diff options
author | Neale Ranns <nranns@cisco.com> | 2020-01-02 04:06:10 +0000 |
---|---|---|
committer | Ole Tr�an <otroan@employees.org> | 2020-11-02 08:49:08 +0000 |
commit | 041add7d12217494934b651e4e38b5eab5216ddc (patch) | |
tree | 42f6ed8c3e4477b7c7cf93b19f227e4fc0afb4cb /src | |
parent | 62877029aac3e05a1e1db579aeaad42bca5a70a4 (diff) |
ipsec: Tunnel SA DSCP behaviour
Type: feature
- use tunnel_encap_decap_flags to control the copying of DSCP/ECN/etc
during IPSEC tunnel mode encap.
- use DSCP value to have fixed encap value.
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: If4f51fd4c1dcbb0422aac9bd078e5c14af5bf11f
Diffstat (limited to 'src')
-rw-r--r-- | src/plugins/ikev2/ikev2.c | 8 | ||||
-rw-r--r-- | src/vnet/ip/ip.c | 18 | ||||
-rw-r--r-- | src/vnet/ip/ip6_packet.h | 13 | ||||
-rw-r--r-- | src/vnet/ip/ip_packet.h | 2 | ||||
-rw-r--r-- | src/vnet/ipsec/ah_encrypt.c | 38 | ||||
-rw-r--r-- | src/vnet/ipsec/esp_encrypt.c | 39 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec.api | 48 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_api.c | 188 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_cli.c | 16 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_format.c | 6 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_sa.c | 11 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_sa.h | 7 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_types.api | 30 | ||||
-rw-r--r-- | src/vnet/tunnel/tunnel_dp.h | 57 |
14 files changed, 434 insertions, 47 deletions
diff --git a/src/plugins/ikev2/ikev2.c b/src/plugins/ikev2/ikev2.c index 05dfb604006..f3ac6f69318 100644 --- a/src/plugins/ikev2/ikev2.c +++ b/src/plugins/ikev2/ikev2.c @@ -1856,13 +1856,17 @@ ikev2_add_tunnel_from_main (ikev2_add_ipsec_tunnel_args_t * a) IPSEC_PROTOCOL_ESP, a->encr_type, &a->loc_ckey, a->integ_type, &a->loc_ikey, a->flags, 0, a->salt_local, &zero_addr, - &zero_addr, NULL, a->src_port, a->dst_port); + &zero_addr, TUNNEL_ENCAP_DECAP_FLAG_NONE, + IP_DSCP_CS0, NULL, a->src_port, a->dst_port); + rv |= ipsec_sa_add_and_lock (a->remote_sa_id, a->remote_spi, IPSEC_PROTOCOL_ESP, a->encr_type, &a->rem_ckey, a->integ_type, &a->rem_ikey, (a->flags | IPSEC_SA_FLAG_IS_INBOUND), 0, a->salt_remote, &zero_addr, - &zero_addr, NULL, a->ipsec_over_udp_port, + &zero_addr, TUNNEL_ENCAP_DECAP_FLAG_NONE, + IP_DSCP_CS0, NULL, + a->ipsec_over_udp_port, a->ipsec_over_udp_port); rv |= ipsec_tun_protect_update (sw_if_index, NULL, a->local_sa_id, sas_in); diff --git a/src/vnet/ip/ip.c b/src/vnet/ip/ip.c index bceb529ee6f..062f5e7a4ef 100644 --- a/src/vnet/ip/ip.c +++ b/src/vnet/ip/ip.c @@ -155,6 +155,24 @@ format_ip_dscp (u8 * s, va_list * va) return (format (s, "unknown")); } +uword +unformat_ip_dscp (unformat_input_t * input, va_list * args) +{ + ip_dscp_t *dscp = va_arg (*args, ip_dscp_t *); + + if (0) + ; +#define _(n,v) \ + else if (unformat (input, #v)) \ + *dscp = IP_DSCP_##v; + foreach_ip_dscp +#undef _ + else + return 0; + + return 1; +} + u8 * format_ip_ecn (u8 * s, va_list * va) { diff --git a/src/vnet/ip/ip6_packet.h b/src/vnet/ip/ip6_packet.h index 7bbdd197f2f..34bc7a8ec1a 100644 --- a/src/vnet/ip/ip6_packet.h +++ b/src/vnet/ip/ip6_packet.h @@ -310,31 +310,36 @@ typedef struct ip6_address_t src_address, dst_address; } ip6_header_t; +#define IP6_PACKET_TC_MASK 0x0FF00000 +#define IP6_PACKET_DSCP_MASK 0x0FC00000 +#define IP6_PACKET_ECN_MASK 0x00300000 + always_inline