36 Commits

Author SHA1 Message Date
Andrew Yourtchenko
a47203128b build: Make the build work on Debian 11
Debian 11 has some packages that have changed, and need adjustment.
Also - its default compiler is gcc 10, which, contrary to either gcc 8
or gcc 11, prints a bunch of warnings, which fail compilation.
And there is no gcc 11 package.

Therefore, use clang for this build.

Additionally, python 3.9 has exposed this issue:
https://bugs.python.org/issue42580

Therefore, make a local patch to scapy to tackle it.

Type: feature
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: I7b9c0f852ab97fe3c1feca3f22020ac0970ba3e2
2022-02-07 18:40:51 +00:00
Arthur de Kerhor
ce04e3b038 ipsec: allow registering random ports in tests
We add the possibility to bind the destination UDP port of a Scapy SA
to the ESP layer in the IPsec tunnel protection tests, even if it is not
the default port for ESP (4500).

This allows testing IPSec tunnel protection with ports other than 4500
in the UDP header, without hardcoding them in the Scapy patch (ex: 4545).

Type: improvement

Change-Id: I1eea3d4660ed1b59d827250a419af6b7b41c4a72
Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
2022-01-05 08:18:03 +00:00
Neale Ranns
3be9164f80 misc: deprecate gbp and its dependents
Type: improvement

Signed-off-by: Neale Ranns <nranns@cisco.com>
Signed-off-by: Benoît Ganne <bganne@cisco.com>
Change-Id: I2f30a4f04fd9a8635ce2d259b5fd5b0c85cee8c3
2021-11-23 13:03:36 +00:00
Neale Ranns
4a58e49cfe ipsec: Support MPLS over IPSec[46] interface
Type: feature

Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I89dc3815eabfee135cd5b3c910dea5e2e2ef1333
2021-01-18 08:35:52 +00:00
Filip Tehlar
558607dc3a ikev2: better packet parsing functions
Ticket: VPP-1918
Type: improvement

Change-Id: I2bc3e30121697404dcd54f1c2127bd85ccc1029e
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-09-30 16:38:59 +00:00
Christian Hopps
fb7e7ed2cd ipsec: fix padding/alignment for native IPsec encryption
Not all ESP crypto algorithms require padding/alignment to be the same
as AES block/IV size. CCM, CTR and GCM all have no padding/alignment
requirements, and the RFCs indicate that no padding (beyond ESP's 4 octet
alignment requirement) should be used unless TFC (traffic flow
confidentiality) has been requested.

  CTR: https://tools.ietf.org/html/rfc3686#section-3.2
  GCM: https://tools.ietf.org/html/rfc4106#section-3.2
  CCM: https://tools.ietf.org/html/rfc4309#section-3.2

- VPP is incorrectly using the IV/AES block size to pad CTR and GCM.
These modes do not require padding (beyond ESP's 4 octet requirement), as
a result packets will have unnecessary padding, which will waste
bandwidth at least and possibly fail certain network configurations that
have finely tuned MTU configurations at worst.

Fix this as well as changing the field names from ".*block_size" to
".*block_align" to better represent their actual (and only) use. Rename
"block_sz" in esp_encrypt to "esp_align" and set it correctly as well.

test: ipsec: Add unit-test to test for RFC correct padding/alignment

test: patch scapy to not incorrectly pad ccm, ctr, gcm modes as well

- Scapy is also incorrectly using the AES block size of 16 to pad CCM,
CTR, and GCM cipher modes. A bug report has been opened with, and
acknowledged by, the upstream scapy project as well:

  https://github.com/secdev/scapy/issues/2322

Ticket: VPP-1928
Type: fix
Signed-off-by: Christian Hopps <chopps@labn.net>
Change-Id: Iaa4d6a325a2e99fdcb2c375a3395bcfe7947770e
2020-09-07 09:43:27 +00:00
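As an added illustration of the padding rule the commit above describes (example code, not VPP's or Scapy's own), the functions below build and validate an RFC 4303 ESP trailer for a given alignment, so the extra octets produced by aligning CTR/GCM/CCM to the 16-octet AES block instead of 4 can be seen directly. Function names and the sample payload are constructed for this example.

```python
# Added example (not VPP or Scapy code): ESP trailer padding per RFC 4303,
# contrasting the 4-octet alignment CTR/GCM/CCM need with the 16-octet AES
# block alignment that was wrongly applied to them.
ESP_TRAILER_FIXED = 2  # Pad Length (1 octet) + Next Header (1 octet)


def esp_pad_len(payload_len: int, block_align: int) -> int:
    """Octets of padding so that payload + padding + 2-octet trailer is a
    multiple of block_align (4 for CTR/GCM/CCM, 16 for AES-CBC)."""
    if block_align < 4 or block_align % 4:
        raise ValueError("ESP alignment must be a multiple of 4 octets")
    return (-(payload_len + ESP_TRAILER_FIXED)) % block_align


def build_esp_trailer(payload: bytes, block_align: int, next_header: int) -> bytes:
    """Return payload || padding || pad_len || next_header using the default
    RFC 4303 monotonic padding bytes 1, 2, 3, ..."""
    n = esp_pad_len(len(payload), block_align)
    padding = bytes(range(1, n + 1))
    return payload + padding + bytes([n, next_header])


def parse_esp_trailer(plaintext: bytes):
    """Strip and validate the trailer of a decrypted ESP body.
    Returns (payload, next_header); raises ValueError if inconsistent."""
    if len(plaintext) < ESP_TRAILER_FIXED:
        raise ValueError("ESP body too short for trailer")
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len + ESP_TRAILER_FIXED > len(plaintext):
        raise ValueError("pad length exceeds ESP body")
    padding = plaintext[-2 - pad_len:-2]
    # RFC 4303 lets the receiver check default padding; a mismatch after a
    # successful integrity check points at a sender/implementation bug.
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("non-default ESP padding bytes")
    return plaintext[:-2 - pad_len], next_header


def wasted_octets(payload_len: int) -> int:
    """Extra padding caused by aligning CTR/GCM/CCM to 16 instead of 4."""
    return esp_pad_len(payload_len, 16) - esp_pad_len(payload_len, 4)


if __name__ == "__main__":
    body = build_esp_trailer(b"x" * 100, 4, 4)  # constructed 100-octet IPv4 payload
    print(len(body), wasted_octets(100))
```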
Neale Ranns
abc5660c61 ipsec: User can choose the UDP source port
Type: feature

thus allowing NAT traversal,

Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: Ie8650ceeb5074f98c68d2d90f6adc2f18afeba08
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2020-05-05 18:36:33 +00:00
Matthew Smith
39e9428b90 vrrp: add plugin providing vrrp support
Type: feature

Add a new plugin to support HA using VRRPv3 (RFC 5798).

Change-Id: Iaa2c37e6172f8f41e9165f178f44d481f6e247b9
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2020-02-13 19:46:30 +00:00
pcamaril
30e7671c85 sr: update NH value for Ethernet payloads
Upon encapsulation of L2 frames, IETF has replaced the NextHeader value from 59 (IPv6 No Next Header) to 143 (Ethernet).
https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

Type: fix

Signed-off-by: pcamaril <pcamaril@cisco.com>
Change-Id: I88aa5590c81d16700ff7a0bbe6337e113179496e
Signed-off-by: pcamaril <pcamaril@cisco.com>
2020-02-11 16:25:41 +00:00
Paul Vinciguerra
53131d2a26 tests: fix cdp patch for scapy 2.4.3
Type: test
Fixes: 5d4b8912d2fe186b4fb920a72b3a2f7b556f4e7d

Change-Id: Ib64ae00eba41b2b6afc728142cbccc02d07f4997
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2019-12-18 20:42:36 +00:00
snaramre
5d4b8912d2 tests: changes for scapy 2.4.3 migration
Type: fix
Change-Id: I7e041b666dabd90df23a920a1f1d99db4c10ddfe
Signed-off-by: snaramre <snaramre@cisco.com>
2019-12-14 22:14:12 +00:00
Renato Botelho do Couto
ead1e536d6 misc: Fix python scripts shebang line
Type: fix

Since CentOS 8, RPM build script doesn't accept '#!/usr/bin/env python'
as a valid shebang line.  It requires scripts to explicitly choose
between python2 or python3.

Change all to use python3 as suggested by Paul Vinciguerra.

Depends-On: https://gerrit.fd.io/r/23170

Signed-off-by: Renato Botelho do Couto <renato@netgate.com>
Change-Id: Ie72af9f60fd0609e07f05b70f8d96e738b2754d1
2019-11-05 21:08:59 +00:00
Ole Troan
2a884db1d1 cdp: re-enable skipped tests for python3
CDP uses the running system's host name, which
caused different failures on different systems.
The root cause was a python3 specific error in
checksum calculation.

Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I205436682d46e7e8cbb8c057c03a76dbbcab4d72
2019-10-23 12:19:37 +00:00
Neale Ranns
6afaae156a ipsec: GCM, Anti-replay and ESN fixes
Type: fix

Several Fixes:
 1 - Anti-replay did not work with GCM because it overwrote the sequence
number in the ESP header. To fix, I added the seq num to the per-packet
data so it is preserved.
 2 - The high sequence number was not byte swapped during ESP encrypt.
 3 - openssl engine was the only one to return FAIL_DECRYPT for bad GCM;
the others return BAD_HMAC. Removed the former.
 4 - improved tracing to show the low and high seq numbers
 5 - documented the anti-replay window checks
 6 - fixed scapy patch for ESN support for GCM
 7 - tests for anti-replay (w/ and w/o ESN) for each crypto algo

Change-Id: Id65d96b6d1d4dd821b2ab557e87468fff6d70e5b
Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-07-24 11:01:47 +00:00
Neale Ranns
47feb1146e IPSEC: support GCM in ESP
Change-Id: Id2ddb77b4ec3dd543d6e638bc882923f2bac011d
Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-16 15:54:31 +00:00
Neale Ranns
49e7ef60cb IPSEC: ESP with ESN tests and fixes
Change-Id: Ie42b26e6d5cdb7b23f370ea2933c65079e8d1089
Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-11 19:42:34 +00:00
Neale Ranns
3833ffd6c6 IPSEC tests and fix for Extended Sequence Numbers
Change-Id: Iad6c4b867961ec8036110a4e15a829ddb93193ed
Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-25 20:03:24 +00:00
Filip Varga
eb60124098 cdp scapy protocol & cdp unit tests
Change-Id: Ieb362523f81f7ae3e1a9dceb341c499ff1f402c8
Signed-off-by: Filip Varga <fivarga@cisco.com>
2018-11-02 13:16:10 +00:00
Ole Troan
282093f1fe IPIP and IPv6 fragmentation
- Error where ICMPv6 error code doesn't reset VLIB_TX = -1
  Leading to crash for ICMP generated on tunnelled packets
- Missed setting VNET_BUFFER_F_LOCALLY_ORIGINATED, so
  IP in IPv6 packets never got fragmented.
- Add support for fragmentation of buffer chains.
- Remove support for inner fragmentation in frag code itself.

Change-Id: If9a97301b7e35ca97ffa5c0fada2b9e7e7dbfb27
Signed-off-by: Ole Troan <ot@cisco.com>
2018-09-27 08:47:40 +00:00
Mohsin Kazmi
61b94c6bc4 vxlan-gbp: Add support for vxlan gbp
This patch implements vxlan with extension of group based
policy support.

Change-Id: I70405bf7332c02867286da8958d9652837edd3c2
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2018-09-10 12:38:30 +00:00
Francois Clad
d47da680eb srv6: Fixing SRH parsing bug in Scapy 2.4
Change-Id: Ib2cb345d07665735697bf54ad48d353ba4112eda
Signed-off-by: Francois Clad <fclad@cisco.com>
2018-07-11 13:17:46 +00:00
Neale Ranns
2bc940272e Scapy upgrade to 2.4.0.rc5
- many of the patches fd.io applies in test/patches/2.3.3 are now upstreamed in 2.4
- 2.4 adds support for IGMPv3 which is my main motivation for the upgrade

Change-Id: If2c0a524e3cba320b4a5d8cd07817c6ea2bf0c5a
Signed-off-by: Neale Ranns <nranns@cisco.com>
2018-03-19 13:09:45 +00:00
John Lo
2bf8b8154d Fix ERSPAN encap to set EN bits in the header and add test case
For ERSPAN encap, both bits in the EN field of the header should
be set to indicate any VLAN tag in the original Ethernet frame is
preserved.
Added SPAN L2 test case where the mirrored packet output is a GRE
ERSPAN tunnel.

Change-Id: Ie7a40992a9278469c24aa6fa9e122b4505797d10
Signed-off-by: John Lo <loj@cisco.com>
2018-03-01 13:09:57 +00:00
Neale Ranns
cbcc84ba66 update BIER scapy patch to match the scapy repo PR
Change-Id: I4953b8444b49d1ad445c98a199ae8fd1635e24a5
Signed-off-by: Neale Ranns <nranns@cisco.com>
2018-02-26 11:29:22 +00:00
Neale Ranns
f051072f85 BIER: fix support for longer bit-string lengths
Change-Id: I2421197b76be58099e5f8ed5554410adff202109
Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
2018-02-06 12:44:08 +00:00
Klement Sekera
75e7d13014 IPv4/6 reassembly
Change-Id: Ic5dcadd13c88b8a5e7896dab82404509c081614a
Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-02-01 23:41:17 +00:00
Neale Ranns
8716e6bf43 GRE: fix single loop decap and add test
Change-Id: I64e8a76a17057ae69de72a5a80c0a194cd0c21cb
Signed-off-by: Neale Ranns <nranns@cisco.com>
2017-12-13 15:14:49 +00:00
Neale Ranns
9128637ee8 BIER in non-MPLS networks
as described in section 2.2
  https://tools.ietf.org/html/draft-ietf-bier-mpls-encapsulation-10
with BIFT encoding from:
  https://tools.ietf.org/html/draft-wijnandsxu-bier-non-mpls-bift-encoding-00

changes:
1 - introduce the new BIFT lookup table. BIER tables that have an associated
    MPLS label are added to the MPLS-FIB. Those that don't are added to the
    BIER table
2 - BIER routes that have no associated output MPLS label will add a BIFT label.
3 - The BIER FMask has a path-list as a member to resolve via any possible path.

Change-Id: I1fd4d9dbd074f0e855c16e9329b81460ebe1efce
Signed-off-by: Neale Ranns <nranns@cisco.com>
2017-12-09 20:55:08 +00:00
Gabriel Ganne
3904a0c72b vxlan extended tests - fix scapy-related issues
- Add vxlan-gpe binding on udp port 4790 (taken from scapy upstream)
- VXLAN.VNI -> VXLAN.vni

Change-Id: If7ad38fa04fbfec01e01c81a06e88ffe70183672
Signed-off-by: Gabriel Ganne <gabriel.ganne@enea.com>
2017-11-15 15:43:11 +00:00
Neale Ranns
d792d9c01e BIER
- see draft-ietf-bier-mpls-encapsulation-10
- midpoint, head and tail functions
- supported payload protocols; IPv4 and IPv6 only.

Change-Id: I59d7363bb6fdfdce8e4016a68a9c8f5a5e5791cb
Signed-off-by: Neale Ranns <nranns@cisco.com>
2017-11-09 15:16:52 +00:00
Marco Varlese
b598f1d3d7 Initial GENEVE TUNNEL implementation and tests.
Notes on this first implementation:
* First version of the implementation does NOT support GENEVE OPTIONS
HEADER: it isn't well understood what the purpose of the OPTIONS will be and/or
what content would be placed in the variable option data;

Once the IETF work evolves and further information is available,
it could be possible to modify the frame rewrite to contemplate the
actual GENEVE OPTIONS.

Change-Id: Iddfe6f408cc45bb0800f00ce6a3e302e48a4ed52
Signed-off-by: Marco Varlese <marco.varlese@suse.com>
2017-10-06 08:51:09 +00:00
Kris Michielsen
910744394f SRv6 tests
Change-Id: Ib1d2fc5a83d9d007a0468591a73881675f1bec9b
Signed-off-by: Kris Michielsen <kmichiel@cisco.com>
2017-08-22 11:12:34 +00:00
Neale Ranns
71275e3d1e MPLS hash function improvements
Change-Id: I28e98f445c01493562b6196a4f5b532a51f178af
Signed-off-by: Neale Ranns <nranns@cisco.com>
2017-05-25 21:03:11 +00:00
Neale Ranns
fca0c242e4 DHCPv[46] proxy tests
Change-Id: I6aaf9c602cd515ed9d4416d286f9191d048c1a87
Signed-off-by: Neale Ranns <nranns@cisco.com>
2017-01-26 05:14:35 -08:00
Neale Ranns
ad422ed7ea MPLS infrastructure improvements
- deprecate MPLSoEth and MPLSoGRE; replace with generic MPLS tunnel.
- deprecates CLI 'mpls encap ..'; replace with addition of MPLS out label to a route/tunnel.
- support for MPLS 'routes', e.g. MPLS x-connects.
- deprecates CLI 'mpls decap ..'; replace with 'mpls route .. '

Change-Id: Ibda46544912f880d0200f22bf9ff9b52828fcc2f
Signed-off-by: Neale Ranns <nranns@cisco.com>
2016-12-02 11:09:36 +00:00
Neale Ranns
177bbdcd8f GRE tests and fixes
Change-Id: I234240e9bdd4b69ad64a17b1449ae1e81c0edaca
Signed-off-by: Neale Ranns <nranns@cisco.com>
2016-11-22 21:26:55 +00:00