| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Change-Id: Ife66395b89e1e9f9206666e5f0fd441b3c241bb2
Signed-off-by: jackiechen1985 <xiaobo.chen@tieto.com>
|
|
Change-Id: Ibb55427ed49d0277854a352922c6c4bb007bf072
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: I45b97cfd0c3785bfbf6d142d362bd3d4d56bae00
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Change-Id: Ibef46e068cd72415af28920b0146adf48105bf68
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: Ied34720ca5a6e6e717eea4e86003e854031b6eab
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
Change-Id: Ic6b27659f1fe9e8df39e80a0441305e4e952195a
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
The pointer to IP header was derived from l3_hdr_offset,
which would be ok, if l3_hdr_offset was valid. But it does not
have to be, so it was a bad solution. Now the previous nodes
mark whether it is a IPv6 or IPv4 packet tyle, and in esp_decrypt
we count get ip header pointer by substracting the size
of the ip header from the pointer to esp header (which lies
in front of the ip header).
Change-Id: I6d425b90931053711e8ce9126811b77ae6002a16
Signed-off-by: Szymon Sliwa <szs@semihalf.com>
|
|
IP header is set as data + sizeof(ethernet_header_t),
what does not need to be true. The solution is to use
l3_hdr_offset.
Change-Id: I5d9f41599ba8d8eb14ce2d9d523f82ea6e0fd10d
Signed-off-by: Szymon Sliwa <szs@semihalf.com>
|
|
Change-Id: I876f215b129e5e59d3acc6447ce40458cc341eba
Signed-off-by: “mukeshyadav1984” <mukyadav@cisco.com>
|
|
Change-Id: Iec5804d768485f4015bbf732d8d19ef2f24e6939
Signed-off-by: “mukeshyadav1984” <mukyadav@cisco.com>
|
|
This patch addresses all the code changes required to VPP to support
openssl 1.1.0 API.
All the changes have been done so that VPP can still be built against
current openssl API whilst forward-looking to version 1.1.0.
Change-Id: I65e22c53c5decde7a15c7eb78a62951ee246b8dc
Signed-off-by: Marco Varlese <marco.varlese@suse.com>
|
|
For routed IPsec, set the RX sw_if_index on inbound packets
to the index of the IPsec interface. When a packet is
decrypted into a new buffer, bring along the RX sw_if_index
of the encrypted packet to the new buffer.
Change-Id: I093e9d37def2082c8d2f1deb96b1c5b97126e023
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
This patch deprecates stack-based thread identification,
Also removes requirement that thread stacks are adjacent.
Finally, possibly annoying for some folks, it renames
all occurences of cpu_index and cpu_number with thread
index. Using word "cpu" is misleading here as thread can
be migrated ti different CPU, and also it is not related
to linux cpu index.
Change-Id: I68cdaf661e701d2336fc953dcb9978d10a70f7c1
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
- IKE_SA_INIT and IKE_AUTH initial exchanges
- Delete IKA SA
- Rekey and delete Child SA
- Child SAs lifetime policy
To set up one VPP instance as the initiator use the following CLI commands (or API equivalents):
ikev2 profile set <id> responder <interface> <addr>
ikev2 profile set <id> ike-crypto-alg <crypto alg> <key size> ike-integ-alg <integ alg> ike-dh <dh type>
ikev2 profile set <id> esp-crypto-alg <crypto alg> <key size> esp-integ-alg <integ alg> esp-dh <dh type>
ikev2 profile set <id> sa-lifetime <seconds> <jitter> <handover> <max bytes>
and finally
ikev2 initiate sa-init <profile id> to initiate the IKE_SA_INIT exchange
Child SA re-keying process:
1. Child SA expires
2. A new Child SA is created using the Child SA rekey exchange
3. For a set time both SAs are alive
4. After the set time interval expires old SA is deleted
Any additional settings will not be carried over (i.e. settings of the ipsec<x> interface associated with the Child SA)
CLI API additions:
ikev2 profile set <id> responder <interface> <addr>
ikev2 profile set <id> ike-crypto-alg <crypto alg> <key size> ike-integ-alg <integ alg> ike-dh <dh type>
ikev2 profile set <id> esp-crypto-alg <crypto alg> <key size> esp-integ-alg <integ alg> esp-dh <dh type>
ikev2 profile set <id> sa-lifetime <seconds> <jitter> <handover> <max bytes>
ikev2 initiate sa-init <profile id>
ikev2 initiate del-child-sa <child sa ispi>
ikev2 initiate del-sa <sa ispi>
ikev2 initiate rekey-child-sa <profile id> <child sa ispi>
Sample configurations:
Responder:
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local fqdn vpp.home.responder
ikev2 profile set pr1 id remote fqdn vpp.home.initiator
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector local ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0
Initiator:
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local fqdn vpp.home.initiator
ikev2 profile set pr1 id remote fqdn vpp.home.responder
ikev2 profile set pr1 traffic-selector local ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 responder TenGigabitEthernet3/0/1 192.168.40.20
ikev2 profile set pr1 ike-crypto-alg aes-cbc 192 ike-integ-alg sha1-96 ike-dh modp-2048
ikev2 profile set pr1 esp-crypto-alg aes-cbc 192 esp-integ-alg sha1-96 esp-dh ecp-256
ikev2 profile set pr1 sa-lifetime 3600 10 5 0
Change-Id: I1db9084dc787129ea61298223fb7585a6f7eaf9e
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
|
|
Change-Id: I7b51f88292e057c6443b12224486f2d0c9f8ae23
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
jackiechen1985
Klement Sekera
Neale Ranns
Dave Barach
Szymon Sliwa
“mukeshyadav1984”
Marco Varlese
Matthew Smith
Damjan Marion
Radu Nicolau