X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;ds=sidebyside;f=src%2Fplugins%2Fikev2%2Fikev2.c;h=ea99e375ea01afde72441038a2a0a7630012be8b;hb=e5d34919b;hp=a647784e31cc8341c48e140d7be7b4f46bbd6d64;hpb=b05249b3b48ec61f5367518c0d0869328010df62;p=vpp.git diff --git a/src/plugins/ikev2/ikev2.c b/src/plugins/ikev2/ikev2.c index a647784e31c..ea99e375ea0 100644 --- a/src/plugins/ikev2/ikev2.c +++ b/src/plugins/ikev2/ikev2.c @@ -398,6 +398,8 @@ ikev2_complete_sa_data (ikev2_sa_t * sa, ikev2_sa_t * sai) sa->i_auth.key = _(sai->i_auth.key); sa->last_sa_init_req_packet_data = _(sai->last_sa_init_req_packet_data); sa->childs = _(sai->childs); + sa->udp_encap = sai->udp_encap; + sa->dst_port = sai->dst_port; #undef _ @@ -1377,6 +1379,11 @@ ikev2_sa_auth (ikev2_sa_t * sa) })); /* *INDENT-ON* */ + if (sel_p) + { + sa->udp_encap = sel_p->udp_encap; + sa->dst_port = sel_p->dst_port; + } vec_free (authmsg); if (sa->state == IKEV2_STATE_AUTHENTICATED) @@ -1496,6 +1503,9 @@ typedef struct ip46_address_t local_ip; ip46_address_t remote_ip; ipsec_key_t loc_ckey, rem_ckey, loc_ikey, rem_ikey; + u8 is_rekey; + u32 old_remote_sa_id; + u16 dst_port; } ikev2_add_ipsec_tunnel_args_t; static void @@ -1535,21 +1545,32 @@ ikev2_add_tunnel_from_main (ikev2_add_ipsec_tunnel_args_t * a) return; } + u32 *sas_in = NULL; + vec_add1 (sas_in, a->remote_sa_id); + if (a->is_rekey) + { + ipsec_tun_protect_del (sw_if_index, NULL); + + /* replace local SA immediately */ + ipsec_sa_unlock_id (a->local_sa_id); + + /* keep the old sa */ + vec_add1 (sas_in, a->old_remote_sa_id); + } + rv |= ipsec_sa_add_and_lock (a->local_sa_id, a->local_spi, IPSEC_PROTOCOL_ESP, a->encr_type, &a->loc_ckey, a->integ_type, &a->loc_ikey, a->flags, 0, a->salt_local, &a->local_ip, - &a->remote_ip, NULL); + &a->remote_ip, NULL, a->dst_port); rv |= ipsec_sa_add_and_lock (a->remote_sa_id, a->remote_spi, IPSEC_PROTOCOL_ESP, a->encr_type, &a->rem_ckey, a->integ_type, &a->rem_ikey, (a->flags | IPSEC_SA_FLAG_IS_INBOUND), 0, a->salt_remote, &a->remote_ip, - &a->local_ip, NULL); + &a->local_ip, NULL, a->dst_port); - u32 *sas_in = NULL; - vec_add1 (sas_in, a->remote_sa_id); rv |= ipsec_tun_protect_update (sw_if_index, NULL, a->local_sa_id, sas_in); } @@ -1558,7 +1579,7 @@ ikev2_create_tunnel_interface (vnet_main_t * vnm, u32 thread_index, ikev2_sa_t * sa, ikev2_child_sa_t * child, u32 sa_index, - u32 child_index) + u32 child_index, u8 is_rekey) { ikev2_main_t *km = &ikev2_main; ipsec_crypto_alg_t encr_type; @@ -1595,6 +1616,10 @@ ikev2_create_tunnel_interface (vnet_main_t * vnm, } a.flags = IPSEC_SA_FLAG_USE_ANTI_REPLAY; + a.flags |= IPSEC_SA_FLAG_IS_TUNNEL; + if (sa->udp_encap) + a.flags |= IPSEC_SA_FLAG_UDP_ENCAP; + a.is_rekey = is_rekey; tr = ikev2_sa_get_td_for_type (proposals, IKEV2_TRANSFORM_TYPE_ESN); if (tr && tr->esn_type) @@ -1749,10 +1774,36 @@ ikev2_create_tunnel_interface (vnet_main_t * vnm, child->local_sa_id = a.local_sa_id = ikev2_mk_local_sa_id (sa_index, child_index, thread_index); - child->remote_sa_id = - a.remote_sa_id = - ikev2_mk_remote_sa_id (sa_index, child_index, thread_index); + + u32 remote_sa_id = ikev2_mk_remote_sa_id (sa_index, child_index, + thread_index); + + if (is_rekey) + { + /* create a new remote SA ID to keep the old SA for a bit longer + * so the peer has some time to swap their SAs */ + + /* use most significat bit of child index part in id */ + u32 mask = 0x800; + if (sa->current_remote_id_mask) + { + sa->old_remote_id = a.old_remote_sa_id = remote_sa_id | mask; + sa->current_remote_id_mask = 0; + } + else + { + sa->old_remote_id = a.old_remote_sa_id = remote_sa_id; + sa->current_remote_id_mask = mask; + remote_sa_id |= mask; + } + sa->old_id_expiration = 3.0; + sa->old_remote_id_present = 1; + } + + child->remote_sa_id = a.remote_sa_id = remote_sa_id; + a.sw_if_index = (sa->is_tun_itf_set ? sa->tun_itf : ~0); + a.dst_port = sa->dst_port; vl_api_rpc_call_main_thread (ikev2_add_tunnel_from_main, (u8 *) & a, sizeof (a)); @@ -1768,6 +1819,15 @@ typedef struct u32 sw_if_index; } ikev2_del_ipsec_tunnel_args_t; +static_always_inline u32 +ikev2_flip_alternate_sa_bit (u32 id) +{ + u32 mask = 0x800; + if (mask & id) + return id & ~mask; + return id | mask; +} + static void ikev2_del_tunnel_from_main (ikev2_del_ipsec_tunnel_args_t * a) { @@ -1807,6 +1867,7 @@ ikev2_del_tunnel_from_main (ikev2_del_ipsec_tunnel_args_t * a) ipsec_sa_unlock_id (a->remote_sa_id); ipsec_sa_unlock_id (a->local_sa_id); + ipsec_sa_unlock_id (ikev2_flip_alternate_sa_bit (a->remote_sa_id)); if (ipip) ipip_del_tunnel (ipip->sw_if_index); @@ -2430,7 +2491,7 @@ ikev2_node_fn (vlib_main_t * vm, ikev2_create_tunnel_interface (km->vnet_main, thread_index, sa0, &sa0->childs[0], - p[0], 0); + p[0], 0, 0); } if (sa0->is_initiator) @@ -2561,7 +2622,8 @@ ikev2_node_fn (vlib_main_t * vm, ikev2_create_tunnel_interface (km->vnet_main, thread_index, sa0, child, p[0], - child - sa0->childs); + child - sa0->childs, + 1); } if (sa0->is_initiator) { @@ -2697,24 +2759,27 @@ ikev2_set_initiator_proposals (vlib_main_t * vm, ikev2_sa_t * sa, return r; } - /* Integrity */ - error = 1; - vec_foreach (td, km->supported_transforms) - { - if (td->type == IKEV2_TRANSFORM_TYPE_INTEG - && td->integ_type == ts->integ_alg) + if (IKEV2_TRANSFORM_ENCR_TYPE_AES_GCM_16 != ts->crypto_alg) + { + /* Integrity */ + error = 1; + vec_foreach (td, km->supported_transforms) { - vec_add1 (proposal->transforms, *td); - error = 0; - break; + if (td->type == IKEV2_TRANSFORM_TYPE_INTEG + && td->integ_type == ts->integ_alg) + { + vec_add1 (proposal->transforms, *td); + error = 0; + break; + } } - } - if (error) - { - ikev2_elog_error - ("Didn't find any supported algorithm for IKEV2_TRANSFORM_TYPE_INTEG"); - r = clib_error_return (0, "Unsupported algorithm"); - return r; + if (error) + { + ikev2_elog_error + ("Didn't find any supported algorithm for IKEV2_TRANSFORM_TYPE_INTEG"); + r = clib_error_return (0, "Unsupported algorithm"); + return r; + } } /* PRF */ @@ -2868,6 +2933,58 @@ ikev2_set_local_key (vlib_main_t * vm, u8 * file) return 0; } +static_always_inline vnet_api_error_t +ikev2_register_udp_port (ikev2_profile_t * p, u16 port) +{ + ikev2_main_t *km = &ikev2_main; + udp_dst_port_info_t *pi; + + uword *v = hash_get (km->udp_ports, port); + pi = udp_get_dst_port_info (&udp_main, port, UDP_IP4); + + if (v) + { + /* IKE already uses this