ipsec: bind an SA to a worker the sequence number increment and the anti-replay window checks must be atomic. Given the vector nature of VPP we can't simply use atomic increments for sequence numbers, since a vector on thread 1 with lower sequence numbers could be 'overtaken' by packets on thread 2 with higher sequence numbers. The anti-replay logic requires a critical section, not just atomics, and we don't want that. So when the SA see the first packet it is bound to that worker all subsequent packets, that arrive on a different worker, are subject to a handoff. Type: feature Change-Id: Ia20a8645fb50622ea6235ab015a537f033d531a4 Signed-off-by: Neale Ranns <nranns@cisco.com>

commit: f62a8c013c6e22c012b9d7df2ef463a6370cf1ce [log] [tgz]
author: Neale Ranns <nranns@cisco.com> Tue Apr 02 08:13:33 2019 +0000
committer: Damjan Marion <dmarion@me.com> Tue Dec 17 17:57:24 2019 +0000
tree: 0448d4b53340b84e1a8aca87ec57133c503026da
parent: f2bde7ac51123a0a46334b4ec55e2aceae031db7 [diff] [blame]
diff --git a/src/vnet/CMakeLists.txt b/src/vnet/CMakeLists.txt
index 9867b7c..37f7810 100644
--- a/src/vnet/CMakeLists.txt
+++ b/src/vnet/CMakeLists.txt

@@ -581,6 +581,7 @@
   ipsec/ipsec.c
   ipsec/ipsec_cli.c
   ipsec/ipsec_format.c
+  ipsec/ipsec_handoff.c
   ipsec/ipsec_input.c
   ipsec/ipsec_punt.c
   ipsec/ipsec_sa.c
@@ -602,6 +603,7 @@
   ipsec/esp_decrypt.c
   ipsec/ah_decrypt.c
   ipsec/ah_encrypt.c
+  ipsec/ipsec_handoff.c
   ipsec/ipsec_output.c
   ipsec/ipsec_input.c
   ipsec/ipsec_tun_in.c
commit	f62a8c013c6e22c012b9d7df2ef463a6370cf1ce	[log] [tgz]
author	Neale Ranns <nranns@cisco.com>	Tue Apr 02 08:13:33 2019 +0000
committer	Damjan Marion <dmarion@me.com>	Tue Dec 17 17:57:24 2019 +0000
tree	0448d4b53340b84e1a8aca87ec57133c503026da
parent	f2bde7ac51123a0a46334b4ec55e2aceae031db7 [diff] [blame]