| Message ID | 1493917206-2630-3-git-send-email-odpbot@yandex.ru |
|---|---|
| State | New |
| Headers | show |
| Series | [API-NEXT,v1,1/2] api: ipsec: add soft limit expiration event | expand |
> -----Original Message----- > From: lng-odp [mailto:lng-odp-bounces@lists.linaro.org] On Behalf Of > Github ODP bot > Sent: Thursday, May 04, 2017 8:00 PM > To: lng-odp@lists.linaro.org > Subject: [lng-odp] [PATCH API-NEXT v1 1/2] api: ipsec: add soft limit > expiration event > > From: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org> > > If outbound packet was processed in inline mode, soft limit expiration > event is not reported, as packet goes to the interface. Instead report > this as an ODP_IPSEC_STATUS_SA_SOFT_EXPIRED. > > Signed-off-by: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org> > --- > /** Email created from pull request 22 (lumag:ipsec-limits) > ** https://github.com/Linaro/odp/pull/22 > ** Patch: https://github.com/Linaro/odp/pull/22.patch > ** Base sha: 0707c974ed19c859fb92778c35a2f92bf7cd9fc6 > ** Merge commit sha: bff71bdc47fecb62fced59449c139d3ea4b44def > **/ > include/odp/api/spec/ipsec.h | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/include/odp/api/spec/ipsec.h b/include/odp/api/spec/ipsec.h > index 384c43d..2f8a007 100644 > --- a/include/odp/api/spec/ipsec.h > +++ b/include/odp/api/spec/ipsec.h > @@ -1080,7 +1080,10 @@ typedef struct odp_ipsec_op_result_t { > */ > typedef enum odp_ipsec_status_id_t { > /** Response to SA disable command */ > - ODP_IPSEC_STATUS_SA_DISABLE = 0 > + ODP_IPSEC_STATUS_SA_DISABLE = 0, > + > + /** Soft limit expired on this SA */ > + ODP_IPSEC_STATUS_SA_SOFT_EXPIRED > > } odp_ipsec_status_id_t; > I was speculating this with Janne. We can to an conclusion that is better not to force every IPsec implementation to run a timer. So, either keep the current situation where time expiry is reported only with packets, or remove the time expiry support altogether. Checking time with incoming packets is easy, compared to running timers (which may need a background thread to serve SA timers, etc). In both cases application would run its own timer, if it needs to notice expiry before packets hit it. -Petri
If this ends up being the selected solution, then I think there needs to be a bit more documentation in the API on what this event means and when it will come. And maybe the application wants to know which of the limits was reached. Janne > -----Original Message----- > From: lng-odp [mailto:lng-odp-bounces@lists.linaro.org] On Behalf Of Github ODP bot > Sent: Thursday, May 04, 2017 8:00 PM > To: lng-odp@lists.linaro.org > Subject: [lng-odp] [PATCH API-NEXT v1 1/2] api: ipsec: add soft limit expiration event > > From: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org> > > If outbound packet was processed in inline mode, soft limit expiration > event is not reported, as packet goes to the interface. Instead report > this as an ODP_IPSEC_STATUS_SA_SOFT_EXPIRED. > > Signed-off-by: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org> > --- > /** Email created from pull request 22 (lumag:ipsec-limits) > ** https://github.com/Linaro/odp/pull/22 > ** Patch: https://github.com/Linaro/odp/pull/22.patch > ** Base sha: 0707c974ed19c859fb92778c35a2f92bf7cd9fc6 > ** Merge commit sha: bff71bdc47fecb62fced59449c139d3ea4b44def > **/ > include/odp/api/spec/ipsec.h | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/include/odp/api/spec/ipsec.h b/include/odp/api/spec/ipsec.h > index 384c43d..2f8a007 100644 > --- a/include/odp/api/spec/ipsec.h > +++ b/include/odp/api/spec/ipsec.h > @@ -1080,7 +1080,10 @@ typedef struct odp_ipsec_op_result_t { > */ > typedef enum odp_ipsec_status_id_t { > /** Response to SA disable command */ > - ODP_IPSEC_STATUS_SA_DISABLE = 0 > + ODP_IPSEC_STATUS_SA_DISABLE = 0, > + > + /** Soft limit expired on this SA */ > + ODP_IPSEC_STATUS_SA_SOFT_EXPIRED > > } odp_ipsec_status_id_t; >
Asking each application to "fill in" for gaps in ODP doesn't seem the right way to go since ODP is supposed to be leveraging the capabilities of the underlying platforms so that applications don't need to do these sort of things in non-optimized ways. Time based limits are part of the IPsec spec, so they need to be part of any ODP implementation of that spec. SoCs that provide IPsec offload incorporate such capabilities directly, so we'd want ODP to be able to leverage those capabilities for applications. For those implementations that do not, running an implementation timer should be no big deal since data planes typically need many timers and any platform that wants to support such applications needs to be able to deal with timers efficiently anyway. Note that implementations are always free to piggyback "time" based expiration on top of packet processing if that's the best they can do, but from the application's