diff mbox series

[v5,1/3] security: add anti replay window size

Message ID 20191031131502.12504-1-hemant.agrawal@nxp.com
State Superseded
Headers show
Series [v5,1/3] security: add anti replay window size | expand

Commit Message

Hemant Agrawal Oct. 31, 2019, 1:15 p.m. UTC 
At present the ipsec xfrom is missing the important step
to configure the anti replay window size.
The newly added field will also help in to enable or disable
the anti replay checking, if available in offload by means
of non-zero or zero value.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>

Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>

---
 doc/guides/rel_notes/release_19_11.rst | 6 +++++-
 lib/librte_security/Makefile           | 2 +-
 lib/librte_security/meson.build        | 2 +-
 lib/librte_security/rte_security.h     | 8 ++++++++
 4 files changed, 15 insertions(+), 3 deletions(-)

-- 
2.17.1

Comments

Anoob Joseph Nov. 1, 2019, 6:16 a.m. UTC | #1 
Hi Hemant,

Please see inline.

> -----Original Message-----

> From: Hemant Agrawal <hemant.agrawal@nxp.com>

> Sent: Thursday, October 31, 2019 6:45 PM

> To: dev@dpdk.org; akhil.goyal@nxp.com

> Cc: konstantin.ananyev@intel.com; Anoob Joseph <anoobj@marvell.com>;

> Hemant Agrawal <hemant.agrawal@nxp.com>

> Subject: [EXT] [PATCH v5 1/3] security: add anti replay window size

> 

> External Email

> 

> ----------------------------------------------------------------------

> At present the ipsec xfrom is missing the important step to configure the anti

> replay window size.

> The newly added field will also help in to enable or disable the anti replay

> checking, if available in offload by means of non-zero or zero value.

> 

> Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>

> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>

> ---

>  doc/guides/rel_notes/release_19_11.rst | 6 +++++-

>  lib/librte_security/Makefile           | 2 +-

>  lib/librte_security/meson.build        | 2 +-

>  lib/librte_security/rte_security.h     | 8 ++++++++

>  4 files changed, 15 insertions(+), 3 deletions(-)

> 

> diff --git a/doc/guides/rel_notes/release_19_11.rst

> b/doc/guides/rel_notes/release_19_11.rst

> index ae8e7b2f0..0508ec545 100644

> --- a/doc/guides/rel_notes/release_19_11.rst

> +++ b/doc/guides/rel_notes/release_19_11.rst

> @@ -365,6 +365,10 @@ ABI Changes

>    align the Ethernet header on receive and all known encapsulations

>    preserve the alignment of the header.

> 

> +* security: A new field ''replay_win_sz'' has been added to the

> +structure

> +  ``rte_security_ipsec_xform``, which specify the Anti replay window

> +size

> +  to enable sequence replay attack handling.

> +

> 

>  Shared Library Versions

>  -----------------------

> @@ -437,7 +441,7 @@ The libraries prepended with a plus sign were

> incremented in this version.

>       librte_reorder.so.1

>       librte_ring.so.2

>     + librte_sched.so.4

> -     librte_security.so.2

> +   + librte_security.so.3

>       librte_stack.so.1

>       librte_table.so.3

>       librte_timer.so.1

> diff --git a/lib/librte_security/Makefile b/lib/librte_security/Makefile index

> 6708effdb..6a268ee2a 100644

> --- a/lib/librte_security/Makefile

> +++ b/lib/librte_security/Makefile

> @@ -7,7 +7,7 @@ include $(RTE_SDK)/mk/rte.vars.mk  LIB = librte_security.a

> 

>  # library version

> -LIBABIVER := 2

> +LIBABIVER := 3

> 

>  # build flags

>  CFLAGS += -O3

> diff --git a/lib/librte_security/meson.build b/lib/librte_security/meson.build

> index a5130d2f6..6fed01273 100644

> --- a/lib/librte_security/meson.build

> +++ b/lib/librte_security/meson.build

> @@ -1,7 +1,7 @@

>  # SPDX-License-Identifier: BSD-3-Clause  # Copyright(c) 2017-2019 Intel

> Corporation

> 

> -version = 2

> +version = 3

>  sources = files('rte_security.c')

>  headers = files('rte_security.h', 'rte_security_driver.h')  deps += ['mempool',

> 'cryptodev'] diff --git a/lib/librte_security/rte_security.h

> b/lib/librte_security/rte_security.h

> index aaafdfcd7..216e5370f 100644

> --- a/lib/librte_security/rte_security.h

> +++ b/lib/librte_security/rte_security.h

> @@ -212,6 +212,10 @@ struct rte_security_ipsec_xform {

>  	/**< Tunnel parameters, NULL for transport mode */

>  	uint64_t esn_soft_limit;

>  	/**< ESN for which the overflow event need to be raised */

> +	uint32_t replay_win_sz;

> +	/**< Anti replay window size to enable sequence replay attack handling.

