summaryrefslogtreecommitdiffstats
path: root/src/plugins/ikev2
AgeCommit message (Collapse)AuthorFilesLines
2024-02-09ikev2: accept rekey request for IKE SAAtzm Watanabe3-24/+265
RFC 7296 describes the way to rekey IKE SAs: to rekey an IKE SA, establish a new equivalent IKE SA with the peer to whom the old IKE SA is shared using a CREATE_CHILD_SA within the existing IKE SA. An IKE SA so created inherits all of the original IKE SA's Child SAs, and the new IKE SA is used for all control messages needed to maintain those Child SAs. Type: improvement Signed-off-by: Atzm Watanabe <atzmism@gmail.com> Change-Id: Icdf43b67c38bf183913a28a08a85236ba16343af
2023-10-30ipsec: huge anti-replay window supportMaxime Peim1-2/+2
Type: improvement Since RFC4303 does not specify the anti-replay window size, VPP should support multiple window size. It is done through a clib_bitmap. Signed-off-by: Maxime Peim <mpeim@cisco.com> Change-Id: I3dfe30efd20018e345418bef298ec7cec19b1cfc
2023-07-27ikev2: cleanup stuck sessionsDenys Haryachyy3-23/+45
The following issues are fixed: * in responder code: do lookup again as the old pointer could be invalidated during the cleanup operation * in initiar code: do the cleanup of session if there're no child SAs or if there's no response from the responder during initial request (this can easily happen if the response packet was lost/dropped/etc) * print the state of ikev2 profile (for easier tshooting) Type: fix Change-Id: I853d9851c0cf131696585e3c98fa97e66789badd Signed-off-by: Stanislav Zaikin <stanislav.zaikin@46labs.com>
2023-01-10build: do not link with libssl if not neededBenoît Ganne1-1/+1
In most cases we only need OpenSSL libcrypto (crypto primitives) but not libssl (tls). Type: improvement Change-Id: I9dce27d23d65bf46aea2d0f8aaf417240701efcc Signed-off-by: Benoît Ganne <bganne@cisco.com>
2022-10-12misc: fix issues reported by clang-15Damjan Marion2-5/+6
Type: improvement Change-Id: I3fbbda0378b72843ecd39a7e8592dedc9757793a Signed-off-by: Damjan Marion <dmarion@me.com>
2022-08-19ipsec: enable UDP encap for IPv6 ESP tun protectMatthew Smith1-2/+4
Type: improvement If an SA protecting an IPv6 tunnel interface has UDP encapsulation enabled, the code in esp_encrypt_inline() inserts a UDP header but does not set the next protocol or the UDP payload length, so the peer that receives the packet drops it. Set the next protocol field and the UDP payload length correctly. The port(s) for UDP encapsulation of IPsec was not registered for IPv6. Add this registration for IPv6 SAs when UDP encapsulation is enabled. Add punt handling for IPv6 IKE on NAT-T port. Add registration of linux-cp for the new punt reason. Add unit tests of IPv6 ESP w/ UDP encapsulation on tun protect Signed-off-by: Matthew Smith <mgsmith@netgate.com> Change-Id: Ibb28e423ab8c7bcea2c1964782a788a0f4da5268
2022-08-18ikev2: accept key exchange on CREATE_CHILD_SAAtzm Watanabe2-63/+126
In RFC 7296, CREATE_CHILD_SA Exchange may contain the KE payload to enable stronger guarantees of forward secrecy. When the KEi payload is included in the CREATE_CHILD_SA request, responder should reply with the KEr payload and complete the key exchange, in accordance with the RFC. Type: improvement Signed-off-by: Atzm Watanabe <atzmism@gmail.com> Change-Id: I13cf6cf24359c11c3366757e585195bb7e999638
2022-08-18ikev2: fix possible SEGVAtzm Watanabe1-3/+3
Type: fix Signed-off-by: Atzm Watanabe <atzmism@gmail.com> Change-Id: Icbd452b43ecaafe46def1276c98f7e8cbf761e51
2022-08-10ikev2: do not accept rekey until old SA is deletedAtzm Watanabe2-14/+36
Type: fix Signed-off-by: Atzm Watanabe <atzmism@gmail.com> Change-Id: I11b6107492004a45104857dc2dae01b9a5a01e3b
2022-08-08ikev2: fix rekeying with multiple notify payloadsAtzm Watanabe1-5/+8
Type: fix Signed-off-by: Atzm Watanabe <atzmism@gmail.com> Change-Id: I065bd5c26055d863d786023970e7deeed261b31c
2022-05-19ikev2: fix tunnel directionStanislav Zaikin1-4/+4
Type: fix Change-Id: I480b1fcace1c27a5cb2d2956cec80b379105b55d Signed-off-by: Stanislav Zaikin <zstaseg@gmail.com>
2022-04-04vppinfra: make _vec_len() read-onlyDamjan Marion1-3/+3
Use of _vec_len() to set vector length breaks address sanitizer. Users should use vec_set_len(), vec_inc_len(), vec_dec_len () instead. Type: improvement Change-Id: I441ae948771eb21c23a61f3ff9163bdad74a2cb8 Signed-off-by: Damjan Marion <damarion@cisco.com>
2022-01-27build: fix compilation on OpenSSL 3.0Damjan Marion1-0/+1
So far by suppressing depreciation messages, as there was no transition period. Type: make Change-Id: I9887613fd71a22bf11bf22a04c129aca4a16867f Signed-off-by: Damjan Marion <damarion@cisco.com>
2021-10-08ikev2: lazy initializationBenoît Ganne4-52/+111
- do not initialize resources if ikev2 is not used. - process IKE packets only if we have profile(s) configured Type: improvement Change-Id: I57c95a888532eafd70989096c0555ebb1d7bef25 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-10-07ikev2: do not require optional IDr on IKE AUTHBenoît Ganne1-8/+26
