[dpdk-dev] [PATCH v2 4/5] examples/ipsec-secgw: handle ESN soft limit event

Akhil Goyal akhil.goyal at nxp.com
Tue Mar 13 13:24:14 CET 2018


Hi Anoob,

On 3/1/2018 2:51 PM, Anoob Joseph wrote:
> For inline protocol processing, the PMD/device is required to maintain
> the ESN. But the application is required to monitor ESN overflow to
> initiate SA expiry.
> 
> For such cases, application would set the ESN soft limit. An IPsec event
> would be raised by rte_eth_event framework, when ESN hits the soft limit
> set by the application.
> 
> Signed-off-by: Anoob Joseph <anoob.joseph at caviumnetworks.com>
> ---
> v2:
> * No change
> 
>   examples/ipsec-secgw/ipsec-secgw.c | 56 ++++++++++++++++++++++++++++++++++++++
>   examples/ipsec-secgw/ipsec.c       | 10 +++++--
>   examples/ipsec-secgw/ipsec.h       |  2 ++
>   3 files changed, 65 insertions(+), 3 deletions(-)
> 
> diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
> index 3a8562e..5726fd3 100644
> --- a/examples/ipsec-secgw/ipsec-secgw.c
> +++ b/examples/ipsec-secgw/ipsec-secgw.c
> @@ -40,6 +40,7 @@
>   #include <rte_hash.h>
>   #include <rte_jhash.h>
>   #include <rte_cryptodev.h>
> +#include <rte_security.h>
>   
>   #include "ipsec.h"
>   #include "parser.h"
> @@ -1640,6 +1641,58 @@ pool_init(struct socket_ctx *ctx, int32_t socket_id, uint32_t nb_mbuf)
>   		printf("Allocated mbuf pool on socket %d\n", socket_id);
>   }
>   
> +static inline int
> +inline_ipsec_event_esn_overflow(struct rte_security_ctx *ctx, uint64_t md)
> +{
> +	struct ipsec_sa *sa;
> +
> +	/* For inline protocol processing, the metadata in the event will
> +	 * uniquely identify the security session which raised the event.
> +	 * Application would then need the userdata it had registered with the
> +	 * security session to process the event.
> +	 */
> +
> +	sa = (struct ipsec_sa *)rte_security_get_userdata(ctx, md);
> +
> +	if (sa == NULL) {
> +		/* userdata could not be retrieved */
> +		return -1;
> +	}
> +
> +	/* Sequence number over flow. SA need to be re-established */


With this patchset, application will be able to get notification if the 
error has occurred. But it is not re-configuring the SA.
Do you intend to add the same?

> +	RTE_SET_USED(sa);
> +	return 0;
> +}
> +
> +static int
> +inline_ipsec_event_callback(uint16_t port_id, enum rte_eth_event_type type,
> +		 void *param, void *ret_param)
> +{
> +	struct rte_eth_event_ipsec_desc *event_desc = NULL;
> +	struct rte_security_ctx *ctx = (struct rte_security_ctx *)
> +					rte_eth_dev_get_sec_ctx(port_id);
> +
> +	RTE_SET_USED(param);
> +
> +	if (type != RTE_ETH_EVENT_IPSEC)
> +		return -1;
> +
> +	event_desc = ret_param;
> +	if (event_desc == NULL) {
> +		printf("Event descriptor not set\n");
> +		return -1;
> +	}
> +
> +	if (event_desc->stype == RTE_ETH_EVENT_IPSEC_ESN_OVERFLOW)
> +		return inline_ipsec_event_esn_overflow(ctx, event_desc->md);
> +	else if (event_desc->stype >= RTE_ETH_EVENT_IPSEC_MAX) {
> +		printf("Invalid IPsec event reported\n");
> +		return -1;
> +	}
> +
> +	return -1;
> +}
> +
>   int32_t
>   main(int32_t argc, char **argv)
>   {
> @@ -1727,6 +1780,9 @@ main(int32_t argc, char **argv)
>   		 */
>   		if (promiscuous_on)
>   			rte_eth_promiscuous_enable(portid);
> +
> +		rte_eth_dev_callback_register(portid,
> +			RTE_ETH_EVENT_IPSEC, inline_ipsec_event_callback, NULL);
>   	}
>   
>   	check_all_ports_link_status(nb_ports, enabled_port_mask);
> diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
> index 5fb5bc1..acdd189 100644
> --- a/examples/ipsec-secgw/ipsec.c
> +++ b/examples/ipsec-secgw/ipsec.c
> @@ -36,6 +36,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec)
>   		}
>   		/* TODO support for Transport and IPV6 tunnel */
>   	}
> +	ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT;
>   }
>   
>   static inline int
> @@ -270,11 +271,14 @@ create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
>   			 * the packet is received, this userdata will be
>   			 * retrieved using the metadata from the packet.
>   			 *
> -			 * This is required only for inbound SAs.
> +			 * The PMD is expected to set similar metadata for other
> +			 * operations, like rte_eth_event, which are tied to
> +			 * security session. In such cases, the userdata could
> +			 * be obtained to uniquely identify the security
> +			 * parameters denoted.
>   			 */
>   
> -			if (sa->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
> -				sess_conf.userdata = (void *) sa;
> +			sess_conf.userdata = (void *) sa;
>   
>   			sa->sec_session = rte_security_session_create(ctx,
>   					&sess_conf, ipsec_ctx->session_pool);
> diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
> index 6059f6c..c1450f6 100644
> --- a/examples/ipsec-secgw/ipsec.h
> +++ b/examples/ipsec-secgw/ipsec.h
> @@ -21,6 +21,8 @@
>   
>   #define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */
>   
> +#define IPSEC_OFFLOAD_ESN_SOFTLIMIT 0xffffff00
> +
>   #define IV_OFFSET		(sizeof(struct rte_crypto_op) + \
>   				sizeof(struct rte_crypto_sym_op))
>   
> 



More information about the dev mailing list