Age | Commit message | Author | Files | Lines |
|
Calculate IP/TCP/UDP checksums in software before adding authentication.
Change-Id: I3e121cb00aeba667764f39ade8d62170f18f8b6b
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: I761aced55b7cef51a9b47048283b2cb9430bcde2
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Cause: EVP_MD_CTX object used but not initialized.
Change-Id: I390b2acf580f16415685563fa52e56717efc7be7
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
|
|
Replace hash with a vector to improve performance.
Plus other minor performance improvements.
Change-Id: I3f0ebd909782ce3727f6360ce5ff5ddd131f8574
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
|
|
Packets arriving on an IPsec tunnel interface
are decrypted and forwarded even if the
interface is down.
Check interface flags. If the interface is down,
cause packet to be dropped and increment the
counters for drops.
Change-Id: I94456bda3bd8eade0f3f522ad7cc341251174e6e
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Change-Id: I1f7c634328f25b33580a215af2daeb498cd3b181
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
The pointer to the IP header was derived from l3_hdr_offset,
which would be OK if l3_hdr_offset was valid. But it does not
have to be, so it was a bad solution. Now the previous nodes
mark whether it is an IPv6 or IPv4 packet type, and in esp_decrypt
we can get the IP header pointer by subtracting the size
of the IP header from the pointer to the ESP header (which lies
in front of the IP header).
Change-Id: I6d425b90931053711e8ce9126811b77ae6002a16
Signed-off-by: Szymon Sliwa <szs@semihalf.com>
|
|
Change-Id: I65c12617ad49e4d5ef242e53988782f0cefa5684
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: Ic1e189c22e3d344d165e0eab05ccb667eef088a9
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
|
|
Object sizes must evenly divide alignment requests, or vice
versa. Otherwise, only the first object will be aligned as
requested.
Three choices: add CLIB_CACHE_LINE_ALIGN_MARK(align_me) at
the end of structures, manually pad to an even divisor or multiple of
the alignment request, or use plain vectors/pools.
static assert for enforcement.
Change-Id: I41aa6ff1a58267301d32aaf4b9cd24678ac1c147
Signed-off-by: Dave Barach <dbarach@cisco.com>
|
|
Change-Id: I69fee1dcf07a4d2eed69a59f0a36e63e3741ed4e
Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
|
|
When creating an IPsec tunnel interface, allow a numeric
identifier to be set for use in the interface's name in
place of the dev instance. Default to using the dev instance
if no value is explicitly set.
When an IPsec tunnel is deleted, the interface is deleted
now instead of being kept in a pool of available hw
interfaces. Otherwise there was the possibility of
conflicting tx node names between deleted tunnels and
newly created ones.
Change-Id: Ic525466622a0dec38a845fa5871c084f6d9da380
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
The IP header is set as data + sizeof(ethernet_header_t),
which does not need to be true. The solution is to use
l3_hdr_offset.
Change-Id: I5d9f41599ba8d8eb14ce2d9d523f82ea6e0fd10d
Signed-off-by: Szymon Sliwa <szs@semihalf.com>
|
|
With no IPv4 output features on an IPsec tunnel interface,
when packets are forwarded to that interface, they reach
the ipsec-if-output node via the output_node_index on the
hw interface and they are handled correctly.
When an IPv4 output feature (e.g. output ACL, outbound
NAT) is enabled on an IPsec tunnel interface, outbound
IPsec stops working for that interface. The last node in
the ip4-output feature arc is interface-output. From there
a packet is sent to ipsec<N>-output, and then ipsec<N>-tx.
The tx function for an IPsec tunnel interface that is
called by ipsec<N>-tx is a dummy that doesn't do anything
except write a warning message.
Enable a feature on the interface-output feature arc for
an IPsec tunnel interface so the ipsec-if-output node is
reached from the interface-output node.
Change-Id: Ia9c73d3932f5930ec7ce0791a0375b1d37148b01
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
The init-path for IPSEC_AH where the CTX gets initialized is broken,
since the for-loop never executes due to the wrong usage of
tm->n_vlib_mains, from which 1 is being subtracted.
Change-Id: I4d967f52cd3ca061aa60d824d65f446e06162403
