[v7,0/4] add fallback session

Message ID 20191014134842.3084-1-marcinx.smoczynski@intel.com (mailing list archive)

Marcin Smoczynski Oct. 14, 2019, 1:48 p.m. UTC

Add fallback session feature allowing processing of packets that the
inline processor is unable to handle (e.g. fragmented traffic).
Processing takes place in a secondary session defined for SA in a
configuration file.

This feature is limited to ingress IPsec traffic only. IPsec
anti-replay window and ESN are supported in conjunction with fallback
session when the following conditions are met:
 * primary session is 'inline-crypto-offload',
 * fallback session is 'lookaside-none'.
Due to different processing times of inline and lookaside modes,
fallback session introduces some packet reordering, therefore when
using with IPsec window, its value should be increased.

v6 to v7 changes:
 - remove partial support for "*-protocol" fall-back session types
 - rebase on master (31b798a)

v5 to v6 changes:
 - add sanity check: fail to parse SA configuration if fallback session
   is configured but primary session is not inline crypto
 - update documentation for ipsec-secgw tests (MULTI_SEG_TESTS var
   described)
 - add release notes
 - minor commit log changes

v4 to v5 changes:
 - fix build errors related to frag TTL command line option and
   parse_decimal method

v3 to v4 changes:
 - add info about packet reordering to the documentation regarding
   fallback session
 - add patch with --frag-ttl command line option which allows changing
   fragment lifetime

v2 to v3 changes:
 - doc and commit log update - explicitly state feature limitations

v1 to v2 changes:
 - disable fallback offload for outbound SAs
 - add test scripts

Marcin Smoczynski (4):
  examples/ipsec-secgw: sa structure cleanup
  examples/ipsec-secgw: add fallback session feature
  examples/ipsec-secgw: add frag TTL cmdline option
  examples/ipsec-secgw: add offload fallback tests

 doc/guides/rel_notes/release_19_11.rst        |   8 +
 doc/guides/sample_app_ug/ipsec_secgw.rst      |  34 +++-
 examples/ipsec-secgw/esp.c                    |  35 ++--
 examples/ipsec-secgw/ipsec-secgw.c            |  56 ++++--
 examples/ipsec-secgw/ipsec.c                  | 101 +++++------
 examples/ipsec-secgw/ipsec.h                  |  61 +++++--
 examples/ipsec-secgw/ipsec_process.c          | 113 ++++++++-----
 examples/ipsec-secgw/sa.c                     | 159 +++++++++++++-----
 .../test/trs_aesgcm_common_defs.sh            |   4 +-
 .../trs_aesgcm_inline_crypto_fallback_defs.sh |   5 +
 .../test/tun_aesgcm_common_defs.sh            |   6 +-
 .../tun_aesgcm_inline_crypto_fallback_defs.sh |   5 +
 12 files changed, 409 insertions(+), 178 deletions(-)
 create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_inline_crypto_fallback_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_inline_crypto_fallback_defs.sh

--
2.17.1
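
The reordering caveat in the cover letter above, illustrated as an added example (not code from this patch series or from DPDK): a minimal sliding-window anti-replay check in the style of RFC 4303, fed a constructed arrival order in which every 10th packet takes the slower fallback path. The function names, the 100-packet delay and the window sizes are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_WIN 1024
/* Sliding-window anti-replay state (no ESN); 0 < size <= MAX_WIN. */
struct replay {
    uint32_t top;           /* highest sequence number accepted so far */
    uint32_t size;          /* window size in packets */
    uint8_t seen[MAX_WIN];  /* seen[sn % size] covers (top - size, top] */
};

/* Returns 1 if sn is accepted, 0 if it is too old or a duplicate. */
static int replay_check_update(struct replay *r, uint32_t sn)
{
    if (sn > r->top) {
        /* Slide right: clear the slots of newly covered numbers. */
        uint32_t gap = sn - r->top;
        for (uint32_t i = 1; i <= gap && i <= r->size; i++)
            r->seen[(r->top + i) % r->size] = 0;
        r->top = sn;
    } else if (r->top - sn >= r->size || r->seen[sn % r->size]) {
        return 0;           /* left of the window, or already seen */
    }
    r->seen[sn % r->size] = 1;
    return 1;
}

/* Constructed traffic: sequence numbers 1..n; every `every`-th packet
 * takes the slower fallback path and arrives `delay` packet-times late.
 * Returns how many packets the replay check drops. */
static unsigned simulate(uint32_t win, uint32_t n, uint32_t every, uint32_t delay)
{
    struct replay r = { .top = 0, .size = win };
    unsigned dropped = 0;
    for (uint32_t t = 1; t <= n + delay; t++) {
        if (t <= n && t % every != 0)               /* inline path */
            dropped += !replay_check_update(&r, t);
        if (t > delay && (t - delay) % every == 0)  /* fallback path */
            dropped += !replay_check_update(&r, t - delay);
    }
    return dropped;
}

int main(void)
{
    printf("window  64: %u dropped\n", simulate(64, 1000, 10, 100));
    printf("window 128: %u dropped\n", simulate(128, 1000, 10, 100));
    return 0;
}
```

With the smaller window, legitimate fallback packets arrive left of the window and are rejected exactly as stale traffic would be; the larger window absorbs the delay.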