summaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec/ipsec_if.c
AgeCommit message (Collapse)AuthorFilesLines
2019-07-12ipsec: drop outbound ESP when no crypto alg setMatthew Smith1-4/+23
Type: fix If a tunnel interface has the crypto alg set on the outbound SA to IPSEC_CRYPTO_ALG_NONE and packets are sent out that interface, the attempt to write an ESP trailer on the packet occurs at the wrong offset and the vnet buffer opaque data is corrupted, which can result in a SEGV when a subsequent node attempts to use that data. When an outbound SA is set on a tunnel interface which has no crypto alg set, add a node to the ip{4,6}-output feature arcs which drops all packets leaving that interface instead of adding the node which would try to encrypt the packets. Change-Id: Ie0ac8d8fdc8a035ab8bb83b72b6a94161bebaa48 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2019-07-12ipsec: Reference count the SAsNeale Ranns1-40/+35
- this remove the need to iterate through all state when deleting an SA - and ensures that if the SA is deleted by the client is remains for use in any state until that state is also removed. Type: feature Change-Id: I438cb67588cb65c701e49a7a9518f88641925419 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-06-18ipsec: ipsec-tun protectNeale Ranns1-82/+2
please consult the new tunnel proposal at: https://wiki.fd.io/view/VPP/IPSec Type: feature Change-Id: I52857fc92ae068b85f59be08bdbea1bd5932e291 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-06-17ipsec: return original SA create error for tunnel createNeale Ranns1-2/+2
rather than SRC/DST address error which is not so helpfull Type: fix Fixes: af3f0783 Change-Id: Ie2143e4e29de87d93e79bd96284c041bdbffd98e Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-06-07ipsec: remove the set_key APINeale Ranns1-59/+0
there's no use case to just change the key of an SA. instead the SA should be renegociated and the new SA applied to the existing SPD entry or tunnel. the set_key functions were untested. Type: refactor Change-Id: Ib096eebaafb20be7b5501ece5a24aea038373002 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-25IPSEC; dpdk backend for tunnel interface encryptionNeale Ranns1-16/+22
Change-Id: Ide2a9df18db371c8428855d7f12f246006d7c04c Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-25crypto: improve key handlingDamjan Marion1-0/+13
Change-Id: If96f661d507305da4b96cac7b1a8f14ba90676ad Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-04-18IPSEC: tunnel rekey fix and test (VPP-1652)Neale Ranns1-21/+24
Change-Id: I1c2b3e40c689bedcdcea7887792b6b6b6aeb48d5 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-16IPSEC: support GCM in ESPNeale Ranns1-0/+2
Change-Id: Id2ddb77b4ec3dd543d6e638bc882923f2bac011d Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-02IPSEC: tunnel scaling - don't stack the inbould SANeale Ranns1-1/+1
Change-Id: I0b47590400aebea09aa1b27de753be638e1ba870 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-29IPSEC-GRE: fixes and API update to common types.Neale Ranns1-5/+10
Change-Id: Icdcbac7453baa837a9c0c4a2401dff4a6aa6cba0 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-29IPSEC: tunnel fragmentationNeale Ranns1-0/+3
Change-Id: I63741a22bc82f5f861e1c0f26a93b5569cc52061 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-28ipsec: USE_EXTENDED_SEQ_NUM -> USE_ESNDamjan Marion1-1/+1
Change-Id: Ib828ea5106f3ae280e4ce233f2462dee363580b7 Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-03-28IPSEC: fix build breakage from ships in the night mergesNeale Ranns1-2/+6
Change-Id: Iec7da9adc970d005cd7d3d42839b5e51b0b5f5c3 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-28IPSEC: run encrpyt as a feautre on the tunnelNeale Ranns1-119/+95
Change-Id: I6527e3fd8bbbca2d5f728621fc66b3856b39d505 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-27ipsec: compress ipsec_sa_t so data used by dataplane code fits in cachelineDamjan Marion1-4/+6
Change-Id: I81ecdf9fdcfcb017117b47dc031f93208e004d7c Signed-off-by: Damjan Marion <damarion@cisco.com> Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-26IPSEC: more expressive API errorsNeale Ranns1-2/+2
