2 * Copyright (c) 2011-2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
17 * @brief BFD nodes implementation
20 #include <vppinfra/random.h>
21 #include <vppinfra/error.h>
22 #include <vppinfra/hash.h>
23 #include <vnet/ethernet/ethernet.h>
24 #include <vnet/ethernet/packet.h>
25 #include <vnet/bfd/bfd_debug.h>
26 #include <vnet/bfd/bfd_protocol.h>
27 #include <vnet/bfd/bfd_main.h>
29 #include <openssl/sha.h>
33 bfd_us_to_clocks (bfd_main_t * bm, u64 us)
35 return bm->cpu_cps * ((f64) us / USEC_PER_SECOND);
38 static vlib_node_registration_t bfd_process_node;
40 /* set to 0 here, real values filled at startup */
41 static u32 bfd_node_index_by_transport[] = {
42 #define F(t, n) [BFD_TRANSPORT_##t] = 0,
43 foreach_bfd_transport (F)
48 format_bfd_auth_key (u8 * s, va_list * args)
50 const bfd_auth_key_t *key = va_arg (*args, bfd_auth_key_t *);
53 s = format (s, "{auth-type=%u:%s, conf-key-id=%u, use-count=%u}, ",
54 key->auth_type, bfd_auth_type_str (key->auth_type),
55 key->conf_key_id, key->use_count);
59 s = format (s, "{none}");
65 * We actually send all bfd pkts to the "error" node after scanning
66 * them, so the graph node has only one next-index. The "error-drop"
67 * node automatically bumps our per-node packet counters for us.
71 BFD_INPUT_NEXT_NORMAL,
75 static void bfd_on_state_change (bfd_main_t * bm, bfd_session_t * bs, u64 now,
79 bfd_set_defaults (bfd_main_t * bm, bfd_session_t * bs)
81 bs->local_state = BFD_STATE_down;
82 bs->local_diag = BFD_DIAG_CODE_no_diag;
83 bs->remote_state = BFD_STATE_down;
86 bs->desired_min_tx_us = BFD_DEFAULT_DESIRED_MIN_TX_US;
87 bs->desired_min_tx_clocks = bfd_us_to_clocks (bm, bs->desired_min_tx_us);
88 bs->remote_min_rx_us = 1;
89 bs->remote_demand = 0;
90 bs->auth.remote_seq_number = 0;
91 bs->auth.remote_seq_number_known = 0;
92 bs->auth.local_seq_number = random_u32 (&bm->random_seed);
96 bfd_set_diag (bfd_session_t * bs, bfd_diag_code_e code)
98 if (bs->local_diag != code)
100 BFD_DBG ("set local_diag, bs_idx=%d: '%d:%s'", bs->bs_idx, code,
101 bfd_diag_code_string (code));
102 bs->local_diag = code;
107 bfd_set_state (bfd_main_t * bm, bfd_session_t * bs,
108 bfd_state_e new_state, int handling_wakeup)
110 if (bs->local_state != new_state)
112 BFD_DBG ("Change state, bs_idx=%d: %s->%s", bs->bs_idx,
113 bfd_state_string (bs->local_state),
114 bfd_state_string (new_state));
115 bs->local_state = new_state;
116 bfd_on_state_change (bm, bs, clib_cpu_time_now (), handling_wakeup);
121 bfd_recalc_tx_interval (bfd_main_t * bm, bfd_session_t * bs)
123 if (!bs->local_demand)
125 bs->transmit_interval_clocks =
126 clib_max (bs->desired_min_tx_clocks, bs->remote_min_rx_clocks);
132 BFD_DBG ("Recalculated transmit interval %lu clocks/%.2fs",
133 bs->transmit_interval_clocks,
134 bs->transmit_interval_clocks / bm->cpu_cps);
138 bfd_calc_next_tx (bfd_main_t * bm, bfd_session_t * bs, u64 now)
140 if (!bs->local_demand)
142 if (bs->local_detect_mult > 1)
144 /* common case - 75-100% of transmit interval */
145 bs->tx_timeout_clocks = bs->last_tx_clocks +
146 (1 - .25 * (random_f64 (&bm->random_seed))) *
147 bs->transmit_interval_clocks;
148 if (bs->tx_timeout_clocks < now)
150 /* huh, we've missed it already, transmit now */
151 BFD_DBG ("Missed %lu transmit events (now is %lu, calc "
152 "tx_timeout is %lu)",
153 (now - bs->tx_timeout_clocks) /
154 bs->transmit_interval_clocks,
155 now, bs->tx_timeout_clocks);
156 bs->tx_timeout_clocks = now;
161 /* special case - 75-90% of transmit interval */
162 bs->tx_timeout_clocks =
164 (.9 - .15 * (random_f64 (&bm->random_seed))) *
165 bs->transmit_interval_clocks;
166 if (bs->tx_timeout_clocks < now)
168 /* huh, we've missed it already, transmit now */
169 BFD_DBG ("Missed %lu transmit events (now is %lu, calc "
170 "tx_timeout is %lu)",
171 (now - bs->tx_timeout_clocks) /
172 bs->transmit_interval_clocks,
173 now, bs->tx_timeout_clocks);
174 bs->tx_timeout_clocks = now;
182 if (bs->tx_timeout_clocks)
184 BFD_DBG ("Next transmit in %lu clocks/%.02fs@%lu",
185 bs->tx_timeout_clocks - now,
186 (bs->tx_timeout_clocks - now) / bm->cpu_cps,
187 bs->tx_timeout_clocks);
192 bfd_recalc_detection_time (bfd_main_t * bm, bfd_session_t * bs)
194 if (!bs->local_demand)
196 bs->detection_time_clocks =
197 bs->remote_detect_mult *
198 bfd_us_to_clocks (bm, clib_max (bs->required_min_rx_us,
199 bs->remote_desired_min_tx_us));
203 bs->detection_time_clocks =
204 bs->local_detect_mult *
205 bfd_us_to_clocks (bm,
206 clib_max (bs->desired_min_tx_us,
207 bs->remote_min_rx_us));
209 BFD_DBG ("Recalculated detection time %lu clocks/%.2fs",
210 bs->detection_time_clocks,
