2 * ipsec_tun.h : IPSEC tunnel protection
4 * Copyright (c) 2015 Cisco and/or its affiliates.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
18 #include <vnet/ipsec/ipsec_tun.h>
19 #include <vnet/ipsec/esp.h>
20 #include <vnet/udp/udp.h>
23 * Pool of tunnel protection objects
25 ipsec_tun_protect_t *ipsec_protect_pool;
28 * DB of protected tunnels
30 typedef struct ipsec_protect_db_t_
36 static ipsec_protect_db_t ipsec_protect_db;
39 ipsec_tun_protect_feature_set (ipsec_tun_protect_t * itp, u8 enable)
41 u32 sai = itp->itp_out_sa;
42 int is_ip4, is_l2, rv;
44 is_ip4 = ip46_address_is_ip4 (&itp->itp_tun.src);
45 is_l2 = itp->itp_flags & IPSEC_PROTECT_L2;
50 rv = vnet_feature_enable_disable ("ethernet-output",
52 itp->itp_sw_if_index, enable,
55 rv = vnet_feature_enable_disable ("ip4-output",
57 itp->itp_sw_if_index, enable,
63 rv = vnet_feature_enable_disable ("ethernet-output",
65 itp->itp_sw_if_index, enable,
68 rv = vnet_feature_enable_disable ("ip6-output",
70 itp->itp_sw_if_index, enable,
79 ipsec_tun_protect_db_add (ipsec_main_t * im, const ipsec_tun_protect_t * itp)
85 FOR_EACH_IPSEC_PROTECT_INPUT_SAI(itp, sai,
87 sa = ipsec_sa_get (sai);
89 ipsec_tun_lkup_result_t res = {
90 .tun_index = itp - ipsec_protect_pool,
95 * The key is formed from the tunnel's destination
96 * as the packet lookup is done from the packet's source
98 if (ip46_address_is_ip4 (&itp->itp_crypto.dst))
100 ipsec4_tunnel_key_t key = {
101 .remote_ip = itp->itp_crypto.dst.ip4.as_u32,
102 .spi = clib_host_to_net_u32 (sa->spi),
104 hash_set (im->tun4_protect_by_key, key.as_u64, res.as_u64);
108 ipsec6_tunnel_key_t key = {
109 .remote_ip = itp->itp_crypto.dst.ip6,
110 .spi = clib_host_to_net_u32 (sa->spi),
112 hash_set_mem_alloc (&im->tun6_protect_by_key, &key, res.as_u64);
119 ipsec_tun_protect_db_remove (ipsec_main_t * im,
120 const ipsec_tun_protect_t * itp)
122 const ipsec_sa_t *sa;
125 FOR_EACH_IPSEC_PROTECT_INPUT_SA(itp, sa,
127 if (ip46_address_is_ip4 (&itp->itp_crypto.dst))
129 ipsec4_tunnel_key_t key = {
130 .remote_ip = itp->itp_crypto.dst.ip4.as_u32,
131 .spi = clib_host_to_net_u32 (sa->spi),
133 hash_unset (im->tun4_protect_by_key, &key);
137 ipsec6_tunnel_key_t key = {
138 .remote_ip = itp->itp_crypto.dst.ip6,
139 .spi = clib_host_to_net_u32 (sa->spi),
141 hash_unset_mem_free (&im->tun6_protect_by_key, &key);
148 ipsec_tun_protect_config (ipsec_main_t * im,
149 ipsec_tun_protect_t * itp, u32 sa_out, u32 * sas_in)
154 itp->itp_n_sa_in = vec_len (sas_in);
155 for (ii = 0; ii < itp->itp_n_sa_in; ii++)
156 itp->itp_in_sas[ii] = sas_in[ii];
157 itp->itp_out_sa = sa_out;
160 FOR_EACH_IPSEC_PROTECT_INPUT_SA(itp, sa,
162 if (ipsec_sa_is_set_IS_TUNNEL (sa))
164 itp->itp_crypto.src = sa->tunnel_dst_addr;
165 itp->itp_crypto.dst = sa->tunnel_src_addr;
166 ipsec_sa_set_IS_PROTECT (sa);
167 itp->itp_flags |= IPSEC_PROTECT_ENCAPED;
171 itp->itp_crypto.src = itp->itp_tun.src;
172 itp->itp_crypto.dst = itp->itp_tun.dst;
173 itp->itp_flags &= ~IPSEC_PROTECT_ENCAPED;
179 * add to the DB against each SA
181 ipsec_tun_protect_db_add (im, itp);
184 * enable the encrypt feature for egress.
