summaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec
AgeCommit message (Collapse)AuthorFilesLines
2020-04-24ipsec: add input node bypass/discard functionalityShivaShankarK3-164/+263
add bypass/discard functionality to ipsec4-input-feature node Type: feature Signed-off-by: ShivaShankarK <shivaashankar1204@gmail.com> Change-Id: I152a5dfee0296109cccabe349a330dbbe395cc6c
2020-04-16ipsec: fix use-after-freeBenoît Ganne1-1/+1
Type: fix Change-Id: I1068ff1d03883addb5fe1005a8b608eab17e4168 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-04-14ipsec: validate number of input sasMatthew Smith2-1/+9
Type: fix There is a statically allocated array for inbound SAs which can hold 4 IDs. The input parameter containing the IDs of th inbound SAs is a vector and Its possible to pass a vector with more than 4 elements and write the memory past the end of the array. Fail if more than 4 SAs are passed in the vector. Change-Id: I0c9d321c902d6366b8aff816d04e343dcbd110eb Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2020-04-02ipsec: provide stat index in sa detailsMatthew Smith2-3/+5
Type: improvement When IPsec SAs are dumped, include the index that can be used to find byte & packet counters for the SA in the stat segment. Removed the field total_data_size from the details since it was not being populated and put the stat index field in its place. Change-Id: If73efc230542a11944551b6e710b57b575450da3 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2020-03-31ipsec: use id in ipsec_tunnel_protect_detailsMatthew Smith1-4/+6
Type: fix The data populated into an ipsec_tunnel_protect_details message includes an outbound SA and a list of inbound SAs for a tunnel interface. These are populated with SA indices. The values used by an API client to refer to an SA in other messages is the SA id rather than the index. Use the SA id instead of the index. Change-Id: Ifaad32801092a7f87bd0dcf19de418d36613f8dd Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2020-03-31ipsec: fix chained ESPFilip Tehlar2-50/+145
This fixes a special case when buffer chain enters decrypt node and becomes a single buffer after decryption. Type: fix Change-Id: Id5da9e8a074f83ec3561949631ce613f35528312 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-03-31ipsec: fix udp-encap in transport modeAlexander Chernavin1-1/+7
Now UDP enacapsulation doesn't work in transport mode with crypto algorithms that have iv_sz=8 like AES GCM or 3DES CBC. That happens because the inserted UDP header overlaps with the old IP header and gets filled before the information from the old IP header can be copied to a new IP header. The result is a broken packet: 00:03:39:620863: esp4-encrypt-tun esp: sa-index 3 spi 3464048590 (0xce792fce) seq 31 sa-seq-hi 0 crypto aes-gcm-128 integrity none udp-encap-enabled 00:03:39:620867: adj-midchain-tx ... 00:03:39:620868: ip4-rewrite ... 00:03:39:620869: GigabitEthernet0/8/0-output GigabitEthernet0/8/0 IP4: 08:00:27:a9:6b:d6 -> 08:00:27:5a:dd:0c UDP: 10.255.0.10 -> 10.255.0.20 version 0, header length 0 tos 0x80, ttl 63, length 0, checksum 0x653e (should be 0xffff) dscp CS4 ecn NON_ECN fragment id 0x0000 UDP: 128 -> 0 length 0, checksum 0x0000 00:03:39:620870: GigabitEthernet0/8/0-tx GigabitEthernet0/8/0 tx queue 0 ... IP4: 08:00:27:a9:6b:d6 -> 08:00:27:5a:dd:0c UDP: 10.255.0.10 -> 10.255.0.20 version 0, header length 0 tos 0x80, ttl 63, length 0, checksum 0x653e (should be 0xffff) dscp CS4 ecn NON_ECN fragment id 0x0000 UDP: 128 -> 0 length 0, checksum 0x0000 With this commit, fill UDP header after copying the IP headers in transport mode. Type: fix Change-Id: Ie9a6e562aa05a8378114329d6a9ff395189fa6a8 Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2020-03-23ipsec: Revert "ipsec: fix chained ESP"Florin Coras2-144/+50
This reverts commit c2c1bfd9b72aec88526c06479b128725eb525866. Reason for revert: Seems it's breaking ipsec esp tests Type: fix Change-Id: Iac590eee23cbf92a10c62dafa789aa9c3b2284dd Signed-off-by: Florin Coras <fcoras@cisco.com>
