[1/2] security: add anti replay window size

Message ID 20191025062021.18052-1-hemant.agrawal@nxp.com
State New
Headers show
Series
  • [1/2] security: add anti replay window size
Related show

Commit Message

Hemant Agrawal Oct. 25, 2019, 6:20 a.m.
At present the ipsec xfrom is missing the important step
to configure the anti replay window size.
The newly added field will also help in to enable or disable
the anti replay checking, if available in offload by means
of non-zero or zero value.

Currently similar field is available in rte_ipsec lib for
software ipsec usage. The newly introduced filed can replace
that field as well eventually.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>

---
 lib/librte_security/rte_security.h | 4 ++++
 1 file changed, 4 insertions(+)

-- 
2.17.1

Comments

Ananyev, Konstantin Oct. 25, 2019, 10 a.m. | #1
Hi Hemant,

> 

> At present the ipsec xfrom is missing the important step

> to configure the anti replay window size.

> The newly added field will also help in to enable or disable

> the anti replay checking, if available in offload by means

> of non-zero or zero value.


+1 for those changes.
Though AFAIK, it will be an ABI breakage, right?
So probably deserves changes in release notes.

> 

> Currently similar field is available in rte_ipsec lib for

> software ipsec usage. 


Yep, the only thing why it was put here - to avoid ABI breakage
within rte_security.
Having it in the rte_security_ipsec_xform makes much more sense. 

>The newly introduced filed can replace

> that field as well eventually.


My suggestion would be to update librte_ipsec as part of these
patch series.

> 

> Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>

> ---

>  lib/librte_security/rte_security.h | 4 ++++

>  1 file changed, 4 insertions(+)

> 

> diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h

> index aaafdfcd7..195ad5645 100644

> --- a/lib/librte_security/rte_security.h

> +++ b/lib/librte_security/rte_security.h

> @@ -212,6 +212,10 @@ struct rte_security_ipsec_xform {

>  	/**< Tunnel parameters, NULL for transport mode */

>  	uint64_t esn_soft_limit;

>  	/**< ESN for which the overflow event need to be raised */

> +	uint32_t replay_win_sz;

> +	/**< Anti replay window size to enable sequence replay attack handling.

> +	 * replay checking is disabled if the window size is 0.

> +	 */

>  };
Hemant Agrawal Oct. 25, 2019, 3:56 p.m. | #2
Hi Konstantin,

> -----Original Message-----

> From: Ananyev, Konstantin <konstantin.ananyev@intel.com>

> Sent: Friday, October 25, 2019 3:30 PM

> To: Hemant Agrawal <hemant.agrawal@nxp.com>; dev@dpdk.org; Akhil

> Goyal <akhil.goyal@nxp.com>; Doherty, Declan <declan.doherty@intel.com>

> Subject: RE: [dpdk-dev] [PATCH 1/2] security: add anti replay window size

> Importance: High

> 

> Hi Hemant,

> 

> >

> > At present the ipsec xfrom is missing the important step to configure

> > the anti replay window size.

> > The newly added field will also help in to enable or disable the anti

> > replay checking, if available in offload by means of non-zero or zero

> > value.

> 

> +1 for those changes.

> Though AFAIK, it will be an ABI breakage, right?

> So probably deserves changes in release notes.


[Hemant] ok
> 

> >

> > Currently similar field is available in rte_ipsec lib for software

> > ipsec usage.

> 

> Yep, the only thing why it was put here - to avoid ABI breakage within

> rte_security.

> Having it in the rte_security_ipsec_xform makes much more sense.

> 

> >The newly introduced filed can replace

> > that field as well eventually.

> 

> My suggestion would be to update librte_ipsec as part of these patch series.

> 

[Hemant] will do it in v2

> >

> > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>

> > ---

> >  lib/librte_security/rte_security.h | 4 ++++

> >  1 file changed, 4 insertions(+)

> >

> > diff --git a/lib/librte_security/rte_security.h

> > b/lib/librte_security/rte_security.h

> > index aaafdfcd7..195ad5645 100644

> > --- a/lib/librte_security/rte_security.h

> > +++ b/lib/librte_security/rte_security.h

> > @@ -212,6 +212,10 @@ struct rte_security_ipsec_xform {

> >  	/**< Tunnel parameters, NULL for transport mode */

> >  	uint64_t esn_soft_limit;

> >  	/**< ESN for which the overflow event need to be raised */

> > +	uint32_t replay_win_sz;

> > +	/**< Anti replay window size to enable sequence replay attack

> handling.

> > +	 * replay checking is disabled if the window size is 0.

> > +	 */

> >  };

> 

> 

>

Patch

diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h
index aaafdfcd7..195ad5645 100644
--- a/lib/librte_security/rte_security.h
+++ b/lib/librte_security/rte_security.h
@@ -212,6 +212,10 @@  struct rte_security_ipsec_xform {
 	/**< Tunnel parameters, NULL for transport mode */
 	uint64_t esn_soft_limit;
 	/**< ESN for which the overflow event need to be raised */
+	uint32_t replay_win_sz;
+	/**< Anti replay window size to enable sequence replay attack handling.
+	 * replay checking is disabled if the window size is 0.
+	 */
 };
 
 /**