Age | Commit message (Collapse) | Author | Files | Lines |
|
Not all ESP crypto algorithms require padding/alignment to be the same
as AES block/IV size. CCM, CTR and GCM all have no padding/alignment
requirements, and the RFCs indicate that no padding (beyond ESPs 4 octet
alignment requirement) should be used unless TFC (traffic flow
confidentiality) has been requested.
CTR: https://tools.ietf.org/html/rfc3686#section-3.2
GCM: https://tools.ietf.org/html/rfc4106#section-3.2
CCM: https://tools.ietf.org/html/rfc4309#section-3.2
- VPP is incorrectly using the IV/AES block size to pad CTR and GCM.
These modes do not require padding (beyond ESPs 4 octet requirement), as
a result packets will have unnecessary padding, which will waste
bandwidth at least and possibly fail certain network configurations that
have finely tuned MTU configurations at worst.
Fix this as well as changing the field names from ".*block_size" to
".*block_align" to better represent their actual (and only) use. Rename
"block_sz" in esp_encrypt to "esp_align" and set it correctly as well.
test: ipsec: Add unit-test to test for RFC correct padding/alignment
test: patch scapy to not incorrectly pad ccm, ctr, gcm modes as well
- Scapy is also incorrectly using the AES block size of 16 to pad CCM,
CTR, and GCM cipher modes. A bug report has been opened with the
and acknowledged with the upstream scapy project as well:
https://github.com/secdev/scapy/issues/2322
Ticket: VPP-1928
Type: fix
Signed-off-by: Christian Hopps <chopps@labn.net>
Change-Id: Iaa4d6a325a2e99fdcb2c375a3395bcfe7947770e
|
|
Add the ability to configure the pp2 rx and tx queue sizes in the CLI.
Type: improvement
Signed-off-by: Christian E. Hopps <chopps@chopps.org>
Change-Id: I6a824f92e22fa47fec3d84525cc2d82524ddf639
|
|
Type: fix
Calling vlib_get_node_by_name via the VPE api
doesn't work due to hash weirdness. Haven't
gotten around the real cause of this. But this
fixes it.
Change-Id: I89f95dba2bcd9573b8f1f435e063e9dd57f9ca93
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
Type: docs
Change-Id: Ib985ed6a644ae3f4c330bf6a27dc69c49a489a2f
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
Otherwise, the debug CLI command is unusable in a script because it
will eat (and complain about) subsequent lines in the script. Missing
this guitar lick, etc:
/* Get a line of input. */
if (!unformat_user (input, unformat_line_input, line_input))
return 0;
Type: fix
Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: Id328e6f1cc4d2e1672c3946db3865ab5a1a3af8d
|
|
Type: fix
Change-Id: I9e102e0028274cc084e59c106d1cd4be174b1205
Signed-off-by: MathiasRaoul <mathias.raoul@gmail.com>
|
|
Type: refactor
tap, virtio and vhost use virtio/vhost header files from linux
kernel. Different features are supported on different kernel
versions, making it difficult to use those in VPP. This patch
removes virtio/vhost based header dependencies to local header
files.
Change-Id: I064a8adb5cd9753c986b6f224bb075200b3856af
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Type: fix
The ARP/ND feature nodes reply to requests for a VR virtual IP address
when a VR is in the master state. If the VR is in the backup state, the
request is passed to the next node on the feature arc.
This can cause an incorrect response to be sent. If some other feature
(e.g. NAT) causes a virtual IP address to be configured as a "local"
address on the system, a later node on the feature arc may respond to
an ARP/ND request with the real MAC address of the interface.
RFC 5798 says that a router must respond to ARP/ND requests for VR
virtual IP addresses with the VR virtual MAC address. And it says a
router must not respond to ARP/ND requests for VR virtual IP addresses
when the VR is in the backup state. Ensure that ARP/ND requests for
VR virtual IP addresses are dropped when in the backup state rather
than allowing them to continue on the feature arc where another node
may end up responding.