211 bs->detection_time_clocks / bm->cpu_cps);
215 bfd_set_timer (bfd_main_t * bm, bfd_session_t * bs, u64 now,
220 if (BFD_STATE_up == bs->local_state)
222 rx_timeout = bs->last_rx_clocks + bs->detection_time_clocks;
224 if (bs->tx_timeout_clocks && rx_timeout)
226 next = clib_min (bs->tx_timeout_clocks, rx_timeout);
228 else if (bs->tx_timeout_clocks)
230 next = bs->tx_timeout_clocks;
236 BFD_DBG ("bs_idx=%u, tx_timeout=%lu, rx_timeout=%lu, next=%s", bs->bs_idx,
237 bs->tx_timeout_clocks, rx_timeout,
238 next == bs->tx_timeout_clocks ? "tx" : "rx");
239 /* sometimes the wheel expires an event a bit sooner than requested, account
241 if (next && (now + bm->wheel_inaccuracy > bs->wheel_time_clocks ||
242 next < bs->wheel_time_clocks || !bs->wheel_time_clocks))
244 bs->wheel_time_clocks = next;
245 BFD_DBG ("timing_wheel_insert(%p, %lu (%ld clocks/%.2fs in the "
247 &bm->wheel, bs->wheel_time_clocks,
248 (i64) bs->wheel_time_clocks - clib_cpu_time_now (),
249 (i64) (bs->wheel_time_clocks - clib_cpu_time_now ()) /
250 bm->cpu_cps, bs->bs_idx);
251 timing_wheel_insert (&bm->wheel, bs->wheel_time_clocks, bs->bs_idx);
252 if (!handling_wakeup)
254 vlib_process_signal_event (bm->vlib_main,
255 bm->bfd_process_node_index,
256 BFD_EVENT_RESCHEDULE, bs->bs_idx);
262 bfd_set_desired_min_tx (bfd_main_t * bm, bfd_session_t * bs, u64 now,
263 u32 desired_min_tx_us, int handling_wakeup)
265 bs->desired_min_tx_us = desired_min_tx_us;
266 bs->desired_min_tx_clocks = bfd_us_to_clocks (bm, bs->desired_min_tx_us);
267 BFD_DBG ("Set desired min tx to %uus/%lu clocks/%.2fs",
268 bs->desired_min_tx_us, bs->desired_min_tx_clocks,
269 bs->desired_min_tx_clocks / bm->cpu_cps);
270 bfd_recalc_detection_time (bm, bs);
271 bfd_recalc_tx_interval (bm, bs);
272 bfd_calc_next_tx (bm, bs, now);
273 bfd_set_timer (bm, bs, now, handling_wakeup);
277 bfd_set_remote_required_min_rx (bfd_main_t * bm, bfd_session_t * bs,
279 u32 remote_required_min_rx_us,
282 bs->remote_min_rx_us = remote_required_min_rx_us;
283 bs->remote_min_rx_clocks = bfd_us_to_clocks (bm, bs->remote_min_rx_us);
284 BFD_DBG ("Set remote min rx to %uus/%lu clocks/%.2fs", bs->remote_min_rx_us,
285 bs->remote_min_rx_clocks, bs->remote_min_rx_clocks / bm->cpu_cps);
286 bfd_recalc_detection_time (bm, bs);
287 bfd_recalc_tx_interval (bm, bs);
288 bfd_calc_next_tx (bm, bs, now);
289 bfd_set_timer (bm, bs, now, handling_wakeup);
293 bfd_session_start (bfd_main_t * bm, bfd_session_t * bs)
295 BFD_DBG ("%U", format_bfd_session, bs);
296 bfd_recalc_tx_interval (bm, bs);
297 vlib_process_signal_event (bm->vlib_main, bm->bfd_process_node_index,
298 BFD_EVENT_NEW_SESSION, bs->bs_idx);
302 bfd_del_session (uword bs_idx)
304 const bfd_main_t *bm = &bfd_main;
305 if (!pool_is_free_index (bm->sessions, bs_idx))
307 bfd_session_t *bs = pool_elt_at_index (bm->sessions, bs_idx);
308 pool_put (bm->sessions, bs);
313 BFD_ERR ("no such session");
314 return VNET_API_ERROR_BFD_ENOENT;
320 bfd_diag_code_string (bfd_diag_code_e diag)
323 case BFD_DIAG_CODE_NAME (t): \
327 foreach_bfd_diag_code (F)}
333 bfd_state_string (bfd_state_e state)
336 case BFD_STATE_NAME (t): \
340 foreach_bfd_state (F)}
346 bfd_session_set_flags (bfd_session_t * bs, u8 admin_up_down)
348 bfd_main_t *bm = &bfd_main;
351 bfd_set_state (bm, bs, BFD_STATE_down, 0);
355 bfd_set_diag (bs, BFD_DIAG_CODE_neighbor_sig_down);
356 bfd_set_state (bm, bs, BFD_STATE_admin_down, 0);
361 bfd_input_format_trace (u8 * s, va_list * args)
363 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
364 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
365 const bfd_input_trace_t *t = va_arg (*args, bfd_input_trace_t *);
366 const bfd_pkt_t *pkt = (bfd_pkt_t *) t->data;
367 if (t->len > STRUCT_SIZE_OF (bfd_pkt_t, head))
369 s = format (s, "BFD v%u, diag=%u(%s), state=%u(%s),\n"
370 " flags=(P:%u, F:%u, C:%u, A:%u, D:%u, M:%u), "
371 "detect_mult=%u, length=%u\n",
372 bfd_pkt_get_version (pkt), bfd_pkt_get_diag_code (pkt),
373 bfd_diag_code_string (bfd_pkt_get_diag_code (pkt)),
374 bfd_pkt_get_state (pkt),
375 bfd_state_string (bfd_pkt_get_state (pkt)),
376 bfd_pkt_get_poll (pkt), bfd_pkt_get_final (pkt),
377 bfd_pkt_get_control_plane_independent (pkt),
378 bfd_pkt_get_auth_present (pkt), bfd_pkt_get_demand (pkt),
379 bfd_pkt_get_multipoint (pkt), pkt->head.detect_mult,
381 if (t->len >= sizeof (bfd_pkt_t) &&
382 pkt->head.length >= sizeof (bfd_pkt_t))
384 s = format (s, " my discriminator: %u\n", pkt->my_disc);
385 s = format (s, " your discriminator: %u\n", pkt->your_disc);
386 s = format (s, " desired min tx interval: %u\n",
387 clib_net_to_host_u32 (pkt->des_min_tx));
