Age | Commit message (Collapse) | Author | Files | Lines |
|
Type: improvement
If an SA protecting an IPv6 tunnel interface has UDP encapsulation
enabled, the code in esp_encrypt_inline() inserts a UDP header but does
not set the next protocol or the UDP payload length, so the peer that
receives the packet drops it. Set the next protocol field and the UDP
payload length correctly.
The port(s) for UDP encapsulation of IPsec was not registered for IPv6.
Add this registration for IPv6 SAs when UDP encapsulation is enabled.
Add punt handling for IPv6 IKE on NAT-T port.
Add registration of linux-cp for the new punt reason.
Add unit tests of IPv6 ESP w/ UDP encapsulation on tun protect
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Change-Id: Ibb28e423ab8c7bcea2c1964782a788a0f4da5268
|
|
In RFC 7296, CREATE_CHILD_SA Exchange may contain the KE payload
to enable stronger guarantees of forward secrecy.
When the KEi payload is included in the CREATE_CHILD_SA request,
responder should reply with the KEr payload and complete the key
exchange, in accordance with the RFC.
Type: improvement
Signed-off-by: Atzm Watanabe <atzmism@gmail.com>
Change-Id: I13cf6cf24359c11c3366757e585195bb7e999638
|
|
Type: fix
Signed-off-by: Atzm Watanabe <atzmism@gmail.com>
Change-Id: Icbd452b43ecaafe46def1276c98f7e8cbf761e51
|
|
Type: fix
Signed-off-by: Atzm Watanabe <atzmism@gmail.com>
Change-Id: I11b6107492004a45104857dc2dae01b9a5a01e3b
|
|
Type: fix
Signed-off-by: Atzm Watanabe <atzmism@gmail.com>
Change-Id: I065bd5c26055d863d786023970e7deeed261b31c
|
|
Type: fix
Change-Id: I480b1fcace1c27a5cb2d2956cec80b379105b55d
Signed-off-by: Stanislav Zaikin <zstaseg@gmail.com>
|
|
- do not initialize resources if ikev2 is not used.
- process IKE packets only if we have profile(s) configured
Type: improvement
Change-Id: I57c95a888532eafd70989096c0555ebb1d7bef25
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
IDr is optional in IKE AUTH from the initiator. In that case, the
responder is free to use any matching profile and fills the
corresponding IDr in the response.
The initiator is then free to accept or reject it.
Type: improvement
Change-Id: I07a1c64a40ed22bd41767c259406238bbbab5cf4
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: improvement
Change-Id: Id0a6a9e68725ea7aa0b7da14cf54d14405a907fb
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
The IDi is not mentioned in the RFC for the responder AUTH message, and
it confuses some IKE implementations.
Type: fix
Change-Id: I2bcefa1efd315412a6f5fa592668d4e0da510264
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
IKEv2 nonces can be 16 to 256 bytes.
Type: fix
Change-Id: Ib332028594355c9e5b462bddb7e4dffbcdc9a927
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: improvement
Change-Id: Ic09b2c777a7c82e8d7074164280f817f9141529b
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
VPP DNS resolver expects NULL-terminated C string, whereas the ikev2
plugin only uses non-NULL terminated vectors.
Type: fix
Change-Id: I4a2afffb9e1b6b5dd11842621d5f13bc5a145862
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: fix
Change-Id: Ia3bacefdad674807de873b5c457b8470f66193f3
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
IKEv2 is not optimized for dataplane processing and do not really
benefit from aggressive inlining. Let the compiler decide to improve
build time (from 205s to 30s).
Type: refactor
Change-Id: I5286880b35d338d669ec9382bf049d4486c04947
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: feature
Ticket: VPP-1901
Change-Id: I1ad222b54363fd35679d0132d458345a9a18362c
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Old auth data is needed when generating new one.
Type: fix
Change-Id: I15c62346dbb7ece8facdc7a05f30afd1a15a5648
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: refactor
this allows the ipsec_sa_get funtion to be moved from ipsec.h to
ipsec_sa.h where it belongs.
Also use ipsec_sa_get throughout the code base.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I2dce726c4f7052b5507dd8dcfead0ed5604357df
|
|
Type: refactor
IKEv2 registers the IPSec node as the port handler, so it can use the
IPSec functions to do that.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: If398dde0a8eb0407eba3ede62a3d5a8c12fe68a7
|
|
This fixes an issue when initiator is expecting request with intitial
msgid being 0 but 1 is received instead which results in retransmission
(instead of normally processing the new request).
