1 /*
2  * ipsec_tun_protect_in.c : IPSec interface input node
3  *
4  * Copyright (c) 2015 Cisco and/or its affiliates.
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at:
8  *
9  *     http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  */
17
18 #include <vnet/vnet.h>
19 #include <vnet/api_errno.h>
20 #include <vnet/ip/ip.h>
21
22 #include <vnet/ipsec/ipsec.h>
23 #include <vnet/ipsec/esp.h>
24 #include <vnet/ipsec/ipsec_io.h>
25 #include <vnet/ipsec/ipsec_punt.h>
26 #include <vnet/ipsec/ipsec_tun.h>
27 #include <vnet/ip/ip4_input.h>
28
/*
 * Per-node counters (X-macro: symbol, display string). Despite the
 * "error" naming most of these are statistics: RX is the good-packet
 * count. DISABLED and TUNNEL_MISMATCH mark packets the node drops,
 * NO_TUNNEL and SPI_0 mark packets the node punts.
 */
#define foreach_ipsec_tun_protect_input_error                     \
  _(RX, "good packets received")                                  \
  _(DISABLED, "ipsec packets received on disabled interface")     \
  _(NO_TUNNEL, "no matching tunnel")                              \
  _(TUNNEL_MISMATCH, "SPI-tunnel mismatch")                       \
  _(SPI_0, "SPI 0")

/* display strings, in X-macro order; referenced by both node registrations */
static char *ipsec_tun_protect_input_error_strings[] = {
#define _(sym,string) string,
  foreach_ipsec_tun_protect_input_error
#undef _
};

/* IPSEC_TUN_PROTECT_INPUT_ERROR_<sym>, same order as the strings above
 * so node->errors[] can be indexed with these values */
typedef enum
{
#define _(sym,str) IPSEC_TUN_PROTECT_INPUT_ERROR_##sym,
  foreach_ipsec_tun_protect_input_error
#undef _
    /* number of entries; must equal ARRAY_LEN of the strings array */
    IPSEC_TUN_PROTECT_INPUT_N_ERROR,
} ipsec_tun_protect_input_error_t;
50
/*
 * Next-node indices for the tun-input nodes: the generic ipsec input
 * nexts (drop, punt, ...) followed by the tunnel decrypt node.
 *
 * NOTE(review): the processing loop returns IPSEC_INPUT_NEXT_DROP /
 * IPSEC_INPUT_NEXT_PUNT rather than the IPSEC_TUN_PROTECT_NEXT_* values
 * used in the node registrations; this only works while both enums are
 * generated from the same foreach_ipsec_input_next list in the same
 * order - keep them in step.
 */
typedef enum ipsec_tun_next_t_
{
#define _(v, s) IPSEC_TUN_PROTECT_NEXT_##v,
  foreach_ipsec_input_next
#undef _
    IPSEC_TUN_PROTECT_NEXT_DECRYPT,
  IPSEC_TUN_PROTECT_N_NEXT,
} ipsec_tun_next_t;

/* packet trace record; spi and seq are stored byte-swapped from the
 * wire values (see the trace00 label in the processing loop) */
typedef struct
{
  u32 spi;
  u32 seq;
} ipsec_tun_protect_input_trace_t;
65
/**
 * Format a trace record written by the ipsec[46]-tun-input nodes.
 *
 * Argument order follows the vlib trace-format convention: vlib_main_t *,
 * vlib_node_t *, then the trace record. The first two are consumed from
 * the va_list but not used.
 *
 * @param s     format buffer to append to
 * @param args  (vlib_main_t *, vlib_node_t *, ipsec_tun_protect_input_trace_t *)
 * @return      the extended format buffer
 */
static u8 *
format_ipsec_tun_protect_input_trace (u8 * s, va_list * args)
{
  CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
  CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
  const ipsec_tun_protect_input_trace_t *tr;

  tr = va_arg (*args, ipsec_tun_protect_input_trace_t *);

  /* spi/seq were byte-swapped by the node when the trace was added */
  return format (s, "IPSec: spi %u seq %u", tr->spi, tr->seq);
}
77
/**
 * Handle an IPv4 ESP packet for which no tun-protect entry matched.
 *
 * Sets the node error counter and the punt reason on the buffer and
 * returns the punt next-index. A zero SPI is counted separately (SPI_0)
 * and, when the packet was UDP encapsulated, punted with its own reason;
 * a zero SPI on a plain ESP packet shares the no-such-tunnel punt reason.
 *
 * @param node  runtime of the calling input node (for its error table)
 * @param b     buffer to mark
 * @param esp   ESP header already located by the caller
 * @param ip4   outer IPv4 header; only ->protocol is consulted
 * @return      IPSEC_INPUT_NEXT_PUNT
 */
always_inline u16
ipsec_ip4_if_no_tunnel (vlib_node_runtime_t * node,
                        vlib_buffer_t * b,
                        const esp_header_t * esp, const ip4_header_t * ip4)
{
  ipsec_tun_protect_input_error_t err =
    IPSEC_TUN_PROTECT_INPUT_ERROR_NO_TUNNEL;
  int punt = IPSEC_PUNT_IP4_NO_SUCH_TUNNEL;

  if (PREDICT_FALSE (esp->spi == 0))
    {
      err = IPSEC_TUN_PROTECT_INPUT_ERROR_SPI_0;
      /* four zero bytes after the UDP header: presumably the NAT-T
       * non-ESP marker, i.e. not an ESP packet at all - so it gets a
       * distinct punt reason from a plain unknown SPI */
      if (ip4->protocol == IP_PROTOCOL_UDP)
        punt = IPSEC_PUNT_IP4_SPI_UDP_0;
    }

  b->error = node->errors[err];
  b->punt_reason = ipsec_punt_reason[punt];

  return IPSEC_INPUT_NEXT_PUNT;
}
97
/**
 * Handle an IPv6 ESP packet for which no tun-protect entry matched.
 *
 * Counts it as NO_TUNNEL, stamps the IPv6 no-such-tunnel punt reason and
 * returns the punt next-index. Unlike the IPv4 variant there is no
 * SPI-0 / UDP-encapsulation distinction here, so @p esp is not read.
 *
 * @param node  runtime of the calling input node (for its error table)
 * @param b     buffer to mark
 * @param esp   ESP header located by the caller (unused)
 * @return      IPSEC_INPUT_NEXT_PUNT
 */
always_inline u16
ipsec_ip6_if_no_tunnel (vlib_node_runtime_t * node,
                        vlib_buffer_t * b, const esp_header_t * esp)
{
  const u16 next_index = IPSEC_INPUT_NEXT_PUNT;

  (void) esp;

  b->punt_reason = ipsec_punt_reason[IPSEC_PUNT_IP6_NO_SUCH_TUNNEL];
  b->error = node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_NO_TUNNEL];

  return next_index;
}
107
/**
 * Shared body of the ipsec4-tun-input and ipsec6-tun-input nodes.
 *
 * For each packet: locate the ESP header behind the outer IP header (and,
 * for IPv4 NAT-T, the UDP header), look the (remote-ip, spi) pair up in
 * the tun-protect hash, bind the buffer to the matching SA and tunnel
 * interface, check the outer addresses against the tunnel's crypto
 * endpoints, and hand it to the decrypt node. Packets with no matching
 * tunnel are punted; packets whose interface is admin-down or whose outer
 * addresses do not match are dropped.
 *
 * @param vm          vlib main
 * @param node        runtime of the calling node (error table, trace flag)
 * @param from_frame  frame of buffer indices to process
 * @param is_ip6      compile-time selector: non-zero for IPv6 outer headers
 * @return            number of packets processed (all of @p from_frame)
 */
always_inline uword
ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
                                vlib_frame_t * from_frame, int is_ip6)
{
  ipsec_main_t *im = &ipsec_main;
  vnet_main_t *vnm = im->vnet_main;
  vnet_interface_main_t *vim = &vnm->interface_main;