388 s = format (s, " required min rx interval: %u\n",
389 clib_net_to_host_u32 (pkt->req_min_rx));
390 s = format (s, " required min echo rx interval: %u",
391 clib_net_to_host_u32 (pkt->req_min_echo_rx));
399 bfd_on_state_change (bfd_main_t * bm, bfd_session_t * bs, u64 now,
402 BFD_DBG ("State changed: %U", format_bfd_session, bs);
404 switch (bs->local_state)
406 case BFD_STATE_admin_down:
407 bfd_set_desired_min_tx (bm, bs, now,
408 clib_max (bs->config_desired_min_tx_us,
409 BFD_DEFAULT_DESIRED_MIN_TX_US),
413 bfd_set_desired_min_tx (bm, bs, now,
414 clib_max (bs->config_desired_min_tx_us,
415 BFD_DEFAULT_DESIRED_MIN_TX_US),
419 bfd_set_desired_min_tx (bm, bs, now,
420 clib_max (bs->config_desired_min_tx_us,
421 BFD_DEFAULT_DESIRED_MIN_TX_US),
425 bfd_set_desired_min_tx (bm, bs, now, bs->config_desired_min_tx_us,
432 bfd_add_transport_layer (vlib_main_t * vm, vlib_buffer_t * b,
435 switch (bs->transport)
437 case BFD_TRANSPORT_UDP4:
438 BFD_DBG ("Transport bfd via udp4, bs_idx=%u", bs->bs_idx);
439 bfd_add_udp4_transport (vm, b, &bs->udp);
441 case BFD_TRANSPORT_UDP6:
442 BFD_DBG ("Transport bfd via udp6, bs_idx=%u", bs->bs_idx);
443 bfd_add_udp6_transport (vm, b, &bs->udp);
448 static vlib_buffer_t *
449 bfd_create_frame_to_next_node (vlib_main_t * vm, bfd_session_t * bs)
452 if (vlib_buffer_alloc (vm, &bi, 1) != 1)
454 clib_warning ("buffer allocation failure");
458 vlib_buffer_t *b = vlib_get_buffer (vm, bi);
459 ASSERT (b->current_data == 0);
462 vlib_get_frame_to_node (vm, bfd_node_index_by_transport[bs->transport]);
464 u32 *to_next = vlib_frame_vector_args (f);
468 vlib_put_frame_to_node (vm, bfd_node_index_by_transport[bs->transport], f);
474 bfd_add_sha1_auth_section (vlib_buffer_t * b, bfd_session_t * bs)
476 bfd_pkt_with_sha1_auth_t *pkt = vlib_buffer_get_current (b);
477 bfd_auth_sha1_t *auth = &pkt->sha1_auth;
478 b->current_length += sizeof (*auth);
479 pkt->pkt.head.length += sizeof (*auth);
480 bfd_pkt_set_auth_present (&pkt->pkt);
481 memset (auth, 0, sizeof (*auth));
482 auth->type_len.type = bs->auth.curr_key->auth_type;
484 * only meticulous authentication types require incrementing seq number
485 * for every message, but doing so doesn't violate the RFC
487 ++bs->auth.local_seq_number;
488 auth->type_len.len = sizeof (bfd_auth_sha1_t);
489 auth->key_id = bs->auth.curr_bfd_key_id;
490 auth->seq_num = clib_host_to_net_u32 (bs->auth.local_seq_number);
492 * first copy the password into the packet, then calculate the hash
493 * and finally replace the password with the calculated hash
495 clib_memcpy (auth->hash, bs->auth.curr_key->key,
496 sizeof (bs->auth.curr_key->key));
497 unsigned char hash[sizeof (auth->hash)];
498 SHA1 ((unsigned char *) pkt, sizeof (*pkt), hash);
499 BFD_DBG ("hashing: %U", format_hex_bytes, pkt, sizeof (*pkt));
500 clib_memcpy (auth->hash, hash, sizeof (hash));
505 bfd_add_auth_section (vlib_buffer_t * b, bfd_session_t * bs)
507 if (bs->auth.curr_key)
509 const bfd_auth_type_e auth_type = bs->auth.curr_key->auth_type;
512 case BFD_AUTH_TYPE_reserved:
514 case BFD_AUTH_TYPE_simple_password:
516 case BFD_AUTH_TYPE_keyed_md5:
518 case BFD_AUTH_TYPE_meticulous_keyed_md5:
519 clib_warning ("Internal error, unexpected BFD auth type '%d'",
523 case BFD_AUTH_TYPE_keyed_sha1:
525 case BFD_AUTH_TYPE_meticulous_keyed_sha1:
526 bfd_add_sha1_auth_section (b, bs);
529 case BFD_AUTH_TYPE_keyed_sha1:
531 case BFD_AUTH_TYPE_meticulous_keyed_sha1:
532 clib_warning ("Internal error, unexpected BFD auth type '%d'",
541 bfd_init_control_frame (vlib_buffer_t * b, bfd_session_t * bs)
543 bfd_pkt_t *pkt = vlib_buffer_get_current (b);
546 bfd_length = sizeof (bfd_pkt_t);
547 memset (pkt, 0, sizeof (*pkt));
548 bfd_pkt_set_version (pkt, 1);
549 bfd_pkt_set_diag_code (pkt, bs->local_diag);
550 bfd_pkt_set_state (pkt, bs->local_state);
551 if (bs->local_demand && BFD_STATE_up == bs->local_state &&
552 BFD_STATE_up == bs->remote_state)
554 bfd_pkt_set_demand (pkt);
556 pkt->head.detect_mult = bs->local_detect_mult;
557 pkt->head.length = clib_host_to_net_u32 (bfd_length);
558 pkt->my_disc = bs->local_discr;
559 pkt->your_disc = bs->remote_discr;
560 pkt->des_min_tx = clib_host_to_net_u32 (bs->desired_min_tx_us);
561 pkt->req_min_rx = clib_host_to_net_u32 (bs->required_min_rx_us);
562 pkt->req_min_echo_rx = clib_host_to_net_u32 (bs->required_min_echo_rx_us);
563 b->current_length = bfd_length;
564 bfd_add_auth_section (b, bs);
568 bfd_send_periodic (vlib_main_t * vm, vlib_node_runtime_t * rt,
569 bfd_main_t * bm, bfd_session_t * bs, u64 now,
572 if (!bs->remote_min_rx_us)
575 ("bfd.RemoteMinRxInterval is zero, not sending periodic control "
