Age | Commit message (Collapse) | Author | Files | Lines |
|
If "no-tunnel" error erises, you will not see it in the "show errors"
output because the packet will be punted. That fact complicates
troubleshooting.
Type: improvement
Change-Id: Ic08347f81131a4a73a05b66acbfb02797373f5ab
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
|
|
Type: fix
Change-Id: I1ba921503a41ca37ce5c920682893617740571a9
Signed-off-by: Rajesh Goel <rajegoel@cisco.com>
|
|
Type: feature
Change-Id: Ifee2b3dca85ea915067b9285e3636802bf0c19a8
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Change-Id: I901c9384710eee5847b3fbce060c78e115ba4169
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Use consistent API types.
Change vl_api_ipsec_proto_t to iana values:
ESP 50,
AH 51,
Type: fix
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
Change-Id: I2becefb343246e0233f290fefbfdd172d8237325
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
|
|
External IKE daemons need to be able to flag an SA as inbound (just as
the included ike plugin does). This commit adds this flag to the API.
This change is backward bug-compatible as not setting the flag (old
clients) continues to mean all SAs are created as outbound and fib nodes
are created for them. The addition of this flag inhibits this forwarding
node creation as well as properly flagging the SA as inbound.
Ticket: VPP-1845
Type: fix
Signed-off-by: Christian Hopps <chopps@labn.net>
Change-Id: I195e32c430e51155fac2d9f33671e06ef42a3f7f
|
|
This reverts commit 666ece35cd2625bbd8b6ddadb6e87444a617df4d.
Reason for revert: Awaiting CSIT CRC job to catch up
Type: fix
Change-Id: Ib38bbd5879ff761496a6819186f1af1dbee48590
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Use consistent API types.
Change vl_api_ipsec_proto_t to iana values:
ESP 50,
AH 51,
Type: fix
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
Change-Id: Ic961130ffa519d1c904d872c34f9a7461b1be77e
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
|
|
Type: improvement
when using vlib_buffer_enqueue_to_next the 'nexts' parameter is an array
of u16, but vnet_feautre_next takes a u32. this is a simple wrapper to
address the impedence mismatch.
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I0fa86629e979e313344eb68442dc35a7b9537a8f
|
|
Type: improvement
allow clients that allocate punt reasons to pass a callback function
that is invoked when the first/last client registers to use/listen on
that punt reason. This allows the client to perform some necessary
configs that might not otherwise be enabled.
IPSec uses this callback to register the ESP proto and UDP handling
nodes, that would not otherwise be enabled unless a tunnel was present.
Change-Id: I9759349903f21ffeeb253d4271e619e6bf46054b
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: feature
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: Iaba2ab11bfaa1c8db4023434e3043ac39500f938
|
|
Add an ALWAYS_ASSERT (...) macro, to (a) shut up coverity, and (b)
check the indicated condition in production images.
As in:
p = hash_get(...);
ALWAYS_ASSERT(p) /* was ASSERT(p) */
elt = pool_elt_at_index(pool, p[0]);
This may not be the best way to handle a specific case, but failure to
check return values at all followed by e.g. a pointer dereference
isn't ok.
Type: fix
Ticket: VPP-1837
Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: Ia97c641cefcfb7ea7d77ea5a55ed4afea0345acb
|
|
Type: feature
Change-Id: Ie072a7c2bbb1e4a77f7001754f01897efd30fc53
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Change-Id: I0c9640dab2c0eaba369bc8f3ff7ae56d8e97e170
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: style
Change-Id: Ifda9597bf4aee89cf1dfd287429a2772fed8f535
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Ticket: VPP-1831
Signed-off-by: John Lo <loj@cisco.com>
Change-Id: I655964b22021ac38cbced577091a1156286d4fd6
|
|
Type: feature
plus fixes for gre
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I0eca5f94b8b8ea0fcfb058162cafea4491708db6
|
|
Type: refactor
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I18dcdb7af3e327f6cacdbcb1e52b89f13d6ba6e2
|
|
Type: fix
Change-Id: Iff9b1960b122f7d326efc37770b4ae3e81eb3122
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: docs
Signed-off-by: John DeNisco <jdenisco@cisco.com>
Change-Id: I7280e5c5ad10a66c0787a5282291a2ef000bff5f
|
|
Type: docs
Change-Id: I9cb093589b84fdca3f4239da90c431e8bc4d74f1
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
Change-Id: I63d4df68eed6589763b5ce62bcd7f3fd867c60e1
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
1 - big packets; chained buffers and those without enoguh space to add
ESP header
2 - IPv6 extension headers in packets that are encrypted/decrypted
3 - Interface protection with SAs that have null algorithms
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: Ie330861fb06a9b248d9dcd5c730e21326ac8e973
|
|
Type: fix
Change-Id: I5cb9a3845ddbc5f4de4eb4e9c481f606fe5cec9a
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
in transport mode the header sequence is:
MAC - IP (tun) - ESP - GRE - L2
so popping the GRE header is done in the ESP decrypt node.
