19ef6cb1aSKonstantin Ananyev.. SPDX-License-Identifier: BSD-3-Clause 2957394f7SMarcin Smoczynski Copyright(c) 2018-2020 Intel Corporation. 39ef6cb1aSKonstantin Ananyev 49ef6cb1aSKonstantin AnanyevIPsec Packet Processing Library 59ef6cb1aSKonstantin Ananyev=============================== 69ef6cb1aSKonstantin Ananyev 79ef6cb1aSKonstantin AnanyevDPDK provides a library for IPsec data-path processing. 89ef6cb1aSKonstantin AnanyevThe library utilizes the existing DPDK crypto-dev and 99ef6cb1aSKonstantin Ananyevsecurity API to provide the application with a transparent and 109ef6cb1aSKonstantin Ananyevhigh performant IPsec packet processing API. 119ef6cb1aSKonstantin AnanyevThe library is concentrated on data-path protocols processing 129ef6cb1aSKonstantin Ananyev(ESP and AH), IKE protocol(s) implementation is out of scope 139ef6cb1aSKonstantin Ananyevfor this library. 149ef6cb1aSKonstantin Ananyev 159ef6cb1aSKonstantin AnanyevSA level API 169ef6cb1aSKonstantin Ananyev------------ 179ef6cb1aSKonstantin Ananyev 189ef6cb1aSKonstantin AnanyevThis API operates on the IPsec Security Association (SA) level. 199ef6cb1aSKonstantin AnanyevIt provides functionality that allows user for given SA to process 209ef6cb1aSKonstantin Ananyevinbound and outbound IPsec packets. 219ef6cb1aSKonstantin Ananyev 229ef6cb1aSKonstantin AnanyevTo be more specific: 239ef6cb1aSKonstantin Ananyev 249ef6cb1aSKonstantin Ananyev* for inbound ESP/AH packets perform decryption, authentication, integrity checking, remove ESP/AH related headers 259ef6cb1aSKonstantin Ananyev* for outbound packets perform payload encryption, attach ICV, update/add IP headers, add ESP/AH headers/trailers, 269ef6cb1aSKonstantin Ananyev* setup related mbuf fields (ol_flags, tx_offloads, etc.). 279ef6cb1aSKonstantin Ananyev* initialize/un-initialize given SA based on user provided parameters. 289ef6cb1aSKonstantin Ananyev 299ef6cb1aSKonstantin AnanyevThe SA level API is based on top of crypto-dev/security API and relies on 309ef6cb1aSKonstantin Ananyevthem to perform actual cipher and integrity checking. 319ef6cb1aSKonstantin Ananyev 329ef6cb1aSKonstantin AnanyevDue to the nature of the crypto-dev API (enqueue/dequeue model) the library 339ef6cb1aSKonstantin Ananyevintroduces an asynchronous API for IPsec packets destined to be processed by 349ef6cb1aSKonstantin Ananyevthe crypto-device. 359ef6cb1aSKonstantin Ananyev 369ef6cb1aSKonstantin AnanyevThe expected API call sequence for data-path processing would be: 379ef6cb1aSKonstantin Ananyev 389ef6cb1aSKonstantin Ananyev.. code-block:: c 399ef6cb1aSKonstantin Ananyev 409ef6cb1aSKonstantin Ananyev /* enqueue for processing by crypto-device */ 419ef6cb1aSKonstantin Ananyev rte_ipsec_pkt_crypto_prepare(...); 429ef6cb1aSKonstantin Ananyev rte_cryptodev_enqueue_burst(...); 439ef6cb1aSKonstantin Ananyev /* dequeue from crypto-device and do final processing (if any) */ 449ef6cb1aSKonstantin Ananyev rte_cryptodev_dequeue_burst(...); 459ef6cb1aSKonstantin Ananyev rte_ipsec_pkt_crypto_group(...); /* optional */ 469ef6cb1aSKonstantin Ananyev rte_ipsec_pkt_process(...); 479ef6cb1aSKonstantin Ananyev 489ef6cb1aSKonstantin AnanyevFor packets destined for inline processing no extra overhead 499ef6cb1aSKonstantin Ananyevis required and the synchronous API call: rte_ipsec_pkt_process() 509ef6cb1aSKonstantin Ananyevis sufficient for that case. 519ef6cb1aSKonstantin Ananyev 529ef6cb1aSKonstantin Ananyev.. note:: 539ef6cb1aSKonstantin Ananyev 549ef6cb1aSKonstantin Ananyev For more details about the IPsec API, please refer to the *DPDK API Reference*. 