1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright(c) 2018 Intel Corporation
5 #ifndef _RTE_IPSEC_SA_H_
6 #define _RTE_IPSEC_SA_H_
10 * @b EXPERIMENTAL: this API may change without prior notice
12 * Defines API to manage IPsec Security Association (SA) objects.
15 #include <rte_common.h>
16 #include <rte_cryptodev.h>
17 #include <rte_security.h>
24 * An opaque structure to represent Security Association (SA).
29 * SA initialization parameters.
31 struct rte_ipsec_sa_prm {
33 uint64_t userdata; /**< provided and interpreted by user */
34 uint64_t flags; /**< see RTE_IPSEC_SAFLAG_* below */
35 /** ipsec configuration */
36 struct rte_security_ipsec_xform ipsec_xform;
37 /** crypto session configuration */
38 struct rte_crypto_sym_xform *crypto_xform;
41 uint8_t hdr_len; /**< tunnel header len */
42 uint8_t hdr_l3_off; /**< offset for IPv4/IPv6 header */
43 uint8_t next_proto; /**< next header protocol */
44 const void *hdr; /**< tunnel header template */
45 } tun; /**< tunnel mode related parameters */
47 uint8_t proto; /**< next header protocol */
48 } trs; /**< transport mode related parameters */
52 * Window size used for anti-replay (sequence number replay) protection.
53 * Replay checking is disabled if the window size is 0, so an SA that must reject replayed packets needs a non-zero window.
55 uint32_t replay_win_sz;
59 * SA type is a 64-bit value that contains the following information:
60 * - IP version (IPv4/IPv6)
61 * - IPsec proto (ESP/AH)
63 * - mode (TRANSPORT/TUNNEL)
64 * - for TUNNEL outer IP version (IPv4/IPv6)
/*
 * SA type bit-fields. For each field the *_MASK macro selects its bits and the
 * remaining macros are the values that field can take.
 * The first value of every field is 0 (IPV4, PROTO_AH, DIR_IB, MODE_TRANS), so
 * a field has to be tested as (type & RTE_IPSEC_SATP_x_MASK) == value;
 * AND-ing the type with a zero-valued macro is always false.
 * The RTE_SATP_LOG2_* shift positions are not visible in this listing.
 */
/* IP version: one-bit field, 0 = IPv4, 1 = IPv6. */
76 #define RTE_IPSEC_SATP_IPV_MASK (1ULL << RTE_SATP_LOG2_IPV)
77 #define RTE_IPSEC_SATP_IPV4 (0ULL << RTE_SATP_LOG2_IPV)
78 #define RTE_IPSEC_SATP_IPV6 (1ULL << RTE_SATP_LOG2_IPV)
/* IPsec protocol: one-bit field, 0 = AH, 1 = ESP. */
80 #define RTE_IPSEC_SATP_PROTO_MASK (1ULL << RTE_SATP_LOG2_PROTO)
81 #define RTE_IPSEC_SATP_PROTO_AH (0ULL << RTE_SATP_LOG2_PROTO)
82 #define RTE_IPSEC_SATP_PROTO_ESP (1ULL << RTE_SATP_LOG2_PROTO)
/* Direction: one-bit field; IB/OB presumably mean inbound/outbound (confirm). */
84 #define RTE_IPSEC_SATP_DIR_MASK (1ULL << RTE_SATP_LOG2_DIR)
85 #define RTE_IPSEC_SATP_DIR_IB (0ULL << RTE_SATP_LOG2_DIR)
86 #define RTE_IPSEC_SATP_DIR_OB (1ULL << RTE_SATP_LOG2_DIR)
/*
 * Mode: two-bit field, 0 = transport, 1 = tunnel with IPv4 outer header,
 * 2 = tunnel with IPv6 outer header. The value 3 fits in the mask but has no
 * macro in the visible lines, so code decoding the mode should treat it as
 * invalid rather than fall through to a default.
 */
88 #define RTE_IPSEC_SATP_MODE_MASK (3ULL << RTE_SATP_LOG2_MODE)
89 #define RTE_IPSEC_SATP_MODE_TRANS (0ULL << RTE_SATP_LOG2_MODE)
90 #define RTE_IPSEC_SATP_MODE_TUNLV4 (1ULL << RTE_SATP_LOG2_MODE)
91 #define RTE_IPSEC_SATP_MODE_TUNLV6 (2ULL << RTE_SATP_LOG2_MODE)
94 * Get the type of the given SA.
/*
 * Returns the SA type as a 64-bit value; decode the individual fields with the
 * RTE_IPSEC_SATP_*_MASK macros defined above. The SA is taken through a const
 * pointer.
 */
98 uint64_t __rte_experimental
99 rte_ipsec_sa_type(const struct rte_ipsec_sa *sa);
102 * Calculate required SA size based on provided input parameters.
104 * Parameters that will be used to initialise SA object.
106 * - Actual size required for SA with given parameters.
107 * - -EINVAL if the parameters are invalid.
/*
 * NOTE(review): the return type is a signed int and the error case documented
 * above is negative (-EINVAL). Callers should test the result for < 0 before
 * converting it to an unsigned size for an allocation; a negative value cast
 * to size_t becomes a very large request.
 */
109 int __rte_experimental
110 rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm);
113 * initialise SA based on provided input parameters.
115 * SA object to initialise.
117 * Parameters used to initialise given SA object.
119 * size of the provided buffer for SA.
121 * - Actual size of SA object if operation completed successfully.
122 * - -EINVAL if the parameters are invalid.
123 * - -ENOSPC if the size of the provided buffer is not big enough.
125 int __rte_experimental
126 rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,
132 * Pointer to SA object to de-initialize.
/*
 * De-initializes the SA object pointed to by sa; nothing is returned, so
 * failure cannot be reported to the caller.
 * NOTE(review): the visible text does not say whether key-dependent state held
 * in the SA is wiped or whether the buffer itself is released. Confirm this
 * against the implementation before freeing or reusing the memory.
 */
134 void __rte_experimental
135 rte_ipsec_sa_fini(struct rte_ipsec_sa *sa);
141 #endif /* _RTE_IPSEC_SA_H_ */