IDr is optional in IKE AUTH from the initiator. In that case, the responder is free to use any matching profile and fills the corresponding IDr in the response. The initiator is then free to accept or reject it. Type: improvement Change-Id: I07a1c64a40ed22bd41767c259406238bbbab5cf4 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-10-07ikev2: add logs in case of parsing errorsBenoît Ganne1-6/+24
Type: improvement Change-Id: Id0a6a9e68725ea7aa0b7da14cf54d14405a907fb Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-10-07ikev2: do not send IDi on responder AUTHBenoît Ganne1-1/+0
The IDi is not mentioned in the RFC for the responder AUTH message, and it confuses some IKE implementations. Type: fix Change-Id: I2bcefa1efd315412a6f5fa592668d4e0da510264 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-09-29ikev2: build only when deps requirements are metFilip Tehlar2-113/+5
Type: improvement Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Change-Id: I89bcc1ba804ded676b194dbda52704cd0c54a67e
2021-09-27ikev2: support variable-length noncesBenoît Ganne1-21/+34
IKEv2 nonces can be 16 to 256 bytes. Type: fix Change-Id: Ib332028594355c9e5b462bddb7e4dffbcdc9a927 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-09-27misc: api move continuedFlorin Coras1-1/+1
Move control ping and change dependencies from vpe.api_types to memclnt.api_types Type: refactor Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I9f8bc442e28738c48d64d1f6794082c8c4f5725b
2021-08-26ikev2: check for valid cipher + integrityBenoît Ganne1-6/+6
Type: improvement Change-Id: Ic09b2c777a7c82e8d7074164280f817f9141529b Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-08-26ikev2: fix DNS resolution overflowBenoît Ganne1-1/+7
VPP DNS resolver expects NULL-terminated C string, whereas the ikev2 plugin only uses non-NULL terminated vectors. Type: fix Change-Id: I4a2afffb9e1b6b5dd11842621d5f13bc5a145862 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-08-20ikev2: fix use-after-freeBenoît Ganne1-2/+3
Type: fix Change-Id: Ia3bacefdad674807de873b5c457b8470f66193f3 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-08-20ikev2: decrease inliningBenoît Ganne1-26/+26
IKEv2 is not optimized for dataplane processing and do not really benefit from aggressive inlining. Let the compiler decide to improve build time (from 205s to 30s). Type: refactor Change-Id: I5286880b35d338d669ec9382bf049d4486c04947 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-05-13tests: move test source to vpp/testDave Wallace2-2238/+0
- Generate copyright year and version instead of using hard-coded data Type: refactor Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Change-Id: I6058f5025323b3aa483f5df4a2c4371e27b5914e
2021-03-15ikev2: support responder hostnameFilip Tehlar9-34/+255
Type: feature Ticket: VPP-1901 Change-Id: I1ad222b54363fd35679d0132d458345a9a18362c Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2021-03-04ikev2: fix incorrect api messageFilip Tehlar1-1/+1
Type: fix Change-Id: I9b3f4531070786f583e18609dfae1d95487ce93c Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2021-03-02ikev2: fix authFilip Tehlar1-1/+1
Old auth data is needed when generating new one. Type: fix Change-Id: I15c62346dbb7ece8facdc7a05f30afd1a15a5648 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2021-02-26ipsec: move the IPSec SA pool out of ipsec_mainNeale Ranns1-4/+4
Type: refactor this allows the ipsec_sa_get funtion to be moved from ipsec.h to ipsec_sa.h where it belongs. Also use ipsec_sa_get throughout the code base. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I2dce726c4f7052b5507dd8dcfead0ed5604357df
2021-02-25ikev2: Use the IPSec functions for UDP port managementNeale Ranns2-46/+2
Type: refactor IKEv2 registers the IPSec node as the port handler, so it can use the IPSec functions to do that. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: If398dde0a8eb0407eba3ede62a3d5a8c12fe68a7
2021-02-19ikev2: start counting msgid from 0Filip Tehlar1-2/+2
This fixes an issue when initiator is expecting request with intitial msgid being 0 but 1 is received instead which results in retransmission (instead of normally processing the new request). Type: fix Change-Id: I60062276bd93de78128847c5b15f5d6cecf1df65 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2021-02-16ikev2: fix coverity warningsFilip Tehlar2-100/+117
Type: fix Change-Id: Ia22b1189b82e885eb380f638ea6d05923a858f01 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2021-02-15ikev2: fix rekey against strongSwanFilip Tehlar2-52/+94
When strongSwan rekeys it sends create child sa request first and then delete request for the old child sa (or vice versa depending on configuration) as opposed to sending just a single create child sa with rekey notify message. Type: fix Change-Id: I1fa55a607ca623cd3a6d887436207153c6f6bbf6 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2021-02-11tests: tag the tests that do not work with multi-worker configurationAndrew Yourtchenko1-0/+16
