Re: [dpdk-dev] [PATCH 1/3] security: add option to configure tunnel header verification

Re: [dpdk-dev] [PATCH 1/3] security: add option to configure tunnel header verification

[Hemant Agrawal]

On 9/8/2021 1:51 PM, Tejasree Kondoj wrote:
> Add option to indicate whether outer header verification
> need to be done as part of inbound IPsec processing.
>
> With inline IPsec processing, SA lookup would be happening
> in the Rx path of rte_ethdev. When rte_flow is configured to
> support more than one SA, SPI would be used to lookup SA.
> In such cases, additional verification would be required to
> ensure duplicate SPIs are not getting processed in the inline path.
>
> For lookaside cases, the same option can be used by application
> to offload tunnel verification to the PMD.
>
> These verifications would help in averting possible DoS attacks.
>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> ---
>   doc/guides/rel_notes/release_21_11.rst |  5 +++++
>   lib/security/rte_security.h            | 17 +++++++++++++++++
>   2 files changed, 22 insertions(+)
>
> diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
> index 0e3ed28378..b0606cb542 100644
> --- a/doc/guides/rel_notes/release_21_11.rst
> +++ b/doc/guides/rel_notes/release_21_11.rst
> @@ -136,6 +136,11 @@ ABI Changes
>       soft and hard SA expiry limits. Limits can be either in units of packets or
>       bytes.
>   
> +* security: add IPsec SA option to configure tunnel header verification
> +
> +  * Added SA option to indicate whether outer header verification need to be
> +    done as part of inbound IPsec processing.
> +
>   
>   Known Issues
>   ------------
> diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
> index 95c169d6cf..2a61cad885 100644
> --- a/lib/security/rte_security.h
> +++ b/lib/security/rte_security.h
> @@ -55,6 +55,14 @@ enum rte_security_ipsec_tunnel_type {
>   	/**< Outer header is IPv6 */
>   };
>   
> +/**
> + * IPSEC tunnel header verification mode
> + *
> + * Controls how outer IP header is verified in inbound.
> + */
> +#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR     0x1
> +#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2
> +
>   /**
>    * Security context for crypto/eth devices
>    *
> @@ -195,6 +203,15 @@ struct rte_security_ipsec_sa_options {
>   	 * by the PMD.
>   	 */
>   	uint32_t iv_gen_disable : 1;
> +
> +	/** Verify tunnel header in inbound
> +	 * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR``: Verify destination
> +	 *   IP address.
> +	 *
> +	 * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR``: Verify both
> +	 *   source and destination IP addresses.
> +	 */
> +	uint32_t tunnel_hdr_verify : 2;
>   };
>   
>   /** IPSec security association direction */
Acked-by: Hemant Agrawal <hemant.agrawal@nxp.com>

[dpdk-dev] [PATCH 0/3] add option to configure tunnel header verification

[Tejasree Kondoj]

Add option to indicate whether outer header verification need to be done
as part of inbound IPsec processing.
CNXK PMD support and unit tests are also added for the same.

Depends on
https://patches.dpdk.org/project/dpdk/list/?series=18743

Tejasree Kondoj (3):
  security: add option to configure tunnel header verification
  common/cnxk: add support for tunnel header verification
  test/crypto: add tunnel header verification tests

 app/test/test_cryptodev.c                     | 45 +++++++++++++-
 app/test/test_cryptodev_security_ipsec.c      | 25 +++++++-
 app/test/test_cryptodev_security_ipsec.h      |  1 +
 ...st_cryptodev_security_ipsec_test_vectors.h |  3 +
 doc/guides/rel_notes/release_21_11.rst        |  5 ++
 drivers/common/cnxk/cnxk_security.c           | 60 +++++++++++++++++++
 drivers/common/cnxk/roc_ie_ot.h               |  6 +-
 .../crypto/cnxk/cnxk_cryptodev_capabilities.c |  4 ++
 lib/security/rte_security.h                   | 17 ++++++
 9 files changed, 162 insertions(+), 4 deletions(-)

-- 
2.27.0

[dpdk-dev] [PATCH 1/3] security: add option to configure tunnel header verification

[Tejasree Kondoj]

Add option to indicate whether outer header verification
need to be done as part of inbound IPsec processing.