In order to do this, enable/disable the feature nodes when leaving
or entering the init state instead of the master state.
Change-Id: I416f83e125cbf91deb90c3b6eb00ba3207de24ad
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Adjust buffer allocation so it always have odd number of cache lines.
That should result in better distribution of cachelines among cache sets.
Type: improvement
Change-Id: I0d39d4cf01cff36ad6f70a700730823a96448c22
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Use VLIB_MAIN_LOOP_ENTER_FUNCTION to do post init initialization for
dpdk crypto rather than create a one-time process to do the same.
Type: fix
Signed-off-by: Christian Hopps <chopps@labn.net>
Change-Id: I06e480b028c8e1fc1b0024a66b2338eb21a797ca
|
|
Type: fix
Change-Id: Ic6e2b7e05b50945a8e2222019c2942a6ee52e465
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
Fix the shown crypto inflight counts which were reversed. Also improve a
couple error descriptions to tell them apart when viewed.
Type: fix
Signed-off-by: Christian Hopps <chopps@labn.net>
Change-Id: I6d4054c64aa842658cfcde8969c7aa48f6d21207
|
|
The issue is not easily hit. When GRE_teb packets are received the post
crypto processing adjusts the l2.l2_len value in the vnet_buffer opaque
data. This is overwriting the ipsec opaque data. Later the trace code
fetches the sa_index from the ipsec opaque data. It's just an accident
that this currently works, if the ipsec data is changed so that the
sa_index moves around it will be overwritten by the l2_len modification.
Indeed, this was found b/c local development changes had moved the
sa_index so it was over-lapping with the l2_len memory space, and the UT
failed.
Type: fix
Change-Id: Iaecfa750cf0b36653fd9e75b4d799f323a14d932
Signed-off-by: Christian Hopps <chopps@labn.net>
|
|
Add missing cli options for setting IPsec SA flags, inbound,
use-anti-replay, and use-esn.
Type: fix
Change-Id: Ia7a91b4b0a12be9e4dd0e684be3e04d8ccafb9d4
Signed-off-by: Christian Hopps <chopps@labn.net>
|
|
This patch aims to improve decap performance by reducing expensive
hash_get callings as less as possible using AVX512 on XEON.
e.g. vxlan, vxlan_gpe, geneve, gtpu.
For the existing code, if vtep4 of the current packet match the last
vtep4_key_t well, expensive hash computation can be avoided and the
code returns directly.
This patch improves tunnel decap multiple flows case greatly by
leveraging 512bit vector register on XEON accommodating 8 vtep4_keys.
It enhances the possiblity of avoiding unnecessary hash computing
once hash key of the current packet hits any one of 8 in the 512bit
cache.
The oldest element in vtep4_cache_t is updated in round-robin order.
vlib_get_buffers is also leveraged in the meanwhile.
Type: improvement
Signed-off-by: Zhiyong Yang <zhiyong.yang@intel.com>
Signed-off-by: Ray Kinsella <mdr@ashroe.eu>
Signed-off-by: Junfeng Wang <drenfong.wang@intel.com>
Change-Id: I313103202bd76f2dd638cd942554721b37ddad60
|
|
The protocol value was changed to 50 and 51 (rather than 0 and 1), but
the custom_dump function wasn't updated to reflect this. Also the is_add
value wasn't being shown. Fix both these issues.
Type: fix
Change-Id: I429b4616d6c7937f73308b644154370fab32eaae
Signed-off-by: Christian Hopps <chopps@labn.net>
|
|
"clear counters" is not appropriate for a protocol to own. Change
to "clear l2tp counters" (and "test l2tp counter").
Type: fix
Signed-off-by: Christian Hopps <chopps@labn.net>
Change-Id: I3faac3907c4697c1c95df34ac7d31e48063869a8
|
|
Scenarios where SIGHUP is sent would include the user closing an xterm
while in interactive/nodaemon mode, or similarly when running vpp in the
same mode during testing (e.g., using ssh to run VPP on a DUT). VPP
should exit in these cases; however, generating a core is unwanted.
Type: fix
Signed-off-by: Christian Hopps <chopps@labn.net>
Change-Id: Ibccfe5e676547e913c8a205ff16ab56d9abb1c82
|
|
Type: feature
This adds api calls for the following CLIs:
* set sw_scheuduler worker <N> crypto on|off
* set crypto async dispatch polling|interrupt
* set crypto handler
* set crypto async handler
Change-Id: Ic701d149c440e42ea4575da42b9f69e4c8759602
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
Type: feature
This patch adds new sw_scheduler async crypto engine.
The engine transforms async frames info sync crypto ops and
delegates them to active sync engines. With the patch it
is possible to increase the single worker crypto throughput
by offloading the crypto workload to multiple workers.
By default all workers in the system will attend the crypto
workload processing. However a worker's available cycles
are limited. To avail more cycles to one worker to process
other workload (e.g. the worker core that handles the RX/TX
and IPSec stack processing), a useful cli command is added
to remove itself (or add it back later) from the heavy
crypto workload but only let other workers to process the
crypto. The command is:
- set sw_scheduler worker <idx> crypto <on|off>
It also adds new interrupt mode to async crypto dispatch node.
This mode signals the node when new frames are enqueued
as opposed to polling mode that continuously calls dispatch node.
New cli commands:
- set crypto async dispatch [polling|interrupt]
- show crypto async status (displays mode and nodes' states)
Signed-off-by: PiotrX Kleski <piotrx.kleski@intel.com>
Signed-off-by: DariuszX Kazimierski <dariuszx.kazimierski@intel.com>
Reviewed-by: Fan Zhang <roy.fan.zhang@intel.com>
Change-Id: I332655f347bb9e3bc9c64166e86e393e911bdb39
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I4b132cad8ff906ef24846cc43935ccfd6aa7b4ec
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I436741e061f11685980a71fb3989befc7af1e081
|
|
Let twice-nat static mapping pick specific
address from the twice-nat pool.
Type: improvement
Change-Id: Iadaa036af2fa3b0e6e9a68ff6e68b4bbe1650eb1
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Type: fix
adding routes should be MP safe. When new prefixes with differrent
prefix lengths are added, adjust the sorted list in an MP safe way.
Change-Id: Ib73a3c84d01eb86d17f8e79ea2bd2505dd9afb3d
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
Signed-off-by: yedonggang <yedg@wangsu.com>
Change-Id: I3bf67070ed01df40626f3b90f2762158b6c3ce05
|
|
gso option is available for the debug CLI version of bond create.
This patch is to create a new API to have the corresponding option in
the binary API. The old binary API bond_create is marked deprecated.
Type: improvement
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: Id9501b8e6d267ae09e2b411957f181343da459c0
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I7228a01d38e61cc00358419b2512ca0da4f76ff5
|
|
Type: improvement
Signed-off-by: Yulong Pei <yulong.pei@intel.com>
Change-Id: I841f4407ed8c1a448e5102059fc79ae1f7d461de
|
|
Type: fix
Change-Id: I2b6b7b6f28cbf7accf883743e390b0031dd13bbb
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: improvement
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: Ia1276d00dded36ee28b4b2e93b4cc7c1df6b1eef
|
|
Type: feature
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I95d7fc1cc8db5199570c66535f45e867a7cae676
|
|
Type: feature
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I3e00deb94943c545d1649865b2efdf7d51b90f4d
|
|
Type: feature
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
Change-Id: Iec28fb11b6edff1bee23117f56aa3a3e5729541a
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: fix
Change-Id: Ia28161b583ea26ab820a494332a79b64add7004d
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Type: fix
Change-Id: I8d55c2bfdd3c4607044370ebabf40cbac78b4996
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Type: fix
Change-Id: I12b08333f3f69aaa882e8801f4f69bca2d7bd558
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Change-Id: I4930c3c2a8025ec9ceb17e994137be67d88d455f
Type: fix
Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
|
|
enum bar_enum {
BAR1 = 0,
BAR2,
BAR3 [backwards_compatible],
BAR4 = 9 [backwards_compatible],
};
This allows adding backwards compatible (as guaranteed by the developer) enums.