ip_dscp_t ip6_traffic_class (const ip6_header_t * i) { - return (i->ip_version_traffic_class_and_flow_label & 0x0FF00000) >> 20; + return (i->ip_version_traffic_class_and_flow_label & IP6_PACKET_TC_MASK) >> + 20; } static_always_inline ip_dscp_t ip6_traffic_class_network_order (const ip6_header_t * ip6) { return (clib_net_to_host_u32 (ip6->ip_version_traffic_class_and_flow_label) - & 0x0ff00000) >> 20; + & IP6_PACKET_TC_MASK) >> 20; } static_always_inline ip_dscp_t ip6_dscp_network_order (const ip6_header_t * ip6) { return (clib_net_to_host_u32 (ip6->ip_version_traffic_class_and_flow_label) - & 0x0fc00000) >> 22; + & IP6_PACKET_DSCP_MASK) >> 22; } static_always_inline ip_ecn_t ip6_ecn_network_order (const ip6_header_t * ip6) { return (clib_net_to_host_u32 (ip6->ip_version_traffic_class_and_flow_label) - & 0x00300000) >> 20; + & IP6_PACKET_ECN_MASK) >> 20; } static_always_inline void diff --git a/src/vnet/ip/ip_packet.h b/src/vnet/ip/ip_packet.h index 52a65e78c24..e1089ec308e 100644 --- a/src/vnet/ip/ip_packet.h +++ b/src/vnet/ip/ip_packet.h @@ -42,6 +42,7 @@ #include <vppinfra/byte_order.h> #include <vppinfra/error.h> +#include <vppinfra/format.h> typedef enum ip_protocol { @@ -119,6 +120,7 @@ typedef enum ip_dscp_t_ } __clib_packed ip_dscp_t; extern u8 *format_ip_dscp (u8 * s, va_list * va); +unformat_function_t unformat_ip_dscp; /** * IP DSCP bit shift diff --git a/src/vnet/ipsec/ah_encrypt.c b/src/vnet/ipsec/ah_encrypt.c index b4e9af34802..d89cb093f26 100644 --- a/src/vnet/ipsec/ah_encrypt.c +++ b/src/vnet/ipsec/ah_encrypt.c @@ -22,6 +22,7 @@ #include <vnet/ipsec/ipsec.h> #include <vnet/ipsec/esp.h> #include <vnet/ipsec/ah.h> +#include <vnet/tunnel/tunnel_dp.h> #define foreach_ah_encrypt_next \ _ (DROP, "error-drop") \ @@ -111,12 +112,13 @@ typedef struct { union { + /* Variable fields in the IP header not covered by the AH + * integrity check */ struct { u8 hop_limit; u32 ip_version_traffic_class_and_flow_label; }; - struct { u8 ttl; @@ -209,8 +211,6 @@ ah_encrypt_inline (vlib_main_t * vm, ssize_t adv; ih0 = vlib_buffer_get_current (b[0]); - pd->ttl = ih0->ip4.ttl; - pd->tos = ih0->ip4.tos; if (PREDICT_TRUE (ipsec_sa_is_set_IS_TUNNEL (sa0))) { @@ -246,10 +246,20 @@ ah_encrypt_inline (vlib_main_t * vm, ip_hdr_size = sizeof (ip6_header_t); oh6_0 = vlib_buffer_get_current (b[0]); pd->current_data = b[0]->current_data; - pd->hop_limit = ih6_0->ip6.hop_limit; - pd->ip_version_traffic_class_and_flow_label = + + oh6_0->ip6.ip_version_traffic_class_and_flow_label = ih6_0->ip6.ip_version_traffic_class_and_flow_label; + + ip6_set_dscp_network_order (&oh6_0->ip6, sa0->dscp); + + tunnel_encap_fixup_6o6 (sa0->tunnel_flags, + &ih6_0->ip6, &oh6_0->ip6); + + pd->ip_version_traffic_class_and_flow_label = + oh6_0->ip6.ip_version_traffic_class_and_flow_label; + oh6_0->ip6.ip_version_traffic_class_and_flow_label = 0; + if (PREDICT_TRUE (ipsec_sa_is_set_IS_TUNNEL (sa0))) { next_hdr_type = IP_PROTOCOL_IPV6; @@ -275,8 +285,24 @@ ah_encrypt_inline (vlib_main_t * vm, { ip_hdr_size = sizeof (ip4_header_t); oh0 = vlib_buffer_get_current (b[0]); - clib_memset (oh0, 0, sizeof (ip4_and_ah_header_t)); + pd->ttl = ih0->ip4.ttl; + + if (sa0->dscp) + pd->tos = sa0->dscp << 2; + else + { + pd->tos = ih0->ip4.tos; + if (! + (sa0->tunnel_flags & + TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_DSCP)) + pd->tos &= 0x3; + if (! + (sa0->tunnel_flags & + TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_ECN)) + pd->tos &= 0xfc; + } pd->current_data = b[0]->current_data; + clib_memset (oh0, 0, sizeof (ip4_and_ah_header_t)); if (PREDICT_TRUE (ipsec_sa_is_set_IS_TUNNEL (sa0))) { diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c index f5461684166..ed49cdc97eb 100644 --- a/src/vnet/ipsec/esp_encrypt.c +++ b/src/vnet/ipsec/esp_encrypt.c @@ -24,6 +24,7 @@ #include <vnet/ipsec/ipsec.h> #include <vnet/ipsec/ipsec_tun.h> #include <vnet/ipsec/esp.h> +#include <vnet/tunnel/tunnel_dp.h> #define foreach_esp_encrypt_next \ _(DROP4, "ip4-drop") \ @@ -743,9 +744,22 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, u16 len = sizeof (ip6_header_t); hdr_len += len; ip6 = (ip6_header_t *) (payload - hdr_len); - clib_memcpy_fast (ip6, &sa0->ip6_hdr, len); - *next_hdr_ptr = (is_ip6 ? - IP_PROTOCOL_IPV6 : IP_PROTOCOL_IP_IN_IP); + clib_memcpy_fast (ip6, &sa0->ip6_hdr, sizeof (ip6_header_t)); + + if (is_ip6) + { + *next_hdr_ptr = IP_PROTOCOL_IPV6; + tunnel_encap_fixup_6o6 (sa0->tunnel_flags, + (const ip6_header_t *) payload, + ip6); + } + else + { + *next_hdr_ptr = IP_PROTOCOL_IP_IN_IP; + tunnel_encap_fixup_4o6 (sa0->tunnel_flags, + (const ip4_header_t *) payload, + ip6); + } len = payload_len_total + hdr_len - len; ip6->payload_length = clib_net_to_host_u16 (len); } @@ -755,9 +769,22 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, u16 len = sizeof (ip4_header_t); hdr_len += len; ip4 = (ip4_header_t *) (payload - hdr_len); - clib_memcpy_fast (ip4, &sa0->ip4_hdr, len); - *next_hdr_ptr = (is_ip6 ? - IP_PROTOCOL_IPV6 : IP_PROTOCOL_IP_IN_IP); + clib_memcpy_fast (ip4, &sa0->ip4_hdr, sizeof (ip4_header_t)); + + if (is_ip6) + { + *next_hdr_ptr = IP_PROTOCOL_IPV6; + tunnel_encap_fixup_6o4_w_chksum (sa0->tunnel_flags, + (const ip6_header_t *) + payload, ip4); + } + else + { + *next_hdr_ptr = IP_PROTOCOL_IP_IN_IP; + tunnel_encap_fixup_4o4_w_chksum (sa0->tunnel_flags, + (const ip4_header_t *) + payload, ip4); + } len = payload_len_total + hdr_len; esp_update_ip4_hdr (ip4, len, /* is_transport */ 0, 0); } diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api index 89dcdb761de..178c7c6f46e 100644 --- a/src/vnet/ipsec/ipsec.api +++ b/src/vnet/ipsec/ipsec.api @@ -196,12 +196,25 @@ define ipsec_sad_entry_add_del bool is_add; vl_api_ipsec_sad_entry_t entry; }; +define ipsec_sad_entry_add_del_v2 +{ + u32 client_index; + u32 context; + bool is_add; + vl_api_ipsec_sad_entry_v2_t entry; +}; define ipsec_sad_entry_add_del_reply { u32 context; i32 retval; u32 stat_index; }; +define ipsec_sad_entry_add_del_v2_reply +{ + u32 context; + i32 retval; + u32 stat_index; +}; /** \brief Add or Update Protection for a tunnel with IPSEC @@ -439,25 +452,17 @@ define ipsec_sa_dump u32 context; u32 sa_id; }; +define ipsec_sa_v2_dump +{ + u32 client_index; + u32 context; + u32 sa_id; +}; /** \brief IPsec security association database response @param context - sender context which was passed in the request - @param sa_id - SA ID, policy-based SAs >=0, tunnel interface SAs = 0 + @param entry - The SA details @param sw_if_index - sw_if_index of tunnel interface, policy-based SAs = ~0 - @param spi - security parameter index - @param protocol - IPsec protocol (value from ipsec_protocol_t) - @param crypto_alg - crypto algorithm (value from ipsec_crypto_alg_t) - @param crypto_key_len - length of crypto_key in bytes - @param crypto_key - crypto keying material - @param integ_alg - integrity algorithm (value from ipsec_integ_alg_t) - @param integ_key_len - length of integ_key in bytes - @param integ_key - integrity keying material - @param use_esn - using extended sequence numbers when non-zero - @param use_anti_replay - using anti-replay window when non-zero - @param is_tunnel - IPsec tunnel mode when non-zero, else transport mode - @param is_tunnel_ipv6 - If using tunnel mode, endpoints are IPv6 - @param tunnel_src_addr - Tunnel source address if using tunnel mode - @param tunnel_dst_addr - Tunnel destination address is using tunnel mode @param salt - 4 byte salt @param seq - current sequence number for outbound @param seq_hi - high 32 bits of ESN for outbound @@ -465,7 +470,6 @@ define ipsec_sa_dump @param last_seq_hi - high 32 bits of highest ESN received inbound @param replay_window - bit map of seq nums received relative to last_seq if using anti-replay @param stat_index - index for the SA in the stats segment @ /net/ipsec/sa - @param udp_encap - 1 if UDP encap enabled, 0 otherwise */ define ipsec_sa_details { u32 context; @@ -479,6 +483,18 @@ define ipsec_sa_details { u32 stat_index; }; +define ipsec_sa_v2_details { + u32 context; + vl_api_ipsec_sad_entry_v2_t entry; + + vl_api_interface_index_t sw_if_index; + u32 salt; + u64 seq_outbound; + u64 last_seq_inbound; + u64 replay_window; + + u32 stat_index; +}; /** \brief Set new SA on IPsec interface diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c index f623cced0c7..7003791c8c8 100644 --- a/src/vnet/ipsec/ipsec_api.c +++ b/src/vnet/ipsec/ipsec_api.c @@ -28,6 +28,7 @@ #include <vnet/tunnel/tunnel_types_api.h> #include <vnet/fib/fib.h> #include <vnet/ipip/ipip.h> +#include <vnet/tunnel/tunnel_types_api.h> #include <vnet/vnet_msg_enum.h> @@ -58,7 +59,9 @@ _(IPSEC_SPD_ADD_DEL, ipsec_spd_add_del) \ _(IPSEC_INTERFACE_ADD_DEL_SPD, ipsec_interface_add_del_spd) \ _(IPSEC_SPD_ENTRY_ADD_DEL, ipsec_spd_entry_add_del) \ _(IPSEC_SAD_ENTRY_ADD_DEL, ipsec_sad_entry_add_del) \ +_(IPSEC_SAD_ENTRY_ADD_DEL_V2, ipsec_sad_entry_add_del_v2) \ _(IPSEC_SA_DUMP, ipsec_sa_dump) \ +_(IPSEC_SA_V2_DUMP, ipsec_sa_v2_dump) \ _(IPSEC_SPDS_DUMP, ipsec_spds_dump) \ _(IPSEC_SPD_DUMP, ipsec_spd_dump) \ _(IPSEC_SPD_INTERFACE_DUMP, ipsec_spd_interface_dump) \ @@ -380,7 +383,10 @@ static void vl_api_ipsec_sad_entry_add_del_t_handler crypto_alg, &crypto_key, integ_alg, &integ_key, flags, 0, mp->entry.salt, &tun_src, &tun_dst, - &sa_index, htons (mp->entry.udp_src_port), + TUNNEL_ENCAP_DECAP_FLAG_NONE, + IP_DSCP_CS0, + &sa_index, + htons (mp->entry.udp_src_port), htons (mp->entry.udp_dst_port)); else rv = ipsec_sa_unlock_id (id); @@ -398,6 +404,83 @@ out: /* *INDENT-ON* */ } +static void vl_api_ipsec_sad_entry_add_del_v2_t_handler + (vl_api_ipsec_sad_entry_add_del_v2_t * mp) +{ + vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main (); + vl_api_ipsec_sad_entry_add_del_v2_reply_t *rmp; + ip46_address_t tun_src = { }, tun_dst = + { + }; + tunnel_encap_decap_flags_t tunnel_flags; + ipsec_key_t crypto_key, integ_key; + ipsec_crypto_alg_t crypto_alg; + ipsec_integ_alg_t integ_alg; + ipsec_protocol_t proto; + ipsec_sa_flags_t flags; + u32 id, spi, sa_index = ~0; + int rv; + +#if WITH_LIBSSL > 0 + + id = ntohl (mp->entry.sad_id); + spi = ntohl (mp->entry.spi); + + rv = ipsec_proto_decode (mp->entry.protocol, &proto); + + if (rv) + goto out; + + rv = ipsec_crypto_algo_decode (mp->entry.crypto_algorithm, &crypto_alg); + + if (rv) + goto out; + + rv = ipsec_integ_algo_decode (mp->entry.integrity_algorithm, &integ_alg); + + if (rv) + goto out; + + rv = + tunnel_encap_decap_flags_decode (mp->entry.tunnel_flags, &tunnel_flags); + + if (rv) + goto out; + + ipsec_key_decode (&mp->entry.crypto_key, &crypto_key); + ipsec_key_decode (&mp->entry.integrity_key, &integ_key); + + flags = ipsec_sa_flags_decode (mp->entry.flags); + + ip_address_decode (&mp->entry.tunnel_src, &tun_src); + ip_address_decode (&mp->entry.tunnel_dst, &tun_dst); + + if (mp->is_add) + rv = ipsec_sa_add_and_lock (id, spi, proto, + crypto_alg, &crypto_key, + integ_alg, &integ_key, flags, + 0, mp->entry.salt, &tun_src, &tun_dst, + tunnel_flags, + ip_dscp_decode (mp->entry.dscp), + &sa_index, + htons (mp->entry.udp_src_port), + htons (mp->entry.udp_dst_port)); + else + rv = ipsec_sa_unlock_id (id); + +#else + rv = VNET_API_ERROR_UNIMPLEMENTED; +#endif + +out: + /* *INDENT-OFF* */ + REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_V2_REPLY, + { + rmp->stat_index = htonl (sa_index); + }); + /* *INDENT-ON* */ +} + static void send_ipsec_spds_details (ipsec_spd_t * spd, vl_api_registration_t * reg, u32 context) @@ -671,7 +754,9 @@ vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t * &integ_key, (flags | IPSEC_SA_FLAG_IS_INBOUND), ntohl (mp->tx_table_id), - mp->salt, &remote_ip, &local_ip, NULL, + mp->salt, &remote_ip, &local_ip, + TUNNEL_ENCAP_DECAP_FLAG_NONE, + IP_DSCP_CS0, NULL, IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE); if (rv) @@ -686,7 +771,9 @@ vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t * &integ_key, flags, ntohl (mp->tx_table_id), - mp->salt, &local_ip, &remote_ip, NULL, + mp->salt, &local_ip, &remote_ip, + TUNNEL_ENCAP_DECAP_FLAG_NONE, + IP_DSCP_CS0, NULL, IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE); if (rv) @@ -905,6 +992,101 @@ vl_api_ipsec_sa_dump_t_handler (vl_api_ipsec_sa_dump_t * mp) #endif } +static walk_rc_t +send_ipsec_sa_v2_details (ipsec_sa_t * sa, void *arg) +{ + ipsec_dump_walk_ctx_t *ctx = arg; + vl_api_ipsec_sa_v2_details_t *mp; + ipsec_main_t *im = &ipsec_main; + + mp = vl_msg_api_alloc (sizeof (*mp)); + clib_memset (mp, 0, sizeof (*mp)); + mp->_vl_msg_id = ntohs (VL_API_IPSEC_SA_V2_DETAILS); + mp->context = ctx->context; + + mp->entry.sad_id = htonl (sa->id); + mp->entry.spi = htonl (sa->spi); + mp->entry.protocol = ipsec_proto_encode (sa->protocol); + mp->entry.tx_table_id = + htonl (fib_table_get_table_id (sa->tx_fib_index, FIB_PROTOCOL_IP4)); + + mp->entry.crypto_algorithm = ipsec_crypto_algo_encode (sa->crypto_alg); + ipsec_key_encode (&sa->crypto_key, &mp->entry.crypto_key); + + mp->entry.integrity_algorithm = ipsec_integ_algo_encode (sa->integ_alg); + ipsec_key_encode (&sa->integ_key, &mp->entry.integrity_key); + + mp->entry.flags = ipsec_sad_flags_encode (sa); + mp->entry.salt = clib_host_to_net_u32 (sa->salt); + + if (ipsec_sa_is_set_IS_PROTECT (sa)) + { + ipsec_sa_dump_match_ctx_t ctx = { + .sai = sa - im->sad, + .sw_if_index = ~0, + }; + ipsec_tun_protect_walk (ipsec_sa_dump_match_sa, &ctx); + + mp->sw_if_index = htonl (ctx.sw_if_index); + } + else + mp->sw_if_index = ~0; + + if (ipsec_sa_is_set_IS_TUNNEL (sa)) + { + ip_address_encode (&sa->tunnel_src_addr, IP46_TYPE_ANY, + &mp->entry.tunnel_src); + ip_address_encode (&sa->tunnel_dst_addr, IP46_TYPE_ANY, + &mp->entry.tunnel_dst); + } + if (ipsec_sa_is_set_UDP_ENCAP (sa)) + { + mp->entry.udp_src_port = sa->udp_hdr.src_port; + mp->entry.udp_dst_port = sa->udp_hdr.dst_port; + } + + mp->entry.tunnel_flags = tunnel_encap_decap_flags_encode (sa->tunnel_flags); + mp->entry.dscp = ip_dscp_encode (sa->dscp); + + mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq)); + mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->last_seq)); + if (ipsec_sa_is_set_USE_ESN (sa)) + { + mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi)); + mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->last_seq_hi)); + } + if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa)) + mp->replay_window = clib_host_to_net_u64 (sa->replay_window); + + mp->stat_index = clib_host_to_net_u32 (sa->stat_index); + + vl_api_send_msg (ctx->reg, (u8 *) mp); + + return (WALK_CONTINUE); +} + +static void +vl_api_ipsec_sa_v2_dump_t_handler (vl_api_ipsec_sa_dump_t * mp) +{ + vl_api_registration_t *reg; + +#if WITH_LIBSSL > 0 + reg = vl_api_client_index_to_registration (mp->client_index); + if (!reg) + return; + + ipsec_dump_walk_ctx_t ctx = { + .reg = reg, + .context = mp->context, + }; + + ipsec_sa_walk (send_ipsec_sa_v2_details, &ctx); + +#else + clib_warning ("unimplemented"); +#endif +} + static void vl_api_ipsec_tunnel_if_set_sa_t_handler (vl_api_ipsec_tunnel_if_set_sa_t * mp) { diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c index d7378534eb8..fc79c4ca347 100644 --- a/src/vnet/ipsec/ipsec_cli.c +++ b/src/vnet/ipsec/ipsec_cli.c @@ -90,6 +90,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, u16 udp_src, udp_dst; int is_add, rv; u32 m_args = 0; + ip_dscp_t dscp; salt = 0; error = NULL; @@ -99,6 +100,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, integ_alg = IPSEC_INTEG_ALG_NONE; crypto_alg = IPSEC_CRYPTO_ALG_NONE; udp_src = udp_dst = IPSEC_UDP_PORT_NONE; + dscp = IP_DSCP_CS0; if (!unformat_user (input, unformat_line_input, line_input)) return 0; @@ -182,7 +184,9 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, rv = ipsec_sa_add_and_lock (id, spi, proto, crypto_alg, &ck, integ_alg, &ik, flags, 0, clib_host_to_net_u32 (salt), - &tun_src, &tun_dst, &sai, udp_src, udp_dst); + &tun_src, &tun_dst, + TUNNEL_ENCAP_DECAP_FLAG_NONE, dscp, + &sai, udp_src, udp_dst); } else { @@ -910,16 +914,18 @@ create_ipsec_tunnel_command_fn (vlib_main_t * vm, local_spi, IPSEC_PROTOCOL_ESP, crypto_alg, &lck, integ_alg, &lik, flags, table_id, clib_host_to_net_u32 (salt), &local_ip, - &remote_ip, NULL, IPSEC_UDP_PORT_NONE, - IPSEC_UDP_PORT_NONE); + &remote_ip, TUNNEL_ENCAP_DECAP_FLAG_NONE, + IP_DSCP_CS0, NULL, + IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE); rv |= ipsec_sa_add_and_lock (ipsec_tun_mk_remote_sa_id (sw_if_index), remote_spi, IPSEC_PROTOCOL_ESP, crypto_alg, &rck, integ_alg, &rik, (flags | IPSEC_SA_FLAG_IS_INBOUND), table_id, clib_host_to_net_u32 (salt), &remote_ip, - &local_ip, NULL, IPSEC_UDP_PORT_NONE, - IPSEC_UDP_PORT_NONE); + &local_ip, TUNNEL_ENCAP_DECAP_FLAG_NONE, + IP_DSCP_CS0, NULL, + IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE); rv |= ipsec_tun_protect_update_one (sw_if_index, &nh, ipsec_tun_mk_local_sa_id (sw_if_index), diff --git a/src/vnet/ipsec/ipsec_format.c b/src/vnet/ipsec/ipsec_format.c index 6781fe580c1..bf5ea3750e2 100644 --- a/src/vnet/ipsec/ipsec_format.c +++ b/src/vnet/ipsec/ipsec_format.c @@ -322,10 +322,12 @@ format_ipsec_sa (u8 * s, va_list * args) { tx_table_id = fib_table_get_table_id (sa->tx_fib_index, FIB_PROTOCOL_IP4); - s = format (s, "\n table-ID %d tunnel src %U dst %U", + s = format (s, "\n table-ID %d tunnel %U src %U dst %U flags %U", tx_table_id, + format_ip_dscp, sa->dscp, format_ip46_address, &sa->tunnel_src_addr, IP46_TYPE_ANY, - format_ip46_address, &sa->tunnel_dst_addr, IP46_TYPE_ANY); + format_ip46_address, &sa->tunnel_dst_addr, IP46_TYPE_ANY, + format_tunnel_encap_decap_flags, sa->tunnel_flags); if (!ipsec_sa_is_set_IS_INBOUND (sa)) { s = diff --git a/src/vnet/ipsec/ipsec_sa.c b/src/vnet/ipsec/ipsec_sa.c index 9b2f2b53fa5..71e86ac5c45 100644 --- a/src/vnet/ipsec/ipsec_sa.c +++ b/src/vnet/ipsec/ipsec_sa.c @@ -178,8 +178,10 @@ ipsec_sa_add_and_lock (u32 id, u32 tx_table_id, u32 salt, const ip46_address_t * tun_src, - const ip46_address_t * tun_dst, u32 * sa_out_index, - u16 src_port, u16 dst_port) + const ip46_address_t * tun_dst, + tunnel_encap_decap_flags_t tunnel_flags, + ip_dscp_t dscp, + u32 * sa_out_index, u16 src_port, u16 dst_port) { vlib_main_t *vm = vlib_get_main (); ipsec_main_t *im = &ipsec_main; @@ -206,6 +208,8 @@ ipsec_sa_add_and_lock (u32 id, sa->stat_index = sa_index; sa->protocol = proto; sa->flags = flags; + sa->tunnel_flags = tunnel_flags; + sa->dscp = dscp; sa->salt = salt; sa->encrypt_thread_index = (vlib_num_workers ())? ~0 : 0; sa->decrypt_thread_index = (vlib_num_workers ())? ~0 : 0; @@ -297,6 +301,8 @@ ipsec_sa_add_and_lock (u32 id, if (ipsec_sa_is_set_IS_TUNNEL_V6 (sa)) { sa->ip6_hdr.ip_version_traffic_class_and_flow_label = 0x60; + ip6_set_dscp_network_order (&sa->ip6_hdr, sa->dscp); + sa->ip6_hdr.hop_limit = 254; sa->ip6_hdr.src_address.as_u64[0] = sa->tunnel_src_addr.ip6.as_u64[0]; @@ -317,6 +323,7 @@ ipsec_sa_add_and_lock (u32 id, sa->ip4_hdr.ttl = 254; sa->ip4_hdr.src_address.as_u32 = sa->tunnel_src_addr.ip4.as_u32; sa->ip4_hdr.dst_address.as_u32 = sa->tunnel_dst_addr.ip4.as_u32; + sa->ip4_hdr.tos = sa->dscp << 2; if (ipsec_sa_is_set_UDP_ENCAP (sa)) sa->ip4_hdr.protocol = IP_PROTOCOL_UDP; diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h index 02f5eaf03a0..6ed71325f69 100644 --- a/src/vnet/ipsec/ipsec_sa.h +++ b/src/vnet/ipsec/ipsec_sa.h @@ -19,6 +19,7 @@ #include <vnet/crypto/crypto.h> #include <vnet/ip/ip.h> #include <vnet/fib/fib_node.h> +#include <vnet/tunnel/tunnel.h> #define foreach_ipsec_crypto_alg \ _ (0, NONE, "none") \ @@ -163,7 +164,9 @@ typedef struct u32 salt; ipsec_protocol_t protocol; - u8 __pad[3]; + tunnel_encap_decap_flags_t tunnel_flags; + ip_dscp_t dscp; + u8 __pad[1]; /* data accessed by dataplane code should be above this comment */ CLIB_CACHE_LINE_ALIGN_MARK (cacheline2); @@ -258,6 +261,8 @@ extern int ipsec_sa_add_and_lock (u32 id, u32 salt, const ip46_address_t * tunnel_src_addr, const ip46_address_t * tunnel_dst_addr, + tunnel_encap_decap_flags_t tunnel_flags, + ip_dscp_t dscp, u32 * sa_index, u16 src_port, u16 dst_port); extern index_t ipsec_sa_find_and_lock (u32 id); extern int ipsec_sa_unlock_id (u32 id); diff --git a/src/vnet/ipsec/ipsec_types.api b/src/vnet/ipsec/ipsec_types.api index 715f3de0e12..ca1b3788e64 100644 --- a/src/vnet/ipsec/ipsec_types.api +++ b/src/vnet/ipsec/ipsec_types.api @@ -17,6 +17,7 @@ option version = "3.0.0"; import "vnet/ip/ip_types.api"; +import "vnet/tunnel/tunnel_types.api"; /* * @brief Support cryptographic algorithms @@ -108,6 +109,8 @@ typedef key TX. It is ignored for RX. @param udp_dst_port - If using UDP Encapsulation, use this destination port for TX. Expect traffic on this port for RX. + @param tunnel_flags - Flags controlling the copying of encap/decap value + @param dscp - Fixed DSCP vaule for tunnel encap */ typedef ipsec_sad_entry { @@ -133,6 +136,33 @@ typedef ipsec_sad_entry u16 udp_dst_port [default=4500]; }; +typedef ipsec_sad_entry_v2 +{ + u32 sad_id; + + u32 spi; + + vl_api_ipsec_proto_t protocol; + + vl_api_ipsec_crypto_alg_t crypto_algorithm; + vl_api_key_t crypto_key; + + vl_api_ipsec_integ_alg_t integrity_algorithm; + vl_api_key_t integrity_key; + + vl_api_ipsec_sad_flags_t flags; + + vl_api_address_t tunnel_src; + vl_api_address_t tunnel_dst; + vl_api_tunnel_encap_decap_flags_t tunnel_flags; + vl_api_ip_dscp_t dscp; + u32 tx_table_id; + u32 salt; + u16 udp_src_port [default=4500]; + u16 udp_dst_port [default=4500]; +}; + + /* * Local Variables: * eval: (c-set-style "gnu") diff --git a/src/vnet/tunnel/tunnel_dp.h b/src/vnet/tunnel/tunnel_dp.h index a00a3b3e222..f84e764f7ea 100644 --- a/src/vnet/tunnel/tunnel_dp.h +++ b/src/vnet/tunnel/tunnel_dp.h @@ -34,6 +34,41 @@ tunnel_encap_fixup_4o4 (tunnel_encap_decap_flags_t flags, } static_always_inline void +tunnel_encap_fixup_4o4_w_chksum (tunnel_encap_decap_flags_t flags, + const ip4_header_t * inner, + ip4_header_t * outer) +{ + if (flags & (TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_DSCP | + TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_ECN)) + { + ip_csum_t sum = outer->checksum; + u8 tos = outer->tos; + + if (flags & TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_DSCP) + ip4_header_set_dscp (outer, ip4_header_get_dscp (inner)); + if (flags & TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_ECN) + ip4_header_set_ecn (outer, ip4_header_get_ecn (inner)); + + sum = + ip_csum_update (outer->checksum, tos, outer->tos, ip4_header_t, tos); + outer->checksum = ip_csum_fold (sum); + } + if ((flags & TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_DF) && + ip4_header_get_df (inner)) + { + ip_csum_t sum = outer->checksum; + u16 tos = outer->flags_and_fragment_offset; + + ip4_header_set_df (outer); + + sum = + ip_csum_update (outer->checksum, tos, outer->tos, ip4_header_t, + flags_and_fragment_offset); + outer->checksum = ip_csum_fold (sum); + } +} + +static_always_inline void tunnel_encap_fixup_6o4 (tunnel_encap_decap_flags_t flags, const ip6_header_t * inner, ip4_header_t * outer) { @@ -44,6 +79,28 @@ tunnel_encap_fixup_6o4 (tunnel_encap_decap_flags_t flags, } static_always_inline void +tunnel_encap_fixup_6o4_w_chksum (tunnel_encap_decap_flags_t flags, + const ip6_header_t * inner, + ip4_header_t * outer) +{ + if (flags & (TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_DSCP | + TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_ECN)) + { + ip_csum_t sum = outer->checksum; + u8 tos = outer->tos; + + if (flags & TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_DSCP) + ip4_header_set_dscp (outer, ip6_dscp_network_order (inner)); + if (flags & TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_ECN) + ip4_header_set_ecn (outer, ip6_ecn_network_order ((inner))); + + sum = + ip_csum_update (outer->checksum, tos, outer->tos, ip4_header_t, tos); + outer->checksum = ip_csum_fold (sum); + } +} + +static_always_inline void tunnel_encap_fixup_6o6 (tunnel_encap_decap_flags_t flags, const ip6_header_t * inner, ip6_header_t * outer) { |