[API-NEXT,v1,3/4] api: ipsec: TFC padding and dummy packets

Message ID 1516284012-2640-4-git-send-email-odpbot@yandex.ru
State New
Series [API-NEXT,v1,1/4] api: ipsec: IP header parameter types

Commit Message

Github ODP bot Jan. 18, 2018, 2 p.m. UTC
From: Petri Savolainen <petri.savolainen@linaro.org>


Specify how application can recognize/create TFC padding and
dummy packets. At input, packet metadata flags for IPv4 and IPv6
indicate if the original packet was an IP or dummy packet.
At output, application can use odp_ipsec_out_opt_t options to
request addition of TFC padding, or creation of a TFC dummy
packet (next header = 59). IP parameter override option is needed
for dummy packet creation as there's no IP header to copy e.g.
DSCP or flow label values.

Signed-off-by: Petri Savolainen <petri.savolainen@linaro.org>

---
/** Email created from pull request 403 (psavol:next-ipsec-tfc)
 ** https://github.com/Linaro/odp/pull/403
 ** Patch: https://github.com/Linaro/odp/pull/403.patch
 ** Base sha: 0c7741d067d9b96e14e420b53a256a1b93096e16
 ** Merge commit sha: 14f0b7020e142ed747602a2856214c93e06ff84e
 **/
 include/odp/api/spec/ipsec.h | 72 +++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 65 insertions(+), 7 deletions(-)
Patch

diff --git a/include/odp/api/spec/ipsec.h b/include/odp/api/spec/ipsec.h
index 471df6192..bb09dd854 100644
--- a/include/odp/api/spec/ipsec.h
+++ b/include/odp/api/spec/ipsec.h
@@ -983,9 +983,55 @@  typedef struct odp_ipsec_op_flag_t {
  * These may be used to override some SA level options
  */
 typedef struct odp_ipsec_out_opt_t {
+	/** Union of all flag bits */
+	union {
+		/** Option flags. Set flag for those options that are
+		 *  used, all other options are ignored. */
+		struct {
+			/** Use fragmentation mode option */
+			uint32_t frag_mode: 1;
+
+			/** Use IP parameters option */
+			uint32_t ip_param:  1;
+
+			/** Use TFC padding length option */
+			uint32_t tfc_pad:   1;
+
+			/** Tunnel mode TFC dummy packet. In tunnel mode, set
+			 *  this flag to create a TFC dummy packet. The flag
+			 *  indicates packet data (at L3 offset) does not
+			 *  contain an inner packet IP header. If SA is
+			 *  configured to copy IP header fields from inner
+			 *  packet, those fields must be passed with
+			 *  IP parameters option. */
+			uint32_t tfc_dummy: 1;
+		} flag;
+
+		/** All flag bits */
+		uint32_t all_flags;
+	};
+
 	/** Fragmentation mode */
 	odp_ipsec_frag_mode_t frag_mode;
 
+	/** Union of IP parameters */
+	union {
+		/** Override IPv4 parameters in outer header creation.
+		 *  IP addresses are ignored. */
+		odp_ipsec_ipv4_param_t ipv4;
+
+		/** Override IPv6 parameters in outer header creation.
+		 *  IP addresses are ignored. */
+		odp_ipsec_ipv6_param_t ipv6;
+	};
+
+	/** TFC padding length
+	 *
+	 *  Number of TFC padding bytes added to the packet during IPSEC
+	 *  processing. Implementation guarantees that the padding does not
+	 *  contain any confidential information. */
+	uint32_t tfc_pad_len;
+
 } odp_ipsec_out_opt_t;
 
 /**
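Review bot: the anonymous union of `ipv4` and `ipv6` in odp_ipsec_out_opt_t has no selector. `flag.ip_param` only says the option is used, and none of the comments state which member the implementation reads, so please document the rule (for example, that the member matching the SA's outer tunnel IP version is read). The `tfc_dummy` comment says copied fields "must be passed with IP parameters option" but does not define the result when `tfc_dummy` is set without `ip_param`, or when it is set outside tunnel mode; say whether that is an error or undefined behaviour. `tfc_pad_len` has no stated upper bound and no stated interaction with `frag_mode`. Since `frag_mode` is an existing field and options without a set flag are now ignored, a sentence telling callers to zero `all_flags` and then set `flag.frag_mode` explicitly would prevent the option from being silently dropped.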
@@ -1210,16 +1256,22 @@  typedef struct odp_ipsec_status_t {
  *
  * The operation does packet transformation according to IPSEC standards (see
  * e.g. RFC 4302 and 4303). Resulting packets are well formed, reconstructed
- * original IP packets, with IPSEC headers removed and valid header field values
- * restored. The amount and content of packet data before the IP header is
- * undefined.
+ * original IP (or TFC dummy) packets, with IPSEC headers removed and valid
+ * header field values restored. The amount and content of packet data before
+ * the IP header is undefined. TFC padding may follow the IP packet payload,
+ * in which case packet length is larger than protocol headers indicate.
+ * TFC dummy packets have both IPv4 and IPv6 flags cleared, although L3 offset
+ * is set also for those.
  *
  * Each successfully transformed packet has a valid value for these metadata
  * regardless of the inner packet parse configuration
  * (odp_ipsec_inbound_config_t):
- * - L3 offset: Offset to the first byte of the (outmost) IP header
- * - pktio:     For inline IPSEC processed packets, original packet input
- *              interface
+ * - l3_offset:  Offset to the first byte of the original IP (or TFC dummy)
+ *               packet
+ * - has_ipv4/6: Specifies if the original packet is IPv4 or IPv6. For tunnel
+ *               mode TFC dummy packets neither flag is set.
+ * - pktio:      For inline IPSEC processed packets, original packet input
+ *               interface
  *
  * Other metadata for parse results and error checks depend on configuration
  * (selected parse and error check levels).
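Review bot: the added sentence "TFC padding may follow the IP packet payload, in which case packet length is larger than protocol headers indicate" does not say who removes the padding. As written, an application that forwards or copies based on odp_packet_len() will carry the padding bytes along, so the text should state that the end of the packet has to be taken from the IP header length fields and that the application is expected to truncate. For dummy packets, l3_offset is valid while both IPv4 and IPv6 flags are cleared; add an explicit statement that the flags must be checked before parsing at l3_offset and that dummy packet content is meant to be discarded, otherwise code that keys only on a valid L3 offset will parse arbitrary bytes as an IP header.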
@@ -1277,7 +1329,13 @@  int odp_ipsec_in(const odp_packet_t pkt_in[], int num_in,
  * The operation does packet transformation according to IPSEC standards (see
  * e.g. RFC 4302 and 4303). Resulting packets are well formed IP packets
  * with IPSEC, etc headers constructed according to the standards. The amount
- * and content of packet data before the IP header is undefined.
+ * and content of packet data before the IP header is undefined. Use outbound
+ * operation parameters to specify the amount of TFC padding appended to
+ * the packet during IPSEC transformation. Options can be used also to create
+ * TFC dummy packets. L3 offset needs to be set also for dummy packets,
+ * although packet data content is ignored. Payload length for the IPSEC
+ * transformation is always odp_packet_len() minus odp_packet_l3_offset() plus
+ * tfc_pad_len (when used).
  *
  * Each successfully transformed packet has a valid value for these metadata:
  * - L3 offset: Offset to the first byte of the (outmost) IP header
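Review bot: for dummy packets the new text says "packet data content is ignored", yet the payload length is still derived from odp_packet_len() minus odp_packet_l3_offset(), and nothing states what bytes the implementation places in the dummy payload. The `tfc_pad_len` field comment guarantees that padding contains no confidential information; the same guarantee should be written down for dummy payload so that stale buffer contents are never sent. Please also state whether `tfc_pad_len` may be combined with `tfc_dummy`. Style: the metadata list below still uses "L3 offset" while the inbound text in this patch now uses "l3_offset", and "Options can be used also" reads better as "Options can also be used".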