summaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec/ipsec_cli.c
AgeCommit message (Collapse)AuthorFilesLines
2019-11-08ipsec: remove dedicated IPSec tunnelsNeale Ranns1-65/+90
APIs for dedicated IPSec tunnels will remain in this release and are used to programme the IPIP tunnel protect. APIs will be removed in a future release. see: https://wiki.fd.io/view/VPP/IPSec Type: feature Change-Id: I0f01f597946fdd15dfa5cae3643104d5a9c83089 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-09-30ipsec: add insecure option for format of SAChristian E. Hopps1-1/+2
If specified, shows keys, otherwise redacts. This change sets this flag in the existing CLI code (thus maintaining the old behavior). The use case for not specifying the insecure flag (and thus redacting the keys from the show output) is for log messages. Type: feature Signed-off-by: Christian E. Hopps <chopps@chopps.org> Change-Id: I8c0ab6a9a8aba7c687a2559fa1a23fac9d0aa111
2019-08-27ipsec: Add 'detail' option to 'sh ipsec sa'Neale Ranns1-4/+8
Type: feature with detail option prints all details for all SAs Change-Id: Ic3c423c085dfc849cf9c3e18a6f624b82150d961 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-07-16ipsec: handle UDP keepalivesNeale Ranns1-0/+52
Type: feature Change-Id: I87cc1168466f267e8c4bbec318401982f4bdf03a Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-07-12ipsec: Reference count the SAsNeale Ranns1-5/+5
- this remove the need to iterate through all state when deleting an SA - and ensures that if the SA is deleted by the client is remains for use in any state until that state is also removed. Type: feature Change-Id: I438cb67588cb65c701e49a7a9518f88641925419 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-07-11ipsec: Revert "IPSEC: remove byte swap operations in DP during SPD classify"Neale Ranns1-4/+0
Type: fix Fixes: 231c4696872cb344f28648949603840136c0795d This reverts commit 231c4696872cb344f28648949603840136c0795d. Change-Id: I136344555983dd10a31dbc000ee40e2de2c91291 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-06-18ipsec: ipsec-tun protectNeale Ranns1-1/+124
please consult the new tunnel proposal at: https://wiki.fd.io/view/VPP/IPSec Type: feature Change-Id: I52857fc92ae068b85f59be08bdbea1bd5932e291 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-06-14ipsec: Display user specified SPI ID not VPP's indexNeale Ranns1-1/+3
Type: fix Fixes: 8d7c502002 Change-Id: Ia6de250f20200c17937d9d7b2aab17ccd81d7823 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-06-07ipsec: remove the set_key APINeale Ranns1-131/+0
there's no use case to just change the key of an SA. instead the SA should be renegociated and the new SA applied to the existing SPD entry or tunnel. the set_key functions were untested. Type: refactor Change-Id: Ib096eebaafb20be7b5501ece5a24aea038373002 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-06-05IPSEC: some CLI fixesNeale Ranns1-4/+3
Change-Id: I45618347e37440263270baf07b2f82f653f754a5 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-05-15IPSEC: remove CLI check for unsupported IPv6-AH - it is supportedNeale Ranns1-22/+0
Change-Id: I72ec95d4a3009a55b0f1fa7e45f9c53f31ef5fc1 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-05-14IPSEC coverity fixesNeale Ranns1-1/+3
Change-Id: I753fbce091c0ba1004690be5ddeb04f463cf95a3 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-25IPSEC; dpdk backend for tunnel interface encryptionNeale Ranns1-8/+7
Change-Id: Ide2a9df18db371c8428855d7f12f246006d7c04c Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-23Fix a ipsec command line typoSimon Zhang1-1/+1
Change-Id: Ic75df36e06a77730ff8764f96d3cf53c4e59923b Signed-off-by: Simon Zhang <yuwei1.zhang@intel.com>
2019-04-17IPSEC: Pass the algorithm salt (used in GCM) over the APINeale Ranns1-2/+5
Change-Id: Ia8cea13f7b937294e6a080a55fb2ceff30063acf Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-16IPSEC: support GCM in ESPNeale Ranns1-1/+3
Change-Id: Id2ddb77b4ec3dd543d6e638bc882923f2bac011d Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-03IPSEC: show CLI improvementsNeale Ranns1-31/+146
Change-Id: I48a4b0a16f71cbab04dd0955d3ec4001074b57ed Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-21ipsec: add ipv6 support for ipsec tunnel interfaceKingwel Xie1-3/+2
Change-Id: I6a76907dc7bed2a81282b63669bea2219d6903c9 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com> Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
2019-03-19IPSEC: remove byte swap operations in DP during SPD classifyNeale Ranns1-0/+4
