Code Review / vpp.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | inline | side by side
BFD: add ARP-awareness, fix bugs
[vpp.git] / src / vnet / bfd / bfd_main.c
diff --git a/src/vnet/bfd/bfd_main.c b/src/vnet/bfd/bfd_main.c
index 29c4045..2b70a20 100644 (file)
--- a/src/vnet/bfd/bfd_main.c
+++ b/src/vnet/bfd/bfd_main.c
@@ -55,7 +55,7 @@ bfd_usec_to_clocks (const bfd_main_t * bm, u64 us)
   return bm->cpu_cps * ((f64) us / USEC_PER_SECOND);
 }
 
-static u32
+u32
 bfd_clocks_to_usec (const bfd_main_t * bm, u64 clocks)
 {
   return (clocks / bm->cpu_cps) * USEC_PER_SECOND;
@@ -63,14 +63,7 @@ bfd_clocks_to_usec (const bfd_main_t * bm, u64 clocks)
 
 static vlib_node_registration_t bfd_process_node;
 
-/* set to 0 here, real values filled at startup */
-static u32 bfd_node_index_by_transport[] = {
-#define F(t, n) [BFD_TRANSPORT_##t] = 0,
-  foreach_bfd_transport (F)
-#undef F
-};
-
-static u8 *
+u8 *
 format_bfd_auth_key (u8 * s, va_list * args)
 {
   const bfd_auth_key_t *key = va_arg (*args, bfd_auth_key_t *);
@@ -147,7 +140,7 @@ bfd_set_state (bfd_main_t * bm, bfd_session_t * bs,
     }
 }
 
-static const char *
+const char *
 bfd_poll_state_string (bfd_poll_state_e state)
 {
   switch (state)
@@ -265,12 +258,16 @@ bfd_calc_next_echo_tx (bfd_main_t * bm, bfd_session_t * bs, u64 now)
 static void
 bfd_recalc_detection_time (bfd_main_t * bm, bfd_session_t * bs)
 {
-  bs->detection_time_clocks =
-    bs->remote_detect_mult * clib_max (bs->effective_required_min_rx_clocks,
-                                      bs->remote_desired_min_tx_clocks);
-  BFD_DBG ("Recalculated detection time %lu clocks/%.2fs",
-          bs->detection_time_clocks,
-          bs->detection_time_clocks / bm->cpu_cps);
+  if (bs->local_state == BFD_STATE_init || bs->local_state == BFD_STATE_up)
+    {
+      bs->detection_time_clocks =
+       bs->remote_detect_mult *
+       clib_max (bs->effective_required_min_rx_clocks,
+                 bs->remote_desired_min_tx_clocks);
+      BFD_DBG ("Recalculated detection time %lu clocks/%.2fs",
+              bs->detection_time_clocks,
+              bs->detection_time_clocks / bm->cpu_cps);
+    }
 }
 
 static void
@@ -284,7 +281,8 @@ bfd_set_timer (bfd_main_t * bm, bfd_session_t * bs, u64 now,
     {
       rx_timeout = bs->last_rx_clocks + bs->detection_time_clocks;
     }
-  if (BFD_STATE_up != bs->local_state || !bs->remote_demand ||
+  if (BFD_STATE_up != bs->local_state ||
+      (!bs->remote_demand && bs->remote_min_rx_usec) ||
       BFD_POLL_NOT_NEEDED != bs->poll_state)
     {
       tx_timeout = bs->tx_timeout_clocks;
@@ -348,7 +346,7 @@ bfd_set_effective_desired_min_tx (bfd_main_t * bm,
 
 static void
 bfd_set_effective_required_min_rx (bfd_main_t * bm,
-                                  bfd_session_t * bs, u64 now,
+                                  bfd_session_t * bs,
                                   u64 required_min_rx_clocks)
 {
   bs->effective_required_min_rx_clocks = required_min_rx_clocks;
@@ -393,44 +391,33 @@ void
 bfd_session_start (bfd_main_t * bm, bfd_session_t * bs)
 {
   BFD_DBG ("\nStarting session: %U", format_bfd_session, bs);
+  bfd_set_effective_required_min_rx (bm, bs,
+                                    bs->config_required_min_rx_clocks);
   bfd_recalc_tx_interval (bm, bs);
   vlib_process_signal_event (bm->vlib_main, bm->bfd_process_node_index,
                             BFD_EVENT_NEW_SESSION, bs->bs_idx);
 }
 
