BFD: SHA1 authentication

Add authentication support to BFD feature. Out of three existing
authentication types, implement SHA1 (sole RFC requirement). Simple
password is insecure and MD5 is discouraged by the RFC, so ignore
those.
Add/change APIs to allow configuring BFD authentication keys
and their usage with BFD sessions.

Change-Id: Ifb0fb5b19c2e72196d84c1cde919bd4c074ea415
Signed-off-by: Klement Sekera <ksekera@cisco.com>

1 files changed, 186 insertions, 21 deletions

diff --git a/src/vnet/bfd/bfd.api b/src/vnet/bfd/bfd.api
index 5798ee698ce..17ca35b6004 100644
--- a/src/vnet/bfd/bfd.api
+++ b/src/vnet/bfd/bfd.api
@@ -21,7 +21,8 @@
     @param min_rx - desired min rx interval
     @param detect_mult - desired detection multiplier
 */
-define bfd_set_config {
+define bfd_set_config
+{
   u32 client_index;
   u32 context;
   u32 slow_timer;
@@ -34,14 +35,16 @@ define bfd_set_config {
     @param context - sender context, to match reply w/ request
     @param retval - return code for the request
 */
-define bfd_set_config_reply {
+define bfd_set_config_reply
+{
   u32 context;
   i32 retval;
 };
 
 /** \brief Get BFD configuration
 */
-define bfd_get_config {
+define bfd_get_config
+{
   u32 client_index;
   u32 context;
 };
@@ -54,7 +57,8 @@ define bfd_get_config {
     @param min_rx - desired min rx interval
     @param detect_mult - desired detection multiplier
 */
-define bfd_get_config_reply {
+define bfd_get_config_reply
+{
   u32 client_index;
   u32 context;
   u32 slow_timer;
@@ -69,12 +73,16 @@ define bfd_get_config_reply {
     @param sw_if_index - sw index of the interface
     @param desired_min_tx - desired min transmit interval (microseconds)
     @param required_min_rx - required min receive interval (microseconds)
-    @param detect_mult - detect multiplier (# of packets missed between connection goes down)
     @param local_addr - local address
     @param peer_addr - peer address
     @param is_ipv6 - local_addr, peer_addr are IPv6 if non-zero, otherwise IPv4
+    @param detect_mult - detect multiplier (# of packets missed before connection goes down)
+    @param is_authenticated - non-zero if authentication is required
+    @param bfd_key_id - key id sent out in BFD packets (if is_authenticated)
+    @param conf_key_id - id of already configured key (if is_authenticated)
 */
-define bfd_udp_add {
+define bfd_udp_add
+{
   u32 client_index;
   u32 context;
   u32 sw_if_index;
@@ -84,17 +92,19 @@ define bfd_udp_add {
   u8 peer_addr[16];
   u8 is_ipv6;
   u8 detect_mult;
+  u8 is_authenticated;
+  u8 bfd_key_id;
+  u32 conf_key_id;
 };
 
 /** \brief Add UDP BFD session response
     @param context - sender context, to match reply w/ request
     @param retval - return code for the request
-    @param bs_index - index of the session created
 */
-define bfd_udp_add_reply {
+define bfd_udp_add_reply
+{
   u32 context;
   i32 retval;
-  u32 bs_index;
 };
 
 /** \brief Delete UDP BFD session on interface
@@ -105,7 +115,8 @@ define bfd_udp_add_reply {
     @param peer_addr - peer address
     @param is_ipv6 - local_addr, peer_addr are IPv6 if non-zero, otherwise IPv4
 */
-define bfd_udp_del {
+define bfd_udp_del
+{
   u32 client_index;
   u32 context;
   u32 sw_if_index;
@@ -118,7 +129,8 @@ define bfd_udp_del {
     @param context - sender context, to match reply w/ request
     @param retval - return code for the request
 */
-define bfd_udp_del_reply {
+define bfd_udp_del_reply
+{
   u32 context;
   i32 retval;
 };
@@ -127,48 +139,61 @@ define bfd_udp_del_reply {
     @param client_index - opaque cookie to identify the sender
     @param context - sender context, to match reply w/ request
 */
-define bfd_udp_session_dump {
+define bfd_udp_session_dump
+{
   u32 client_index;
   u32 context;
 };
 
 /** \brief BFD session details structure
     @param context - sender context, to match reply w/ request
-    @param bs_index - index of the session
     @param sw_if_index - sw index of the interface
     @param local_addr - local address
     @param peer_addr - peer address
     @param is_ipv6 - local_addr, peer_addr are IPv6 if non-zero, otherwise IPv4
     @param state - session state
+    @param is_authenticated - non-zero if authentication in-use, zero otherwise
+    @param bfd_key_id - ID of key currently in-use if auth is on
+    @param conf_key_id - configured key ID for this session
 */
-define bfd_udp_session_details {
+define bfd_udp_session_details
+{
   u32 context;
-  u32 bs_index; 
   u32 sw_if_index;
   u8 local_addr[16];
   u8 peer_addr[16];
   u8 is_ipv6;
   u8 state;
+  u8 is_authenticated;
+  u8 bfd_key_id;
+  u32 conf_key_id;
 };
 
