ligang/vpp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ikev2: uptime

Browse Source 
Introduced SA and child SA uptime.

Type: improvement

Change-Id: I28cf9f90d35ebe035a31ed0a985a5e462c8536a8
Signed-off-by: Denys Haryachyy <garyachy@gmail.com>
This commit is contained in:
Denys Haryachyy
2024-02-20 09:59:55 +02:00
committed by Beno�t Ganne
parent bbee45c80b
commit 07b2274073
7 changed files with 433 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
src/plugins/ikev2/ikev2.api
View File

@ -72,8 +72,6 @@ define ikev2_sa_dump
{
u32 client_index;
u32 context;
option status = "in_progress";
};
/** \brief Dump all SAs
@ -86,6 +84,17 @@ define ikev2_sa_v2_dump
u32 context;
};
/** \brief Dump all SAs
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
*/
define ikev2_sa_v3_dump
{
u32 client_index;
u32 context;
option status = "in_progress";
};
/** \brief Details about IKE SA
@param context - sender context, to match reply w/ request
@param retval - return code
@ -97,7 +106,6 @@ define ikev2_sa_details
i32 retval;
vl_api_ikev2_sa_t sa;
option status = "in_progress";
};
/** \brief Details about IKE SA
@ -113,6 +121,20 @@ define ikev2_sa_v2_details
vl_api_ikev2_sa_v2_t sa;
};
/** \brief Details about IKE SA
@param context - sender context, to match reply w/ request
@param retval - return code
@param sa - SA data
*/
define ikev2_sa_v3_details
{
u32 context;
i32 retval;
vl_api_ikev2_sa_v3_t sa;
option status = "in_progress";
};
/** \brief Dump child SA of specific SA
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
@ -123,6 +145,33 @@ define ikev2_child_sa_dump
u32 client_index;
u32 context;
u32 sa_index;
option vat_help = "sa_index <index>";
};
/** \brief Child SA details
@param context - sender context, to match reply w/ request
@param retval - return code
@param child_sa - child SA data
*/
define ikev2_child_sa_details
{
u32 context;
i32 retval;
vl_api_ikev2_child_sa_t child_sa;
};
/** \brief Dump child SA of specific SA
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
@param sa_index - index of specific sa
*/
define ikev2_child_sa_v2_dump
{
u32 client_index;
u32 context;
u32 sa_index;
option vat_help = "sa_index <index>";
option status = "in_progress";
@ -133,12 +182,12 @@ define ikev2_child_sa_dump
@param retval - return code
@param child_sa - child SA data
*/
define ikev2_child_sa_details
define ikev2_child_sa_v2_details
{
u32 context;
i32 retval;
vl_api_ikev2_child_sa_t child_sa;
vl_api_ikev2_child_sa_v2_t child_sa;
option status = "in_progress";
};