-vnet_api_error_t
-bfd_del_session (uword bs_idx)
-{
-  const bfd_main_t *bm = &bfd_main;
-  if (!pool_is_free_index (bm->sessions, bs_idx))
-    {
-      bfd_session_t *bs = pool_elt_at_index (bm->sessions, bs_idx);
-      pool_put (bm->sessions, bs);
-      return 0;
-    }
-  else
-    {
-      BFD_ERR ("no such session");
-      return VNET_API_ERROR_BFD_ENOENT;
-    }
-  return 0;
-}
-
 void
 bfd_session_set_flags (bfd_session_t * bs, u8 admin_up_down)
 {
   bfd_main_t *bm = &bfd_main;
+  u64 now = clib_cpu_time_now ();
   if (admin_up_down)
     {
       BFD_DBG ("Session set admin-up, bs-idx=%u", bs->bs_idx);
       bfd_set_state (bm, bs, BFD_STATE_down, 0);
       bfd_set_diag (bs, BFD_DIAG_CODE_no_diag);
+      bfd_calc_next_tx (bm, bs, now);
+      bfd_set_timer (bm, bs, now, 0);
     }
   else
     {
       BFD_DBG ("Session set admin-down, bs-idx=%u", bs->bs_idx);
       bfd_set_diag (bs, BFD_DIAG_CODE_admin_down);
       bfd_set_state (bm, bs, BFD_STATE_admin_down, 0);
+      bfd_calc_next_tx (bm, bs, now);
+      bfd_set_timer (bm, bs, now, 0);
     }
 }
 
@@ -515,7 +502,7 @@ bfd_on_state_change (bfd_main_t * bm, bfd_session_t * bs, u64 now,
                                        clib_max
                                        (bs->config_desired_min_tx_clocks,
                                         bm->default_desired_min_tx_clocks));
-      bfd_set_effective_required_min_rx (bm, bs, now,
+      bfd_set_effective_required_min_rx (bm, bs,
                                         bs->config_required_min_rx_clocks);
       bfd_set_timer (bm, bs, now, handling_wakeup);
       break;
@@ -525,7 +512,7 @@ bfd_on_state_change (bfd_main_t * bm, bfd_session_t * bs, u64 now,
                                        clib_max
                                        (bs->config_desired_min_tx_clocks,
                                         bm->default_desired_min_tx_clocks));
-      bfd_set_effective_required_min_rx (bm, bs, now,
+      bfd_set_effective_required_min_rx (bm, bs,
                                         bs->config_required_min_rx_clocks);
       bfd_set_timer (bm, bs, now, handling_wakeup);
       break;
@@ -540,7 +527,7 @@ bfd_on_state_change (bfd_main_t * bm, bfd_session_t * bs, u64 now,
                                        bs->config_desired_min_tx_clocks);
       if (BFD_POLL_NOT_NEEDED == bs->poll_state)
        {
-         bfd_set_effective_required_min_rx (bm, bs, now,
+         bfd_set_effective_required_min_rx (bm, bs,
                                             bs->config_required_min_rx_clocks);
        }
       bfd_set_timer (bm, bs, now, handling_wakeup);
@@ -566,51 +553,70 @@ bfd_on_config_change (vlib_main_t * vm, vlib_node_runtime_t * rt,
 }
 
