2 Commits

Author SHA1 Message Date
Klement Sekera
16ce09db9e tests: fix assert_nothing_captured
Type: fix
Fixes: 26cd0242c95025e0d644db3a80dfe8dee83b6d7a
Change-Id: I9a88221af65f170dc6b1f0dc0992df401e489fa2
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
2022-04-29 09:57:47 +00:00
Zachary Leaf
26fec718f2 ipsec: input: drop by default for non-matching pkts
As per IPSec RFC4301 [1], any non-matching packets should be dropped by
default. This is handled correctly in ipsec_output.c, however in
ipsec_input.c non-matching packets are allowed to pass as per a matched
BYPASS rule.

For full details, see:
https://lists.fd.io/g/vpp-dev/topic/ipsec_input_output_default/84943480

It appears the ipsec6_input_node only matches PROTECT policies. Until
this is extended to handle BYPASS + DISCARD, we may wish to not drop
by default here, since all IPv6 traffic not matching a PROTECT policy
will be dropped.

[1]: https://datatracker.ietf.org/doc/html/rfc4301

Type: fix
Signed-off-by: Zachary Leaf <zachary.leaf@arm.com>
Change-Id: Iddbfd008dbe082486d1928f6a10ffbd83d859a20
2022-03-08 17:43:43 +00:00
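
The inbound default-drop rule described in the ipsec commit message above, as an added example that is not VPP code and not part of either commit. The types, the function `spd_input_verdict`, the first-match ordering and the sample SPD are hypothetical; the `protect_only` flag models the caveat about a node that only matches PROTECT policies.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical types for illustration; not VPP's data structures. */
typedef enum { ACT_BYPASS, ACT_DISCARD, ACT_PROTECT } spd_action_t;
typedef enum { V_PASS, V_DROP, V_IPSEC } verdict_t;

typedef struct {
    uint32_t src_lo, src_hi; /* inclusive IPv4 source range, host byte order */
    uint8_t proto;           /* IP protocol number, 0 matches any */
    spd_action_t action;
} spd_rule_t;

/* Constructed sample inbound SPD, evaluated first-match in order (assumption). */
static const spd_rule_t sample_spd[] = {
    { 0x0A000100, 0x0A0001FF, 50, ACT_PROTECT }, /* 10.0.1.0/24, ESP */
    { 0x0A000200, 0x0A0002FF, 0,  ACT_BYPASS  }, /* 10.0.2.0/24, any */
    { 0x0A000300, 0x0A0003FF, 0,  ACT_DISCARD }, /* 10.0.3.0/24, any */
};
#define SAMPLE_SPD_LEN (sizeof(sample_spd) / sizeof(sample_spd[0]))

/* default_drop: 0 models a policy miss being passed, 1 models dropping it.
 * protect_only: 1 models a node that looks up PROTECT policies only. */
verdict_t spd_input_verdict(const spd_rule_t *spd, size_t n, uint32_t src,
                            uint8_t proto, int default_drop, int protect_only)
{
    for (size_t i = 0; i < n; i++) {
        const spd_rule_t *r = &spd[i];
        if (protect_only && r->action != ACT_PROTECT)
            continue; /* BYPASS and DISCARD rules are invisible to this node */
        if (src < r->src_lo || src > r->src_hi)
            continue;
        if (r->proto != 0 && r->proto != proto)
            continue;
        switch (r->action) {
        case ACT_BYPASS:  return V_PASS;
        case ACT_DISCARD: return V_DROP;
        case ACT_PROTECT: return V_IPSEC;
        }
    }
    /* No policy matched: with default_drop set, the packet is discarded. */
    return default_drop ? V_DROP : V_PASS;
}
```

With `protect_only` set, traffic covered by an explicit BYPASS rule is dropped once `default_drop` is enabled, which is the IPv6 concern raised in the commit message.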