Overview
Fast Path IPsec IPv4 provides IPv4 IPsec processing in the fast path.
Features

- FPN-SDK crypto API support to enable the crypto processor
- AH and ESP support
- Transport, tunnel and BEET mode support
- Classifier and hash tables to improve IPsec lookup
- Handover of packets originated by the Linux stack to fast path IPsec
- Per-SA parameter to control copying of DSCP
- Partial dump of the SAD
- Anti-replay window and output sequence number synchronization (multiple fast paths only)
- Extended Sequence Number (ESN) and large anti-replay window as described by RFCs 4302, 4303 and 4304
- IPsec 6in4/4in6 tunnel support
- IPsec NAT-T (NAT traversal) support
- Offload of cryptographic operations to idle fast path cores

Supported algorithms
The following algorithms are supported by the fast path stack using ip xfrm
commands or during the IKE phase 2:

| Encryption algorithm | Generic software | Intel Multi Buffer | Intel QAT | Cavium Octeon |
|---|---|---|---|---|
| NULL | Supported | Supported | Supported | Supported |
| DES-CBC | Supported | Software fallback | Supported | Supported |
| 3DES-CBC | Supported | Software fallback | Supported | Supported |
| AES-CBC (128/192/256) | Supported | Supported | Supported | Supported |
| AES-GCM-128 (128/192/256) | Supported | Supported | Supported | Not supported |

| Authentication algorithm | Generic software | Intel Multi Buffer | Intel QAT | Cavium Octeon |
|---|---|---|---|---|
| NULL | Supported | Supported | Supported | Supported |
| HMAC-MD5-96 | Supported | Supported | Supported | Supported |
| HMAC-SHA1-96 | Supported | Supported | Supported | Supported |
| HMAC-SHA2-256-128 | Supported | Supported | Supported | Supported |
| HMAC-SHA2-384-192 | Supported | Supported | Supported | Supported |
| HMAC-SHA2-512-256 | Supported | Supported | Supported | Supported |
| AES-XCBC-96 | Supported | Supported | Supported | Supported |
| AES-GMAC-128 | Supported | Supported | Supported | Not supported |

Dependencies
6WINDGate modules
Linux

- Control of DSCP copy in the tunnel header is a kernel patch (upstream 3.10). Without this patch, DSCP is always copied to the outer header.
  http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a947b0a93efa
- Partial dump of the Linux SA database is a kernel patch. Without this patch, the whole SAD is dumped.
  http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d3623099d350
- ESN and large anti-replay window support are available since kernel version 2.6.39.
- ESN and large anti-replay window static configuration is an iproute2 patch.
  https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=0151b56d1029
- IPsec output delegation is available since kernel version 4.20.
  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=02b408fae3d5
- SVTI IPsec output delegation is available since kernel version 5.5.
  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=95224166a903
  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f042365dbffe
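
The per-SA settings named in this section (DSCP copy control, ESN and a large anti-replay window) are given on the `ip xfrm state add` command line. The following added example, which is not part of the product documentation, prints such commands for an AES-GCM ESP tunnel SA pair; the helper name `sa_cmd`, the addresses, SPIs and keymat are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the product documentation. Addresses, SPIs and
# keymat below are constructed sample values; never reuse them.

# sa_cmd SRC DST SPI WINDOW ESN COPY_DSCP KEYMAT
# Prints one `ip xfrm state add` command for an ESP tunnel-mode SA.
#   WINDOW     anti-replay window size, in packets
#   ESN        yes|no; yes adds "flag esn"
#   COPY_DSCP  yes|no; no adds "extra-flag dont-encap-dscp"
#   KEYMAT     AES-GCM key plus 4-byte salt (RFC 4106), as 0x-prefixed hex
sa_cmd() {
    src=$1; dst=$2; spi=$3; window=$4; esn=$5; copy_dscp=$6; keymat=$7
    case $window in
        ''|*[!0-9]*) echo "sa_cmd: replay-window must be a number" >&2; return 2 ;;
    esac
    opts="replay-window $window"
    if [ "$esn" = yes ]; then
        # A receiver infers the upper 32 sequence bits relative to its
        # replay window (RFC 4303, Appendix A), so ESN needs a window.
        if [ "$window" -eq 0 ]; then
            echo "sa_cmd: ESN requires a non-zero replay-window" >&2; return 2
        fi
        opts="$opts flag esn"
    fi
    if [ "$copy_dscp" = no ]; then
        # Do not copy the inner DSCP into the outer tunnel header.
        opts="$opts extra-flag dont-encap-dscp"
    fi
    # Trailing 128 is the ICV length in bits.
    printf 'ip xfrm state add src %s dst %s proto esp spi %s mode tunnel %s aead "rfc4106(gcm(aes))" %s 128\n' \
        "$src" "$dst" "$spi" "$opts" "$keymat"
}

# Dry run for both directions. Each SA has its own keymat: sharing one
# AES-GCM key and salt between SAs risks nonce reuse.
KEY_OUT=0x000102030405060708090a0b0c0d0e0f10111213   # constructed
KEY_IN=0x202122232425262728292a2b2c2d2e2f30313233    # constructed
sa_cmd 192.0.2.1 192.0.2.2 0x1001 1024 yes no "$KEY_OUT"
sa_cmd 192.0.2.2 192.0.2.1 0x1002 1024 yes no "$KEY_IN"
```

The script only prints the commands; after substituting real keymat, run them as root on a host whose kernel and iproute2 meet the versions listed above.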