Hi Martin, DSCP value is currently copied to outer IP header https://gerrit.fd.io/r/gitweb?p=vpp.git;a=blob;f=src/vnet/ipsec/esp_encrypt.c;h=4291e946b3644f9d85a0998359799103d25a52f2;hb=HEAD#l253
Based on RFC4301 (section 4.1) DSCP is not traffic selector parameter of SPD entry/policy and should be part of SAD entry (section 4.4.2.1.). Regards, Matus -----Original Message----- From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Martin Šunal Sent: Thursday, August 30, 2018 12:54 PM To: Klement Sekera -X (ksekera - PANTHEON TECHNOLOGIES at Cisco) <ksek...@cisco.com>; vpp-dev@lists.fd.io Cc: G Wieser <gwie...@frinx.io> Subject: Re: [vpp-dev] DSCP support in VPP Hi Klement, thank you for answer, I am happy to hear it's not difficult. The use case is to: - set DSCP based on some criteria (5-tuple, vlan, etc.) - copy DSCP to outer header - forward to IPSec tunnel based on DSCP value. DSCP value may be combined with other criteria (like 5-tuple) or may be used alone. There is another interesting functionality ABF (ACL Based Forwarding) [1]. Would be possible to use ABF for forwarding to IPSec tunnels? That brings me to another question - how it would behave if ABF and SPD were attached to the same input interface? [1] https://wiki.fd.io/view/VPP/ABF Thank you, Martin -----Original Message----- From: Klement Sekera <ksek...@cisco.com> Sent: Thursday, August 30, 2018 12:06 PM To: Martin Šuňal <msu...@frinx.io>; vpp-dev@lists.fd.io Cc: G Wieser <gwie...@frinx.io> Subject: Re: [vpp-dev] DSCP support in VPP Hi Martin, Can you describe your use case? You're looking at the correct place regarding the matching criteria. Adding the DSCP as additional criteria is not hard. Apart from API functions, definition and CLI funtions, it just needs to be added to a couple of comparison functions. Similarly, adding these new actions (as extensions of 'protect' action), shouldn't be too hard. Thanks, Klement On Mon, 2018-08-27 at 10:48 +0000, Martin Šuňal wrote: > Hello VPP devs, > > I am looking at IPSec in VPP and I found it should be possible to > match and forward traffic to tunnels based on 5-tuple by SPD entry [1] > What I am trying to understand is how difficult is to include DSCP to > the SPD entry as additional matching criteria. > Would be also possible to extend SPD actions with something like "set > DSCP" and "copy DSCP to outer-header"? > Is SPD entry good place for that? > It looks like DSCP is supported in DPDK [2] but I did not find any > reference in VPP. > > > [1] https://wiki.fd.io/view/VPP/IPSec_and_IKEv2#SPD_entry_creation > [2] https://doc.dpdk.org/guides/prog_guide/traffic_management.html?hi > ghlight=dscp#packet-marking > > Thank you for your help, > Martin Šuňal > Technical leader > Frinx s.r.o. > Mlynské Nivy 48 / 821 09 Bratislava / Slovakia > +421 2 20 91 01 41 / msu...@frinx.io<mailto:msu...@frinx.io> / www.fr > inx.io<http://www.frinx.io/>; > [cid:image002.png@01D24FBB.70342570] > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > > View/Reply Online (#10295): https://lists.fd.io/g/vpp-dev/message/102 > 95 > Mute This Topic: https://lists.fd.io/mt/24972491/675704 > Group Owner: vpp-dev+ow...@lists.fd.io > Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [ksek...@cisco.com] > -=-=-=-=-=-=-=-=-=-=-=-
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#10334): https://lists.fd.io/g/vpp-dev/message/10334 Mute This Topic: https://lists.fd.io/mt/24972491/21656 Group Owner: vpp-dev+ow...@lists.fd.io Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
