aboutsummaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec
AgeCommit message (Collapse)AuthorFilesLines
2018-05-16Drop IPsec packets when interface is downMatthew Smith1-10/+32
Packets arriving on an IPsec tunnel interface are decrypted and forwarded even if the interface is down. Check interface flags. If the interface is down, cause packet to be dropped and increment the counters for drops. Change-Id: I94456bda3bd8eade0f3f522ad7cc341251174e6e Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-05-11VPP-1275 Fix memory leaks in IPsec CLIKlement Sekera1-54/+83
Change-Id: I1f7c634328f25b33580a215af2daeb498cd3b181 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-05-10Change the way IP header pointer is calculated in esp_decrypt nodesSzymon Sliwa2-3/+11
The pointer to IP header was derived from l3_hdr_offset, which would be ok, if l3_hdr_offset was valid. But it does not have to be, so it was a bad solution. Now the previous nodes mark whether it is a IPv6 or IPv4 packet tyle, and in esp_decrypt we count get ip header pointer by substracting the size of the ip header from the pointer to esp header (which lies in front of the ip header). Change-Id: I6d425b90931053711e8ce9126811b77ae6002a16 Signed-off-by: Szymon Sliwa <szs@semihalf.com>
2018-05-09ipsec: support UDP encap/decap for NAT traversalKlement Sekera8-33/+89
Change-Id: I65c12617ad49e4d5ef242e53988782f0cefa5684 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-05-04ipsec: allow null/null for crypto/integ algorithms pairRadu Nicolau2-3/+3
Change-Id: Ic1e189c22e3d344d165e0eab05ccb667eef088a9 Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
2018-05-04Harmonize vec/pool_get_aligned object sizes and alignment requestsDave Barach1-0/+2
Object sizes must evenly divide alignment requests, or vice versa. Otherwise, only the first object will be aligned as requested. Three choices: add CLIB_CACHE_LINE_ALIGN_MARK(align_me) at the end of structures, manually pad to an even divisor or multiple of the alignment request, or use plain vectors/pools. static assert for enforcement. Change-Id: I41aa6ff1a58267301d32aaf4b9cd24678ac1c147 Signed-off-by: Dave Barach <dbarach@cisco.com>
2018-04-25Fix some build warnings about "Old Style VLA"Juraj Sloboda1-2/+2
Change-Id: I69fee1dcf07a4d2eed69a59f0a36e63e3741ed4e Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2018-04-19Allow an IPsec tunnel interface to be renumberedMatthew Smith5-29/+42
When creating an IPsec tunnel interface, allow a numeric identifier to be set for use in the interface's name in place of the dev instance. Default to using the dev instance if no value is explicitly set. When an IPsec tunnel is deleted, the interface is deleted now instead of being kept in a pool of available hw interfaces. Otherwise there was the possibility of conflicting tx node names between deleted tunnels and newly created ones. Change-Id: Ic525466622a0dec38a845fa5871c084f6d9da380 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-04-18Fix the ip header offset counting in vnet/ipsecSzymon Sliwa1-5/+4
IP header is set as data + sizeof(ethernet_header_t), what does not need to be true. The solution is to use l3_hdr_offset. Change-Id: I5d9f41599ba8d8eb14ce2d9d523f82ea6e0fd10d Signed-off-by: Szymon Sliwa <szs@semihalf.com>
2018-04-10Make IPsec tunnel intf work with IPv4 output featuresMatthew Smith1-0/+7
With no IPv4 output features on an IPsec tunnel inferface, when packets are forwarded to that interface, they reach the ipsec-if-output node via the output_node_index on the hw interface and they are handled correctly. When an IPv4 output feature (e.g. output ACL, outbound NAT) is enabled on an IPsec tunnel interface, outbound IPsec stops working for that interface. The last node in the ip4-output feature arc is interface-output. From there a packet is sent to ipsec<N>-output, and then ipsec<N>-tx. The tx function for an IPsec tunnel interface that is called by ipsec<N>-tx is a dummy that doesn't do anything except write a warning message. Enable a feature on the interface-output feature arc for an IPsec tunnel interface so the ipsec-if-output node is reached from the interface-output node. Change-Id: Ia9c73d3932f5930ec7ce0791a0375b1d37148b01 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-03-23IPSEC_AH: broken initialization (VPP-1208)Marco Varlese1-1/+1
