Hi Anoob,
>
> Hi all,
>
> Reminder...!
>
Sorry for a delayed response.
> If there are no concerns, I'll send the patch after adding the required
> changes in ipsec-secgw as well.
>
> Thanks,
> Anoob
>
> > -----Original Message-----
> > From: Anoob Joseph <ano...@marvell.com>
> > Sent: Friday, August 2, 2019 11:05 AM
> > To: Anoob Joseph <ano...@marvell.com>; Akhil Goyal
> > <akhil.go...@nxp.com>; Adrien Mazarguil <adrien.mazarg...@6wind.com>;
> > Declan Doherty <declan.dohe...@intel.com>; Pablo de Lara
> > <pablo.de.lara.gua...@intel.com>; Thomas Monjalon
> > <tho...@monjalon.net>
> > Cc: Jerin Jacob Kollanukkaran <jer...@marvell.com>; Narayana Prasad Raju
> > Athreya <pathr...@marvell.com>; Ankur Dwivedi
> > <adwiv...@marvell.com>; Shahaf Shuler <shah...@mellanox.com>;
> > Hemant Agrawal <hemant.agra...@nxp.com>; Matan Azrad
> > <ma...@mellanox.com>; Yongseok Koh <ys...@mellanox.com>; Wenzhuo
> > Lu <wenzhuo...@intel.com>; Konstantin Ananyev
> > <konstantin.anan...@intel.com>; Radu Nicolau <radu.nico...@intel.com>;
> > dev@dpdk.org
> > Subject: RE: [RFC] ethdev: allow multiple security sessions to use one rte
> > flow
> >
> > Hi Akhil, Adrien, Declan, Pablo,
> >
> > Can you review this proposal and share your feedback?
> >
> > Thanks,
> > Anoob
> >
> > > -----Original Message-----
> > > From: Anoob Joseph <ano...@marvell.com>
> > > Sent: Wednesday, July 24, 2019 7:47 PM
> > > To: Akhil Goyal <akhil.go...@nxp.com>; Adrien Mazarguil
> > > <adrien.mazarg...@6wind.com>; Declan Doherty
> > > <declan.dohe...@intel.com>; Pablo de Lara
> > > <pablo.de.lara.gua...@intel.com>; Thomas Monjalon
> > > <tho...@monjalon.net>
> > > Cc: Anoob Joseph <ano...@marvell.com>; Jerin Jacob Kollanukkaran
> > > <jer...@marvell.com>; Narayana Prasad Raju Athreya
> > > <pathr...@marvell.com>; Ankur Dwivedi <adwiv...@marvell.com>; Shahaf
> > > Shuler <shah...@mellanox.com>; Hemant Agrawal
> > > <hemant.agra...@nxp.com>; Matan Azrad <ma...@mellanox.com>; Yongseok
> > > Koh <ys...@mellanox.com>; Wenzhuo Lu <wenzhuo...@intel.com>;
> > > Konstantin Ananyev <konstantin.anan...@intel.com>; Radu Nicolau
> > > <radu.nico...@intel.com>; dev@dpdk.org
> > > Subject: [RFC] ethdev: allow multiple security sessions to use one rte
> > > flow
> > >
> > > The rte_security API which enables inline protocol/crypto feature
> > > mandates that for every security session an rte_flow is created. This
> > > would internally translate to a rule in the hardware which would do packet
> > > classification.
> > >
> > > In rte_security, one SA would be one security session. And if an
> > > rte_flow needs to be created for every session, the number of SAs
> > > supported by an inline implementation would be limited by the number
> > > of rte_flows the PMD would be able to support.
> > >
> > > If the fields SPI & IP addresses are allowed to be a range, then this
> > > limitation can be overcome. Multiple flows will be able to use one
> > > rule for SECURITY processing. In this case, the security session provided
> > > as conf would be NULL.

SPI values are normally used to uniquely identify the SA that needs to be
applied on a particular flow. I believe SPI value should not be a range for
applying a particular SA or session.

Plain packet IP addresses can be a range. That is not an issue.
Multiple plain packet flows can use the same session/SA. Why do you feel that
security session provided should be NULL to support multiple flows? How will
the keys and other SA related info be passed to the driver/HW?

> > >
> > > Application should do an rte_flow_validate() to make sure the flow is
> > > supported on the PMD.
> > >
> > > Signed-off-by: Anoob Joseph <ano...@marvell.com>
> > > --- > > > lib/librte_ethdev/rte_flow.h | 6 ++++++ > > > 1 file changed, 6 insertions(+) > > > > > > diff --git a/lib/librte_ethdev/rte_flow.h > > > b/lib/librte_ethdev/rte_flow.h index f3a8fb1..4977d3c 100644 > > > --- a/lib/librte_ethdev/rte_flow.h > > > +++ b/lib/librte_ethdev/rte_flow.h > > > @@ -1879,6 +1879,12 @@ struct rte_flow_action_meter { > > > * direction. > > > * > > > * Multiple flows can be configured to use the same security session. > > > + * > > > + * The NULL value is allowed for security session. If security > > > + session is NULL, > > > + * then SPI field in ESP flow item and IP addresses in flow items > > > + 'IPv4' and > > > + * 'IPv6' will be allowed to be a range. The rule thus created can > > > + enable > > > + * SECURITY processing on multiple flows. > > > + * > > > */ > > > struct rte_flow_action_security { > > > void *security_session; /**< Pointer to security session structure. > > > */ > > > -- > > > 2.7.4
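
Review bot: The comment added above struct rte_flow_action_security permits a NULL security_session but does not say where the PMD gets the SA parameters (keys and the other per-SA state) for packets that match the ranged rule; the doc block should state what carries that state when the session pointer is NULL. It also leaves "a range" undefined: say how the range is expressed in the ESP, IPv4 and IPv6 items (the items' spec/last/mask fields), and carry the commit message's rte_flow_validate() requirement into the comment so it is visible in the header. The extra blank " * " line added just before the closing "*/" can be dropped.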