Priority-based IPsec Processing


Table of Contents >> IPsec/IKE Programmer's Reference


As IPsec and IKE Policies are processed, traffic is matched against policy in a particular order determined by the configuration. Two orderings are available: index-based processing and priority-based processing.

To enable priority-based processing, define TM_USE_PRIORITIES in <trsystem.h>.

Priorities must be enabled when using IKE Policies and/or multiple Phase 2 Proposals. IKE Policies are always processed in priority order; IPsec Policies can be processed either by index or by priority.

To enable priority-based IPsec Policy processing, also define TM_USE_PRI_PROC. If this macro is not defined, IPsec Policies are processed in index order.

Usage

IPsec and IKE Policies share a single priority space, so only one policy of either type may occupy a given priority level. Unlike indices, priorities do not have to be assigned contiguously in ascending order starting at 0; leaving gaps between levels lets additional policies be inserted later without renumbering existing ones.

An IPsec and/or IKE Policy may be assigned any arbitrary available level between 0 and the maximum number of levels as defined by the following macro declared in <tripsecpri.h>:

#define TM_IPSEC_PRIORITY_LEVELS 512


When priority-based processing is enabled, both the IPsec and the IKE policy structures include a data member that holds the priority level to use when the policy is added.

For IPsec, ttIpsecPolicyPair includes the priority member (as defined in <trsecapi.h>):

typedef struct tsIpsecPolicyPair
{
#ifdef TM_USE_PRIORITIES
    ttUser16Bit ippPriority;
#endif /* TM_USE_PRIORITIES */
    …
} ttIpsecPolicyPair;

Creating either an IPsec or an IKE Policy fails if the specified priority is already assigned to another policy or lies outside the valid range. Lower priority values take precedence: during policy matching, the policy at the lowest priority level is consulted first, then the next higher level, and so on.

Memory Requirements

Each priority level typically requires 8 bytes (this may vary with the target architecture and tool chain), so the default of 512 levels costs roughly 4 KB regardless of how many levels are actually in use.


IPsec Functions

With priority-based processing enabled, the procedure for adding and deleting IPsec Policies differs slightly from index-based operation:


1. When using tfPolicyAdd(), specify the priority using the priority parameter.

2. When using tfPolicyRestore(), specify the priority using the ippPriority member of the ttIpsecPolicyPair structure specified by the pairListPtr parameter.

3. When deleting IPsec Policies, use tfPolicyDeleteByPriority().
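The following C program is an added example that models the behaviour described on this page (a single priority space shared by IPsec and IKE Policies, one policy per level, creation failing on a collision or an out-of-range level, matching in ascending level order, and deletion by level, including the restore-from-list flow that reads each entry's own priority member). It is not Treck's code: the page does not show the real tfPolicyAdd(), tfPolicyRestore() or tfPolicyDeleteByPriority() signatures, so the function names, the policy struct, the toy destination-port selector and the sample policies below are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirrors TM_IPSEC_PRIORITY_LEVELS from <tripsecpri.h>; levels are 0-based. */
#define PRIORITY_LEVELS 512

typedef enum { POLICY_IPSEC, POLICY_IKE } policy_kind;

/* Toy policy record (assumption). Only 'priority' corresponds to the
 * documented ippPriority member; the selector is a stand-in for real
 * traffic selectors. */
typedef struct {
    policy_kind kind;
    uint16_t    priority;  /* like ttIpsecPolicyPair.ippPriority */
    uint16_t    dst_port;  /* toy traffic selector: 0 matches any port */
    const char *name;
} policy;

/* One slot per level, shared by IPsec and IKE policies. Each slot is a
 * pointer, which is where a per-level cost of about 8 bytes comes from
 * on a 64-bit target. */
static policy *priority_table[PRIORITY_LEVELS];

void policy_table_reset(void) { memset(priority_table, 0, sizeof priority_table); }
size_t policy_table_bytes(void) { return sizeof priority_table; }

/* Add a policy at the level it carries. 0 on success, -1 if the level is
 * out of range, -2 if the level is already occupied (by either kind). */
int policy_add(policy *p)
{
    if (p->priority >= PRIORITY_LEVELS)
        return -1;
    if (priority_table[p->priority] != NULL)
        return -2;
    priority_table[p->priority] = p;
    return 0;
}

/* Restore a saved list; each entry supplies its own level via the priority
 * member, as tfPolicyRestore() does with ippPriority. Returns -1 when every
 * entry was added, else the index of the first entry that failed. */
int policy_restore(policy *list, size_t count)
{
    size_t i;
    for (i = 0; i < count; i++)
        if (policy_add(&list[i]) != 0)
            return (int)i;
    return -1;
}

/* Remove whatever policy occupies a level. 0 on success, -1 if empty/invalid. */
int policy_delete_by_priority(uint16_t level)
{
    if (level >= PRIORITY_LEVELS || priority_table[level] == NULL)
        return -1;
    priority_table[level] = NULL;
    return 0;
}

/* Walk levels in ascending order, so the lowest numbered level is consulted
 * first and has the highest precedence. Returns the first IPsec policy whose
 * selector matches, or NULL. */
const policy *policy_match(uint16_t dst_port)
{
    int lvl;
    for (lvl = 0; lvl < PRIORITY_LEVELS; lvl++) {
        const policy *p = priority_table[lvl];
        if (p != NULL && p->kind == POLICY_IPSEC &&
            (p->dst_port == 0 || p->dst_port == dst_port))
            return p;
    }
    return NULL;
}

int main(void)
{
    /* Constructed sample policies; levels are deliberately non-contiguous. */
    policy ssh = { POLICY_IPSEC, 10,  22, "protect-ssh" };
    policy any = { POLICY_IPSEC, 100, 0,  "bypass-all" };
    policy ike = { POLICY_IKE,   10,  0,  "ike-main" };
    const policy *m;

    policy_table_reset();
    printf("add ssh@10:  %d\n", policy_add(&ssh));   /* 0  */
    printf("add any@100: %d\n", policy_add(&any));   /* 0  */
    printf("add ike@10:  %d\n", policy_add(&ike));   /* -2: level 10 already taken */

    m = policy_match(22);
    printf("port 22 -> %s\n", m ? m->name : "none"); /* protect-ssh, level 10 wins */
    policy_delete_by_priority(10);
    m = policy_match(22);
    printf("port 22 -> %s\n", m ? m->name : "none"); /* bypass-all now matches */
    printf("table bytes: %zu\n", policy_table_bytes());
    return 0;
}
```

The collision of the IKE policy with the IPsec policy at level 10 is the shared-space rule from the Usage section; the second lookup shows why the level a policy is given matters: once the narrower policy at level 10 is gone, the wildcard at level 100 is the first match.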