-/** \brief Set flags of BFD session
+/** \brief Set flags of BFD UDP session
     @param client_index - opaque cookie to identify the sender
     @param context - sender context, to match reply w/ request
-    @param bs_index - index of the bfd session to set flags on
+    @param sw_if_index - sw index of the interface
+    @param local_addr - local address
+    @param peer_addr - peer address
+    @param is_ipv6 - local_addr, peer_addr are IPv6 if non-zero, otherwise IPv4
     @param admin_up_down - set the admin state, 1 = up, 0 = down
 */
-define bfd_session_set_flags {
+define bfd_udp_session_set_flags
+{
   u32 client_index;
   u32 context;
-  u32 bs_index;
+  u32 sw_if_index;
+  u8 local_addr[16];
+  u8 peer_addr[16];
+  u8 is_ipv6;
   u8 admin_up_down;
 };
 
-/** \brief Reply to bfd_session_set_flags 
+/** \brief Reply to bfd_udp_session_set_flags
     @param context - sender context which was passed in the request
     @param retval - return code of the set flags request
 */
-define bfd_session_set_flags_reply
+define bfd_udp_session_set_flags_reply
 {
   u32 context;
   i32 retval;
@@ -198,6 +223,146 @@ define want_bfd_events_reply
   i32 retval;
 };
 
+/** \brief BFD UDP - add/replace key to configuration
+    @param client_index - opaque cookie to identify the sender
+    @param context - sender context, to match reply w/ request
+    @param conf_key_id - key ID to add/replace/delete
+    @param key_len - length of key (must be non-zero)
+    @param auth_type - authentication type (RFC 5880/4.1/Auth Type)
+    @param key - key data
+*/
+define bfd_auth_set_key
+{
+  u32 client_index;
+  u32 context;
+  u32 conf_key_id;
+  u8 key_len;
+  u8 auth_type;
+  u8 key[20];
+};
+
+/** \brief BFD UDP - add/replace key reply
+    @param context - returned sender context, to match reply w/ request
+    @param retval - return code
+*/
+define bfd_auth_set_key_reply
+{
+  u32 context;
+  i32 retval;
+};
+
+/** \brief BFD UDP - delete key from configuration
+    @param client_index - opaque cookie to identify the sender
+    @param context - sender context, to match reply w/ request
+    @param conf_key_id - key ID to add/replace/delete
+    @param key_len - length of key (must be non-zero)
+    @param key - key data
+*/
+define bfd_auth_del_key
+{
+  u32 client_index;
+  u32 context;
+  u32 conf_key_id;
+};
+
+/** \brief BFD UDP - delete key reply
+    @param context - returned sender context, to match reply w/ request
+    @param retval - return code
+*/
+define bfd_auth_del_key_reply
+{
+  u32 context;
+  i32 retval;
+};
+
+/** \brief Get a list of configured authentication keys
+    @param client_index - opaque cookie to identify the sender
+    @param context - sender context, to match reply w/ request
+*/
+define bfd_auth_keys_dump
+{
+  u32 client_index;
+  u32 context;
+};
+
+/** \brief BFD authentication key details
+    @param context - sender context, to match reply w/ request
+    @param conf_key_id - configured key ID
+    @param use_count - how many BFD sessions currently use this key
+    @param auth_type - authentication type (RFC 5880/4.1/Auth Type)
+*/
+define bfd_auth_keys_details
+{
+  u32 context;
+  u32 conf_key_id;
+  u32 use_count;
+  u8 auth_type;
+};
+
+/** \brief BFD UDP - activate/change authentication
+    @param client_index - opaque cookie to identify the sender
+    @param context - sender context, to match reply w/ request
+    @param sw_if_index - sw index of the interface
+    @param local_addr - local address
+    @param peer_addr - peer address
+    @param is_ipv6 - local_addr, peer_addr are IPv6 if non-zero, otherwise IPv4
+    @param is_delayed - change is applied once peer applies the change (on first received packet with this auth)
+    @param bfd_key_id - key id sent out in BFD packets
+    @param conf_key_id - id of already configured key
+*/
+define bfd_udp_auth_activate
+{
+  u32 client_index;
+  u32 context;
+  u32 sw_if_index;
+  u8 local_addr[16];
+  u8 peer_addr[16];
+  u8 is_ipv6;
+  u8 is_delayed;
+  u8 bfd_key_id;
+  u32 conf_key_id;
+};
+
+/** \brief BFD UDP - activate/change authentication reply
+    @param context - returned sender context, to match reply w/ request
+    @param retval - return code
+*/
+define bfd_udp_auth_activate_reply
+{
+  u32 context;
+  i32 retval;
+};
+
+/** \brief BFD UDP - deactivate authentication
+    @param client_index - opaque cookie to identify the sender
+    @param context - sender context, to match reply w/ request
+    @param sw_if_index - sw index of the interface
+    @param local_addr - local address
+    @param peer_addr - peer address
+    @param is_ipv6 - local_addr, peer_addr are IPv6 if non-zero, otherwise IPv4
+    @param is_delayed - change is applied once peer applies the change (on first received non-authenticated packet)
+*/
+define bfd_udp_auth_deactivate
+{
+  u32 client_index;
+  u32 context;
+  u32 sw_if_index;
+  u8 local_addr[16];
+  u8 peer_addr[16];
+  u8 is_ipv6;
+  u8 is_delayed;
+};
+
+/** \brief BFD UDP - deactivate authentication reply
+    @param context - returned sender context, to match reply w/ request
+    @param retval - return code
+*/
+define bfd_udp_auth_deactivate_reply
+{
+  u32 context;
+  i32 retval;
+};
+
 /*
  * Local Variables:
  * eval: (c-set-style "gnu")