lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 21 Nov 2022 12:25:21 +0100
From:   Steffen Klassert <steffen.klassert@...unet.com>
To:     Leon Romanovsky <leon@...nel.org>
CC:     "David S. Miller" <davem@...emloft.net>,
        Eric Dumazet <edumazet@...gle.com>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        "Jakub Kicinski" <kuba@...nel.org>, <netdev@...r.kernel.org>
Subject: Re: [PATCH xfrm-next v7 6/8] xfrm: speed-up lookup of HW policies

On Mon, Nov 21, 2022 at 01:15:36PM +0200, Leon Romanovsky wrote:
> On Mon, Nov 21, 2022 at 12:09:26PM +0100, Steffen Klassert wrote:
> > On Mon, Nov 21, 2022 at 12:27:01PM +0200, Leon Romanovsky wrote:
> > > On Mon, Nov 21, 2022 at 10:44:04AM +0100, Steffen Klassert wrote:
> > > > On Sun, Nov 20, 2022 at 09:17:02PM +0200, Leon Romanovsky wrote:
> > > > > On Fri, Nov 18, 2022 at 11:49:07AM +0100, Steffen Klassert wrote:
> > > > > > On Thu, Nov 17, 2022 at 02:51:33PM +0200, Leon Romanovsky wrote:
> > > > > > > On Thu, Nov 17, 2022 at 01:12:43PM +0100, Steffen Klassert wrote:
> > > > > > > > On Wed, Nov 09, 2022 at 02:54:34PM +0200, Leon Romanovsky wrote:
> > > > > > > > > From: Leon Romanovsky <leonro@...dia.com>
> > > > > > > 
> > > > > > > > So this raises the question how to handle acquires with this packet
> > > > > > > > offload. 
> > > > > > > 
> > > > > > > We handle acquires as SW policies and don't offload them.
> > > > > > 
> > > > > > We trigger acquires with states, not policies. The thing is,
> > > > > > we might match a HW policy but create a SW acquire state.
> > > > > > This will not match anymore as soon as the lookup is
> > > > > > implemented correctly.
> > > > > 
> > > > > For now, all such packets will be dropped as we have offlaoded
> > > > > policy but not SA.
> > > > 
> > > > I think you missed my point. If the HW policy does not match
> > > > the SW acquire state, then each packet will geneate a new
> > > > acquire. So you need to make sure that policy and acquire
> > > > state will match to send the acquire just once to userspace.
> > > 
> > > I think that I'm still missing the point.
> > > 
> > > We require both policy and SA to be offloaded. It means that once
> > > we hit HW policy, we must hit SA too (at least this is how mlx5 part
> > > is implemented).
> > 
> > Let's assume a packet hits a HW policy. Then this HW policy must match
> > a HW state. In case there is no matching HW state, we generate an acquire
> > and insert a larval state. Currently, larval states are never marked as HW.
> 
> And this is there our views are different. If HW (in RX) sees policy but
> doesn't have state, this packet will be dropped in HW. It won't get to
> stack and no acquire request will be issues.

This makes no sense. Acquires are always generated at TX, never at RX.

On RX, the state lookup happens first, the policy must match to the
decapsulated packet.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