#define __IPSEC_SPD_SA_H__
#include <vlib/vlib.h>
+#include <vnet/crypto/crypto.h>
#include <vnet/ip/ip.h>
#include <vnet/fib/fib_node.h>
-
-#define IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE (64)
-
-#define foreach_ipsec_crypto_alg \
- _ (0, NONE, "none") \
- _ (1, AES_CBC_128, "aes-cbc-128") \
- _ (2, AES_CBC_192, "aes-cbc-192") \
- _ (3, AES_CBC_256, "aes-cbc-256") \
- _ (4, AES_CTR_128, "aes-ctr-128") \
- _ (5, AES_CTR_192, "aes-ctr-192") \
- _ (6, AES_CTR_256, "aes-ctr-256") \
- _ (7, AES_GCM_128, "aes-gcm-128") \
- _ (8, AES_GCM_192, "aes-gcm-192") \
- _ (9, AES_GCM_256, "aes-gcm-256") \
- _ (10, DES_CBC, "des-cbc") \
- _ (11, 3DES_CBC, "3des-cbc")
+#include <vnet/tunnel/tunnel.h>
+
+#define foreach_ipsec_crypto_alg \
+ _ (0, NONE, "none") \
+ _ (1, AES_CBC_128, "aes-cbc-128") \
+ _ (2, AES_CBC_192, "aes-cbc-192") \
+ _ (3, AES_CBC_256, "aes-cbc-256") \
+ _ (4, AES_CTR_128, "aes-ctr-128") \
+ _ (5, AES_CTR_192, "aes-ctr-192") \
+ _ (6, AES_CTR_256, "aes-ctr-256") \
+ _ (7, AES_GCM_128, "aes-gcm-128") \
+ _ (8, AES_GCM_192, "aes-gcm-192") \
+ _ (9, AES_GCM_256, "aes-gcm-256") \
+ _ (10, DES_CBC, "des-cbc") \
+ _ (11, 3DES_CBC, "3des-cbc") \
+ _ (12, CHACHA20_POLY1305, "chacha20-poly1305")
typedef enum
{
foreach_ipsec_crypto_alg
#undef _
IPSEC_CRYPTO_N_ALG,
-} ipsec_crypto_alg_t;
+} __clib_packed ipsec_crypto_alg_t;
+
+#define IPSEC_CRYPTO_ALG_IS_GCM(_alg) \
+ (((_alg == IPSEC_CRYPTO_ALG_AES_GCM_128) || \
+ (_alg == IPSEC_CRYPTO_ALG_AES_GCM_192) || \
+ (_alg == IPSEC_CRYPTO_ALG_AES_GCM_256)))
+
+#define IPSEC_CRYPTO_ALG_IS_CTR(_alg) \
+ (((_alg == IPSEC_CRYPTO_ALG_AES_CTR_128) || \
+ (_alg == IPSEC_CRYPTO_ALG_AES_CTR_192) || \
+ (_alg == IPSEC_CRYPTO_ALG_AES_CTR_256)))
+
+#define IPSEC_CRYPTO_ALG_CTR_AEAD_OTHERS(_alg) \
+ (_alg == IPSEC_CRYPTO_ALG_CHACHA20_POLY1305)
#define foreach_ipsec_integ_alg \
_ (0, NONE, "none") \
foreach_ipsec_integ_alg
#undef _
IPSEC_INTEG_N_ALG,
-} ipsec_integ_alg_t;
+} __clib_packed ipsec_integ_alg_t;
typedef enum
{
IPSEC_PROTOCOL_AH = 0,
IPSEC_PROTOCOL_ESP = 1
-} ipsec_protocol_t;
-
-#define IPSEC_N_PROTOCOLS (IPSEC_PROTOCOL_ESP+1)
+} __clib_packed ipsec_protocol_t;
#define IPSEC_KEY_MAX_LEN 128
typedef struct ipsec_key_t_
* else IPv4 tunnel only valid if is_tunnel is non-zero
* enable UDP encapsulation for NAT traversal
*/
-#define foreach_ipsec_sa_flags \
- _ (0, NONE, "none") \
- _ (1, USE_EXTENDED_SEQ_NUM, "esn") \
- _ (2, USE_ANTI_REPLAY, "anti-replay") \
- _ (4, IS_TUNNEL, "tunnel") \
- _ (8, IS_TUNNEL_V6, "tunnel-v6") \
- _ (16, UDP_ENCAP, "udp-encap") \
+#define foreach_ipsec_sa_flags \
+ _ (0, NONE, "none") \
+ _ (1, USE_ESN, "esn") \
+ _ (2, USE_ANTI_REPLAY, "anti-replay") \
+ _ (4, IS_TUNNEL, "tunnel") \
+ _ (8, IS_TUNNEL_V6, "tunnel-v6") \
+ _ (16, UDP_ENCAP, "udp-encap") \
+ _ (32, IS_PROTECT, "Protect") \
+ _ (64, IS_INBOUND, "inbound") \
+ _ (128, IS_AEAD, "aead") \
+ _ (256, IS_CTR, "ctr") \
+ _ (512, IS_ASYNC, "async") \
+ _ (1024, NO_ALGO_NO_DROP, "no-algo-no-drop")
typedef enum ipsec_sad_flags_t_
{
#undef _
} __clib_packed ipsec_sa_flags_t;
-STATIC_ASSERT (sizeof (ipsec_sa_flags_t) == 1, "IPSEC SA flags > 1 byte");
+STATIC_ASSERT (sizeof (ipsec_sa_flags_t) == 2, "IPSEC SA flags != 2 byte");
typedef struct
{
ipsec_sa_flags_t flags;
u8 crypto_iv_size;
- u8 crypto_block_size;
- u8 integ_trunc_size;
+ u8 esp_block_align;
+ u8 integ_icv_size;
+
+ u8 __pad1[3];
+
+ u32 thread_index;
+
u32 spi;
u32 seq;
u32 seq_hi;
- u32 last_seq;
- u32 last_seq_hi;
u64 replay_window;
+ u64 iv_counter;
+ dpo_id_t dpo;
- vnet_crypto_op_type_t crypto_enc_op_type;
- vnet_crypto_op_type_t crypto_dec_op_type;
- vnet_crypto_op_type_t integ_op_type;
+ vnet_crypto_key_index_t crypto_key_index;
+ vnet_crypto_key_index_t integ_key_index;
- dpo_id_t dpo[IPSEC_N_PROTOCOLS];
+ /* Union data shared by sync and async ops, updated when mode is
+ * changed. */
+ union
+ {
+ struct
+ {
+ vnet_crypto_op_id_t crypto_enc_op_id:16;
+ vnet_crypto_op_id_t crypto_dec_op_id:16;
+ vnet_crypto_op_id_t integ_op_id:16;
+ };
- /* data accessed by dataplane code should be above this comment */
- CLIB_CACHE_LINE_ALIGN_MARK (cacheline1);
+ struct
+ {
+ vnet_crypto_async_op_id_t crypto_async_enc_op_id:16;
+ vnet_crypto_async_op_id_t crypto_async_dec_op_id:16;
+ vnet_crypto_key_index_t linked_key_index;
+ };
+
+ u64 crypto_op_data;
+ };
+
+ CLIB_CACHE_LINE_ALIGN_MARK (cacheline1);
union
{
};
udp_header_t udp_hdr;
+ /* Salt used in CTR modes (incl. GCM) - stored in network byte order */
+ u32 salt;
- fib_node_t node;
- u32 id;
- u32 stat_index;
ipsec_protocol_t protocol;
+ tunnel_encap_decap_flags_t tunnel_flags;
+ u8 __pad[2];
- ipsec_crypto_alg_t crypto_alg;
- ipsec_key_t crypto_key;
+ /* data accessed by dataplane code should be above this comment */
+ CLIB_CACHE_LINE_ALIGN_MARK (cacheline2);
- ipsec_integ_alg_t integ_alg;
- ipsec_key_t integ_key;
+ /* Elements with u64 size multiples */
+ union
+ {
+ struct
+ {
+ vnet_crypto_op_id_t crypto_enc_op_id:16;
+ vnet_crypto_op_id_t crypto_dec_op_id:16;
+ vnet_crypto_op_id_t integ_op_id:16;
+ };
+ u64 data;
+ } sync_op_data;
- ip46_address_t tunnel_src_addr;
- ip46_address_t tunnel_dst_addr;
+ union
+ {
+ struct
+ {
+ vnet_crypto_async_op_id_t crypto_async_enc_op_id:16;
+ vnet_crypto_async_op_id_t crypto_async_dec_op_id:16;
+ vnet_crypto_key_index_t linked_key_index;
+ };
+ u64 data;
+ } async_op_data;
- fib_node_index_t fib_entry_index;
- u32 sibling;
+ tunnel_t tunnel;
- u32 tx_fib_index;
- u32 salt;
+ fib_node_t node;
- /* runtime */
+ /* elements with u32 size */
+ u32 id;
+ u32 stat_index;
+ vnet_crypto_alg_t integ_calg;
+ vnet_crypto_alg_t crypto_calg;
+
+ /* else u8 packed */
+ ipsec_crypto_alg_t crypto_alg;
+ ipsec_integ_alg_t integ_alg;
+
+ ipsec_key_t integ_key;
+ ipsec_key_t crypto_key;
} ipsec_sa_t;
STATIC_ASSERT_OFFSET_OF (ipsec_sa_t, cacheline1, CLIB_CACHE_LINE_BYTES);
+STATIC_ASSERT_OFFSET_OF (ipsec_sa_t, cacheline2, 2 * CLIB_CACHE_LINE_BYTES);
+
+/**
+ * Pool of IPSec SAs
+ */
+extern ipsec_sa_t *ipsec_sa_pool;
+
+/*
+ * Ensure that the IPsec data does not overlap with the IP data in
+ * the buffer meta data
+ */
+STATIC_ASSERT (STRUCT_OFFSET_OF (vnet_buffer_opaque_t, ipsec.sad_index) ==
+ STRUCT_OFFSET_OF (vnet_buffer_opaque_t, ip.save_protocol),
+ "IPSec data is overlapping with IP data");
#define _(a,v,s) \
always_inline int \
}
foreach_ipsec_sa_flags
#undef _
+#define _(a,v,s) \
+ always_inline int \
+ ipsec_sa_unset_##v (ipsec_sa_t *sa) { \
+ return (sa->flags &= ~IPSEC_SA_FLAG_##v); \
+ }
+ foreach_ipsec_sa_flags
+#undef _
/**
* @brief
* SA packet & bytes counters
*/
extern vlib_combined_counter_main_t ipsec_sa_counters;
+extern vlib_simple_counter_main_t ipsec_sa_lost_counters;
extern void ipsec_mk_key (ipsec_key_t * key, const u8 * data, u8 len);
-extern int ipsec_sa_add (u32 id,
- u32 spi,
- ipsec_protocol_t proto,
- ipsec_crypto_alg_t crypto_alg,
- const ipsec_key_t * ck,
- ipsec_integ_alg_t integ_alg,
- const ipsec_key_t * ik,
- ipsec_sa_flags_t flags,
- u32 tx_table_id,
- const ip46_address_t * tunnel_src_addr,
- const ip46_address_t * tunnel_dst_addr,
- u32 * sa_index);
-extern u32 ipsec_sa_del (u32 id);
-extern void ipsec_sa_stack (ipsec_sa_t * sa);
+extern int ipsec_sa_update (u32 id, u16 src_port, u16 dst_port,
+ const tunnel_t *tun, bool is_tun);
+extern int
+ipsec_sa_add_and_lock (u32 id, u32 spi, ipsec_protocol_t proto,
+ ipsec_crypto_alg_t crypto_alg, const ipsec_key_t *ck,
+ ipsec_integ_alg_t integ_alg, const ipsec_key_t *ik,
+ ipsec_sa_flags_t flags, u32 salt, u16 src_port,