559ef6cb1aSKonstantin Ananyev 569ef6cb1aSKonstantin AnanyevThe current implementation supports all four currently defined 579ef6cb1aSKonstantin Ananyevrte_security types: 589ef6cb1aSKonstantin Ananyev 599ef6cb1aSKonstantin AnanyevRTE_SECURITY_ACTION_TYPE_NONE 609ef6cb1aSKonstantin Ananyev~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 619ef6cb1aSKonstantin Ananyev 629ef6cb1aSKonstantin AnanyevIn that mode the library functions perform 639ef6cb1aSKonstantin Ananyev 649ef6cb1aSKonstantin Ananyev* for inbound packets: 659ef6cb1aSKonstantin Ananyev 669ef6cb1aSKonstantin Ananyev - check SQN 679ef6cb1aSKonstantin Ananyev - prepare *rte_crypto_op* structure for each input packet 68d629b7b5SJohn McNamara - verify that integrity check and decryption performed by crypto device 699ef6cb1aSKonstantin Ananyev completed successfully 709ef6cb1aSKonstantin Ananyev - check padding data 719ef6cb1aSKonstantin Ananyev - remove outer IP header (tunnel mode) / update IP header (transport mode) 729ef6cb1aSKonstantin Ananyev - remove ESP header and trailer, padding, IV and ICV data 739ef6cb1aSKonstantin Ananyev - update SA replay window 749ef6cb1aSKonstantin Ananyev 759ef6cb1aSKonstantin Ananyev* for outbound packets: 769ef6cb1aSKonstantin Ananyev 779ef6cb1aSKonstantin Ananyev - generate SQN and IV 789ef6cb1aSKonstantin Ananyev - add outer IP header (tunnel mode) / update IP header (transport mode) 799ef6cb1aSKonstantin Ananyev - add ESP header and trailer, padding and IV data 809ef6cb1aSKonstantin Ananyev - prepare *rte_crypto_op* structure for each input packet 819ef6cb1aSKonstantin Ananyev - verify that crypto device operations (encryption, ICV generation) 829ef6cb1aSKonstantin Ananyev were completed successfully 839ef6cb1aSKonstantin Ananyev 84957394f7SMarcin SmoczynskiRTE_SECURITY_ACTION_TYPE_CPU_CRYPTO 85957394f7SMarcin Smoczynski~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 86957394f7SMarcin Smoczynski 87957394f7SMarcin SmoczynskiIn that mode the library functions perform same operations as in 88957394f7SMarcin Smoczynski``RTE_SECURITY_ACTION_TYPE_NONE``. The only difference is that crypto operations 89957394f7SMarcin Smoczynskiare performed with CPU crypto synchronous API. 90957394f7SMarcin Smoczynski 91957394f7SMarcin Smoczynski 929ef6cb1aSKonstantin AnanyevRTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO 939ef6cb1aSKonstantin Ananyev~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 949ef6cb1aSKonstantin Ananyev 959ef6cb1aSKonstantin AnanyevIn that mode the library functions perform 969ef6cb1aSKonstantin Ananyev 979ef6cb1aSKonstantin Ananyev* for inbound packets: 989ef6cb1aSKonstantin Ananyev 99d629b7b5SJohn McNamara - verify that integrity check and decryption performed by *rte_security* 1009ef6cb1aSKonstantin Ananyev device completed successfully 1019ef6cb1aSKonstantin Ananyev - check SQN 1029ef6cb1aSKonstantin Ananyev - check padding data 1039ef6cb1aSKonstantin Ananyev - remove outer IP header (tunnel mode) / update IP header (transport mode) 1049ef6cb1aSKonstantin Ananyev - remove ESP header and trailer, padding, IV and ICV data 1059ef6cb1aSKonstantin Ananyev - update SA replay window 1069ef6cb1aSKonstantin Ananyev 1079ef6cb1aSKonstantin