12
src/plugins/ikev2/ikev2.c
View File

@ -1888,7 +1888,7 @@ ikev2_sa_match_ts (ikev2_sa_t * sa)
}
static ikev2_profile_t *
ikev2_select_profile (ikev2_main_t *km, ikev2_sa_t *sa,
ikev2_select_profile (vlib_main_t *vm, ikev2_main_t *km, ikev2_sa_t *sa,
ikev2_sa_transform_t *tr_prf, u8 *key_pad)
{
ikev2_profile_t *ret = 0, *p;
@ -1928,6 +1928,7 @@ ikev2_select_profile (ikev2_main_t *km, ikev2_sa_t *sa,
if (!clib_memcmp (auth, sa_auth->data, vec_len (sa_auth->data)))
{
ikev2_set_state (sa, IKEV2_STATE_AUTHENTICATED);
sa->auth_timestamp = vlib_time_now (vm);
vec_free (auth);
ret = p;
break;
@ -1946,6 +1947,7 @@ ikev2_select_profile (ikev2_main_t *km, ikev2_sa_t *sa,
if (ikev2_verify_sign (p->auth.key, sa_auth->data, authmsg) == 1)
{
ikev2_set_state (sa, IKEV2_STATE_AUTHENTICATED);
sa->auth_timestamp = vlib_time_now (vm);
ret = p;
break;
}
@ -1961,7 +1963,7 @@ ikev2_select_profile (ikev2_main_t *km, ikev2_sa_t *sa,
}
static void
ikev2_sa_auth (ikev2_sa_t *sa)
ikev2_sa_auth (ikev2_sa_t *sa, vlib_main_t *vm)
{
ikev2_main_t *km = &ikev2_main;
ikev2_profile_t *sel_p = 0;
@ -1982,7 +1984,7 @@ ikev2_sa_auth (ikev2_sa_t *sa)
}
key_pad = format (0, "%s", IKEV2_KEY_PAD);
sel_p = ikev2_select_profile (km, sa, tr_prf, key_pad);
sel_p = ikev2_select_profile (vm, km, sa, tr_prf, key_pad);
if (sel_p)
{
@ -2230,6 +2232,8 @@ ikev2_create_tunnel_interface (vlib_main_t *vm, ikev2_sa_t *sa,
clib_memset (&a, 0, sizeof (a));
child->timestamp = vlib_time_now (vm);
if (!child->r_proposals)
{
ikev2_set_state (sa, IKEV2_STATE_NO_PROPOSAL_CHOSEN);
@ -3424,7 +3428,7 @@ ikev2_node_internal (vlib_main_t *vm, vlib_node_runtime_t *node,
sa0->dst_port = clib_net_to_host_u16 (udp0->src_port);
res = ikev2_process_auth_req (vm, sa0, ike0, rlen);
if (res)
ikev2_sa_auth (sa0);
ikev2_sa_auth (sa0, vm);
else
vlib_node_increment_counter (vm, node->node_index,
IKEV2_ERROR_MALFORMED_PACKET, 1);

