path: root/src/vnet/ipsec/ipsec_tun_in.c
Age | Commit message | Author | Files | Lines
2021-02-25 | ipsec: enable input features on tunnels | Brian Russell | 1 | -18/+25
Make the ipsec[46]-tun-input nodes siblings of device-input so that input features can be enabled on them. Register ipsec-tun for feature updates. When a feature is enabled on the device-input arc and the ifindex is an IPSec tunnel, change the end node of the arc for that ifindex to be the appropriate ESP decrypt node. Set a flag on the tunnel to indicate that the feature arc should be started for packets input on the tunnel. Test input policing on ESP IPSec tunnels.
Type: improvement
Signed-off-by: Brian Russell <brian@graphiant.com>
Change-Id: I3b9f047e5e737f3ea4c58fc82cd3c15700b6f9f7
2020-10-21 | ipsec: Add to the SA info directly in the bihash | Neale Ranns | 1 | -23/+21
Type: improvement
this saves the cache miss on the protect structure.
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I867d5e49df5edfd6b368f17a34747f32840080e4
2020-10-05 | ipsec: Use bihash for tunnel lookup | Neale Ranns | 1 | -29/+37
Type: improvement
Change-Id: I0c82722dfce990345fe6eeecdb335678543367e0
Signed-off-by: Neale Ranns <nranns@cisco.com>
2020-03-23 | ipsec: increment no-tunnel counter in ipsec-tun-input | Alexander Chernavin | 1 | -0/+3
If "no-tunnel" error arises, you will not see it in the "show errors" output because the packet will be punted. That fact complicates troubleshooting.
Type: improvement
Change-Id: Ic08347f81131a4a73a05b66acbfb02797373f5ab
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2020-02-21 | ipsec: IPSec protection for multi-point tunnel interfaces | Neale Ranns | 1 | -1/+1
Type: feature
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: Iaba2ab11bfaa1c8db4023434e3043ac39500f938
2020-01-22 | ipsec: re-enable DPDK IPSec for tunnel decap/encap (VPP-1823) | Neale Ranns | 1 | -9/+4
Type: fix
Change-Id: Iff9b1960b122f7d326efc37770b4ae3e81eb3122
Signed-off-by: Neale Ranns <nranns@cisco.com>
2020-01-04 | ipsec: Targeted unit testing | Neale Ranns | 1 | -52/+0
Type: fix
1 - big packets; chained buffers and those without enough space to add ESP header
2 - IPv6 extension headers in packets that are encrypted/decrypted
3 - Interface protection with SAs that have null algorithms
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: Ie330861fb06a9b248d9dcd5c730e21326ac8e973
2019-11-08 | ipsec: remove dedicated IPSec tunnels | Neale Ranns | 1 | -7/+8
APIs for dedicated IPSec tunnels will remain in this release and are used to programme the IPIP tunnel protect. APIs will be removed in a future release.
see: https://wiki.fd.io/view/VPP/IPSec
Type: feature
Change-Id: I0f01f597946fdd15dfa5cae3643104d5a9c83089
Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-10-31 | ipsec: fix esp trace seq number overflow | Benoît Ganne | 1 | -1/+3
Do not copy invalid seq number if packet is too small.
Type: fix
Change-Id: I1e78f5920e9645521f57efccaf35bbf9ce0676a8
Signed-off-by: Benoît Ganne <bganne@cisco.com>
2019-07-16 | ipsec: handle UDP keepalives | Neale Ranns | 1 | -6/+39
Type: feature
Change-Id: I87cc1168466f267e8c4bbec318401982f4bdf03a
Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-07-12 | ip ipsec: Remove IPSec SPI-0 punt reason | Neale Ranns | 1 | -11/+4
Type: fix
There's no call for an SPI-0 punt reason with UDP encap, since it's only with UDP encap that the ambiguity between IKE or IPSEC occurs (and SPI=0 determines IKE).
Enhance the punt API to dump only the reason requested, so a client can use this as a get-ID API
Change-Id: I5c6d72b03885e88c489117677e72f1ef5da90dfc
Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-06-18 | ipsec: ipsec-tun protect | Neale Ranns | 1 | -0/+436
please consult the new tunnel proposal at: https://wiki.fd.io/view/VPP/IPSec
Type: feature
Change-Id: I52857fc92ae068b85f59be08bdbea1bd5932e291
Signed-off-by: Neale Ranns <nranns@cisco.com>