186 ipsec_tun_protect_feature_set (itp, 1);
191 ipsec_tun_protect_unconfig (ipsec_main_t * im, ipsec_tun_protect_t * itp)
195 ipsec_tun_protect_feature_set (itp, 0);
198 FOR_EACH_IPSEC_PROTECT_INPUT_SA(itp, sa,
200 ipsec_sa_unset_IS_PROTECT (sa);
204 ipsec_tun_protect_db_remove (im, itp);
208 ipsec_tun_protect_find (u32 sw_if_index)
210 if (vec_len (ipsec_protect_db.tunnels) < sw_if_index)
211 return (INDEX_INVALID);
213 return (ipsec_protect_db.tunnels[sw_if_index]);
217 ipsec_tun_protect_update (u32 sw_if_index, u32 sa_out, u32 * sas_in)
220 ipsec_tun_protect_t *itp;
226 vec_validate_init_empty (ipsec_protect_db.tunnels, sw_if_index,
228 itpi = ipsec_protect_db.tunnels[sw_if_index];
230 vec_foreach_index (ii, sas_in)
232 sas_in[ii] = ipsec_get_sa_index_by_sa_id (sas_in[ii]);
233 if (~0 == sas_in[ii])
235 rv = VNET_API_ERROR_INVALID_VALUE;
240 sa_out = ipsec_get_sa_index_by_sa_id (sa_out);
244 rv = VNET_API_ERROR_INVALID_VALUE;
248 if (INDEX_INVALID == itpi)
250 vnet_device_class_t *dev_class;
251 vnet_hw_interface_t *hi;
255 vnm = vnet_get_main ();
256 hi = vnet_get_sup_hw_interface (vnm, sw_if_index);
257 dev_class = vnet_get_device_class (vnm, hi->dev_class_index);
259 if (NULL == dev_class->ip_tun_desc)
261 rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
265 pool_get_zero (ipsec_protect_pool, itp);
267 itp->itp_sw_if_index = sw_if_index;
268 ipsec_protect_db.tunnels[sw_if_index] = itp - ipsec_protect_pool;
269 ipsec_protect_db.count++;
271 itp->itp_n_sa_in = vec_len (sas_in);
272 for (ii = 0; ii < itp->itp_n_sa_in; ii++)
273 itp->itp_in_sas[ii] = sas_in[ii];
274 itp->itp_out_sa = sa_out;
276 rv = dev_class->ip_tun_desc (sw_if_index,
278 &itp->itp_tun.dst, &is_l2);
284 itp->itp_flags |= IPSEC_PROTECT_L2;
287 * add to the tunnel DB for ingress
288 * - if the SA is in trasnport mode, then the packates will arrivw
289 * with the IP src,dst of the protected tunnel, in which case we can
290 * simply strip the IP header and hand the payload to the protocol
291 * appropriate input handler
292 * - if the SA is in tunnel mode then there are two IP headers present
293 * one for the crytpo tunnel endpoints (described in the SA) and one
294 * for the tunnel endpoints. The outer IP headers in the srriving
295 * packets will have the crypto endpoints. So the DB needs to contain
296 * the crpto endpoint. Once the crypto header is stripped, revealing,
297 * the tunnel-IP we have 2 choices:
298 * 1) do a tunnel lookup based on the revealed header
299 * 2) skip the tunnel lookup and assume that the packet matches the
300 * one that is protected here.
301 * If we did 1) then we would allow our peer to use the SA for tunnel
302 * X to inject traffic onto tunnel Y, this is not good. If we do 2)
303 * then we don't verify that the peer is indeed using SA for tunnel
304 * X and addressing tunnel X. So we take a compromise, once the SA
305 * matches to tunnel X we veriy that the inner IP matches the value
306 * of the tunnel we are protecting, else it's dropped.
308 ipsec_tun_protect_config (im, itp, sa_out, sas_in);
310 if (1 == hash_elts (im->tun4_protect_by_key))
311 ip4_register_protocol (IP_PROTOCOL_IPSEC_ESP,
312 ipsec4_tun_input_node.index);
313 if (1 == hash_elts (im->tun6_protect_by_key))
314 ip6_register_protocol (IP_PROTOCOL_IPSEC_ESP,
315 ipsec6_tun_input_node.index);
319 /* updating SAs only */
320 itp = pool_elt_at_index (ipsec_protect_pool, itpi);
322 ipsec_tun_protect_unconfig (im, itp);
323 ipsec_tun_protect_config (im, itp, sa_out, sas_in);
332 ipsec_tun_protect_del (u32 sw_if_index)
334 ipsec_tun_protect_t *itp;
340 vec_validate_init_empty (ipsec_protect_db.tunnels, sw_if_index,
342 itpi = ipsec_protect_db.tunnels[sw_if_index];
344 if (INDEX_INVALID == itpi)
345 return (VNET_API_ERROR_NO_SUCH_ENTRY);
347 itp = ipsec_tun_protect_get (itpi);
348 ipsec_tun_protect_unconfig (im, itp);
350 ipsec_protect_db.tunnels[itp->itp_sw_if_index] = INDEX_INVALID;
352 pool_put (ipsec_protect_pool, itp);
354 /* if (0 == hash_elts (im->tun4_protect_by_key)) */
355 /* ip4_unregister_protocol (IP_PROTOCOL_IPSEC_ESP); */
356 /* if (0 == hash_elts (im->tun6_protect_by_key)) */
357 /* ip6_unregister_protocol (IP_PROTOCOL_IPSEC_ESP); */
363 ipsec_tun_protect_walk (ipsec_tun_protect_walk_cb_t fn, void *ctx)
368 pool_foreach_index(itpi, ipsec_protect_pool,
376 ipsec_tunnel_protect_init (vlib_main_t * vm)
381 im->tun6_protect_by_key = hash_create_mem (0,
382 sizeof (ipsec6_tunnel_key_t),
384 im->tun4_protect_by_key = hash_create (0, sizeof (u64));
389 VLIB_INIT_FUNCTION (ipsec_tunnel_protect_init);
393 * fd.io coding-style-patch-verification: ON
396 * eval: (c-set-style "gnu")