 static void
-bfd_add_transport_layer (vlib_main_t * vm, vlib_buffer_t * b,
-                        bfd_session_t * bs)
+bfd_add_transport_layer (vlib_main_t * vm, u32 bi, bfd_session_t * bs)
+{
+  switch (bs->transport)
+    {
+    case BFD_TRANSPORT_UDP4:
+      BFD_DBG ("Transport bfd via udp4, bs_idx=%u", bs->bs_idx);
+      bfd_add_udp4_transport (vm, bi, bs, 0 /* is_echo */ );
+      break;
+    case BFD_TRANSPORT_UDP6:
+      BFD_DBG ("Transport bfd via udp6, bs_idx=%u", bs->bs_idx);
+      bfd_add_udp6_transport (vm, bi, bs, 0 /* is_echo */ );
+      break;
+    }
+}
+
+static int
+bfd_transport_control_frame (vlib_main_t * vm, u32 bi, bfd_session_t * bs)
 {
   switch (bs->transport)
     {
     case BFD_TRANSPORT_UDP4:
       BFD_DBG ("Transport bfd via udp4, bs_idx=%u", bs->bs_idx);
-      bfd_add_udp4_transport (vm, b, bs, 0 /* is_echo */ );
+      return bfd_transport_udp4 (vm, bi, bs);
       break;
     case BFD_TRANSPORT_UDP6:
       BFD_DBG ("Transport bfd via udp6, bs_idx=%u", bs->bs_idx);
-      bfd_add_udp6_transport (vm, b, bs, 0 /* is_echo */ );
+      return bfd_transport_udp6 (vm, bi, bs);
       break;
     }
+  return 0;
 }
 
 static int
-bfd_echo_add_transport_layer (vlib_main_t * vm, vlib_buffer_t * b,
-                             bfd_session_t * bs)
+bfd_echo_add_transport_layer (vlib_main_t * vm, u32 bi, bfd_session_t * bs)
 {
   switch (bs->transport)
     {
     case BFD_TRANSPORT_UDP4:
       BFD_DBG ("Transport bfd echo via udp4, bs_idx=%u", bs->bs_idx);
-      return bfd_add_udp4_transport (vm, b, bs, 1 /* is_echo */ );
+      return bfd_add_udp4_transport (vm, bi, bs, 1 /* is_echo */ );
       break;
     case BFD_TRANSPORT_UDP6:
       BFD_DBG ("Transport bfd echo via udp6, bs_idx=%u", bs->bs_idx);
-      return bfd_add_udp6_transport (vm, b, bs, 1 /* is_echo */ );
+      return bfd_add_udp6_transport (vm, bi, bs, 1 /* is_echo */ );
       break;
     }
   return 0;
 }
 
-static void
-bfd_create_frame_to_next_node (vlib_main_t * vm, bfd_session_t * bs, u32 bi)
+static int
+bfd_transport_echo (vlib_main_t * vm, u32 bi, bfd_session_t * bs)
 {
-
-  vlib_frame_t *f =
-    vlib_get_frame_to_node (vm, bfd_node_index_by_transport[bs->transport]);
-
-  u32 *to_next = vlib_frame_vector_args (f);
-  to_next[0] = bi;
-  f->n_vectors = 1;
-  vlib_put_frame_to_node (vm, bfd_node_index_by_transport[bs->transport], f);
+  switch (bs->transport)
+    {
+    case BFD_TRANSPORT_UDP4:
+      BFD_DBG ("Transport bfd echo via udp4, bs_idx=%u", bs->bs_idx);
+      return bfd_transport_udp4 (vm, bi, bs);
+      break;
+    case BFD_TRANSPORT_UDP6:
+      BFD_DBG ("Transport bfd echo via udp6, bs_idx=%u", bs->bs_idx);
+      return bfd_transport_udp6 (vm, bi, bs);
+      break;
+    }
+  return 0;
 }
 
 #if WITH_LIBSSL > 0
@@ -710,7 +716,7 @@ bfd_init_control_frame (bfd_main_t * bm, bfd_session_t * bs,
   bfd_pkt_set_diag_code (pkt, bs->local_diag);
   bfd_pkt_set_state (pkt, bs->local_state);
   pkt->head.detect_mult = bs->local_detect_mult;
-  pkt->head.length = clib_host_to_net_u32 (bfd_length);
+  pkt->head.length = bfd_length;
   pkt->my_disc = bs->local_discr;
   pkt->your_disc = bs->remote_discr;
   pkt->des_min_tx = clib_host_to_net_u32 (bs->config_desired_min_tx_usec);
@@ -731,8 +737,7 @@ bfd_init_control_frame (bfd_main_t * bm, bfd_session_t * bs,
 
