UNUSED_VALUE warning fixed.
Type: fix
Change-Id: Idd1f0fab96f252f2081d5c268ecc722223289477
Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com>

IPsec traffic may be sent encapsulated inside UDP packages.
In case of ESP packages, decryption is required (according to defined policies),
whereas IKE traffic should be bypassed (the relevant policy needs to be defined).
With this patch the required behaviour is provided.
Type: feature
Change-Id: If99c7bf121db881c0bdf2b45e6fdca87c0d872a5
Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com>

In case of IPv6 addresses, SPD did not support bypass and discard policies.
This change introduces the missing implementation
in the same way as it was implemented for IPv4.
Type: feature
Change-Id: Idad974655b209d946414d7d85037d0783cde7db3
Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com>

Type: improvement
Change-Id: I9a0437dcfaf5e6930bb7fa057866ea36e7ca328f
Signed-off-by: Damjan Marion <damarion@cisco.com>

Type: improvement
Change-Id: I03f0b6137db6780f2c2935df90e98acf4bd471f9
Signed-off-by: Damjan Marion <damarion@cisco.com>

Type: improvement
Change-Id: Idfbaf56e3b56e77c8deaca9d3e41f7a78d8c4e0b
Signed-off-by: Damjan Marion <damarion@cisco.com>

Type: improvement
Change-Id: I753917c6d7e30b8d5e3291b85a7532a455ebc2bb
Signed-off-by: Damjan Marion <damarion@cisco.com>

Type: improvement
Change-Id: I0626af365855ad5301419e72e9430a47a5d0e5d7
Signed-off-by: Damjan Marion <damarion@cisco.com>

Re-add the anti-replay window size in the SA dump API and add tests.
Type: fix
Change-Id: Iacecdf5df796a0a6353491f8160c878751c6039b
Signed-off-by: Maxime Peim <mpeim@cisco.com>
Signed-off-by: Benoît Ganne <bganne@cisco.com>

Type: improvement
Change-Id: Id7717de00558ab90dbd312a58becd58d008397ea
Signed-off-by: Damjan Marion <damarion@cisco.com>

Type: improvement
Change-Id: I0f949b67fb5b65fa1a79ffb7777d654693f0de6a
Signed-off-by: Damjan Marion <damarion@cisco.com>

Type: improvement
Change-Id: I4d507b105e5b5ba7dd68d373c7f1ab156a9fc9f1
Signed-off-by: Damjan Marion <damarion@cisco.com>

Type: improvement
Change-Id: I554418fca0cbe1a2b42eddc24eccf25ede5f678a
Signed-off-by: Damjan Marion <damarion@cisco.com>

Type: fix
Change-Id: I0c418fe71b579febc4ca02e8ad0aeba24df1945d
Signed-off-by: Damjan Marion <damarion@cisco.com>

Fast path match single compare (the last step of policy matching in spd fast path)
is only implemented for IPv4 addresses.
This change adds support to also do a single match on IPv6 addresses.
Type: fix
Change-Id: I5aeb6e1e9afccfd2b2082e26502c5b7e9a8b2d4c
Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com>
Signed-off-by: Vinayak Udandkar <vinayakx.udandkar@intel.com>

This patch fixes handling of UDP packages for UDP-encapsulated ESP
and IKE traffic in inbound policy.
Originally, IKE traffic on UDP with port 4500 is dropped inside the inbound
look-up.
Type: fix
Change-Id: I071adf18cb82da8cd000b93914078e51e393104c
Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com>

When a protected tunnel gets deleted, it's necessary to run a proper
cleanup.
Type: fix
Change-Id: I9d2c60ecbf97c4df299ac5c2228b036bf3478a56
Signed-off-by: Stanislav Zaikin <stanislav.zaikin@46labs.com>

