[dpdk-dev] [PATCH 1/2] security: add anti replay window size

Ananyev, Konstantin konstantin.ananyev at intel.com
Fri Oct 25 12:00:27 CEST 2019


Hi Hemant,

> 
> At present the ipsec xform is missing the important step
> to configure the anti replay window size.
> The newly added field will also help to enable or disable
> the anti replay checking, if available in offload by means
> of non-zero or zero value.

+1 for those changes.
Though AFAIK, it will be an ABI breakage, right?
So probably deserves changes in release notes.

> 
> Currently a similar field is available in rte_ipsec lib for
> software ipsec usage.

Yep, the only reason why it was put here - to avoid ABI breakage
within rte_security.
Having it in the rte_security_ipsec_xform makes much more sense. 

> The newly introduced field can replace
> that field as well eventually.

My suggestion would be to update librte_ipsec as part of this
patch series.

> 
> Signed-off-by: Hemant Agrawal <hemant.agrawal at nxp.com>
> ---
>  lib/librte_security/rte_security.h | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h
> index aaafdfcd7..195ad5645 100644
> --- a/lib/librte_security/rte_security.h
> +++ b/lib/librte_security/rte_security.h
> @@ -212,6 +212,10 @@ struct rte_security_ipsec_xform {
>  	/**< Tunnel parameters, NULL for transport mode */
>  	uint64_t esn_soft_limit;
>  	/**< ESN for which the overflow event need to be raised */
> +	uint32_t replay_win_sz;
> +	/**< Anti replay window size to enable sequence replay attack handling.
> +	 * replay checking is disabled if the window size is 0.
> +	 */
>  };
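Review bot: the doc comment on replay_win_sz does not say what unit the size is in (packets, i.e. sequence numbers, versus bits or bytes of bitmap), nor what a driver is expected to do when it cannot support the requested size. Suggest stating the unit explicitly, for example "Anti replay window size in packets", and documenting the behaviour for unsupported values. Because the field is appended to struct rte_security_ipsec_xform, the struct size changes, so a release notes entry belongs with this hunk, as raised in the reply above.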






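For reference, a minimal receiver-side sliding-window check showing what a window size, and the zero-disables convention from the quoted patch, mean in practice. This is an added example, not part of the original message and not DPDK code; the struct and function names are hypothetical, the window is capped at 64 packets by the bitmap width, and ESN is not handled.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical receiver-side state; names are illustrative, not DPDK API. */
struct replay_state {
    uint32_t win_sz;  /* window size in packets; 0 disables checking; <= 64 */
    uint32_t top;     /* highest sequence number accepted so far */
    uint64_t bitmap;  /* bit i set => sequence number (top - i) already seen */
};

/* Returns 1 if seq is accepted (and recorded), 0 if it must be dropped. */
static int replay_check_update(struct replay_state *s, uint32_t seq)
{
    if (s->win_sz == 0)
        return 1;                     /* anti-replay checking disabled */
    if (s->win_sz > 64 || seq == 0)
        return 0;                     /* unsupported size, or invalid ESP seq */

    if (seq > s->top) {               /* newer packet: slide the window */
        uint32_t shift = seq - s->top;
        s->bitmap = (shift < 64) ? ((s->bitmap << shift) | 1ULL) : 1ULL;
        s->top = seq;
        return 1;
    }

    uint32_t off = s->top - seq;      /* distance behind the window top */
    if (off >= s->win_sz)
        return 0;                     /* too old: outside the window */
    if (s->bitmap & (1ULL << off))
        return 0;                     /* duplicate: replayed packet */
    s->bitmap |= 1ULL << off;         /* late but new: record and accept */
    return 1;
}

int main(void)
{
    /* Constructed arrival order: a duplicate, reordering, and a stale packet. */
    const uint32_t seqs[] = { 1, 1, 5, 3, 3, 2, 1, 100, 99 };
    struct replay_state on = { .win_sz = 4 }, disabled = { .win_sz = 0 };

    for (size_t i = 0; i < sizeof(seqs) / sizeof(seqs[0]); i++)
        printf("seq %3u: win_sz=4 -> %s, win_sz=0 -> %s\n", (unsigned)seqs[i],
               replay_check_update(&on, seqs[i]) ? "accept" : "drop",
               replay_check_update(&disabled, seqs[i]) ? "accept" : "drop");
    return 0;
}
```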