| Bug ID | 1669 |
|---|---|
| Summary | Cannot use ESN with GMAC authentication |
| Product | DPDK |
| Version | unspecified |
| Hardware | All |
| OS | All |
| Status | UNCONFIRMED |
| Severity | normal |
| Priority | Normal |
| Component | cryptodev |
| Assignee | dev@dpdk.org |
| Reporter | arieltraver@gmail.com |
| Target Milestone | --- |
Hi all, I want to use NULL encryption and AES GMAC with an Extended Sequence Number (ESN), but it seems like DPDK doesn't support doing so. According to RFC 4303, only the lower-order 32 bits of an ESN are stored in the packet itself. The whole ESN is passed in separately, as part of the Additional Authenticated Data (AAD). DPDK allows you to set this AAD for AEAD encryption modes by adjusting rte_crypto_op->sym->aead.aad.data and rte_crypto_op->sym->aead.aad.phys_addr. However, DPDK treats AES GMAC as a separate authentication transform, not as an AEAD transform with null plaintext. If you aren't using AEAD encryption, there doesn't seem to be any way to include AAD, either in the crypto op or in the rte_crypto_auth_xform struct. As such, you can't supply an ESN without including it in the packet itself, which violates RFC 4303:2.2.1, or copying the whole packet + ESN to another buffer just to authenticate. I'm a new DPDK developer, so apologies if I misunderstood the situation. I did my best to carefully read all of the crypto examples and even investigated the implementation of some of the drivers to see how they handle AES GMAC. So far I have found no clues.