[PATCH v2] api: ipsec: improve inline IPsec config through inline SA scope #1408
Conversation
odpbuild
changed the title
This is WIP for discussion and an alternative to an approach where the concept of "ipsec instance" is added. Add a concept of inline SA scope that defines one or more pktios where an inline SA can be used. The scope can also include look-a-side processing for cases where an SA state can be shared between inline processing and async look-a-side processing. Inline SA scope is added to SA creation parameters. Inline SA scopes of different SAs can overlap. Add new capability functions that take inline SA scope as a parameter. Add new pktio specific inline IPsec config function. Signed-off-by: Janne Peltonen <[email protected]>
JannePeltonen
force-pushed
the
ipsec-inline-scope
branch
from
2f5c1f8 to
a16f168
Compare
odpbuild
changed the title
|
v2: fixed a couple of typos. |
| * @see odp_ipsec_inline_capability(), odp_ipsec_config_init() | ||
| */ | ||
| int odp_ipsec_inline_config(odp_pktio_t pktio, | ||
| const odp_ipsec_config_t *config); |
There was a problem hiding this comment.
Some of the contents in odp_ipsec_config_t such as mode is not probably needed.
Can the required inline related config be part of odp_pktio_config_t instead of this new API ?
| * @retval 0 on success | ||
| * @retval <0 on failure | ||
| */ | ||
| int odp_ipsec_inline_capability(const odp_ipsec_inline_sa_scope_t *scope, |
There was a problem hiding this comment.
This capability can be part of odp_pktio_capability_t ?
There was a problem hiding this comment.
This capability is associated with the SA scope, which consists of one or more pktios and possibly look-a-side too. The same pktio could be used within different scopes. For instance pktio A could support HMAC-MD5 but pktio B not, then the capabilities for the scope that includes both pktio A and B cannot include HMAC-MD5.
Tying inline capabilities directly to pktios would not allow one to express what is supported when an SA state can be shared between multiple pktios (or a pktio and look-a-side).
| /** Scope where this SA can be used. Ignored if inline | ||
| * processing is not enabled. */ | ||
| odp_ipsec_inline_sa_scope_t inline_scope; | ||
| } inline_param; |
There was a problem hiding this comment.
This method of a associating PKTIO with Inline SA looks fine to me.
This is WIP for discussion and an alternative to an approach where
the concept of "ipsec instance" is added.
Add a concept of inline SA scope that defines one or more pktios where an
inline SA can be used. The scope can also include look-a-side processing
for cases where an SA state can be shared between inline processing and
async look-a-side processing.
Inline SA scope is added to SA creation parameters. Inline SA scopes
of different SAs can overlap.
Add new capability functions that take inline SA scope as a parameter.
Add new pktio specific inline IPsec config function.
Signed-off-by: Janne Peltonen [email protected]