@@ -983,9 +983,55 @@ typedef struct odp_ipsec_op_flag_t {
* These may be used to override some SA level options
*/
typedef struct odp_ipsec_out_opt_t {
+ /** Union of all flag bits */
+ union {
+ /** Option flags. Set flag for those options that are
+ * used, all other options are ignored. */
+ struct {
+ /** Use fragmentation mode option */
+ uint32_t frag_mode: 1;
+
+ /** Use IP parameters option */
+ uint32_t ip_param: 1;
+
+ /** Use TFC padding length option */
+ uint32_t tfc_pad: 1;
+
+ /** Tunnel mode TFC dummy packet. In tunnel mode, set
+ * this flag to create a TFC dummy packet. The flag
+ * indicates packet data (at L3 offset) does not
+ * contain an inner packet IP header. If SA is
+ * configured to copy IP header fields from inner
+ * packet, those fields must be passed with
+ * IP parameters option. */
+ uint32_t tfc_dummy: 1;
+ } flag;
+
+ /** All flag bits */
+ uint32_t all_flags;
+ };
+
/** Fragmentation mode */
odp_ipsec_frag_mode_t frag_mode;
+ /** Union of IP parameters */
+ union {
+ /** Override IPv4 parameters in outer header creation.
+ * IP addresses are ignored. */
+ odp_ipsec_ipv4_param_t ipv4;
+
+ /** Override IPv6 parameters in outer header creation.
+ * IP addresses are ignored. */
+ odp_ipsec_ipv6_param_t ipv6;
+ };
+
+ /** TFC padding length
+ *
+ * Number of TFC padding bytes added to the packet during IPSEC
+ * processing. Implementation guarantees that the padding does not
+ * contain any confidential information. */
+ uint32_t tfc_pad_len;
+
} odp_ipsec_out_opt_t;
/**
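Review bot: The new `flag`/`all_flags` union in odp_ipsec_out_opt_t has no documented initial state, so an option struct left uninitialized on the stack can present stray bits such as `tfc_dummy` or `tfc_pad` together with an arbitrary `tfc_pad_len`. I would extend the `all_flags` comment to something like `/** All flag bits. Must be set to zero before individual flags are set. */`. The `tfc_pad_len` comment also gives no upper bound or error behaviour for a length that no longer fits the outer IP length field or the path MTU. The `ipv4`/`ipv6` union does not say how the valid member is selected (presumably by the SA's tunnel type), which is worth stating in the field comments.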
@@ -1210,16 +1256,22 @@ typedef struct odp_ipsec_status_t {
*
* The operation does packet transformation according to IPSEC standards (see
* e.g. RFC 4302 and 4303). Resulting packets are well formed, reconstructed
- * original IP packets, with IPSEC headers removed and valid header field values
- * restored. The amount and content of packet data before the IP header is
- * undefined.
+ * original IP (or TFC dummy) packets, with IPSEC headers removed and valid
+ * header field values restored. The amount and content of packet data before
+ * the IP header is undefined. TFC padding may follow the IP packet payload,
+ * in which case packet length is larger than protocol headers indicate.
+ * TFC dummy packets have both IPv4 and IPv6 flags cleared, although L3 offset
+ * is set also for those.
*
* Each successfully transformed packet has a valid value for these metadata
* regardless of the inner packet parse configuration
* (odp_ipsec_inbound_config_t):
- * - L3 offset: Offset to the first byte of the (outmost) IP header
- * - pktio: For inline IPSEC processed packets, original packet input
- * interface
+ * - l3_offset: Offset to the first byte of the original IP (or TFC dummy)
+ * packet
+ * - has_ipv4/6: Specifies if the original packet is IPv4 or IPv6. For tunnel
+ * mode TFC dummy packets neither flag is set.
+ * - pktio: For inline IPSEC processed packets, original packet input
+ * interface
*
* Other metadata for parse results and error checks depend on configuration
* (selected parse and error check levels).
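Review bot: The inbound text describes TFC dummy packets and trailing TFC padding but never says what the application must check before using the result: with both has_ipv4 and has_ipv6 cleared, `l3_offset` still points at data that is not an IP header, and with padding present odp_packet_len() overstates the payload. I would add a sentence after the has_ipv4/6 bullet such as `Applications must check these flags before parsing data at l3_offset and should discard TFC dummy packets`, and one stating that payload length has to be taken from the IP header rather than from the packet length, otherwise padding bytes can be forwarded or parsed as payload. It is also unclear whether an implementation may drop dummy packets itself or must always deliver them. The bullets now use `l3_offset` and `has_ipv4/6` while the outbound description keeps `L3 offset`; one spelling throughout would read better. The comment block starts and ends outside this hunk.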
@@ -1277,7 +1329,13 @@ int odp_ipsec_in(const odp_packet_t pkt_in[], int num_in,
* The operation does packet transformation according to IPSEC standards (see
* e.g. RFC 4302 and 4303). Resulting packets are well formed IP packets
* with IPSEC, etc headers constructed according to the standards. The amount
- * and content of packet data before the IP header is undefined.
+ * and content of packet data before the IP header is undefined. Use outbound
+ * operation parameters to specify the amount of TFC padding appended to
+ * the packet during IPSEC transformation. Options can be used also to create
+ * TFC dummy packets. L3 offset needs to be set also for dummy packets,
+ * although packet data content is ignored. Payload length for the IPSEC
+ * transformation is always odp_packet_len() minus odp_packet_l3_offset() plus
+ * tfc_pad_len (when used).
*
* Each successfully transformed packet has a valid value for these metadata:
* - L3 offset: Offset to the first byte of the (outmost) IP header
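Review bot: For TFC dummy packets the added text says packet data content is ignored while the payload length is still derived from odp_packet_len(), which leaves open whether the implementation overwrites those bytes or encrypts whatever the buffer holds. The option struct in this same change promises that TFC padding contains no confidential information, but nothing equivalent is stated for the dummy payload, so stale buffer contents could reach the peer if an implementation reads "ignored" as "sent as is". I would add a sentence such as `For TFC dummy packets the implementation generates the payload; the original packet data is never transmitted`, or, if that cannot be guaranteed, require the caller to clear the data first. The length formula also needs a stated outcome (an error status, or fragmentation according to frag_mode) when the padded length exceeds what the outer header or MTU allows. The comment block continues outside the hunk.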