From: Leon Romanovsky <leon@kernel.org>
To: Steffen Klassert <steffen.klassert@secunet.com>
Cc: "David S . Miller" <davem@davemloft.net>,
Herbert Xu <herbert@gondor.apana.org.au>,
netdev@vger.kernel.org, Raed Salem <raeds@nvidia.com>,
ipsec-devel <devel@linux-ipsec.org>
Subject: Re: [PATCH xfrm-next v2 0/6] Extend XFRM core to allow full offload configuration
Date: Mon, 22 Aug 2022 12:34:44 +0300
Message-ID: <YwNNtOqQIDM2lSdC@unreal>
In-Reply-To: <20220822083443.GH2602992@gauss3.secunet.de>
On Mon, Aug 22, 2022 at 10:34:43AM +0200, Steffen Klassert wrote:
> On Thu, Aug 18, 2022 at 04:26:39PM +0300, Leon Romanovsky wrote:
> > On Thu, Aug 18, 2022 at 12:09:30PM +0200, Steffen Klassert wrote:
> > > Hi Leon,
> > >
> > > On Tue, Aug 16, 2022 at 11:59:21AM +0300, Leon Romanovsky wrote:
> > > > From: Leon Romanovsky <leonro@nvidia.com>
> > > >
> > > > Changelog:
> > > > v2:
> > > > * Rebased to latest 6.0-rc1
> > > > * Add an extra check in TX datapath patch to validate packets before
> > > > forwarding to HW.
> > > > * Added policy cleanup logic in case of netdev down event
> > > > v1: https://lore.kernel.org/all/cover.1652851393.git.leonro@nvidia.com
> > > > * Moved comment to be before if (...) in third patch.
> > > > v0: https://lore.kernel.org/all/cover.1652176932.git.leonro@nvidia.com
> > > > -----------------------------------------------------------------------
> > > >
> > > > The following series extends XFRM core code to handle new type of IPsec
> > > > offload - full offload.
> > > >
> > > > In this mode, the HW is going to be responsible for whole data path, so
> > > > both policy and state should be offloaded.
> > >
> > > some general comments about the patchset:
> > >
> > > As implemented, the software does not hold any state.
> > > I.e. there is no sync between hardware and software
> > > regarding stats, lifetime, lifebyte, packet counts
> > > and replay window. IKE rekeying and auditing is based
> > > on these, how should this be done?
> >
> > This is only a rough idea as we only started to implement the needed
> > support in libreswan, but our plan is to configure IKE with the
> > highest possible priority
>
> If it is only a rough idea, then mark it as RFC. I want to see
> the whole picture before we merge it. And btw. tunnel mode
> belongs to the whole picture too.
It is rough in the sense that we don't have code to present yet.
We did an arch review of this IKE approach and it is how we are
implementing it.
>
> >
> > >
> > > I have not seen anything that catches configurations
> > > that stack multiple tunnels with the outer offloaded.
> > >
> > > Where do we make sure that policy offloading device
> > > is the same as the state offloading device?
> >
> > It is a configuration error and we don't check it. Should we?
>
> We should at least make sure to not send out packets untransformed
> in this case.
In the TX SW path, if the state doesn't exist, the packets will be sent
unencrypted. This "wrong" device configuration in the offloaded path
has the same behavior as not having a state at all.
Thanks
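The device-mismatch case raised above, modelled as an added stand-alone example (not code from this series or from the kernel's xfrm code; the `*_model` structs, `full_offload_tx_verdict()` and the verdict values are hypothetical): a packet matched by an offloaded policy is dropped, rather than sent untransformed, when no offloaded state exists or the state sits on a different device than the policy.

```c
#include <stdio.h>
#include <stdbool.h>

/* Hypothetical model types; NOT the kernel's struct xfrm_policy / xfrm_state. */
struct netdev_model { const char *name; };

struct policy_model {
    bool offloaded;                 /* policy was handed to a NIC */
    const struct netdev_model *dev; /* NIC holding the policy, or NULL */
};

struct state_model {
    bool offloaded;                 /* SA was handed to a NIC */
    const struct netdev_model *dev; /* NIC holding the SA, or NULL */
};

enum tx_verdict { TX_SOFTWARE = 0, TX_OFFLOAD = 1, TX_DROP = 2 };

/* Fail closed: once a policy is offloaded, only a matching offloaded state
 * on the very same device may let the packet through to the hardware. */
enum tx_verdict full_offload_tx_verdict(const struct policy_model *pol,
                                        const struct state_model *x)
{
    if (!pol->offloaded)
        return TX_SOFTWARE;          /* regular software xfrm path decides */
    if (!x || !x->offloaded)
        return TX_DROP;              /* nothing would transform the packet */
    if (pol->dev != x->dev)
        return TX_DROP;              /* NIC with the policy lacks the SA */
    return TX_OFFLOAD;
}

int main(void)
{
    /* constructed sample configuration */
    const struct netdev_model eth0 = { "eth0" }, eth1 = { "eth1" };
    const struct policy_model pol = { true, &eth0 };
    const struct state_model same = { true, &eth0 }, other = { true, &eth1 };

    printf("same device : %d\n", full_offload_tx_verdict(&pol, &same));  /* 1 */
    printf("other device: %d\n", full_offload_tx_verdict(&pol, &other)); /* 2 */
    printf("no state    : %d\n", full_offload_tx_verdict(&pol, NULL));   /* 2 */
    return 0;
}
```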