ipsec: make pre-shared keys harder to misuse

Using pre-shared keys is usually a bad idea, one should use eg. IKEv2
instead, but one does not always have the choice.

For AES-CBC, the IV must be unpredictable (see NIST SP800-38a Appendix
C) whereas for AES-CTR or AES-GCM, the IV should never be reused with
the same key material (see NIST SP800-38a Appendix B and NIST SP800-38d
section 8).
If one uses pre-shared keys and VPP is restarted, the IV counter
restarts at 0 and the same IVs are generated with the same pre-shared
keys materials.

To fix those issues we follow the recommendation from NIST SP800-38a
and NIST SP800-38d:
 - we use a PRNG (not cryptographically secured) to generate IVs to
avoid generating the same IV sequence between VPP restarts. The PRNG is
chosen so that there is a low chance of generating the same sequence
 - for AES-CBC, the generated IV is encrypted as part of the message.
This makes the (predictable) PRNG-generated IV unpredictable as it is
encrypted with the secret key
 - for AES-CTR and GCM, we use the IV as-is as predictable IVs are fine

Most of the changes in this patch are caused by the need to shoehorn an
additional state of 2 u64 for the PRNG in the 1st cacheline of the SA
object.

Type: improvement

Change-Id: I2af89c21ae4b2c4c33dd21aeffcfb79c13c9d84c
Signed-off-by: Benoît Ganne <bganne@cisco.com>

1 files changed, 0 insertions, 3 deletions

diff --git a/src/vnet/ipsec/esp.h b/src/vnet/ipsec/esp.h
index 05773a2a328..311882af08e 100644
--- a/src/vnet/ipsec/esp.h
+++ b/src/vnet/ipsec/esp.h
@@ -86,9 +86,6 @@ typedef struct esp_aead_t_
 } __clib_packed esp_aead_t;
 
 #define ESP_SEQ_MAX		(4294967295UL)
-#define ESP_MAX_BLOCK_SIZE	(16)
-#define ESP_MAX_IV_SIZE		(16)
-#define ESP_MAX_ICV_SIZE	(32)
 
 u8 *format_esp_header (u8 * s, va_list * args);