IPsec_GW Reference Pipeline User Guide (UG1671)

Document ID: UG1671 | Release Date: | Version 1.1, English

The Elba DPU has the following inline IPsec encryption/decryption features:

  • Programmable AES-GCM inline encryption/decryption offload support in P4-Ingress and P4-Egress pipelines.
  • Supports ESP (Encapsulating Security Payload) and AH (Authentication Header) protocols.
  • The Inline-crypto blocks (IS block) are positioned next to the P4I and P4E engines. There is one IS block after P4I (between the P4I deparser and PB), and another identical IS block after P4E (between the P4E deparser and PB).
  • P4I and P4E can access these engines for inline, line-rate encryption. The IS block supports AES-GCM with 128-bit or 256-bit symmetric keys for IPsec and DTLS-like packet-based encryption use cases. The packet stays in the packet buffer while the IS block encrypts or decrypts it in place, so no redirection or copy to memory is required.

The IPsec_GW reference pipeline demonstrates the following features:

  • Supports IPsec fragmentation/reassembly and idle aging of IPsec reassembly state.
  • Supports UDP encapsulation (can be enabled/disabled).
  • Implements stateless IPsec, and supports both IPsec-tunnel and IPsec-transport modes. IPsec mode is configurable per tunnel.
  • Both IPsec tunnel and transport modes use the ESP protocol.
  • For encryption, the tunnel index is derived from the packet's VLAN ID. The tunnel table entry holds the IPsec mode and the Encrypt-SA index used to encrypt the packet.
  • For decryption, dp-app must program a static entry for each tunnel in the IPsec_decrypt_sa_lookup table; packets whose tunnel has no entry cannot be decrypted.
  • VXLAN and IPv6 packets are not supported in the IPsec_GW reference pipeline and are dropped in the P4 pipeline.
  • Encryption of already-encapsulated packets, anti-replay, and 64-bit ESN support are not implemented or verified.
  • Flow-based forwarding is not supported.
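The following Python model is an added illustration of the control logic described above (it is not the reference pipeline's P4 or dp-app code): encrypt-side SA selection keyed by VLAN ID, decrypt-side selection from a statically programmed SA table, the per-tunnel tunnel/transport header layout, the UDP-encapsulation toggle, and the drops for IPv6/VXLAN and for tunnels without a decrypt entry. The decrypt lookup key `(dst_ip, spi)`, the UDP port 4500 (standard UDP-encapsulated ESP, not stated in the guide) and all table contents are assumptions or constructed samples.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

IPPROTO_ESP = 50
IPPROTO_UDP = 17
UDP_ESP_PORT = 4500  # UDP-encapsulated ESP port (RFC 3948); assumed, not from the guide

@dataclass
class TunnelEntry:
    mode: str          # "tunnel" or "transport", configurable per tunnel
    encrypt_sa: int    # Encrypt-SA index handed to the IS block

class IpsecGwModel:
    """tunnel_table: VLAN ID -> TunnelEntry; decrypt_sa: (dst_ip, spi) -> (sa_index, mode) (assumed key)."""
    def __init__(self, tunnel_table: Dict[int, TunnelEntry],
                 decrypt_sa: Dict[Tuple[str, int], Tuple[int, str]], udp_encap: bool = True):
        self.tunnel_table = tunnel_table
        self.decrypt_sa = decrypt_sa
        self.udp_encap = udp_encap      # UDP encapsulation can be enabled/disabled

    def process(self, pkt: dict) -> dict:
        # VXLAN and IPv6 are not supported by the reference pipeline and are dropped in P4.
        if pkt.get("ip_version", 4) != 4 or pkt.get("vxlan", False):
            return {"action": "drop", "reason": "unsupported encapsulation"}
        is_esp = pkt.get("proto") == IPPROTO_ESP
        is_udp_esp = pkt.get("proto") == IPPROTO_UDP and pkt.get("dport") == UDP_ESP_PORT
        if is_esp or (self.udp_encap and is_udp_esp):
            return self._decrypt(pkt)
        return self._encrypt(pkt)

    def _encrypt(self, pkt: dict) -> dict:
        entry = self.tunnel_table.get(pkt.get("vlan_id"))   # tunnel index derived from VLAN ID
        if entry is None:
            return {"action": "drop", "reason": "no tunnel for VLAN"}
        esp = ["udp", "esp"] if self.udp_encap else ["esp"]
        if entry.mode == "tunnel":      # new outer IP header; original packet fully encapsulated
            headers = ["outer_ip"] + esp + ["inner_ip", "payload"]
        else:                           # transport: original IP header kept, only payload protected
            headers = ["ip"] + esp + ["payload"]
        return {"action": "encrypt", "sa": entry.encrypt_sa, "mode": entry.mode, "headers": headers}

    def _decrypt(self, pkt: dict) -> dict:
        sa = self.decrypt_sa.get((pkt.get("dst_ip"), pkt.get("spi")))
        if sa is None:                  # dp-app never programmed this tunnel: cannot decrypt
            return {"action": "drop", "reason": "no decrypt SA"}
        sa_index, mode = sa
        return {"action": "decrypt", "sa": sa_index, "mode": mode}

# Constructed sample tables: one tunnel-mode and one transport-mode tunnel.
GW = IpsecGwModel(tunnel_table={10: TunnelEntry("tunnel", 1), 20: TunnelEntry("transport", 2)},
                  decrypt_sa={("192.0.2.1", 0x1001): (1, "tunnel"), ("192.0.2.1", 0x1002): (2, "transport")})
```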

The following crypto offloads are supported:

  • AES-GCM/XTS encrypt/decrypt
  • SHA3-256
  • SHA3-384/512
  • PKE, DRBG, TLS 1.1 & 1.3