| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Type: improvement
on the dedicated IPSec interface, the SA describes the peer, so it is
not possible to forward to a peer for which there is no SA. Therefore if
an SA is added with NULL auth and integ then this explicitly states that
this is what the peer desires.
on the contrary on the IP-IP/GRE interface, in the absence of protection
and an SA, then the traffic is sent in the clear. So adding NULL
auth/crypto iSA is a means to describe that the peer should not be sent
traffic.
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I7ad2d466cc74eb7ff8c4c84e0d7897d06e2fcf86
|
|
Type: improvement
Change-Id: I0c82722dfce990345fe6eeecdb335678543367e0
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: improvement
Change-Id: Ica75c4e43d6198658a1954640c7ac56ea68bb39a
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
Change-Id: I6fdc4e952097e92ac3aa53e0be3ef99e0d801b28
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: feature
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: Ie8bd50df163aea2798e9f9d35a13dcadc4a4a4b2
|
|
Type: feature
thus allowing NAT traversal,
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: Ie8650ceeb5074f98c68d2d90f6adc2f18afeba08
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
|
|
Type: improvement
- inline some common encap fixup functions into the midchain
rewrite node so we don't incur the cost of the virtual function call
- change the copy 'guess' from ethernet_header (which will never happen) to an ip4 header
- add adj-midchain-tx to multiarch sources
- don't run adj-midchain-tx as a feature, instead put this node as the
adj's next and at the end of the feature arc.
- cache the feature arc config index (to save the cache miss going to fetch it)
- don't check if features are enabled when taking the arc (since we know they are)
the last two changes will also benefit normal adjacencies taking the arc (i.e. for NAT, ACLs, etc)
for IPSec:
- don't run esp_encrypt as a feature, instead when required insert this
node into the adj's next and into the end of the feature arc. this
implies that encrypt is always 'the last feature' run, which is
symmetric with decrypt always being the first.
- esp_encrpyt for tunnels has adj-midchain-tx as next node
Change-Id: Ida0af56a704302cf2d7797ded5f118a781e8acb7
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
Change-Id: I1068ff1d03883addb5fe1005a8b608eab17e4168
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: fix
There is a statically allocated array for inbound SAs which can hold
4 IDs. The input parameter containing the IDs of th inbound SAs is a
vector and Its possible to pass a vector with more than 4 elements
and write the memory past the end of the array. Fail if more than 4
SAs are passed in the vector.
Change-Id: I0c9d321c902d6366b8aff816d04e343dcbd110eb
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Type: improvement
allow clients that allocate punt reasons to pass a callback function
that is invoked when the first/last client registers to use/listen on
that punt reason. This allows the client to perform some necessary
configs that might not otherwise be enabled.
IPSec uses this callback to register the ESP proto and UDP handling
nodes, that would not otherwise be enabled unless a tunnel was present.
Change-Id: I9759349903f21ffeeb253d4271e619e6bf46054b
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: feature
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: Iaba2ab11bfaa1c8db4023434e3043ac39500f938
|
|
Type: fix
1 - big packets; chained buffers and those without enoguh space to add
ESP header
2 - IPv6 extension headers in packets that are encrypted/decrypted
3 - Interface protection with SAs that have null algorithms
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: Ie330861fb06a9b248d9dcd5c730e21326ac8e973
|
|
APIs for dedicated IPSec tunnels will remain in this release and are
used to programme the IPIP tunnel protect. APIs will be removed in a
future release.
see:
https://wiki.fd.io/view/VPP/IPSec
Type: feature
Change-Id: I0f01f597946fdd15dfa5cae3643104d5a9c83089
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
Change-Id: I4d5546d1f9b3a162291997f6f0c094c5c3d6cf31
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: feature
Change-Id: Ib2352ca4c7abf4645f21fa16aaaf27408890a2bf
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: feature
Change-Id: I87cc1168466f267e8c4bbec318401982f4bdf03a
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
- this remove the need to iterate through all state when deleting an SA
- and ensures that if the SA is deleted by the client is remains for use
in any state until that state is also removed.
Type: feature
Change-Id: I438cb67588cb65c701e49a7a9518f88641925419
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
please consult the new tunnel proposal at:
https://wiki.fd.io/view/VPP/IPSec
Type: feature
Change-Id: I52857fc92ae068b85f59be08bdbea1bd5932e291
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
Neale Ranns
Benoît Ganne
Matthew Smith
Filip Tehlar