summaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec/ipsec.h
AgeCommit message (Collapse)AuthorFilesLines
2021-03-05ipsec: Submit fuller async framesNeale Ranns1-0/+1
Type: improvement In the current scheme an async frame is submitted each time the crypto op changes. thus happens each time a different SA is used and thus potentially many times per-node. thi can lead to the submision of many partially filled frames. change the scheme to construct as many full frames as possible in the node and submit them all at the end. the frame owner ship is passed to the user so that there can be more than one open frame per-op at any given time. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ic2305581d7b5aa26133f52115e0cd28ba956ed55
2021-02-26ipsec: move the IPSec SA pool out of ipsec_mainNeale Ranns1-9/+0
Type: refactor this allows the ipsec_sa_get funtion to be moved from ipsec.h to ipsec_sa.h where it belongs. Also use ipsec_sa_get throughout the code base. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I2dce726c4f7052b5507dd8dcfead0ed5604357df
2021-02-25ipsec: ipsec.h tidy upNeale Ranns1-17/+0
Type: refactor - remove the extern declaration of the nodes. keep the use of them to the files that declare them - remove duplicate declaration of ipsec_set_async_mode - remove unsued ipsec_add_feature Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I6ce7bb4517b508a8f02b11f3bc819e1c5d539c02
2021-01-18ipsec: Support MPLS over IPSec[46] interfaceNeale Ranns1-13/+14
Type: feature Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I89dc3815eabfee135cd5b3c910dea5e2e2ef1333
2020-10-21ipsec: Add to the SA info directly in the bihashNeale Ranns1-4/+4
Type: improvement this save the cache miss on the protect structure. Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I867d5e49df5edfd6b368f17a34747f32840080e4
2020-10-05ipsec: Use bihash for tunnel lookupNeale Ranns1-2/+7
Type: improvement Change-Id: I0c82722dfce990345fe6eeecdb335678543367e0 Signed-off-by: Neale Ranns <nranns@cisco.com>
2020-09-07ipsec: fix padding/alignment for native IPsec encryptionChristian Hopps1-1/+1
Not all ESP crypto algorithms require padding/alignment to be the same as AES block/IV size. CCM, CTR and GCM all have no padding/alignment requirements, and the RFCs indicate that no padding (beyond ESPs 4 octet alignment requirement) should be used unless TFC (traffic flow confidentiality) has been requested. CTR: https://tools.ietf.org/html/rfc3686#section-3.2 GCM: https://tools.ietf.org/html/rfc4106#section-3.2 CCM: https://tools.ietf.org/html/rfc4309#section-3.2 - VPP is incorrectly using the IV/AES block size to pad CTR and GCM. These modes do not require padding (beyond ESPs 4 octet requirement), as a result packets will have unnecessary padding, which will waste bandwidth at least and possibly fail certain network configurations that have finely tuned MTU configurations at worst. Fix this as well as changing the field names from ".*block_size" to ".*block_align" to better represent their actual (and only) use. Rename "block_sz" in esp_encrypt to "esp_align" and set it correctly as well. test: ipsec: Add unit-test to test for RFC correct padding/alignment test: patch scapy to not incorrectly pad ccm, ctr, gcm modes as well - Scapy is also incorrectly using the AES block size of 16 to pad CCM, CTR, and GCM cipher modes. A bug report has been opened with the and acknowledged with the upstream scapy project as well: https://github.com/secdev/scapy/issues/2322 Ticket: VPP-1928 Type: fix Signed-off-by: Christian Hopps <chopps@labn.net> Change-Id: Iaa4d6a325a2e99fdcb2c375a3395bcfe7947770e
2020-05-05ipsec: User can choose the UDP source portNeale Ranns1-2/+12
Type: feature thus allowing NAT traversal, Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: Ie8650ceeb5074f98c68d2d90f6adc2f18afeba08 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2020-05-04fib: midchain adjacency optimisationsNeale Ranns1-17/+11
