1 /*
2  * ipsec_tun_protect_in.c : IPSec interface input node
3  *
4  * Copyright (c) 2015 Cisco and/or its affiliates.
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at:
8  *
9  *     http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  */
17
18 #include <vnet/vnet.h>
19 #include <vnet/api_errno.h>
20 #include <vnet/ip/ip.h>
21
22 #include <vnet/ipsec/ipsec.h>
23 #include <vnet/ipsec/esp.h>
24 #include <vnet/ipsec/ipsec_io.h>
25 #include <vnet/ipsec/ipsec_punt.h>
26 #include <vnet/ipsec/ipsec_tun.h>
27 #include <vnet/ip/ip4_input.h>
28
/* Per-node counters (statistics rather than true errors).  This X-macro is
   expanded twice below: once into the error-string table and once into
   ipsec_tun_protect_input_error_t, so the two stay index-aligned. */
#define foreach_ipsec_tun_protect_input_error                     \
  _(RX, "good packets received")                                  \
  _(DISABLED, "ipsec packets received on disabled interface")     \
  _(NO_TUNNEL, "no matching tunnel")                              \
  _(TUNNEL_MISMATCH, "SPI-tunnel mismatch")                       \
  _(SPI_0, "SPI 0")
36
/* Human-readable counter names, in foreach_ipsec_tun_protect_input_error
   order; referenced by the node registrations' .error_strings. */
static char *ipsec_tun_protect_input_error_strings[] = {
#define _(sym,string) string,
  foreach_ipsec_tun_protect_input_error
#undef _
};
42
/* Counter indices (IPSEC_TUN_PROTECT_INPUT_ERROR_*) used to index
   node->errors[]; IPSEC_TUN_PROTECT_INPUT_N_ERROR is the count and matches
   ARRAY_LEN (ipsec_tun_protect_input_error_strings). */
typedef enum
{
#define _(sym,str) IPSEC_TUN_PROTECT_INPUT_ERROR_##sym,
  foreach_ipsec_tun_protect_input_error
#undef _
    IPSEC_TUN_PROTECT_INPUT_N_ERROR,
} ipsec_tun_protect_input_error_t;
50
/* Next-node indices for the tun-input nodes.  DROP and PUNT are generated
   from foreach_ipsec_input_next (defined outside this file); DECRYPT is
   appended here.
   NOTE(review): the node body writes IPSEC_INPUT_NEXT_DROP /
   IPSEC_INPUT_NEXT_PUNT into next[], which relies on those enumerators
   having the same values as IPSEC_TUN_PROTECT_NEXT_DROP / _PUNT — confirm
   both are expanded from foreach_ipsec_input_next in the same order. */
typedef enum ipsec_tun_next_t_
{
#define _(v, s) IPSEC_TUN_PROTECT_NEXT_##v,
  foreach_ipsec_input_next
#undef _
    IPSEC_TUN_PROTECT_NEXT_DECRYPT,
  IPSEC_TUN_PROTECT_N_NEXT,
} ipsec_tun_next_t;
59
/* Per-packet trace record captured by ipsec_tun_protect_input_inline and
   printed by format_ipsec_tun_protect_input_trace. */
typedef struct
{
  u32 spi;			/* ESP SPI, passed through clib_host_to_net_u32 at capture */
  u32 seq;			/* ESP sequence number, same conversion */
} ipsec_tun_protect_input_trace_t;
65
/*
 * Trace formatter for the tun-input nodes.
 *
 * The varargs are (vlib_main_t *, vlib_node_t *, trace record *); the
 * first two are consumed only to reach the record and are otherwise unused.
 * Returns s with "IPSec: spi <n> seq <n>" appended.
 */
static u8 *
format_ipsec_tun_protect_input_trace (u8 * s, va_list * args)
{
  CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
  CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
  const ipsec_tun_protect_input_trace_t *rec =
    va_arg (*args, ipsec_tun_protect_input_trace_t *);

  return format (s, "IPSec: spi %u seq %u", rec->spi, rec->seq);
}
77
/*
 * Classify an IPv4 ESP packet for which no tun-protect entry matched.
 *
 * Sets b->error and b->punt_reason: SPI 0 gets its own counter and a punt
 * reason that distinguishes UDP-encapsulated (NAT-T) from plain ESP; any
 * other SPI is reported as "no matching tunnel".
 *
 * @param node  node runtime, source of the errors[] table
 * @param b     buffer to annotate
 * @param esp   the packet's ESP header (only spi is read)
 * @param ip4   the packet's outer IPv4 header (only protocol is read)
 * @return the next index to use: always IPSEC_INPUT_NEXT_PUNT
 */
always_inline u16
ipsec_ip4_if_no_tunnel (vlib_node_runtime_t * node,
                        vlib_buffer_t * b,
                        const esp_header_t * esp, const ip4_header_t * ip4)
{
  u32 err_idx, punt_idx;

  if (PREDICT_FALSE (0 == esp->spi))
    {
      err_idx = IPSEC_TUN_PROTECT_INPUT_ERROR_SPI_0;
      punt_idx = (ip4->protocol == IP_PROTOCOL_UDP) ?
        IPSEC_PUNT_IP4_SPI_UDP_0 : IPSEC_PUNT_IP4_SPI_0;
    }
  else
    {
      err_idx = IPSEC_TUN_PROTECT_INPUT_ERROR_NO_TUNNEL;
      punt_idx = IPSEC_PUNT_IP4_NO_SUCH_TUNNEL;
    }

  b->error = node->errors[err_idx];
  b->punt_reason = ipsec_punt_reason[punt_idx];

  return IPSEC_INPUT_NEXT_PUNT;
}
97
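/*
 * Classify an IPv6 ESP packet for which no tun-protect entry matched.
 *
 * Sets b->error and b->punt_reason.  Mirrors ipsec_ip4_if_no_tunnel: an
 * SPI of 0 is accounted under the SPI_0 counter (the IPv4 path already did
 * this; the IPv6 path previously charged it to NO_TUNNEL, which hid SPI-0
 * traffic in the per-node statistics), any other SPI under NO_TUNNEL.
 *
 * @param node  node runtime, source of the errors[] table
 * @param b     buffer to annotate
 * @param esp   the packet's ESP header (only spi is read)
 * @return the next index to use: always IPSEC_INPUT_NEXT_PUNT
 */
always_inline u16
ipsec_ip6_if_no_tunnel (vlib_node_runtime_t * node,
                        vlib_buffer_t * b, const esp_header_t * esp)
{
  if (PREDICT_FALSE (0 == esp->spi))
    {
      /* count SPI 0 as such, consistent with the IPv4 helper */
      b->error = node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_SPI_0];
      b->punt_reason = ipsec_punt_reason[IPSEC_PUNT_IP6_SPI_0];
    }
  else
    {
      b->error = node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_NO_TUNNEL];
      b->punt_reason = ipsec_punt_reason[IPSEC_PUNT_IP6_NO_SUCH_TUNNEL];
    }
  return (IPSEC_INPUT_NEXT_PUNT);
}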
114
/*
 * Shared body of the ipsec4-tun-input / ipsec6-tun-input nodes.
 *
 * For every buffer in the frame: locate the ESP header behind the outer IP
 * (and, for IPv4, optional UDP) header, look up the tun-protect entry keyed
 * on (outer source address, SPI), reject packets whose tunnel interface is
 * admin-down or whose outer addresses do not match the tunnel's crypto
 * endpoints, and steer the rest to the ESP decrypt node.  Per-interface RX
 * byte/packet counters are batched across runs of packets for the same
 * sw_if_index and flushed when the interface changes and at the end.
 *
 * @param vm         vlib main
 * @param node       this node's runtime (errors[], flags)
 * @param from_frame frame of buffer indices to process
 * @param is_ip6     non-zero to parse IPv6 outer headers, zero for IPv4;
 *                   both callers pass a literal, so the branches fold away
 * @return number of vectors processed (from_frame->n_vectors)
 */
always_inline uword
ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
                                vlib_frame_t * from_frame, int is_ip6)
{
  ipsec_main_t *im = &ipsec_main;
  vnet_main_t *vnm = im->vnet_main;
  vnet_interface_main_t *vim = &vnm->interface_main;

  int is_trace = node->flags & VLIB_NODE_FLAG_TRACE;
  u32 thread_index = vm->thread_index;

  u32 n_left_from, *from;
  u16 nexts[VLIB_FRAME_SIZE], *next;
  vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b;

  from = vlib_frame_vector_args (from_frame);
  n_left_from = from_frame->n_vectors;

  vlib_get_buffers (vm, from, bufs, n_left_from);
  b = bufs;
  next = nexts;

  /* Default next index.  Every path through the loop below overwrites
     next[0], so this is only a safety net (note it is the esp4 decrypt
     index even when is_ip6). */
  clib_memset_u16 (nexts, im->esp4_decrypt_next_index, n_left_from);

  /* Batched RX counters for the interface in last_sw_if_index, plus the
     per-frame counts of packets that did not reach decrypt. */
  u64 n_bytes = 0, n_packets = 0;
  u32 n_disabled = 0, n_no_tunnel = 0;

  /* One-entry lookup cache: consecutive packets with the same
     (remote IP, SPI) key reuse last_result instead of hashing again. */
  u32 last_sw_if_index = ~0;
  ipsec_tun_lkup_result_t last_result = {
    .tun_index = ~0
  };
  ipsec4_tunnel_key_t last_key4;
  ipsec6_tunnel_key_t last_key6;

  vlib_combined_counter_main_t *rx_counter;
  vlib_combined_counter_main_t *drop_counter;
  ipsec_tun_protect_t *itp0;

  /* seed the cache key with an all-ones sentinel so the first packet
     always takes the hash-lookup path */
  if (is_ip6)
    clib_memset (&last_key6, 0xff, sizeof (last_key6));
  else
    last_key4.as_u64 = ~0;

  rx_counter = vim->combined_sw_if_counters + VNET_INTERFACE_COUNTER_RX;
  drop_counter = vim->combined_sw_if_counters + VNET_INTERFACE_COUNTER_DROP;

  while (n_left_from > 0)
    {
      u32 sw_if_index0, len0, hdr_sz0;
      ipsec_tun_lkup_result_t itr0;
      ipsec4_tunnel_key_t key40;
      ipsec6_tunnel_key_t key60;
      ip4_header_t *ip40;
      ip6_header_t *ip60;
      esp_header_t *esp0;

      ip40 = vlib_buffer_get_current (b[0]);

      /* Locate the ESP header behind the outer IP header.  The IPv6 case
         assumes no extension headers between the IP header and ESP.
         NOTE(review): esp0->spi / esp0->seq are dereferenced below without
         a check that the buffer actually extends to a full ESP header —
         presumably guaranteed by the upstream ip4/ip6 input length checks;
         confirm. */
      if (is_ip6)
        {
          ip60 = (ip6_header_t *) ip40;
          esp0 = (esp_header_t *) (ip60 + 1);
          hdr_sz0 = sizeof (ip6_header_t);
        }
      else
        {
          /* NAT-T (UDP port 4500) case: ESP follows the UDP header and the
             buffer is not advanced at all (hdr_sz0 = 0) */
          if (ip40->protocol == IP_PROTOCOL_UDP)
            {
              esp0 =
                (esp_header_t *) ((u8 *) ip40 + ip4_header_bytes (ip40) +
                                  sizeof (udp_header_t));
              hdr_sz0 = 0;
            }
          else
            {
              esp0 = (esp_header_t *) ((u8 *) ip40 + ip4_header_bytes (ip40));
              hdr_sz0 = ip4_header_bytes (ip40);
            }
        }

      /* stats for the tunnel include all the data after the IP header,
         just like a normal IP-IP tunnel */
      vlib_buffer_advance (b[0], hdr_sz0);
      len0 = vlib_buffer_length_in_chain (vm, b[0]);

      /* Look up the tun-protect entry by (outer source address, SPI),
         served from the one-entry cache when the key repeats. */
      if (is_ip6)
        {
          key60.remote_ip = ip60->src_address;
          key60.spi = esp0->spi;

          /* NOTE(review): key60 is compared and hashed as raw memory while
             only two fields are assigned — confirm ipsec6_tunnel_key_t has
             no padding bytes, otherwise it should be zeroed first. */
          if (memcmp (&key60, &last_key6, sizeof (last_key6)) == 0)
            {
              itr0 = last_result;
            }
          else
            {
              uword *p = hash_get_mem (im->tun6_protect_by_key, &key60);
              if (p)
                {
                  itr0.as_u64 = p[0];
                  last_result = itr0;
                  clib_memcpy_fast (&last_key6, &key60, sizeof (key60));
                }
              else
                {
                  /* unknown (peer, SPI): punt, reason set by the helper */
                  next[0] = ipsec_ip6_if_no_tunnel (node, b[0], esp0);
                  n_no_tunnel++;
                  goto trace00;
                }
            }
        }
      else
        {
          key40.remote_ip = ip40->src_address.as_u32;
          key40.spi = esp0->spi;

          if (key40.as_u64 == last_key4.as_u64)
            {
              itr0 = last_result;
            }
          else
            {
              uword *p = hash_get (im->tun4_protect_by_key, key40.as_u64);
              if (p)
                {
                  itr0.as_u64 = p[0];
                  last_result = itr0;
                  last_key4.as_u64 = key40.as_u64;
                }
              else
                {
                  /* unknown (peer, SPI): punt, reason set by the helper */
                  next[0] = ipsec_ip4_if_no_tunnel (node, b[0], esp0, ip40);
                  n_no_tunnel++;
                  goto trace00;
                }
            }
        }

      /* Hand the SA and protect indices to the decrypt node and attribute
         the packet to the tunnel interface as its RX interface. */
      itp0 = pool_elt_at_index (ipsec_protect_pool, itr0.tun_index);
      vnet_buffer (b[0])->ipsec.sad_index = itr0.sa_index;
      vnet_buffer (b[0])->ipsec.protect_index = itr0.tun_index;

      sw_if_index0 = itp0->itp_sw_if_index;
      vnet_buffer (b[0])->sw_if_index[VLIB_RX] = sw_if_index0;

      if (PREDICT_FALSE (!vnet_sw_interface_is_admin_up (vnm, sw_if_index0)))
        {
          /* interface is down: charge the drop counter immediately
             (not batched) and drop */
          vlib_increment_combined_counter
            (drop_counter, thread_index, sw_if_index0, 1, len0);
          n_disabled++;
          b[0]->error = node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_DISABLED];
          next[0] = IPSEC_INPUT_NEXT_DROP;
          goto trace00;
        }
      else
        {
          /* Batch RX counters per interface and flush when the interface
             changes.
             NOTE(review): the IPSEC_PROTECT_ENCAPED test on the flush reads
             the *current* packet's itp0, not the tunnel the batched counts
             belong to — looks like a bookkeeping inaccuracy when adjacent
             packets hit different tunnels; confirm.  Also note a packet
             that fails the address check below has already been added to
             the RX batch. */
          if (PREDICT_TRUE (sw_if_index0 == last_sw_if_index))
            {
              n_packets++;
              n_bytes += len0;
            }
          else
            {
              if (n_packets && !(itp0->itp_flags & IPSEC_PROTECT_ENCAPED))
                {
                  vlib_increment_combined_counter
                    (rx_counter, thread_index, last_sw_if_index,
                     n_packets, n_bytes);
                }

              last_sw_if_index = sw_if_index0;
              n_packets = 1;
              n_bytes = len0;
            }

          /*
           * compare the packet's outer IP header to that of the tunnel:
           * the packet's source must be the tunnel's crypto destination and
           * the packet's destination the tunnel's crypto source
           */
          if (is_ip6)
            {
              if (PREDICT_FALSE
                  (!ip46_address_is_equal_v6
                   (&itp0->itp_crypto.dst, &ip60->src_address)
                   || !ip46_address_is_equal_v6 (&itp0->itp_crypto.src,
                                                 &ip60->dst_address)))
                {
                  b[0]->error =
                    node->errors
                    [IPSEC_TUN_PROTECT_INPUT_ERROR_TUNNEL_MISMATCH];
                  next[0] = IPSEC_INPUT_NEXT_DROP;
                  goto trace00;
                }
            }
          else
            {
              if (PREDICT_FALSE
                  (!ip46_address_is_equal_v4
                   (&itp0->itp_crypto.dst, &ip40->src_address)
                   || !ip46_address_is_equal_v4 (&itp0->itp_crypto.src,
                                                 &ip40->dst_address)))
                {
                  b[0]->error =
                    node->errors
                    [IPSEC_TUN_PROTECT_INPUT_ERROR_TUNNEL_MISMATCH];
                  next[0] = IPSEC_INPUT_NEXT_DROP;
                  goto trace00;
                }
            }

          /*
           * There are two encap possibilities
           * 1) the tunnel and the SA are providing encap, i.e. it's
           *   MAC | SA-IP | TUN-IP | ESP | PAYLOAD
           * implying the SA is in tunnel mode (on a tunnel interface)
           * 2) only the tunnel provides encap
           *   MAC | TUN-IP | ESP | PAYLOAD
           * implying the SA is in transport mode.
           *
           * For 2) we need only strip the tunnel encap and we're good,
           * since the tunnel and crypto encap (in the tun-protect
           * object) are the same and we verified above that these match.
           * For 1) we need to strip the SA-IP outer headers to
           * reveal the tunnel IP and then check that this matches
           * the configured tunnel. This we can't do here since it
           * involves a lookup in the per-tunnel-type DB - so ship
           * the packet to the tunnel-type's provided node to do that.
           */
          next[0] = IPSEC_TUN_PROTECT_NEXT_DECRYPT;
        }
    trace00:
      /* esp0 is assigned before every goto above, so it is valid here;
         the spi/seq fields are on-wire values converted for display */
      if (PREDICT_FALSE (is_trace))
        {
          if (b[0]->flags & VLIB_BUFFER_IS_TRACED)
            {
              ipsec_tun_protect_input_trace_t *tr =
                vlib_add_trace (vm, node, b[0], sizeof (*tr));
              tr->spi = clib_host_to_net_u32 (esp0->spi);
              tr->seq = clib_host_to_net_u32 (esp0->seq);
            }
        }

      /* next */
      b += 1;
      next += 1;
      n_left_from -= 1;
    }

  /* flush the batched RX counters for the final run of packets; itp0 is
     always assigned before n_packets can become non-zero */
  if (n_packets && !(itp0->itp_flags & IPSEC_PROTECT_ENCAPED))
    {
      vlib_increment_combined_counter (rx_counter,
                                       thread_index,
                                       last_sw_if_index, n_packets, n_bytes);
    }

  /* "good packets" is everything not punted for no-tunnel and not dropped
     for admin-down; tunnel-mismatch drops are not subtracted here */
  vlib_node_increment_counter (vm, node->node_index,
                               IPSEC_TUN_PROTECT_INPUT_ERROR_RX,
                               from_frame->n_vectors - (n_disabled +
                                                        n_no_tunnel));

  vlib_buffer_enqueue_to_next (vm, node, from, nexts, from_frame->n_vectors);

  return from_frame->n_vectors;
}
379
/* IPv4 flavour of the tun-protect input node: the shared inline body is
   instantiated with is_ip6 = 0.  Returns the number of vectors processed. */
VLIB_NODE_FN (ipsec4_tun_input_node) (vlib_main_t * vm,
                                      vlib_node_runtime_t * node,
                                      vlib_frame_t * from_frame)
{
  const int is_ip6 = 0;

  return ipsec_tun_protect_input_inline (vm, node, from_frame, is_ip6);
}
387
388 /* *INDENT-OFF* */
/* Registration of the IPv4 tun-protect input node. */
VLIB_REGISTER_NODE (ipsec4_tun_input_node) = {
  .name = "ipsec4-tun-input",
  .vector_size = sizeof (u32),
  .format_trace = format_ipsec_tun_protect_input_trace,
  .type = VLIB_NODE_TYPE_INTERNAL,
  /* the string table and ipsec_tun_protect_input_error_t expand from the
     same X-macro, so the indices used in the node body line up with it */
  .n_errors = ARRAY_LEN(ipsec_tun_protect_input_error_strings),
  .error_strings = ipsec_tun_protect_input_error_strings,
  .n_next_nodes = IPSEC_TUN_PROTECT_N_NEXT,
  /* indexed by ipsec_tun_next_t: DROP/PUNT from foreach_ipsec_input_next,
     DECRYPT appended in this file */
  .next_nodes = {
    [IPSEC_TUN_PROTECT_NEXT_DROP] = "ip4-drop",
    [IPSEC_TUN_PROTECT_NEXT_PUNT] = "punt-dispatch",
    [IPSEC_TUN_PROTECT_NEXT_DECRYPT] = "esp4-decrypt-tun",
  }
};
403 /* *INDENT-ON* */
404
/* IPv6 flavour of the tun-protect input node: the shared inline body is
   instantiated with is_ip6 = 1.  Returns the number of vectors processed. */
VLIB_NODE_FN (ipsec6_tun_input_node) (vlib_main_t * vm,
                                      vlib_node_runtime_t * node,
                                      vlib_frame_t * from_frame)
{
  const int is_ip6 = 1;

  return ipsec_tun_protect_input_inline (vm, node, from_frame, is_ip6);
}
412
413 /* *INDENT-OFF* */
/* Registration of the IPv6 tun-protect input node. */
VLIB_REGISTER_NODE (ipsec6_tun_input_node) = {
  .name = "ipsec6-tun-input",
  .vector_size = sizeof (u32),
  .format_trace = format_ipsec_tun_protect_input_trace,
  .type = VLIB_NODE_TYPE_INTERNAL,
  /* the string table and ipsec_tun_protect_input_error_t expand from the
     same X-macro, so the indices used in the node body line up with it */
  .n_errors = ARRAY_LEN(ipsec_tun_protect_input_error_strings),
  .error_strings = ipsec_tun_protect_input_error_strings,
  .n_next_nodes = IPSEC_TUN_PROTECT_N_NEXT,
  /* indexed by ipsec_tun_next_t: DROP/PUNT from foreach_ipsec_input_next,
     DECRYPT appended in this file */
  .next_nodes = {
    [IPSEC_TUN_PROTECT_NEXT_DROP] = "ip6-drop",
    [IPSEC_TUN_PROTECT_NEXT_PUNT] = "punt-dispatch",
    [IPSEC_TUN_PROTECT_NEXT_DECRYPT] = "esp6-decrypt-tun",
  }
};
428 /* *INDENT-ON* */
429
430 /*
431  * fd.io coding-style-patch-verification: ON
432  *
433  * Local Variables:
434  * eval: (c-set-style "gnu")
435  * End:
436  */