The current version of PASS does not support IP reassembly. PASS can detect IP fragments and forward them to the host, where they are reassembled. The reassembled IP packet may then be forwarded back to PASS for continued classification. The drawback of this approach is that the order of the incoming packets is not maintained.
To provide better support for IP reassembly, the PA-assisted IP Reassembly operation is introduced and summarized below:
- An array of traffic flows, each consisting of source IP, destination IP, protocol and counter, is maintained at the PASS PDSP.
- A traffic flow is activated by the PDSP when the first IP fragment with a given source IP, destination IP and protocol is detected and forwarded.
- The traffic flow is freed when its packet count reaches 0.
- All packets belonging to any active traffic flow are forwarded to the host, so the packet order is maintained.
- IP fragments are forwarded to the host with a "not available" traffic flow id if no traffic flow is available. In this case, the packet order is not guaranteed to be maintained.
- PASS supports up to 32 active traffic flows for outer IP (PDSP1) and inner IP (PDSP2) respectively.
- The PA-assisted IP Reassembly Operation will be enabled by invoking API Pa_control with the IP reassembly configuration paIpReassmConfig_t.
- Note: The minimum-size packet wire-rate throughput is not guaranteed when this feature is enabled and there are active traffic flows.
The host IP reassembly module should interact with PASS and perform the full IP reassembly operation. The module user may choose to implement a simplified version of the IP reassembly algorithm to save CPU cycles in a controlled IP environment. A sample reassembly module is provided in the PA LLD release package, which demonstrates how to interact with the NetCP to perform the IP reassembly operation.
The sample code implements a simplified version of the IP reassembly algorithm which supports non-overlapping segments only. The sample code performs the following tasks:
- Maintain the IP reassembly contexts, each consisting of source IP, destination IP, IP identification, protocol, fragments count and the corresponding traffic flow id.
- Forward the non-fragmented IP packet with its flow id and count = 1 to PA PDSP queue. This avoids reordering the non-fragmented packets.
- For IPSEC inner IP fragments, call SA LLD to perform the post-decryption operation including padding check and IPSEC header and authentication tag removal.
- Forward the reassembled IP packet with its flow id and fragments count to PA PDSP queue.
- Send a null packet with its flow id and fragments count to PA PDSP queue if the fragments are discarded due to timeout or other error.
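An added example, not taken from the PA LLD sample module: a host-side context that accepts non-overlapping fragments only and rejects overlapping or inconsistent fragments instead of merging them. All names (`reasm_ctx_t`, `reasm_add`, the return codes) are hypothetical, and the code tracks fragment coverage only; payload copy, context lookup and timeout handling are left out.

```c
#include <stdint.h>
#include <string.h>

#define MAX_BLOCKS 8192  /* 13-bit fragment offset, 8-byte units */
enum { REASM_DROP = -1, REASM_PENDING = 0, REASM_DONE = 1 };

/* Hypothetical host-side context; fields follow the list above. */
typedef struct {
    uint32_t src, dst;              /* IPv4 source / destination */
    uint16_t id;                    /* IP identification */
    uint8_t  proto;
    uint16_t flow_id;               /* traffic flow id reported by PASS */
    uint16_t frag_count;            /* every fragment seen, rejected one included (assumption) */
    uint16_t have, max_end, total;  /* blocks held, highest end, final size (0 = unknown) */
    uint8_t  seen[MAX_BLOCKS / 8];  /* one bit per received 8-byte block */
} reasm_ctx_t;

void reasm_init(reasm_ctx_t *c, uint16_t flow_id) {
    memset(c, 0, sizeof *c);
    c->flow_id = flow_id;
}

/* off8: offset in 8-byte units, len: payload bytes, mf: More Fragments flag.
 * DROP means discard the whole context (caller then sends the null packet). */
int reasm_add(reasm_ctx_t *c, uint16_t off8, uint16_t len, int mf) {
    uint32_t end = off8 + ((uint32_t)len + 7) / 8, b;
    c->frag_count++;
    if (len == 0 || end > MAX_BLOCKS) return REASM_DROP;
    if (mf && len % 8) return REASM_DROP;           /* only the last may be unaligned */
    if (c->total && (!mf || end > c->total)) return REASM_DROP; /* past or second tail */
    if (!mf && c->max_end > end) return REASM_DROP; /* data already beyond the tail */
    for (b = off8; b < end; b++)                    /* check before marking the bitmap */
        if (c->seen[b / 8] & (1u << (b % 8))) return REASM_DROP; /* overlap */
    for (b = off8; b < end; b++)
        c->seen[b / 8] |= (uint8_t)(1u << (b % 8));
    c->have += (uint16_t)(end - off8);
    if (end > c->max_end) c->max_end = (uint16_t)end;
    if (!mf) c->total = (uint16_t)end;
    return (c->total && c->have == c->total) ? REASM_DONE : REASM_PENDING;
}

int main(void) {  /* constructed input: 2000-byte payload, tail arrives first */
    reasm_ctx_t c;
    reasm_init(&c, 5);
    reasm_add(&c, 185, 520, 0);
    return reasm_add(&c, 0, 1480, 1) == REASM_DONE ? 0 : 1;
}
```

On `REASM_DONE` or `REASM_DROP`, `flow_id` and `frag_count` are the two values the list above says the host returns to the PA PDSP queue, with the reassembled packet or the null packet respectively.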