Type: improvement - inline some common encap fixup functions into the midchain rewrite node so we don't incur the cost of the virtual function call - change the copy 'guess' from ethernet_header (which will never happen) to an ip4 header - add adj-midchain-tx to multiarch sources - don't run adj-midchain-tx as a feature, instead put this node as the adj's next and at the end of the feature arc. - cache the feature arc config index (to save the cache miss going to fetch it) - don't check if features are enabled when taking the arc (since we know they are) the last two changes will also benefit normal adjacencies taking the arc (i.e. for NAT, ACLs, etc) for IPSec: - don't run esp_encrypt as a feature, instead when required insert this node into the adj's next and into the end of the feature arc. this implies that encrypt is always 'the last feature' run, which is symmetric with decrypt always being the first. - esp_encrpyt for tunnels has adj-midchain-tx as next node Change-Id: Ida0af56a704302cf2d7797ded5f118a781e8acb7 Signed-off-by: Neale Ranns <nranns@cisco.com>
2020-04-30crypto: introduce async crypto infraFan Zhang1-1/+8
Type: feature Signed-off-by: Damjan Marion <damarion@cisco.com> Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com> Signed-off-by: Dariusz Kazimierski <dariuszx.kazimierski@intel.com> Signed-off-by: Piotr Kleski <piotrx.kleski@intel.com> Change-Id: I4c3fcccf55c36842b7b48aed260fef2802b5c54b
2020-02-11ipsec: add support for chained buffersFilip Tehlar1-0/+4
Type: feature Change-Id: Ie072a7c2bbb1e4a77f7001754f01897efd30fc53 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-01-22ipsec: re-enable DPDK IPSec for tunnel decap/encap (VPP-1823)Neale Ranns1-0/+10
Type: fix Change-Id: Iff9b1960b122f7d326efc37770b4ae3e81eb3122 Signed-off-by: Neale Ranns <nranns@cisco.com>
2020-01-04ipsec: Targeted unit testingNeale Ranns1-4/+8
Type: fix 1 - big packets; chained buffers and those without enoguh space to add ESP header 2 - IPv6 extension headers in packets that are encrypted/decrypted 3 - Interface protection with SAs that have null algorithms Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: Ie330861fb06a9b248d9dcd5c730e21326ac8e973
2019-12-17ipsec: bind an SA to a workerNeale Ranns1-4/+23
the sequence number increment and the anti-replay window checks must be atomic. Given the vector nature of VPP we can't simply use atomic increments for sequence numbers, since a vector on thread 1 with lower sequence numbers could be 'overtaken' by packets on thread 2 with higher sequence numbers. The anti-replay logic requires a critical section, not just atomics, and we don't want that. So when the SA see the first packet it is bound to that worker all subsequent packets, that arrive on a different worker, are subject to a handoff. Type: feature Change-Id: Ia20a8645fb50622ea6235ab015a537f033d531a4 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-12-03ipsec: Changes to make ipsec encoder/decoders reusable by the pluginsPrashant Maheshwari1-0/+1
Type: fix Signed-off-by: Prashant Maheshwari <pmahesh2@cisco.com> Change-Id: I81b937fc8cfec36f8fb5de711ffbb02f23f3664e Signed-off-by: Prashant Maheshwari <pmahesh2@cisco.com>
2019-11-08ipsec: remove dedicated IPSec tunnelsNeale Ranns1-4/+0
APIs for dedicated IPSec tunnels will remain in this release and are used to programme the IPIP tunnel protect. APIs will be removed in a future release. see: https://wiki.fd.io/view/VPP/IPSec Type: feature Change-Id: I0f01f597946fdd15dfa5cae3643104d5a9c83089 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-09-30ipsec: add insecure option for format of SAChristian E. Hopps1-0/+1
If specified, shows keys, otherwise redacts. This change sets this flag in the existing CLI code (thus maintaining the old behavior). The use case for not specifying the insecure flag (and thus redacting the keys from the show output) is for log messages. Type: feature Signed-off-by: Christian E. Hopps <chopps@chopps.org> Change-Id: I8c0ab6a9a8aba7c687a2559fa1a23fac9d0aa111
2019-07-12ipsec: drop outbound ESP when no crypto alg setMatthew Smith1-0/+7
