OpenDataPlane / odp

The ODP project is an open-source, cross-platform set of application programming interfaces (APIs) for the networking data plane

Home Page: https://opendataplane.org

IPsec extended sequence number support is missing

MatiasElo opened this issue

Janne Peltonen 2018-09-07 13:45:53 UTC
The IPsec API supports extended sequence numbers but the underlying implementation does not, even though there is no capability flag that would allow the implementation to not support them.

Comment 1 Bill Fischofer 2018-09-07 13:47:37 UTC
Dmitry, can you take a look at this and comment?

Comment 2 Dmitry Eremin-Solenikov 2018-09-11 10:32:42 UTC
ESN is a tricky part of the standard, especially "retry the high bits". It does not play well with the ODP crypto part. I will work on implementing ESN support, but it will take time.

Related question: do we expect that all hardware that implements IPsec support will also have ESN support or do we need an ESN capability?

Comment 3 Bill Fischofer 2018-09-11 10:55:36 UTC
Per RFC 4303, ESNs are optional in IPsec and must be negotiated by IKE. The odp_ipsec_sa_opt_t has an esn bit, requesting that the SA be created with ESN support. The expected behavior is for the odp_ipsec_sa_create() call to fail if the underlying implementation does not support ESN.

So the first question is: since we currently don't support ESN, are requests to create ESN-enabled SAs being failed? If not, that's certainly a bug. If they are, then this isn't a bug per se, but rather a request to add support for this optional feature.

Comment 4 Bill Fischofer 2018-09-11 10:56:04 UTC
Sorry, make that RFC 4304 in the above comment.

Comment 5 Janne Peltonen 2018-09-11 12:11:05 UTC
Currently odp_ipsec_sa_create() silently ignores the esn flag and creates an SA with a regular sequence number.

Comment 6 Dmitry Eremin-Solenikov 2018-09-11 12:12:06 UTC
Created https://bugs.linaro.org/show_bug.cgi?id=4002 to track ESN-rejection.

ESN feature implementation PR "#1296" submitted.
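
For readers following the ESN discussion above, here is an added example that is not part of the thread and is not ODP's code: with ESN only the low 32 bits of the sequence number travel in the ESP header, so the receiver must infer the high 32 bits from its anti-replay window before it can run the integrity check. The sketch follows the inference in RFC 4303 Appendix A2.1; the struct and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Receiver-side ESN state (hypothetical names, not ODP's). */
struct esn_rx {
    uint32_t th; /* high 32 bits of highest authenticated sequence number */
    uint32_t tl; /* low 32 bits of the same */
    uint32_t w;  /* anti-replay window size in packets, assumed >= 1 */
};

/*
 * Infer the untransmitted high 32 bits for a packet carrying seql
 * (RFC 4303 Appendix A2.1). Returns 0 and stores the 64-bit candidate
 * in *seq, or -1 when no valid candidate exists. The result is only a
 * candidate: th/tl must not be updated until the ICV, computed with the
 * inferred high bits, has verified.
 */
int esn_infer(const struct esn_rx *s, uint32_t seql, uint64_t *seq)
{
    uint32_t bottom = s->tl - s->w + 1; /* window lower edge, mod 2^32 */
    uint32_t seqh = s->th;

    if (s->tl >= s->w - 1) {
        /* Case A: window lies inside one 2^32 subspace. A low value
         * below the window means the sender wrapped into the next one. */
        if (seql < bottom) {
            if (s->th == UINT32_MAX)
                return -1; /* 64-bit sequence space exhausted */
            seqh = s->th + 1;
        }
    } else if (seql >= bottom) {
        /* Case B: window straddles a wrap. Values at or above the
         * lower edge belong to the previous subspace. */
        if (s->th == 0)
            return -1; /* would precede the first packet of the SA */
        seqh = s->th - 1;
    }
    *seq = ((uint64_t)seqh << 32) | seql;
    return 0;
}

int main(void)
{
    struct esn_rx s = { 3, 10, 64 }; /* constructed state: window spans a wrap */
    uint64_t seq;

    if (esn_infer(&s, 0xFFFFFFF0u, &seq) == 0)
        printf("candidate seq = 0x%llx\n", (unsigned long long)seq);
    return 0;
}
```

An implementation that silently treats an ESN SA as a 32-bit one never feeds these high bits into the ICV, so it cannot interoperate with a peer that negotiated ESN.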