580 A system MUST NOT periodically transmit BFD Control packets if Demand
581 mode is active on the remote system (bfd.RemoteDemandMode is 1,
582 bfd.SessionState is Up, and bfd.RemoteSessionState is Up) and a Poll
583 Sequence is not being transmitted.
585 /* sometimes the wheel expires an event a bit sooner than requested, account
587 if (now + bm->wheel_inaccuracy >= bs->tx_timeout_clocks)
589 BFD_DBG ("Send periodic control frame for bs_idx=%lu", bs->bs_idx);
590 vlib_buffer_t *b = bfd_create_frame_to_next_node (vm, bs);
595 bfd_init_control_frame (b, bs);
596 bfd_add_transport_layer (vm, b, bs);
597 bs->last_tx_clocks = now;
598 bfd_calc_next_tx (bm, bs, now);
603 ("No need to send control frame now, now is %lu, tx_timeout is %lu",
604 now, bs->tx_timeout_clocks);
606 bfd_set_timer (bm, bs, now, handling_wakeup);
610 bfd_init_final_control_frame (vlib_main_t * vm, vlib_buffer_t * b,
613 BFD_DBG ("Send final control frame for bs_idx=%lu", bs->bs_idx);
614 bfd_init_control_frame (b, bs);
615 bfd_pkt_set_final (vlib_buffer_get_current (b));
616 bfd_add_transport_layer (vm, b, bs);
617 bs->last_tx_clocks = clib_cpu_time_now ();
621 bfd_check_rx_timeout (bfd_main_t * bm, bfd_session_t * bs, u64 now,
624 /* sometimes the wheel expires an event a bit sooner than requested, account
626 if (bs->last_rx_clocks + bs->detection_time_clocks <=
627 now + bm->wheel_inaccuracy)
629 BFD_DBG ("Rx timeout, session goes down");
630 bfd_set_diag (bs, BFD_DIAG_CODE_det_time_exp);
631 bfd_set_state (bm, bs, BFD_STATE_down, handling_wakeup);
636 bfd_on_timeout (vlib_main_t * vm, vlib_node_runtime_t * rt, bfd_main_t * bm,
637 bfd_session_t * bs, u64 now)
639 BFD_DBG ("Timeout for bs_idx=%lu", bs->bs_idx);
640 switch (bs->local_state)
642 case BFD_STATE_admin_down:
643 BFD_ERR ("Unexpected timeout when in %s state",
644 bfd_state_string (bs->local_state));
648 bfd_send_periodic (vm, rt, bm, bs, now, 1);
651 BFD_ERR ("Unexpected timeout when in %s state",
652 bfd_state_string (bs->local_state));
656 bfd_check_rx_timeout (bm, bs, now, 1);
657 bfd_send_periodic (vm, rt, bm, bs, now, 1);
663 * bfd process node function
666 bfd_process (vlib_main_t * vm, vlib_node_runtime_t * rt, vlib_frame_t * f)
668 bfd_main_t *bm = &bfd_main;
670 uword event_type, *event_data = 0;
672 /* So we can send events to the bfd process */
673 bm->bfd_process_node_index = bfd_process_node.index;
677 u64 now = clib_cpu_time_now ();
678 u64 next_expire = timing_wheel_next_expiring_elt_time (&bm->wheel);
679 BFD_DBG ("timing_wheel_next_expiring_elt_time(%p) returns %lu",
680 &bm->wheel, next_expire);
681 if ((i64) next_expire < 0)
683 BFD_DBG ("wait for event without timeout");
684 (void) vlib_process_wait_for_event (vm);
685 event_type = vlib_process_get_events (vm, &event_data);
689 f64 timeout = ((i64) next_expire - (i64) now) / bm->cpu_cps;
690 BFD_DBG ("wait for event with timeout %.02f", timeout);
693 BFD_DBG ("negative timeout, already expired, skipping wait");
698 (void) vlib_process_wait_for_event_or_clock (vm, timeout);
699 event_type = vlib_process_get_events (vm, &event_data);
702 now = clib_cpu_time_now ();
705 case ~0: /* no events => timeout */
706 /* nothing to do here */
708 case BFD_EVENT_RESCHEDULE:
709 /* nothing to do here - reschedule is done automatically after
710 * each event or timeout */
712 case BFD_EVENT_NEW_SESSION:
713 if (!pool_is_free_index (bm->sessions, *event_data))
716 pool_elt_at_index (bm->sessions, *event_data);
717 bfd_send_periodic (vm, rt, bm, bs, now, 1);
721 BFD_DBG ("Ignoring event for non-existent session index %u",
726 clib_warning ("BUG: event type 0x%wx", event_type);
729 BFD_DBG ("advancing wheel, now is %lu", now);
730 BFD_DBG ("timing_wheel_advance (%p, %lu, %p, 0);", &bm->wheel, now,
732 expired = timing_wheel_advance (&bm->wheel, now, expired, 0);
733 BFD_DBG ("Expired %d elements", vec_len (expired));
735 vec_foreach (p, expired)
737 const u32 bs_idx = *p;
738 if (!pool_is_free_index (bm->sessions, bs_idx))
740 bfd_session_t *bs = pool_elt_at_index (bm->sessions, bs_idx);
741 bfd_on_timeout (vm, rt, bm, bs, now);
746 _vec_len (expired) = 0;
750 _vec_len (event_data) = 0;
758 * bfd process node declaration
761 VLIB_REGISTER_NODE (bfd_process_node, static) = {
762 .function = bfd_process,
763 .type = VLIB_NODE_TYPE_PROCESS,
764 .name = "bfd-process",
770 static clib_error_t *