Type: fix If a tunnel interface has the crypto alg set on the outbound SA to IPSEC_CRYPTO_ALG_NONE and packets are sent out that interface, the attempt to write an ESP trailer on the packet occurs at the wrong offset and the vnet buffer opaque data is corrupted, which can result in a SEGV when a subsequent node attempts to use that data. When an outbound SA is set on a tunnel interface which has no crypto alg set, add a node to the ip{4,6}-output feature arcs which drops all packets leaving that interface instead of adding the node which would try to encrypt the packets. Change-Id: Ie0ac8d8fdc8a035ab8bb83b72b6a94161bebaa48 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2019-06-18ipsec: ipsec-tun protectNeale Ranns1-0/+2
please consult the new tunnel proposal at: https://wiki.fd.io/view/VPP/IPSec Type: feature Change-Id: I52857fc92ae068b85f59be08bdbea1bd5932e291 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-25IPSEC; dpdk backend for tunnel interface encryptionNeale Ranns1-0/+10
Change-Id: Ide2a9df18db371c8428855d7f12f246006d7c04c Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-25crypto: improve key handlingDamjan Marion1-0/+2
Change-Id: If96f661d507305da4b96cac7b1a8f14ba90676ad Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-04-16IPSEC: support GCM in ESPNeale Ranns1-0/+1
Change-Id: Id2ddb77b4ec3dd543d6e638bc882923f2bac011d Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-07crypto: add support for AEAD and AES-GCMDamjan Marion1-3/+3
Change-Id: Iff6f81a49b9cff5522fbb4914d47472423eac5db Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-04-04ipsec: trunc_size -> icv_sizeDamjan Marion1-1/+1
Change-Id: Idb661261c2191adda963a7815822fd7a27a9e7a0 Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-04-03IPSEC: show CLI improvementsNeale Ranns1-0/+6
Change-Id: I48a4b0a16f71cbab04dd0955d3ec4001074b57ed Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-28IPSEC: run encrpyt as a feautre on the tunnelNeale Ranns1-0/+8
Change-Id: I6527e3fd8bbbca2d5f728621fc66b3856b39d505 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-26ipsec: esp-encrypt reworkDamjan Marion1-0/+9
Change-Id: Ibe7f806b9d600994e83c9f1be526fdb0a1ef1833 Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-03-21ipsec: add ipv6 support for ipsec tunnel interfaceKingwel Xie1-2/+4
Change-Id: I6a76907dc7bed2a81282b63669bea2219d6903c9 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com> Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
2019-03-19crypto: introduce crypto infraDamjan Marion1-42/+12
Change-Id: Ibf320b3e7b054b686f3af9a55afd5d5bda9b1048 Signed-off-by: Damjan Marion <damarion@cisco.com> Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2019-03-06ipsec: esp-encrypt and esp-decrypt cleanupDamjan Marion1-23/+0
Change-Id: I1e431aa36a282ca7565c6618a940d591674b8cd2 Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-03-06IPSEC: tunnel encap/decap dual loop speedupsNeale Ranns1-1/+0
baseline: ipsec0-tx 1.27e1 ipsec-if-input 8.19e1 this change: ipsec0-tx 6.17e0 ipsec-if-input 6.39e1 this also fixes the double tunnel TX counts by removing the duplicate from the TX node. Change-Id: Ie4608acda08dc653b6fb9e2c85185d83625efd40 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-01IPSEC: tunnel-input; don't load the HW interface structNeale Ranns1-0/+1
also fix the stats to include all the data in the tunnel. And don't load the SA. Change-Id: I7cd2e8d879f19683175fd0de78a606a2836e6da2 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-22IPSEC: header exportsNeale Ranns1-1/+0
Change-Id: I7d48a4e236c6e7b11b0c9750a30fb68e829d64a5 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-07IPSEC: remove unused members of main structNeale Ranns1-4/+0
Change-Id: Ib55deb620f4f58cac07da7cb69418a3a30ff3136 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-05IPSEC: SPD counters in the stats sgementNeale Ranns1-3/+3
