public inbox for virtio-comment@lists.linux.dev
From: Srujana Challa <schalla@marvell.com>
To: <virtio-comment@lists.linux.dev>
Cc: <mst@redhat.com>, <pabeni@redhat.com>, <jasowang@redhat.com>,
	<parav@nvidia.com>, <sburla@marvell.com>,
	<ndabilpuram@marvell.com>, <jerinj@marvell.com>,
	<schalla@marvell.com>
Subject: [PATCH RFC 1/4] virtio-net: Add IPsec operation, capabilities and resource objects
Date: Mon, 16 Dec 2024 16:18:56 +0530	[thread overview]
Message-ID: <20241216104859.2720719-2-schalla@marvell.com> (raw)
In-Reply-To: <20241216104859.2720719-1-schalla@marvell.com>

This commit introduces the IPsec Operation to the Net device
along with the capabilities and resource objects. This enables
the offloading of IPsec processing, both before transmission
and after reception, thereby providing inline offload
capabilities.

Capabilities:

1. IPsec Resource Capability (VIRTIO_CRYPTO_IPSEC_RESOURCE_CAP):
   Indicates the device's IPsec resource limits, such as the number of
   encryption and decryption Security Associations (SAs).
2. IPsec SA Capability (VIRTIO_CRYPTO_IPSEC_SA_CAP): Specifies the
   supported IPsec modes, along with the supported cryptographic
   algorithms, authentication algorithms, IPsec options and
   anti-replay window size.

Resource objects:
1. VIRTIO_NET_RESOURCE_OBJ_IPSEC_OUTB_SA
2. VIRTIO_NET_RESOURCE_OBJ_IPSEC_INB_SA

These IPsec SA resource objects encompass parameters necessary
for packet encryption and decryption. These include the SPI,
tunnel headers, IPsec mode, IPsec options, and data specific to cipher
and authentication.

This patch refers to the Virtio-crypto IPsec service operation
capabilities and resource objects data structures and crypto algorithm
definitions to avoid duplication; however, the admin command type value
differs between Virtio-crypto and Virtio-net.

Signed-off-by: Srujana Challa <schalla@marvell.com>
---
 device-types/net/description.tex | 47 ++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)

diff --git a/device-types/net/description.tex b/device-types/net/description.tex
index b2a0d39..2a5f635 100644
--- a/device-types/net/description.tex
+++ b/device-types/net/description.tex
@@ -415,6 +415,10 @@ \subsection{Device and driver capabilities}\label{sec:Device Types / Network Dev
 \hline
 0x0802 & \hyperref[par:Device Types / Network Device / Device Operation / Flow filter / Device and driver capabilities / VIRTIO-NET-FF-ACTION-CAP]{VIRTIO_NET_FF_ACTION_CAP} & Flow filter action capability \\
 \hline
+0x0803 & \hyperref[par:Device Types / Crypto Device / Device Operation / IPsec Service Operation / Device and driver capabilities / VIRTIO-CRYPTO-IPSEC-RESOURCE-CAP]{VIRTIO_NET_IPSEC_RESOURCE_CAP} & IPsec resource capability \\
+\hline
+0x0804 & \hyperref[par:Device Types / Crypto Device / Device Operation / IPsec Service Operation / Device and driver capabilities / VIRTIO-CRYPTO-IPSEC-SA-CAP]{VIRTIO_NET_IPSEC_SA_CAP} & IPsec Security Association(SA) capability \\
+\hline
 \end{tabularx}
 
 \subsection{Device resource objects}\label{sec:Device Types / Network Device / Device resource objects}
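Review bot: the two new capability rows (0x0803, 0x0804) display VIRTIO_NET_* names but link to Crypto Device labels (`par:Device Types / Crypto Device / ... / VIRTIO-CRYPTO-IPSEC-RESOURCE-CAP` and `.../VIRTIO-CRYPTO-IPSEC-SA-CAP`), so a reader following VIRTIO_NET_IPSEC_RESOURCE_CAP lands in the crypto device section with no hint that the admin command type value differs for virtio-net, which the commit message itself says it does. Point the rows at the Network Device paragraph this same patch adds (`par:Device Types / Network Device / Device Operation / IPsec Operation / Device and driver capabilities`) and let that paragraph state the net-specific values before deferring to the crypto section for the structure layouts. The 0x0804 row is also missing a space in "Security Association(SA)".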
@@ -431,6 +435,10 @@ \subsection{Device resource objects}\label{sec:Device Types / Network Device / D
 \hline
 0x0202 & \hyperref[par:Device Types / Network Device / Device Operation / Flow filter / Resource objects / VIRTIO-NET-RESOURCE-OBJ-FF-RULE]{VIRTIO_NET_RESOURCE_OBJ_FF_RULE} & Flow filter rule object \\
 \hline
+0x0203 & \hyperref[par:Device Types / Crypto Device / Device Operation / IPsec Service Operation / Resource objects / VIRTIO-CRYPTO-RESOURCE-OBJ-IPSEC-OUTBOUND-SA]{VIRTIO_NET_RESOURCE_OBJ_IPSEC_OUTB_SA} & IPsec outbound SA resource object \\
+\hline
+0x0204 & \hyperref[par:Device Types / Crypto Device / Device Operation / IPsec Service Operation / Resource objects / VIRTIO-CRYPTO-RESOURCE-OBJ-IPSEC-INBOUND-SA]{VIRTIO_NET_RESOURCE_OBJ_IPSEC_INB_SA} & IPsec inbound SA resource object \\
+\hline
 \end{tabularx}
 
 \subsection{Device Operation}\label{sec:Device Types / Network Device / Device Operation}
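Review bot: the resource object rows 0x0203 and 0x0204 have the same cross-reference problem: they link to the crypto device labels `VIRTIO-CRYPTO-RESOURCE-OBJ-IPSEC-OUTBOUND-SA` / `...-INBOUND-SA`, while the net spec's own `par:Device Types / Network Device / Device Operation / IPsec Operation / Resource objects` paragraph added in the third hunk is referenced by nothing. Link the rows to the net paragraph, which should give the net-side object type values and only then refer to the crypto structure layouts. The net names also abbreviate differently from the labels they resolve to (`_OUTB_SA` / `_INB_SA` versus `OUTBOUND-SA` / `INBOUND-SA`); keeping one spelling would make the cross-reference easier to follow.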
@@ -3020,6 +3028,45 @@ \subsubsection{Flow filter}\label{sec:Device Types / Network Device / Device Ope
 capability and the classifier object, unless the VIRTIO_NET_FF_MASK_F_PARTIAL_MASK
 is enabled.
 
+\subsubsection{IPsec Operation}\label{sec:Device Types / Network Device / Device Operation / IPsec Operation}
+
+A network device can support the programming of IPsec Security Associations (SAs).
+In addition to standard packet processing, the IPsec protocol processing is also
+offloaded to the network device. This offloading occurs both pre-transmit and
+post-receive, providing inline offload capabilities.
+
+IPsec Inbound processing: In receive path the device will perform decryption,
+authentication, integrity checking and remove additional headers, including
+tunnel headers if in tunnel mode, as well as the ESP/AH header from the packet.
+The resulting packet contains only the plain data.
+
+IPsec Outbound processing: In transmit path the device will perform encryption,
+attach ICV, update/add IP headers and add ESP/AH headers/trailers to the packet
+and transmit.
+
+\paragraph{Device and driver capabilities}
+\label{par:Device Types / Network Device / Device Operation / IPsec Operation / Device and driver capabilities}
+
+The device and the driver indicate IPsec SA resource limits using the capability
+\hyperref[par:Device Types / Crypto Device / Device Operation / IPsec Service Operation / Device and driver capabilities / VIRTIO-CRYPTO-IPSEC-RESOURCE-CAP]{VIRTIO_NET_IPSEC_RESOURCE_CAP}
+The \hyperref[par:Device Types / Crypto Device / Device Operation / IPsec Service Operation / Device and driver capabilities / VIRTIO-CRYPTO-IPSEC-SA-CAP]{VIRTIO_NET_IPSEC_SA_CAP}
+capability specifies which IPsec protocol capabilities the device supports. The driver indicates
+the IPsec parameters by setting the IPsec SA capability prior to adding any resource objects.
+
+\paragraph{Resource objects}
+\label{par:Device Types / Network Device / Device Operation / IPsec Operation / Resource objects}
+
+The driver controls the IPsec SA resource objects using administration commands described in
+\ref{sec:Basic Facilities of a Virtio Device / Device groups / Group administration commands / Device resource objects}.
+
+The IPsec SA resource objects encompass crucial parameters necessary for packet
+encryption and decryption. These include the SPI, tunnel headers, IPsec mode,
+IPsec options, and data specific to cipher and authentication.
+
+See \hyperref[par:Device Types / Crypto Device / Device Operation / IPsec Service Operation / Resource objects / VIRTIO-CRYPTO-RESOURCE-OBJ-IPSEC-OUTBOUND-SA]{VIRTIO_NET_RESOURCE_OBJ_IPSEC_OUTB_SA}.
+
+See \hyperref[par:Device Types / Crypto Device / Device Operation / IPsec Service Operation / Resource objects / VIRTIO-CRYPTO-RESOURCE-OBJ-IPSEC-INBOUND-SA]{VIRTIO_NET_RESOURCE_OBJ_IPSEC_INB_SA}.
+
 \subsubsection{Legacy Interface: Framing Requirements}\label{sec:Device
 Types / Network Device / Legacy Interface: Framing Requirements}
 
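Review bot: the inbound processing text does not say what the device does when decryption, authentication or integrity checking fails, which is the security-relevant case for an inline offload: the spec should state whether such a packet is dropped by the device or delivered to the driver with the failure indicated (the virtio_net_hdr changes in patch 3/4 of this series would be the natural place for the indication), and anti-replay checking is absent from the receive-path list even though the SA capability advertises an anti-replay window size. Smaller points in the same hunk: "perform encryption, attach ICV ... add ESP/AH headers/trailers" conflates the two protocols, since AH provides integrity only and no encryption, so the inbound and outbound sentences should be split per protocol; the sentence ending in the VIRTIO_NET_IPSEC_RESOURCE_CAP hyperref has no terminating period before "The ..."; and "The driver indicates the IPsec parameters by setting the IPsec SA capability prior to adding any resource objects" is a normative requirement written as description, so it belongs in the driver requirements with MUST/SHOULD wording rather than here.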
-- 
2.25.1


Thread overview: 14+ messages
2024-12-16 10:48 [PATCH RFC 0/4] introduce IPsec Operation in virtio-net Srujana Challa
2024-12-16 10:48 ` Srujana Challa [this message]
2025-01-06  5:37   ` [PATCH RFC 1/4] virtio-net: Add IPsec operation, capabilities and resource objects Parav Pandit
2025-01-07 10:09     ` Srujana Challa
2024-12-16 10:48 ` [PATCH RFC 2/4] virtio-net: Add new flow filter selector and action for IPsec Srujana Challa
2025-01-06  5:37   ` Parav Pandit
2025-01-10  6:56     ` Srujana Challa
2024-12-16 10:48 ` [PATCH RFC 3/4] virtio-net: updates to virtio_net_hdr for IPsec support Srujana Challa
2025-01-06  5:37   ` Parav Pandit
2025-01-08 10:27     ` Srujana Challa
2025-01-08 13:56       ` Parav Pandit
2024-12-16 10:48 ` [PATCH RFC 4/4] virtio-net: Add IPsec operation device and driver requirements Srujana Challa
2025-01-06  5:37   ` Parav Pandit
2025-01-07 10:20     ` Srujana Challa
