xref: /dpdk/doc/guides/prog_guide/ipsec_lib.rst (revision 401633d9c11288fb1e558455f099527c4f20deda)
..  SPDX-License-Identifier: BSD-3-Clause
    Copyright(c) 2018 Intel Corporation.

IPsec Packet Processing Library
===============================

DPDK provides a library for IPsec data-path processing.
The library builds on the existing DPDK crypto-dev and
security APIs to give the application a transparent and
high-performance IPsec packet processing API.
The library concentrates on data-path protocol processing
(ESP and AH); IKE protocol(s) implementation is out of scope
for this library.
SA level API
------------

This API operates at the level of an individual IPsec Security Association (SA).
It provides functionality that allows the user, for a given SA, to process
inbound and outbound IPsec packets.

To be more specific:

*  for inbound ESP/AH packets: perform decryption, authentication and integrity checking, remove ESP/AH related headers;
*  for outbound packets: perform payload encryption, attach ICV, update/add IP headers, add ESP/AH headers/trailers;
*  set up related mbuf fields (ol_flags, tx_offloads, etc.);
*  initialize/un-initialize a given SA based on user provided parameters.

The SA level API is built on top of the crypto-dev/security API and relies on
them to perform the actual cipher and integrity checking.

Due to the nature of the crypto-dev API (enqueue/dequeue model) the library
introduces an asynchronous API for IPsec packets destined to be processed by
the crypto-device.

The expected API call sequence for data-path processing would be:

.. code-block:: c

    /* enqueue for processing by crypto-device */
    rte_ipsec_pkt_crypto_prepare(...);
    rte_cryptodev_enqueue_burst(...);
    /* dequeue from crypto-device and do final processing (if any) */
    rte_cryptodev_dequeue_burst(...);
    rte_ipsec_pkt_crypto_group(...); /* optional */
    rte_ipsec_pkt_process(...);

For packets destined for inline processing no extra overhead
is required and the synchronous API call rte_ipsec_pkt_process()
is sufficient for that case.

.. note::

    For more details about the IPsec API, please refer to the *DPDK API Reference*.

The current implementation supports all four currently defined
rte_security action types:

RTE_SECURITY_ACTION_TYPE_NONE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In this mode the library functions perform:

* for inbound packets:

  - check SQN
  - prepare *rte_crypto_op* structure for each input packet
  - verify that integrity check and decryption performed by the crypto device
    completed successfully
  - check padding data
  - remove outer IP header (tunnel mode) / update IP header (transport mode)
  - remove ESP header and trailer, padding, IV and ICV data
  - update SA replay window

* for outbound packets:

  - generate SQN and IV
  - add outer IP header (tunnel mode) / update IP header (transport mode)
  - add ESP header and trailer, padding and IV data
  - prepare *rte_crypto_op* structure for each input packet
  - verify that crypto device operations (encryption, ICV generation)
    were completed successfully

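The ordering of the inbound steps above carries a security point: the SQN is
checked before the packet is handed to the crypto device, but the replay window
is updated only after the integrity check has succeeded, so an attacker cannot
move the window with forged sequence numbers. The following is an added example
of that check-then-update logic, written for this page and not taken from the
DPDK library. It assumes a 64-entry window (``REPLAY_WIN_SIZE``); the names
``struct replay_state``, ``replay_check``, ``replay_update`` and ``esn_extend``
are hypothetical, and the ESN high-half selection follows RFC 4303 Appendix A.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Window covers the 64 most recent sequence numbers ending at 'top'
 * (assumed size for the example; in the library it is an SA parameter). */
#define REPLAY_WIN_SIZE 64u

struct replay_state {
    uint64_t top;    /* highest sequence number accepted so far (64-bit for ESN) */
    uint64_t bitmap; /* bit i set => sequence number (top - i) already received */
};

enum replay_verdict { REPLAY_OK = 0, REPLAY_TOO_OLD = -1, REPLAY_DUPLICATE = -2 };

/* "check SQN": decide without modifying state, so it can run before the
 * packet is handed to the crypto device. */
static enum replay_verdict replay_check(const struct replay_state *st, uint64_t seq)
{
    if (seq == 0)
        return REPLAY_TOO_OLD;              /* SQN 0 is never valid for ESP */
    if (seq > st->top)
        return REPLAY_OK;                   /* ahead of the window: new */
    uint64_t diff = st->top - seq;
    if (diff >= REPLAY_WIN_SIZE)
        return REPLAY_TOO_OLD;              /* fell off the left edge */
    if (st->bitmap & (UINT64_C(1) << diff))
        return REPLAY_DUPLICATE;            /* already seen: replay */
    return REPLAY_OK;
}

/* "update SA replay window": call only after the ICV verified, otherwise a
 * forged packet could advance the window and drop legitimate traffic. */
static enum replay_verdict replay_update(struct replay_state *st, uint64_t seq)
{
    enum replay_verdict v = replay_check(st, seq);
    if (v != REPLAY_OK)
        return v;
    if (seq > st->top) {
        uint64_t shift = seq - st->top;
        /* shifting a uint64_t by >= 64 is undefined in C, so clear explicitly */
        st->bitmap = (shift >= REPLAY_WIN_SIZE) ? 0 : (st->bitmap << shift);
        st->bitmap |= 1;
        st->top = seq;
    } else {
        st->bitmap |= UINT64_C(1) << (st->top - seq);
    }
    return REPLAY_OK;
}

/* ESN: the wire carries only the low 32 bits of the sequence number. Pick the
 * high half that places 'seq_lo' inside or just ahead of the current window
 * (RFC 4303 Appendix A2.2). The guess is confirmed by the ICV, which covers
 * the implicit high bits, so a wrong guess fails authentication. */
static uint64_t esn_extend(const struct replay_state *st, uint32_t seq_lo)
{
    uint32_t top_lo = (uint32_t)st->top;
    uint32_t top_hi = (uint32_t)(st->top >> 32);
    uint32_t bottom_lo = top_lo - (uint32_t)(REPLAY_WIN_SIZE - 1); /* wraps mod 2^32 */
    uint32_t hi;

    if (top_lo >= REPLAY_WIN_SIZE - 1)        /* window does not wrap 32 bits */
        hi = (seq_lo >= bottom_lo) ? top_hi : top_hi + 1;
    else                                      /* window straddles a 2^32 boundary */
        hi = (seq_lo >= bottom_lo) ? (top_hi ? top_hi - 1 : 0) : top_hi;
    return ((uint64_t)hi << 32) | seq_lo;
}

int main(void)
{
    struct replay_state st = { 0, 0 };
    uint64_t seqs[] = { 1, 1, 100, 36, 37, 37 };   /* constructed sequence */
    for (size_t i = 0; i < sizeof(seqs) / sizeof(seqs[0]); i++)
        printf("seq %3llu -> %d\n", (unsigned long long)seqs[i],
               (int)replay_update(&st, seqs[i]));
    return 0;
}
```

A jump far ahead of the window (100 after 1 above) is accepted and clears the
bitmap; a number that has fallen more than 64 behind is dropped without any
state change, which is what keeps the window immune to off-window noise.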
RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In this mode the library functions perform:

* for inbound packets:

  - verify that integrity check and decryption performed by the *rte_security*
    device completed successfully
  - check SQN
  - check padding data
  - remove outer IP header (tunnel mode) / update IP header (transport mode)
  - remove ESP header and trailer, padding, IV and ICV data
  - update SA replay window

* for outbound packets:

  - generate SQN and IV
  - add outer IP header (tunnel mode) / update IP header (transport mode)
  - add ESP header and trailer, padding and IV data
  - update *ol_flags* inside *struct rte_mbuf* to indicate that
    inline-crypto processing has to be performed by HW on this packet
  - invoke the *rte_security* device specific *set_pkt_metadata()* to associate
    security device specific data with the packet

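The "check padding data" and "remove ESP header and trailer" steps listed for
the NONE and INLINE_CRYPTO modes are where the post-decryption packet is parsed,
and the trailer's pad length byte is attacker-influenced input. The example
below is added here to show a bounds-checked version of that parse; it is not
DPDK code. ``esp_inbound_strip``, ``struct esp_inner`` and the sample packet
produced by ``build_sample_esp`` are constructed for illustration, with the IV
and ICV lengths passed in by the caller as they would be known from the SA.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ESP_HDR_LEN 8u          /* SPI (4 bytes) + sequence number (4 bytes) */

struct esp_inner {
    const uint8_t *data;        /* decapsulated inner payload */
    size_t         len;
    uint8_t        next_hdr;    /* inner protocol (4 = IPv4, 41 = IPv6, ...) */
    uint32_t       spi;
    uint32_t       sqn;         /* low 32 bits as carried on the wire */
};

enum { ESP_OK = 0, ESP_ERR_SHORT = -1, ESP_ERR_PAD = -2 };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Locate and validate the ESP trailer of a packet whose payload has already
 * been decrypted in place and whose ICV has already been verified by the
 * crypto device. On success 'out' describes the inner payload to keep; the
 * caller then strips the ESP header, IV, padding, trailer and ICV. */
static int esp_inbound_strip(const uint8_t *pkt, size_t len, size_t iv_len,
                             size_t icv_len, struct esp_inner *out)
{
    /* smallest legal packet: header + IV + pad_len + next_hdr + ICV */
    if (len < ESP_HDR_LEN + iv_len + 2 + icv_len)
        return ESP_ERR_SHORT;

    const uint8_t *icv       = pkt + len - icv_len;   /* trailer ends where ICV starts */
    uint8_t        pad_len   = icv[-2];
    uint8_t        next_hdr  = icv[-1];
    const uint8_t *plain     = pkt + ESP_HDR_LEN + iv_len;
    size_t         plain_len = (size_t)(icv - plain) - 2; /* payload + padding */

    /* pad_len came off the wire: bound it before using it as an offset */
    if (pad_len > plain_len)
        return ESP_ERR_SHORT;

    /* RFC 4303 default padding is 1, 2, 3, ...; anything else means the
     * packet was corrupted or the "successful" decryption produced garbage */
    const uint8_t *pad = icv - 2 - pad_len;
    for (size_t i = 0; i < pad_len; i++)
        if (pad[i] != (uint8_t)(i + 1))
            return ESP_ERR_PAD;

    out->spi      = be32(pkt);
    out->sqn      = be32(pkt + 4);
    out->data     = plain;
    out->len      = plain_len - pad_len;
    out->next_hdr = next_hdr;
    return ESP_OK;
}

/* Constructed sample: SPI 0x1001, SQN 7, 8-byte IV, inner payload "hello",
 * 9 bytes of padding (so payload + padding + 2 fills a 16-byte CBC block),
 * next header 4 (IPv4 in tunnel mode), 12-byte ICV (HMAC-SHA1-96).
 * Plaintext and an all-zero ICV stand in for the output of a successful
 * decrypt-and-verify; the bytes are made up for the example. */
static size_t build_sample_esp(uint8_t *buf)
{
    static const uint8_t hdr_iv[16] = {
        0x00, 0x00, 0x10, 0x01,  0x00, 0x00, 0x00, 0x07,      /* SPI, SQN */
        0xa1, 0xa2, 0xa3, 0xa4,  0xa5, 0xa6, 0xa7, 0xa8 };    /* IV */
    size_t n = 0;
    memcpy(buf, hdr_iv, sizeof hdr_iv);        n += sizeof hdr_iv;
    memcpy(buf + n, "hello", 5);               n += 5;
    for (uint8_t i = 1; i <= 9; i++) buf[n++] = i;          /* padding */
    buf[n++] = 9;                              /* pad length */
    buf[n++] = 4;                              /* next header: IPv4 */
    memset(buf + n, 0, 12);                    n += 12;      /* ICV */
    return n;                                  /* 44 bytes */
}

int main(void)
{
    uint8_t pkt[64];
    struct esp_inner in;
    size_t n = build_sample_esp(pkt);
    int rc = esp_inbound_strip(pkt, n, 8, 12, &in);
    printf("rc=%d spi=0x%x sqn=%u next=%u payload=%.*s\n",
           rc, in.spi, in.sqn, in.next_hdr, (int)in.len, (const char *)in.data);
    return rc != ESP_OK;
}
```

The two failure paths matter for different reasons: a pad length larger than
the decrypted area is a malformed packet that must not be used as an offset,
while a wrong padding pattern is the only plaintext-level signal that
decryption actually produced what the sender built, which is why the library
lists padding verification as a separate inbound step.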
RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In this mode the library functions perform:

* for inbound packets:

  - verify that integrity check and decryption performed by the *rte_security*
    device completed successfully

* for outbound packets:

  - update *ol_flags* inside *struct rte_mbuf* to indicate that
    inline-protocol processing has to be performed by HW on this packet
  - invoke the *rte_security* device specific *set_pkt_metadata()* to associate
    security device specific data with the packet

RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In this mode the library functions perform:

* for inbound packets:

  - prepare *rte_crypto_op* structure for each input packet
  - verify that integrity check and decryption performed by the crypto device
    completed successfully

* for outbound packets:

  - prepare *rte_crypto_op* structure for each input packet
  - verify that crypto device operations (encryption, ICV generation)
    were completed successfully

To accommodate future custom implementations, a function pointer
model is used for both the *crypto_prepare* and *process* implementations.

SA database API
---------------

The SA database (SAD) is a table of <key, value> pairs.

The value is an opaque user provided pointer to the user defined SA data structure.

According to RFC 4301, each SA can be uniquely identified by a key
which is either:

  - the security parameter index (SPI)
  - or SPI and destination IP (DIP)
  - or SPI, DIP and source IP (SIP)

In case of multiple matches, the longest matching key (the one covering the
most fields) will be returned.

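To make the longest-match rule concrete, the following added example models a
SAD holding the three key types and resolves a packet's (SPI, DIP, SIP) against
it. It is illustrative code written for this page, not the ``rte_ipsec_sad``
API: the names ``sad_add``, ``sad_lookup``, ``sad_resolve`` and
``build_sample_sad`` are hypothetical, it uses IPv4 addresses only, and the SA
values are stand-in integers rather than real SA structures.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Three key types of increasing specificity; a more specific match wins. */
enum sad_key_type { SAD_KEY_SPI = 0, SAD_KEY_SPI_DIP = 1, SAD_KEY_SPI_DIP_SIP = 2 };

struct sad_key { uint32_t spi; uint32_t dip; uint32_t sip; };  /* IPv4, host order */

struct sad_entry { enum sad_key_type type; struct sad_key key; const void *sa; };

#define SAD_MAX_ENTRIES 16
struct sad { struct sad_entry ent[SAD_MAX_ENTRIES]; size_t n; };

#define IPV4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

static void sad_init(struct sad *t) { t->n = 0; }

static int sad_add(struct sad *t, enum sad_key_type type,
                   const struct sad_key *key, const void *sa)
{
    if (t->n >= SAD_MAX_ENTRIES)
        return -1;
    t->ent[t->n].type = type;
    t->ent[t->n].key  = *key;
    t->ent[t->n].sa   = sa;
    t->n++;
    return 0;
}

/* Does entry 'e' match the packet key on every field its key type uses?
 * Fields the key type does not cover are wildcards. */
static int sad_key_matches(const struct sad_entry *e, const struct sad_key *k)
{
    if (e->key.spi != k->spi)
        return 0;
    if (e->type >= SAD_KEY_SPI_DIP && e->key.dip != k->dip)
        return 0;
    if (e->type == SAD_KEY_SPI_DIP_SIP && e->key.sip != k->sip)
        return 0;
    return 1;
}

/* Longest match: among all matching entries return the one whose key type
 * covers the most fields, or NULL when nothing matches. */
static const void *sad_lookup(const struct sad *t, const struct sad_key *k)
{
    const struct sad_entry *best = NULL;
    for (size_t i = 0; i < t->n; i++) {
        const struct sad_entry *e = &t->ent[i];
        if (sad_key_matches(e, k) && (best == NULL || e->type > best->type))
            best = e;
    }
    return best ? best->sa : NULL;
}

/* Constructed sample: three SAs sharing SPI 0x100 with keys of different
 * length. The SA objects are stand-in integers. */
static const int sa_any_peer = 1, sa_one_dip = 2, sa_one_pair = 3;

static void build_sample_sad(struct sad *t)
{
    struct sad_key k = { 0x100, 0, 0 };
    sad_add(t, SAD_KEY_SPI, &k, &sa_any_peer);
    k.dip = IPV4(10, 0, 0, 1);
    sad_add(t, SAD_KEY_SPI_DIP, &k, &sa_one_dip);
    k.sip = IPV4(192, 168, 1, 5);
    sad_add(t, SAD_KEY_SPI_DIP_SIP, &k, &sa_one_pair);
}

/* Which stand-in SA does (spi, dip, sip) resolve to? 0 means no match. */
static int sad_resolve(const struct sad *t, uint32_t spi, uint32_t dip, uint32_t sip)
{
    struct sad_key k = { spi, dip, sip };
    const int *sa = sad_lookup(t, &k);
    return sa ? *sa : 0;
}

int main(void)
{
    struct sad t;
    sad_init(&t);
    build_sample_sad(&t);
    printf("known pair -> SA %d, other SIP -> SA %d, other DIP -> SA %d, unknown SPI -> %d\n",
           sad_resolve(&t, 0x100, IPV4(10, 0, 0, 1), IPV4(192, 168, 1, 5)),
           sad_resolve(&t, 0x100, IPV4(10, 0, 0, 1), IPV4(192, 168, 1, 9)),
           sad_resolve(&t, 0x100, IPV4(10, 0, 0, 2), IPV4(192, 168, 1, 5)),
           sad_resolve(&t, 0x200, IPV4(10, 0, 0, 1), IPV4(192, 168, 1, 5)));
    return 0;
}
```

Because a more specific key wins, an entry keyed on SPI alone acts as a
fallback: a packet from an unexpected peer reaches it only when no (SPI, DIP) or
(SPI, DIP, SIP) entry matches, so the SPI-only entry should carry the most
restrictive SA the deployment can tolerate.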
Supported features
------------------

*  ESP protocol tunnel mode, both IPv4/IPv6.

*  ESP protocol transport mode, both IPv4/IPv6.

*  ESN and replay window.

*  algorithms: 3DES-CBC, AES-CBC, AES-CTR, AES-GCM, HMAC-SHA1, NULL.


Limitations
-----------

The following features are not properly supported in the current version:

*  Hard/soft limit for SA lifetime (time interval/byte count).