75 Commits

Author SHA1 Message Date
Benoît Ganne
d13b61171b tests: fix ipv6 fragmented esp w/ scapy 2.4.5
Since scapy 2.4.4, scapy will not decode the next layer if the fragment
offset is not 0 - IOW it will decode only for the 1st fragment.
See f1c26e77c5

Type: fix

Change-Id: If738734f90b15b24c0d98fec4bce4ff48c6d5fea
Signed-off-by: Benoît Ganne <bganne@cisco.com>
2024-08-07 13:18:47 +00:00
Dave Wallace
cf9356d642 tests: update scapy to version 2.4.5
- Required for Ubuntu 24.04 LTS jobs
- temporarily disable TestIpsecEsp1 and
  TestIpsecAhAll tests until a patch can
  be added to fix them

Type: test

Change-Id: I1ae7b170117182c3252629bbbb770775e2c496c9
Signed-off-by: Benoît Ganne <bganne@cisco.com>
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2024-08-07 09:15:17 +00:00
Dmitry Valter
34fa0ce8f7 tests: skip more excluded plugin tests
Check and skip VPP_EXCLUDED_PLUGINS tests for most of plugins.

Type: improvement
Signed-off-by: Dmitry Valter <d-valter@yandex-team.com>
Change-Id: I23fd3666729251c639aa8da72a676058e3f5bb4e
2024-07-12 15:43:24 +00:00
Dave Wallace
8800f732f8 tests: refactor asf framework code
- Make framework.py classes a subset of asfframework.py classes
- Remove all packet related code from asfframework.py
- Add test class and test case set up debug output to log
- Repatriate packet tests from asf to test directory
- Remove non-packet related code from framework.py and
  inherit them from asfframework.py classes
- Clean up unused import variables
- Re-enable BFD tests on Ubuntu 22.04 and fix
  intermittent test failures in echo_looped_back
  testcases (where # control packets verified but
  not guaranteed to be received during test)
- Re-enable Wireguard tests on Ubuntu 22.04 and fix
  intermittent test failures in handshake ratelimiting
  testcases and event testcase
- Run Wiregard testcase suites solo
- Improve debug output in log.txt
- Increase VCL/LDP post sleep timeout to allow iperf server
  to finish cleanly.
- Fix pcap history files to be sorted by suite and testcase
  and ensure order/timestamp is correct based on creation
  in the testcase.
- Decode pcap files for each suite and testcase for all
  errors or if configured via comandline option / env var
- Improve vpp corefile detection to allow complete corefile
  generation
- Disable vm vpp interfaces testcases on debian11
- Clean up failed unittest dir when retrying failed testcases
  and unify testname directory and failed linknames into
  framwork functions

Type: test

Change-Id: I0764f79ea5bb639d278bf635ed2408d4d5220e1e
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2023-11-03 05:06:43 +00:00
Maxime Peim
0e2f188f7c ipsec: huge anti-replay window support
Type: improvement

Since RFC4303 does not specify the anti-replay window size, VPP should
support multiple window size. It is done through a clib_bitmap.

Signed-off-by: Maxime Peim <mpeim@cisco.com>
Change-Id: I3dfe30efd20018e345418bef298ec7cec19b1cfc
2023-10-30 15:23:13 +00:00
Benoît Ganne
84e6658486 ipsec: add support for RFC-4543 ENCR_NULL_AUTH_AES_GMAC
Type: improvement

Change-Id: I830f7a2ea3ac0aff5185698b9fa7a278c45116b0
Signed-off-by: Benoît Ganne <bganne@cisco.com>
2023-08-08 10:16:26 +00:00
Xiaoming Jiang
9a9604b09f crypto: make crypto-dispatch node working in adaptive mode
This patch can make crypto dispatch node adaptively switching
between pooling and interrupt mode, and improve vpp overall
performance.

Type: improvement
Signed-off-by: Xiaoming Jiang <jiangxiaoming@outlook.com>
Change-Id: I845ed1d29ba9f3c507ea95a337f6dca7f8d6e24e
2023-06-01 10:17:50 +00:00
Arthur de Kerhor
0df06b6e95 ipsec: fix SA names consistency in tests
In some IPsec tests, the SA called scapy_sa designs the SA that
encrypts Scapy packets and decrypts them in VPP, and the one
called vpp_sa the SA that encrypts VPP packets and decrypts them
with Scapy. However, this pattern is not consistent across all
tests. Some tests use the opposite logic. Others even mix both
correlating scapy_tra_spi with vpp_tra_sa_id and vice-versa.

