23 Commits

Author SHA1 Message Date
Neale Ranns
6afaae156a ipsec: GCM, Anti-replay and ESN fixes
Type: fix

Several Fixes:
 1 - Anti-replay did not work with GCM because it overwrote the sequence
number in the ESP header. To fix, I added the seq num to the per-packet
data so it is preserved
 2 - The high sequence number was not byte swapped during ESP encrypt.
 3 - openssl engine was the only one to return FAIL_DECRYPT for bad GCM
the others return BAD_HMAC. removed the former
 4 - improved tracing to show the low and high seq numbers
 5 - documented the anti-replay window checks
 6 - fixed scapy patch for ESN support for GCM
 7 - tests for anti-replay (w/ and w/o ESN) for each crypto algo

Change-Id: Id65d96b6d1d4dd821b2ab557e87468fff6d70e5b
Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-07-24 11:01:47 +00:00
Neale Ranns
47feb1146e IPSEC: support GCM in ESP
Change-Id: Id2ddb77b4ec3dd543d6e638bc882923f2bac011d
Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-16 15:54:31 +00:00
Neale Ranns
49e7ef60cb IPSEC: ESP with ESN tests and fixes
Change-Id: Ie42b26e6d5cdb7b23f370ea2933c65079e8d1089
Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-11 19:42:34 +00:00
Neale Ranns
3833ffd6c6 IPSEC tests and fix for Extended Sequence Numbers
Change-Id: Iad6c4b867961ec8036110a4e15a829ddb93193ed
Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-25 20:03:24 +00:00
Filip Varga
eb60124098 cdp scapy protocol & cdp unit tests
Change-Id: Ieb362523f81f7ae3e1a9dceb341c499ff1f402c8
Signed-off-by: Filip Varga <fivarga@cisco.com>
2018-11-02 13:16:10 +00:00
Ole Troan
282093f1fe IPIP and IPv6 fragmentation
- Error where ICMPv6 error code doesn't reset VLIB_TX = -1
  Leading to crash for ICMP generated on tunnelled packets
- Missed setting VNET_BUFFER_F_LOCALLY_ORIGINATED, so
  IP in IPv6 packets never got fragmented.
- Add support for fragmentation of buffer chains.
- Remove support for inner fragmentation in frag code itself.

Change-Id: If9a97301b7e35ca97ffa5c0fada2b9e7e7dbfb27
Signed-off-by: Ole Troan <ot@cisco.com>
2018-09-27 08:47:40 +00:00
Mohsin Kazmi
61b94c6bc4 vxlan-gbp: Add support for vxlan gbp
This patch implements vxlan with extension of group based
policy support.

Change-Id: I70405bf7332c02867286da8958d9652837edd3c2
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2018-09-10 12:38:30 +00:00
Francois Clad
d47da680eb srv6: Fixing SRH parsing bug in Scapy 2.4
Change-Id: Ib2cb345d07665735697bf54ad48d353ba4112eda
Signed-off-by: Francois Clad <fclad@cisco.com>
2018-07-11 13:17:46 +00:00
Neale Ranns
2bc940272e Scapy upgrade to 2.4.0.rc5
- many of the patches fd.io applies in test/patches/2.3.3 are now upstreamed in 2.4
- 2.4 adds support for IGMPv3 which is my main motivation for the upgrade

Change-Id: If2c0a524e3cba320b4a5d8cd07817c6ea2bf0c5a
Signed-off-by: Neale Ranns <nranns@cisco.com>
2018-03-19 13:09:45 +00:00
John Lo
2bf8b8154d Fix ERSPAN encap to set EN bits in the header and add test case
For ERSPAN encap, both bits in the EN field of the header should
be set to indicate any VLAN tag in the original Ethernet frame is
preserved.
Added SPAN L2 test case where the mirrored packet output is a GRE
ERSPAN tunnel.

