aboutsummaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec
AgeCommit message (Collapse)AuthorFilesLines
2020-10-21ipsec: support for multipoint on ipsec interfacesNeale Ranns4-6/+63
Type: feature Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: Iae9fe35cfbce4c675fa25e0800c0f4629a83e012
2020-10-21ipsec: Add to the SA info directly in the bihashNeale Ranns5-81/+83
Type: improvement this save the cache miss on the protect structure. Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I867d5e49df5edfd6b368f17a34747f32840080e4
2020-10-21misc: minimize dependencies on udp.hFlorin Coras4-4/+3
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Id13f33843b230a1d169560742c4f7b2dc17d8718
2020-10-20ipsec: Stack the adj from the destination in the SA's TX tableNeale Ranns1-1/+1
Type: fix Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: Ib7f39243e051cdf44cc7151d14458a7fab42c6a8
2020-10-19ipsec: Layout and prefetching of SA structNeale Ranns3-26/+44
Type: improvement - collect all DP used variables onto 1st or 2nd cache line - prefetch the 2nd cache line - in encrypt prefetch the likely location of the trailer. Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I44d58f8d2d469ff71a4f4a71578e7cc1acaeba43
2020-10-16ipsec: fix instance, and cli del for new ipsec interfaceEric Kinzie2-4/+4
- use user instance number in interface name Restore the behavior of previous versions where the IPsec tunnel interface name contained the value of the user-provided instance number. For example, a command similar to create ipsec tunnel local-ip . . . instance 5 would result in the creation of interface "ipsec5". - ipsec: delete tunnel protection when asked The "ipsec tunnel protect" command will parse a "del" argument but does not undo the tunnel protection, leaving the SAs hanging around with reference counts that were incremented by a previous invocation of the command. Allow the tunnel protection to be deleted and also update the help text to indicate that deletion is an option. - test: ipsec: add test for ipsec interface instance Also cleanup (unconfig) after TestIpsecItf4 NULL algo test. Type: fix Fixes: dd4ccf2623b5 ("ipsec: Dedicated IPSec interface type") Signed-off-by: Eric Kinzie <ekinzie@labn.net> Signed-off-by: Christian Hopps <chopps@labn.net> Change-Id: Idb59ceafa0633040344473c9942b6536e3d941ce
2020-10-08ipsec: Allow SAs with NULL auth &crypto on IPSec interfaceNeale Ranns1-2/+3
Type: improvement on the dedicated IPSec interface, the SA describes the peer, so it is not possible to forward to a peer for which there is no SA. Therefore if an SA is added with NULL auth and integ then this explicitly states that this is what the peer desires. on the contrary on the IP-IP/GRE interface, in the absence of protection and an SA, then the traffic is sent in the clear. So adding NULL auth/crypto iSA is a means to describe that the peer should not be sent traffic. Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I7ad2d466cc74eb7ff8c4c84e0d7897d06e2fcf86
2020-10-05ipsec: Use bihash for tunnel lookupNeale Ranns6-123/+269
Type: improvement Change-Id: I0c82722dfce990345fe6eeecdb335678543367e0 Signed-off-by: Neale Ranns <nranns@cisco.com>
2020-09-17teib: Use ip_address_t not ip46_address_tNeale Ranns1-23/+5
Type: improvement Change-Id: Ica75c4e43d6198658a1954640c7ac56ea68bb39a Signed-off-by: Neale Ranns <nranns@cisco.com>
2020-09-17teib: Add adj-fibs for peers/adjacencies on p2mp interfaceNeale Ranns1-1/+3
Type: fix Change-Id: I6fdc4e952097e92ac3aa53e0be3ef99e0d801b28 Signed-off-by: Neale Ranns <nranns@cisco.com>
2020-09-16api: clean up use of deprecated flagOle Troan1-2/+2
The syntax of the deprecated flag has evolved. Clean up usage to be "option deprecated;". Type: fix Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: If2b639f275eb8db58b36c457f9245fe35a4d8cb1
