session: first approximation implementation of tls

It consists of two main parts. First, add an application transport type whereby applications can offer transport to other applications. For instance, a tls app can offer transport services to other applications. And second, a tls transport app that leverages the mbedtls library for tls protocol implementation. Change-Id: I616996c6e6539a9e2368fab8a1ac874d7c5d9838 Signed-off-by: Florin Coras <fcoras@cisco.com>
2018-02-21 12:07:41 -08:00
parent 9e6356962a
commit 371ca50a74
29 changed files with 1777 additions and 181 deletions
@@ -63,7 +63,7 @@ DEB_DEPENDS += debhelper dkms git libtool libapr1-dev dh-systemd
 DEB_DEPENDS += libconfuse-dev git-review exuberant-ctags cscope pkg-config
 DEB_DEPENDS += lcov chrpath autoconf indent clang-format libnuma-dev
 DEB_DEPENDS += python-all python-dev python-virtualenv python-pip libffi6 check
-DEB_DEPENDS += libboost-all-dev libffi-dev python-ply
+DEB_DEPENDS += libboost-all-dev libffi-dev python-ply libmbedtls-dev
 ifeq ($(OS_VERSION_ID),14.04)
 	DEB_DEPENDS += openjdk-8-jdk-headless
 	DEB_DEPENDS += libssl-dev
@@ -86,6 +86,7 @@ RPM_DEPENDS += check check-devel
 RPM_DEPENDS += boost boost-devel
 RPM_DEPENDS += subunit subunit-devel
 RPM_DEPENDS += selinux-policy selinux-policy-devel
+RPM_DEPENDS += mbedtls-devel

 ifeq ($(OS_ID)-$(OS_VERSION_ID),fedora-25)
 	RPM_DEPENDS += openssl-devel
@@ -113,7 +114,7 @@ RPM_SUSE_BUILDTOOLS_DEPS = autoconf automake ccache check-devel chrpath
 RPM_SUSE_BUILDTOOLS_DEPS += clang indent libtool make python-ply

 RPM_SUSE_DEVEL_DEPS = glibc-devel-static java-1_8_0-openjdk-devel libnuma-devel
-RPM_SUSE_DEVEL_DEPS += libopenssl-devel openssl-devel
+RPM_SUSE_DEVEL_DEPS += libopenssl-devel openssl-devel mbedtls-devel

 RPM_SUSE_PYTHON_DEPS = python-devel python3-devel python-pip python3-pip
 RPM_SUSE_PYTHON_DEPS += python-rpm-macros python3-rpm-macros
@@ -282,7 +283,7 @@ endif
 else ifneq ("$(wildcard /etc/redhat-release)","")
 	@sudo -E yum groupinstall $(CONFIRM) $(RPM_DEPENDS_GROUPS)
 	@sudo -E yum install $(CONFIRM) $(RPM_DEPENDS)
-	@sudo -E debuginfo-install $(CONFIRM) glibc openssl-libs zlib
+	@sudo -E debuginfo-install $(CONFIRM) glibc openssl-libs mbedtls-devel zlib
 else ifeq ($(filter opensuse,$(OS_ID)),$(OS_ID))
 	@sudo -E zypper refresh
 	@sudo -E zypper install -y $(RPM_SUSE_DEPENDS)
@@ -137,6 +137,7 @@ DISABLE_ARG(vom,	[Disable VPP object model bindings])
 # --without-X
 WITHOUT_ARG(libssl,	[Disable libssl])
 WITHOUT_ARG(apicli,	[Disable binary api CLI])
+WITHOUT_ARG(mbedtls,	[Disable mbedtls])

 AC_ARG_WITH(unix,
            AC_HELP_STRING([--with-unix],[Compile unix version of clib]),
@@ -196,6 +197,7 @@ AC_SUBST(APICLI,		[-DVPP_API_TEST_BUILTIN=${n_with_apicli}])

 AC_DEFINE_UNQUOTED(DPDK_SHARED_LIB,	[${n_enable_dpdk_shared}])
 AC_DEFINE_UNQUOTED(WITH_LIBSSL,		[${n_with_libssl}])
+AC_DEFINE_UNQUOTED(WITH_MBEDTLS,	[${n_with_mbedtls}])


 # Silence following noise:
@@ -307,6 +309,15 @@ AM_COND_IF([ENABLE_MARVELL_PLUGIN],
    ])
 ])

+AM_COND_IF([WITH_MBEDTLS],
+[
+  AC_CHECK_HEADERS([mbedtls/ssl.h], [],
+    [
+      AC_MSG_WARN([mbedtls headers not found. TLS app disabled])
+      AM_CONDITIONAL(WITH_MBEDTLS, false)
+    ], [])
+])
+
 AC_PATH_PROG([VPPAPIGEN], [vppapigen], [no])
 if test "$VPPAPIGEN" = "no"; then
   VPPAPIGEN=\$\(top_srcdir\)/tools/vppapigen/vppapigen
@@ -448,7 +448,8 @@ ooo_segment_try_collect (svm_fifo_t * f, u32 n_bytes_enqueued)
 }

 static int
-svm_fifo_enqueue_internal (svm_fifo_t * f, u32 max_bytes, u8 * copy_from_here)
+svm_fifo_enqueue_internal (svm_fifo_t * f, u32 max_bytes,
+			   const u8 * copy_from_here)
 {
  u32 total_copy_bytes, first_copy_bytes, second_copy_bytes;
  u32 cursize, nitems;
@@ -520,7 +521,7 @@ svm_fifo_enqueue_internal (svm_fifo_t * f, u32 max_bytes, u8 * copy_from_here)

 static int
 svm_fifo_enqueue_nowait_ma (svm_fifo_t * f, u32 max_bytes,
-			    u8 * copy_from_here)
+			    const u8 * copy_from_here)
 {
  return svm_fifo_enqueue_internal (f, max_bytes, copy_from_here);
 }
@@ -530,12 +531,13 @@ foreach_march_variant (SVM_ENQUEUE_CLONE_TEMPLATE,
 CLIB_MULTIARCH_SELECT_FN (svm_fifo_enqueue_nowait_ma);

 int
-svm_fifo_enqueue_nowait (svm_fifo_t * f, u32 max_bytes, u8 * copy_from_here)
+svm_fifo_enqueue_nowait (svm_fifo_t * f, u32 max_bytes,
+			 const u8 * copy_from_here)
 {
 #if CLIB_DEBUG > 0
  return svm_fifo_enqueue_nowait_ma (f, max_bytes, copy_from_here);
 #else
-  static int (*fp) (svm_fifo_t *, u32, u8 *);
+  static int (*fp) (svm_fifo_t *, u32, const u8 *);

