ikev2: add per SA stats

Type: feature

Change-Id: Ic502d806410ea3c8f3f1eac70b694114ccb053bf
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>

7 files changed, 68 insertions, 15 deletions

diff --git a/src/plugins/ikev2/ikev2.api b/src/plugins/ikev2/ikev2.api
index f936e525e4b..32e1a91d1e8 100644
--- a/src/plugins/ikev2/ikev2.api
+++ b/src/plugins/ikev2/ikev2.api
@@ -563,7 +563,7 @@ counters ikev2 {
     units "packets";
     description "IKE rekey requests received";
   };
-  exchange_sa_req {
+  init_sa_req {
     severity info;
     type counter64;
     units "packets";
diff --git a/src/plugins/ikev2/ikev2.c b/src/plugins/ikev2/ikev2.c
index d6ee8f592e2..9b13991cd47 100644
--- a/src/plugins/ikev2/ikev2.c
+++ b/src/plugins/ikev2/ikev2.c
@@ -50,14 +50,6 @@ typedef struct
   u32 sw_if_index;
 } ikev2_trace_t;
 
-typedef struct
-{
-  u16 n_keepalives;
-  u16 n_rekey_req;
-  u16 n_exchange_sa_req;
-  u16 n_ike_auth_req;
-} ikev2_stats_t;
-
 static u8 *
 format_ikev2_trace (u8 * s, va_list * args)
 {
@@ -2439,6 +2431,7 @@ ikev2_generate_message (vlib_buffer_t *b, ikev2_sa_t *sa, ike_header_t *ike,
 	    {
 	      ASSERT (stats != 0);
 	      stats->n_keepalives++;
+	      sa->stats.n_keepalives++;
 	    }
 	}
     }
@@ -2623,6 +2616,7 @@ ikev2_retransmit_sa_init_one (ikev2_sa_t * sa, ike_header_t * ike,
 	  /* req is retransmit */
 	  if (sa->state == IKEV2_STATE_SA_INIT)
 	    {
+	      sa->stats.n_init_retransmit++;
 	      tmp = (ike_header_t *) sa->last_sa_init_res_packet_data;
 	      u32 slen = clib_net_to_host_u32 (tmp->length);
 	      ike->ispi = tmp->ispi;
@@ -2700,6 +2694,7 @@ ikev2_retransmit_resp (ikev2_sa_t * sa, ike_header_t * ike)
   /* retransmitted req */
   if (msg_id == sa->last_msg_id)
     {
+      sa->stats.n_retransmit++;
       ike_header_t *tmp = (ike_header_t *) sa->last_res_packet_data;
       u32 slen = clib_net_to_host_u32 (tmp->length);
       ike->ispi = tmp->ispi;
@@ -2832,10 +2827,10 @@ ikev2_update_stats (vlib_main_t *vm, u32 node_index, ikev2_stats_t *s)
 			       s->n_keepalives);
   vlib_node_increment_counter (vm, node_index, IKEV2_ERROR_REKEY_REQ,
 			       s->n_rekey_req);
-  vlib_node_increment_counter (vm, node_index, IKEV2_ERROR_EXCHANGE_SA_REQ,
-			       s->n_exchange_sa_req);
+  vlib_node_increment_counter (vm, node_index, IKEV2_ERROR_INIT_SA_REQ,
+			       s->n_sa_init_req);
   vlib_node_increment_counter (vm, node_index, IKEV2_ERROR_IKE_AUTH_REQ,
-			       s->n_ike_auth_req);
+			       s->n_sa_auth_req);
 }
 
 static_always_inline uword
@@ -2932,7 +2927,8 @@ ikev2_node_internal (vlib_main_t *vm, vlib_node_runtime_t *node,
 