The init-path for IPSEC_AH where the CTX gets initialized is broken since the for-loop never executes due to the wrong usage of tm->n_vlib_mains which being subtracted by 1. Change-Id: I4d967f52cd3ca061aa60d824d65f446e06162403 Signed-off-by: Marco Varlese <marco.varlese@suse.com>
2018-03-16IPSec: fix IPv6 policy deletingMatus Fabian1-1/+1
Change-Id: I9f487d6033edde09557709f94f97fc8a70246b09 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-01-24SCTP stack (RFC4960)Marco Varlese1-2/+6
== CONTENT == * SCTP chunks definition as per RFC4960; * Helper functions to set/get values to/from the corresponding chunks; * Hooks to the session/application layers; * Complete state-machine handling; * Implementation for unexpected chunk received in a certain state (state-machine error handling) * Support for 1-single connection; * Sample application to test receive/transmit data-path; * Test to validate SCTP stack; Change-Id: I1b55c455ab400be9513f4e094dadfc3181d2ebc9 Signed-off-by: Marco Varlese <marco.varlese@suse.com>
2018-01-23VPPAPIGEN: vppapigen replacement in Python PLY.Ole Troan1-1/+1
This is a version of the VPP API generator in Python PLY. It supports the existing language, and has a plugin architecture for generators. Currently C and JSON are supported. Changes: - vl_api_version to option version = "major.minor.patch" - enum support - Added error checking and reporting - import support (removed the C pre-processor) - services (tying request/reply together) Version: option version = "1.0.0"; Enum: enum colours { RED, BLUE = 50, }; define foo { vl_api_colours_t colours; }; Services: service { rpc foo returns foo_reply; rpc foo_dump returns stream foo_details; rpc want_stats returns want_stats_reply events ip4_counters, ip6_counters; }; Future planned features: - unions - bool, text - array support (including length) - proto3 output plugin - Refactor C/C++ generator as a plugin - Refactor Java generator as a plugin Change-Id: Ifa289966c790e1b1a8e2938a91e69331e3a58bdf Signed-off-by: Ole Troan <ot@cisco.com>
2018-01-11api: remove transport specific code from handlersFlorin Coras1-12/+13
This does not update api client code. In other words, if the client assumes the transport is shmem based, this patch does not change that. Furthermore, code that checks queue size, for tail dropping, is not updated. Done for the following apis: Plugins - acl - gtpu - memif - nat - pppoe VNET - bfd - bier - tapv2 - vhost user - dhcp - flow - geneve - ip - punt - ipsec/ipsec-gre - l2 - l2tp - lisp-cp/one-cp - lisp-gpe - map - mpls - policer - session - span - udp - tap - vxlan/vxlan-gpe - interface VPP - api/api.c OAM - oam_api.c Stats - stats.c Change-Id: I0e33ecefb2bdab0295698c0add948068a5a83345 Signed-off-by: Florin Coras <fcoras@cisco.com>
2018-01-09api: refactor vlibmemoryFlorin Coras1-5/+4
- separate client/server code for both memory and socket apis - separate memory api code from generic vlib api code - move unix_shared_memory_fifo to svm and rename to svm_fifo_t - overall declutter Change-Id: I90cdd98ff74d0787d58825b914b0f1eafcfa4dc2 Signed-off-by: Florin Coras <fcoras@cisco.com>
2017-12-15ESP_AH_test_automation_scripts rev1“mystarrocks”1-7/+0
Change-Id: I941abdc4a02e4c52c66b9d299e380b27caca7c1d Signed-off-by: “mystarrocks” <mystarrocks@yahoo.com>
2017-11-29DES-CBC/3DES-CBC support for VPP IPSec Core“mukeshyadav1984”4-26/+57
Change-Id: I876f215b129e5e59d3acc6447ce40458cc341eba Signed-off-by: “mukeshyadav1984” <mukyadav@cisco.com>
2017-11-28IPSec AH protocol enhancement in VPP native core“mukeshyadav1984”12-55/+889
Change-Id: Iec5804d768485f4015bbf732d8d19ef2f24e6939 Signed-off-by: “mukeshyadav1984” <mukyadav@cisco.com>
2017-11-10Allow Openssl 1.1.0Marco Varlese5-12/+159
This patch addresses all the code changes required to VPP to support openssl 1.1.0 API. All the changes have been done so that VPP can still be built against current openssl API whilst forward-looking to version 1.1.0. Change-Id: I65e22c53c5decde7a15c7eb78a62951ee246b8dc Signed-off-by: Marco Varlese <marco.varlese@suse.com>
2017-11-10Fix bug in key calculation for IPsec tunnel interfaceMatthew Smith1-2/+2
