[v4,1/3] security: add anti replay window size
Checks
Commit Message
At present the ipsec xfrom is missing the important step
to configure the anti replay window size.
The newly added field will also help in to enable or disable
the anti replay checking, if available in offload by means
of non-zero or zero value.
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
doc/guides/rel_notes/release_19_11.rst | 6 +++++-
lib/librte_security/Makefile | 2 +-
lib/librte_security/meson.build | 2 +-
lib/librte_security/rte_security.h | 4 ++++
4 files changed, 11 insertions(+), 3 deletions(-)
Comments
Hi Hemant,
How would the PMD specify whether anit-replay is supported or not? Do you have plans to introduce it as a capability? Or do you expect the session creation to fail if the feature is not supported by underlying PMD and the anti replay window size is set.
Thanks,
Anoob
> -----Original Message-----
> From: dev <dev-bounces@dpdk.org> On Behalf Of Hemant Agrawal
> Sent: Thursday, October 31, 2019 10:25 AM
> To: dev@dpdk.org; akhil.goyal@nxp.com
> Cc: konstantin.ananyev@intel.com; Hemant Agrawal
> <hemant.agrawal@nxp.com>
> Subject: [dpdk-dev] [PATCH v4 1/3] security: add anti replay window size
>
> At present the ipsec xfrom is missing the important step to configure the anti
> replay window size.
> The newly added field will also help in to enable or disable the anti replay
> checking, if available in offload by means of non-zero or zero value.
>
> Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
> ---
> doc/guides/rel_notes/release_19_11.rst | 6 +++++-
> lib/librte_security/Makefile | 2 +-
> lib/librte_security/meson.build | 2 +-
> lib/librte_security/rte_security.h | 4 ++++
> 4 files changed, 11 insertions(+), 3 deletions(-)
>
> diff --git a/doc/guides/rel_notes/release_19_11.rst
> b/doc/guides/rel_notes/release_19_11.rst
> index ae8e7b2f0..0508ec545 100644
> --- a/doc/guides/rel_notes/release_19_11.rst
> +++ b/doc/guides/rel_notes/release_19_11.rst
> @@ -365,6 +365,10 @@ ABI Changes
> align the Ethernet header on receive and all known encapsulations
> preserve the alignment of the header.
>
> +* security: A new field ''replay_win_sz'' has been added to the
> +structure
> + ``rte_security_ipsec_xform``, which specify the Anti replay window
> +size
> + to enable sequence replay attack handling.
> +
>
> Shared Library Versions
> -----------------------
> @@ -437,7 +441,7 @@ The libraries prepended with a plus sign were
> incremented in this version.
> librte_reorder.so.1
> librte_ring.so.2
> + librte_sched.so.4
> - librte_security.so.2
> + + librte_security.so.3
> librte_stack.so.1
> librte_table.so.3
> librte_timer.so.1
> diff --git a/lib/librte_security/Makefile b/lib/librte_security/Makefile index
> 6708effdb..6a268ee2a 100644
> --- a/lib/librte_security/Makefile
> +++ b/lib/librte_security/Makefile
> @@ -7,7 +7,7 @@ include $(RTE_SDK)/mk/rte.vars.mk LIB = librte_security.a
>
> # library version
> -LIBABIVER := 2
> +LIBABIVER := 3
>
> # build flags
> CFLAGS += -O3
> diff --git a/lib/librte_security/meson.build b/lib/librte_security/meson.build
> index a5130d2f6..6fed01273 100644
> --- a/lib/librte_security/meson.build
> +++ b/lib/librte_security/meson.build
> @@ -1,7 +1,7 @@
> # SPDX-License-Identifier: BSD-3-Clause # Copyright(c) 2017-2019 Intel
> Corporation
>
> -version = 2
> +version = 3
> sources = files('rte_security.c')
> headers = files('rte_security.h', 'rte_security_driver.h') deps += ['mempool',
> 'cryptodev'] diff --git a/lib/librte_security/rte_security.h
> b/lib/librte_security/rte_security.h
> index aaafdfcd7..195ad5645 100644
> --- a/lib/librte_security/rte_security.h
> +++ b/lib/librte_security/rte_security.h
> @@ -212,6 +212,10 @@ struct rte_security_ipsec_xform {
> /**< Tunnel parameters, NULL for transport mode */
> uint64_t esn_soft_limit;
> /**< ESN for which the overflow event need to be raised */
> + uint32_t replay_win_sz;
> + /**< Anti replay window size to enable sequence replay attack handling.
> + * replay checking is disabled if the window size is 0.
