[API-NEXT,v1,1/2] api: ipsec: add soft limit expiration event

From: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org>


If outbound packet was processed in inline mode, soft limit expiration
event is not reported, as packet goes to the interface. Instead report
this as an ODP_IPSEC_STATUS_SA_SOFT_EXPIRED.

Signed-off-by: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org>

---
/** Email created from pull request 22 (lumag:ipsec-limits)
 ** https://github.com/Linaro/odp/pull/22
 ** Patch: https://github.com/Linaro/odp/pull/22.patch
 ** Base sha: 0707c974ed19c859fb92778c35a2f92bf7cd9fc6
 ** Merge commit sha: bff71bdc47fecb62fced59449c139d3ea4b44def
 **/
 include/odp/api/spec/ipsec.h | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

> -----Original Message-----

> From: lng-odp [mailto:lng-odp-bounces@lists.linaro.org] On Behalf Of

> Github ODP bot

> Sent: Thursday, May 04, 2017 8:00 PM

> To: lng-odp@lists.linaro.org

> Subject: [lng-odp] [PATCH API-NEXT v1 1/2] api: ipsec: add soft limit

> expiration event

> 

> From: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org>

> 

> If outbound packet was processed in inline mode, soft limit expiration

> event is not reported, as packet goes to the interface. Instead report

> this as an ODP_IPSEC_STATUS_SA_SOFT_EXPIRED.

> 

> Signed-off-by: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org>

> ---

> /** Email created from pull request 22 (lumag:ipsec-limits)

>  ** https://github.com/Linaro/odp/pull/22

>  ** Patch: https://github.com/Linaro/odp/pull/22.patch

>  ** Base sha: 0707c974ed19c859fb92778c35a2f92bf7cd9fc6

>  ** Merge commit sha: bff71bdc47fecb62fced59449c139d3ea4b44def

>  **/

>  include/odp/api/spec/ipsec.h | 5 ++++-

>  1 file changed, 4 insertions(+), 1 deletion(-)

> 

> diff --git a/include/odp/api/spec/ipsec.h b/include/odp/api/spec/ipsec.h

> index 384c43d..2f8a007 100644

> --- a/include/odp/api/spec/ipsec.h

> +++ b/include/odp/api/spec/ipsec.h

> @@ -1080,7 +1080,10 @@ typedef struct odp_ipsec_op_result_t {

>   */

>  typedef enum odp_ipsec_status_id_t {

>  	/** Response to SA disable command */

> -	ODP_IPSEC_STATUS_SA_DISABLE = 0

> +	ODP_IPSEC_STATUS_SA_DISABLE = 0,

> +

> +	/** Soft limit expired on this SA */

> +	ODP_IPSEC_STATUS_SA_SOFT_EXPIRED

> 

>  } odp_ipsec_status_id_t;

> 


I was speculating this with Janne. We can to an conclusion that is better not to force every IPsec implementation to run a timer. 

So, either keep the current situation where time expiry is reported only with packets, or remove the time expiry support altogether. Checking time with incoming packets is easy, compared to running timers (which may need a background thread to serve SA timers, etc). In both cases application would run its own timer, if it needs to notice expiry before packets hit it.

-Petri

If this ends up being the selected solution, then I think
there needs to be a bit more documentation in the API on
what this event means and when it will come. And maybe the
application wants to know which of the limits was reached.

	Janne

> -----Original Message-----

> From: lng-odp [mailto:lng-odp-bounces@lists.linaro.org] On Behalf Of Github ODP bot

> Sent: Thursday, May 04, 2017 8:00 PM

> To: lng-odp@lists.linaro.org

> Subject: [lng-odp] [PATCH API-NEXT v1 1/2] api: ipsec: add soft limit expiration event

> 

> From: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org>

> 

> If outbound packet was processed in inline mode, soft limit expiration

> event is not reported, as packet goes to the interface. Instead report

> this as an ODP_IPSEC_STATUS_SA_SOFT_EXPIRED.

> 

> Signed-off-by: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org>

> ---

> /** Email created from pull request 22 (lumag:ipsec-limits)

>  ** https://github.com/Linaro/odp/pull/22

>  ** Patch: https://github.com/Linaro/odp/pull/22.patch

>  ** Base sha: 0707c974ed19c859fb92778c35a2f92bf7cd9fc6

>  ** Merge commit sha: bff71bdc47fecb62fced59449c139d3ea4b44def

>  **/

>  include/odp/api/spec/ipsec.h | 5 ++++-

>  1 file changed, 4 insertions(+), 1 deletion(-)

> 

> diff --git a/include/odp/api/spec/ipsec.h b/include/odp/api/spec/ipsec.h

> index 384c43d..2f8a007 100644

> --- a/include/odp/api/spec/ipsec.h

> +++ b/include/odp/api/spec/ipsec.h

> @@ -1080,7 +1080,10 @@ typedef struct odp_ipsec_op_result_t {

>   */

>  typedef enum odp_ipsec_status_id_t {

>  	/** Response to SA disable command */

> -	ODP_IPSEC_STATUS_SA_DISABLE = 0

> +	ODP_IPSEC_STATUS_SA_DISABLE = 0,

> +

> +	/** Soft limit expired on this SA */

> +	ODP_IPSEC_STATUS_SA_SOFT_EXPIRED

> 

>  } odp_ipsec_status_id_t;

>

Asking each application to "fill in" for gaps in ODP doesn't seem the right
way to go since ODP is supposed to be leveraging the capabilities of the
underlying platforms so that applications don't need to do these sort of
things in non-optimized ways.

