From 68d2753569592e424e7584e2f921f68d1b3d2088 Mon Sep 17 00:00:00 2001 From: Filip Tehlar Date: Mon, 25 Jan 2021 10:09:27 +0000 Subject: [PATCH] ikev2: add per SA stats Type: feature Change-Id: Ic502d806410ea3c8f3f1eac70b694114ccb053bf Signed-off-by: Filip Tehlar --- src/plugins/ikev2/ikev2.api | 2 +- src/plugins/ikev2/ikev2.c | 24 +++++++++++------------- src/plugins/ikev2/ikev2_api.c | 13 +++++++++++++ src/plugins/ikev2/ikev2_cli.c | 8 ++++++++ src/plugins/ikev2/ikev2_priv.h | 12 ++++++++++++ src/plugins/ikev2/ikev2_types.api | 12 ++++++++++++ src/plugins/ikev2/test/test_ikev2.py | 12 +++++++++++- 7 files changed, 68 insertions(+), 15 deletions(-) diff --git a/src/plugins/ikev2/ikev2.api b/src/plugins/ikev2/ikev2.api index f936e525e4b..32e1a91d1e8 100644 --- a/src/plugins/ikev2/ikev2.api +++ b/src/plugins/ikev2/ikev2.api @@ -563,7 +563,7 @@ counters ikev2 { units "packets"; description "IKE rekey requests received"; }; - exchange_sa_req { + init_sa_req { severity info; type counter64; units "packets"; diff --git a/src/plugins/ikev2/ikev2.c b/src/plugins/ikev2/ikev2.c index d6ee8f592e2..9b13991cd47 100644 --- a/src/plugins/ikev2/ikev2.c +++ b/src/plugins/ikev2/ikev2.c @@ -50,14 +50,6 @@ typedef struct u32 sw_if_index; } ikev2_trace_t; -typedef struct -{ - u16 n_keepalives; - u16 n_rekey_req; - u16 n_exchange_sa_req; - u16 n_ike_auth_req; -} ikev2_stats_t; - static u8 * format_ikev2_trace (u8 * s, va_list * args) { @@ -2439,6 +2431,7 @@ ikev2_generate_message (vlib_buffer_t *b, ikev2_sa_t *sa, ike_header_t *ike, { ASSERT (stats != 0); stats->n_keepalives++; + sa->stats.n_keepalives++; } } } @@ -2623,6 +2616,7 @@ ikev2_retransmit_sa_init_one (ikev2_sa_t * sa, ike_header_t * ike, /* req is retransmit */ if (sa->state == IKEV2_STATE_SA_INIT) { + sa->stats.n_init_retransmit++; tmp = (ike_header_t *) sa->last_sa_init_res_packet_data; u32 slen = clib_net_to_host_u32 (tmp->length); ike->ispi = tmp->ispi; @@ -2700,6 +2694,7 @@ ikev2_retransmit_resp (ikev2_sa_t * sa, ike_header_t * ike) /* retransmitted req */ if (msg_id == sa->last_msg_id) { + sa->stats.n_retransmit++; ike_header_t *tmp = (ike_header_t *) sa->last_res_packet_data; u32 slen = clib_net_to_host_u32 (tmp->length); ike->ispi = tmp->ispi; @@ -2832,10 +2827,10 @@ ikev2_update_stats (vlib_main_t *vm, u32 node_index, ikev2_stats_t *s) s->n_keepalives); vlib_node_increment_counter (vm, node_index, IKEV2_ERROR_REKEY_REQ, s->n_rekey_req); - vlib_node_increment_counter (vm, node_index, IKEV2_ERROR_EXCHANGE_SA_REQ, - s->n_exchange_sa_req); + vlib_node_increment_counter (vm, node_index, IKEV2_ERROR_INIT_SA_REQ, + s->n_sa_init_req); vlib_node_increment_counter (vm, node_index, IKEV2_ERROR_IKE_AUTH_REQ, - s->n_ike_auth_req); + s->n_sa_auth_req); } static_always_inline uword @@ -2932,7 +2927,8 @@ ikev2_node_internal (vlib_main_t *vm, vlib_node_runtime_t *node, if (ike_hdr_is_initiator (ike0)) { - stats->n_exchange_sa_req++; + sa0->stats.n_sa_init_req++; + stats->n_sa_init_req++; if (ike0->rspi == 0) { if (is_ip4) @@ -3104,7 +3100,8 @@ ikev2_node_internal (vlib_main_t *vm, vlib_node_runtime_t *node, } else { - stats->n_ike_auth_req++; + sa0->stats.n_sa_auth_req++; + stats->n_sa_auth_req++; ike0->flags = IKEV2_HDR_FLAG_RESPONSE; slen = ikev2_generate_message (b0, sa0, ike0, 0, udp0, stats); @@ -3241,6 +3238,7 @@ ikev2_node_internal (vlib_main_t *vm, vlib_node_runtime_t *node, else { stats->n_rekey_req++; + sa0->stats.n_rekey_req++; ike0->flags = IKEV2_HDR_FLAG_RESPONSE; slen = ikev2_generate_message (b0, sa0, ike0, 0, udp0, stats); diff --git a/src/plugins/ikev2/ikev2_api.c b/src/plugins/ikev2/ikev2_api.c index 00d71143a5d..01a7373a6ae 100644 --- a/src/plugins/ikev2/ikev2_api.c +++ b/src/plugins/ikev2/ikev2_api.c @@ -194,6 +194,17 @@ vl_api_ikev2_profile_dump_t_handler (vl_api_ikev2_profile_dump_t * mp) /* *INDENT-ON* */ } +static void +ikev2_copy_stats (vl_api_ikev2_sa_stats_t *dst, const ikev2_stats_t *src) +{ + dst->n_rekey_req = src->n_rekey_req; + dst->n_keepalives = src->n_keepalives; + dst->n_retransmit = src->n_retransmit; + dst->n_init_sa_retransmit = src->n_init_retransmit; + dst->n_sa_init_req = src->n_sa_init_req; + dst->n_sa_auth_req = src->n_sa_auth_req; +} + static void send_sa (ikev2_sa_t * sa, vl_api_ikev2_sa_dump_t * mp, u32 api_sa_index) { @@ -253,6 +264,8 @@ send_sa (ikev2_sa_t * sa, vl_api_ikev2_sa_dump_t * mp, u32 api_sa_index) k->sk_pr_len = vec_len (sa->sk_pr); clib_memcpy (&k->sk_pr, sa->sk_pr, k->sk_pr_len); + ikev2_copy_stats (&rsa->stats, &sa->stats); + vl_api_ikev2_sa_t_endian(rsa); }); /* *INDENT-ON* */ diff --git a/src/plugins/ikev2/ikev2_cli.c b/src/plugins/ikev2/ikev2_cli.c index efd0a209ebc..7778166254c 100644 --- a/src/plugins/ikev2/ikev2_cli.c +++ b/src/plugins/ikev2/ikev2_cli.c @@ -191,6 +191,14 @@ format_ikev2_sa (u8 * s, va_list * va) format_ikev2_child_sa, child, child - sa->childs); } + s = format (s, "Stats:\n"); + s = format (s, " keepalives :%u\n", sa->stats.n_keepalives); + s = format (s, " rekey :%u\n", sa->stats.n_rekey_req); + s = format (s, " SA init :%u (retransmit: %u)\n", sa->stats.n_sa_init_req, + sa->stats.n_init_retransmit); + s = format (s, " retransmit: %u\n", sa->stats.n_retransmit); + s = format (s, " SA auth :%u\n", sa->stats.n_sa_auth_req); + return s; } diff --git a/src/plugins/ikev2/ikev2_priv.h b/src/plugins/ikev2/ikev2_priv.h