> + */
> };
>
> /**
> --
> 2.17.1
Hi Anoop,
> -----Original Message-----
> Hi Hemant,
>
> How would the PMD specify whether anit-replay is supported or not? Do you
> have plans to introduce it as a capability? Or do you expect the session
> creation to fail if the feature is not supported by underlying PMD and the anti
> replay window size is set.
[Hemant] We can add it as part of capability set.
I believe following should help:
uint32_t max_replay_win_sz;
Sending it as 0 will indicate the app that replay_win is not support.
>
> Thanks,
> Anoob
>
> > -----Original Message-----
> > From: dev <dev-bounces@dpdk.org> On Behalf Of Hemant Agrawal
> > Sent: Thursday, October 31, 2019 10:25 AM
> > To: dev@dpdk.org; akhil.goyal@nxp.com
> > Cc: konstantin.ananyev@intel.com; Hemant Agrawal
> > <hemant.agrawal@nxp.com>
> > Subject: [dpdk-dev] [PATCH v4 1/3] security: add anti replay window
> > size
> >
> > At present the ipsec xfrom is missing the important step to configure
> > the anti replay window size.
> > The newly added field will also help in to enable or disable the anti
> > replay checking, if available in offload by means of non-zero or zero value.
> >
> > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
> > ---
> > doc/guides/rel_notes/release_19_11.rst | 6 +++++-
> > lib/librte_security/Makefile | 2 +-
> > lib/librte_security/meson.build | 2 +-
> > lib/librte_security/rte_security.h | 4 ++++
> > 4 files changed, 11 insertions(+), 3 deletions(-)
> >
> > diff --git a/doc/guides/rel_notes/release_19_11.rst
> > b/doc/guides/rel_notes/release_19_11.rst
> > index ae8e7b2f0..0508ec545 100644
> > --- a/doc/guides/rel_notes/release_19_11.rst
> > +++ b/doc/guides/rel_notes/release_19_11.rst
> > @@ -365,6 +365,10 @@ ABI Changes
> > align the Ethernet header on receive and all known encapsulations
> > preserve the alignment of the header.
> >
> > +* security: A new field ''replay_win_sz'' has been added to the
> > +structure
> > + ``rte_security_ipsec_xform``, which specify the Anti replay window
> > +size
> > + to enable sequence replay attack handling.
> > +
> >
> > Shared Library Versions
> > -----------------------
> > @@ -437,7 +441,7 @@ The libraries prepended with a plus sign were
> > incremented in this version.
> > librte_reorder.so.1
> > librte_ring.so.2
> > + librte_sched.so.4
> > - librte_security.so.2
> > + + librte_security.so.3
> > librte_stack.so.1
> > librte_table.so.3
> > librte_timer.so.1
> > diff --git a/lib/librte_security/Makefile
> > b/lib/librte_security/Makefile index 6708effdb..6a268ee2a 100644
> > --- a/lib/librte_security/Makefile
> > +++ b/lib/librte_security/Makefile
> > @@ -7,7 +7,7 @@ include $(RTE_SDK)/mk/rte.vars.mk LIB =
> > librte_security.a
> >
> > # library version
> > -LIBABIVER := 2
> > +LIBABIVER := 3
> >
> > # build flags
> > CFLAGS += -O3
> > diff --git a/lib/librte_security/meson.build
> > b/lib/librte_security/meson.build index a5130d2f6..6fed01273 100644
> > --- a/lib/librte_security/meson.build
> > +++ b/lib/librte_security/meson.build
> > @@ -1,7 +1,7 @@
> > # SPDX-License-Identifier: BSD-3-Clause # Copyright(c) 2017-2019
> > Intel Corporation
> >
> > -version = 2
> > +version = 3
> > sources = files('rte_security.c')
> > headers = files('rte_security.h', 'rte_security_driver.h') deps +=
> > ['mempool', 'cryptodev'] diff --git
> > a/lib/librte_security/rte_security.h
> > b/lib/librte_security/rte_security.h
> > index aaafdfcd7..195ad5645 100644
> > --- a/lib/librte_security/rte_security.h
> > +++ b/lib/librte_security/rte_security.h
> > @@ -212,6 +212,10 @@ struct rte_security_ipsec_xform {
> > /**< Tunnel parameters, NULL for transport mode */
> > uint64_t esn_soft_limit;
> > /**< ESN for which the overflow event need to be raised */
> > + uint32_t replay_win_sz;
> > + /**< Anti replay window size to enable sequence replay attack
> handling.
> > + * replay checking is disabled if the window size is 0.
> > + */
> > };
> >
> > /**
> > --
> > 2.17.1
> At present the ipsec xfrom is missing the important step
> to configure the anti replay window size.
