[API-NEXT,v5,6/7] api: ipsec: outbound TFC padding and dummy packets

Message ID 1517410819-24732-7-git-send-email-odpbot@yandex.ru
State New
Series
  • api: ipsec: TFC padding and dummy packets

Commit Message

Github ODP bot Jan. 31, 2018, 3 p.m.
From: Petri Savolainen <petri.savolainen@linaro.org>


Specify how application can request TFC padding and dummy
packet creation at output. Application can use
odp_ipsec_out_opt_t options to request addition of TFC
padding, or creation of a TFC dummy packet
(next header = 59). IP parameter override options are needed
for tunnel mode dummy packet creation as there's no IP header
to copy e.g. DSCP or flow label values to tunnel IP header.

Signed-off-by: Petri Savolainen <petri.savolainen@linaro.org>

---
/** Email created from pull request 403 (psavol:next-ipsec-tfc)
 ** https://github.com/Linaro/odp/pull/403
 ** Patch: https://github.com/Linaro/odp/pull/403.patch
 ** Base sha: 5718327018debbb02aacb464493504c95fbe57a3
 ** Merge commit sha: a8d85f63d9e1de7ba709e84b37a06e3482bdea1d
 **/
 include/odp/api/spec/ipsec.h | 44 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 43 insertions(+), 1 deletion(-)

Patch

diff --git a/include/odp/api/spec/ipsec.h b/include/odp/api/spec/ipsec.h
index 721f96856..665dc07bc 100644
--- a/include/odp/api/spec/ipsec.h
+++ b/include/odp/api/spec/ipsec.h
@@ -991,6 +991,22 @@  typedef struct odp_ipsec_out_opt_t {
 			/** Use fragmentation mode option */
 			uint32_t frag_mode: 1;
 
+			/** Use TFC padding length option */
+			uint32_t tfc_pad:   1;
+
+			/** Tunnel mode TFC dummy packet. This can be used only
+			 *  in tunnel mode. When the flag is set, packet length
+			 *  and content is ignored and instead a TFC dummy
+			 *  packet is created during IPSEC operation. The dummy
+			 *  packet length is defined by 'tfc_pad_len' option.
+			 *  If the SA is configured to copy IP header fields
+			 *  from inner IP packet, those fields must be passed
+			 *  with IP parameters option. */
+			uint32_t tfc_dummy: 1;
+
+			/** Use IP parameters option */
+			uint32_t ip_param:  1;
+
 		} flag;
 
 		/** All flag bits */
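Review bot: The tfc_dummy comment says the dummy packet length comes from the 'tfc_pad_len' option, but it does not say whether the tfc_pad flag must also be set for that value to be honoured. Please state the required flag combination explicitly, for example "tfc_pad must be set together with tfc_dummy" or "tfc_pad is ignored when tfc_dummy is set". The same comment limits tfc_dummy to tunnel mode without saying what happens when it is set on a transport mode SA; documenting that case as an error or as undefined would let applications and validation tests agree on the outcome. The ip_param comment is also a single line, so a short reference to the ipv4/ipv6 parameters it enables would help.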
@@ -1000,6 +1016,26 @@  typedef struct odp_ipsec_out_opt_t {
 	/** Fragmentation mode */
 	odp_ipsec_frag_mode_t frag_mode;
 
+	/** TFC padding length
+	 *
+	 *  Number of TFC padding bytes added to the packet during IPSEC
+	 *  processing. Resulting packet should not exceed the maximum packet
+	 *  length of the pool, otherwise IPSEC operation may fail.
+	 *  Implementation guarantees that the padding does not contain any
+	 *  confidential information. */
+	uint32_t tfc_pad_len;
+
+	/** Union of IP parameters */
+	union {
+		/** Override IPv4 parameters in outer header creation.
+		 *  IP addresses are ignored. */
+		odp_ipsec_ipv4_param_t ipv4;
+
+		/** Override IPv6 parameters in outer header creation.
+		 *  IP addresses are ignored. */
+		odp_ipsec_ipv6_param_t ipv6;
+	};
+
 } odp_ipsec_out_opt_t;
 
 /**
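Review bot: The new ipv4/ipv6 union has no documented selector, so a reader cannot tell from this hunk which member the implementation reads when ip_param is set. Please say in the union comment what decides it, presumably the outer IP version of the tunnel SA, and whether the union is ignored for transport mode. On tfc_pad_len, "should not exceed the maximum packet length of the pool, otherwise IPSEC operation may fail" leaves the failure behaviour open; naming how the failure is reported to the application would make the limit testable. The sentence "padding does not contain any confidential information" would also be easier to verify if it stated the expected content of the padding bytes.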
@@ -1302,7 +1338,13 @@  int odp_ipsec_in(const odp_packet_t pkt_in[], int num_in,
  * The operation does packet transformation according to IPSEC standards (see
  * e.g. RFC 4302 and 4303). Resulting packets are well formed IP packets
  * with IPSEC, etc headers constructed according to the standards. The amount
- * and content of packet data before the IP header is undefined.
+ * and content of packet data before the IP header is undefined. Use outbound
+ * operation parameters to specify the amount of TFC padding appended to
+ * the packet during IPSEC transformation. Options can be used also to create
+ * TFC dummy packets. Packet data content is ignored in tunnel mode TFC dummy
+ * packet creation as tfc_pad_len option defines solely the packet length.
+ * In all other cases, payload length for the IPSEC transformation is specified
+ * by odp_packet_len() minus odp_packet_l3_offset() plus tfc_pad_len option.
  *
  * Each successfully transformed packet has a valid value for these metadata:
  * - L3 offset: Offset to the first byte of the (outmost) IP header
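Review bot: The payload length formula in the added text, odp_packet_len() minus odp_packet_l3_offset() plus tfc_pad_len, counts from the first byte of the IP header, which matches the protected payload only in tunnel mode. Please either restrict the sentence to tunnel mode or give the transport mode calculation separately. The formula also adds tfc_pad_len unconditionally; it should say that the value is used only when the tfc_pad flag is set, otherwise an uninitialised tfc_pad_len in the options struct appears to change the packet length. For the dummy packet sentence, "tfc_pad_len option defines solely the packet length" should state which length is meant, the dummy payload carried with next header 59 or the whole resulting packet.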