+ u16 dst_port, const tunnel_t *tun, u32 *sa_out_index);
+extern index_t ipsec_sa_find_and_lock (u32 id);
+extern int ipsec_sa_unlock_id (u32 id);
+extern void ipsec_sa_unlock (index_t sai);
+extern void ipsec_sa_lock (index_t sai);
+extern void ipsec_sa_clear (index_t sai);
extern void ipsec_sa_set_crypto_alg (ipsec_sa_t * sa,
ipsec_crypto_alg_t crypto_alg);
extern void ipsec_sa_set_integ_alg (ipsec_sa_t * sa,
ipsec_integ_alg_t integ_alg);
-extern u8 ipsec_is_sa_used (u32 sa_index);
-extern int ipsec_set_sa_key (u32 id,
- const ipsec_key_t * ck, const ipsec_key_t * ik);
-extern u32 ipsec_get_sa_index_by_sa_id (u32 sa_id);
-
typedef walk_rc_t (*ipsec_sa_walk_cb_t) (ipsec_sa_t * sa, void *ctx);
extern void ipsec_sa_walk (ipsec_sa_walk_cb_t cd, void *ctx);
+extern u8 *format_ipsec_replay_window (u8 *s, va_list *args);
extern u8 *format_ipsec_crypto_alg (u8 * s, va_list * args);
extern u8 *format_ipsec_integ_alg (u8 * s, va_list * args);
extern u8 *format_ipsec_sa (u8 * s, va_list * args);
va_list * args);
extern uword unformat_ipsec_key (unformat_input_t * input, va_list * args);
+#define IPSEC_UDP_PORT_NONE ((u16)~0)
+
+/*
+ * Anti Replay definitions
+ */
+
+#define IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE (64)
+#define IPSEC_SA_ANTI_REPLAY_WINDOW_MAX_INDEX (IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE-1)
+
+/*
+ * sequence number less than the lower bound are outside of the window
+ * From RFC4303 Appendix A:
+ * Bl = Tl - W + 1
+ */
+#define IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND(_tl) (_tl - IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE + 1)
+
always_inline int
-ipsec_sa_anti_replay_check (ipsec_sa_t * sa, u32 * seqp)
+ipsec_sa_anti_replay_check (const ipsec_sa_t *sa, u32 seq)
{
- u32 seq, diff, tl, th;
- if ((sa->flags & IPSEC_SA_FLAG_USE_ANTI_REPLAY) == 0)
+ if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa) &&
+ sa->replay_window & (1ULL << (sa->seq - seq)))
+ return 1;
+ else
return 0;
+}
- seq = clib_net_to_host_u32 (*seqp);
+/*
+ * Anti replay check.
+ * inputs need to be in host byte order.
+ *
+ * The function runs in two contexts. pre and post decrypt.
+ * Pre-decrypt it:
+ * 1 - determines if a packet is a replay - a simple check in the window
+ * 2 - returns the hi-seq number that should be used to decrypt.
+ * post-decrypt:
+ * Checks whether the packet is a replay or falls out of window
+ *
+ * This funcion should be called even without anti-replay enabled to ensure
+ * the high sequence number is set.