When IPsec tunnel interface has the inbound SA updated, the key used to find the right interface for inbound packets was being generated using the destination address instead of the source. Change-Id: Id5a6fb1511637c912b329aad65188789646a5889 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2017-10-26Allow IPsec interface to have SAs resetMatthew Smith5-1/+123
Make it easier to integrate with external IKE daemon. IPsec interfaces can have one or both SAs replaced after creation. This allows for the possibility of setting a new child SA on an interface when rekeying occurs. It also allows for the possibility of creating an interface ahead of time and updating the SA when parameters that are negotiated during IKE exchange become known. Change-Id: I0a31afdcc2bdff7098a924a51abbc58bdab2bd08 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2017-10-24Add extern to *_main global variable declarations in header files.Dave Wallace6-3/+8
- Global variables declared in header files without the use of the 'extern' keword will result in multiple instances of the variable to be created by the compiler -- one for each different source file in which the the header file is included. This results in wasted memory allocated in the BSS segments as well as potentially introducing bugs in the application. Change-Id: I6ef1790b60a0bd9dd3994f8510723decf258b0cc Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2017-10-14Add API call to set keys on IPsec tunnel intfMatthew Smith2-0/+75
There was already a CLI command and a libvnet function to set the keys on an existing IPsec tunnel interface. Expose this via the API. Change-Id: I226a9616f680fc022f04447177a2e8232690657f Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2017-10-12dpdk/ipsec: coverity fixesSergio Gonzalez Monroy1-9/+20
Change-Id: Ica3bc74ffbb1c0df4e198b0abff8df10cdeb2182 Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2017-10-09vppapigen: support per-file (major,minor,patch) version stampsDave Barach1-0/+2
Add one of these statements to foo.api: vl_api_version 1.2.3 to generate a version tuple stanza in foo.api.h: /****** Version tuple *****/ vl_api_version_tuple(foo, 1, 2, 3) Change-Id: Ic514439e4677999daa8463a94f948f76b132ff15 Signed-off-by: Dave Barach <dave@barachs.net> Signed-off-by: Ole Troan <ot@cisco.com>
2017-10-05dpdk/ipsec: rework plus improved cli commandsSergio Gonzalez Monroy5-44/+100
This patch reworks the DPDK ipsec implementation including the cryptodev management as well as replacing new cli commands for better usability. For the data path: - The dpdk-esp-encrypt-post node is not necessary anymore. - IPv4 packets in the decrypt path are sent to ip4-input-no-checksum instead of ip4-input. The DPDK cryptodev cli commands are replaced by the following new commands: - show dpdk crypto devices - show dpdk crypto placement [verbose] - set dpdk crypto placement (<device> <thread> | auto) - clear dpdk crypto placement <device> [<thread>] - show dpdk crypto pools Change-Id: I47324517ede82d3e6e0e9f9c71c1a3433714b27b Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2017-10-04Add API support to dump IPsec SAsMatthew Smith2-0/+175
Add an API request message type to dump IPsec SAs. Either all IPsec SAs can be dumped or it can be limited to a single SA ID (numeric ID set at creation time - not an index). Add a handler for incoming messages with the new request type. Add an API response message type containing the data for an IPsec SA. Add VAT support for new message type. Change-Id: Id7828d000efc637dee7f988a87d3f707a8b466b7 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2017-09-19Set RX sw_if_index on decrypted routed IPsec buffersMatthew Smith2-0/+3
For routed IPsec, set the RX sw_if_index on inbound packets to the index of the IPsec interface. When a packet is decrypted into a new buffer, bring along the RX sw_if_index of the encrypted packet to the new buffer. Change-Id: I093e9d37def2082c8d2f1deb96b1c5b97126e023 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2017-09-08Fixes for issues reported by Coverity (VPP-972)Chris Luke1-1/+10
Change-Id: I25238debb7081b4467aec4620dfdef33fbef3295 Signed-off-by: Chris Luke <chrisy@flirble.org>