With inline IPsec processing, SA lookup would be happening
in the Rx path of rte_ethdev. When rte_flow is configured to
support more than one SA, SPI would be used to lookup SA.
In such cases, additional verification would be required to
ensure duplicate SPIs are not getting processed in the inline path.

For lookaside cases, the same option can be used by application
to offload tunnel verification to the PMD.

These verifications would help in averting possible DoS attacks.

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 doc/guides/rel_notes/release_21_11.rst |  5 +++++
 lib/security/rte_security.h            | 17 +++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 0e3ed28378..b0606cb542 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -136,6 +136,11 @@ ABI Changes
     soft and hard SA expiry limits. Limits can be either in units of packets or
     bytes.
 
+* security: add IPsec SA option to configure tunnel header verification
+
+  * Added SA option to indicate whether outer header verification need to be
+    done as part of inbound IPsec processing.
+
 
 Known Issues
 ------------
diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
index 95c169d6cf..2a61cad885 100644
--- a/lib/security/rte_security.h
+++ b/lib/security/rte_security.h
@@ -55,6 +55,14 @@ enum rte_security_ipsec_tunnel_type {
 	/**< Outer header is IPv6 */
 };
 
+/**
+ * IPSEC tunnel header verification mode
+ *
+ * Controls how outer IP header is verified in inbound.
+ */
+#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR     0x1
+#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2
+
 /**
  * Security context for crypto/eth devices
  *
@@ -195,6 +203,15 @@ struct rte_security_ipsec_sa_options {
 	 * by the PMD.
 	 */
 	uint32_t iv_gen_disable : 1;
+
+	/** Verify tunnel header in inbound
+	 * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR``: Verify destination
+	 *   IP address.
+	 *
+	 * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR``: Verify both
+	 *   source and destination IP addresses.
+	 */
+	uint32_t tunnel_hdr_verify : 2;
 };
 
 /** IPSec security association direction */
-- 
2.27.0

[dpdk-dev] [PATCH 2/3] common/cnxk: add support for tunnel header verification

[Tejasree Kondoj]

Adding support to verify tunnel header in IPsec inbound.

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 drivers/common/cnxk/cnxk_security.c           | 60 +++++++++++++++++++
 drivers/common/cnxk/roc_ie_ot.h               |  6 +-
 .../crypto/cnxk/cnxk_cryptodev_capabilities.c |  4 ++
 3 files changed, 69 insertions(+), 1 deletion(-)

diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c
index 215d9fd4d1..cc5daf333c 100644
--- a/drivers/common/cnxk/cnxk_security.c
+++ b/drivers/common/cnxk/cnxk_security.c
@@ -199,6 +199,62 @@ ot_ipsec_inb_ctx_size(struct roc_ot_ipsec_inb_sa *sa)
 	return size;
 }
 