771 bfd_sw_interface_up_down (vnet_main_t * vnm, u32 sw_if_index, u32 flags)
773 // bfd_main_t *bm = &bfd_main;
774 // vnet_hw_interface_t *hi = vnet_get_sup_hw_interface (vnm, sw_if_index);
775 if (!(flags & VNET_SW_INTERFACE_FLAG_ADMIN_UP))
782 VNET_SW_INTERFACE_ADMIN_UP_DOWN_FUNCTION (bfd_sw_interface_up_down);
784 static clib_error_t *
785 bfd_hw_interface_up_down (vnet_main_t * vnm, u32 hw_if_index, u32 flags)
787 // bfd_main_t *bm = &bfd_main;
788 if (flags & VNET_HW_INTERFACE_FLAG_LINK_UP)
795 VNET_HW_INTERFACE_LINK_UP_DOWN_FUNCTION (bfd_hw_interface_up_down);
800 static clib_error_t *
801 bfd_main_init (vlib_main_t * vm)
804 setbuf (stdout, NULL);
806 bfd_main_t *bm = &bfd_main;
807 bm->random_seed = random_default_seed ();
809 bm->vnet_main = vnet_get_main ();
810 memset (&bm->wheel, 0, sizeof (bm->wheel));
811 bm->cpu_cps = vm->clib_time.clocks_per_second;
812 BFD_DBG ("cps is %.2f", bm->cpu_cps);
813 const u64 now = clib_cpu_time_now ();
814 timing_wheel_init (&bm->wheel, now, bm->cpu_cps);
815 bm->wheel_inaccuracy = 2 << bm->wheel.log2_clocks_per_bin;
817 vlib_node_t *node = NULL;
819 node = vlib_get_node_by_name (vm, (u8 *)n); \
820 bfd_node_index_by_transport[BFD_TRANSPORT_##t] = node->index; \
821 BFD_DBG ("node '%s' has index %u", n, node->index);
822 foreach_bfd_transport (F);
827 VLIB_INIT_FUNCTION (bfd_main_init);
830 bfd_get_session (bfd_main_t * bm, bfd_transport_t t)
832 bfd_session_t *result;
833 pool_get (bm->sessions, result);
834 memset (result, 0, sizeof (*result));
835 result->bs_idx = result - bm->sessions;
836 result->transport = t;
837 result->local_discr = random_u32 (&bm->random_seed);
838 bfd_set_defaults (bm, result);
839 hash_set (bm->session_by_disc, result->local_discr, result->bs_idx);
844 bfd_put_session (bfd_main_t * bm, bfd_session_t * bs)
846 if (bs->auth.curr_key)
848 --bs->auth.curr_key->use_count;
850 if (bs->auth.next_key)
852 --bs->auth.next_key->use_count;
854 hash_unset (bm->session_by_disc, bs->local_discr);
855 pool_put (bm->sessions, bs);
859 bfd_find_session_by_idx (bfd_main_t * bm, uword bs_idx)
861 if (!pool_is_free_index (bm->sessions, bs_idx))
863 return pool_elt_at_index (bm->sessions, bs_idx);
869 bfd_find_session_by_disc (bfd_main_t * bm, u32 disc)
871 uword *p = hash_get (bfd_main.session_by_disc, disc);
874 return pool_elt_at_index (bfd_main.sessions, *p);
880 * @brief verify bfd packet - common checks
884 * @return 1 if bfd packet is valid
887 bfd_verify_pkt_common (const bfd_pkt_t * pkt)
889 if (1 != bfd_pkt_get_version (pkt))
891 BFD_ERR ("BFD verification failed - unexpected version: '%d'",
892 bfd_pkt_get_version (pkt));
895 if (pkt->head.length < sizeof (bfd_pkt_t) ||
896 (bfd_pkt_get_auth_present (pkt) &&
897 pkt->head.length < sizeof (bfd_pkt_with_common_auth_t)))
899 BFD_ERR ("BFD verification failed - unexpected length: '%d' (auth "
901 pkt->head.length, bfd_pkt_get_auth_present (pkt));
904 if (!pkt->head.detect_mult)
906 BFD_ERR ("BFD verification failed - unexpected detect-mult: '%d'",
907 pkt->head.detect_mult);
910 if (bfd_pkt_get_multipoint (pkt))
912 BFD_ERR ("BFD verification failed - unexpected multipoint: '%d'",
913 bfd_pkt_get_multipoint (pkt));
918 BFD_ERR ("BFD verification failed - unexpected my-disc: '%d'",
924 const u8 pkt_state = bfd_pkt_get_state (pkt);
925 if (pkt_state != BFD_STATE_down && pkt_state != BFD_STATE_admin_down)
927 BFD_ERR ("BFD verification failed - unexpected state: '%s' "
928 "(your-disc is zero)", bfd_state_string (pkt_state));
936 bfd_session_switch_auth_to_next (bfd_session_t * bs)
938 BFD_DBG ("Switching authentication key from %U to %U for bs_idx=%u",
939 format_bfd_auth_key, bs->auth.curr_key, format_bfd_auth_key,
940 bs->auth.next_key, bs->bs_idx);
941 bs->auth.is_delayed = 0;
942 if (bs->auth.curr_key)
944 --bs->auth.curr_key->use_count;
946 bs->auth.curr_key = bs->auth.next_key;
947 bs->auth.next_key = NULL;
948 bs->auth.curr_bfd_key_id = bs->auth.next_bfd_key_id;
952 bfd_auth_type_is_meticulous (bfd_auth_type_e auth_type)
954 if (BFD_AUTH_TYPE_meticulous_keyed_md5 == auth_type ||
955 BFD_AUTH_TYPE_meticulous_keyed_sha1 == auth_type)
963 bfd_verify_pkt_auth_seq_num (bfd_session_t * bs,
964 u32 received_seq_num, int is_meticulous)
969 * This variable MUST be set to zero after no packets have been
970 * received on this session for at least twice the Detection Time.