 static void
 bfd_send_echo (vlib_main_t * vm, vlib_node_runtime_t * rt,
-              bfd_main_t * bm, bfd_session_t * bs, u64 now,
-              int handling_wakeup)
+              bfd_main_t * bm, bfd_session_t * bs, u64 now)
 {
   if (!bfd_is_echo_possible (bs))
     {
@@ -740,7 +745,8 @@ bfd_send_echo (vlib_main_t * vm, vlib_node_runtime_t * rt,
       bs->echo = 0;
       return;
     }
-  /* sometimes the wheel expires an event a bit sooner than requested, account
+  /* sometimes the wheel expires an event a bit sooner than requested,
+     account
      for that here */
   if (now + bm->wheel_inaccuracy >= bs->echo_tx_timeout_clocks)
     {
@@ -753,6 +759,8 @@ bfd_send_echo (vlib_main_t * vm, vlib_node_runtime_t * rt,
        }
       vlib_buffer_t *b = vlib_get_buffer (vm, bi);
       ASSERT (b->current_data == 0);
+      memset (vnet_buffer (b), 0, sizeof (*vnet_buffer (b)));
+      VLIB_BUFFER_TRACE_TRAJECTORY_INIT (b);
       bfd_echo_pkt_t *pkt = vlib_buffer_get_current (b);
       memset (pkt, 0, sizeof (*pkt));
       pkt->discriminator = bs->local_discr;
@@ -762,7 +770,14 @@ bfd_send_echo (vlib_main_t * vm, vlib_node_runtime_t * rt,
        bfd_calc_echo_checksum (bs->local_discr, pkt->expire_time_clocks,
                                bs->echo_secret);
       b->current_length = sizeof (*pkt);
-      if (!bfd_echo_add_transport_layer (vm, b, bs))
+      if (!bfd_echo_add_transport_layer (vm, bi, bs))
+       {
+         BFD_ERR ("cannot send echo packet out, turning echo off");
+         bs->echo = 0;
+         vlib_buffer_free_one (vm, bi);
+         return;
+       }
+      if (!bfd_transport_echo (vm, bi, bs))
        {
          BFD_ERR ("cannot send echo packet out, turning echo off");
          bs->echo = 0;
@@ -771,7 +786,6 @@ bfd_send_echo (vlib_main_t * vm, vlib_node_runtime_t * rt,
        }
       bs->echo_last_tx_clocks = now;
       bfd_calc_next_echo_tx (bm, bs, now);
-      bfd_create_frame_to_next_node (vm, bs, bi);
     }
   else
     {
@@ -783,8 +797,7 @@ bfd_send_echo (vlib_main_t * vm, vlib_node_runtime_t * rt,
 
 static void
 bfd_send_periodic (vlib_main_t * vm, vlib_node_runtime_t * rt,
-                  bfd_main_t * bm, bfd_session_t * bs, u64 now,
-                  int handling_wakeup)
+                  bfd_main_t * bm, bfd_session_t * bs, u64 now)
 {
   if (!bs->remote_min_rx_usec && BFD_POLL_NOT_NEEDED == bs->poll_state)
     {
@@ -804,8 +817,10 @@ bfd_send_periodic (vlib_main_t * vm, vlib_node_runtime_t * rt,
       BFD_DBG ("Remote demand is set, not sending periodic control frame");
       return;
     }
-  /* sometimes the wheel expires an event a bit sooner than requested, account
-     for that here */
+  /*
+   * sometimes the wheel expires an event a bit sooner than requested, account
+   * for that here
+   */
   if (now + bm->wheel_inaccuracy >= bs->tx_timeout_clocks)
     {
       BFD_DBG ("\nSending periodic control frame: %U", format_bfd_session,
@@ -818,6 +833,8 @@ bfd_send_periodic (vlib_main_t * vm, vlib_node_runtime_t * rt,
        }
       vlib_buffer_t *b = vlib_get_buffer (vm, bi);
       ASSERT (b->current_data == 0);
+      memset (vnet_buffer (b), 0, sizeof (*vnet_buffer (b)));
+      VLIB_BUFFER_TRACE_TRAJECTORY_INIT (b);
       bfd_init_control_frame (bm, bs, b);
       switch (bs->poll_state)
        {
@@ -843,10 +860,13 @@ bfd_send_periodic (vlib_main_t * vm, vlib_node_runtime_t * rt,
          break;
        }
       bfd_add_auth_section (b, bs);
-      bfd_add_transport_layer (vm, b, bs);
+      bfd_add_transport_layer (vm, bi, bs);
+      if (!bfd_transport_control_frame (vm, bi, bs))
+       {
+         vlib_buffer_free_one (vm, bi);
+       }
       bs->last_tx_clocks = now;
       bfd_calc_next_tx (bm, bs, now);
-      bfd_create_frame_to_next_node (vm, bs, bi);
     }
   else
     {
@@ -858,13 +878,15 @@ bfd_send_periodic (vlib_main_t * vm, vlib_node_runtime_t * rt,
 