If the multi-worker default VPP configuration is triggered by setting VPP_WORKER_CONFIG="workers 2", some of the tests fail for various reasons. It's a substantial number, so this change marks all of the testsets that have this issue, such that they can be addressed later independently. Type: test Change-Id: I4f77196499edef3300afe7eabef9cbff91f794d3 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2021-02-10ipsec: Use the new tunnel API types to add flow label and TTL copyNeale Ranns1-23/+37
support Type: feature attmpet 2. this includes changes in ah_encrypt that don't use uninitialised memory when doing tunnel mode fixups. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ie3cb776f5c415c93b8a5ee22f22586fd0181110d
2021-02-09Revert "ipsec: Use the new tunnel API types to add flow label and TTL copy"Matthew Smith1-37/+23
This reverts commit c7eaa711f3e25580687df0618e9ca80d3dc85e5f. Reason for revert: The jenkins job named 'vpp-merge-master-ubuntu1804-x86_64' had 2 IPv6 AH tests fail after the change was merged. Those 2 tests also failed the next time that job ran after an unrelated change was merged. Change-Id: I0e2c3ee895114029066c82624e79807af575b6c0 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-02-08ipsec: Use the new tunnel API types to add flow label and TTL copyNeale Ranns1-23/+37
support Type: feature Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I6d4a9b187daa725d4b2cbb66e11616802d44d2d3
2021-02-05ikev2: fix bad ip in logsFilip Tehlar1-5/+9
Type: fix Change-Id: Icd01491043e9fd1bb8f51f4f55e1252fd78512de Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2021-02-05tests: ikev2: non-default table id testFilip Tehlar1-0/+33
Test whether responder sends info requests using correct ip table Type: test Change-Id: I9e97576f9d80686961f92de3cbc3e6f8d6341587 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2021-02-04ikev2: add hint to the log when IDs do not matchFilip Tehlar1-1/+10
Type: improvement Ticket: VPP-1908 Change-Id: I1d86ea18fcb6174b86c449d5d9403fd0e5715318 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2021-02-04ikev2: fix msgidFilip Tehlar1-0/+1
Type: fix In responder initialize msgid in requests to 1 as the previous value (0) was causing retransmision on the initiator. Change-Id: I8f5b84331ecac5943129f4c9a377076768fec455 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2021-01-27ikev2: add per SA statsFilip Tehlar7-15/+68
Type: feature Change-Id: Ic502d806410ea3c8f3f1eac70b694114ccb053bf Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2021-01-21ip: Use correct enum type in ip_address_setNeale Ranns1-2/+2
Type: refactor Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ice2bc42838e6d5ba579f449c3f8b0feffebeb719
2021-01-20ikev2: use new counters data model & add more countersFilip Tehlar3-50/+169
Type: feature Ticket: VPP-1916 Change-Id: Ibe612d21f748a532d88b73b286dc4a1dd15d7420 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2021-01-13ikev2: remove assert conditionFilip Tehlar1-19/+36
Remove assert condition ensuring that a packet was punted with reason spi=0. We can't rely on data in punt_reason because it is defind in an union. This patch adds a new IKE node that handles punted IKE packets separately. Type: fix Change-Id: I2e1b44922e53e049bd8512fa5cb85cee6a2b8aa7 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2021-01-08ikev2: fix lookup in wrong ip tableFilip Tehlar1-4/+6
In responder mode we need to remember interface index from which IKE session was initiated. Otherwise when sending keep alive packets to the initiator, the default ip table is always used for lookup instead of the one associated with the interface. Type: fix Change-Id: Iade3fc3a490b7ae83c3f6e9014d1f4204e476ac1 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-12-14ikev2: add reason for deleted sa debug logBenoît Ganne1-5/+5
Type: improvement Change-Id: If991165406d10d877aa6c7b2a03b4b741272928c Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-12-14ikev2: fix show ikev2 profileBenoît Ganne1-38/+18
format_ip_address() to display {local,remote}_id does not work because we do not store ip_address_t but ip{4,6}_address_t, hence we lack the ip_address_family_t version field. Update format_ikev2_id_type_and_data() to support all types and use it instead. Type: fix Change-Id: I7a81beb0b22fcf1c5d1bf03a32a6cc4f030f4361 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-12-14misc: move to new pool_foreach macrosDamjan Marion3-40/+40
Type: refactor Change-Id: Ie67dc579e88132ddb1ee4a34cb69f96920101772 Signed-off-by: Damjan Marion <damarion@cisco.com>
2020-12-14api: add missing version infoPaul Vinciguerra1-1/+1
Type: fix Change-Id: I269214e3eae72e837f25ee61d714556d976d410f Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>