Ananyev* for outbound packets: 1089ef6cb1aSKonstantin Ananyev 1099ef6cb1aSKonstantin Ananyev - generate SQN and IV 1109ef6cb1aSKonstantin Ananyev - add outer IP header (tunnel mode) / update IP header (transport mode) 1119ef6cb1aSKonstantin Ananyev - add ESP header and trailer, padding and IV data 112d629b7b5SJohn McNamara - update *ol_flags* inside *struct rte_mbuf* to indicate that 1139ef6cb1aSKonstantin Ananyev inline-crypto processing has to be performed by HW on this packet 1149ef6cb1aSKonstantin Ananyev - invoke *rte_security* device specific *set_pkt_metadata()* to associate 115d629b7b5SJohn McNamara security device specific data with the packet 1169ef6cb1aSKonstantin Ananyev 1179ef6cb1aSKonstantin AnanyevRTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL 1189ef6cb1aSKonstantin Ananyev~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1199ef6cb1aSKonstantin Ananyev 1209ef6cb1aSKonstantin AnanyevIn that mode the library functions perform 1219ef6cb1aSKonstantin Ananyev 1229ef6cb1aSKonstantin Ananyev* for inbound packets: 1239ef6cb1aSKonstantin Ananyev 124d629b7b5SJohn McNamara - verify that integrity check and decryption performed by *rte_security* 1259ef6cb1aSKonstantin Ananyev device completed successfully 1269ef6cb1aSKonstantin Ananyev 1279ef6cb1aSKonstantin Ananyev* for outbound packets: 1289ef6cb1aSKonstantin Ananyev 129d629b7b5SJohn McNamara - update *ol_flags* inside *struct rte_mbuf* to indicate that 1309ef6cb1aSKonstantin Ananyev inline-crypto processing has to be performed by HW on this packet 1319ef6cb1aSKonstantin Ananyev - invoke *rte_security* device specific *set_pkt_metadata()* to associate 132d629b7b5SJohn McNamara security device specific data with the packet 1339ef6cb1aSKonstantin Ananyev 1349ef6cb1aSKonstantin AnanyevRTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL 1359ef6cb1aSKonstantin Ananyev~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1369ef6cb1aSKonstantin Ananyev 1379ef6cb1aSKonstantin AnanyevIn that mode the library functions perform 1389ef6cb1aSKonstantin Ananyev 1399ef6cb1aSKonstantin Ananyev* for inbound packets: 1409ef6cb1aSKonstantin Ananyev 1419ef6cb1aSKonstantin Ananyev - prepare *rte_crypto_op* structure for each input packet 142d629b7b5SJohn McNamara - verify that integrity check and decryption performed by crypto device 1439ef6cb1aSKonstantin Ananyev completed successfully 1449ef6cb1aSKonstantin Ananyev 1459ef6cb1aSKonstantin Ananyev* for outbound packets: 1469ef6cb1aSKonstantin Ananyev 1479ef6cb1aSKonstantin Ananyev - prepare *rte_crypto_op* structure for each input packet 1489ef6cb1aSKonstantin Ananyev - verify that crypto device operations (encryption, ICV generation) 1499ef6cb1aSKonstantin Ananyev were completed successfully 1509ef6cb1aSKonstantin Ananyev 1519ef6cb1aSKonstantin AnanyevTo accommodate future custom implementations function pointers 1529ef6cb1aSKonstantin Ananyevmodel is used for both *crypto_prepare* and *process* implementations. 1539ef6cb1aSKonstantin Ananyev 154401633d9SVladimir MedvedkinSA database API 155401633d9SVladimir Medvedkin---------------- 156401633d9SVladimir Medvedkin 157401633d9SVladimir MedvedkinSA database(SAD) is a table with <key, value> pairs. 158401633d9SVladimir Medvedkin 159401633d9SVladimir MedvedkinValue is an opaque user provided pointer to the user defined SA data structure. 