summaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec
AgeCommit message (Collapse)AuthorFilesLines
2019-02-11ipsec: multi-arch, next-node-index cleanupKingwel Xie4-27/+52
1. specify ipsec_xxx_node.c in MULTIARCH_SOURCES 2. cleanup foreach_ipsec_output_next & foreach_ipsec_input_next, as next-nodes are actually added by ipsec_register_xx_backend dynamically thus, ipsec4-input-feature will point to ah4/esp4-encrypt, instead of pointing to ah6/esp6-encrypt 3. remove an unused count and add counter IPSEC_INPUT_ERROR_RX_MATCH_PKTS in ipsec-input Change-Id: Ifcf167812d2cc18187c2cea84b657a52b67e17d4 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2019-02-07IPSEC: remove unused members of main structNeale Ranns1-4/+0
Change-Id: Ib55deb620f4f58cac07da7cb69418a3a30ff3136 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-07IPSEC: no second lookup after tunnel encapNeale Ranns14-443/+713
in the same maaner as with other tunnel tyeps we use the FIB to cache and track the destination used to reach the tunnel endpoint. Post encap we can then ship the packet straight to this adjacency and thus elide the costly second lookup. - SA add and del function so they can be used both directly from the API and for tunnels. - API change for the SA dump to use the SA type - ipsec_key_t type for convenience (copying, [un]formating) - no matching tunnel counters in ipsec-if-input Change-Id: I9d144a59667f7bf96442f4ca66bef5c1d3c7f1ea Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-05IPSEC: SPD counters in the stats sgementNeale Ranns12-505/+411
- return the stats_index of each SPD in the create API call - no ip_any in the API as this creates 2 SPD entries. client must add both v4 and v6 explicitly - only one pool of SPD entries (rhter than one per-SPD) to support this - no packets/bytes in the dump API. Polling the stats segment is much more efficient (if the SA lifetime is based on packet/bytes) - emit the policy index in the packet trace and CLI commands. Change-Id: I7eaf52c9d0495fa24450facf55229941279b8569 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-04ipsec: cli 'create ipsec tunnel' more optionsKingwel Xie1-3/+7
use-esp use-anti-replay Change-Id: I977b65eee926adaded0cb923e14feb0ee90fc32c Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2019-02-01IPSEC: minor refactorNeale Ranns10-754/+999
No function change. Only breaking the monster ipsec.[hc] into smaller constituent parts Change-Id: I3fd4d2d041673db5865d46a4002f6bd383f378af Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-01-31IPSEC: API modernisationNeale Ranns3-257/+396
- use enums to enumerate the algoritms and protocols that are supported - use address_t types to simplify encode/deocde - use typedefs of entry objects to get consistency between add/del API and dump Change-Id: I7e7c58c06a150e2439633ba9dca58bc1049677ee Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-01-30ipsec: fix check support functionsKlement Sekera2-5/+17
Change-Id: If94c57fbb07a7376a9f2873e1489c00b28152620 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2019-01-28Add Ipsec IKE support to openssl 3.0.0 master branchPing Yu1-0/+24
Change-Id: I7bd43f57d23b1ecf031530c4a7508f949ddf616f Signed-off-by: Ping Yu <ping.yu@intel.com>
2019-01-25IPSEC: tests use opbject registryNeale Ranns1-1/+11
this means we test the dumps - to some extent Change-Id: I8d90745701012012b41a7b3aaf9be97b4dd2bdf8 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-01-24IPSEC Tests: to per-test setup and tearDownNeale Ranns1-4/+4
don't do the setup and teardown in class methods so that with each test the config is added and deleted. that way we test that delete actually removes state. more helpful error codes from VPP for existing IPSEC state. Change-Id: I5de1578f73b935b420d4cdd85aa98d5fdcc682f6 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-01-23AH encrypt; don't double enqueue nor emit clib_warnings when seq-num max ↵Neale Ranns1-5/+0
exceeded Change-Id: Id5b47f78521a0cbedf7bd2c72babfb2ffe9fa67d Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-01-20fix data_length in IpSec API call (VPP-1548)Michal Cmarada1-4/+6
Change-Id: Idb2839f6082bd2e052be2bc5417f0ebb43d1c0a6 Signed-off-by: Michal Cmarada <mcmarada@cisco.com>
2019-01-02ipsec: fix support check when using AES-GCMMatthew Smith1-10/+15
