Hi Ori,

Please see inline.

Thanks,
Anoob

> -----Original Message-----
> From: Ori Kam <or...@mellanox.com>
> Sent: Thursday, January 16, 2020 7:08 PM
> To: Anoob Joseph <ano...@marvell.com>; Medvedkin, Vladimir <vladimir.medved...@intel.com>; Ananyev, Konstantin <konstantin.anan...@intel.com>; Akhil Goyal <akhil.go...@nxp.com>; Adrien Mazarguil <adrien.mazarg...@6wind.com>; Doherty, Declan <declan.dohe...@intel.com>; Yigit, Ferruh <ferruh.yi...@intel.com>; Jerin Jacob Kollanukkaran <jer...@marvell.com>; Thomas Monjalon <tho...@monjalon.net>
> Cc: Ankur Dwivedi <adwiv...@marvell.com>; Hemant Agrawal <hemant.agra...@nxp.com>; Matan Azrad <ma...@mellanox.com>; Nicolau, Radu <radu.nico...@intel.com>; Shahaf Shuler <shah...@mellanox.com>; Narayana Prasad Raju Athreya <pathr...@marvell.com>; dev@dpdk.org
> Subject: RE: [dpdk-dev] [EXT] Re: [PATCH] ethdev: allow multiple security sessions to use one rte flow
>
> Just one more question inline.
>
> > -----Original Message-----
> > From: dev <dev-boun...@dpdk.org> On Behalf Of Anoob Joseph
> > Sent: Thursday, January 16, 2020 2:03 PM
> >
> > Hi Ori,
> >
> > Please see inline.
> >
> > Thanks,
> > Anoob
> >
> > > -----Original Message-----
> > > From: dev <dev-boun...@dpdk.org> On Behalf Of Ori Kam
> > > Sent: Thursday, January 16, 2020 5:06 PM
> > >
> > > > -----Original Message-----
> > > > From: dev <dev-boun...@dpdk.org> On Behalf Of Anoob Joseph
> > > > Sent: Tuesday, January 14, 2020 11:28 AM
> > > >
> > > > Hi Ori,
> > > >
> > > > Please see inline.
> > > >
> > > > Thanks,
> > > > Anoob
> > > >
> > > > > -----Original Message-----
> > > > > From: Ori Kam <or...@mellanox.com>
> > > > > Sent: Thursday, January 9, 2020 1:06 PM
> > > > >
> > > > > Hi
> > > > > sorry for jumping in late.
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: dev <dev-boun...@dpdk.org> On Behalf Of Medvedkin, Vladimir
> > > > > > Sent: Wednesday, January 8, 2020 4:30 PM
> > > > > >
> > > > > > Hi Anoob,
> > > > > >
> > > > > > On 23/12/2019 13:34, Ananyev, Konstantin wrote:
> > > > > > >
> > > > > > >>>>>>>>>>>>>> The rte_security API which enables inline protocol/crypto
> > > > > > >>>>>>>>>>>>>> feature mandates that for every security session an rte_flow
> > > > > > >>>>>>>>>>>>>> is created. This would internally translate to a rule in the
> > > > > > >>>>>>>>>>>>>> hardware which would do packet classification.
> > > > > > >>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>> In rte_security, one SA would be one security session. And if
> > > > > > >>>>>>>>>>>>>> an rte_flow need to be created for every session, the number
> > > > > > >>>>>>>>>>>>>> of SAs supported by an inline implementation would be
> > > > > > >>>>>>>>>>>>>> limited by the number of rte_flows the PMD would be able to
> > > > > > >>>>>>>>>>>>>> support.
> > > > > > >>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>> If the fields SPI & IP addresses are allowed to be a range,
> > > > > > >>>>>>>>>>>>>> then this limitation can be overcome. Multiple flows will be
> > > > > > >>>>>>>>>>>>>> able to use one rule for SECURITY processing. In this case,
> > > > > > >>>>>>>>>>>>>> the security session provided as conf would be NULL.
> > > > >
> > > > > Why is that?
> > > > > If the rte flow can have a range then this means that we need
> > > > > one security_session for the entire range, Am I missing
> > > > > something? As it is stated in the rte_flow.h security_session can
> > > > > be used for multiple flows.
> > > >
> > > > [Anoob] One SA would mean one security_session. So if we have one
> > > > security_session for the entire range, then it will be like having
> > > > single SA for a range of IP & SPI. Do you think we should allow that?
> > > >
> > > [Ori] I'm less familiar with security, but this is what I understand
> > > you are trying to do right?
> >
> > [Anoob] Not exactly. In our implementation, h/w can index into a table
> > which would hold security_sessions. So we can have one rte_flow rule,
> > which will enable the packet steering in the hardware. Which session
> > need to be used will be determined by the SPI.
> >
> > > > Also, the intent of the patch is to minimize the number of
> > > > rte_flow rules required for inline ipsec processing. Since the
> > > > security session is per SA, and if we need multiple SPIs to use
> > > > same rte_flow rule, then the security_session field in the
> > > > rte_flow rule need to be NULL.
> > > > Having a non-zero security_session when SPI is a range would be
> > > > incorrect.
> > > >
> > > [Ori] I'm all in favor decreasing number of flows.
> > > Sorry for the basic question, what is the security_session /SA
> > > dependent on?
> >
> > [Anoob] No prob! In case of unicast IPsec, every SA would have a unique SPI.
> > So we cannot have multiple SPI's referring to the same SA. And one SA
> > would mean one security_session.
> >
> > > Can one SA include number of different SPI?
> >
> > [Anoob] No.
> >
> > Maybe we need to reimagine this.
> >
> > Currently, an rte_flow with SECURITY enables ipsec processing with a
> > specific security_session on the packet. This is enabled on a specific
> > IP/SPI specified in the rule.
> >
> > My proposal: an rte_flow with SECURITY (and session = NULL), would
> > enable ipsec processing on a range and SPI from the packet can be used
> > by the h/w to further figure out the security_session.
>
> O.K. so SPI can't be shared between SA (Security_session) while IP can right?
> Other way to ask my question is what is allowed to be in range to allow the
> same security_session?

[Anoob] With a single IP system, SPI is enough to uniquely identify an SA. So for such cases, DST_IP can be a range, and session can be non_null. In other words, in single IP systems, SPI would mean one tunnel and so DST_IP is not required to be looked up. Whether to do lookup on SPI only or DST_IP+SPI is determined by the configuration, and so it makes sense to allow such with rte_flow framework.
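
The lookup discussed in the message above (one range rule with session = NULL, the session then selected by SPI, and configuration deciding between SPI-only and DST_IP+SPI matching), as an added C model that is not part of the original message and is not DPDK or PMD code. The struct and function names, the table layout and the sample SAs are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Model only: hypothetical names, not DPDK or PMD code. */
enum sa_lookup_mode { LOOKUP_SPI_ONLY, LOOKUP_DIP_SPI };

struct sa_entry {              /* one SA == one security session */
    uint32_t spi;              /* 0 = empty slot (SPI 0 is never on the wire) */
    uint32_t dst_ip;           /* host byte order */
    int session_id;            /* stands in for the security_session */
};

struct range_rule {            /* one classification rule, session = NULL */
    uint32_t spi_min, spi_max, dip_min, dip_max;
    const struct sa_entry *sa_table;   /* indexed by spi - spi_min */
    enum sa_lookup_mode mode;
};

/* Constructed sample: SPIs 0x100..0x103, slot for 0x102 left empty. */
static const struct sa_entry sample_sas[4] = {
    { 0x100, 0x0A000001, 1 },  /* 10.0.0.1 */
    { 0x101, 0x0A000002, 2 },  /* 10.0.0.2 */
    { 0, 0, 0 },
    { 0x103, 0x0A000001, 3 },
};

/* Returns the session id, or -1 when no SA matches (no inline processing). */
int lookup_session(const struct range_rule *r, uint32_t dst_ip, uint32_t spi)
{
    if (spi < r->spi_min || spi > r->spi_max) return -1;
    if (dst_ip < r->dip_min || dst_ip > r->dip_max) return -1;
    const struct sa_entry *sa = &r->sa_table[spi - r->spi_min];
    if (sa->spi != spi) return -1;                 /* no SA for this SPI */
    if (r->mode == LOOKUP_DIP_SPI && sa->dst_ip != dst_ip) return -1;
    return sa->session_id;
}

/* Runs one lookup against the constructed rule 10.0.0.0-10.0.0.255. */
int lookup_sample(enum sa_lookup_mode mode, uint32_t dst_ip, uint32_t spi)
{
    struct range_rule r = { 0x100, 0x103, 0x0A000000, 0x0A0000FF,
                            sample_sas, mode };
    return lookup_session(&r, dst_ip, spi);
}

int main(void)
{
    printf("%d %d\n", lookup_sample(LOOKUP_SPI_ONLY, 0x0A000009, 0x101),
           lookup_sample(LOOKUP_DIP_SPI, 0x0A000009, 0x101));
    return 0;
}
```

In SPI-only mode a packet to any DST_IP inside the rule's range reaches the SA for its SPI, so that mode fits only the single-IP case described above; an SPI with no installed SA must fall through to no session rather than to a default one.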