173
src/plugins/ikev2/ikev2_api.c
View File

@ -404,6 +404,100 @@ vl_api_ikev2_sa_v2_dump_t_handler (vl_api_ikev2_sa_v2_dump_t *mp)
}
}
static void
send_sa_v3 (ikev2_sa_t *sa, vl_api_ikev2_sa_v3_dump_t *mp, u32 api_sa_index)
{
ikev2_main_t *km = &ikev2_main;
vl_api_ikev2_sa_v3_details_t *rmp = 0;
int rv = 0;
ikev2_sa_transform_t *tr;
ikev2_profile_t *p;
p = pool_elt_at_index (km->profiles, sa->profile_index);
vlib_main_t *vm = vlib_get_main ();
REPLY_MACRO2_ZERO (VL_API_IKEV2_SA_V3_DETAILS, {
vl_api_ikev2_sa_v3_t *rsa = &rmp->sa;
vl_api_ikev2_keys_t *k = &rsa->keys;
int size_data = sizeof (rsa->profile_name) - 1;
if (vec_len (p->name) < size_data)
size_data = vec_len (p->name);
clib_memcpy (rsa->profile_name, p->name, size_data);
rsa->state = ikev2_state_encode (sa->state);
rsa->uptime = vlib_time_now (vm) - sa->auth_timestamp;
rsa->sa_index = api_sa_index;
ip_address_encode2 (&sa->iaddr, &rsa->iaddr);
ip_address_encode2 (&sa->raddr, &rsa->raddr);
rsa->ispi = sa->ispi;
rsa->rspi = sa->rspi;
cp_id (&rsa->i_id, &sa->i_id);
cp_id (&rsa->r_id, &sa->r_id);
tr = ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR);
if (tr)
cp_sa_transform (&rsa->encryption, tr);
tr = ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF);
if (tr)
cp_sa_transform (&rsa->prf, tr);
tr =
ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG);
if (tr)
cp_sa_transform (&rsa->integrity, tr);
tr = ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_DH);
if (tr)
cp_sa_transform (&rsa->dh, tr);
k->sk_d_len = vec_len (sa->sk_d);
clib_memcpy (&k->sk_d, sa->sk_d, k->sk_d_len);
k->sk_ai_len = vec_len (sa->sk_ai);
clib_memcpy (&k->sk_ai, sa->sk_ai, k->sk_ai_len);
k->sk_ar_len = vec_len (sa->sk_ar);
clib_memcpy (&k->sk_ar, sa->sk_ar, k->sk_ar_len);
k->sk_ei_len = vec_len (sa->sk_ei);
clib_memcpy (&k->sk_ei, sa->sk_ei, k->sk_ei_len);
k->sk_er_len = vec_len (sa->sk_er);
clib_memcpy (&k->sk_er, sa->sk_er, k->sk_er_len);
k->sk_pi_len = vec_len (sa->sk_pi);
clib_memcpy (&k->sk_pi, sa->sk_pi, k->sk_pi_len);
k->sk_pr_len = vec_len (sa->sk_pr);
clib_memcpy (&k->sk_pr, sa->sk_pr, k->sk_pr_len);
ikev2_copy_stats (&rsa->stats, &sa->stats);
vl_api_ikev2_sa_v3_t_endian (rsa);
});
}
static void
vl_api_ikev2_sa_v3_dump_t_handler (vl_api_ikev2_sa_v3_dump_t *mp)
{
ikev2_main_t *km = &ikev2_main;
ikev2_main_per_thread_data_t *tkm;
ikev2_sa_t *sa;
vec_foreach (tkm, km->per_thread_data)
{
pool_foreach (sa, tkm->sas)
{
u32 api_sa_index =
ikev2_encode_sa_index (sa - tkm->sas, tkm - km->per_thread_data);
send_sa_v3 (sa, mp, api_sa_index);
}
}
}
static void
send_child_sa (ikev2_child_sa_t * child,
vl_api_ikev2_child_sa_dump_t * mp, u32 child_sa_index,
@ -487,6 +581,85 @@ vl_api_ikev2_child_sa_dump_t_handler (vl_api_ikev2_child_sa_dump_t * mp)
}
}
static void
send_child_sa_v2 (ikev2_child_sa_t *child, vl_api_ikev2_child_sa_v2_dump_t *mp,
u32 child_sa_index, u32 sa_index)
{
vl_api_ikev2_child_sa_v2_details_t *rmp = 0;
int rv = 0;
ikev2_sa_transform_t *tr;
vlib_main_t *vm = vlib_get_main ();
REPLY_MACRO2_ZERO (VL_API_IKEV2_CHILD_SA_V2_DETAILS, {
vl_api_ikev2_keys_t *k = &rmp->child_sa.keys;
rmp->child_sa.child_sa_index = child_sa_index;
rmp->child_sa.uptime = vlib_time_now (vm) - child->timestamp;
rmp->child_sa.sa_index = sa_index;
rmp->child_sa.i_spi = child->i_proposals ? child->i_proposals[0].spi : 0;
rmp->child_sa.r_spi = child->r_proposals ? child->r_proposals[0].spi : 0;
tr =
ikev2_sa_get_td_for_type (child->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR);
if (tr)
cp_sa_transform (&rmp->child_sa.encryption, tr);
tr = ikev2_sa_get_td_for_type (child->r_proposals,
IKEV2_TRANSFORM_TYPE_INTEG);
if (tr)
cp_sa_transform (&rmp->child_sa.integrity, tr);
tr =
ikev2_sa_get_td_for_type (child->r_proposals, IKEV2_TRANSFORM_TYPE_ESN);
if (tr)
cp_sa_transform (&rmp->child_sa.esn, tr);
k->sk_ei_len = vec_len (child->sk_ei);
clib_memcpy (&k->sk_ei, child->sk_ei, k->sk_ei_len);
k->sk_er_len = vec_len (child->sk_er);
clib_memcpy (&k->sk_er, child->sk_er, k->sk_er_len);
if (vec_len (child->sk_ai))
{
k->sk_ai_len = vec_len (child->sk_ai);
clib_memcpy (&k->sk_ai, child->sk_ai, k->sk_ai_len);
k->sk_ar_len = vec_len (child->sk_ar);
clib_memcpy (&k->sk_ar, child->sk_ar, k->sk_ar_len);
}
vl_api_ikev2_child_sa_v2_t_endian (&rmp->child_sa);
});
}
static void
vl_api_ikev2_child_sa_v2_dump_t_handler (vl_api_ikev2_child_sa_v2_dump_t *mp)
{
ikev2_main_t *im = &ikev2_main;
ikev2_main_per_thread_data_t *tkm;
ikev2_sa_t *sa;
ikev2_child_sa_t *child;
u32 sai = ~0, ti = ~0;
ikev2_decode_sa_index (clib_net_to_host_u32 (mp->sa_index), &sai, &ti);
if (vec_len (im->per_thread_data) <= ti)
return;
tkm = vec_elt_at_index (im->per_thread_data, ti);
if (pool_len (tkm->sas) <= sai || pool_is_free_index (tkm->sas, sai))
return;
sa = pool_elt_at_index (tkm->sas, sai);
vec_foreach (child, sa->childs)
{
u32 child_sa_index = child - sa->childs;
send_child_sa_v2 (child, mp, child_sa_index, sai);
}
}
static void
vl_api_ikev2_traffic_selector_dump_t_handler
(vl_api_ikev2_traffic_selector_dump_t * mp)

