.. SPDX-License-Identifier: BSD-3-Clause
Copyright(c) 2018 Intel Corporation.
IPsec Packet Processing Library
===============================
DPDK provides a library for IPsec data-path processing.
The library utilizes the existing DPDK crypto-dev and
security API to provide the application with a transparent and
high performant IPsec packet processing API.
The library is concentrated on data-path protocols processing
(ESP and AH), IKE protocol(s) implementation is out of scope
for this library.
SA level API
------------
This API operates on the IPsec Security Association (SA) level.
It provides functionality that allows user for given SA to process
inbound and outbound IPsec packets.
To be more specific:
* for inbound ESP/AH packets perform decryption, authentication, integrity checking, remove ESP/AH related headers
* for outbound packets perform payload encryption, attach ICV, update/add IP headers, add ESP/AH headers/trailers,
* setup related mbuf fields (ol_flags, tx_offloads, etc.).
* initialize/un-initialize given SA based on user provided parameters.
The SA level API is based on top of crypto-dev/security API and relies on
them to perform actual cipher and integrity checking.
Due to the nature of the crypto-dev API (enqueue/dequeue model) the library
introduces an asynchronous API for IPsec packets destined to be processed by
the crypto-device.
The expected API call sequence for data-path processing would be:
.. code-block:: c
/* enqueue for processing by crypto-device */
rte_ipsec_pkt_crypto_prepare(...);
rte_cryptodev_enqueue_burst(...);
/* dequeue from crypto-device and do final processing (if any) */
rte_cryptodev_dequeue_burst(...);
rte_ipsec_pkt_crypto_group(...); /* optional */
rte_ipsec_pkt_process(...);
For packets destined for inline processing no extra overhead
is required and the synchronous API call: rte_ipsec_pkt_process()
is sufficient for that case.
.. note::
For more details about the IPsec API, please refer to the *DPDK API Reference*.
The current implementation supports all four currently defined
rte_security types:
RTE_SECURITY_ACTION_TYPE_NONE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In that mode the library functions perform
* for inbound packets:
- check SQN
- prepare *rte_crypto_op* structure for each input packet
- verify that integity check and decryption performed by crypto device
completed successfully
- check padding data
- remove outer IP header (tunnel mode) / update IP header (transport mode)
- remove ESP header and trailer, padding, IV and ICV data
- update SA replay window
* for outbound packets:
- generate SQN and IV
- add outer IP header (tunnel mode) / update IP header (transport mode)
- add ESP header and trailer, padding and IV data
- prepare *rte_crypto_op* structure for each input packet
- verify that crypto device operations (encryption, ICV generation)
were completed successfully
RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In that mode the library functions perform
* for inbound packets:
- verify that integity check and decryption performed by *rte_security*
device completed successfully
- check SQN
- check padding data
- remove outer IP header (tunnel mode) / update IP header (transport mode)
- remove ESP header and trailer, padding, IV and ICV data
- update SA replay window
* for outbound packets:
- generate SQN and IV
- add outer IP header (tunnel mode) / update IP header (transport mode)
- add ESP header and trailer, padding and IV data
- update *ol_flags* inside *struct rte_mbuf* to inidicate that
inline-crypto processing has to be performed by HW on this packet
- invoke *rte_security* device specific *set_pkt_metadata()* to associate
secuirty device specific data with the packet
RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In that mode the library functions perform
* for inbound packets:
- verify that integity check and decryption performed by *rte_security*
device completed successfully
* for outbound packets:
- update *ol_flags* inside *struct rte_mbuf* to inidicate that
inline-crypto processing has to be performed by HW on this packet
- invoke *rte_security* device specific *set_pkt_metadata()* to associate
secuirty device specific data with the packet
RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In that mode the library functions perform
* for inbound packets:
- prepare *rte_crypto_op* structure for each input packet
- verify that integity check and decryption performed by crypto device
completed successfully
* for outbound packets:
- prepare *rte_crypto_op* structure for each input packet
- verify that crypto device operations (encryption, ICV generation)
were completed successfully
To accommodate future custom implementations function pointers
model is used for both *crypto_prepare* and *process* implementations.
Supported features
------------------
* ESP protocol tunnel mode both IPv4/IPv6.
* ESP protocol transport mode both IPv4/IPv6.
* ESN and replay window.
* algorithms: AES-CBC, AES-GCM, HMAC-SHA1, NULL.
Limitations
-----------
The following features are not properly supported in the current version:
* ESP transport mode for IPv6 packets with extension headers.
* Multi-segment packets.
* Updates of the fields in inner IP header for tunnel mode
(as described in RFC 4301, section 5.1.2).
* Hard/soft limit for SA lifetime (time interval/byte count).