 void
 bfd_init_final_control_frame (vlib_main_t * vm, vlib_buffer_t * b,
-                             bfd_main_t * bm, bfd_session_t * bs)
+                             bfd_main_t * bm, bfd_session_t * bs,
+                             int is_local)
 {
   BFD_DBG ("Send final control frame for bs_idx=%lu", bs->bs_idx);
   bfd_init_control_frame (bm, bs, b);
   bfd_pkt_set_final (vlib_buffer_get_current (b));
   bfd_add_auth_section (b, bs);
-  bfd_add_transport_layer (vm, b, bs);
+  u32 bi = vlib_get_buffer_index (vm, b);
+  bfd_add_transport_layer (vm, bi, bs);
   bs->last_tx_clocks = clib_cpu_time_now ();
   /*
    * RFC allows to include changes in final frame, so if there were any
@@ -877,8 +899,10 @@ static void
 bfd_check_rx_timeout (bfd_main_t * bm, bfd_session_t * bs, u64 now,
                      int handling_wakeup)
 {
-  /* sometimes the wheel expires an event a bit sooner than requested, account
-     for that here */
+  /*
+   * sometimes the wheel expires an event a bit sooner than requested, account
+   * for that here
+   */
   if (bs->last_rx_clocks + bs->detection_time_clocks <=
       now + bm->wheel_inaccuracy)
     {
@@ -913,14 +937,14 @@ bfd_on_timeout (vlib_main_t * vm, vlib_node_runtime_t * rt, bfd_main_t * bm,
   switch (bs->local_state)
     {
     case BFD_STATE_admin_down:
-      bfd_send_periodic (vm, rt, bm, bs, now, 1);
+      bfd_send_periodic (vm, rt, bm, bs, now);
       break;
     case BFD_STATE_down:
-      bfd_send_periodic (vm, rt, bm, bs, now, 1);
+      bfd_send_periodic (vm, rt, bm, bs, now);
       break;
     case BFD_STATE_init:
       bfd_check_rx_timeout (bm, bs, now, 1);
-      bfd_send_periodic (vm, rt, bm, bs, now, 1);
+      bfd_send_periodic (vm, rt, bm, bs, now);
       break;
     case BFD_STATE_up:
       bfd_check_rx_timeout (bm, bs, now, 1);
@@ -932,16 +956,16 @@ bfd_on_timeout (vlib_main_t * vm, vlib_node_runtime_t * rt, bfd_main_t * bm,
          bs->echo = 1;
          bs->echo_last_rx_clocks = now;
          bs->echo_tx_timeout_clocks = now;
-         bfd_set_effective_required_min_rx (bm, bs, now,
+         bfd_set_effective_required_min_rx (bm, bs,
                                             clib_max
                                             (bm->min_required_min_rx_while_echo_clocks,
                                              bs->config_required_min_rx_clocks));
          bfd_set_poll_state (bs, BFD_POLL_NEEDED);
        }
-      bfd_send_periodic (vm, rt, bm, bs, now, 1);
+      bfd_send_periodic (vm, rt, bm, bs, now);
       if (bs->echo)
        {
-         bfd_send_echo (vm, rt, bm, bs, now, 1);
+         bfd_send_echo (vm, rt, bm, bs, now);
        }
       break;
     }
@@ -1002,7 +1026,8 @@ bfd_process (vlib_main_t * vm, vlib_node_runtime_t * rt, vlib_frame_t * f)
            {
              bfd_session_t *bs =
                pool_elt_at_index (bm->sessions, *event_data);
-             bfd_send_periodic (vm, rt, bm, bs, now, 1);
+             bfd_send_periodic (vm, rt, bm, bs, now);
+             bfd_set_timer (bm, bs, now, 1);
            }
          else
            {
@@ -1119,14 +1144,6 @@ bfd_main_init (vlib_main_t * vm)
   const u64 now = clib_cpu_time_now ();
   timing_wheel_init (&bm->wheel, now, bm->cpu_cps);
   bm->wheel_inaccuracy = 2 << bm->wheel.log2_clocks_per_bin;
-
-  vlib_node_t *node = NULL;
-#define F(t, n)                                                 \
-  node = vlib_get_node_by_name (vm, (u8 *)n);                   \
-  bfd_node_index_by_transport[BFD_TRANSPORT_##t] = node->index; \
-  BFD_DBG ("node '%s' has index %u", n, node->index);
-  foreach_bfd_transport (F);
-#undef F
   return 0;
 }
 