  if (PREDICT_FALSE (fp == 0))
    fp = (void *) svm_fifo_enqueue_nowait_ma_multiarch_select ();
@@ -140,7 +140,7 @@ svm_fifo_t *svm_fifo_create (u32 data_size_in_bytes);
 void svm_fifo_free (svm_fifo_t * f);

 int svm_fifo_enqueue_nowait (svm_fifo_t * f, u32 max_bytes,
-			     u8 * copy_from_here);
+			     const u8 * copy_from_here);
 int svm_fifo_enqueue_with_offset (svm_fifo_t * f, u32 offset,
 				  u32 required_bytes, u8 * copy_from_here);
 int svm_fifo_dequeue_nowait (svm_fifo_t * f, u32 max_bytes, u8 * copy_here);
@@ -27,6 +27,10 @@ if WITH_LIBSSL
 libvnet_la_LIBADD += -lcrypto
 endif

+if WITH_MBEDTLS
+libvnet_la_LIBADD += -lmbedtls -lmbedx509 -lmbedcrypto
+endif
+
 ########################################
 # Generic stuff
 ########################################
@@ -970,6 +974,10 @@ libvnet_la_SOURCES +=				\
  vnet/session-apps/http_server.c		\
  vnet/session-apps/proxy.c

+if WITH_MBEDTLS
+libvnet_la_SOURCES += vnet/session-apps/tls.c
+endif
+
 nobase_include_HEADERS +=			\
  vnet/session-apps/echo_client.h		\
  vnet/session-apps/proxy.h
@@ -905,6 +905,8 @@ const static transport_proto_vft_t sctp_proto = {
  .format_connection = format_sctp_session,
  .format_listener = format_sctp_listener_session,
  .format_half_open = format_sctp_half_open,
+  .tx_type = TRANSPORT_TX_DEQUEUE,
+  .service_type = TRANSPORT_SERVICE_VC,
 };

 /* *INDENT ON* */
@@ -426,7 +426,7 @@ static session_cb_vft_t echo_clients = {
  .session_connected_callback = echo_clients_session_connected_callback,
  .session_accept_callback = echo_clients_session_create_callback,
  .session_disconnect_callback = echo_clients_session_disconnect_callback,
-  .builtin_server_rx_callback = echo_clients_rx_callback,
+  .builtin_app_rx_callback = echo_clients_rx_callback,
  .add_segment_callback = echo_client_add_segment_callback
 };
 /* *INDENT-ON* */
@@ -245,7 +245,7 @@ static session_cb_vft_t echo_server_session_cb_vft = {
  .session_disconnect_callback = echo_server_session_disconnect_callback,
  .session_connected_callback = echo_server_session_connected_callback,
  .add_segment_callback = echo_server_add_segment_callback,
-  .builtin_server_rx_callback = echo_server_rx_callback,
+  .builtin_app_rx_callback = echo_server_rx_callback,
  .session_reset_callback = echo_server_session_reset_callback
 };

@@ -267,19 +267,21 @@ create_api_loopback (vlib_main_t * vm)
 static int
 echo_server_attach (u8 * appns_id, u64 appns_flags, u64 appns_secret)
 {
+  vnet_app_add_tls_cert_args_t _a_cert, *a_cert = &_a_cert;
+  vnet_app_add_tls_key_args_t _a_key, *a_key = &_a_key;
  echo_server_main_t *esm = &echo_server_main;
-  u64 options[APP_OPTIONS_N_OPTIONS];
  vnet_app_attach_args_t _a, *a = &_a;
+  u64 options[APP_OPTIONS_N_OPTIONS];
  u32 segment_size = 512 << 20;

  memset (a, 0, sizeof (*a));
  memset (options, 0, sizeof (options));

  if (esm->no_echo)
-    echo_server_session_cb_vft.builtin_server_rx_callback =
+    echo_server_session_cb_vft.builtin_app_rx_callback =
      echo_server_builtin_server_rx_callback_no_echo;
  else
-    echo_server_session_cb_vft.builtin_server_rx_callback =
+    echo_server_session_cb_vft.builtin_app_rx_callback =
      echo_server_rx_callback;

  if (esm->private_segment_size)
@@ -310,6 +312,18 @@ echo_server_attach (u8 * appns_id, u64 appns_flags, u64 appns_secret)
      return -1;
    }
  esm->app_index = a->app_index;
+
+  memset (a_cert, 0, sizeof (*a_cert));
+  a_cert->app_index = a->app_index;
+  vec_validate (a_cert->cert, test_srv_crt_rsa_len);
+  clib_memcpy (a_cert->cert, test_srv_crt_rsa, test_srv_crt_rsa_len);
+  vnet_app_add_tls_cert (a_cert);
+
+  memset (a_key, 0, sizeof (*a_key));
+  a_key->app_index = a->app_index;
+  vec_validate (a_key->key, test_srv_key_rsa_len);
+  clib_memcpy (a_key->key, test_srv_key_rsa, test_srv_key_rsa_len);
+  vnet_app_add_tls_key (a_key);
  return 0;
 }

@@ -53,6 +53,7 @@ typedef struct
  u32 prealloc_fifos;
  u32 private_segment_size;
  u32 fifo_size;
+  u8 *uri;
  vlib_main_t *vlib_main;
 } http_server_main_t;

@@ -476,7 +477,7 @@ static session_cb_vft_t http_server_session_cb_vft = {
  .session_disconnect_callback = http_server_session_disconnect_callback,
  .session_connected_callback = http_server_session_connected_callback,
  .add_segment_callback = http_server_add_segment_callback,
-  .builtin_server_rx_callback = http_server_rx_callback,
+  .builtin_app_rx_callback = http_server_rx_callback,
  .session_reset_callback = http_server_session_reset_callback
 };

