summaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec/ipsec_tun_in.c
diff options
context:
space:
mode:
authorNeale Ranns <nranns@cisco.com>2019-12-20 00:54:57 +0000
committerNeale Ranns <nranns@cisco.com>2020-01-04 04:50:47 +0000
commit02950406c49a743f631395ed52073921744e1afd (patch)
tree2891403e2fe8cc879f43d4e46e314a2f412763cb /src/vnet/ipsec/ipsec_tun_in.c
parent2f04cb9f142abef82cd379432cecdafef9e776db (diff)
ipsec: Targeted unit testing
Type: fix 1 - big packets; chained buffers and those without enoguh space to add ESP header 2 - IPv6 extension headers in packets that are encrypted/decrypted 3 - Interface protection with SAs that have null algorithms Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: Ie330861fb06a9b248d9dcd5c730e21326ac8e973
Diffstat (limited to 'src/vnet/ipsec/ipsec_tun_in.c')
-rw-r--r--src/vnet/ipsec/ipsec_tun_in.c52
1 files changed, 0 insertions, 52 deletions
diff --git a/src/vnet/ipsec/ipsec_tun_in.c b/src/vnet/ipsec/ipsec_tun_in.c
index f25a76319f1..e6ad67b433a 100644
--- a/src/vnet/ipsec/ipsec_tun_in.c
+++ b/src/vnet/ipsec/ipsec_tun_in.c
@@ -311,58 +311,6 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
n_bytes = len0;
}
- /*
- * compare the packet's outer IP headers to that of the tunnels
- */
- if (is_ip6)
- {
- if (PREDICT_FALSE
- (!ip46_address_is_equal_v6
- (&itp0->itp_crypto.dst, &ip60->src_address)
- || !ip46_address_is_equal_v6 (&itp0->itp_crypto.src,
- &ip60->dst_address)))
- {
- b[0]->error =
- node->errors
- [IPSEC_TUN_PROTECT_INPUT_ERROR_TUNNEL_MISMATCH];
- next[0] = IPSEC_INPUT_NEXT_DROP;
- goto trace00;
- }
- }
- else
- {
- if (PREDICT_FALSE
- (!ip46_address_is_equal_v4
- (&itp0->itp_crypto.dst, &ip40->src_address)
- || !ip46_address_is_equal_v4 (&itp0->itp_crypto.src,
- &ip40->dst_address)))
- {
- b[0]->error =
- node->errors
- [IPSEC_TUN_PROTECT_INPUT_ERROR_TUNNEL_MISMATCH];
- next[0] = IPSEC_INPUT_NEXT_DROP;
- goto trace00;
- }
- }
-
- /*
- * There are two encap possibilities
- * 1) the tunnel and ths SA are prodiving encap, i.e. it's
- * MAC | SA-IP | TUN-IP | ESP | PAYLOAD
- * implying the SA is in tunnel mode (on a tunnel interface)
- * 2) only the tunnel provides encap
- * MAC | TUN-IP | ESP | PAYLOAD
- * implying the SA is in transport mode.
- *
- * For 2) we need only strip the tunnel encap and we're good.
- * since the tunnel and crypto ecnap (int the tun=protect
- * object) are the same and we verified above that these match
- * for 1) we need to strip the SA-IP outer headers, to
- * reveal the tunnel IP and then check that this matches
- * the configured tunnel. this we can;t do here since it
- * involves a lookup in the per-tunnel-type DB - so ship
- * the packet to the tunnel-types provided node to do that
- */
next[0] = IPSEC_TUN_PROTECT_NEXT_DECRYPT;
}
trace00: