From patchwork Tue Nov 28 01:00:12 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Github ODP bot X-Patchwork-Id: 119789 Delivered-To: patch@linaro.org Received: by 10.140.22.227 with SMTP id 90csp1058767qgn; Mon, 27 Nov 2017 17:00:52 -0800 (PST) X-Google-Smtp-Source: AGs4zMZxLVfA3hI225c6lYkp9wcjnM55i5lKCVWnKz9fZ2POgPD283eHaQlj5Fy9lZlO5FGSrb+z X-Received: by 10.200.4.7 with SMTP id v7mr30030655qtg.129.1511830851954; Mon, 27 Nov 2017 17:00:51 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1511830851; cv=none; d=google.com; s=arc-20160816; b=PauaJ8bPF5j5lPXolkZ1qvxTM7pfnejS9eG8Cz2xNIgRx7dt7TbL62nFeQtOWULQmw 8ATzR6/c6abrXfg24cnImTFJaDt1FK2GqeYZg/9KTOjgZPHbPxv8tqhRfKWswM5Xpdtj P7jgk7JkxyNMQRFP9DDSXe8+Ha82Oe2Ehut4P6ZUs01MBSx+tUvod9+G4QDaH6nlT2CB XJEVBUquFufA6oHFKDHB/cd8wVRYkOJeRfDzjRsq4tcr5lAp19u7RE3cUFvp5boVhK28 hxHxoztTMNBNkbSAS8lkYSiNITaCt9xA5PVupp3ZqqdX4NsQIRYJSdq9DvPmiRPBmyQ8 YtUg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:subject:github-pr-num :references:in-reply-to:message-id:date:to:from:delivered-to :arc-authentication-results; bh=DdVFLlSh7UbfVIN2JK63/+mRlHLdl5Oc8nCBSlc6rP0=; b=jjXUWjHmdk8TLZQ8pvWd7sr86bVJOl5UbwZk24Y85C0L/p6I+MPk50vc32WTmoMFkh Aqlfpfv5F6U6uj88fbENy5+u7RH+2Y/LMa/9BTiZt60W2Xo9TRPOFUD9A0howQNZjh53 wYiXjmrHFwgWrkws96DMFhUFGMm7WqHOrGWWdqfGnTw21HJKM7htSkCZ5Kc3mvEk1KG8 +LxF8PkVB984B4RP05EHuf+QqnrL17Z79WdxuNHvxJ7d7nbn00PUjzypdzidyAEFPiwd SOeZivBKvXzcQ7Eb/dPoYQTqQi5cBq/IgA+Kkc4Q+TFG+ZnkIOouzIVl3eGL95uVV0k8 7+fg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of lng-odp-bounces@lists.linaro.org designates 54.197.127.237 as permitted sender) smtp.mailfrom=lng-odp-bounces@lists.linaro.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=yandex.ru Return-Path: Received: from lists.linaro.org (ec2-54-197-127-237.compute-1.amazonaws.com. [54.197.127.237]) by mx.google.com with ESMTP id u123si9433746qkh.450.2017.11.27.17.00.51; Mon, 27 Nov 2017 17:00:51 -0800 (PST) Received-SPF: pass (google.com: domain of lng-odp-bounces@lists.linaro.org designates 54.197.127.237 as permitted sender) client-ip=54.197.127.237; Authentication-Results: mx.google.com; spf=pass (google.com: domain of lng-odp-bounces@lists.linaro.org designates 54.197.127.237 as permitted sender) smtp.mailfrom=lng-odp-bounces@lists.linaro.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=yandex.ru Received: by lists.linaro.org (Postfix, from userid 109) id 9F3B6608CD; Tue, 28 Nov 2017 01:00:51 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on ip-10-142-244-252 X-Spam-Level: X-Spam-Status: No, score=-5.4 required=5.0 tests=BAYES_00,FREEMAIL_FROM, RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H2, URIBL_BLOCKED autolearn=disabled version=3.4.0 Received: from [127.0.0.1] (localhost [127.0.0.1]) by lists.linaro.org (Postfix) with ESMTP id 06114608BC; Tue, 28 Nov 2017 01:00:28 +0000 (UTC) X-Original-To: lng-odp@lists.linaro.org Delivered-To: lng-odp@lists.linaro.org Received: by lists.linaro.org (Postfix, from userid 109) id A32B8606F3; Tue, 28 Nov 2017 01:00:19 +0000 (UTC) Received: from forward106p.mail.yandex.net (forward106p.mail.yandex.net [77.88.28.109]) by lists.linaro.org (Postfix) with ESMTPS id A46C7606A4 for ; Tue, 28 Nov 2017 01:00:16 +0000 (UTC) Received: from mxback4j.mail.yandex.net (mxback4j.mail.yandex.net [IPv6:2a02:6b8:0:1619::10d]) by forward106p.mail.yandex.net (Yandex) with ESMTP id D47172D83C14 for ; Tue, 28 Nov 2017 04:00:14 +0300 (MSK) Received: from smtp1j.mail.yandex.net (smtp1j.mail.yandex.net [2a02:6b8:0:801::ab]) by mxback4j.mail.yandex.net (nwsmtp/Yandex) with ESMTP id A9o8nTRT7s-0EcaH1Pu; Tue, 