Age | Commit message (Collapse) | Author | Files | Lines |
|
1. specify ipsec_xxx_node.c in MULTIARCH_SOURCES
2. cleanup foreach_ipsec_output_next & foreach_ipsec_input_next,
as next-nodes are actually added by ipsec_register_xx_backend dynamically
thus, ipsec4-input-feature will point to ah4/esp4-encrypt, instead of
pointing to ah6/esp6-encrypt
3. remove an unused count and add counter IPSEC_INPUT_ERROR_RX_MATCH_PKTS
in ipsec-input
Change-Id: Ifcf167812d2cc18187c2cea84b657a52b67e17d4
Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
|
|
Change-Id: Ib55deb620f4f58cac07da7cb69418a3a30ff3136
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
in the same maaner as with other tunnel tyeps we use
the FIB to cache and track the destination used to reach
the tunnel endpoint. Post encap we can then ship the packet
straight to this adjacency and thus elide the costly second
lookup.
- SA add and del function so they can be used both directly
from the API and for tunnels.
- API change for the SA dump to use the SA type
- ipsec_key_t type for convenience (copying, [un]formating)
- no matching tunnel counters in ipsec-if-input
Change-Id: I9d144a59667f7bf96442f4ca66bef5c1d3c7f1ea
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
- return the stats_index of each SPD in the create API call
- no ip_any in the API as this creates 2 SPD entries. client must add both v4 and v6 explicitly
- only one pool of SPD entries (rhter than one per-SPD) to support this
- no packets/bytes in the dump API. Polling the stats segment is much more efficient
(if the SA lifetime is based on packet/bytes)
- emit the policy index in the packet trace and CLI commands.
Change-Id: I7eaf52c9d0495fa24450facf55229941279b8569
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
use-esp use-anti-replay
Change-Id: I977b65eee926adaded0cb923e14feb0ee90fc32c
Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
|
|
No function change. Only breaking the monster ipsec.[hc]
into smaller constituent parts
Change-Id: I3fd4d2d041673db5865d46a4002f6bd383f378af
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
- use enums to enumerate the algoritms and protocols that are supported
- use address_t types to simplify encode/deocde
- use typedefs of entry objects to get consistency between add/del API and dump
Change-Id: I7e7c58c06a150e2439633ba9dca58bc1049677ee
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Change-Id: If94c57fbb07a7376a9f2873e1489c00b28152620
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: I7bd43f57d23b1ecf031530c4a7508f949ddf616f
Signed-off-by: Ping Yu <ping.yu@intel.com>
|
|
this means we test the dumps - to some extent
Change-Id: I8d90745701012012b41a7b3aaf9be97b4dd2bdf8
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
don't do the setup and teardown in class methods so that with
each test the config is added and deleted. that way we test that
delete actually removes state.
more helpful error codes from VPP for existing IPSEC state.
Change-Id: I5de1578f73b935b420d4cdd85aa98d5fdcc682f6
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
exceeded
Change-Id: Id5b47f78521a0cbedf7bd2c72babfb2ffe9fa67d
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Change-Id: Idb2839f6082bd2e052be2bc5417f0ebb43d1c0a6
Signed-off-by: Michal Cmarada <mcmarada@cisco.com>
|
|
When adding an IPsec SA, ipsec_check_support_cb() is called. This
invokes a callback for AH and a callback for ESP to check if the
algorithms are supported.
When using AES-GCM on an ESP SA with the DPDK IPsec backend selected,
the AH callback fails. The DPDK IPsec backend has no AH support,
so the callback for the default OpenSSL backend is invoked. This
checks whether the crypto algorithm is AES-GCM and returns failure.
Only invoke the callback to check support for the IPsec protocol
of the SA - either AH or ESP rather than doing both.
Change-Id: Ic10be6a17b580d06ffb7e82ef5866e53a4f8b525
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Reverse the polarity on test to determine if old SA session
deletion succeeded. 0 == success, not failure.
Change-Id: I499cb04c7f13165e6c92367d4385057b77fe3836
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
ipsec4-output and ipsec6-output were conflicting with ipsec
interface names ("ipsec<id>") and vnet/interface.c autogenerated
output node ("<ifname>-output").
Changing feature names seems to be the less invasive option.
This patch also changes "input" feature names for consistency.
Change-Id: I4ba10d07e9ba09df20aa2500104252b06b55f8f7
Signed-off-by: Pierre Pfister <ppfister@cisco.com>
|
|
This patch adds a configuration parameter to IPSec tunnels, enabling
custom FIB selection for encapsulated packets.
Although this option could also be used for policy-based IPSec,
this change only enables it for virtual-tunnel-interface mode.
Note that this patch does change the API default behavior regarding
TX fib selection for encapsulated packets.
Previous behavior was to use the same FIB after and before encap.
The new default behavior consists in using the FIB 0 as default.
