Setting the soc property for num_sa_per_sc on macsec encrypt and decrypt #11166
@@ -994,3 +994,6 @@ serdes_tx_taps_33=nrz:-5:83:-22:0:0:0 | |||
serdes_tx_taps_34=nrz:-5:83:-22:0:0:0 | |||
serdes_tx_taps_35=nrz:-4:75:-21:0:0:0 | |||
serdes_tx_taps_36=nrz:-8:89:-29:0:0:0 | |||
|
|||
xflow_macsec_secure_chan_to_num_secure_assoc_encrypt=2 | |||
xflow_macsec_secure_chan_to_num_secure_assoc_decrypt=2 |
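Review bot: the two xflow_macsec_secure_chan_to_num_secure_assoc_* properties appended at the end of this hunk have no comment giving the reason for the value 2 or where it comes from, so a later reader cannot tell whether encrypt and decrypt are meant to be equal. Suggest a short comment line above them recording that these are the Broadcom-recommended MACsec SA-per-SC settings and why each value was chosen.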
Broadcom did share these values for J2C+ based ASIC, could you cross-check.
xflow_macsec_secure_chan_to_num_secure_assoc_encrypt=2
xflow_macsec_secure_chan_to_num_secure_assoc_**decrypt=4**
The reason we chose to use 2 is because on J2C+ the max_sa_per_sc is 2 (we'll never use ANs 2 or 3) so we can't utilize all 4 SAs on the decrypt side.
So as a result, using decrypt=4 will just burn half the decrypt table scale.
However, for macsec the scale will be limited by the number of ports, so I don't think we can even reach half the decrypt scale.
So I think it's fine to use decrypt=4 to be consistent with Broadcom's recommendations.
I noticed these changes got approved.
I misread the code. Can you please update
Thanks, LGTM
Hi @arista-nwolfe, can you resolve the conflicts?
@arista-nwolfe this change cannot be cherry-picked cleanly. Please create PR for 202205 branch.
I created PR 11279 for 202205 branch
Why I did it
These are the recommended soc property settings by Broadcom.
If we don't specify these, it's assumed we have only 1 SA per SC on encrypt.
This causes issues when AN=1 (due to rekey or link flap).
How to verify it
Set up a macsec session and flap 1 of the links.
The macsec session after the link flap should be created successfully.