The enums marked backwards compatible are not considered in the CRC calculation.
Type: improvement
Change-Id: I6fc0c21b19e1a02cff7f5d279a0f3a32d2f8b630
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Type: feature
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
Change-Id: I3697cf7fab7abb7c3d2f61ef326c9116bc1eed66
|
|
In one's complement, there are two representations of zero: the all
zero and the all one bit values, often referred to as +0 and -0. See
RFC 1624 section 3 for more details.
This used to be taken care of in ip4_header_checksum(), but it is no
longer the case. The check ip->checksum == ip4_header_checksum (ip) is
no longer correct in the -0 case.
Always use ip4_header_checksum_is_valid() instead (which behaves
correctly since 9a79a1ab931c3b5a7ae07d6f0fcfef7c4368a2c4).
Type: fix
Fixes: e5f0050c7a5d411f96af6401797529d58825e2af
Change-Id: Iacc6b60645a834287b085aecb9e3fdb4554cf0cf
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: fix
Signed-off-by: jiangxiaoming <jiangxiaoming@outlook.com>
Change-Id: I87c6f423ea8fdd9fb764693055eb1509f994d6f1
|
|
Type: improvement
Change-Id: Ie063ee0a0c59a9ad632200ce2b23703bc0d936e6
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Adjacencies are only defined for IPv4 and IPv6.
Type: fix
Fixes: 20aec3db441074ee5a861a40d6e02fad2f3dcb37
Change-Id: I19b2b7f6958da49f41c6eabc9f248840769acbbb
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: fix
Hitting a code not reachable when setting
BIHASH_KVP_AT_BUCKET_LEVEL = 1
Change-Id: I24d539df67ae7650a3b1969f5709a6f7366d786b
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
Type: fix
Change-Id: I5287f6326726780c09e515eede0992bafb413bb2
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
It is cheaper to include checksum field in calculation and simply
compare result with zero.
Type: improvement
Change-Id: I6f77632c0a4d2f2c632d044d3a5d2fcf2b5bac62
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Translation memory size is internally a uword, but in api it was u32,
resulting in the returned value being 0 all the time.
Fix the "incorrect" API reply to return a u32 capped to 0xffffffff if
the u64 is larger than that, introduce the message with
the correct type, deprecate the message with the incorrect type.
Also, while we are updating the message definition,
add the max translations / max users per worker thread
into the new message.
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I92e38a6a2bcb70fc8d1b129bbe416bf7f9e54280
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
There is a number of TERMs with big length, such as
'screen.konsole-256color' (23). These TERMs can not
be processed properly by vpp because maximum telnet
byte stream supported is 24 and we need 6 more service
bytes to send TTYPE.
So I extended maximum depth guard to 32.
Type: fix
Signed-off-by: Vladimir Isaev <visaev@netgate.com>
Change-Id: I9ca506996a97e9567d06483c5f020d6cc394329c
|
|
Make it shorter and same format when converting to biggor or smaller
types.
Type: refactor
Change-Id: I443d67e18ae65d779b4d9a0dce5406f7d9f0e4ac
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Building VPP using gcc-10 fails because of the array bounds check
error for function ip4_header_checksum(), with option field in IPv4
header exceeding the ip4_header_t bound. Fix this error by turning
off the array bounds check option for function ip4_header_checksum().
Change-Id: I68cc241ae9e403d35ac2e320549506dc6565a0b6
Type: fix
Signed-off-by: Jieqiang Wang <jieqiang.wang@arm.com>
|