> +	 * replay checking is disabled if the window size is 0.

> +	 */

>  };

> 

>  /**

> @@ -563,6 +567,10 @@ struct rte_security_capability {

>  			/**< IPsec SA direction */

>  			struct rte_security_ipsec_sa_options options;

>  			/**< IPsec SA supported options */

> +			uint32_t replay_win_sz_max;

> +			/**< IPsec Anti Replay Window Size. A '0' value

> +			 * indicates that Anti Replay Window is not supported.


[Anoob] Minor comment. Should it be "Anti Replay is not supported."?
 
> +			 */

>  		} ipsec;

>  		/**< IPsec capability */

>  		struct {

> --

> 2.17.1	


Acked-by: Anoob Joseph <anoobj@marvell.com>
Hemant Agrawal Nov. 1, 2019, 9:48 a.m. UTC | #2 
Hi Anoop,
	Thanks for the comment.

> > +			 * indicates that Anti Replay Window is not

> supported.

> 

> [Anoob] Minor comment. Should it be "Anti Replay is not supported."?


Akhil, will you please take care of it while applying?

Regards,
Hemant
diff mbox series

Patch

diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst
index ae8e7b2f0..0508ec545 100644
--- a/doc/guides/rel_notes/release_19_11.rst
+++ b/doc/guides/rel_notes/release_19_11.rst
@@ -365,6 +365,10 @@  ABI Changes
   align the Ethernet header on receive and all known encapsulations
   preserve the alignment of the header.
 
+* security: A new field ''replay_win_sz'' has been added to the structure
+  ``rte_security_ipsec_xform``, which specify the Anti replay window size
+  to enable sequence replay attack handling.
+
 
 Shared Library Versions
 -----------------------
@@ -437,7 +441,7 @@  The libraries prepended with a plus sign were incremented in this version.
      librte_reorder.so.1
      librte_ring.so.2
    + librte_sched.so.4
-     librte_security.so.2
+   + librte_security.so.3
      librte_stack.so.1
      librte_table.so.3
      librte_timer.so.1
diff --git a/lib/librte_security/Makefile b/lib/librte_security/Makefile
index 6708effdb..6a268ee2a 100644
--- a/lib/librte_security/Makefile
+++ b/lib/librte_security/Makefile
@@ -7,7 +7,7 @@  include $(RTE_SDK)/mk/rte.vars.mk
 LIB = librte_security.a
 
 # library version
-LIBABIVER := 2
+LIBABIVER := 3
 
 # build flags
 CFLAGS += -O3
diff --git a/lib/librte_security/meson.build b/lib/librte_security/meson.build
index a5130d2f6..6fed01273 100644
--- a/lib/librte_security/meson.build
+++ b/lib/librte_security/meson.build
@@ -1,7 +1,7 @@ 
 # SPDX-License-Identifier: BSD-3-Clause
 # Copyright(c) 2017-2019 Intel Corporation
 
-version = 2
+version = 3
 sources = files('rte_security.c')
 headers = files('rte_security.h', 'rte_security_driver.h')
 deps += ['mempool', 'cryptodev']
diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h
index aaafdfcd7..216e5370f 100644
--- a/lib/librte_security/rte_security.h
+++ b/lib/librte_security/rte_security.h
@@ -212,6 +212,10 @@  struct rte_security_ipsec_xform {
 	/**< Tunnel parameters, NULL for transport mode */
 	uint64_t esn_soft_limit;
 	/**< ESN for which the overflow event need to be raised */
+	uint32_t replay_win_sz;
+	/**< Anti replay window size to enable sequence replay attack handling.
+	 * replay checking is disabled if the window size is 0.
+	 */
 };
 
 /**
@@ -563,6 +567,10 @@  struct rte_security_capability {
 			/**< IPsec SA direction */
 			struct rte_security_ipsec_sa_options options;
 			/**< IPsec SA supported options */
+			uint32_t replay_win_sz_max;
+			/**< IPsec Anti Replay Window Size. A '0' value
+			 * indicates that Anti Replay Window is not supported.
+			 */
 		} ipsec;
 		/**< IPsec capability */
 		struct {