When adding an IPsec SA, ipsec_check_support_cb() is called. This invokes a callback for AH and a callback for ESP to check if the algorithms are supported. When using AES-GCM on an ESP SA with the DPDK IPsec backend selected, the AH callback fails. The DPDK IPsec backend has no AH support, so the callback for the default OpenSSL backend is invoked. This checks whether the crypto algorithm is AES-GCM and returns failure. Only invoke the callback to check support for the IPsec protocol of the SA - either AH or ESP rather than doing both. Change-Id: Ic10be6a17b580d06ffb7e82ef5866e53a4f8b525 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-12-12fix spurious error setting SA on ipsec intfMatthew Smith1-1/+1
Reverse the polarity on test to determine if old SA session deletion succeeded. 0 == success, not failure. Change-Id: I499cb04c7f13165e6c92367d4385057b77fe3836 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-12-12Change ipsec feature node namesPierre Pfister4-24/+24
ipsec4-output and ipsec6-output were conflicting with ipsec interface names ("ipsec<id>") and vnet/interface.c autogenerated output node ("<ifname>-output"). Changing feature names seems to be the less invasive option. This patch also changes "input" feature names for consistency. Change-Id: I4ba10d07e9ba09df20aa2500104252b06b55f8f7 Signed-off-by: Pierre Pfister <ppfister@cisco.com>
2018-12-11Add IPSec interface FIB index for TX packetPierre Pfister6-6/+36
This patch adds a configuration parameter to IPSec tunnels, enabling custom FIB selection for encapsulated packets. Although this option could also be used for policy-based IPSec, this change only enables it for virtual-tunnel-interface mode. Note that this patch does change the API default behavior regarding TX fib selection for encapsulated packets. Previous behavior was to use the same FIB after and before encap. The new default behavior consists in using the FIB 0 as default. Change-Id: I5c212af909940a8cf6c7e3971bdc7623a2296452 Signed-off-by: Pierre Pfister <ppfister@cisco.com>
2018-12-11Fix [csit-dev] CSIT IPv6 IPSec transport mode tests are failingjackiechen19851-1/+9
Change-Id: I7893a8fd5b3e15063675597c0e9bd1cd0b49ef0e Signed-off-by: jackiechen1985 <xiaobo.chen@tieto.com>
2018-12-07Fix VPP-1515 IPSec receive packet error in transport mode with udp encapjackiechen19852-4/+14
Change-Id: Ife66395b89e1e9f9206666e5f0fd441b3c241bb2 Signed-off-by: jackiechen1985 <xiaobo.chen@tieto.com>
2018-12-04ipsec: simplify bumping counters - cosmetic changeKlement Sekera4-116/+35
Change-Id: Ibb55427ed49d0277854a352922c6c4bb007bf072 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-12-03Add UDP encap flagFilip Tehlar2-0/+3
Change-Id: Ic6a8b9aaec7e5dee4fb1971168988dbe4f931f86 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2018-12-02IPSEC-AH: anti-replay testingNeale Ranns2-6/+9
Change-Id: Ia5d45db73e4bdb32214ed4f365d5eec8e28115f3 Signed-off-by: Neale Ranns <nranns@cisco.com>
2018-11-30IPSEC-AH: fix packet dropNeale Ranns2-7/+0
Change-Id: I45b97cfd0c3785bfbf6d142d362bd3d4d56bae00 Signed-off-by: Neale Ranns <nranns@cisco.com>
2018-11-29ipsec: move ipsec defs to ipsec.hKlement Sekera2-51/+54
Change-Id: Ia3dcd98edb6188deb96a3a99d831e71b2ffa0060 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-11-26Fix IPSec CLI key parsingPierre Pfister2-4/+11
strncpy stops copying when a byte set to 0 is read. The fix is to use mempcy instead. This patch also adds spd id to ipsec input trace. Change-Id: Ibed071d3607fa76c3f6ee065f94128f1aca9b2e2 Signed-off-by: Pierre Pfister <ppfister@cisco.com>
2018-11-20IPSEC: remove duplicate memcyNeale Ranns1-6/+0
Change-Id: If91257fa23ba74c09e5c3b5528eb2fd4c4b36b6a Signed-off-by: Neale Ranns <nranns@cisco.com>
2018-11-15ipsec: infra for selecting backendsKlement Sekera6-177/+622
Change-Id: Ifa6d8391b1b2413a88b7720fc434e0bc849a149a Signed-off-by: Klement Sekera <ksekera@cisco.com> Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-11-14Remove c-11 memcpy checks from perf-critical codeDave Barach4-42/+43
Change-Id: Id4f37f5d4a03160572954a416efa1ef9b3d79ad1 Signed-off-by: Dave Barach <dave@barachs.net>
2018-11-13ipsec: fix typoKlement Sekera1-1/+1
Change-Id: I04c59bbe1780e7289cb27a0a912803812fdc297e Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-11-05VPP-1450: binary api call for dumping SPD to interface registrationFilip Varga2-1/+81
Change-Id: Idd4a5f8bab5d39e5f33f5c130601175af70a20d4 Signed-off-by: Filip Varga <filip.varga@pantheon.tech>
2018-10-29migrate ipsec to new multiarch infraKlement Sekera7-73/+42
Change-Id: Ibef46e068cd72415af28920b0146adf48105bf68 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-10-25buffer trace is broken in ipsec-output. copy it from node->flags to ↵Kingwel Xie1-0/+5
frame->frame_flags Change-Id: I56b573b5da04a27766bcbcafbd5438555424f2e7 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2018-10-23c11 safe string handling supportDave Barach11-39/+39