  int is_trace = node->flags & VLIB_NODE_FLAG_TRACE;
  u32 thread_index = vm->thread_index;

  u32 n_left_from, *from;
  u16 nexts[VLIB_FRAME_SIZE], *next;
  vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b;

  from = vlib_frame_vector_args (from_frame);
  n_left_from = from_frame->n_vectors;

  vlib_get_buffers (vm, from, bufs, n_left_from);
  b = bufs;
  next = nexts;

  /* Default next index. Every path through the loop below assigns next[0]
   * explicitly (decrypt, drop or punt), so this value - the v4 decrypt
   * index even when is_ip6 - is never actually consumed. */
  clib_memset_u16 (nexts, im->esp4_decrypt_next_index, n_left_from);

  /* rx totals for the tunnel interface currently being accumulated
   * (last_sw_if_index); flushed to the counter when the interface changes */
  u64 n_bytes = 0, n_packets = 0;
  u32 n_disabled = 0, n_no_tunnel = 0;

  /* one-entry cache of the previous lookup: consecutive packets with the
   * same (remote-ip, spi) key skip the hash lookup */
  u32 last_sw_if_index = ~0;
  ipsec_tun_lkup_result_t last_result = {
    .tun_index = ~0
  };
  ipsec4_tunnel_key_t last_key4;
  ipsec6_tunnel_key_t last_key6;

  vlib_combined_counter_main_t *rx_counter;
  vlib_combined_counter_main_t *drop_counter;
  ipsec_tun_protect_t *itp0;

  /* all-ones sentinel key so the first packet takes the lookup path */
  if (is_ip6)
    clib_memset (&last_key6, 0xff, sizeof (last_key6));
  else
    last_key4.as_u64 = ~0;

  rx_counter = vim->combined_sw_if_counters + VNET_INTERFACE_COUNTER_RX;
  drop_counter = vim->combined_sw_if_counters + VNET_INTERFACE_COUNTER_DROP;

  while (n_left_from > 0)
    {
      u32 sw_if_index0, len0, hdr_sz0;
      ipsec_tun_lkup_result_t itr0;
      ipsec4_tunnel_key_t key40;
      ipsec6_tunnel_key_t key60;
      ip4_header_t *ip40;
      ip6_header_t *ip60;
      esp_header_t *esp0;

      /* buffer current data points at the outer IP header */
      ip40 = vlib_buffer_get_current (b[0]);

      if (is_ip6)
        {
          ip60 = (ip6_header_t *) ip40;
          /* ESP is taken to follow the fixed IPv6 header directly;
           * extension headers are not walked here */
          esp0 = (esp_header_t *) (ip60 + 1);
          hdr_sz0 = sizeof (ip6_header_t);
        }
      else
        {
          /* NAT-T (UDP-encapsulated ESP, port 4500): ESP sits behind the
           * UDP header. hdr_sz0 = 0 so the buffer is NOT advanced below.
           * NOTE(review): only ip->protocol is tested; the UDP port is not
           * inspected in this node - presumably whatever steered the
           * packet here already did that. */
          if (ip40->protocol == IP_PROTOCOL_UDP)
            {
              esp0 =
                (esp_header_t *) ((u8 *) ip40 + ip4_header_bytes (ip40) +
                                  sizeof (udp_header_t));
              hdr_sz0 = 0;
            }
          else
            {
              esp0 = (esp_header_t *) ((u8 *) ip40 + ip4_header_bytes (ip40));
              hdr_sz0 = ip4_header_bytes (ip40);
            }
        }

      /* stats for the tunnel include all the data after the IP header,
         just like a normal IP-IP tunnel */
      vlib_buffer_advance (b[0], hdr_sz0);
      len0 = vlib_buffer_length_in_chain (vm, b[0]);