Time based limits are part of the IPsec spec, so they need to be part of
any ODP implementation of that spec. SoCs that provide IPsec offload
incorporate such capabilities directly, so we'd want ODP to be able to
leverage those capabilities for applications. For those implementations
that do not, running an implementation timer should be no big deal since
data planes typically need many timers and any platform that wants to
support such applications needs to be able to deal with timers efficiently
anyway.

Note that implementations are always free to piggyback "time" based
expiration on top of packet processing if that's the best they can do, but
from the application's perspective this should be transparent for all but
degenerate corner cases (e.g., intentionally set up an SA with a limit but
no packets flowing to verify the timer expiration).


On Fri, May 5, 2017 at 8:50 AM, Peltonen, Janne (Nokia - FI/Espoo) <
janne.peltonen@nokia.com> wrote:

> If this ends up being the selected solution, then I think

> there needs to be a bit more documentation in the API on

> what this event means and when it will come. And maybe the

> application wants to know which of the limits was reached.

>

>         Janne

>

> > -----Original Message-----

> > From: lng-odp [mailto:lng-odp-bounces@lists.linaro.org] On Behalf Of

> Github ODP bot

> > Sent: Thursday, May 04, 2017 8:00 PM

> > To: lng-odp@lists.linaro.org

> > Subject: [lng-odp] [PATCH API-NEXT v1 1/2] api: ipsec: add soft limit

> expiration event

> >

> > From: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org>

> >

> > If outbound packet was processed in inline mode, soft limit expiration

> > event is not reported, as packet goes to the interface. Instead report

> > this as an ODP_IPSEC_STATUS_SA_SOFT_EXPIRED.

> >

> > Signed-off-by: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@

> linaro.org>

> > ---

> > /** Email created from pull request 22 (lumag:ipsec-limits)

> >  ** https://github.com/Linaro/odp/pull/22

> >  ** Patch: https://github.com/Linaro/odp/pull/22.patch

> >  ** Base sha: 0707c974ed19c859fb92778c35a2f92bf7cd9fc6

> >  ** Merge commit sha: bff71bdc47fecb62fced59449c139d3ea4b44def

> >  **/

> >  include/odp/api/spec/ipsec.h | 5 ++++-

> >  1 file changed, 4 insertions(+), 1 deletion(-)

> >

> > diff --git a/include/odp/api/spec/ipsec.h b/include/odp/api/spec/ipsec.h

> > index 384c43d..2f8a007 100644

> > --- a/include/odp/api/spec/ipsec.h

> > +++ b/include/odp/api/spec/ipsec.h

> > @@ -1080,7 +1080,10 @@ typedef struct odp_ipsec_op_result_t {

> >   */

> >  typedef enum odp_ipsec_status_id_t {

> >       /** Response to SA disable command */

> > -     ODP_IPSEC_STATUS_SA_DISABLE = 0

> > +     ODP_IPSEC_STATUS_SA_DISABLE = 0,

> > +

> > +     /** Soft limit expired on this SA */

> > +     ODP_IPSEC_STATUS_SA_SOFT_EXPIRED

> >

> >  } odp_ipsec_status_id_t;

> >

>

>

On 05.05.2017 11:12, Savolainen, Petri (Nokia - FI/Espoo) wrote:
> 

> 

>> -----Original Message-----

>> From: lng-odp [mailto:lng-odp-bounces@lists.linaro.org] On Behalf Of

>> Github ODP bot

>> Sent: Thursday, May 04, 2017 8:00 PM

>> To: lng-odp@lists.linaro.org

>> Subject: [lng-odp] [PATCH API-NEXT v1 1/2] api: ipsec: add soft limit

>> expiration event

>>

>> From: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org>

>>

>> If outbound packet was processed in inline mode, soft limit expiration

>> event is not reported, as packet goes to the interface. Instead report

>> this as an ODP_IPSEC_STATUS_SA_SOFT_EXPIRED.

>>

>> Signed-off-by: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org>

>> ---

>> /** Email created from pull request 22 (lumag:ipsec-limits)

>>  ** https://github.com/Linaro/odp/pull/22

>>  ** Patch: https://github.com/Linaro/odp/pull/22.patch

>>  ** Base sha: 0707c974ed19c859fb92778c35a2f92bf7cd9fc6

>>  ** Merge commit sha: bff71bdc47fecb62fced59449c139d3ea4b44def

>>  **/

>>  include/odp/api/spec/ipsec.h | 5 ++++-

>>  1 file changed, 4 insertions(+), 1 deletion(-)

>>

>> diff --git a/include/odp/api/spec/ipsec.h b/include/odp/api/spec/ipsec.h

>> index 384c43d..2f8a007 100644

>> --- a/include/odp/api/spec/ipsec.h

>> +++ b/include/odp/api/spec/ipsec.h

>> @@ -1080,7 +1080,10 @@ typedef struct odp_ipsec_op_result_t {

>>   */

>>  typedef enum odp_ipsec_status_id_t {

>>  	/** Response to SA disable command */

>> -	ODP_IPSEC_STATUS_SA_DISABLE = 0

>> +	ODP_IPSEC_STATUS_SA_DISABLE = 0,

>> +

>> +	/** Soft limit expired on this SA */

>> +	ODP_IPSEC_STATUS_SA_SOFT_EXPIRED

>>

>>  } odp_ipsec_status_id_t;

>>

> 

> I was speculating this with Janne. We can to an conclusion that is better not to force every IPsec implementation to run a timer. 

> 

> So, either keep the current situation where time expiry is reported only with packets, or remove the time expiry support altogether. Checking time with incoming packets is easy, compared to running timers (which may need a background thread to serve SA timers, etc). In both cases application would run its own timer, if it needs to notice expiry before packets hit it.


This was thought as an event for bytes/packets expiry. Not for
time-based expiry.

-- 
With best wishes
Dmitry