aboutsummaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec/ipsec.c
AgeCommit message (Collapse)AuthorFilesLines
2020-09-07ipsec: fix padding/alignment for native IPsec encryptionChristian Hopps1-9/+9
Not all ESP crypto algorithms require padding/alignment to be the same as AES block/IV size. CCM, CTR and GCM all have no padding/alignment requirements, and the RFCs indicate that no padding (beyond ESPs 4 octet alignment requirement) should be used unless TFC (traffic flow confidentiality) has been requested. CTR: https://tools.ietf.org/html/rfc3686#section-3.2 GCM: https://tools.ietf.org/html/rfc4106#section-3.2 CCM: https://tools.ietf.org/html/rfc4309#section-3.2 - VPP is incorrectly using the IV/AES block size to pad CTR and GCM. These modes do not require padding (beyond ESPs 4 octet requirement), as a result packets will have unnecessary padding, which will waste bandwidth at least and possibly fail certain network configurations that have finely tuned MTU configurations at worst. Fix this as well as changing the field names from ".*block_size" to ".*block_align" to better represent their actual (and only) use. Rename "block_sz" in esp_encrypt to "esp_align" and set it correctly as well. test: ipsec: Add unit-test to test for RFC correct padding/alignment test: patch scapy to not incorrectly pad ccm, ctr, gcm modes as well - Scapy is also incorrectly using the AES block size of 16 to pad CCM, CTR, and GCM cipher modes. A bug report has been opened with the and acknowledged with the upstream scapy project as well: https://github.com/secdev/scapy/issues/2322 Ticket: VPP-1928 Type: fix Signed-off-by: Christian Hopps <chopps@labn.net> Change-Id: Iaa4d6a325a2e99fdcb2c375a3395bcfe7947770e
2020-05-05ipsec: User can choose the UDP source portNeale Ranns1-0/+55
Type: feature thus allowing NAT traversal, Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: Ie8650ceeb5074f98c68d2d90f6adc2f18afeba08 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2020-05-04fib: midchain adjacency optimisationsNeale Ranns1-24/+6
Type: improvement - inline some common encap fixup functions into the midchain rewrite node so we don't incur the cost of the virtual function call - change the copy 'guess' from ethernet_header (which will never happen) to an ip4 header - add adj-midchain-tx to multiarch sources - don't run adj-midchain-tx as a feature, instead put this node as the adj's next and at the end of the feature arc. - cache the feature arc config index (to save the cache miss going to fetch it) - don't check if features are enabled when taking the arc (since we know they are) the last two changes will also benefit normal adjacencies taking the arc (i.e. for NAT, ACLs, etc) for IPSec: - don't run esp_encrypt as a feature, instead when required insert this node into the adj's next and into the end of the feature arc. this implies that encrypt is always 'the last feature' run, which is symmetric with decrypt always being the first. - esp_encrpyt for tunnels has adj-midchain-tx as next node Change-Id: Ida0af56a704302cf2d7797ded5f118a781e8acb7 Signed-off-by: Neale Ranns <nranns@cisco.com>
2020-04-30crypto: introduce async crypto infraFan Zhang1-2/+81
Type: feature Signed-off-by: Damjan Marion <damarion@cisco.com> Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com> Signed-off-by: Dariusz Kazimierski <dariuszx.kazimierski@intel.com> Signed-off-by: Piotr Kleski <piotrx.kleski@intel.com> Change-Id: I4c3fcccf55c36842b7b48aed260fef2802b5c54b
2020-02-10ipsec: fix AES-GCM block sizeDamjan Marion1-3/+6
Type: fix Change-Id: I0c9640dab2c0eaba369bc8f3ff7ae56d8e97e170 Signed-off-by: Damjan Marion <damarion@cisco.com>
2020-01-22ipsec: re-enable DPDK IPSec for tunnel decap/encap (VPP-1823)Neale Ranns1-0/+14
Type: fix Change-Id: Iff9b1960b122f7d326efc37770b4ae3e81eb3122 Signed-off-by: Neale Ranns <nranns@cisco.com>
2020-01-04ipsec: Targeted unit testingNeale Ranns1-4/+10
Type: fix 1 - big packets; chained buffers and those without enoguh space to add ESP header 2 - IPv6 extension headers in packets that are encrypted/decrypted 3 - Interface protection with SAs that have null algorithms Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: Ie330861fb06a9b248d9dcd5c730e21326ac8e973