972 u64 now = clib_cpu_time_now ();
973 if (now - bs->last_rx_clocks > bs->detection_time_clocks * 2)
975 BFD_DBG ("BFD peer unresponsive for %lu clocks, which is > 2 * "
976 "detection_time=%u clocks, resetting remote_seq_number_known "
978 now - bs->last_rx_clocks, bs->detection_time_clocks * 2);
979 bs->auth.remote_seq_number_known = 0;
981 if (bs->auth.remote_seq_number_known)
983 /* remote sequence number is known, verify its validity */
984 const u32 max_u32 = 0xffffffff;
985 /* the calculation might wrap, account for the special case... */
986 if (bs->auth.remote_seq_number > max_u32 - 3 * bs->local_detect_mult)
992 * |----------+----------------------------+-----------|
994 * | remote_seq_num------+
996 * +-----(remote_seq_num + 3*detect_mult) % * 0xffffffff
998 * x + y + z = 0xffffffff
999 * x + z = 3 * detect_mult
1001 const u32 z = max_u32 - bs->auth.remote_seq_number;
1002 const u32 x = 3 * bs->local_detect_mult - z;
1003 if (received_seq_num > x &&
1004 received_seq_num < bs->auth.remote_seq_number + is_meticulous)
1007 ("Recvd sequence number=%u out of ranges <0, %u>, <%u, %u>",
1008 received_seq_num, x,
1009 bs->auth.remote_seq_number + is_meticulous, max_u32);
1016 const u32 min = bs->auth.remote_seq_number + is_meticulous;
1018 bs->auth.remote_seq_number + 3 * bs->local_detect_mult;
1019 if (received_seq_num < min || received_seq_num > max)
1021 BFD_ERR ("Recvd sequence number=%u out of range <%u, %u>",
1022 received_seq_num, min, max);
1031 bfd_verify_pkt_auth_key_sha1 (const bfd_pkt_t * pkt, u32 pkt_size,
1032 bfd_session_t * bs, u8 bfd_key_id,
1033 bfd_auth_key_t * auth_key)
1035 ASSERT (auth_key->auth_type == BFD_AUTH_TYPE_keyed_sha1 ||
1036 auth_key->auth_type == BFD_AUTH_TYPE_meticulous_keyed_sha1);
1038 u8 result[SHA_DIGEST_LENGTH];
1039 bfd_pkt_with_common_auth_t *with_common = (void *) pkt;
1040 if (pkt_size < sizeof (*with_common))
1042 BFD_ERR ("Packet size too small to hold authentication common header");
1045 if (with_common->common_auth.type != auth_key->auth_type)
1047 BFD_ERR ("BFD auth type mismatch, packet auth=%d:%s doesn't match "
1048 "in-use auth=%d:%s",
1049 with_common->common_auth.type,
1050 bfd_auth_type_str (with_common->common_auth.type),
1051 auth_key->auth_type, bfd_auth_type_str (auth_key->auth_type));
1054 bfd_pkt_with_sha1_auth_t *with_sha1 = (void *) pkt;
1055 if (pkt_size < sizeof (*with_sha1) ||
1056 with_sha1->sha1_auth.type_len.len < sizeof (with_sha1->sha1_auth))
1059 ("BFD size mismatch, payload size=%u, expected=%u, auth_len=%u, "
1060 "expected=%u", pkt_size, sizeof (*with_sha1),
1061 with_sha1->sha1_auth.type_len.len, sizeof (with_sha1->sha1_auth));
1064 if (with_sha1->sha1_auth.key_id != bfd_key_id)
1067 ("BFD key ID mismatch, packet key ID=%u doesn't match key ID=%u%s",
1068 with_sha1->sha1_auth.key_id, bfd_key_id,
1070 auth.is_delayed ? " (but a delayed auth change is scheduled)" : "");
1074 if (!SHA1_Init (&ctx))
1076 BFD_ERR ("SHA1_Init failed");
1079 /* ignore last 20 bytes - use the actual key data instead pkt data */
1080 if (!SHA1_Update (&ctx, with_sha1,
1081 sizeof (*with_sha1) - sizeof (with_sha1->sha1_auth.hash)))
1083 BFD_ERR ("SHA1_Update failed");
1086 if (!SHA1_Update (&ctx, auth_key->key, sizeof (auth_key->key)))
1088 BFD_ERR ("SHA1_Update failed");
1091 if (!SHA1_Final (result, &ctx))
1093 BFD_ERR ("SHA1_Final failed");
1096 if (0 == memcmp (result, with_sha1->sha1_auth.hash, SHA_DIGEST_LENGTH))
1100 BFD_ERR ("SHA1 hash: %U doesn't match the expected value: %U",
1101 format_hex_bytes, with_sha1->sha1_auth.hash, SHA_DIGEST_LENGTH,
1102 format_hex_bytes, result, SHA_DIGEST_LENGTH);
1107 bfd_verify_pkt_auth_key (const bfd_pkt_t * pkt, u32 pkt_size,
1108 bfd_session_t * bs, u8 bfd_key_id,
1109 bfd_auth_key_t * auth_key)
1111 switch (auth_key->auth_type)
1113 case BFD_AUTH_TYPE_reserved:
1114 clib_warning ("Internal error, unexpected auth_type=%d:%s",
1115 auth_key->auth_type,
1116 bfd_auth_type_str (auth_key->auth_type));
1118 case BFD_AUTH_TYPE_simple_password:
1120 ("Internal error, not implemented, unexpected auth_type=%d:%s",
1121 auth_key->auth_type, bfd_auth_type_str (auth_key->auth_type));
1123 case BFD_AUTH_TYPE_keyed_md5:
1125 case BFD_AUTH_TYPE_meticulous_keyed_md5:
1127 ("Internal error, not implemented, unexpected auth_type=%d:%s",
1128 auth_key->auth_type, bfd_auth_type_str (auth_key->auth_type));
1130 case BFD_AUTH_TYPE_keyed_sha1:
1132 case BFD_AUTH_TYPE_meticulous_keyed_sha1:
1136 const u32 seq_num = clib_net_to_host_u32 (((bfd_pkt_with_sha1_auth_t
1139 return bfd_verify_pkt_auth_seq_num (bs, seq_num,
1140 bfd_auth_type_is_meticulous
1141 (auth_key->auth_type))
1142 && bfd_verify_pkt_auth_key_sha1 (pkt, pkt_size, bs, bfd_key_id,
1148 ("Internal error, attempt to use SHA1 without SSL support");
1156 * @brief verify bfd packet - authentication
1160 * @return 1 if bfd packet is valid
1163 bfd_verify_pkt_auth (const bfd_pkt_t * pkt, u16 pkt_size, bfd_session_t * bs)
1165 if (bfd_pkt_get_auth_present (pkt))
1167 /* authentication present in packet */
1168 if (!bs->auth.curr_key)
1170 /* currently not using authentication - can we turn it on? */
1171 if (bs->auth.is_delayed && bs->auth.next_key)
1173 /* yes, switch is scheduled - make sure the auth is valid */
1174 if (bfd_verify_pkt_auth_key (pkt, pkt_size, bs,
1175 bs->auth.next_bfd_key_id,
1178 /* auth matches next key, do the switch, packet is valid */
1179 bfd_session_switch_auth_to_next (bs);
1186 /* yes, using authentication, verify the key */
1187 if (bfd_verify_pkt_auth_key (pkt, pkt_size, bs,
1188 bs->auth.curr_bfd_key_id,
1191 /* verification passed, packet is valid */
1196 /* verification failed - but maybe we need to switch key */
1197 if (bs->auth.is_delayed && bs->auth.next_key)
1199 /* delayed switch present, verify if that key works */
1200 if (bfd_verify_pkt_auth_key (pkt, pkt_size, bs,
1201 bs->auth.next_bfd_key_id,
1204 /* auth matches next key, switch key, packet is valid */
1205 bfd_session_switch_auth_to_next (bs);
1214 /* authentication in packet not present */
1215 if (pkt_size > sizeof (*pkt))
1217 BFD_ERR ("BFD verification failed - unexpected packet size '%d' "
1218 "(auth not present)", pkt_size);
1221 if (bs->auth.curr_key)
1223 /* currently authenticating - could we turn it off? */
1224 if (bs->auth.is_delayed && !bs->auth.next_key)
1226 /* yes, delayed switch to NULL key is scheduled */
1227 bfd_session_switch_auth_to_next (bs);
1233 /* no auth in packet, no auth in use - packet is valid */
1241 bfd_consume_pkt (bfd_main_t * bm, const bfd_pkt_t * pkt, u32 bs_idx)
1243 bfd_session_t *bs = bfd_find_session_by_idx (bm, bs_idx);
1248 BFD_DBG ("Scanning bfd packet, bs_idx=%d", bs->bs_idx);
1249 bs->remote_discr = pkt->my_disc;
1250 bs->remote_state = bfd_pkt_get_state (pkt);
1251 bs->remote_demand = bfd_pkt_get_demand (pkt);
1252 u64 now = clib_cpu_time_now ();
1253 bs->last_rx_clocks = now;
1254 if (bfd_pkt_get_auth_present (pkt))
1256 bfd_auth_type_e auth_type =
1257 ((bfd_pkt_with_common_auth_t *) (pkt))->common_auth.type;
1260 case BFD_AUTH_TYPE_reserved:
1262 case BFD_AUTH_TYPE_simple_password:
1264 case BFD_AUTH_TYPE_keyed_md5:
1266 case BFD_AUTH_TYPE_meticulous_keyed_md5:
1267 clib_warning ("Internal error, unexpected auth_type=%d:%s",
1268 auth_type, bfd_auth_type_str (auth_type));
1270 case BFD_AUTH_TYPE_keyed_sha1:
1272 case BFD_AUTH_TYPE_meticulous_keyed_sha1:
1275 bfd_pkt_with_sha1_auth_t *with_sha1 =
1276 (bfd_pkt_with_sha1_auth_t *) pkt;
1277 bs->auth.remote_seq_number =
1278 clib_net_to_host_u32 (with_sha1->sha1_auth.seq_num);
1279 bs->auth.remote_seq_number_known = 1;
1280 BFD_DBG ("Received sequence number %u",
1281 bs->auth.remote_seq_number);
1286 bs->remote_desired_min_tx_us = clib_net_to_host_u32 (pkt->des_min_tx);
1287 bs->remote_detect_mult = pkt->head.detect_mult;
1288 bfd_set_remote_required_min_rx (bm, bs, now,
1289 clib_net_to_host_u32 (pkt->req_min_rx), 0);
1291 If the Required Min Echo RX Interval field is zero, the
1292 transmission of Echo packets, if any, MUST cease.
