From: Tejasree Kondoj
To: "Ananyev, Konstantin", Akhil Goyal, "Nicolau, Radu"
CC: Anoob Joseph, Ankur Dwivedi, Jerin Jacob Kollanukkaran, "dev@dpdk.org"
Date: Thu, 25 Mar 2021 08:38:49 +0000
Subject: Re: [dpdk-dev] [PATCH 2/3] examples/ipsec-secgw: add UDP encapsulation support

Hi Konstantin,

Please see inline.

Thanks
Tejasree

> -----Original Message-----
> From: Ananyev, Konstantin
> Sent: Wednesday, March 24, 2021 4:10 PM
> To: Tejasree Kondoj; Akhil Goyal; Nicolau, Radu
> Cc: Anoob Joseph; Ankur Dwivedi; Jerin Jacob Kollanukkaran; dev@dpdk.org
> Subject: [EXT] RE: [dpdk-dev] [PATCH 2/3] examples/ipsec-secgw: add UDP
> encapsulation support
>
> Hi Tejasree,
>
> > > > > > > > > Adding lookaside IPsec UDP encapsulation support for NAT
> > > > > > > > > traversal.
> > > > > > > > > Added --udp-encap option for application to specify if UDP
> > > > > > > > > encapsulation need to be enabled.
> > > > > > > > > Example secgw command with UDP encapsulation enabled:
> > > > > > > > > -c 0x1 -- -P -p 0x1 --config "(0,0,0)" -f ep0.cfg
> > > > > > > > > --udp-encap
> > > > > > > >
> > > > > > > > Can we have it not as global, but a per SA option?
> > > > > > > > Add new keyword for SA/SP into ipsec-secgw config file, etc.
> > > > > > > > Konstantin
> > > > > > > >
> > > > > > >
> > > > > > > Any specific reason to make udp_encap as per SA?
> > > > > > > UDP encapsulation is a feature which I believe should be
> > > > > > > application wide.
> > > > > > > If it supports the feature it should be enabled for all SAs when
> > > > > > > the UDP port
> > > > > > > is 4500 which is reserved for it.
> > > > > >
> > > > > > Not sure why it has to be application wide?
> > > > > > Why it is not possible have let say SA1 in ipv4/ipv6 tunnel mode
> > > > > > over port 0,
> > > > > > and SA2 with udp encap over port 1?
> > > > > > Note that in DPDK librte_security it is per SA option.
> > > > >
> > > > > UDP encapsulation can be done only if the UDP port is 4500 as per
> > > > > the specification.
> > > > > Please correct me if I am wrong. So if UDP port is NOT 4500 and
> > > > > udp-encap is enabled in the
> > > > > Command line, UDP encapsulation will not work.
> > > >
> > > > I am not asking you to support multiple UDP ports for IPsec encapsulation.
> > >
> > > Multiple ports are not required to be supported as per specification.
> > > UDP encapsulation work only on one port i.e. 4500.
> > > By specification, it says, port 4500 is reserved for NAT traversal and if a
> > > Packet has this port, then it has to be processed accordingly.
> > >
> > > > What I am saying: it should be possible to use SAs with UDP
> > > > encapsulation along with SAs without (plain tunnel/transport mode).
> > >
> > > Yes it is possible with the current patch.
> > > If a packet has a UDP port = 4500 then it is UDP encapsulated otherwise it is
> > > not.
> > > Hence, a packet with UDP port other than 4500 will work as it is working
> > > without --udp-encap param.
> > >
> > > > As I understand with your patch it is not possible: if user specified
> > > > --udp-encap all SAs (on all crypto-devs) will be treated as UDP
> > > > encapsulated.
> > >
> > > Just to correct this statement.
> > >
> > > If user specified --udp-encap all SAs (on all crypto-devs) will be treated as
> > > UDP encapsulated if and only if the UDP port = 4500 and not otherwise.
> > >
> > > I hope this statement clears your concern and it makes more sense to make it
> > > application wide, just like esn and anti-replay.
> > >
> >
> > [Tejasree] Just realized that all SAs are treated as UDP encapsulated
> > if the packet type is other than UDP. Will add per SA support.
> >
> > Concern with per SA support: we cannot have "udp_encap==1" check in the
> > prepare_one_packet()
> > function as SA info is not available at that time and plain UDP packets with
> > port 4500 are
> > treated as IPsec and results could be unpredictable.
>
> If you think global udp_encap would be helpful (let say for
> prepare_one_packet),
> I think it is possible to keep it. By default it will be 0, and can be
> initialized to 1,
> if we have at least one session with udp_encap enabled (after config file
> parsing).
> My thought about it was:
> - prepare_packet() - mark both ip/esp and ip/udp(sport,dport=4500) as ESP
> ones,
> plus set mbuf.packet_type properly (UDP/ESP) (should we set l4_len also?).
> - sad_lookup() - based on packet type (l4_len?) determine location of ESP
> header
> and do the lookup. Then if lookup was successful, for UDP packets check
> does
> SA.udp_encap==1. If no, then drop the packet.
>

[Tejasree] l4_len setting is not needed. mbuf.packet_type can be used.
Will send v2 with per SA support.
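
The two-stage flow proposed in the quoted reply (classify by protocol and port first, locate the ESP header, then apply the per-SA udp_encap check) can be sketched as follows. This is an added example, not code from the patch or from ipsec-secgw; the struct, the function names, the SAD contents and the choice to match on destination port 4500 only are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define NATT_PORT 4500                      /* UDP port discussed in the thread */
enum verdict { PASS_PLAIN, ESP_OK, DROP };
struct sa { uint32_t spi; int udp_encap; }; /* hypothetical SA entry */

/* Constructed SAD: SPI 5 allows UDP encapsulation, SPI 6 does not. */
static const struct sa sad[] = { { 5, 1 }, { 6, 0 } };

static uint32_t be32(const uint8_t *p)
{
	return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

static const struct sa *sad_lookup(uint32_t spi)
{
	for (size_t i = 0; i < sizeof(sad) / sizeof(sad[0]); i++)
		if (sad[i].spi == spi)
			return &sad[i];
	return NULL;
}

/* l4 points just past the IP header; proto is the IP protocol number. */
enum verdict classify(uint8_t proto, const uint8_t *l4, size_t len)
{
	int over_udp = 0;
	if (proto == 17) {                  /* UDP: candidate only on port 4500 */
		if (len < 8 || (l4[2] << 8 | l4[3]) != NATT_PORT)
			return PASS_PLAIN;
		l4 += 8; len -= 8;          /* ESP header follows the UDP header */
		over_udp = 1;
	} else if (proto != 50) {           /* 50 = ESP */
		return PASS_PLAIN;
	}
	if (len < 8)                        /* need SPI + sequence number */
		return DROP;
	const struct sa *sa = sad_lookup(be32(l4));
	if (sa == NULL)
		return DROP;                /* plain UDP on 4500 lands here */
	if (over_udp && !sa->udp_encap)
		return DROP;                /* per-SA check from the thread */
	return ESP_OK;
}

int main(void)
{
	/* constructed: UDP 4500 -> 4500 carrying ESP SPI 5, sequence 1 */
	const uint8_t p[] = { 0x11, 0x94, 0x11, 0x94, 0, 16, 0, 0, 0, 0, 0, 5, 0, 0, 0, 1 };
	return classify(17, p, sizeof(p)) == ESP_OK ? 0 : 1;
}
```

Because the udp_encap decision is made only after the SAD lookup, a UDP datagram to port 4500 that matches no SA is dropped rather than handed to ESP processing.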