Change-Id: I4bfde738f9585b045cb5ba62cf51b141d639b1b2 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-19IPSEC: tidy the policy typesNeale Ranns1-2/+17
Change-Id: I5e981f12ff44243623cfd18d5e0ae06a7dfd1eb8 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-07ipsec: cli bug fixesKingwel Xie1-4/+8
1. fix wrong assignemnt of lik/rik 2. keys initialized to 0, to avoid using random data in stack. could cause memory overlapped then crash 3. show sa->id in hex format Change-Id: Id0430aa49bb55c27cee4f97f8c0e4ec87515dcd2 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2019-03-04IPSEC: script to bounce IPSEC traffic through a pipe to test encrypt and decrpytNeale Ranns1-0/+33
Change-Id: I262a9412951b5df616920a8fad16c61eae96d0cc Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-18IPSEC: move SA counters into the stats segmentNeale Ranns1-0/+1
1) stats are accessed via the stat segment which is more condusive to monitoring 2) stats are accurate in the presence of multiple threads. There's no guarantee that an SA is access from only one worker. Change-Id: Id5e217ea253ddfc9480aaedb0d008dea031b1148 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-12ipsec: cli bug fixKingwel Xie1-6/+23
1. unformat_ip46_address must have ip-type specified 2. cannot unformat ip46_address_t with unformat_ip4_address Change-Id: I5f1eecfe71a808302428afb39f910ebf0c7cef71 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2019-02-07IPSEC: no second lookup after tunnel encapNeale Ranns1-173/+71
in the same maaner as with other tunnel tyeps we use the FIB to cache and track the destination used to reach the tunnel endpoint. Post encap we can then ship the packet straight to this adjacency and thus elide the costly second lookup. - SA add and del function so they can be used both directly from the API and for tunnels. - API change for the SA dump to use the SA type - ipsec_key_t type for convenience (copying, [un]formating) - no matching tunnel counters in ipsec-if-input Change-Id: I9d144a59667f7bf96442f4ca66bef5c1d3c7f1ea Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-05IPSEC: SPD counters in the stats sgementNeale Ranns1-196/+15
- return the stats_index of each SPD in the create API call - no ip_any in the API as this creates 2 SPD entries. client must add both v4 and v6 explicitly - only one pool of SPD entries (rhter than one per-SPD) to support this - no packets/bytes in the dump API. Polling the stats segment is much more efficient (if the SA lifetime is based on packet/bytes) - emit the policy index in the packet trace and CLI commands. Change-Id: I7eaf52c9d0495fa24450facf55229941279b8569 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-04ipsec: cli 'create ipsec tunnel' more optionsKingwel Xie1-3/+7
use-esp use-anti-replay Change-Id: I977b65eee926adaded0cb923e14feb0ee90fc32c Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2019-01-25IPSEC: tests use opbject registryNeale Ranns1-1/+11
this means we test the dumps - to some extent Change-Id: I8d90745701012012b41a7b3aaf9be97b4dd2bdf8 Signed-off-by: Neale Ranns <nranns@cisco.com>
2018-12-11Add IPSec interface FIB index for TX packetPierre Pfister1-3/+13
This patch adds a configuration parameter to IPSec tunnels, enabling custom FIB selection for encapsulated packets. Although this option could also be used for policy-based IPSec, this change only enables it for virtual-tunnel-interface mode. Note that this patch does change the API default behavior regarding TX fib selection for encapsulated packets. Previous behavior was to use the same FIB after and before encap. The new default behavior consists in using the FIB 0 as default. Change-Id: I5c212af909940a8cf6c7e3971bdc7623a2296452 Signed-off-by: Pierre Pfister <ppfister@cisco.com>
2018-12-02IPSEC-AH: anti-replay testingNeale Ranns1-2/+4
Change-Id: Ia5d45db73e4bdb32214ed4f365d5eec8e28115f3 Signed-off-by: Neale Ranns <nranns@cisco.com>
2018-11-26Fix IPSec CLI key parsingPierre Pfister1-2/+2
strncpy stops copying when a byte set to 0 is read. The fix is to use mempcy instead. This patch also adds spd id to ipsec input trace. Change-Id: Ibed071d3607fa76c3f6ee065f94128f1aca9b2e2 Signed-off-by: Pierre Pfister <ppfister@cisco.com>
2018-11-15ipsec: infra for selecting backendsKlement Sekera1-3/+139
Change-Id: Ifa6d8391b1b2413a88b7720fc434e0bc849a149a Signed-off-by: Klement Sekera <ksekera@cisco.com> Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-10-23c11 safe string handling supportDave Barach1-4/+4