Change-Id: I517a7bdae03abfea58451819e7854974397d77f8 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-21ipsec: add ipv6 support for ipsec tunnel interfaceKingwel Xie1-49/+131
Change-Id: I6a76907dc7bed2a81282b63669bea2219d6903c9 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com> Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
2019-03-20IPSEC: Tunnel SA not deletedNeale Ranns1-3/+6
p is overwritten by hash_unset so an incorrect value is passed to ipsec_sa_del Change-Id: I97300dd4421c62d7cfa47b8e7e9789becb2370e9 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-20ipsec: keep crypto data inside SADamjan Marion1-4/+4
Change-Id: Ie8986bd3652d25c4befe681cea77df95aba37ebc Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-03-07ipsec: ipsec-if optimizations & bug fixesKingwel Xie1-0/+4
1. changed to vlib_buffer_enqueue_to_next 2. error counter fixes; stats added to last_sw_if_index when interface changed 3. udp-encap support Change-Id: I70b0814aa37181fea4d70fa3c96c608adb5afe49 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2019-03-06IPSEC: tunnel encap/decap dual loop speedupsNeale Ranns1-88/+69
baseline: ipsec0-tx 1.27e1 ipsec-if-input 8.19e1 this change: ipsec0-tx 6.17e0 ipsec-if-input 6.39e1 this also fixes the double tunnel TX counts by removing the duplicate from the TX node. Change-Id: Ie4608acda08dc653b6fb9e2c85185d83625efd40 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-01IPSEC: tunnel-input; don't load the HW interface structNeale Ranns1-7/+21
also fix the stats to include all the data in the tunnel. And don't load the SA. Change-Id: I7cd2e8d879f19683175fd0de78a606a2836e6da2 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-11IPSEC-tun: The tunnel DB uses the network order SPI to save the byte swap in ↵Neale Ranns1-6/+10
the DP Change-Id: I78a1c39682d5afd356a3cfe70097fc682e8cb938 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-11ipsec: multi-arch, next-node-index cleanupKingwel Xie1-4/+6
1. specify ipsec_xxx_node.c in MULTIARCH_SOURCES 2. cleanup foreach_ipsec_output_next & foreach_ipsec_input_next, as next-nodes are actually added by ipsec_register_xx_backend dynamically thus, ipsec4-input-feature will point to ah4/esp4-encrypt, instead of pointing to ah6/esp6-encrypt 3. remove an unused count and add counter IPSEC_INPUT_ERROR_RX_MATCH_PKTS in ipsec-input Change-Id: Ifcf167812d2cc18187c2cea84b657a52b67e17d4 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2019-02-07IPSEC: no second lookup after tunnel encapNeale Ranns1-76/+71
in the same maaner as with other tunnel tyeps we use the FIB to cache and track the destination used to reach the tunnel endpoint. Post encap we can then ship the packet straight to this adjacency and thus elide the costly second lookup. - SA add and del function so they can be used both directly from the API and for tunnels. - API change for the SA dump to use the SA type - ipsec_key_t type for convenience (copying, [un]formating) - no matching tunnel counters in ipsec-if-input Change-Id: I9d144a59667f7bf96442f4ca66bef5c1d3c7f1ea Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-01-30ipsec: fix check support functionsKlement Sekera1-0/+2
Change-Id: If94c57fbb07a7376a9f2873e1489c00b28152620 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-12-12fix spurious error setting SA on ipsec intfMatthew Smith1-1/+1
Reverse the polarity on test to determine if old SA session deletion succeeded. 0 == success, not failure. Change-Id: I499cb04c7f13165e6c92367d4385057b77fe3836 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-12-11Add IPSec interface FIB index for TX packetPierre Pfister1-0/+8
This patch adds a configuration parameter to IPSec tunnels, enabling custom FIB selection for encapsulated packets. Although this option could also be used for policy-based IPSec, this change only enables it for virtual-tunnel-interface mode. Note that this patch does change the API default behavior regarding TX fib selection for encapsulated packets. Previous behavior was to use the same FIB after and before encap. The new default behavior consists in using the FIB 0 as default. Change-Id: I5c212af909940a8cf6c7e3971bdc7623a2296452 Signed-off-by: Pierre Pfister <ppfister@cisco.com>
