[dpdk-dev] [PATCH v2 1/2] examples/ipsec-secgw: fix SAD selection logic
konstantin.ananyev at intel.com
Tue Sep 24 14:18:28 CEST 2019
> Ipsec-secgw example application fails to initialize when using default
> configuration file (ep0.cfg) in library mode (librte_ipsec enabled).
> The reason is that two of SP rules in ep0.cfg, one for IPv4 and one
> for IPv6, are using the same SPI number. When SA rules are initialized,
> their SPI number is checked against SPIs stored in SPD. For library
> mode, it is not allowed for the same SA to handle both IPv4 and IPv6.
> Solution is to split SAD into two separate parts - one for IPv4 and one
> for IPv6. Usage of SAs stays the same. Only change is to pass correct
> SAD (IPv4 or IPv6) in places where previously combined database was
> Split of SA entries is done at initialization stage. Most of given SA
> entries are checked against SPD. If matching entry is in IPv4 SPD, SA
> rule is added to IPv4 SAD (respectively for IPv6). Different splitting
> method is used only when SA entry is for tunnel in inbound direction.
> In that case if IPv4 tunnel should be used, SA entry is added to IPv4
> SAD (respectively for IPv6). Reasoning is that inner IP version can
> be different than outer IP version for tunneled traffic.
> Bugzilla ID: 239
> Fixes: 5a032a71c6d3 ("examples/ipsec-secgw: make app to use IPsec library")
> Reported-by: Lukasz Bartosik <lbartosik at marvell.com>
> Signed-off-by: Mariusz Drost <mariuszx.drost at intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev at intel.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev at intel.com>
More information about the dev