Age | Commit message (Collapse) | Author | Files | Lines |
|
Type: improvement
on the dedicated IPSec interface, the SA describes the peer, so it is
not possible to forward to a peer for which there is no SA. Therefore if
an SA is added with NULL auth and integ then this explicitly states that
this is what the peer desires.
on the contrary on the IP-IP/GRE interface, in the absence of protection
and an SA, then the traffic is sent in the clear. So adding NULL
auth/crypto iSA is a means to describe that the peer should not be sent
traffic.
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I7ad2d466cc74eb7ff8c4c84e0d7897d06e2fcf86
|
|
Type: improvement
Change-Id: I0c82722dfce990345fe6eeecdb335678543367e0
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: improvement
Change-Id: Ica75c4e43d6198658a1954640c7ac56ea68bb39a
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
Change-Id: I6fdc4e952097e92ac3aa53e0be3ef99e0d801b28
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
The syntax of the deprecated flag has evolved.
Clean up usage to be "option deprecated;".
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: If2b639f275eb8db58b36c457f9245fe35a4d8cb1
|
|
Not all ESP crypto algorithms require padding/alignment to be the same
as AES block/IV size. CCM, CTR and GCM all have no padding/alignment
requirements, and the RFCs indicate that no padding (beyond ESPs 4 octet
alignment requirement) should be used unless TFC (traffic flow
confidentiality) has been requested.
CTR: https://tools.ietf.org/html/rfc3686#section-3.2
GCM: https://tools.ietf.org/html/rfc4106#section-3.2
CCM: https://tools.ietf.org/html/rfc4309#section-3.2
- VPP is incorrectly using the IV/AES block size to pad CTR and GCM.
These modes do not require padding (beyond ESPs 4 octet requirement), as
a result packets will have unnecessary padding, which will waste
bandwidth at least and possibly fail certain network configurations that
have finely tuned MTU configurations at worst.
Fix this as well as changing the field names from ".*block_size" to
".*block_align" to better represent their actual (and only) use. Rename
"block_sz" in esp_encrypt to "esp_align" and set it correctly as well.
test: ipsec: Add unit-test to test for RFC correct padding/alignment
test: patch scapy to not incorrectly pad ccm, ctr, gcm modes as well
- Scapy is also incorrectly using the AES block size of 16 to pad CCM,
CTR, and GCM cipher modes. A bug report has been opened with the
and acknowledged with the upstream scapy project as well:
https://github.com/secdev/scapy/issues/2322
Ticket: VPP-1928
Type: fix
Signed-off-by: Christian Hopps <chopps@labn.net>
Change-Id: Iaa4d6a325a2e99fdcb2c375a3395bcfe7947770e
|
|
The issue is not easily hit. When GRE_teb packets are received the post
crypto processing adjusts the l2.l2_len value in the vnet_buffer opaque
data. This is overwriting the ipsec opaque data. Later the trace code
fetches the sa_index from the ipsec opaque data. It's just an accident
that this currently works, if the ipsec data is changed so that the
sa_index moves around it will be overwritten by the l2_len modification.
Indeed, this was found b/c local development changes had moved the
sa_index so it was over-lapping with the l2_len memory space, and the UT
failed.
Type: fix
Change-Id: Iaecfa750cf0b36653fd9e75b4d799f323a14d932
Signed-off-by: Christian Hopps <chopps@labn.net>
|
|
Add missing cli options for setting IPsec SA flags, inbound,
use-anti-replay, and use-esn.
Type: fix
Change-Id: Ia7a91b4b0a12be9e4dd0e684be3e04d8ccafb9d4
Signed-off-by: Christian Hopps <chopps@labn.net>
|
|
Type: improvement
Signed-off-by: Yulong Pei <yulong.pei@intel.com>
Change-Id: I841f4407ed8c1a448e5102059fc79ae1f7d461de
|
|
Type: feature
Change-Id: Ib5d7b7e4735a5dec6c3ed74068206a86782588ca
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
Signed-off-by: Milan Lenco <milan.lenco@pantheon.tech>
Change-Id: Ic8db52b41d7e5af3425099f008984e50afb3da74
|
|
Type: fix
Change-Id: Ia5c1f928f6752314b278127d2446e973f03a5da8
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: feature
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: Ie8bd50df163aea2798e9f9d35a13dcadc4a4a4b2
|
|
Type: fix
we can probably do better, but for now this is needed
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I07161f5ac07a70a0e6db6608ba31659d9bc2c9ed
|
|
In case there is no free space in first buffer for ICV and footer,
additional buffer will be added, but esp_encrypt will stay in single
buffer mode.
The issue happens for the following payload sizes:
- TCP packets with payload 1992
- ICMP packets with payload 2004
This fix moves the single/chained buffer ops selection to after
esp_add_footer_and_icv call.
Type: fix
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Signed-off-by: PiotrX Kleski <piotrx.kleski@intel.com>
Change-Id: Ic5ceba418f738933f96edb3e489ca2d149033b79
|
|
Type: feature
the es4-encrypt and esp6-encrypt nodes need to be siblings so they both have the same edges for the DPO on which the tunnel mode SA stacks.
