Age | Commit message (Collapse) | Author | Files | Lines |
|
- IKE_SA_INIT and IKE_AUTH initial exchanges
- Delete IKA SA
- Rekey and delete Child SA
- Child SAs lifetime policy
To set up one VPP instance as the initiator use the following CLI commands (or API equivalents):
ikev2 profile set <id> responder <interface> <addr>
ikev2 profile set <id> ike-crypto-alg <crypto alg> <key size> ike-integ-alg <integ alg> ike-dh <dh type>
ikev2 profile set <id> esp-crypto-alg <crypto alg> <key size> esp-integ-alg <integ alg> esp-dh <dh type>
ikev2 profile set <id> sa-lifetime <seconds> <jitter> <handover> <max bytes>
and finally
ikev2 initiate sa-init <profile id> to initiate the IKE_SA_INIT exchange
Child SA re-keying process:
1. Child SA expires
2. A new Child SA is created using the Child SA rekey exchange
3. For a set time both SAs are alive
4. After the set time interval expires old SA is deleted
Any additional settings will not be carried over (i.e. settings of the ipsec<x> interface associated with the Child SA)
CLI API additions:
ikev2 profile set <id> responder <interface> <addr>
ikev2 profile set <id> ike-crypto-alg <crypto alg> <key size> ike-integ-alg <integ alg> ike-dh <dh type>
ikev2 profile set <id> esp-crypto-alg <crypto alg> <key size> esp-integ-alg <integ alg> esp-dh <dh type>
ikev2 profile set <id> sa-lifetime <seconds> <jitter> <handover> <max bytes>
ikev2 initiate sa-init <profile id>
ikev2 initiate del-child-sa <child sa ispi>
ikev2 initiate del-sa <sa ispi>
ikev2 initiate rekey-child-sa <profile id> <child sa ispi>
Sample configurations:
Responder:
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local fqdn vpp.home.responder
ikev2 profile set pr1 id remote fqdn vpp.home.initiator
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector local ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0
Initiator:
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local fqdn vpp.home.initiator
ikev2 profile set pr1 id remote fqdn vpp.home.responder
ikev2 profile set pr1 traffic-selector local ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 responder TenGigabitEthernet3/0/1 192.168.40.20
ikev2 profile set pr1 ike-crypto-alg aes-cbc 192 ike-integ-alg sha1-96 ike-dh modp-2048
ikev2 profile set pr1 esp-crypto-alg aes-cbc 192 esp-integ-alg sha1-96 esp-dh ecp-256
ikev2 profile set pr1 sa-lifetime 3600 10 5 0
Change-Id: I1db9084dc787129ea61298223fb7585a6f7eaf9e
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
|
|
Change-Id: I19ec3b769b6512f7408044751393d9faf10d01d5
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Add doxygen documentation for pcap tx trace CLI command.
In the process of adding the documentation, made the following changes
to the way the command worked:
* If there is an error with any of the attributes, the whole command
fails. The existing behavior was to apply attribute by attribute,
then bail if there was an issue, with partial apply.
* Move the 'on' processing to the end. The existing behavior was to
process the 'on' as it was encountered on the commandline. That meant
that any attributes after the 'on' in the commandline were saved and
displayed, but not really being used in the packet trace.
* Enhanced the 'status' to show all the configured attributes.
NOTE: The packet capture has some weird behavior with regards to how
many packets are written to file and if the file is appended or
overwritten. VPP-634 written to document the issue.
Change-Id: Iab241228b125385052de242865afd9515fa2524f
Signed-off-by: Billy McFall <bmcfall@redhat.com>
|
|
Change-Id: I5b308eb39ae770d58d1498d7fafa49b236b3f534
Signed-off-by: Marek Gradzki <mgradzki@cisco.com>
|
|
This happens only on when compiled for older microarchitectures,
where BSF insutruction is used instead of TZCNT. BSF provides
undefined result if operand is 0.
Change-Id: I7a13350786a533428168595097ef01a560fde53b
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: I4433eaed3f4e201edc329c4842cbbf74beb19a9a
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: I3d8b7947ae6d721e9b514a59a7d2de49aed419b5
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Running trex in a VM with a bad config, trex sent a bogus pack from
the VM to the Virtual interface. It caused a crash.