      /* key the tunnel lookup on (outer source address, SPI) */
      if (is_ip6)
        {
          key60.remote_ip = ip60->src_address;
          key60.spi = esp0->spi;

          if (memcmp (&key60, &last_key6, sizeof (last_key6)) == 0)
            {
              itr0 = last_result;
            }
          else
            {
              uword *p = hash_get_mem (im->tun6_protect_by_key, &key60);
              if (p)
                {
                  itr0.as_u64 = p[0];
                  last_result = itr0;
                  clib_memcpy_fast (&last_key6, &key60, sizeof (key60));
                }
              else
                {
                  /* no tunnel for this (peer, spi): punt, not drop */
                  next[0] = ipsec_ip6_if_no_tunnel (node, b[0], esp0);
                  n_no_tunnel++;
                  goto trace00;
                }
            }
        }
      else
        {
          key40.remote_ip = ip40->src_address.as_u32;
          key40.spi = esp0->spi;

          if (key40.as_u64 == last_key4.as_u64)
            {
              itr0 = last_result;
            }
          else
            {
              uword *p = hash_get (im->tun4_protect_by_key, key40.as_u64);
              if (p)
                {
                  itr0.as_u64 = p[0];
                  last_result = itr0;
                  last_key4.as_u64 = key40.as_u64;
                }
              else
                {
                  /* no tunnel for this (peer, spi): punt, not drop */
                  next[0] = ipsec_ip4_if_no_tunnel (node, b[0], esp0, ip40);
                  n_no_tunnel++;
                  goto trace00;
                }
            }
        }

      /* bind the buffer to the SA and tunnel the lookup resolved to;
       * the decrypt node reads these from the buffer opaque */
      itp0 = pool_elt_at_index (ipsec_protect_pool, itr0.tun_index);
      vnet_buffer (b[0])->ipsec.sad_index = itr0.sa_index;
      vnet_buffer (b[0])->ipsec.protect_index = itr0.tun_index;

      /* from here on the packet is received on the tunnel interface */
      sw_if_index0 = itp0->itp_sw_if_index;
      vnet_buffer (b[0])->sw_if_index[VLIB_RX] = sw_if_index0;

      if (PREDICT_FALSE (!vnet_sw_interface_is_admin_up (vnm, sw_if_index0)))
        {
          /* interface is down: account on its drop counter and drop */
          vlib_increment_combined_counter
            (drop_counter, thread_index, sw_if_index0, 1, len0);
          n_disabled++;
          b[0]->error = node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_DISABLED];
          next[0] = IPSEC_INPUT_NEXT_DROP;
          goto trace00;
        }
      else
        {
          if (PREDICT_TRUE (sw_if_index0 == last_sw_if_index))
            {
              n_packets++;
              n_bytes += len0;
            }
          else
            {
              /* interface changed: flush the totals accumulated for the
               * previous interface.
               * NOTE(review): the ENCAPED flag tested here belongs to the
               * *current* packet's tunnel (itp0), while the counter being
               * flushed is last_sw_if_index's - when the two differ the
               * test is made against the wrong tunnel. */
              if (n_packets && !(itp0->itp_flags & IPSEC_PROTECT_ENCAPED))
                {
                  vlib_increment_combined_counter
                    (rx_counter, thread_index, last_sw_if_index,
                     n_packets, n_bytes);
                }

              last_sw_if_index = sw_if_index0;
              n_packets = 1;
              n_bytes = len0;
            }

