aboutsummaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec
AgeCommit message (Collapse)AuthorFilesLines
2021-04-20ipsec: remove WITH_LIBSSL macrosDamjan Marion2-125/+3
We don't use libssl anymore... At least not directly. Type: improvement Change-Id: I9a0fab6e3c576d945498ce46f030bd26c1a14d15 Signed-off-by: Damjan Marion <damarion@cisco.com>
2021-04-07crypto: fix ops flags in crypto sw schedulerBenoît Ganne1-0/+2
The crypto op flags must be reset to frame flags minus invalid values depending of the operation, instead of forcing them to specific values. Type: fix Change-Id: Ib02c2a738bbca6962394b3c03088d516d0da56a0 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-03-25stats: python vpp_stats rewrite to access stat segment directlyOle Troan1-5/+4
This module implement Python access to the VPP statistics segment. It accesses the data structures directly in shared memory. VPP uses optimistic locking, so data structures may change underneath us while we are reading. Data is copied out and it's important to spend as little time as possible "holding the lock". Counters are stored in VPP as a two dimensional array. Index by thread and index (typically sw_if_index). Simple counters count only packets, Combined counters count packets and octets. Counters can be accessed in either dimension. stat['/if/rx'] - returns 2D lists stat['/if/rx'][0] - returns counters for all interfaces for thread 0 stat['/if/rx'][0][1] - returns counter for interface 1 on thread 0 stat['/if/rx'][0][1]['packets'] - returns the packet counter for interface 1 on thread 0 stat['/if/rx'][:, 1] - returns the counters for interface 1 on all threads stat['/if/rx'][:, 1].packets() - returns the packet counters for interface 1 on all threads stat['/if/rx'][:, 1].sum_packets() - returns the sum of packet counters for interface 1 on all threads stat['/if/rx-miss'][:, 1].sum() - returns the sum of packet counters for interface 1 on all threads for simple counters Type: refactor Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I1fe7f7c7d11378d06be8276db5e1900ecdb8f515 Signed-off-by: Ole Troan <ot@cisco.com>
2021-03-15ipsec: allow inbound non-tunnel SA through CLIMohammed Hawari1-6/+0
Change-Id: Ia304488900bd9236ab4e7cc6f17ae029ee6f2c00 Type: fix Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
2021-03-14ip: extend punt CLI for exception packetsMohammed Hawari2-9/+11
Change-Id: I20e48a5ac8068eccb8d998346d35227c4802bb68 Signed-off-by: Mohammed Hawari <mohammed@hawari.fr> Type: feature
2021-03-05ipsec: Support async mode per-SANeale Ranns10-204/+231
Type: feature This feautre only applies to ESP not AH SAs. As well as the gobal switch for ayncs mode, allow individual SAs to be async. If global async is on, all SAs are async. If global async mode is off, then if then an SA can be individually set to async. This preserves the global switch behaviour. the stratergy in the esp encrypt.decrypt nodes is to separate the frame into, 1) sync buffers, 2) async buffers and 3) no-op buffers. Sync buffer will undergo a cyrpto/ath operation, no-op will not, they are dropped or handed-off. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ifc15b10b870b19413ad030ce7f92ed56275d6791
2021-03-05ipsec: Submit fuller async framesNeale Ranns3-125/+117
Type: improvement In the current scheme an async frame is submitted each time the crypto op changes. thus happens each time a different SA is used and thus potentially many times per-node. thi can lead to the submision of many partially filled frames. change the scheme to construct as many full frames as possible in the node and submit them all at the end. the frame owner ship is passed to the user so that there can be more than one open frame per-op at any given time. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ic2305581d7b5aa26133f52115e0cd28ba956ed55
2021-02-26ipsec: move the IPSec SA pool out of ipsec_mainNeale Ranns13-84/+76
Type: refactor this allows the ipsec_sa_get funtion to be moved from ipsec.h to ipsec_sa.h where it belongs. Also use ipsec_sa_get throughout the code base. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I2dce726c4f7052b5507dd8dcfead0ed5604357df
2021-02-25tests: Add tests for IPSec async mode using the crypto SW schedulerNeale Ranns1-1/+2
Type: test Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Iabc8f2b09ee10a82aacebd36acfe8648cf69b7d7
2021-02-25ipsec: ipsec.h tidy upNeale Ranns6-56/+86
Type: refactor - remove the extern declaration of the nodes. keep the use of them to the files that declare them - remove duplicate declaration of ipsec_set_async_mode - remove unsued ipsec_add_feature Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I6ce7bb4517b508a8f02b11f3bc819e1c5d539c02
2021-02-25ipsec: enable input features on tunnelsBrian Russell3-22/+75
