Overview

Fast Path IPsec SVTI - XFRMI provides XFRMI support in the fast path.

XFRMI interfaces are generic virtual interfaces ensuring IPsec transformation. They are used to configure route-based VPNs.

XFRMI interfaces handle their own SPD and SAD.

Outgoing traffic routed through an XFRMI interface is submitted to a security policy lookup against the XFRMI interface’s own SPD. When a matching SP is found, the traffic is encrypted using an SA from the interface’s own SAD that matches the SP; if no SP matches, the traffic is dropped.

Incoming IPsec-encrypted traffic is first decrypted with the right SA. If the SA is bound to an XFRMI interface (via an XFRMI id), it is then submitted to a security policy check against the XFRMI interface’s own SPD. If the packet is granted access, the decrypted traffic is received via the XFRMI interface.

Features

  • IPsec security policy check against the XFRMI interface’s SPD for outbound traffic routed via an XFRMI interface.

  • IPsec security policy check against the XFRMI interface’s SPD for inbound IPsec decrypted packets whose IPsec outer headers match an XFRMI tunnel.

  • Possibility to tunnel IPv4 and IPv6 through the same interface.

  • Support of XFRM mode tunnel.

  • Compatibility with VRF processing (the encrypted and plaintext traffic may be in a VR other than vrf0).

  • Cross-VRF processing (the encrypted and plaintext traffic may be in different VRs, the XFRMI interface performs the VR transition).
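The route-based setup described above, as an added example written for this page rather than taken from the 6WINDGate documentation: the Linux iproute2 commands that create an XFRMI interface and bind one SA pair and its SPs to it through `if_id`. Addresses, SPIs and the key are constructed placeholders, and `eth0` is an assumed underlay device.

```shell
#!/bin/sh
# Route-based IPsec VPN on a Linux XFRMI interface (constructed example).
# Dry run by default: the commands are printed, not executed. Run with IP=ip
# as root on a kernel >= 4.19 to apply them.
IP="${IP:-echo ip}"

# Constructed addresses, SPIs and key: replace before real use.
LOCAL_GW=192.0.2.1          # local tunnel endpoint (outer address)
REMOTE_GW=198.51.100.1      # remote tunnel endpoint (outer address)
LOCAL_NET=10.0.1.0/24       # plaintext subnet behind this gateway
REMOTE_NET=10.0.2.0/24      # plaintext subnet behind the peer
SPI_OUT=0x1000
SPI_IN=0x2000
# AES-128-GCM key for rfc4106: 16-byte key + 4-byte salt, hex (placeholder)
KEY=0x0102030405060708090a0b0c0d0e0f101112131415

# xfrmi_setup IFNAME IF_ID UNDERLAY_DEV
# Creates the XFRMI interface and binds SAs and SPs to it with if_id, so
# these entries form the interface's own SAD/SPD rather than the global ones.
xfrmi_setup() {
    ifname=$1 if_id=$2 dev=$3

    # 1. The virtual interface; if_id is what ties SAs and SPs to it.
    $IP link add "$ifname" type xfrm dev "$dev" if_id "$if_id"
    $IP link set "$ifname" up

    # 2. SAD entries bound to the interface (tunnel mode, one per direction).
    $IP xfrm state add src "$LOCAL_GW" dst "$REMOTE_GW" proto esp spi "$SPI_OUT" \
        mode tunnel if_id "$if_id" aead 'rfc4106(gcm(aes))' "$KEY" 128
    $IP xfrm state add src "$REMOTE_GW" dst "$LOCAL_GW" proto esp spi "$SPI_IN" \
        mode tunnel if_id "$if_id" aead 'rfc4106(gcm(aes))' "$KEY" 128

    # 3. SPD entries for this interface only: "out" for traffic routed through
    #    it, "in"/"fwd" for decrypted traffic delivered locally or forwarded.
    #    IPv6 SPs/SAs can be added with the same if_id to share the interface.
    $IP xfrm policy add src "$LOCAL_NET" dst "$REMOTE_NET" dir out if_id "$if_id" \
        tmpl src "$LOCAL_GW" dst "$REMOTE_GW" proto esp mode tunnel
    for dir in in fwd; do
        $IP xfrm policy add src "$REMOTE_NET" dst "$LOCAL_NET" dir "$dir" if_id "$if_id" \
            tmpl src "$REMOTE_GW" dst "$LOCAL_GW" proto esp mode tunnel
    done

    # 4. Route-based: the route into the interface, not a global SP selector,
    #    decides which traffic reaches this SPD and gets encrypted.
    $IP route add "$REMOTE_NET" dev "$ifname"
}

xfrmi_setup ipsec0 42 eth0
```

Traffic for a destination not routed via `ipsec0` never consults this SPD, and traffic routed via it with no matching SP is dropped, which is the behaviour described in the overview.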

Dependencies

6WINDGate modules

Linux

  • XFRMI is a kernel patch (upstream 4.19).

  • Another kernel patch fixes cross-netns XFRMI in upstream 5.0 (backport in 4.19.31).