| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Make it easier to integrate with external IKE daemon.
IPsec interfaces can have one or both SAs replaced after
creation. This allows for the possibility of setting a
new child SA on an interface when rekeying occurs. It also
allows for the possibility of creating an interface ahead
of time and updating the SA when parameters that are
negotiated during IKE exchange become known.
Change-Id: I0a31afdcc2bdff7098a924a51abbc58bdab2bd08
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
- Global variables declared in header files without
the use of the 'extern' keword will result in multiple
instances of the variable to be created by the compiler
-- one for each different source file in which the
the header file is included. This results in wasted
memory allocated in the BSS segments as well as
potentially introducing bugs in the application.
Change-Id: I6ef1790b60a0bd9dd3994f8510723decf258b0cc
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
This patch reworks the DPDK ipsec implementation including the cryptodev
management as well as replacing new cli commands for better usability.
For the data path:
- The dpdk-esp-encrypt-post node is not necessary anymore.
- IPv4 packets in the decrypt path are sent to ip4-input-no-checksum instead
of ip4-input.
The DPDK cryptodev cli commands are replaced by the following new commands:
- show dpdk crypto devices
- show dpdk crypto placement [verbose]
- set dpdk crypto placement (<device> <thread> | auto)
- clear dpdk crypto placement <device> [<thread>]
- show dpdk crypto pools
Change-Id: I47324517ede82d3e6e0e9f9c71c1a3433714b27b
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
|
|
Change-Id: If5158f6fa7344dee94548c93dace779430e0647f
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
This patch deprecates stack-based thread identification,
Also removes requirement that thread stacks are adjacent.
Finally, possibly annoying for some folks, it renames
all occurences of cpu_index and cpu_number with thread
index. Using word "cpu" is misleading here as thread can
be migrated ti different CPU, and also it is not related
to linux cpu index.
Change-Id: I68cdaf661e701d2336fc953dcb9978d10a70f7c1
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
- IKE_SA_INIT and IKE_AUTH initial exchanges
- Delete IKA SA
- Rekey and delete Child SA
- Child SAs lifetime policy
To set up one VPP instance as the initiator use the following CLI commands (or API equivalents):
ikev2 profile set <id> responder <interface> <addr>
ikev2 profile set <id> ike-crypto-alg <crypto alg> <key size> ike-integ-alg <integ alg> ike-dh <dh type>
ikev2 profile set <id> esp-crypto-alg <crypto alg> <key size> esp-integ-alg <integ alg> esp-dh <dh type>
ikev2 profile set <id> sa-lifetime <seconds> <jitter> <handover> <max bytes>
and finally
ikev2 initiate sa-init <profile id> to initiate the IKE_SA_INIT exchange
Child SA re-keying process:
1. Child SA expires
2. A new Child SA is created using the Child SA rekey exchange
3. For a set time both SAs are alive
4. After the set time interval expires old SA is deleted
Any additional settings will not be carried over (i.e. settings of the ipsec<x> interface associated with the Child SA)
CLI API additions:
ikev2 profile set <id> responder <interface> <addr>
ikev2 profile set <id> ike-crypto-alg <crypto alg> <key size> ike-integ-alg <integ alg> ike-dh <dh type>
ikev2 profile set <id> esp-crypto-alg <crypto alg> <key size> esp-integ-alg <integ alg> esp-dh <dh type>
ikev2 profile set <id> sa-lifetime <seconds> <jitter> <handover> <max bytes>
ikev2 initiate sa-init <profile id>
ikev2 initiate del-child-sa <child sa ispi>
ikev2 initiate del-sa <sa ispi>
ikev2 initiate rekey-child-sa <profile id> <child sa ispi>
Sample configurations:
Responder:
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local fqdn vpp.home.responder
ikev2 profile set pr1 id remote fqdn vpp.home.initiator
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector local ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0
Initiator:
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local fqdn vpp.home.initiator
ikev2 profile set pr1 id remote fqdn vpp.home.responder
ikev2 profile set pr1 traffic-selector local ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 responder TenGigabitEthernet3/0/1 192.168.40.20
ikev2 profile set pr1 ike-crypto-alg aes-cbc 192 ike-integ-alg sha1-96 ike-dh modp-2048
ikev2 profile set pr1 esp-crypto-alg aes-cbc 192 esp-integ-alg sha1-96 esp-dh ecp-256
ikev2 profile set pr1 sa-lifetime 3600 10 5 0
Change-Id: I1db9084dc787129ea61298223fb7585a6f7eaf9e
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
|
|
Build Cryptodev IPsec support by default when DPDK is enabled but only build
hardware Cryptodev PMDs.
To enable Cryptodev support, a new startup.conf option for dpdk has been
introduced 'enable-cryptodev'.
During VPP init, if Cryptodev support is not enabled or not enough cryptodev
resources are available then default to OpenSSL ipsec implementation.
Change-Id: I5aa7e0d5c2676bdb41d775ef40364536a081956d
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
|
|
Change-Id: I7b51f88292e057c6443b12224486f2d0c9f8ae23
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
Matthew Smith
Dave Wallace
Sergio Gonzalez Monroy
Damjan Marion
Radu Nicolau