ikev2: IKE plugin manages the state of the protected tunnel interface 00/25200/2
author Neale Ranns <nranns@cisco.com>
Mon, 17 Feb 2020 10:39:09 +0000 (10:39 +0000)
committer Damjan Marion <dmarion@me.com>
Mon, 17 Feb 2020 12:31:05 +0000 (12:31 +0000)
Type: improvement

IKE will bring the tunnel up once the negotiation is complete and bring
it down when the session ends. It is the client's responsibility to
manage the state of the tunnel before and after these events. So to
prevent any unencrypted traffic egressing the tunnel before the session
is negotiated, the tunnel should be in the down state when it is
associated with the IKE session.

Change-Id: I8aee593c79ca006d6ab08f9fa560fbbf6f8dcc16
Signed-off-by: Neale Ranns <nranns@cisco.com>
src/plugins/ikev2/ikev2.c

index 75b9dcb..7d03150 100644 (file)
@@ -1525,7 +1525,10 @@ ikev2_add_tunnel_from_main (ikev2_add_ipsec_tunnel_args_t * a)
       hash_set1 (km->sw_if_indices, sw_if_index);
     }
   else
-    sw_if_index = a->sw_if_index;
+    {
+      sw_if_index = a->sw_if_index;
+      vnet_sw_interface_admin_up (vnet_get_main (), sw_if_index);
+    }
 
   if (rv)
     {
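Review bot: In the else branch of ikev2_add_tunnel_from_main, `vnet_sw_interface_admin_up (vnet_get_main (), sw_if_index);` runs before the `if (rv)` check that follows, so a client-supplied interface is set admin-up even on the path where rv reports a failure. Since the stated goal is that no unencrypted traffic egresses before the session is negotiated, consider bringing the interface up only after rv has been checked and the protection has been applied successfully, or explain in a comment why the earlier point is safe. A short comment saying that IKE owns the admin state from here on, and that the caller must hand over the interface in the down state, would also help readers of this function.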
@@ -1797,7 +1800,10 @@ ikev2_del_tunnel_from_main (ikev2_del_ipsec_tunnel_args_t * a)
        sw_if_index = ~0;
     }
   else
-    sw_if_index = a->sw_if_index;
+    {
+      sw_if_index = a->sw_if_index;
+      vnet_sw_interface_admin_down (vnet_get_main (), sw_if_index);
+    }
 
   if (~0 != sw_if_index)
     ipsec_tun_protect_del (sw_if_index);
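Review bot: In the else branch of ikev2_del_tunnel_from_main, `vnet_sw_interface_admin_down (vnet_get_main (), sw_if_index);` is called before the `if (~0 != sw_if_index)` guard, so it is invoked even when a->sw_if_index is ~0, the one value the guard exists to filter out before `ipsec_tun_protect_del (sw_if_index);`. Moving the admin-down call inside that guard, ahead of the ipsec_tun_protect_del call, keeps the ordering that takes the interface down before the protection is removed and avoids passing an invalid index.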