2017-05-24Add p2p flag to IPsec tunnel interface hw classMatthew Smith1-0/+1
Change-Id: I4ac05ee5974f5e7ab3685d325446a6e77048a948 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2017-05-17Use counters on ipsec tunnel interfacesMatthew Smith3-6/+107
Increment byte & packet counters when packets are sent or received on an IPsec tunnel interface. Set counters to zero when the interface is deleted. Change-Id: Ie9584aa82778875dd4d0c931005f7720b4d5c76d Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2017-05-15Add sw_if_index of tunnel interface to API reply for ipsec_tunnel_if_add_delMatthew Smith4-15/+36
Change-Id: If5158f6fa7344dee94548c93dace779430e0647f Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2017-05-09API support for IPsec tunnel interface creationMatthew Smith2-1/+87
Change-Id: I8c9f886cb95e92adbe1c646844789ca0a6bb6140 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2017-04-27VPP-716: IKEv2 responder fails to authenticate initiatorMatthew Smith1-15/+16
Fix handling of IDi and IDr when processing payloads in ikev2_process_auth_req Change-Id: If0d4441dc89f08f3753f38987406c002d43558ec Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2017-04-25"autoreply" flag: autogenerate standard xxx_reply_t messagesDave Barach1-205/+19
Change-Id: I72298aaae7d172082ece3a8edea4217c11b28d79 Signed-off-by: Dave Barach <dave@barachs.net>
2017-04-06Use thread local storage for thread indexDamjan Marion6-51/+61
This patch deprecates stack-based thread identification, Also removes requirement that thread stacks are adjacent. Finally, possibly annoying for some folks, it renames all occurences of cpu_index and cpu_number with thread index. Using word "cpu" is misleading here as thread can be migrated ti different CPU, and also it is not related to linux cpu index. Change-Id: I68cdaf661e701d2336fc953dcb9978d10a70f7c1 Signed-off-by: Damjan Marion <damarion@cisco.com>
2017-03-10Fix coverity CIDs 161048, 163895Pavel Kotucek1-2/+1
Change-Id: Ic206601413bb366e2a920daf00524e92a47287ef Signed-off-by: Pavel Kotucek <pkotucek@cisco.com>
2017-03-01dpdk: be a pluginDamjan Marion1-4/+0
Change-Id: I238258cdeb77035adc5e88903d824593d0a1da90 Signed-off-by: Damjan Marion <damarion@cisco.com>
2017-03-01VPP-598: tcp stack initial commitDave Barach3-3/+3
Change-Id: I49e5ce0aae6e4ff634024387ceaf7dbc432a0351 Signed-off-by: Dave Barach <dave@barachs.net> Signed-off-by: Florin Coras <fcoras@cisco.com>
2017-02-22VPP-635: CLI Memory leak with invalid parameterBilly McFall1-55/+122
In the CLI parsing, below is a common pattern: /* Get a line of input. */ if (!unformat_user (input, unformat_line_input, line_input)) return 0; while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) { if (unformat (line_input, "x")) x = 1; : else return clib_error_return (0, "unknown input `%U'", format_unformat_error, line_input); } unformat_free (line_input); The 'else' returns if an unknown string is encountered. There a memory leak because the 'unformat_free(line_input)' is not called. There is a large number of instances of this pattern. Replaced the previous pattern with: /* Get a line of input. */ if (!unformat_user (input, unformat_line_input, line_input)) return 0; while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) { if (unformat (line_input, "x")) x = 1; : else { error = clib_error_return (0, "unknown input `%U'", format_unformat_error, line_input); goto done: } } /* ...Remaining code... */ done: unformat_free (line_input); return error; } In multiple files, 'unformat_free (line_input);' was never called, so there was a memory leak whether an invalid string was entered or not. Also, there were multiple instance where: error = clib_error_return (0, "unknown input `%U'", format_unformat_error, line_input); used 'input' as the last parameter instead of 'line_input'. The result is that output did not contain the substring in error, instead just an empty string. Fixed all of those as well. There are a lot of file, and very mind numbing work, so tried to keep it to a pattern to avoid mistakes. Change-Id: I8902f0c32a47dd7fb3bb3471a89818571702f1d2 Signed-off-by: Billy McFall <bmcfall@redhat.com> Signed-off-by: Dave Barach <dave@barachs.net>
2017-02-17Implemented IKEv2 initiator features:Radu Nicolau11-186/+2176
