#include <sys/types.h>
-#include <netinet/in.h>
-#include <netinet/ip.h>
-#include <netinet/ip6.h>
-
#include <rte_compat.h>
#include <rte_common.h>
#include <rte_crypto.h>
+#include <rte_ip.h>
#include <rte_mbuf.h>
#include <rte_mbuf_dyn.h>
#include <rte_memory.h>
/**< Outer header is IPv6 */
};
+/**
+ * IPSEC tunnel header verification mode
+ *
+ * Controls how outer IP header is verified in inbound.
+ */
+#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR 0x1
+#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2
+
/**
* Security context for crypto/eth devices
*
};
};
+struct rte_security_ipsec_udp_param {
+ uint16_t sport;
+ uint16_t dport;
+};
+
/**
* IPsec Security Association option flags
*/
* * 0: Disable per session security statistics collection for this SA.
*/
uint32_t stats : 1;
+
+ /** Disable IV generation in PMD
+ *
+ * * 1: Disable IV generation in PMD. When disabled, IV provided in
+ * rte_crypto_op will be used by the PMD.
+ *
+ * * 0: Enable IV generation in PMD. When enabled, PMD generated random
+ * value would be used and application is not required to provide
+ * IV.
+ *
+ * Note: For inline cases, IV generation would always need to be handled
+ * by the PMD.
+ */
+ uint32_t iv_gen_disable : 1;
+
+ /** Verify tunnel header in inbound
+ * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR``: Verify destination
+ * IP address.
+ *
+ * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR``: Verify both
+ * source and destination IP addresses.
+ */
+ uint32_t tunnel_hdr_verify : 2;
+
+ /** Verify UDP encapsulation ports in inbound
+ *
+ * * 1: Match UDP source and destination ports
+ * * 0: Do not match UDP ports
+ */
+ uint32_t udp_ports_verify : 1;
+
+ /** Compute/verify inner packet IPv4 header checksum in tunnel mode
+ *
+ * * 1: For outbound, compute inner packet IPv4 header checksum
+ * before tunnel encapsulation and for inbound, verify after
+ * tunnel decapsulation.
+ * * 0: Inner packet IP header checksum is not computed/verified.
+ *
+ * The checksum verification status would be set in mbuf using
+ * RTE_MBUF_F_RX_IP_CKSUM_xxx flags.
+ *
+ * Inner IP checksum computation can also be enabled(per operation)
+ * by setting the flag RTE_MBUF_F_TX_IP_CKSUM in mbuf.
+ */
+ uint32_t ip_csum_enable : 1;
+
+ /** Compute/verify inner packet L4 checksum in tunnel mode
+ *
+ * * 1: For outbound, compute inner packet L4 checksum before
+ * tunnel encapsulation and for inbound, verify after
+ * tunnel decapsulation.
+ * * 0: Inner packet L4 checksum is not computed/verified.
+ *
+ * The checksum verification status would be set in mbuf using
+ * RTE_MBUF_F_RX_L4_CKSUM_xxx flags.
+ *
+ * Inner L4 checksum computation can also be enabled(per operation)
+ * by setting the flags RTE_MBUF_F_TX_TCP_CKSUM or RTE_MBUF_F_TX_SCTP_CKSUM or
+ * RTE_MBUF_F_TX_UDP_CKSUM or RTE_MBUF_F_TX_L4_MASK in mbuf.
+ */
+ uint32_t l4_csum_enable : 1;
+
+ /** Enable IP reassembly on inline inbound packets.
+ *
+ * * 1: Enable driver to try reassembly of encrypted IP packets for
+ * this SA, if supported by the driver. This feature will work
+ * only if user has successfully set IP reassembly config params
+ * using rte_eth_ip_reassembly_conf_set() for the inline Ethernet
+ * device. PMD need to register mbuf dynamic fields using
+ * rte_eth_ip_reassembly_dynfield_register() and security session
+ * creation would fail if dynfield is not registered successfully.
+ * * 0: Disable IP reassembly of packets (default).
+ */
+ uint32_t ip_reassembly_en : 1;
+
+ /** Reserved bit fields for future extension
+ *
+ * User should ensure reserved_opts is cleared as it may change in
+ * subsequent releases to support new options.
+ *
+ * Note: Reduce number of bits in reserved_opts for every new option.
+ */
+ uint32_t reserved_opts : 17;
};
/** IPSec security association direction */
/**< Verify digest and decrypt */
};
+/**
+ * Configure soft and hard lifetime of an IPsec SA
+ *
+ * Lifetime of an IPsec SA would specify the maximum number of packets or bytes
+ * that can be processed. IPsec operations would start failing once any hard
+ * limit is reached.
+ *
+ * Soft limits can be specified to generate notification when the SA is
+ * approaching hard limits for lifetime. For inline operations, reaching soft
+ * expiry limit would result in raising an eth event for the same. For lookaside
+ * operations, this would result in a warning returned in
+ * ``rte_crypto_op.aux_flags``.
+ */
+struct rte_security_ipsec_lifetime {
+ uint64_t packets_soft_limit;
+ /**< Soft expiry limit in number of packets */
+ uint64_t bytes_soft_limit;
+ /**< Soft expiry limit in bytes */
+ uint64_t packets_hard_limit;
+ /**< Soft expiry limit in number of packets */
+ uint64_t bytes_hard_limit;
+ /**< Soft expiry limit in bytes */
+};
+
/**
* IPsec security association configuration data.
*
/**< IPsec SA Mode - transport/tunnel */
struct rte_security_ipsec_tunnel_param tunnel;
/**< Tunnel parameters, NULL for transport mode */
- uint64_t esn_soft_limit;
- /**< ESN for which the overflow event need to be raised */
+ struct rte_security_ipsec_lifetime life;
+ /**< IPsec SA lifetime */
uint32_t replay_win_sz;
/**< Anti replay window size to enable sequence replay attack handling.
* replay checking is disabled if the window size is 0.
*/
+ union {
+ uint64_t value;
+ struct {
+ uint32_t low;
+ uint32_t hi;
+ };
+ } esn;
+ /**< Extended Sequence Number */
+ struct rte_security_ipsec_udp_param udp;
+ /**< UDP parameters, ignored when udp_encap option not specified */
};
/**