From: Rahul Rameshbabu <rrameshbabu@nvidia.com>
To: Sabrina Dubroca <sd@queasysnail.net>
Cc: netdev@vger.kernel.org, Jakub Kicinski <kuba@kernel.org>,
Paolo Abeni <pabeni@redhat.com>,
Eric Dumazet <edumazet@google.com>,
"David S. Miller" <davem@davemloft.net>,
Saeed Mahameed <saeed@kernel.org>, Gal Pressman <gal@nvidia.com>
Subject: Re: [PATCH net] macsec: Abort MACSec Rx offload datapath when skb is not marked with MACSec metadata
Date: Wed, 15 Nov 2023 08:21:27 -0800 [thread overview]
Message-ID: <874jhnoum0.fsf@nvidia.com> (raw)
In-Reply-To: <ZVThf1Z-hExKlDE2@hog> (Sabrina Dubroca's message of "Wed, 15 Nov 2023 16:19:27 +0100")
On Wed, 15 Nov, 2023 16:19:27 +0100 Sabrina Dubroca <sd@queasysnail.net> wrote:
> 2023-11-06, 14:15:11 -0800, Rahul Rameshbabu wrote:
>> However, I believe that all macsec offload supporting devices run into
>> the following problem today (including mlx5 devices).
>
> If that's the case, we have to fix all of them.
I have an RFC patch series undergoing internal review for supporting
devices that advertise md_dst for handling non-MACsec multicast traffic
sent to the port. In the cover letter, I describe why I do not believe
the same case can be trivially handled for devices that do not support
setting md_dst since there is no way of knowing whether the traffic
received on the port was MACsec or not.
>
>> When I configure macsec offload on a device and then vlan on top of the
>> macsec interface, I become unable to send traffic through the underlying
>> device.
> [...]
>> ping -I mlx5_1 1.1.1.2
>> PING 1.1.1.2 (1.1.1.2) from 1.1.1.1 mlx5_1: 56(84) bytes of data.
>> From 1.1.1.1 icmp_seq=1 Destination Host Unreachable
>> ping: sendmsg: No route to host
>> From 1.1.1.1 icmp_seq=2 Destination Host Unreachable
>> From 1.1.1.1 icmp_seq=3 Destination Host Unreachable
>
> Which packet gets dropped and why? Where? I don't understand how the
> vlan makes a difference in a packet targeting the lower device.
>
>> I am thinking the solution is a combination of annotating which macsec
>> devices support md_dst and this patch.
>
> Yes, if we know that the offloading device sets md_dst on all its
> offloaded packets, we can just look up the rx_sc based on the sci and
> be done, or pass the packet directly to the real device if md_dst
> wasn't provided. No need to go through the MAC address matching at
> all.
>
This is exactly what the RFC patch series I am proposing looks like.
>> However, I am not sure this fix
>> would be helpful for devices that support macsec offload without
>> utilizing md_dst information (would still be problematic).
>
> Yeah, anything relying on md_dst is not going to help the rest of the
> drivers.
Right, I have an example in the cover letter that elaborates on why I do
not think it's possible to support this on devices that do not set
md_dst. I think the existing handling for multicast messages and
promiscuous mode in handle_not_macsec is the most appropriate for
drivers unable to set md_dst to indicate whether traffic received on the
port is MACsec traffic that will be handled by the NIC's offloading
functionality. Let me try to get that RFC out on the list soon for your
review.
--
Thanks,
Rahul Rameshbabu
prev parent reply other threads:[~2023-11-15 16:21 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-01 20:02 [PATCH net] macsec: Abort MACSec Rx offload datapath when skb is not marked with MACSec metadata Rahul Rameshbabu
2023-11-01 22:31 ` Sabrina Dubroca
2023-11-06 22:15 ` Rahul Rameshbabu
2023-11-15 15:19 ` Sabrina Dubroca
2023-11-15 16:21 ` Rahul Rameshbabu [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=874jhnoum0.fsf@nvidia.com \
--to=rrameshbabu@nvidia.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=gal@nvidia.com \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=saeed@kernel.org \
--cc=sd@queasysnail.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).