/* * Copyright (c) 2011-2016 Cisco and/or its affiliates. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at: * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ /** * @file * @brief BFD nodes implementation */ #if WITH_LIBSSL > 0 #include #endif #if __SSE4_2__ #include #endif #include #include #include #include #include #include #include #include #include #include #include static u64 bfd_calc_echo_checksum (u32 discriminator, u64 expire_time, u32 secret) { u64 checksum = 0; #if defined(clib_crc32c_uses_intrinsics) && !defined (__i386__) checksum = crc32_u64 (0, discriminator); checksum = crc32_u64 (checksum, expire_time); checksum = crc32_u64 (checksum, secret); #else checksum = clib_xxhash (discriminator ^ expire_time ^ secret); #endif return checksum; } static u64 bfd_usec_to_clocks (const bfd_main_t * bm, u64 us) { return bm->cpu_cps * ((f64) us / USEC_PER_SECOND); } u32 bfd_clocks_to_usec (const bfd_main_t * bm, u64 clocks) { return (clocks / bm->cpu_cps) * USEC_PER_SECOND; } static vlib_node_registration_t bfd_process_node; u8 * format_bfd_auth_key (u8 * s, va_list * args) { const bfd_auth_key_t *key = va_arg (*args, bfd_auth_key_t *); if (key) { s = format (s, "{auth-type=%u:%s, conf-key-id=%u, use-count=%u}, ", key->auth_type, bfd_auth_type_str (key->auth_type), key->conf_key_id, key->use_count); } else { s = format (s, "{none}"); } return s; } /* * We actually send all bfd pkts to the "error" node after scanning * them, so the graph node has only one next-index. The "error-drop" * node automatically bumps our per-node packet counters for us. */ typedef enum { BFD_INPUT_NEXT_NORMAL, BFD_INPUT_N_NEXT, } bfd_input_next_t; static void bfd_on_state_change (bfd_main_t * bm, bfd_session_t * bs, u64 now, int handling_wakeup); static void bfd_set_defaults (bfd_main_t * bm, bfd_session_t * bs) { bs->local_state = BFD_STATE_down; bs->local_diag = BFD_DIAG_CODE_no_diag; bs->remote_state = BFD_STATE_down; bs->remote_discr = 0; bs->hop_type = BFD_HOP_TYPE_SINGLE; bs->config_desired_min_tx_usec = BFD_DEFAULT_DESIRED_MIN_TX_USEC; bs->config_desired_min_tx_clocks = bm->default_desired_min_tx_clocks; bs->effective_desired_min_tx_clocks = bm->default_desired_min_tx_clocks; bs->remote_min_rx_usec = 1; bs->remote_min_rx_clocks = bfd_usec_to_clocks (bm, bs->remote_min_rx_usec); bs->remote_min_echo_rx_usec = 0; bs->remote_min_echo_rx_clocks = 0; bs->remote_demand = 0; bs->auth.remote_seq_number = 0; bs->auth.remote_seq_number_known = 0; bs->auth.local_seq_number = random_u32 (&bm->random_seed); bs->echo_secret = random_u32 (&bm->random_seed); } static void bfd_set_diag (bfd_session_t * bs, bfd_diag_code_e code) { if (bs->local_diag != code) { BFD_DBG ("set local_diag, bs_idx=%d: '%d:%s'", bs->bs_idx, code, bfd_diag_code_string (code)); bs->local_diag = code; } } static void bfd_set_state (bfd_main_t * bm, bfd_session_t * bs, bfd_state_e new_state, int handling_wakeup) { if (bs->local_state != new_state) { BFD_DBG ("Change state, bs_idx=%d: %s->%s", bs->bs_idx, bfd_state_string (bs->local_state), bfd_state_string (new_state)); bs->local_state = new_state; bfd_on_state_change (bm, bs, clib_cpu_time_now (), handling_wakeup); } } const char * bfd_poll_state_string (bfd_poll_state_e state) { switch (state) { #define F(x) \ case BFD_POLL_##x: \ return "BFD_POLL_" #x; foreach_bfd_poll_state (F) #undef F } return "UNKNOWN"; } static void bfd_set_poll_state (bfd_session_t * bs, bfd_poll_state_e state) { if (bs->poll_state != state) { BFD_DBG ("Setting poll state=%s, bs_idx=%u", bfd_poll_state_string (state), bs->bs_idx); bs->poll_state = state; } } static void bfd_recalc_tx_interval (bfd_main_t * bm, bfd_session_t * bs) { bs->transmit_interval_clocks = clib_max (bs->effective_desired_min_tx_clocks, bs->remote_min_rx_clocks); BFD_DBG ("Recalculated transmit interval " BFD_CLK_FMT, BFD_CLK_PRN (bs->transmit_interval_clocks)); } static void bfd_recalc_echo_tx_interval (bfd_main_t * bm, bfd_session_t * bs) { bs->echo_transmit_interval_clocks = clib_max (bs->effective_desired_min_tx_clocks, bs->remote_min_echo_rx_clocks); BFD_DBG ("Recalculated echo transmit interval " BFD_CLK_FMT, BFD_CLK_PRN (bs->echo_transmit_interval_clocks)); } static void bfd_calc_next_tx (bfd_main_t * bm, bfd_session_t * bs, u64 now) { if (bs->local_detect_mult > 1) { /* common case - 75-100% of transmit interval */ bs->tx_timeout_clocks = bs->last_tx_clocks + (1 - .25 * (random_f64 (&bm->random_seed))) * bs->transmit_interval_clocks; if (bs->tx_timeout_clocks < now) { /* * the timeout is in the past, which means that either remote * demand mode was set or performance/clock issues ... */ BFD_DBG ("Missed %lu transmit events (now is %lu, calc " "tx_timeout is %lu)", (now - bs->tx_timeout_clocks) / bs->transmit_interval_clocks, now, bs->tx_timeout_clocks); bs->tx_timeout_clocks = now; } } else { /* special case - 75-90% of transmit interval */ bs->tx_timeout_clocks = bs->last_tx_clocks + (.9 - .15 * (random_f64 (&bm->random_seed))) * bs->transmit_interval_clocks; if (bs->tx_timeout_clocks < now) { /* * the timeout is in the past, which means that either remote * demand mode was set or performance/clock issues ... */ BFD_DBG ("Missed %lu transmit events (now is %lu, calc " "tx_timeout is %lu)", (now - bs->tx_timeout_clocks) / bs->transmit_interval_clocks, now, bs->tx_timeout_clocks); bs->tx_timeout_clocks = now; } } if (bs->tx_timeout_clocks) { BFD_DBG ("Next transmit in %lu clocks/%.02fs@%lu", bs->tx_timeout_clocks - now, (bs->tx_timeout_clocks - now) / bm->cpu_cps, bs->tx_timeout_clocks); } } static void bfd_calc_next_echo_tx (bfd_main_t * bm, bfd_session_t * bs, u64 now) { bs->echo_tx_timeout_clocks = bs->echo_last_tx_clocks + bs->echo_transmit_interval_clocks; if (bs->echo_tx_timeout_clocks < now) { /* huh, we've missed it already, transmit now */ BFD_DBG ("Missed %lu echo transmit events (now is %lu, calc tx_timeout " "is %lu)", (now - bs->echo_tx_timeout_clocks) / bs->echo_transmit_interval_clocks, now, bs->echo_tx_timeout_clocks); bs->echo_tx_timeout_clocks = now; } BFD_DBG ("Next echo transmit in %lu clocks/%.02fs@%lu", bs->echo_tx_timeout_clocks - now, (bs->echo_tx_timeout_clocks - now) / bm->cpu_cps, bs->echo_tx_timeout_clocks); } static void bfd_recalc_detection_time (bfd_main_t * bm, bfd_session_t * bs) { if (bs->local_state == BFD_STATE_init || bs->local_state == BFD_STATE_up) { bs->detection_time_clocks = bs->remote_detect_mult * clib_max (bs->effective_required_min_rx_clocks, bs->remote_desired_min_tx_clocks); BFD_DBG ("Recalculated detection time %lu clocks/%.2fs", bs->detection_time_clocks, bs->detection_time_clocks / bm->cpu_cps); } } static void bfd_set_timer (bfd_main_t * bm, bfd_session_t * bs, u64 now, int handling_wakeup) { u64 next = 0; u64 rx_timeout = 0; u64 tx_timeout = 0; if (BFD_STATE_up == bs->local_state) { rx_timeout = bs->last_rx_clocks + bs->detection_time_clocks; } if (BFD_STATE_up != bs->local_state || (!bs->remote_demand && bs->remote_min_rx_usec) || BFD_POLL_NOT_NEEDED != bs->poll_state) { tx_timeout = bs->tx_timeout_clocks; } if (tx_timeout && rx_timeout) { next = clib_min (tx_timeout, rx_timeout); } else if (tx_timeout) { next = tx_timeout; } else if (rx_timeout) { next = rx_timeout; } if (bs->echo && next > bs->echo_tx_timeout_clocks) { next = bs->echo_tx_timeout_clocks; } BFD_DBG ("bs_idx=%u, tx_timeout=%lu, echo_tx_timeout=%lu, rx_timeout=%lu, " "next=%s", bs->bs_idx, tx_timeout, bs->echo_tx_timeout_clocks, rx_timeout, next == tx_timeout ? "tx" : (next == bs->echo_tx_timeout_clocks ? "echo tx" : "rx")); /* sometimes the wheel expires an event a bit sooner than requested, account for that here */ if (next && (now + bm->wheel_inaccuracy > bs->wheel_time_clocks || next < bs->wheel_time_clocks || !bs->wheel_time_clocks)) { int send_signal = 0; bs->wheel_time_clocks = next; BFD_DBG ("timing_wheel_insert(%p, %lu (%ld clocks/%.2fs in the " "future), %u);", &bm->wheel, bs->wheel_time_clocks, (i64) bs->wheel_time_clocks - clib_cpu_time_now (), (i64) (bs->wheel_time_clocks - clib_cpu_time_now ()) / bm->cpu_cps, bs->bs_idx); bfd_lock (bm); timing_wheel_insert (&bm->wheel, bs->wheel_time_clocks, bs->bs_idx); if (!handling_wakeup) { /* Send only if it is earlier than current awaited wakeup time */ send_signal = (bs->wheel_time_clocks < bm->bfd_process_next_wakeup_clocks) && /* * If the wake-up time is within 2x the delay of the event propagation delay, * avoid the expense of sending the event. The 2x multiplier is to workaround the race whereby * simultaneous event + expired timer create one recurring bogus wakeup/suspend instance, * due to double scheduling of the node on the pending list. */ (bm->bfd_process_next_wakeup_clocks - bs->wheel_time_clocks > 2 * bm->bfd_process_wakeup_event_delay_clocks) && /* Must be no events in flight to send an event */ (!bm->bfd_process_wakeup_events_in_flight); /* If we do send the signal, note this down along with the start timestamp */ if (send_signal) { bm->bfd_process_wakeup_events_in_flight++; bm->bfd_process_wakeup_event_start_clocks = now; } } bfd_unlock (bm); /* Use the multithreaded event sending so the workers can send events too */ if (send_signal) { vlib_process_signal_event_mt (bm->vlib_main, bm->bfd_pr
/*
 * Copyright (c) 2016 Cisco and/or its affiliates.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include <stddef.h>

#include <vnet/arp/arp.h>

#include <vnet/fib/fib_table.h>
#include <vnet/ip/ip_types_api.h>

#include <vpp/app/version.h>

#include <vlibapi/api.h>
#include <vlibmemory/api.h>

/* define message IDs */
#include <vnet/format_fns.h>
#include <vnet/arp/arp.api_enum.h>
#include <vnet/arp/arp.api_types.h>

/**
 * Base message ID fot the plugin
 */
static u32 arp_base_msg_id;
#define REPLY_MSG_ID_BASE arp_base_msg_id

#include <vlibapi/api_helper_macros.h>

static void
vl_api_proxy_arp_add_del_t_handler (vl_api_proxy_arp_add_del_t * mp)
{
  vl_api_proxy_arp_add_del_reply_t *rmp;
  ip4_address_t lo, hi;
  u32 fib_index;
  int rv;

  fib_index = fib_table_find (FIB_PROTOCOL_IP4, ntohl (mp->proxy.table_id));

  if (~0 == fib_index)
    {
      rv = VNET_API_ERROR_NO_SUCH_FIB;
      goto out;
    }

  ip4_address_decode (mp->proxy.low, &lo);
  ip4_address_decode (mp->proxy.hi, &hi);

  if (mp->is_add)
    rv = arp_proxy_add (fib_index, &lo, &hi);
  else
    rv = arp_proxy_del (fib_index, &lo, &hi);

out:
  REPLY_MACRO (VL_API_PROXY_ARP_ADD_DEL_REPLY);
}

typedef struct proxy_arp_walk_ctx_t_
{
  vl_api_registration_t *reg;
  u32 context;
} proxy_arp_walk_ctx_t;

static walk_rc_t
send_proxy_arp_details (const ip4_address_t * lo_addr,
			const ip4_address_t * hi_addr,
			u32 fib_index, void *data)
{
  vl_api_proxy_arp_details_t *mp;
  proxy_arp_walk_ctx_t *ctx;

  ctx = data;

  mp = vl_msg_api_alloc (sizeof (*mp));
  clib_memset (mp, 0, sizeof (*mp));
  mp->_vl_msg_id = ntohs (VL_API_PROXY_ARP_DETAILS + REPLY_MSG_ID_BASE);
  mp->context = ctx->context;
  mp->proxy.table_id = htonl (fib_index);

  ip4_address_encode (lo_addr, mp->proxy.low);
  ip4_address_encode (hi_addr, mp->proxy.hi);

  vl_api_send_msg (ctx->reg, (u8 *) mp);

  return (WALK_CONTINUE);
}

static void
vl_api_proxy_arp_dump_t_handler (vl_api_proxy_arp_dump_t * mp)
{
  vl_api_registration_t *reg;

  reg = vl_api_client_index_to_registration (mp->client_index);
  if (!reg)
    return;

  proxy_arp_walk_ctx_t wctx = {
    .reg = reg,
    .context = mp->context,
  };

  proxy_arp_walk (send_proxy_arp_details, &wctx);
}

static walk_rc_t
send_proxy_arp_intfc_details (u32 sw_if_index, void *data)
{
  vl_api_proxy_arp_intfc_details_t *mp;
  proxy_arp_walk_ctx_t *ctx;

  ctx = data;

  mp = vl_msg_api_alloc (sizeof (*mp));
  clib_memset (mp, 0, sizeof (*mp));
  mp->_vl_msg_id = ntohs (VL_API_PROXY_ARP_INTFC_DETAILS + REPLY_MSG_ID_BASE);
  mp->context = ctx->context;
  mp->sw_if_index = htonl (sw_if_index);

  vl_api_send_msg (ctx->reg, (u8 *) mp);

  return (WALK_CONTINUE);
}

static void
vl_api_proxy_arp_intfc_dump_t_handler (vl_api_proxy_arp_intfc_dump_t * mp)
{
  vl_api_registration_t *reg;

  reg = vl_api_client_index_to_registration (mp->client_index);
  if (!reg)
    return;

  proxy_arp_walk_ctx_t wctx = {
    .reg = reg,
    .context = mp->context,
  };

  proxy_arp_intfc_walk (send_proxy_arp_intfc_details, &wctx);
}

static void
  vl_api_proxy_arp_intfc_enable_disable_t_handler
  (vl_api_proxy_arp_intfc_enable_disable_t * mp)
{
  vl_api_proxy_arp_intfc_enable_disable_reply_t *rmp;
  int rv;

  VALIDATE_SW_IF_INDEX (mp);

  if (mp->enable)
    rv = arp_proxy_enable (ntohl (mp->sw_if_index));
  else
    rv = arp_proxy_disable (ntohl (mp->sw_if_index));

  BAD_SW_IF_INDEX_LABEL;

  REPLY_MACRO (VL_API_PROXY_ARP_INTFC_ENABLE_DISABLE_REPLY);
}

#include <vnet/arp/arp.api.c>

static clib_error_t *
arp_api_init (vlib_main_t * vm)
{
  /* Ask for a correctly-sized block of API message decode slots */
  arp_base_msg_id = setup_message_id_table ();

  return 0;
}

VLIB_INIT_FUNCTION (arp_api_init);