+static int
+ot_ipsec_inb_tunnel_hdr_fill(struct roc_ot_ipsec_inb_sa *sa,
+			     struct rte_security_ipsec_xform *ipsec_xfrm)
+{
+	struct rte_security_ipsec_tunnel_param *tunnel;
+
+	if (ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
+		return 0;
+
+	if (ipsec_xfrm->options.tunnel_hdr_verify == 0)
+		return 0;
+
+	tunnel = &ipsec_xfrm->tunnel;
+
+	switch (tunnel->type) {
+	case RTE_SECURITY_IPSEC_TUNNEL_IPV4:
+		sa->w2.s.outer_ip_ver = ROC_IE_SA_IP_VERSION_4;
+		memcpy(&sa->outer_hdr.ipv4.src_addr, &tunnel->ipv4.src_ip,
+		       sizeof(struct in_addr));
+		memcpy(&sa->outer_hdr.ipv4.dst_addr, &tunnel->ipv4.dst_ip,
+		       sizeof(struct in_addr));
+
+		/* IP Source and Dest are in LE/CPU endian */
+		sa->outer_hdr.ipv4.src_addr =
+			rte_be_to_cpu_32(sa->outer_hdr.ipv4.src_addr);
+		sa->outer_hdr.ipv4.dst_addr =
+			rte_be_to_cpu_32(sa->outer_hdr.ipv4.dst_addr);
+
+		break;
+	case RTE_SECURITY_IPSEC_TUNNEL_IPV6:
+		sa->w2.s.outer_ip_ver = ROC_IE_SA_IP_VERSION_6;
+		memcpy(&sa->outer_hdr.ipv6.src_addr, &tunnel->ipv6.src_addr,
+		       sizeof(struct in6_addr));
+		memcpy(&sa->outer_hdr.ipv6.dst_addr, &tunnel->ipv6.dst_addr,
+		       sizeof(struct in6_addr));
+
+		break;
+	default:
+		return -EINVAL;
+	}
+
+	switch (ipsec_xfrm->options.tunnel_hdr_verify) {
+	case RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR:
+		sa->w2.s.ip_hdr_verify = ROC_IE_OT_SA_IP_HDR_VERIFY_DST_ADDR;
+		break;
+	case RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR:
+		sa->w2.s.ip_hdr_verify =
+			ROC_IE_OT_SA_IP_HDR_VERIFY_SRC_DST_ADDR;
+		break;
+	default:
+		return -ENOTSUP;
+	}
+
+	return 0;
+}
+
 int
 cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa,
 			  struct rte_security_ipsec_xform *ipsec_xfrm,
@@ -229,6 +285,10 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa,
 		sa->w0.s.ar_win = rte_log2_u32(replay_win_sz) - 5;
 	}
 
+	rc = ot_ipsec_inb_tunnel_hdr_fill(sa, ipsec_xfrm);
+	if (rc)
+		return rc;
+
 	/* Default options for pkt_out and pkt_fmt are with
 	 * second pass meta and no defrag.
 	 */
diff --git a/drivers/common/cnxk/roc_ie_ot.h b/drivers/common/cnxk/roc_ie_ot.h
index 1ff468841d..12c75afac2 100644
--- a/drivers/common/cnxk/roc_ie_ot.h
+++ b/drivers/common/cnxk/roc_ie_ot.h
@@ -180,7 +180,11 @@ union roc_ot_ipsec_sa_word2 {
 		uint64_t auth_type : 4;
 
 		uint64_t encap_type : 2;
-		uint64_t rsvd1 : 6;
+		uint64_t et_ovrwr_ddr_en : 1;
+		uint64_t esn_en : 1;
+		uint64_t tport_l4_incr_csum : 1;
+		uint64_t ip_hdr_verify : 2;
+		uint64_t rsvd5 : 1;
 
 		uint64_t rsvd2 : 7;
 		uint64_t async_mode : 1;
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index 4b97639e56..8a0cf289fd 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -920,6 +920,10 @@ cn10k_sec_caps_update(struct rte_security_capability *sec_cap)
 #ifdef LA_IPSEC_DEBUG
 		sec_cap->ipsec.options.iv_gen_disable = 1;
 #endif
+	} else {
+		if (sec_cap->ipsec.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
+			sec_cap->ipsec.options.tunnel_hdr_verify =
+				RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR;
 	}
 }
 
-- 
2.27.0

[dpdk-dev] [PATCH 3/3] test/crypto: add tunnel header verification tests

[Tejasree Kondoj]

Add test cases to verify tunnel header in IPsec inbound.