Change-Id: I64d0197b444265553ab4c24f21e6a962e89cb587
Signed-off-by: Steven <sluong@cisco.com>
|
|
Change-Id: I165b64fdc12dd2936df1958348e93b709ce0e784
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
|
|
Build Cryptodev IPsec support by default when DPDK is enabled but only build
hardware Cryptodev PMDs.
To enable Cryptodev support, a new startup.conf option for dpdk has been
introduced 'enable-cryptodev'.
During VPP init, if Cryptodev support is not enabled or not enough cryptodev
resources are available then default to OpenSSL ipsec implementation.
Change-Id: I5aa7e0d5c2676bdb41d775ef40364536a081956d
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
|
|
When mac address is set prior bringing interface up incorrect rx filter
being installed into the e1000 mac.
Change-Id: If59a2bf16f732e45221b3787d271307d369e54d3
Signed-off-by: Pavel Kotucek <pkotucek@cisco.com>
|
|
This patch adds multithreading support for af_packet interfaces.
Change-Id: Ief5d1117e7ffeaa59dbc2831e583d5d8e8d4fa7a
Signed-off-by: Mohsin KAZMI <sykazmi@cisco.com>
|
|
Change-Id: Ib0144ba3a9a09971d3946c932e8fed6d5c1ad278
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
Vhost-user pool getting freed prematurely
Change-Id: I952821ec85efa68923d09a643c70b6b309ea2574
Signed-off-by: Wojciech Dec <wdec@cisco.com>
|
|
Change-Id: Idc17b4a32d40012556d5d8550942db0372ebf23d
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: Iaecebae25ee4b8df8ca919992a0433e92e82e90c
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: Ibf7fc9a54d3fbee431b4814fa8abc5ba29ed9eef
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: I8e2e8f94a884ab2f9909d0c83ba00edd38cdab77
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Add doxygen documentation for netmap CLI commands.
Change-Id: I8d3ce12b1cfa5af30ddcd31cb476ca4652cfc2f3
Signed-off-by: Billy McFall <bmcfall@redhat.com>
|
|
Host interfaces created via the command-line arguments are missed named
(i.e. - UnknownEthernet0 instead of af_packet0). In DPDK 16.11, they
changed the driver names from eth_xxx to net_xxx. However, looks like
the AF_PACKET driver still returns "AF_PACKET PMD" as the driver name
in the rte_eth_dev_info_get(..) call. I modified the driver name look
table in vnet/devices/dpdk/dpdk.h to revert the name back.
Change-Id: I2b0a9f6b4d5245b76548027891d40f81a56b230d
Signed-off-by: Billy McFall <bmcfall@redhat.com>
|
|
Change-Id: I69bbc447e1989adea40f052eac4550036b6e2e1e
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Change-Id: If2541be803a0303401b013390e117c26fd1d9739
Signed-off-by: Pavel Kotucek <pkotucek@cisco.com>
|
|
With the CLI command 'create host-interface', no longer need to
support af_packet interface creation via Command-line Arg. However,
this is mostly implemented by passing arguments to DPDK. Instead of
blocking functionality, put a warning in the log directing the user
to the CLI.
Change-Id: I6c6fba6096f32ef232f1da0c5d39396c6d13f54f
Signed-off-by: Billy McFall <bmcfall@redhat.com>
|
|
Change-Id: I2c6c16688be35e2e122c2377ded467c68a4c5a97
Signed-off-by: Billy McFall <bmcfall@redhat.com>
|
|
The unix connect() in vhost-user driver in VPP is blocking, and
a non-expedient accept() on the other side causes the entire VPP to hang.
Solution: set the nonblocking flag for the socket fd before calling
connect(), and set the socket back to blocking after the accept() succeeds.
Change-Id: Ia5ee782037eeffabdad71db8241f476a048a4f6f
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Fix for VPP-573.
Change-Id: If7d9690901efebf62fdf28219097153d98c79c0c
Signed-off-by: Wojciech Dec <wdec@cisco.com>
|
|
Change-Id: I7b51f88292e057c6443b12224486f2d0c9f8ae23
Signed-off-by: Damjan Marion <damarion@cisco.com>
|