@@ -498,6 +499,8 @@ create_api_loopback (vlib_main_t * vm)
 static int
 server_attach ()
 {
+  vnet_app_add_tls_cert_args_t _a_cert, *a_cert = &_a_cert;
+  vnet_app_add_tls_key_args_t _a_key, *a_key = &_a_key;
  http_server_main_t *hsm = &http_server_main;
  u64 options[APP_OPTIONS_N_OPTIONS];
  vnet_app_attach_args_t _a, *a = &_a;
@@ -526,6 +529,19 @@ server_attach ()
      return -1;
    }
  hsm->app_index = a->app_index;
+
+  memset (a_cert, 0, sizeof (*a_cert));
+  a_cert->app_index = a->app_index;
+  vec_validate (a_cert->cert, test_srv_crt_rsa_len);
+  clib_memcpy (a_cert->cert, test_srv_crt_rsa, test_srv_crt_rsa_len);
+  vnet_app_add_tls_cert (a_cert);
+
+  memset (a_key, 0, sizeof (*a_key));
+  a_key->app_index = a->app_index;
+  vec_validate (a_key->key, test_srv_key_rsa_len);
+  clib_memcpy (a_key->key, test_srv_key_rsa, test_srv_key_rsa_len);
+  vnet_app_add_tls_key (a_key);
+
  return 0;
 }

@@ -537,6 +553,8 @@ http_server_listen ()
  memset (a, 0, sizeof (*a));
  a->app_index = hsm->app_index;
  a->uri = "tcp://0.0.0.0/80";
+  if (hsm->uri)
+    a->uri = (char *) hsm->uri;
  return vnet_bind_uri (a);
 }

@@ -599,6 +617,8 @@ http_server_create_command_fn (vlib_main_t * vm,
 	}
      else if (unformat (input, "fifo-size %d", &hsm->fifo_size))
 	hsm->fifo_size <<= 10;
+      else if (unformat (input, "uri %s", &hsm->uri))
+	;
      else
 	return clib_error_return (0, "unknown input `%U'",
 				  format_unformat_error, input);
@@ -610,7 +630,7 @@ http_server_create_command_fn (vlib_main_t * vm,

  if (is_static)
    {
-      http_server_session_cb_vft.builtin_server_rx_callback =
+      http_server_session_cb_vft.builtin_app_rx_callback =
 	http_server_rx_callback_static;
      html = format (0, html_header_static);
      static_http = format (0, http_response, vec_len (html), html);
@@ -232,7 +232,7 @@ static session_cb_vft_t proxy_session_cb_vft = {
  .session_disconnect_callback = proxy_disconnect_callback,
  .session_connected_callback = proxy_connected_callback,
  .add_segment_callback = proxy_add_segment_callback,
-  .builtin_server_rx_callback = proxy_rx_callback,
+  .builtin_app_rx_callback = proxy_rx_callback,
  .session_reset_callback = proxy_reset_callback
 };

@@ -348,7 +348,7 @@ static session_cb_vft_t active_open_clients = {
  .session_connected_callback = active_open_connected_callback,
  .session_accept_callback = active_open_create_callback,
  .session_disconnect_callback = active_open_disconnect_callback,
-  .builtin_server_rx_callback = active_open_rx_callback
+  .builtin_app_rx_callback = active_open_rx_callback
 };
 /* *INDENT-ON* */

@@ -209,6 +209,9 @@ application_del (application_t * app)
   */
  application_local_sessions_del (app);

+  vec_free (app->tls_cert);
+  vec_free (app->tls_key);
+
  application_table_del (app);
  pool_put (app_pool, app);
 }
@@ -473,10 +476,22 @@ int
 application_open_session (application_t * app, session_endpoint_t * sep,
 			  u32 api_context)
 {
-  segment_manager_t *sm;
  int rv;

  /* Make sure we have a segment manager for connects */
+  application_alloc_connects_segment_manager (app);
+
+  if ((rv = session_open (app->index, sep, api_context)))
+    return rv;
+
+  return 0;
+}
+
+int
+application_alloc_connects_segment_manager (application_t * app)
+{
+  segment_manager_t *sm;
+
  if (app->connects_seg_manager == APP_INVALID_SEGMENT_MANAGER_INDEX)
    {
      sm = application_alloc_segment_manager (app);
@@ -484,10 +499,6 @@ application_open_session (application_t * app, session_endpoint_t * sep,
 	return -1;
      app->connects_seg_manager = segment_manager_index (sm);
    }
-
-  if ((rv = session_open (app->index, sep, api_context)))
-    return rv;
-
  return 0;
 }

@@ -1156,6 +1167,30 @@ application_local_sessions_del (application_t * app)
  segment_manager_del (sm);
 }

+clib_error_t *
+vnet_app_add_tls_cert (vnet_app_add_tls_cert_args_t * a)
+{
+  application_t *app;
+  app = application_get (a->app_index);
+  if (!app)
+    return clib_error_return_code (0, VNET_API_ERROR_APPLICATION_NOT_ATTACHED,
+				   0, "app %u doesn't exist", a->app_index);
+  app->tls_cert = vec_dup (a->cert);
+  return 0;
+}
+
+clib_error_t *
+vnet_app_add_tls_key (vnet_app_add_tls_key_args_t * a)
+{
+  application_t *app;
+  app = application_get (a->app_index);
+  if (!app)
+    return clib_error_return_code (0, VNET_API_ERROR_APPLICATION_NOT_ATTACHED,
+				   0, "app %u doesn't exist", a->app_index);
+  app->tls_key = vec_dup (a->key);
+  return 0;
+}
+
 u8 *
 format_application_listener (u8 * s, va_list * args)
 {
@@ -20,12 +20,6 @@
 #include <vnet/session/session.h>
 #include <vnet/session/segment_manager.h>
 #include <vnet/session/application_namespace.h>
-typedef enum
-{
-  APP_SERVER,
-  APP_CLIENT,
-  APP_N_TYPES
-} application_type_t;

 typedef struct _stream_session_cb_vft
 {
@@ -49,8 +43,11 @@ typedef struct _stream_session_cb_vft
  /** Notify app that session was reset */
  void (*session_reset_callback) (stream_session_t * s);

-  /** Direct RX callback, for built-in servers */
-  int (*builtin_server_rx_callback) (stream_session_t * session);
+  /** Direct RX callback for built-in application */
+  int (*builtin_app_rx_callback) (stream_session_t * session);
+
+  /** Direct TX callback for built-in application */
+  int (*builtin_app_tx_callback) (stream_session_t * session);

 } session_cb_vft_t;

@@ -118,6 +115,16 @@ typedef struct _application

  /** Hash table of the app's local connects */
  uword *local_connects;
+
+  /*
+   * TLS Specific
+   */
+
+  /** Certificate to be used for listen sessions */
+  u8 *tls_cert;
+
+  /** PEM encoded key */
+  u8 *tls_key;
 } application_t;

