summaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec
AgeCommit message (Collapse)AuthorFilesLines
2019-04-11IPSEC: ESP with ESN tests and fixesNeale Ranns2-4/+4
Change-Id: Ie42b26e6d5cdb7b23f370ea2933c65079e8d1089 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-11IPSEC-MB: Use random & non-repeating IV (VPP-1642)Neale Ranns2-5/+1
hard code IV and key lengths based on cipher. Init IV from random data, use AES instruction to rotate. Change-Id: I13a6507d12267b823c528660a903787baeba47a0 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-10crypto: Intel IPSEC-MB engineNeale Ranns2-2/+13
A plugin to use Intel IPSec MB library as a VPP crypto engine This changes uses concepts from: https://gerrit.fd.io/r/#/c/17301/ hence that author's work is acknowledge below Change-Id: I2bf3beeb10f3c9706fa5efbdc9bc023e310f5a92 Signed-off-by: Neale Ranns <nranns@cisco.com> Signed-off-by: Klement Sekera <ksekera@cisco.com>
2019-04-10IPSEC: for each engine and algorithm testsNeale Ranns1-1/+1
refactor the IPSEC tests a bit so we can parameterise the setup. Change-Id: I777e5eb8f29ca1dce3dd273ebd05dae5846790af Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-10IPSEC: remove double byte swap of IP addressesNeale Ranns1-18/+10
Change-Id: I8c03c4aa90fb0056e11e0f234999c25d7839d759 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-08IPSEC TEST: various hash alogrithmsNeale Ranns1-1/+1
Change-Id: I925aa5bf9472e81f98072d63df499b19e6ddf43d Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-07crypto: add support for AEAD and AES-GCMDamjan Marion7-41/+39
Change-Id: Iff6f81a49b9cff5522fbb4914d47472423eac5db Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-04-05IPSEC: punt reasons; SPI=0, no-tunnelNeale Ranns4-13/+154
Change-Id: If76992e283a27fa193a6865257ab3aa764066e48 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-04ipsec: trunc_size -> icv_sizeDamjan Marion9-15/+15
Change-Id: Idb661261c2191adda963a7815822fd7a27a9e7a0 Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-04-03IPSEC: correctly size per-thread dataNeale Ranns1-1/+1
Change-Id: Idfc05cd0e09b50a26eaf747b7c49f720b009159a Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-03IPSEC: show CLI improvementsNeale Ranns4-31/+208
Change-Id: I48a4b0a16f71cbab04dd0955d3ec4001074b57ed Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-02IPSEC: tunnel scaling - don't stack the inbould SANeale Ranns4-19/+15
Change-Id: I0b47590400aebea09aa1b27de753be638e1ba870 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-02IPSEC: remove pointless feature orderingNeale Ranns1-4/+2
Change-Id: Ic1b657794d23cb4d1664fc749ad2468339e376df Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-29IPSEC-GRE: fixes and API update to common types.Neale Ranns10-52/+57
Change-Id: Icdcbac7453baa837a9c0c4a2401dff4a6aa6cba0 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-29ipsec: esp-decrypt reworkDamjan Marion3-199/+299
Change-Id: Icf83c876d0880d1872b84e0a3d34be654b76149f Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-03-29IPSEC: tunnel fragmentationNeale Ranns2-0/+13
Change-Id: I63741a22bc82f5f861e1c0f26a93b5569cc52061 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-28crypto: add vnet_crypto_op_init (...)Damjan Marion3-6/+4
Change-Id: I2018d8367bb010e1ab30d9c7c23d9501fc38a2e5 Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-03-28ipsec: USE_EXTENDED_SEQ_NUM -> USE_ESNDamjan Marion8-14/+14
Change-Id: Ib828ea5106f3ae280e4ce233f2462dee363580b7 Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-03-28ipsec: anti-replay code cleanupDamjan Marion4-171/+143
Change-Id: Ib73352d6be26d639a7f9d47ca0570a1248bff04a Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-03-28IPSEC: 4o6 and 6o4 for tunnel interfacesNeale Ranns1-2/+4
Change-Id: I4d3ba18ab5205317219989de55b6e50d3b1d8a79 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-28IPSEC: fix build breakage from ships in the night mergesNeale Ranns1-2/+6
Change-Id: Iec7da9adc970d005cd7d3d42839b5e51b0b5f5c3 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-28IPSEC: run encrpyt as a feautre on the tunnelNeale Ranns3-125/+178
Change-Id: I6527e3fd8bbbca2d5f728621fc66b3856b39d505 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-27ipsec: compress ipsec_sa_t so data used by dataplane code fits in cachelineDamjan Marion11-91/+129
Change-Id: I81ecdf9fdcfcb017117b47dc031f93208e004d7c Signed-off-by: Damjan Marion <damarion@cisco.com> Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-26IPSEC: more expressive API errorsNeale Ranns2-7/+7
Change-Id: I517a7bdae03abfea58451819e7854974397d77f8 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-26ipsec: esp-encrypt reworkDamjan Marion6-242/+397
Change-Id: Ibe7f806b9d600994e83c9f1be526fdb0a1ef1833 Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-03-26IPSEC: improved policy deleteNeale Ranns1-13/+9
Change-Id: Icdf51b094c34725c079d2e4acbb955744434302d Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-25IPSEC tests fnd fix or Extended Sequence NumbersNeale Ranns3-15/+14
Change-Id: Iad6c4b867961ec8036110a4e15a829ddb93193ed Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-22ipsec: fix esn handlingDamjan Marion1-9/+5
