authorPetri Savolainen <petri.savolainen@linaro.org>2018-01-23 13:50:24 +0200
committerMaxim Uvarov <maxim.uvarov@linaro.org>2018-02-26 14:07:18 +0300
commitc01a96f12606fae1c039de3773a7193652c16425 (patch)
treea8d017d0063a24bc4da8e343a442575cdeb98406 /include
parente169c33a873d462845e3ebafa1e334c26205224c (diff)
api: ipsec: outbound TFC padding and dummy packets
Specify how application can request TFC padding and dummy packet creation at output. Application can use odp_ipsec_out_opt_t options to request addition of TFC padding, or creation of a TFC dummy packet (next header = 59). IP parameter override options are needed for tunnel mode dummy packet creation as there's no IP header to copy e.g. DSCP or flow label values to tunnel IP header. Signed-off-by: Petri Savolainen <petri.savolainen@linaro.org> Reviewed-by: Balasubramanian Manoharan <bala.manoharan@linaro.org> Reviewed-by: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org> Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
Diffstat (limited to 'include')
-rw-r--r--include/odp/api/spec/ipsec.h44
1 files changed, 43 insertions, 1 deletions
diff --git a/include/odp/api/spec/ipsec.h b/include/odp/api/spec/ipsec.h
index 721f96856..665dc07bc 100644
--- a/include/odp/api/spec/ipsec.h
+++ b/include/odp/api/spec/ipsec.h
@@ -991,6 +991,22 @@ typedef struct odp_ipsec_out_opt_t {
/** Use fragmentation mode option */
uint32_t frag_mode: 1;
+ /** Use TFC padding length option */
+ uint32_t tfc_pad: 1;
+
+ /** Tunnel mode TFC dummy packet. This can be used only
+ * in tunnel mode. When the flag is set, packet length
+ * and content is ignored and instead a TFC dummy
+ * packet is created during IPSEC operation. The dummy
+ * packet length is defined by 'tfc_pad_len' option.
+ * If the SA is configured to copy IP header fields
+ * from inner IP packet, those fields must be passed
+ * with IP parameters option. */
+ uint32_t tfc_dummy: 1;
+
+ /** Use IP parameters option */
+ uint32_t ip_param: 1;
+
} flag;
/** All flag bits */
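Review bot: The `tfc_dummy` comment does not say what happens when the flag is set on a transport mode SA, or when the SA copies inner header fields and `ip_param` is left clear. Because the input packet's length and content are ignored in this mode, an implementation left to guess might fill DSCP or flow label from unrelated packet data, so the contract should name the outcome, for example `* Results are undefined if the flag is set for a transport mode SA.` if that is the intent. The comment also leaves open whether `tfc_pad` has to be set for `tfc_pad_len` to be honoured on a dummy packet; one sentence settling this either way would do. The enclosing struct and flag union start and end outside this hunk.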
@@ -1000,6 +1016,26 @@ typedef struct odp_ipsec_out_opt_t {
/** Fragmentation mode */
odp_ipsec_frag_mode_t frag_mode;
+ /** TFC padding length
+ *
+ * Number of TFC padding bytes added to the packet during IPSEC
+ * processing. Resulting packet should not exceed the maximum packet
+ * length of the pool, otherwise IPSEC operation may fail.
+ * Implementation guarantees that the padding does not contain any
+ * confidential information. */
+ uint32_t tfc_pad_len;
+
+ /** Union of IP parameters */
+ union {
+ /** Override IPv4 parameters in outer header creation.
+ * IP addresses are ignored. */
+ odp_ipsec_ipv4_param_t ipv4;
+
+ /** Override IPv6 parameters in outer header creation.
+ * IP addresses are ignored. */
+ odp_ipsec_ipv6_param_t ipv6;
+ };
+
} odp_ipsec_out_opt_t;
/**
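Review bot: `tfc_pad_len` is a full 32-bit value and the comment bounds it only by the pool's maximum packet length, with "may fail" as the outcome. That leaves each implementation to add it to the packet length without wrapping and to respect the outer IP length field. A firmer wording such as `* The operation fails if the padded packet would exceed the maximum packet length of the pool.` would make the error path part of the contract. The anonymous union also has no stated selector; presumably the SA's outer IP version picks the member, and the comment could say so, e.g. `/** Union of IP parameters. The member matching the outer IP version of the SA is used. */`. The struct starts outside this hunk.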
@@ -1302,7 +1338,13 @@ int odp_ipsec_in(const odp_packet_t pkt_in[], int num_in,
* The operation does packet transformation according to IPSEC standards (see
* e.g. RFC 4302 and 4303). Resulting packets are well formed IP packets
* with IPSEC, etc headers constructed according to the standards. The amount
- * and content of packet data before the IP header is undefined.
+ * and content of packet data before the IP header is undefined. Use outbound
+ * operation parameters to specify the amount of TFC padding appended to
+ * the packet during IPSEC transformation. Options can be used also to create
+ * TFC dummy packets. Packet data content is ignored in tunnel mode TFC dummy
+ * packet creation as tfc_pad_len option defines solely the packet length.
+ * In all other cases, payload length for the IPSEC transformation is specified
+ * by odp_packet_len() minus odp_packet_l3_offset() plus tfc_pad_len option.
*
* Each successfully transformed packet has a valid value for these metadata:
* - L3 offset: Offset to the first byte of the (outmost) IP header
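Review bot: The added text describes TFC padding and dummy packets for the outbound operation as a whole, while the same paragraph cites both RFC 4302 and RFC 4303; TFC padding is an ESP mechanism (RFC 4303 section 2.7), so the behaviour for AH SAs should be stated. RFC 4303 also allows TFC padding in transport mode only when the payload protocol carries its own length, a restriction the text does not pass on to the application. I would add something like `* TFC padding and dummy packets are supported only with ESP SAs. In transport mode, the application must ensure that the payload protocol carries explicit length information.` This doc comment starts and continues outside the hunk.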