- return the stats_index of each SPD in the create API call - no ip_any in the API as this creates 2 SPD entries. client must add both v4 and v6 explicitly - only one pool of SPD entries (rhter than one per-SPD) to support this - no packets/bytes in the dump API. Polling the stats segment is much more efficient (if the SA lifetime is based on packet/bytes) - emit the policy index in the packet trace and CLI commands. Change-Id: I7eaf52c9d0495fa24450facf55229941279b8569 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-01IPSEC: minor refactorNeale Ranns1-266/+5
No function change. Only breaking the monster ipsec.[hc] into smaller constituent parts Change-Id: I3fd4d2d041673db5865d46a4002f6bd383f378af Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-01-31IPSEC: API modernisationNeale Ranns1-2/+4
- use enums to enumerate the algoritms and protocols that are supported - use address_t types to simplify encode/deocde - use typedefs of entry objects to get consistency between add/del API and dump Change-Id: I7e7c58c06a150e2439633ba9dca58bc1049677ee Signed-off-by: Neale Ranns <nranns@cisco.com>
2018-12-11Add IPSec interface FIB index for TX packetPierre Pfister1-0/+2
This patch adds a configuration parameter to IPSec tunnels, enabling custom FIB selection for encapsulated packets. Although this option could also be used for policy-based IPSec, this change only enables it for virtual-tunnel-interface mode. Note that this patch does change the API default behavior regarding TX fib selection for encapsulated packets. Previous behavior was to use the same FIB after and before encap. The new default behavior consists in using the FIB 0 as default. Change-Id: I5c212af909940a8cf6c7e3971bdc7623a2296452 Signed-off-by: Pierre Pfister <ppfister@cisco.com>
2018-11-29ipsec: move ipsec defs to ipsec.hKlement Sekera1-0/+54
Change-Id: Ia3dcd98edb6188deb96a3a99d831e71b2ffa0060 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-11-15ipsec: infra for selecting backendsKlement Sekera1-41/+104
Change-Id: Ifa6d8391b1b2413a88b7720fc434e0bc849a149a Signed-off-by: Klement Sekera <ksekera@cisco.com> Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-10-22ipsec: split ipsec nodes into ip4/ip6 nodesKlement Sekera1-22/+36
Change-Id: Ic6b27659f1fe9e8df39e80a0441305e4e952195a Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-09-24Trivial: Clean up some typos.Paul Vinciguerra1-2/+2
Change-Id: I085615fde1f966490f30ed5d32017b8b088cfd59 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2018-08-03ipsec: add udp-encap option to debug cli commandsRadu Nicolau1-2/+2
Change-Id: I3195afd952f6783da87224d7ceb9df13ddd39459 Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
2018-07-19Remove unused argument to vlib_feature_nextDamjan Marion1-2/+1
Change-Id: Ieb8b53977fc8484c19780941e232ee072b667de3 Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-07-11avoid using thread local storage for thread indexDamjan Marion1-1/+1
It is cheaper to get thread index from vlib_main_t if available... Change-Id: I4582e160d06d9d7fccdc54271912f0635da79b50 Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-06-24Revert "Revert "ipsec: VPP-1316 calculate IP/TCP/UDP inner checksums""Klement Sekera1-2/+0
This reverts commit e0d2bd6bd7fc59c0c6ac48195d7f825dc99bfd91. Change-Id: If491e16f9ea66b2493a6a7c7f3c684ed585f8f51 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-06-22Revert "ipsec: VPP-1316 calculate IP/TCP/UDP inner checksums"Ole Troan1-0/+2
This reverts commit a98346f664aae148d26a8e158008b773d73db96f. Change-Id: Iee5b3a5ddff0e8fd3a30fe5973cee24de434fe12 Signed-off-by: Ole Troan <ot@cisco.com>
2018-06-21ipsec: VPP-1316 calculate IP/TCP/UDP inner checksumsKlement Sekera1-2/+0
Calculate IP/TCP/UDP checksums in software before adding authentication. Change-Id: I3e121cb00aeba667764f39ade8d62170f18f8b6b Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-06-20ipsec: VPP-1308 fix sorting of SPD entriesKlement Sekera1-0/+3
Change-Id: I761aced55b7cef51a9b47048283b2cb9430bcde2 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-05-09ipsec: support UDP encap/decap for NAT traversalKlement Sekera1-1/+3
Change-Id: I65c12617ad49e4d5ef242e53988782f0cefa5684 Signed-off-by: Klement Sekera <ksekera@cisco.com>