Signed-off-by: Marco Varlese <marco.varlese@suse.com>
|
|
Change-Id: I9f487d6033edde09557709f94f97fc8a70246b09
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
== CONTENT ==
* SCTP chunks definition as per RFC4960;
* Helper functions to set/get values to/from the corresponding chunks;
* Hooks to the session/application layers;
* Complete state-machine handling;
* Implementation for unexpected chunk received in a certain
state (state-machine error handling)
* Support for 1-single connection;
* Sample application to test receive/transmit data-path;
* Test to validate SCTP stack;
Change-Id: I1b55c455ab400be9513f4e094dadfc3181d2ebc9
Signed-off-by: Marco Varlese <marco.varlese@suse.com>
|
|
This is a version of the VPP API generator in Python PLY. It supports
the existing language, and has a plugin architecture for generators.
Currently C and JSON are supported.
Changes:
- vl_api_version to option version = "major.minor.patch"
- enum support
- Added error checking and reporting
- import support (removed the C pre-processor)
- services (tying request/reply together)
Version:
  option version = "1.0.0";
Enum:
  enum colours {
    RED,
    BLUE = 50,
  };
  define foo {
    vl_api_colours_t colours;
  };
Services:
  service {
    rpc foo returns foo_reply;
    rpc foo_dump returns stream foo_details;
    rpc want_stats returns want_stats_reply
      events ip4_counters, ip6_counters;
  };
Future planned features:
- unions
- bool, text
- array support (including length)
- proto3 output plugin
- Refactor C/C++ generator as a plugin
- Refactor Java generator as a plugin
Change-Id: Ifa289966c790e1b1a8e2938a91e69331e3a58bdf
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
This does not update api client code. In other words, if the client
assumes the transport is shmem based, this patch does not change that.
Furthermore, code that checks queue size, for tail dropping, is not
updated.
Done for the following apis:
Plugins
- acl
- gtpu
- memif
- nat
- pppoe
VNET
- bfd
- bier
- tapv2
- vhost user
- dhcp
- flow
- geneve
- ip
- punt
- ipsec/ipsec-gre
- l2
- l2tp
- lisp-cp/one-cp
- lisp-gpe
- map
- mpls
- policer
- session
- span
- udp
- tap
- vxlan/vxlan-gpe
- interface
VPP
- api/api.c
OAM
- oam_api.c
Stats
- stats.c
Change-Id: I0e33ecefb2bdab0295698c0add948068a5a83345
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
- separate client/server code for both memory and socket apis
- separate memory api code from generic vlib api code
- move unix_shared_memory_fifo to svm and rename to svm_fifo_t
- overall declutter
Change-Id: I90cdd98ff74d0787d58825b914b0f1eafcfa4dc2
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Change-Id: I941abdc4a02e4c52c66b9d299e380b27caca7c1d
Signed-off-by: “mystarrocks” <mystarrocks@yahoo.com>
|
|
Change-Id: I876f215b129e5e59d3acc6447ce40458cc341eba
Signed-off-by: “mukeshyadav1984” <mukyadav@cisco.com>
|
|
Change-Id: Iec5804d768485f4015bbf732d8d19ef2f24e6939
Signed-off-by: “mukeshyadav1984” <mukyadav@cisco.com>
|
|
This patch addresses all the code changes required to VPP to support
openssl 1.1.0 API.
All the changes have been done so that VPP can still be built against
current openssl API whilst forward-looking to version 1.1.0.
Change-Id: I65e22c53c5decde7a15c7eb78a62951ee246b8dc
Signed-off-by: Marco Varlese <marco.varlese@suse.com>
|
|
When IPsec tunnel interface has the inbound SA updated,
the key used to find the right interface for inbound
packets was being generated using the destination
address instead of the source.
Change-Id: Id5a6fb1511637c912b329aad65188789646a5889
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Make it easier to integrate with external IKE daemon.
IPsec interfaces can have one or both SAs replaced after
creation. This allows for the possibility of setting a
new child SA on an interface when rekeying occurs. It also
allows for the possibility of creating an interface ahead
of time and updating the SA when parameters that are
negotiated during IKE exchange become known.
Change-Id: I0a31afdcc2bdff7098a924a51abbc58bdab2bd08
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
- Global variables declared in header files without
the use of the 'extern' keyword will result in multiple
instances of the variable being created by the compiler
