From: Tejasree Kondoj <ktejasree@marvell.com>
To: Akhil Goyal <akhil.goyal@nxp.com>, Radu Nicolau <radu.nicolau@intel.com>
Cc: Tejasree Kondoj <ktejasree@marvell.com>,
Narayana Prasad <pathreya@marvell.com>,
Anoob Joseph <anoobj@marvell.com>, <dev@dpdk.org>
Subject: [dpdk-dev] [PATCH] security: allow application to specify UDP ports to PMD
Date: Thu, 3 Sep 2020 12:12:06 +0530 [thread overview]
Message-ID: <20200903064206.16208-1-ktejasree@marvell.com> (raw)
Add UDP source and destination ports in ipsec_xform to allow application
to specify ports to be used for IPsec UDP encapsulation as they are
dynamically changed by NAT in between. Also adding an extra flag to
indicate whether PMD needs to perform encapsulation header verification
in case of inbound. In case of inline IPsec implementation, verification
of outer IP headers and UDP encapsulation headers need to be handled
in the PMD. For lookaside IPsec, application can optionally offload
this to the PMD.
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
lib/librte_security/rte_security.h | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h
index 16839e539..670bdeb6b 100644
--- a/lib/librte_security/rte_security.h
+++ b/lib/librte_security/rte_security.h
@@ -130,6 +130,13 @@ struct rte_security_ipsec_sa_options {
*/
uint32_t udp_encap : 1;
+ /** Verify tunnel header and UDP encapsulation ports in inbound
+ *
+ * * 1: Match outer header source, destination addresses and UDP ports
+ * * 0: Do not match outer IP addresses and UDP ports
+ */
+ uint32_t encap_hdr_verify : 1;
+
/** Copy DSCP bits
*
* * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to
@@ -190,6 +197,16 @@ enum rte_security_ipsec_sa_direction {
/**< Verify digest and decrypt */
};
+/**
+ * UDP encapsulation ports
+ */
+struct rte_security_ipsec_udp_encapsulation {
+ uint16_t src_port;
+ /**< UDP source port */
+ uint16_t dst_port;
+ /**< UDP destination port */
+};
+
/**
* IPsec security association configuration data.
*
@@ -216,6 +233,8 @@ struct rte_security_ipsec_xform {
/**< Anti replay window size to enable sequence replay attack handling.
* replay checking is disabled if the window size is 0.
*/
+ struct rte_security_ipsec_udp_encapsulation udp_encap;
+ /**< UDP encapsulation ports */
};
/**
--
2.27.0
next reply other threads:[~2020-09-03 5:48 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-03 6:42 Tejasree Kondoj [this message]
2020-09-10 19:09 ` Akhil Goyal
2020-09-21 9:13 ` Tejasree Kondoj
2020-09-21 9:30 ` Akhil Goyal
2020-09-21 12:03 ` Tejasree Kondoj
2021-01-11 19:20 ` Akhil Goyal
2021-01-12 6:51 ` Tejasree Kondoj
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200903064206.16208-1-ktejasree@marvell.com \
--to=ktejasree@marvell.com \
--cc=akhil.goyal@nxp.com \
--cc=anoobj@marvell.com \
--cc=dev@dpdk.org \
--cc=pathreya@marvell.com \
--cc=radu.nicolau@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).