2020-09-07ipsec: fix padding/alignment for native IPsec encryptionChristian Hopps5-19/+19
Not all ESP crypto algorithms require padding/alignment to be the same as AES block/IV size. CCM, CTR and GCM all have no padding/alignment requirements, and the RFCs indicate that no padding (beyond ESPs 4 octet alignment requirement) should be used unless TFC (traffic flow confidentiality) has been requested. CTR: https://tools.ietf.org/html/rfc3686#section-3.2 GCM: https://tools.ietf.org/html/rfc4106#section-3.2 CCM: https://tools.ietf.org/html/rfc4309#section-3.2 - VPP is incorrectly using the IV/AES block size to pad CTR and GCM. These modes do not require padding (beyond ESPs 4 octet requirement), as a result packets will have unnecessary padding, which will waste bandwidth at least and possibly fail certain network configurations that have finely tuned MTU configurations at worst. Fix this as well as changing the field names from ".*block_size" to ".*block_align" to better represent their actual (and only) use. Rename "block_sz" in esp_encrypt to "esp_align" and set it correctly as well. test: ipsec: Add unit-test to test for RFC correct padding/alignment test: patch scapy to not incorrectly pad ccm, ctr, gcm modes as well - Scapy is also incorrectly using the AES block size of 16 to pad CCM, CTR, and GCM cipher modes. A bug report has been opened with the and acknowledged with the upstream scapy project as well: https://github.com/secdev/scapy/issues/2322 Ticket: VPP-1928 Type: fix Signed-off-by: Christian Hopps <chopps@labn.net> Change-Id: Iaa4d6a325a2e99fdcb2c375a3395bcfe7947770e
2020-09-04ipsec: fix trace of GRE_teb packetsChristian Hopps1-2/+5
The issue is not easily hit. When GRE_teb packets are received the post crypto processing adjusts the l2.l2_len value in the vnet_buffer opaque data. This is overwriting the ipsec opaque data. Later the trace code fetches the sa_index from the ipsec opaque data. It's just an accident that this currently works, if the ipsec data is changed so that the sa_index moves around it will be overwritten by the l2_len modification. Indeed, this was found b/c local development changes had moved the sa_index so it was over-lapping with the l2_len memory space, and the UT failed. Type: fix Change-Id: Iaecfa750cf0b36653fd9e75b4d799f323a14d932 Signed-off-by: Christian Hopps <chopps@labn.net>
2020-09-04ipsec: cli: add missing flags for SA addChristian Hopps1-0/+12
Add missing cli options for setting IPsec SA flags, inbound, use-anti-replay, and use-esn. Type: fix Change-Id: Ia7a91b4b0a12be9e4dd0e684be3e04d8ccafb9d4 Signed-off-by: Christian Hopps <chopps@labn.net>
2020-09-02ipsec: add ipsec set async mode apiYulong Pei2-1/+26
Type: improvement Signed-off-by: Yulong Pei <yulong.pei@intel.com> Change-Id: I841f4407ed8c1a448e5102059fc79ae1f7d461de
2020-08-27ipsec: Deprecate old interface APINeale Ranns1-1/+3
Type: feature Change-Id: Ib5d7b7e4735a5dec6c3ed74068206a86782588ca Signed-off-by: Neale Ranns <nranns@cisco.com>
2020-08-20ipsec: fix esp paddingMilan Lenco1-1/+1
Type: fix Signed-off-by: Milan Lenco <milan.lenco@pantheon.tech> Change-Id: Ic8db52b41d7e5af3425099f008984e50afb3da74
2020-07-29ipsec: fix cli uninitialized parametersBenoît Ganne1-15/+37
Type: fix Change-Id: Ia5c1f928f6752314b278127d2446e973f03a5da8 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-07-21ipsec: Dedicated IPSec interface typeNeale Ranns7-19/+748
Type: feature Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: Ie8bd50df163aea2798e9f9d35a13dcadc4a4a4b2
2020-05-27ipsec: Add/Del IPSec SA is not MP safeNeale Ranns1-7/+0
Type: fix we can probably do better, but for now this is needed Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I07161f5ac07a70a0e6db6608ba31659d9bc2c9ed
2020-05-24ipsec: fixed chaining ops after add footer and icvPiotrX Kleski1-8/+11
