Using pre-shared keys is usually a bad idea; one should use e.g. IKEv2
instead, but one does not always have the choice.
For AES-CBC, the IV must be unpredictable (see NIST SP800-38a Appendix
C) whereas for AES-CTR or AES-GCM, the IV should never be reused with
the same key material (see NIST SP800-38a Appendix B and NIST SP800-38d
section 8).
If one uses pre-shared keys and VPP is restarted, the IV counter
restarts at 0 and the same IVs are generated with the same pre-shared
key material.
To fix those issues we follow the recommendation from NIST SP800-38a
and NIST SP800-38d:
- we use a PRNG (not cryptographically secure) to generate IVs to
avoid generating the same IV sequence between VPP restarts. The PRNG is
chosen so that there is a low chance of generating the same sequence.
- for AES-CBC, the generated IV is encrypted as part of the message.
This makes the (predictable) PRNG-generated IV unpredictable as it is
encrypted with the secret key.
- for AES-CTR and GCM, we use the IV as-is, as predictable IVs are fine.
Most of the changes in this patch are caused by the need to shoehorn an
additional state of 2 u64 for the PRNG in the 1st cacheline of the SA
object.
Type: improvement
Change-Id: I2af89c21ae4b2c4c33dd21aeffcfb79c13c9d84c
Signed-off-by: Benoît Ganne <bganne@cisco.com>
Error counters are added on a per-node basis. In IPsec, it is
useful to also track the errors that occurred per SA.
Type: feature
Change-Id: Iabcdcb439f67ad3c6c202b36ffc44ab39abac1bc
Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
To allow a more flexible throttling configuration, the number of bits
used in the throttling bitmap can be chosen.
Type: improvement
Signed-off-by: Maxime Peim <mpeim@cisco.com>
Change-Id: I7bfe391dd64729011b03f3e5b89408dfc340e036
Type: feature
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I02d9bb5292b32ffb1b2f05daccd8a7d5dba05125
RPM build errors:
error: Installed (but unpackaged) file(s) found:
/usr/bin/test_infra
Add NO_INSTALL tag in CMakeLists to avoid installing test binary.
Type: fix
Fixes: c3542e17b5df ("vppinfra: widen the scope of test_vector_funcs")
Signed-off-by: Tianyu Li <tianyu.li@arm.com>
Change-Id: I359ba79af2e3cb32b47dda3bb8707a5d2fd8586b
Type: fix
Change-Id: I141e5779aab7eee3068b702dd2f93765420fb920
Signed-off-by: Stanislav Zaikin <stanislav.zaikin@46labs.com>
Handle a variable length array of fixed strings.
Like:

    from vpp_papi.vpp_serializer import VPPType

    fixed_string = VPPType("fixed_string", [["string", "data", 32]])
    s = VPPType("string_vla", [["u32", "length"], ["fixed_string", "services", 0, "length"]])

Previously, instead of packing and unpacking as strings, the exception packed as u8 instead
of a list.
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I501a8a4755828042e1539fd5a54eacec21c5e364
Signed-off-by: Ole Troan <ot@cisco.com>
Type: fix
API clients can register for peer events (e.g. to be notified when
connection is established). In a multi-worker setup, peer events might
be triggered from a worker thread. In order to send a peer event to the
clients, an API message needs to be allocated and populated.
API messages allocation is only allowed from the main thread. Currently,
the code does not handle the case when a peer event is trying to be sent
from a worker thread. In debug builds, when this happens, it causes
SIGABRT in vl_msg_api_alloc_internal() because assertion "pool == 0 ||
vlib_get_thread_index () == 0" fails. In production builds, when this
happens, it might cause unexplained behavior.
There is a test that is supposed to catch this but all multi-worker
Wireguard tests are currently disabled. This problem is likely to be one
of the reasons they were disabled.
With this fix, when a peer event is triggered from a worker thread,
allocate and send corresponding API message from the main thread using
RPC.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: Ib3fe19f8070563b35732afd16c017411c089437e
Previously, even if the SA defined traffic selectors, ESP packet src and dst
have been used for fast path inbound SPD matching. This patch provides
a fix for that issue.
Type: fix
Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com>
Change-Id: Ibd3ca224b155cc9e0c6aedd0f36aff489b7af5b8
Using clib_bitmap_vec_validate makes the free bitmap vector
64x bigger (assuming x86_64) than necessary
when non-zero, and a possible OOM due to (u32)(0 - 1) math with
zero alloc.
Fix it with clib_bitmap_validate, which takes bit size, not
index, and ensure at least one bit is allocated.