Change-Id: Ied34720ca5a6e6e717eea4e86003e854031b6eab Signed-off-by: Dave Barach <dave@barachs.net>
2018-09-24Trivial: Clean up some typos.Paul Vinciguerra1-3/+3
Change-Id: I085615fde1f966490f30ed5d32017b8b088cfd59 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2018-08-03ipsec: add udp-encap option to debug cli commandsRadu Nicolau1-4/+10
Change-Id: I3195afd952f6783da87224d7ceb9df13ddd39459 Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
2018-06-29ipsec: fix VPP-1333 - crash in ipsec policy cliKlement Sekera1-0/+6
Change-Id: I843d094b6bbd1cefba82d6026174be005e66d510 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-05-11VPP-1275 Fix memory leaks in IPsec CLIKlement Sekera1-54/+83
Change-Id: I1f7c634328f25b33580a215af2daeb498cd3b181 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-05-09ipsec: support UDP encap/decap for NAT traversalKlement Sekera1-3/+4
Change-Id: I65c12617ad49e4d5ef242e53988782f0cefa5684 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-05-04ipsec: allow null/null for crypto/integ algorithms pairRadu Nicolau1-2/+2
Change-Id: Ic1e189c22e3d344d165e0eab05ccb667eef088a9 Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
2018-04-19Allow an IPsec tunnel interface to be renumberedMatthew Smith1-1/+3
When creating an IPsec tunnel interface, allow a numeric identifier to be set for use in the interface's name in place of the dev instance. Default to using the dev instance if no value is explicitly set. When an IPsec tunnel is deleted, the interface is deleted now instead of being kept in a pool of available hw interfaces. Otherwise there was the possibility of conflicting tx node names between deleted tunnels and newly created ones. Change-Id: Ic525466622a0dec38a845fa5871c084f6d9da380 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2017-11-28IPSec AH protocol enhancement in VPP native core“mukeshyadav1984”1-3/+16
Change-Id: Iec5804d768485f4015bbf732d8d19ef2f24e6939 Signed-off-by: “mukeshyadav1984” <mukyadav@cisco.com>
2017-02-22VPP-635: CLI Memory leak with invalid parameterBilly McFall1-55/+122
In the CLI parsing, below is a common pattern: /* Get a line of input. */ if (!unformat_user (input, unformat_line_input, line_input)) return 0; while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) { if (unformat (line_input, "x")) x = 1; : else return clib_error_return (0, "unknown input `%U'", format_unformat_error, line_input); } unformat_free (line_input); The 'else' returns if an unknown string is encountered. There a memory leak because the 'unformat_free(line_input)' is not called. There is a large number of instances of this pattern. Replaced the previous pattern with: /* Get a line of input. */ if (!unformat_user (input, unformat_line_input, line_input)) return 0; while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) { if (unformat (line_input, "x")) x = 1; : else { error = clib_error_return (0, "unknown input `%U'", format_unformat_error, line_input); goto done: } } /* ...Remaining code... */ done: unformat_free (line_input); return error; } In multiple files, 'unformat_free (line_input);' was never called, so there was a memory leak whether an invalid string was entered or not. Also, there were multiple instance where: error = clib_error_return (0, "unknown input `%U'", format_unformat_error, line_input); used 'input' as the last parameter instead of 'line_input'. The result is that output did not contain the substring in error, instead just an empty string. Fixed all of those as well. There are a lot of file, and very mind numbing work, so tried to keep it to a pattern to avoid mistakes. Change-Id: I8902f0c32a47dd7fb3bb3471a89818571702f1d2 Signed-off-by: Billy McFall <bmcfall@redhat.com> Signed-off-by: Dave Barach <dave@barachs.net>
2017-01-27dpdk: rework cryptodev ipsec build and setupSergio Gonzalez Monroy1-21/+10
Build Cryptodev IPsec support by default when DPDK is enabled but only build hardware Cryptodev PMDs. To enable Cryptodev support, a new startup.conf option for dpdk has been introduced 'enable-cryptodev'. During VPP init, if Cryptodev support is not enabled or not enough cryptodev resources are available then default to OpenSSL ipsec implementation. Change-Id: I5aa7e0d5c2676bdb41d775ef40364536a081956d Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2016-12-28Reorganize source tree to use single autotools instanceDamjan Marion1-0/+807
Change-Id: I7b51f88292e057c6443b12224486f2d0c9f8ae23 Signed-off-by: Damjan Marion <damarion@cisco.com>