2019-12-17ipsec: bind an SA to a workerNeale Ranns1-0/+26
the sequence number increment and the anti-replay window checks must be atomic. Given the vector nature of VPP we can't simply use atomic increments for sequence numbers, since a vector on thread 1 with lower sequence numbers could be 'overtaken' by packets on thread 2 with higher sequence numbers. The anti-replay logic requires a critical section, not just atomics, and we don't want that. So when the SA see the first packet it is bound to that worker all subsequent packets, that arrive on a different worker, are subject to a handoff. Type: feature Change-Id: Ia20a8645fb50622ea6235ab015a537f033d531a4 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-11-08ipsec: remove dedicated IPSec tunnelsNeale Ranns1-8/+0
APIs for dedicated IPSec tunnels will remain in this release and are used to programme the IPIP tunnel protect. APIs will be removed in a future release. see: https://wiki.fd.io/view/VPP/IPSec Type: feature Change-Id: I0f01f597946fdd15dfa5cae3643104d5a9c83089 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-08-27ipsec: Fix NULL encryption algorithmNeale Ranns1-0/+7
Type: fix Ticket: VPP-1756 the block-size was set to 0 resulting in incorrect placement of the ESP footer. add tests for NULL encrypt + integ. Change-Id: I8ab3afda8e68f9ff649540cba3f2cac68f12bbba Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-08-16ipsec: fix missed IPSEC_INTEG_ALG_MD5_96Dmitry Vakhrushev1-0/+5
This algorithm was missed in last improvements. Type:fix Signed-off-by: Dmitry Vakhrushev <dmitry@netgate.com> Change-Id: Ib818cbdcdd1a6f298e8b0086dac4189cc201baa3
2019-07-12ipsec: drop outbound ESP when no crypto alg setMatthew Smith1-1/+1
Type: fix If a tunnel interface has the crypto alg set on the outbound SA to IPSEC_CRYPTO_ALG_NONE and packets are sent out that interface, the attempt to write an ESP trailer on the packet occurs at the wrong offset and the vnet buffer opaque data is corrupted, which can result in a SEGV when a subsequent node attempts to use that data. When an outbound SA is set on a tunnel interface which has no crypto alg set, add a node to the ip{4,6}-output feature arcs which drops all packets leaving that interface instead of adding the node which would try to encrypt the packets. Change-Id: Ie0ac8d8fdc8a035ab8bb83b72b6a94161bebaa48 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2019-06-25ipsec: return error if the engine backend has no handler for theNeale Ranns1-1/+23
requested alogrithm. Type: feature Change-Id: I19a9c14b2bb52ba2fc66246845b7ada73d5095d1 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-05-20IPSEC: rename default backendNeale Ranns1-2/+2
Change-Id: I3a4883426b558476040af5b89bb7ccc8f151c5cc Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-05-14IPSEC coverity fixesNeale Ranns1-1/+1
Change-Id: I753fbce091c0ba1004690be5ddeb04f463cf95a3 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-05-06Add missing init fn dependency to ipsec_initDave Barach1-0/+5
ipsec_init fails if vnet_feature_init hasn't occurred. Can happen if a particular set of plugins are loaded. Change-Id: I67b289d640c28d04e248b9a09ebcc8f205834fd2 Signed-off-by: Dave Barach <dave@barachs.net>
2019-04-25crypto_ipsecmb: use pre-expanded keysDamjan Marion1-1/+1
Change-Id: Ie1d34b7e71554516595e0cd228e2cd54a3b8d629 Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-04-25IPSEC; dpdk backend for tunnel interface encryptionNeale Ranns1-17/+49
Change-Id: Ide2a9df18db371c8428855d7f12f246006d7c04c Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-25crypto: improve key handlingDamjan Marion1-0/+13
Change-Id: If96f661d507305da4b96cac7b1a8f14ba90676ad Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-04-16IPSEC: support GCM in ESPNeale Ranns1-7/+18
Change-Id: Id2ddb77b4ec3dd543d6e638bc882923f2bac011d Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-07crypto: add support for AEAD and AES-GCMDamjan Marion1-15/+15
Change-Id: Iff6f81a49b9cff5522fbb4914d47472423eac5db Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-04-04ipsec: trunc_size -> icv_sizeDamjan Marion1-5/+5
