Hi, Piotr

My question is that the src and dst entries in fp_5tuple in function ipsec_fp_ip4_add_policy are different from the src and dst entries in fp_5tuple in function ipsec4_input_node. So the inbound match will fail.

You see, in the IKE code kernel_vpp_ipsec.c, the mp->entry.local_address and mp->entry.remote_address are taken from the traffic selector address, not the ipsec tunnel local and remote address. So in the VPP code, vl_api_ipsec_spd_entry_add_del_t_handler -> ipsec_add_del_policy -> ipsec_fp_add_del_policy, all src and dst addresses in ipsec_policy_t are traffic selector addresses (ipsec tunnel inner addresses).

In ipsec4_input_node, the src and dst in ipsec_fp_in_5tuple_from_ip4_range are the ipsec tunnel local and remote addresses (ipsec tunnel outer header addresses). This is right for the ipsec outbound direction, but for the inbound direction, adding a policy into the fpd table should use the ipsec tunnel src and dst addresses, not the traffic selector addresses.

Guangming
zhangguangm...@baicells.com

From: Bronowski, PiotrX
Date: 2023-02-13 05:13
To: zhang, Guangming; vpp-dev
Subject: Re: [vpp-dev] One question about fast path ipv4 inbound

Hi Guangming

I am not sure if I understand your question. There was a bug in the implementation of fast path for inbound traffic, where I’ve messed up translation of src and dst to the local and remote address, but it has been fixed with

commit 1d9780a43fe54a55c7540f3528b8703ede0a5871
Author: Piotr Bronowski piotrx.bronow...@intel.com
Date: Fri Oct 21 15:48:55 2022 +0000

BR,
Piotr

From: zhangguangm...@baicells.com <zhangguangm...@baicells.com>
Sent: Saturday, February 11, 2023 11:04 AM
To: Bronowski, PiotrX <piotrx.bronow...@intel.com>; vpp-dev <vpp-dev@lists.fd.io>
Subject: One question about fast path ipv4 inbound

Hi Piotr,

I found you work on the ipsec policy mode optimization, introduced a fast path for ipsec policy match. In the fast path ipv4 inbound, to add an item into the hash you used the traffic selector src and dst address, but to search for an item in the hash you used the ESP packet src and dst address (tunnel outer header address).

Is this a bug, or do you have some special code that I did not find?

Thanks
Guangming
zhangguangm...@baicells.com
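
A simplified model of the concern discussed in this thread, added here as an illustration and not taken from VPP or from either poster: an exact-match table is populated under one address pair and then searched with the outer-header addresses of a received ESP packet. The table layout, all function names, the policy id and the addresses are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define IP4(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))
#define SLOTS 16

/* Hypothetical model: only the address pair of the 5-tuple is keyed. */
struct addr_key { uint32_t src, dst; };
struct slot { struct addr_key k; int policy_id; int used; };
struct table { struct slot s[SLOTS]; };

static unsigned slot_of(struct addr_key k) {
    return (k.src * 2654435761u ^ k.dst * 40503u) % SLOTS;
}

/* Insert with linear probing; returns 0 on success, -1 if the table is full. */
int table_add(struct table *t, struct addr_key k, int policy_id) {
    for (unsigned i = 0, h = slot_of(k); i < SLOTS; i++, h = (h + 1) % SLOTS)
        if (!t->s[h].used) {
            t->s[h] = (struct slot){ k, policy_id, 1 };
            return 0;
        }
    return -1;
}

/* Exact-match lookup; returns the policy id, or -1 on a miss. */
int table_lookup(const struct table *t, struct addr_key k) {
    for (unsigned i = 0, h = slot_of(k); i < SLOTS; i++, h = (h + 1) % SLOTS) {
        if (!t->s[h].used) return -1;
        if (t->s[h].k.src == k.src && t->s[h].k.dst == k.dst)
            return t->s[h].policy_id;
    }
    return -1;
}

/* Constructed sample addresses (documentation ranges). */
static const struct addr_key inner = { IP4(192,0,2,10), IP4(198,51,100,20) }; /* traffic selector */
static const struct addr_key outer = { IP4(203,0,113,1), IP4(203,0,113,2) };  /* ESP outer header */

/* Add a policy under add_key, then look up with the received packet's
   outer-header addresses, as the inbound lookup in this model does. */
int inbound_match(struct addr_key add_key) {
    struct table t = {0};
    table_add(&t, add_key, 7);
    return table_lookup(&t, outer);
}
int main(void) {
    printf("added with traffic selector addresses: %d\n", inbound_match(inner));
    printf("added with tunnel outer addresses:     %d\n", inbound_match(outer));
    return 0;
}
```

In this model the lookup only hits when the add path and the lookup path derive the key from the same address pair.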