From 26fec718f2fa7913a484008fca7b1bc015c6efb5 Mon Sep 17 00:00:00 2001
From: Zachary Leaf
Date: Tue, 26 Oct 2021 10:05:58 -0500
Subject: ipsec: input: drop by default for non-matching pkts
As per IPSec RFC4301 [1], any non-matching packets should be dropped by default. This is handled correctly in ipsec_output.c, however in ipsec_input.c non-matching packets are allowed to pass as per a matched BYPASS rule.
For full details, see: https://lists.fd.io/g/vpp-dev/topic/ipsec_input_output_default/84943480
It appears the ipsec6_input_node only matches PROTECT policies. Until this is extended to handle BYPASS + DISCARD, we may wish to not drop by default here, since all IPv6 traffic not matching a PROTECT policy will be dropped.
[1]: https://datatracker.ietf.org/doc/html/rfc4301
Type: fix
Signed-off-by: Zachary Leaf
Change-Id: Iddbfd008dbe082486d1928f6a10ffbd83d859a20
---
 src/vnet/ipsec/ipsec_input.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
(limited to 'src/vnet/ipsec/ipsec_input.c')
diff --git a/src/vnet/ipsec/ipsec_input.c b/src/vnet/ipsec/ipsec_input.c
index 96bad28c2b5..c47ea34f288 100644
--- a/src/vnet/ipsec/ipsec_input.c
+++ b/src/vnet/ipsec/ipsec_input.c
@@ -331,6 +331,11 @@ VLIB_NODE_FN (ipsec4_input_node) (vlib_main_t * vm,
 p0 = 0;
 pi0 = ~0;
 };
+
+ /* Drop by default if no match on PROTECT, BYPASS or DISCARD */
+ ipsec_unprocessed += 1;
+ next[0] = IPSEC_INPUT_NEXT_DROP;
+
 trace0:
 if (PREDICT_FALSE (node->flags & VLIB_NODE_FLAG_TRACE)
 && PREDICT_FALSE (b[0]->flags & VLIB_BUFFER_IS_TRACED))
@@ -427,6 +432,11 @@ VLIB_NODE_FN (ipsec4_input_node) (vlib_main_t * vm,
 p0 = 0;
 pi0 = ~0;
 };
+
+ /* Drop by default if no match on PROTECT, BYPASS or DISCARD */
+ ipsec_unprocessed += 1;
+ next[0] = IPSEC_INPUT_NEXT_DROP;
+
 trace1:
 if (PREDICT_FALSE (node->flags & VLIB_NODE_FLAG_TRACE)
 && PREDICT_FALSE (b[0]->flags & VLIB_BUFFER_IS_TRACED))
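Review bot: The new drop lines in both ipsec4_input_node hunks (just before `trace0:` and before `trace1:`) set `next[0] = IPSEC_INPUT_NEXT_DROP;` without assigning `b[0]->error`, so the drop node presumably cannot attribute these packets to a reason in the node's error counters or in a packet trace; the two ipsec6_input_node hunks further down have the same gap. They also reuse `ipsec_unprocessed`, and if that counter still covers non-ESP/AH packets that are forwarded normally (that path is outside the hunk) it now mixes forwarded and dropped packets, which makes a policy misconfiguration indistinguishable from ordinary non-IPsec traffic when operators inspect the counters. Consider a dedicated no-match counter and `b[0]->error = node->errors[<NO_MATCH error index>];` next to the `next[0]` assignment in each hunk. The enclosing node function starts and ends outside the hunk.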
@@ -581,6 +591,8 @@ VLIB_NODE_FN (ipsec6_input_node) (vlib_main_t * vm,
 else
 {
 pi0 = ~0;
+ ipsec_unprocessed += 1;
+ next0 = IPSEC_INPUT_NEXT_DROP;
 }
 }
 else if (ip0->protocol == IP_PROTOCOL_IPSEC_AH)
@@ -608,6 +620,8 @@ VLIB_NODE_FN (ipsec6_input_node) (vlib_main_t * vm,
 else
 {
 pi0 = ~0;
+ ipsec_unprocessed += 1;
+ next0 = IPSEC_INPUT_NEXT_DROP;
 }
 }
 else
-- 
cgit 1.2.3-korg
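Review bot: The ipsec6_input_node hunks (this one in the ESP branch and the next one in the AH branch) add the drop without the explanatory comment the IPv4 hunks carry, while the commit message says the IPv6 path only matches PROTECT and that we "may wish to not drop by default here" — which is exactly what these lines do. The visible `else if (ip0->protocol == IP_PROTOCOL_IPSEC_AH)` shows the drop is confined to the ESP/AH protocol branches, so the effect is narrower than "all IPv6 traffic", but if, as the message states, there is no BYPASS/DISCARD lookup on this path, an operator has no policy with which to exempt a flow, and that decision should be stated in the code. Suggest `/* No PROTECT policy matched; the IPv6 path has no BYPASS/DISCARD lookup, so drop per RFC 4301 */` above `ipsec_unprocessed += 1;` in both branches, and aligning the commit message with the behaviour actually shipped. The enclosing node function starts and ends outside the hunk.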