[v1] lib/ipsec: add support for header construction

Message ID 20190517160319.2468-1-marko.kovacevic@intel.com (mailing list archive)
State Superseded, archived
Delegated to: akhil goyal


Commit Message

Kovacevic, Marko May 17, 2019, 4:03 p.m. UTC
  Add support for the RFC 4301 (5.1.2) update of the
Type of Service field and Traffic Class field
bits inside IPv4/IPv6 packets for the outbound
and inbound cases, which deals with the update of
the DSCP/ECN bits inside each of the fields.

Signed-off-by: Marko Kovacevic <marko.kovacevic@intel.com>
---
 examples/ipsec-secgw/sa.c          |   2 +
 lib/librte_ipsec/esp_inb.c         |  14 ++++-
 lib/librte_ipsec/esp_outb.c        |   4 +-
 lib/librte_ipsec/iph.h             | 119 +++++++++++++++++++++++++++++++++++--
 lib/librte_ipsec/rte_ipsec_sa.h    |  25 ++++++++
 lib/librte_ipsec/sa.c              |  17 ++++++
 lib/librte_ipsec/sa.h              |   2 +
 lib/librte_net/rte_ip.h            |   8 +++
 lib/librte_security/rte_security.h |   9 +++
 9 files changed, 191 insertions(+), 9 deletions(-)
  

Comments

Ananyev, Konstantin May 19, 2019, 4:26 p.m. UTC | #1
Hi,

> 
> Add support for RFC 4301(5.1.2) to update of
> Type of service field and Traffic class field
> bits inside ipv4/ipv6 packets for outbound cases
> and inbound cases which deals with the update of
> the DSCP/ENC bits inside each of the fields.
> 
> Signed-off-by: Marko Kovacevic <marko.kovacevic@intel.com>
> ---
>  examples/ipsec-secgw/sa.c          |   2 +
>  lib/librte_ipsec/esp_inb.c         |  14 ++++-
>  lib/librte_ipsec/esp_outb.c        |   4 +-
>  lib/librte_ipsec/iph.h             | 119 +++++++++++++++++++++++++++++++++++--
>  lib/librte_ipsec/rte_ipsec_sa.h    |  25 ++++++++
>  lib/librte_ipsec/sa.c              |  17 ++++++
>  lib/librte_ipsec/sa.h              |   2 +
>  lib/librte_net/rte_ip.h            |   8 +++
>  lib/librte_security/rte_security.h |   9 +++
>  9 files changed, 191 insertions(+), 9 deletions(-)

Looks good in general, some generic comments:
- I think it is better to split the patch into few sub-pathces:
  One for rte_security, second for rte_net, third - rte_ipsec, forth - examples/ipsec-secgw
- Would be good to add support for other options too (ttl, etc.)
- Would be good to add new test-case for it into examples/ipsec-secgw/test/

Plus few nits in the code below.
Konstantin

> 
> diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
> index b850e9839..4d85d09df 100644
> --- a/examples/ipsec-secgw/sa.c
> +++ b/examples/ipsec-secgw/sa.c
> @@ -991,6 +991,8 @@ fill_ipsec_sa_prm(struct rte_ipsec_sa_prm *prm, const struct ipsec_sa *ss,
>  	prm->ipsec_xform.mode = (ss->flags == TRANSPORT) ?
>  		RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT :
>  		RTE_SECURITY_IPSEC_SA_MODE_TUNNEL;
> +	prm->ipsec_xform.options.ecn = 1;
> +	prm->ipsec_xform.options.copy_dscp = 1;
> 
>  	if (ss->flags == IP4_TUNNEL) {
>  		prm->ipsec_xform.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4;
> diff --git a/lib/librte_ipsec/esp_inb.c b/lib/librte_ipsec/esp_inb.c
> index 4e0e12a85..8a3cb8a15 100644
> --- a/lib/librte_ipsec/esp_inb.c
> +++ b/lib/librte_ipsec/esp_inb.c
> @@ -377,9 +377,10 @@ tun_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[],
>  {
>  	uint32_t adj, i, k, tl;
>  	uint32_t hl[num];
> +	void *inner_h;
> +	const void *outter_h;
>  	struct esp_tail espt[num];
>  	struct rte_mbuf *ml[num];
> -
>  	const uint32_t tlen = sa->icv_len + sizeof(espt[0]);
>  	const uint32_t cofs = sa->ctp.cipher.offset;
> 
> @@ -400,9 +401,16 @@ tun_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[],
>  		if (tun_process_check(mb[i], ml[i], espt[i], adj, tl,
>  					sa->proto) == 0) {
> 
> +			outter_h = rte_pktmbuf_mtod_offset(mb[i], uint8_t *,
> +					mb[i]->l2_len);
> +
>  			/* modify packet's layout */
> -			tun_process_step2(mb[i], ml[i], hl[i], adj,
> -				tl, sqn + k);
> +			inner_h = tun_process_step2(mb[i], ml[i], hl[i], adj,
> +					tl, sqn + k);
> +
> +			if ((sa->type & INB_TUN_HDR_MSK) != 0)
> +				update_inb_tun_l3_hdr(sa, inner_h, outter_h);
> +
>  			/* update mbuf's metadata */
>  			tun_process_step3(mb[i], sa->tx_offload.msk,
>  				sa->tx_offload.val);
> diff --git a/lib/librte_ipsec/esp_outb.c b/lib/librte_ipsec/esp_outb.c
> index c798bc4c4..a71164e0c 100644
> --- a/lib/librte_ipsec/esp_outb.c
> +++ b/lib/librte_ipsec/esp_outb.c
> @@ -152,8 +152,8 @@ outb_tun_pkt_prepare(struct rte_ipsec_sa *sa, rte_be64_t sqc,
>  	rte_memcpy(ph, sa->hdr, sa->hdr_len);
> 
>  	/* update original and new ip header fields */
> -	update_tun_l3hdr(sa, ph + sa->hdr_l3_off, mb->pkt_len, sa->hdr_l3_off,
> -			sqn_low16(sqc));
> +	update_outb_tun_l3hdr(sa, ph + sa->hdr_l3_off, ph + hlen, mb->pkt_len,
> +			sa->hdr_l3_off, sqn_low16(sqc));
> 
>  	/* update spi, seqn and iv */
>  	esph = (struct esp_hdr *)(ph + sa->hdr_len);
> diff --git a/lib/librte_ipsec/iph.h b/lib/librte_ipsec/iph.h
> index 58930cf18..f45db5d4a 100644
> --- a/lib/librte_ipsec/iph.h
> +++ b/lib/librte_ipsec/iph.h
> @@ -11,6 +11,11 @@
>   * used internally by ipsec library.
>   */
> 
> +#define IPV6_DSCP_MASK	(DSCP_MASK << IPV6_HDR_TC_SHIFT)
> +#define IPV6_ECN_MASK	(ECN_MASK << IPV6_HDR_TC_SHIFT)
> +#define IPV6_TOS_MASK	(IPV6_ECN_MASK | IPV6_DSCP_MASK)
> +#define IPV6_ECN_CE	IPV6_ECN_MASK
> +
>  /*
>   * Move preceding (L3) headers down to remove ESP header and IV.
>   */
> @@ -35,6 +40,26 @@ insert_esph(char *np, char *op, uint32_t hlen)
>  		np[i] = op[i];
>  }
> 
> +static inline uint8_t
> +get_ipv6_tos(rte_be32_t vtc_flow)
> +{
> +	uint32_t v;
> +
> +	v = rte_be_to_cpu_32(vtc_flow);
> +	return v >> IPV6_HDR_TC_SHIFT;
> +}
> +
> +static inline rte_be32_t
> +set_ipv6_tos(rte_be32_t vtc_flow, uint32_t tos)
> +{
> +	uint32_t v;
> +
> +	v = rte_cpu_to_be_32(tos << IPV6_HDR_TC_SHIFT);
> +	vtc_flow &= ~rte_cpu_to_be_32(IPV6_TOS_MASK);
> +
> +	return (v | vtc_flow);
> +}
> +
>  /* update original ip header fields for transport case */
>  static inline int
>  update_trs_l3hdr(const struct rte_ipsec_sa *sa, void *p, uint32_t plen,
> @@ -64,20 +89,106 @@ update_trs_l3hdr(const struct rte_ipsec_sa *sa, void *p, uint32_t plen,
> 
>  /* update original and new ip header fields for tunnel case */
>  static inline void
> -update_tun_l3hdr(const struct rte_ipsec_sa *sa, void *p, uint32_t plen,
> -		uint32_t l2len, rte_be16_t pid)
> +update_outb_tun_l3hdr(const struct rte_ipsec_sa *sa, void *outh,
> +		const void *inh, uint32_t plen, uint32_t l2len, rte_be16_t pid)
>  {
>  	struct ipv4_hdr *v4h;
>  	struct ipv6_hdr *v6h;
> +	uint32_t itp, otp;
> +	const struct ipv4_hdr *v4in_h;
> +	const struct ipv6_hdr *v6in_h;
> 
>  	if (sa->type & RTE_IPSEC_SATP_MODE_TUNLV4) {
> -		v4h = p;
> +		v4h = outh;
>  		v4h->packet_id = pid;
>  		v4h->total_length = rte_cpu_to_be_16(plen - l2len);

I think it makes sense to invoke the code below only when:
((sa->type & INB_TUN_HDR_MSK) != 0)
Same as we do for inbound.
Also, it is probably worth putting it into a separate inline function.

> +
> +		if (sa->proto == IPPROTO_IPIP) {

For consistency with the check above, seems a bit better:
if ((sa->type & RTE_IPSEC_SATP_IPV_MASK) == RTE_IPSEC_SATP_IPV4)


> +			/* ipv4 inner header */
> +			v4in_h = inh;
> +
> +			otp = v4h->type_of_service & ~sa->tos_mask;
> +			itp = v4in_h->type_of_service & sa->tos_mask;
> +			v4h->type_of_service = (otp | itp);
> +		} else {
> +			/* ipv6 inner header */
> +			v6in_h = inh;
> +
> +			otp = v4h->type_of_service & ~sa->tos_mask;
> +			itp = get_ipv6_tos(v6in_h->vtc_flow) & sa->tos_mask;
> +			v4h->type_of_service = (otp | itp);
> +		}
>  	} else {
> -		v6h = p;
> +		v6h = outh;
>  		v6h->payload_len = rte_cpu_to_be_16(plen - l2len -
>  				sizeof(*v6h));
> +
> +		if (sa->proto == IPPROTO_IPIP) {

Same comment as above here.

> +			/* ipv4 inner header */
> +			v4in_h = inh;
> +
> +			otp = get_ipv6_tos(v6h->vtc_flow) & ~sa->tos_mask;
> +			itp = v4in_h->type_of_service & sa->tos_mask;
> +			v6h->vtc_flow = set_ipv6_tos(v6h->vtc_flow, otp | itp);
> +		} else {
> +			/* ipv6 inner header */
> +			v6in_h = inh;
> +
> +			otp = get_ipv6_tos(v6h->vtc_flow) & ~sa->tos_mask;
> +			itp = get_ipv6_tos(v6in_h->vtc_flow) & sa->tos_mask;
> +			v6h->vtc_flow = set_ipv6_tos(v6h->vtc_flow, otp | itp);
> +		}
> +	}
> +}
> +
> +static inline void
> +update_inb_tun_l3_hdr(const struct rte_ipsec_sa *sa, void *ip_inner,
> +		const void *ip_outter)
> +{
> +	struct ipv4_hdr *inner_v4h;
> +	const struct ipv4_hdr *outter_v4h;
> +	struct ipv6_hdr *inner_v6h;
> +	const struct ipv6_hdr *outter_v6h;
> +	uint8_t ecn_v4out, ecn_v4in;
> +	uint32_t ecn_v6out, ecn_v6in;
> +
> +	inner_v4h = ip_inner;
> +	outter_v4h = ip_outter;
> +
> +	inner_v6h = ip_inner;
> +	outter_v6h = ip_outter;
> +
> +	/* <update ecn bits in inner IP header> */
> +	if (sa->type & RTE_IPSEC_SATP_MODE_TUNLV4) {
> +
> +		ecn_v4out = outter_v4h->type_of_service & ECN_MASK;
> +
> +		if ((sa->type & RTE_IPSEC_SATP_IPV_MASK) == RTE_IPSEC_SATP_IPV4) {
> +			ecn_v4in = inner_v4h->type_of_service & ECN_MASK;
> +			if (ecn_v4out == ECN_CE && ecn_v4in != 0)
> +				inner_v4h->type_of_service |= ECN_CE;
> +		} else {
> +			ecn_v6in = inner_v6h->vtc_flow &
> +					rte_cpu_to_be_32(IPV6_ECN_MASK);
> +			if (ecn_v4out == ECN_CE && ecn_v6in != 0)
> +				inner_v6h->vtc_flow |=
> +						rte_cpu_to_be_32(IPV6_ECN_CE);
> +		}
> +	} else {
> +		ecn_v6out = outter_v6h->vtc_flow &
> +				rte_cpu_to_be_32(IPV6_ECN_MASK);
> +
> +		if ((sa->type & RTE_IPSEC_SATP_IPV_MASK) == RTE_IPSEC_SATP_IPV6) {
> +			ecn_v6in = inner_v6h->vtc_flow &
> +					rte_cpu_to_be_32(IPV6_ECN_MASK);
> +			if (ecn_v6out == IPV6_ECN_CE && ecn_v6in != 0)
> +				inner_v6h->vtc_flow |=
> +						rte_cpu_to_be_32(IPV6_ECN_CE);
> +		} else {
> +			ecn_v4in = inner_v4h->type_of_service & ECN_MASK;
> +			if (ecn_v6out == ECN_CE && ecn_v4in != 0)
> +				inner_v4h->type_of_service |= ECN_CE;
> +		}
>  	}
>  }
> 
> diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h
> index fd9b3ed60..8f179ee9d 100644
> --- a/lib/librte_ipsec/rte_ipsec_sa.h
> +++ b/lib/librte_ipsec/rte_ipsec_sa.h
> @@ -95,6 +95,11 @@ enum {
>  	RTE_SATP_LOG2_MODE,
>  	RTE_SATP_LOG2_SQN = RTE_SATP_LOG2_MODE + 2,
>  	RTE_SATP_LOG2_ESN,
> +	RTE_SATP_LOG2_ECN,
> +	RTE_SATP_LOG2_DSCP,
> +	RTE_SATP_LOG2_TTL,
> +	RTE_SATP_LOG2_DF,
> +	RTE_SATP_LOG2_FLABEL,
>  	RTE_SATP_LOG2_NUM
>  };
> 
> @@ -123,6 +128,26 @@ enum {
>  #define RTE_IPSEC_SATP_ESN_DISABLE	(0ULL << RTE_SATP_LOG2_ESN)
>  #define RTE_IPSEC_SATP_ESN_ENABLE	(1ULL << RTE_SATP_LOG2_ESN)
> 
> +#define RTE_IPSEC_SATP_ECN_MASK		(1ULL << RTE_SATP_LOG2_ECN)
> +#define RTE_IPSEC_SATP_ECN_DISABLE	(0ULL << RTE_SATP_LOG2_ECN)
> +#define RTE_IPSEC_SATP_ECN_ENABLE	(1ULL << RTE_SATP_LOG2_ECN)
> +
> +#define RTE_IPSEC_SATP_DSCP_MASK	(1ULL << RTE_SATP_LOG2_DSCP)
> +#define RTE_IPSEC_SATP_DSCP_DISABLE	(0ULL << RTE_SATP_LOG2_DSCP)
> +#define RTE_IPSEC_SATP_DSCP_ENABLE	(1ULL << RTE_SATP_LOG2_DSCP)
> +
> +#define RTE_IPSEC_SATP_TTL_MASK		(1ULL << RTE_SATP_LOG2_TTL)
> +#define RTE_IPSEC_SATP_TTL_DISABLE	(0ULL << RTE_SATP_LOG2_TTL)
> +#define RTE_IPSEC_SATP_TTL_ENABLE	(1ULL << RTE_SATP_LOG2_TTL)
> +
> +#define RTE_IPSEC_SATP_DF_MASK		(1ULL << RTE_SATP_LOG2_DF)
> +#define RTE_IPSEC_SATP_DF_DISABLE	(0ULL << RTE_SATP_LOG2_DF)
> +#define RTE_IPSEC_SATP_DF_ENABLE	(1ULL << RTE_SATP_LOG2_DF)
> +
> +#define RTE_IPSEC_SATP_FLABEL_MASK	(1ULL << RTE_SATP_LOG2_FLABEL)
> +#define RTE_IPSEC_SATP_FLABEL_DISABLE	(0ULL << RTE_SATP_LOG2_FLABEL)
> +#define RTE_IPSEC_SATP_FLABEL_ENABLE	(1ULL << RTE_SATP_LOG2_FLABEL)
> +
>  /**
>   * get type of given SA
>   * @return
> diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c
> index 846e317fe..d48acd117 100644
> --- a/lib/librte_ipsec/sa.c
> +++ b/lib/librte_ipsec/sa.c
> @@ -220,6 +220,17 @@ fill_sa_type(const struct rte_ipsec_sa_prm *prm, uint64_t *type)
>  	else
>  		tp |= RTE_IPSEC_SATP_SQN_RAW;
> 
> +	/* check for ECN flag */
> +	if (prm->ipsec_xform.options.ecn == 0)
> +		tp |= RTE_IPSEC_SATP_ECN_DISABLE;
> +	else
> +		tp |= RTE_IPSEC_SATP_ECN_ENABLE;
> +	/* check for DSCP flag */
> +	if (prm->ipsec_xform.options.copy_dscp == 0)
> +		tp |= RTE_IPSEC_SATP_DSCP_DISABLE;
> +	else
> +		tp |= RTE_IPSEC_SATP_DSCP_ENABLE;
> +
>  	*type = tp;
>  	return 0;
>  }
> @@ -308,6 +319,12 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,
>  	static const uint64_t msk = RTE_IPSEC_SATP_DIR_MASK |
>  				RTE_IPSEC_SATP_MODE_MASK;
> 
> +	if (prm->ipsec_xform.options.ecn)
> +		sa->tos_mask |= ECN_MASK;
> +
> +	if (prm->ipsec_xform.options.copy_dscp)
> +		sa->tos_mask |= DSCP_MASK;
> +
>  	if (cxf->aead != NULL) {
>  		switch (cxf->aead->algo) {
>  		case RTE_CRYPTO_AEAD_AES_GCM:
> diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h
> index ffb5fb4f8..41e0b78c9 100644
> --- a/lib/librte_ipsec/sa.h
> +++ b/lib/librte_ipsec/sa.h
> @@ -10,6 +10,7 @@
>  #define IPSEC_MAX_HDR_SIZE	64
>  #define IPSEC_MAX_IV_SIZE	16
>  #define IPSEC_MAX_IV_QWORD	(IPSEC_MAX_IV_SIZE / sizeof(uint64_t))
> +#define INB_TUN_HDR_MSK (RTE_IPSEC_SATP_ECN_MASK | RTE_IPSEC_SATP_DSCP_MASK)
> 
>  /* padding alignment for different algorithms */
>  enum {
> @@ -103,6 +104,7 @@ struct rte_ipsec_sa {
>  	uint8_t iv_ofs; /* offset for algo-specific IV inside crypto op */
>  	uint8_t iv_len;
>  	uint8_t pad_align;
> +	uint8_t tos_mask;
> 
>  	/* template for tunnel header */
>  	uint8_t hdr[IPSEC_MAX_HDR_SIZE];
> diff --git a/lib/librte_net/rte_ip.h b/lib/librte_net/rte_ip.h
> index f9b909090..6592637f7 100644
> --- a/lib/librte_net/rte_ip.h
> +++ b/lib/librte_net/rte_ip.h
> @@ -47,6 +47,14 @@ struct ipv4_hdr {
>  					   (((c) & 0xff) << 8)  | \
>  					   ((d) & 0xff))
> 
> +
> +/** RFC 3168 */
> +#define ECN_MASK	(0x03)
> +#define ECN_CE		ECN_MASK
> +
> +/** Packet Option Masks */
> +#define DSCP_MASK		(0xFC)


Might be worth to add some prefix: IP_ECN_...
Or even RTE_IP_ECN_...

> +
>  /** Maximal IPv4 packet length (including a header) */
>  #define IPV4_MAX_PKT_LEN        65535
> 
> diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h
> index 76f54e0e0..577eff766 100644
> --- a/lib/librte_security/rte_security.h
> +++ b/lib/librte_security/rte_security.h
> @@ -163,6 +163,15 @@ struct rte_security_ipsec_sa_options {
>  	 * * 0: Inner packet is not modified.
>  	 */
>  	uint32_t dec_ttl : 1;
> +
> +	/**< Explicit Congestion Notification (ECN)
> +	 *
> +	 * * ECT(1) (ECN-Capable Transport(1))
> +	 * * ECT(0) (ECN-Capable Transport(0))
> +	 * * ECT(CE)(CE (Congestion Experienced))

I think, that comment (possible ECN values) better move into rte_ip.h.
And here explain briefly what would be behavior for ipsec implementation
for 0/1 values.

> +	 */
> +
> +	uint32_t ecn : 1;
>  };
> 
>  /** IPSec security association direction */
> --
> 2.13.6
  
Akhil Goyal June 20, 2019, 12:27 p.m. UTC | #2
Hi Marko,

Could you please address the comments from Konstantin? We have an RC1 date coming.

Thanks,
Akhil

> Hi,
> 
> >
> > Add support for RFC 4301(5.1.2) to update of
> > Type of service field and Traffic class field
> > bits inside ipv4/ipv6 packets for outbound cases
> > and inbound cases which deals with the update of
> > the DSCP/ENC bits inside each of the fields.
> >
> > Signed-off-by: Marko Kovacevic <marko.kovacevic@intel.com>
> > ---
> >  examples/ipsec-secgw/sa.c          |   2 +
> >  lib/librte_ipsec/esp_inb.c         |  14 ++++-
> >  lib/librte_ipsec/esp_outb.c        |   4 +-
> >  lib/librte_ipsec/iph.h             | 119 +++++++++++++++++++++++++++++++++++-
> -
> >  lib/librte_ipsec/rte_ipsec_sa.h    |  25 ++++++++
> >  lib/librte_ipsec/sa.c              |  17 ++++++
> >  lib/librte_ipsec/sa.h              |   2 +
> >  lib/librte_net/rte_ip.h            |   8 +++
> >  lib/librte_security/rte_security.h |   9 +++
> >  9 files changed, 191 insertions(+), 9 deletions(-)
> 
> Looks good in general, some generic comments:
> - I think it is better to split the patch into few sub-pathces:
>   One for rte_security, second for rte_net, third - rte_ipsec, forth -
> examples/ipsec-secgw
> - Would be good to add support for other options too (ttl, etc.)
> - Would be good to add new test-case for it into examples/ipsec-secgw/test/
> 
> Plus few nits in the code below.
> Konstantin
>
  

Patch

diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index b850e9839..4d85d09df 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -991,6 +991,8 @@  fill_ipsec_sa_prm(struct rte_ipsec_sa_prm *prm, const struct ipsec_sa *ss,
 	prm->ipsec_xform.mode = (ss->flags == TRANSPORT) ?
 		RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT :
 		RTE_SECURITY_IPSEC_SA_MODE_TUNNEL;
+	prm->ipsec_xform.options.ecn = 1;
+	prm->ipsec_xform.options.copy_dscp = 1;
 
 	if (ss->flags == IP4_TUNNEL) {
 		prm->ipsec_xform.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4;
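Review bot: The two added lines turn on ECN and DSCP propagation for every SA the example builds, with no way to leave either off from the SA configuration, so existing setups get a different outer TOS/TC on outbound tunnel packets without any config change. If the intent is simply to exercise the new options, say so next to the assignments, `/* always propagate ECN/DSCP between inner and outer header (RFC 4301 5.1.2) */`; if it is meant to be tunable, a per-SA config token would be the place. fill_ipsec_sa_prm starts and ends outside the hunk.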
diff --git a/lib/librte_ipsec/esp_inb.c b/lib/librte_ipsec/esp_inb.c
index 4e0e12a85..8a3cb8a15 100644
--- a/lib/librte_ipsec/esp_inb.c
+++ b/lib/librte_ipsec/esp_inb.c
@@ -377,9 +377,10 @@  tun_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[],
 {
 	uint32_t adj, i, k, tl;
 	uint32_t hl[num];
+	void *inner_h;
+	const void *outter_h;
 	struct esp_tail espt[num];
 	struct rte_mbuf *ml[num];
-
 	const uint32_t tlen = sa->icv_len + sizeof(espt[0]);
 	const uint32_t cofs = sa->ctp.cipher.offset;
 
@@ -400,9 +401,16 @@  tun_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[],
 		if (tun_process_check(mb[i], ml[i], espt[i], adj, tl,
 					sa->proto) == 0) {
 
+			outter_h = rte_pktmbuf_mtod_offset(mb[i], uint8_t *,
+					mb[i]->l2_len);
+
 			/* modify packet's layout */
-			tun_process_step2(mb[i], ml[i], hl[i], adj,
-				tl, sqn + k);
+			inner_h = tun_process_step2(mb[i], ml[i], hl[i], adj,
+					tl, sqn + k);
+
+			if ((sa->type & INB_TUN_HDR_MSK) != 0)
+				update_inb_tun_l3_hdr(sa, inner_h, outter_h);
+
 			/* update mbuf's metadata */
 			tun_process_step3(mb[i], sa->tx_offload.msk,
 				sa->tx_offload.val);
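Review bot: `outter_h` is taken before `tun_process_step2` changes the packet layout and is dereferenced by `update_inb_tun_l3_hdr` after it, so the new code relies on step2 leaving the old outer-header bytes untouched; that is presumably the case if step2 only adjusts the mbuf data offset, but step2 is outside this hunk and the ordering contract should be stated where the pointer is taken: `/* outer L3 header; still valid after step2 only because step2 does not overwrite these bytes */`. The identifier is also misspelt — `outer_h` (likewise `ip_outter`, `outter_v4h`, `outter_v6h` in iph.h) — and the misspelling will be copied by later readers. tun_process starts and ends outside the hunk.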
diff --git a/lib/librte_ipsec/esp_outb.c b/lib/librte_ipsec/esp_outb.c
index c798bc4c4..a71164e0c 100644
--- a/lib/librte_ipsec/esp_outb.c
+++ b/lib/librte_ipsec/esp_outb.c
@@ -152,8 +152,8 @@  outb_tun_pkt_prepare(struct rte_ipsec_sa *sa, rte_be64_t sqc,
 	rte_memcpy(ph, sa->hdr, sa->hdr_len);
 
 	/* update original and new ip header fields */
-	update_tun_l3hdr(sa, ph + sa->hdr_l3_off, mb->pkt_len, sa->hdr_l3_off,
-			sqn_low16(sqc));
+	update_outb_tun_l3hdr(sa, ph + sa->hdr_l3_off, ph + hlen, mb->pkt_len,
+			sa->hdr_l3_off, sqn_low16(sqc));
 
 	/* update spi, seqn and iv */
 	esph = (struct esp_hdr *)(ph + sa->hdr_len);
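Review bot: The new `ph + hlen` argument is the inner (original) L3 header only if `hlen` is the full length of the inserted tunnel header plus ESP header and IV and the original L2 header sits directly before it; both facts come from code above the hunk, so the relationship should be spelled out at the call: `/* ph + hlen: start of the original (inner) L3 header */`. outb_tun_pkt_prepare starts and ends outside the hunk.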
diff --git a/lib/librte_ipsec/iph.h b/lib/librte_ipsec/iph.h
index 58930cf18..f45db5d4a 100644
--- a/lib/librte_ipsec/iph.h
+++ b/lib/librte_ipsec/iph.h
@@ -11,6 +11,11 @@ 
  * used internally by ipsec library.
  */
 
+#define IPV6_DSCP_MASK	(DSCP_MASK << IPV6_HDR_TC_SHIFT)
+#define IPV6_ECN_MASK	(ECN_MASK << IPV6_HDR_TC_SHIFT)
+#define IPV6_TOS_MASK	(IPV6_ECN_MASK | IPV6_DSCP_MASK)
+#define IPV6_ECN_CE	IPV6_ECN_MASK
+
 /*
  * Move preceding (L3) headers down to remove ESP header and IV.
  */
@@ -35,6 +40,26 @@  insert_esph(char *np, char *op, uint32_t hlen)
 		np[i] = op[i];
 }
 
+static inline uint8_t
+get_ipv6_tos(rte_be32_t vtc_flow)
+{
+	uint32_t v;
+
+	v = rte_be_to_cpu_32(vtc_flow);
+	return v >> IPV6_HDR_TC_SHIFT;
+}
+
+static inline rte_be32_t
+set_ipv6_tos(rte_be32_t vtc_flow, uint32_t tos)
+{
+	uint32_t v;
+
+	v = rte_cpu_to_be_32(tos << IPV6_HDR_TC_SHIFT);
+	vtc_flow &= ~rte_cpu_to_be_32(IPV6_TOS_MASK);
+
+	return (v | vtc_flow);
+}
+
 /* update original ip header fields for transport case */
 static inline int
 update_trs_l3hdr(const struct rte_ipsec_sa *sa, void *p, uint32_t plen,
@@ -64,20 +89,106 @@  update_trs_l3hdr(const struct rte_ipsec_sa *sa, void *p, uint32_t plen,
 
 /* update original and new ip header fields for tunnel case */
 static inline void
-update_tun_l3hdr(const struct rte_ipsec_sa *sa, void *p, uint32_t plen,
-		uint32_t l2len, rte_be16_t pid)
+update_outb_tun_l3hdr(const struct rte_ipsec_sa *sa, void *outh,
+		const void *inh, uint32_t plen, uint32_t l2len, rte_be16_t pid)
 {
 	struct ipv4_hdr *v4h;
 	struct ipv6_hdr *v6h;
+	uint32_t itp, otp;
+	const struct ipv4_hdr *v4in_h;
+	const struct ipv6_hdr *v6in_h;
 
 	if (sa->type & RTE_IPSEC_SATP_MODE_TUNLV4) {
-		v4h = p;
+		v4h = outh;
 		v4h->packet_id = pid;
 		v4h->total_length = rte_cpu_to_be_16(plen - l2len);
+
+		if (sa->proto == IPPROTO_IPIP) {
+			/* ipv4 inner header */
+			v4in_h = inh;
+
+			otp = v4h->type_of_service & ~sa->tos_mask;
+			itp = v4in_h->type_of_service & sa->tos_mask;
+			v4h->type_of_service = (otp | itp);
+		} else {
+			/* ipv6 inner header */
+			v6in_h = inh;
+
+			otp = v4h->type_of_service & ~sa->tos_mask;
+			itp = get_ipv6_tos(v6in_h->vtc_flow) & sa->tos_mask;
+			v4h->type_of_service = (otp | itp);
+		}
 	} else {
-		v6h = p;
+		v6h = outh;
 		v6h->payload_len = rte_cpu_to_be_16(plen - l2len -
 				sizeof(*v6h));
+
+		if (sa->proto == IPPROTO_IPIP) {
+			/* ipv4 inner header */
+			v4in_h = inh;
+
+			otp = get_ipv6_tos(v6h->vtc_flow) & ~sa->tos_mask;
+			itp = v4in_h->type_of_service & sa->tos_mask;
+			v6h->vtc_flow = set_ipv6_tos(v6h->vtc_flow, otp | itp);
+		} else {
+			/* ipv6 inner header */
+			v6in_h = inh;
+
+			otp = get_ipv6_tos(v6h->vtc_flow) & ~sa->tos_mask;
+			itp = get_ipv6_tos(v6in_h->vtc_flow) & sa->tos_mask;
+			v6h->vtc_flow = set_ipv6_tos(v6h->vtc_flow, otp | itp);
+		}
+	}
+}
+
+static inline void
+update_inb_tun_l3_hdr(const struct rte_ipsec_sa *sa, void *ip_inner,
+		const void *ip_outter)
+{
+	struct ipv4_hdr *inner_v4h;
+	const struct ipv4_hdr *outter_v4h;
+	struct ipv6_hdr *inner_v6h;
+	const struct ipv6_hdr *outter_v6h;
+	uint8_t ecn_v4out, ecn_v4in;
+	uint32_t ecn_v6out, ecn_v6in;
+
+	inner_v4h = ip_inner;
+	outter_v4h = ip_outter;
+
+	inner_v6h = ip_inner;
+	outter_v6h = ip_outter;
+
+	/* <update ecn bits in inner IP header> */
+	if (sa->type & RTE_IPSEC_SATP_MODE_TUNLV4) {
+
+		ecn_v4out = outter_v4h->type_of_service & ECN_MASK;
+
+		if ((sa->type & RTE_IPSEC_SATP_IPV_MASK) == RTE_IPSEC_SATP_IPV4) {
+			ecn_v4in = inner_v4h->type_of_service & ECN_MASK;
+			if (ecn_v4out == ECN_CE && ecn_v4in != 0)
+				inner_v4h->type_of_service |= ECN_CE;
+		} else {
+			ecn_v6in = inner_v6h->vtc_flow &
+					rte_cpu_to_be_32(IPV6_ECN_MASK);
+			if (ecn_v4out == ECN_CE && ecn_v6in != 0)
+				inner_v6h->vtc_flow |=
+						rte_cpu_to_be_32(IPV6_ECN_CE);
+		}
+	} else {
+		ecn_v6out = outter_v6h->vtc_flow &
+				rte_cpu_to_be_32(IPV6_ECN_MASK);
+
+		if ((sa->type & RTE_IPSEC_SATP_IPV_MASK) == RTE_IPSEC_SATP_IPV6) {
+			ecn_v6in = inner_v6h->vtc_flow &
+					rte_cpu_to_be_32(IPV6_ECN_MASK);
+			if (ecn_v6out == IPV6_ECN_CE && ecn_v6in != 0)
+				inner_v6h->vtc_flow |=
+						rte_cpu_to_be_32(IPV6_ECN_CE);
+		} else {
+			ecn_v4in = inner_v4h->type_of_service & ECN_MASK;
+			if (ecn_v6out == ECN_CE && ecn_v4in != 0)
+				inner_v4h->type_of_service |= ECN_CE;
+		}
 	}
 }
 
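Review bot: In update_inb_tun_l3_hdr the IPv6-outer branch compares `ecn_v6out`, which holds the masked big-endian `vtc_flow` word, against host-order constants — `ecn_v6out == IPV6_ECN_CE` in the IPv6-inner case and the unshifted `ecn_v6out == ECN_CE` in the IPv4-inner case — so on a little-endian host an outer CE mark is never detected and the inner header is never updated; both tests should read `if (ecn_v6out == rte_cpu_to_be_32(IPV6_ECN_CE) && ...)`, matching how `ecn_v6in` is masked. Separately, the function is entered whenever either ECN or DSCP is enabled (INB_TUN_HDR_MSK) but only performs the ECN update, so an SA with copy_dscp=1 and ecn=0 still propagates CE; add `if ((sa->type & RTE_IPSEC_SATP_ECN_MASK) == 0) return;` at the top or test the ECN bit at the caller. get_ipv6_tos also narrows the shifted word to uint8_t silently, dropping whatever sits above the TC bits, which deserves a comment such as `/* uint8_t return keeps only the 8 TC bits */`.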
diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h
index fd9b3ed60..8f179ee9d 100644
--- a/lib/librte_ipsec/rte_ipsec_sa.h
+++ b/lib/librte_ipsec/rte_ipsec_sa.h
@@ -95,6 +95,11 @@  enum {
 	RTE_SATP_LOG2_MODE,
 	RTE_SATP_LOG2_SQN = RTE_SATP_LOG2_MODE + 2,
 	RTE_SATP_LOG2_ESN,
+	RTE_SATP_LOG2_ECN,
+	RTE_SATP_LOG2_DSCP,
+	RTE_SATP_LOG2_TTL,
+	RTE_SATP_LOG2_DF,
+	RTE_SATP_LOG2_FLABEL,
 	RTE_SATP_LOG2_NUM
 };
 
@@ -123,6 +128,26 @@  enum {
 #define RTE_IPSEC_SATP_ESN_DISABLE	(0ULL << RTE_SATP_LOG2_ESN)
 #define RTE_IPSEC_SATP_ESN_ENABLE	(1ULL << RTE_SATP_LOG2_ESN)
 
+#define RTE_IPSEC_SATP_ECN_MASK		(1ULL << RTE_SATP_LOG2_ECN)
+#define RTE_IPSEC_SATP_ECN_DISABLE	(0ULL << RTE_SATP_LOG2_ECN)
+#define RTE_IPSEC_SATP_ECN_ENABLE	(1ULL << RTE_SATP_LOG2_ECN)
+
+#define RTE_IPSEC_SATP_DSCP_MASK	(1ULL << RTE_SATP_LOG2_DSCP)
+#define RTE_IPSEC_SATP_DSCP_DISABLE	(0ULL << RTE_SATP_LOG2_DSCP)
+#define RTE_IPSEC_SATP_DSCP_ENABLE	(1ULL << RTE_SATP_LOG2_DSCP)
+
+#define RTE_IPSEC_SATP_TTL_MASK		(1ULL << RTE_SATP_LOG2_TTL)
+#define RTE_IPSEC_SATP_TTL_DISABLE	(0ULL << RTE_SATP_LOG2_TTL)
+#define RTE_IPSEC_SATP_TTL_ENABLE	(1ULL << RTE_SATP_LOG2_TTL)
+
+#define RTE_IPSEC_SATP_DF_MASK		(1ULL << RTE_SATP_LOG2_DF)
+#define RTE_IPSEC_SATP_DF_DISABLE	(0ULL << RTE_SATP_LOG2_DF)
+#define RTE_IPSEC_SATP_DF_ENABLE	(1ULL << RTE_SATP_LOG2_DF)
+
+#define RTE_IPSEC_SATP_FLABEL_MASK	(1ULL << RTE_SATP_LOG2_FLABEL)
+#define RTE_IPSEC_SATP_FLABEL_DISABLE	(0ULL << RTE_SATP_LOG2_FLABEL)
+#define RTE_IPSEC_SATP_FLABEL_ENABLE	(1ULL << RTE_SATP_LOG2_FLABEL)
+
 /**
  * get type of given SA
  * @return
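Review bot: The TTL, DF and FLABEL bits (`RTE_SATP_LOG2_TTL` … `RTE_IPSEC_SATP_FLABEL_ENABLE`) are added to the public SA-type encoding but nothing in the patch sets or reads them — fill_sa_type only encodes ECN and DSCP — so they are flags that are always zero with no defined meaning. Either leave them out until the matching option exists or mark them explicitly, e.g. `/* reserved: TTL/DF/FLABEL handling is not implemented yet */`, so users do not start testing for them.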
diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c
index 846e317fe..d48acd117 100644
--- a/lib/librte_ipsec/sa.c
+++ b/lib/librte_ipsec/sa.c
@@ -220,6 +220,17 @@  fill_sa_type(const struct rte_ipsec_sa_prm *prm, uint64_t *type)
 	else
 		tp |= RTE_IPSEC_SATP_SQN_RAW;
 
+	/* check for ECN flag */
+	if (prm->ipsec_xform.options.ecn == 0)
+		tp |= RTE_IPSEC_SATP_ECN_DISABLE;
+	else
+		tp |= RTE_IPSEC_SATP_ECN_ENABLE;
+	/* check for DSCP flag */
+	if (prm->ipsec_xform.options.copy_dscp == 0)
+		tp |= RTE_IPSEC_SATP_DSCP_DISABLE;
+	else
+		tp |= RTE_IPSEC_SATP_DSCP_ENABLE;
+
 	*type = tp;
 	return 0;
 }
@@ -308,6 +319,12 @@  esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,
 	static const uint64_t msk = RTE_IPSEC_SATP_DIR_MASK |
 				RTE_IPSEC_SATP_MODE_MASK;
 
+	if (prm->ipsec_xform.options.ecn)
+		sa->tos_mask |= ECN_MASK;
+
+	if (prm->ipsec_xform.options.copy_dscp)
+		sa->tos_mask |= DSCP_MASK;
+
 	if (cxf->aead != NULL) {
 		switch (cxf->aead->algo) {
 		case RTE_CRYPTO_AEAD_AES_GCM:
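Review bot: `sa->tos_mask |= ECN_MASK` and `|= DSCP_MASK` accumulate into the field instead of assigning it, so the value is only right if the SA memory is zeroed before esp_sa_init runs, which happens (if at all) outside this hunk; a plain assignment removes that dependency: `sa->tos_mask = (prm->ipsec_xform.options.ecn ? ECN_MASK : 0) | (prm->ipsec_xform.options.copy_dscp ? DSCP_MASK : 0);`. The same two options are already encoded into sa->type by fill_sa_type in the previous hunk, so a one-line comment saying that tos_mask is the byte-sized form consumed by update_outb_tun_l3hdr would explain why both exist. esp_sa_init continues outside the hunk.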
diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h
index ffb5fb4f8..41e0b78c9 100644
--- a/lib/librte_ipsec/sa.h
+++ b/lib/librte_ipsec/sa.h
@@ -10,6 +10,7 @@ 
 #define IPSEC_MAX_HDR_SIZE	64
 #define IPSEC_MAX_IV_SIZE	16
 #define IPSEC_MAX_IV_QWORD	(IPSEC_MAX_IV_SIZE / sizeof(uint64_t))
+#define INB_TUN_HDR_MSK (RTE_IPSEC_SATP_ECN_MASK | RTE_IPSEC_SATP_DSCP_MASK)
 
 /* padding alignment for different algorithms */
 enum {
@@ -103,6 +104,7 @@  struct rte_ipsec_sa {
 	uint8_t iv_ofs; /* offset for algo-specific IV inside crypto op */
 	uint8_t iv_len;
 	uint8_t pad_align;
+	uint8_t tos_mask;
 
 	/* template for tunnel header */
 	uint8_t hdr[IPSEC_MAX_HDR_SIZE];
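Review bot: `tos_mask` is added without a comment, and INB_TUN_HDR_MSK in the first hunk is likewise undocumented, although both are consumed in other files (iph.h and esp_inb.c). Suggested: `uint8_t tos_mask; /* TOS/TC bits (ECN, DSCP) copied from inner to outer header on outbound */` and, above the macro, `/* SA type bits that require the inbound tunnel inner L3 header to be updated */`. struct rte_ipsec_sa starts and ends outside the hunk.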
diff --git a/lib/librte_net/rte_ip.h b/lib/librte_net/rte_ip.h
index f9b909090..6592637f7 100644
--- a/lib/librte_net/rte_ip.h
+++ b/lib/librte_net/rte_ip.h
@@ -47,6 +47,14 @@  struct ipv4_hdr {
 					   (((c) & 0xff) << 8)  | \
 					   ((d) & 0xff))
 
+
+/** RFC 3168 */
+#define ECN_MASK	(0x03)
+#define ECN_CE		ECN_MASK
+
+/** Packet Option Masks */
+#define DSCP_MASK		(0xFC)
+
 /** Maximal IPv4 packet length (including a header) */
 #define IPV4_MAX_PKT_LEN        65535
 
diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h
index 76f54e0e0..577eff766 100644
--- a/lib/librte_security/rte_security.h
+++ b/lib/librte_security/rte_security.h
@@ -163,6 +163,15 @@  struct rte_security_ipsec_sa_options {
 	 * * 0: Inner packet is not modified.
 	 */
 	uint32_t dec_ttl : 1;
+
+	/**< Explicit Congestion Notification (ECN)
+	 *
+	 * * ECT(1) (ECN-Capable Transport(1))
+	 * * ECT(0) (ECN-Capable Transport(0))
+	 * * ECT(CE)(CE (Congestion Experienced))
+	 */
+
+	uint32_t ecn : 1;
 };
 
 /** IPSec security association direction */
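Review bot: The new doc block uses `/**<`, the Doxygen form for a comment that follows the member it documents, but it is placed before `ecn` and separated from it by a blank line, so Doxygen will attach the text to `dec_ttl` rather than to the new field; the `dec_ttl` block just above uses a leading `/**` comment immediately followed by the member. Use `/** Explicit Congestion Notification (ECN) ... */` and drop the blank line before `uint32_t ecn : 1;`. struct rte_security_ipsec_sa_options starts outside the hunk.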