Make the ipsec[46]-tun-input nodes siblings of device-input so that input features can be enabled on them. Register ipsec-tun for feature updates. When a feature is enabled on the device-input arc and the ifindex is an IPSec tunnel, change the end node of the arc for that ifindex to be the appropriate ESP decrypt node. Set a flag on the tunnel to indicate that the feature arc should be started for packets input on the tunnel. Test input policing on ESP IPSec tunnels. Type: improvement Signed-off-by: Brian Russell <brian@graphiant.com> Change-Id: I3b9f047e5e737f3ea4c58fc82cd3c15700b6f9f7
2021-02-15vlib: refactor checksum offload supportMohsin Kazmi1-35/+40
Type: refactor This patch refactors the offload flags in vlib_buffer_t. There are two main reasons behind this refactoring. First, offload flags are insufficient to represent outer and inner headers offloads. Second, room for these flags in first cacheline of vlib_buffer_t is also limited. This patch introduces a generic offload flag in first cacheline. And detailed offload flags in 2nd cacheline of the structure for performance optimization. Change-Id: Icc363a142fb9208ec7113ab5bbfc8230181f6004 Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2021-02-12ipsec: Store thread-index in buffer meta-data during SA handoffNeale Ranns6-32/+19
Type: improvement negates the need to load the SA in the handoff node. don't prefetch the packet data, it's not needed. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I340472dc437f050cc1c3c11dfeb47ab09c609624
2021-02-10ipsec: Use the new tunnel API types to add flow label and TTL copyNeale Ranns13-259/+365
support Type: feature attmpet 2. this includes changes in ah_encrypt that don't use uninitialised memory when doing tunnel mode fixups. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ie3cb776f5c415c93b8a5ee22f22586fd0181110d
2021-02-09Revert "ipsec: Use the new tunnel API types to add flow label and TTL copy"Matthew Smith13-329/+230
This reverts commit c7eaa711f3e25580687df0618e9ca80d3dc85e5f. Reason for revert: The jenkins job named 'vpp-merge-master-ubuntu1804-x86_64' had 2 IPv6 AH tests fail after the change was merged. Those 2 tests also failed the next time that job ran after an unrelated change was merged. Change-Id: I0e2c3ee895114029066c82624e79807af575b6c0 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-02-08ipsec: Use the new tunnel API types to add flow label and TTL copyNeale Ranns13-230/+329
support Type: feature Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I6d4a9b187daa725d4b2cbb66e11616802d44d2d3
2021-02-08ipsec: Checking wrong DB for initialistationNeale Ranns1-17/+17
Type: fix Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I2325d311a6fd7343c7041dc516777f4db0029823
2021-02-08tunnel: support copying TTL and flow label from inner to outerNeale Ranns1-5/+4
Type: feature The added functionality is to support copying TTL and flow label from inner to outer. The .api was extened to support expressing this and also adding a common tunnel endpoint type. i find it best to make API changes in one patch so there are less versions of the API. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I755c1e3f4c475058792af39c1abeda92129efb76
2021-02-06ipsec: CLI improvement for udp port encapMohammed Hawari1-0/+5
Change-Id: I59f55db7209549ad43a1205470a2f5ea9ea8a1c7 Signed-off-by: Mohammed Hawari <mohammed@hawari.fr> Type: feature
2021-02-05ipsec: add support for AES CTRBenoît Ganne6-139/+182
Type: feature Change-Id: I9f7742cb12ce30592b0b022c314b71c81fa7223a Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-02-04ipsec: one thread index per-SANeale Ranns8-57/+36
Type: improvement AN SA is uni-drectional therefore it can be used only for encrypt or decrypt, not both. So it only needs one thread ID. free up some space on the 1st cacheline. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I21cb7cff70a763cbe2bffead860b574bc80b3136
2021-01-21ipsec: Honour IPSec SA table-ID over APINeale Ranns2-11/+9
Type: fix Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ib08fe356e4dc710dd60a96736c48b27129f06786
2021-01-21ipsec: Tunnelled packets are locally generatedNeale Ranns1-0/+1
Type: fix this means we 1) don't decrement TTL and (for v6) can fragment. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I0f718da7dcaba834ad495ae9242a9a58c9e7c184
2021-01-18ipsec: Support MPLS over IPSec[46] interfaceNeale Ranns7-101/+227
Type: feature Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I89dc3815eabfee135cd5b3c910dea5e2e2ef1333
2021-01-07ipsec: Deprecated the old IPsec Tunnel interfaceNeale Ranns5-594/+4
Type: fix it's been 2 releases since it was marked deprecated. Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I0eba7ed607826ed0d00e7d2d8f9b27d09e8e9a6e