Change-Id: Ie7a40992a9278469c24aa6fa9e122b4505797d10
Signed-off-by: John Lo <loj@cisco.com>
2018-03-01 13:09:57 +00:00
Neale Ranns
cbcc84ba66 update BIER scapy patch to match the scapy repo PR
Change-Id: I4953b8444b49d1ad445c98a199ae8fd1635e24a5
Signed-off-by: Neale Ranns <nranns@cisco.com>
2018-02-26 11:29:22 +00:00
Neale Ranns
f051072f85 BIER: fix support for longer bit-string lengths
Change-Id: I2421197b76be58099e5f8ed5554410adff202109
Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
2018-02-06 12:44:08 +00:00
Klement Sekera
75e7d13014 IPv4/6 reassembly
Change-Id: Ic5dcadd13c88b8a5e7896dab82404509c081614a
Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-02-01 23:41:17 +00:00
Neale Ranns
8716e6bf43 GRE: fix single loop decap and add test
Change-Id: I64e8a76a17057ae69de72a5a80c0a194cd0c21cb
Signed-off-by: Neale Ranns <nranns@cisco.com>
2017-12-13 15:14:49 +00:00
Neale Ranns
9128637ee8 BIER in non-MPLS networks
as described in section 2.2
  https://tools.ietf.org/html/draft-ietf-bier-mpls-encapsulation-10
with BIFT encoding from:
  https://tools.ietf.org/html/draft-wijnandsxu-bier-non-mpls-bift-encoding-00

changes:
1 - introduce the new BIFT lookup table. BIER tables that have an associated
    MPLS label are added to the MPLS-FIB. Those that don't are added to the
    BIER table
2 - BIER routes that have no associated output MPLS label will add a BIFT label.
3 - The BIER FMask has a path-list as a member to resolve via any possible path.

Change-Id: I1fd4d9dbd074f0e855c16e9329b81460ebe1efce
Signed-off-by: Neale Ranns <nranns@cisco.com>
2017-12-09 20:55:08 +00:00
Gabriel Ganne
3904a0c72b vxlan extended tests - fix scapy-related issues
- Add vxlan-gpe binding on udp port 4790 (taken from scapy upstream)
- VXLAN.VNI -> VXLAN.vni

Change-Id: If7ad38fa04fbfec01e01c81a06e88ffe70183672
Signed-off-by: Gabriel Ganne <gabriel.ganne@enea.com>
2017-11-15 15:43:11 +00:00
Neale Ranns
d792d9c01e BIER
- see draft-ietf-bier-mpls-encapsulation-10
- midpoint, head and tail functions
- supported payload protocols; IPv4 and IPv6 only.

Change-Id: I59d7363bb6fdfdce8e4016a68a9c8f5a5e5791cb
Signed-off-by: Neale Ranns <nranns@cisco.com>
2017-11-09 15:16:52 +00:00
Marco Varlese
b598f1d3d7 Initial GENEVE TUNNEL implementation and tests.
Notes on this first implementation:
* First version of the implementation does NOT support GENEVE OPTIONS
HEADER: it isn't well understood what the purpose of the OPTIONS will be and/or
what content would be placed in the variable option data;

Once the IETF work will evolve and further information will be available
it could be possible to modify the frame rewrite to contemplate the
actual GENEVE OPTIONS.

Change-Id: Iddfe6f408cc45bb0800f00ce6a3e302e48a4ed52
Signed-off-by: Marco Varlese <marco.varlese@suse.com>
2017-10-06 08:51:09 +00:00
Kris Michielsen
910744394f SRv6 tests
Change-Id: Ib1d2fc5a83d9d007a0468591a73881675f1bec9b
Signed-off-by: Kris Michielsen <kmichiel@cisco.com>
2017-08-22 11:12:34 +00:00
Neale Ranns
71275e3d1e MPLS hash function improvements
Change-Id: I28e98f445c01493562b6196a4f5b532a51f178af
Signed-off-by: Neale Ranns <nranns@cisco.com>
2017-05-25 21:03:11 +00:00
Neale Ranns
fca0c242e4 DHCPv[46] proxy tests
Change-Id: I6aaf9c602cd515ed9d4416d286f9191d048c1a87
Signed-off-by: Neale Ranns <nranns@cisco.com>
2017-01-26 05:14:35 -08:00
Neale Ranns
ad422ed7ea MPLS infrastructure improvements
- deprecate MPLSoEth and MPLSoGRE; replace with generic MPLS tunnel.
- deprecates CLI 'mpls encap ..'; replace with addition of MPLS out label to a route/tunnel.
- support for MPLS 'routes', e.g. MPLS x-connects.
- deprecates CLI 'mpls decap ..'; replace with 'mpls route .. '

Change-Id: Ibda46544912f880d0200f22bf9ff9b52828fcc2f
Signed-off-by: Neale Ranns <nranns@cisco.com>
2016-12-02 11:09:36 +00:00
Neale Ranns
177bbdcd8f GRE tests and fixes
Change-Id: I234240e9bdd4b69ad64a17b1449ae1e81c0edaca
Signed-off-by: Neale Ranns <nranns@cisco.com>
2016-11-22 21:26:55 +00:00