2020-03-23ipsec: fix chained ESPFilip Tehlar2-50/+144
This fixes a special case when buffer chain enters decrypt node and becomes a single buffer after decryption. Type: fix Change-Id: I1d4da029b952baa97400adb7173aa63fd97d916b Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-03-23ipsec: increment no-tunnel counter in ipsec-tun-inputAlexander Chernavin1-0/+3
If "no-tunnel" error erises, you will not see it in the "show errors" output because the packet will be punted. That fact complicates troubleshooting. Type: improvement Change-Id: Ic08347f81131a4a73a05b66acbfb02797373f5ab Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2020-03-21ipsec: efficient layout of ESP per thread dataRajesh Goel1-3/+4
Type: fix Change-Id: I1ba921503a41ca37ce5c920682893617740571a9 Signed-off-by: Rajesh Goel <rajegoel@cisco.com>
2020-03-21ikev2: add support for custom ipsec-over-udp portFilip Tehlar4-10/+25
Type: feature Change-Id: Ifee2b3dca85ea915067b9285e3636802bf0c19a8 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-03-17ipsec: initialize algs to none in 'create ipsec tunnel' cliDamjan Marion1-2/+2
Type: fix Change-Id: I901c9384710eee5847b3fbce060c78e115ba4169 Signed-off-by: Damjan Marion <damarion@cisco.com>
2020-03-10ipsec: API cleanupJakub Grajciar2-25/+27
Use consistent API types. Change vl_api_ipsec_proto_t to iana values: ESP 50, AH 51, Type: fix Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com> Change-Id: I2becefb343246e0233f290fefbfdd172d8237325 Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
2020-03-05api: ipsec: add missing IS_INBOUND flag.Christian Hopps2-0/+6
External IKE daemons need to be able to flag an SA as inbound (just as the included ike plugin does). This commit adds this flag to the API. This change is backward bug-compatible as not setting the flag (old clients) continues to mean all SAs are created as outbound and fib nodes are created for them. The addition of this flag inhibits this forwarding node creation as well as properly flagging the SA as inbound. Ticket: VPP-1845 Type: fix Signed-off-by: Christian Hopps <chopps@labn.net> Change-Id: I195e32c430e51155fac2d9f33671e06ef42a3f7f
2020-02-26ipsec: Revert API cleanupOle Trøan2-27/+25
This reverts commit 666ece35cd2625bbd8b6ddadb6e87444a617df4d. Reason for revert: Awaiting CSIT CRC job to catch up Type: fix Change-Id: Ib38bbd5879ff761496a6819186f1af1dbee48590 Signed-off-by: Ole Troan <ot@cisco.com>
2020-02-26ipsec: API cleanupJakub Grajciar2-25/+27
Use consistent API types. Change vl_api_ipsec_proto_t to iana values: ESP 50, AH 51, Type: fix Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com> Change-Id: Ic961130ffa519d1c904d872c34f9a7461b1be77e Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
2020-02-25feature: provide a u16 version of vnet_feature_nextNeale Ranns1-3/+1
Type: improvement when using vlib_buffer_enqueue_to_next the 'nexts' parameter is an array of u16, but vnet_feautre_next takes a u32. this is a simple wrapper to address the impedence mismatch. Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I0fa86629e979e313344eb68442dc35a7b9537a8f
2020-02-25vlib: Punt reason allocation listener enable/disable callbackNeale Ranns3-23/+75
Type: improvement allow clients that allocate punt reasons to pass a callback function that is invoked when the first/last client registers to use/listen on that punt reason. This allows the client to perform some necessary configs that might not otherwise be enabled. IPSec uses this callback to register the ESP proto and UDP handling nodes, that would not otherwise be enabled unless a tunnel was present. Change-Id: I9759349903f21ffeeb253d4271e619e6bf46054b Signed-off-by: Neale Ranns <nranns@cisco.com>
2020-02-21ipsec: IPSec protection for multi-point tunnel interfacesNeale Ranns8-141/+556
Type: feature Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: Iaba2ab11bfaa1c8db4023434e3043ac39500f938
