Hi > -----Original Message----- > From: Tejasree Kondoj <[email protected]> > Sent: Tuesday, September 22, 2020 5:18 PM > Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item > > Hi Ori, > > Please see inline. > > Thanks, > Tejasree > > > -----Original Message----- > > From: Tejasree Kondoj > > Sent: Tuesday, September 22, 2020 2:37 PM > > To: Ori Kam <[email protected]>; Asaf Penso <[email protected]>; Stephen > > Hemminger <[email protected]> > > Cc: Akhil Goyal <[email protected]>; Radu Nicolau > > <[email protected]>; Declan Doherty <[email protected]>; > > NBU-Contact-Thomas Monjalon <[email protected]>; Ferruh Yigit > > <[email protected]>; Andrew Rybchenko > > <[email protected]>; Jerin Jacob Kollanukkaran > > <[email protected]>; Narayana Prasad Raju Athreya > > <[email protected]>; Anoob Joseph <[email protected]>; > > [email protected] > > Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item > > > > Please see inline. > > > > Thanks > > Tejasree > > > > > -----Original Message----- > > > From: Ori Kam <[email protected]> > > > Sent: Tuesday, September 22, 2020 1:22 PM > > > To: Asaf Penso <[email protected]>; Tejasree Kondoj > > > <[email protected]>; Stephen Hemminger > > > <[email protected]> > > > Cc: Akhil Goyal <[email protected]>; Radu Nicolau > > > <[email protected]>; Declan Doherty <[email protected]>; > > > NBU-Contact-Thomas Monjalon <[email protected]>; Ferruh Yigit > > > <[email protected]>; Andrew Rybchenko > > > <[email protected]>; Jerin Jacob Kollanukkaran > > > <[email protected]>; Narayana Prasad Raju Athreya > > > <[email protected]>; Anoob Joseph <[email protected]>; > > > [email protected] > > > Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow item > > > > > > External Email > > > > > > ---------------------------------------------------------------------- > > > Hi > > > > -----Original Message----- > > > > From: Asaf Penso <[email protected]> > > > > Sent: Monday, September 21, 2020 7:09 PM > > > > Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item > > > > > > > > > > > > > > > > Regards, > > > > Asaf Penso > > > > > > > > >-----Original Message----- > > > > >From: Tejasree Kondoj <[email protected]> > > > > >Sent: Monday, September 21, 2020 11:59 AM > > > > >To: Asaf Penso <[email protected]>; Stephen Hemminger > > > > ><[email protected]> > > > > >Cc: Akhil Goyal <[email protected]>; Radu Nicolau > > > > ><[email protected]>; Declan Doherty > > > > ><[email protected]>; Ori Kam <[email protected]>; > > > > >NBU-Contact-Thomas Monjalon <[email protected]>; Ferruh Yigit > > > > ><[email protected]>; Andrew Rybchenko > > > > ><[email protected]>; Jerin Jacob Kollanukkaran > > > > ><[email protected]>; Narayana Prasad Raju Athreya > > > > ><[email protected]>; Anoob Joseph <[email protected]>; > > > > >[email protected] > > > > >Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item > > > > > > > > > >Please see inline. > > > > > > > > > >Thanks > > > > >Tejasree > > > > > > > > > >> -----Original Message----- > > > > >> From: Asaf Penso <[email protected]> > > > > >> Sent: Thursday, September 17, 2020 3:09 PM > > > > >> To: Stephen Hemminger <[email protected]>; Tejasree > > > > >Kondoj > > > > >> <[email protected]> > > > > >> Cc: Akhil Goyal <[email protected]>; Radu Nicolau > > > > >> <[email protected]>; Declan Doherty > > > > >> <[email protected]>; Ori Kam <[email protected]>; > > > > >> NBU-Contact-Thomas Monjalon <[email protected]>; Ferruh Yigit > > > > >> <[email protected]>; Andrew Rybchenko > > > > >> <[email protected]>; Jerin Jacob Kollanukkaran > > > > >> <[email protected]>; Narayana Prasad Raju Athreya > > > > >> <[email protected]>; Anoob Joseph <[email protected]>; > > > > >> [email protected] > > > > >> Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow > > > > >> item > > > > >> > > > > >> External Email > > > > >> > > > > >> ----------------------------------------------------------------- > > > > >> -- > > > > >> --- > > > > >> >-----Original Message----- > > > > >> >From: dev <[email protected]> On Behalf Of Stephen > > > Hemminger > > > > >> >Sent: Thursday, September 10, 2020 7:46 PM > > > > >> >To: Tejasree Kondoj <[email protected]> > > > > >> >Cc: Akhil Goyal <[email protected]>; Radu Nicolau > > > > >> ><[email protected]>; Declan Doherty > > > > >> ><[email protected]>; Ori Kam <[email protected]>; > > > > >> >NBU-Contact-Thomas Monjalon <[email protected]>; Ferruh > > Yigit > > > > >> ><[email protected]>; Andrew Rybchenko > > > > >> ><[email protected]>; Jerin Jacob <[email protected]>; > > > > >> >Narayana Prasad <[email protected]>; Anoob Joseph > > > > >> ><[email protected]>; [email protected] > > > > >> >Subject: Re: [dpdk-dev] [PATCH] ethdev: add security flow item > > > > >> > > > > > >> >On Thu, 10 Sep 2020 22:14:41 +0530 Tejasree Kondoj > > > > >> ><[email protected]> wrote: > > > > >> > > > > > >> >> Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to > > > > >> distinguish > > > > >> >> plain packets from IPsec decrypted plain packets. > > > > >> >> > > > > >> >> Signed-off-by: Tejasree Kondoj <[email protected]> > > > > >> > > > > > >> >Please provide an implementation, API's without any driver > > > > >> >support should not be accepted. > > > > >> > > > > > >> >Also, we need a test for this. > > > > > > > > > >[Tejasree] We would like to defer the patch and add implementation, > > > > >test case in next cycle. > > > > > > > > > >> > > > > >> +1 > > > > >> Also, I think the word SECURITY is too high-level, and if > > > > >> specifically you mention here an item for IPSec, perhaps you can > > > consider renaming. > > > > > > > > > >[Tejasree] This item matches security processed packets and not > > > > >specific to IPsec. > > > > >Will change commit description as follows: > > > > >" Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to match > > > > >packets that were security processed. For example, in case of > > > > >inline IPsec, it can be used to distinguish plain packets from > > > > >IPsec decrypted > > > plain packets" > > > > >Would that be fine? > > > > > > > > It would be more clear, yes, thank you, but in this case I suggest > > > > to have a field in the spec that you can match on it. > > > > For example, is it viable to know if the packet was processed by > > > > IPSec and not AES? Maybe you want to have 2 flow with this new item, > > > > but still differentiate between the types. > > > > > > Why not use mark/tag/meta to set this value? > > > The application will insert a flow that sends to security and mark the > > > flow with some ID then the application can check this ID. > > > > [Tejasree] SECURITY itself wouldn't make distinction on protocol. > > It would be combined with MARK_ID to know if the packet was processed by > > IPsec and not AES. > > > > MARK_ID alone couldn't be used as we wouldn't know if it is plain packet or > > security processed plain packet. > > > > Rules would be as follows: > > Rule #1 > > [ETH] [IP] [ESP] [SPI] → [SECURITY] [MARK_ID] [END] Rule #2 [SECURITY] > > [MARK_ID] [ETH] [IP] → [QUEUE] [END] > > > > I don't understand why in rule #1 you can't have the mark value > > to also mark the security. > > From your patch I understand that security is just one bit > > This means that you can say if MSB bit in mark is set then it comes from > > security. > > [Tejasree] We can use MSB of MARK_ID but that would mean we would be > reserving it for security. > [Ori] but why does the PMD needs it? the application know what it needs so it can use it, It is the application decision to send to the security right? So it knows what values to set.
Also the application can use tag or any other data item. > > > > > > Best, > > > Ori
