aboutsummaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec/ikev2_priv.h
diff options
context:
space:
mode:
authorRadu Nicolau <radu.nicolau@intel.com>2017-02-16 16:49:46 +0000
committerDamjan Marion <dmarion.lists@gmail.com>2017-02-17 16:32:26 +0000
commitcb33dc2d7a566d571c86b950b4aa92dd7ae01c3c (patch)
treecc767067b6dcaad882982088bd0c62d98a148e23 /src/vnet/ipsec/ikev2_priv.h
parent665e482f2422cab52da221b019bb81993d7950f3 (diff)
Implemented IKEv2 initiator features:
- IKE_SA_INIT and IKE_AUTH initial exchanges - Delete IKA SA - Rekey and delete Child SA - Child SAs lifetime policy To set up one VPP instance as the initiator use the following CLI commands (or API equivalents): ikev2 profile set <id> responder <interface> <addr> ikev2 profile set <id> ike-crypto-alg <crypto alg> <key size> ike-integ-alg <integ alg> ike-dh <dh type> ikev2 profile set <id> esp-crypto-alg <crypto alg> <key size> esp-integ-alg <integ alg> esp-dh <dh type> ikev2 profile set <id> sa-lifetime <seconds> <jitter> <handover> <max bytes> and finally ikev2 initiate sa-init <profile id> to initiate the IKE_SA_INIT exchange Child SA re-keying process: 1. Child SA expires 2. A new Child SA is created using the Child SA rekey exchange 3. For a set time both SAs are alive 4. After the set time interval expires old SA is deleted Any additional settings will not be carried over (i.e. settings of the ipsec<x> interface associated with the Child SA) CLI API additions: ikev2 profile set <id> responder <interface> <addr> ikev2 profile set <id> ike-crypto-alg <crypto alg> <key size> ike-integ-alg <integ alg> ike-dh <dh type> ikev2 profile set <id> esp-crypto-alg <crypto alg> <key size> esp-integ-alg <integ alg> esp-dh <dh type> ikev2 profile set <id> sa-lifetime <seconds> <jitter> <handover> <max bytes> ikev2 initiate sa-init <profile id> ikev2 initiate del-child-sa <child sa ispi> ikev2 initiate del-sa <sa ispi> ikev2 initiate rekey-child-sa <profile id> <child sa ispi> Sample configurations: Responder: ikev2 profile add pr1 ikev2 profile set pr1 auth shared-key-mic string Vpp123 ikev2 profile set pr1 id local fqdn vpp.home.responder ikev2 profile set pr1 id remote fqdn vpp.home.initiator ikev2 profile set pr1 traffic-selector remote ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0 ikev2 profile set pr1 traffic-selector local ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0 Initiator: ikev2 profile add pr1 ikev2 profile set pr1 auth shared-key-mic string Vpp123 ikev2 profile set pr1 id local fqdn vpp.home.initiator ikev2 profile set pr1 id remote fqdn vpp.home.responder ikev2 profile set pr1 traffic-selector local ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0 ikev2 profile set pr1 traffic-selector remote ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0 ikev2 profile set pr1 responder TenGigabitEthernet3/0/1 192.168.40.20 ikev2 profile set pr1 ike-crypto-alg aes-cbc 192 ike-integ-alg sha1-96 ike-dh modp-2048 ikev2 profile set pr1 esp-crypto-alg aes-cbc 192 esp-integ-alg sha1-96 esp-dh ecp-256 ikev2 profile set pr1 sa-lifetime 3600 10 5 0 Change-Id: I1db9084dc787129ea61298223fb7585a6f7eaf9e Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