Type: fix
Change-Id: I7e191f4e2fb3722a06bb800e1d075f7c7e2dcec9
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
In a case where one pounds on a single kvp in a KVP_AT_BUCKET_LEVEL
table, the code would sporadically return a transitional value (junk)
from a half-deleted kvp. At most, 64-bits worth of the kvp will be
written atomically, so using memset(...) to smear 0xFF's across a kvp
to free it left a lot to be desired.
Performance impact: very mild positive, thanks to FC for doing a
multi-thread host stack perf/scale test.
Added an ASSERT to catch attempts to add a (key,value) pair which
contains the magic "free kvp" value.
Type: fix
Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: I6a1aa8a2c30bc70bec4b696ce7b17c2839927065
Type: refactor
Change-Id: I3d0c57b82e5bdb4575c1ca13e463685fd11b7f11
Signed-off-by: Damjan Marion <damarion@cisco.com>
Type: improvement
Change-Id: Ibc40a02c8c45fc8d9409c9a86fea7aaf70d9c048
Signed-off-by: Damjan Marion <damarion@cisco.com>
Type: improvement
Change-Id: Iac1b3a66176c9a38a161246159140f30a1c168da
Signed-off-by: Damjan Marion <damarion@cisco.com>
Type: test
Change-Id: Id96448ba3ab69a5b22dfc27812fc17194136b969
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I2b426e9e988c32d261f36367087f358d8cc25e2f
Type: test
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I967e91e4ea97edff427013c92376b388d6ce5d85
Exported identifiers in Go start with capital letters. Only a few fields
in hs-test, which are being unmarshaled from YAML, are required to be
exported. Every other field name or method name should start with a
lower-case letter, to be consistent with this naming convention.
Type: test
Signed-off-by: Maros Ondrejicka <mondreji@cisco.com>
Change-Id: I7eab0eef9fd08a7890c77b6ce1aeb3fa4b80f3cd
Location changed and binary renamed to test_infra
Also it is built by default.
Type: improvement
Change-Id: I27cd97f274501ceb7a01213e2bc9676cea00f39c
Signed-off-by: Damjan Marion <damarion@cisco.com>
Used on Intel client CPUs which support the VAES instruction set without
AVX512.
Type: improvement
Change-Id: I5f816a1ea9f89a8d298d2c0f38d8d7c06f414ba0
Signed-off-by: Damjan Marion <damarion@cisco.com>
Type: improvement
Change-Id: I64ca5bd3a959190111f61c5311a908d242c10bad
Signed-off-by: Damjan Marion <damarion@cisco.com>
DMA batch status was set by hardware. Its value may vary between two
CPU accesses. Saving the value of the status can fix it.
Type: fix
Signed-off-by: Marvin Liu <yong.liu@intel.com>
Change-Id: Ibc9337239555744a571685b486c986991c3e9b18
Type: test
Signed-off-by: Maros Ondrejicka <mondreji@cisco.com>
Change-Id: I6444582ce83beddc5cb2fcb31942a4c2e9556bb6
Recognize and drive Google Virtual Ethernet (gve) in Google Cloud.
Type: feature
Signed-off-by: Marvin Liu <yong.liu@intel.com>
Change-Id: Ia559615ac059cabbca5d10bcd4049e87beaad638
Fix the typo in the intrinsic name, which caused incorrect intrinsic to be used.
Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: Ib7fde14d12897e4d1bfb5a01f6d65025473e4f8e
Rename unused SESSION_IO_EVT_BUILTIN_TX to SESSION_IO_EVT_TX_MAIN and
leverage it for non-connected udp tx.
Non-connected udp sessions are listeners and are therefore allocated on
main thread. Consequently, whenever session queue node is not polling
main, tx events generated by external applications might be missed or
processed with some delay. To solve this, request that apps use
SESSION_IO_EVT_TX_MAIN tx events as opposed to SESSION_IO_EVT_TX and
send that to first worker as opposed to main.
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I5df5ac3dc80c0f192b2eefb1d465e9deefe8786b
Specify the number of max_batches when applying for dma config.
Skip this round when no batch available from vlib_dma_batch_new.
Type: improvement
Signed-off-by: Marvin Liu <yong.liu@intel.com>
Change-Id: Ic6e0acf81ba4fc3ed33aea6ac6990ef841021c59
Allocate and initialize dma batch structure when adding dma config.
The number of required dma batches is set by max_batches parameter.
Thus dma batches are not allocated dynamically in worker thread.