+ */
+always_inline int
+ipsec_sa_anti_replay_and_sn_advance (const ipsec_sa_t *sa, u32 seq,
+ u32 hi_seq_used, bool post_decrypt,
+ u32 *hi_seq_req)
+{
+ ASSERT ((post_decrypt == false) == (hi_seq_req != 0));
- if ((sa->flags & IPSEC_SA_FLAG_USE_EXTENDED_SEQ_NUM) == 0)
+ if (!ipsec_sa_is_set_USE_ESN (sa))
{
+ if (hi_seq_req)
+ /* no ESN, therefore the hi-seq is always 0 */
+ *hi_seq_req = 0;
- if (PREDICT_TRUE (seq > sa->last_seq))
+ if (!ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
return 0;
- diff = sa->last_seq - seq;
+ if (PREDICT_TRUE (seq > sa->seq))
+ return 0;
+
+ u32 diff = sa->seq - seq;
if (IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE > diff)
- return (sa->replay_window & (1ULL << diff)) ? 1 : 0;
+ return ((sa->replay_window & (1ULL << diff)) ? 1 : 0);
else
return 1;
return 0;
}
- tl = sa->last_seq;
- th = sa->last_seq_hi;
- diff = tl - seq;
-
- if (PREDICT_TRUE (tl >= (IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE - 1)))
+ if (!ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
{
- if (seq >= (tl - IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE + 1))
+ /* there's no AR configured for this SA, but in order
+ * to know whether a packet has wrapped the hi ESN we need
+ * to know whether it is out of window. if we use the default
+ * lower bound then we are effectively forcing AR because
+ * out of window packets will get the increased hi seq number
+ * and will thus fail to decrypt. IOW we need a window to know
+ * if the SN has wrapped, but we don't want a window to check for
+ * anti replay. to resolve the contradiction we use a huge window.
+ * if the packet is not within 2^30 of the current SN, we'll consider
+ * it a wrap.
+ */
+ if (hi_seq_req)
{
- sa->seq_hi = th;
- if (seq <= tl)
- return (sa->replay_window & (1ULL << diff)) ? 1 : 0;
+ if (seq >= sa->seq)
+ /* The packet's sequence number is larger that the SA's.
+ * that can't be a warp - unless we lost more than
+ * 2^32 packets ... how could we know? */
+ *hi_seq_req = sa->seq_hi;
else
- return 0;
+ {
+ /* The packet's SN is less than the SAs, so either the SN has
+ * wrapped or the SN is just old. */
+ if (sa->seq - seq > (1 << 30))
+ /* It's really really really old => it wrapped */
+ *hi_seq_req = sa->seq_hi + 1;
+ else
+ *hi_seq_req = sa->seq_hi;
+ }
+ }
+ /*
+ * else
+ * this is post-decrpyt and since it decrypted we accept it
+ */
+ return 0;
+ }
+ if (PREDICT_TRUE (sa->seq >= (IPSEC_SA_ANTI_REPLAY_WINDOW_MAX_INDEX)))
+ {
+ /*
+ * the last sequence number VPP recieved is more than one
+ * window size greater than zero.
+ * Case A from RFC4303 Appendix A.
+ */
+ if (seq < IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND (sa->seq))
+ {
+ /*
+ * the received sequence number is lower than the lower bound
+ * of the window, this could mean either a replay packet or that
+ * the high sequence number has wrapped. if it decrypts corrently
+ * then it's the latter.
+ */
+ if (post_decrypt)
+ {
+ if (hi_seq_used == sa->seq_hi)
+ /* the high sequence number used to succesfully decrypt this
+ * packet is the same as the last-sequnence number of the SA.
+ * that means this packet did not cause a wrap.
+ * this packet is thus out of window and should be dropped */
+ return 1;
+ else
+ /* The packet decrypted with a different high sequence number
+ * to the SA, that means it is the wrap packet and should be
+ * accepted */
+ return 0;
+ }
+ else
+ {
+ /* pre-decrypt it might be the might that casues a wrap, we
+ * need to decrpyt to find out */
+ if (hi_seq_req)
+ *hi_seq_req = sa->seq_hi + 1;
+ return 0;
+ }
}
else
{
- sa->seq_hi = th + 1;
- return 0;
+ /*
+ * the recieved sequence number greater than the low
+ * end of the window.
