[dpdk-dev] [PATCH 08/11] examples/ipsec-secgw: iv should be be64

Sergio Gonzalez Monroy sergio.gonzalez.monroy at intel.com
Mon Oct 16 13:59:59 CEST 2017


On 16/10/2017 11:35, Aviad Yehezkel wrote:
>
> On 10/16/2017 12:42 PM, Sergio Gonzalez Monroy wrote:
>> On 14/10/2017 14:28, aviadye at dev.mellanox.co.il wrote:
>>> From: Aviad Yehezkel <aviadye at mellanox.com>
>>>
>>> To be compatibile with Linux kernel
>>
>> I am not sure what you are trying to achieve with this change.
>> The requirement is that the IV is unique, IMO changing the endianess 
>> is irrelevant here.
>> Can you provide case/example where current code does not work?
>>
>> Thanks,
>> Sergio
> You are right, according to rfc4106 the IV should be unique and can be
> implemented as counter.
> The changed was created because I put analyzer on wire and compare
> packets generated by this application and Linux kernel.
> Linux kernel sets IV as BE, so I thought it is worth to do the same for
> future debug / comparison.
>

I guess the performance impact is small (for LE platforms), so it would 
be good to add this (or similar) information to the commit message.

Thanks,
Sergio

> Thanks,
> Aviad.
>
>>
>>> Signed-off-by: Aviad Yehezkel <aviadye at mellanox.com>
>>> ---
>>>   examples/ipsec-secgw/esp.c | 8 ++++----
>>>   1 file changed, 4 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
>>> index aa2233d..81ebf55 100644
>>> --- a/examples/ipsec-secgw/esp.c
>>> +++ b/examples/ipsec-secgw/esp.c
>>> @@ -336,7 +336,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa 
>>> *sa,
>>>       if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_GCM) {
>>>           uint8_t *aad;
>>>   -        *iv = sa->seq;
>>> +        *iv = rte_cpu_to_be_64(sa->seq);
>>>           sym_cop->aead.data.offset = ip_hdr_len +
>>>               sizeof(struct esp_hdr) + sa->iv_len;
>>>           sym_cop->aead.data.length = pad_payload_len;
>>> @@ -349,7 +349,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa 
>>> *sa,
>>>             struct cnt_blk *icb = get_cnt_blk(m);
>>>           icb->salt = sa->salt;
>>> -        icb->iv = sa->seq;
>>> +        icb->iv = rte_cpu_to_be_64(sa->seq);
>>>           icb->cnt = rte_cpu_to_be_32(1);
>>>             aad = get_aad(m);
>>> @@ -371,7 +371,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa 
>>> *sa,
>>>               sym_cop->cipher.data.length = pad_payload_len + 
>>> sa->iv_len;
>>>               break;
>>>           case RTE_CRYPTO_CIPHER_AES_CTR:
>>> -            *iv = sa->seq;
>>> +            *iv = rte_cpu_to_be_64(sa->seq);
>>>               sym_cop->cipher.data.offset = ip_hdr_len +
>>>                   sizeof(struct esp_hdr) + sa->iv_len;
>>>               sym_cop->cipher.data.length = pad_payload_len;
>>> @@ -390,7 +390,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa 
>>> *sa,
>>>             struct cnt_blk *icb = get_cnt_blk(m);
>>>           icb->salt = sa->salt;
>>> -        icb->iv = sa->seq;
>>> +        icb->iv = rte_cpu_to_be_64(sa->seq);
>>>           icb->cnt = rte_cpu_to_be_32(1);
>>>             switch (sa->auth_algo) {
>>
>>
>



More information about the dev mailing list