Applications need to check the return value of vlib_dma_batch_new.
Type: improvement
Signed-off-by: Marvin Liu <yong.liu@intel.com>
Change-Id: I5d05a67b59634cf2862a377d5ab77cb1040343ce
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Id87c41c472898d4f66b0771f18f822d1069bbfd0
Make sure endpoint freelist is drained before alloc of fixed local
source port is tried.
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I302deee5609a463af8135185af71722ac8c55a27
Disabled by default.
Type: improvement
Change-Id: I36176c009e0873c048874ae38a7ea0a91449235c
Signed-off-by: Damjan Marion <damarion@cisco.com>
Those CPUs are announcing VAES capability but they don't support AVX512.
Type: fix
Fixes: 73a60b2
Change-Id: I7b4be95e91bb6f367cd71461f1126690f3ecd988
Signed-off-by: Damjan Marion <damarion@cisco.com>
Type: fix
Fixes: ab4d917
Change-Id: I226044f64e1577033798fd203a2e981c894830d6
Signed-off-by: Damjan Marion <damarion@cisco.com>
udp_output_get_connection handles correctly if the connection
is a listener whereas udp_connection_get does not which may lead
to a crash.
Type: fix
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: I40b57287a8686820d29872cae2cfd6ae27a57c26
Exploiting AVX-512 operations on avf_tx_prepare().
Type: improvement
Signed-off-by: Leyi Rong <leyi.rong@intel.com>
Change-Id: I01e0b4a2e2d440659b4298668a868d983f5091c3
This avoids printing ldp debug messages while debug is disabled and vcl
is initializing.
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I5dfd1d59032db937fea146b6b84b8e26307a0de0
Process 8 packets per batch in vlib_buffer_free_inline() when
CLIB_HAVE_VEC512 is enabled.
Type: improvement
Signed-off-by: Leyi Rong <leyi.rong@intel.com>
Change-Id: I78b8a525bce25ee355c9bf0e0f651698a8c45bda
Type: fix
In VPP, the file descriptor handler closes the fd upon error
if no error handling function is registered.
This patch fixes the issue for af_packet interface by
registering the error handling function.
Errors will also be gracefully logged.
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I260d780ac54ffd0199dcd6ca5b95e5afe957e968
Also make sure that only sessions with fifos try to set deq notification
flag on fifo
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I878c2d2e18bb98109ee03b42a4f0f8c48aa23e9f
Make sure session has a tx fifo.
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ibde40645b401ca0255da298ea4ba691ee924a2d2
For non-connected udp, when retrieving the subscriber session to send
the notification, it uses the current worker thread index whereas the
subscriber session is actually on the main thread. Using the worker
thread may cause a crash since the corresponding session may not be
valid in the worker thread context and even if it is valid, it is the
wrong session. This scenario is seen when the application forks
and adds subscribers to the worker thread session.
Type: fix
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: I236ee9d9ff9f3b2f7f9f8e782d70d1080aa1b627
- Skip addition of docker apt source/key if
already installed.
Type: fix
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: I747e4dd5e79e23b64e6eb11c6a9348e2ae1a157f
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ic11069c912a5e59bb3ea0e0c6de6cfcc879c5f4e
Type: fix
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: I449cd4ad71e33a2dd41e53accc6b325803a32c70
Type: test
Add a helper wrapper script for vppctl called vppcli to vpp docker image
with proper cli socket path.
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I1a51aa54bc91c1c812698501a56401c525d498e8
Type: test
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I776e0f1f7ea700439d1fe6a598772776ae6a1493
This patch enables RSS action of avf flow.
Type: feature
Signed-off-by: Xinyao Cai <xinyao.cai@intel.com>
Change-Id: I65de18d0c2eaa415893959563ea917a6b1956550
If not, worker threads may continue their own loops after deinit and/or
thread0 exit, with related crashes due to no RPC capability, unmapped
shared memory, etc. Main loop exit handlers that use barrier sync
will be happy too as long as recursive barrier sync is supported.
Type: feature
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
Change-Id: I255a796b06936d96715683e3f062128060233dc6
Remove extra line_input and unformat_user.
Type: fix
Fixes: b4ff07a2f843 ("Intel Adaptive Virtual Function native device driver plugin")
Signed-off-by: Tianyu Li <tianyu.li@arm.com>
Change-Id: I9e502f3b254d0b1c7d8fd4b80925338a18da8269
format_udp_connection takes 2 arguments from the caller.
Type: fix
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: Ie618a809936a01c094982f9a8c81309826e0b087