<feed xmlns="http://www.w3.org/2005/Atom">
<title>vpp/src/plugins/ikev2/ikev2.c, branch v23.02</title>
<subtitle>Vector Packet Processing</subtitle>
<id>http://git.fd.io/vpp/atom?h=v23.02</id>
<link rel="self" href="http://git.fd.io/vpp/atom?h=v23.02"/>
<link rel="alternate" type="text/html" href="http://git.fd.io/vpp/"/>
<updated>2022-10-12T14:04:13+00:00</updated>
<entry>
<title>misc: fix issues reported by clang-15</title>
<updated>2022-10-12T14:04:13+00:00</updated>
<author>
<name>Damjan Marion</name>
<email>dmarion@me.com</email>
</author>
<published>2022-10-12T14:02:18+00:00</published>
<link rel="alternate" type="text/html" href="http://git.fd.io/vpp/commit/?id=dd298e804a25dbebc9e284b3b2d0dfd9bf674ad8"/>
<id>urn:sha1:dd298e804a25dbebc9e284b3b2d0dfd9bf674ad8</id>
<content type="text"> Type: improvement Change-Id: I3fbbda0378b72843ecd39a7e8592dedc9757793a Signed-off-by: Damjan Marion <dmarion@me.com> </content>
</entry>
<entry>
<title>ipsec: enable UDP encap for IPv6 ESP tun protect</title>
<updated>2022-08-19T14:13:36+00:00</updated>
<author>
<name>Matthew Smith</name>
<email>mgsmith@netgate.com</email>
</author>
<published>2022-08-09T22:19:38+00:00</published>
<link rel="alternate" type="text/html" href="http://git.fd.io/vpp/commit/?id=6f1eb484c85cfdb091cbef18252a02b3310b9aae"/>
<id>urn:sha1:6f1eb484c85cfdb091cbef18252a02b3310b9aae</id>
<content type="text">
Type: improvement

If an SA protecting an IPv6 tunnel interface has UDP encapsulation enabled, the code in esp_encrypt_inline() inserts a UDP header but does not set the next protocol or the UDP payload length, so the peer that receives the packet drops it. Set the next protocol field and the UDP payload length correctly.

The port(s) for UDP encapsulation of IPsec was not registered for IPv6. Add this registration for IPv6 SAs when UDP encapsulation is enabled.

Add punt handling for IPv6 IKE on NAT-T port. Add registration of linux-cp for the new punt reason.

Add unit tests of IPv6 ESP w/ UDP encapsulation on tun protect.

Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Change-Id: Ibb28e423ab8c7bcea2c1964782a788a0f4da5268
</content>
</entry>
<entry>
<title>ikev2: accept key exchange on CREATE_CHILD_SA</title>
<updated>2022-08-18T08:03:13+00:00</updated>
<author>
<name>Atzm Watanabe</name>
<email>atzmism@gmail.com</email>
</author>
<published>2022-08-12T05:29:31+00:00</published>
<link rel="alternate" type="text/html" href="http://git.fd.io/vpp/commit/?id=c65921f7744a0da09ede876b6588628e3a188529"/>
<id>urn:sha1:c65921f7744a0da09ede876b6588628e3a188529</id>
<content type="text">
In RFC 7296, CREATE_CHILD_SA Exchange may contain the KE payload to enable stronger guarantees of forward secrecy. When the KEi payload is included in the CREATE_CHILD_SA request, responder should reply with the KEr payload and complete the key exchange, in accordance with the RFC.