+ */
+ if (hi_seq_req)
+ *hi_seq_req = sa->seq_hi;
+ if (seq <= sa->seq)
+ /*
+ * The recieved seq number is within bounds of the window
+ * check if it's a duplicate
+ */
+ return (ipsec_sa_anti_replay_check (sa, seq));
+ else
+ /*
+ * The received sequence number is greater than the window
+ * upper bound. this packet will move the window along, assuming
+ * it decrypts correctly.
+ */
+ return 0;
}
}
else
{
- if (seq >= (tl - IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE + 1))
+ /*
+ * the last sequence number VPP recieved is within one window
+ * size of zero, i.e. 0 < TL < WINDOW_SIZE, the lower bound is thus a
+ * large sequence number.
+ * Note that the check below uses unsiged integer arthimetic, so the
+ * RHS will be a larger number.
+ * Case B from RFC4303 Appendix A.
+ */
+ if (seq < IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND (sa->seq))
{
- sa->seq_hi = th - 1;
- return (sa->replay_window & (1ULL << diff)) ? 1 : 0;
+ /*
+ * the sequence number is less than the lower bound.
+ */
+ if (seq <= sa->seq)
+ {
+ /*
+ * the packet is within the window upper bound.
+ * check for duplicates.
+ */
+ if (hi_seq_req)
+ *hi_seq_req = sa->seq_hi;
+ return (ipsec_sa_anti_replay_check (sa, seq));
+ }
+ else
+ {
+ /*
+ * the packet is less the window lower bound or greater than
+ * the higher bound, depending on how you look at it...
+ * We're assuming, given that the last sequence number received,
+ * TL < WINDOW_SIZE, that a largeer seq num is more likely to be
+ * a packet that moves the window forward, than a packet that has
+ * wrapped the high sequence again. If it were the latter then
+ * we've lost close to 2^32 packets.
+ */
+ if (hi_seq_req)
+ *hi_seq_req = sa->seq_hi;
+ return 0;
+ }
}
else
{
- sa->seq_hi = th;
- if (seq <= tl)
- return (sa->replay_window & (1ULL << diff)) ? 1 : 0;
- else
- return 0;
+ /*
+ * the packet seq number is between the lower bound (a large nubmer)
+ * and MAX_SEQ_NUM. This is in the window since the window upper bound
+ * tl > 0.
+ * However, since TL is the other side of 0 to the received
+ * packet, the SA has moved on to a higher sequence number.
+ */
+ if (hi_seq_req)
+ *hi_seq_req = sa->seq_hi - 1;
+ return (ipsec_sa_anti_replay_check (sa, seq));
}
}
+ /* unhandled case */
+ ASSERT (0);
return 0;
}
-always_inline void
-ipsec_sa_anti_replay_advance (ipsec_sa_t * sa, u32 * seqp)
+always_inline u32
+ipsec_sa_anti_replay_window_shift (ipsec_sa_t *sa, u32 inc)
{
- u32 pos, seq;
- if (PREDICT_TRUE (sa->flags & IPSEC_SA_FLAG_USE_ANTI_REPLAY) == 0)
- return;
+ u32 n_lost = 0;
- seq = clib_host_to_net_u32 (*seqp);
- if (PREDICT_TRUE (sa->flags & IPSEC_SA_FLAG_USE_EXTENDED_SEQ_NUM))
+ if (inc < IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE)
{
- int wrap = sa->seq_hi - sa->last_seq_hi;
+ if (sa->seq > IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE)
+ {
+ /*
+ * count how many holes there are in the portion
+ * of the window that we will right shift of the end
+ * as a result of this increments
+ */
+ u64 mask = (((u64) 1 << inc) - 1) << (BITS (u64) - inc);
+ u64 old = sa->replay_window & mask;
+ /* the number of packets we saw in this section of the window */
+ u64 seen = count_set_bits (old);
+
+ /*
+ * the number we missed is the size of the window section
+ * minus the number we saw.
