path: root/src/vnet/bfd/bfd_main.h
authorKlement Sekera <ksekera@cisco.com>2017-01-09 07:43:48 +0100
committerDamjan Marion <dmarion.lists@gmail.com>2017-02-02 12:04:30 +0000
commitb17dd9607ee8ecba5ae3ef69c7b4915b57de292a (patch)
treeaa8d22ac4a9ea3adc2f96c4d754273af505950d5 /src/vnet/bfd/bfd_main.h
parent402ed3128512efc091a560729ce1e772a86e9f74 (diff)
BFD: SHA1 authentication
Add authentication support to the BFD feature. Out of the three existing authentication types, implement SHA1 (the sole RFC requirement). Simple password is insecure and MD5 is discouraged by the RFC, so those are ignored. Add/change APIs to allow configuring BFD authentication keys and their use with BFD sessions. Change-Id: Ifb0fb5b19c2e72196d84c1cde919bd4c074ea415 Signed-off-by: Klement Sekera <ksekera@cisco.com>
Diffstat (limited to 'src/vnet/bfd/bfd_main.h')
-rw-r--r--src/vnet/bfd/bfd_main.h79
1 files changed, 68 insertions, 11 deletions
diff --git a/src/vnet/bfd/bfd_main.h b/src/vnet/bfd/bfd_main.h
index 20da381ac23..b66b79e71a0 100644
--- a/src/vnet/bfd/bfd_main.h
+++ b/src/vnet/bfd/bfd_main.h
@@ -25,7 +25,7 @@
#include <vnet/bfd/bfd_udp.h>
#define foreach_bfd_transport(F) \
- F (UDP4, "ip4-rewrite") \
+ F (UDP4, "ip4-rewrite") \
F (UDP6, "ip6-rewrite")
typedef enum
@@ -48,6 +48,24 @@ typedef enum
typedef struct
{
+ /* global configuration key ID */
+ u32 conf_key_id;
+
+ /* keeps track of how many sessions reference this key */
+ u32 use_count;
+
+ /*
+ * key data directly usable for bfd purposes - already padded with zeroes
+ * (so we don't need the actual length)
+ */
+ u8 key[20];
+
+ /* authentication type for this key */
+ bfd_auth_type_e auth_type;
+} bfd_auth_key_t;
+
+typedef struct
+{
/* index in bfd_main.sessions pool */
u32 bs_idx;
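Review bot: The key buffer size in `u8 key[20];` is a bare magic number that nothing in the header names, even though it is the bound the packet-side code must agree with; a named constant such as `enum { BFD_AUTH_KEY_LEN = 20 };` (constructed name) would let both sides share it instead of repeating 20. Since this buffer holds secret key material, the struct comment should also say who clears it when a key entry is returned to the pool — that code is outside this hunk, so I cannot tell whether it happens; suggested wording: `/* secret key material, zero-padded to 20 bytes; clear before the entry is returned to the pool */`. The bfd_session_t definition that begins at the end of this hunk continues past it.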
@@ -120,6 +138,40 @@ typedef struct
/* detection time */
u64 detection_time_clocks;
+ /* authentication information */
+ struct
+ {
+ /* current key in use */
+ bfd_auth_key_t *curr_key;
+
+ /*
+ * set to next key to use if delayed switch is enabled - in that case
+ * the key is switched when first incoming packet is signed with next_key
+ */
+ bfd_auth_key_t *next_key;
+
+ /* sequence number incremented occasionally or always (if meticulous) */
+ u32 local_seq_number;
+
+ /* remote sequence number */
+ u32 remote_seq_number;
+
+ /* set to 1 if remote sequence number is known */
+ u8 remote_seq_number_known;
+
+ /* current key ID sent out in bfd packet */
+ u8 curr_bfd_key_id;
+
+ /* key ID to use when switched to next_key */
+ u8 next_bfd_key_id;
+
+ /*
+ * set to 1 if delayed action is pending, which might be activation
+ * of authentication, change of key or deactivation
+ */
+ u8 is_delayed;
+ } auth;
+
/* transport type for this session */
bfd_transport_t transport;
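Review bot: `bfd_auth_key_t *curr_key` and `bfd_auth_key_t *next_key` hold raw pointers to entries of `bm->auth_keys`, which the later hunk (`/* pool of authentication keys */`) declares as a pool; if that pool is ever grown or reallocated after a session has bound a key, these pointers dangle and the next packet verification reads freed memory. Unless the pool is fixed-size by construction (not visible here), storing the pool index and resolving it on use is the safer shape: `u32 curr_key_idx;` and `u32 next_key_idx;`, with an invalid-index sentinel meaning "no key". The `is_delayed` comment describes three possible pending actions but the struct records only `next_key` / `next_bfd_key_id`, so it would help to state how activation versus deactivation is told apart (presumably by whether `next_key` is NULL — worth confirming in the .c file). The enclosing bfd_session_t starts before and ends after this hunk.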
@@ -131,12 +183,6 @@ typedef struct
typedef struct
{
- u32 client_index;
- u32 client_pid;
-} event_subscriber_t;
-
-typedef struct
-{
/* pool of bfd sessions context data */
bfd_session_t *sessions;
@@ -162,6 +208,12 @@ typedef struct
/* for generating random numbers */
u32 random_seed;
+ /* pool of authentication keys */
+ bfd_auth_key_t *auth_keys;
+
+ /* hashmap - index in pool auth_keys by conf_key_id */
+ u32 *auth_key_by_conf_key_id;
+
} bfd_main_t;
extern bfd_main_t bfd_main;
@@ -202,12 +254,17 @@ bfd_session_t *bfd_find_session_by_disc (bfd_main_t * bm, u32 disc);
void bfd_session_start (bfd_main_t * bm, bfd_session_t * bs);
void bfd_consume_pkt (bfd_main_t * bm, const bfd_pkt_t * bfd, u32 bs_idx);
int bfd_verify_pkt_common (const bfd_pkt_t * pkt);
-int bfd_verify_pkt_session (const bfd_pkt_t * pkt, u16 pkt_size,
- const bfd_session_t * bs);
+int bfd_verify_pkt_auth (const bfd_pkt_t * pkt, u16 pkt_size,
+ bfd_session_t * bs);
void bfd_event (bfd_main_t * bm, bfd_session_t * bs);
-void bfd_send_final (vlib_main_t * vm, vlib_buffer_t * b, bfd_session_t * bs);
+void bfd_init_final_control_frame (vlib_main_t * vm, vlib_buffer_t * b,
+ bfd_session_t * bs);
u8 *format_bfd_session (u8 * s, va_list * args);
-
+void bfd_session_set_flags (bfd_session_t * bs, u8 admin_up_down);
+unsigned bfd_auth_type_supported (bfd_auth_type_e auth_type);
+vnet_api_error_t bfd_auth_activate (bfd_session_t * bs, u32 conf_key_id,
+ u8 bfd_key_id, u8 is_delayed);
+vnet_api_error_t bfd_auth_deactivate (bfd_session_t * bs, u8 is_delayed);
#define USEC_PER_MS 1000LL
#define USEC_PER_SECOND (1000 * USEC_PER_MS)
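Review bot: The new authentication entry points (`bfd_auth_activate`, `bfd_auth_deactivate`, `bfd_auth_type_supported`, `bfd_verify_pkt_auth`) are declared without any comment describing their contract, and `bfd_verify_pkt_auth` drops the `const` that the replaced `bfd_verify_pkt_session` had on `bs`, which suggests verification now updates session state (presumably the remote sequence number or the delayed key switch) — that side effect is exactly what a caller needs to know. A short Doxygen block on each declaration should state the return convention (what a non-zero result of `bfd_verify_pkt_auth` means, and that the activate/deactivate functions report failure through `vnet_api_error_t`) and that `is_delayed` defers the change until the peer's next authenticated packet rather than applying it immediately. `bfd_auth_type_supported` returning `unsigned` for what reads like a yes/no answer also deserves a one-line comment on its value, e.g. `/* non-zero if auth_type can be negotiated by this implementation */`.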