 #define APP_INVALID_INDEX ((u32)~0)
@@ -152,6 +159,8 @@ segment_manager_t *application_get_listen_segment_manager (application_t *
 							   ls);
 segment_manager_t *application_get_connect_segment_manager (application_t *
 							    app);
+int application_alloc_connects_segment_manager (application_t * app);
+
 int application_is_proxy (application_t * app);
 int application_is_builtin (application_t * app);
 int application_is_builtin_proxy (application_t * app);
@@ -245,6 +254,13 @@ application_local_session_listener_has_transport (local_session_t * ls)
  return (tp != TRANSPORT_PROTO_NONE);
 }

+void send_local_session_disconnect_callback (u32 app_index,
+					     local_session_t * ls);
+
+int application_connect (u32 client_index, u32 api_context,
+			 session_endpoint_t * sep);
+
+uword unformat_application_proto (unformat_input_t * input, va_list * args);

 #endif /* SRC_VNET_SESSION_APPLICATION_H_ */

@@ -22,6 +22,61 @@
    VPP's application/session API bind/unbind/connect/disconnect calls
 */

+/*
+ * TLS server cert and keys to be used for testing only
+ */
+const char test_srv_crt_rsa[] =
+  "-----BEGIN CERTIFICATE-----\r\n"
+  "MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n"
+  "MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n"
+  "MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n"
+  "A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n"
+  "AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n"
+  "owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n"
+  "NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n"
+  "tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n"
+  "hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n"
+  "HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n"
+  "VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n"
+  "FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQADggEBAJxnXClY\r\n"
+  "oHkbp70cqBrsGXLybA74czbO5RdLEgFs7rHVS9r+c293luS/KdliLScZqAzYVylw\r\n"
+  "UfRWvKMoWhHYKp3dEIS4xTXk6/5zXxhv9Rw8SGc8qn6vITHk1S1mPevtekgasY5Y\r\n"
+  "iWQuM3h4YVlRH3HHEMAD1TnAexfXHHDFQGe+Bd1iAbz1/sH9H8l4StwX6egvTK3M\r\n"
+  "wXRwkKkvjKaEDA9ATbZx0mI8LGsxSuCqe9r9dyjmttd47J1p1Rulz3CLzaRcVIuS\r\n"
+  "RRQfaD8neM9c1S/iJ/amTVqJxA1KOdOS5780WhPfSArA+g4qAmSjelc3p4wWpha8\r\n"
+  "zhuYwjVuX6JHG0c=\r\n" "-----END CERTIFICATE-----\r\n";
+const u32 test_srv_crt_rsa_len = sizeof (test_srv_crt_rsa);
+
+const char test_srv_key_rsa[] =
+  "-----BEGIN RSA PRIVATE KEY-----\r\n"
+  "MIIEpAIBAAKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxKzzoTFtBa5M2jAIin7h5r\r\n"
+  "lqdStJDvLXJ6PiSa/LY0rCT1d+AmZIycsCh9odrqjObJHJa8/sEEUrM21KP64bF2\r\n"
+  "2JDBYbRmUjaiJlOqq3ReB30Zgtsq2B+g2Q0cLUlm91slc0boC4pPaQy1AJDh2oIQ\r\n"
+  "Zn2uVCuLZXmRoeJhw81ASQjuaAzxi4bSRr/QuKoRAx5/VqgaHkQYDw+Fi9qLRF7i\r\n"
+  "GMZiL8dmjfpd2H3zJ4kpAcWQDj8n8TDISg7v1t7HxydrxwU9esQCPJodPg/oNJhb\r\n"
+  "y3NLUpbYEaIsgIhpOVrTD7DeWS8Rx/fqEgEwlwIDAQABAoIBAQCXR0S8EIHFGORZ\r\n"
+  "++AtOg6eENxD+xVs0f1IeGz57Tjo3QnXX7VBZNdj+p1ECvhCE/G7XnkgU5hLZX+G\r\n"
+  "Z0jkz/tqJOI0vRSdLBbipHnWouyBQ4e/A1yIJdlBtqXxJ1KE/ituHRbNc4j4kL8Z\r\n"
+  "/r6pvwnTI0PSx2Eqs048YdS92LT6qAv4flbNDxMn2uY7s4ycS4Q8w1JXnCeaAnYm\r\n"
+  "WYI5wxO+bvRELR2Mcz5DmVnL8jRyml6l6582bSv5oufReFIbyPZbQWlXgYnpu6He\r\n"
+  "GTc7E1zKYQGG/9+DQUl/1vQuCPqQwny0tQoX2w5tdYpdMdVm+zkLtbajzdTviJJa\r\n"
+  "TWzL6lt5AoGBAN86+SVeJDcmQJcv4Eq6UhtRr4QGMiQMz0Sod6ettYxYzMgxtw28\r\n"
+  "CIrgpozCc+UaZJLo7UxvC6an85r1b2nKPCLQFaggJ0H4Q0J/sZOhBIXaoBzWxveK\r\n"
+  "nupceKdVxGsFi8CDy86DBfiyFivfBj+47BbaQzPBj7C4rK7UlLjab2rDAoGBAN2u\r\n"
+  "AM2gchoFiu4v1HFL8D7lweEpi6ZnMJjnEu/dEgGQJFjwdpLnPbsj4c75odQ4Gz8g\r\n"
+  "sw9lao9VVzbusoRE/JGI4aTdO0pATXyG7eG1Qu+5Yc1YGXcCrliA2xM9xx+d7f+s\r\n"
+  "mPzN+WIEg5GJDYZDjAzHG5BNvi/FfM1C9dOtjv2dAoGAF0t5KmwbjWHBhcVqO4Ic\r\n"
+  "BVvN3BIlc1ue2YRXEDlxY5b0r8N4XceMgKmW18OHApZxfl8uPDauWZLXOgl4uepv\r\n"
+  "whZC3EuWrSyyICNhLY21Ah7hbIEBPF3L3ZsOwC+UErL+dXWLdB56Jgy3gZaBeW7b\r\n"
+  "vDrEnocJbqCm7IukhXHOBK8CgYEAwqdHB0hqyNSzIOGY7v9abzB6pUdA3BZiQvEs\r\n"
+  "3LjHVd4HPJ2x0N8CgrBIWOE0q8+0hSMmeE96WW/7jD3fPWwCR5zlXknxBQsfv0gP\r\n"
+  "3BC5PR0Qdypz+d+9zfMf625kyit4T/hzwhDveZUzHnk1Cf+IG7Q+TOEnLnWAWBED\r\n"
+  "ISOWmrUCgYAFEmRxgwAc/u+D6t0syCwAYh6POtscq9Y0i9GyWk89NzgC4NdwwbBH\r\n"
+  "4AgahOxIxXx2gxJnq3yfkJfIjwf0s2DyP0kY2y6Ua1OeomPeY9mrIS4tCuDQ6LrE\r\n"
+  "TB6l9VGoxJL4fyHnZb8L5gGvnB1bbD8cL6YPaDiOhcRseC9vBiEuVg==\r\n"
+  "-----END RSA PRIVATE KEY-----\r\n";
+const u32 test_srv_key_rsa_len = sizeof (test_srv_key_rsa);
+
 static u8
 session_endpoint_is_local (session_endpoint_t * sep)
 {
@@ -179,8 +234,8 @@ vnet_unbind_i (u32 app_index, session_handle_t handle)
 }