 	  if (ike_hdr_is_initiator (ike0))
 	    {
-	      stats->n_exchange_sa_req++;
+	      sa0->stats.n_sa_init_req++;
+	      stats->n_sa_init_req++;
 	      if (ike0->rspi == 0)
 		{
 		  if (is_ip4)
@@ -3104,7 +3100,8 @@ ikev2_node_internal (vlib_main_t *vm, vlib_node_runtime_t *node,
 		}
 	      else
 		{
-		  stats->n_ike_auth_req++;
+		  sa0->stats.n_sa_auth_req++;
+		  stats->n_sa_auth_req++;
 		  ike0->flags = IKEV2_HDR_FLAG_RESPONSE;
 		  slen =
 		    ikev2_generate_message (b0, sa0, ike0, 0, udp0, stats);
@@ -3241,6 +3238,7 @@ ikev2_node_internal (vlib_main_t *vm, vlib_node_runtime_t *node,
 		  else
 		    {
 		      stats->n_rekey_req++;
+		      sa0->stats.n_rekey_req++;
 		      ike0->flags = IKEV2_HDR_FLAG_RESPONSE;
 		      slen =
 			ikev2_generate_message (b0, sa0, ike0, 0, udp0, stats);
diff --git a/src/plugins/ikev2/ikev2_api.c b/src/plugins/ikev2/ikev2_api.c
index 00d71143a5d..01a7373a6ae 100644
--- a/src/plugins/ikev2/ikev2_api.c
+++ b/src/plugins/ikev2/ikev2_api.c
@@ -195,6 +195,17 @@ vl_api_ikev2_profile_dump_t_handler (vl_api_ikev2_profile_dump_t * mp)
 }
 
 static void
+ikev2_copy_stats (vl_api_ikev2_sa_stats_t *dst, const ikev2_stats_t *src)
+{
+  dst->n_rekey_req = src->n_rekey_req;
+  dst->n_keepalives = src->n_keepalives;
+  dst->n_retransmit = src->n_retransmit;
+  dst->n_init_sa_retransmit = src->n_init_retransmit;
+  dst->n_sa_init_req = src->n_sa_init_req;
+  dst->n_sa_auth_req = src->n_sa_auth_req;
+}
+
+static void
 send_sa (ikev2_sa_t * sa, vl_api_ikev2_sa_dump_t * mp, u32 api_sa_index)
 {
   vl_api_ikev2_sa_details_t *rmp = 0;
@@ -253,6 +264,8 @@ send_sa (ikev2_sa_t * sa, vl_api_ikev2_sa_dump_t * mp, u32 api_sa_index)
     k->sk_pr_len = vec_len (sa->sk_pr);
     clib_memcpy (&k->sk_pr, sa->sk_pr, k->sk_pr_len);
 
+    ikev2_copy_stats (&rsa->stats, &sa->stats);
+
     vl_api_ikev2_sa_t_endian(rsa);
   });
   /* *INDENT-ON* */
diff --git a/src/plugins/ikev2/ikev2_cli.c b/src/plugins/ikev2/ikev2_cli.c
index efd0a209ebc..7778166254c 100644
--- a/src/plugins/ikev2/ikev2_cli.c
+++ b/src/plugins/ikev2/ikev2_cli.c
@@ -191,6 +191,14 @@ format_ikev2_sa (u8 * s, va_list * va)
 		format_ikev2_child_sa, child, child - sa->childs);
   }
 
+  s = format (s, "Stats:\n");
+  s = format (s, " keepalives :%u\n", sa->stats.n_keepalives);
+  s = format (s, " rekey :%u\n", sa->stats.n_rekey_req);
+  s = format (s, " SA init :%u (retransmit: %u)\n", sa->stats.n_sa_init_req,
+	      sa->stats.n_init_retransmit);
+  s = format (s, " retransmit: %u\n", sa->stats.n_retransmit);
+  s = format (s, " SA auth :%u\n", sa->stats.n_sa_auth_req);
+
   return s;
 }
 
diff --git a/src/plugins/ikev2/ikev2_priv.h b/src/plugins/ikev2/ikev2_priv.h
index fa302dcf21a..799c64372ac 100644
--- a/src/plugins/ikev2/ikev2_priv.h
+++ b/src/plugins/ikev2/ikev2_priv.h
@@ -367,6 +367,16 @@ typedef enum
 