8
src/plugins/ikev2/ikev2_cli.c
View File

@ -74,12 +74,16 @@ format_ikev2_child_sa (u8 * s, va_list * va)
ikev2_ts_t *ts;
ikev2_sa_transform_t *tr;
u8 *c = 0;
vlib_main_t *vm = vlib_get_main ();
u32 indent = format_get_indent (s);
indent += 1;
s = format (s, "child sa %u:", index);
s = format (s, "\n uptime: %f (s)\n ",
vlib_time_now (vm) - child->timestamp);
tr = ikev2_sa_get_td_for_type (child->r_proposals,
IKEV2_TRANSFORM_TYPE_ENCR);
c = format (c, "%U ", format_ikev2_sa_transform, tr);
@ -135,6 +139,7 @@ format_ikev2_sa (u8 * s, va_list * va)
ikev2_sa_transform_t *tr;
ikev2_child_sa_t *child;
u32 indent = 1;
vlib_main_t *vm = vlib_get_main ();
ikev2_main_t *km = &ikev2_main;
ikev2_profile_t *p;
@ -168,6 +173,9 @@ format_ikev2_sa (u8 * s, va_list * va)
s = format (s, "\n state: %s", stateNames[sa->state]);
}
s =
format (s, "\n uptime: %f (s)\n", vlib_time_now (vm) - sa->auth_timestamp);
s = format (s, "\n%U", format_white_space, indent);
s = format (s, "nonce i:%U\n%Ur:%U\n",

4
src/plugins/ikev2/ikev2_priv.h
View File

@ -307,6 +307,8 @@ typedef struct
f64 time_to_expiration;
u8 is_expired;
i8 rekey_retries;
f64 timestamp;
} ikev2_child_sa_t;
typedef struct
@ -488,6 +490,8 @@ typedef struct
u8 keys_generated;
ikev2_stats_t stats;
f64 auth_timestamp;
} ikev2_sa_t;

