On 23 March 2017 at 21:10, Peltonen, Janne (Nokia - FI/Espoo)
<janne.pelto...@nokia.com> wrote:
>> > This is part of odp_ipsec_sa_param_t, so lookup config is per SA.
>>
>> Does that mean that both SPI lookup and DEST ADDR lookup are mandatory?
>> Is there a reason lookup mode is per SA?
>
> The lookup mode is per SA to make it possible to have SAs for which
> not ODP but the application performs the lookup (e.g. currently for
> multicast IPsec SAs that do not have unique SPIs and require src
> address lookup too, or for any other SAs with weird lookup rules)
> and uses look-a-side IPsec ops with an explicit SA to do the
> IPsec transforms.
>
> Thus, I think at minimum the ODP_IPSEC_LOOKUP_DISABLED needs to
> be per-SA even if the SPI versus SPI+dstaddr selection would be
> global.

If I understand your requirement correctly then we could add a boolean
"enable_lookup" per SA which when disabled will
remove the SA from any lookup and we can configure the lookup mode as
a global configuration.

Regards,
Bala

>
>         Janne
>
>
>> -----Original Message-----
>> From: lng-odp [mailto:lng-odp-boun...@lists.linaro.org] On Behalf Of Bala Manoharan
>> Sent: Thursday, March 23, 2017 4:42 PM
>> To: Savolainen, Petri (Nokia - FI/Espoo) <petri.savolai...@nokia-bell-labs.com>
>> Cc: lng-odp-forward <lng-odp@lists.linaro.org>
>> Subject: Re: [lng-odp] [API-NEXT PATCH v2 2/3] api: ipsec: add inline IPSEC support
>>
>> Regards,
>> Bala
>>
>>
>> On 23 March 2017 at 17:40, Savolainen, Petri (Nokia - FI/Espoo)
>> <petri.savolai...@nokia-bell-labs.com> wrote:
>> >> >
>> >> >  /**
>> >> > @@ -381,11 +547,29 @@ typedef enum odp_ipsec_lookup_mode_t {
>> >> >         ODP_IPSEC_LOOKUP_DISABLED = 0,
>> >> >
>> >> >         /** Inbound SA lookup is enabled. Used SPI values must be
>> >> unique. */
>> >> > -       ODP_IPSEC_LOOKUP_IN_UNIQUE_SA
>> >> > +       ODP_IPSEC_LOOKUP_IN_UNIQUE_SPI,
>> >> > +
>> >> > +       /** Inbound SA lookup is enabled. Lookup matches both SPI and
>> >> > +         * destination IP address. Used SPI values must be unique. */
>> >> > +       ODP_IPSEC_LOOKUP_IN_DSTADDR_UNIQUE_SPI
>> >> >
>> >> >  } odp_ipsec_lookup_mode_t;
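Review bot: The comment on ODP_IPSEC_LOOKUP_IN_DSTADDR_UNIQUE_SPI does not say what happens when a packet's SPI matches an SA but its destination address does not; state whether that is a lookup miss or an error result. It also repeats "Used SPI values must be unique", which leaves unclear what the destination address match adds over ODP_IPSEC_LOOKUP_IN_UNIQUE_SPI, so a sentence on the intended use would help. The rename from ODP_IPSEC_LOOKUP_IN_UNIQUE_SA changes an existing enumerator name and is worth a line in the commit message.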
>> >>
>> >> odp_ipsec_lookup_mode_t is not added either in odp_ipsec_config() or
>> >> in odp_ipsec_capability().
>> >> I believe this should be added in both these struct?
>> >
>> >
>> > This is part of odp_ipsec_sa_param_t, so lookup config is per SA.
>>
>> Does that mean that both SPI lookup and DEST ADDR lookup are mandatory?
>> Is there a reason lookup mode is per SA?
>>
>> >
>> >
>> >>
>> >> >
>> >> >
>> >> >  /**
>> >> > + * Result event destination
>> >> > + */
>> >> > +typedef enum odp_ipsec_dest_mode_t {
>> >> > +       /** Destination for IPSEC result events is a queue. */
>> >> > +       ODP_IPSEC_DEST_QUEUE = 0,
>> >> > +
>> >> > +       /** Destination for IPSEC result events is the classifier.
>> >> > +        *  IPSEC capability 'cls_inline' determines if inline
>> >> classification
>> >> > +        *  is supported. */
>> >> > +       ODP_IPSEC_DEST_CLS
>> >> > +
>> >> > +} odp_ipsec_dest_mode_t;
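Review bot: The documentation of odp_ipsec_dest_mode_t says only "Result event destination" and does not say which SA directions each value applies to, nor what SA creation does when ODP_IPSEC_DEST_CLS is requested and the 'cls_inline' capability reports no support. Suggest stating both in the enum comment, for example that ODP_IPSEC_DEST_CLS is rejected at SA creation when 'cls_inline' is not supported, if that is the intent.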
>> >>
>> >> Shouldn't we add a dest_mode ODP_IPSEC_DEST_PKTIO for outbound inline
>> >> when the packet is sent out through interface directly?
>> >
>> > This selection is for result events. For output direction, queues are the
>> > only option (for events). Queue vs inline pktout is selected by
>> > odp_ipsec_out_enq() vs odp_ipsec_out_inline(). Selection of output pktio
>> > (or TM queue in the future) is a parameter to odp_ipsec_out_inline().
>>
>> Yes. But the odp_ipsec_dest_mode_t is available in SA params and if
>> the SA is configured in outbound direction and linked to the pktio
>> then the configuration of dest_mode cannot be ODP_IPSEC_DEST_QUEUE.
>>
>> >
>> > -Petri
>> >
>> >
>> >
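
The scheme discussed at the top of this message (a per-SA enable_lookup flag, a global SPI versus SPI+dstaddr mode, and application lookup for SAs the built-in lookup skips), modelled in C as an added example. It is not code from the thread or from ODP; every name and the sample SA table are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical model of the discussed scheme; none of these names are ODP API. */
typedef enum { MODE_SPI, MODE_DSTADDR_SPI } lookup_mode_t; /* global setting */
typedef struct {
    uint32_t spi, src, dst; /* IPv4 addresses, host byte order */
    bool enable_lookup;     /* false: never matched by the built-in lookup */
} sa_t;

/* Constructed sample SAs: one unicast, two multicast sharing one SPI. */
static const sa_t sa_table[] = {
    { 0x1001, 0x0A000001, 0xC0A80001, true  },
    { 0x2002, 0x0A000002, 0xE0000005, false },
    { 0x2002, 0x0A000003, 0xE0000005, false },
};
#define NUM_SA ((int)(sizeof(sa_table) / sizeof(sa_table[0])))

/* Built-in lookup: skips lookup-disabled SAs. Returns SA index, -1 on miss. */
int builtin_lookup(lookup_mode_t mode, uint32_t spi, uint32_t dst)
{
    for (int i = 0; i < NUM_SA; i++) {
        const sa_t *sa = &sa_table[i];
        if (sa->enable_lookup && sa->spi == spi &&
            (mode == MODE_SPI || sa->dst == dst))
            return i;
    }
    return -1;
}

/* Application lookup for the lookup-disabled SAs: SPI + src + dst. */
int app_lookup(uint32_t spi, uint32_t src, uint32_t dst)
{
    for (int i = 0; i < NUM_SA; i++) {
        const sa_t *sa = &sa_table[i];
        if (!sa->enable_lookup && sa->spi == spi &&
            sa->src == src && sa->dst == dst)
            return i;
    }
    return -1;
}

/* Inbound SA selection: built-in lookup first, then the application's. */
int select_sa(lookup_mode_t mode, uint32_t spi, uint32_t src, uint32_t dst)
{
    int sa = builtin_lookup(mode, spi, dst);
    return sa >= 0 ? sa : app_lookup(spi, src, dst);
}

int main(void) { return select_sa(MODE_SPI, 0x2002, 0x0A000003, 0xE0000005) != 2; }
```

In the SPI+dstaddr mode a packet carrying a valid SPI but a different destination address is a miss rather than a match, and the two multicast SAs are reachable only through the application's own lookup.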