160401633d9SVladimir Medvedkin 161401633d9SVladimir MedvedkinAccording to RFC4301 each SA can be uniquely identified by a key 162401633d9SVladimir Medvedkinwhich is either: 163401633d9SVladimir Medvedkin 164401633d9SVladimir Medvedkin - security parameter index(SPI) 165401633d9SVladimir Medvedkin - or SPI and destination IP(DIP) 166401633d9SVladimir Medvedkin - or SPI, DIP and source IP(SIP) 167401633d9SVladimir Medvedkin 168401633d9SVladimir MedvedkinIn case of multiple matches, longest matching key will be returned. 1699ef6cb1aSKonstantin Ananyev 1703feb2360SVladimir MedvedkinCreate/destroy 1713feb2360SVladimir Medvedkin~~~~~~~~~~~~~~ 1723feb2360SVladimir Medvedkin 1733feb2360SVladimir Medvedkinlibrte_ipsec SAD implementation provides ability to create/destroy SAD tables. 1743feb2360SVladimir Medvedkin 1753feb2360SVladimir MedvedkinTo create SAD table user has to specify how many entries of each key type is 1763feb2360SVladimir Medvedkinrequired and IP protocol type (IPv4/IPv6). 1773feb2360SVladimir MedvedkinAs an example: 1783feb2360SVladimir Medvedkin 1793feb2360SVladimir Medvedkin 1803feb2360SVladimir Medvedkin.. code-block:: c 1813feb2360SVladimir Medvedkin 1823feb2360SVladimir Medvedkin struct rte_ipsec_sad *sad; 1833feb2360SVladimir Medvedkin struct rte_ipsec_sad_conf conf; 1843feb2360SVladimir Medvedkin 1853feb2360SVladimir Medvedkin conf.socket_id = -1; 1863feb2360SVladimir Medvedkin conf.max_sa[RTE_IPSEC_SAD_SPI_ONLY] = some_nb_rules_spi_only; 1873feb2360SVladimir Medvedkin conf.max_sa[RTE_IPSEC_SAD_SPI_DIP] = some_nb_rules_spi_dip; 1883feb2360SVladimir Medvedkin conf.max_sa[RTE_IPSEC_SAD_SPI_DIP_SIP] = some_nb_rules_spi_dip_sip; 1893feb2360SVladimir Medvedkin conf.flags = RTE_IPSEC_SAD_FLAG_RW_CONCURRENCY; 1903feb2360SVladimir Medvedkin 1913feb2360SVladimir Medvedkin sad = rte_ipsec_sad_create("test", &conf); 1923feb2360SVladimir Medvedkin 1933feb2360SVladimir Medvedkin.. note:: 1943feb2360SVladimir Medvedkin 1953feb2360SVladimir Medvedkin for more information please refer to ipsec library API reference 1963feb2360SVladimir Medvedkin 197b2ee2692SVladimir MedvedkinAdd/delete rules 198b2ee2692SVladimir Medvedkin~~~~~~~~~~~~~~~~ 199b2ee2692SVladimir Medvedkin 200b2ee2692SVladimir MedvedkinLibrary also provides methods to add or delete key/value pairs from the SAD. 201b2ee2692SVladimir MedvedkinTo add user has to specify key, key type and a value which is an opaque pointer to SA. 202b2ee2692SVladimir MedvedkinThe key type reflects a set of tuple fields that will be used for lookup of the SA. 203b2ee2692SVladimir MedvedkinAs mentioned above there are 3 types of a key and the representation of a key type is: 204b2ee2692SVladimir Medvedkin 205b2ee2692SVladimir Medvedkin.. code-block:: c 206b2ee2692SVladimir Medvedkin 207b2ee2692SVladimir Medvedkin RTE_IPSEC_SAD_SPI_ONLY, 208b2ee2692SVladimir Medvedkin RTE_IPSEC_SAD_SPI_DIP, 209b2ee2692SVladimir Medvedkin RTE_IPSEC_SAD_SPI_DIP_SIP, 210b2ee2692SVladimir Medvedkin 211b2ee2692SVladimir MedvedkinAs an example, to add new entry into the SAD for IPv4 addresses: 212b2ee2692SVladimir Medvedkin 213b2ee2692SVladimir Medvedkin.. code-block:: c 214b2ee2692SVladimir Medvedkin 215b2ee2692SVladimir Medvedkin struct rte_ipsec_sa *sa; 216b2ee2692SVladimir Medvedkin union rte_ipsec_sad_key key; 217b2ee2692SVladimir Medvedkin 218b2ee2692SVladimir Medvedkin key.v4.spi = rte_cpu_to_be_32(spi_val); 219b2ee2692SVladimir Medvedkin