This patch removes the redundant SA index value in
format_ipsec_tun_protect_input_trace(), as the SA index value is already added
by format_ipsec4_tunnel_kv().
Type: fix
Change-Id: I7834bda57ba0f7cfe5084b671f6f7da0749ba64d
Signed-off-by: Garvit <gvarshney@marvell.com>

Type: fix
Coverity issue: 394440
Change-Id: I915a088145ee1317a7c8746b517f4af50323aa11
Signed-off-by: Fan Zhang <fanzhang.oss@gmail.com>

RFC6935 section 5 states that, by default, the UDP checksum must be
computed when originating an IPv6 UDP packet. The default behavior
may be overridden when conditions defined by RFC6936 are satisfied.
However, this implementation does not satisfy all the conditions, so
the checksum must be computed.
After ESP encryption the packet is an IPv6 UDP packet so set the
l3_hdr_offset and l4_hdr_offset values, and set the UDP_CKSUM
offload flag in the buffer.
Type: improvement
Co-authored-by: Cian Ferriter <cian.ferriter@intel.com>
Change-Id: I9f8c434c9fe9dbddd8890d5ae366984bfcf34067
Signed-off-by: Jeff Shaw <jeffrey.b.shaw@intel.com>

This inline function is introduced to simplify code readability and consolidate AH packet
processing in a separate API.
Type: improvement
Change-Id: Id98074d00aba277fed714ea9995655c9e84ec83b
Signed-off-by: vinay tripathi <vinayx.tripathi@intel.com>

Type: improvement
Change-Id: I252951d3ec01497c049ca0ffb7cb42aaf2efb965
Signed-off-by: Dau Do <daudo@yahoo.com>

Type: fix
This patch fixes the missing UDP port check in the IPsec NAT-T
case. As per RFC3948, UDP-encapsulated ESP traffic should have a
destination port of 4500, which was missing.
The related tests are updated with this port, too.
Change-Id: I73ecc6a93de8d0f4b642313b0f4d9c2f214a7790
Signed-off-by: Fan Zhang <fanzhang.oss@gmail.com>

This commit adds missing support in CLI for creating ipsec itf
in p2mp mode.
Type: fix
Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com>
Change-Id: I1bd1cc6667625b8e527af8d25bd8e723751dbc41

Type: fix
Change-Id: Ic015b37e18a43c49c3fb3dbff284a17fa2c5fd99
Signed-off-by: Fan Zhang <fanzhang.oss@gmail.com>
Signed-off-by: Kai Ji <kai.ji@intel.com>

Type: improvement
Change-Id: Icac31a8a3da71334e2b877f3b8e5d5a7cc5e76b8
Signed-off-by: Fan Zhang <fanzhang.oss@gmail.com>

The offload should be handled by the GSO node or by the NIC
if the latter has the relevant capabilities. But ip midchain
is missing the support for buffer offload metadata in case
of a GSO packet.
This patch adds the relevant support to add the buffer metadata
if the packet is GSO/IPIP, to be handled accordingly.
Type: improvement
Change-Id: I17f5d71bf4c5f43a85ca3f2fbebfa1426b42ef69
Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>

Type: improvement
Change-Id: Ib6c4e6bc42dd63cb2fdb2dfa7e94baa709e7185b
Signed-off-by: Fan Zhang <fanzhang.oss@gmail.com>

Type: refactor
Change-Id: I5235bf3e9aff58af6ba2c14e8c6529c4fc9ec86c
Signed-off-by: Damjan Marion <damarion@cisco.com>

