Age | Commit message (Collapse) | Author | Files | Lines |
|
Change-Id: I7d8889dce8495607106593ad83320c9af0f2fa07
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
- IKE_SA_INIT and IKE_AUTH initial exchanges
- Delete IKA SA
- Rekey and delete Child SA
- Child SAs lifetime policy
To set up one VPP instance as the initiator use the following CLI commands (or API equivalents):
ikev2 profile set <id> responder <interface> <addr>
ikev2 profile set <id> ike-crypto-alg <crypto alg> <key size> ike-integ-alg <integ alg> ike-dh <dh type>
ikev2 profile set <id> esp-crypto-alg <crypto alg> <key size> esp-integ-alg <integ alg> esp-dh <dh type>
ikev2 profile set <id> sa-lifetime <seconds> <jitter> <handover> <max bytes>
and finally
ikev2 initiate sa-init <profile id> to initiate the IKE_SA_INIT exchange
Child SA re-keying process:
1. Child SA expires
2. A new Child SA is created using the Child SA rekey exchange
3. For a set time both SAs are alive
4. After the set time interval expires old SA is deleted
Any additional settings will not be carried over (i.e. settings of the ipsec<x> interface associated with the Child SA)
CLI API additions:
ikev2 profile set <id> responder <interface> <addr>
ikev2 profile set <id> ike-crypto-alg <crypto alg> <key size> ike-integ-alg <integ alg> ike-dh <dh type>
ikev2 profile set <id> esp-crypto-alg <crypto alg> <key size> esp-integ-alg <integ alg> esp-dh <dh type>
ikev2 profile set <id> sa-lifetime <seconds> <jitter> <handover> <max bytes>
ikev2 initiate sa-init <profile id>
ikev2 initiate del-child-sa <child sa ispi>
ikev2 initiate del-sa <sa ispi>
ikev2 initiate rekey-child-sa <profile id> <child sa ispi>
Sample configurations:
Responder:
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local fqdn vpp.home.responder
ikev2 profile set pr1 id remote fqdn vpp.home.initiator
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector local ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0
Initiator:
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local fqdn vpp.home.initiator
ikev2 profile set pr1 id remote fqdn vpp.home.responder
ikev2 profile set pr1 traffic-selector local ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 responder TenGigabitEthernet3/0/1 192.168.40.20
ikev2 profile set pr1 ike-crypto-alg aes-cbc 192 ike-integ-alg sha1-96 ike-dh modp-2048
ikev2 profile set pr1 esp-crypto-alg aes-cbc 192 esp-integ-alg sha1-96 esp-dh ecp-256
ikev2 profile set pr1 sa-lifetime 3600 10 5 0
Change-Id: I1db9084dc787129ea61298223fb7585a6f7eaf9e
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
|
|
Change-Id: I322bfb3469b3d0d5b0cac39a6c2dba1c6f83ce3d
Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
|
|
fixes a problem that occurs with cryptodev ipv6 input.
Change-Id: I1f0c0db45b2aabc243dd785c8d5d5ef990cac903
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
|
|
Change-Id: Ib0c8572773499d8dd4d81b3a565c24412ccc3510
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
Change-Id: I8bb175cc9673895d4a8856786ecabfd66dd906e9
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
Change-Id: I19ec3b769b6512f7408044751393d9faf10d01d5
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: I4563208d97c43a200fcee948db491706a8d3e211
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: Ib1760312df759c29a2c2220e7b783af311d91d1a
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: I8f5cf447c131a790e4bbd46ef75063329fec7451
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
The idea is to prevent a huge processing burst if, say, the network goes
down 10' for some reason, and so that we don't need to expire 1M timer
sessions on the first call.
The maximum is not an exact value, but a value after which the
expiration process is postponed until the next call.
That way, we don't have to process the same tick twice, nor to unlink
timers once at a time when processing a tick.
The fact that a timer slot could contain many entries should be dealt
with by changing the number of ticks per second.
Change-Id: I892d07f965094102a3d53e7dbf4e6f5ad22d4967
Signed-off-by: Gabriel Ganne <gabriel.ganne@enea.com>
|
|
Also adds missing gpe nsh address type functions.