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I2126589135a1df6c95ee14503dfde9ff406df60a
|
|
Type: feature
thus allowing NAT traversal,
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: Ie8650ceeb5074f98c68d2d90f6adc2f18afeba08
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
|
|
Type: improvement
- inline some common encap fixup functions into the midchain
rewrite node so we don't incur the cost of the virtual function call
- change the copy 'guess' from ethernet_header (which will never happen) to an ip4 header
- add adj-midchain-tx to multiarch sources
- don't run adj-midchain-tx as a feature, instead put this node as the
adj's next and at the end of the feature arc.
- cache the feature arc config index (to save the cache miss going to fetch it)
- don't check if features are enabled when taking the arc (since we know they are)
the last two changes will also benefit normal adjacencies taking the arc (i.e. for NAT, ACLs, etc)
for IPSec:
- don't run esp_encrypt as a feature, instead when required insert this
node into the adj's next and into the end of the feature arc. this
implies that encrypt is always 'the last feature' run, which is
symmetric with decrypt always being the first.
- esp_encrpyt for tunnels has adj-midchain-tx as next node
Change-Id: Ida0af56a704302cf2d7797ded5f118a781e8acb7
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: feature
Signed-off-by: Damjan Marion <damarion@cisco.com>
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com>
Signed-off-by: Dariusz Kazimierski <dariuszx.kazimierski@intel.com>
Signed-off-by: Piotr Kleski <piotrx.kleski@intel.com>
Change-Id: I4c3fcccf55c36842b7b48aed260fef2802b5c54b
|
|
Type: fix
Change-Id: I0f12c19b79df19b692f18ac13d6c32341853b764
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
add bypass/discard functionality to ipsec4-input-feature node
Type: feature
Signed-off-by: ShivaShankarK <shivaashankar1204@gmail.com>
Change-Id: I152a5dfee0296109cccabe349a330dbbe395cc6c
|
|
Type: fix
Change-Id: I1068ff1d03883addb5fe1005a8b608eab17e4168
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: fix
There is a statically allocated array for inbound SAs which can hold
4 IDs. The input parameter containing the IDs of th inbound SAs is a
vector and Its possible to pass a vector with more than 4 elements
and write the memory past the end of the array. Fail if more than 4
SAs are passed in the vector.
Change-Id: I0c9d321c902d6366b8aff816d04e343dcbd110eb
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Type: improvement
When IPsec SAs are dumped, include the index that can be used to
find byte & packet counters for the SA in the stat segment.
Removed the field total_data_size from the details since it was not
being populated and put the stat index field in its place.
Change-Id: If73efc230542a11944551b6e710b57b575450da3
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Type: fix
The data populated into an ipsec_tunnel_protect_details message includes
an outbound SA and a list of inbound SAs for a tunnel interface. These
are populated with SA indices. The values used by an API client
to refer to an SA in other messages is the SA id rather than the index.
Use the SA id instead of the index.
Change-Id: Ifaad32801092a7f87bd0dcf19de418d36613f8dd
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
This fixes a special case when buffer chain enters decrypt node
and becomes a single buffer after decryption.
Type: fix
Change-Id: Id5da9e8a074f83ec3561949631ce613f35528312
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Now UDP enacapsulation doesn't work in transport mode with crypto
algorithms that have iv_sz=8 like AES GCM or 3DES CBC. That happens
because the inserted UDP header overlaps with the old IP header and
gets filled before the information from the old IP header can be
copied to a new IP header. The result is a broken packet:
00:03:39:620863: esp4-encrypt-tun
esp: sa-index 3 spi 3464048590 (0xce792fce) seq 31 sa-seq-hi 0
crypto aes-gcm-128 integrity none udp-encap-enabled
00:03:39:620867: adj-midchain-tx
...
00:03:39:620868: ip4-rewrite
...
00:03:39:620869: GigabitEthernet0/8/0-output
GigabitEthernet0/8/0
IP4: 08:00:27:a9:6b:d6 -> 08:00:27:5a:dd:0c
UDP: 10.255.0.10 -> 10.255.0.20
version 0, header length 0
tos 0x80, ttl 63, length 0, checksum 0x653e (should be 0xffff)
dscp CS4 ecn NON_ECN
fragment id 0x0000
UDP: 128 -> 0
length 0, checksum 0x0000
00:03:39:620870: GigabitEthernet0/8/0-tx
GigabitEthernet0/8/0 tx queue 0
...
IP4: 08:00:27:a9:6b:d6 -> 08:00:27:5a:dd:0c
UDP: 10.255.0.10 -> 10.255.0.20
version 0, header length 0
tos 0x80, ttl 63, length 0, checksum 0x653e (should be 0xffff)
dscp CS4 ecn NON_ECN
fragment id 0x0000
UDP: 128 -> 0
length 0, checksum 0x0000
With this commit, fill UDP header after copying the IP headers in
transport mode.