Change-Id: Idb661261c2191adda963a7815822fd7a27a9e7a0 Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-04-03IPSEC: correctly size per-thread dataNeale Ranns1-1/+1
Change-Id: Idfc05cd0e09b50a26eaf747b7c49f720b009159a Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-26ipsec: esp-encrypt reworkDamjan Marion1-0/+2
Change-Id: Ibe7f806b9d600994e83c9f1be526fdb0a1ef1833 Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-03-20ipsec: bug fix ipsec-init sequenceKingwel Xie1-2/+0
ipsec_tunnel_if_init might be called before ipsec_init this memset in ipsec-init therefore zero the memory allocated by ipsec_tunnel_if_init Change-Id: Ie889f1bf624c76842ef77e5a51ed1d41fed4758d Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2019-03-19crypto: introduce crypto infraDamjan Marion1-21/+50
Change-Id: Ibf320b3e7b054b686f3af9a55afd5d5bda9b1048 Signed-off-by: Damjan Marion <damarion@cisco.com> Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2019-03-06ipsec: esp-encrypt and esp-decrypt cleanupDamjan Marion1-4/+0
Change-Id: I1e431aa36a282ca7565c6618a940d591674b8cd2 Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-03-05ipsec: cleanup, remove unnecessary code,Kingwel Xie1-2/+3
ipsec_proto_main moved to ipsec.c fix missing '\0' of backend name Change-Id: I90760b3045973a46792c2f098d9b0b1b3d209ad0 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2019-02-25IKEv2 to pluginNeale Ranns1-4/+0
for easy integration with ptoducts running their own Ike stack. Without the VPP IKE plugin loaded, the product is free to handle IKE packets as it pleases. Change-Id: Id0839f4d58b797f4c2da0382eb499fc08b05f66f Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-13IPSEC: restack SAs on backend changeNeale Ranns1-0/+12
Change-Id: I5852ca02d684fa9d59e1690efcaca06371c5faff Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-01IPSEC: minor refactorNeale Ranns1-488/+1
No function change. Only breaking the monster ipsec.[hc] into smaller constituent parts Change-Id: I3fd4d2d041673db5865d46a4002f6bd383f378af Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-01-30ipsec: fix check support functionsKlement Sekera1-5/+15
Change-Id: If94c57fbb07a7376a9f2873e1489c00b28152620 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2019-01-24IPSEC Tests: to per-test setup and tearDownNeale Ranns1-4/+4
don't do the setup and teardown in class methods so that with each test the config is added and deleted. that way we test that delete actually removes state. more helpful error codes from VPP for existing IPSEC state. Change-Id: I5de1578f73b935b420d4cdd85aa98d5fdcc682f6 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-01-02ipsec: fix support check when using AES-GCMMatthew Smith1-10/+15
When adding an IPsec SA, ipsec_check_support_cb() is called. This invokes a callback for AH and a callback for ESP to check if the algorithms are supported. When using AES-GCM on an ESP SA with the DPDK IPsec backend selected, the AH callback fails. The DPDK IPsec backend has no AH support, so the callback for the default OpenSSL backend is invoked. This checks whether the crypto algorithm is AES-GCM and returns failure. Only invoke the callback to check support for the IPsec protocol of the SA - either AH or ESP rather than doing both. Change-Id: Ic10be6a17b580d06ffb7e82ef5866e53a4f8b525 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-12-12Change ipsec feature node namesPierre Pfister1-16/+16
ipsec4-output and ipsec6-output were conflicting with ipsec interface names ("ipsec<id>") and vnet/interface.c autogenerated output node ("<ifname>-output"). Changing feature names seems to be the less invasive option. This patch also changes "input" feature names for consistency. Change-Id: I4ba10d07e9ba09df20aa2500104252b06b55f8f7 Signed-off-by: Pierre Pfister <ppfister@cisco.com>
2018-11-20IPSEC: remove duplicate memcyNeale Ranns1-6/+0
Change-Id: If91257fa23ba74c09e5c3b5528eb2fd4c4b36b6a Signed-off-by: Neale Ranns <nranns@cisco.com>
2018-11-15ipsec: infra for selecting backendsKlement Sekera1-63/+208