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 app/test/test_cryptodev.c                     | 45 ++++++++++++++++++-
 app/test/test_cryptodev_security_ipsec.c      | 25 ++++++++++-
 app/test/test_cryptodev_security_ipsec.h      |  1 +
 ...st_cryptodev_security_ipsec_test_vectors.h |  3 ++
 4 files changed, 71 insertions(+), 3 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index e513f38765..ab7b63f37f 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -8876,6 +8876,7 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
 	int salt_len, i, ret = TEST_SUCCESS;
 	struct rte_security_ctx *ctx;
 	uint8_t *input_text;
+	uint32_t verify;
 
 	ut_params->type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
 	gbl_action_type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
@@ -8885,11 +8886,19 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
 	/* Copy IPsec xform */
 	memcpy(&ipsec_xform, &td[0].ipsec_xform, sizeof(ipsec_xform));
 
+	dir = ipsec_xform.direction;
+	verify = flags->tunnel_hdr_verify;
+
+	if ((dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && verify) {
+		if (verify == RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR)
+			src += 1;
+		else if (verify == RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR)
+			dst += 1;
+	}
+
 	memcpy(&ipsec_xform.tunnel.ipv4.src_ip, &src, sizeof(src));
 	memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst, sizeof(dst));
 
-	dir = ipsec_xform.direction;
-
 	ctx = rte_cryptodev_get_sec_ctx(dev_id);
 
 	sec_cap_idx.action = ut_params->type;
@@ -9181,6 +9190,30 @@ test_ipsec_proto_udp_encap(const void *data __rte_unused)
 	return test_ipsec_proto_all(&flags);
 }
 
+static int
+test_ipsec_proto_tunnel_src_dst_addr_verify(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.tunnel_hdr_verify = RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR;
+
+	return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_tunnel_dst_addr_verify(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.tunnel_hdr_verify = RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR;
+
+	return test_ipsec_proto_all(&flags);
+}
+
 static int
 test_PDCP_PROTO_all(void)
 {
@@ -14124,6 +14157,14 @@ static struct unit_test_suite ipsec_proto_testsuite  = {
 			"Negative test: ICV corruption",
 			ut_setup_security, ut_teardown,
 			test_ipsec_proto_err_icv_corrupt),
+		TEST_CASE_NAMED_ST(
+			"Tunnel dst addr verification",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_tunnel_dst_addr_verify),
+		TEST_CASE_NAMED_ST(
+			"Tunnel src and dst addr verification",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_tunnel_src_dst_addr_verify),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index 046536cc9c..f040630655 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -86,6 +86,15 @@ test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
 		return -ENOTSUP;
 	}
 
+	if ((ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
+	    (ipsec_xform->options.tunnel_hdr_verify >
+	    sec_cap->ipsec.options.tunnel_hdr_verify)) {
+		if (!silent)
+			RTE_LOG(INFO, USER1,
+				"Tunnel header verify is not supported\n");
+		return -ENOTSUP;
+	}
+
 	return 0;
 }
 
@@ -207,6 +216,9 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[],
 		if (flags->udp_encap)
 			td_inb[i].ipsec_xform.options.udp_encap = 1;
 
+		td_inb[i].ipsec_xform.options.tunnel_hdr_verify =
+			flags->tunnel_hdr_verify;
+
 		/* Clear outbound specific flags */
 		td_inb[i].ipsec_xform.options.iv_gen_disable = 0;
 	}
@@ -292,7 +304,8 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 	/* For tests with status as error for test success, skip verification */
 	if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
 	    (flags->icv_corrupt ||
-	     flags->sa_expiry_pkts_hard))
+	     flags->sa_expiry_pkts_hard ||
+	     flags->tunnel_hdr_verify))
 		return TEST_SUCCESS;
 
 	if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
@@ -420,6 +433,16 @@ test_ipsec_status_check(struct rte_crypto_op *op,
 		}
 	}
 