2018-11-15ipsec: infra for selecting backendsKlement Sekera1-39/+17
Change-Id: Ifa6d8391b1b2413a88b7720fc434e0bc849a149a Signed-off-by: Klement Sekera <ksekera@cisco.com> Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-10-23c11 safe string handling supportDave Barach1-4/+4
Change-Id: Ied34720ca5a6e6e717eea4e86003e854031b6eab Signed-off-by: Dave Barach <dave@barachs.net>
2018-10-22ipsec: split ipsec nodes into ip4/ip6 nodesKlement Sekera1-4/+4
Change-Id: Ic6b27659f1fe9e8df39e80a0441305e4e952195a Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-08-03ipsec: add udp-encap option to debug cli commandsRadu Nicolau1-0/+2
Change-Id: I3195afd952f6783da87224d7ceb9df13ddd39459 Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
2018-07-11avoid using thread local storage for thread indexDamjan Marion1-1/+1
It is cheaper to get thread index from vlib_main_t if available... Change-Id: I4582e160d06d9d7fccdc54271912f0635da79b50 Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-07-08Fix IPsec intf tx node setup at intf creationMatthew Smith1-2/+2
When using a DPDK cryptodev with IPsec, sending outbound packets results in a crash on division by zero if using an algorithm not supported by the OpenSSL ESP nodes. This includes AES-GCM and MD5. At IPsec intf creation time, the next node at slot IPSEC_OUTPUT_NEXT_ESP_ENCRYPT for ipsec_if_tx_node_fn is set to the node named esp-encrypt. This is the OpenSSL ESP encrypt function. If DPDK cryptodevs are configured, dpdk-esp-encrypt is the correct next node. Change to setting the next node according to the value in ipsec_main.esp_encrypt_node_index. That value is set to esp-encrypt by default. If DPDK cryptodevs are configured it gets set to dpdk-esp-encrypt. Change-Id: I83896c76b975d74aead247a162c85eccca9575a8 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-06-24Revert "Revert "ipsec: VPP-1316 calculate IP/TCP/UDP inner checksums""Klement Sekera1-7/+131
This reverts commit e0d2bd6bd7fc59c0c6ac48195d7f825dc99bfd91. Change-Id: If491e16f9ea66b2493a6a7c7f3c684ed585f8f51 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-06-22Revert "ipsec: VPP-1316 calculate IP/TCP/UDP inner checksums"Ole Troan1-131/+7
This reverts commit a98346f664aae148d26a8e158008b773d73db96f. Change-Id: Iee5b3a5ddff0e8fd3a30fe5973cee24de434fe12 Signed-off-by: Ole Troan <ot@cisco.com>
2018-06-21ipsec: VPP-1316 calculate IP/TCP/UDP inner checksumsKlement Sekera1-7/+131
Calculate IP/TCP/UDP checksums in software before adding authentication. Change-Id: I3e121cb00aeba667764f39ade8d62170f18f8b6b Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-04-19Allow an IPsec tunnel interface to be renumberedMatthew Smith1-28/+29
When creating an IPsec tunnel interface, allow a numeric identifier to be set for use in the interface's name in place of the dev instance. Default to using the dev instance if no value is explicitly set. When an IPsec tunnel is deleted, the interface is deleted now instead of being kept in a pool of available hw interfaces. Otherwise there was the possibility of conflicting tx node names between deleted tunnels and newly created ones. Change-Id: Ic525466622a0dec38a845fa5871c084f6d9da380 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-04-10Make IPsec tunnel intf work with IPv4 output featuresMatthew Smith1-0/+7
With no IPv4 output features on an IPsec tunnel inferface, when packets are forwarded to that interface, they reach the ipsec-if-output node via the output_node_index on the hw interface and they are handled correctly. When an IPv4 output feature (e.g. output ACL, outbound NAT) is enabled on an IPsec tunnel interface, outbound IPsec stops working for that interface. The last node in the ip4-output feature arc is interface-output. From there a packet is sent to ipsec<N>-output, and then ipsec<N>-tx. The tx function for an IPsec tunnel interface that is called by ipsec<N>-tx is a dummy that doesn't do anything except write a warning message. Enable a feature on the interface-output feature arc for an IPsec tunnel interface so the ipsec-if-output node is reached from the interface-output node. Change-Id: Ia9c73d3932f5930ec7ce0791a0375b1d37148b01 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2017-11-10Fix bug in key calculation for IPsec tunnel interfaceMatthew Smith1-2/+2
