Network device with datagram transport layer security selective software offload

US12452219B2 · US · B2

Patent metadata
Publication number: US-12452219-B2
Application number: US-202418626354-A
Country: US
Kind code: B2
Filing date: Apr 4, 2024
Priority date: Jun 1, 2023
Publication date: Oct 21, 2025
Grant date: Oct 21, 2025

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

In one embodiment, a system includes a networking device including a network interface to receive network packets having headers including datagram transport layer security (DTLS) headers from a remote device over a packet data network, packet processing circuitry to identify first packets of the received packets for DTLS processing in the packet processing circuitry, identify second packets of the received packets to bypass DTLS processing in the packet processing circuitry and to be provided to software to perform DTLS processing on the second packets, and perform DTLS processing on the first packets, and a host interface to provide the DTLS processed first packets to the software, and provide the second packets to the software to perform DTLS processing on the second packets.

First claim

Opening claim text (preview).

What is claimed is:

1. A system, comprising a networking device, including: a network interface to receive network packets having headers including datagram transport layer security (DTLS) headers from a remote device over a packet data network; packet processing circuitry to: identify first packets of the received packets for DTLS processing in the packet processing circuitry; identify second packets of the received packets to bypass DTLS processing in the packet processing circuitry and to be provided to software to perform DTLS processing on the second packets; and perform DTLS processing on the first packets; and a host interface to: provide the DTLS processed first packets to the software; and provide the second packets to the software to perform DTLS processing on the second packets.

2. The system according to claim 1, wherein the packet processing circuitry comprises DTLS processing circuitry to: find at least one decryption key based on source and destination data of at least one DTLS header of the first packets; decrypt and authenticate the first packets based on the at least one decryption key; and perform replay protection checks based on DTLS sequence numbers of the first packets.

3. The system according to claim 1, further comprising a host device including a processor to execute the software to: receive the second packets; and perform DTLS processing on the second packets.

4. The system according to claim 3, wherein the software is to: find at least one decryption key based on source and destination data of at least one DTLS header of the second packets; decrypt and authenticate the second packets based on the at least one decryption key; and perform replay protection checks based on DTLS sequence numbers of the second packets.

5. The system according to claim 1, wherein the packet processing circuitry is to generate completion queue elements (CQEs) for the second packets indicating that the packets are being offloaded to the software to perform DTLS processing on the second packets.

6. The system according to claim 1, wherein the packet processing circuitry comprises DTLS processing circuitry, wherein the packet processing circuitry is to indicate to the DTLS processing circuitry that the second packets are to bypass DTLS processing in the DTLS processing circuitry.

7. The system according to claim 1, wherein the packet processing circuitry is to: identify the first packets for DTLS processing in the packet processing circuitry based on the first packets belonging to at least one first network flow; and identify the second packets to bypass DTLS processing in the packet processing circuitry and to be provided to the software to perform DTLS processing on the second packets based on the second packets belonging to at least one second network flow.

8. The system according to claim 1, wherein the packet processing circuitry is to: identify the first packets for DTLS processing in the packet processing circuitry based on the first packets supported by a first version of DTLS; and identify the second packets to bypass DTLS processing in the packet processing circuitry and to be provided to the software to perform DTLS processing on the second packets based on the second packets being supported by a second version of DTLS, different from the first version of DTLS.

9. The system according to claim 1, wherein the first packets and the second packets belong to a same network flow.

10. The system according to claim 9, wherein the packet processing circuitry is configured to identify the first packets and the second packets based on header field content type of the first packet and the second packets.

11. The system according to claim 9, wherein the second packets are handshake packets.

12. The system according to claim 9, wherein: the second packets bypassing DTLS processing in the packet processing circuitry are packets encrypted by cryptographic material of a new cryptographic key epoch and processed by the packet processing circuitry prior to the cryptographic material of the new cryptographic key epoch being offloaded by the software to the networking device; and the first packets identified for DTLS processing in the packet processing circuitry are packets encrypted by the cryptographic material of the new cryptographic key epoch and processed by the packet processing circuitry after the cryptographic material of the new cryptographic key epoch has been offloaded by the software to the networking device.

13. The system according to claim 12, wherein the packet processing circuitry is to compare epoch fields in the DTLS headers of the packets against at least one valid epoch installed in the networking device to identify the second packets to bypass the DTLS processing and the first packets for DTLS processing in the packet processing circuitry.

14. A method, comprising: receiving network packets having headers including datagram transport layer security (DTLS) headers from a remote device over a packet data network; identifying first packets of the received packets for DTLS processing in packet processing circuitry; identifying second packets of the received packets to bypass DTLS processing in the packet processing circuitry and to be provided to software to perform DTLS processing on the second packets; performing DTLS processing on the first packets by the packet processing circuitry; providing the DTLS processed first packets to the software; and providing the second packets to the software to perform DTLS processing on the second packets.

15. The method according to claim 14, wherein the performing the DTLS processing on the first packets comprises: finding at least one decryption key based on source and destination data of at least one DTLS header of the first packets; decrypting and authenticating the first packets based on the at least one decryption key; and performing replay protection checks based on DTLS sequence numbers of the first packets.

16. The method according to claim 14, further comprising performing DTLS processing by the software including: finding at least one decryption key based on source and destination data of at least one DTLS header of the second packets; decrypting and authenticate the second packets based on the at least one decryption key; and performing replay protection checks based on DTLS sequence numbers of the second packets.

17. The method according to claim 14, further comprising generating completion queue elements (CQEs) for the second packets indicating that the packets are being offloaded to the software to perform DTLS processing on the second packets.

18. The method according to claim 14, further comprising indicating to DTLS processing circuitry that the second packets are to bypass DTLS processing in the DTLS processing circuitry.

19. The method according to claim 14, further comprising: identifying the first packets for DTLS processing in the packet processing circuitry based on the first packets belonging to at least one first network flow; and identifying the second packets to bypass DTLS processing in the packet processing circuitry and to be provided to the software to perform DTLS processing on the second packets based on the second packets belonging to at least one second network flow.

20. The method according to claim 14, further comprising: identifying the first packets for DTLS processing in the packet processing circuitry based on the first packets supported by a first vers
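The split that claims 1 to 13 describe is easiest to see as a steering decision made on the DTLS record header before any cryptography runs: handshake content types (claims 10 and 11), a DTLS version the circuitry does not handle (claim 8) and an epoch whose key material the host has not yet installed (claims 12 and 13) go to software with a completion entry saying so (claim 5); everything else is authenticated and replay-checked in hardware (claim 2), with the software path doing the same work for the records it receives (claim 4). The following model is an added example written for this page, not code from the patent or from Mellanox. It uses the DTLS 1.2 record layout of RFC 6347 (type, version, epoch, 48-bit sequence number, length), stands in an HMAC-SHA256 tag for the AEAD so it runs on the Python standard library alone, and assumes the flow tuples, keys, completion-entry shape and the hand-over of the replay window at key-install time; none of those details come from the patent text.

```python
"""Model of the hardware/software DTLS split in US12452219B2, claims 1-13.

Added example, not the patent's or Mellanox's code. Record protection is modelled as
an HMAC-SHA256 tag over header and payload instead of AES-GCM; flow tuples, keys,
the completion entry and the window hand-over in Nic.install_epoch are assumptions.
"""
import hashlib
import hmac
import struct

CT_HANDSHAKE, CT_APPLICATION_DATA = 22, 23
DTLS12, DTLS10 = 0xFEFD, 0xFEFF        # version fields {254,253} and {254,255}
HDR = struct.Struct("!BHHHIH")         # type, version, epoch, seq (16+32 bits), length
TAG_LEN = 16


def seal_record(key, ct, version, epoch, seq, payload):
    """Peer side: one protected record (constructed test input; HMAC stands in for AEAD)."""
    hdr = HDR.pack(ct, version, epoch, seq >> 32, seq & 0xFFFFFFFF, len(payload) + TAG_LEN)
    tag = hmac.new(key, hdr + payload, hashlib.sha256).digest()[:TAG_LEN]
    return hdr + payload + tag


def parse_header(datagram):
    """Return (type, version, epoch, seq) of the record at the start of the datagram."""
    if len(datagram) < HDR.size:
        raise ValueError("short DTLS record header")
    ct, ver, epoch, seq_hi, seq_lo, length = HDR.unpack_from(datagram)
    if len(datagram) < HDR.size + length:
        raise ValueError("truncated DTLS record")
    return ct, ver, epoch, (seq_hi << 32) | seq_lo


class ReplayWindow:
    """Sliding anti-replay window over one epoch's sequence numbers (RFC 6347 4.1.2.6 style)."""
    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, None, 0

    def accept(self, seq):
        if self.top is None or seq > self.top:              # newest so far: slide the window
            shift = self.size if self.top is None else seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return True
        behind = self.top - seq
        if behind >= self.size or (self.bitmap >> behind) & 1:
            return False                                     # too old, or already seen
        self.bitmap |= 1 << behind
        return True


def dtls_process(key, window, datagram):
    """Claims 2 and 4: authenticate under the epoch key, then replay-check; shared by both paths.
    The window is advanced only after authentication, so a forged sequence number cannot slide it."""
    hdr, body = datagram[:HDR.size], datagram[HDR.size:]
    payload, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    expected = hmac.new(key, hdr + payload, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return "drop", "authentication failed"
    if not window.accept(parse_header(datagram)[3]):
        return "drop", "replay"
    return "ok", payload


class Nic:
    """Packet processing circuitry holding the epoch keys the host software has offloaded."""
    def __init__(self):
        self.keys, self.windows = {}, {}

    def install_epoch(self, flow, epoch, key, window=None):
        # Assumption: software hands over its replay window with the key. A fresh window
        # here would re-accept sequence numbers software already consumed for this epoch.
        self.keys[(flow, epoch)] = key
        self.windows[(flow, epoch)] = window if window is not None else ReplayWindow()

    def receive(self, flow, datagram):
        """Completion entry: ('hw', plaintext) | ('sw', reason) | ('drop', reason)."""
        ct, ver, epoch, _ = parse_header(datagram)
        if ct != CT_APPLICATION_DATA:
            return "sw", "content type %d" % ct               # claims 10-11: handshake etc.
        if ver != DTLS12:
            return "sw", "version 0x%04x" % ver               # claim 8: other DTLS version
        if (flow, epoch) not in self.keys:
            return "sw", "epoch %d not installed" % epoch     # claims 12-13: key-install race
        status, result = dtls_process(self.keys[(flow, epoch)], self.windows[(flow, epoch)], datagram)
        return ("hw", result) if status == "ok" else ("drop", result)


def scenario():
    """Epoch-1 data offloaded; a rekey to epoch 2 races the key install; one replay per path."""
    flow = ("198.51.100.7", 4433, "203.0.113.9", 5684)     # constructed 4-tuples
    other = ("198.51.100.8", 4433, "203.0.113.9", 5684)
    k1, k2 = b"epoch1-key-material-constructed", b"epoch2-key-material-constructed"
    nic, sw_keys, sw_windows = Nic(), {(flow, 2): k2}, {(flow, 2): ReplayWindow()}
    nic.install_epoch(flow, 1, k1)
    log = []
    for who, dg in [
        (flow, seal_record(k1, CT_APPLICATION_DATA, DTLS12, 1, 0, b"hello")),
        (flow, seal_record(k1, CT_APPLICATION_DATA, DTLS12, 1, 1, b"world")),
        (flow, seal_record(k1, CT_APPLICATION_DATA, DTLS12, 1, 0, b"hello")),    # replayed
        (flow, seal_record(k1, CT_HANDSHAKE, DTLS12, 1, 2, b"Finished")),        # rekey handshake
        (flow, seal_record(k2, CT_APPLICATION_DATA, DTLS12, 2, 0, b"early")),    # key not in NIC yet
        (other, seal_record(k1, CT_APPLICATION_DATA, DTLS10, 1, 0, b"legacy")),  # DTLS 1.0 flow
    ]:
        kind, detail = nic.receive(who, dg)
        if kind == "sw" and detail.startswith("epoch"):       # software does the same work
            epoch = parse_header(dg)[2]
            detail = dtls_process(sw_keys[(who, epoch)], sw_windows[(who, epoch)], dg)[1]
        log.append((kind, detail))
    nic.install_epoch(flow, 2, k2, sw_windows[(flow, 2)])      # software offloads epoch 2
    log.append(nic.receive(flow, seal_record(k2, CT_APPLICATION_DATA, DTLS12, 2, 1, b"late")))
    log.append(nic.receive(flow, seal_record(k2, CT_APPLICATION_DATA, DTLS12, 2, 0, b"early")))
    return log
```

Running scenario() shows the two epoch-1 records and the post-install epoch-2 record decrypted in hardware, the handshake record, the pre-install epoch-2 record and the DTLS 1.0 flow delivered to software, and both replays dropped. The last entry is the point of the window hand-over assumption: the epoch-2 record with sequence number 0 was accepted by software before the key was installed, so the hardware must inherit that state or it will accept the same record again after the install.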

Assignees

Mellanox Technologies Ltd

Inventors

Classifications

  • at the transport layer · CPC title

  • Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up · CPC title

  • wherein the data content is protected, e.g. by encrypting or encapsulating the payload · CPC title (H04L63/0428, primary classification)

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US12452219B2 cover?
In one embodiment, a system includes a networking device including a network interface to receive network packets having headers including datagram transport layer security (DTLS) headers from a remote device over a packet data network, packet processing circuitry to identify first packets of the received packets for DTLS processing in the packet processing circuitry, identify second packets of…
Who is the assignee on this patent?
Mellanox Technologies Ltd
What technology area does this patent fall under?
Primary CPC classification H04L63/0428. Mapped technology areas include Electricity.
When was this patent published?
Publication date Oct 21, 2025 (kind code B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).