[v4,0/4] add fallback session

Message ID 20190927091028.19316-1-marcinx.smoczynski@intel.com (mailing list archive)

Marcin Smoczynski Sept. 27, 2019, 9:10 a.m. UTC
Add a fallback session feature that allows processing packets that the
inline processor is unable to handle (e.g. fragmented traffic). Processing
takes place in a secondary session defined for the SA in a configuration
file.

This feature is limited to ingress IPsec traffic only. The IPsec
anti-replay window and ESN are supported in conjunction with the fallback
session when the following conditions are met:
 * primary session is 'inline-crypto-offload',
 * fallback session is 'lookaside-none'.
Due to the different processing times of inline and lookaside modes, the
fallback session introduces some packet reordering; therefore, when it is
used with the IPsec window, the window value should be increased.

v3 to v4 changes:
 - add info about packet reordering to the documentation regarding
   fallback session
 - add patch with --frag-ttl command line option which allows changing
   the fragment lifetime

v2 to v3 changes:
 - doc and commit log update - explicitly state feature limitations

v1 to v2 changes:
 - disable fallback offload for outbound SAs
 - add test scripts

Marcin Smoczynski (4):
  examples/ipsec-secgw: ipsec_sa structure cleanup
  examples/ipsec-secgw: add fallback session feature
  examples/ipsec-secgw: add frag TTL cmdline option
  examples/ipsec-secgw: add offload fallback tests

 doc/guides/sample_app_ug/ipsec_secgw.rst      |  31 +++-
 examples/ipsec-secgw/esp.c                    |  35 ++--
 examples/ipsec-secgw/ipsec-secgw.c            |  56 ++++--
 examples/ipsec-secgw/ipsec.c                  |  99 ++++++-----
 examples/ipsec-secgw/ipsec.h                  |  61 +++++--
 examples/ipsec-secgw/ipsec_process.c          | 113 +++++++-----
 examples/ipsec-secgw/sa.c                     | 164 +++++++++++++-----
 .../test/trs_aesgcm_common_defs.sh            |   4 +-
 .../trs_aesgcm_inline_crypto_fallback_defs.sh |   5 +
 .../test/tun_aesgcm_common_defs.sh            |   6 +-
 .../tun_aesgcm_inline_crypto_fallback_defs.sh |   5 +
 11 files changed, 402 insertions(+), 177 deletions(-)
 create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh
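
The reordering effect described in the cover letter, as an added example that is not part of the patch series or of ipsec-secgw: a simplified RFC 4303-style anti-replay window (no ESN) fed a constructed traffic pattern in which every 10th packet takes the slower fallback path. All function and structure names, and the traffic parameters, are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Anti-replay state in the style of RFC 4303 (no ESN); window of 1..64. */
struct replay_win {
    uint32_t top;    /* highest sequence number accepted so far */
    uint64_t bitmap; /* bit i set => sequence (top - i) already seen */
    uint32_t size;   /* window size in packets */
};

/* Returns 1 if seq is accepted (and recorded), 0 if it is dropped. */
static int replay_check_update(struct replay_win *w, uint32_t seq)
{
    if (seq == 0)
        return 0;                    /* ESP never uses sequence number 0 */
    if (seq > w->top) {              /* newer packet: slide the window */
        uint32_t shift = seq - w->top;
        w->bitmap = (shift >= 64 ? 0 : w->bitmap << shift) | 1;
        w->top = seq;
        return 1;
    }
    uint32_t off = w->top - seq;
    if (off >= w->size || (w->bitmap & (1ULL << off)))
        return 0;                    /* left of the window, or a replay */
    w->bitmap |= 1ULL << off;
    return 1;
}

/* Constructed traffic model: sequence numbers 1..n; every `every`-th packet
 * takes the fallback path and arrives `delay` packet-times late.
 * Returns how many legitimate packets the window rejects. */
static unsigned dropped_by_reorder(uint32_t win, uint32_t n,
                                   uint32_t every, uint32_t delay)
{
    struct replay_win w = { 0, 0, win };
    unsigned drops = 0;
    for (uint32_t t = 1; t <= n + delay; t++) {
        if (t <= n && t % every != 0)                 /* inline path */
            drops += !replay_check_update(&w, t);
        if (t > delay && (t - delay) % every == 0)    /* fallback path */
            drops += !replay_check_update(&w, t - delay);
    }
    return drops;
}

int main(void)
{
    for (uint32_t win = 8; win <= 64; win *= 2)
        printf("window %2u: %u dropped\n", (unsigned)win,
               dropped_by_reorder(win, 100, 10, 20));
    return 0;
}
```

With the fallback packets arriving 20 packet-times late, a window of 8 rejects 9 of the 10 delayed packets, while a window of 64 rejects none and still drops true replays.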