Intel® 82599 10 GbE Controller Datasheet


Intel® 82599 10 GbE Controller—Packets and Frames

| Offset | # of bytes | Field | Value (hex) | Action | Comment |
|---|---|---|---|---|---|
| 28+D+F | S | Attributes | - | Ignore | Attr_flow=1? S=84: S=0 |
| 28+D+F+S | 4 | Count | - | Ignore | |
| 32+D+F+S | 4 | Eof | - | Ignore | |
| 36+D+F+S | 4 | Data len | - | Ignore | |

In this case the packet is split after (36+D+F) bytes should be added to the UDP/TCP type that was already parsed.

A.3 IPsec Formats Run Over the Wire

This section describes the encapsulation formats used over the wire by IPsec packets that are handled by the offload in either the Tx or Rx direction.

The following legend is valid for Figure A-12 through Figure A-17 of this appendix.

Shaded fields correspond to the portion of the data that is protected by the integrity check.

Yellow colored fields are mutable fields that might be changed when traveling between the source and the destination and shall thus be zeroed when computing ICV or when encrypting/decrypting.

Cyan colored fields correspond to the portion of data that is protected for both integrity and confidentiality.

Non-colored fields are not protected either for integrity or for confidentiality.

A.3.1 AH Formats

• IPv4 header:

— IP total length (2 bytes) - Total IP packet length in bytes, including IP header, AH header, TCP/UDP header, and TCP/UDP payload.

— Protocol (1 byte) - AH protocol number, i.e. value 51.

• IPv6 header:

— IP payload length (2 bytes) - IP payload length in bytes, including AH header, TCP/UDP header, and TCP/UDP payload.

— Next header (1 byte) - AH protocol number, i.e. value 51.

• AH header:

— Next header (1 byte) - Layer4 protocol number, 6 for TCP, 17 for UDP, etc.

— AH length (1 byte) - Authentication Header length in 32-bit Dword units, minus “2”, i.e. for AES-128 its value is 7 for IPv4 and 8 for IPv6.

1042 331520-004


— Reserved (2 bytes) - must be set to zero.

— SPI (4 bytes) - arbitrary 32-bit Security Parameters Index allocated by the receiver to identify the SA to which the incoming packet is bound. The local OS is required to allocate SPIs in a unique manner per local IP address.

— SN (4 bytes) - unsigned 32-bit Sequence Number that contains a counter value that increases by one for each Ethernet frame sent. It is initialized to 0 by the sender (and the receiver) when the SA is established, i.e. the first packet sent using a given SA will have a sequence number of 1.

— IV (8 bytes) - Initialization Vector to be used ‘as is’ in the nonce input to the AES-128 crypto engine, but it must be zeroed prior to using it in the AAD input to the engine.

— ICV (16 bytes) - Integrity Check Value for this packet, the authentication tag output of the AES-128 crypto engine. Because it is part of the AH header, this field is also included in the AAD input to the crypto engine, and it should be zeroed prior to the computation.

— ICV Padding (4 bytes) - explicit padding bytes appended to the ICV field in IPv6, as it is required to maintain the (Authentication) extension header length as a multiple of 64 bits. By explicit we mean that these bytes are sent over the wire. It is formed by 4 arbitrary bytes that need not be random to achieve security. For TSO, it will be replicated from the header provided by the driver in every frame.

• L4 header (for example - TCP/UDP): Length (in bytes) depends on the protocol.

• L4 payload (for example - TCP/UDP): Can be any length in bytes.
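The AH header layout listed above, as an added example (not code from the datasheet or from Intel): a C parser that validates the AH length and Reserved fields and builds the AH portion of the AAD with the IV and ICV zeroed, while keeping the IV as sent for the nonce input. The names `ah_parse` and `ah_info` and the sample bytes are constructed for illustration; leaving the IPv6 ICV padding unchanged in the AAD is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { AH_FIXED = 12, AH_IV = 8, AH_ICV = 16, AH_V6_PAD = 4 };

struct ah_info {
    uint8_t  next_header;  /* L4 protocol: 6 = TCP, 17 = UDP */
    uint32_t spi, sn;
    uint8_t  iv[AH_IV];    /* as sent: goes unmodified into the nonce input */
    uint8_t  icv[AH_ICV];  /* received tag, to compare with the computed one */
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse and validate the AH header at buf. aad (>= 40 bytes) receives the
 * header with IV and ICV zeroed; the IPv6 ICV padding is copied unchanged
 * (assumption). Returns the AH header length, or a negative error code. */
int ah_parse(const uint8_t *buf, size_t len, int is_ipv6,
             struct ah_info *out, uint8_t *aad)
{
    size_t hdr_len = AH_FIXED + AH_IV + AH_ICV + (is_ipv6 ? AH_V6_PAD : 0);
    if (len < hdr_len) return -1;                          /* truncated header */
    if (buf[1] != (uint8_t)(hdr_len / 4 - 2)) return -2;   /* 7 (IPv4), 8 (IPv6) */
    if (buf[2] || buf[3]) return -3;                       /* Reserved must be zero */
    out->next_header = buf[0];
    out->spi = be32(buf + 4);
    out->sn  = be32(buf + 8);
    memcpy(out->iv,  buf + AH_FIXED, AH_IV);
    memcpy(out->icv, buf + AH_FIXED + AH_IV, AH_ICV);
    memcpy(aad, buf, hdr_len);
    memset(aad + AH_FIXED, 0, AH_IV + AH_ICV);             /* zero IV and ICV in AAD */
    return (int)hdr_len;
}

/* Constructed sample (not captured traffic): AH over IPv4 carrying TCP. */
static const uint8_t sample_ah_v4[36] = {
    0x06, 0x07, 0x00, 0x00,  0x00, 0x00, 0x10, 0x01,  0x00, 0x00, 0x00, 0x01,
    0xA0, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7,
    0xC0, 0xC1, 0xC2, 0xC3, 0xC4, 0xC5, 0xC6, 0xC7,
    0xC8, 0xC9, 0xCA, 0xCB, 0xCC, 0xCD, 0xCE, 0xCF };

int main(void) {
    struct ah_info ah; uint8_t aad[40];
    int rc = ah_parse(sample_ah_v4, sizeof sample_ah_v4, 0, &ah, aad);
    printf("rc=%d spi=0x%08x sn=%u\n", rc, (unsigned)ah.spi, (unsigned)ah.sn);
    return rc < 0;
}
```

The positive return value is the offset from the start of the AH header to the L4 header.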


[Figure: 32-bit-wide packet layout. IPv4 header: Ver, Hlen, TOS, IP total length, Identification, flags, Fragment offset, TTL, Protocol = AH, Header checksum, Source IPv4 address, Destination IPv4 address. AH header: Next header, AH length, Reserved, Security Parameter Index (SPI), Sequence Number (SN), Initialization Vector (IV) (note 1), Integrity Check Value (ICV). Followed by L4 header (TCP/UDP) and L4 payload (TCP/UDP).]

Figure A-12 AH packet over IPv4

1. The IV field is colored yellow because it must be zeroed in the AAD input to the AES-128 crypto engine; in spite of this, it is NOT zeroed in the nonce input to the engine.


[Figure: 32-bit-wide packet layout. IPv6 header: Ver, Traffic Class, Flow label, IP payload length, Next hdr = AH, Hop limit, Source IPv6 address, Destination IPv6 address. AH header: Next Header, AH length, Reserved, Security Parameter Index (SPI), Sequence Number (SN), Initialization Vector (IV) (note 1), Integrity Check Value (ICV), ICV Padding. Followed by L4 header (TCP/UDP) and L4 payload (TCP/UDP).]

Figure A-13 AH packet over IPv6

1. The IV field is colored yellow because it must be zeroed in the AAD input to the AES-128 crypto engine; in spite of this, it is NOT zeroed in the nonce input to the engine.