-- one for each different source file in which
the header file is included. This results in wasted
memory allocated in the BSS segments as well as
potentially introducing bugs in the application.
Change-Id: I6ef1790b60a0bd9dd3994f8510723decf258b0cc
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
There was already a CLI command and a libvnet function
to set the keys on an existing IPsec tunnel interface.
Expose this via the API.
Change-Id: I226a9616f680fc022f04447177a2e8232690657f
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Change-Id: Ica3bc74ffbb1c0df4e198b0abff8df10cdeb2182
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
|
|
Add one of these statements to foo.api:
vl_api_version 1.2.3
to generate a version tuple stanza in foo.api.h:
/****** Version tuple *****/
vl_api_version_tuple(foo, 1, 2, 3)
Change-Id: Ic514439e4677999daa8463a94f948f76b132ff15
Signed-off-by: Dave Barach <dave@barachs.net>
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
This patch reworks the DPDK ipsec implementation including the cryptodev
management as well as replacing new cli commands for better usability.
For the data path:
- The dpdk-esp-encrypt-post node is not necessary anymore.
- IPv4 packets in the decrypt path are sent to ip4-input-no-checksum instead
of ip4-input.
The DPDK cryptodev cli commands are replaced by the following new commands:
- show dpdk crypto devices
- show dpdk crypto placement [verbose]
- set dpdk crypto placement (<device> <thread> | auto)
- clear dpdk crypto placement <device> [<thread>]
- show dpdk crypto pools
Change-Id: I47324517ede82d3e6e0e9f9c71c1a3433714b27b
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
|
|
Add an API request message type to dump IPsec SAs. Either
all IPsec SAs can be dumped or it can be limited to a single
SA ID (numeric ID set at creation time - not an index).
Add a handler for incoming messages with the new request type.
Add an API response message type containing the data
for an IPsec SA.
Add VAT support for new message type.
Change-Id: Id7828d000efc637dee7f988a87d3f707a8b466b7
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
For routed IPsec, set the RX sw_if_index on inbound packets
to the index of the IPsec interface. When a packet is
decrypted into a new buffer, bring along the RX sw_if_index
of the encrypted packet to the new buffer.
Change-Id: I093e9d37def2082c8d2f1deb96b1c5b97126e023
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Change-Id: I25238debb7081b4467aec4620dfdef33fbef3295
Signed-off-by: Chris Luke <chrisy@flirble.org>
|
|
Change-Id: I4ac05ee5974f5e7ab3685d325446a6e77048a948
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Increment byte & packet counters when packets are sent or received on an
IPsec tunnel interface. Set counters to zero when the interface is deleted.
Change-Id: Ie9584aa82778875dd4d0c931005f7720b4d5c76d
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Change-Id: If5158f6fa7344dee94548c93dace779430e0647f
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Change-Id: I8c9f886cb95e92adbe1c646844789ca0a6bb6140
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Fix handling of IDi and IDr when processing payloads in ikev2_process_auth_req
Change-Id: If0d4441dc89f08f3753f38987406c002d43558ec
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Change-Id: I72298aaae7d172082ece3a8edea4217c11b28d79
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
This patch deprecates stack-based thread identification.
It also removes the requirement that thread stacks are adjacent.
Finally, possibly annoying for some folks, it renames
all occurrences of cpu_index and cpu_number with thread
index. Using the word "cpu" is misleading here as a thread can
be migrated to a different CPU, and also it is not related
to the Linux CPU index.
Change-Id: I68cdaf661e701d2336fc953dcb9978d10a70f7c1
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: Ic206601413bb366e2a920daf00524e92a47287ef
Signed-off-by: Pavel Kotucek <pkotucek@cisco.com>
|
|
Change-Id: I238258cdeb77035adc5e88903d824593d0a1da90
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: I49e5ce0aae6e4ff634024387ceaf7dbc432a0351
Signed-off-by: Dave Barach <dave@barachs.net>
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
In the CLI parsing, below is a common pattern:

  /* Get a line of input. */
  if (!unformat_user (input, unformat_line_input, line_input))
    return 0;

  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
    {
      if (unformat (line_input, "x"))
        x = 1;
      :
      else
        return clib_error_return (0, "unknown input `%U'",
                                  format_unformat_error, line_input);
    }
  unformat_free (line_input);

The 'else' returns if an unknown string is encountered. There is a memory
leak because 'unformat_free (line_input)' is not called. There is a
large number of instances of this pattern.

Replaced the previous pattern with:

  /* Get a line of input. */
  if (!unformat_user (input, unformat_line_input, line_input))
    return 0;

  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
    {
      if (unformat (line_input, "x"))
        x = 1;
      :
      else
        {
          error = clib_error_return (0, "unknown input `%U'",
                                     format_unformat_error, line_input);
          goto done;
        }
    }

  /* ...Remaining code... */

done:
  unformat_free (line_input);
  return error;
}

In multiple files, 'unformat_free (line_input);' was never called, so
there was a memory leak whether an invalid string was entered or not.

Also, there were multiple instances where:

  error = clib_error_return (0, "unknown input `%U'",
                             format_unformat_error, line_input);

used 'input' as the last parameter instead of 'line_input'. The result
is that the output did not contain the substring in error, instead just an
empty string. Fixed all of those as well.

There are a lot of files, and it was very mind-numbing work, so I tried to keep
it to a pattern to avoid mistakes.
Change-Id: I8902f0c32a47dd7fb3bb3471a89818571702f1d2
Signed-off-by: Billy McFall <bmcfall@redhat.com>
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
- IKE_SA_INIT and IKE_AUTH initial exchanges
- Delete IKE SA
- Rekey and delete Child SA
- Child SA lifetime policy
To set up one VPP instance as the initiator use the following CLI commands (or API equivalents):
ikev2 profile set <id> responder <interface> <addr>
ikev2 profile set <id> ike-crypto-alg <crypto alg> <key size> ike-integ-alg <integ alg> ike-dh <dh type>
ikev2 profile set <id> esp-crypto-alg <crypto alg> <key size> esp-integ-alg <integ alg> esp-dh <dh type>
ikev2 profile set <id> sa-lifetime <seconds> <jitter> <handover> <max bytes>
and finally
ikev2 initiate sa-init <profile id> to initiate the IKE_SA_INIT exchange
Child SA re-keying process:
1. Child SA expires
2. A new Child SA is created using the Child SA rekey exchange
3. For a set time both SAs are alive
4. After the set time interval expires old SA is deleted
Any additional settings will not be carried over (i.e. settings of the ipsec<x> interface associated with the Child SA)
CLI API additions:
ikev2 profile set <id> responder <interface> <addr>
ikev2 profile set <id> ike-crypto-alg <crypto alg> <key size> ike-integ-alg <integ alg> ike-dh <dh type>
ikev2 profile set <id> esp-crypto-alg <crypto alg> <key size> esp-integ-alg <integ alg> esp-dh <dh type>
ikev2 profile set <id> sa-lifetime <seconds> <jitter> <handover> <max bytes>
ikev2 initiate sa-init <profile id>
ikev2 initiate del-child-sa <child sa ispi>
ikev2 initiate del-sa <sa ispi>
ikev2 initiate rekey-child-sa <profile id> <child sa ispi>
Sample configurations:
Responder:
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local fqdn vpp.home.responder
ikev2 profile set pr1 id remote fqdn vpp.home.initiator
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector local ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0
Initiator:
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local fqdn vpp.home.initiator
ikev2 profile set pr1 id remote fqdn vpp.home.responder
ikev2 profile set pr1 traffic-selector local ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 responder TenGigabitEthernet3/0/1 192.168.40.20
ikev2 profile set pr1 ike-crypto-alg aes-cbc 192 ike-integ-alg sha1-96 ike-dh modp-2048
ikev2 profile set pr1 esp-crypto-alg aes-cbc 192 esp-integ-alg sha1-96 esp-dh ecp-256
ikev2 profile set pr1 sa-lifetime 3600 10 5 0
Change-Id: I1db9084dc787129ea61298223fb7585a6f7eaf9e
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
|
|
Fixes a problem that occurs with cryptodev IPv6 input.
Change-Id: I1f0c0db45b2aabc243dd785c8d5d5ef990cac903
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
|
|
Change-Id: I2330cb7c2ba0f5eaeb4e7a4c3de4f22283d3923d
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
|
|
Build Cryptodev IPsec support by default when DPDK is enabled but only build
hardware Cryptodev PMDs.
To enable Cryptodev support, a new startup.conf option for dpdk has been
introduced 'enable-cryptodev'.
During VPP init, if Cryptodev support is not enabled or not enough cryptodev
resources are available then default to OpenSSL ipsec implementation.
Change-Id: I5aa7e0d5c2676bdb41d775ef40364536a081956d
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
|
|
This replaces --without-ipsec and --without-ipv6sr
and allows other parts of the code to be disabled if
libssl is not available.
Change-Id: Id97ff3685a7924d7f86622952e0405d94ceb5957
Signed-off-by: Damjan Marion <damarion@cisco.com>
|