Because of that, sometimes, the SA called vpp_sa_in is used as an
outbound SA and vpp_sa_out as an inbound one.

This patch forces all the tests to follow the same following logic:
- scapy_sa is the SA used to encrypt Scapy packets and decrypt
them in VPP. It matches the VPP inbound SA.
- vpp_sa is the SA used to encrypt VPP packets and decrypt them in
Scapy. It matches the VPP outbound SA.

Type: fix
Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
Change-Id: Iadccdccbf98e834add13b5f4ad87af57e2ea3c2a
2023-02-06 03:49:14 +00:00
Dave Wallace
76a1d0580a tests: enable ipsec-esp 'make test' testcases on ubuntu-22.04
Type: test

Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: I016fd169813e369208089df122477152aaf9ffc2
2022-09-27 13:11:53 -04:00
Dave Wallace
e95b246c7b tests: skip tests failing on ubuntu 22.04
Type: test

Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: I218059de5d05680d661f302293475b6c2a7bf81d
2022-09-19 13:59:05 +00:00
Piotr Bronowski
815c6a4fbc ipsec: change wildcard value for any protocol of spd policy
Currently 0 has been used as the wildcard representing ANY type of
protocol. However 0 is valid value of ip protocol (HOPOPT) and therefore
it should not be used as a wildcard. Instead 255 is used which is
guaranteed by IANA to be reserved and not used as a protocol id.

Type: improvement
Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com>
Change-Id: I2320bae6fe380cb999dc5a9187beb68fda2d31eb
2022-06-28 14:53:07 +00:00
Klement Sekera
d9b0c6fbf7 tests: replace pycodestyle with black
Drop pycodestyle for code style checking in favor of black. Black is
much faster, stable PEP8 compliant code style checker offering also
automatic formatting. It aims to be very stable and produce smallest
diffs. It's used by many small and big projects.

Running checkstyle with black takes a few seconds with a terse output.
Thus, test-checkstyle-diff is no longer necessary.

Expand scope of checkstyle to all python files in the repo, replacing
test-checkstyle with checkstyle-python.

Also, fixstyle-python is now available for automatic style formatting.

Note: python virtualenv has been consolidated in test/Makefile,
test/requirements*.txt which will eventually be moved to a central
location.  This is required to simply the automated generation of
docker executor images in the CI.

Type: improvement
Change-Id: I022a326603485f58585e879ac0f697fceefbc9c8
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2022-05-10 18:52:08 +00:00
Nathan Skrzypczak
2c77ae484c docs: vnet comment nitfixes
Type: improvement

Change-Id: Iac01d7830b53819ace8f199554be10ab89ecdb97
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2021-10-06 12:32:20 +00:00
Neale Ranns
e11203e5b8 ipsec: Record the number of packets lost from an SA
Type: feature

Gaps in the sequence numbers received on an SA indicate packets that were lost.
Gaps are identified using the anti-replay window that records the sequences seen.

Publish the number of lost packets in the stats segment at /net/ipsec/sa/lost

Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I8af1c09b7b25a705e18bf82e1623b3ce19e5a74d
2021-09-29 14:27:48 +00:00
Dave Wallace
d170681b24 tests docs: upgrade python packages
- Upgrade python package requirements for test & docs
- Clean up docs generation warnings
- Consolidate python requirements for docs in test
  requirements specs.
- Upgrade pip