28 Nov 2017 04:00:14 +0300 Received: by smtp1j.mail.yandex.net (nwsmtp/Yandex) with ESMTPSA id bIp3Dd9gL3-0DgiamZc; Tue, 28 Nov 2017 04:00:13 +0300 (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (Client certificate not present) From: Github ODP bot To: lng-odp@lists.linaro.org Date: Tue, 28 Nov 2017 04:00:12 +0300 Message-Id: <1511830812-4600-2-git-send-email-odpbot@yandex.ru> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1511830812-4600-1-git-send-email-odpbot@yandex.ru> References: <1511830812-4600-1-git-send-email-odpbot@yandex.ru> Github-pr-num: 296 Subject: [lng-odp] [PATCH API-NEXT v2 1/1] doc: userguide: ipsec state machine changes X-BeenThere: lng-odp@lists.linaro.org X-Mailman-Version: 2.1.16 Precedence: list List-Id: "The OpenDataPlane \(ODP\) List" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: lng-odp-bounces@lists.linaro.org Sender: "lng-odp" From: Bill Fischofer Split the single IPsec FSM into separate FSM diagrams showing SA state transitions and IPsec packet operations on SAs. Update User Guide to reflect these changes as well. Signed-off-by: Bill Fischofer --- /** Email created from pull request 296 (Bill-Fischofer-Linaro:ipsec-doc) ** https://github.com/Linaro/odp/pull/296 ** Patch: https://github.com/Linaro/odp/pull/296.patch ** Base sha: 90f2fe4ce26e7a2b66bb5eb13e372ccf3dec0d1c ** Merge commit sha: e5d742a67346cc2f82191973ebaf97e7addefddb **/ doc/images/.gitignore | 3 ++- doc/images/ipsec_fsm.gv | 32 -------------------------------- doc/images/ipsec_op_fsm.gv | 21 +++++++++++++++++++++ doc/images/ipsec_sa_fsm.gv | 18 ++++++++++++++++++ doc/users-guide/Makefile.am | 6 ++++-- doc/users-guide/users-guide-ipsec.adoc | 9 +++++++-- 6 files changed, 52 insertions(+), 37 deletions(-) delete mode 100644 doc/images/ipsec_fsm.gv create mode 100644 doc/images/ipsec_op_fsm.gv create mode 100644 doc/images/ipsec_sa_fsm.gv diff --git a/doc/images/.gitignore b/doc/images/.gitignore index 0aa34793f..1876610e5 100644 --- a/doc/images/.gitignore +++ b/doc/images/.gitignore @@ -1,5 +1,6 @@ resource_management.svg -ipsec_fsm.svg +ipsec_op_fsm.svg +ipsec_sa_fsm.svg pktio_fsm.svg timer_fsm.svg timeout_fsm.svg diff --git a/doc/images/ipsec_fsm.gv b/doc/images/ipsec_fsm.gv deleted file mode 100644 index 1e78c8b85..000000000 --- a/doc/images/ipsec_fsm.gv +++ /dev/null @@ -1,32 +0,0 @@ -digraph ipsec_state_machine { - rankdir=LR; - size="12,12"; - node [fontsize=28]; - edge [fontsize=28]; - node [shape=doublecircle]; Unconfigured Configured SA_Ready SA_Expired; - node [shape=circle]; - Unconfigured -> Configured [label="odp_ipsec_config()" - constraint=false]; - Configured -> SA_Ready [label="odp_ipsec_sa_create()"]; - SA_Ready -> Disable_Pending [label="odp_ipsec_sa_disable()"]; - Disable_Pending -> Disable_Check [label="odp_queue_deq()"]; - Disable_Pending -> Disable_Check [label="odp_schedule()"]; - SA_Disabled -> Configured [label="odp_ipsec_sa_destroy()" - constraint=false]; - SA_Ready -> Processing [label="odp_ipsec_in_enq()"]; - SA_Ready -> Processing [label="odp_ipsec_out_enq()"]; - Processing -> Op_Complete [label="odp_queue_deq()"]; - Processing -> Op_Complete [label="odp_schedule()"]; - Op_Complete -> SA_Expired [label="hard limit reached" constraint=false]; - SA_Ready -> SA_Ready [label="odp_ipsec_in()"]; - SA_Ready -> SA_Ready [label="odp_ipsec_out()"]; - SA_Ready -> SA_Ready [label="odp_ipsec_out_inline()"]; - SA_Ready -> SA_Expired [label="hard limit reached"]; - Op_Complete -> SA_Ready [label="odp_ipsec_result()"] - Op_Complete -> SA_Ready [label="odp_ipsec_status()"] - Disable_Check -> SA_Disabled [label="odp_ipsec_status()" - constraint=false]; - Disable_Check -> Disable_Pending [label="odp_ipsec_result()" - constraint=false]; - SA_Expired -> Disable_Pending [label="odp_ipsec_sa_disable()"]; -} diff --git a/doc/images/ipsec_op_fsm.gv b/doc/images/ipsec_op_fsm.gv new file mode 100644 index 000000000..52b3e861f --- /dev/null +++ b/doc/images/ipsec_op_fsm.gv @@ -0,0 +1,21 @@ +digraph ipsec_op_state_machine { + rankdir=LR; + size="12,12"; + node [fontsize=28]; + edge [fontsize=28]; + node [shape=doublecircle]; SA_Ready + node [shape=circle]; + + SA_Ready -> SA_Ready [label="odp_ipsec_in()"]; + SA_Ready -> SA_Ready [label="odp_ipsec_out()"] + SA_Ready -> SA_Ready [label="odp_ipsec_out_inline()"]; + + SA_Ready -> Processing [label="odp_ipsec_in_enq()"]; + SA_Ready -> Processing [label="odp_ipsec_out_enq()"]; + + Processing -> Op_Complete [label="odp_queue_deq()"]; + Processing -> Op_Complete [label="odp_schedule()"]; + + Op_Complete -> SA_Ready [label="odp_ipsec_result()"]; + Op_Complete -> SA_Ready [label="odp_ipsec_status()"]; +} diff --git a/doc/images/ipsec_sa_fsm.gv b/doc/images/ipsec_sa_fsm.gv new file mode 100644 index 000000000..93e8f5851 --- /dev/null +++ b/doc/images/ipsec_sa_fsm.gv @@ -0,0 +1,18 @@ +digraph ipsec_sa_state_machine { + rankdir=LR; + size="12,12"; + node [fontsize=28]; + edge [fontsize=28]; + node [shape=doublecircle]; Nonexistent SA_Ready SA_Expired + node [shape=circle]; + + SA_Ready -> SA_Ready [label="ODP IPsec packet operations"]; + Nonexistent -> SA_Ready [label="odp_ipsec_sa_create()" + constraint=false]; + SA_Ready -> SA_Expired [label="hard limit reached"]; + SA_Expired -> Disable_Pending [label="odp_ipsec_sa_disable()"]; + SA_Ready -> Disable_Pending [label="odp_ipsec_sa_disable()"]; + Disable_Pending -> Disable_Pending [label="odp_ipsec_result()"]; + Disable_Pending -> SA_Disabled [label="odp_ipsec_status()"]; + SA_Disabled -> Nonexistent [label="odp_ipsec_sa_destroy()"]; +} diff --git a/doc/users-guide/Makefile.am b/doc/users-guide/Makefile.am index 54f87bb63..171e0cf28 100644 --- a/doc/users-guide/Makefile.am +++ b/doc/users-guide/Makefile.am @@ -11,7 +11,8 @@ SRC = users-guide.adoc \ TARGET = users-guide.html IMAGES = $(IMAGES_DIR)/overview.svg \ $(IMAGES_DIR)/atomic_queue.svg \ - $(IMAGES_DIR)/ipsec_fsm.svg \ + $(IMAGES_DIR)/ipsec_op_fsm.svg \ + $(IMAGES_DIR)/ipsec_sa_fsm.svg \ $(IMAGES_DIR)/odp_components.svg \ $(IMAGES_DIR)/ODP-Logo-HQ.svg \ $(IMAGES_DIR)/odp_rx_processing.svg \ @@ -48,7 +49,8 @@ IMAGES += $(IMAGES_DIR)/resource_management.svg endif IMAGES_SRCS = \ - $(IMAGES_DIR)/ipsec_fsm.gv \ + $(IMAGES_DIR)/ipsec_op_fsm.gv \ + $(IMAGES_DIR)/ipsec_sa_fsm.gv \ $(IMAGES_DIR)/pktio_fsm.gv \ $(IMAGES_DIR)/resource_management.msc \ $(IMAGES_DIR)/timeout_fsm.gv \ diff --git a/doc/users-guide/users-guide-ipsec.adoc b/doc/users-guide/users-guide-ipsec.adoc index d560df9c4..ded22abb8 100644 --- a/doc/users-guide/users-guide-ipsec.adoc +++ b/doc/users-guide/users-guide-ipsec.adoc @@ -245,9 +245,14 @@ As can be seen, SAs have a large degree of configurability. ==== SA Lifecycle Management In discussing the lifecycle of an SA, it is useful to refer to the following -state diagram: +two state diagrams. The first shows the SA state transitions: -image::ipsec_fsm.svg[align="center"] +image::ipsec_sa_fsm.svg[align="center"] + +The second shows the state transitions of IPsec operations performed against +SAs: + +image::ipsec_op_fsm.svg[align="center"] After creation, IPsec services are active for this Security Association. The specific APIs that can be used on this SA depends on the IPsec operating mode