 int
-vnet_connect_i (u32 client_index, u32 api_context, session_endpoint_t * sep,
-		void *mp)
+application_connect (u32 client_index, u32 api_context,
+		     session_endpoint_t * sep)
 {
  application_t *server, *client;
  u32 table_index, server_index, li;
@@ -277,22 +332,23 @@ uword
 unformat_vnet_uri (unformat_input_t * input, va_list * args)
 {
  session_endpoint_t *sep = va_arg (*args, session_endpoint_t *);
-  u32 transport_proto = 0;
-  if (unformat (input, "%U://%U/%d", unformat_transport_proto,
-		&transport_proto, unformat_ip4_address, &sep->ip.ip4,
-		&sep->port))
+  u32 transport_proto = 0, port;
+
+  if (unformat
+      (input, "%U://%U/%d", unformat_transport_proto, &transport_proto,
+       unformat_ip4_address, &sep->ip.ip4, &port))
    {
      sep->transport_proto = transport_proto;
-      sep->port = clib_host_to_net_u16 (sep->port);
+      sep->port = clib_host_to_net_u16 (port);
      sep->is_ip4 = 1;
      return 1;
    }
-  if (unformat (input, "%U://%U/%d", unformat_transport_proto,
-		&transport_proto, unformat_ip6_address, &sep->ip.ip6,
-		&sep->port))
+  else if (unformat (input, "%U://%U/%d", unformat_transport_proto,
+		     &transport_proto, unformat_ip6_address, &sep->ip.ip6,
+		     &port))
    {
      sep->transport_proto = transport_proto;
-      sep->port = clib_host_to_net_u16 (sep->port);
+      sep->port = clib_host_to_net_u16 (port);
      sep->is_ip4 = 0;
      return 1;
    }
@@ -440,8 +496,8 @@ vnet_bind_uri (vnet_bind_args_t * a)
 int
 vnet_unbind_uri (vnet_unbind_args_t * a)
 {
-  stream_session_t *listener;
  session_endpoint_t sep = SESSION_ENDPOINT_NULL;
+  stream_session_t *listener;
  int rv;

  rv = parse_uri (a->uri, &sep);
@@ -459,15 +515,15 @@ vnet_unbind_uri (vnet_unbind_args_t * a)
 clib_error_t *
 vnet_connect_uri (vnet_connect_args_t * a)
 {
-  session_endpoint_t sep_null = SESSION_ENDPOINT_NULL;
+  session_endpoint_t sep = SESSION_ENDPOINT_NULL;
  int rv;

  /* Parse uri */
-  a->sep = sep_null;
-  rv = parse_uri (a->uri, &a->sep);
+  rv = parse_uri (a->uri, &sep);
  if (rv)
    return clib_error_return_code (0, rv, 0, "app init: %d", rv);
-  if ((rv = vnet_connect_i (a->app_index, a->api_context, &a->sep, a->mp)))
+
+  if ((rv = application_connect (a->app_index, a->api_context, &sep)))
    return clib_error_return_code (0, rv, 0, "connect failed");
  return 0;
 }
@@ -523,8 +579,10 @@ vnet_unbind (vnet_unbind_args_t * a)
 clib_error_t *
 vnet_connect (vnet_connect_args_t * a)
 {
+  session_endpoint_t *sep = &a->sep;
  int rv;
-  if ((rv = vnet_connect_i (a->app_index, a->api_context, &a->sep, a->mp)))
+
+  if ((rv = application_connect (a->app_index, a->api_context, sep)))
    return clib_error_return_code (0, rv, 0, "connect failed");
  return 0;
 }
@@ -30,7 +30,7 @@ typedef struct _vnet_app_attach_args_t
  /** Application and segment manager options */
  u64 *options;

-  /* Namespace id */
+  /** ID of the namespace the app has access to */
  u8 *namespace_id;

  /** Session to application callback functions */
@@ -80,8 +80,11 @@ typedef struct _vnet_unbind_args_t

 typedef struct _vnet_connect_args
 {
-  char *uri;
-  session_endpoint_t sep;
+  union
+  {
+    char *uri;
+    session_endpoint_t sep;
+  };
  u32 app_index;
  u32 api_context;

@@ -96,6 +99,18 @@ typedef struct _vnet_disconnect_args_t
  u32 app_index;
 } vnet_disconnect_args_t;

+typedef struct _vnet_application_add_tls_cert_args_t
+{
+  u32 app_index;
+  u8 *cert;
+} vnet_app_add_tls_cert_args_t;
+
+typedef struct _vnet_application_add_tls_key_args_t
+{
+  u32 app_index;
+  u8 *key;
+} vnet_app_add_tls_key_args_t;
+
 /* Application attach options */
 typedef enum
 {
@@ -136,24 +151,24 @@ typedef enum _app_options_flags
 #undef _
 } app_options_flags_t;

-clib_error_t *vnet_application_attach (vnet_app_attach_args_t * a);
-int vnet_application_detach (vnet_app_detach_args_t * a);
-
 int vnet_bind_uri (vnet_bind_args_t *);
 int vnet_unbind_uri (vnet_unbind_args_t * a);
 clib_error_t *vnet_connect_uri (vnet_connect_args_t * a);
-int vnet_disconnect_session (vnet_disconnect_args_t * a);

