DPDK  24.07.0
rte_security_ipsec_sa_options Struct Reference

#include <rte_security.h>

Data Fields

uint32_t esn: 1
uint32_t udp_encap: 1
uint32_t copy_dscp: 1
uint32_t copy_flabel: 1
uint32_t copy_df: 1
uint32_t dec_ttl: 1
uint32_t ecn: 1
uint32_t stats: 1
uint32_t iv_gen_disable: 1
uint32_t tunnel_hdr_verify: 2
uint32_t udp_ports_verify: 1
uint32_t ip_csum_enable: 1
uint32_t l4_csum_enable: 1
uint32_t ip_reassembly_en: 1
uint32_t ingress_oop: 1

Detailed Description

IPsec Security Association option flags

Definition at line 111 of file rte_security.h.

Field Documentation

◆ esn

uint32_t esn

Extended Sequence Numbers (ESN)

  • 1: Use extended (64 bit) sequence numbers
  • 0: Use normal sequence numbers
Examples:
examples/ipsec-secgw/ipsec.c, and examples/ipsec-secgw/sa.c.

Definition at line 117 of file rte_security.h.

◆ udp_encap

uint32_t udp_encap

UDP encapsulation

  • 1: Do UDP encapsulation/decapsulation so that IPsec packets can traverse NAT boxes.
  • 0: No UDP encapsulation
Examples:
examples/ipsec-secgw/ipsec.c, and examples/ipsec-secgw/sa.c.

Definition at line 125 of file rte_security.h.

◆ copy_dscp

uint32_t copy_dscp

Copy DSCP bits

  • 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to the outer IP header in encapsulation, and vice versa in decapsulation.
  • 0: Do not change DSCP field.
Examples:
examples/ipsec-secgw/ipsec.c, and examples/ipsec-secgw/sa.c.

Definition at line 134 of file rte_security.h.

◆ copy_flabel

uint32_t copy_flabel

Copy IPv6 Flow Label

  • 1: Copy IPv6 flow label from inner IPv6 header to the outer IPv6 header.
  • 0: Outer header is not modified.
Examples:
examples/ipsec-secgw/ipsec.c.

Definition at line 142 of file rte_security.h.

◆ copy_df

uint32_t copy_df

Copy IPv4 Don't Fragment bit

  • 1: Copy the DF bit from the inner IPv4 header to the outer IPv4 header.
  • 0: Outer header is not modified.
Examples:
examples/ipsec-secgw/ipsec.c.

Definition at line 150 of file rte_security.h.

◆ dec_ttl

uint32_t dec_ttl

Decrement inner packet Time To Live (TTL) field

  • 1: In tunnel mode, decrement inner packet IPv4 TTL or IPv6 Hop Limit after tunnel decapsulation, or before tunnel encapsulation.
  • 0: Inner packet is not modified.
Examples:
examples/ipsec-secgw/ipsec.c.

Definition at line 159 of file rte_security.h.

◆ ecn

uint32_t ecn

Explicit Congestion Notification (ECN)

  • 1: In tunnel mode, copy the ECN field from the inner header to the outer header in tunnel encapsulation, and construct the inner header ECN field in decapsulation.
  • 0: Inner and outer headers are not modified.
Examples:
examples/ipsec-secgw/ipsec.c, and examples/ipsec-secgw/sa.c.

Definition at line 168 of file rte_security.h.

◆ stats

uint32_t stats

Security statistics

  • 1: Enable per session security statistics collection for this SA, if supported by the driver.
  • 0: Disable per session security statistics collection for this SA.
Examples:
examples/ipsec-secgw/ipsec.c.

Definition at line 176 of file rte_security.h.

◆ iv_gen_disable

uint32_t iv_gen_disable

Disable IV generation in PMD

  • 1: Disable IV generation in the PMD. When disabled, the IV provided in rte_crypto_op is used by the PMD.
  • 0: Enable IV generation in the PMD. When enabled, a PMD-generated random value is used and the application is not required to provide an IV.

Note: For inline cases, IV generation always needs to be handled by the PMD.

Examples:
examples/ipsec-secgw/ipsec.c.

Definition at line 190 of file rte_security.h.

◆ tunnel_hdr_verify

uint32_t tunnel_hdr_verify

Verify tunnel header for inbound packets

  • RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR: Verify destination IP address.
  • RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR: Verify both source and destination IP addresses.
Examples:
examples/ipsec-secgw/ipsec.c.

Definition at line 199 of file rte_security.h.

◆ udp_ports_verify

uint32_t udp_ports_verify

Verify UDP encapsulation ports for inbound packets

  • 1: Match UDP source and destination ports
  • 0: Do not match UDP ports
Examples:
examples/ipsec-secgw/ipsec.c.

Definition at line 206 of file rte_security.h.

◆ ip_csum_enable

uint32_t ip_csum_enable

Compute/verify inner packet IPv4 header checksum in tunnel mode

  • 1: For outbound, compute inner packet IPv4 header checksum before tunnel encapsulation and for inbound, verify after tunnel decapsulation.
  • 0: Inner packet IP header checksum is not computed/verified.

The checksum verification status is set in the mbuf using the RTE_MBUF_F_RX_IP_CKSUM_xxx flags.

Inner IP checksum computation can also be enabled (per operation) by setting the flag RTE_MBUF_F_TX_IP_CKSUM in the mbuf.

Examples:
examples/ipsec-secgw/ipsec.c.

Definition at line 221 of file rte_security.h.

◆ l4_csum_enable

uint32_t l4_csum_enable

Compute/verify inner packet L4 checksum in tunnel mode

  • 1: For outbound, compute inner packet L4 checksum before tunnel encapsulation and for inbound, verify after tunnel decapsulation.
  • 0: Inner packet L4 checksum is not computed/verified.

The checksum verification status is set in the mbuf using the RTE_MBUF_F_RX_L4_CKSUM_xxx flags.

Inner L4 checksum computation can also be enabled (per operation) by setting the flags RTE_MBUF_F_TX_TCP_CKSUM or RTE_MBUF_F_TX_SCTP_CKSUM or RTE_MBUF_F_TX_UDP_CKSUM or RTE_MBUF_F_TX_L4_MASK in the mbuf.

Examples:
examples/ipsec-secgw/ipsec.c.

Definition at line 237 of file rte_security.h.

◆ ip_reassembly_en

uint32_t ip_reassembly_en

Enable IP reassembly on inline inbound packets.

  • 1: Enable the driver to try reassembly of encrypted IP packets for this SA, if supported by the driver. This feature works only if the user has successfully set the IP reassembly config params using rte_eth_ip_reassembly_conf_set() for the inline Ethernet device. The PMD needs to register mbuf dynamic fields using rte_eth_ip_reassembly_dynfield_register(), and security session creation fails if the dynfield is not registered successfully.
  • 0: Disable IP reassembly of packets (default).
Examples:
examples/ipsec-secgw/ipsec.c.

Definition at line 250 of file rte_security.h.

◆ ingress_oop

uint32_t ingress_oop

Enable out of place processing on inline inbound packets.

  • 1: Enable the driver to perform out-of-place (OOP) processing for this inline inbound SA, if supported by the driver. The PMD needs to register an mbuf dynamic field using rte_security_oop_dynfield_register(), and security session creation fails if the dynfield is not registered successfully.
  • 0: Disable OOP processing for this session (default).

Definition at line 261 of file rte_security.h.
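
The following is an added example, not DPDK code: a pre-flight audit of SA option flags against the constraints documented above (inline sessions need PMD IV generation; ip_reassembly_en and ingress_oop apply to inline inbound SAs) plus a hardening policy for inbound verification and ESN. The `sa_opts` mirror struct, `sa_ctx`, the `F_*` finding bits and the policy itself are assumptions of this example; treating `tunnel_hdr_verify == 0` as "no verification" is also an assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Local stand-in for the audited fields of rte_security_ipsec_sa_options so
 * this builds without DPDK; a real application includes <rte_security.h>. */
struct sa_opts {
	uint32_t esn : 1, udp_encap : 1, iv_gen_disable : 1;
	uint32_t tunnel_hdr_verify : 2, udp_ports_verify : 1;
	uint32_t ip_reassembly_en : 1, ingress_oop : 1;
};

/* Hypothetical description of the session the options are applied to. */
struct sa_ctx { bool inbound, inline_proto, tunnel; };

enum { /* finding bits; names and policy belong to this example */
	F_NO_ESN = 1 << 0,         /* normal (non-extended) sequence numbers */
	F_NO_TUN_VERIFY = 1 << 1,  /* inbound tunnel, outer addresses unchecked */
	F_NO_PORT_VERIFY = 1 << 2, /* inbound UDP encap, ports not matched */
	F_IV_ON_INLINE = 1 << 3,   /* iv_gen_disable set on an inline session */
	F_INLINE_RX_ONLY = 1 << 4, /* reassembly/OOP outside inline inbound */
};

uint32_t audit_sa_opts(const struct sa_opts *o, const struct sa_ctx *c)
{
	uint32_t f = 0;
	if (!o->esn)
		f |= F_NO_ESN;
	if (c->inbound && c->tunnel && o->tunnel_hdr_verify == 0)
		f |= F_NO_TUN_VERIFY;
	if (c->inbound && o->udp_encap && !o->udp_ports_verify)
		f |= F_NO_PORT_VERIFY;
	if (c->inline_proto && o->iv_gen_disable) /* inline: PMD handles IVs */
		f |= F_IV_ON_INLINE;
	if ((o->ip_reassembly_en || o->ingress_oop) &&
	    !(c->inbound && c->inline_proto)) /* documented for inline inbound */
		f |= F_INLINE_RX_ONLY;
	return f;
}

int main(void)
{
	/* Constructed sample: inline inbound tunnel SA with weak options. */
	struct sa_ctx ctx = { .inbound = true, .inline_proto = true, .tunnel = true };
	struct sa_opts o = { .udp_encap = 1, .iv_gen_disable = 1 };

	printf("findings: 0x%02x\n", (unsigned)audit_sa_opts(&o, &ctx));
	return 0;
}
```

Run a check like this before session creation and log the returned bits, so a weak or inconsistent option set is caught in review rather than at the PMD.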


The documentation for this struct was generated from the following file: