
    +----------+----------+---------------------------------------+
 
+Item: ``SECURITY``
+^^^^^^^^^^^^^^^^^^
+
+Matches packets that were security processed. It can be used to identify
+packets after inline security processing. For example, in case of inline IPsec,
+the packet headers would change after IPsec decapsulation and this item would
+allow application to differentiate non-IPsec packets from packets after
+inline IPsec processing.
+
+- ``spec``, ``last`` and ``mask`` are ignored.
+
+.. _table_rte_flow_item_security:
+
+.. table:: SECURITY
+
+   +----------+---------+
+   | Field    | Value   |
+   +==========+=========+
+   | ``spec`` | ignored |
+   +----------+---------+
+   | ``last`` | ignored |
+   +----------+---------+
+   | ``mask`` | ignored |
+   +----------+---------+
+
 Data matching item types
 ~~~~~~~~~~~~~~~~~~~~~~~~
 
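Review bot: The new SECURITY section says the item "Matches packets that were security processed" but does not say whether a packet whose inline processing failed (for example an ESP packet that fails authentication) still matches. An application that relies on this item to separate decrypted traffic from plain traffic needs that defined, so please add a sentence on the failure case and on what a port without inline security support should return for such a rule. Separately, the bullet "``spec``, ``last`` and ``mask`` are ignored" and the table that follows state the same thing twice; one of them can go.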
diff --git a/lib/librte_ethdev/rte_flow.h b/lib/librte_ethdev/rte_flow.h
index da8bfa548..65499b758 100644
--- a/lib/librte_ethdev/rte_flow.h
+++ b/lib/librte_ethdev/rte_flow.h
@@ -537,6 +537,15 @@ enum rte_flow_item_type {
 	 */
 	RTE_FLOW_ITEM_TYPE_ECPRI,
 
+	/**
+	 * [META]
+	 *
+	 * Matches security processed packets.
+	 *
+	 * No associated specification structure.
+	 */
+	RTE_FLOW_ITEM_TYPE_SECURITY,
+
 };
 
 /**
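Review bot: RTE_FLOW_ITEM_TYPE_SECURITY is added to enum rte_flow_item_type, but per the diffstat this patch changes only rte_flow.rst and rte_flow.h, so nothing here recognises, validates or tests the new item; the enumerator should arrive together with at least one consumer. The comment "No associated specification structure" should also say, as the guide text in this patch does, that spec, last and mask are ignored, so the header and the guide agree.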
-- 
2.27.0



* Re: [dpdk-dev] [PATCH] ethdev: add security flow item
  2020-09-10 16:44 [dpdk-dev] [PATCH] ethdev: add security flow item Tejasree Kondoj
@ 2020-09-10 16:45 ` Stephen Hemminger
  2020-09-17  9:38   ` Asaf Penso
  0 siblings, 1 reply; 15+ messages in thread
From: Stephen Hemminger @ 2020-09-10 16:45 UTC (permalink / raw)
  To: Tejasree Kondoj
  Cc: Akhil Goyal, Radu Nicolau, Declan Doherty, Ori Kam,
	Thomas Monjalon, Ferruh Yigit, Andrew Rybchenko, Jerin Jacob,
	Narayana Prasad, Anoob Joseph, dev

On Thu, 10 Sep 2020 22:14:41 +0530
Tejasree Kondoj <ktejasree@marvell.com> wrote:

> Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to
> distinguish plain packets from IPsec decrypted plain packets.
> 
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>

Please provide an implementation; APIs without any driver support should not be accepted.

Also, we need a test for this.



* Re: [dpdk-dev] [PATCH] ethdev: add security flow item
  2020-09-10 16:45 ` Stephen Hemminger
@ 2020-09-17  9:38   ` Asaf Penso
  2020-09-21  8:58     ` Tejasree Kondoj
  0 siblings, 1 reply; 15+ messages in thread
From: Asaf Penso @ 2020-09-17  9:38 UTC (permalink / raw)
  To: Stephen Hemminger, Tejasree Kondoj
  Cc: Akhil Goyal, Radu Nicolau, Declan Doherty, Ori Kam,
	NBU-Contact-Thomas Monjalon, Ferruh Yigit, Andrew Rybchenko,
	Jerin Jacob, Narayana Prasad, Anoob Joseph, dev

>-----Original Message-----
>From: dev <dev-bounces@dpdk.org> On Behalf Of Stephen Hemminger
>Sent: Thursday, September 10, 2020 7:46 PM
>To: Tejasree Kondoj <ktejasree@marvell.com>
>Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
><radu.nicolau@intel.com>; Declan Doherty <declan.doherty@intel.com>; Ori
>Kam <orika@mellanox.com>; NBU-Contact-Thomas Monjalon
><thomas@monjalon.net>; Ferruh Yigit <ferruh.yigit@intel.com>; Andrew
>Rybchenko <arybchenko@solarflare.com>; Jerin Jacob <jerinj@marvell.com>;
>Narayana Prasad <pathreya@marvell.com>; Anoob Joseph
><anoobj@marvell.com>; dev@dpdk.org
>Subject: Re: [dpdk-dev] [PATCH] ethdev: add security flow item
>
>On Thu, 10 Sep 2020 22:14:41 +0530
>Tejasree Kondoj <ktejasree@marvell.com> wrote:
>
>> Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to distinguish
>> plain packets from IPsec decrypted plain packets.
>>
>> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
>
>Please provide an implementation, API's without any driver support should not be
>accepted.
>
>Also, we need a test for this.

+1
Also, I think the word SECURITY is too high-level, and if specifically you mention here an item for IPSec, perhaps you can consider renaming.


* Re: [dpdk-dev] [PATCH] ethdev: add security flow item
  2020-09-17  9:38   ` Asaf Penso
@ 2020-09-21  8:58     ` Tejasree Kondoj
  2020-09-21 16:09       ` Asaf Penso
  0 siblings, 1 reply; 15+ messages in thread
From: Tejasree Kondoj @ 2020-09-21  8:58 UTC (permalink / raw)
  To: Asaf Penso, Stephen Hemminger
  Cc: Akhil Goyal, Radu Nicolau, Declan Doherty, Ori Kam,
	NBU-Contact-Thomas Monjalon, Ferruh Yigit, Andrew Rybchenko,
	Jerin Jacob Kollanukkaran, Narayana Prasad Raju Athreya,
	Anoob Joseph, dev

Please see inline.

Thanks
Tejasree

> -----Original Message-----
> From: Asaf Penso <asafp@nvidia.com>
> Sent: Thursday, September 17, 2020 3:09 PM
> To: Stephen Hemminger <stephen@networkplumber.org>; Tejasree Kondoj
> <ktejasree@marvell.com>
> Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> <radu.nicolau@intel.com>; Declan Doherty <declan.doherty@intel.com>; Ori
> Kam <orika@nvidia.com>; NBU-Contact-Thomas Monjalon
> <thomas@monjalon.net>; Ferruh Yigit <ferruh.yigit@intel.com>; Andrew
> Rybchenko <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> <pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> dev@dpdk.org
> Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> 
> External Email
> 
> ----------------------------------------------------------------------
> >-----Original Message-----
> >From: dev <dev-bounces@dpdk.org> On Behalf Of Stephen Hemminger
> >Sent: Thursday, September 10, 2020 7:46 PM
> >To: Tejasree Kondoj <ktejasree@marvell.com>
> >Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> ><radu.nicolau@intel.com>; Declan Doherty <declan.doherty@intel.com>;
> >Ori Kam <orika@mellanox.com>; NBU-Contact-Thomas Monjalon
> ><thomas@monjalon.net>; Ferruh Yigit <ferruh.yigit@intel.com>; Andrew
> >Rybchenko <arybchenko@solarflare.com>; Jerin Jacob
> ><jerinj@marvell.com>; Narayana Prasad <pathreya@marvell.com>; Anoob
> >Joseph <anoobj@marvell.com>; dev@dpdk.org
> >Subject: Re: [dpdk-dev] [PATCH] ethdev: add security flow item
> >
> >On Thu, 10 Sep 2020 22:14:41 +0530
> >Tejasree Kondoj <ktejasree@marvell.com> wrote:
> >
> >> Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to
> distinguish
> >> plain packets from IPsec decrypted plain packets.
> >>
> >> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> >
> >Please provide an implementation, API's without any driver support
> >should not be accepted.
> >
> >Also, we need a test for this.

[Tejasree] We would like to defer the patch and add an implementation and test case in the next cycle.

> 
> +1
> Also, I think the word SECURITY is too high-level, and if specifically you
> mention here an item for IPSec, perhaps you can consider renaming.

[Tejasree] This item matches security processed packets and is not specific to IPsec.
Will change commit description as follows:
" Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to
match packets that were security processed. For example, in case of
inline IPsec, it can be used to distinguish plain packets from IPsec decrypted
plain packets"
Would that be fine?


* Re: [dpdk-dev] [PATCH] ethdev: add security flow item
  2020-09-21  8:58     ` Tejasree Kondoj
@ 2020-09-21 16:09       ` Asaf Penso
  2020-09-22  7:51         ` Ori Kam
  0 siblings, 1 reply; 15+ messages in thread
From: Asaf Penso @ 2020-09-21 16:09 UTC (permalink / raw)
  To: Tejasree Kondoj, Stephen Hemminger
  Cc: Akhil Goyal, Radu Nicolau, Declan Doherty, Ori Kam,
	NBU-Contact-Thomas Monjalon, Ferruh Yigit, Andrew Rybchenko,
	Jerin Jacob Kollanukkaran, Narayana Prasad Raju Athreya,
	Anoob Joseph, dev



Regards,
Asaf Penso

>-----Original Message-----
>From: Tejasree Kondoj <ktejasree@marvell.com>
>Sent: Monday, September 21, 2020 11:59 AM
>To: Asaf Penso <asafp@nvidia.com>; Stephen Hemminger
><stephen@networkplumber.org>
>Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
><radu.nicolau@intel.com>; Declan Doherty <declan.doherty@intel.com>; Ori
>Kam <orika@nvidia.com>; NBU-Contact-Thomas Monjalon
><thomas@monjalon.net>; Ferruh Yigit <ferruh.yigit@intel.com>; Andrew
>Rybchenko <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
><jerinj@marvell.com>; Narayana Prasad Raju Athreya
><pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
>dev@dpdk.org
>Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
>
>Please see inline.
>
>Thanks
>Tejasree
>
>> -----Original Message-----
>> From: Asaf Penso <asafp@nvidia.com>
>> Sent: Thursday, September 17, 2020 3:09 PM
>> To: Stephen Hemminger <stephen@networkplumber.org>; Tejasree
>Kondoj
>> <ktejasree@marvell.com>
>> Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
>> <radu.nicolau@intel.com>; Declan Doherty <declan.doherty@intel.com>;
>> Ori Kam <orika@nvidia.com>; NBU-Contact-Thomas Monjalon
>> <thomas@monjalon.net>; Ferruh Yigit <ferruh.yigit@intel.com>; Andrew
>> Rybchenko <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
>> <jerinj@marvell.com>; Narayana Prasad Raju Athreya
>> <pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
>> dev@dpdk.org
>> Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow item
>>
>> External Email
>>
>> ----------------------------------------------------------------------
>> >-----Original Message-----
>> >From: dev <dev-bounces@dpdk.org> On Behalf Of Stephen Hemminger
>> >Sent: Thursday, September 10, 2020 7:46 PM
>> >To: Tejasree Kondoj <ktejasree@marvell.com>
>> >Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
>> ><radu.nicolau@intel.com>; Declan Doherty <declan.doherty@intel.com>;
>> >Ori Kam <orika@mellanox.com>; NBU-Contact-Thomas Monjalon
>> ><thomas@monjalon.net>; Ferruh Yigit <ferruh.yigit@intel.com>; Andrew
>> >Rybchenko <arybchenko@solarflare.com>; Jerin Jacob
>> ><jerinj@marvell.com>; Narayana Prasad <pathreya@marvell.com>; Anoob
>> >Joseph <anoobj@marvell.com>; dev@dpdk.org
>> >Subject: Re: [dpdk-dev] [PATCH] ethdev: add security flow item
>> >
>> >On Thu, 10 Sep 2020 22:14:41 +0530
>> >Tejasree Kondoj <ktejasree@marvell.com> wrote:
>> >
>> >> Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to
>> distinguish
>> >> plain packets from IPsec decrypted plain packets.
>> >>
>> >> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
>> >
>> >Please provide an implementation, API's without any driver support
>> >should not be accepted.
>> >
>> >Also, we need a test for this.
>
>[Tejasree] We would like to defer the patch and add implementation, test
>case in next cycle.
>
>>
>> +1
>> Also, I think the word SECURITY is too high-level, and if specifically
>> you mention here an item for IPSec, perhaps you can consider renaming.
>
>[Tejasree] This item matches security processed packets and not specific to
>IPsec.
>Will change commit description as follows:
>" Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to match
>packets that were security processed. For example, in case of inline IPsec, it
>can be used to distinguish plain packets from IPsec decrypted plain packets"
>Would that be fine?

It would be more clear, yes, thank you, but in this case I suggest having a field in the spec that you can match on.
For example, is it viable to know if the packet was processed by IPSec and not AES? Maybe you want to have 2 flows with this new item, but still differentiate between the types.


* Re: [dpdk-dev] [PATCH] ethdev: add security flow item
  2020-09-21 16:09       ` Asaf Penso
@ 2020-09-22  7:51         ` Ori Kam
  2020-09-22  9:07           ` Tejasree Kondoj
  0 siblings, 1 reply; 15+ messages in thread
From: Ori Kam @ 2020-09-22  7:51 UTC (permalink / raw)
  To: Asaf Penso, Tejasree Kondoj, Stephen Hemminger
  Cc: Akhil Goyal, Radu Nicolau, Declan Doherty,
	NBU-Contact-Thomas Monjalon, Ferruh Yigit, Andrew Rybchenko,
	Jerin Jacob Kollanukkaran, Narayana Prasad Raju Athreya,
	Anoob Joseph, dev

Hi 
> -----Original Message-----
> From: Asaf Penso <asafp@nvidia.com>
> Sent: Monday, September 21, 2020 7:09 PM
> Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> 
> 
> 
> Regards,
> Asaf Penso
> 
> >-----Original Message-----
> >From: Tejasree Kondoj <ktejasree@marvell.com>
> >Sent: Monday, September 21, 2020 11:59 AM
> >To: Asaf Penso <asafp@nvidia.com>; Stephen Hemminger
> ><stephen@networkplumber.org>
> >Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> ><radu.nicolau@intel.com>; Declan Doherty <declan.doherty@intel.com>; Ori
> >Kam <orika@nvidia.com>; NBU-Contact-Thomas Monjalon
> ><thomas@monjalon.net>; Ferruh Yigit <ferruh.yigit@intel.com>; Andrew
> >Rybchenko <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> ><jerinj@marvell.com>; Narayana Prasad Raju Athreya
> ><pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> >dev@dpdk.org
> >Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> >
> >Please see inline.
> >
> >Thanks
> >Tejasree
> >
> >> -----Original Message-----
> >> From: Asaf Penso <asafp@nvidia.com>
> >> Sent: Thursday, September 17, 2020 3:09 PM
> >> To: Stephen Hemminger <stephen@networkplumber.org>; Tejasree
> >Kondoj
> >> <ktejasree@marvell.com>
> >> Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> >> <radu.nicolau@intel.com>; Declan Doherty <declan.doherty@intel.com>;
> >> Ori Kam <orika@nvidia.com>; NBU-Contact-Thomas Monjalon
> >> <thomas@monjalon.net>; Ferruh Yigit <ferruh.yigit@intel.com>; Andrew
> >> Rybchenko <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> >> <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> >> <pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> >> dev@dpdk.org
> >> Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> >>
> >> External Email
> >>
> >> ----------------------------------------------------------------------
> >> >-----Original Message-----
> >> >From: dev <dev-bounces@dpdk.org> On Behalf Of Stephen Hemminger
> >> >Sent: Thursday, September 10, 2020 7:46 PM
> >> >To: Tejasree Kondoj <ktejasree@marvell.com>
> >> >Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> >> ><radu.nicolau@intel.com>; Declan Doherty <declan.doherty@intel.com>;
> >> >Ori Kam <orika@mellanox.com>; NBU-Contact-Thomas Monjalon
> >> ><thomas@monjalon.net>; Ferruh Yigit <ferruh.yigit@intel.com>; Andrew
> >> >Rybchenko <arybchenko@solarflare.com>; Jerin Jacob
> >> ><jerinj@marvell.com>; Narayana Prasad <pathreya@marvell.com>; Anoob
> >> >Joseph <anoobj@marvell.com>; dev@dpdk.org
> >> >Subject: Re: [dpdk-dev] [PATCH] ethdev: add security flow item
> >> >
> >> >On Thu, 10 Sep 2020 22:14:41 +0530
> >> >Tejasree Kondoj <ktejasree@marvell.com> wrote:
> >> >
> >> >> Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to
> >> distinguish
> >> >> plain packets from IPsec decrypted plain packets.
> >> >>
> >> >> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> >> >
> >> >Please provide an implementation, API's without any driver support
> >> >should not be accepted.
> >> >
> >> >Also, we need a test for this.
> >
> >[Tejasree] We would like to defer the patch and add implementation, test
> >case in next cycle.
> >
> >>
> >> +1
> >> Also, I think the word SECURITY is too high-level, and if specifically
> >> you mention here an item for IPSec, perhaps you can consider renaming.
> >
> >[Tejasree] This item matches security processed packets and not specific to
> >IPsec.
> >Will change commit description as follows:
> >" Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to match
> >packets that were security processed. For example, in case of inline IPsec, it
> >can be used to distinguish plain packets from IPsec decrypted plain packets"
> >Would that be fine?
> 
> It would be more clear, yes, thank you, but in this case I suggest to have a field
> in the spec that you can match on it.
> For example, is it viable to know if the packet was processed by IPSec and not
> AES? Maybe you want to have 2 flow with this new item, but still differentiate
> between the types.

Why not use mark/tag/meta to set this value?
The application will insert a flow that sends to security and mark the flow with
some ID then the application can check this ID.

Best,
Ori



* Re: [dpdk-dev] [PATCH] ethdev: add security flow item
  2020-09-22  7:51         ` Ori Kam
@ 2020-09-22  9:07           ` Tejasree Kondoj
  2020-09-22 13:28             ` Ori Kam
  2020-09-22 14:18             ` Tejasree Kondoj
  0 siblings, 2 replies; 15+ messages in thread
From: Tejasree Kondoj @ 2020-09-22  9:07 UTC (permalink / raw)
  To: Ori Kam, Asaf Penso, Stephen Hemminger
  Cc: Akhil Goyal, Radu Nicolau, Declan Doherty,
	NBU-Contact-Thomas Monjalon, Ferruh Yigit, Andrew Rybchenko,
	Jerin Jacob Kollanukkaran, Narayana Prasad Raju Athreya,
	Anoob Joseph, dev

Please see inline.

Thanks
Tejasree

> -----Original Message-----
> From: Ori Kam <orika@nvidia.com>
> Sent: Tuesday, September 22, 2020 1:22 PM
> To: Asaf Penso <asafp@nvidia.com>; Tejasree Kondoj
> <ktejasree@marvell.com>; Stephen Hemminger
> <stephen@networkplumber.org>
> Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> <radu.nicolau@intel.com>; Declan Doherty <declan.doherty@intel.com>;
> NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh Yigit
> <ferruh.yigit@intel.com>; Andrew Rybchenko
> <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> <pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> dev@dpdk.org
> Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> 
> External Email
> 
> ----------------------------------------------------------------------
> Hi
> > -----Original Message-----
> > From: Asaf Penso <asafp@nvidia.com>
> > Sent: Monday, September 21, 2020 7:09 PM
> > Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> >
> >
> >
> > Regards,
> > Asaf Penso
> >
> > >-----Original Message-----
> > >From: Tejasree Kondoj <ktejasree@marvell.com>
> > >Sent: Monday, September 21, 2020 11:59 AM
> > >To: Asaf Penso <asafp@nvidia.com>; Stephen Hemminger
> > ><stephen@networkplumber.org>
> > >Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > ><radu.nicolau@intel.com>; Declan Doherty <declan.doherty@intel.com>;
> > >Ori Kam <orika@nvidia.com>; NBU-Contact-Thomas Monjalon
> > ><thomas@monjalon.net>; Ferruh Yigit <ferruh.yigit@intel.com>; Andrew
> > >Rybchenko <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> > ><jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > ><pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> > >dev@dpdk.org
> > >Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > >
> > >Please see inline.
> > >
> > >Thanks
> > >Tejasree
> > >
> > >> -----Original Message-----
> > >> From: Asaf Penso <asafp@nvidia.com>
> > >> Sent: Thursday, September 17, 2020 3:09 PM
> > >> To: Stephen Hemminger <stephen@networkplumber.org>; Tejasree
> > >Kondoj
> > >> <ktejasree@marvell.com>
> > >> Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > >> <radu.nicolau@intel.com>; Declan Doherty
> > >> <declan.doherty@intel.com>; Ori Kam <orika@nvidia.com>;
> > >> NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh Yigit
> > >> <ferruh.yigit@intel.com>; Andrew Rybchenko
> > >> <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> > >> <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > >> <pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> > >> dev@dpdk.org
> > >> Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow
> > >> item
> > >>
> > >> External Email
> > >>
> > >> -------------------------------------------------------------------
> > >> ---
> > >> >-----Original Message-----
> > >> >From: dev <dev-bounces@dpdk.org> On Behalf Of Stephen
> Hemminger
> > >> >Sent: Thursday, September 10, 2020 7:46 PM
> > >> >To: Tejasree Kondoj <ktejasree@marvell.com>
> > >> >Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > >> ><radu.nicolau@intel.com>; Declan Doherty
> > >> ><declan.doherty@intel.com>; Ori Kam <orika@mellanox.com>;
> > >> >NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh Yigit
> > >> ><ferruh.yigit@intel.com>; Andrew Rybchenko
> > >> ><arybchenko@solarflare.com>; Jerin Jacob <jerinj@marvell.com>;
> > >> >Narayana Prasad <pathreya@marvell.com>; Anoob Joseph
> > >> ><anoobj@marvell.com>; dev@dpdk.org
> > >> >Subject: Re: [dpdk-dev] [PATCH] ethdev: add security flow item
> > >> >
> > >> >On Thu, 10 Sep 2020 22:14:41 +0530 Tejasree Kondoj
> > >> ><ktejasree@marvell.com> wrote:
> > >> >
> > >> >> Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to
> > >> distinguish
> > >> >> plain packets from IPsec decrypted plain packets.
> > >> >>
> > >> >> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> > >> >
> > >> >Please provide an implementation, API's without any driver support
> > >> >should not be accepted.
> > >> >
> > >> >Also, we need a test for this.
> > >
> > >[Tejasree] We would like to defer the patch and add implementation,
> > >test case in next cycle.
> > >
> > >>
> > >> +1
> > >> Also, I think the word SECURITY is too high-level, and if
> > >> specifically you mention here an item for IPSec, perhaps you can
> consider renaming.
> > >
> > >[Tejasree] This item matches security processed packets and not
> > >specific to IPsec.
> > >Will change commit description as follows:
> > >" Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to match
> > >packets that were security processed. For example, in case of inline
> > >IPsec, it can be used to distinguish plain packets from IPsec decrypted
> plain packets"
> > >Would that be fine?
> >
> > It would be more clear, yes, thank you, but in this case I suggest to
> > have a field in the spec that you can match on it.
> > For example, is it viable to know if the packet was processed by IPSec
> > and not AES? Maybe you want to have 2 flow with this new item, but
> > still differentiate between the types.
> 
> Why not use mark/tag/meta to set this value?
> The application will insert a flow that sends to security and mark the flow
> with some ID then the application can check this ID.

[Tejasree] SECURITY itself wouldn't make distinction on protocol.
It would be combined with MARK_ID to know if the packet
was processed by IPsec and not AES.

MARK_ID alone couldn't be used as we wouldn't know if it is
plain packet or security processed plain packet.

Rules would be as follows:
Rule #1
[ETH] [IP] [ESP] [SPI] → [SECURITY] [MARK_ID] [END]
Rule #2 
[SECURITY] [MARK_ID] [ETH] [IP] → [QUEUE] [END]

> 
> Best,
> Ori



* Re: [dpdk-dev] [PATCH] ethdev: add security flow item
  2020-09-22  9:07           ` Tejasree Kondoj
@ 2020-09-22 13:28             ` Ori Kam
  2020-09-22 14:18             ` Tejasree Kondoj
  1 sibling, 0 replies; 15+ messages in thread
From: Ori Kam @ 2020-09-22 13:28 UTC (permalink / raw)
  To: Tejasree Kondoj, Asaf Penso, Stephen Hemminger
  Cc: Akhil Goyal, Radu Nicolau, Declan Doherty,
	NBU-Contact-Thomas Monjalon, Ferruh Yigit, Andrew Rybchenko,
	Jerin Jacob Kollanukkaran, Narayana Prasad Raju Athreya,
	Anoob Joseph, dev

Hi Tejasree,
PSB

> -----Original Message-----
> From: Tejasree Kondoj <ktejasree@marvell.com>
> Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> 
> Please see inline.
> 
> Thanks
> Tejasree
> 
> > -----Original Message-----
> > From: Ori Kam <orika@nvidia.com>
> > Sent: Tuesday, September 22, 2020 1:22 PM
> > To: Asaf Penso <asafp@nvidia.com>; Tejasree Kondoj
> > <ktejasree@marvell.com>; Stephen Hemminger
> > <stephen@networkplumber.org>
> > Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > <radu.nicolau@intel.com>; Declan Doherty <declan.doherty@intel.com>;
> > NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh Yigit
> > <ferruh.yigit@intel.com>; Andrew Rybchenko
> > <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> > <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > <pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> > dev@dpdk.org
> > Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> >
> > External Email
> >
> > ----------------------------------------------------------------------
> > Hi
> > > -----Original Message-----
> > > From: Asaf Penso <asafp@nvidia.com>
> > > Sent: Monday, September 21, 2020 7:09 PM
> > > Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > >
> > >
> > >
> > > Regards,
> > > Asaf Penso
> > >
> > > >-----Original Message-----
> > > >From: Tejasree Kondoj <ktejasree@marvell.com>
> > > >Sent: Monday, September 21, 2020 11:59 AM
> > > >To: Asaf Penso <asafp@nvidia.com>; Stephen Hemminger
> > > ><stephen@networkplumber.org>
> > > >Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > > ><radu.nicolau@intel.com>; Declan Doherty <declan.doherty@intel.com>;
> > > >Ori Kam <orika@nvidia.com>; NBU-Contact-Thomas Monjalon
> > > ><thomas@monjalon.net>; Ferruh Yigit <ferruh.yigit@intel.com>; Andrew
> > > >Rybchenko <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> > > ><jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > > ><pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> > > >dev@dpdk.org
> > > >Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > > >
> > > >Please see inline.
> > > >
> > > >Thanks
> > > >Tejasree
> > > >
> > > >> -----Original Message-----
> > > >> From: Asaf Penso <asafp@nvidia.com>
> > > >> Sent: Thursday, September 17, 2020 3:09 PM
> > > >> To: Stephen Hemminger <stephen@networkplumber.org>; Tejasree
> > > >Kondoj
> > > >> <ktejasree@marvell.com>
> > > >> Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > > >> <radu.nicolau@intel.com>; Declan Doherty
> > > >> <declan.doherty@intel.com>; Ori Kam <orika@nvidia.com>;
> > > >> NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh Yigit
> > > >> <ferruh.yigit@intel.com>; Andrew Rybchenko
> > > >> <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> > > >> <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > > >> <pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> > > >> dev@dpdk.org
> > > >> Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow
> > > >> item
> > > >>
> > > >> External Email
> > > >>
> > > >> -------------------------------------------------------------------
> > > >> ---
> > > >> >-----Original Message-----
> > > >> >From: dev <dev-bounces@dpdk.org> On Behalf Of Stephen
> > Hemminger
> > > >> >Sent: Thursday, September 10, 2020 7:46 PM
> > > >> >To: Tejasree Kondoj <ktejasree@marvell.com>
> > > >> >Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > > >> ><radu.nicolau@intel.com>; Declan Doherty
> > > >> ><declan.doherty@intel.com>; Ori Kam <orika@mellanox.com>;
> > > >> >NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh Yigit
> > > >> ><ferruh.yigit@intel.com>; Andrew Rybchenko
> > > >> ><arybchenko@solarflare.com>; Jerin Jacob <jerinj@marvell.com>;
> > > >> >Narayana Prasad <pathreya@marvell.com>; Anoob Joseph
> > > >> ><anoobj@marvell.com>; dev@dpdk.org
> > > >> >Subject: Re: [dpdk-dev] [PATCH] ethdev: add security flow item
> > > >> >
> > > >> >On Thu, 10 Sep 2020 22:14:41 +0530 Tejasree Kondoj
> > > >> ><ktejasree@marvell.com> wrote:
> > > >> >
> > > >> >> Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to
> > > >> distinguish
> > > >> >> plain packets from IPsec decrypted plain packets.
> > > >> >>
> > > >> >> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> > > >> >
> > > >> >Please provide an implementation, API's without any driver support
> > > >> >should not be accepted.
> > > >> >
> > > >> >Also, we need a test for this.
> > > >
> > > >[Tejasree] We would like to defer the patch and add implementation,
> > > >test case in next cycle.
> > > >
> > > >>
> > > >> +1
> > > >> Also, I think the word SECURITY is too high-level, and if
> > > >> specifically you mention here an item for IPSec, perhaps you can
> > consider renaming.
> > > >
> > > >[Tejasree] This item matches security processed packets and not
> > > >specific to IPsec.
> > > >Will change commit description as follows:
> > > >" Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to match
> > > >packets that were security processed. For example, in case of inline
> > > >IPsec, it can be used to distinguish plain packets from IPsec decrypted
> > plain packets"
> > > >Would that be fine?
> > >
> > > It would be more clear, yes, thank you, but in this case I suggest to
> > > have a field in the spec that you can match on it.
> > > For example, is it viable to know if the packet was processed by IPSec
> > > and not AES? Maybe you want to have 2 flow with this new item, but
> > > still differentiate between the types.
> >
> > Why not use mark/tag/meta to set this value?
> > The application will insert a flow that sends to security and mark the flow
> > with some ID then the application can check this ID.
> 
> [Tejasree] SECURITY itself wouldn't make distinction on protocol.
> It would be combined with MARK_ID to know if the packet
> was processed by IPsec and not AES.
> 
> MARK_ID alone couldn't be used as we wouldn't know if it is
> plain packet or security processed plain packet.
> 
> Rules would be as follows:
> Rule #1
> [ETH] [IP] [ESP] [SPI] → [SECURITY] [MARK_ID] [END]
> Rule #2
> [SECURITY] [MARK_ID] [ETH] [IP] → [QUEUE] [END]
> 
I don't understand why in rule #1 you can't have the mark value
to also mark the security.
From your patch I understand that security is just one bit.
This means that you can say if MSB bit in mark is set then it comes from
security.

Ori,

> >
> > Best,
> > Ori



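The alternative raised in the message above, reserving the MSB of the mark value as a "comes from security" flag, sketched as an added example (not code from this thread or from DPDK). `rx_meta`, `make_mark`, `classify` and `accept_as_decrypted` are hypothetical stand-ins for the driver-reported mark and the application's own rule setup; the sample packets are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: the application reserves the top bit of the 32-bit mark
 * to mean "this packet went through inline security processing". */
#define MARK_SEC_BIT (UINT32_C(1) << 31)
#define MARK_ID_MASK (MARK_SEC_BIT - 1)

enum pkt_class { PKT_UNMARKED, PKT_PLAIN, PKT_SEC_PROCESSED };

/* Hypothetical stand-in for the mark a driver reports with a packet. */
struct rx_meta {
	bool mark_valid;  /* a rule with a MARK action matched this packet */
	uint32_t mark;    /* value that rule's MARK action carried */
};

/* Build the mark for a rule. Application IDs that would collide with the
 * reserved bit are rejected, otherwise a non-security rule could forge
 * the "security processed" indication. */
int make_mark(uint32_t id, bool security_rule, uint32_t *out)
{
	if (id & MARK_SEC_BIT)
		return -1;
	*out = security_rule ? (id | MARK_SEC_BIT) : id;
	return 0;
}

/* Split a received mark back into class and application ID. */
enum pkt_class classify(const struct rx_meta *m, uint32_t *id)
{
	*id = 0;
	if (!m->mark_valid)
		return PKT_UNMARKED;
	*id = m->mark & MARK_ID_MASK;
	return (m->mark & MARK_SEC_BIT) ? PKT_SEC_PROCESSED : PKT_PLAIN;
}

/* Fail closed: only a valid mark with the reserved bit set and the
 * expected ID is treated as decrypted traffic. */
bool accept_as_decrypted(const struct rx_meta *m, uint32_t expected_id)
{
	uint32_t id;

	return classify(m, &id) == PKT_SEC_PROCESSED && id == expected_id;
}

int main(void)
{
	static const char *names[] = { "unmarked", "plain", "security" };
	uint32_t sec_mark, plain_mark, id;

	if (make_mark(7, true, &sec_mark) || make_mark(7, false, &plain_mark))
		return 1;

	/* Constructed samples: same ID 7 with and without the flag, and a
	 * packet for which no mark was reported at all. */
	const struct rx_meta samples[] = {
		{ true, sec_mark },
		{ true, plain_mark },
		{ false, 0 },
	};

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		enum pkt_class c = classify(&samples[i], &id);

		printf("mark=0x%08x class=%s id=%u accept=%d\n",
		       (unsigned)samples[i].mark, names[c], (unsigned)id,
		       accept_as_decrypted(&samples[i], 7));
	}
	return 0;
}
```

The flag is only as trustworthy as the rule set: every rule that sets a mark has to go through the same ID check, because the receive path cannot tell which rule wrote the bit.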
* Re: [dpdk-dev] [PATCH] ethdev: add security flow item
  2020-09-22  9:07           ` Tejasree Kondoj
  2020-09-22 13:28             ` Ori Kam
@ 2020-09-22 14:18             ` Tejasree Kondoj
  2020-09-23 14:30               ` Ori Kam
  1 sibling, 1 reply; 15+ messages in thread
From: Tejasree Kondoj @ 2020-09-22 14:18 UTC (permalink / raw)
  To: Ori Kam, Asaf Penso, Stephen Hemminger
  Cc: Akhil Goyal, Radu Nicolau, Declan Doherty,
	NBU-Contact-Thomas Monjalon, Ferruh Yigit, Andrew Rybchenko,
	Jerin Jacob Kollanukkaran, Narayana Prasad Raju Athreya,
	Anoob Joseph, dev

Hi Ori,

Please see inline.

Thanks,
Tejasree

> -----Original Message-----
> From: Tejasree Kondoj
> Sent: Tuesday, September 22, 2020 2:37 PM
> To: Ori Kam <orika@nvidia.com>; Asaf Penso <asafp@nvidia.com>; Stephen
> Hemminger <stephen@networkplumber.org>
> Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> <radu.nicolau@intel.com>; Declan Doherty <declan.doherty@intel.com>;
> NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh Yigit
> <ferruh.yigit@intel.com>; Andrew Rybchenko
> <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> <pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> dev@dpdk.org
> Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> 
> Please see inline.
> 
> Thanks
> Tejasree
> 
> > -----Original Message-----
> > From: Ori Kam <orika@nvidia.com>
> > Sent: Tuesday, September 22, 2020 1:22 PM
> > To: Asaf Penso <asafp@nvidia.com>; Tejasree Kondoj
> > <ktejasree@marvell.com>; Stephen Hemminger
> > <stephen@networkplumber.org>
> > Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > <radu.nicolau@intel.com>; Declan Doherty <declan.doherty@intel.com>;
> > NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh Yigit
> > <ferruh.yigit@intel.com>; Andrew Rybchenko
> > <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> > <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > <pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> > dev@dpdk.org
> > Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> >
> > External Email
> >
> > ----------------------------------------------------------------------
> > Hi
> > > -----Original Message-----
> > > From: Asaf Penso <asafp@nvidia.com>
> > > Sent: Monday, September 21, 2020 7:09 PM
> > > Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > >
> > >
> > >
> > > Regards,
> > > Asaf Penso
> > >
> > > >-----Original Message-----
> > > >From: Tejasree Kondoj <ktejasree@marvell.com>
> > > >Sent: Monday, September 21, 2020 11:59 AM
> > > >To: Asaf Penso <asafp@nvidia.com>; Stephen Hemminger
> > > ><stephen@networkplumber.org>
> > > >Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > > ><radu.nicolau@intel.com>; Declan Doherty
> > > ><declan.doherty@intel.com>; Ori Kam <orika@nvidia.com>;
> > > >NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh Yigit
> > > ><ferruh.yigit@intel.com>; Andrew Rybchenko
> > > ><arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> > > ><jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > > ><pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> > > >dev@dpdk.org
> > > >Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > > >
> > > >Please see inline.
> > > >
> > > >Thanks
> > > >Tejasree
> > > >
> > > >> -----Original Message-----
> > > >> From: Asaf Penso <asafp@nvidia.com>
> > > >> Sent: Thursday, September 17, 2020 3:09 PM
> > > >> To: Stephen Hemminger <stephen@networkplumber.org>; Tejasree
> > > >Kondoj
> > > >> <ktejasree@marvell.com>
> > > >> Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > > >> <radu.nicolau@intel.com>; Declan Doherty
> > > >> <declan.doherty@intel.com>; Ori Kam <orika@nvidia.com>;
> > > >> NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh Yigit
> > > >> <ferruh.yigit@intel.com>; Andrew Rybchenko
> > > >> <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> > > >> <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > > >> <pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> > > >> dev@dpdk.org
> > > >> Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow
> > > >> item
> > > >>
> > > >> External Email
> > > >>
> > > >> -----------------------------------------------------------------
> > > >> --
> > > >> ---
> > > >> >-----Original Message-----
> > > >> >From: dev <dev-bounces@dpdk.org> On Behalf Of Stephen
> > Hemminger
> > > >> >Sent: Thursday, September 10, 2020 7:46 PM
> > > >> >To: Tejasree Kondoj <ktejasree@marvell.com>
> > > >> >Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > > >> ><radu.nicolau@intel.com>; Declan Doherty
> > > >> ><declan.doherty@intel.com>; Ori Kam <orika@mellanox.com>;
> > > >> >NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh
> Yigit
> > > >> ><ferruh.yigit@intel.com>; Andrew Rybchenko
> > > >> ><arybchenko@solarflare.com>; Jerin Jacob <jerinj@marvell.com>;
> > > >> >Narayana Prasad <pathreya@marvell.com>; Anoob Joseph
> > > >> ><anoobj@marvell.com>; dev@dpdk.org
> > > >> >Subject: Re: [dpdk-dev] [PATCH] ethdev: add security flow item
> > > >> >
> > > >> >On Thu, 10 Sep 2020 22:14:41 +0530 Tejasree Kondoj
> > > >> ><ktejasree@marvell.com> wrote:
> > > >> >
> > > >> >> Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to
> > > >> distinguish
> > > >> >> plain packets from IPsec decrypted plain packets.
> > > >> >>
> > > >> >> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> > > >> >
> > > >> >Please provide an implementation, API's without any driver
> > > >> >support should not be accepted.
> > > >> >
> > > >> >Also, we need a test for this.
> > > >
> > > >[Tejasree] We would like to defer the patch and add implementation,
> > > >test case in next cycle.
> > > >
> > > >>
> > > >> +1
> > > >> Also, I think the word SECURITY is too high-level, and if
> > > >> specifically you mention here an item for IPSec, perhaps you can
> > consider renaming.
> > > >
> > > >[Tejasree] This item matches security processed packets and not
> > > >specific to IPsec.
> > > >Will change commit description as follows:
> > > >" Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to match
> > > >packets that were security processed. For example, in case of
> > > >inline IPsec, it can be used to distinguish plain packets from
> > > >IPsec decrypted
> > plain packets"
> > > >Would that be fine?
> > >
> > > It would be more clear, yes, thank you, but in this case I suggest
> > > to have a field in the spec that you can match on it.
> > > For example, is it viable to know if the packet was processed by
> > > IPSec and not AES? Maybe you want to have 2 flow with this new item,
> > > but still differentiate between the types.
> >
> > Why not use mark/tag/meta to set this value?
> > The application will insert a flow that sends to security and mark the
> > flow with some ID then the application can check this ID.
> 
> [Tejasree] SECURITY itself wouldn't make distinction on protocol.
> It would be combined with MARK_ID to know if the packet was processed by
> IPsec and not AES.
> 
> MARK_ID alone couldn't be used as we wouldn't know if it is plain packet or
> security processed plain packet.
> 
> Rules would be as follows:
> Rule #1
> [ETH] [IP] [ESP] [SPI] → [SECURITY] [MARK_ID] [END]
> Rule #2
> [SECURITY] [MARK_ID] [ETH] [IP] → [QUEUE] [END]
> 
> I don't understand why in rule #1 you can't have the mark value
> to also mark the security.
> From your patch I understand that security is just one bit.
> This means that you can say if MSB bit in mark is set then it comes from
> security.

[Tejasree] We can use MSB of MARK_ID but that would mean we would be reserving it for security.

> >
> > Best,
> > Ori


^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [dpdk-dev] [PATCH] ethdev: add security flow item
  2020-09-22 14:18             ` Tejasree Kondoj
@ 2020-09-23 14:30               ` Ori Kam
  2020-09-24  5:30                 ` Tejasree Kondoj
  0 siblings, 1 reply; 15+ messages in thread
From: Ori Kam @ 2020-09-23 14:30 UTC (permalink / raw)
  To: Tejasree Kondoj, Asaf Penso, Stephen Hemminger
  Cc: Akhil Goyal, Radu Nicolau, Declan Doherty,
	NBU-Contact-Thomas Monjalon, Ferruh Yigit, Andrew Rybchenko,
	Jerin Jacob Kollanukkaran, Narayana Prasad Raju Athreya,
	Anoob Joseph, dev

Hi

> -----Original Message-----
> From: Tejasree Kondoj <ktejasree@marvell.com>
> Sent: Tuesday, September 22, 2020 5:18 PM
> Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> 
> Hi Ori,
> 
> Please see inline.
> 
> Thanks,
> Tejasree
> 
> > -----Original Message-----
> > From: Tejasree Kondoj
> > Sent: Tuesday, September 22, 2020 2:37 PM
> > To: Ori Kam <orika@nvidia.com>; Asaf Penso <asafp@nvidia.com>; Stephen
> > Hemminger <stephen@networkplumber.org>
> > Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > <radu.nicolau@intel.com>; Declan Doherty <declan.doherty@intel.com>;
> > NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh Yigit
> > <ferruh.yigit@intel.com>; Andrew Rybchenko
> > <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> > <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > <pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> > dev@dpdk.org
> > Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> >
> > Please see inline.
> >
> > Thanks
> > Tejasree
> >
> > > -----Original Message-----
> > > From: Ori Kam <orika@nvidia.com>
> > > Sent: Tuesday, September 22, 2020 1:22 PM
> > > To: Asaf Penso <asafp@nvidia.com>; Tejasree Kondoj
> > > <ktejasree@marvell.com>; Stephen Hemminger
> > > <stephen@networkplumber.org>
> > > Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > > <radu.nicolau@intel.com>; Declan Doherty <declan.doherty@intel.com>;
> > > NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh Yigit
> > > <ferruh.yigit@intel.com>; Andrew Rybchenko
> > > <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> > > <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > > <pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> > > dev@dpdk.org
> > > Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > >
> > > External Email
> > >
> > > ----------------------------------------------------------------------
> > > Hi
> > > > -----Original Message-----
> > > > From: Asaf Penso <asafp@nvidia.com>
> > > > Sent: Monday, September 21, 2020 7:09 PM
> > > > Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > > >
> > > >
> > > >
> > > > Regards,
> > > > Asaf Penso
> > > >
> > > > >-----Original Message-----
> > > > >From: Tejasree Kondoj <ktejasree@marvell.com>
> > > > >Sent: Monday, September 21, 2020 11:59 AM
> > > > >To: Asaf Penso <asafp@nvidia.com>; Stephen Hemminger
> > > > ><stephen@networkplumber.org>
> > > > >Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > > > ><radu.nicolau@intel.com>; Declan Doherty
> > > > ><declan.doherty@intel.com>; Ori Kam <orika@nvidia.com>;
> > > > >NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh Yigit
> > > > ><ferruh.yigit@intel.com>; Andrew Rybchenko
> > > > ><arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> > > > ><jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > > > ><pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> > > > >dev@dpdk.org
> > > > >Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > > > >
> > > > >Please see inline.
> > > > >
> > > > >Thanks
> > > > >Tejasree
> > > > >
> > > > >> -----Original Message-----
> > > > >> From: Asaf Penso <asafp@nvidia.com>
> > > > >> Sent: Thursday, September 17, 2020 3:09 PM
> > > > >> To: Stephen Hemminger <stephen@networkplumber.org>; Tejasree
> > > > >Kondoj
> > > > >> <ktejasree@marvell.com>
> > > > >> Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > > > >> <radu.nicolau@intel.com>; Declan Doherty
> > > > >> <declan.doherty@intel.com>; Ori Kam <orika@nvidia.com>;
> > > > >> NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh Yigit
> > > > >> <ferruh.yigit@intel.com>; Andrew Rybchenko
> > > > >> <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> > > > >> <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > > > >> <pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> > > > >> dev@dpdk.org
> > > > >> Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow
> > > > >> item
> > > > >>
> > > > >> External Email
> > > > >>
> > > > >> -----------------------------------------------------------------
> > > > >> --
> > > > >> ---
> > > > >> >-----Original Message-----
> > > > >> >From: dev <dev-bounces@dpdk.org> On Behalf Of Stephen
> > > Hemminger
> > > > >> >Sent: Thursday, September 10, 2020 7:46 PM
> > > > >> >To: Tejasree Kondoj <ktejasree@marvell.com>
> > > > >> >Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > > > >> ><radu.nicolau@intel.com>; Declan Doherty
> > > > >> ><declan.doherty@intel.com>; Ori Kam <orika@mellanox.com>;
> > > > >> >NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh
> > Yigit
> > > > >> ><ferruh.yigit@intel.com>; Andrew Rybchenko
> > > > >> ><arybchenko@solarflare.com>; Jerin Jacob <jerinj@marvell.com>;
> > > > >> >Narayana Prasad <pathreya@marvell.com>; Anoob Joseph
> > > > >> ><anoobj@marvell.com>; dev@dpdk.org
> > > > >> >Subject: Re: [dpdk-dev] [PATCH] ethdev: add security flow item
> > > > >> >
> > > > >> >On Thu, 10 Sep 2020 22:14:41 +0530 Tejasree Kondoj
> > > > >> ><ktejasree@marvell.com> wrote:
> > > > >> >
> > > > >> >> Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to
> > > > >> distinguish
> > > > >> >> plain packets from IPsec decrypted plain packets.
> > > > >> >>
> > > > >> >> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> > > > >> >
> > > > >> >Please provide an implementation, API's without any driver
> > > > >> >support should not be accepted.
> > > > >> >
> > > > >> >Also, we need a test for this.
> > > > >
> > > > >[Tejasree] We would like to defer the patch and add implementation,
> > > > >test case in next cycle.
> > > > >
> > > > >>
> > > > >> +1
> > > > >> Also, I think the word SECURITY is too high-level, and if
> > > > >> specifically you mention here an item for IPSec, perhaps you can
> > > consider renaming.
> > > > >
> > > > >[Tejasree] This item matches security processed packets and not
> > > > >specific to IPsec.
> > > > >Will change commit description as follows:
> > > > >" Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to match
> > > > >packets that were security processed. For example, in case of
> > > > >inline IPsec, it can be used to distinguish plain packets from
> > > > >IPsec decrypted
> > > plain packets"
> > > > >Would that be fine?
> > > >
> > > > It would be more clear, yes, thank you, but in this case I suggest
> > > > to have a field in the spec that you can match on it.
> > > > For example, is it viable to know if the packet was processed by
> > > > IPSec and not AES? Maybe you want to have 2 flow with this new item,
> > > > but still differentiate between the types.
> > >
> > > Why not use mark/tag/meta to set this value?
> > > The application will insert a flow that sends to security and mark the
> > > flow with some ID then the application can check this ID.
> >
> > [Tejasree] SECURITY itself wouldn't make distinction on protocol.
> > It would be combined with MARK_ID to know if the packet was processed by
> > IPsec and not AES.
> >
> > MARK_ID alone couldn't be used as we wouldn't know if it is plain packet or
> > security processed plain packet.
> >
> > Rules would be as follows:
> > Rule #1
> > [ETH] [IP] [ESP] [SPI] → [SECURITY] [MARK_ID] [END]
> > Rule #2
> > [SECURITY] [MARK_ID] [ETH] [IP] → [QUEUE] [END]
> >
> > I don't understand why in rule #1 you can't have the mark value
> > to also mark the security.
> > From your patch I understand that security is just one bit.
> > This means that you can say if MSB bit in mark is set then it comes from
> > security.
> 
> [Tejasree] We can use MSB of MARK_ID but that would mean we would be
> reserving it for security.
> 
[Ori] But why does the PMD need it? The application knows what it needs, so it can use it.
It is the application's decision to send to the security, right? So it knows what values to set.

Also the application can use tag or any other data item.



> > >
> > > Best,
> > > Ori


^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [dpdk-dev] [PATCH] ethdev: add security flow item
  2020-09-23 14:30               ` Ori Kam
@ 2020-09-24  5:30                 ` Tejasree Kondoj
  2020-09-24  9:51                   ` Ori Kam
  0 siblings, 1 reply; 15+ messages in thread
From: Tejasree Kondoj @ 2020-09-24  5:30 UTC (permalink / raw)
  To: Ori Kam, Asaf Penso, Stephen Hemminger
  Cc: Akhil Goyal, Radu Nicolau, Declan Doherty,
	NBU-Contact-Thomas Monjalon, Ferruh Yigit, Andrew Rybchenko,
	Jerin Jacob Kollanukkaran, Narayana Prasad Raju Athreya,
	Anoob Joseph, dev

Thanks,
Tejasree

> -----Original Message-----
> From: Ori Kam <orika@nvidia.com>
> Sent: Wednesday, September 23, 2020 8:00 PM
> To: Tejasree Kondoj <ktejasree@marvell.com>; Asaf Penso
> <asafp@nvidia.com>; Stephen Hemminger <stephen@networkplumber.org>
> Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> <radu.nicolau@intel.com>; Declan Doherty <declan.doherty@intel.com>;
> NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh Yigit
> <ferruh.yigit@intel.com>; Andrew Rybchenko
> <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> <pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> dev@dpdk.org
> Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> 
> External Email
> 
> ----------------------------------------------------------------------
> Hi
> 
> > -----Original Message-----
> > From: Tejasree Kondoj <ktejasree@marvell.com>
> > Sent: Tuesday, September 22, 2020 5:18 PM
> > Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> >
> > Hi Ori,
> >
> > Please see inline.
> >
> > Thanks,
> > Tejasree
> >
> > > -----Original Message-----
> > > From: Tejasree Kondoj
> > > Sent: Tuesday, September 22, 2020 2:37 PM
> > > To: Ori Kam <orika@nvidia.com>; Asaf Penso <asafp@nvidia.com>;
> > > Stephen Hemminger <stephen@networkplumber.org>
> > > Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > > <radu.nicolau@intel.com>; Declan Doherty <declan.doherty@intel.com>;
> > > NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh Yigit
> > > <ferruh.yigit@intel.com>; Andrew Rybchenko
> > > <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> > > <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > > <pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> > > dev@dpdk.org
> > > Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > >
> > > Please see inline.
> > >
> > > Thanks
> > > Tejasree
> > >
> > > > -----Original Message-----
> > > > From: Ori Kam <orika@nvidia.com>
> > > > Sent: Tuesday, September 22, 2020 1:22 PM
> > > > To: Asaf Penso <asafp@nvidia.com>; Tejasree Kondoj
> > > > <ktejasree@marvell.com>; Stephen Hemminger
> > > > <stephen@networkplumber.org>
> > > > Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > > > <radu.nicolau@intel.com>; Declan Doherty
> > > > <declan.doherty@intel.com>; NBU-Contact-Thomas Monjalon
> > > > <thomas@monjalon.net>; Ferruh Yigit <ferruh.yigit@intel.com>;
> > > > Andrew Rybchenko <arybchenko@solarflare.com>; Jerin Jacob
> > > > Kollanukkaran <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > > > <pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> > > > dev@dpdk.org
> > > > Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow
> > > > item
> > > >
> > > > External Email
> > > >
> > > > ------------------------------------------------------------------
> > > > ----
> > > > Hi
> > > > > -----Original Message-----
> > > > > From: Asaf Penso <asafp@nvidia.com>
> > > > > Sent: Monday, September 21, 2020 7:09 PM
> > > > > Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > > > >
> > > > >
> > > > >
> > > > > Regards,
> > > > > Asaf Penso
> > > > >
> > > > > >-----Original Message-----
> > > > > >From: Tejasree Kondoj <ktejasree@marvell.com>
> > > > > >Sent: Monday, September 21, 2020 11:59 AM
> > > > > >To: Asaf Penso <asafp@nvidia.com>; Stephen Hemminger
> > > > > ><stephen@networkplumber.org>
> > > > > >Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > > > > ><radu.nicolau@intel.com>; Declan Doherty
> > > > > ><declan.doherty@intel.com>; Ori Kam <orika@nvidia.com>;
> > > > > >NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh
> Yigit
> > > > > ><ferruh.yigit@intel.com>; Andrew Rybchenko
> > > > > ><arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> > > > > ><jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > > > > ><pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> > > > > >dev@dpdk.org
> > > > > >Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > > > > >
> > > > > >Please see inline.
> > > > > >
> > > > > >Thanks
> > > > > >Tejasree
> > > > > >
> > > > > >> -----Original Message-----
> > > > > >> From: Asaf Penso <asafp@nvidia.com>
> > > > > >> Sent: Thursday, September 17, 2020 3:09 PM
> > > > > >> To: Stephen Hemminger <stephen@networkplumber.org>;
> Tejasree
> > > > > >Kondoj
> > > > > >> <ktejasree@marvell.com>
> > > > > >> Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > > > > >> <radu.nicolau@intel.com>; Declan Doherty
> > > > > >> <declan.doherty@intel.com>; Ori Kam <orika@nvidia.com>;
> > > > > >> NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh
> > > > > >> Yigit <ferruh.yigit@intel.com>; Andrew Rybchenko
> > > > > >> <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> > > > > >> <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > > > > >> <pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> > > > > >> dev@dpdk.org
> > > > > >> Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security
> > > > > >> flow item
> > > > > >>
> > > > > >> External Email
> > > > > >>
> > > > > >> -------------------------------------------------------------
> > > > > >> ----
> > > > > >> --
> > > > > >> ---
> > > > > >> >-----Original Message-----
> > > > > >> >From: dev <dev-bounces@dpdk.org> On Behalf Of Stephen
> > > > Hemminger
> > > > > >> >Sent: Thursday, September 10, 2020 7:46 PM
> > > > > >> >To: Tejasree Kondoj <ktejasree@marvell.com>
> > > > > >> >Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > > > > >> ><radu.nicolau@intel.com>; Declan Doherty
> > > > > >> ><declan.doherty@intel.com>; Ori Kam <orika@mellanox.com>;
> > > > > >> >NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh
> > > Yigit
> > > > > >> ><ferruh.yigit@intel.com>; Andrew Rybchenko
> > > > > >> ><arybchenko@solarflare.com>; Jerin Jacob
> > > > > >> ><jerinj@marvell.com>; Narayana Prasad
> > > > > >> ><pathreya@marvell.com>; Anoob Joseph
> <anoobj@marvell.com>;
> > > > > >> >dev@dpdk.org
> > > > > >> >Subject: Re: [dpdk-dev] [PATCH] ethdev: add security flow
> > > > > >> >item
> > > > > >> >
> > > > > >> >On Thu, 10 Sep 2020 22:14:41 +0530 Tejasree Kondoj
> > > > > >> ><ktejasree@marvell.com> wrote:
> > > > > >> >
> > > > > >> >> Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to
> > > > > >> distinguish
> > > > > >> >> plain packets from IPsec decrypted plain packets.
> > > > > >> >>
> > > > > >> >> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> > > > > >> >
> > > > > >> >Please provide an implementation, API's without any driver
> > > > > >> >support should not be accepted.
> > > > > >> >
> > > > > >> >Also, we need a test for this.
> > > > > >
> > > > > >[Tejasree] We would like to defer the patch and add
> > > > > >implementation, test case in next cycle.
> > > > > >
> > > > > >>
> > > > > >> +1
> > > > > >> Also, I think the word SECURITY is too high-level, and if
> > > > > >> specifically you mention here an item for IPSec, perhaps you
> > > > > >> can
> > > > consider renaming.
> > > > > >
> > > > > >[Tejasree] This item matches security processed packets and not
> > > > > >specific to IPsec.
> > > > > >Will change commit description as follows:
> > > > > >" Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to
> > > > > >match packets that were security processed. For example, in
> > > > > >case of inline IPsec, it can be used to distinguish plain
> > > > > >packets from IPsec decrypted
> > > > plain packets"
> > > > > >Would that be fine?
> > > > >
> > > > > It would be more clear, yes, thank you, but in this case I
> > > > > suggest to have a field in the spec that you can match on it.
> > > > > For example, is it viable to know if the packet was processed by
> > > > > IPSec and not AES? Maybe you want to have 2 flow with this new
> > > > > item, but still differentiate between the types.
> > > >
> > > > Why not use mark/tag/meta to set this value?
> > > > The application will insert a flow that sends to security and mark
> > > > the flow with some ID then the application can check this ID.
> > >
> > > [Tejasree] SECURITY itself wouldn't make distinction on protocol.
> > > It would be combined with MARK_ID to know if the packet was
> > > processed by IPsec and not AES.
> > >
> > > MARK_ID alone couldn't be used as we wouldn't know if it is plain
> > > packet or security processed plain packet.
> > >
> > > Rules would be as follows:
> > > Rule #1
> > > [ETH] [IP] [ESP] [SPI] → [SECURITY] [MARK_ID] [END]
> > > Rule #2
> > > [SECURITY] [MARK_ID] [ETH] [IP] → [QUEUE] [END]
> > >
> > > I don't understand why in rule #1 you can't have the mark value to
> > > also mark the security.
> > > From your patch I understand that security is just one bit. This
> > > means that you can say if MSB bit in mark is set then it comes from
> > > security.
> >
> > [Tejasree] We can use MSB of MARK_ID but that would mean we would be
> > reserving it for security.
> >
> [Ori] But why does the PMD need it? The application knows what it needs, so
> it can use it. It is the application's decision to send to the security, right? So it
> knows what values to set.
> 
> Also the application can use tag or any other data item.
> 
[Tejasree] PMD needs it to establish connection between security and final action to be done (queue for example).

First rule works on the outer packet where the inner packet would be hidden by the protocol (like encrypted payload in IPsec) and the second rule will act on the decapsulated packet. So the packets themselves are different and we cannot have one rule.

In IPsec it is valid (and a very trivial usage) to have one outer flow constitute multiple inner flows. Without this, application will not be able to configure hardware to treat inner flows differently.

> 
> 
> > > >
> > > > Best,
> > > > Ori


^ permalink raw reply	[flat|nested] 15+ messages in thread
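
The two-rule scheme discussed in this exchange, as an added example that is not part of the thread or of DPDK: a small C model comparing rule #2 keyed on SECURITY plus MARK_ID, on MARK_ID with the MSB reserved, and on MARK_ID alone. All names are hypothetical and the tables are constructed; it shows one SPI fanning out to two inner flows and which variants still separate cleartext packets from decrypted ones when an unrelated rule has marked cleartext traffic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed software model of the two-rule pipeline; not DPDK code. */
#define NO_QUEUE     (-1)
#define SEC_MARK_BIT 0x80000000u /* MSB of the 32-bit mark */
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define COUNT(t) (sizeof(t) / sizeof((t)[0]))

enum mode {
    MODE_SECURITY_ITEM, /* rule #2 matches [SECURITY] [MARK_ID] */
    MODE_MARK_MSB,      /* rule #2 matches MARK_ID with the MSB reserved */
    MODE_MARK_ONLY      /* rule #2 matches MARK_ID alone */
};

struct pkt {
    bool     esp;       /* outer header is ESP, inner headers hidden */
    uint32_t spi;       /* outer SPI, meaningful while esp is true */
    uint32_t inner_dst; /* destination IP visible once the packet is plain */
    bool     sec_done;  /* set only by inline security processing */
    bool     has_mark;
    uint32_t mark;
};

struct rule1 { uint32_t spi; uint32_t mark_id; };
struct rule2 { uint32_t mark_id; uint32_t inner_dst; int queue; };

/* Constructed tables: one SA (outer flow) carrying two inner flows. */
static const struct rule1 outer_rules[] = { { 0x100, 7 } };
static const struct rule2 inner_rules[] = {
    { 7, IP4(10, 0, 0, 1), 1 },
    { 7, IP4(10, 0, 0, 2), 2 },
};

/* Rule #1: [ETH] [IP] [ESP] [SPI] -> [SECURITY] [MARK_ID] */
static void stage1(struct pkt *p, enum mode m)
{
    if (!p->esp)
        return;
    for (size_t i = 0; i < COUNT(outer_rules); i++) {
        if (outer_rules[i].spi != p->spi)
            continue;
        p->esp = false;     /* decapsulated: inner headers now visible */
        p->sec_done = true;
        p->has_mark = true;
        p->mark = outer_rules[i].mark_id | (m == MODE_MARK_MSB ? SEC_MARK_BIT : 0u);
        return;
    }
}

/* Rule #2: [SECURITY] [MARK_ID] [ETH] [IP] -> [QUEUE] */
static int stage2(const struct pkt *p, enum mode m)
{
    if (p->esp || !p->has_mark)
        return NO_QUEUE;    /* still encrypted, or nothing to match on */
    for (size_t i = 0; i < COUNT(inner_rules); i++) {
        const struct rule2 *r = &inner_rules[i];
        bool hit = (m == MODE_SECURITY_ITEM) ? (p->sec_done && p->mark == r->mark_id)
                 : (m == MODE_MARK_MSB)      ? (p->mark == (r->mark_id | SEC_MARK_BIT))
                 :                             (p->mark == r->mark_id);
        if (hit && p->inner_dst == r->inner_dst)
            return r->queue;
    }
    return NO_QUEUE;
}

/* Run both stages on a copy of the packet and return the selected queue. */
int classify(struct pkt p, enum mode m)
{
    stage1(&p, m);
    return stage2(&p, m);
}

struct pkt esp_pkt(uint32_t spi, uint32_t inner_dst)
{
    return (struct pkt){ .esp = true, .spi = spi, .inner_dst = inner_dst };
}

/* Cleartext packet, optionally already marked by an unrelated rule. */
struct pkt plain_pkt(uint32_t inner_dst, bool has_mark, uint32_t mark)
{
    return (struct pkt){ .inner_dst = inner_dst, .has_mark = has_mark, .mark = mark };
}

int main(void)
{
    static const char *const names[] = { "SECURITY+MARK", "MARK, MSB set", "MARK only" };
    uint32_t dst = IP4(10, 0, 0, 1);
    for (int m = MODE_SECURITY_ITEM; m <= MODE_MARK_ONLY; m++) {
        printf("%-13s  esp:%d  plain mark=7:%d  plain mark=0x80000007:%d\n", names[m],
               classify(esp_pkt(0x100, dst), (enum mode)m),
               classify(plain_pkt(dst, true, 7), (enum mode)m),
               classify(plain_pkt(dst, true, SEC_MARK_BIT | 7), (enum mode)m));
    }
    return 0;
}
```

In the MSB variant the separation holds only while every other rule that sets a mark keeps bit 31 clear, which is the reservation Tejasree refers to.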

* Re: [dpdk-dev] [PATCH] ethdev: add security flow item
  2020-09-24  5:30                 ` Tejasree Kondoj
@ 2020-09-24  9:51                   ` Ori Kam
  2020-09-24 10:07                     ` Tejasree Kondoj
  0 siblings, 1 reply; 15+ messages in thread
From: Ori Kam @ 2020-09-24  9:51 UTC (permalink / raw)
  To: Tejasree Kondoj, Asaf Penso, Stephen Hemminger
  Cc: Akhil Goyal, Radu Nicolau, Declan Doherty,
	NBU-Contact-Thomas Monjalon, Ferruh Yigit, Andrew Rybchenko,
	Jerin Jacob Kollanukkaran, Narayana Prasad Raju Athreya,
	Anoob Joseph, dev

Thanks,
Ori

> -----Original Message-----
> From: Tejasree Kondoj <ktejasree@marvell.com>
> Sent: Thursday, September 24, 2020 8:31 AM
> 
> Thanks,
> Tejasree
> 
> > -----Original Message-----
> > From: Ori Kam <orika@nvidia.com>
> > Sent: Wednesday, September 23, 2020 8:00 PM
> > To: Tejasree Kondoj <ktejasree@marvell.com>; Asaf Penso
> > <asafp@nvidia.com>; Stephen Hemminger <stephen@networkplumber.org>
> > Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > <radu.nicolau@intel.com>; Declan Doherty <declan.doherty@intel.com>;
> > NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh Yigit
> > <ferruh.yigit@intel.com>; Andrew Rybchenko
> > <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> > <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > <pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> > dev@dpdk.org
> > Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> >
> > External Email
> >
> > ----------------------------------------------------------------------
> > Hi
> >
> > > -----Original Message-----
> > > From: Tejasree Kondoj <ktejasree@marvell.com>
> > > Sent: Tuesday, September 22, 2020 5:18 PM
> > > Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > >
> > > Hi Ori,
> > >
> > > Please see inline.
> > >
> > > Thanks,
> > > Tejasree
> > >
> > > > -----Original Message-----
> > > > From: Tejasree Kondoj
> > > > Sent: Tuesday, September 22, 2020 2:37 PM
> > > > To: Ori Kam <orika@nvidia.com>; Asaf Penso <asafp@nvidia.com>;
> > > > Stephen Hemminger <stephen@networkplumber.org>
> > > > Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > > > <radu.nicolau@intel.com>; Declan Doherty <declan.doherty@intel.com>;
> > > > NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh Yigit
> > > > <ferruh.yigit@intel.com>; Andrew Rybchenko
> > > > <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> > > > <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > > > <pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> > > > dev@dpdk.org
> > > > Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > > >
> > > > Please see inline.
> > > >
> > > > Thanks
> > > > Tejasree
> > > >
> > > > > -----Original Message-----
> > > > > From: Ori Kam <orika@nvidia.com>
> > > > > Sent: Tuesday, September 22, 2020 1:22 PM
> > > > > To: Asaf Penso <asafp@nvidia.com>; Tejasree Kondoj
> > > > > <ktejasree@marvell.com>; Stephen Hemminger
> > > > > <stephen@networkplumber.org>
> > > > > Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > > > > <radu.nicolau@intel.com>; Declan Doherty
> > > > > <declan.doherty@intel.com>; NBU-Contact-Thomas Monjalon
> > > > > <thomas@monjalon.net>; Ferruh Yigit <ferruh.yigit@intel.com>;
> > > > > Andrew Rybchenko <arybchenko@solarflare.com>; Jerin Jacob
> > > > > Kollanukkaran <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > > > > <pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> > > > > dev@dpdk.org
> > > > > Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow
> > > > > item
> > > > >
> > > > > External Email
> > > > >
> > > > > ------------------------------------------------------------------
> > > > > ----
> > > > > Hi
> > > > > > -----Original Message-----
> > > > > > From: Asaf Penso <asafp@nvidia.com>
> > > > > > Sent: Monday, September 21, 2020 7:09 PM
> > > > > > Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > > > > >
> > > > > >
> > > > > >
> > > > > > Regards,
> > > > > > Asaf Penso
> > > > > >
> > > > > > >-----Original Message-----
> > > > > > >From: Tejasree Kondoj <ktejasree@marvell.com>
> > > > > > >Sent: Monday, September 21, 2020 11:59 AM
> > > > > > >To: Asaf Penso <asafp@nvidia.com>; Stephen Hemminger
> > > > > > ><stephen@networkplumber.org>
> > > > > > >Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > > > > > ><radu.nicolau@intel.com>; Declan Doherty
> > > > > > ><declan.doherty@intel.com>; Ori Kam <orika@nvidia.com>;
> > > > > > >NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh
> > Yigit
> > > > > > ><ferruh.yigit@intel.com>; Andrew Rybchenko
> > > > > > ><arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> > > > > > ><jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > > > > > ><pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> > > > > > >dev@dpdk.org
> > > > > > >Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > > > > > >
> > > > > > >Please see inline.
> > > > > > >
> > > > > > >Thanks
> > > > > > >Tejasree
> > > > > > >
> > > > > > >> -----Original Message-----
> > > > > > >> From: Asaf Penso <asafp@nvidia.com>
> > > > > > >> Sent: Thursday, September 17, 2020 3:09 PM
> > > > > > >> To: Stephen Hemminger <stephen@networkplumber.org>;
> > Tejasree
> > > > > > >Kondoj
> > > > > > >> <ktejasree@marvell.com>
> > > > > > >> Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > > > > > >> <radu.nicolau@intel.com>; Declan Doherty
> > > > > > >> <declan.doherty@intel.com>; Ori Kam <orika@nvidia.com>;
> > > > > > >> NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh
> > > > > > >> Yigit <ferruh.yigit@intel.com>; Andrew Rybchenko
> > > > > > >> <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> > > > > > >> <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > > > > > >> <pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> > > > > > >> dev@dpdk.org
> > > > > > >> Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security
> > > > > > >> flow item
> > > > > > >>
> > > > > > >> External Email
> > > > > > >>
> > > > > > >> -------------------------------------------------------------
> > > > > > >> ----
> > > > > > >> --
> > > > > > >> ---
> > > > > > >> >-----Original Message-----
> > > > > > >> >From: dev <dev-bounces@dpdk.org> On Behalf Of Stephen
> > > > > Hemminger
> > > > > > >> >Sent: Thursday, September 10, 2020 7:46 PM
> > > > > > >> >To: Tejasree Kondoj <ktejasree@marvell.com>
> > > > > > >> >Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > > > > > >> ><radu.nicolau@intel.com>; Declan Doherty
> > > > > > >> ><declan.doherty@intel.com>; Ori Kam <orika@mellanox.com>;
> > > > > > >> >NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh
> > > > Yigit
> > > > > > >> ><ferruh.yigit@intel.com>; Andrew Rybchenko
> > > > > > >> ><arybchenko@solarflare.com>; Jerin Jacob
> > > > > > >> ><jerinj@marvell.com>; Narayana Prasad
> > > > > > >> ><pathreya@marvell.com>; Anoob Joseph
> > <anoobj@marvell.com>;
> > > > > > >> >dev@dpdk.org
> > > > > > >> >Subject: Re: [dpdk-dev] [PATCH] ethdev: add security flow
> > > > > > >> >item
> > > > > > >> >
> > > > > > >> >On Thu, 10 Sep 2020 22:14:41 +0530 Tejasree Kondoj
> > > > > > >> ><ktejasree@marvell.com> wrote:
> > > > > > >> >
> > > > > > >> >> Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to
> > > > > > >> distinguish
> > > > > > >> >> plain packets from IPsec decrypted plain packets.
> > > > > > >> >>
> > > > > > >> >> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> > > > > > >> >
> > > > > > >> >Please provide an implementation, API's without any driver
> > > > > > >> >support should not be accepted.
> > > > > > >> >
> > > > > > >> >Also, we need a test for this.
> > > > > > >
> > > > > > >[Tejasree] We would like to defer the patch and add
> > > > > > >implementation, test case in next cycle.
> > > > > > >
> > > > > > >>
> > > > > > >> +1
> > > > > > >> Also, I think the word SECURITY is too high-level, and if
> > > > > > >> specifically you mention here an item for IPSec, perhaps you
> > > > > > >> can
> > > > > consider renaming.
> > > > > > >
> > > > > > >[Tejasree] This item matches security processed packets and not
> > > > > > >specific to IPsec.
> > > > > > >Will change commit description as follows:
> > > > > > >" Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to
> > > > > > >match packets that were security processed. For example, in
> > > > > > >case of inline IPsec, it can be used to distinguish plain
> > > > > > >packets from IPsec decrypted
> > > > > plain packets"
> > > > > > >Would that be fine?
> > > > > >
> > > > > > It would be more clear, yes, thank you, but in this case I
> > > > > > suggest to have a field in the spec that you can match on it.
> > > > > > For example, is it viable to know if the packet was processed by
> > > > > > IPSec and not AES? Maybe you want to have 2 flow with this new
> > > > > > item, but still differentiate between the types.
> > > > >
> > > > > Why not use mark/tag/meta to set this value?
> > > > > The application will insert a flow that sends to security and mark
> > > > > the flow with some ID then the application can check this ID.
> > > >
> > > > [Tejasree] SECURITY itself wouldn't make distinction on protocol.
> > > > It would be combined with MARK_ID to know if the packet was
> > > > processed by IPsec and not AES.
> > > >
> > > > MARK_ID alone couldn't be used as we wouldn't know if it is plain
> > > > packet or security processed plain packet.
> > > >
> > > > Rules would be as follows:
> > > > Rule #1
> > > > [ETH] [IP] [ESP] [SPI] → [SECURITY] [MARK_ID] [END]
> > > > Rule #2
> > > > [SECURITY] [MARK_ID] [ETH] [IP] → [QUEUE] [END]
> > > >
> > > > I don't understand why in rule #1 you can't have the mark value to
> > > > also mark the security.
> > > > From your patch I understand that security is just one bit This
> > > > means that you can say if MSB bit in mark is set then it comes from
> > > > security.
> > >
> > > [Tejasree] We can use MSB of MARK_ID but that would mean we would be
> > > reserving it for security.
> > >
> > [Ori] but why does the PMD needs it? the application know what it needs so
> > it can use it, It is the application decision to send to the security right? So it
> > knows what values to set.
> >
> > Also the application can use tag or any other data item.
> >
> [Tejasree] PMD needs it to establish connection between security and final
> action to be done (queue for example).
> 
> First rule works on the outer packet where the inner packet would be hidden by
> the protocol (like encrypted payload in IPsec) and the second rule will act on
> the de-capsulated packet. So the packets itself are different and we cannot
> have one rule.
> 
>  In IPsec it is valid (and a very trivial usage) to have one outer flow constitute
> multiple inner flows. Without this, application will not be able to configure
> hardware to treat inner flows differently.
> 
Fully agree with you that the app needs to know if it passed security.
But this also goes for, for example, a simple tunnel where the app may decap the packet
on the first flow and then do matching on the inner 5-tuple, but it will need to know
if the packet was decapped or what the VNI is.

So in your case the app will send traffic to security and mark it as one that has gone to security,
then in the second rule the app will match on the mark and do what it wants with it.

I simply don't see why you need a new metadata item just to mark if it passed security.

> >
> >
> > > > >
> > > > > Best,
> > > > > Ori


^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [dpdk-dev] [PATCH] ethdev: add security flow item
  2020-09-24  9:51                   ` Ori Kam
@ 2020-09-24 10:07                     ` Tejasree Kondoj
  2021-02-17 17:36                       ` Ferruh Yigit
  0 siblings, 1 reply; 15+ messages in thread
From: Tejasree Kondoj @ 2020-09-24 10:07 UTC (permalink / raw)
  To: Ori Kam, Asaf Penso, Stephen Hemminger
  Cc: Akhil Goyal, Radu Nicolau, Declan Doherty,
	NBU-Contact-Thomas Monjalon, Ferruh Yigit, Andrew Rybchenko,
	Jerin Jacob Kollanukkaran, Narayana Prasad Raju Athreya,
	Anoob Joseph, dev

Hi Ori,

Please see inline.

Thanks,
Tejasree

> -----Original Message-----
> From: Ori Kam <orika@nvidia.com>
> Sent: Thursday, September 24, 2020 3:22 PM
> To: Tejasree Kondoj <ktejasree@marvell.com>; Asaf Penso
> <asafp@nvidia.com>; Stephen Hemminger <stephen@networkplumber.org>
> Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> <radu.nicolau@intel.com>; Declan Doherty <declan.doherty@intel.com>;
> NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh Yigit
> <ferruh.yigit@intel.com>; Andrew Rybchenko
> <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> <pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> dev@dpdk.org
> Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> 
> Thanks,
> Ori
> 
> > -----Original Message-----
> > From: Tejasree Kondoj <ktejasree@marvell.com>
> > Sent: Thursday, September 24, 2020 8:31 AM
> >
> > Thanks,
> > Tejasree
> >
> > > -----Original Message-----
> > > From: Ori Kam <orika@nvidia.com>
> > > Sent: Wednesday, September 23, 2020 8:00 PM
> > > To: Tejasree Kondoj <ktejasree@marvell.com>; Asaf Penso
> > > <asafp@nvidia.com>; Stephen Hemminger
> <stephen@networkplumber.org>
> > > Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > > <radu.nicolau@intel.com>; Declan Doherty <declan.doherty@intel.com>;
> > > NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh Yigit
> > > <ferruh.yigit@intel.com>; Andrew Rybchenko
> > > <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> > > <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > > <pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> > > dev@dpdk.org
> > > Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > >
> > > Hi
> > >
> > > > -----Original Message-----
> > > > From: Tejasree Kondoj <ktejasree@marvell.com>
> > > > Sent: Tuesday, September 22, 2020 5:18 PM
> > > > Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > > >
> > > > Hi Ori,
> > > >
> > > > Please see inline.
> > > >
> > > > Thanks,
> > > > Tejasree
> > > >
> > > > > -----Original Message-----
> > > > > From: Tejasree Kondoj
> > > > > Sent: Tuesday, September 22, 2020 2:37 PM
> > > > > To: Ori Kam <orika@nvidia.com>; Asaf Penso <asafp@nvidia.com>;
> > > > > Stephen Hemminger <stephen@networkplumber.org>
> > > > > Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > > > > <radu.nicolau@intel.com>; Declan Doherty
> > > > > <declan.doherty@intel.com>; NBU-Contact-Thomas Monjalon
> > > > > <thomas@monjalon.net>; Ferruh Yigit <ferruh.yigit@intel.com>;
> > > > > Andrew Rybchenko <arybchenko@solarflare.com>; Jerin Jacob
> > > > > Kollanukkaran <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > > > > <pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> > > > > dev@dpdk.org
> > > > > Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> > > > >
> > > > > Please see inline.
> > > > >
> > > > > Thanks
> > > > > Tejasree
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Ori Kam <orika@nvidia.com>
> > > > > > Sent: Tuesday, September 22, 2020 1:22 PM
> > > > > > To: Asaf Penso <asafp@nvidia.com>; Tejasree Kondoj
> > > > > > <ktejasree@marvell.com>; Stephen Hemminger
> > > > > > <stephen@networkplumber.org>
> > > > > > Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > > > > > <radu.nicolau@intel.com>; Declan Doherty
> > > > > > <declan.doherty@intel.com>; NBU-Contact-Thomas Monjalon
> > > > > > <thomas@monjalon.net>; Ferruh Yigit <ferruh.yigit@intel.com>;
> > > > > > Andrew Rybchenko <arybchenko@solarflare.com>; Jerin Jacob
> > > > > > Kollanukkaran <jerinj@marvell.com>; Narayana Prasad Raju
> > > > > > Athreya <pathreya@marvell.com>; Anoob Joseph
> > > > > > <anoobj@marvell.com>; dev@dpdk.org
> > > > > > Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security
> > > > > > flow item
> > > > > >
> > > > > > Hi
> > > > > > > -----Original Message-----
> > > > > > > From: Asaf Penso <asafp@nvidia.com>
> > > > > > > Sent: Monday, September 21, 2020 7:09 PM
> > > > > > > Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow
> > > > > > > item
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > Regards,
> > > > > > > Asaf Penso
> > > > > > >
> > > > > > > >-----Original Message-----
> > > > > > > >From: Tejasree Kondoj <ktejasree@marvell.com>
> > > > > > > >Sent: Monday, September 21, 2020 11:59 AM
> > > > > > > >To: Asaf Penso <asafp@nvidia.com>; Stephen Hemminger
> > > > > > > ><stephen@networkplumber.org>
> > > > > > > >Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > > > > > > ><radu.nicolau@intel.com>; Declan Doherty
> > > > > > > ><declan.doherty@intel.com>; Ori Kam <orika@nvidia.com>;
> > > > > > > >NBU-Contact-Thomas Monjalon <thomas@monjalon.net>;
> Ferruh
> > > Yigit
> > > > > > > ><ferruh.yigit@intel.com>; Andrew Rybchenko
> > > > > > > ><arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> > > > > > > ><jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > > > > > > ><pathreya@marvell.com>; Anoob Joseph
> <anoobj@marvell.com>;
> > > > > > > >dev@dpdk.org
> > > > > > > >Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow
> > > > > > > >item
> > > > > > > >
> > > > > > > >Please see inline.
> > > > > > > >
> > > > > > > >Thanks
> > > > > > > >Tejasree
> > > > > > > >
> > > > > > > >> -----Original Message-----
> > > > > > > >> From: Asaf Penso <asafp@nvidia.com>
> > > > > > > >> Sent: Thursday, September 17, 2020 3:09 PM
> > > > > > > >> To: Stephen Hemminger <stephen@networkplumber.org>;
> > > Tejasree
> > > > > > > >Kondoj
> > > > > > > >> <ktejasree@marvell.com>
> > > > > > > >> Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > > > > > > >> <radu.nicolau@intel.com>; Declan Doherty
> > > > > > > >> <declan.doherty@intel.com>; Ori Kam <orika@nvidia.com>;
> > > > > > > >> NBU-Contact-Thomas Monjalon <thomas@monjalon.net>;
> Ferruh
> > > > > > > >> Yigit <ferruh.yigit@intel.com>; Andrew Rybchenko
> > > > > > > >> <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
> > > > > > > >> <jerinj@marvell.com>; Narayana Prasad Raju Athreya
> > > > > > > >> <pathreya@marvell.com>; Anoob Joseph
> > > > > > > >> <anoobj@marvell.com>; dev@dpdk.org
> > > > > > > >> Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add
> > > > > > > >> security flow item
> > > > > > > >>
> > > > > > > >> >-----Original Message-----
> > > > > > > >> >From: dev <dev-bounces@dpdk.org> On Behalf Of Stephen
> > > > > > Hemminger
> > > > > > > >> >Sent: Thursday, September 10, 2020 7:46 PM
> > > > > > > >> >To: Tejasree Kondoj <ktejasree@marvell.com>
> > > > > > > >> >Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
> > > > > > > >> ><radu.nicolau@intel.com>; Declan Doherty
> > > > > > > >> ><declan.doherty@intel.com>; Ori Kam
> > > > > > > >> ><orika@mellanox.com>; NBU-Contact-Thomas Monjalon
> > > > > > > >> ><thomas@monjalon.net>; Ferruh
> > > > > Yigit
> > > > > > > >> ><ferruh.yigit@intel.com>; Andrew Rybchenko
> > > > > > > >> ><arybchenko@solarflare.com>; Jerin Jacob
> > > > > > > >> ><jerinj@marvell.com>; Narayana Prasad
> > > > > > > >> ><pathreya@marvell.com>; Anoob Joseph
> > > <anoobj@marvell.com>;
> > > > > > > >> >dev@dpdk.org
> > > > > > > >> >Subject: Re: [dpdk-dev] [PATCH] ethdev: add security
> > > > > > > >> >flow item
> > > > > > > >> >
> > > > > > > >> >On Thu, 10 Sep 2020 22:14:41 +0530 Tejasree Kondoj
> > > > > > > >> ><ktejasree@marvell.com> wrote:
> > > > > > > >> >
> > > > > > > >> >> Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY
> > > > > > > >> >> to
> > > > > > > >> distinguish
> > > > > > > >> >> plain packets from IPsec decrypted plain packets.
> > > > > > > >> >>
> > > > > > > >> >> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> > > > > > > >> >
> > > > > > > >> >Please provide an implementation, API's without any
> > > > > > > >> >driver support should not be accepted.
> > > > > > > >> >
> > > > > > > >> >Also, we need a test for this.
> > > > > > > >
> > > > > > > >[Tejasree] We would like to defer the patch and add
> > > > > > > >implementation, test case in next cycle.
> > > > > > > >
> > > > > > > >>
> > > > > > > >> +1
> > > > > > > >> Also, I think the word SECURITY is too high-level, and if
> > > > > > > >> specifically you mention here an item for IPSec, perhaps
> > > > > > > >> you can
> > > > > > consider renaming.
> > > > > > > >
> > > > > > > >[Tejasree] This item matches security processed packets and
> > > > > > > >not specific to IPsec.
> > > > > > > >Will change commit description as follows:
> > > > > > > >" Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to
> > > > > > > >match packets that were security processed. For example, in
> > > > > > > >case of inline IPsec, it can be used to distinguish plain
> > > > > > > >packets from IPsec decrypted
> > > > > > plain packets"
> > > > > > > >Would that be fine?
> > > > > > >
> > > > > > > It would be more clear, yes, thank you, but in this case I
> > > > > > > suggest to have a field in the spec that you can match on it.
> > > > > > > For example, is it viable to know if the packet was
> > > > > > > processed by IPSec and not AES? Maybe you want to have 2
> > > > > > > flow with this new item, but still differentiate between the types.
> > > > > >
> > > > > > Why not use mark/tag/meta to set this value?
> > > > > > The application will insert a flow that sends to security and
> > > > > > mark the flow with some ID then the application can check this ID.
> > > > >
> > > > > [Tejasree] SECURITY itself wouldn't make distinction on protocol.
> > > > > It would be combined with MARK_ID to know if the packet was
> > > > > processed by IPsec and not AES.
> > > > >
> > > > > MARK_ID alone couldn't be used as we wouldn't know if it is
> > > > > plain packet or security processed plain packet.
> > > > >
> > > > > Rules would be as follows:
> > > > > Rule #1
> > > > > [ETH] [IP] [ESP] [SPI] → [SECURITY] [MARK_ID] [END]
> > > > > Rule #2
> > > > > [SECURITY] [MARK_ID] [ETH] [IP] → [QUEUE] [END]
> > > > >
> > > > > I don't understand why in rule #1 you can't have the mark value
> > > > > to also mark the security.
> > > > > From your patch I understand that security is just one bit This
> > > > > means that you can say if MSB bit in mark is set then it comes
> > > > > from security.
> > > >
> > > > [Tejasree] We can use MSB of MARK_ID but that would mean we would
> > > > be reserving it for security.
> > > >
> > > [Ori] but why does the PMD needs it? the application know what it
> > > needs so it can use it, It is the application decision to send to
> > > the security right? So it knows what values to set.
> > >
> > > Also the application can use tag or any other data item.
> > >
> > [Tejasree] PMD needs it to establish connection between security and
> > final action to be done (queue for example).
> >
> > First rule works on the outer packet where the inner packet would be
> > hidden by the protocol (like encrypted payload in IPsec) and the
> > second rule will act on the de-capsulated packet. So the packets
> > itself are different and we cannot have one rule.
> >
> >  In IPsec it is valid (and a very trivial usage) to have one outer
> > flow constitute multiple inner flows. Without this, application will
> > not be able to configure hardware to treat inner flows differently.
> >
> Fully agree with you that the app needs to know if it passed security. But
> this also goes for, for example, a simple tunnel where the app may decap the
> packet on the first flow and then do matching on the inner 5-tuple, but
> it will need to know if the packet was decapped or what the VNI is.
> 
> So in your case the app will send traffic to security and mark it as one that
> has gone to security, then in the second rule the app will match on the mark
> and do what it wants with it.
> 
> I simply don't see why you need a new metadata item just to mark if it passed
> security.
> 

[Tejasree] Plain packets need to be differentiated from protocol processed ones.
In case of regular tunnel, it may or may not be required to differentiate. But with IPsec, it is mandatory to differentiate. So either we will need to reserve MSB of MARK_ID or allow SECURITY.

> > >
> > >
> > > > > >
> > > > > > Best,
> > > > > > Ori


^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [dpdk-dev] [PATCH] ethdev: add security flow item
  2020-09-24 10:07                     ` Tejasree Kondoj
@ 2021-02-17 17:36                       ` Ferruh Yigit
  2021-04-20  1:08                         ` Ferruh Yigit
  0 siblings, 1 reply; 15+ messages in thread
From: Ferruh Yigit @ 2021-02-17 17:36 UTC (permalink / raw)
  To: Tejasree Kondoj, Ori Kam, Asaf Penso, Stephen Hemminger
  Cc: Akhil Goyal, Radu Nicolau, Declan Doherty,
	NBU-Contact-Thomas Monjalon, Andrew Rybchenko,
	Jerin Jacob Kollanukkaran, Narayana Prasad Raju Athreya,
	Anoob Joseph, dev

On 9/24/2020 11:07 AM, Tejasree Kondoj wrote:
> Hi Ori,
> 
> Please see inline.
> 
> Thanks,
> Tejasree
> 
>> -----Original Message-----
>> From: Ori Kam <orika@nvidia.com>
>> Sent: Thursday, September 24, 2020 3:22 PM
>> To: Tejasree Kondoj <ktejasree@marvell.com>; Asaf Penso
>> <asafp@nvidia.com>; Stephen Hemminger <stephen@networkplumber.org>
>> Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
>> <radu.nicolau@intel.com>; Declan Doherty <declan.doherty@intel.com>;
>> NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh Yigit
>> <ferruh.yigit@intel.com>; Andrew Rybchenko
>> <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
>> <jerinj@marvell.com>; Narayana Prasad Raju Athreya
>> <pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
>> dev@dpdk.org
>> Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow item
>>
>> Thanks,
>> Ori
>>
>>> -----Original Message-----
>>> From: Tejasree Kondoj <ktejasree@marvell.com>
>>> Sent: Thursday, September 24, 2020 8:31 AM
>>>
>>> Thanks,
>>> Tejasree
>>>
>>>> -----Original Message-----
>>>> From: Ori Kam <orika@nvidia.com>
>>>> Sent: Wednesday, September 23, 2020 8:00 PM
>>>> To: Tejasree Kondoj <ktejasree@marvell.com>; Asaf Penso
>>>> <asafp@nvidia.com>; Stephen Hemminger
>> <stephen@networkplumber.org>
>>>> Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
>>>> <radu.nicolau@intel.com>; Declan Doherty <declan.doherty@intel.com>;
>>>> NBU-Contact-Thomas Monjalon <thomas@monjalon.net>; Ferruh Yigit
>>>> <ferruh.yigit@intel.com>; Andrew Rybchenko
>>>> <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
>>>> <jerinj@marvell.com>; Narayana Prasad Raju Athreya
>>>> <pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
>>>> dev@dpdk.org
>>>> Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow item
>>>>
>>>> Hi
>>>>
>>>>> -----Original Message-----
>>>>> From: Tejasree Kondoj <ktejasree@marvell.com>
>>>>> Sent: Tuesday, September 22, 2020 5:18 PM
>>>>> Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
>>>>>
>>>>> Hi Ori,
>>>>>
>>>>> Please see inline.
>>>>>
>>>>> Thanks,
>>>>> Tejasree
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Tejasree Kondoj
>>>>>> Sent: Tuesday, September 22, 2020 2:37 PM
>>>>>> To: Ori Kam <orika@nvidia.com>; Asaf Penso <asafp@nvidia.com>;
>>>>>> Stephen Hemminger <stephen@networkplumber.org>
>>>>>> Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
>>>>>> <radu.nicolau@intel.com>; Declan Doherty
>>>>>> <declan.doherty@intel.com>; NBU-Contact-Thomas Monjalon
>>>>>> <thomas@monjalon.net>; Ferruh Yigit <ferruh.yigit@intel.com>;
>>>>>> Andrew Rybchenko <arybchenko@solarflare.com>; Jerin Jacob
>>>>>> Kollanukkaran <jerinj@marvell.com>; Narayana Prasad Raju Athreya
>>>>>> <pathreya@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
>>>>>> dev@dpdk.org
>>>>>> Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
>>>>>>
>>>>>> Please see inline.
>>>>>>
>>>>>> Thanks
>>>>>> Tejasree
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Ori Kam <orika@nvidia.com>
>>>>>>> Sent: Tuesday, September 22, 2020 1:22 PM
>>>>>>> To: Asaf Penso <asafp@nvidia.com>; Tejasree Kondoj
>>>>>>> <ktejasree@marvell.com>; Stephen Hemminger
>>>>>>> <stephen@networkplumber.org>
>>>>>>> Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
>>>>>>> <radu.nicolau@intel.com>; Declan Doherty
>>>>>>> <declan.doherty@intel.com>; NBU-Contact-Thomas Monjalon
>>>>>>> <thomas@monjalon.net>; Ferruh Yigit <ferruh.yigit@intel.com>;
>>>>>>> Andrew Rybchenko <arybchenko@solarflare.com>; Jerin Jacob
>>>>>>> Kollanukkaran <jerinj@marvell.com>; Narayana Prasad Raju
>>>>>>> Athreya <pathreya@marvell.com>; Anoob Joseph
>>>>>>> <anoobj@marvell.com>; dev@dpdk.org
>>>>>>> Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security
>>>>>>> flow item
>>>>>>>
>>>>>>> Hi
>>>>>>>> -----Original Message-----
>>>>>>>> From: Asaf Penso <asafp@nvidia.com>
>>>>>>>> Sent: Monday, September 21, 2020 7:09 PM
>>>>>>>> Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow
>>>>>>>> item
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Asaf Penso
>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: Tejasree Kondoj <ktejasree@marvell.com>
>>>>>>>>> Sent: Monday, September 21, 2020 11:59 AM
>>>>>>>>> To: Asaf Penso <asafp@nvidia.com>; Stephen Hemminger
>>>>>>>>> <stephen@networkplumber.org>
>>>>>>>>> Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
>>>>>>>>> <radu.nicolau@intel.com>; Declan Doherty
>>>>>>>>> <declan.doherty@intel.com>; Ori Kam <orika@nvidia.com>;
>>>>>>>>> NBU-Contact-Thomas Monjalon <thomas@monjalon.net>;
>> Ferruh
>>>> Yigit
>>>>>>>>> <ferruh.yigit@intel.com>; Andrew Rybchenko
>>>>>>>>> <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
>>>>>>>>> <jerinj@marvell.com>; Narayana Prasad Raju Athreya
>>>>>>>>> <pathreya@marvell.com>; Anoob Joseph
>> <anoobj@marvell.com>;
>>>>>>>>> dev@dpdk.org
>>>>>>>>> Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow
>>>>>>>>> item
>>>>>>>>>
>>>>>>>>> Please see inline.
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>> Tejasree
>>>>>>>>>
>>>>>>>>>> -----Original Message-----
>>>>>>>>>> From: Asaf Penso <asafp@nvidia.com>
>>>>>>>>>> Sent: Thursday, September 17, 2020 3:09 PM
>>>>>>>>>> To: Stephen Hemminger <stephen@networkplumber.org>;
>>>> Tejasree
>>>>>>>>> Kondoj
>>>>>>>>>> <ktejasree@marvell.com>
>>>>>>>>>> Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
>>>>>>>>>> <radu.nicolau@intel.com>; Declan Doherty
>>>>>>>>>> <declan.doherty@intel.com>; Ori Kam <orika@nvidia.com>;
>>>>>>>>>> NBU-Contact-Thomas Monjalon <thomas@monjalon.net>;
>> Ferruh
>>>>>>>>>> Yigit <ferruh.yigit@intel.com>; Andrew Rybchenko
>>>>>>>>>> <arybchenko@solarflare.com>; Jerin Jacob Kollanukkaran
>>>>>>>>>> <jerinj@marvell.com>; Narayana Prasad Raju Athreya
>>>>>>>>>> <pathreya@marvell.com>; Anoob Joseph
>>>>>>>>>> <anoobj@marvell.com>; dev@dpdk.org
>>>>>>>>>> Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add
>>>>>>>>>> security flow item
>>>>>>>>>>
>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>> From: dev <dev-bounces@dpdk.org> On Behalf Of Stephen
>>>>>>> Hemminger
>>>>>>>>>>> Sent: Thursday, September 10, 2020 7:46 PM
>>>>>>>>>>> To: Tejasree Kondoj <ktejasree@marvell.com>
>>>>>>>>>>> Cc: Akhil Goyal <akhil.goyal@nxp.com>; Radu Nicolau
>>>>>>>>>>> <radu.nicolau@intel.com>; Declan Doherty
>>>>>>>>>>> <declan.doherty@intel.com>; Ori Kam
>>>>>>>>>>> <orika@mellanox.com>; NBU-Contact-Thomas Monjalon
>>>>>>>>>>> <thomas@monjalon.net>; Ferruh
>>>>>> Yigit
>>>>>>>>>>> <ferruh.yigit@intel.com>; Andrew Rybchenko
>>>>>>>>>>> <arybchenko@solarflare.com>; Jerin Jacob
>>>>>>>>>>> <jerinj@marvell.com>; Narayana Prasad
>>>>>>>>>>> <pathreya@marvell.com>; Anoob Joseph
>>>> <anoobj@marvell.com>;
>>>>>>>>>>> dev@dpdk.org
>>>>>>>>>>> Subject: Re: [dpdk-dev] [PATCH] ethdev: add security
>>>>>>>>>>> flow item
>>>>>>>>>>>
>>>>>>>>>>> On Thu, 10 Sep 2020 22:14:41 +0530 Tejasree Kondoj
>>>>>>>>>>> <ktejasree@marvell.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY
>>>>>>>>>>>> to
>>>>>>>>>> distinguish
>>>>>>>>>>>> plain packets from IPsec decrypted plain packets.
>>>>>>>>>>>>
>>>>>>>>>>>> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
>>>>>>>>>>>
>>>>>>>>>>> Please provide an implementation, API's without any
>>>>>>>>>>> driver support should not be accepted.
>>>>>>>>>>>
>>>>>>>>>>> Also, we need a test for this.
>>>>>>>>>
>>>>>>>>> [Tejasree] We would like to defer the patch and add
>>>>>>>>> implementation, test case in next cycle.
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> +1
>>>>>>>>>> Also, I think the word SECURITY is too high-level, and if
>>>>>>>>>> specifically you mention here an item for IPSec, perhaps
>>>>>>>>>> you can
>>>>>>> consider renaming.
>>>>>>>>>
>>>>>>>>> [Tejasree] This item matches security processed packets and
>>>>>>>>> not specific to IPsec.
>>>>>>>>> Will change commit description as follows:
>>>>>>>>> " Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to
>>>>>>>>> match packets that were security processed. For example, in
>>>>>>>>> case of inline IPsec, it can be used to distinguish plain
>>>>>>>>> packets from IPsec decrypted
>>>>>>> plain packets"
>>>>>>>>> Would that be fine?
>>>>>>>>
>>>>>>>> It would be more clear, yes, thank you, but in this case I
>>>>>>>> suggest to have a field in the spec that you can match on it.
>>>>>>>> For example, is it viable to know if the packet was
>>>>>>>> processed by IPSec and not AES? Maybe you want to have 2
>>>>>>>> flow with this new item, but still differentiate between the types.
>>>>>>>
>>>>>>> Why not use mark/tag/meta to set this value?
>>>>>>> The application will insert a flow that sends to security and
>>>>>>> mark the flow with some ID then the application can check this ID.
>>>>>>
>>>>>> [Tejasree] SECURITY itself wouldn't make distinction on protocol.
>>>>>> It would be combined with MARK_ID to know if the packet was
>>>>>> processed by IPsec and not AES.
>>>>>>
>>>>>> MARK_ID alone couldn't be used as we wouldn't know if it is
>>>>>> plain packet or security processed plain packet.
>>>>>>
>>>>>> Rules would be as follows:
>>>>>> Rule #1
>>>>>> [ETH] [IP] [ESP] [SPI] → [SECURITY] [MARK_ID] [END]
>>>>>> Rule #2
>>>>>> [SECURITY] [MARK_ID] [ETH] [IP] → [QUEUE] [END]
>>>>>>
>>>>>> I don't understand why in rule #1 you can't have the mark value
>>>>>> to also mark the security.
>>>>>>  From your patch I understand that security is just one bit This
>>>>>> means that you can say if MSB bit in mark is set then it comes
>>>>>> from security.
>>>>>
>>>>> [Tejasree] We can use MSB of MARK_ID but that would mean we would
>>>>> be reserving it for security.
>>>>>
>>>> [Ori] but why does the PMD needs it? the application know what it
>>>> needs so it can use it, It is the application decision to send to
>>>> the security right? So it knows what values to set.
>>>>
>>>> Also the application can use tag or any other data item.
>>>>
>>> [Tejasree] PMD needs it to establish connection between security and
>>> final action to be done (queue for example).
>>>
>>> First rule works on the outer packet where the inner packet would be
>>> hidden by the protocol (like encrypted payload in IPsec) and the
>>> second rule will act on the de-capsulated packet. So the packets
>>> itself are different and we cannot have one rule.
>>>
>>>   In IPsec it is valid (and a very trivial usage) to have one outer
>>> flow constitute multiple inner flows. Without this, application will
>>> not be able to configure hardware to treat inner flows differently.
>>>
>> Fully agree with you that the app needs to know if it passed security. But
>> this also goes for, for example, a simple tunnel where the app may decap the
>> packet on the first flow and then do matching on the inner 5-tuple, but
>> it will need to know if the packet was decapped or what the VNI is.
>>
>> So in your case the app will send traffic to security and mark it as one that
>> has gone to security, then in the second rule the app will match on the mark
>> and do what it wants with it.
>>
>> I simply don't see why you need a new metadata item just to mark if it passed
>> security.
>>
> 
> [Tejasree] Plain packets need to be differentiated from protocol processed ones.
> In case of regular tunnel, it may or may not be required to differentiate. But with IPsec, it is mandatory to differentiate. So either we will need to reserve MSB of MARK_ID or allow SECURITY.
> 

Reserving a bit in MARK is the same as using the SECURITY item; I didn't get why any
arbitrary MARK value can't be used for this, as suggested.

Can't the application do the following:
[flow A] -> [decrypt] [mark id=0x10 all processed packets]
[packets with mark id=0x10] -> [queue 3]

Since the application knows the mark value for the first rule, it can use the same value for
the second rule.

Or are we missing something? Like packets are decrypted without a specific rule,
hence preventing marking them, but you still want to apply an action to
processed packets?
The missing implementation makes it harder to understand your intention.

^ permalink raw reply	[flat|nested] 15+ messages in thread
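
The two-rule scheme debated in the messages above, as an added example: a simplified software model of the classifier, not DPDK code and not written by anyone in this thread. It steers one outer ESP flow's inner flows to different queues using the mark alone, then shows what changes when rule #2 also requires a security-processed status. The struct names, the SPI, the queue numbers and the extra plain-traffic marking rule are assumptions made for illustration; only mark id 0x10 and queue 3 come from the thread.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified packet state seen by the classifier (a model, not a DPDK mbuf). */
struct pkt {
    bool     esp;       /* outer header is ESP */
    uint32_t spi;       /* ESP SPI, meaningful only when esp is true */
    uint16_t dport;     /* L4 destination port of the plain or inner packet */
    bool     sec_done;  /* hardware status: inline security processing ran */
    bool     has_mark;
    uint32_t mark;
};

/* Rule set under test. All names here are hypothetical. */
struct ruleset {
    bool     plain_rule;        /* app also marks plain port-80 traffic */
    uint32_t plain_mark;        /* mark chosen for that plain-traffic rule */
    bool     use_security_item; /* rule #2 also requires the SECURITY item */
};

enum { Q_DEFAULT = 0, Q_WEB = 3, Q_TLS = 4 };
#define SPI_SA1  0x100u /* constructed SPI for the one outer flow */
#define MARK_SA1 0x10u  /* mark id used in the thread's example */

static struct pkt esp_pkt(uint32_t spi, uint16_t inner_dport)
{
    struct pkt p = { .esp = true, .spi = spi, .dport = inner_dport };
    return p;
}

static struct pkt plain_pkt(uint16_t dport)
{
    struct pkt p = { .dport = dport };
    return p;
}

/* Returns the Rx queue the packet is steered to. */
static int classify(struct pkt p, const struct ruleset *rs)
{
    /* Stage 1, first match wins. */
    if (p.esp && p.spi == SPI_SA1) {
        /* Rule #1: [ETH] [IP] [ESP] [SPI] -> [SECURITY] [MARK_ID] */
        p.esp = false;      /* decapsulated: inner headers now visible */
        p.sec_done = true;
        p.has_mark = true;
        p.mark = MARK_SA1;
    } else if (!p.esp && rs->plain_rule && p.dport == 80) {
        /* Unrelated application rule that marks plain traffic. */
        p.has_mark = true;
        p.mark = rs->plain_mark;
    }

    if (p.esp)
        return Q_DEFAULT;   /* ESP for an unknown SA stays encrypted */

    /* Stage 2, rule #2: match the mark (optionally SECURITY too),
     * then the inner header. */
    bool from_sa1 = p.has_mark && p.mark == MARK_SA1;
    if (rs->use_security_item)
        from_sa1 = from_sa1 && p.sec_done;
    if (from_sa1 && p.dport == 80)
        return Q_WEB;
    if (from_sa1 && p.dport == 443)
        return Q_TLS;
    return Q_DEFAULT;
}

int main(void)
{
    /* Constructed rule sets: disjoint marks, a reused mark, and a reused
     * mark with the SECURITY item required in rule #2. */
    const struct ruleset disjoint = { true, 0x20u, false };
    const struct ruleset collide  = { true, MARK_SA1, false };
    const struct ruleset sec_item = { true, MARK_SA1, true };

    printf("ESP inner:80,  mark only          -> q%d\n",
           classify(esp_pkt(SPI_SA1, 80), &disjoint));
    printf("ESP inner:443, mark only          -> q%d\n",
           classify(esp_pkt(SPI_SA1, 443), &disjoint));
    printf("plain :80, disjoint marks         -> q%d\n",
           classify(plain_pkt(80), &disjoint));
    printf("plain :80, mark 0x10 reused       -> q%d\n",
           classify(plain_pkt(80), &collide));
    printf("plain :80, reused + SECURITY item -> q%d\n",
           classify(plain_pkt(80), &sec_item));
    return 0;
}
```

With disjoint mark values the mark-only rules steer correctly; when another rule reuses 0x10 for plain traffic, only the variant that also checks the security-processed status keeps the plain packet out of the queues meant for decrypted traffic.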

* Re: [dpdk-dev] [PATCH] ethdev: add security flow item
  2021-02-17 17:36                       ` Ferruh Yigit
@ 2021-04-20  1:08                         ` Ferruh Yigit
  0 siblings, 0 replies; 15+ messages in thread
From: Ferruh Yigit @ 2021-04-20  1:08 UTC (permalink / raw)
  To: Tejasree Kondoj, Ori Kam, Asaf Penso, Stephen Hemminger
  Cc: Akhil Goyal, Radu Nicolau, Declan Doherty,
	NBU-Contact-Thomas Monjalon, Andrew Rybchenko,
	Jerin Jacob Kollanukkaran, Narayana Prasad Raju Athreya,
	Anoob Joseph, dev

On 2/17/2021 5:36 PM, Ferruh Yigit wrote:
> On 9/24/2020 11:07 AM, Tejasree Kondoj wrote:
>> Hi Ori,
>>
>> Please see inline.
>>
>> Thanks,
>> Tejasree
>>
>>> -----Original Message-----
>>> From: Ori Kam <orika@nvidia.com>
>>> Sent: Thursday, September 24, 2020 3:22 PM
>>> Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow item
>>>
>>> Thanks,
>>> Ori
>>>
>>>> -----Original Message-----
>>>> From: Tejasree Kondoj <ktejasree@marvell.com>
>>>> Sent: Thursday, September 24, 2020 8:31 AM
>>>>
>>>> Thanks,
>>>> Tejasree
>>>>
>>>>> -----Original Message-----
>>>>> From: Ori Kam <orika@nvidia.com>
>>>>> Sent: Wednesday, September 23, 2020 8:00 PM
>>>>> Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow item
>>>>>
>>>>> Hi
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Tejasree Kondoj <ktejasree@marvell.com>
>>>>>> Sent: Tuesday, September 22, 2020 5:18 PM
>>>>>> Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
>>>>>>
>>>>>> Hi Ori,
>>>>>>
>>>>>> Please see inline.
>>>>>>
>>>>>> Thanks,
>>>>>> Tejasree
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Tejasree Kondoj
>>>>>>> Sent: Tuesday, September 22, 2020 2:37 PM
>>>>>>> Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
>>>>>>>
>>>>>>> Please see inline.
>>>>>>>
>>>>>>> Thanks
>>>>>>> Tejasree
>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Ori Kam <orika@nvidia.com>
>>>>>>>> Sent: Tuesday, September 22, 2020 1:22 PM
>>>>>>>> Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security
>>>>>>>> flow item
>>>>>>>>
>>>>>>>> Hi
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: Asaf Penso <asafp@nvidia.com>
>>>>>>>>> Sent: Monday, September 21, 2020 7:09 PM
>>>>>>>>> Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow
>>>>>>>>> item
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Asaf Penso
>>>>>>>>>
>>>>>>>>>> -----Original Message-----
>>>>>>>>>> From: Tejasree Kondoj <ktejasree@marvell.com>
>>>>>>>>>> Sent: Monday, September 21, 2020 11:59 AM
>>>>>>>>>> Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow
>>>>>>>>>> item
>>>>>>>>>>
>>>>>>>>>> Please see inline.
>>>>>>>>>>
>>>>>>>>>> Thanks
>>>>>>>>>> Tejasree
>>>>>>>>>>
>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>> From: Asaf Penso <asafp@nvidia.com>
>>>>>>>>>>> Sent: Thursday, September 17, 2020 3:09 PM
>>>>>>>>>>> Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add
>>>>>>>>>>> security flow item
>>>>>>>>>>>
>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>> From: dev <dev-bounces@dpdk.org> On Behalf Of Stephen Hemminger
>>>>>>>>>>>> Sent: Thursday, September 10, 2020 7:46 PM
>>>>>>>>>>>> Subject: Re: [dpdk-dev] [PATCH] ethdev: add security
>>>>>>>>>>>> flow item
>>>>>>>>>>>>
>>>>>>>>>>>> On Thu, 10 Sep 2020 22:14:41 +0530 Tejasree Kondoj
>>>>>>>>>>>> <ktejasree@marvell.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to distinguish
>>>>>>>>>>>>> plain packets from IPsec decrypted plain packets.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
>>>>>>>>>>>>
>>>>>>>>>>>> Please provide an implementation, APIs without any
>>>>>>>>>>>> driver support should not be accepted.
>>>>>>>>>>>>
>>>>>>>>>>>> Also, we need a test for this.
>>>>>>>>>>
>>>>>>>>>> [Tejasree] We would like to defer the patch and add
>>>>>>>>>> implementation, test case in next cycle.
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> +1
>>>>>>>>>>> Also, I think the word SECURITY is too high-level, and if
>>>>>>>>>>> specifically you mention here an item for IPSec, perhaps
>>>>>>>>>>> you can consider renaming.
>>>>>>>>>>
>>>>>>>>>> [Tejasree] This item matches security processed packets and
>>>>>>>>>> is not specific to IPsec.
>>>>>>>>>> Will change commit description as follows:
>>>>>>>>>> "Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to
>>>>>>>>>> match packets that were security processed. For example, in
>>>>>>>>>> case of inline IPsec, it can be used to distinguish plain
>>>>>>>>>> packets from IPsec decrypted plain packets"
>>>>>>>>>> Would that be fine?
>>>>>>>>>
>>>>>>>>> It would be more clear, yes, thank you, but in this case I
>>>>>>>>> suggest having a field in the spec that you can match on.
>>>>>>>>> For example, is it viable to know if the packet was
>>>>>>>>> processed by IPSec and not AES? Maybe you want to have 2
>>>>>>>>> flows with this new item, but still differentiate between the types.
>>>>>>>>
>>>>>>>> Why not use mark/tag/meta to set this value?
>>>>>>>> The application will insert a flow that sends to security and
>>>>>>>> mark the flow with some ID then the application can check this ID.
>>>>>>>
>>>>>>> [Tejasree] SECURITY itself wouldn't make distinction on protocol.
>>>>>>> It would be combined with MARK_ID to know if the packet was
>>>>>>> processed by IPsec and not AES.
>>>>>>>
>>>>>>> MARK_ID alone couldn't be used as we wouldn't know if it is
>>>>>>> plain packet or security processed plain packet.
>>>>>>>
>>>>>>> Rules would be as follows:
>>>>>>> Rule #1
>>>>>>> [ETH] [IP] [ESP] [SPI] → [SECURITY] [MARK_ID] [END]
>>>>>>> Rule #2
>>>>>>> [SECURITY] [MARK_ID] [ETH] [IP] → [QUEUE] [END]
>>>>>>>
>>>>>>> I don't understand why in rule #1 you can't have the mark value
>>>>>>> to also mark the security.
>>>>>>> From your patch I understand that security is just one bit. This
>>>>>>> means that you can say if the MSB bit in mark is set then it comes
>>>>>>> from security.
>>>>>>
>>>>>> [Tejasree] We can use MSB of MARK_ID but that would mean we would
>>>>>> be reserving it for security.
>>>>>>
>>>>> [Ori] but why does the PMD need it? The application knows what it
>>>>> needs so it can use it. It is the application's decision to send to
>>>>> the security, right? So it knows what values to set.
>>>>>
>>>>> Also the application can use tag or any other data item.
>>>>>
>>>> [Tejasree] PMD needs it to establish connection between security and
>>>> final action to be done (queue for example).
>>>>
>>>> First rule works on the outer packet where the inner packet would be
>>>> hidden by the protocol (like encrypted payload in IPsec) and the
>>>> second rule will act on the de-capsulated packet. So the packets
>>>> themselves are different and we cannot have one rule.
>>>>
>>>>   In IPsec it is valid (and a very trivial usage) to have one outer
>>>> flow constitute multiple inner flows. Without this, the application will
>>>> not be able to configure hardware to treat inner flows differently.
>>>>
>>> Fully agree with you that the app needs to know if it passed security. But
>>> this goes also for, for example, a simple tunnel where the app may decap the
>>> packet on the first flow and then do matching on the inner 5 tuple, but
>>> it will need to know if the packet was decapped or what the VNI is.
>>>
>>> So in your case the app will send traffic to security and mark it as one that
>>> has gone to security, then in the second rule the app will match on the mark
>>> and do what it wants with it.
>>>
>>> I simply don't see why you need a new metadata item just to mark if it passed
>>> security.
>>>
>>
>> [Tejasree] Plain packets need to be differentiated from protocol processed ones.
>> In case of regular tunnel, it may or may not be required to differentiate. But 
>> with IPsec, it is mandatory to differentiate. So either we will need to 
>> reserve MSB of MARK_ID or allow SECURITY.
>>
> 
> Reserving a bit in MARK is the same as using the SECURITY item; I didn't get why any
> arbitrary MARK value can't be used for this as suggested.
>
> Can't the application do the following:
> [flow A] -> [decrypt] [mark id=0x10 all processed packets]
> [packets with mark id=0x10] -> [queue 3]
>
> Since the application knows the mark value for the first rule, it can use the same value for
> the second rule.
>
> Or are we missing something? Like packets are decrypted without a specific rule,
> hence preventing marking them, but you still want to apply an action to
> processed packets?
> The missing implementation makes it harder to understand your intention.

The patch is stale, rejecting it, please send a new version if required.

^ permalink raw reply	[flat|nested] 15+ messages in thread

Thread overview: 15+ messages
2020-09-10 16:44 [dpdk-dev] [PATCH] ethdev: add security flow item Tejasree Kondoj
2020-09-10 16:45 ` Stephen Hemminger
2020-09-17  9:38   ` Asaf Penso
2020-09-21  8:58     ` Tejasree Kondoj
2020-09-21 16:09       ` Asaf Penso
2020-09-22  7:51         ` Ori Kam
2020-09-22  9:07           ` Tejasree Kondoj
2020-09-22 13:28             ` Ori Kam
2020-09-22 14:18             ` Tejasree Kondoj
2020-09-23 14:30               ` Ori Kam
2020-09-24  5:30                 ` Tejasree Kondoj
2020-09-24  9:51                   ` Ori Kam
2020-09-24 10:07                     ` Tejasree Kondoj
2021-02-17 17:36                       ` Ferruh Yigit
2021-04-20  1:08                         ` Ferruh Yigit