+clib_error_t *vnet_application_attach (vnet_app_attach_args_t * a);
 clib_error_t *vnet_bind (vnet_bind_args_t * a);
 clib_error_t *vnet_connect (vnet_connect_args_t * a);
 clib_error_t *vnet_unbind (vnet_unbind_args_t * a);
+int vnet_application_detach (vnet_app_detach_args_t * a);
+int vnet_disconnect_session (vnet_disconnect_args_t * a);

-int
-api_parse_session_handle (u64 handle, u32 * session_index,
-			  u32 * thread_index);
+clib_error_t *vnet_app_add_tls_cert (vnet_app_add_tls_cert_args_t * a);
+clib_error_t *vnet_app_add_tls_key (vnet_app_add_tls_key_args_t * a);

-void send_local_session_disconnect_callback (u32 app_index,
-					     local_session_t * ls);
+extern const char test_srv_crt_rsa[];
+extern const u32 test_srv_crt_rsa_len;
+extern const char test_srv_key_rsa[];
+extern const u32 test_srv_key_rsa_len;

 #endif /* __included_uri_h__ */

@@ -51,6 +51,34 @@ define application_attach_reply {
    u8 segment_name[128];
 };

+/** \brief Application add TLS certificate
+    @param client_index - opaque cookie to identify the sender
+    @param context - sender context, to match reply w/ request
+    @param cert_len - certificate length
+    @param cert - certificate as a string
+*/
+autoreply define application_tls_cert_add {
+    u32 client_index;
+    u32 context;
+    u32 app_index;
+    u16 cert_len;
+    u8 cert[cert_len];
+};
+
+/** \brief Application add TLS key
+    @param client_index - opaque cookie to identify the sender
+    @param context - sender context, to match reply w/ request
+    @param key_len - certificate length
+    @param key - PEM encoded key as a string
+*/
+autoreply define application_tls_key_add {
+    u32 client_index;
+    u32 context;
+    u32 app_index;
+    u16 key_len;
+    u8 key[key_len];
+};
+
 /** \brief client->vpp, attach application to session layer
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
@@ -114,6 +114,7 @@ typedef int

 extern session_fifo_rx_fn session_tx_fifo_peek_and_snd;
 extern session_fifo_rx_fn session_tx_fifo_dequeue_and_snd;
+extern session_fifo_rx_fn session_tx_fifo_dequeue_internal;

 u8 session_node_lookup_fifo_event (svm_fifo_t * f, session_fifo_event_t * e);

@@ -233,6 +234,8 @@ stream_session_is_valid (u32 si, u8 thread_index)
 }

 stream_session_t *session_alloc (u32 thread_index);
+int session_alloc_fifos (segment_manager_t * sm, stream_session_t * s);
+void session_free (stream_session_t * s);

 always_inline stream_session_t *
 session_get (u32 si, u32 thread_index)
@@ -453,7 +456,6 @@ transport_connection_t *session_get_transport (stream_session_t * s);

 u32 stream_session_tx_fifo_max_dequeue (transport_connection_t * tc);

-stream_session_t *session_alloc (u32 thread_index);
 int
 session_enqueue_stream_connection (transport_connection_t * tc,
 				   vlib_buffer_t * b, u32 offset,
@@ -531,6 +533,13 @@ listen_session_get_from_handle (session_handle_t handle)
  return s;
 }

+always_inline void
+listen_session_parse_handle (session_handle_t handle, u32 * type, u32 * index)
+{
+  *type = handle >> 32;
+  *index = handle & 0xFFFFFFFF;
+}
+
 always_inline stream_session_t *
 listen_session_new (session_type_t type)
 {
@@ -573,18 +582,6 @@ session_manager_get_listener (u8 session_type, u32 index)
 		       index);
 }

-/**
- * Set peek or dequeue function for given session type
- *
- * Reliable transport protocols will probably want to use a peek function
- */
-always_inline void
-session_manager_set_transport_rx_fn (session_type_t type, u8 is_peek)
-{
-  session_manager_main.session_tx_fns[type] = (is_peek) ?
-    session_tx_fifo_peek_and_snd : session_tx_fifo_dequeue_and_snd;
-}
-
 always_inline u8
 session_manager_is_enabled ()
 {
@@ -56,6 +56,8 @@ _(SESSION_ENABLE_DISABLE, session_enable_disable)                   	\
 _(APP_NAMESPACE_ADD_DEL, app_namespace_add_del)				\
 _(SESSION_RULE_ADD_DEL, session_rule_add_del)				\
 _(SESSION_RULES_DUMP, session_rules_dump)				\
+_(APPLICATION_TLS_CERT_ADD, application_tls_cert_add)			\
+_(APPLICATION_TLS_KEY_ADD, application_tls_key_add)			\

 static int
 session_send_memfd_fd (vl_api_registration_t * reg, const ssvm_private_t * sp)
@@ -1102,6 +1104,64 @@ vl_api_session_rules_dump_t_handler (vl_api_one_map_server_dump_t * mp)
  /* *INDENT-ON* */
 }

+static void
+vl_api_application_tls_cert_add_t_handler (vl_api_application_tls_cert_add_t *
+					   mp)
+{
+  vl_api_app_namespace_add_del_reply_t *rmp;
+  vnet_app_add_tls_cert_args_t _a, *a = &_a;
+  clib_error_t *error;
+  u32 cert_len;
+  int rv = 0;
+  if (!session_manager_is_enabled ())
+    {
+      rv = VNET_API_ERROR_FEATURE_DISABLED;
+      goto done;
+    }
+  memset (a, 0, sizeof (*a));
+  a->app_index = clib_net_to_host_u32 (mp->app_index);
+  cert_len = clib_net_to_host_u16 (mp->cert_len);
+  vec_validate (a->cert, cert_len);
+  clib_memcpy (a->cert, mp->cert, cert_len);
+  if ((error = vnet_app_add_tls_cert (a)))
+    {
+      rv = clib_error_get_code (error);
+      clib_error_report (error);
+    }
+  vec_free (a->cert);
+done:
+  REPLY_MACRO (VL_API_APPLICATION_TLS_CERT_ADD_REPLY);
+}
+
+static void
+vl_api_application_tls_key_add_t_handler (vl_api_application_tls_key_add_t *
+					  mp)
+{
+  vl_api_app_namespace_add_del_reply_t *rmp;
+  vnet_app_add_tls_key_args_t _a, *a = &_a;
+  clib_error_t *error;
+  u32 key_len;
+  int rv = 0;
+  if (!session_manager_is_enabled ())
+    {
+      rv = VNET_API_ERROR_FEATURE_DISABLED;
+      goto done;
+    }
+  memset (a, 0, sizeof (*a));
+  a->app_index = clib_net_to_host_u32 (mp->app_index);
+  key_len = clib_net_to_host_u16 (mp->key_len);
+  vec_validate (a->key, key_len);
+  clib_memcpy (a->key, mp->key, key_len);
+  if ((error = vnet_app_add_tls_key (a)))
+    {
+      rv = clib_error_get_code (error);
+      clib_error_report (error);
+    }
+  vec_free (a->key);
+done:
+  REPLY_MACRO (VL_API_APPLICATION_TLS_KEY_ADD_REPLY);
+}
+
 static clib_error_t *
 application_reaper_cb (u32 client_index)
 {
@@ -33,7 +33,7 @@ typedef enum _session_evt_dbg