In case there is no free space in first buffer for ICV and footer, additional buffer will be added, but esp_encrypt will stay in single buffer mode. The issue happens for the following payload sizes: - TCP packets with payload 1992 - ICMP packets with payload 2004 This fix moves the single/chained buffer ops selection to after esp_add_footer_and_icv call. Type: fix Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Signed-off-by: PiotrX Kleski <piotrx.kleski@intel.com> Change-Id: Ic5ceba418f738933f96edb3e489ca2d149033b79
2020-05-13ipsec: Support 4o6 and 6o4 for SPD tunnel mode SAsNeale Ranns2-38/+65
Type: feature the es4-encrypt and esp6-encrypt nodes need to be siblings so they both have the same edges for the DPO on which the tunnel mode SA stacks. Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I2126589135a1df6c95ee14503dfde9ff406df60a
2020-05-05ipsec: User can choose the UDP source portNeale Ranns9-24/+110
Type: feature thus allowing NAT traversal, Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: Ie8650ceeb5074f98c68d2d90f6adc2f18afeba08 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2020-05-04fib: midchain adjacency optimisationsNeale Ranns4-205/+120
Type: improvement - inline some common encap fixup functions into the midchain rewrite node so we don't incur the cost of the virtual function call - change the copy 'guess' from ethernet_header (which will never happen) to an ip4 header - add adj-midchain-tx to multiarch sources - don't run adj-midchain-tx as a feature, instead put this node as the adj's next and at the end of the feature arc. - cache the feature arc config index (to save the cache miss going to fetch it) - don't check if features are enabled when taking the arc (since we know they are) the last two changes will also benefit normal adjacencies taking the arc (i.e. for NAT, ACLs, etc) for IPSec: - don't run esp_encrypt as a feature, instead when required insert this node into the adj's next and into the end of the feature arc. this implies that encrypt is always 'the last feature' run, which is symmetric with decrypt always being the first. - esp_encrpyt for tunnels has adj-midchain-tx as next node Change-Id: Ida0af56a704302cf2d7797ded5f118a781e8acb7 Signed-off-by: Neale Ranns <nranns@cisco.com>
2020-04-30crypto: introduce async crypto infraFan Zhang8-708/+1862
Type: feature Signed-off-by: Damjan Marion <damarion@cisco.com> Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com> Signed-off-by: Dariusz Kazimierski <dariuszx.kazimierski@intel.com> Signed-off-by: Piotr Kleski <piotrx.kleski@intel.com> Change-Id: I4c3fcccf55c36842b7b48aed260fef2802b5c54b
2020-04-28ipsec: fix buffer allocFilip Tehlar1-1/+7
Type: fix Change-Id: I0f12c19b79df19b692f18ac13d6c32341853b764 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-04-24ipsec: add input node bypass/discard functionalityShivaShankarK3-164/+263
add bypass/discard functionality to ipsec4-input-feature node Type: feature Signed-off-by: ShivaShankarK <shivaashankar1204@gmail.com> Change-Id: I152a5dfee0296109cccabe349a330dbbe395cc6c
2020-04-16ipsec: fix use-after-freeBenoît Ganne1-1/+1
Type: fix Change-Id: I1068ff1d03883addb5fe1005a8b608eab17e4168 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-04-14ipsec: validate number of input sasMatthew Smith2-1/+9
Type: fix There is a statically allocated array for inbound SAs which can hold 4 IDs. The input parameter containing the IDs of th inbound SAs is a vector and Its possible to pass a vector with more than 4 elements and write the memory past the end of the array. Fail if more than 4 SAs are passed in the vector. Change-Id: I0c9d321c902d6366b8aff816d04e343dcbd110eb Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2020-04-02ipsec: provide stat index in sa detailsMatthew Smith2-3/+5
