summaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec/ipsec_input.c
diff options
context:
space:
mode:
authorFan Zhang <fanzhang.oss@gmail.com>2024-05-24 16:46:00 +0100
committerBeno�t Ganne <bganne@cisco.com>2024-06-04 12:44:53 +0000
commite7901e88302e8db99a6d02eff19daff785207691 (patch)
tree6ce2b6f1325f6c1cfb6e4302e02350a6ff64f34a /src/vnet/ipsec/ipsec_input.c
parent8c77c1930abd36150edadcf523eceef7810e6487 (diff)
ipsec: fix missing udp port check
Type: fix This patch fixes the missing UDP port check in IPsec NAT-T case. As of RFC3948 UDP encapped ESP traffic should have destination port ID of 4500, which was missing. The related tests are updated with this port ID, too. Change-Id: I73ecc6a93de8d0f4b642313b0f4d9c2f214a7790 Signed-off-by: Fan Zhang <fanzhang.oss@gmail.com>
Diffstat (limited to 'src/vnet/ipsec/ipsec_input.c')
-rw-r--r--src/vnet/ipsec/ipsec_input.c15
1 files changed, 7 insertions, 8 deletions
diff --git a/src/vnet/ipsec/ipsec_input.c b/src/vnet/ipsec/ipsec_input.c
index 6ccc0be2622..9cec7dd15d1 100644
--- a/src/vnet/ipsec/ipsec_input.c
+++ b/src/vnet/ipsec/ipsec_input.c
@@ -299,10 +299,11 @@ ipsec_esp_packet_process (vlib_main_t *vm, ipsec_main_t *im, ip4_header_t *ip0,
search_flow_cache = im->input_flow_cache_flag;
udp_or_esp:
- /* SPI ID field in the ESP header MUST NOT be a zero value */
if (esp0->spi == 0)
{
- /* Drop the packet if SPI ID is zero */
+ /* RFC 4303, section 2.1: The SPI value of zero (0 is reserved for
+ * local, implementation-specific use and MUST NOT be sent on the wire.
+ */
*ipsec_unprocessed += 1;
next[0] = IPSEC_INPUT_NEXT_DROP;
return;
@@ -552,12 +553,10 @@ VLIB_NODE_FN (ipsec4_input_node) (vlib_main_t * vm,
udp_header_t *udp0 = NULL;
udp0 = (udp_header_t *) ((u8 *) ip0 + ip4_header_bytes (ip0));
- /* As per rfc3948 in UDP Encapsulated Header, UDP checksum must be
- * Zero, and receivers must not depen upon UPD checksum.
- * inside ESP header , SPI ID value MUST NOT be a zero value
- * */
-
- if (udp0->checksum == 0)
+ /* RFC5996 Section 2.23 "Port 4500 is reserved for
+ * UDP-encapsulated ESP and IKE."
+ */
+ if (clib_host_to_net_u16 (4500) == udp0->dst_port)
{
esp0 = (esp_header_t *) ((u8 *) udp0 + sizeof (udp_header_t));