diff options
| author |   Neale Ranns <nranns@cisco.com> | 2020-10-07 13:58:56 +0000 |
|---|---|---|
| committer |   Damjan Marion <dmarion@me.com> | 2020-10-08 06:20:47 +0000 |
| commit | 970187bd969631da3e81d9bb1691ab88a997f79e (patch) | |
| tree | af2f97c88098f06444434c2678196d9b4f36875c | |
| parent | 21fb4f71ee3824c8f177045f21fea258ece602a9 (diff) | |
ipsec: Allow SAs with NULL auth &crypto on IPSec interface
Type: improvement
on the dedicated IPSec interface, the SA describes the peer, so it is
not possible to forward to a peer for which there is no SA. Therefore if
an SA is added with NULL auth and integ then this explicitly states that
this is what the peer desires.
on the contrary on the IP-IP/GRE interface, in the absence of protection
and an SA, then the traffic is sent in the clear. So adding NULL
auth/crypto iSA is a means to describe that the peer should not be sent
traffic.
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I7ad2d466cc74eb7ff8c4c84e0d7897d06e2fcf86
| -rw-r--r-- | src/vnet/ipsec/ipsec_tun.c | 5 | ||||
| -rw-r--r-- | test/test_ipsec_tun_if_esp.py | 29 |
2 files changed, 28 insertions, 6 deletions
diff --git a/src/vnet/ipsec/ipsec_tun.c b/src/vnet/ipsec/ipsec_tun.c index e2e1a3e405b..4a84201210e 100644 --- a/src/vnet/ipsec/ipsec_tun.c +++ b/src/vnet/ipsec/ipsec_tun.c @@ -147,8 +147,9 @@ ipsec_tun_protect_get_adj_next (vnet_link_t linkt, sa = ipsec_sa_get (itp->itp_out_sa); im = &ipsec_main; - if (sa->crypto_alg == IPSEC_CRYPTO_ALG_NONE && - sa->integ_alg == IPSEC_INTEG_ALG_NONE) + if ((sa->crypto_alg == IPSEC_CRYPTO_ALG_NONE && + sa->integ_alg == IPSEC_INTEG_ALG_NONE) && + !(itp->itp_flags & IPSEC_PROTECT_ITF)) next = (is_ip4 ? im->esp4_no_crypto_tun_node_index : im->esp6_no_crypto_tun_node_index); diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py index 183012608fe..a722ce77bb1 100644 --- a/test/test_ipsec_tun_if_esp.py +++ b/test/test_ipsec_tun_if_esp.py @@ -548,17 +548,17 @@ class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4): {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t. IPSEC_API_CRYPTO_ALG_AES_CBC_192), 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t. - IPSEC_API_INTEG_ALG_SHA1_96), + IPSEC_API_INTEG_ALG_SHA_512_256), 'scapy-crypto': "AES-CBC", - 'scapy-integ': "HMAC-SHA1-96", + 'scapy-integ': "SHA2-512-256", 'salt': 0, 'key': b"JPjyOWBeVEQiMe7hJPjyOWBe"}, {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t. IPSEC_API_CRYPTO_ALG_AES_CBC_256), 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t. - IPSEC_API_INTEG_ALG_SHA1_96), + IPSEC_API_INTEG_ALG_SHA_256_128), 'scapy-crypto': "AES-CBC", - 'scapy-integ': "HMAC-SHA1-96", + 'scapy-integ': "SHA2-256-128", 'salt': 0, 'key': b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"}, {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t. @@ -2623,6 +2623,27 @@ class TestIpsecItf4(TemplateIpsec, self.unconfig_sa(np) self.unconfig_network(p) + def test_tun_44_null(self): + """IPSEC interface IPv4 NULL auth/crypto""" + + n_pkts = 127 + p = copy.copy(self.ipv4_params) + + p.auth_algo_vpp_id = (VppEnum.vl_api_ipsec_integ_alg_t. + IPSEC_API_INTEG_ALG_NONE) + p.crypt_algo_vpp_id = (VppEnum.vl_api_ipsec_crypto_alg_t. + IPSEC_API_CRYPTO_ALG_NONE) + p.crypt_algo = "NULL" + p.auth_algo = "NULL" + + self.config_network(p) + self.config_sa_tun(p, + self.pg0.local_ip4, + self.pg0.remote_ip4) + self.config_protect(p) + + self.verify_tun_44(p, count=n_pkts) + class TemplateIpsecItf6(object): """ IPsec Interface IPv6 """ |