diff options
author | Filip Tehlar <ftehlar@cisco.com> | 2020-03-31 05:59:41 +0000 |
---|---|---|
committer | Neale Ranns <nranns@cisco.com> | 2020-04-07 12:29:09 +0000 |
commit | 59fea5a6a3fafe0a5a0d2f543db53af790013e3a (patch) | |
tree | 270cef072f0fcb11bb29c02a4119bed43a6f157e | |
parent | 483a3d819abf13a95b5ded65c3efa360e9b4fdf0 (diff) |
ikev2: make liveness params configurable
Introduce new cli for setting liveness check period and max retries for
a peer to consider its partner dead.
ikev2 set liveness <period-in-seconds> <max-retires>
Type: improvement
Change-Id: Iadae1de245d34fe3ee85e09b570f9df8c401772b
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
-rw-r--r-- | src/plugins/ikev2/ikev2.api | 16 | ||||
-rw-r--r-- | src/plugins/ikev2/ikev2.c | 23 | ||||
-rw-r--r-- | src/plugins/ikev2/ikev2.h | 2 | ||||
-rw-r--r-- | src/plugins/ikev2/ikev2_api.c | 20 | ||||
-rw-r--r-- | src/plugins/ikev2/ikev2_cli.c | 39 | ||||
-rw-r--r-- | src/plugins/ikev2/ikev2_priv.h | 6 | ||||
-rw-r--r-- | src/plugins/ikev2/ikev2_test.c | 28 |
7 files changed, 130 insertions, 4 deletions
diff --git a/src/plugins/ikev2/ikev2.api b/src/plugins/ikev2/ikev2.api index bd330163046..8c56c98f13b 100644 --- a/src/plugins/ikev2/ikev2.api +++ b/src/plugins/ikev2/ikev2.api @@ -346,6 +346,22 @@ autoreply define ikev2_profile_set_ipsec_udp_port u16 port; string name[64]; }; + +/** \brief IKEv2: Set liveness parameters + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + @param period - how often is liveness check performed + @param max_retries - max retries for liveness check +*/ +autoreply define ikev2_profile_set_liveness +{ + u32 client_index; + u32 context; + + u32 period; + u32 max_retries; +}; + /* * Local Variables: * eval: (c-set-style "gnu") diff --git a/src/plugins/ikev2/ikev2.c b/src/plugins/ikev2/ikev2.c index 892f57cd1d6..45da023f104 100644 --- a/src/plugins/ikev2/ikev2.c +++ b/src/plugins/ikev2/ikev2.c @@ -29,7 +29,7 @@ #include <plugins/ikev2/ikev2_priv.h> #include <openssl/sha.h> -#define IKEV2_LIVENESS_RETRIES 2 +#define IKEV2_LIVENESS_RETRIES 3 #define IKEV2_LIVENESS_PERIOD_CHECK 30 ikev2_main_t ikev2_main; @@ -2309,7 +2309,7 @@ ikev2_init_sa (ikev2_sa_t * sa) { ikev2_main_t *km = &ikev2_main; sa->liveness_period_check = - vlib_time_now (km->vlib_main) + IKEV2_LIVENESS_PERIOD_CHECK; + vlib_time_now (km->vlib_main) + km->liveness_period; } static uword @@ -3710,6 +3710,8 @@ ikev2_init (vlib_main_t * vm) km->vnet_main = vnet_get_main (); km->vlib_main = vm; + km->liveness_period = IKEV2_LIVENESS_PERIOD_CHECK; + km->liveness_max_retries = IKEV2_LIVENESS_RETRIES; ikev2_crypto_init (km); mhash_init_vec_string (&km->profile_index_by_name, sizeof (uword)); @@ -3847,6 +3849,19 @@ ikev2_set_log_level (ikev2_log_level_t log_level) return 0; } +clib_error_t * +ikev2_set_liveness_params (u32 period, u32 max_retries) +{ + ikev2_main_t *km = &ikev2_main; + + if (period == 0 || max_retries == 0) + return clib_error_return (0, "invalid args"); + + km->liveness_period = period; + km->liveness_max_retries = max_retries; + return 0; +} + static void ikev2_mngr_process_ipsec_sa (ipsec_sa_t * ipsec_sa) { @@ -3963,7 +3978,7 @@ ikev2_mngr_process_responder_sas (ikev2_sa_t * sa) if (!sa->sk_ai || !sa->sk_ar) return 0; - if (sa->liveness_retries > IKEV2_LIVENESS_RETRIES) + if (sa->liveness_retries >= km->liveness_max_retries) return 1; f64 now = vlib_time_now (vm); @@ -3971,7 +3986,7 @@ ikev2_mngr_process_responder_sas (ikev2_sa_t * sa) if (sa->liveness_period_check < now) { sa->liveness_retries++; - sa->liveness_period_check = now + IKEV2_LIVENESS_PERIOD_CHECK; + sa->liveness_period_check = now + km->liveness_period; ikev2_send_informational_request (sa); } return 0; diff --git a/src/plugins/ikev2/ikev2.h b/src/plugins/ikev2/ikev2.h index d79a031c490..c701e301ce1 100644 --- a/src/plugins/ikev2/ikev2.h +++ b/src/plugins/ikev2/ikev2.h @@ -431,6 +431,8 @@ uword unformat_ikev2_transform_esn_type (unformat_input_t * input, va_list * args); void ikev2_cli_reference (void); +clib_error_t *ikev2_set_liveness_params (u32 period, u32 max_retries); + #endif /* __included_ikev2_h__ */ diff --git a/src/plugins/ikev2/ikev2_api.c b/src/plugins/ikev2/ikev2_api.c index 0064f57483f..ef97898a747 100644 --- a/src/plugins/ikev2/ikev2_api.c +++ b/src/plugins/ikev2/ikev2_api.c @@ -62,6 +62,26 @@ vl_api_ikev2_plugin_get_version_t_handler (vl_api_ikev2_plugin_get_version_t * } static void + vl_api_ikev2_profile_set_liveness_t_handler + (vl_api_ikev2_profile_set_liveness_t * mp) +{ + vl_api_ikev2_profile_set_liveness_reply_t *rmp; + int rv = 0; + +#if WITH_LIBSSL > 0 + clib_error_t *error; + error = ikev2_set_liveness_params (clib_net_to_host_u32 (mp->period), + clib_net_to_host_u32 (mp->max_retries)); + if (error) + rv = VNET_API_ERROR_UNSPECIFIED; +#else + rv = VNET_API_ERROR_UNIMPLEMENTED; +#endif + + REPLY_MACRO (VL_API_IKEV2_PROFILE_SET_LIVENESS_REPLY); +} + +static void vl_api_ikev2_profile_add_del_t_handler (vl_api_ikev2_profile_add_del_t * mp) { vl_api_ikev2_profile_add_del_reply_t *rmp; diff --git a/src/plugins/ikev2/ikev2_cli.c b/src/plugins/ikev2/ikev2_cli.c index 03f9efd696f..ec5867adf87 100644 --- a/src/plugins/ikev2/ikev2_cli.c +++ b/src/plugins/ikev2/ikev2_cli.c @@ -529,6 +529,45 @@ VLIB_CLI_COMMAND (show_ikev2_profile_command, static) = { /* *INDENT-ON* */ static clib_error_t * +set_ikev2_liveness_period_fn (vlib_main_t * vm, + unformat_input_t * input, + vlib_cli_command_t * cmd) +{ + unformat_input_t _line_input, *line_input = &_line_input; + clib_error_t *r = 0; + u32 period = 0, max_retries = 0; + + if (!unformat_user (input, unformat_line_input, line_input)) + return 0; + + while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) + { + if (unformat (line_input, "%d %d", &period, &max_retries)) + { + r = ikev2_set_liveness_params (period, max_retries); + goto done; + } + else + break; + } + + r = clib_error_return (0, "parse error: '%U'", + format_unformat_error, line_input); + +done: + unformat_free (line_input); + return r; +} + +/* *INDENT-OFF* */ +VLIB_CLI_COMMAND (set_ikev2_liveness_command, static) = { + .path = "ikev2 set liveness", + .short_help = "ikev2 set liveness <period> <max-retires>", + .function = set_ikev2_liveness_period_fn, +}; +/* *INDENT-ON* */ + +static clib_error_t * set_ikev2_local_key_command_fn (vlib_main_t * vm, unformat_input_t * input, vlib_cli_command_t * cmd) diff --git a/src/plugins/ikev2/ikev2_priv.h b/src/plugins/ikev2/ikev2_priv.h index c5a632c12a5..a344e716a89 100644 --- a/src/plugins/ikev2/ikev2_priv.h +++ b/src/plugins/ikev2/ikev2_priv.h @@ -490,6 +490,12 @@ typedef struct /* custom ipsec-over-udp ports managed by ike */ uword *udp_ports; + + /* how often a liveness check will be performed */ + u32 liveness_period; + + /* max number of retries before considering peer dead */ + u32 liveness_max_retries; } ikev2_main_t; extern ikev2_main_t ikev2_main; diff --git a/src/plugins/ikev2/ikev2_test.c b/src/plugins/ikev2/ikev2_test.c index 8be42fef427..298125d23b0 100644 --- a/src/plugins/ikev2/ikev2_test.c +++ b/src/plugins/ikev2/ikev2_test.c @@ -106,6 +106,34 @@ api_ikev2_profile_set_ipsec_udp_port (vat_main_t * vam) } static int +api_ikev2_profile_set_liveness (vat_main_t * vam) +{ + unformat_input_t *i = vam->input; + vl_api_ikev2_profile_set_liveness_t *mp; + u32 period = 0, max_retries = 0; + int ret; + + while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) + { + if (!unformat (i, "period %d max-retries %d", &period, &max_retries)) + { + errmsg ("parse error '%U'", format_unformat_error, i); + return -99; + } + } + + M (IKEV2_PROFILE_SET_LIVENESS, mp); + + mp->period = clib_host_to_net_u32 (period); + mp->max_retries = clib_host_to_net_u32 (max_retries); + + S (mp); + W (ret); + + return ret; +} + +static int api_ikev2_profile_add_del (vat_main_t * vam) { unformat_input_t *i = vam->input; |