In esp_encrypt_inline(), if two or more consecutive packets are
associated with the same SA which has no crypto or integrity algorithms
set, only the first one gets dropped. Subsequent packets either get sent
(synchronous crypto) or cause a segv (asynchronous crypto).
The current SA's index and pool entry are cached before it can be
determined whether the packet should be dropped due to no algorithms
being set. The check for no algorithms is only performed when the cached
SA index is different than the SA index for the current packet. So
packets after the first one associated with the "none" alg SA aren't
handled properly.
This was broken by my previous commit ("ipsec: keep esp encrypt pointer
and index synced") which fixed a segv that occurred under a different
set of circumstances.
Check whether each packet should be dropped instead of only checking
when a new SA is encountered.
Update unit tests:
- Add a test for no algs on tunnel interface which enables
asynchronous crypto.
- Send more than one packet in the tests for no algs.
Type: fix
Fixes: dac9e566cd16fc375fff14280b37cb5135584fc6
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Change-Id: I69e951f22044051eb8557da187cb58f5535b54bf

Type: feature
Change-Id: I7b29c71d3d053af9a53931aa333484bf43a424ca
Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
Signed-off-by: Benoît Ganne <bganne@cisco.com>

Type: fix
Change-Id: I982ef624226807d7c263e3ff83c108f7d31f61f1
Signed-off-by: Dengfeng Liu <liudf0716@gmail.com>

Type: fix
In esp_encrypt_inline(), an index and pointer to the last processed SA
are stored. If the next packet uses the same SA, we defer on updating
counters until a different SA is encountered.
The pointer was being retrieved, then the SA was checked to see if the
packet should be dropped due to no crypto/integ algs, then the index was
updated. If the check failed, we would skip further processing and now
the pointer refers to a different SA than the index. When you have a
batch of packets that are encrypted using an SA followed by a packet
which is dropped for no algs and then more packets to be encrypted using
the original SA, the packets that arrive after the one that was dropped
end up being processed using a pointer that refers to the wrong SA data.
This can result in a segv.
Update the current_sa_index at the same time that the sa0 pointer is
updated.
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Change-Id: I65f1511a37475b4f737f5e1b51749c0a30e88806

In some anti-replay code, some functions weren't using the boolean
telling whether the window was huge or not, hence limiting constant
propagation at compilation.
Type: fix
Change-Id: Ie5f2dda38339bb32113c6f7b2b82c82135fc92a8
Signed-off-by: Maxime Peim <mpeim@cisco.com>

Type: fix
Change-Id: I0de1c51455b0d3958c75ab5626a318ac656adbe7
Signed-off-by: Dengfeng Liu <liudf0716@gmail.com>

This fix differentiates UDP and UDP-encapsulated ESP packet processing.
While UDP-encapsulated ESP traffic is processed as IPsec traffic, UDP, like
other plain-text protocols, is NOT dispatched against SPD policies.
Key logic is taken from RFC 3948, and is based on the fact
that the checksum of UDP packet encapsulating ESP packet must be zero.
Type: fix
Signed-off-by: vinay tripathi <vinayx.tripathi@intel.com>
Change-Id: Ib1b4d240eea8e89f2daf17ec833905f26cdb31bd

ipsec_esp_packet_process
This inline function is introduced to simplify code readability and allows splitting
UDP and ESP processing in the next step.
Type: improvement
Change-Id: Ida4d6abbed141ac74d4d285900777778eb8a5a1d
Signed-off-by: Vinay Tripathi <vinayx.tripathi@intel.com>

Type: improvement
Since RFC4303 does not specify the anti-replay window size, VPP should
support multiple window sizes. It is done through a clib_bitmap.
Signed-off-by: Maxime Peim <mpeim@cisco.com>
Change-Id: I3dfe30efd20018e345418bef298ec7cec19b1cfc

Type: improvement
Signed-off-by: Xiaoming Jiang <jiangxiaoming@outlook.com>
Change-Id: Ib8bb300f5b62648f6b634046415742bdf5365982

Type: fix
Signed-off-by: Frédéric Perrin <fred@fperrin.net>
Change-Id: I45191b7316c88038bcd57d62aeb07bb109cf4a4d

Type: improvement
Change-Id: I830f7a2ea3ac0aff5185698b9fa7a278c45116b0
Signed-off-by: Benoît Ganne <bganne@cisco.com>

