IPsec Offload

The Inline IPsec offload feature uses the IPDK Infrastructure Application Interface to enable cryptographically-secure data traffic. The IPsec control plane (IKE protocol) is offloaded, thus avoiding specialized drivers or control planes burdening compute instances. Further details are available on the IPDK Inline Acceleration - IPsec page.

This feature works in conjunction with the IPsec Recipe, which provides strongSwan plugin code to configure and program control messages into the target.

The IPsec offload feature is only supported on the Intel® IPU E2100 target.

Feature overview

The infrap4d process provides the gRPC server-side support for P4RT and gNMI messages. strongSwan acts as the gRPC client in this context. You can also use other clients that implement the IKE stack. The client uses P4Runtime to program the Security Policy Database (SPD), and it uses gNMI to configure Security Association Database (SAD) entries, which includes encryption keys, re-keying etc.

The openconfig-ipsec-offload YANG model is used to configure IPsec offload.

Enabling IPsec

Follow the sequence of steps listed below to enable IPsec functionality. The fxp-net_linux-networking P4 program is a combined recipe which implements and supports both the Linux Networking and the IPsec portion of the program.

Compile P4 program

Compile the ipsec-offload program according to the instructions in Compiling P4 programs to generate crypto P4 artifacts for programming the pipelines.

Load `fxp-net_linux-networking` P4 package

Follow the instructions in Deploying P4 programs to load the hardware FXP pipeline with the IPsec package.

Configure and run infrap4d

Follow the instructions in Running infrap4d and prepare the system with generated TDI.json and context.json file references. In order to offload IPsec, fixed function support must be enabled in infrap4d.

The /usr/share/stratum/es2k/es2k_skip_p4.conf file must include the fixed function configuration reference.

"fixed_functions" : [
  {
   "name": "crypto",
   "tdi": "/tmp/fixed/tdi.json",
   "ctx": "/tmp/fixed/crypto-mgr-ctx.json"
  }
],

Update this configuration before starting infrap4d.

Configure strongSwan

Follow the instructions in the strongSwan documentation to configure host for the use-case selected. This includes details such as certificate location, IPs, lifetime thresholds, etc.

Start IPsec

With the strongSwan application configured, starting IPsec (see ipsec-recipe for details) will initiate the pipeline, program the SPD rules as per the P4 program, and configure/re-configure SAD entries based on negotiated encryption parameters between local and peer system.