Type: improvement
Signed-off-by: Atzm Watanabe <atzmism@gmail.com>
Change-Id: I13cf6cf24359c11c3366757e585195bb7e999638
</content>
</entry>
<entry>
<title>ikev2: fix possible SEGV</title>
<updated>2022-08-18T06:31:52+00:00</updated>
<author>
<name>Atzm Watanabe</name>
<email>atzmism@gmail.com</email>
</author>
<published>2022-08-05T09:48:25+00:00</published>
<link rel="alternate" type="text/html" href="http://git.fd.io/vpp/commit/?id=138f65c5b7796c6401cde6ff92edc85f02c367a4"/>
<id>urn:sha1:138f65c5b7796c6401cde6ff92edc85f02c367a4</id>
<content type="text"> Type: fix Signed-off-by: Atzm Watanabe <atzmism@gmail.com> Change-Id: Icbd452b43ecaafe46def1276c98f7e8cbf761e51 </content>
</entry>
<entry>
<title>ikev2: do not accept rekey until old SA is deleted</title>
<updated>2022-08-10T07:44:55+00:00</updated>
<author>
<name>Atzm Watanabe</name>
<email>atzmism@gmail.com</email>
</author>
<published>2022-08-09T05:00:03+00:00</published>
<link rel="alternate" type="text/html" href="http://git.fd.io/vpp/commit/?id=7e6ffba672875f1070348753890d023695d73be6"/>
<id>urn:sha1:7e6ffba672875f1070348753890d023695d73be6</id>
<content type="text"> Type: fix Signed-off-by: Atzm Watanabe <atzmism@gmail.com> Change-Id: I11b6107492004a45104857dc2dae01b9a5a01e3b </content>
</entry>
<entry>
<title>ikev2: fix rekeying with multiple notify payloads</title>
<updated>2022-08-08T07:33:39+00:00</updated>
<author>
<name>Atzm Watanabe</name>
<email>atzmism@gmail.com</email>
</author>
<published>2022-08-08T06:45:36+00:00</published>
<link rel="alternate" type="text/html" href="http://git.fd.io/vpp/commit/?id=03aae9637922023dd77955cb15caafb7ce309200"/>
<id>urn:sha1:03aae9637922023dd77955cb15caafb7ce309200</id>
<content type="text"> Type: fix Signed-off-by: Atzm Watanabe <atzmism@gmail.com> Change-Id: I065bd5c26055d863d786023970e7deeed261b31c </content>
</entry>
<entry>
<title>ikev2: fix tunnel direction</title>
<updated>2022-05-19T14:51:17+00:00</updated>
<author>
<name>Stanislav Zaikin</name>
<email>zstaseg@gmail.com</email>
</author>
<published>2022-05-17T17:18:53+00:00</published>
<link rel="alternate" type="text/html" href="http://git.fd.io/vpp/commit/?id=bf95e3efde3402cf2f7beaf6d70433646cc68280"/>
<id>urn:sha1:bf95e3efde3402cf2f7beaf6d70433646cc68280</id>
<content type="text"> Type: fix Change-Id: I480b1fcace1c27a5cb2d2956cec80b379105b55d Signed-off-by: Stanislav Zaikin <zstaseg@gmail.com> </content>
</entry>
<entry>
<title>ikev2: lazy initialization</title>
<updated>2021-10-08T11:18:23+00:00</updated>
<author>
<name>Benoît Ganne</name>
<email>bganne@cisco.com</email>
</author>
<published>2021-09-28T16:59:53+00:00</published>
<link rel="alternate" type="text/html" href="http://git.fd.io/vpp/commit/?id=3f59c639609be9768f592111e5f8a8a2c23db3ac"/>
<id>urn:sha1:3f59c639609be9768f592111e5f8a8a2c23db3ac</id>
<content type="text">
- do not initialize resources if ikev2 is not used.
- process IKE packets only if we have profile(s) configured

Type: improvement
Change-Id: I57c95a888532eafd70989096c0555ebb1d7bef25
Signed-off-by: Benoît Ganne <bganne@cisco.com>
</content>
</entry>
<entry>
<title>ikev2: do not require optional IDr on IKE AUTH</title>
<updated>2021-10-07T15:22:17+00:00</updated>
<author>
<name>Benoît Ganne</name>
<email>bganne@cisco.com</email>
</author>
<published>2021-09-28T09:19:37+00:00</published>
<link rel="alternate" type="text/html" href="http://git.fd.io/vpp/commit/?id=c7cceeebb738b0fabd93d2c4fdfd561321a2be1d"/>
<id>urn:sha1:c7cceeebb738b0fabd93d2c4fdfd561321a2be1d</id>
<content type="text">
IDr is optional in IKE AUTH from the initiator. In that case, the responder is free to use any matching profile and fills the corresponding IDr in the response. The initiator is then free to accept or reject it.

Type: improvement
Change-Id: I07a1c64a40ed22bd41767c259406238bbbab5cf4
Signed-off-by: Benoît Ganne <bganne@cisco.com>
</content>
</entry>
<entry>
<title>ikev2: add logs in case of parsing errors</title>
<updated>2021-10-07T15:21:55+00:00</updated>
<author>
<name>Benoît Ganne</name>
<email>bganne@cisco.com</email>
</author>
<published>2021-09-29T17:02:58+00:00</published>
<link rel="alternate" type="text/html" href="http://git.fd.io/vpp/commit/?id=b37342c5a7c907e24ab34ab979338cac3b1dfe59"/>
<id>urn:sha1:b37342c5a7c907e24ab34ab979338cac3b1dfe59</id>
<content type="text"> Type: improvement Change-Id: Id0a6a9e68725ea7aa0b7da14cf54d14405a907fb Signed-off-by: Benoît Ganne <bganne@cisco.com> </content>
</entry>
</feed>