10 Commits

Author SHA1 Message Date
Benoît Ganne
84e6658486 ipsec: add support for RFC-4543 ENCR_NULL_AUTH_AES_GMAC
Type: improvement

Change-Id: I830f7a2ea3ac0aff5185698b9fa7a278c45116b0
Signed-off-by: Benoît Ganne <bganne@cisco.com>
2023-08-08 10:16:26 +00:00
Andrew Yourtchenko
a47203128b build: Make the build work on Debian 11
Debian 11 has some packages that have changed, and need adjustment.
Also - its default compiler is gcc 10, which, contrary to either gcc 8
or gcc 11 prints a bunch of warnings, which fails compilation.
And there is no gcc 11 package.

Therefore, use clang for this build.

Additionally, python 3.9 has exposed this issue:
https://bugs.python.org/issue42580

Therefore, make a local patch to scapy to tackle it.

Type: feature
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: I7b9c0f852ab97fe3c1feca3f22020ac0970ba3e2
2022-02-07 18:40:51 +00:00
Arthur de Kerhor
ce04e3b038 ipsec: allow registering random ports in tests
We add the possibility to bind the destination UDP port of a Scapy SA
to the ESP layer in the IPsec tunnel protection tests, even if it is not
the default port for ESP (4500).

This allows to test IPSec tunnel protection with ports other than 4500
in the UDP header, without hardcoding them in the Scapy patch (ex: 4545)

Type: improvement

Change-Id: I1eea3d4660ed1b59d827250a419af6b7b41c4a72
Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
2022-01-05 08:18:03 +00:00
Neale Ranns
4a58e49cfe ipsec: Support MPLS over IPSec[46] interface
Type: feature

Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I89dc3815eabfee135cd5b3c910dea5e2e2ef1333
2021-01-18 08:35:52 +00:00
Filip Tehlar
558607dc3a ikev2: better packet parsing functions
Ticket: VPP-1918
Type: improvement

Change-Id: I2bc3e30121697404dcd54f1c2127bd85ccc1029e
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-09-30 16:38:59 +00:00
Christian Hopps
fb7e7ed2cd ipsec: fix padding/alignment for native IPsec encryption
Not all ESP crypto algorithms require padding/alignment to be the same
as AES block/IV size. CCM, CTR and GCM all have no padding/alignment
requirements, and the RFCs indicate that no padding (beyond ESPs 4 octet
alignment requirement) should be used unless TFC (traffic flow
confidentiality) has been requested.

  CTR: https://tools.ietf.org/html/rfc3686#section-3.2
  GCM: https://tools.ietf.org/html/rfc4106#section-3.2
  CCM: https://tools.ietf.org/html/rfc4309#section-3.2

- VPP is incorrectly using the IV/AES block size to pad CTR and GCM.
These modes do not require padding (beyond ESPs 4 octet requirement), as
a result packets will have unnecessary padding, which will waste
bandwidth at least and possibly fail certain network configurations that
have finely tuned MTU configurations at worst.

Fix this as well as changing the field names from ".*block_size" to
".*block_align" to better represent their actual (and only) use. Rename
"block_sz" in esp_encrypt to "esp_align" and set it correctly as well.

test: ipsec: Add unit-test to test for RFC correct padding/alignment

test: patch scapy to not incorrectly pad ccm, ctr, gcm modes as well

- Scapy is also incorrectly using the AES block size of 16 to pad CCM,
CTR, and GCM cipher modes. A bug report has been opened with the
and acknowledged with the upstream scapy project as well:

  https://github.com/secdev/scapy/issues/2322

Ticket: VPP-1928
Type: fix
Signed-off-by: Christian Hopps <chopps@labn.net>
Change-Id: Iaa4d6a325a2e99fdcb2c375a3395bcfe7947770e
2020-09-07 09:43:27 +00:00
Neale Ranns
abc5660c61 ipsec: User can choose the UDP source port
Type: feature

thus allowing NAT traversal,

Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: Ie8650ceeb5074f98c68d2d90f6adc2f18afeba08
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2020-05-05 18:36:33 +00:00
Matthew Smith
39e9428b90 vrrp: add plugin providing vrrp support
Type: feature

Add a new plugin to support HA using VRRPv3 (RFC 5798).

Change-Id: Iaa2c37e6172f8f41e9165f178f44d481f6e247b9
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2020-02-13 19:46:30 +00:00
Paul Vinciguerra
53131d2a26 tests: fix cdp patch for scapy 2.4.3
Type: test
Fixes: 5d4b8912d2fe186b4fb920a72b3a2f7b556f4e7d

Change-Id: Ib64ae00eba41b2b6afc728142cbccc02d07f4997
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2019-12-18 20:42:36 +00:00
snaramre
5d4b8912d2 tests: changes for scapy 2.4.3 migration
Type: fix
Change-Id: I7e041b666dabd90df23a920a1f1d99db4c10ddfe
Signed-off-by: snaramre <snaramre@cisco.com>
2019-12-14 22:14:12 +00:00