DPDK patches and discussions
From: Akhil Goyal <akhil.goyal@nxp.com>
To: Mariusz Drost <mariuszx.drost@intel.com>,
	"radu.nicolau@intel.com" <radu.nicolau@intel.com>,
	"konstantin.ananyev@intel.com" <konstantin.ananyev@intel.com>
Cc: "dev@dpdk.org" <dev@dpdk.org>, Lukasz Bartosik <lbartosik@marvell.com>
Subject: Re: [dpdk-dev] [PATCH v2 1/2] examples/ipsec-secgw: fix SAD selection logic
Date: Thu, 10 Oct 2019 13:43:36 +0000
Message-ID: <VE1PR04MB663982F73052DEDC4FB3A7DCE6940@VE1PR04MB6639.eurprd04.prod.outlook.com>
In-Reply-To: <20190924103539.12052-2-mariuszx.drost@intel.com>

Hi Mariusz,


> -----Original Message-----
> From: Mariusz Drost <mariuszx.drost@intel.com>
> Sent: Tuesday, September 24, 2019 4:06 PM
> To: radu.nicolau@intel.com; Akhil Goyal <akhil.goyal@nxp.com>;
> konstantin.ananyev@intel.com
> Cc: dev@dpdk.org; Mariusz Drost <mariuszx.drost@intel.com>; Lukasz Bartosik
> <lbartosik@marvell.com>
> Subject: [PATCH v2 1/2] examples/ipsec-secgw: fix SAD selection logic
> 
> Ipsec-secgw example application fails to initialize when using default
> configuration file (ep0.cfg) in library mode (librte_ipsec enabled).
> 
> The reason is that two of SP rules in ep0.cfg, one for IPv4 and one
> for IPv6, are using the same SPI number. When SA rules are initialized,
> their SPI number is checked against SPIs stored in SPD. For library
> mode, it is not allowed for the same SA to handle both IPv4 and IPv6.
> 
> Solution is to split SAD into two separate parts - one for IPv4 and one
> for IPv6. Usage of SAs stays the same. Only change is to pass correct
> SAD (IPv4 or IPv6) in places where previously combined database was
> passed.

Can we have 2 different SAs with same SPI value and with different IPv4 addresses?

Will the IPSec library be able to handle this case? With Setkey it is possible in Linux.
Now that we have IPSEC library we should be compatible with what Linux can do.

So splitting the SADB with IPv4 and IPv6 will just avoid the issue for IPv4 and IPv6 but the
issue will still be there. I believe this should be fixed in library rather than application maintaining
two different databases. Library's intent is to reduce the application overhead for maintaining
IPSec specific stuff.

> 
> Split of SA entries is done at initialization stage. Most of given SA
> entries are checked against SPD. If matching entry is in IPv4 SPD, SA
> rule is added to IPv4 SAD (respectively for IPv6). Different splitting
> method is used only when SA entry is for tunnel in inbound direction.
> In that case if IPv4 tunnel should be used, SA entry is added to IPv4
> SAD (respectively for IPv6). Reasoning is that inner IP version can
> be different than outer IP version for tunneled traffic.
> 
> Bugzilla ID: 239
> Fixes: 5a032a71c6d3 ("examples/ipsec-secgw: make app to use IPsec library")
> 
> Reported-by: Lukasz Bartosik <lbartosik@marvell.com>
> Signed-off-by: Mariusz Drost <mariuszx.drost@intel.com>
> ---
>  examples/ipsec-secgw/ipsec-secgw.c |  48 ++--
>  examples/ipsec-secgw/ipsec.c       |   5 +-
>  examples/ipsec-secgw/ipsec.h       |  21 +-
>  examples/ipsec-secgw/sa.c          | 396 ++++++++++++++++++++---------
>  4 files changed, 312 insertions(+), 158 deletions(-)
> 
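
The keying question raised in this message, as an added example that is not part of the original e-mail and not DPDK code: a simplified SAD model that rejects duplicate keys, loaded with three constructed SAs sharing one SPI under three key choices (SPI only, SPI plus IP version as in the split-SAD patch, SPI plus IP version plus tunnel destination). All names (`sad_add`, `load_sample`, `key_mode`) and the addresses are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: the key mode selects which SA fields form the SAD key. */
enum key_mode { KEY_SPI, KEY_SPI_FAMILY, KEY_SPI_FAMILY_DST };
struct sa  { uint32_t spi; int family; uint8_t dst[16]; };   /* family: 4 or 6 */
struct sad { enum key_mode mode; struct sa entries[8]; int count; };

/* Two SAs collide when every field that is part of the key matches. */
static int same_key(enum key_mode m, const struct sa *a, const struct sa *b)
{
    return a->spi == b->spi
        && (m < KEY_SPI_FAMILY || a->family == b->family)
        && (m < KEY_SPI_FAMILY_DST || memcmp(a->dst, b->dst, sizeof(a->dst)) == 0);
}

/* Returns 0 on success, -1 if the key already exists or the table is full. */
int sad_add(struct sad *db, const struct sa *sa)
{
    for (int i = 0; i < db->count; i++)
        if (same_key(db->mode, &db->entries[i], sa))
            return -1;
    if (db->count == 8)
        return -1;
    db->entries[db->count++] = *sa;
    return 0;
}

/* Loads three constructed SAs that share SPI 5; returns how many were accepted. */
int load_sample(enum key_mode mode)
{
    struct sad db = { .mode = mode };
    const struct sa sas[3] = {
        { 5, 4, { 192, 0, 2, 1 } },                      /* IPv4 tunnel A */
        { 5, 6, { 0x20, 0x01, 0x0d, 0xb8, [15] = 1 } },  /* IPv6 tunnel   */
        { 5, 4, { 192, 0, 2, 2 } },                      /* IPv4 tunnel B */
    };
    int ok = 0;
    for (int i = 0; i < 3; i++)
        ok += (sad_add(&db, &sas[i]) == 0);
    return ok;
}

int main(void)
{
    printf("%d %d %d\n", load_sample(KEY_SPI), load_sample(KEY_SPI_FAMILY),
           load_sample(KEY_SPI_FAMILY_DST));
    return 0;
}
```

Keying on SPI and IP version accepts the IPv4/IPv6 pair but still rejects the second IPv4 SA; only the key that includes the destination address accepts all three.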



Thread overview: 15+ messages
2019-09-05 12:35 [dpdk-dev] [PATCH 0/2] " Mariusz Drost
2019-09-05 12:35 ` [dpdk-dev] [PATCH 1/2] examples/ipsec-secgw: " Mariusz Drost
2019-09-05 12:35 ` [dpdk-dev] [PATCH 2/2] examples/ipsec-secgw: tests for split SAD Mariusz Drost
2019-09-24 10:35 ` [dpdk-dev] [PATCH v2 0/2] fix SAD selection logic Mariusz Drost
2019-09-24 10:35   ` [dpdk-dev] [PATCH v2 1/2] examples/ipsec-secgw: " Mariusz Drost
2019-09-24 12:18     ` Ananyev, Konstantin
2019-10-02 15:43     ` Nicolau, Radu
2019-10-10 13:43     ` Akhil Goyal [this message]
2019-10-11 13:24       ` Ananyev, Konstantin
2019-10-11 14:02         ` Akhil Goyal
2019-10-11 16:38           ` Ananyev, Konstantin
2019-10-15 13:53             ` Akhil Goyal
2019-10-16 10:20               ` Ananyev, Konstantin
2019-09-24 10:35   ` [dpdk-dev] [PATCH v2 2/2] examples/ipsec-secgw: tests for split SAD Mariusz Drost
2019-09-24 12:47     ` Ananyev, Konstantin