Type: fix
Change-Id: I60062276bd93de78128847c5b15f5d6cecf1df65
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Change-Id: Ia22b1189b82e885eb380f638ea6d05923a858f01
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
When strongSwan rekeys it sends create child sa request first and then
delete request for the old child sa (or vice versa depending on
configuration) as opposed to sending just a single create child sa with
rekey notify message.
Type: fix
Change-Id: I1fa55a607ca623cd3a6d887436207153c6f6bbf6
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
support
Type: feature
attmpet 2. this includes changes in ah_encrypt that don't use
uninitialised memory when doing tunnel mode fixups.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ie3cb776f5c415c93b8a5ee22f22586fd0181110d
|
|
This reverts commit c7eaa711f3e25580687df0618e9ca80d3dc85e5f.
Reason for revert: The jenkins job named 'vpp-merge-master-ubuntu1804-x86_64' had 2 IPv6 AH tests fail after the change was merged. Those 2 tests also failed the next time that job ran after an unrelated change was merged.
Change-Id: I0e2c3ee895114029066c82624e79807af575b6c0
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
support
Type: feature
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I6d4a9b187daa725d4b2cbb66e11616802d44d2d3
|
|
Type: fix
Change-Id: Icd01491043e9fd1bb8f51f4f55e1252fd78512de
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: improvement
Ticket: VPP-1908
Change-Id: I1d86ea18fcb6174b86c449d5d9403fd0e5715318
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
In responder initialize msgid in requests to 1 as the previous value (0) was
causing retransmision on the initiator.
Change-Id: I8f5b84331ecac5943129f4c9a377076768fec455
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: feature
Change-Id: Ic502d806410ea3c8f3f1eac70b694114ccb053bf
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: refactor
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ice2bc42838e6d5ba579f449c3f8b0feffebeb719
|
|
Type: feature
Ticket: VPP-1916
Change-Id: Ibe612d21f748a532d88b73b286dc4a1dd15d7420
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Remove assert condition ensuring that a packet was punted with reason
spi=0. We can't rely on data in punt_reason because it is defind in an
union. This patch adds a new IKE node that handles punted IKE packets
separately.
Type: fix
Change-Id: I2e1b44922e53e049bd8512fa5cb85cee6a2b8aa7
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
In responder mode we need to remember interface index from which IKE
session was initiated. Otherwise when sending keep alive packets to the
initiator, the default ip table is always used for lookup instead of the
one associated with the interface.
Type: fix
Change-Id: Iade3fc3a490b7ae83c3f6e9014d1f4204e476ac1
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: improvement
Change-Id: If991165406d10d877aa6c7b2a03b4b741272928c
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: refactor
Change-Id: Ie67dc579e88132ddb1ee4a34cb69f96920101772
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: fix
Change-Id: Ie723cf680745ec2292a15e2df05c1821436dba19
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: improvement
Change-Id: I4289d20adaa3f2872889d5dbaafd9c025df8aca8
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Change-Id: I8ed556de4370a03d10c56cce101cd5ea0d0aaf8b
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
IPSec punting to IKEv2 is valid only for NAT-T in IPv4.
Fix coverity CID 214915.
Type: fix
Change-Id: I6f2db38abf179565316f50c5d47c78acce3a0d01
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: fix
Change-Id: I1d278fc2b03b948c054ff1686315635ac0278ae8
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: fix
Change-Id: Id922895c269f0d2450e55fcb6871b6857f443462
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Change-Id: I8c66f79f2d8cfff7c6d45e1fc5b529ffb3941491
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: feature
Ticket: VPP-1935
Change-Id: I705f84047b112279377590157a1c7b4a34f693d2
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Change-Id: If87f4b8ae92508215fe91178958fe2ddb91e5a35
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
This helps to resolve sporadic failures in unit tests.
Type: fix
Change-Id: I3abd77ed74310f9729a841e8569eafe6d7758dcb
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: feature
Change-Id: I0db0a9b2f872753fa64d27335838cb34645a9ee8
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Change-Id: I33c38c791cc9a28898de402ae831c4862073eb2d
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: feature
- use tunnel_encap_decap_flags to control the copying of DSCP/ECN/etc
during IPSEC tunnel mode encap.
- use DSCP value to have fixed encap value.
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: If4f51fd4c1dcbb0422aac9bd078e5c14af5bf11f
|
|
Type: improvement
Ticket: VPP-1894
Change-Id: I5a24a48416bca2ffbd346cdaa813fb25801e6c9b
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Change-Id: Ic406aa914d92e802a5fb0f27c2ffa1b98db012b0
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|