- IKE_SA_INIT and IKE_AUTH initial exchanges - Delete IKA SA - Rekey and delete Child SA - Child SAs lifetime policy To set up one VPP instance as the initiator use the following CLI commands (or API equivalents): ikev2 profile set <id> responder <interface> <addr> ikev2 profile set <id> ike-crypto-alg <crypto alg> <key size> ike-integ-alg <integ alg> ike-dh <dh type> ikev2 profile set <id> esp-crypto-alg <crypto alg> <key size> esp-integ-alg <integ alg> esp-dh <dh type> ikev2 profile set <id> sa-lifetime <seconds> <jitter> <handover> <max bytes> and finally ikev2 initiate sa-init <profile id> to initiate the IKE_SA_INIT exchange Child SA re-keying process: 1. Child SA expires 2. A new Child SA is created using the Child SA rekey exchange 3. For a set time both SAs are alive 4. After the set time interval expires old SA is deleted Any additional settings will not be carried over (i.e. settings of the ipsec<x> interface associated with the Child SA) CLI API additions: ikev2 profile set <id> responder <interface> <addr> ikev2 profile set <id> ike-crypto-alg <crypto alg> <key size> ike-integ-alg <integ alg> ike-dh <dh type> ikev2 profile set <id> esp-crypto-alg <crypto alg> <key size> esp-integ-alg <integ alg> esp-dh <dh type> ikev2 profile set <id> sa-lifetime <seconds> <jitter> <handover> <max bytes> ikev2 initiate sa-init <profile id> ikev2 initiate del-child-sa <child sa ispi> ikev2 initiate del-sa <sa ispi> ikev2 initiate rekey-child-sa <profile id> <child sa ispi> Sample configurations: Responder: ikev2 profile add pr1 ikev2 profile set pr1 auth shared-key-mic string Vpp123 ikev2 profile set pr1 id local fqdn vpp.home.responder ikev2 profile set pr1 id remote fqdn vpp.home.initiator ikev2 profile set pr1 traffic-selector remote ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0 ikev2 profile set pr1 traffic-selector local ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0 Initiator: ikev2 profile add pr1 ikev2 profile set pr1 auth shared-key-mic string Vpp123 ikev2 profile set pr1 id local fqdn vpp.home.initiator ikev2 profile set pr1 id remote fqdn vpp.home.responder ikev2 profile set pr1 traffic-selector local ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0 ikev2 profile set pr1 traffic-selector remote ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0 ikev2 profile set pr1 responder TenGigabitEthernet3/0/1 192.168.40.20 ikev2 profile set pr1 ike-crypto-alg aes-cbc 192 ike-integ-alg sha1-96 ike-dh modp-2048 ikev2 profile set pr1 esp-crypto-alg aes-cbc 192 esp-integ-alg sha1-96 esp-dh ecp-256 ikev2 profile set pr1 sa-lifetime 3600 10 5 0 Change-Id: I1db9084dc787129ea61298223fb7585a6f7eaf9e Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
2017-02-17ipsec: changed ipsec-input-ip6 node to be a sibling of ipsec-input-ip4, ↵Radu Nicolau1-6/+1
fixes a problem that occurs with cryptodev ipv6 input. Change-Id: I1f0c0db45b2aabc243dd785c8d5d5ef990cac903 Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
2017-01-30Fixed set int state up for ipsec interfacesRadu Nicolau1-2/+2
Change-Id: I2330cb7c2ba0f5eaeb4e7a4c3de4f22283d3923d Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
2017-01-27dpdk: rework cryptodev ipsec build and setupSergio Gonzalez Monroy9-203/+148
Build Cryptodev IPsec support by default when DPDK is enabled but only build hardware Cryptodev PMDs. To enable Cryptodev support, a new startup.conf option for dpdk has been introduced 'enable-cryptodev'. During VPP init, if Cryptodev support is not enabled or not enough cryptodev resources are available then default to OpenSSL ipsec implementation. Change-Id: I5aa7e0d5c2676bdb41d775ef40364536a081956d Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2017-01-16Add --without-libssl configure parameterDamjan Marion2-13/+13
This replaces --without-ipsec and --without-ipv6sr and allows other parts of the code to be disabled if libssl is not available. Change-Id: Id97ff3685a7924d7f86622952e0405d94ceb5957 Signed-off-by: Damjan Marion <damarion@cisco.com>
2016-12-28Reorganize source tree to use single autotools instanceDamjan Marion21-0/+10534
Change-Id: I7b51f88292e057c6443b12224486f2d0c9f8ae23 Signed-off-by: Damjan Marion <damarion@cisco.com>