if (key_type >= RTE_IPSEC_SAD_SPI_DIP) /* DIP is optional*/ 220b2ee2692SVladimir Medvedkin key.v4.dip = rte_cpu_to_be_32(dip_val); 221b2ee2692SVladimir Medvedkin if (key_type == RTE_IPSEC_SAD_SPI_DIP_SIP) /* SIP is optional*/ 222b2ee2692SVladimir Medvedkin key.v4.sip = rte_cpu_to_be_32(sip_val); 223b2ee2692SVladimir Medvedkin 224b2ee2692SVladimir Medvedkin rte_ipsec_sad_add(sad, &key, key_type, sa); 225b2ee2692SVladimir Medvedkin 226b2ee2692SVladimir Medvedkin.. note:: 227b2ee2692SVladimir Medvedkin 228b2ee2692SVladimir Medvedkin By performance reason it is better to keep spi/dip/sip in net byte order 229b2ee2692SVladimir Medvedkin to eliminate byteswap on lookup 230b2ee2692SVladimir Medvedkin 231b2ee2692SVladimir MedvedkinTo delete user has to specify key and key type. 232b2ee2692SVladimir Medvedkin 233b2ee2692SVladimir MedvedkinDelete code would look like: 234b2ee2692SVladimir Medvedkin 235b2ee2692SVladimir Medvedkin.. code-block:: c 236b2ee2692SVladimir Medvedkin 237b2ee2692SVladimir Medvedkin union rte_ipsec_sad_key key; 238b2ee2692SVladimir Medvedkin 239b2ee2692SVladimir Medvedkin key.v4.spi = rte_cpu_to_be_32(necessary_spi); 240b2ee2692SVladimir Medvedkin if (key_type >= RTE_IPSEC_SAD_SPI_DIP) /* DIP is optional*/ 241b2ee2692SVladimir Medvedkin key.v4.dip = rte_cpu_to_be_32(necessary_dip); 242b2ee2692SVladimir Medvedkin if (key_type == RTE_IPSEC_SAD_SPI_DIP_SIP) /* SIP is optional*/ 243b2ee2692SVladimir Medvedkin key.v4.sip = rte_cpu_to_be_32(necessary_sip); 244b2ee2692SVladimir Medvedkin 245b2ee2692SVladimir Medvedkin rte_ipsec_sad_del(sad, &key, key_type); 246b2ee2692SVladimir Medvedkin 247b2ee2692SVladimir Medvedkin 248b2ee2692SVladimir MedvedkinLookup 249b2ee2692SVladimir Medvedkin~~~~~~ 250b2ee2692SVladimir MedvedkinLibrary provides lookup by the given {SPI,DIP,SIP} tuple of 251b2ee2692SVladimir Medvedkininbound ipsec packet as a key. 252b2ee2692SVladimir Medvedkin 253b2ee2692SVladimir MedvedkinThe search key is represented by: 254b2ee2692SVladimir Medvedkin 255b2ee2692SVladimir Medvedkin.. code-block:: c 256b2ee2692SVladimir Medvedkin 257b2ee2692SVladimir Medvedkin union rte_ipsec_sad_key { 258b2ee2692SVladimir Medvedkin struct rte_ipsec_sadv4_key v4; 259b2ee2692SVladimir Medvedkin struct rte_ipsec_sadv6_key v6; 260b2ee2692SVladimir Medvedkin }; 261b2ee2692SVladimir Medvedkin 262b2ee2692SVladimir Medvedkinwhere v4 is a tuple for IPv4: 263b2ee2692SVladimir Medvedkin 264b2ee2692SVladimir Medvedkin.. code-block:: c 265b2ee2692SVladimir Medvedkin 266b2ee2692SVladimir Medvedkin struct rte_ipsec_sadv4_key { 267b2ee2692SVladimir Medvedkin uint32_t spi; 268b2ee2692SVladimir Medvedkin uint32_t dip; 269b2ee2692SVladimir Medvedkin uint32_t sip; 270b2ee2692SVladimir Medvedkin }; 271b2ee2692SVladimir Medvedkin 272b2ee2692SVladimir Medvedkinand v6 is a tuple for IPv6: 273b2ee2692SVladimir Medvedkin 274b2ee2692SVladimir Medvedkin.. code-block:: c 275b2ee2692SVladimir Medvedkin 276b2ee2692SVladimir Medvedkin struct rte_ipsec_sadv6_key { 277b2ee2692SVladimir Medvedkin uint32_t spi; 278*9ac91e2fSRobin Jarry struct rte_ipv6_addr dip; 279*9ac91e2fSRobin Jarry struct rte_ipv6_addr sip; 280b2ee2692SVladimir Medvedkin }; 281b2ee2692SVladimir Medvedkin 282b2ee2692SVladimir MedvedkinAs an example, lookup related code could look like that: 283b2ee2692SVladimir Medvedkin 284b2ee2692SVladimir Medvedkin.. code-block:: c 285b2ee2692SVladimir Medvedkin 