 #define SESSION_DEBUG (0 && TRANSPORT_DEBUG)
 #define SESSION_DEQ_NODE_EVTS (0)
-#define SESSION_EVT_POLL_DBG (1)
+#define SESSION_EVT_POLL_DBG (0)

 #if SESSION_DEBUG

@@ -389,6 +389,20 @@ session_tx_fifo_dequeue_and_snd (vlib_main_t * vm, vlib_node_runtime_t * node,
 					 n_tx_pkts, 0);
 }

+int
+session_tx_fifo_dequeue_internal (vlib_main_t * vm,
+				  vlib_node_runtime_t * node,
+				  session_manager_main_t * smm,
+				  session_fifo_event_t * e0,
+				  stream_session_t * s0, u32 thread_index,
+				  int *n_tx_pkts)
+{
+  application_t *app;
+  app = application_get (s0->opaque);
+  svm_fifo_unset_event (s0->server_tx_fifo);
+  return app->cb_fns.builtin_app_tx_callback (s0);
+}
+
 always_inline stream_session_t *
 session_event_get_session (session_fifo_event_t * e, u8 thread_index)
 {
@@ -505,7 +519,7 @@ session_node_lookup_fifo_event (svm_fifo_t * f, session_fifo_event_t * e)
      clib_memcpy (e, headp, q->elsize);
      found = session_node_cmp_event (e, f);
      if (found)
-	break;
+	return 1;
      if (++index == q->maxsize)
 	index = 0;
    }
@@ -657,7 +671,7 @@ skip_dequeue:
 	    continue;
 	  svm_fifo_unset_event (s0->server_rx_fifo);
 	  app = application_get (s0->app_index);
-	  app->cb_fns.builtin_server_rx_callback (s0);
+	  app->cb_fns.builtin_app_rx_callback (s0);
 	  break;
 	case FIFO_EVENT_RPC:
 	  fp = e0->rpc_args.fp;
@@ -69,12 +69,6 @@ dummy_del_segment_callback (u32 client_index, const ssvm_private_t * fs)
  return 0;
 }

-int
-dummy_redirect_connect_callback (u32 client_index, void *mp)
-{
-  return VNET_API_ERROR_SESSION_REDIRECT;
-}
-
 void
 dummy_session_disconnect_callback (stream_session_t * s)
 {
@@ -104,7 +98,7 @@ static session_cb_vft_t dummy_session_cbs = {
  .session_connected_callback = dummy_session_connected_callback,
  .session_accept_callback = dummy_session_accept_callback,
  .session_disconnect_callback = dummy_session_disconnect_callback,
-  .builtin_server_rx_callback = dummy_server_rx_callback,
+  .builtin_app_rx_callback = dummy_server_rx_callback,
  .add_segment_callback = dummy_add_segment_callback,
  .del_segment_callback = dummy_del_segment_callback,
 };
@@ -1316,8 +1310,10 @@ session_test_rules (vlib_main_t * vm, unformat_input_t * input)
  SESSION_TEST ((handle == SESSION_DROP_HANDLE), "lookup for 1.2.3.4/32 1234 "
 		"5.6.7.8/16 432*2* in local table should return deny");

+
  connect_args.app_index = server_index;
  connect_args.sep = sep;
+
  error = vnet_connect (&connect_args);
  SESSION_TEST ((error != 0), "connect should fail");
  rv = clib_error_get_code (error);
@@ -85,8 +85,13 @@ typedef struct _stream_session_t
  /** Transport specific */
  u32 connection_index;

-  /** Parent listener session if the result of an accept */
-  u32 listener_index;
+  union
+  {
+    /** Parent listener session if the result of an accept */
+    u32 listener_index;
+    /** Opaque, for general use */
+    u32 opaque;
+  };

    CLIB_CACHE_LINE_ALIGN_MARK (pad);
 } stream_session_t;
@@ -133,20 +138,27 @@ typedef struct local_session_
    CLIB_CACHE_LINE_ALIGN_MARK (pad);
 } local_session_t;

+#define foreach_session_endpoint_fields				\
+    foreach_transport_connection_fields				\
+    _(u8, transport_proto)					\
+    _(u8, app_proto)						\
+
 typedef struct _session_endpoint
 {
-  /*
-   * Network specific
-   */
 #define _(type, name) type name;
-  foreach_transport_connection_fields
+  foreach_session_endpoint_fields
 #undef _
-    /*
-     * Session specific
-     */
-  u8 transport_proto;	/**< transport protocol for session */
 } session_endpoint_t;

+typedef struct _session_endpoint_extended
+{
+#define _(type, name) type name;
+  foreach_session_endpoint_fields
+#undef _
+  u32 app_index;
+  u32 opaque;
+} session_endpoint_extended_t;
+
 #define SESSION_IP46_ZERO		\
 {					\
    .ip6 = {				\
@@ -161,6 +173,7 @@ typedef struct _session_endpoint
  .is_ip4 = 0,				\
  .port = 0,				\
  .transport_proto = 0,			\
+  .app_proto = 0,			\
 }

