Please see inline. Thanks Tejasree
> -----Original Message----- > From: Ori Kam <[email protected]> > Sent: Tuesday, September 22, 2020 1:22 PM > To: Asaf Penso <[email protected]>; Tejasree Kondoj > <[email protected]>; Stephen Hemminger > <[email protected]> > Cc: Akhil Goyal <[email protected]>; Radu Nicolau > <[email protected]>; Declan Doherty <[email protected]>; > NBU-Contact-Thomas Monjalon <[email protected]>; Ferruh Yigit > <[email protected]>; Andrew Rybchenko > <[email protected]>; Jerin Jacob Kollanukkaran > <[email protected]>; Narayana Prasad Raju Athreya > <[email protected]>; Anoob Joseph <[email protected]>; > [email protected] > Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow item > > External Email > > ---------------------------------------------------------------------- > Hi > > -----Original Message----- > > From: Asaf Penso <[email protected]> > > Sent: Monday, September 21, 2020 7:09 PM > > Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item > > > > > > > > Regards, > > Asaf Penso > > > > >-----Original Message----- > > >From: Tejasree Kondoj <[email protected]> > > >Sent: Monday, September 21, 2020 11:59 AM > > >To: Asaf Penso <[email protected]>; Stephen Hemminger > > ><[email protected]> > > >Cc: Akhil Goyal <[email protected]>; Radu Nicolau > > ><[email protected]>; Declan Doherty <[email protected]>; > > >Ori Kam <[email protected]>; NBU-Contact-Thomas Monjalon > > ><[email protected]>; Ferruh Yigit <[email protected]>; Andrew > > >Rybchenko <[email protected]>; Jerin Jacob Kollanukkaran > > ><[email protected]>; Narayana Prasad Raju Athreya > > ><[email protected]>; Anoob Joseph <[email protected]>; > > >[email protected] > > >Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item > > > > > >Please see inline. > > > > > >Thanks > > >Tejasree > > > > > >> -----Original Message----- > > >> From: Asaf Penso <[email protected]> > > >> Sent: Thursday, September 17, 2020 3:09 PM > > >> To: Stephen Hemminger <[email protected]>; Tejasree > > >Kondoj > > >> <[email protected]> > > >> Cc: Akhil Goyal <[email protected]>; Radu Nicolau > > >> <[email protected]>; Declan Doherty > > >> <[email protected]>; Ori Kam <[email protected]>; > > >> NBU-Contact-Thomas Monjalon <[email protected]>; Ferruh Yigit > > >> <[email protected]>; Andrew Rybchenko > > >> <[email protected]>; Jerin Jacob Kollanukkaran > > >> <[email protected]>; Narayana Prasad Raju Athreya > > >> <[email protected]>; Anoob Joseph <[email protected]>; > > >> [email protected] > > >> Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow > > >> item > > >> > > >> External Email > > >> > > >> ------------------------------------------------------------------- > > >> --- > > >> >-----Original Message----- > > >> >From: dev <[email protected]> On Behalf Of Stephen > Hemminger > > >> >Sent: Thursday, September 10, 2020 7:46 PM > > >> >To: Tejasree Kondoj <[email protected]> > > >> >Cc: Akhil Goyal <[email protected]>; Radu Nicolau > > >> ><[email protected]>; Declan Doherty > > >> ><[email protected]>; Ori Kam <[email protected]>; > > >> >NBU-Contact-Thomas Monjalon <[email protected]>; Ferruh Yigit > > >> ><[email protected]>; Andrew Rybchenko > > >> ><[email protected]>; Jerin Jacob <[email protected]>; > > >> >Narayana Prasad <[email protected]>; Anoob Joseph > > >> ><[email protected]>; [email protected] > > >> >Subject: Re: [dpdk-dev] [PATCH] ethdev: add security flow item > > >> > > > >> >On Thu, 10 Sep 2020 22:14:41 +0530 Tejasree Kondoj > > >> ><[email protected]> wrote: > > >> > > > >> >> Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to > > >> distinguish > > >> >> plain packets from IPsec decrypted plain packets. > > >> >> > > >> >> Signed-off-by: Tejasree Kondoj <[email protected]> > > >> > > > >> >Please provide an implementation, API's without any driver support > > >> >should not be accepted. > > >> > > > >> >Also, we need a test for this. > > > > > >[Tejasree] We would like to defer the patch and add implementation, > > >test case in next cycle. > > > > > >> > > >> +1 > > >> Also, I think the word SECURITY is too high-level, and if > > >> specifically you mention here an item for IPSec, perhaps you can > consider renaming. > > > > > >[Tejasree] This item matches security processed packets and not > > >specific to IPsec. > > >Will change commit description as follows: > > >" Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to match > > >packets that were security processed. For example, in case of inline > > >IPsec, it can be used to distinguish plain packets from IPsec decrypted > plain packets" > > >Would that be fine? > > > > It would be more clear, yes, thank you, but in this case I suggest to > > have a field in the spec that you can match on it. > > For example, is it viable to know if the packet was processed by IPSec > > and not AES? Maybe you want to have 2 flow with this new item, but > > still differentiate between the types. > > Why not use mark/tag/meta to set this value? > The application will insert a flow that sends to security and mark the flow > with some ID then the application can check this ID. [Tejasree] SECURITY itself wouldn't make distinction on protocol. It would be combined with MARK_ID to know if the packet was processed by IPsec and not AES. MARK_ID alone couldn't be used as we wouldn't know if it is plain packet or security processed plain packet. Rules would be as follows: Rule #1 [ETH] [IP] [ESP] [SPI] → [SECURITY] [MARK_ID] [END] Rule #2 [SECURITY] [MARK_ID] [ETH] [IP] → [QUEUE] [END] > > Best, > Ori