Type: improvement When IPsec SAs are dumped, include the index that can be used to find byte & packet counters for the SA in the stat segment. Removed the field total_data_size from the details since it was not being populated and put the stat index field in its place. Change-Id: If73efc230542a11944551b6e710b57b575450da3 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2020-03-31ipsec: use id in ipsec_tunnel_protect_detailsMatthew Smith1-4/+6
Type: fix The data populated into an ipsec_tunnel_protect_details message includes an outbound SA and a list of inbound SAs for a tunnel interface. These are populated with SA indices. The values used by an API client to refer to an SA in other messages is the SA id rather than the index. Use the SA id instead of the index. Change-Id: Ifaad32801092a7f87bd0dcf19de418d36613f8dd Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2020-03-31ipsec: fix chained ESPFilip Tehlar2-50/+145
This fixes a special case when buffer chain enters decrypt node and becomes a single buffer after decryption. Type: fix Change-Id: Id5da9e8a074f83ec3561949631ce613f35528312 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-03-31ipsec: fix udp-encap in transport modeAlexander Chernavin1-1/+7
Now UDP enacapsulation doesn't work in transport mode with crypto algorithms that have iv_sz=8 like AES GCM or 3DES CBC. That happens because the inserted UDP header overlaps with the old IP header and gets filled before the information from the old IP header can be copied to a new IP header. The result is a broken packet: 00:03:39:620863: esp4-encrypt-tun esp: sa-index 3 spi 3464048590 (0xce792fce) seq 31 sa-seq-hi 0 crypto aes-gcm-128 integrity none udp-encap-enabled 00:03:39:620867: adj-midchain-tx ... 00:03:39:620868: ip4-rewrite ... 00:03:39:620869: GigabitEthernet0/8/0-output GigabitEthernet0/8/0 IP4: 08:00:27:a9:6b:d6 -> 08:00:27:5a:dd:0c UDP: 10.255.0.10 -> 10.255.0.20 version 0, header length 0 tos 0x80, ttl 63, length 0, checksum 0x653e (should be 0xffff) dscp CS4 ecn NON_ECN fragment id 0x0000 UDP: 128 -> 0 length 0, checksum 0x0000 00:03:39:620870: GigabitEthernet0/8/0-tx GigabitEthernet0/8/0 tx queue 0 ... IP4: 08:00:27:a9:6b:d6 -> 08:00:27:5a:dd:0c UDP: 10.255.0.10 -> 10.255.0.20 version 0, header length 0 tos 0x80, ttl 63, length 0, checksum 0x653e (should be 0xffff) dscp CS4 ecn NON_ECN fragment id 0x0000 UDP: 128 -> 0 length 0, checksum 0x0000 With this commit, fill UDP header after copying the IP headers in transport mode. Type: fix Change-Id: Ie9a6e562aa05a8378114329d6a9ff395189fa6a8 Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2020-03-23ipsec: Revert "ipsec: fix chained ESP"Florin Coras2-144/+50
This reverts commit c2c1bfd9b72aec88526c06479b128725eb525866. Reason for revert: Seems it's breaking ipsec esp tests Type: fix Change-Id: Iac590eee23cbf92a10c62dafa789aa9c3b2284dd Signed-off-by: Florin Coras <fcoras@cisco.com>
2020-03-23ipsec: fix chained ESPFilip Tehlar2-50/+144
This fixes a special case when buffer chain enters decrypt node and becomes a single buffer after decryption. Type: fix Change-Id: I1d4da029b952baa97400adb7173aa63fd97d916b Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-03-23ipsec: increment no-tunnel counter in ipsec-tun-inputAlexander Chernavin1-0/+3
If "no-tunnel" error erises, you will not see it in the "show errors" output because the packet will be punted. That fact complicates troubleshooting. Type: improvement Change-Id: Ic08347f81131a4a73a05b66acbfb02797373f5ab Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2020-03-21ipsec: efficient layout of ESP per thread dataRajesh Goel1-3/+4
Type: fix Change-Id: I1ba921503a41ca37ce5c920682893617740571a9 Signed-off-by: Rajesh Goel <rajegoel@cisco.com>
2020-03-21ikev2: add support for custom ipsec-over-udp portFilip Tehlar4-10/+25
Type: feature Change-Id: Ifee2b3dca85ea915067b9285e3636802bf0c19a8 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-03-17ipsec: initialize algs to none in 'create ipsec tunnel' cliDamjan Marion1-2/+2