 #define session_endpoint_to_transport(_sep) ((transport_endpoint_t *)_sep)
@@ -96,6 +96,10 @@ unformat_transport_proto (unformat_input_t * input, va_list * args)
    *proto = TRANSPORT_PROTO_SCTP;
  else if (unformat (input, "SCTP"))
    *proto = TRANSPORT_PROTO_SCTP;
+  else if (unformat (input, "tls"))
+    *proto = TRANSPORT_PROTO_TLS;
+  else if (unformat (input, "TLS"))
+    *proto = TRANSPORT_PROTO_TLS;
  else
    return 0;
  return 1;
@@ -25,20 +25,34 @@
 */
 typedef struct _transport_connection
 {
-  ip46_address_t rmt_ip;	/**< Remote IP */
-  ip46_address_t lcl_ip;	/**< Local IP */
-  u16 lcl_port;			/**< Local port */
-  u16 rmt_port;			/**< Remote port */
-  u8 proto;			/**< Protocol id */
-  u8 is_ip4;			/**< Flag if IP4 connection */
-  u32 fib_index;			/**< Network namespace */
+  /** Connection ID */
+  union
+  {
+    /*
+     * Network connection ID tuple
+     */
+    struct
+    {
+      ip46_address_t rmt_ip;	/**< Remote IP */
+      ip46_address_t lcl_ip;	/**< Local IP */
+      u16 lcl_port;		/**< Local port */
+      u16 rmt_port;		/**< Remote port */
+      u8 proto;			/**< Protocol id */
+      u8 is_ip4;		/**< Flag if IP4 connection */
+      u32 fib_index;		/**< Network namespace */
+    };
+    /*
+     * Opaque connection ID
+     */
+    u8 opaque_conn_id[42];
+  };

  u32 s_index;			/**< Parent session index */
  u32 c_index;			/**< Connection index in transport pool */
  u32 thread_index;		/**< Worker-thread index */

-  fib_node_index_t rmt_fei;	/**< FIB entry index for rmt */
-  dpo_id_t rmt_dpo;		/**< Forwarding DPO for rmt */
+  /*fib_node_index_t rmt_fei;
+     dpo_id_t rmt_dpo; */

 #if TRANSPORT_DEBUG
  elog_track_t elog_track;	/**< Event logging */
@@ -64,6 +78,7 @@ typedef struct _transport_connection
 #define c_cc_stat_tstamp connection.cc_stat_tstamp
 #define c_rmt_fei connection.rmt_fei
 #define c_rmt_dpo connection.rmt_dpo
+#define c_opaque_id connection.opaque_conn_id
 } transport_connection_t;

 typedef enum _transport_proto
@@ -72,6 +87,7 @@ typedef enum _transport_proto
  TRANSPORT_PROTO_UDP,
  TRANSPORT_PROTO_SCTP,
  TRANSPORT_PROTO_NONE,
+  TRANSPORT_PROTO_TLS,
  TRANSPORT_N_PROTO
 } transport_proto_t;

@@ -19,9 +19,26 @@
 #include <vnet/vnet.h>
 #include <vnet/session/transport.h>

+typedef enum transport_dequeue_type_
+{
+  TRANSPORT_TX_PEEK,		/**< reliable transport protos */
+  TRANSPORT_TX_DEQUEUE,		/**< unreliable transport protos */
+  TRANSPORT_TX_INTERNAL,		/**< apps acting as transports */
+  TRANSPORT_TX_N_FNS
+} transport_tx_fn_type_t;
+
+typedef enum transport_service_type_
+{
+  TRANSPORT_SERVICE_VC,		/**< virtual circuit service */
+  TRANSPORT_SERVICE_CL,		/**< connectionless service */
+  TRANSPORT_SERVICE_APP,		/**< app transport service */
+  TRANSPORT_N_SERVICES
+} transport_service_type_t;
+
 /*
 * Transport protocol virtual function table
 */
+/* *INDENT-OFF* */
 typedef struct _transport_proto_vft
 {
  /*
@@ -37,10 +54,11 @@ typedef struct _transport_proto_vft
  /*
   * Transmission
   */
-    u32 (*push_header) (transport_connection_t * tconn, vlib_buffer_t * b);
-    u16 (*send_mss) (transport_connection_t * tc);
-    u32 (*send_space) (transport_connection_t * tc);
-    u32 (*tx_fifo_offset) (transport_connection_t * tc);
+
+  u32 (*push_header) (transport_connection_t * tconn, vlib_buffer_t * b);
+  u16 (*send_mss) (transport_connection_t * tc);
+  u32 (*send_space) (transport_connection_t * tc);
+  u32 (*tx_fifo_offset) (transport_connection_t * tc);
  void (*update_time) (f64 time_now, u8 thread_index);

  /*
@@ -56,11 +74,18 @@ typedef struct _transport_proto_vft
  u8 *(*format_connection) (u8 * s, va_list * args);
  u8 *(*format_listener) (u8 * s, va_list * args);
  u8 *(*format_half_open) (u8 * s, va_list * args);
+
+  /*
+   * Properties
+   */
+  transport_tx_fn_type_t tx_type;
+  transport_service_type_t service_type;
 } transport_proto_vft_t;
+/* *INDENT-ON* */

 extern transport_proto_vft_t *tp_vfts;

-#define transport_proto_foreach(VAR, BODY)				\
+#define transport_proto_foreach(VAR, BODY)			\
 do {								\
    for (VAR = 0; VAR < vec_len (tp_vfts); VAR++)		\
      if (tp_vfts[VAR].push_header != 0)				\
@@ -1037,6 +1037,8 @@ const static transport_proto_vft_t tcp_proto = {
  .format_connection = format_tcp_session,
  .format_listener = format_tcp_listener_session,
  .format_half_open = format_tcp_half_open_session,
+  .tx_type = TRANSPORT_TX_PEEK,
+  .service_type = TRANSPORT_SERVICE_VC,
 };
 /* *INDENT-ON* */

@@ -389,7 +389,7 @@ tcp_make_options (tcp_connection_t * tc, tcp_options_t * opts,
    case TCP_STATE_SYN_SENT:
      return tcp_make_syn_options (opts, tc->rcv_wscale);
    default:
-      clib_warning ("Not handled!");
+      clib_warning ("State not handled! %d", state);
      return 0;
    }
 }
@@ -321,7 +321,9 @@ const static transport_proto_vft_t udp_proto = {
  .send_space = udp_send_space,
  .format_connection = format_udp_session,
  .format_half_open = format_udp_half_open_session,
-  .format_listener = format_udp_listener_session
+  .format_listener = format_udp_listener_session,
+  .tx_type = TRANSPORT_TX_DEQUEUE,
+  .service_type = TRANSPORT_SERVICE_VC,
 };
 /* *INDENT-ON* */