Hi Pavel,

> From: Pavel Belous <pavel.bel...@aquantia.com>
> 
> This RFC suggests a possible API to implement generic MACSEC HW
> offload in DPDK infrastructure.
> 
> Right now two PMDs implement MACSEC hw offload via private
> API: ixgbe (Intel) and atlantic (Aquantia).
> 
> During that private API discussion it was decided to go further
> with well defined public API, based most probably on rte_security
> infrastructure.
> 
> Here is that previous discussion:
> 
> http://inbox.dpdk.org/dev/20190416101145.nVecHKp3w14Ptd_hne-DqHhKyzbre88PwNI-OAowXJM@z/
> 
> Declaring macsec API via rte_security gives a good data-centric view on
> parameters and operations macsec supports. Old, pure functional API
> (basically ixgbe only API) presented function calls with big argument lists
> which is hard to extend and analyse.
> 
> However, I'd like to note rte_security has to be used via explicitly created
> mempools - this hardens a bit the usage.
> It also may be hard to extend the structures in the ABI compatible way.
> 
> One of the problems with MACSEC is that internally implementation and
> hardware support could be either very simple, doing only endpoint encryption
> with a single TX SC (Secure Connection), or quite complex, capable to do
> flexible filtering and SC matching based on mac, vlan, ethertype and other.
> 
> Different macsec hardware supports some custom features and from our
> experience users would like to configure these as well. Therefore there will
> probably be needed a number of PMD specific macsec operators support.
> 
> Examples include: custom in-the-clear tag (matched by vlan id or mask),
> configurable internal logic to allow both secure and unsecure traffic,
> bypass filters on specific ethertypes.
> To support such extensions, suggest use rte_security_macsec_op enum with
> vendor specific operation codes.
> 
> In context of rte_security, MACSEC operations should normally be based on
> security session create and update calls.
> 
> Session create is used to setup overall session. That's equivalent of old
> `macsec enable` operation.
> 
> Session update is used to update security connections and associations.
> Here xform->op contains the required operation: rx/tx session/association
> add/update/removal.
> 

The patches look good from rte_security perspective. You can send the formal
patches for 20.05 window.
