diff options
| author |   Maxime Peim <mpeim@cisco.com> | 2022-12-22 11:26:57 +0000 |
|---|---|---|
| committer |   Beno�t Ganne <bganne@cisco.com> | 2023-10-30 15:23:13 +0000 |
| commit | 0e2f188f7c9872d7c946c14d785c6dc7c7c68847 (patch) | |
| tree | 1adc39db5e2e0e243811c8ce001d0bd056c0402e /src/vnet/ipsec/ipsec_cli.c | |
| parent | 21922cec7339f48989f230248de36a98816c4b1b (diff) | |
ipsec: huge anti-replay window support
Type: improvement
Since RFC4303 does not specify the anti-replay window size, VPP should
support multiple window size. It is done through a clib_bitmap.
Signed-off-by: Maxime Peim <mpeim@cisco.com>
Change-Id: I3dfe30efd20018e345418bef298ec7cec19b1cfc
Diffstat (limited to 'src/vnet/ipsec/ipsec_cli.c')
| -rw-r--r-- | src/vnet/ipsec/ipsec_cli.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c index 6cb9aba4d8a..5aef630a33f 100644 --- a/src/vnet/ipsec/ipsec_cli.c +++ b/src/vnet/ipsec/ipsec_cli.c @@ -88,6 +88,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, unformat_input_t _line_input, *line_input = &_line_input; ipsec_crypto_alg_t crypto_alg; ipsec_integ_alg_t integ_alg; + u32 anti_replay_window_size; ipsec_protocol_t proto; ipsec_sa_flags_t flags; clib_error_t *error; @@ -105,6 +106,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, is_add = 0; flags = IPSEC_SA_FLAG_NONE; proto = IPSEC_PROTOCOL_ESP; + anti_replay_window_size = 0; integ_alg = IPSEC_INTEG_ALG_NONE; crypto_alg = IPSEC_CRYPTO_ALG_NONE; udp_src = udp_dst = IPSEC_UDP_PORT_NONE; @@ -153,6 +155,9 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, udp_src = i; else if (unformat (line_input, "udp-dst-port %d", &i)) udp_dst = i; + else if (unformat (line_input, "anti-replay-size %d", + &anti_replay_window_size)) + flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY; else if (unformat (line_input, "inbound")) flags |= IPSEC_SA_FLAG_IS_INBOUND; else if (unformat (line_input, "use-anti-replay")) @@ -184,9 +189,10 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, error = clib_error_return (0, "missing spi"); goto done; } - rv = ipsec_sa_add_and_lock (id, spi, proto, crypto_alg, &ck, integ_alg, - &ik, flags, clib_host_to_net_u32 (salt), - udp_src, udp_dst, &tun, &sai); + rv = + ipsec_sa_add_and_lock (id, spi, proto, crypto_alg, &ck, integ_alg, &ik, + flags, clib_host_to_net_u32 (salt), udp_src, + udp_dst, anti_replay_window_size, &tun, &sai); } else { |