On Mon, Aug 28, 2023 at 11:53 PM Alexander Kozyrev <akozy...@nvidia.com> wrote:
>
> Support the IP Encapsulating Security Payload (ESP) in transport mode.
As per IPSEC ESP RFC 4303, for both tunnel mode or transport mode,
next proto 50, so we cannot identify a packet is for tunnel mode or
transport mode by just packet parsing.
Am I missing something ?
>
> Signed-off-by: Alexander Kozyrev <akozy...@nvidia.com>
> Acked-by: Morten Brørup <m...@smartsharesystems.com>
> ---
> lib/mbuf/rte_mbuf_ptype.h | 36 ++++++++++++++++++++++++++++++------
> 1 file changed, 30 insertions(+), 6 deletions(-)
>
> diff --git a/lib/mbuf/rte_mbuf_ptype.h b/lib/mbuf/rte_mbuf_ptype.h
> index 17a2dd3576..cdd6fd460e 100644
> --- a/lib/mbuf/rte_mbuf_ptype.h
> +++ b/lib/mbuf/rte_mbuf_ptype.h
> @@ -247,7 +247,7 @@ extern "C" {
> * It refers to those packets of any IP types, which can be recognized as
> * fragmented. A fragmented packet cannot be recognized as any other L4 types
> * (RTE_PTYPE_L4_TCP, RTE_PTYPE_L4_UDP, RTE_PTYPE_L4_SCTP, RTE_PTYPE_L4_ICMP,
> - * RTE_PTYPE_L4_NONFRAG).
> + * RTE_PTYPE_L4_NONFRAG, RTE_PTYPE_L4_IGMP, RTE_PTYPE_L4_ESP).
> *
> * Packet format:
> * <'ether type'=0x0800
> @@ -290,14 +290,15 @@ extern "C" {
> *
> * It refers to those packets of any IP types, while cannot be recognized as
> * any of above L4 types (RTE_PTYPE_L4_TCP, RTE_PTYPE_L4_UDP,
> - * RTE_PTYPE_L4_FRAG, RTE_PTYPE_L4_SCTP, RTE_PTYPE_L4_ICMP).
> + * RTE_PTYPE_L4_FRAG (for IPv6), RTE_PTYPE_L4_SCTP, RTE_PTYPE_L4_ICMP,
> + * RTE_PTYPE_L4_IGMP (for IPv4), RTE_PTYPE_L4_ESP).
> *
> * Packet format:
> * <'ether type'=0x0800
> - * | 'version'=4, 'protocol'!=[6|17|132|1], 'MF'=0, 'frag_offset'=0>
> + * | 'version'=4, 'protocol'!=[1|2|6|17|50|132], 'MF'=0, 'frag_offset'=0>
> * or,
> * <'ether type'=0x86DD
> - * | 'version'=6, 'next header'!=[6|17|44|132|1]>
> + * | 'version'=6, 'next header'!=[1|6|17|44|50|132]>
> */
> #define RTE_PTYPE_L4_NONFRAG 0x00000600
> /**
> @@ -308,6 +309,17 @@ extern "C" {
> * | 'version'=4, 'protocol'=2, 'MF'=0, 'frag_offset'=0>
> */
> #define RTE_PTYPE_L4_IGMP 0x00000700
> +/**
> + * ESP (IP Encapsulating Security Payload) transport packet type.
> + *
> + * Packet format:
> + * <'ether type'=0x0800
> + * | 'version'=4, 'protocol'=50, 'MF'=0, 'frag_offset'=0>
> + * or,
> + * <'ether type'=0x86DD
> + * | 'version'=6, 'next header'=50>
> + */
> +#define RTE_PTYPE_L4_ESP 0x00000800
Currently there is already a PTYPE `RTE_PTYPE_TUNNEL_ESP` being used
by all drivers / ipsec-secgw to indicate ESP packet. So why is this
needed ?
There is also a documentation issue with `RTE_PTYPE_TUNNEL_ESP` where
it indicates next-proto of 51 but it should have been 50.
next-proto of 51 is for IPSEC AH.
> /**
> * Mask of layer 4 packet types.
> * It is used for outer packet for tunneling cases.
> @@ -652,12 +664,24 @@ extern "C" {
> *
> * Packet format (inner only):
> * <'ether type'=0x0800
> - * | 'version'=4, 'protocol'!=[6|17|132|1], 'MF'=0, 'frag_offset'=0>
> + * | 'version'=4, 'protocol'!=[1|6|17|50|132], 'MF'=0, 'frag_offset'=0>
> * or,
> * <'ether type'=0x86DD
> - * | 'version'=6, 'next header'!=[6|17|44|132|1]>
> + * | 'version'=6, 'next header'!=[1|6|17|44|50|132]>
> */
> #define RTE_PTYPE_INNER_L4_NONFRAG 0x06000000
> +/**
> + * ESP (IP Encapsulating Security Payload) transport packet type.
> + * It is used for inner packet only.
> + *
> + * Packet format (inner only):
> + * <'ether type'=0x0800
> + * | 'version'=4, 'protocol'=50, 'MF'=0, 'frag_offset'=0>
> + * or,
> + * <'ether type'=0x86DD
> + * | 'version'=6, 'next header'=50>
> + */
> +#define RTE_PTYPE_INNER_L4_ESP 0x08000000
> /**
> * Mask of inner layer 4 packet types.
> */
> --
> 2.18.2
>