2021-01-06ipsec: Mark the interface create reply deprecatedNeale Ranns1-0/+1
Type: fix I should have done this wehn i marked the request as deprecated. The reply also needs to be marked deprecated so the API compliance script can remove it along with the request. Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I8391257944b6cff7b32a01a479dd1dcab30cd33b
2021-01-05ipsec: ipsec cli nexthop erroryedg1-1/+1
Type: fix Signed-off-by: yedonggang <yedg@wangsu.com> Change-Id: Icc3681b591e6deb93c3ff1fda5f9471fa3c96cc6
2020-12-18ipsec: fixed esp_decrypt pkt len after icv movedPiotrX Kleski1-6/+11
Type: fix This change makes esp_move_icv() update pd->current_length if the first buffer's length is updated. In case that ICV is split over two buffers, esp_move_icv() copies ICV to last buffer, it also updates the before_last buffer's current_length. However, in esp_decrypt_post_crypto(), pd->current_lenght is used to update first buffer lenght, but pd is not updated in esp_move_icv() and the total pkt lenght ends up incorrect. This only happens in tunnel mode when ICV is split between 1st and 2nd buffers. Signed-off-by: PiotrX Kleski <piotrx.kleski@intel.com> Change-Id: Ic39d87454ec0d022c050775acb64c5c25ccf7f13
2020-12-14misc: move to new pool_foreach macrosDamjan Marion6-35/+35
Type: refactor Change-Id: Ie67dc579e88132ddb1ee4a34cb69f96920101772 Signed-off-by: Damjan Marion <damarion@cisco.com>
2020-12-01ipsec: change predictionFan Zhang2-2/+2
Type: improvement This patch changes the prediction of the comparison between SA owner thread index and the current thread index. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Change-Id: I48de0bb2c57dbb09cfab63925bf8dc96613d8bcf
2020-11-26gre: Move to new API generated types/messagesNeale Ranns1-1/+1
Type: improvement also clean up GRE includes across the code base. Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I90928b0da3927b7ca1a23683aa80d4b53bbf63fd
2020-11-25ipsec: A P2MP ipsec interface is NBMANeale Ranns1-0/+1
Type: fix Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I1922463683201215933e9f85b587d7c7123f3bfd
2020-11-09ipsec: fix unformat typesBenoît Ganne1-2/+2
ipsec_{crypto,integ}_alg_t are packed and smaller than u32. Callers are using those enums so unformat functions should too instead of u32 to not overflow the stack. Type: fix Change-Id: Ifc86366f1928ca6352f06f390a88ac64668289d5 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-11-06ipsec: add support for tx-table-id in cli + exampleBenoît Ganne2-3/+17
Type: improvement Change-Id: I840741dfe040718b682935cdbcb0ba958d45a591 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-11-02ipsec: Tunnel SA DSCP behaviourNeale Ranns9-41/+342
Type: feature - use tunnel_encap_decap_flags to control the copying of DSCP/ECN/etc during IPSEC tunnel mode encap. - use DSCP value to have fixed encap value. Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: If4f51fd4c1dcbb0422aac9bd078e5c14af5bf11f
2020-10-28misc: Break the big IP header files to improve compile timeNeale Ranns1-0/+1
Type: refactor Signed-off-by: Neale Ranns <neale.ranns@cisco.com> Change-Id: Id1801519638a9b97175847d7ed58824fb83433d6
2020-10-24ipsec: remove pending nodeFan Zhang3-104/+127
This patch removes esp-encrypt-pending and esp-decrypt-pending graph nodes from ipsec data-path. Type: improvement Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Change-Id: Icd90837eafdbfbfdf348681dcafb872593978980
2020-10-21ipsec: support for multipoint on ipsec interfacesNeale Ranns4-6/+63
Type: feature Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: Iae9fe35cfbce4c675fa25e0800c0f4629a83e012
2020-10-21ipsec: Add to the SA info directly in the bihashNeale Ranns5-81/+83
Type: improvement this save the cache miss on the protect structure. Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I867d5e49df5edfd6b368f17a34747f32840080e4
2020-10-21misc: minimize dependencies on udp.hFlorin Coras4-4/+3
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Id13f33843b230a1d169560742c4f7b2dc17d8718
2020-10-20ipsec: Stack the adj from the destination in the SA's TX tableNeale Ranns1-1/+1
Type: fix Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: Ib7f39243e051cdf44cc7151d14458a7fab42c6a8
2020-10-19ipsec: Layout and prefetching of SA structNeale Ranns3-26/+44
Type: improvement - collect all DP used variables onto 1st or 2nd cache line - prefetch the 2nd cache line - in encrypt prefetch the likely location of the trailer. Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I44d58f8d2d469ff71a4f4a71578e7cc1acaeba43
2020-10-16ipsec: fix instance, and cli del for new ipsec interfaceEric Kinzie2-4/+4