          /*
           * compare the packet's outer IP headers to those of the tunnel.
           * This ties the SPI to the configured peer: a packet carrying a
           * known SPI but arriving from / addressed to other endpoints is
           * dropped rather than handed to the SA.
           */
          if (is_ip6)
            {
              if (PREDICT_FALSE
                  (!ip46_address_is_equal_v6
                   (&itp0->itp_crypto.dst, &ip60->src_address)
                   || !ip46_address_is_equal_v6 (&itp0->itp_crypto.src,
                                                 &ip60->dst_address)))
                {
                  b[0]->error =
                    node->errors
                    [IPSEC_TUN_PROTECT_INPUT_ERROR_TUNNEL_MISMATCH];
                  next[0] = IPSEC_INPUT_NEXT_DROP;
                  goto trace00;
                }
            }
          else
            {
              if (PREDICT_FALSE
                  (!ip46_address_is_equal_v4
                   (&itp0->itp_crypto.dst, &ip40->src_address)
                   || !ip46_address_is_equal_v4 (&itp0->itp_crypto.src,
                                                 &ip40->dst_address)))
                {
                  b[0]->error =
                    node->errors
                    [IPSEC_TUN_PROTECT_INPUT_ERROR_TUNNEL_MISMATCH];
                  next[0] = IPSEC_INPUT_NEXT_DROP;
                  goto trace00;
                }
            }

          /*
           * There are two encap possibilities
           * 1) the tunnel and the SA are providing encap, i.e. it's
           *   MAC | SA-IP | TUN-IP | ESP | PAYLOAD
           * implying the SA is in tunnel mode (on a tunnel interface)
           * 2) only the tunnel provides encap
           *   MAC | TUN-IP | ESP | PAYLOAD
           * implying the SA is in transport mode.
           *
           * For 2) we need only strip the tunnel encap and we're good,
           * since the tunnel and crypto encap (in the tun-protect
           * object) are the same and we verified above that these match.
           * For 1) we need to strip the SA-IP outer headers to
           * reveal the tunnel IP and then check that this matches
           * the configured tunnel. This we can't do here since it
           * involves a lookup in the per-tunnel-type DB - so ship
           * the packet to the tunnel-type provided node to do that.
           */
          next[0] = IPSEC_TUN_PROTECT_NEXT_DECRYPT;
        }
    trace00:
      /* esp0 is assigned on every path before any goto lands here, so it
       * is valid for the no-tunnel and drop cases too */
      if (PREDICT_FALSE (is_trace))
        {
          if (b[0]->flags & VLIB_BUFFER_IS_TRACED)
            {
              ipsec_tun_protect_input_trace_t *tr =
                vlib_add_trace (vm, node, b[0], sizeof (*tr));
              tr->spi = clib_host_to_net_u32 (esp0->spi);
              tr->seq = clib_host_to_net_u32 (esp0->seq);
            }
        }

      /* next */
      b += 1;
      next += 1;
      n_left_from -= 1;
    }

  /* flush the totals for the last interface seen.
   * NOTE(review): as in the loop, itp0 is whichever tunnel the *last*
   * packet resolved to (it is set even for packets that then took the
   * admin-down drop), while n_packets/n_bytes belong to last_sw_if_index;
   * the ENCAPED test may therefore consult a different tunnel. n_packets
   * being non-zero guarantees itp0 was assigned at least once. */
  if (n_packets && !(itp0->itp_flags & IPSEC_PROTECT_ENCAPED))
    {
      vlib_increment_combined_counter (rx_counter,
                                       thread_index,
                                       last_sw_if_index, n_packets, n_bytes);
    }

  /* NOTE(review): only disabled and no-tunnel packets are excluded, so
   * TUNNEL_MISMATCH drops are still counted under "good packets received" */
  vlib_node_increment_counter (vm, node->node_index,
                               IPSEC_TUN_PROTECT_INPUT_ERROR_RX,
                               from_frame->n_vectors - (n_disabled +
                                                        n_no_tunnel));

  vlib_buffer_enqueue_to_next (vm, node, from, nexts, from_frame->n_vectors);

