From: Zachary Leaf
Date: Tue, 26 Oct 2021 15:05:58 +0000 (-0500)
Subject: ipsec: input: drop by default for non-matching pkts
X-Git-Tag: v22.10-rc0~303
X-Git-Url: https://gerrit.fd.io/r/gitweb?a=commitdiff_plain;h=26fec718f2fa7913a484008fca7b1bc015c6efb5;hp=26fec718f2fa7913a484008fca7b1bc015c6efb5;p=vpp.git

ipsec: input: drop by default for non-matching pkts

As per IPSec RFC4301 [1], any non-matching packets should be dropped by
default. This is handled correctly in ipsec_output.c, however in
ipsec_input.c non-matching packets are allowed to pass as per a matched
BYPASS rule.

For full details, see:
https://lists.fd.io/g/vpp-dev/topic/ipsec_input_output_default/84943480

It appears the ipsec6_input_node only matches PROTECT policies. Until this
is extended to handle BYPASS + DISCARD, we may wish to not drop by default
here, since all IPv6 traffic not matching a PROTECT policy will be dropped.

[1]: https://datatracker.ietf.org/doc/html/rfc4301

Type: fix

Signed-off-by: Zachary Leaf
Change-Id: Iddbfd008dbe082486d1928f6a10ffbd83d859a20
---
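To make the behaviour difference concrete, the following is an added illustration written for this page; it is not VPP code and not the author's patch. It models an inbound SPD (security policy database) lookup for unprotected (plaintext) packets with a toy IPv4 5-tuple policy structure. All names (`spd_policy_t`, `spd_lookup`, `plaintext_accepted_legacy`, `plaintext_accepted_fixed`) and the sample policies and packets are constructed assumptions. The two decision functions differ only in what action is assumed when no policy matches: the pre-fix input path treats a miss as BYPASS, while RFC 4301 section 4.4.1 requires that inbound unprotected traffic be forwarded only on an explicit BYPASS match and discarded otherwise.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not VPP code: policy actions as in RFC 4301. */
typedef enum { SPD_PROTECT, SPD_BYPASS, SPD_DISCARD } spd_action_t;

/* One SPD entry: inclusive address ranges; proto 0 means "any". For inbound
 * traffic the local address is the packet destination and the remote address
 * is the packet source. Entries are ordered highest priority first. */
typedef struct {
  uint32_t laddr_start, laddr_stop;
  uint32_t raddr_start, raddr_stop;
  uint8_t proto;
  spd_action_t action;
} spd_policy_t;

typedef struct {
  uint32_t src, dst;
  uint8_t proto;
} pkt_t;

/* Build a host-order IPv4 address from dotted-quad octets. */
static uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d) {
  return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

static bool policy_matches(const spd_policy_t *p, const pkt_t *pkt) {
  if (pkt->dst < p->laddr_start || pkt->dst > p->laddr_stop) return false;
  if (pkt->src < p->raddr_start || pkt->src > p->raddr_stop) return false;
  if (p->proto != 0 && p->proto != pkt->proto) return false;
  return true;
}

/* First-match lookup; `no_match_action` is what a miss is treated as. */
static spd_action_t spd_lookup(const spd_policy_t *spd, size_t n,
                               const pkt_t *pkt, spd_action_t no_match_action) {
  for (size_t i = 0; i < n; i++)
    if (policy_matches(&spd[i], pkt)) return spd[i].action;
  return no_match_action;
}

/* Pre-fix behaviour described in the commit message: a packet that matches no
 * policy is passed as if a BYPASS rule had matched. */
bool plaintext_accepted_legacy(const spd_policy_t *spd, size_t n, const pkt_t *pkt) {
  return spd_lookup(spd, n, pkt, SPD_BYPASS) == SPD_BYPASS;
}

/* RFC 4301 behaviour: only an explicit BYPASS match lets plaintext through.
 * A miss, a DISCARD match, or a PROTECT match (plaintext that should have
 * arrived inside an SA) all result in a drop. */
bool plaintext_accepted_fixed(const spd_policy_t *spd, size_t n, const pkt_t *pkt) {
  return spd_lookup(spd, n, pkt, SPD_DISCARD) == SPD_BYPASS;
}

/* Constructed sample SPD: PROTECT the 10.0.1.0/24 peer, BYPASS ICMP to the
 * local host 10.0.0.1, DISCARD everything from 192.168.0.0/16. */
const spd_policy_t sample_spd[] = {
  { 0x0A000000u, 0x0A0000FFu, 0x0A000100u, 0x0A0001FFu, 0, SPD_PROTECT },
  { 0x0A000001u, 0x0A000001u, 0x00000000u, 0xFFFFFFFFu, 1, SPD_BYPASS },
  { 0x0A000000u, 0x0A0000FFu, 0xC0A80000u, 0xC0A8FFFFu, 0, SPD_DISCARD },
};
const size_t sample_spd_len = sizeof(sample_spd) / sizeof(sample_spd[0]);

/* Constructed packets: one per policy outcome plus one that matches nothing. */
pkt_t pkt_protect(void) { pkt_t p = { ip4(10, 0, 1, 5), ip4(10, 0, 0, 7), 6 }; return p; }
pkt_t pkt_bypass(void)  { pkt_t p = { ip4(172, 16, 0, 1), ip4(10, 0, 0, 1), 1 }; return p; }
pkt_t pkt_discard(void) { pkt_t p = { ip4(192, 168, 3, 4), ip4(10, 0, 0, 7), 17 }; return p; }
pkt_t pkt_nomatch(void) { pkt_t p = { ip4(172, 16, 0, 1), ip4(10, 0, 0, 7), 17 }; return p; }

int main(void) {
  pkt_t pkts[] = { pkt_protect(), pkt_bypass(), pkt_discard(), pkt_nomatch() };
  const char *names[] = { "protect", "bypass", "discard", "no-match" };
  for (size_t i = 0; i < 4; i++)
    printf("%-9s legacy=%s fixed=%s\n", names[i],
           plaintext_accepted_legacy(sample_spd, sample_spd_len, &pkts[i]) ? "pass" : "drop",
           plaintext_accepted_fixed(sample_spd, sample_spd_len, &pkts[i]) ? "pass" : "drop");
  return 0;
}
```

Only the last packet changes outcome between the two functions: it matches no entry, so the legacy path forwards it and the RFC-conformant path drops it. The IPv6 caveat in the commit message maps onto this model as an SPD containing only PROTECT entries, where switching the miss action to DISCARD would drop every plaintext IPv6 packet.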