286b2ee2692SVladimir Medvedkin int i; 287b2ee2692SVladimir Medvedkin union rte_ipsec_sad_key keys[BURST_SZ]; 288b2ee2692SVladimir Medvedkin const union rte_ipsec_sad_key *keys_p[BURST_SZ]; 289b2ee2692SVladimir Medvedkin void *vals[BURST_SZ]; 290b2ee2692SVladimir Medvedkin 291b2ee2692SVladimir Medvedkin for (i = 0; i < BURST_SZ_MAX; i++) { 292b2ee2692SVladimir Medvedkin keys[i].v4.spi = esp_hdr[i]->spi; 293b2ee2692SVladimir Medvedkin keys[i].v4.dip = ipv4_hdr[i]->dst_addr; 294b2ee2692SVladimir Medvedkin keys[i].v4.sip = ipv4_hdr[i]->src_addr; 295b2ee2692SVladimir Medvedkin keys_p[i] = &keys[i]; 296b2ee2692SVladimir Medvedkin } 297b2ee2692SVladimir Medvedkin rte_ipsec_sad_lookup(sad, keys_p, vals, BURST_SZ); 298b2ee2692SVladimir Medvedkin 299b2ee2692SVladimir Medvedkin for (i = 0; i < BURST_SZ_MAX; i++) { 300b2ee2692SVladimir Medvedkin if (vals[i] == NULL) 301b2ee2692SVladimir Medvedkin printf("SA not found for key index %d\n", i); 302b2ee2692SVladimir Medvedkin else 303b2ee2692SVladimir Medvedkin printf("SA pointer is %p\n", vals[i]); 304b2ee2692SVladimir Medvedkin } 305b2ee2692SVladimir Medvedkin 306b2ee2692SVladimir Medvedkin 3079ef6cb1aSKonstantin AnanyevSupported features 3089ef6cb1aSKonstantin Ananyev------------------ 3099ef6cb1aSKonstantin Ananyev 3109ef6cb1aSKonstantin Ananyev* ESP protocol tunnel mode both IPv4/IPv6. 3119ef6cb1aSKonstantin Ananyev 3129ef6cb1aSKonstantin Ananyev* ESP protocol transport mode both IPv4/IPv6. 3139ef6cb1aSKonstantin Ananyev 3149ef6cb1aSKonstantin Ananyev* ESN and replay window. 3159ef6cb1aSKonstantin Ananyev 31601eef590SRadu Nicolau* NAT-T / UDP encapsulated ESP. 31701eef590SRadu Nicolau 318ff4a29d1SRadu Nicolau* TSO (only for inline crypto mode) 319ff4a29d1SRadu Nicolau 320c99d2619SRadu Nicolau* algorithms: 3DES-CBC, AES-CBC, AES-CTR, AES-GCM, AES_CCM, CHACHA20_POLY1305, 321c99d2619SRadu Nicolau AES_GMAC, HMAC-SHA1, NULL. 3229ef6cb1aSKonstantin Ananyev 3239ef6cb1aSKonstantin Ananyev 32468977baaSRadu NicolauTelemetry support 32568977baaSRadu Nicolau------------------ 326aae98b8cSAakash Sasidharan 32768977baaSRadu NicolauTelemetry support implements SA details and IPsec packet add data counters 32868977baaSRadu Nicolaustatistics. Per SA telemetry statistics can be enabled using 32968977baaSRadu Nicolau``rte_ipsec_telemetry_sa_add`` and disabled using 33068977baaSRadu Nicolau``rte_ipsec_telemetry_sa_del``. Note that these calls are not thread safe. 33168977baaSRadu Nicolau 332aae98b8cSAakash SasidharanStateless IPsec packet processing 333aae98b8cSAakash Sasidharan--------------------------------- 334aae98b8cSAakash Sasidharan 335aae98b8cSAakash SasidharanSupport for stateless IPsec packet processing allows use of custom 336aae98b8cSAakash Sasidharansequence number to be used for IPsec outbound processing. 337aae98b8cSAakash Sasidharan 338aae98b8cSAakash Sasidharan``rte_ipsec_pkt_stateless_prepare()`` takes as input the state parameter 339aae98b8cSAakash Sasidharanfrom the application and prepares the packet for IPsec processing. 34068977baaSRadu Nicolau 3419ef6cb1aSKonstantin AnanyevLimitations 3429ef6cb1aSKonstantin Ananyev----------- 3439ef6cb1aSKonstantin Ananyev 3449ef6cb1aSKonstantin AnanyevThe following features are not properly supported in the current version: 3459ef6cb1aSKonstantin Ananyev 3469ef6cb1aSKonstantin Ananyev* Hard/soft limit for SA lifetime (time interval/byte count). 347