> -----Original Message-----
> From: Anoob Joseph <[email protected]>
> Sent: Friday, August 11, 2023 8:17 AM
> To: Thomas Monjalon <[email protected]>; Akhil Goyal
> <[email protected]>; Jerin Jacob <[email protected]>; Konstantin Ananyev
> <[email protected]>
> Cc: Hemant Agrawal <[email protected]>; [email protected]; Matz,
> Olivier <[email protected]>; Vidya Sagar Velumuri
> <[email protected]>
> Subject: [RFC PATCH 0/3] add TLS record processing security offload
> 
> Add Transport Layer Security (TLS) and Datagram Transport Layer Security
> (DTLS). The protocols provide communications privacy for L4 protocols
> such as TCP & UDP.
> 
> TLS (and DTLS) protocol is composed of two layers,
> 1. TLS Record Protocol
> 2. TLS Handshake Protocol
> 
> While TLS Handshake Protocol helps in establishing security parameters
> by which client and server can communicate, TLS Record Protocol provides
> the connection security. TLS Record Protocol leverages symmetric
> cryptographic operations such as data encryption and authentication for
> providing security to the communications.
> 
> Cryptodevs that are capable of offloading TLS Record Protocol may
> perform other operations like IV generation, header insertion, atomic
> sequence number updates and anti-replay window check in addition to
> cryptographic transformations.
> 
> In record write operations, message content type is a per packet field
> which is used in constructing the TLS header. One session is expected
> to handle all types of content types and so, 'rte_crypto_op.aux_flags'
> is used for passing the same.
>
> The support is added for TLS 1.2, TLS 1.3 and DTLS 1.2.
> 
> Akhil Goyal (1):
>   net: add headers for TLS/DTLS packets
> 
> Anoob Joseph (2):
>   security: add TLS record processing
>   cryptodev: add details of datapath handling of TLS records

Hi Folks,

I've reviewed these 3 patches, generally fine, with two main opens;

1) The part that I do not fully understand how it is defined is the
'rte_crypto_op.aux_flags' field usage, and what values to read/write there.

2) Error handling (again with aux_flags) is not well defined, and is critical
to correct (high-bw/high-packet-count) usage. I do not understand how to
do correct error handling today with aux_flags, so more docs/examples required.

Some detail-level comments inline in the patch files.

Regards -Harry

<snip>
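
An added illustration, not part of this thread or of the DPDK patches: a plain-C example of the per-record header insertion the cover letter describes for TLS 1.2, TLS 1.3 and DTLS 1.2, showing why the content type has to be supplied per packet. All names (`rec_session`, `rec_write_header`, `CT_*`) are hypothetical, and the sequence counter is a plain increment here, where an offload device would do the update atomically.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical names for this example; not DPDK definitions. */
enum rec_proto { REC_TLS_1_2, REC_TLS_1_3, REC_DTLS_1_2 };
enum { CT_CCS = 20, CT_ALERT = 21, CT_HANDSHAKE = 22, CT_APP_DATA = 23 };

struct rec_session {
    enum rec_proto proto;
    uint16_t epoch;   /* DTLS only */
    uint64_t seq;     /* per-session record sequence number */
};

/*
 * Build the record header for one outgoing record. frag_len is the length of
 * the fragment as it will appear on the wire. Returns the header length
 * (5 for TLS, 13 for DTLS) or 0 on error. *inner_type is set to the byte that
 * must be appended to the plaintext before encryption (TLS 1.3), else 0.
 */
size_t rec_write_header(struct rec_session *s, uint8_t content_type,
                        uint16_t frag_len, uint8_t *hdr, size_t cap,
                        uint8_t *inner_type)
{
    int dtls = (s->proto == REC_DTLS_1_2);
    size_t n = 0, need = dtls ? 13 : 5;

    if (content_type < CT_CCS || content_type > CT_APP_DATA || cap < need)
        return 0;
    if (s->proto == REC_TLS_1_3 && content_type == CT_CCS)
        return 0;                       /* never sent as a protected record */
    if (dtls && s->seq >> 48)
        return 0;                       /* 48-bit sequence space exhausted */

    /* TLS 1.3 hides the real type: the outer type is always application_data. */
    *inner_type = (s->proto == REC_TLS_1_3) ? content_type : 0;
    hdr[n++] = (s->proto == REC_TLS_1_3) ? CT_APP_DATA : content_type;
    hdr[n++] = dtls ? 0xFE : 0x03;      /* DTLS 1.2 = 0xFEFD, TLS = 0x0303 */
    hdr[n++] = dtls ? 0xFD : 0x03;
    if (dtls) {
        hdr[n++] = (uint8_t)(s->epoch >> 8);
        hdr[n++] = (uint8_t)s->epoch;
        for (int shift = 40; shift >= 0; shift -= 8)
            hdr[n++] = (uint8_t)(s->seq >> shift);
    }
    hdr[n++] = (uint8_t)(frag_len >> 8);
    hdr[n++] = (uint8_t)frag_len;
    s->seq++;                           /* one sequence number per record */
    return n;
}
```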