2020-02-17misc: fix coverity warningsDave Barach1-1/+1
Add an ALWAYS_ASSERT (...) macro, to (a) shut up coverity, and (b) check the indicated condition in production images. As in: p = hash_get(...); ALWAYS_ASSERT(p) /* was ASSERT(p) */ elt = pool_elt_at_index(pool, p[0]); This may not be the best way to handle a specific case, but failure to check return values at all followed by e.g. a pointer dereference isn't ok. Type: fix Ticket: VPP-1837 Signed-off-by: Dave Barach <dave@barachs.net> Change-Id: Ia97c641cefcfb7ea7d77ea5a55ed4afea0345acb
2020-02-11ipsec: add support for chained buffersFilip Tehlar3-97/+534
Type: feature Change-Id: Ie072a7c2bbb1e4a77f7001754f01897efd30fc53 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-02-10ipsec: fix AES-GCM block sizeDamjan Marion1-3/+6
Type: fix Change-Id: I0c9640dab2c0eaba369bc8f3ff7ae56d8e97e170 Signed-off-by: Damjan Marion <damarion@cisco.com>
2020-02-10ipsec: remove dead codeFilip Tehlar1-29/+0
Type: style Change-Id: Ifda9597bf4aee89cf1dfd287429a2772fed8f535 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-02-05ipsec: set l2_len for GRE-TEB tunnel decapJohn Lo1-0/+2
Type: fix Ticket: VPP-1831 Signed-off-by: John Lo <loj@cisco.com> Change-Id: I655964b22021ac38cbced577091a1156286d4fd6
2020-01-27ipip: Multi-point interfaceNeale Ranns2-2/+2
Type: feature plus fixes for gre Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I0eca5f94b8b8ea0fcfb058162cafea4491708db6
2020-01-27tunnel: Common types for IP tunnelsNeale Ranns2-2/+4
Type: refactor Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I18dcdb7af3e327f6cacdbcb1e52b89f13d6ba6e2
2020-01-22ipsec: re-enable DPDK IPSec for tunnel decap/encap (VPP-1823)Neale Ranns3-9/+28
Type: fix Change-Id: Iff9b1960b122f7d326efc37770b4ae3e81eb3122 Signed-off-by: Neale Ranns <nranns@cisco.com>
2020-01-10docs: Edit FEATURE.yaml files so they can be publishedJohn DeNisco1-1/+1
Type: docs Signed-off-by: John DeNisco <jdenisco@cisco.com> Change-Id: I7280e5c5ad10a66c0787a5282291a2ef000bff5f
2020-01-07ipsec: Add FEATURE/yamlNeale Ranns1-0/+11
Type: docs Change-Id: I9cb093589b84fdca3f4239da90c431e8bc4d74f1 Signed-off-by: Neale Ranns <nranns@cisco.com>
2020-01-04ipsec: AH copy destination and source address from templateNeale Ranns1-1/+1
Type: fix Change-Id: I63d4df68eed6589763b5ce62bcd7f3fd867c60e1 Signed-off-by: Neale Ranns <nranns@cisco.com>
2020-01-04ipsec: Targeted unit testingNeale Ranns6-97/+114
Type: fix 1 - big packets; chained buffers and those without enoguh space to add ESP header 2 - IPv6 extension headers in packets that are encrypted/decrypted 3 - Interface protection with SAs that have null algorithms Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: Ie330861fb06a9b248d9dcd5c730e21326ac8e973
2019-12-23ipsec: Test and fix IPSec worker hand-offNeale Ranns3-6/+6
Type: fix Change-Id: I5cb9a3845ddbc5f4de4eb4e9c481f606fe5cec9a Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-12-18ipsec: Fix decap of IPSEC/GRE in transport modeNeale Ranns1-6/+44
Type: fix in transport mode the header sequence is: MAC - IP (tun) - ESP - GRE - L2 so popping the GRE header is done in the ESP decrypt node. Change-Id: Ia125eb65b9300368617d2bffca09683851e43be0 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-12-17ipsec: bind an SA to a workerNeale Ranns10-43/+642
the sequence number increment and the anti-replay window checks must be atomic. Given the vector nature of VPP we can't simply use atomic increments for sequence numbers, since a vector on thread 1 with lower sequence numbers could be 'overtaken' by packets on thread 2 with higher sequence numbers. The anti-replay logic requires a critical section, not just atomics, and we don't want that. So when the SA see the first packet it is bound to that worker all subsequent packets, that arrive on a different worker, are subject to a handoff. Type: feature Change-Id: Ia20a8645fb50622ea6235ab015a537f033d531a4 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-12-10ipsec: Init salt value in SA creation CLI (so it's not random)Neale Ranns1-0/+1
