[dpdk-dev] [PATCH v4 1/3] security: add anti replay window size
Anoob Joseph
anoobj at marvell.com
Thu Oct 31 07:29:11 CET 2019
Hi Hemant,
How would the PMD specify whether anit-replay is supported or not? Do you have plans to introduce it as a capability? Or do you expect the session creation to fail if the feature is not supported by underlying PMD and the anti replay window size is set.
Thanks,
Anoob
> -----Original Message-----
> From: dev <dev-bounces at dpdk.org> On Behalf Of Hemant Agrawal
> Sent: Thursday, October 31, 2019 10:25 AM
> To: dev at dpdk.org; akhil.goyal at nxp.com
> Cc: konstantin.ananyev at intel.com; Hemant Agrawal
> <hemant.agrawal at nxp.com>
> Subject: [dpdk-dev] [PATCH v4 1/3] security: add anti replay window size
>
> At present the ipsec xfrom is missing the important step to configure the anti
> replay window size.
> The newly added field will also help in to enable or disable the anti replay
> checking, if available in offload by means of non-zero or zero value.
>
> Signed-off-by: Hemant Agrawal <hemant.agrawal at nxp.com>
> ---
> doc/guides/rel_notes/release_19_11.rst | 6 +++++-
> lib/librte_security/Makefile | 2 +-
> lib/librte_security/meson.build | 2 +-
> lib/librte_security/rte_security.h | 4 ++++
> 4 files changed, 11 insertions(+), 3 deletions(-)
>
> diff --git a/doc/guides/rel_notes/release_19_11.rst
> b/doc/guides/rel_notes/release_19_11.rst
> index ae8e7b2f0..0508ec545 100644
> --- a/doc/guides/rel_notes/release_19_11.rst
> +++ b/doc/guides/rel_notes/release_19_11.rst
> @@ -365,6 +365,10 @@ ABI Changes
> align the Ethernet header on receive and all known encapsulations
> preserve the alignment of the header.
>
> +* security: A new field ''replay_win_sz'' has been added to the
> +structure
> + ``rte_security_ipsec_xform``, which specify the Anti replay window
> +size
> + to enable sequence replay attack handling.
> +
>
> Shared Library Versions
> -----------------------
> @@ -437,7 +441,7 @@ The libraries prepended with a plus sign were
> incremented in this version.
> librte_reorder.so.1
> librte_ring.so.2
> + librte_sched.so.4
> - librte_security.so.2
> + + librte_security.so.3
> librte_stack.so.1
> librte_table.so.3
> librte_timer.so.1
> diff --git a/lib/librte_security/Makefile b/lib/librte_security/Makefile index
> 6708effdb..6a268ee2a 100644
> --- a/lib/librte_security/Makefile
> +++ b/lib/librte_security/Makefile
> @@ -7,7 +7,7 @@ include $(RTE_SDK)/mk/rte.vars.mk LIB = librte_security.a
>
> # library version
> -LIBABIVER := 2
> +LIBABIVER := 3
>
> # build flags
> CFLAGS += -O3
> diff --git a/lib/librte_security/meson.build b/lib/librte_security/meson.build
> index a5130d2f6..6fed01273 100644
> --- a/lib/librte_security/meson.build
> +++ b/lib/librte_security/meson.build
> @@ -1,7 +1,7 @@
> # SPDX-License-Identifier: BSD-3-Clause # Copyright(c) 2017-2019 Intel
> Corporation
>
> -version = 2
> +version = 3
> sources = files('rte_security.c')
> headers = files('rte_security.h', 'rte_security_driver.h') deps += ['mempool',
> 'cryptodev'] diff --git a/lib/librte_security/rte_security.h
> b/lib/librte_security/rte_security.h
> index aaafdfcd7..195ad5645 100644
> --- a/lib/librte_security/rte_security.h
> +++ b/lib/librte_security/rte_security.h
> @@ -212,6 +212,10 @@ struct rte_security_ipsec_xform {
> /**< Tunnel parameters, NULL for transport mode */
> uint64_t esn_soft_limit;
> /**< ESN for which the overflow event need to be raised */
> + uint32_t replay_win_sz;
> + /**< Anti replay window size to enable sequence replay attack handling.
> + * replay checking is disabled if the window size is 0.
> + */
> };
>
> /**
> --
> 2.17.1
More information about the dev
mailing list