port, only increment reference counter */ + ASSERT (pi); + v[0]++; + } + else + { + if (pi) + return VNET_API_ERROR_UDP_PORT_TAKEN; + + udp_register_dst_port (km->vlib_main, port, + ipsec4_tun_input_node.index, 1); + hash_set (km->udp_ports, port, 1); + } + p->dst_port = port; + return 0; +} + +static_always_inline void +ikev2_unregister_udp_port (ikev2_profile_t * p) +{ + ikev2_main_t *km = &ikev2_main; + uword *v; + + if (p->dst_port == IPSEC_UDP_PORT_NONE) + return; + + v = hash_get (km->udp_ports, p->dst_port); + if (!v) + return; + + v[0]--; + + if (v[0] == 0) + { + udp_unregister_dst_port (km->vlib_main, p->dst_port, 1); + hash_unset (km->udp_ports, p->dst_port); + } + + p->dst_port = IPSEC_UDP_PORT_NONE; +} + clib_error_t * ikev2_add_del_profile (vlib_main_t * vm, u8 * name, int is_add) { @@ -2882,6 +2999,7 @@ ikev2_add_del_profile (vlib_main_t * vm, u8 * name, int is_add) pool_get (km->profiles, p); clib_memset (p, 0, sizeof (*p)); p->name = vec_dup (name); + p->dst_port = IPSEC_UDP_PORT_NONE; p->responder.sw_if_index = ~0; p->tun_itf = ~0; uword index = p - km->profiles; @@ -2893,6 +3011,8 @@ ikev2_add_del_profile (vlib_main_t * vm, u8 * name, int is_add) if (!p) return clib_error_return (0, "policy %v does not exists", name); + ikev2_unregister_udp_port (p); + vec_free (p->name); pool_put (km->profiles, p); mhash_unset (&km->profile_index_by_name, name, 0); @@ -3101,6 +3221,55 @@ ikev2_set_profile_tunnel_interface (vlib_main_t * vm, return 0; } +vnet_api_error_t +ikev2_set_profile_ipsec_udp_port (vlib_main_t * vm, u8 * name, u16 port, + u8 is_set) +{ + ikev2_profile_t *p = ikev2_profile_index_by_name (name); + ikev2_main_t *km = &ikev2_main; + vnet_api_error_t rv = 0; + uword *v; + + if (!p) + return VNET_API_ERROR_INVALID_VALUE; + + if (is_set) + { + if (p->dst_port != IPSEC_UDP_PORT_NONE) + return VNET_API_ERROR_VALUE_EXIST; + + rv = ikev2_register_udp_port (p, port); + } + else + { + v = hash_get (km->udp_ports, port); + if (!v) + return VNET_API_ERROR_IKE_NO_PORT; + + if (p->dst_port == IPSEC_UDP_PORT_NONE) + return VNET_API_ERROR_INVALID_VALUE; + + ikev2_unregister_udp_port (p); + } + return rv; +} + +clib_error_t * +ikev2_set_profile_udp_encap (vlib_main_t * vm, u8 * name) +{ + ikev2_profile_t *p = ikev2_profile_index_by_name (name); + clib_error_t *r; + + if (!p) + { + r = clib_error_return (0, "unknown profile %v", name); + return r; + } + + p->udp_encap = 1; + return 0; +} + clib_error_t * ikev2_set_profile_sa_lifetime (vlib_main_t * vm, u8 * name, u64 lifetime, u32 jitter, u32 handover, @@ -3185,6 +3354,8 @@ ikev2_initiate_sa_init (vlib_main_t * vm, u8 * name) sa.is_profile_index_set = 1; sa.state = IKEV2_STATE_SA_INIT; sa.tun_itf = p->tun_itf; + sa.udp_encap = p->udp_encap; + sa.dst_port = p->dst_port; sa.is_tun_itf_set = 1; sa.initial_contact = 1; ikev2_generate_sa_init_data (&sa); @@ -3519,7 +3690,8 @@ ikev2_init (vlib_main_t * vm) mhash_init_vec_string (&km->profile_index_by_name, sizeof (uword)); - vec_validate (km->per_thread_data, tm->n_vlib_mains - 1); + vec_validate_aligned (km->per_thread_data, tm->n_vlib_mains - 1, + CLIB_CACHE_LINE_BYTES); for (thread_id = 0; thread_id < tm->n_vlib_mains - 1; thread_id++) { km->per_thread_data[thread_id].sa_by_rspi = @@ -3528,6 +3700,7 @@ ikev2_init (vlib_main_t * vm) km->sa_by_ispi = hash_create (0, sizeof (uword)); km->sw_if_indices = hash_create (0, 0); + km->udp_ports = hash_create (0, sizeof (uword)); udp_register_dst_port (vm, 500, ikev2_node.index, 1); @@ -3545,9 +3718,9 @@ VLIB_INIT_FUNCTION (ikev2_init) = }; /* *INDENT-ON* */ - static u8 -ikev2_mngr_process_child_sa (ikev2_sa_t * sa, ikev2_child_sa_t * csa) +ikev2_mngr_process_child_sa (ikev2_sa_t * sa, ikev2_child_sa_t * csa, + u8 del_old_ids) { ikev2_main_t *km = &ikev2_main; ikev2_profile_t *p = 0; @@ -3590,6 +3763,48 @@ ikev2_mngr_process_child_sa (ikev2_sa_t * sa, ikev2_child_sa_t * csa) } } + if (del_old_ids) + { + ipip_tunnel_t *ipip = NULL; + u32 sw_if_index = sa->is_tun_itf_set ? sa->tun_itf : ~0; + if (~0 == sw_if_index) + { + ip46_address_t local_ip; + ip46_address_t remote_ip; + if (sa->is_initiator) + { + ip46_address_set_ip4 (&local_ip, &sa->iaddr); + ip46_address_set_ip4 (&remote_ip, &sa->raddr); + } + else + { + ip46_address_set_ip4 (&local_ip, &sa->raddr); + ip46_address_set_ip4 (&remote_ip, &sa->iaddr); + } + + /* *INDENT-OFF* */ + ipip_tunnel_key_t key = { + .src = local_ip, + .dst = remote_ip, + .transport = IPIP_TRANSPORT_IP4, + .fib_index = 0, + }; + /* *INDENT-ON* */ + + ipip = ipip_tunnel_db_find (&key); + + if (ipip) + sw_if_index = ipip->sw_if_index; + else + return res; + } + + u32 *sas_in = NULL; + vec_add1 (sas_in, csa->remote_sa_id); + ipsec_tun_protect_update (sw_if_index, NULL, csa->local_sa_id, sas_in); + ipsec_sa_unlock_id (ikev2_flip_alternate_sa_bit (csa->remote_sa_id)); + } + return res; } @@ -3652,6 +3867,31 @@ ikev2_mngr_process_ipsec_sa (ipsec_sa_t * ipsec_sa) } } +static void +ikev2_process_pending_sa_init (ikev2_main_t * km) +{ + u32 sai; + u64 ispi; + ikev2_sa_t *sa; + + /* *INDENT-OFF* */ + hash_foreach (ispi, sai, km->sa_by_ispi, + ({ + sa = pool_elt_at_index (km->sais, sai); + u32 bi0; + if (vlib_buffer_alloc (km->vlib_main, &bi0, 1) != 1) + return; + + vlib_buffer_t * b = vlib_get_buffer (km->vlib_main, bi0); + clib_memcpy_fast (vlib_buffer_get_current (b), + sa->last_sa_init_req_packet_data, + vec_len (sa->last_sa_init_req_packet_data)); + ikev2_send_ike (km->vlib_main, &sa->iaddr, &sa->raddr, bi0, + vec_len (sa->last_sa_init_req_packet_data)); + })); + /* *INDENT-ON* */ +} + static vlib_node_registration_t ikev2_mngr_process_node; static uword @@ -3675,9 +3915,18 @@ ikev2_mngr_process_fn (vlib_main_t * vm, vlib_node_runtime_t * rt, /* *INDENT-OFF* */ pool_foreach (sa, tkm->sas, ({ ikev2_child_sa_t *c; + u8 del_old_ids = 0; + if (sa->old_remote_id_present && 0 > sa->old_id_expiration) + { + sa->old_remote_id_present = 0; + del_old_ids = 1; + } + else + sa->old_id_expiration -= 1; + vec_foreach (c, sa->childs) { - req_sent |= ikev2_mngr_process_child_sa(sa, c); + req_sent |= ikev2_mngr_process_child_sa(sa, c, del_old_ids); } })); /* *INDENT-ON* */ @@ -3691,6 +3940,8 @@ ikev2_mngr_process_fn (vlib_main_t * vm, vlib_node_runtime_t * rt, })); /* *INDENT-ON* */ + ikev2_process_pending_sa_init (km); + if (req_sent) { vlib_process_wait_for_event_or_clock (vm, 5);