Hello,

On 20/11/17 18:23, Bill Fischofer wrote:
> Traffic Flow Confidentiality (TFC) is a feature of SAs according to RFC
> 4303 that must be negotiated on a per-SA basis before it is used. So
> this would need to be hooked into higher-level protocols.
>
> From an ODP perspective, it would be an additional set of parameters on
> the odp_ipsec_sa_create() API. Not clear this is something we should
> worry about for Tiger Moth, but something to consider as an addition in
> the future.

In fact I think that control can go to the application level. I was thinking about allowing the application to specify whether an outgoing packet is dummy or not. In fact I'm going to propose the possibility to specify whether an outgoing packet is IPv4, IPv6 or dummy.

>
> On Mon, Nov 20, 2017 at 8:37 AM, Dmitry Eremin-Solenikov
> <[email protected]> wrote:
>
> Hello,
>
> I was thinking about another minor part of IPsec RFCs: dummy packets
> used to mask traffic statistics. IPsec implementation is required to
> drop ESP packets with NH = 59 (no next header) on receiver side and is
> expected to be able to generate these packets on transmitter side.
> Currently we do not provide a way to inject these packets in any way.
>
> Possible solutions:
>
> TX side:
> - Add API call to transmit single packet.
>
> - Extend transmit parameters to specify next header (IPv4, IPv6 or
> NoNH) for each packet to be transmitted (per-packet or per-odp call).
>
> - ???
>
> RX side:
> - Silently drop NoNH packets
>
> - Report NoNH packets to app via error or status event mechanism.
>
> - ???
>
> --
> With best wishes
> Dmitry
>

--
With best wishes
Dmitry
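
The RX-side options listed in the thread (silently drop NoNH packets, or report them to the application), sketched as an added example that is not part of the original messages and is not ODP code. It assumes tunnel mode, an already decrypted and authenticated ESP plaintext, and the default RFC 4303 padding; `esp_rx_classify`, `esp_verdict` and `struct esp_rx_stats` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IP protocol numbers carried in the ESP trailer's Next Header field. */
enum { NH_IPV4 = 4, NH_IPV6 = 41, NH_NONE = 59 };

typedef enum { ESP_DELIVER, ESP_DROP_DUMMY, ESP_DROP_MALFORMED } esp_verdict;

/* Hypothetical per-SA counters: dummy drops are silent on the wire
 * but stay visible to the application as a status counter. */
struct esp_rx_stats { uint64_t delivered, dummy, malformed; };

/* pt/len: plaintext after ICV check and decryption, laid out as
 *   payload | padding | pad length (1 byte) | next header (1 byte)
 * On ESP_DELIVER, *payload_len and *next_hdr describe the inner packet. */
esp_verdict esp_rx_classify(const uint8_t *pt, size_t len,
                            struct esp_rx_stats *st,
                            size_t *payload_len, uint8_t *next_hdr)
{
    if (len < 2) { st->malformed++; return ESP_DROP_MALFORMED; }
    uint8_t nh = pt[len - 1];
    size_t pad = pt[len - 2];

    /* NH = 59: dummy packet, discarded without looking at its content
     * and without being counted as an error. */
    if (nh == NH_NONE) { st->dummy++; return ESP_DROP_DUMMY; }

    if (pad > len - 2 || (nh != NH_IPV4 && nh != NH_IPV6)) {
        st->malformed++; return ESP_DROP_MALFORMED;
    }
    /* Default padding is the byte sequence 1, 2, 3, ... */
    const uint8_t *p = pt + (len - 2 - pad);
    for (size_t i = 0; i < pad; i++)
        if (p[i] != (uint8_t)(i + 1)) { st->malformed++; return ESP_DROP_MALFORMED; }

    *payload_len = len - 2 - pad;
    *next_hdr = nh;
    st->delivered++;
    return ESP_DELIVER;
}

int main(void)
{
    /* Constructed sample: arbitrary filler, pad length 0, NH = 59. */
    const uint8_t dummy[] = { 0xde, 0xad, 0xbe, 0xef, 0, NH_NONE };
    struct esp_rx_stats st = { 0, 0, 0 };
    size_t plen = 0; uint8_t nh = 0;
    esp_verdict v = esp_rx_classify(dummy, sizeof dummy, &st, &plen, &nh);
    printf("verdict=%d dummy_count=%llu\n", v, (unsigned long long)st.dummy);
    return 0;
}
```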