Change-Id: I5c212af909940a8cf6c7e3971bdc7623a2296452
Signed-off-by: Pierre Pfister <ppfister@cisco.com>
|
|
Change-Id: I7893a8fd5b3e15063675597c0e9bd1cd0b49ef0e
Signed-off-by: jackiechen1985 <xiaobo.chen@tieto.com>
|
|
Change-Id: Ife66395b89e1e9f9206666e5f0fd441b3c241bb2
Signed-off-by: jackiechen1985 <xiaobo.chen@tieto.com>
|
|
Change-Id: Ibb55427ed49d0277854a352922c6c4bb007bf072
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: Ic6a8b9aaec7e5dee4fb1971168988dbe4f931f86
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Change-Id: Ia5d45db73e4bdb32214ed4f365d5eec8e28115f3
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Change-Id: I45b97cfd0c3785bfbf6d142d362bd3d4d56bae00
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Change-Id: Ia3dcd98edb6188deb96a3a99d831e71b2ffa0060
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
strncpy stops copying when a byte set to 0 is read.
The fix is to use mempcy instead.
This patch also adds spd id to ipsec input trace.
Change-Id: Ibed071d3607fa76c3f6ee065f94128f1aca9b2e2
Signed-off-by: Pierre Pfister <ppfister@cisco.com>
|
|
Change-Id: If91257fa23ba74c09e5c3b5528eb2fd4c4b36b6a
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Change-Id: Ifa6d8391b1b2413a88b7720fc434e0bc849a149a
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: Id4f37f5d4a03160572954a416efa1ef9b3d79ad1
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
Change-Id: I04c59bbe1780e7289cb27a0a912803812fdc297e
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: Idd4a5f8bab5d39e5f33f5c130601175af70a20d4
Signed-off-by: Filip Varga <filip.varga@pantheon.tech>
|
|
Change-Id: Ibef46e068cd72415af28920b0146adf48105bf68
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
frame->frame_flags
Change-Id: I56b573b5da04a27766bcbcafbd5438555424f2e7
Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
|
|
Change-Id: Ied34720ca5a6e6e717eea4e86003e854031b6eab
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
Change-Id: I5105b688ef3df2c949ba09e1e90c1b8913502388
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: Ic6b27659f1fe9e8df39e80a0441305e4e952195a
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: I89e90193ded1beb6cb0950c15737f9467efac1c3
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: I36e6878712c394de629a9182d2af24c53a8f811d
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I35dcb987edf11097f34a633ac36d87cecd12088f
Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
|
|
Change-Id: I085615fde1f966490f30ed5d32017b8b088cfd59
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
|
|
The following patch adds a stronger cryptographic suite to IKEv2 implementation.
The following algorithms can now be used for integrity checking in IKEv2 implementation (responder and initiator):
- hmac-sha2-256-128
- hmac-sha2-384-192
- hmac-sha2-512-256
The default integrity checking method was set to hmac-sha2-256-128.
The default PRF function was set sha2-256.
Change-Id: Ia82b4cbbf3067b19b8487040dbefbaf4c9319548
Signed-off-by: Berenger Foucher <berenger.foucher@stagiaires.ssi.gouv.fr>
|
|
Change-Id: I3195afd952f6783da87224d7ceb9df13ddd39459
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
|
|
Change-Id: Ieb8b53977fc8484c19780941e232ee072b667de3
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Remove useless unsigned comparisions: "(unsigned) value < 0", correct
a couple of incorrect limit checks.
Change-Id: I9606c4057df157f770d59535457cb9df1cfd1f35
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
It is cheaper to get thread index from vlib_main_t if available...
Change-Id: I4582e160d06d9d7fccdc54271912f0635da79b50
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
When using a DPDK cryptodev with IPsec, sending outbound
packets results in a crash on division by zero if using an
algorithm not supported by the OpenSSL ESP nodes. This
includes AES-GCM and MD5.
At IPsec intf creation time, the next node at slot
IPSEC_OUTPUT_NEXT_ESP_ENCRYPT for ipsec_if_tx_node_fn is
set to the node named esp-encrypt. This is the OpenSSL
ESP encrypt function. If DPDK cryptodevs are configured,
dpdk-esp-encrypt is the correct next node.
Change to setting the next node according to the value in
ipsec_main.esp_encrypt_node_index. That value is set to
esp-encrypt by default. If DPDK cryptodevs are configured
it gets set to dpdk-esp-encrypt.
Change-Id: I83896c76b975d74aead247a162c85eccca9575a8
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Change-Id: Ibfd0a2e7010e6e74c32244c538f60e0713bea03f
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: I843d094b6bbd1cefba82d6026174be005e66d510
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
This reverts commit e0d2bd6bd7fc59c0c6ac48195d7f825dc99bfd91.
Change-Id: If491e16f9ea66b2493a6a7c7f3c684ed585f8f51
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
This reverts commit a98346f664aae148d26a8e158008b773d73db96f.
Change-Id: Iee5b3a5ddff0e8fd3a30fe5973cee24de434fe12
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Calculate IP/TCP/UDP checksums in software before adding authentication.
Change-Id: I3e121cb00aeba667764f39ade8d62170f18f8b6b
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|