[dpdk-dev] [EXT] [PATCH v4 03/10] security: add ESN field to ipsec_xform
Anoob Joseph
anoobj at marvell.com
Mon Sep 6 13:36:33 CEST 2021
Hi Radu,
> Hi Akhil, I suppose they can be complementary, with this one being a hard
> ESN limit that the user can enforce by setting the initial ESN value - but there
> is no requirement to do so. Also, this change doesn't need explicit support
> added in the PMDs.
What is the actual use case of this field (ESN)? My impression was this is to allow the application to control the sequence number. For normal use cases, it can be like a starting sequence number. And this can be used with ``rte_security_session_update`` to allow simulating corner cases (like large anti-replay window sizes with ESN enabled etc). Did I capture the intended use case correctly?
If it is to set the max sequence number to be handled by the session, then I guess this is getting addressed as part of the SA lifetime spec proposal.
Can you confirm what is the intended use case?
Thanks,
Anoob
> -----Original Message-----
> From: Nicolau, Radu <radu.nicolau at intel.com>
> Sent: Monday, September 6, 2021 4:51 PM
> To: Akhil Goyal <gakhil at marvell.com>; Declan Doherty
> <declan.doherty at intel.com>
> Cc: dev at dpdk.org; mdr at ashroe.eu; konstantin.ananyev at intel.com;
> vladimir.medvedkin at intel.com; bruce.richardson at intel.com;
> roy.fan.zhang at intel.com; hemant.agrawal at nxp.com; Anoob Joseph
> <anoobj at marvell.com>; abhijit.sinha at intel.com;
> daniel.m.buckley at intel.com; Archana Muniganti <marchana at marvell.com>;
> Tejasree Kondoj <ktejasree at marvell.com>; matan at nvidia.com
> Subject: Re: [EXT] [PATCH v4 03/10] security: add ESN field to ipsec_xform
>
>
> On 9/5/2021 3:47 PM, Akhil Goyal wrote:
> > Hi Radu,
> >
> >> ---------------------------------------------------------------------
> >> - Update ipsec_xform definition to include ESN field.
> >>
> >> Signed-off-by: Declan Doherty <declan.doherty at intel.com>
> >> Signed-off-by: Radu Nicolau <radu.nicolau at intel.com>
> >> Signed-off-by: Abhijit Sinha <abhijit.sinha at intel.com>
> >> Signed-off-by: Daniel Martin Buckley <daniel.m.buckley at intel.com>
> >> ---
> >> lib/security/rte_security.h | 8 ++++++++
> >> 1 file changed, 8 insertions(+)
> >>
> >> diff --git a/lib/security/rte_security.h
> >> b/lib/security/rte_security.h index 03572b10ab..702de58b48 100644
> >> --- a/lib/security/rte_security.h
> >> +++ b/lib/security/rte_security.h
> >> @@ -240,6 +240,14 @@ struct rte_security_ipsec_xform {
> >> */
> >> uint32_t mss;
> >> /**< IPsec payload Maximum Segment Size */
> >> + union {
> >> + uint64_t value;
> >> + struct {
> >> + uint32_t low;
> >> + uint32_t hi;
> >> + };
> >> + } esn;
> >> + /**< Extended Sequence Number */
> >> };
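Review bot: in the `esn` union the anonymous struct declares `low` before `hi`, so `esn.low` overlays the least significant half of `esn.value` only on little-endian targets; on a big-endian build it overlays the most significant half, and code that writes `value` and reads `low`/`hi` (or the reverse) sees the halves swapped. Either order the two members under a byte-order conditional or drop the struct and derive the halves from `value` with shifts. The comment `/**< Extended Sequence Number */` should also say what the field means to a PMD: whether it is the starting sequence number for the SA or a limit, and whether it is honoured when ESN is not enabled for the session.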
> > Can we use the following change for monitoring ESN?
> > https://urldefense.proofpoint.com/v2/url?u=http-3A__patches.dpdk.org_project_dpdk_patch_1629207767-2D262-2D2-2Dgit-2Dsend-2Demail-2Danoobj-40marvell.com_&d=DwICaQ&c=nKjWec2b6R0mOyPaz7xtfQ&r=jPfB8rwwviRSxyLWs2n6B-WYLn1v9SyTMrT5EQqh2TU&m=u4ceKpeCwgpmKFhuny3rjUzauRZVfhlNdxmCy95gHMs&s=OshWh8UBWrxO0abYCUCBhRZBzj423rwddyfzB9Q9rT0&e=
> >
> > I believe ESN is not required to be set as SA parameter, it is
> > normally maintained by the PMD and application should be notified if a limit
> > is reached.
> >
> > Regards,
> > Akhil
>
> Hi Akhil, I suppose they can be complementary, with this one being a hard
> ESN limit that the user can enforce by setting the initial ESN value - but there
> is no requirement to do so. Also, this change doesn't need explicit support
> added in the PMDs.
>