Type: fix
Change-Id: Ie9a6e562aa05a8378114329d6a9ff395189fa6a8
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
|
|
This reverts commit c2c1bfd9b72aec88526c06479b128725eb525866.
Reason for revert: Seems it's breaking ipsec esp tests
Type: fix
Change-Id: Iac590eee23cbf92a10c62dafa789aa9c3b2284dd
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
This fixes a special case when buffer chain enters decrypt node
and becomes a single buffer after decryption.
Type: fix
Change-Id: I1d4da029b952baa97400adb7173aa63fd97d916b
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
If "no-tunnel" error erises, you will not see it in the "show errors"
output because the packet will be punted. That fact complicates
troubleshooting.
Type: improvement
Change-Id: Ic08347f81131a4a73a05b66acbfb02797373f5ab
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
|
|
Type: fix
Change-Id: I1ba921503a41ca37ce5c920682893617740571a9
Signed-off-by: Rajesh Goel <rajegoel@cisco.com>
|
|
Type: feature
Change-Id: Ifee2b3dca85ea915067b9285e3636802bf0c19a8
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Change-Id: I901c9384710eee5847b3fbce060c78e115ba4169
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Use consistent API types.
Change vl_api_ipsec_proto_t to iana values:
ESP 50,
AH 51,
Type: fix
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
Change-Id: I2becefb343246e0233f290fefbfdd172d8237325
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
|
|
External IKE daemons need to be able to flag an SA as inbound (just as
the included ike plugin does). This commit adds this flag to the API.
This change is backward bug-compatible as not setting the flag (old
clients) continues to mean all SAs are created as outbound and fib nodes
are created for them. The addition of this flag inhibits this forwarding
node creation as well as properly flagging the SA as inbound.
Ticket: VPP-1845
Type: fix
Signed-off-by: Christian Hopps <chopps@labn.net>
Change-Id: I195e32c430e51155fac2d9f33671e06ef42a3f7f
|
|
This reverts commit 666ece35cd2625bbd8b6ddadb6e87444a617df4d.
Reason for revert: Awaiting CSIT CRC job to catch up
Type: fix
Change-Id: Ib38bbd5879ff761496a6819186f1af1dbee48590
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Use consistent API types.
Change vl_api_ipsec_proto_t to iana values:
ESP 50,
AH 51,
Type: fix
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
Change-Id: Ic961130ffa519d1c904d872c34f9a7461b1be77e
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
|
|
Type: improvement
when using vlib_buffer_enqueue_to_next the 'nexts' parameter is an array
of u16, but vnet_feautre_next takes a u32. this is a simple wrapper to
address the impedence mismatch.
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I0fa86629e979e313344eb68442dc35a7b9537a8f
|
|
Type: improvement
allow clients that allocate punt reasons to pass a callback function
that is invoked when the first/last client registers to use/listen on
that punt reason. This allows the client to perform some necessary
configs that might not otherwise be enabled.
IPSec uses this callback to register the ESP proto and UDP handling
nodes, that would not otherwise be enabled unless a tunnel was present.
Change-Id: I9759349903f21ffeeb253d4271e619e6bf46054b
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: feature
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: Iaba2ab11bfaa1c8db4023434e3043ac39500f938
|
|
Add an ALWAYS_ASSERT (...) macro, to (a) shut up coverity, and (b)
check the indicated condition in production images.
As in:
p = hash_get(...);
ALWAYS_ASSERT(p) /* was ASSERT(p) */
elt = pool_elt_at_index(pool, p[0]);
This may not be the best way to handle a specific case, but failure to
check return values at all followed by e.g. a pointer dereference
isn't ok.
Type: fix
Ticket: VPP-1837
Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: Ia97c641cefcfb7ea7d77ea5a55ed4afea0345acb
|
|
Type: feature
Change-Id: Ie072a7c2bbb1e4a77f7001754f01897efd30fc53
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Change-Id: I0c9640dab2c0eaba369bc8f3ff7ae56d8e97e170
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: style
Change-Id: Ifda9597bf4aee89cf1dfd287429a2772fed8f535
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Ticket: VPP-1831
Signed-off-by: John Lo <loj@cisco.com>
Change-Id: I655964b22021ac38cbced577091a1156286d4fd6
|
|
Type: feature
plus fixes for gre
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I0eca5f94b8b8ea0fcfb058162cafea4491708db6
|
|
Type: refactor
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I18dcdb7af3e327f6cacdbcb1e52b89f13d6ba6e2
|
|
Type: fix
Change-Id: Iff9b1960b122f7d326efc37770b4ae3e81eb3122
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: docs
Signed-off-by: John DeNisco <jdenisco@cisco.com>
Change-Id: I7280e5c5ad10a66c0787a5282291a2ef000bff5f
|
|
Type: docs
Change-Id: I9cb093589b84fdca3f4239da90c431e8bc4d74f1
Signed-off-by: Neale Ranns <nranns@cisco.com>
|