[dpdk-dev] [PATCH] ethdev: add security flow item

Ori Kam orika at nvidia.com
Tue Sep 22 09:51:53 CEST 2020


Hi 
> -----Original Message-----
> From: Asaf Penso <asafp at nvidia.com>
> Sent: Monday, September 21, 2020 7:09 PM
> Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> 
> 
> 
> Regards,
> Asaf Penso
> 
> >-----Original Message-----
> >From: Tejasree Kondoj <ktejasree at marvell.com>
> >Sent: Monday, September 21, 2020 11:59 AM
> >To: Asaf Penso <asafp at nvidia.com>; Stephen Hemminger
> ><stephen at networkplumber.org>
> >Cc: Akhil Goyal <akhil.goyal at nxp.com>; Radu Nicolau
> ><radu.nicolau at intel.com>; Declan Doherty <declan.doherty at intel.com>; Ori
> >Kam <orika at nvidia.com>; NBU-Contact-Thomas Monjalon
> ><thomas at monjalon.net>; Ferruh Yigit <ferruh.yigit at intel.com>; Andrew
> >Rybchenko <arybchenko at solarflare.com>; Jerin Jacob Kollanukkaran
> ><jerinj at marvell.com>; Narayana Prasad Raju Athreya
> ><pathreya at marvell.com>; Anoob Joseph <anoobj at marvell.com>;
> >dev at dpdk.org
> >Subject: RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> >
> >Please see inline.
> >
> >Thanks
> >Tejasree
> >
> >> -----Original Message-----
> >> From: Asaf Penso <asafp at nvidia.com>
> >> Sent: Thursday, September 17, 2020 3:09 PM
> >> To: Stephen Hemminger <stephen at networkplumber.org>; Tejasree
> >Kondoj
> >> <ktejasree at marvell.com>
> >> Cc: Akhil Goyal <akhil.goyal at nxp.com>; Radu Nicolau
> >> <radu.nicolau at intel.com>; Declan Doherty <declan.doherty at intel.com>;
> >> Ori Kam <orika at nvidia.com>; NBU-Contact-Thomas Monjalon
> >> <thomas at monjalon.net>; Ferruh Yigit <ferruh.yigit at intel.com>; Andrew
> >> Rybchenko <arybchenko at solarflare.com>; Jerin Jacob Kollanukkaran
> >> <jerinj at marvell.com>; Narayana Prasad Raju Athreya
> >> <pathreya at marvell.com>; Anoob Joseph <anoobj at marvell.com>;
> >> dev at dpdk.org
> >> Subject: [EXT] RE: [dpdk-dev] [PATCH] ethdev: add security flow item
> >>
> >> >-----Original Message-----
> >> >From: dev <dev-bounces at dpdk.org> On Behalf Of Stephen Hemminger
> >> >Sent: Thursday, September 10, 2020 7:46 PM
> >> >To: Tejasree Kondoj <ktejasree at marvell.com>
> >> >Cc: Akhil Goyal <akhil.goyal at nxp.com>; Radu Nicolau
> >> ><radu.nicolau at intel.com>; Declan Doherty <declan.doherty at intel.com>;
> >> >Ori Kam <orika at mellanox.com>; NBU-Contact-Thomas Monjalon
> >> ><thomas at monjalon.net>; Ferruh Yigit <ferruh.yigit at intel.com>; Andrew
> >> >Rybchenko <arybchenko at solarflare.com>; Jerin Jacob
> >> ><jerinj at marvell.com>; Narayana Prasad <pathreya at marvell.com>; Anoob
> >> >Joseph <anoobj at marvell.com>; dev at dpdk.org
> >> >Subject: Re: [dpdk-dev] [PATCH] ethdev: add security flow item
> >> >
> >> >On Thu, 10 Sep 2020 22:14:41 +0530
> >> >Tejasree Kondoj <ktejasree at marvell.com> wrote:
> >> >
> >> >> Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to
> >> distinguish
> >> >> plain packets from IPsec decrypted plain packets.
> >> >>
> >> >> Signed-off-by: Tejasree Kondoj <ktejasree at marvell.com>
> >> >
> >> >Please provide an implementation; APIs without any driver support
> >> >should not be accepted.
> >> >
> >> >Also, we need a test for this.
> >
> >[Tejasree] We would like to defer the patch and add the implementation and
> >test case in the next cycle.
> >
> >>
> >> +1
> >> Also, I think the word SECURITY is too high-level, and if specifically
> >> you mention here an item for IPSec, perhaps you can consider renaming.
> >
> >[Tejasree] This item matches security processed packets and is not specific
> >to IPsec.
> >Will change commit description as follows:
> >" Introduce a new item type RTE_FLOW_ITEM_TYPE_SECURITY to match
> >packets that were security processed. For example, in case of inline IPsec, it
> >can be used to distinguish plain packets from IPsec decrypted plain packets"
> >Would that be fine?
> 
> It would be clearer, yes, thank you, but in this case I suggest having a field
> in the spec that you can match on.
> For example, is it viable to know if the packet was processed by IPSec and not
> AES? Maybe you want to have 2 flows with this new item, but still differentiate
> between the types.

Why not use mark/tag/meta to set this value?
The application will insert a flow that sends to security and marks the flow with
some ID; then the application can check this ID.

Best,
Ori