Change-Id: I3353a23c0518da9ce3b221ddf8c5bd0364930154
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Change-Id: I3925d2ebb2d26c676fc61f118d25bdf7fd522f26
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
RADV Pool index was not getting updated
Change-Id: I2d2f14c56f51034d39049d1c7e13c248180a865f
Signed-off-by: Wojciech Dec <wdec@cisco.com>
|
|
Add vat_helper_macros.h to be installed in /usr/include/vlibapi
Define a version for the sample plugin (separate from the VPP versioning).
Hook up vnet_main in plugin init.
Change-Id: I293b9dc824d0813ea2bb8747d535e4210a88b385
Signed-off-by: Anlu Yan <ayan@cisco.com>
|
|
Change-Id: I8d2022b7cb3ef3da736c085bccbb5b9c057a8d76
Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
|
|
In the CLI parsing of 'set interface ipsec key garbage', the token
'garbage' enters the processing code for the <key>. This enters
unformat_hex_string(..) which looks through the input for 0-9,a-f and
drops out if a non-hex digit is encountered. The problem is that it
returns 1, indicating that input has been processed, but in this case,
no characters have been removed from the input string. This causes the
calling function to go to the top of the loop and process the next
token, which is now the same token and gets stuck in an infinite loop.
Updated unformat_hex_string(..) to return 0 if no characters were
processed.
This funcitons is used in multiple CLI Commands, but most have token
that preceeds the hex string. Since the token is stripped, the CLI
command is able to avoid an infinte loop.
Change-Id: Ib54f04f23c4d3563ec57a2450982d3648cedec0e
Signed-off-by: Billy McFall <bmcfall@redhat.com>
|
|
Change-Id: Ia25a8827ed94877e8fe6c0b2ff6d05c1568eb0e1
Signed-off-by: Gabriel Ganne <gabriel.ganne@enea.com>
|
|
to be used for node statistics
Also fix tw_timer_stop() description
Change-Id: I84b529e330c4534fd55487e7e2b8b089ee68ca11
Signed-off-by: Gabriel Ganne <gabriel.ganne@enea.com>
|
|
* use RLOC for IP version detection
* don't check whether RLOC is local when deleting
Change-Id: Icdb84025dd5511eb5348b654bf7b373def15406c
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Change-Id: Ic674cc953b45ddd4811e07821e1a0af28b5f6214
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
snat_static_mapping_dump
Change-Id: Ib560b397700fe058ad1e2970989d98e3debf54aa
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I772b63ac25ebfccaff9ab9d8d0b1445e85f21df7
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: Ic814b805ef77913ffe86f82c009602c75258acfb
Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
|
|
Add doxygen documentation for pcap tx trace CLI command.
In the process of adding the documentation, made the following changes
to the way the command worked:
* If there is an error with any of the attributes, the whole command
fails. The existing behavior was to apply attribute by attribute,
then bail if there was an issue, with partial apply.
* Move the 'on' processing to the end. The existing behavior was to
process the 'on' as it was encountered on the commandline. That meant
that any attributes after the 'on' in the commandline were saved and
displayed, but not really being used in the packet trace.
* Enhanced the 'status' to show all the configured attributes.
NOTE: The packet capture has some weird behavior with regards to how
many packets are written to file and if the file is appended or
overwritten. VPP-634 written to document the issue.
Change-Id: Iab241228b125385052de242865afd9515fa2524f
Signed-off-by: Billy McFall <bmcfall@redhat.com>
|
|
Change-Id: I5063d31f5305c848043afb32fcacff6e61aed79f
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Disable automatic garbage collection and run it manually before
running each test case to minimize stalls. Improve vpp subprocess
cleanup. Reduce helper thread count to one and properly clean that
thread once it's not needed.
Change-Id: I3ea78ed9628552b5ef3ff29cc7bcf2d3fc42f2c3
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: Id294dbbd6499ae8221cc8143e1027adc08866ae6
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: I0963760a7da95612d5cab19596919b369a4d0f8e
Signed-off-by: Shwetha Bhandari <shwethab@cisco.com>
|
|
Change-Id: I5b308eb39ae770d58d1498d7fafa49b236b3f534
Signed-off-by: Marek Gradzki <mgradzki@cisco.com>
|
|
Change-Id: I51488620a7eeaf7a0edba71437d2b49ae3cf0bf5
Signed-off-by: Jon Loeliger <jdl@netgate.com>
|
|
This happens only on when compiled for older microarchitectures,
where BSF insutruction is used instead of TZCNT. BSF provides
undefined result if operand is 0.
