[dpdk-dev] [EXT] [PATCH v4 02/10] security: add UDP params for IPsec NAT-T

Hemant Agrawal hemant.agrawal at oss.nxp.com
Fri Sep 24 11:11:39 CEST 2021

Previous message (by thread): [dpdk-dev] [EXT] [PATCH v4 02/10] security: add UDP params for IPsec NAT-T
Next message (by thread): [dpdk-dev] [EXT] [PATCH v4 02/10] security: add UDP params for IPsec NAT-T
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 9/6/2021 4:39 PM, Nicolau, Radu wrote:
>
> On 9/5/2021 3:19 PM, Akhil Goyal wrote:
>> Hi Radu,
>>
>>> Add support for specifying UDP port params for UDP encapsulation 
>>> option.
>>>
>>> Signed-off-by: Declan Doherty <declan.doherty at intel.com>
>>> Signed-off-by: Radu Nicolau <radu.nicolau at intel.com>
>>> Signed-off-by: Abhijit Sinha <abhijit.sinha at intel.com>
>>> Signed-off-by: Daniel Martin Buckley <daniel.m.buckley at intel.com>
>> Do we really need to specify the port numbers for NAT-T?
>> I suppose they are fixed as 4500.
>> Could you please specify what the user need to set here for session
>> creation?
>
> From what I'm seeing here 
> https://datatracker.ietf.org/doc/html/rfc3948#section-2.1 there is no 
> requirement in general for UDP encapsulation so I think it's better to 
> make the API flexible as to allow any port to be used.


This section states that :

o  the Source Port and Destination Port MUST be the same as that used by IKE traffic,

IKE usages port 4500

am I missing something?

>
>
>>
>>> ---
>>>   lib/security/rte_security.h | 8 ++++++++
>>>   1 file changed, 8 insertions(+)
>>>
>>> diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
>>> index 45896a77d0..03572b10ab 100644
>>> --- a/lib/security/rte_security.h
>>> +++ b/lib/security/rte_security.h
>>> @@ -112,6 +112,12 @@ struct rte_security_ipsec_tunnel_param {
>>>       };
>>>   };
>>>
>>> +struct rte_security_ipsec_udp_param {
>>> +
>>> +    uint16_t sport;
>>> +    uint16_t dport;
>>> +};
>>> +
>>>   /**
>>>    * IPsec Security Association option flags
>>>    */
>>> @@ -224,6 +230,8 @@ struct rte_security_ipsec_xform {
>>>       /**< IPsec SA Mode - transport/tunnel */
>>>       struct rte_security_ipsec_tunnel_param tunnel;
>>>       /**< Tunnel parameters, NULL for transport mode */
>>> +    struct rte_security_ipsec_udp_param udp;
>>> +    /**< UDP parameters, ignored when udp_encap option not specified
>>> */
>>>       uint64_t esn_soft_limit;
>>>       /**< ESN for which the overflow event need to be raised */
>>>       uint32_t replay_win_sz;
>>> -- 
>>> 2.25.1

Previous message (by thread): [dpdk-dev] [EXT] [PATCH v4 02/10] security: add UDP params for IPsec NAT-T
Next message (by thread): [dpdk-dev] [EXT] [PATCH v4 02/10] security: add UDP params for IPsec NAT-T
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the dev mailing list