147
src/plugins/ikev2/ikev2_test.c
View File

@ -496,6 +496,76 @@ vl_api_ikev2_sa_v2_details_t_handler (vl_api_ikev2_sa_v2_details_t *mp)
vam->result_ready = 1;
}
static int
api_ikev2_sa_v3_dump (vat_main_t *vam)
{
ikev2_test_main_t *im = &ikev2_test_main;
vl_api_ikev2_sa_v3_dump_t *mp;
vl_api_control_ping_t *mp_ping;
int ret;
/* Construct the API message */
M (IKEV2_SA_V3_DUMP, mp);
/* send it... */
S (mp);
/* Use a control ping for synchronization */
if (!im->ping_id)
im->ping_id = vl_msg_api_get_msg_index ((u8 *) (VL_API_CONTROL_PING_CRC));
mp_ping = vl_msg_api_alloc_as_if_client (sizeof (*mp_ping));
mp_ping->_vl_msg_id = htons (im->ping_id);
mp_ping->client_index = vam->my_client_index;
vam->result_ready = 0;
S (mp_ping);
/* Wait for a reply... */
W (ret);
return ret;
}
static void
vl_api_ikev2_sa_v3_details_t_handler (vl_api_ikev2_sa_v3_details_t *mp)
{
vat_main_t *vam = ikev2_test_main.vat_main;
vl_api_ikev2_sa_v3_t *sa = &mp->sa;
ip_address_t iaddr;
ip_address_t raddr;
vl_api_ikev2_keys_t *k = &sa->keys;
vl_api_ikev2_sa_v3_t_endian (sa);
ip_address_decode2 (&sa->iaddr, &iaddr);
ip_address_decode2 (&sa->raddr, &raddr);
fformat (vam->ofp, "profile name %s sa index: %d\n", mp->sa.profile_name,
mp->sa.sa_index);
fformat (vam->ofp, " iip %U ispi %lx rip %U rspi %lx\n", format_ip_address,
&iaddr, sa->ispi, format_ip_address, &raddr, sa->rspi);
fformat (vam->ofp, " %U ", format_ikev2_sa_transform, &sa->encryption);
fformat (vam->ofp, "%U ", format_ikev2_sa_transform, &sa->prf);
fformat (vam->ofp, "%U ", format_ikev2_sa_transform, &sa->integrity);
fformat (vam->ofp, "%U \n", format_ikev2_sa_transform, &sa->dh);
fformat (vam->ofp, " SK_d %U\n", format_hex_bytes, k->sk_d, k->sk_d_len);
fformat (vam->ofp, " SK_a i:%U\n r:%U\n", format_hex_bytes,
k->sk_ai, k->sk_ai_len, format_hex_bytes, k->sk_ar, k->sk_ar_len);
fformat (vam->ofp, " SK_e i:%U\n r:%U\n", format_hex_bytes,
k->sk_ei, k->sk_ei_len, format_hex_bytes, k->sk_er, k->sk_er_len);
fformat (vam->ofp, " SK_p i:%U\n r:%U\n", format_hex_bytes,
k->sk_pi, k->sk_pi_len, format_hex_bytes, k->sk_pr, k->sk_pr_len);
fformat (vam->ofp, " identifier (i) %U\n", format_ikev2_id_type_and_data,
&sa->i_id);
fformat (vam->ofp, " identifier (r) %U\n", format_ikev2_id_type_and_data,
&sa->r_id);
vam->result_ready = 1;
}
static int
api_ikev2_child_sa_dump (vat_main_t * vam)
{
@ -558,6 +628,83 @@ vl_api_ikev2_child_sa_details_t_handler (vl_api_ikev2_child_sa_details_t * mp)
fformat (vam->ofp, "%U ", format_ikev2_sa_transform, &child_sa->integrity);
fformat (vam->ofp, "%U \n", format_ikev2_sa_transform, &child_sa->esn);
fformat (vam->ofp, " spi(i) %lx spi(r) %lx\n", child_sa->i_spi,
child_sa->r_spi);
fformat (vam->ofp, " SK_e i:%U\n r:%U\n", format_hex_bytes,
k->sk_ei, k->sk_ei_len, format_hex_bytes, k->sk_er, k->sk_er_len);
if (k->sk_ai_len)
{
fformat (vam->ofp, " SK_a i:%U\n r:%U\n", format_hex_bytes,
k->sk_ai, k->sk_ai_len, format_hex_bytes, k->sk_ar,
k->sk_ar_len);
}
vam->result_ready = 1;
}
static int
api_ikev2_child_sa_v2_dump (vat_main_t *vam)
{
unformat_input_t *i = vam->input;
ikev2_test_main_t *im = &ikev2_test_main;
vl_api_ikev2_child_sa_dump_t *mp;
vl_api_control_ping_t *mp_ping;
int ret;
u32 sa_index = ~0;
while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
{
if (unformat (i, "sa_index %d", &sa_index))
;
else
{
errmsg ("parse error '%U'", format_unformat_error, i);
return -99;
}
}
if (sa_index == ~0)
return -99;
/* Construct the API message */
M (IKEV2_CHILD_SA_DUMP, mp);
mp->sa_index = clib_net_to_host_u32 (sa_index);
/* send it... */
S (mp);
/* Use a control ping for synchronization */
if (!im->ping_id)
im->ping_id = vl_msg_api_get_msg_index ((u8 *) (VL_API_CONTROL_PING_CRC));
mp_ping = vl_msg_api_alloc_as_if_client (sizeof (*mp_ping));
mp_ping->_vl_msg_id = htons (im->ping_id);
mp_ping->client_index = vam->my_client_index;
vam->result_ready = 0;
S (mp_ping);
/* Wait for a reply... */
W (ret);
return ret;
}
static void
vl_api_ikev2_child_sa_v2_details_t_handler (
vl_api_ikev2_child_sa_details_t *mp)
{
vat_main_t *vam = ikev2_test_main.vat_main;
vl_api_ikev2_child_sa_t *child_sa = &mp->child_sa;
vl_api_ikev2_keys_t *k = &child_sa->keys;
vl_api_ikev2_child_sa_t_endian (child_sa);
fformat (vam->ofp, " child sa %u:\n", child_sa->child_sa_index);
fformat (vam->ofp, " %U ", format_ikev2_sa_transform,
&child_sa->encryption);
fformat (vam->ofp, "%U ", format_ikev2_sa_transform, &child_sa->integrity);
fformat (vam->ofp, "%U \n", format_ikev2_sa_transform, &child_sa->esn);
fformat (vam->ofp, " spi(i) %lx spi(r) %lx\n",
child_sa->i_spi, child_sa->r_spi);