index fa302dcf21a..799c64372ac 100644 --- a/src/plugins/ikev2/ikev2_priv.h +++ b/src/plugins/ikev2/ikev2_priv.h @@ -365,6 +365,16 @@ typedef enum #define ikev2_natt_active(_sa) ((_sa)->natt_state == IKEV2_NATT_ACTIVE) +typedef struct +{ + u16 n_keepalives; + u16 n_rekey_req; + u16 n_sa_auth_req; + u16 n_sa_init_req; + u16 n_init_retransmit; + u16 n_retransmit; +} ikev2_stats_t; + typedef struct { ikev2_state_t state; @@ -446,6 +456,8 @@ typedef struct /* is NAT traversal mode */ ikev2_natt_state_t natt_state; u8 keys_generated; + + ikev2_stats_t stats; } ikev2_sa_t; diff --git a/src/plugins/ikev2/ikev2_types.api b/src/plugins/ikev2/ikev2_types.api index 9add084f9e3..b279026c2b9 100644 --- a/src/plugins/ikev2/ikev2_types.api +++ b/src/plugins/ikev2/ikev2_types.api @@ -128,6 +128,16 @@ typedef ikev2_child_sa vl_api_ikev2_sa_transform_t esn; }; +typedef ikev2_sa_stats +{ + u16 n_keepalives; + u16 n_rekey_req; + u16 n_sa_init_req; + u16 n_sa_auth_req; + u16 n_retransmit; + u16 n_init_sa_retransmit; +}; + typedef ikev2_sa { u32 sa_index; @@ -148,4 +158,6 @@ typedef ikev2_sa vl_api_ikev2_sa_transform_t integrity; vl_api_ikev2_sa_transform_t prf; vl_api_ikev2_sa_transform_t dh; + + vl_api_ikev2_sa_stats_t stats; }; diff --git a/src/plugins/ikev2/test/test_ikev2.py b/src/plugins/ikev2/test/test_ikev2.py index e6ccef7786a..9f72ffb4ae5 100644 --- a/src/plugins/ikev2/test/test_ikev2.py +++ b/src/plugins/ikev2/test/test_ikev2.py @@ -1325,9 +1325,14 @@ class TemplateResponder(IkePeer): def verify_counters(self): self.assert_counter(2, 'processed', self.IKE_NODE_SUFFIX) - self.assert_counter(1, 'exchange_sa_req', self.IKE_NODE_SUFFIX) + self.assert_counter(1, 'init_sa_req', self.IKE_NODE_SUFFIX) self.assert_counter(1, 'ike_auth_req', self.IKE_NODE_SUFFIX) + r = self.vapi.ikev2_sa_dump() + s = r[0].sa.stats + self.assertEqual(1, s.n_sa_auth_req) + self.assertEqual(1, s.n_sa_init_req) + def test_responder(self): self.send_sa_init_req() self.send_sa_auth() @@ -1862,6 +1867,9 @@ class TestResponderRekey(TestResponderPsk): self.sa.calc_child_keys() self.verify_ike_sas() self.verify_ipsec_sas(is_rekey=True) + self.assert_counter(1, 'rekey_req', 'ip4') + r = self.vapi.ikev2_sa_dump() + self.assertEqual(r[0].sa.stats.n_rekey_req, 1) class TestResponderRsaSign(TemplateResponder, Ikev2Params): @@ -1942,6 +1950,8 @@ class TestInitiatorKeepaliveMsg(TestInitiatorPsk): plain = self.sa.hmac_and_decrypt(ih) self.assertEqual(plain, b'') self.assert_counter(1, 'keepalive', 'ip4') + r = self.vapi.ikev2_sa_dump() + self.assertEqual(1, r[0].sa.stats.n_keepalives) def test_initiator(self): super(TestInitiatorKeepaliveMsg, self).test_initiator() -- 2.16.6