Type: make

Change-Id: I74a3924b43ed93d15b32ec9f6fc41ed1ba95b69b
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2021-08-13 15:57:21 +00:00
Neale Ranns
5b8911020e ipsec: Fix setting the hi-sequence number for decrypt
Type: fix

two problems;
 1 - just because anti-reply is not enabled doesn't mean the high sequence
number should not be used.
   - fix, there needs to be some means to detect a wrapped packet, so we
use a window size of 2^30.
 2 - The SA object was used as a scratch pad for the high-sequence
number used during decryption. That means that once the batch has been
processed the high-sequence number used is lost. This means it is not
possible to distinguish this case:
      if (seq < IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND (tl))
	{
	  ...
	  if (post_decrypt)
	    {
	      if (hi_seq_used == sa->seq_hi)
		/* the high sequence number used to succesfully decrypt this
		 * packet is the same as the last-sequnence number of the SA.
		 * that means this packet did not cause a wrap.
		 * this packet is thus out of window and should be dropped */
		return 1;
	      else
		/* The packet decrypted with a different high sequence number
		 * to the SA, that means it is the wrap packet and should be
		 * accepted */
		return 0;
	    }
  - fix: don't use the SA as a scratch pad, use the 'packet_data' - the
same place that is used as the scratch pad for the low sequence number.

other consequences:
 - An SA doesn't have seq and last_seq, it has only seq; the sequence
numnber of the last packet tx'd or rx'd.
 - there's 64bits of space available on the SA's first cache line. move
the AES CTR mode IV there.
 - test the ESN/AR combinations to catch the bugs this fixes. This
doubles the amount of tests, but without AR on they only run for 2
seconds. In the AR tests, the time taken to wait for packets that won't
arrive is dropped from 1 to 0.2 seconds thus reducing the runtime of
these tests from 10-15 to about 5 sceonds.

Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Iaac78905289a272dc01930d70decd8109cf5e7a5
2021-06-29 17:12:28 +00:00
Neale Ranns
9c23ff8c8a ipsec: Enable the extended Sequence Number IPSec tests for GCM
Type: test

Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ie691b1c8841f5e195525bfff990f12ab918ba394
2021-06-28 13:32:40 +00:00
Benoît Ganne
5c481ff732 crypto: fix chained buffer integrity support
Type: fix

Change-Id: I984a3e577a4209e41d046eaf3a8eef8986dc6147
Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-04-29 15:48:25 +00:00
Klement Sekera
8d8150262b tests: add support for worker awareness
VppTestCase now has vpp_worker_count property set to number of workers.
This can be overriden by child classes. Also overriden by
VPP_WORKER_CONFIG variable for legacy reasons.

Type: improvement
Change-Id: Ic328bacb9003ddf9e92815767653bd362aa7f086
Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-03-20 01:14:20 +00:00
Neale Ranns
f16e9a5507 ipsec: Support async mode per-SA
Type: feature

This feautre only applies to ESP not AH SAs.
As well as the gobal switch for ayncs mode, allow individual SAs to be
async.
If global async is on, all SAs are async. If global async mode is off,
then if then an SA can be individually set to async. This preserves the
global switch behaviour.

the stratergy in the esp encrypt.decrypt nodes is to separate the frame
into, 1) sync buffers, 2) async buffers and 3) no-op buffers.
Sync buffer will undergo a cyrpto/ath operation, no-op will not, they
are dropped or handed-off.

Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ifc15b10b870b19413ad030ce7f92ed56275d6791
2021-03-05 10:34:55 +00:00
Neale Ranns
fc81134a26 ipsec: Submit fuller async frames
Type: improvement

In the current scheme an async frame is submitted each time the crypto
op changes. thus happens each time a different SA is used and thus
potentially many times per-node. thi can lead to the submision of many
partially filled frames.

change the scheme to construct as many full frames as possible in the
node and submit them all at the end. the frame owner ship is passed to
the user so that there can be more than one open frame per-op at any
given time.

Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ic2305581d7b5aa26133f52115e0cd28ba956ed55
2021-03-05 10:34:55 +00:00
Neale Ranns
8c609af230 tests: Add tests for IPSec async mode using the crypto SW scheduler
Type: test

Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Iabc8f2b09ee10a82aacebd36acfe8648cf69b7d7
2021-02-25 16:12:48 +00:00
Neale Ranns
9ec846c268 ipsec: Use the new tunnel API types to add flow label and TTL copy
support

Type: feature

attmpet 2. this includes changes in ah_encrypt that don't use
uninitialised memory when doing tunnel mode fixups.

Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ie3cb776f5c415c93b8a5ee22f22586fd0181110d
2021-02-10 13:39:37 +00:00
Matthew Smith
751bb131ef Revert "ipsec: Use the new tunnel API types to add flow label and TTL copy"
This reverts commit c7eaa711f3e25580687df0618e9ca80d3dc85e5f.

Reason for revert: The jenkins job named 'vpp-merge-master-ubuntu1804-x86_64' had 2 IPv6 AH tests fail after the change was merged. Those 2 tests also failed the next time that job ran after an unrelated change was merged.

Change-Id: I0e2c3ee895114029066c82624e79807af575b6c0
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-02-09 04:18:37 +00:00
Neale Ranns
c7eaa711f3 ipsec: Use the new tunnel API types to add flow label and TTL copy
support

Type: feature

Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I6d4a9b187daa725d4b2cbb66e11616802d44d2d3
2021-02-08 19:37:28 +00:00
Benoît Ganne
490b92738f ipsec: add support for AES CTR
Type: feature

Change-Id: I9f7742cb12ce30592b0b022c314b71c81fa7223a
Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-02-05 12:52:07 +00:00
Neale Ranns
041add7d12 ipsec: Tunnel SA DSCP behaviour
Type: feature

 - use tunnel_encap_decap_flags to control the copying of DSCP/ECN/etc
during IPSEC tunnel mode encap.
 - use DSCP value to have fixed encap value.

Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: If4f51fd4c1dcbb0422aac9bd078e5c14af5bf11f
2020-11-02 08:49:08 +00:00
Christian Hopps
fb7e7ed2cd ipsec: fix padding/alignment for native IPsec encryption
Not all ESP crypto algorithms require padding/alignment to be the same
as AES block/IV size. CCM, CTR and GCM all have no padding/alignment
requirements, and the RFCs indicate that no padding (beyond ESPs 4 octet
alignment requirement) should be used unless TFC (traffic flow
confidentiality) has been requested.

  CTR: https://tools.ietf.org/html/rfc3686#section-3.2
  GCM: https://tools.ietf.org/html/rfc4106#section-3.2
  CCM: https://tools.ietf.org/html/rfc4309#section-3.2

- VPP is incorrectly using the IV/AES block size to pad CTR and GCM.
These modes do not require padding (beyond ESPs 4 octet requirement), as
a result packets will have unnecessary padding, which will waste
bandwidth at least and possibly fail certain network configurations that
have finely tuned MTU configurations at worst.

Fix this as well as changing the field names from ".*block_size" to
".*block_align" to better represent their actual (and only) use. Rename
"block_sz" in esp_encrypt to "esp_align" and set it correctly as well.

test: ipsec: Add unit-test to test for RFC correct padding/alignment

test: patch scapy to not incorrectly pad ccm, ctr, gcm modes as well

- Scapy is also incorrectly using the AES block size of 16 to pad CCM,
CTR, and GCM cipher modes. A bug report has been opened with the
and acknowledged with the upstream scapy project as well:

  https://github.com/secdev/scapy/issues/2322

Ticket: VPP-1928
Type: fix
Signed-off-by: Christian Hopps <chopps@labn.net>
Change-Id: Iaa4d6a325a2e99fdcb2c375a3395bcfe7947770e
2020-09-07 09:43:27 +00:00
PiotrX Kleski
fdca4dd1a1 ipsec: fixed chaining ops after add footer and icv
In case there is no free space in first buffer for ICV and footer,
additional buffer will be added, but esp_encrypt will stay in single
buffer mode.
The issue happens for the following payload sizes:
 - TCP packets with payload 1992
 - ICMP packets with payload 2004

This fix moves the single/chained buffer ops selection to after
esp_add_footer_and_icv call.

Type: fix

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Signed-off-by: PiotrX Kleski <piotrx.kleski@intel.com>
Change-Id: Ic5ceba418f738933f96edb3e489ca2d149033b79
2020-05-24 07:31:49 +00:00
Neale Ranns
b1fd80f099 ipsec: Support 4o6 and 6o4 for SPD tunnel mode SAs
Type: feature

the es4-encrypt and esp6-encrypt nodes need to be siblings so they both have the same edges for the DPO on which the tunnel mode SA stacks.

Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I2126589135a1df6c95ee14503dfde9ff406df60a
2020-05-13 11:15:57 +00:00
Filip Tehlar
e4e8c6b082 ipsec: fix chained ESP
This fixes a special case when buffer chain enters decrypt node
and becomes a single buffer after decryption.

Type: fix

Change-Id: Id5da9e8a074f83ec3561949631ce613f35528312
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-03-31 10:14:30 +00:00
Filip Tehlar
39cf40a700 tests: speed up ipsec unit tests execution
... by removing duplicit test cacses.
There is little value in testing ESN flag when no integ algo
is used. This patch removes such test cases.

Type: improvement

Change-Id: Iae5baa1d39ac32a65d1d28ad57771a87962d8bb3
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-03-26 13:16:06 +00:00
Florin Coras
ae8102ec0e ipsec: Revert "ipsec: fix chained ESP"
This reverts commit c2c1bfd9b72aec88526c06479b128725eb525866.

Reason for revert: Seems it's breaking ipsec esp tests

Type: fix

Change-Id: Iac590eee23cbf92a10c62dafa789aa9c3b2284dd
Signed-off-by: Florin Coras <fcoras@cisco.com>
2020-03-23 21:24:34 +00:00
Filip Tehlar
c2c1bfd9b7 ipsec: fix chained ESP
This fixes a special case when buffer chain enters decrypt node
and becomes a single buffer after decryption.

Type: fix

Change-Id: I1d4da029b952baa97400adb7173aa63fd97d916b
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-03-23 13:24:20 +00:00
Filip Tehlar
efcad1a9d2 ipsec: add support for chained buffers
Type: feature

Change-Id: Ie072a7c2bbb1e4a77f7001754f01897efd30fc53
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-02-11 23:07:38 +00:00
Neale Ranns
02950406c4 ipsec: Targeted unit testing
Type: fix

1 - big packets; chained buffers and those without enoguh space to add
ESP header
2 - IPv6 extension headers in packets that are encrypted/decrypted
3 - Interface protection with SAs that have null algorithms

Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: Ie330861fb06a9b248d9dcd5c730e21326ac8e973
2020-01-04 04:50:47 +00:00
Neale Ranns
4a56f4e48f ipsec: Test and fix IPSec worker hand-off
Type: fix

Change-Id: I5cb9a3845ddbc5f4de4eb4e9c481f606fe5cec9a
Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-12-23 21:39:23 +00:00
Neale Ranns
12989b5388 ipsec: remove dedicated IPSec tunnels
APIs for dedicated IPSec tunnels will remain in this release and are
used to programme the IPIP tunnel protect. APIs will be removed in a
future release.

see:
 https://wiki.fd.io/view/VPP/IPSec

Type: feature

Change-Id: I0f01f597946fdd15dfa5cae3643104d5a9c83089
Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-11-08 20:06:56 +00:00
Ole Troan
64e978b1bf ipsec: make tests support python3
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I3255702e7c562c8d04a91a095e245756c6443a9e
2019-10-18 07:49:11 +00:00
Andrew Yourtchenko
fbc388986e tests: split up the long running IPSec tests into separate classes
Type: test
Change-Id: Ieeae7f1653f5f2e8e49f258871b389ef8954c90b
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2019-09-18 23:17:16 +00:00
Neale Ranns
2cdcd0cf40 ipsec: Fix NULL encryption algorithm
Type: fix
Ticket: VPP-1756

the block-size was set to 0 resulting in incorrect placement of the ESP
footer.

add tests for NULL encrypt + integ.

Change-Id: I8ab3afda8e68f9ff649540cba3f2cac68f12bbba
Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-08-27 13:49:55 +00:00
Dmitry Vakhrushev
77cc14a2b2 ipsec: fix missed IPSEC_INTEG_ALG_MD5_96
This algorithm was missed in last improvements.

