Decryption Path

IPsec_GW Reference Pipeline User Guide (UG1671)

Document ID
UG1671
Release Date
2024-02-15
Revision
1.1 English

Packet paths for encryption and decryption follow P4 Ingress to P4 Egress pipelines.

For the Decryption path, where a packet comes in from the uplink encrypted, the packet gets decrypted in P4I. The decrypted packet goes to P4E where it is validated, and can be sent directly to the uplink interface, or can be sent back to the P4 pipeline for a 'flow lookup' on inner packet-header fields for additional services such as packet rewrites, SDN policy offload, flow offloads, NAT, stateful firewall, or observability. See the following figure.

Figure 1. Additional Services

Below is the path taken in the P4 pipeline to perform IPsec decryption:

Ingress
lif → p4i_init → nacl → ipsec_decrypt_sa_lookup → tunnel → ipsec_decrypt → inter_pipe → Egress
Egress
p4e_init → ipsec_decrypt → nexthop → checksum → inter_pipe → Out

The following applies:

  • On tunnel creation, an entry needs to be created in ipsec_decrypt_sa_lookup with a 3-tuple containing the tunnel source/destination IP and security parameter index (SPI).
  • The IPsec decrypt SA index and tunnel info are derived from this ipsec_decrypt_sa_lookup hash table.
  • Based on the SA index, the IPsec decrypt info is derived in the ipsec_decrypt table and passed to the deparser.
  • The deparser gets instruction from the P4 pipeline, sets the IPsec_info_valid bit, and populates the IPsec_info. The modified packet is sent to the Inline IPsec engine.
  • The inline IPsec engine decrypts the encrypted payload and validates the ESP authentication trailer. A new sideband signal is added to carry the Integrity Check Value (ICV) Check Status back to the P4 Pipeline via the Packet Buffer.
  • The decrypted packet goes to P4E for further processing. The parser extracts and passes the icv check status to the P4 Pipeline. The IPsec_info, ESP header and trailer, and ESP authentication trailer are removed by the Deparser. The IPsec_info_valid bit is cleared by the Deparser.
  • The IP protocol is extracted from the ESP trailer next header field, and the reconstructed packet is sent to the designated uplink port.