[dpdk-dev] [PATCH 1/2] security: add anti replay window size
Ananyev, Konstantin
konstantin.ananyev at intel.com
Fri Oct 25 12:00:27 CEST 2019
Hi Hemant,
>
> At present the ipsec xfrom is missing the important step
> to configure the anti replay window size.
> The newly added field will also help in to enable or disable
> the anti replay checking, if available in offload by means
> of non-zero or zero value.
+1 for those changes.
Though AFAIK, it will be an ABI breakage, right?
So probably deserves changes in release notes.
>
> Currently similar field is available in rte_ipsec lib for
> software ipsec usage.
Yep, the only thing why it was put here - to avoid ABI breakage
within rte_security.
Having it in the rte_security_ipsec_xform makes much more sense.
>The newly introduced filed can replace
> that field as well eventually.
My suggestion would be to update librte_ipsec as part of these
patch series.
>
> Signed-off-by: Hemant Agrawal <hemant.agrawal at nxp.com>
> ---
> lib/librte_security/rte_security.h | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h
> index aaafdfcd7..195ad5645 100644
> --- a/lib/librte_security/rte_security.h
> +++ b/lib/librte_security/rte_security.h
> @@ -212,6 +212,10 @@ struct rte_security_ipsec_xform {
> /**< Tunnel parameters, NULL for transport mode */
> uint64_t esn_soft_limit;
> /**< ESN for which the overflow event need to be raised */
> + uint32_t replay_win_sz;
> + /**< Anti replay window size to enable sequence replay attack handling.
> + * replay checking is disabled if the window size is 0.
> + */
> };
More information about the dev
mailing list