Type: fix Change-Id: I901c9384710eee5847b3fbce060c78e115ba4169 Signed-off-by: Damjan Marion <damarion@cisco.com>
2020-03-10ipsec: API cleanupJakub Grajciar2-25/+27
Use consistent API types. Change vl_api_ipsec_proto_t to iana values: ESP 50, AH 51, Type: fix Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com> Change-Id: I2becefb343246e0233f290fefbfdd172d8237325 Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
2020-03-05api: ipsec: add missing IS_INBOUND flag.Christian Hopps2-0/+6
External IKE daemons need to be able to flag an SA as inbound (just as the included ike plugin does). This commit adds this flag to the API. This change is backward bug-compatible as not setting the flag (old clients) continues to mean all SAs are created as outbound and fib nodes are created for them. The addition of this flag inhibits this forwarding node creation as well as properly flagging the SA as inbound. Ticket: VPP-1845 Type: fix Signed-off-by: Christian Hopps <chopps@labn.net> Change-Id: I195e32c430e51155fac2d9f33671e06ef42a3f7f
2020-02-26ipsec: Revert API cleanupOle Trøan2-27/+25
This reverts commit 666ece35cd2625bbd8b6ddadb6e87444a617df4d. Reason for revert: Awaiting CSIT CRC job to catch up Type: fix Change-Id: Ib38bbd5879ff761496a6819186f1af1dbee48590 Signed-off-by: Ole Troan <ot@cisco.com>
2020-02-26ipsec: API cleanupJakub Grajciar2-25/+27
Use consistent API types. Change vl_api_ipsec_proto_t to iana values: ESP 50, AH 51, Type: fix Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com> Change-Id: Ic961130ffa519d1c904d872c34f9a7461b1be77e Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
2020-02-25feature: provide a u16 version of vnet_feature_nextNeale Ranns1-3/+1
Type: improvement when using vlib_buffer_enqueue_to_next the 'nexts' parameter is an array of u16, but vnet_feautre_next takes a u32. this is a simple wrapper to address the impedence mismatch. Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I0fa86629e979e313344eb68442dc35a7b9537a8f
2020-02-25vlib: Punt reason allocation listener enable/disable callbackNeale Ranns3-23/+75
Type: improvement allow clients that allocate punt reasons to pass a callback function that is invoked when the first/last client registers to use/listen on that punt reason. This allows the client to perform some necessary configs that might not otherwise be enabled. IPSec uses this callback to register the ESP proto and UDP handling nodes, that would not otherwise be enabled unless a tunnel was present. Change-Id: I9759349903f21ffeeb253d4271e619e6bf46054b Signed-off-by: Neale Ranns <nranns@cisco.com>
2020-02-21ipsec: IPSec protection for multi-point tunnel interfacesNeale Ranns8-141/+556
Type: feature Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: Iaba2ab11bfaa1c8db4023434e3043ac39500f938
2020-02-17misc: fix coverity warningsDave Barach1-1/+1
Add an ALWAYS_ASSERT (...) macro, to (a) shut up coverity, and (b) check the indicated condition in production images. As in: p = hash_get(...); ALWAYS_ASSERT(p) /* was ASSERT(p) */ elt = pool_elt_at_index(pool, p[0]); This may not be the best way to handle a specific case, but failure to check return values at all followed by e.g. a pointer dereference isn't ok. Type: fix Ticket: VPP-1837 Signed-off-by: Dave Barach <dave@barachs.net> Change-Id: Ia97c641cefcfb7ea7d77ea5a55ed4afea0345acb
2020-02-11ipsec: add support for chained buffersFilip Tehlar3-97/+534
Type: feature Change-Id: Ie072a7c2bbb1e4a77f7001754f01897efd30fc53 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-02-10ipsec: fix AES-GCM block sizeDamjan Marion1-3/+6
Type: fix Change-Id: I0c9640dab2c0eaba369bc8f3ff7ae56d8e97e170 Signed-off-by: Damjan Marion <damarion@cisco.com>
2020-02-10ipsec: remove dead codeFilip Tehlar1-29/+0
Type: style Change-Id: Ifda9597bf4aee89cf1dfd287429a2772fed8f535 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>