ipsec: input: drop by default for non-matching pkts 52/34252/3
author Zachary Leaf <zachary.leaf@arm.com>
Tue, 26 Oct 2021 15:05:58 +0000 (10:05 -0500)
committer Fan Zhang <roy.fan.zhang@intel.com>
Tue, 8 Mar 2022 17:43:43 +0000 (17:43 +0000)
commit 26fec718f2fa7913a484008fca7b1bc015c6efb5
tree d1ff50ea37c938f7caa4b88ca25885c13f83d4bb
parent 1031098b903e6eb4bca4d268350795e6827abdda
ipsec: input: drop by default for non-matching pkts

As per IPSec RFC4301 [1], any non-matching packets should be dropped by
default. This is handled correctly in ipsec_output.c, however in
ipsec_input.c non-matching packets are allowed to pass as per a matched
BYPASS rule.

For full details, see:
https://lists.fd.io/g/vpp-dev/topic/ipsec_input_output_default/84943480

It appears the ipsec6_input_node only matches PROTECT policies. Until
this is extended to handle BYPASS + DISCARD, we may wish to not drop
by default here, since all IPv6 traffic not matching a PROTECT policy
will be dropped.

[1]: https://datatracker.ietf.org/doc/html/rfc4301

Type: fix
Signed-off-by: Zachary Leaf <zachary.leaf@arm.com>
Change-Id: Iddbfd008dbe082486d1928f6a10ffbd83d859a20
src/vnet/ipsec/ipsec_input.c
test/template_ipsec.py
test/test_ipsec_default.py [new file with mode: 0644]
test/test_ipsec_spd_flow_cache.py
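The behavioural difference the commit message describes, as an added illustration that is not VPP's own code: a constructed, simplified inbound SPD lookup with a legacy variant that forwards packets matching no policy (the implicit-BYPASS behaviour being fixed) beside an RFC 4301 variant that drops them by default. All type and function names (`spd_entry_t`, `inbound_verdict_legacy`, `inbound_verdict_rfc4301`, the sample SPD) are hypothetical; VPP's real lookup lives in the `ipsec_input.c` listed above and uses different structures.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of an inbound IPsec SPD. Names here are hypothetical and
 * are not VPP's data structures. Every packet fed in is cleartext (no SA
 * context), so a PROTECT match means "should have been protected, was not". */

#define IP4(a, b, c, d) \
  (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

typedef enum { POLICY_PROTECT, POLICY_BYPASS, POLICY_DISCARD } policy_action_t;

typedef struct {
  uint32_t remote_lo, remote_hi; /* source address range, host byte order */
  uint32_t local_lo, local_hi;   /* destination address range */
  uint8_t proto;                 /* IP protocol, 0 = any */
  policy_action_t action;
} spd_entry_t;

typedef struct { uint32_t src, dst; uint8_t proto; } pkt_t;

typedef enum { VERDICT_FORWARD = 0, VERDICT_DROP = 1 } verdict_t;

/* Constructed sample SPD, ordered; first match wins. */
const spd_entry_t sample_spd[] = {
  /* cleartext allowed from 10.0.0.0/24 to host 10.0.1.1, any protocol */
  { IP4(10, 0, 0, 0), IP4(10, 0, 0, 255), IP4(10, 0, 1, 1), IP4(10, 0, 1, 1), 0, POLICY_BYPASS },
  /* anything from 192.168.1.0/24 is explicitly discarded */
  { IP4(192, 168, 1, 0), IP4(192, 168, 1, 255), 0, 0xffffffffu, 0, POLICY_DISCARD },
  /* 172.16.0.0/16 -> 10.0.1.1 must arrive inside an SA */
  { IP4(172, 16, 0, 0), IP4(172, 16, 255, 255), IP4(10, 0, 1, 1), IP4(10, 0, 1, 1), 0, POLICY_PROTECT },
};
const size_t sample_spd_len = sizeof sample_spd / sizeof sample_spd[0];

static bool entry_matches(const spd_entry_t *e, const pkt_t *p)
{
  return p->src >= e->remote_lo && p->src <= e->remote_hi &&
         p->dst >= e->local_lo && p->dst <= e->local_hi &&
         (e->proto == 0 || e->proto == p->proto);
}

/* First matching policy, or NULL when the packet matches nothing. */
static const spd_entry_t *spd_lookup(const spd_entry_t *spd, size_t n, const pkt_t *p)
{
  for (size_t i = 0; i < n; i++)
    if (entry_matches(&spd[i], p))
      return &spd[i];
  return NULL;
}

/* Only BYPASS lets a cleartext packet through; PROTECT and DISCARD drop it. */
static verdict_t apply_action(policy_action_t a)
{
  return a == POLICY_BYPASS ? VERDICT_FORWARD : VERDICT_DROP;
}

/* Pre-fix behaviour from the commit message: no matching policy is treated
 * as if a BYPASS rule had matched, so the packet is forwarded. */
verdict_t inbound_verdict_legacy(const spd_entry_t *spd, size_t n, const pkt_t *p)
{
  const spd_entry_t *e = spd_lookup(spd, n, p);
  return e ? apply_action(e->action) : VERDICT_FORWARD;
}

/* RFC 4301 behaviour: a packet matching no SPD entry is dropped. */
verdict_t inbound_verdict_rfc4301(const spd_entry_t *spd, size_t n, const pkt_t *p)
{
  const spd_entry_t *e = spd_lookup(spd, n, p);
  return e ? apply_action(e->action) : VERDICT_DROP;
}

/* Convenience wrappers over the sample SPD. */
verdict_t legacy_verdict(uint32_t src, uint32_t dst, uint8_t proto)
{
  pkt_t p = { src, dst, proto };
  return inbound_verdict_legacy(sample_spd, sample_spd_len, &p);
}

verdict_t rfc4301_verdict(uint32_t src, uint32_t dst, uint8_t proto)
{
  pkt_t p = { src, dst, proto };
  return inbound_verdict_rfc4301(sample_spd, sample_spd_len, &p);
}

int main(void)
{
  static const char *names[] = { "forward", "drop" };
  /* 203.0.113.9 matches no entry: legacy forwards it, RFC 4301 drops it. */
  printf("unmatched packet: legacy=%s rfc4301=%s\n",
         names[legacy_verdict(IP4(203, 0, 113, 9), IP4(10, 0, 1, 1), 6)],
         names[rfc4301_verdict(IP4(203, 0, 113, 9), IP4(10, 0, 1, 1), 6)]);
  return 0;
}
```

The model covers only the IPv4 path, where BYPASS and DISCARD policies are matched; the commit message's caveat about `ipsec6_input_node` matching PROTECT policies only is exactly why a default drop there would discard all cleartext IPv6 traffic until that node gains BYPASS and DISCARD matching.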