Diffstat (limited to 'src/vnet/ipsec/ikev2_priv.h')
-rw-r--r--src/vnet/ipsec/ikev2_priv.h63
1 files changed, 52 insertions, 11 deletions
diff --git a/src/vnet/ipsec/ikev2_priv.h b/src/vnet/ipsec/ikev2_priv.h
index 9f67ad2ae6f..5a3dc5202f4 100644
--- a/src/vnet/ipsec/ikev2_priv.h
+++ b/src/vnet/ipsec/ikev2_priv.h
@@ -109,6 +109,21 @@ typedef struct
typedef struct
{
+ u32 sw_if_index;
+ ip4_address_t ip4;
+} ikev2_responder_t;
+
+typedef struct
+{
+ ikev2_transform_encr_type_t crypto_alg;
+ ikev2_transform_integ_type_t integ_alg;
+ ikev2_transform_dh_type_t dh_type;
+ u32 crypto_key_size;
+} ikev2_transforms_set;
+
+
+typedef struct
+{
ikev2_id_type_t type:8;
u8 *data;
} ikev2_id_t;
@@ -128,6 +143,11 @@ typedef struct
u8 *sk_ar;
u8 *sk_ei;
u8 *sk_er;
+
+ /* lifetime data */
+ f64 time_to_expiration;
+ u8 is_expired;
+ i8 rekey_retries;
} ikev2_child_sa_t;
typedef struct
@@ -140,6 +160,7 @@ typedef struct
{
u8 protocol_id;
u32 spi;
+ u32 ispi;
ikev2_sa_proposal_t *i_proposal;
ikev2_sa_proposal_t *r_proposal;
ikev2_ts_t *tsi;
@@ -154,6 +175,24 @@ typedef struct
u8 *data;
} ikev2_notify_t;
+typedef struct
+{
+ u8 *name;
+ u8 is_enabled;
+
+ ikev2_auth_t auth;
+ ikev2_id_t loc_id;
+ ikev2_id_t rem_id;
+ ikev2_ts_t loc_ts;
+ ikev2_ts_t rem_ts;
+ ikev2_responder_t responder;
+ ikev2_transforms_set ike_ts;
+ ikev2_transforms_set esp_ts;
+ u64 lifetime;
+ u64 lifetime_maxdata;
+ u32 lifetime_jitter;
+ u32 handover;
+} ikev2_profile_t;
typedef struct
{
@@ -170,6 +209,7 @@ typedef struct
/* DH data */
u16 dh_group;
u8 *dh_shared_key;
+ u8 *dh_private_key;
u8 *i_dh_data;
u8 *r_dh_data;
@@ -208,20 +248,13 @@ typedef struct
u32 last_msg_id;
u8 *last_res_packet_data;
+ u8 is_initiator;
+ u32 last_init_msg_id;
+ ikev2_profile_t *profile;
+
ikev2_child_sa_t *childs;
} ikev2_sa_t;
-typedef struct
-{
- u8 *name;
- u8 is_enabled;
-
- ikev2_auth_t auth;
- ikev2_id_t loc_id;
- ikev2_id_t rem_id;
- ikev2_ts_t loc_ts;
- ikev2_ts_t rem_ts;
-} ikev2_profile_t;
typedef struct
{
@@ -250,6 +283,11 @@ typedef struct
vlib_main_t *vlib_main;
vnet_main_t *vnet_main;
+ /* pool of IKEv2 Security Associations created in initiator mode */
+ ikev2_sa_t *sais;
+ /* hash */
+ uword *sa_by_ispi;
+
ikev2_main_per_thread_data_t *per_thread_data;
} ikev2_main_t;
@@ -269,6 +307,7 @@ v8 *ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data,
v8 *ikev2_decrypt_data (ikev2_sa_t * sa, u8 * data, int len);
int ikev2_encrypt_data (ikev2_sa_t * sa, v8 * src, u8 * dst);
void ikev2_generate_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t);
+void ikev2_complete_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t);
int ikev2_verify_sign (EVP_PKEY * pkey, u8 * sigbuf, u8 * data);
u8 *ikev2_calc_sign (EVP_PKEY * pkey, u8 * data);
EVP_PKEY *ikev2_load_cert_file (u8 * file);
@@ -291,6 +330,8 @@ typedef struct
void ikev2_payload_add_notify (ikev2_payload_chain_t * c, u16 msg_type,
u8 * data);
+void ikev2_payload_add_notify_2 (ikev2_payload_chain_t * c, u16 msg_type,
+ u8 * data, ikev2_notify_t * notify);
void ikev2_payload_add_sa (ikev2_payload_chain_t * c,
ikev2_sa_proposal_t * proposals);
void ikev2_payload_add_ke (ikev2_payload_chain_t * c, u16 dh_group,