 typedef struct
 {
+  u16 n_keepalives;
+  u16 n_rekey_req;
+  u16 n_sa_auth_req;
+  u16 n_sa_init_req;
+  u16 n_init_retransmit;
+  u16 n_retransmit;
+} ikev2_stats_t;
+
+typedef struct
+{
   ikev2_state_t state;
   u8 unsupported_cp;
   u8 initial_contact;
@@ -446,6 +456,8 @@ typedef struct
   /* is NAT traversal mode */
   ikev2_natt_state_t natt_state;
   u8 keys_generated;
+
+  ikev2_stats_t stats;
 } ikev2_sa_t;
 
 
diff --git a/src/plugins/ikev2/ikev2_types.api b/src/plugins/ikev2/ikev2_types.api
index 9add084f9e3..b279026c2b9 100644
--- a/src/plugins/ikev2/ikev2_types.api
+++ b/src/plugins/ikev2/ikev2_types.api
@@ -128,6 +128,16 @@ typedef ikev2_child_sa
   vl_api_ikev2_sa_transform_t esn;
 };
 
+typedef ikev2_sa_stats
+{
+  u16 n_keepalives;
+  u16 n_rekey_req;
+  u16 n_sa_init_req;
+  u16 n_sa_auth_req;
+  u16 n_retransmit;
+  u16 n_init_sa_retransmit;
+};
+
 typedef ikev2_sa
 {
   u32 sa_index;
@@ -148,4 +158,6 @@ typedef ikev2_sa
   vl_api_ikev2_sa_transform_t integrity;
   vl_api_ikev2_sa_transform_t prf;
   vl_api_ikev2_sa_transform_t dh;
+
+  vl_api_ikev2_sa_stats_t stats;
 };
diff --git a/src/plugins/ikev2/test/test_ikev2.py b/src/plugins/ikev2/test/test_ikev2.py
index e6ccef7786a..9f72ffb4ae5 100644
--- a/src/plugins/ikev2/test/test_ikev2.py
+++ b/src/plugins/ikev2/test/test_ikev2.py
@@ -1325,9 +1325,14 @@ class TemplateResponder(IkePeer):
 
     def verify_counters(self):
         self.assert_counter(2, 'processed', self.IKE_NODE_SUFFIX)
-        self.assert_counter(1, 'exchange_sa_req', self.IKE_NODE_SUFFIX)
+        self.assert_counter(1, 'init_sa_req', self.IKE_NODE_SUFFIX)
         self.assert_counter(1, 'ike_auth_req', self.IKE_NODE_SUFFIX)
 
+        r = self.vapi.ikev2_sa_dump()
+        s = r[0].sa.stats
+        self.assertEqual(1, s.n_sa_auth_req)
+        self.assertEqual(1, s.n_sa_init_req)
+
     def test_responder(self):
         self.send_sa_init_req()
         self.send_sa_auth()
@@ -1862,6 +1867,9 @@ class TestResponderRekey(TestResponderPsk):
         self.sa.calc_child_keys()
         self.verify_ike_sas()
         self.verify_ipsec_sas(is_rekey=True)
+        self.assert_counter(1, 'rekey_req', 'ip4')
+        r = self.vapi.ikev2_sa_dump()
+        self.assertEqual(r[0].sa.stats.n_rekey_req, 1)
 
 
 class TestResponderRsaSign(TemplateResponder, Ikev2Params):
@@ -1942,6 +1950,8 @@ class TestInitiatorKeepaliveMsg(TestInitiatorPsk):
         plain = self.sa.hmac_and_decrypt(ih)
         self.assertEqual(plain, b'')
         self.assert_counter(1, 'keepalive', 'ip4')
+        r = self.vapi.ikev2_sa_dump()
+        self.assertEqual(1, r[0].sa.stats.n_keepalives)
 
     def test_initiator(self):
         super(TestInitiatorKeepaliveMsg, self).test_initiator()