perspective this should be transparent for all but degenerate corner cases (e.g., intentionally set up an SA with a limit but no packets flowing to verify the timer expiration). On Fri, May 5, 2017 at 8:50 AM, Peltonen, Janne (Nokia - FI/Espoo) < janne.peltonen@nokia.com> wrote: > If this ends up being the selected solution, then I think > there needs to be a bit more documentation in the API on > what this event means and when it will come. And maybe the > application wants to know which of the limits was reached. > > Janne > > > -----Original Message----- > > From: lng-odp [mailto:lng-odp-bounces@lists.linaro.org] On Behalf Of > Github ODP bot > > Sent: Thursday, May 04, 2017 8:00 PM > > To: lng-odp@lists.linaro.org > > Subject: [lng-odp] [PATCH API-NEXT v1 1/2] api: ipsec: add soft limit > expiration event > > > > From: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org> > > > > If outbound packet was processed in inline mode, soft limit expiration > > event is not reported, as packet goes to the interface. Instead report > > this as an ODP_IPSEC_STATUS_SA_SOFT_EXPIRED. > > > > Signed-off-by: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@ > linaro.org> > > --- > > /** Email created from pull request 22 (lumag:ipsec-limits) > > ** https://github.com/Linaro/odp/pull/22 > > ** Patch: https://github.com/Linaro/odp/pull/22.patch > > ** Base sha: 0707c974ed19c859fb92778c35a2f92bf7cd9fc6 > > ** Merge commit sha: bff71bdc47fecb62fced59449c139d3ea4b44def > > **/ > > include/odp/api/spec/ipsec.h | 5 ++++- > > 1 file changed, 4 insertions(+), 1 deletion(-) > > > > diff --git a/include/odp/api/spec/ipsec.h b/include/odp/api/spec/ipsec.h > > index 384c43d..2f8a007 100644 > > --- a/include/odp/api/spec/ipsec.h > > +++ b/include/odp/api/spec/ipsec.h > > @@ -1080,7 +1080,10 @@ typedef struct odp_ipsec_op_result_t { > > */ > > typedef enum odp_ipsec_status_id_t { > > /** Response to SA disable command */ > > - ODP_IPSEC_STATUS_SA_DISABLE = 0 > > + ODP_IPSEC_STATUS_SA_DISABLE = 0, > > + > > + /** Soft limit expired on this SA */ > > + ODP_IPSEC_STATUS_SA_SOFT_EXPIRED > > > > } odp_ipsec_status_id_t; > > > >
On 05.05.2017 11:12, Savolainen, Petri (Nokia - FI/Espoo) wrote: > > >> -----Original Message----- >> From: lng-odp [mailto:lng-odp-bounces@lists.linaro.org] On Behalf Of >> Github ODP bot >> Sent: Thursday, May 04, 2017 8:00 PM >> To: lng-odp@lists.linaro.org >> Subject: [lng-odp] [PATCH API-NEXT v1 1/2] api: ipsec: add soft limit >> expiration event >> >> From: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org> >> >> If outbound packet was processed in inline mode, soft limit expiration >> event is not reported, as packet goes to the interface. Instead report >> this as an ODP_IPSEC_STATUS_SA_SOFT_EXPIRED. >> >> Signed-off-by: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org> >> --- >> /** Email created from pull request 22 (lumag:ipsec-limits) >> ** https://github.com/Linaro/odp/pull/22 >> ** Patch: https://github.com/Linaro/odp/pull/22.patch >> ** Base sha: 0707c974ed19c859fb92778c35a2f92bf7cd9fc6 >> ** Merge commit sha: bff71bdc47fecb62fced59449c139d3ea4b44def >> **/ >> include/odp/api/spec/ipsec.h | 5 ++++- >> 1 file changed, 4 insertions(+), 1 deletion(-) >> >> diff --git a/include/odp/api/spec/ipsec.h b/include/odp/api/spec/ipsec.h >> index 384c43d..2f8a007 100644 >> --- a/include/odp/api/spec/ipsec.h >> +++ b/include/odp/api/spec/ipsec.h >> @@ -1080,7 +1080,10 @@ typedef struct odp_ipsec_op_result_t { >> */ >> typedef enum odp_ipsec_status_id_t { >> /** Response to SA disable command */ >> - ODP_IPSEC_STATUS_SA_DISABLE = 0 >> + ODP_IPSEC_STATUS_SA_DISABLE = 0, >> + >> + /** Soft limit expired on this SA */ >> + ODP_IPSEC_STATUS_SA_SOFT_EXPIRED >> >> } odp_ipsec_status_id_t; >> > > I was speculating this with Janne. We can to an conclusion that is better not to force every IPsec implementation to run a timer. > > So, either keep the current situation where time expiry is reported only with packets, or remove the time expiry support altogether. Checking time with incoming packets is easy, compared to running timers (which may need a background thread to serve SA timers, etc). In both cases application would run its own timer, if it needs to notice expiry before packets hit it. This was thought as an event for bytes/packets expiry. Not for time-based expiry. -- With best wishes Dmitry
diff --git a/include/odp/api/spec/ipsec.h b/include/odp/api/spec/ipsec.h index 384c43d..2f8a007 100644 --- a/include/odp/api/spec/ipsec.h +++ b/include/odp/api/spec/ipsec.h @@ -1080,7 +1080,10 @@ typedef struct odp_ipsec_op_result_t { */ typedef enum odp_ipsec_status_id_t { /** Response to SA disable command */ - ODP_IPSEC_STATUS_SA_DISABLE = 0 + ODP_IPSEC_STATUS_SA_DISABLE = 0, + + /** Soft limit expired on this SA */ + ODP_IPSEC_STATUS_SA_SOFT_EXPIRED } odp_ipsec_status_id_t;