Type:fix

Signed-off-by: Dmitry Vakhrushev <dmitry@netgate.com>
Change-Id: Ib818cbdcdd1a6f298e8b0086dac4189cc201baa3
2019-08-16 09:11:41 +00:00
Neale Ranns
00625a64f4 tests: Split IPSec ESP into parameterized tests per engine
Type: feature

Change-Id: Icb1bd3fce768aebf8919c63a104f771ca7fa1d6f
Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-07-31 12:55:46 +00:00
Neale Ranns
6afaae156a ipsec: GCM, Anti-replay and ESN fixess
Type: fix

Several Fixes:
 1 - Anti-replay did not work with GCM becuase it overwrote the sequence
number in the ESP header. To fix i added the seq num to the per-packet
data so it is preserved
 2 - The high sequence number was not byte swapped during ESP encrypt.
 3 - openssl engine was the only one to return FAIL_DECRYPT for bad GCM
the others return BAD_HMAC. removed the former
 4 - improved tracing to show the low and high seq numbers
 5 - documented the anti-replay window checks
 6 - fixed scapy patch for ESN support for GCM
 7 - tests for anti-reply (w/ and w/o ESN) for each crypto algo

Change-Id: Id65d96b6d1d4dd821b2ab557e87468fff6d70e5b
Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-07-24 11:01:47 +00:00
juraj.linkes
1105766b8f tests: Re-enable ipsec tests on ARM
Type: fix

* test_ipsec_tun_if_esp.TestIpsecGreTebIfEsp
* test_ipsec_esp.TestIpsecEspAll
  add keepalive messages before each algo/engine to prevent test timeout

Change-Id: I726f3f9613bab02a65e65542cee494c68176ded7
Signed-off-by: juraj.linkes <juraj.linkes@pantheon.tech>
2019-07-10 08:01:35 +00:00
Neale Ranns
c87b66c862 ipsec: ipsec-tun protect
please consult the new tunnel proposal at:
  https://wiki.fd.io/view/VPP/IPSec

Type: feature

Change-Id: I52857fc92ae068b85f59be08bdbea1bd5932e291
Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-06-18 13:54:35 +00:00
Neale Ranns
097fa66b98 fib: fib api updates
Enhance the route add/del APIs to take a set of paths rather than just one.
Most unicast routing protocols calcualte all the available paths in one
run of the algorithm so updating all the paths at once is beneficial for the client.
two knobs control the behaviour:
  is_multipath - if set the the set of paths passed will be added to those
                 that already exist, otherwise the set will replace them.
  is_add - add or remove the set

is_add=0, is_multipath=1 and an empty set, results in deleting the route.

It is also considerably faster to add multiple paths at once, than one at a time:

vat# ip_add_del_route 1.1.1.1/32 count 100000 multipath via 10.10.10.11
100000 routes in .572240 secs, 174751.80 routes/sec
vat# ip_add_del_route 1.1.1.1/32 count 100000 multipath via 10.10.10.12
100000 routes in .528383 secs, 189256.54 routes/sec
vat# ip_add_del_route 1.1.1.1/32 count 100000 multipath via 10.10.10.13
100000 routes in .757131 secs, 132077.52 routes/sec
vat# ip_add_del_route 1.1.1.1/32 count 100000 multipath via 10.10.10.14
100000 routes in .878317 secs, 113854.12 routes/sec

vat# ip_route_add_del 1.1.1.1/32 count 100000 multipath via 10.10.10.11 via 10.10.10.12 via 10.10.10.13 via 10.10.10.14
100000 routes in .900212 secs, 111084.93 routes/sec

Change-Id: I416b93f7684745099c1adb0b33edac58c9339c1a
Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
Signed-off-by: Ole Troan <ot@cisco.com>
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2019-06-18 13:31:39 +00:00
Vladimir Ratnikov
f48050785f openssl plugin 3des routine iv_len fix
Since 3DES has 8 bytes of initialization vector and
code contains hardcode for 16 bytes, check added to
determine if crypto algorythm is 3DES_CBC and set
corresponding iv_len param

Change-Id: Iac50c8a8241e321e3b4d576c88f2496852bd905c
Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com>
2019-05-20 16:59:53 +00:00
Neale Ranns
80f6fd53fe IPSEC: Pass the algorithm salt (used in GCM) over the API
Change-Id: Ia8cea13f7b937294e6a080a55fb2ceff30063acf
Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-17 13:05:07 +00:00
Neale Ranns
d8cfbebce7 crypto-ipsecmb: enable GCM
Change-Id: I670d7899bcc63a419daf481167dc445a6386cce8
Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-17 13:03:45 +00:00