+	if ((dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
+	    flags->tunnel_hdr_verify) {
+		if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
+			printf("Tunnel header verify test case failed\n");
+			return TEST_FAILED;
+		} else {
+			return TEST_SUCCESS;
+		}
+	}
+
 	if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && flags->icv_corrupt) {
 		if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
 			printf("ICV corruption test case failed\n");
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index 18f3c64bb7..a65cb54eae 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -53,6 +53,7 @@ struct ipsec_test_flags {
 	bool sa_expiry_pkts_hard;
 	bool icv_corrupt;
 	bool iv_gen;
+	uint32_t tunnel_hdr_verify;
 	bool udp_encap;
 };
 
diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h
index 38ea43d157..4e147ec19c 100644
--- a/app/test/test_cryptodev_security_ipsec_test_vectors.h
+++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h
@@ -94,6 +94,7 @@ struct ipsec_test_data pkt_aes_128_gcm = {
 		.options.dec_ttl = 0,
 		.options.ecn = 0,
 		.options.stats = 0,
+		.options.tunnel_hdr_verify = 0,
 		.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
 		.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
 		.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
@@ -190,6 +191,7 @@ struct ipsec_test_data pkt_aes_192_gcm = {
 		.options.dec_ttl = 0,
 		.options.ecn = 0,
 		.options.stats = 0,
+		.options.tunnel_hdr_verify = 0,
 		.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
 		.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
 		.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
@@ -289,6 +291,7 @@ struct ipsec_test_data pkt_aes_256_gcm = {
 		.options.dec_ttl = 0,
 		.options.ecn = 0,
 		.options.stats = 0,
+		.options.tunnel_hdr_verify = 0,
 		.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
 		.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
 		.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
-- 
2.27.0

Re: [dpdk-dev] [PATCH 1/3] security: add option to configure tunnel header verification

[Akhil Goyal]

> Add option to indicate whether outer header verification
> need to be done as part of inbound IPsec processing.
> 
> With inline IPsec processing, SA lookup would be happening
> in the Rx path of rte_ethdev. When rte_flow is configured to
> support more than one SA, SPI would be used to lookup SA.
> In such cases, additional verification would be required to
> ensure duplicate SPIs are not getting processed in the inline path.
> 
> For lookaside cases, the same option can be used by application
> to offload tunnel verification to the PMD.
> 
> These verifications would help in averting possible DoS attacks.
> 
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> ---
>  doc/guides/rel_notes/release_21_11.rst |  5 +++++

Deprecation notice should also be removed for this feature addition/
ABI breakage.

Other than that
Acked-by: Akhil Goyal <gakhil@marvell.com>

>  lib/security/rte_security.h            | 17 +++++++++++++++++
>  2 files changed, 22 insertions(+)
> 
> diff --git a/doc/guides/rel_notes/release_21_11.rst
> b/doc/guides/rel_notes/release_21_11.rst
> index 0e3ed28378..b0606cb542 100644
> --- a/doc/guides/rel_notes/release_21_11.rst
> +++ b/doc/guides/rel_notes/release_21_11.rst
> @@ -136,6 +136,11 @@ ABI Changes
>      soft and hard SA expiry limits. Limits can be either in units of packets or
>      bytes.
> 
> +* security: add IPsec SA option to configure tunnel header verification
> +
> +  * Added SA option to indicate whether outer header verification need to
> be
> +    done as part of inbound IPsec processing.
> +
> 
>  Known Issues
>  ------------
> diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
> index 95c169d6cf..2a61cad885 100644
> --- a/lib/security/rte_security.h
> +++ b/lib/security/rte_security.h
> @@ -55,6 +55,14 @@ enum rte_security_ipsec_tunnel_type {
>  	/**< Outer header is IPv6 */
>  };
> 
> +/**
> + * IPSEC tunnel header verification mode
> + *
> + * Controls how outer IP header is verified in inbound.
> + */
> +#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR     0x1
> +#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2
> +
>  /**
>   * Security context for crypto/eth devices
>   *
> @@ -195,6 +203,15 @@ struct rte_security_ipsec_sa_options {
>  	 * by the PMD.
>  	 */
>  	uint32_t iv_gen_disable : 1;
> +
> +	/** Verify tunnel header in inbound
> +	 * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR``: Verify
> destination
> +	 *   IP address.
> +	 *
> +	 * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR``: Verify
> both
> +	 *   source and destination IP addresses.
> +	 */
> +	uint32_t tunnel_hdr_verify : 2;
>  };
> 
>  /** IPSec security association direction */
> --
> 2.27.0