
Having trouble with decryption IPSEC packet on Security Accelerator

Hi,

I am working on IPSEC using the Security Accelerator (SA). My aim is firstly to prepare an IPSEC packet (with the ESP protocol) and then to solve it using the SA. My design does not include the Packet Accelerator (PA). The packet is sent from the host to the SA for encryption, and then the SA pushes the packet back to the host. After the encryption process, I manually send the encrypted packet to the SA and the SA pushes the decrypted packet to the host. I tried to express this below.

HOST----to encryption process----> SA ----encrypted packet-----> HOST ------to decryption process---->SA------decrypted packet------>HOST 

I have created an SA channel and opened it in IPSEC MODE, and I have encrypted and authenticated the IP packet properly so far. There is no problem up to here. I verified the IPsec packet in several ways.

However, I have trouble when I try to decrypt the packet which was encrypted before. When I looked at the SA statistics to understand what the problem is, the authentication failure counter is increased. To avoid the authentication failure, I applied no authentication, and the SA worked this time but decrypted wrongly.

I discovered that if I give a data offset 4 bytes larger, the SA decrypts the packet properly. However, if I use one of the authentication methods as well, the problem is still going on.

When I analyzed your example code (IPSec ESP TEST_1_1 of SA_UnitTest_K2KBiosTestProject), the PA and SA are used together. My question is: can I use the same SA channel in IPSEC mode to decrypt the packet without using the PA? Is that possible or not?

NOTE: By the way, when I investigated the "NWAL library", SA channels are opened in DATA MODE in order to decrypt packets without using the PA. Do I have to open the SA channel in DATA MODE when I don't want to use the PA?

Thanks for your reply

Yakup


  • Welcome to the TI E2E forum. I hope you will find many good answers here and in the TI.com documents and in the TI Wiki Pages (for processor issues). Be sure to search those for helpful information and to browse for the questions others may have asked on similar topics (e2e.ti.com). Please read all the links below my signature.

    We will get back to you on the above query shortly. Thank you for your patience.

  • Thank you,

    I am looking forward to your answer...

    Yakup
  • Yakup

    I would like to understand your system better. I assume (correct me if I am wrong) that you want to send and receive encrypted messages not through the PA, like a point-to-point direct interface. The more you tell me about your application, the better I can advise you.

    To answer your question: IPSEC mode was designed with the PA in mind. I think that you can use IPSEC mode without the PA, but you have to be careful that the descriptor format and data that you build are identical to what the PA builds and sends to the SA for processing. And the TX and RX formats are not necessarily the same.

    The DATA_MODE was designed for your case. Look at the examples in the release. I think that you need two channels for the DATA_MODE, one for TX and one for RX, and you have to compare the authentication manually in the application.

    Does it make sense?

    Ran

  • Hi Ran,

    First of all I would like to thank you for your fast answer. Yes, you have understood me correctly. I just want to use SA between two points as you said.

    I will try to explain the aim behind my question. We assume that the LUT1_1 table is fully loaded in the PA. So it means that I will not be able to use the PA to classify according to the SPI parameter in the ESP/AH header. Therefore I must do the classification process in software and prepare the descriptor in the appropriate format. After that it is necessary to push the descriptor to the SA manually.

    By the way, I know that I have to prepare the same descriptor format as the packet accelerator makes. Although it is clear how descriptors are prepared for the TX direction, there is no sample code or any explanation for the RX side (I mean while not using the PA). If you have information about the descriptor format for the RX direction, could you inform me? Because it is clear that I am missing a point.

    Thanks...

    Yakup

  • The reason why you do not see much information about the RX format is that the descriptor is built by the PA and not by software, so "there was no need to describe how to build it".

    I will do some research to find where the RX descriptor format is explained, but it might take me a day or two.

    Best Regards

    Ran

  • I really appreciate your interest.

    Regards...

    Yakup
  • Hi Ran,

    I did some research about my question above. I couldn't find any info. Did you get some information?

    Thanks

    Yakup
  • As we said before, the mode that TI prefers for your case is DATA_MODE, so we do not have much documentation.

    If you still do not want to use DATA_MODE, you can start by doing some reverse engineering. Look at the source files.

    The long information is defined in pasahost.h, located under ti\drv\pasahost.h; you can refer to the pasahoLongInfo_t structure and the bit fields associated with each word in that structure.

    Ran

  • More information from the expert in engineering:

    Please find below the descriptor that needs to be built by the host instead of the PA (if the PA is not in the path) for the Rx side. I have provided the Tx side also for completeness. Fundamentally, the descriptor needs to be updated as below:

    On the Tx Side:

    1. After the channel is created, call the SA LLD API to perform the protocol-specific operations using Sa_chanSendData (Sa_ChanHandle, Sa_PktInfo_t*, flag_to_indicate_force_non_encryption).
       1. This returns the swInfo for that channel, which needs to be filled into the Host Descriptor's SwInfo0 and SwInfo1 fields using the Cppi_setSoftwareInfo API.
       2. Prepare the PS information command, psInfo (8 bytes long, where the second word can be zeros), as "psInfo[0] = PASAHO_SINFO_FORMAT_CMD(payloadOffset, payloadLen);"
          Note: #define PASAHO_SINFO_FORMAT_CMD(offset, len)   (((offset) << 16) | (len) | (PASAHO_SA_SHORT_INFO << 29))   where PASAHO_SA_SHORT_INFO = 1
    2. Set the 8-byte PS data in the descriptor as Cppi_setPSData (Cppi_DescType_HOST, (Cppi_Desc *)hd, (uint8_t *)psInfo, 8);

    On the Rx Side:

    1. Get the associated SwInfo for that channel and update the descriptor with the corresponding SwInfo0 and SwInfo1 for the packet in the channel of interest to be decrypted.

       - SwInfo0 and SwInfo1 for that channel can be obtained from the information the SA LLD provided to the application during the channel registration process; the SA LLD has the callout function below, which is implemented in the application.

    /**
     *  @brief  Callout to externally supplied system to register the security channel with its software
     *  routing information to be programmed into the PASS lookup table in the from-Network direction.
     *  It may be triggered by the Sa_chanControl(), Sa_chanSendData() and Sa_chanReceiveData() APIs.
     *  This is a function pointer and must point to a valid function which meets the API requirements.
     *
     *  @param[in]   handle       SALLD channel instance identifier.
     *  @param[in]   chanSwInfo   Pointer to SALLD software routing information structure.
     *
     *  @sa Sa_SWInfo_t
     *
     */
    void (*ChanRegister) (Sa_ChanHandle handle, Sa_SWInfo_t* chanSwInfo);

    2. Set the 24-byte PS data information in the descriptor as below.

    Construct six 32-bit words (24 bytes) of PS data as below.

    uint32_t Word0 = start_offset;
    uint32_t Word1 = end_offset << 16;
    uint32_t Word2 = esp_ah_offset;
    uint32_t Word3 = 0, Word4 = 0, Word5 = 0;   /* Word3..Word5 are unused and must be zero */

    Where esp_ah_offset is the offset to the ESP header, start_offset is offset_to_ESP_header + 8, and end_offset is the offset to the end of the IP payload.

    Ran
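The following is an added example, not code from this thread or from the TI SA LLD / PDK sources. It puts the two host-side pieces of the reply above into one compilable unit: the application-supplied ChanRegister callout that records SwInfo0/SwInfo1 per channel (Rx step 1), and the construction of the 8-byte Tx PS command word and the six-word Rx PS data (Tx step 2 and Rx step 2). To build stand-alone it uses assumed stand-ins: Sa_ChanHandle is treated as an opaque pointer, Sa_SWInfo_t is modelled as a word count plus three words, and the channel table, MAX_CHANNELS, ESP_HDR_LEN, appChanRegister, appChanLookup, buildTxPsInfo and buildRxPsInfo are names invented here. On a real target the real salld.h / pasahost.h definitions apply and the words are written into the descriptor with Cppi_setSoftwareInfo and Cppi_setPSData as the reply says.

```c
/* Added example (not from the thread or the TI SA LLD): host-built PS data
 * for an SA IPSEC-mode channel used without the PA, plus the application
 * side of the ChanRegister callout. Type definitions below are stand-ins
 * assumed for a stand-alone build, not the real salld.h declarations. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Macro exactly as quoted in the reply (pasahost.h): bits 16..28 carry the
 * offset, bits 0..15 the length, bit 29 the short-info flag. */
#define PASAHO_SA_SHORT_INFO 1
#define PASAHO_SINFO_FORMAT_CMD(offset, len) \
    (((offset) << 16) | (len) | (PASAHO_SA_SHORT_INFO << 29))

#define ESP_HDR_LEN  8   /* SPI (4) + sequence number (4); the "+ 8" in the reply */
#define MAX_CHANNELS 4   /* assumed size of the application's own channel table */

typedef void *Sa_ChanHandle;   /* assumed stand-in for the SA LLD handle type */
typedef struct {
    uint16_t size;             /* assumed: number of valid words in swInfo */
    uint32_t swInfo[3];        /* assumed: SwInfo0..SwInfo2 */
} Sa_SWInfo_t;

typedef struct {
    Sa_ChanHandle handle;
    uint32_t swInfo0, swInfo1;
    bool valid;
} ChanRecord;

static ChanRecord g_chanTable[MAX_CHANNELS];

/* Application-supplied ChanRegister callout: remember the routing words the
 * SA LLD hands out at registration, keyed by channel handle. Registering the
 * same handle again overwrites its entry; a full table drops the request. */
void appChanRegister(Sa_ChanHandle handle, Sa_SWInfo_t *chanSwInfo)
{
    int slot = -1;
    for (int i = 0; i < MAX_CHANNELS; i++) {
        if (g_chanTable[i].valid && g_chanTable[i].handle == handle) { slot = i; break; }
        if (!g_chanTable[i].valid && slot < 0) slot = i;
    }
    if (slot < 0) return;
    g_chanTable[slot].handle  = handle;
    g_chanTable[slot].swInfo0 = chanSwInfo->size > 0 ? chanSwInfo->swInfo[0] : 0;
    g_chanTable[slot].swInfo1 = chanSwInfo->size > 1 ? chanSwInfo->swInfo[1] : 0;
    g_chanTable[slot].valid   = true;
}

/* Rx step 1: fetch SwInfo0/SwInfo1 for the channel a received packet belongs to. */
bool appChanLookup(Sa_ChanHandle handle, uint32_t *swInfo0, uint32_t *swInfo1)
{
    for (int i = 0; i < MAX_CHANNELS; i++) {
        if (g_chanTable[i].valid && g_chanTable[i].handle == handle) {
            *swInfo0 = g_chanTable[i].swInfo0;
            *swInfo1 = g_chanTable[i].swInfo1;
            return true;
        }
    }
    return false;
}

/* Tx step 2: 8-byte PS info, second word zero. Offsets or lengths that do not
 * fit the command word's fields are rejected instead of silently overlapping
 * the short-info bit. */
bool buildTxPsInfo(uint32_t payloadOffset, uint32_t payloadLen, uint32_t psInfo[2])
{
    if (payloadOffset > 0x1FFFu || payloadLen > 0xFFFFu) return false;
    psInfo[0] = PASAHO_SINFO_FORMAT_CMD(payloadOffset, payloadLen);
    psInfo[1] = 0;
    return true;
}

/* Rx step 2: six 32-bit words (24 bytes). espOffset is the offset of the ESP
 * header in the buffer, ipPayloadEnd the offset of the end of the IP payload. */
bool buildRxPsInfo(uint32_t espOffset, uint32_t ipPayloadEnd, uint32_t psInfo[6])
{
    uint32_t startOffset = espOffset + ESP_HDR_LEN;
    if (ipPayloadEnd > 0xFFFFu || startOffset >= ipPayloadEnd) return false;
    psInfo[0] = startOffset;           /* Word0 = start_offset */
    psInfo[1] = ipPayloadEnd << 16;    /* Word1 = end_offset << 16 */
    psInfo[2] = espOffset;             /* Word2 = esp_ah_offset */
    psInfo[3] = psInfo[4] = psInfo[5] = 0;
    return true;
}

int main(void)
{
    /* Constructed sample: Ethernet (14) + IPv4 header (20) puts ESP at offset
     * 34; an IPv4 total length of 100 ends the IP payload at offset 114. */
    int marker;
    Sa_ChanHandle chan = &marker;
    Sa_SWInfo_t sw = { .size = 2, .swInfo = { 0x00010000u, 0x0000A5A5u, 0 } };
    uint32_t tx[2], rx[6], s0, s1;

    appChanRegister(chan, &sw);
    if (appChanLookup(chan, &s0, &s1))
        printf("SwInfo0=0x%08X SwInfo1=0x%08X\n", (unsigned)s0, (unsigned)s1);
    if (buildTxPsInfo(34, 80, tx))
        printf("Tx psInfo[0]=0x%08X\n", (unsigned)tx[0]);
    if (buildRxPsInfo(34, 114, rx))
        printf("Rx Word0=%u Word1=0x%08X Word2=%u\n",
               (unsigned)rx[0], (unsigned)rx[1], (unsigned)rx[2]);
    return 0;
}
```

The range checks are the part worth keeping when porting this to the real driver: the Tx command word only has 13 bits for the offset and 16 for the length, and an Rx start offset that lands on or past the end offset is a malformed request, so both builders refuse rather than hand the SA a descriptor that can only fail with an authentication or decryption error like the one described at the top of the thread.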