Change-Id: Ifa6d8391b1b2413a88b7720fc434e0bc849a149a Signed-off-by: Klement Sekera <ksekera@cisco.com> Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-10-23c11 safe string handling supportDave Barach1-2/+2
Change-Id: Ied34720ca5a6e6e717eea4e86003e854031b6eab Signed-off-by: Dave Barach <dave@barachs.net>
2018-10-22ipsec: split ipsec nodes into ip4/ip6 nodesKlement Sekera1-16/+37
Change-Id: Ic6b27659f1fe9e8df39e80a0441305e4e952195a Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-09-26forget to assign spd_index to configKingwel Xie1-0/+2
Change-Id: I35dcb987edf11097f34a633ac36d87cecd12088f Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2018-08-03ipsec: add udp-encap option to debug cli commandsRadu Nicolau1-3/+1
Change-Id: I3195afd952f6783da87224d7ceb9df13ddd39459 Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
2018-06-20ipsec: VPP-1308 fix sorting of SPD entriesKlement Sekera1-10/+8
Change-Id: I761aced55b7cef51a9b47048283b2cb9430bcde2 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-05-09ipsec: support UDP encap/decap for NAT traversalKlement Sekera1-1/+5
Change-Id: I65c12617ad49e4d5ef242e53988782f0cefa5684 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-03-16IPSec: fix IPv6 policy deletingMatus Fabian1-1/+1
Change-Id: I9f487d6033edde09557709f94f97fc8a70246b09 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-11-28IPSec AH protocol enhancement in VPP native core“mukeshyadav1984”1-1/+12
Change-Id: Iec5804d768485f4015bbf732d8d19ef2f24e6939 Signed-off-by: “mukeshyadav1984” <mukyadav@cisco.com>
2017-10-26Allow IPsec interface to have SAs resetMatthew Smith1-1/+1
Make it easier to integrate with external IKE daemon. IPsec interfaces can have one or both SAs replaced after creation. This allows for the possibility of setting a new child SA on an interface when rekeying occurs. It also allows for the possibility of creating an interface ahead of time and updating the SA when parameters that are negotiated during IKE exchange become known. Change-Id: I0a31afdcc2bdff7098a924a51abbc58bdab2bd08 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2017-10-24Add extern to *_main global variable declarations in header files.Dave Wallace1-0/+2
- Global variables declared in header files without the use of the 'extern' keword will result in multiple instances of the variable to be created by the compiler -- one for each different source file in which the the header file is included. This results in wasted memory allocated in the BSS segments as well as potentially introducing bugs in the application. Change-Id: I6ef1790b60a0bd9dd3994f8510723decf258b0cc Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2017-10-12dpdk/ipsec: coverity fixesSergio Gonzalez Monroy1-9/+20
Change-Id: Ica3bc74ffbb1c0df4e198b0abff8df10cdeb2182 Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2017-10-05dpdk/ipsec: rework plus improved cli commandsSergio Gonzalez Monroy1-5/+3
This patch reworks the DPDK ipsec implementation including the cryptodev management as well as replacing new cli commands for better usability. For the data path: - The dpdk-esp-encrypt-post node is not necessary anymore. - IPv4 packets in the decrypt path are sent to ip4-input-no-checksum instead of ip4-input. The DPDK cryptodev cli commands are replaced by the following new commands: - show dpdk crypto devices - show dpdk crypto placement [verbose] - set dpdk crypto placement (<device> <thread> | auto) - clear dpdk crypto placement <device> [<thread>] - show dpdk crypto pools Change-Id: I47324517ede82d3e6e0e9f9c71c1a3433714b27b Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2017-01-27dpdk: rework cryptodev ipsec build and setupSergio Gonzalez Monroy1-23/+28
Build Cryptodev IPsec support by default when DPDK is enabled but only build hardware Cryptodev PMDs. To enable Cryptodev support, a new startup.conf option for dpdk has been introduced 'enable-cryptodev'. During VPP init, if Cryptodev support is not enabled or not enough cryptodev resources are available then default to OpenSSL ipsec implementation. Change-Id: I5aa7e0d5c2676bdb41d775ef40364536a081956d Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>