/*
 * fd.io coding-style-patch-verification: ON
 *
 * Local Variables:
 * eval: (c-set-style "gnu")
 * End:
 */
) { vlib_thread_main_t *tm = &vlib_thread_main; u32 n_vlib_mains = tm->n_vlib_mains; #if BFD_DEBUG setbuf (stdout, NULL); #endif bfd_main_t *bm = &bfd_main; bm->random_seed = random_default_seed (); bm->vlib_main = vm; bm->vnet_main = vnet_get_main (); clib_memset (&bm->wheel, 0, sizeof (bm->wheel)); bm->cpu_cps = vm->clib_time.clocks_per_second; BFD_DBG ("cps is %.2f", bm->cpu_cps); bm->default_desired_min_tx_clocks = bfd_usec_to_clocks (bm, BFD_DEFAULT_DESIRED_MIN_TX_USEC); bm->min_required_min_rx_while_echo_clocks = bfd_usec_to_clocks (bm, BFD_REQUIRED_MIN_RX_USEC_WHILE_ECHO); const u64 now = clib_cpu_time_now (); timing_wheel_init (&bm->wheel, now, bm->cpu_cps); bm->wheel_inaccuracy = 2 << bm->wheel.log2_clocks_per_bin; bm->log_class = vlib_log_register_class ("bfd", 0); vlib_log_debug (bm->log_class, "initialized"); bm->owner_thread_index = ~0; if (n_vlib_mains > 1) clib_spinlock_init (&bm->lock); return 0; } VLIB_INIT_FUNCTION (bfd_main_init); bfd_session_t * bfd_get_session (bfd_main_t * bm, bfd_transport_e t) { bfd_session_t *result; bfd_lock (bm); pool_get (bm->sessions, result); clib_memset (result, 0, sizeof (*result)); result->bs_idx = result - bm->sessions; result->transport = t; const unsigned limit = 1000; unsigned counter = 0; do { result->local_discr = random_u32 (&bm->random_seed); if (counter > limit) { vlib_log_crit (bm->log_class, "couldn't allocate unused session discriminator even " "after %u tries!", limit); pool_put (bm->sessions, result); bfd_unlock (bm); return NULL; } ++counter; } while (hash_get (bm->session_by_disc, result->local_discr)); bfd_set_defaults (bm, result); hash_set (bm->session_by_disc, result->local_discr, result->bs_idx); bfd_unlock (bm); return result; } void bfd_put_session (bfd_main_t * bm, bfd_session_t * bs) { bfd_lock (bm); vlib_log_info (bm->log_class, "delete session: %U", format_bfd_session_brief, bs); bfd_notify_listeners (bm, BFD_LISTEN_EVENT_DELETE, bs); if (bs->auth.curr_key) { --bs->auth.curr_key->use_count; } if (bs->auth.next_key) { --bs->auth.next_key->use_count; } hash_unset (bm->session_by_disc, bs->local_discr); pool_put (bm->sessions, bs); bfd_unlock (bm); } bfd_session_t * bfd_find_session_by_idx (bfd_main_t * bm, uword bs_idx) { bfd_lock_check (bm); if (!pool_is_free_index (bm->sessions, bs_idx)) { return pool_elt_at_index (bm->sessions, bs_idx); } return NULL; } bfd_session_t * bfd_find_session_by_disc (bfd_main_t * bm, u32 disc) { bfd_lock_check (bm); uword *p = hash_get (bfd_main.session_by_disc, disc); if (p) { return pool_elt_at_index (bfd_main.sessions, *p); } return NULL; } /** * @brief verify bfd packet - common checks * * @param pkt * * @return 1 if bfd packet is valid */ int bfd_verify_pkt_common (const bfd_pkt_t * pkt) { if (1 != bfd_pkt_get_version (pkt)) { BFD_ERR ("BFD verification failed - unexpected version: '%d'", bfd_pkt_get_version (pkt)); return 0; } if (pkt->head.length < sizeof (bfd_pkt_t) || (bfd_pkt_get_auth_present (pkt) && pkt->head.length < sizeof (bfd_pkt_with_common_auth_t))) { BFD_ERR ("BFD verification failed - unexpected length: '%d' (auth " "present: %d)", pkt->head.length, bfd_pkt_get_auth_present (pkt)); return 0; } if (!pkt->head.detect_mult) { BFD_ERR ("BFD verification failed - unexpected detect-mult: '%d'", pkt->head.detect_mult); return 0; } if (bfd_pkt_get_multipoint (pkt)) { BFD_ERR ("BFD verification failed - unexpected multipoint: '%d'", bfd_pkt_get_multipoint (pkt)); return 0; } if (!pkt->my_disc) { BFD_ERR ("BFD verification failed - unexpected my-disc: '%d'", pkt->my_disc); return 0; } if (!pkt->your_disc) { const u8 pkt_state = bfd_pkt_get_state (pkt); if (pkt_state != BFD_STATE_down && pkt_state != BFD_STATE_admin_down) { BFD_ERR ("BFD verification failed - unexpected state: '%s' " "(your-disc is zero)", bfd_state_string (pkt_state)); return 0; } } return 1; } static void bfd_session_switch_auth_to_next (bfd_session_t * bs) { BFD_DBG ("Switching authentication key from %U to %U for bs_idx=%u", format_bfd_auth_key, bs->auth.curr_key, format_bfd_auth_key, bs->auth.next_key, bs->bs_idx); bs->auth.is_delayed = 0; if (bs->auth.curr_key) { --bs->auth.curr_key->use_count; } bs->auth.curr_key = bs->auth.next_key; bs->auth.next_key = NULL; bs->auth.curr_bfd_key_id = bs->auth.next_bfd_key_id; } static int bfd_auth_type_is_meticulous (bfd_auth_type_e auth_type) { if (BFD_AUTH_TYPE_meticulous_keyed_md5 == auth_type || BFD_AUTH_TYPE_meticulous_keyed_sha1 == auth_type) { return 1; } return 0; } static int bfd_verify_pkt_auth_seq_num (bfd_session_t * bs, u32 received_seq_num, int is_meticulous) { /* * RFC 5880 6.8.1: * * This variable MUST be set to zero after no packets have been * received on this session for at least twice the Detection Time. */ u64 now = clib_cpu_time_now (); if (now - bs->last_rx_clocks > bs->detection_time_clocks * 2) { BFD_DBG ("BFD peer unresponsive for %lu clocks, which is > 2 * " "detection_time=%u clocks, resetting remote_seq_number_known " "flag", now - bs->last_rx_clocks, bs->detection_time_clocks * 2); bs->auth.remote_seq_number_known = 0; } if (bs->auth.remote_seq_number_known) { /* remote sequence number is known, verify its validity */ const u32 max_u32 = 0xffffffff; /* the calculation might wrap, account for the special case... */ if (bs->auth.remote_seq_number > max_u32 - 3 * bs->local_detect_mult) { /* * special case * * x y z * |----------+----------------------------+-----------| * 0 ^ ^ 0xffffffff * | remote_seq_num------+ * | * +-----(remote_seq_num + 3*detect_mult) % * 0xffffffff * * x + y + z = 0xffffffff * x + z = 3 * detect_mult */ const u32 z = max_u32 - bs->auth.remote_seq_number; const u32 x = 3 * bs->local_detect_mult - z; if (received_seq_num > x && received_seq_num < bs->auth.remote_seq_number + is_meticulous) { BFD_ERR ("Recvd sequence number=%u out of ranges <0, %u>, <%u, %u>", received_seq_num, x, bs->auth.remote_seq_number + is_meticulous, max_u32); return 0; } } else { /* regular case */ const u32 min = bs->auth.remote_seq_number + is_meticulous; const u32 max = bs->auth.remote_seq_number + 3 * bs->local_detect_mult; if (received_seq_num < min || received_seq_num > max) { BFD_ERR ("Recvd sequence number=%u out of range <%u, %u>", received_seq_num, min, max); return 0; } } } return 1; } static int bfd_verify_pkt_auth_key_sha1 (const bfd_pkt_t * pkt, u32 pkt_size, bfd_session_t * bs, u8 bfd_key_id, bfd_auth_key_t * auth_key) { ASSERT (auth_key->auth_type == BFD_AUTH_TYPE_keyed_sha1 || auth_key->auth_type == BFD_AUTH_TYPE_meticulous_keyed_sha1); u8 result[SHA_DIGEST_LENGTH]; bfd_pkt_with_common_auth_t *with_common = (void *) pkt; if (pkt_size < sizeof (*with_common)) { BFD_ERR ("Packet size too small to hold authentication common header"); return 0; } if (with_common->common_auth.type != auth_key->auth_type) { BFD_ERR ("BFD auth type mismatch, packet auth=%d:%s doesn't match " "in-use auth=%d:%s", with_common->common_auth.type, bfd_auth_type_str (with_common->common_auth.type), auth_key->auth_type, bfd_auth_type_str (auth_key->auth_type)); return 0; } bfd_pkt_with_sha1_auth_t *with_sha1 = (void *) pkt; if (pkt_size < sizeof (*with_sha1) || with_sha1->sha1_auth.type_len.len < sizeof (with_sha1->sha1_auth)) { BFD_ERR ("BFD size mismatch, payload size=%u, expected=%u, auth_len=%u, " "expected=%u", pkt_size, sizeof (*with_sha1), with_sha1->sha1_auth.type_len.len, sizeof (with_sha1->sha1_auth)); return 0; } if (with_sha1->sha1_auth.key_id != bfd_key_id) { BFD_ERR ("BFD key ID mismatch, packet key ID=%u doesn't match key ID=%u%s", with_sha1->sha1_auth.key_id, bfd_key_id, bs-> auth.is_delayed ? " (but a delayed auth change is scheduled)" : ""); return 0; } SHA_CTX ctx; if (!SHA1_Init (&ctx)) { BFD_ERR ("SHA1_Init failed"); return 0; } /* ignore last 20 bytes - use the actual key data instead pkt data */ if (!SHA1_Update (&ctx, with_sha1, sizeof (*with_sha1) - sizeof (with_sha1->sha1_auth.hash))) { BFD_ERR ("SHA1_Update failed"); return 0; } if (!SHA1_Update (&ctx, auth_key->key, sizeof (auth_key->key))) { BFD_ERR ("SHA1_Update failed"); return 0; } if (!SHA1_Final (result, &ctx)) { BFD_ERR ("SHA1_Final failed"); return 0; } if (0 == memcmp (result, with_sha1->sha1_auth.hash, SHA_DIGEST_LENGTH)) { return 1; } BFD_ERR ("SHA1 hash: %U doesn't match the expected value: %U", format_hex_bytes, with_sha1->sha1_auth.hash, SHA_DIGEST_LENGTH, format_hex_bytes, result, SHA_DIGEST_LENGTH); return 0; } static int bfd_verify_pkt_auth_key (const bfd_pkt_t * pkt, u32 pkt_size, bfd_session_t * bs, u8 bfd_key_id, bfd_auth_key_t * auth_key) { bfd_main_t *bm = &bfd_main; switch (auth_key->auth_type) { case BFD_AUTH_TYPE_reserved: vlib_log_err (bm->log_class, "internal error, unexpected auth_type=%d:%s", auth_key->auth_type, bfd_auth_type_str (auth_key->auth_type)); return 0; case BFD_AUTH_TYPE_simple_password: vlib_log_err (bm->log_class, "internal error, not implemented, unexpected auth_type=%d:%s", auth_key->auth_type, bfd_auth_type_str (auth_key->auth_type)); return 0; case BFD_AUTH_TYPE_keyed_md5: /* fallthrough */ case BFD_AUTH_TYPE_meticulous_keyed_md5: vlib_log_err (bm->log_class, "internal error, not implemented, unexpected auth_type=%d:%s", auth_key->auth_type, bfd_auth_type_str (auth_key->auth_type)); return 0; case BFD_AUTH_TYPE_keyed_sha1: /* fallthrough */ case BFD_AUTH_TYPE_meticulous_keyed_sha1: #if WITH_LIBSSL > 0 do { const u32 seq_num = clib_net_to_host_u32 (((bfd_pkt_with_sha1_auth_t *) pkt)-> sha1_auth.seq_num); return bfd_verify_pkt_auth_seq_num (bs, seq_num, bfd_auth_type_is_meticulous (auth_key->auth_type)) && bfd_verify_pkt_auth_key_sha1 (pkt, pkt_size, bs, bfd_key_id, auth_key); } while (0); #else vlib_log_err (bm->log_class, "internal error, attempt to use SHA1 without SSL support"); return 0; #endif } return 0; } /** * @brief verify bfd packet - authentication * * @param pkt * * @return 1 if bfd packet is valid */ int bfd_verify_pkt_auth (const bfd_pkt_t * pkt, u16 pkt_size, bfd_session_t * bs) { if (bfd_pkt_get_auth_present (pkt)) { /* authentication present in packet */ if (!bs->auth.curr_key) { /* currently not using authentication - can we turn it on? */ if (bs->auth.is_delayed && bs->auth.next_key) { /* yes, switch is scheduled - make sure the auth is valid */ if (bfd_verify_pkt_auth_key (pkt, pkt_size, bs, bs->auth.next_bfd_key_id, bs->auth.next_key)) { /* auth matches next key, do the switch, packet is valid */ bfd_session_switch_auth_to_next (bs); return 1; } } } else { /* yes, using authentication, verify the key */ if (bfd_verify_pkt_auth_key (pkt, pkt_size, bs, bs->auth.curr_bfd_key_id, bs->auth.curr_key)) { /* verification passed, packet is valid */ return 1; } else { /* verification failed - but maybe we need to switch key */ if (bs->auth.is_delayed && bs->auth.next_key) { /* delayed switch present, verify if that key works */ if (bfd_verify_pkt_auth_key (pkt, pkt_size, bs, bs->auth.next_bfd_key_id, bs->auth.next_key)) { /* auth matches next key, switch key, packet is valid */ bfd_session_switch_auth_to_next (bs); return 1; } } } } } else { /* authentication in packet not present */ if (pkt_size > sizeof (*pkt)) { BFD_ERR ("BFD verification failed - unexpected packet size '%d' " "(auth not present)", pkt_size); return 0; } if (bs->auth.curr_key) { /* currently authenticating - could we turn it off? */ if (bs->auth.is_delayed && !bs->auth.next_key) { /* yes, delayed switch to NULL key is scheduled */ bfd_session_switch_auth_to_next (bs); return 1; } } else { /* no auth in packet, no auth in use - packet is valid */ return 1; } } return 0; } void bfd_consume_pkt (bfd_main_t * bm, const bfd_pkt_t * pkt, u32 bs_idx) { bfd_lock_check (bm); bfd_session_t *bs = bfd_find_session_by_idx (bm, bs_idx); if (!bs || (pkt->your_disc && pkt->your_disc != bs->local_discr)) { return; } BFD_DBG ("Scanning bfd packet, bs_idx=%d", bs->bs_idx); bs->remote_discr = pkt->my_disc; bs->remote_state = bfd_pkt_get_state (pkt); bs->remote_demand = bfd_pkt_get_demand (pkt); bs->remote_diag = bfd_pkt_get_diag_code (pkt); u64 now = clib_cpu_time_now (); bs->last_rx_clocks = now; if (bfd_pkt_get_auth_present (pkt)) { bfd_auth_type_e auth_type = ((bfd_pkt_with_common_auth_t *) (pkt))->common_auth.type; switch (auth_type) { case BFD_AUTH_TYPE_reserved: /* fallthrough */ case BFD_AUTH_TYPE_simple_password: /* fallthrough */ case BFD_AUTH_TYPE_keyed_md5: /* fallthrough */ case BFD_AUTH_TYPE_meticulous_keyed_md5: vlib_log_crit (bm->log_class, "internal error, unexpected auth_type=%d:%s", auth_type, bfd_auth_type_str (auth_type)); break; case BFD_AUTH_TYPE_keyed_sha1: /* fallthrough */ case BFD_AUTH_TYPE_meticulous_keyed_sha1: do { bfd_pkt_with_sha1_auth_t *with_sha1 = (bfd_pkt_with_sha1_auth_t *) pkt; bs->auth.remote_seq_number = clib_net_to_host_u32 (with_sha1->sha1_auth.seq_num); bs->auth.remote_seq_number_known = 1; BFD_DBG ("Received sequence number %u", bs->auth.remote_seq_number); } while (0); } } bs->remote_desired_min_tx_clocks = bfd_usec_to_clocks (bm, clib_net_to_host_u32 (pkt->des_min_tx)); bs->remote_detect_mult = pkt->head.detect_mult; bfd_set_remote_required_min_rx (bm, bs, now, clib_net_to_host_u32 (pkt->req_min_rx)); bfd_set_remote_required_min_echo_rx (bm, bs, now, clib_net_to_host_u32 (pkt->req_min_echo_rx)); if (bfd_pkt_get_final (pkt)) { if (BFD_POLL_IN_PROGRESS == bs->poll_state) { BFD_DBG ("Poll sequence terminated, bs_idx=%u", bs->bs_idx); bfd_set_poll_state (bs, BFD_POLL_NOT_NEEDED); if (BFD_STATE_up == bs->local_state) { bfd_set_effective_required_min_rx (bm, bs, clib_max (bs->echo * bm->min_required_min_rx_while_echo_clocks, bs->config_required_min_rx_clocks)); } } else if (BFD_POLL_IN_PROGRESS_AND_QUEUED == bs->poll_state) { /* * next poll sequence must be delayed by at least the round trip * time, so calculate that here */ BFD_DBG ("Next poll sequence can commence in " BFD_CLK_FMT, BFD_CLK_PRN (now - bs->poll_state_start_or_timeout_clocks)); bs->poll_state_start_or_timeout_clocks = now + (now - bs->poll_state_start_or_timeout_clocks); BFD_DBG ("Poll sequence terminated, but another is needed, bs_idx=%u", bs->bs_idx); bfd_set_poll_state (bs, BFD_POLL_NEEDED); } } bfd_calc_next_tx (bm, bs, now); bfd_set_timer (bm, bs, now, 0); if (BFD_STATE_admin_down == bs->local_state) { BFD_DBG ("Session is admin-down, ignoring packet, bs_idx=%u", bs->bs_idx); return; } if (BFD_STATE_admin_down == bs->remote_state) { bfd_set_diag (bs, BFD_DIAG_CODE_neighbor_sig_down); bfd_set_state (bm, bs, BFD_STATE_down, 0); } else if (BFD_STATE_down == bs->local_state) { if (BFD_STATE_down == bs->remote_state) { bfd_set_diag (bs, BFD_DIAG_CODE_no_diag); bfd_set_state (bm, bs, BFD_STATE_init, 0); } else if (BFD_STATE_init == bs->remote_state) { bfd_set_diag (bs, BFD_DIAG_CODE_no_diag); bfd_set_state (bm, bs, BFD_STATE_up, 