39
src/plugins/ikev2/ikev2_types.api
View File

@ -128,6 +128,19 @@ typedef ikev2_child_sa
vl_api_ikev2_sa_transform_t esn;
};
typedef ikev2_child_sa_v2
{
u32 sa_index;
u32 child_sa_index;
u32 i_spi;
u32 r_spi;
vl_api_ikev2_keys_t keys;
vl_api_ikev2_sa_transform_t encryption;
vl_api_ikev2_sa_transform_t integrity;
vl_api_ikev2_sa_transform_t esn;
f64 uptime;
};
typedef ikev2_sa_stats
{
u16 n_keepalives;
@ -197,4 +210,30 @@ typedef ikev2_sa_v2
vl_api_ikev2_sa_transform_t dh;
vl_api_ikev2_sa_stats_t stats;
};
typedef ikev2_sa_v3
{
u32 sa_index;
string profile_name[64];
vl_api_ikev2_state_t state;
u64 ispi;
u64 rspi;
vl_api_address_t iaddr;
vl_api_address_t raddr;
vl_api_ikev2_keys_t keys;
/* ID */
vl_api_ikev2_id_t i_id;
vl_api_ikev2_id_t r_id;
vl_api_ikev2_sa_transform_t encryption;
vl_api_ikev2_sa_transform_t integrity;
vl_api_ikev2_sa_transform_t prf;
vl_api_ikev2_sa_transform_t dh;
vl_api_ikev2_sa_stats_t stats;
f64 uptime;
};