author | Maxime Peim <mpeim@cisco.com> | 2022-12-22 11:26:57 +0000 |
committer | Benoît Ganne <bganne@cisco.com> | 2023-10-30 15:23:13 +0000 |
commit | 0e2f188f7c9872d7c946c14d785c6dc7c7c68847 (patch) | |
tree | 1adc39db5e2e0e243811c8ce001d0bd056c0402e /src/plugins | |
parent | 21922cec7339f48989f230248de36a98816c4b1b (diff) |
ipsec: huge anti-replay window support
Type: improvement
Since RFC4303 does not specify the anti-replay window size, VPP should
support multiple window sizes. This is done through a clib_bitmap.
Signed-off-by: Maxime Peim <mpeim@cisco.com>
Change-Id: I3dfe30efd20018e345418bef298ec7cec19b1cfc
Diffstat (limited to 'src/plugins')
-rw-r--r-- | src/plugins/ikev2/ikev2.c | 4 | ||||
-rw-r--r-- | src/plugins/unittest/ipsec_test.c | 19 |
2 files changed, 14 insertions, 9 deletions
diff --git a/src/plugins/ikev2/ikev2.c b/src/plugins/ikev2/ikev2.c
index 3e808736078..ad36068c34d 100644
--- a/src/plugins/ikev2/ikev2.c
+++ b/src/plugins/ikev2/ikev2.c
@@ -2041,7 +2041,7 @@ ikev2_add_tunnel_from_main (ikev2_add_ipsec_tunnel_args_t * a)
 rv = ipsec_sa_add_and_lock (a->local_sa_id, a->local_spi, IPSEC_PROTOCOL_ESP, a->encr_type, &a->loc_ckey, a->integ_type, &a->loc_ikey, a->flags, a->salt_local,
- a->src_port, a->dst_port, &tun_out, NULL);
+ a->src_port, a->dst_port, 0, &tun_out, NULL);
 if (rv)
 goto err0;
@@ -2049,7 +2049,7 @@ ikev2_add_tunnel_from_main (ikev2_add_ipsec_tunnel_args_t * a)
 a->remote_sa_id, a->remote_spi, IPSEC_PROTOCOL_ESP, a->encr_type, &a->rem_ckey, a->integ_type, &a->rem_ikey, (a->flags | IPSEC_SA_FLAG_IS_INBOUND), a->salt_remote,
- a->ipsec_over_udp_port, a->ipsec_over_udp_port, &tun_in, NULL);
+ a->ipsec_over_udp_port, a->ipsec_over_udp_port, 0, &tun_in, NULL);
 if (rv)
 goto err1;
diff --git a/src/plugins/unittest/ipsec_test.c b/src/plugins/unittest/ipsec_test.c
index 55fd031b9b9..bb7f2a8d9e2 100644
--- a/src/plugins/unittest/ipsec_test.c
+++ b/src/plugins/unittest/ipsec_test.c
@@ -18,8 +18,8 @@
 #include <vnet/ipsec/ipsec_output.h>
 static clib_error_t *
-test_ipsec_command_fn (vlib_main_t * vm,
- unformat_input_t * input, vlib_cli_command_t * cmd)
+test_ipsec_command_fn (vlib_main_t *vm, unformat_input_t *input,
+ vlib_cli_command_t *cmd)
 {
 u64 seq_num;
 u32 sa_id;
@@ -48,12 +48,18 @@ test_ipsec_command_fn (vlib_main_t * vm,
 sa->seq = seq_num & 0xffffffff;
 sa->seq_hi = seq_num >> 32;
+ /* clear the window */
+ if (ipsec_sa_is_set_ANTI_REPLAY_HUGE (sa))
+ clib_bitmap_zero (sa->replay_window_huge);
+ else
+ sa->replay_window = 0;
+
 ipsec_sa_unlock (sa_index);
 }
 else
 {
- return clib_error_return (0, "unknown SA `%U'",
- format_unformat_error, input);
+ return clib_error_return (0, "unknown SA `%U'", format_unformat_error,
+ input);
 }
 return (NULL);
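Review bot: The new anti-replay window-size argument is passed as a bare `0` in both ipsec_sa_add_and_lock calls of ikev2.c, and again in the @@ -134 hunk of ipsec_test.c, so none of the three call sites says what 0 selects; presumably it means "use the default window" rather than "no window", but ipsec_sa_add_and_lock's signature is outside this diff and the commit message does not say. A comment at the argument, e.g. `0 /* anti-replay window size: default */` (worded to whatever 0 actually selects), or a named constant shared by the three callers would keep the replay-protection setting readable at the point where IKEv2-negotiated SAs are created. If the huge window is intended to become selectable for IKEv2 tunnels later, a short note to that effect would also help. ikev2_add_tunnel_from_main starts and ends outside these hunks.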
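Review bot: The new `/* clear the window */` comment in the @@ -48 hunk of ipsec_test.c says what the code does but not why it has to sit next to the seq/seq_hi assignment; presumably the window bits are positioned relative to the sequence number that was just overwritten, so a stale window would no longer describe the packets the test expects to accept or drop. A comment such as `/* the replay window is relative to seq; reset it along with the new seq */` would carry that. It is also worth confirming that clib_bitmap_zero tolerates a NULL sa->replay_window_huge for an SA whose bitmap has not been allocated yet; if it does not, the huge branch needs a guard. The enclosing test_ipsec_command_fn starts before this hunk.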
@@ -134,7 +140,7 @@ test_ipsec_spd_outbound_perf_command_fn (vlib_main_t *vm,
 /* creating a new SA */
 rv = ipsec_sa_add_and_lock (sa_id, spi, proto, crypto_alg, &ck, integ_alg, &ik, sa_flags, clib_host_to_net_u32 (salt),
- udp_src, udp_dst, &tun, &sai);
+ udp_src, udp_dst, 0, &tun, &sai);
 if (rv)
 {
 err = clib_error_return (0, "create sa failure");
@@ -368,8 +374,7 @@ VLIB_CLI_COMMAND (test_ipsec_spd_perf_command, static) = {
 };
 /* *INDENT-OFF* */
-VLIB_CLI_COMMAND (test_ipsec_command, static) =
-{
+VLIB_CLI_COMMAND (test_ipsec_command, static) = {
 .path = "test ipsec",
 .short_help = "test ipsec sa <ID> seq-num <VALUE>",
 .function = test_ipsec_command_fn,