Change-Id: Ied34720ca5a6e6e717eea4e86003e854031b6eab Signed-off-by: Dave Barach <dave@barachs.net>
2018-10-23ipsec: fix wrong counter bumpKlement Sekera1-1/+1
Change-Id: I5105b688ef3df2c949ba09e1e90c1b8913502388 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-10-22ipsec: split ipsec nodes into ip4/ip6 nodesKlement Sekera10-311/+502
Change-Id: Ic6b27659f1fe9e8df39e80a0441305e4e952195a Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-10-03ipsec: add missing ipv6 ah code & ipv6 testsKlement Sekera4-27/+103
Change-Id: I89e90193ded1beb6cb0950c15737f9467efac1c3 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-10-02IPsec: add API for SPDs dump (VPP-1363)Matus Fabian2-1/+60
Change-Id: I36e6878712c394de629a9182d2af24c53a8f811d Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-26forget to assign spd_index to configKingwel Xie1-0/+2
Change-Id: I35dcb987edf11097f34a633ac36d87cecd12088f Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2018-09-24Trivial: Clean up some typos.Paul Vinciguerra6-10/+10
Change-Id: I085615fde1f966490f30ed5d32017b8b088cfd59 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2018-08-30Add SHA2 support to IKEv2 implementationBerenger Foucher2-8/+89
The following patch adds a stronger cryptographic suite to IKEv2 implementation. The following algorithms can now be used for integrity checking in IKEv2 implementation (responder and initiator): - hmac-sha2-256-128 - hmac-sha2-384-192 - hmac-sha2-512-256 The default integrity checking method was set to hmac-sha2-256-128. The default PRF function was set sha2-256. Change-Id: Ia82b4cbbf3067b19b8487040dbefbaf4c9319548 Signed-off-by: Berenger Foucher <berenger.foucher@stagiaires.ssi.gouv.fr>
2018-08-03ipsec: add udp-encap option to debug cli commandsRadu Nicolau5-10/+17
Change-Id: I3195afd952f6783da87224d7ceb9df13ddd39459 Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
2018-07-19Remove unused argument to vlib_feature_nextDamjan Marion2-10/+3
Change-Id: Ieb8b53977fc8484c19780941e232ee072b667de3 Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-07-13VPP-1338: fix ipsec api coverity warningsDave Barach1-4/+3
Remove useless unsigned comparisions: "(unsigned) value < 0", correct a couple of incorrect limit checks. Change-Id: I9606c4057df157f770d59535457cb9df1cfd1f35 Signed-off-by: Dave Barach <dave@barachs.net>
2018-07-11avoid using thread local storage for thread indexDamjan Marion4-7/+7
It is cheaper to get thread index from vlib_main_t if available... Change-Id: I4582e160d06d9d7fccdc54271912f0635da79b50 Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-07-08Fix IPsec intf tx node setup at intf creationMatthew Smith1-2/+2
When using a DPDK cryptodev with IPsec, sending outbound packets results in a crash on division by zero if using an algorithm not supported by the OpenSSL ESP nodes. This includes AES-GCM and MD5. At IPsec intf creation time, the next node at slot IPSEC_OUTPUT_NEXT_ESP_ENCRYPT for ipsec_if_tx_node_fn is set to the node named esp-encrypt. This is the OpenSSL ESP encrypt function. If DPDK cryptodevs are configured, dpdk-esp-encrypt is the correct next node. Change to setting the next node according to the value in ipsec_main.esp_encrypt_node_index. That value is set to esp-encrypt by default. If DPDK cryptodevs are configured it gets set to dpdk-esp-encrypt. Change-Id: I83896c76b975d74aead247a162c85eccca9575a8 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-07-04fix VPP-1312 Invalid UDP packet length in ipsecKlement Sekera1-1/+2
Change-Id: Ibfd0a2e7010e6e74c32244c538f60e0713bea03f Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-06-29ipsec: fix VPP-1333 - crash in ipsec policy cliKlement Sekera1-0/+6
Change-Id: I843d094b6bbd1cefba82d6026174be005e66d510 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-06-24Revert "Revert "ipsec: VPP-1316 calculate IP/TCP/UDP inner checksums""Klement Sekera5-194/+180
This reverts commit e0d2bd6bd7fc59c0c6ac48195d7f825dc99bfd91. Change-Id: If491e16f9ea66b2493a6a7c7f3c684ed585f8f51 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-06-22Revert "ipsec: VPP-1316 calculate IP/TCP/UDP inner checksums"Ole Troan5-180/+194
This reverts commit a98346f664aae148d26a8e158008b773d73db96f. Change-Id: Iee5b3a5ddff0e8fd3a30fe5973cee24de434fe12 Signed-off-by: Ole Troan <ot@cisco.com>
2018-06-21ipsec: VPP-1316 calculate IP/TCP/UDP inner checksumsKlement Sekera5-194/+180
Calculate IP/TCP/UDP checksums in software before adding authentication. Change-Id: I3e121cb00aeba667764f39ade8d62170f18f8b6b Signed-off-by: Klement Sekera <ksekera@cisco.com>