| Message ID | 1494543609-26126-3-git-send-email-odpbot@yandex.ru |
|---|---|
| State | Superseded |
| Series | [API-NEXT,v4,1/10] api: ipsec: add soft limit expiration event |
Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org> wrote:
>
> Add an explicit note telling that soft_exp bits are set only once, for
> the packet actually crossing the boundary. They will not be set for
> further packets.

Isn't this perhaps a bit too restrictive on implementations that may
process packets in parallel and may not be able to easily track the
number of bytes and packets per SA with per-packet accuracy?

Would it be better to define the bits so that the soft_exp bits are set
for at least one packet when the limit is crossed or slightly before
that, but may also be set for later packets? Or at least allow the bit
to be set for more than a single packet when the soft limit is being
crossed?

Then I wonder what happens when inline inbound IPsec traffic exceeds the
processing capacity of the SW and packets get dropped. If the soft
expiration bit is set only for one packet or some packets, then the
information may get lost if just that packet or those packets get
dropped before SW processing.

Janne
On 15.05.2017 15:21, Peltonen, Janne (Nokia - FI/Espoo) wrote:
>
> Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org> wrote:
>>
>> Add an explicit note telling that soft_exp bits are set only once, for
>> the packet actually crossing the boundary. They will not be set for
>> further packets.
>
> Isn't this perhaps a bit too restrictive on implementations that
> may process packets in parallel and may not be able to easily track
> the number of bytes and packets per SA with per-packet accuracy?

Interesting question. Even with parallel packet processing, it is easy
to track limits.

> Would it be better to define the bits so that the soft_exp bits
> are set for at least one packet when the limit is crossed or
> slightly before that, but may also be set for later packets? Or
> at least allow the bit to be set for more than a single packet
> when the soft limit is being crossed?

IIRC, I was told that hardware works this way. There will be one packet,
carrying the respective 'expired' flag.

> Then I wonder what happens when inline inbound IPsec traffic exceeds
> the processing capacity of the SW and packets get dropped. If the
> soft expiration bit is set only for one packet or some packets,
> then the information may get lost if just that packet or those
> packets get dropped before SW processing.

That was one of the reasons for the initial proposal, adding the
SOFT_EXPIRED status message to both ASYNC and INLINE.

-- 
With best wishes
Dmitry
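Dmitry's point above, that a soft-limit crossing can be attributed to exactly one packet even when several workers process the same SA in parallel, comes down to how the per-SA counters are updated. The following is an added illustration, not ODP code: `struct sa_lifetime`, `account_packet` and `count_flags` are constructed stand-ins, and the limits and packet sizes are made up.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed per-SA lifetime state (not ODP's own types); 0 = no limit. */
struct sa_lifetime {
    uint64_t soft_bytes, soft_packets;
    _Atomic uint64_t bytes, packets;    /* shared by all worker threads */
};
struct soft_exp { bool bytes, packets; };   /* the per-packet soft_exp_* bits */
struct flag_counts { int bytes, packets; };
/* Add 'add' to *ctr and report whether THIS update carried the counter from
 * below 'limit' to at or above it. fetch_add serialises the updates, so exactly
 * one caller observes the crossing even with parallel workers on one SA. */
static bool crosses(_Atomic uint64_t *ctr, uint64_t add, uint64_t limit)
{
    if (limit == 0)
        return false;
    uint64_t before = atomic_fetch_add(ctr, add);
    return before < limit && before + add >= limit;
}
/* Account one packet of 'len' bytes and return the bits it should carry. */
struct soft_exp account_packet(struct sa_lifetime *sa, uint64_t len)
{
    struct soft_exp e = { crosses(&sa->bytes, len, sa->soft_bytes),
                          crosses(&sa->packets, 1, sa->soft_packets) };
    return e;
}
/* Run a constructed packet sequence through a fresh SA and count how many
 * packets ended up carrying each bit: at most one per limit. */
struct flag_counts count_flags(uint64_t soft_bytes, uint64_t soft_pkts,
                               const uint64_t *lens, int n)
{
    struct sa_lifetime sa = { .soft_bytes = soft_bytes, .soft_packets = soft_pkts };
    struct flag_counts c = { 0, 0 };
    for (int i = 0; i < n; i++) {
        struct soft_exp e = account_packet(&sa, lens[i]);
        c.bytes += e.bytes;
        c.packets += e.packets;
    }
    return c;
}

int main(void)
{
    const uint64_t lens[] = { 400, 400, 400, 400, 400 };   /* constructed input */
    struct flag_counts c = count_flags(1000, 3, lens, 5);
    printf("bytes bit on %d packet(s), packets bit on %d\n", c.bytes, c.packets);
    return 0;
}
```

With the limits above, the third packet (which takes the byte counter from 800 to 1200 and the packet counter from 2 to 3) is the only one flagged for either limit; a further packet on the same SA starts above the limit and never sets the bit again.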
diff --git a/include/odp/api/spec/ipsec.h b/include/odp/api/spec/ipsec.h index 03742c6..b1c81b1 100644 --- a/include/odp/api/spec/ipsec.h +++ b/include/odp/api/spec/ipsec.h @@ -493,8 +493,10 @@ typedef struct odp_ipsec_sa_opt_t { * * These limits are used for setting up SA lifetime. IPSEC operations check * against the limits and output a status code (e.g. soft_exp_bytes) when - * a limit is crossed. Any number of limits may be used simultaneously. - * Use zero when there is no limit. + * a limit is crossed. The soft_exp_* bits will be set only for the first + * packet crossing the boundary. Any further packets will not have those bits + * set. Any number of limits may be used simultaneously. Use zero when there + * is no limit. */ typedef struct odp_ipsec_lifetime_t { /** Soft expiry limits for the session */
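Review bot: the new sentence in the odp_ipsec_lifetime_t comment, "The soft_exp_* bits will be set only for the first packet crossing the boundary", should state that this holds per limit, since the same comment allows several limits at once and a byte limit and a packet-count limit can be crossed by different packets; suggest "only for the first packet crossing each limit". It should also reference the soft-expiration status event this series adds (the thread above notes that in inline inbound mode the single flagged packet may be dropped before software sees it, so the per-packet bit cannot be the only notification), otherwise a reader of the header alone will take the flag as the complete lifetime signalling.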