diff options
| author |   Neale Ranns <nranns@cisco.com> | 2019-12-20 00:54:57 +0000 |
|---|---|---|
| committer | Neale Ranns <nranns@cisco.com> | 2020-01-04 04:50:47 +0000 |
| commit | 02950406c49a743f631395ed52073921744e1afd (patch) | |
| tree | 2891403e2fe8cc879f43d4e46e314a2f412763cb /src/vnet/ipsec/ipsec_tun_in.c | |
| parent | 2f04cb9f142abef82cd379432cecdafef9e776db (diff) | |
ipsec: Targeted unit testing
Type: fix
1 - big packets; chained buffers and those without enoguh space to add
ESP header
2 - IPv6 extension headers in packets that are encrypted/decrypted
3 - Interface protection with SAs that have null algorithms
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: Ie330861fb06a9b248d9dcd5c730e21326ac8e973
Diffstat (limited to 'src/vnet/ipsec/ipsec_tun_in.c')
| -rw-r--r-- | src/vnet/ipsec/ipsec_tun_in.c | 52 |
1 files changed, 0 insertions, 52 deletions
diff --git a/src/vnet/ipsec/ipsec_tun_in.c b/src/vnet/ipsec/ipsec_tun_in.c index f25a76319f1..e6ad67b433a 100644 --- a/src/vnet/ipsec/ipsec_tun_in.c +++ b/src/vnet/ipsec/ipsec_tun_in.c @@ -311,58 +311,6 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, n_bytes = len0; } - /* - * compare the packet's outer IP headers to that of the tunnels - */ - if (is_ip6) - { - if (PREDICT_FALSE - (!ip46_address_is_equal_v6 - (&itp0->itp_crypto.dst, &ip60->src_address) - || !ip46_address_is_equal_v6 (&itp0->itp_crypto.src, - &ip60->dst_address))) - { - b[0]->error = - node->errors - [IPSEC_TUN_PROTECT_INPUT_ERROR_TUNNEL_MISMATCH]; - next[0] = IPSEC_INPUT_NEXT_DROP; - goto trace00; - } - } - else - { - if (PREDICT_FALSE - (!ip46_address_is_equal_v4 - (&itp0->itp_crypto.dst, &ip40->src_address) - || !ip46_address_is_equal_v4 (&itp0->itp_crypto.src, - &ip40->dst_address))) - { - b[0]->error = - node->errors - [IPSEC_TUN_PROTECT_INPUT_ERROR_TUNNEL_MISMATCH]; - next[0] = IPSEC_INPUT_NEXT_DROP; - goto trace00; - } - } - - /* - * There are two encap possibilities - * 1) the tunnel and ths SA are prodiving encap, i.e. it's - * MAC | SA-IP | TUN-IP | ESP | PAYLOAD - * implying the SA is in tunnel mode (on a tunnel interface) - * 2) only the tunnel provides encap - * MAC | TUN-IP | ESP | PAYLOAD - * implying the SA is in transport mode. - * - * For 2) we need only strip the tunnel encap and we're good. - * since the tunnel and crypto ecnap (int the tun=protect - * object) are the same and we verified above that these match - * for 1) we need to strip the SA-IP outer headers, to - * reveal the tunnel IP and then check that this matches - * the configured tunnel. this we can;t do here since it - * involves a lookup in the per-tunnel-type DB - so ship - * the packet to the tunnel-types provided node to do that - */ next[0] = IPSEC_TUN_PROTECT_NEXT_DECRYPT; } trace00: |