Traffic Flow Confidentiality (TFC) is a feature of SAs according to RFC 4303 that must be negotiated on a per-SA basis before it is used. So this would need to be hooked into higher-level protocols.
From an ODP perspective, it would be an additional set of parameters on the odp_ipsec_sa_create() API. Not clear this is something we should worry about for Tiger Moth, but something to consider as an addition in the future.

On Mon, Nov 20, 2017 at 8:37 AM, Dmitry Eremin-Solenikov <dmitry.ereminsoleni...@linaro.org> wrote:

> Hello,
>
> I was thinking about another minor part of IPsec RFCs: dummy packets
> used to mask traffic statistics. IPsec implementation is required to
> drop ESP packets with NH = 59 (no next header) on receiver side and is
> expected to be able to generate these packets on transmitter side.
> Currently we do not provide a way to inject these packets in any way.
>
> Possible solutions:
>
> TX side:
> - Add API call to transmit single packet.
>
> - Extend transmit parameters to specify next header (IPv4, IPv6 or
> NoNH) for each packet to be transmitted (per-packet or per-odp call).
>
> - ???
>
> RX side:
> - Silently drop NoNH packets
>
> - Report NoNH packets to app via error or status event mechanism.
>
> - ???
>
> --
> With best wishes
> Dmitry
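
The dummy-packet handling discussed in this thread, sketched as an added example that is not part of either message and is not ODP code: a receive-side check that silently drops NH = 59 plaintext and a transmit-side builder for a dummy payload. The names `esp_rx_classify`, `esp_tx_build_dummy` and `ESP_NH_NONE` are hypothetical; the code assumes the ICV has already been verified and stripped, and that the trailer only needs 4-byte alignment.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ESP_NH_NONE 59 /* "no next header": marks an RFC 4303 dummy packet */

enum esp_rx_verdict { ESP_RX_DELIVER, ESP_RX_DROP_DUMMY, ESP_RX_MALFORMED };

/* Classify decrypted ESP plaintext: payload | padding | pad_len | next_hdr.
 * Assumes the ICV was already verified and stripped by the caller. */
enum esp_rx_verdict esp_rx_classify(const uint8_t *pt, size_t len,
                                    size_t *payload_len)
{
    if (pt == NULL || len < 2)
        return ESP_RX_MALFORMED;          /* trailer is always 2 bytes */

    uint8_t next_hdr = pt[len - 1];
    uint8_t pad_len = pt[len - 2];

    /* Dummy traffic is discarded without raising an error; its payload
     * need not be well-formed, so check this before validating padding. */
    if (next_hdr == ESP_NH_NONE)
        return ESP_RX_DROP_DUMMY;

    if ((size_t)pad_len > len - 2)
        return ESP_RX_MALFORMED;          /* padding overruns the payload */

    if (payload_len != NULL)
        *payload_len = len - 2 - pad_len;
    return ESP_RX_DELIVER;
}

/* Build the plaintext of a dummy packet with fill_len filler bytes.
 * Returns bytes written, or 0 if buf is too small. Assumes 4-byte
 * trailer alignment; a block cipher may need a larger multiple. */
size_t esp_tx_build_dummy(uint8_t *buf, size_t buf_len, size_t fill_len)
{
    size_t pad_len = (4 - (fill_len + 2) % 4) % 4;
    size_t total = fill_len + pad_len + 2;

    if (buf == NULL || total < fill_len || total > buf_len)
        return 0;

    memset(buf, 0, fill_len);             /* filler content is arbitrary */
    for (size_t i = 0; i < pad_len; i++)
        buf[fill_len + i] = (uint8_t)(i + 1); /* default padding 1, 2, 3... */
    buf[fill_len + pad_len] = (uint8_t)pad_len;
    buf[fill_len + pad_len + 1] = ESP_NH_NONE;
    return total;
}
```

Returning a distinct `ESP_RX_DROP_DUMMY` verdict lets a caller choose between the two RX options listed in the quoted message: discard quietly, or count and report the packet through a status mechanism.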