Type: fix
The buffer needs to be rewound before being passed to the punt-dispatch node.
Change-Id: I43d103515d372e425f4c3b08ca1779398f1fced4
Signed-off-by: Sylvain Cadilhac <sylvain.cadilhac@freepro.com>

A small mistake was made, reported by Coverity scan.
Type: fix
Change-Id: I98ca16c0275a94b2def99831f9353d4ff3fe93a9
Signed-off-by: Maxime Peim <mpeim@cisco.com>

When _VEC128 instructions are not enabled, the logic is buggy.
The function always returned 1.
Type: fix
Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com>
Change-Id: I603200637e8d65813f4e49ef15d798e74b79b9cf

List of changed messages:
- ipsec_sad_entry_add_del_v2
- ipsec_sad_entry_add_del_v2_reply
- ipsec_sa_v2_dump
- ipsec_sa_v2_details
This change is part of VPP API cleanup initiative.
Type: fix
Signed-off-by: Ondrej Fabry <ofabry@cisco.com>
Change-Id: I8fd6906e9684ef7ebc0688dc8b0637ae2dc8d0a2

An SA is normally bound to the first thread using it. However, one
could want to manually bind an SA to a specific worker.
Type: improvement
Signed-off-by: Maxime Peim <mpeim@cisco.com>
Change-Id: I05cbbf753e44a01d9964ee47812c964db9bbb488

The async frames pool may be resized once drained. This will cause 2 problems: the original pool pointer is invalidated and the pool size changes. Both problems will confuse the crypto infra user graph nodes (like IPsec and Wireguard) and crypto engines if they expect the pool pointers to always be valid and the pool size to never change (for performance reasons).
This patch introduces a fixed size for the async frames pool. This helps avoid surprising the components shown above and avoids a segmentation fault when pool resizing happens. In addition, the crypto engine may take advantage of the feature to sync its own pool/vector with the crypto infra.
Type: improvement
Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com>
Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com>
Change-Id: I2a71783b90149fa376848b9c4f84ce8c6c034bef

This patch can make the crypto dispatch node adaptively switch
between polling and interrupt mode, and improve VPP overall
performance.
Type: improvement
Signed-off-by: Xiaoming Jiang <jiangxiaoming@outlook.com>
Change-Id: I845ed1d29ba9f3c507ea95a337f6dca7f8d6e24e

commit failed
Type: fix
Signed-off-by: Xiaoming Jiang <jiangxiaoming@outlook.com>
Change-Id: Ib4c61906a9cbb3eea1214394d164ecffb38fd36d

Using pre-shared keys is usually a bad idea, one should use eg. IKEv2
instead, but one does not always have the choice.
For AES-CBC, the IV must be unpredictable (see NIST SP800-38a Appendix
C) whereas for AES-CTR or AES-GCM, the IV should never be reused with
the same key material (see NIST SP800-38a Appendix B and NIST SP800-38d
section 8).
If one uses pre-shared keys and VPP is restarted, the IV counter
restarts at 0 and the same IVs are generated with the same pre-shared
key material.
To fix those issues we follow the recommendation from NIST SP800-38a
and NIST SP800-38d:
- we use a PRNG (not cryptographically secure) to generate IVs to
avoid generating the same IV sequence between VPP restarts. The PRNG is
chosen so that there is a low chance of generating the same sequence
- for AES-CBC, the generated IV is encrypted as part of the message.
This makes the (predictable) PRNG-generated IV unpredictable as it is
encrypted with the secret key
- for AES-CTR and GCM, we use the IV as-is as predictable IVs are fine
Most of the changes in this patch are caused by the need to shoehorn an
additional state of 2 u64 for the PRNG in the 1st cacheline of the SA
object.
Type: improvement
Change-Id: I2af89c21ae4b2c4c33dd21aeffcfb79c13c9d84c
Signed-off-by: Benoît Ganne <bganne@cisco.com>