Summary
We need the ability to selectively offload IPsec peers to the VPP dataplane when enabled, with control over which peers should remain in the kernel dataplane.
Use Case
Mixed configurations may exist where:
- Some IPsec peers use the kernel dataplane while others use VPP
- Certain peers support VPP-compatible algorithms, while others do not
Without selective offloading control:
- All SAs and policies would be offloaded to VPP by default
- This could break:
- Traffic to/from peers unreachable via VPP (e.g., when VPP has a 0.0.0.0/0 route to install policies for such peers)
- Tunnels using incompatible algorithms
Requirements
To prevent these issues, we need:
- A mechanism in the linux-cp plugin to specify which peers/tunnels should be offloaded
- Dynamic control via API for real-time adjustments
Additional Considerations
An "exclude" option would also be useful for cases where only a few peers are incompatible.