Change-Id: I7a13350786a533428168595097ef01a560fde53b
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
- update of CSIT operational branch to be used for VPP-patch test
Change-Id: I43cc99ea3ad6266b4792a7721968de89b7328306
Signed-off-by: Jan Gelety <jgelety@cisco.com>
|
|
File vnet/fib/fib_urpf_list.h was included in vnet/fib/ip6_fib.h but was
exported to be installed in /usr/include/vnet. So out-of-tree builds
relying on an installed package was failing.
Fix is to inlcude fib_urpf_list.h in source file rather than including
it in header file.
Change-Id: Iae39c1d9417dbd31ee67fa1bd2d1915d5e813c73
Signed-off-by: AkshayaNadahalli <anadahal@cisco.com>
|
|
When handling the IP_DETAILS and IP_ADDRESS_DETAILS replies,
it is almost certainly going to require having both the is_ipv6
and sw_if_index context to handle them properly. Placing these
values in an essentially global location as the current VAT does
isn't thread-safe. Fruthermore, rather than forcing every
API user to hoop-jump to establish these context values, simply
provide them in their DETAILS reply messages.
Change-Id: I6a9e0cb16ecdbf87fca8fc5c7663e98d3a53c26c
Signed-off-by: Jon Loeliger <jdl@netgate.com>
|
|
Change-Id: I97fedb0f70dd18ed9bbe985407cc5fe714e8a2e2
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Refer to jira ticket for more details.
Change-Id: I6facb9ef8553a21464f9a2e612706f152badbb68
Signed-off-by: AkshayaNadahalli <anadahal@cisco.com>
|
|
Disguise the string "fd.io coding-style blah blah blah" to avoid spurious
checkstyle failures on the emacs lisp code. DGMS.
Change-Id: I6b88d9588dff7d67c6e509052ae4f32529684de7
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
Under stress, it's possible to hit a race condition, when the packet
header is fully written to pcap, but not all packet data - yet.
Scapy is stupid enough to:
1. not detect and report this error, truncating the packet instead
2. continue munching more data from wrong offset
The work around is to scan the file ahead, parse the packet header,
figure out how much data we need, wait for the file to be big
enough, then restore the file position back to where it was
and finally let scapy parse the packet.
Change-Id: I9fc71d3ebdc62ecab6c90b90f177d0eaeb09b8bb
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: Ie490b7fd5238cbad23f0199161cc14324fd9c554
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Change-Id: I1c93f96a752eb2ffd1117a656552131cde1fa489
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: I0b3064a311f28ebf7cd9db0a59cb04c7c25c9d58
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: I666e5c0cc71a3693640960c93cdd1907f84fbe23
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Currently ip6 local check fails with error - source lookup miss if
route to source of packet is over a dpo object such as load balance -
recurssive route, tunnel adj - GRE, SR etc.
So unless packet source is of a directly connected neibhor or has
route with both interface and nexthop specified, it will be dropped.
Fix is to check urpf list and if at least one link exists in the list,
then allow packets to be processed, else drop.
Change-Id: Id426311bb63bab506754a79409c602fdb6d0f190
Signed-off-by: AkshayaNadahalli <anadahal@cisco.com>
|
|
Change-Id: Iafb071c684a43e21925e3a43019cd86372347898
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Using -march=native was causing SIGILLs on Atoms.
Change-Id: I98c7fdaa139e3db70c972950dc9c167bf5803656
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: I76593632cde97f7cb80bbc395735404f39f3bd3f
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Change-Id: Ifaf46554e45557ebf82009d9c46a9e905a46f884
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Change-Id: Iefffcf7843dc11803d69a875a72704a2543911a1
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
Implement fine-grained test filtering by supporting more complicated
filters beside the original file name suffix filter.
Change-Id: If5a166d08cffe8c58cc6cf174e6df861c34dbaa6
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|