From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
To: Willem de Bruijn <willemdebruijn.kernel@gmail.com>,
"Singhai, Anjali" <anjali.singhai@intel.com>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>,
"willemdebruijn.kernel@gmail.com"
<willemdebruijn.kernel@gmail.com>,
Boris Pismenny <borisp@nvidia.com>,
"gal@nvidia.com" <gal@nvidia.com>,
"cratiu@nvidia.com" <cratiu@nvidia.com>,
"rrameshbabu@nvidia.com" <rrameshbabu@nvidia.com>,
"steffen.klassert@secunet.com" <steffen.klassert@secunet.com>,
"tariqt@nvidia.com" <tariqt@nvidia.com>,
Jakub Kicinski <kuba@kernel.org>,
"Samudrala, Sridhar" <sridhar.samudrala@intel.com>,
"Acharya, Arun Kumar" <arun.kumar.acharya@intel.com>
Subject: Re: [RFC net-next 00/15] add basic PSP encryption for TCP connections
Date: Wed, 19 Jun 2024 04:47:46 -0400
Message-ID: <66729b32d6391_276353294be@willemb.c.googlers.com.notmuch>
In-Reply-To: <66729953651ba_2751bc294fa@willemb.c.googlers.com.notmuch>

> > 3. About the PSP and UDP header addition, why is the driver doing it? I guess it's because the SW equivalent for PSP support in the kernel does not exist and just an offload for the device. Again in this case the assumption is either the driver does it or the device will do it.
> > Hope that is irrelevant for the stack. In our case most likely it will be the device doing it.
> >
> > 4. Why is the driver adding the PSP trailer? Hoping this is between the driver and the device, in our case it's the device that will add the trailer.
>
> This does not adhere to the spec:
>
> "An option must be provided that enables upper-level software to send packets that are
> pre-formatted to include the headers required for PSP encapsulation. In this case, the
> NIC will modify the contents of the headers appropriately, apply
> encryption/authentication, and add the PSP trailer to the packet."
>
> https://raw.githubusercontent.com/google/psp/main/doc/PSP_Arch_Spec.pdf

I responded to the wrong statement. This is in response to point 3.

In general, PSP can work in tunnel and transport mode. In transport
mode, it is here assumed to be not transparent, but under control of
the operating system. That inserts the outer encapsulation headers and
prepares all fields as it sees fit. E.g., using the inner 4-tuple as
entropy for the outer UDP source port, and selecting the right SPI.
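
The header preparation described above, as an added example that is not part of the original message or of the RFC patch set: the sender derives the outer UDP source port from the inner 4-tuple and writes the SPI into the PSP header before handing the packet to the NIC. The struct and function names, the FNV-1a hash and the source port range are assumptions made for illustration; the field layout follows the fixed 16-byte PSP header in the specification linked above.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PSP_UDP_DPORT 1000u  /* UDP destination port assigned to PSP */
#define SPORT_MIN 49152u     /* assumption: stay in the dynamic port range */
#define SPORT_SPAN 16384u

struct inner_tuple { uint32_t saddr, daddr; uint16_t sport, dport; };

struct psp_encap {           /* hypothetical: outer UDP + 16-byte PSP header */
    uint16_t udp_sport, udp_dport, udp_len, udp_csum;
    uint8_t next_hdr, hdr_ext_len, crypt_offset, flags;
    uint32_t spi;
    uint64_t iv;
} __attribute__((packed));

/* Same inner flow -> same outer port. FNV-1a stands in for the stack's flow hash. */
uint16_t psp_outer_sport(const struct inner_tuple *t)
{
    const uint8_t *b = (const uint8_t *)t;
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof(*t); i++) { h ^= b[i]; h *= 16777619u; }
    return (uint16_t)(SPORT_MIN + h % SPORT_SPAN);
}

void psp_prepare_encap(struct psp_encap *e, const struct inner_tuple *t, uint32_t spi, uint64_t iv)
{
    memset(e, 0, sizeof(*e));
    e->udp_sport = htons(psp_outer_sport(t));
    e->udp_dport = htons(PSP_UDP_DPORT);
    /* udp_len and udp_csum depend on the payload and are left zero here */
    e->next_hdr = 6;         /* inner protocol: TCP (transport mode) */
    e->hdr_ext_len = 1;      /* 16-byte header, no optional fields */
    e->flags = 0x01;         /* version 0, always-one bit set */
    e->spi = htonl(spi);     /* SPI of the TX association for this peer */
    e->iv = iv;              /* opaque per-packet value */
}

int main(void)
{
    struct inner_tuple t = { htonl(0x0a000001), htonl(0x0a000002), htons(40000), htons(443) };
    struct psp_encap e;
    psp_prepare_encap(&e, &t, 0x1234, 1);   /* constructed sample values */
    printf("outer sport %u, spi 0x%x\n", ntohs(e.udp_sport), ntohl(e.spi));
    return 0;
}
```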