  return from_frame->n_vectors;
}
372
/**
 * ipsec4-tun-input: IPv4 instantiation of ipsec_tun_protect_input_inline.
 *
 * @return number of packets processed (all of @p from_frame)
 */
VLIB_NODE_FN (ipsec4_tun_input_node) (vlib_main_t * vm,
                                      vlib_node_runtime_t * node,
                                      vlib_frame_t * from_frame)
{
  const int is_ip6 = 0;

  return ipsec_tun_protect_input_inline (vm, node, from_frame, is_ip6);
}
380
/*
 * Node registration for the IPv4 tun-input node. n_errors / error_strings
 * come from the X-macro list at the top of the file; the next_nodes table
 * is indexed with IPSEC_TUN_PROTECT_NEXT_* although the processing loop
 * returns IPSEC_INPUT_NEXT_* for drop and punt - the two are expected to
 * line up.
 */
/* *INDENT-OFF* */
VLIB_REGISTER_NODE (ipsec4_tun_input_node) = {
  .name = "ipsec4-tun-input",
  .vector_size = sizeof (u32),
  .format_trace = format_ipsec_tun_protect_input_trace,
  .type = VLIB_NODE_TYPE_INTERNAL,
  .n_errors = ARRAY_LEN(ipsec_tun_protect_input_error_strings),
  .error_strings = ipsec_tun_protect_input_error_strings,
  .n_next_nodes = IPSEC_TUN_PROTECT_N_NEXT,
  .next_nodes = {
    /* admin-down interface and SPI-tunnel mismatch */
    [IPSEC_TUN_PROTECT_NEXT_DROP] = "ip4-drop",
    /* no matching tunnel / SPI 0: handed to the punt infrastructure */
    [IPSEC_TUN_PROTECT_NEXT_PUNT] = "punt-dispatch",
    /* matched tunnel: decrypt with the SA bound to the buffer */
    [IPSEC_TUN_PROTECT_NEXT_DECRYPT] = "esp4-decrypt-tun",
  }
};
/* *INDENT-ON* */
397
/**
 * ipsec6-tun-input: IPv6 instantiation of ipsec_tun_protect_input_inline.
 *
 * @return number of packets processed (all of @p from_frame)
 */
VLIB_NODE_FN (ipsec6_tun_input_node) (vlib_main_t * vm,
                                      vlib_node_runtime_t * node,
                                      vlib_frame_t * from_frame)
{
  const int is_ip6 = 1;

  return ipsec_tun_protect_input_inline (vm, node, from_frame, is_ip6);
}
405
/*
 * Node registration for the IPv6 tun-input node. Mirrors the IPv4
 * registration: same error table and trace formatter, v6 drop and
 * decrypt nodes as next hops.
 */
/* *INDENT-OFF* */
VLIB_REGISTER_NODE (ipsec6_tun_input_node) = {
  .name = "ipsec6-tun-input",
  .vector_size = sizeof (u32),
  .format_trace = format_ipsec_tun_protect_input_trace,
  .type = VLIB_NODE_TYPE_INTERNAL,
  .n_errors = ARRAY_LEN(ipsec_tun_protect_input_error_strings),
  .error_strings = ipsec_tun_protect_input_error_strings,
  .n_next_nodes = IPSEC_TUN_PROTECT_N_NEXT,
  .next_nodes = {
    /* admin-down interface and SPI-tunnel mismatch */
    [IPSEC_TUN_PROTECT_NEXT_DROP] = "ip6-drop",
    /* no matching tunnel: handed to the punt infrastructure */
    [IPSEC_TUN_PROTECT_NEXT_PUNT] = "punt-dispatch",
    /* matched tunnel: decrypt with the SA bound to the buffer */
    [IPSEC_TUN_PROTECT_NEXT_DECRYPT] = "esp6-decrypt-tun",
  }
};
/* *INDENT-ON* */
422
423 /*
424  * fd.io coding-style-patch-verification: ON
425  *
426  * Local Variables:
427  * eval: (c-set-style "gnu")
428  * End:
429  */