When IPsec tunnel interface has the inbound SA updated, the key used to find the right interface for inbound packets was being generated using the destination address instead of the source. Change-Id: Id5a6fb1511637c912b329aad65188789646a5889 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2017-10-26Allow IPsec interface to have SAs resetMatthew Smith1-0/+79
Make it easier to integrate with external IKE daemon. IPsec interfaces can have one or both SAs replaced after creation. This allows for the possibility of setting a new child SA on an interface when rekeying occurs. It also allows for the possibility of creating an interface ahead of time and updating the SA when parameters that are negotiated during IKE exchange become known. Change-Id: I0a31afdcc2bdff7098a924a51abbc58bdab2bd08 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2017-10-05dpdk/ipsec: rework plus improved cli commandsSergio Gonzalez Monroy1-35/+43
This patch reworks the DPDK ipsec implementation including the cryptodev management as well as replacing new cli commands for better usability. For the data path: - The dpdk-esp-encrypt-post node is not necessary anymore. - IPv4 packets in the decrypt path are sent to ip4-input-no-checksum instead of ip4-input. The DPDK cryptodev cli commands are replaced by the following new commands: - show dpdk crypto devices - show dpdk crypto placement [verbose] - set dpdk crypto placement (<device> <thread> | auto) - clear dpdk crypto placement <device> [<thread>] - show dpdk crypto pools Change-Id: I47324517ede82d3e6e0e9f9c71c1a3433714b27b Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2017-05-24Add p2p flag to IPsec tunnel interface hw classMatthew Smith1-0/+1
Change-Id: I4ac05ee5974f5e7ab3685d325446a6e77048a948 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2017-05-17Use counters on ipsec tunnel interfacesMatthew Smith1-0/+9
Increment byte & packet counters when packets are sent or received on an IPsec tunnel interface. Set counters to zero when the interface is deleted. Change-Id: Ie9584aa82778875dd4d0c931005f7720b4d5c76d Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2017-05-15Add sw_if_index of tunnel interface to API reply for ipsec_tunnel_if_add_delMatthew Smith1-11/+11
Change-Id: If5158f6fa7344dee94548c93dace779430e0647f Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2017-04-06Use thread local storage for thread indexDamjan Marion1-1/+1
This patch deprecates stack-based thread identification, Also removes requirement that thread stacks are adjacent. Finally, possibly annoying for some folks, it renames all occurences of cpu_index and cpu_number with thread index. Using word "cpu" is misleading here as thread can be migrated ti different CPU, and also it is not related to linux cpu index. Change-Id: I68cdaf661e701d2336fc953dcb9978d10a70f7c1 Signed-off-by: Damjan Marion <damarion@cisco.com>
2017-01-30Fixed set int state up for ipsec interfacesRadu Nicolau1-2/+2
Change-Id: I2330cb7c2ba0f5eaeb4e7a4c3de4f22283d3923d Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
2017-01-27dpdk: rework cryptodev ipsec build and setupSergio Gonzalez Monroy1-21/+52
Build Cryptodev IPsec support by default when DPDK is enabled but only build hardware Cryptodev PMDs. To enable Cryptodev support, a new startup.conf option for dpdk has been introduced 'enable-cryptodev'. During VPP init, if Cryptodev support is not enabled or not enough cryptodev resources are available then default to OpenSSL ipsec implementation. Change-Id: I5aa7e0d5c2676bdb41d775ef40364536a081956d Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2016-12-28Reorganize source tree to use single autotools instanceDamjan Marion1-0/+372
Change-Id: I7b51f88292e057c6443b12224486f2d0c9f8ae23 Signed-off-by: Damjan Marion <damarion@cisco.com>