Change-Id: I27f24095309082363ba0d0ba4bd69e2c0741dc1c Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-03-22IPSEC: test for packet drop on sequence number wrapNeale Ranns1-1/+2
Change-Id: Id546c56a4904d13d4278055f3c5a5e4548e2efd0 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-21ipsec: add ipv6 support for ipsec tunnel interfaceKingwel Xie7-147/+415
Change-Id: I6a76907dc7bed2a81282b63669bea2219d6903c9 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com> Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
2019-03-20crypto: add hmac truncate optionDamjan Marion1-0/+1
This reverts commit 785368e559dbdf50676f74f43f13423c817abb52. Change-Id: I782ac2be4e161790c73ccd4b08492e2188a6d79d Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-03-20IPSEC: Tunnel SA not deletedNeale Ranns1-3/+6
p is overwritten by hash_unset so an incorrect value is passed to ipsec_sa_del Change-Id: I97300dd4421c62d7cfa47b8e7e9789becb2370e9 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-20ipsec: keep crypto data inside SADamjan Marion8-58/+65
Change-Id: Ie8986bd3652d25c4befe681cea77df95aba37ebc Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-03-20ipsec: bug fix ipsec-init sequenceKingwel Xie1-2/+0
ipsec_tunnel_if_init might be called before ipsec_init this memset in ipsec-init therefore zero the memory allocated by ipsec_tunnel_if_init Change-Id: Ie889f1bf624c76842ef77e5a51ed1d41fed4758d Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2019-03-19crypto: introduce crypto infraDamjan Marion8-233/+123
Change-Id: Ibf320b3e7b054b686f3af9a55afd5d5bda9b1048 Signed-off-by: Damjan Marion <damarion@cisco.com> Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2019-03-19IPSEC: remove byte swap operations in DP during SPD classifyNeale Ranns5-46/+35
Change-Id: I4bfde738f9585b045cb5ba62cf51b141d639b1b2 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-19IPSEC: tidy the policy typesNeale Ranns6-78/+102
Change-Id: I5e981f12ff44243623cfd18d5e0ae06a7dfd1eb8 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-13VPP-1576: fix a set of coverity warningsDave Barach1-1/+1
Change-Id: Ifd34aed8692d5acaa370d4976d974ac573e43705 Signed-off-by: Dave Barach <dave@barachs.net>
2019-03-08updates now that flags are supported on the APINeale Ranns1-5/+0
Change-Id: I9c45f390a6454c114f12f9c46c3a93fcecffa73f Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-07ipsec: cli bug fixesKingwel Xie2-5/+9
1. fix wrong assignemnt of lik/rik 2. keys initialized to 0, to avoid using random data in stack. could cause memory overlapped then crash 3. show sa->id in hex format Change-Id: Id0430aa49bb55c27cee4f97f8c0e4ec87515dcd2 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2019-03-07ipsec: ipsec-if optimizations & bug fixesKingwel Xie2-254/+309
1. changed to vlib_buffer_enqueue_to_next 2. error counter fixes; stats added to last_sw_if_index when interface changed 3. udp-encap support Change-Id: I70b0814aa37181fea4d70fa3c96c608adb5afe49 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2019-03-06ipsec: esp-encrypt and esp-decrypt cleanupDamjan Marion4-558/+447
Change-Id: I1e431aa36a282ca7565c6618a940d591674b8cd2 Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-03-06IPSEC: tunnel encap/decap dual loop speedupsNeale Ranns3-89/+255
baseline: ipsec0-tx 1.27e1 ipsec-if-input 8.19e1 this change: ipsec0-tx 6.17e0 ipsec-if-input 6.39e1 this also fixes the double tunnel TX counts by removing the duplicate from the TX node. Change-Id: Ie4608acda08dc653b6fb9e2c85185d83625efd40 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-05ipsec: cleanup, remove unnecessary code,Kingwel Xie5-13/+7
ipsec_proto_main moved to ipsec.c fix missing '\0' of backend name Change-Id: I90760b3045973a46792c2f098d9b0b1b3d209ad0 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2019-03-04IPSEC: script to bounce IPSEC traffic through a pipe to test encrypt and decrpytNeale Ranns1-0/+33
Change-Id: I262a9412951b5df616920a8fad16c61eae96d0cc Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-01IPSEC: tunnel-input; don't load the HW interface structNeale Ranns4-43/+41
also fix the stats to include all the data in the tunnel. And don't load the SA. Change-Id: I7cd2e8d879f19683175fd0de78a606a2836e6da2 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-28TEST: IPSEC NAT-T with UDP headerNeale Ranns1-0/+1
Change-Id: I5ef8b3f4be40a7a0b0f1cb90dc0e15a4711e8664 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-25IKEv2 to pluginNeale Ranns10-7245/+19
for easy integration with ptoducts running their own Ike stack. Without the VPP IKE plugin loaded, the product is free to handle IKE packets as it pleases. Change-Id: Id0839f4d58b797f4c2da0382eb499fc08b05f66f Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-22IPSEC: header exportsNeale Ranns7-1/+6
Change-Id: I7d48a4e236c6e7b11b0c9750a30fb68e829d64a5 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-20IPSEC: API coverity error of unitialised stat_index valueNeale Ranns1-0/+2
Change-Id: If884a3840f34090e33ce7808d38e50f919290d9f Signed-off-by: Neale Ranns <nranns@cisco.com>