> The newly added field will also help in to enable or disable
> the anti replay checking, if available in offload by means
> of non-zero or zero value.
>
> Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
> ---
> doc/guides/rel_notes/release_19_11.rst | 6 +++++-
> lib/librte_security/Makefile | 2 +-
> lib/librte_security/meson.build | 2 +-
> lib/librte_security/rte_security.h | 4 ++++
> 4 files changed, 11 insertions(+), 3 deletions(-)
>
> diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst
> index ae8e7b2f0..0508ec545 100644
> --- a/doc/guides/rel_notes/release_19_11.rst
> +++ b/doc/guides/rel_notes/release_19_11.rst
> @@ -365,6 +365,10 @@ ABI Changes
> align the Ethernet header on receive and all known encapsulations
> preserve the alignment of the header.
>
> +* security: A new field ''replay_win_sz'' has been added to the structure
> + ``rte_security_ipsec_xform``, which specify the Anti replay window size
> + to enable sequence replay attack handling.
> +
>
> Shared Library Versions
> -----------------------
> @@ -437,7 +441,7 @@ The libraries prepended with a plus sign were incremented in this version.
> librte_reorder.so.1
> librte_ring.so.2
> + librte_sched.so.4
> - librte_security.so.2
> + + librte_security.so.3
> librte_stack.so.1
> librte_table.so.3
> librte_timer.so.1
> diff --git a/lib/librte_security/Makefile b/lib/librte_security/Makefile
> index 6708effdb..6a268ee2a 100644
> --- a/lib/librte_security/Makefile
> +++ b/lib/librte_security/Makefile
> @@ -7,7 +7,7 @@ include $(RTE_SDK)/mk/rte.vars.mk
> LIB = librte_security.a
>
> # library version
> -LIBABIVER := 2
> +LIBABIVER := 3
>
> # build flags
> CFLAGS += -O3
> diff --git a/lib/librte_security/meson.build b/lib/librte_security/meson.build
> index a5130d2f6..6fed01273 100644
> --- a/lib/librte_security/meson.build
> +++ b/lib/librte_security/meson.build
> @@ -1,7 +1,7 @@
> # SPDX-License-Identifier: BSD-3-Clause
> # Copyright(c) 2017-2019 Intel Corporation
>
> -version = 2
> +version = 3
> sources = files('rte_security.c')
> headers = files('rte_security.h', 'rte_security_driver.h')
> deps += ['mempool', 'cryptodev']
> diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h
> index aaafdfcd7..195ad5645 100644
> --- a/lib/librte_security/rte_security.h
> +++ b/lib/librte_security/rte_security.h
> @@ -212,6 +212,10 @@ struct rte_security_ipsec_xform {
> /**< Tunnel parameters, NULL for transport mode */
> uint64_t esn_soft_limit;
> /**< ESN for which the overflow event need to be raised */
> + uint32_t replay_win_sz;
> + /**< Anti replay window size to enable sequence replay attack handling.
> + * replay checking is disabled if the window size is 0.
> + */
> };
>
> /**
> --
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
> 2.17.1
@@ -365,6 +365,10 @@ ABI Changes
align the Ethernet header on receive and all known encapsulations
preserve the alignment of the header.
+* security: A new field ''replay_win_sz'' has been added to the structure
+ ``rte_security_ipsec_xform``, which specify the Anti replay window size
+ to enable sequence replay attack handling.
+
Shared Library Versions
-----------------------
@@ -437,7 +441,7 @@ The libraries prepended with a plus sign were incremented in this version.
librte_reorder.so.1
librte_ring.so.2
+ librte_sched.so.4
- librte_security.so.2
+ + librte_security.so.3
librte_stack.so.1
librte_table.so.3
librte_timer.so.1
@@ -7,7 +7,7 @@ include $(RTE_SDK)/mk/rte.vars.mk
LIB = librte_security.a
# library version
-LIBABIVER := 2
+LIBABIVER := 3
# build flags
CFLAGS += -O3
@@ -1,7 +1,7 @@
# SPDX-License-Identifier: BSD-3-Clause
# Copyright(c) 2017-2019 Intel Corporation
-version = 2
+version = 3
sources = files('rte_security.c')
headers = files('rte_security.h', 'rte_security_driver.h')
deps += ['mempool', 'cryptodev']
@@ -212,6 +212,10 @@ struct rte_security_ipsec_xform {
/**< Tunnel parameters, NULL for transport mode */
uint64_t esn_soft_limit;
/**< ESN for which the overflow event need to be raised */
+ uint32_t replay_win_sz;
+ /**< Anti replay window size to enable sequence replay attack handling.
+ * replay checking is disabled if the window size is 0.
+ */
};
/**