@@ -1561,7 +1578,7 @@ void
 bfd_consume_pkt (bfd_main_t * bm, const bfd_pkt_t * pkt, u32 bs_idx)
 {
   bfd_session_t *bs = bfd_find_session_by_idx (bm, bs_idx);
-  if (!bs)
+  if (!bs || (pkt->your_disc && pkt->your_disc != bs->local_discr))
     {
       return;
     }
@@ -1569,6 +1586,7 @@ bfd_consume_pkt (bfd_main_t * bm, const bfd_pkt_t * pkt, u32 bs_idx)
   bs->remote_discr = pkt->my_disc;
   bs->remote_state = bfd_pkt_get_state (pkt);
   bs->remote_demand = bfd_pkt_get_demand (pkt);
+  bs->remote_diag = bfd_pkt_get_diag_code (pkt);
   u64 now = clib_cpu_time_now ();
   bs->last_rx_clocks = now;
   if (bfd_pkt_get_auth_present (pkt))
@@ -1611,8 +1629,6 @@ bfd_consume_pkt (bfd_main_t * bm, const bfd_pkt_t * pkt, u32 bs_idx)
   bfd_set_remote_required_min_echo_rx (bm, bs, now,
                                       clib_net_to_host_u32
                                       (pkt->req_min_echo_rx));
-  /* FIXME 6.8.2 */
-  /* FIXME 6.8.4 */
   if (bfd_pkt_get_final (pkt))
     {
       if (BFD_POLL_IN_PROGRESS == bs->poll_state)
@@ -1621,7 +1637,7 @@ bfd_consume_pkt (bfd_main_t * bm, const bfd_pkt_t * pkt, u32 bs_idx)
          bfd_set_poll_state (bs, BFD_POLL_NOT_NEEDED);
          if (BFD_STATE_up == bs->local_state)
            {
-             bfd_set_effective_required_min_rx (bm, bs, now,
+             bfd_set_effective_required_min_rx (bm, bs,
                                                 clib_max (bs->echo *
                                                           bm->min_required_min_rx_while_echo_clocks,
                                                           bs->config_required_min_rx_clocks));
@@ -1661,10 +1677,12 @@ bfd_consume_pkt (bfd_main_t * bm, const bfd_pkt_t * pkt, u32 bs_idx)
     {
       if (BFD_STATE_down == bs->remote_state)
        {
+         bfd_set_diag (bs, BFD_DIAG_CODE_no_diag);
          bfd_set_state (bm, bs, BFD_STATE_init, 0);
        }
       else if (BFD_STATE_init == bs->remote_state)
        {
+         bfd_set_diag (bs, BFD_DIAG_CODE_no_diag);
          bfd_set_state (bm, bs, BFD_STATE_up, 0);
        }
     }
@@ -1673,6 +1691,7 @@ bfd_consume_pkt (bfd_main_t * bm, const bfd_pkt_t * pkt, u32 bs_idx)
       if (BFD_STATE_up == bs->remote_state ||
          BFD_STATE_init == bs->remote_state)
        {
+         bfd_set_diag (bs, BFD_DIAG_CODE_no_diag);
          bfd_set_state (bm, bs, BFD_STATE_up, 0);
        }
     }
@@ -1914,6 +1933,97 @@ bfd_session_set_params (bfd_main_t * bm, bfd_session_t * bs,
   return 0;
 }
 