1294 If a Poll Sequence is being transmitted by the local system and
1295 the Final (F) bit in the received packet is set, the Poll Sequence
1300 if (BFD_STATE_admin_down == bs->local_state)
1302 if (BFD_STATE_admin_down == bs->remote_state)
1304 bfd_set_diag (bs, BFD_DIAG_CODE_neighbor_sig_down);
1305 bfd_set_state (bm, bs, BFD_STATE_down, 0);
1307 else if (BFD_STATE_down == bs->local_state)
1309 if (BFD_STATE_down == bs->remote_state)
1311 bfd_set_state (bm, bs, BFD_STATE_init, 0);
1313 else if (BFD_STATE_init == bs->remote_state)
1315 bfd_set_state (bm, bs, BFD_STATE_up, 0);
1318 else if (BFD_STATE_init == bs->local_state)
1320 if (BFD_STATE_up == bs->remote_state ||
1321 BFD_STATE_init == bs->remote_state)
1323 bfd_set_state (bm, bs, BFD_STATE_up, 0);
1326 else /* BFD_STATE_up == bs->local_state */
1328 if (BFD_STATE_down == bs->remote_state)
1330 bfd_set_diag (bs, BFD_DIAG_CODE_neighbor_sig_down);
1331 bfd_set_state (bm, bs, BFD_STATE_down, 0);
1337 format_bfd_session (u8 * s, va_list * args)
1339 const bfd_session_t *bs = va_arg (*args, bfd_session_t *);
1340 s = format (s, "BFD(%u): bfd.SessionState=%s, "
1341 "bfd.RemoteSessionState=%s, "
1342 "bfd.LocalDiscr=%u, "
1343 "bfd.RemoteDiscr=%u, "
1344 "bfd.LocalDiag=%s, "
1345 "bfd.DesiredMinTxInterval=%u, "
1346 "bfd.RequiredMinRxInterval=%u, "
1347 "bfd.RequiredMinEchoRxInterval=%u, "
1348 "bfd.RemoteMinRxInterval=%u, "
1349 "bfd.DemandMode=%s, "
1350 "bfd.RemoteDemandMode=%s, "
1351 "bfd.DetectMult=%u, "
1352 "Auth: {local-seq-num=%u, "
1353 "remote-seq-num=%u, "
1357 bs->bs_idx, bfd_state_string (bs->local_state),
1358 bfd_state_string (bs->remote_state), bs->local_discr,
1359 bs->remote_discr, bfd_diag_code_string (bs->local_diag),
1360 bs->desired_min_tx_us, bs->required_min_rx_us,
1361 bs->required_min_echo_rx_us, bs->remote_min_rx_us,
1362 (bs->local_demand ? "yes" : "no"),
1363 (bs->remote_demand ? "yes" : "no"), bs->local_detect_mult,
1364 bs->auth.local_seq_number, bs->auth.remote_seq_number,
1365 (bs->auth.is_delayed ? "yes" : "no"), format_bfd_auth_key,
1366 bs->auth.curr_key, format_bfd_auth_key, bs->auth.next_key);
1371 bfd_auth_type_supported (bfd_auth_type_e auth_type)
1373 if (auth_type == BFD_AUTH_TYPE_keyed_sha1 ||
1374 auth_type == BFD_AUTH_TYPE_meticulous_keyed_sha1)
1382 bfd_auth_activate (bfd_session_t * bs, u32 conf_key_id,
1383 u8 bfd_key_id, u8 is_delayed)
1385 bfd_main_t *bm = &bfd_main;
1386 const uword *key_idx_p =
1387 hash_get (bm->auth_key_by_conf_key_id, conf_key_id);
1390 clib_warning ("Authentication key with config ID %u doesn't exist)",
1392 return VNET_API_ERROR_BFD_ENOENT;
1394 const uword key_idx = *key_idx_p;
1395 bfd_auth_key_t *key = pool_elt_at_index (bm->auth_keys, key_idx);
1398 if (bs->auth.next_key == key)
1400 /* already using this key, no changes required */
1403 bs->auth.next_key = key;
1404 bs->auth.next_bfd_key_id = bfd_key_id;
1405 bs->auth.is_delayed = 1;
1409 if (bs->auth.curr_key == key)
1411 /* already using this key, no changes required */
1414 if (bs->auth.curr_key)
1416 --bs->auth.curr_key->use_count;
1418 bs->auth.curr_key = key;
1419 bs->auth.curr_bfd_key_id = bfd_key_id;
1420 bs->auth.is_delayed = 0;
1423 BFD_DBG ("Session auth modified: %U", format_bfd_session, bs);
1428 bfd_auth_deactivate (bfd_session_t * bs, u8 is_delayed)
1433 /* not delayed - deactivate the current key right now */
1434 if (bs->auth.curr_key)
1436 --bs->auth.curr_key->use_count;
1437 bs->auth.curr_key = NULL;
1439 bs->auth.is_delayed = 0;
1443 /* delayed - mark as so */
1444 bs->auth.is_delayed = 1;
1447 * clear the next key unconditionally - either the auth change is not delayed
1448 * in which case the caller expects the session to not use authentication
1449 * from this point forward, or it is delayed, in which case the next_key
1450 * needs to be set to NULL to make it so in the future
1452 if (bs->auth.next_key)
1454 --bs->auth.next_key->use_count;
1455 bs->auth.next_key = NULL;
1457 BFD_DBG ("Session auth modified: %U", format_bfd_session, bs);
1460 clib_warning ("SSL missing, cannot deactivate BFD authentication");
1461 return VNET_API_ERROR_BFD_NOTSUPP;
1465 bfd_main_t bfd_main;
1468 * fd.io coding-style-patch-verification: ON
1471 * eval: (c-set-style "gnu")