[dpdk-dev] [PATCH 2/3] examples/ipsec-secgw: add UDP encapsulation support

[Ananyev, Konstantin]

> Hi Konstantin,
> >
> > Hi Akhil,
> > > > > Adding lookaside IPsec UDP encapsulation support
> > > > > for NAT traversal.
> > > > > Added --udp-encap option for application to specify
> > > > > if UDP encapsulation need to be enabled.
> > > > > Example secgw command with UDP encapsultation enabled:
> > > > > <secgw> -c 0x1 -- -P -p 0x1 --config "(0,0,0)" -f ep0.cfg --udp-encap
> > > >
> > > > Can we have it not as global, but a per SA option?
> > > > Add new keyword for SA/SP into ipsec-secgw config file, etc.
> > > > Konstantin
> > > >
> > >
> > > Any specific reason to make udp_encap as per SA?
> > > UDP encapsulation is a feature which I believe should be application vide.
> > > If it supports the feature it should be enabled for all SAs when the UDP port
> > > is 4500 which is reserved for it.
> >
> > Not sure why it has to be application wide?
> > Why it is not possible have let say SA1 in ipv4/ipv6 tunnel mode over port 0,
> > and SA2 with udp encap over port 1?
> > Note that in DPDK librte_security it is per SA option.
> 
> UDP encapsulation can be done only if the UDP port is 4500 as per the specification.
> Please correct me if I am wrong. So if UDP port is NOT 4500 and udp-encap is enabled in the
> Command line, UDP encapsulation will not work.

I am not asking you so support multiple UDP ports for IPsec encapsulation.
What I am saying: it should be possible to use SAs with UDP encapsulation
along with SAs without (plain tunnel/transport mode).
As I understand with your patch it is not possible: if user specified --udp-encap
all SAs (on all crypto-devs) will be treated as UDP encapsulated. 

> 
> Hence it does make sense to make it application vide. It will be tedious for the user to
> Add this in every SA.
> 
> Regards,
> Akhil
>