+ */
+ n_lost = inc - seen;
+ }
+ sa->replay_window = ((sa->replay_window) << inc) | 1;
+ }
+ else
+ {
+ /* holes in the replay window are lost packets */
+ n_lost = BITS (u64) - count_set_bits (sa->replay_window);
+
+ /* any sequence numbers that now fall outside the window
+ * are forever lost */
+ n_lost += inc - IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE;
+
+ sa->replay_window = 1;
+ }
+
+ return (n_lost);
+}
+
+/*
+ * Anti replay window advance
+ * inputs need to be in host byte order.
+ * This function both advances the anti-replay window and the sequence number
+ * We always need to move on the SN but the window updates are only needed
+ * if AR is on.
+ * However, updating the window is trivial, so we do it anyway to save
+ * the branch cost.
+ */
+always_inline u64
+ipsec_sa_anti_replay_advance (ipsec_sa_t *sa, u32 thread_index, u32 seq,
+ u32 hi_seq)
+{
+ u64 n_lost = 0;
+ u32 pos;
- if (wrap == 0 && seq > sa->last_seq)
+ if (ipsec_sa_is_set_USE_ESN (sa))
+ {
+ int wrap = hi_seq - sa->seq_hi;
+
+ if (wrap == 0 && seq > sa->seq)
{
- pos = seq - sa->last_seq;
- if (pos < IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE)
- sa->replay_window = ((sa->replay_window) << pos) | 1;
- else
- sa->replay_window = 1;
- sa->last_seq = seq;
+ pos = seq - sa->seq;
+ n_lost = ipsec_sa_anti_replay_window_shift (sa, pos);
+ sa->seq = seq;
}
else if (wrap > 0)
{
- pos = ~seq + sa->last_seq + 1;
- if (pos < IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE)
- sa->replay_window = ((sa->replay_window) << pos) | 1;
- else
- sa->replay_window = 1;
- sa->last_seq = seq;
- sa->last_seq_hi = sa->seq_hi;
+ pos = ~seq + sa->seq + 1;
+ n_lost = ipsec_sa_anti_replay_window_shift (sa, pos);
+ sa->seq = seq;
+ sa->seq_hi = hi_seq;
}
else if (wrap < 0)
{
- pos = ~seq + sa->last_seq + 1;
+ pos = ~seq + sa->seq + 1;
sa->replay_window |= (1ULL << pos);
}
else
{
- pos = sa->last_seq - seq;
+ pos = sa->seq - seq;
sa->replay_window |= (1ULL << pos);
}
}
else
{
- if (seq > sa->last_seq)
+ if (seq > sa->seq)
{
- pos = seq - sa->last_seq;
- if (pos < IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE)
- sa->replay_window = ((sa->replay_window) << pos) | 1;
- else
- sa->replay_window = 1;
- sa->last_seq = seq;
+ pos = seq - sa->seq;
+ n_lost = ipsec_sa_anti_replay_window_shift (sa, pos);
+ sa->seq = seq;
}
else
{
- pos = sa->last_seq - seq;
+ pos = sa->seq - seq;
sa->replay_window |= (1ULL << pos);
}
}
+
+ return n_lost;
+}
+
+
+/*
+ * Makes choice for thread_id should be assigned.
+ * if input ~0, gets random worker_id based on unix_time_now_nsec
+*/
+always_inline u32
+ipsec_sa_assign_thread (u32 thread_id)
+{
+ return ((thread_id) ? thread_id
+ : (unix_time_now_nsec () % vlib_num_workers ()) + 1);
+}
+
+always_inline ipsec_sa_t *
+ipsec_sa_get (u32 sa_index)
+{
+ return (pool_elt_at_index (ipsec_sa_pool, sa_index));
}
#endif /* __IPSEC_SPD_SA_H__ */