0); } } else if (BFD_STATE_init == bs->local_state) { if (BFD_STATE_up == bs->remote_state || BFD_STATE_init == bs->remote_state) { bfd_set_diag (bs, BFD_DIAG_CODE_no_diag); bfd_set_state (bm, bs, BFD_STATE_up, 0); } } else /* BFD_STATE_up == bs->local_state */ { if (BFD_STATE_down == bs->remote_state) { bfd_set_diag (bs, BFD_DIAG_CODE_neighbor_sig_down); bfd_set_state (bm, bs, BFD_STATE_down, 0); } } } int bfd_consume_echo_pkt (bfd_main_t * bm, vlib_buffer_t * b) { bfd_echo_pkt_t *pkt = NULL; if (b->current_length != sizeof (*pkt)) { return 0; } pkt = vlib_buffer_get_current (b); bfd_session_t *bs = bfd_find_session_by_disc (bm, pkt->discriminator); if (!bs) { return 0; } BFD_DBG ("Scanning bfd echo packet, bs_idx=%d", bs->bs_idx); u64 checksum = bfd_calc_echo_checksum (bs->local_discr, pkt->expire_time_clocks, bs->echo_secret); if (checksum != pkt->checksum) { BFD_DBG ("Invalid echo packet, checksum mismatch"); return 1; } u64 now = clib_cpu_time_now (); if (pkt->expire_time_clocks < now) { BFD_DBG ("Stale packet received, expire time %lu < now %lu", pkt->expire_time_clocks, now); } else { bs->echo_last_rx_clocks = now; } return 1; } u8 * format_bfd_session (u8 * s, va_list * args) { const bfd_session_t *bs = va_arg (*args, bfd_session_t *); u32 indent = format_get_indent (s) + vlib_log_get_indent (); s = format (s, "bs_idx=%u local-state=%s remote-state=%s\n" "%Ulocal-discriminator=%u remote-discriminator=%u\n" "%Ulocal-diag=%s echo-active=%s\n" "%Udesired-min-tx=%u required-min-rx=%u\n" "%Urequired-min-echo-rx=%u detect-mult=%u\n" "%Uremote-min-rx=%u remote-min-echo-rx=%u\n" "%Uremote-demand=%s poll-state=%s\n" "%Uauth: local-seq-num=%u remote-seq-num=%u\n" "%U is-delayed=%s\n" "%U curr-key=%U\n" "%U next-key=%U", bs->bs_idx, bfd_state_string (bs->local_state), bfd_state_string (bs->remote_state), format_white_space, indent, bs->local_discr, bs->remote_discr, format_white_space, indent, bfd_diag_code_string (bs->local_diag), (bs->echo ? "yes" : "no"), format_white_space, indent, bs->config_desired_min_tx_usec, bs->config_required_min_rx_usec, format_white_space, indent, 1, bs->local_detect_mult, format_white_space, indent, bs->remote_min_rx_usec, bs->remote_min_echo_rx_usec, format_white_space, indent, (bs->remote_demand ? "yes" : "no"), bfd_poll_state_string (bs->poll_state), format_white_space, indent, bs->auth.local_seq_number, bs->auth.remote_seq_number, format_white_space, indent, (bs->auth.is_delayed ? "yes" : "no"), format_white_space, indent, format_bfd_auth_key, bs->auth.curr_key, format_white_space, indent, format_bfd_auth_key, bs->auth.next_key); return s; } u8 * format_bfd_session_brief (u8 * s, va_list * args) { const bfd_session_t *bs = va_arg (*args, bfd_session_t *); s = format (s, "bs_idx=%u local-state=%s remote-state=%s", bs->bs_idx, bfd_state_string (bs->local_state), bfd_state_string (bs->remote_state)); return s; } unsigned bfd_auth_type_supported (bfd_auth_type_e auth_type) { if (auth_type == BFD_AUTH_TYPE_keyed_sha1 || auth_type == BFD_AUTH_TYPE_meticulous_keyed_sha1) { return 1; } return 0; } vnet_api_error_t bfd_auth_activate (bfd_session_t * bs, u32 conf_key_id, u8 bfd_key_id, u8 is_delayed) { bfd_main_t *bm = &bfd_main; const uword *key_idx_p = hash_get (bm->auth_key_by_conf_key_id, conf_key_id); if (!key_idx_p) { vlib_log_err (bm->log_class, "authentication key with config ID %u doesn't exist)", conf_key_id); return VNET_API_ERROR_BFD_ENOENT; } const uword key_idx = *key_idx_p; bfd_auth_key_t *key = pool_elt_at_index (bm->auth_keys, key_idx); if (is_delayed) { if (bs->auth.next_key == key) { /* already using this key, no changes required */ return 0; } bs->auth.next_key = key; bs->auth.next_bfd_key_id = bfd_key_id; bs->auth.is_delayed = 1; } else { if (bs->auth.curr_key == key) { /* already using this key, no changes required */ return 0; } if (bs->auth.curr_key) { --bs->auth.curr_key->use_count; } bs->auth.curr_key = key; bs->auth.curr_bfd_key_id = bfd_key_id; bs->auth.is_delayed = 0; } ++key->use_count; BFD_DBG ("\nSession auth modified: %U", format_bfd_session, bs); vlib_log_info (bm->log_class, "session auth modified: %U", format_bfd_session_brief, bs); return 0; } vnet_api_error_t bfd_auth_deactivate (bfd_session_t * bs, u8 is_delayed) { bfd_main_t *bm = &bfd_main; #if WITH_LIBSSL > 0 if (!is_delayed) { /* not delayed - deactivate the current key right now */ if (bs->auth.curr_key) { --bs->auth.curr_key->use_count; bs->auth.curr_key = NULL; } bs->auth.is_delayed = 0; } else { /* delayed - mark as so */ bs->auth.is_delayed = 1; } /* * clear the next key unconditionally - either the auth change is not delayed * in which case the caller expects the session to not use authentication * from this point forward, or it is delayed, in which case the next_key * needs to be set to NULL to make it so in the future */ if (bs->auth.next_key) { --bs->auth.next_key->use_count; bs->auth.next_key = NULL; } BFD_DBG ("\nSession auth modified: %U", format_bfd_session, bs); vlib_log_info (bm->log_class, "session auth modified: %U", format_bfd_session_brief, bs); return 0; #else vlib_log_err (bm->log_class, "SSL missing, cannot deactivate BFD authentication"); return VNET_API_ERROR_BFD_NOTSUPP; #endif } vnet_api_error_t bfd_session_set_params (bfd_main_t * bm, bfd_session_t * bs, u32 desired_min_tx_usec, u32 required_min_rx_usec, u8 detect_mult) { if (bs->local_detect_mult != detect_mult || bs->config_desired_min_tx_usec != desired_min_tx_usec || bs->config_required_min_rx_usec != required_min_rx_usec) { BFD_DBG ("\nChanging session params: %U", format_bfd_session, bs); switch (bs->poll_state) { case BFD_POLL_NOT_NEEDED: if (BFD_STATE_up == bs->local_state || BFD_STATE_init == bs->local_state) { /* poll sequence is not needed for detect multiplier change */ if (bs->config_desired_min_tx_usec != desired_min_tx_usec || bs->config_required_min_rx_usec != required_min_rx_usec) { bfd_set_poll_state (bs, BFD_POLL_NEEDED); } } break; case BFD_POLL_NEEDED: case BFD_POLL_IN_PROGRESS_AND_QUEUED: /* * nothing to do - will be handled in the future poll which is * already scheduled for execution */ break; case BFD_POLL_IN_PROGRESS: /* poll sequence is not needed for detect multiplier change */ if (bs->config_desired_min_tx_usec != desired_min_tx_usec || bs->config_required_min_rx_usec != required_min_rx_usec) { BFD_DBG ("Poll in progress, queueing extra poll, bs_idx=%u", bs->bs_idx); bfd_set_poll_state (bs, BFD_POLL_IN_PROGRESS_AND_QUEUED); } } bs->local_detect_mult = detect_mult; bs->config_desired_min_tx_usec = desired_min_tx_usec; bs->config_desired_min_tx_clocks = bfd_usec_to_clocks (bm, desired_min_tx_usec); bs->config_required_min_rx_usec = required_min_rx_usec; bs->config_required_min_rx_clocks = bfd_usec_to_clocks (bm, required_min_rx_usec); BFD_DBG ("\nChanged session params: %U", format_bfd_session, bs); vlib_log_info (bm->log_class, "changed session params: %U", format_bfd_session_brief, bs); vlib_process_signal_event (bm->vlib_main, bm->bfd_process_node_index, BFD_EVENT_CONFIG_CHANGED, bs->bs_idx); } else { BFD_DBG ("Ignore parameter change - no change, bs_idx=%u", bs->bs_idx); } return 0; } vnet_api_error_t bfd_auth_set_key (u32 conf_key_id, u8 auth_type, u8 key_len, const u8 * key_data) { bfd_main_t *bm = &bfd_main; #if WITH_LIBSSL > 0 bfd_auth_key_t *auth_key = NULL; if (!key_len || key_len > bfd_max_key_len_for_auth_type (auth_type)) { vlib_log_err (bm->log_class, "invalid authentication key length for auth_type=%d:%s " "(key_len=%u, must be non-zero, expected max=%u)", auth_type, bfd_auth_type_str (auth_type), key_len, (u32) bfd_max_key_len_for_auth_type (auth_type)); return VNET_API_ERROR_INVALID_VALUE; } if (!bfd_auth_type_supported (auth_type)) { vlib_log_err (bm->log_class, "unsupported auth type=%d:%s", auth_type, bfd_auth_type_str (auth_type)); return VNET_API_ERROR_BFD_NOTSUPP; } uword *key_idx_p = hash_get (bm->auth_key_by_conf_key_id, conf_key_id); if (key_idx_p) { /* modifying existing key - must not be used */ const uword key_idx = *key_idx_p; auth_key = pool_elt_at_index (bm->auth_keys, key_idx); if (auth_key->use_count > 0) { vlib_log_err (bm->log_class, "authentication key with conf ID %u in use by %u BFD " "session(s) - cannot modify", conf_key_id, auth_key->use_count); return VNET_API_ERROR_BFD_EINUSE; } } else { /* adding new key */ pool_get (bm->auth_keys, auth_key); auth_key->conf_key_id = conf_key_id; hash_set (bm->auth_key_by_conf_key_id, conf_key_id, auth_key - bm->auth_keys); } auth_key->auth_type = auth_type; clib_memset (auth_key->key, 0, sizeof (auth_key->key)); clib_memcpy (auth_key->key, key_data, key_len); return 0; #else vlib_log_err (bm->log_class, "SSL missing, cannot manipulate authentication keys"); return VNET_API_ERROR_BFD_NOTSUPP; #endif } vnet_api_error_t bfd_auth_del_key (u32 conf_key_id) { #if WITH_LIBSSL > 0 bfd_auth_key_t *auth_key = NULL; bfd_main_t *bm = &bfd_main; uword *key_idx_p = hash_get (bm->auth_key_by_conf_key_id, conf_key_id); if (key_idx_p) { /* deleting existing key - must not be used */ const uword key_idx = *key_idx_p; auth_key = pool_elt_at_index (bm->auth_keys, key_idx); if (auth_key->use_count > 0) { vlib_log_err (bm->log_class, "authentication key with conf ID %u in use by %u BFD " "session(s) - cannot delete", conf_key_id, auth_key->use_count); return VNET_API_ERROR_BFD_EINUSE; } hash_unset (bm->auth_key_by_conf_key_id, conf_key_id); clib_memset (auth_key, 0, sizeof (*auth_key)); pool_put (bm->auth_keys, auth_key); } else { /* no such key */ vlib_log_err (bm->log_class, "authentication key with conf ID %u does not exist", conf_key_id); return VNET_API_ERROR_BFD_ENOENT; } return 0; #else vlib_log_err (bm->log_class, "SSL missing, cannot manipulate authentication keys"); return VNET_API_ERROR_BFD_NOTSUPP; #endif } bfd_main_t bfd_main; /* * fd.io coding-style-patch-verification: ON * * Local Variables: * eval: (c-set-style "gnu") * End: */