Change-Id: Ia125eb65b9300368617d2bffca09683851e43be0
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
the sequence number increment and the anti-replay window
checks must be atomic. Given the vector nature of VPP we
can't simply use atomic increments for sequence numbers,
since a vector on thread 1 with lower sequence numbers could
be 'overtaken' by packets on thread 2 with higher sequence
numbers.
The anti-replay logic requires a critical section, not just
atomics, and we don't want that.
So when the SA see the first packet it is bound to that worker
all subsequent packets, that arrive on a different worker,
are subject to a handoff.
Type: feature
Change-Id: Ia20a8645fb50622ea6235ab015a537f033d531a4
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
Change-Id: Idf4d0b59a1eb2c739a67a4786470884050f81561
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: feature
Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: I2272521d6e69edcd385ef684af6dd4eea5eaa953
|
|
This helps GCC understand the memcpy will not overflow pad_data. GCC-6
(default on Debian 9) in particular got confused.
Type: fix
Change-Id: I176eb01531b9d5c7ebec40f015e510b2d56e77c4
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: feature
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I9467f11775936754406892b8e9e275f989ac9b30
|
|
Type: fix
Signed-off-by: Prashant Maheshwari <pmahesh2@cisco.com>
Change-Id: I81b937fc8cfec36f8fb5de711ffbb02f23f3664e
Signed-off-by: Prashant Maheshwari <pmahesh2@cisco.com>
|
|
IPsec writes trailing data at the end of the buffer without checking
if there is enough space. If the packet length equals buffer size this
leads to rewiting of the next buffer header in the pool.
Type: fix
Change-Id: Iceb27bb724c7243863a4b532aad0808051b7d74c
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: If41f154c354772f5b32cfd35ea231b8f59c2c0c5
|
|
Type: fix
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I6bb6c6be62f98ac9a059469c81a5f4476b96e96e
|
|
APIs for dedicated IPSec tunnels will remain in this release and are
used to programme the IPIP tunnel protect. APIs will be removed in a
future release.
see:
https://wiki.fd.io/view/VPP/IPSec
Type: feature
Change-Id: I0f01f597946fdd15dfa5cae3643104d5a9c83089
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Make sure packet is big enough before processing it.
Policy matching is done speculatively but is discarded if packet is too
short.
Type: fix
Change-Id: I647db2c4e568b0d9bf2cfd5056e1b1c2e25132fe
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Do not copy invalid seq number if packet is too small.
Type: fix
Change-Id: I1e78f5920e9645521f57efccaf35bbf9ce0676a8
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: fix
Change-Id: I382499061ff4b1c2cc1b70ebbf9725ff0e1be325
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Change-Id: I4d5546d1f9b3a162291997f6f0c094c5c3d6cf31
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
When deleting interface from the API, 'hi' gets removed before
'h->sw_if_index' is copied.
Type: fix
Change-Id: I8e10108e9bdf95ab2fe002790d98262d583ca58c
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
If specified, shows keys, otherwise redacts. This change sets this flag
in the existing CLI code (thus maintaining the old behavior). The use
case for not specifying the insecure flag (and thus redacting the keys
from the show output) is for log messages.
Type: feature
Signed-off-by: Christian E. Hopps <chopps@chopps.org>
Change-Id: I8c0ab6a9a8aba7c687a2559fa1a23fac9d0aa111
|
|
Type: feature
Change-Id: Ib2352ca4c7abf4645f21fa16aaaf27408890a2bf
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
Change-Id: I5a5461652f8115fa1270e20f748178fb5f5450f2
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Credits to ray.kinsella@intel.com who spotted the issue and identified
root cause.
Type: fix
Change-Id: I4afe74c47769484309f6aebca2de56ad32c8041f
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: feature
with detail option prints all details for all SAs
Change-Id: Ic3c423c085dfc849cf9c3e18a6f624b82150d961
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
Ticket: VPP-1756
the block-size was set to 0 resulting in incorrect placement of the ESP
footer.
add tests for NULL encrypt + integ.
Change-Id: I8ab3afda8e68f9ff649540cba3f2cac68f12bbba
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
This algorithm was missed in last improvements.
Type:fix
Signed-off-by: Dmitry Vakhrushev <dmitry@netgate.com>
Change-Id: Ib818cbdcdd1a6f298e8b0086dac4189cc201baa3
|
|
Type: fix
Change-Id: I1fa8c5326d6f22cfb8dd40e97d8a22d11a716922
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
Change-Id: I0c9353598d3c9b7ea587ea8a2b6e1faa5454843d
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
Several Fixes:
1 - Anti-replay did not work with GCM becuase it overwrote the sequence
number in the ESP header. To fix i added the seq num to the per-packet
data so it is preserved
2 - The high sequence number was not byte swapped during ESP encrypt.
3 - openssl engine was the only one to return FAIL_DECRYPT for bad GCM
the others return BAD_HMAC. removed the former
4 - improved tracing to show the low and high seq numbers
5 - documented the anti-replay window checks
6 - fixed scapy patch for ESN support for GCM
7 - tests for anti-reply (w/ and w/o ESN) for each crypto algo
Change-Id: Id65d96b6d1d4dd821b2ab557e87468fff6d70e5b
Signed-off-by: Neale Ranns <nranns@cisco.com>
|