Hi Akhil, Adrien, Declan, Pablo,
Can you review this proposal and share your feedback?
Thanks,
Anoob
> -----Original Message-----
> From: Anoob Joseph <ano...@marvell.com>
> Sent: Wednesday, July 24, 2019 7:47 PM
> To: Akhil Goyal <akhil.go...@nxp.com>; Adrien Mazarguil
> <adrien.mazarg...@6wind.com>; Declan Doherty
> <declan.dohe...@intel.com>; Pablo de Lara
> <pablo.de.lara.gua...@intel.com>; Thomas Monjalon
> <tho...@monjalon.net>
> Cc: Anoob Joseph <ano...@marvell.com>; Jerin Jacob Kollanukkaran
> <jer...@marvell.com>; Narayana Prasad Raju Athreya
> <pathr...@marvell.com>; Ankur Dwivedi <adwiv...@marvell.com>; Shahaf
> Shuler <shah...@mellanox.com>; Hemant Agrawal
> <hemant.agra...@nxp.com>; Matan Azrad <ma...@mellanox.com>;
> Yongseok Koh <ys...@mellanox.com>; Wenzhuo Lu
> <wenzhuo...@intel.com>; Konstantin Ananyev
> <konstantin.anan...@intel.com>; Radu Nicolau <radu.nico...@intel.com>;
> dev@dpdk.org
> Subject: [RFC] ethdev: allow multiple security sessions to use one rte flow
>
> The rte_security API which enables inline protocol/crypto feature mandates
> that for every security session an rte_flow is created. This would internally
> translate to a rule in the hardware which would do packet classification.
>
> In rte_securty, one SA would be one security session. And if an rte_flow
> need to be created for every session, the number of SAs supported by an
> inline implementation would be limited by the number of rte_flows the PMD
> would be able to support.
>
> If the fields SPI & IP addresses are allowed to be a range, then this
> limitation
> can be overcome. Multiple flows will be able to use one rule for SECURITY
> processing. In this case, the security session provided as conf would be NULL.
>
> Application should do an rte_flow_validate() to make sure the flow is
> supported on the PMD.
>
> Signed-off-by: Anoob Joseph <ano...@marvell.com>
> ---
> lib/librte_ethdev/rte_flow.h | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/lib/librte_ethdev/rte_flow.h b/lib/librte_ethdev/rte_flow.h index
> f3a8fb1..4977d3c 100644
> --- a/lib/librte_ethdev/rte_flow.h
> +++ b/lib/librte_ethdev/rte_flow.h
> @@ -1879,6 +1879,12 @@ struct rte_flow_action_meter {
> * direction.
> *
> * Multiple flows can be configured to use the same security session.
> + *
> + * The NULL value is allowed for security session. If security session
> + is NULL,
> + * then SPI field in ESP flow item and IP addresses in flow items
> + 'IPv4' and
> + * 'IPv6' will be allowed to be a range. The rule thus created can
> + enable
> + * SECURITY processing on multiple flows.
> + *
> */
> struct rte_flow_action_security {
> void *security_session; /**< Pointer to security session structure. */
> --
> 2.7.4