+vnet_api_error_t
+bfd_auth_set_key (u32 conf_key_id, u8 auth_type, u8 key_len,
+                 const u8 * key_data)
+{
+#if WITH_LIBSSL > 0
+  bfd_auth_key_t *auth_key = NULL;
+  if (!key_len || key_len > bfd_max_key_len_for_auth_type (auth_type))
+    {
+      clib_warning ("Invalid authentication key length for auth_type=%d:%s "
+                   "(key_len=%u, must be "
+                   "non-zero, expected max=%u)",
+                   auth_type, bfd_auth_type_str (auth_type), key_len,
+                   (u32) bfd_max_key_len_for_auth_type (auth_type));
+      return VNET_API_ERROR_INVALID_VALUE;
+    }
+  if (!bfd_auth_type_supported (auth_type))
+    {
+      clib_warning ("Unsupported auth type=%d:%s", auth_type,
+                   bfd_auth_type_str (auth_type));
+      return VNET_API_ERROR_BFD_NOTSUPP;
+    }
+  bfd_main_t *bm = &bfd_main;
+  uword *key_idx_p = hash_get (bm->auth_key_by_conf_key_id, conf_key_id);
+  if (key_idx_p)
+    {
+      /* modifying existing key - must not be used */
+      const uword key_idx = *key_idx_p;
+      auth_key = pool_elt_at_index (bm->auth_keys, key_idx);
+      if (auth_key->use_count > 0)
+       {
+         clib_warning ("Authentication key with conf ID %u in use by %u BFD "
+                       "session(s) - cannot modify",
+                       conf_key_id, auth_key->use_count);
+         return VNET_API_ERROR_BFD_EINUSE;
+       }
+    }
+  else
+    {
+      /* adding new key */
+      pool_get (bm->auth_keys, auth_key);
+      auth_key->conf_key_id = conf_key_id;
+      hash_set (bm->auth_key_by_conf_key_id, conf_key_id,
+               auth_key - bm->auth_keys);
+    }
+  auth_key->auth_type = auth_type;
+  memset (auth_key->key, 0, sizeof (auth_key->key));
+  clib_memcpy (auth_key->key, key_data, key_len);
+  return 0;
+#else
+  clib_warning ("SSL missing, cannot manipulate authentication keys");
+  return VNET_API_ERROR_BFD_NOTSUPP;
+#endif
+}
+
+vnet_api_error_t
+bfd_auth_del_key (u32 conf_key_id)
+{
+#if WITH_LIBSSL > 0
+  bfd_auth_key_t *auth_key = NULL;
+  bfd_main_t *bm = &bfd_main;
+  uword *key_idx_p = hash_get (bm->auth_key_by_conf_key_id, conf_key_id);
+  if (key_idx_p)
+    {
+      /* deleting existing key - must not be used */
+      const uword key_idx = *key_idx_p;
+      auth_key = pool_elt_at_index (bm->auth_keys, key_idx);
+      if (auth_key->use_count > 0)
+       {
+         clib_warning ("Authentication key with conf ID %u in use by %u BFD "
+                       "session(s) - cannot delete",
+                       conf_key_id, auth_key->use_count);
+         return VNET_API_ERROR_BFD_EINUSE;
+       }
+      hash_unset (bm->auth_key_by_conf_key_id, conf_key_id);
+      memset (auth_key, 0, sizeof (*auth_key));
+      pool_put (bm->auth_keys, auth_key);
+    }
+  else
+    {
+      /* no such key */
+      clib_warning ("Authentication key with conf ID %u does not exist",
+                   conf_key_id);
+      return VNET_API_ERROR_BFD_ENOENT;
+    }
+  return 0;
+#else
+  clib_warning ("SSL missing, cannot manipulate authentication keys");
+  return VNET_API_ERROR_BFD_NOTSUPP;
+#endif
+}
+
 bfd_main_t bfd_main;
 
 /*
Vector Packet Processing