Type: fix Change-Id: Idf4d0b59a1eb2c739a67a4786470884050f81561 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-12-10api: multiple connections per processDave Barach1-1/+1
Type: feature Signed-off-by: Dave Barach <dave@barachs.net> Change-Id: I2272521d6e69edcd385ef684af6dd4eea5eaa953
2019-12-09ipsec: make sure pad_bytes does not exceed pad data sizeBenoît Ganne1-1/+5
This helps GCC understand the memcpy will not overflow pad_data. GCC-6 (default on Debian 9) in particular got confused. Type: fix Change-Id: I176eb01531b9d5c7ebec40f015e510b2d56e77c4 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2019-12-03ipip: Tunnel flags controlling copying data to/from payload/encapNeale Ranns2-3/+4
Type: feature Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I9467f11775936754406892b8e9e275f989ac9b30
2019-12-03ipsec: Changes to make ipsec encoder/decoders reusable by the pluginsPrashant Maheshwari6-255/+365
Type: fix Signed-off-by: Prashant Maheshwari <pmahesh2@cisco.com> Change-Id: I81b937fc8cfec36f8fb5de711ffbb02f23f3664e Signed-off-by: Prashant Maheshwari <pmahesh2@cisco.com>
2019-11-22ipsec: fix trailing data overflowFilip Tehlar1-23/+21
IPsec writes trailing data at the end of the buffer without checking if there is enough space. If the packet length equals buffer size this leads to rewiting of the next buffer header in the pool. Type: fix Change-Id: Iceb27bb724c7243863a4b532aad0808051b7d74c Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2019-11-20ipsec: Honour the renumber argument when selecting show instnaceNeale Ranns1-1/+1
Type: fix Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: If41f154c354772f5b32cfd35ea231b8f59c2c0c5
2019-11-18ipsec: Coverity warningsNeale Ranns2-8/+12
Type: fix Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I6bb6c6be62f98ac9a059469c81a5f4476b96e96e
2019-11-08ipsec: remove dedicated IPSec tunnelsNeale Ranns15-1654/+494
APIs for dedicated IPSec tunnels will remain in this release and are used to programme the IPIP tunnel protect. APIs will be removed in a future release. see: https://wiki.fd.io/view/VPP/IPSec Type: feature Change-Id: I0f01f597946fdd15dfa5cae3643104d5a9c83089 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-11-05ipsec: ipsec-input: check for too-short packetsBenoît Ganne1-12/+25
Make sure packet is big enough before processing it. Policy matching is done speculatively but is discarded if packet is too short. Type: fix Change-Id: I647db2c4e568b0d9bf2cfd5056e1b1c2e25132fe Signed-off-by: Benoît Ganne <bganne@cisco.com>
2019-10-31ipsec: fix esp trace seq number overflowBenoît Ganne2-4/+12
Do not copy invalid seq number if packet is too small. Type: fix Change-Id: I1e78f5920e9645521f57efccaf35bbf9ce0676a8 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2019-10-22ikev2: fix GCM cipherFilip Tehlar1-9/+17
Type: fix Change-Id: I382499061ff4b1c2cc1b70ebbf9725ff0e1be325 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2019-10-18ipsec: fix tunnel protection removalFilip Tehlar1-1/+1
Type: fix Change-Id: I4d5546d1f9b3a162291997f6f0c094c5c3d6cf31 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2019-09-30ipsec: fix use-after-freeBenoît Ganne1-3/+7
When deleting interface from the API, 'hi' gets removed before 'h->sw_if_index' is copied. Type: fix Change-Id: I8e10108e9bdf95ab2fe002790d98262d583ca58c Signed-off-by: Benoît Ganne <bganne@cisco.com>
2019-09-30ipsec: add insecure option for format of SAChristian E. Hopps3-3/+9
If specified, shows keys, otherwise redacts. This change sets this flag in the existing CLI code (thus maintaining the old behavior). The use case for not specifying the insecure flag (and thus redacting the keys from the show output) is for log messages. Type: feature Signed-off-by: Christian E. Hopps <chopps@chopps.org> Change-Id: I8c0ab6a9a8aba7c687a2559fa1a23fac9d0aa111