- use user instance number in interface name Restore the behavior of previous versions where the IPsec tunnel interface name contained the value of the user-provided instance number. For example, a command similar to create ipsec tunnel local-ip . . . instance 5 would result in the creation of interface "ipsec5". - ipsec: delete tunnel protection when asked The "ipsec tunnel protect" command will parse a "del" argument but does not undo the tunnel protection, leaving the SAs hanging around with reference counts that were incremented by a previous invocation of the command. Allow the tunnel protection to be deleted and also update the help text to indicate that deletion is an option. - test: ipsec: add test for ipsec interface instance Also cleanup (unconfig) after TestIpsecItf4 NULL algo test. Type: fix Fixes: dd4ccf2623b5 ("ipsec: Dedicated IPSec interface type") Signed-off-by: Eric Kinzie <ekinzie@labn.net> Signed-off-by: Christian Hopps <chopps@labn.net> Change-Id: Idb59ceafa0633040344473c9942b6536e3d941ce
2020-10-08ipsec: Allow SAs with NULL auth &crypto on IPSec interfaceNeale Ranns1-2/+3
Type: improvement on the dedicated IPSec interface, the SA describes the peer, so it is not possible to forward to a peer for which there is no SA. Therefore if an SA is added with NULL auth and integ then this explicitly states that this is what the peer desires. on the contrary on the IP-IP/GRE interface, in the absence of protection and an SA, then the traffic is sent in the clear. So adding NULL auth/crypto iSA is a means to describe that the peer should not be sent traffic. Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I7ad2d466cc74eb7ff8c4c84e0d7897d06e2fcf86
2020-10-05ipsec: Use bihash for tunnel lookupNeale Ranns6-123/+269
Type: improvement Change-Id: I0c82722dfce990345fe6eeecdb335678543367e0 Signed-off-by: Neale Ranns <nranns@cisco.com>
2020-09-17teib: Use ip_address_t not ip46_address_tNeale Ranns1-23/+5
Type: improvement Change-Id: Ica75c4e43d6198658a1954640c7ac56ea68bb39a Signed-off-by: Neale Ranns <nranns@cisco.com>
2020-09-17teib: Add adj-fibs for peers/adjacencies on p2mp interfaceNeale Ranns1-1/+3
Type: fix Change-Id: I6fdc4e952097e92ac3aa53e0be3ef99e0d801b28 Signed-off-by: Neale Ranns <nranns@cisco.com>
2020-09-16api: clean up use of deprecated flagOle Troan1-2/+2
The syntax of the deprecated flag has evolved. Clean up usage to be "option deprecated;". Type: fix Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: If2b639f275eb8db58b36c457f9245fe35a4d8cb1
2020-09-07ipsec: fix padding/alignment for native IPsec encryptionChristian Hopps5-19/+19
Not all ESP crypto algorithms require padding/alignment to be the same as AES block/IV size. CCM, CTR and GCM all have no padding/alignment requirements, and the RFCs indicate that no padding (beyond ESPs 4 octet alignment requirement) should be used unless TFC (traffic flow confidentiality) has been requested. CTR: https://tools.ietf.org/html/rfc3686#section-3.2 GCM: https://tools.ietf.org/html/rfc4106#section-3.2 CCM: https://tools.ietf.org/html/rfc4309#section-3.2 - VPP is incorrectly using the IV/AES block size to pad CTR and GCM. These modes do not require padding (beyond ESPs 4 octet requirement), as a result packets will have unnecessary padding, which will waste bandwidth at least and possibly fail certain network configurations that have finely tuned MTU configurations at worst. Fix this as well as changing the field names from ".*block_size" to ".*block_align" to better represent their actual (and only) use. Rename "block_sz" in esp_encrypt to "esp_align" and set it correctly as well. test: ipsec: Add unit-test to test for RFC correct padding/alignment test: patch scapy to not incorrectly pad ccm, ctr, gcm modes as well - Scapy is also incorrectly using the AES block size of 16 to pad CCM, CTR, and GCM cipher modes. A bug report has been opened with the and acknowledged with the upstream scapy project as well: https://github.com/secdev/scapy/issues/2322 Ticket: VPP-1928 Type: fix Signed-off-by: Christian Hopps <chopps@labn.net> Change-Id: Iaa4d6a325a2e99fdcb2c375a3395bcfe7947770e
2020-09-04ipsec: fix trace of GRE_teb packetsChristian Hopps1-2/+5
The issue is not easily hit. When GRE_teb packets are received the post crypto processing adjusts the l2.l2_len value in the vnet_buffer opaque data. This is overwriting the ipsec opaque data. Later the trace code fetches the sa_index from the ipsec opaque data. It's just an accident that this currently works, if the ipsec data is changed so that the sa_index moves around it will be overwritten by the l2_len modification. Indeed, this was found b/c local development changes had moved the sa_index so it was over-lapping with the l2_len memory space, and the UT failed. Type: fix Change-Id: Iaecfa750cf0b36653fd9e75b4d799f323a14d932 Signed-off-by: Christian Hopps <chopps@labn.net>