commit 0e2f188f7c9872d7c946c14d785c6dc7c7c68847
author Maxime Peim <mpeim@cisco.com> Thu Dec 22 11:26:57 2022 +0000
committer Beno�t Ganne <bganne@cisco.com> Mon Oct 30 15:23:13 2023 +0000
tree 1adc39db5e2e0e243811c8ce001d0bd056c0402e
parent 21922cec7339f48989f230248de36a98816c4b1b

ipsec: huge anti-replay window support

Type: improvement

Since RFC4303 does not specify the anti-replay window size, VPP should
support multiple window size. It is done through a clib_bitmap.

Signed-off-by: Maxime Peim <mpeim@cisco.com>
Change-Id: I3dfe30efd20018e345418bef298ec7cec19b1cfc

test/test_ipsec_esp.py

diff --git a/test/test_ipsec_esp.py b/test/test_ipsec_esp.py
index 927863c..fdd7eb8 100644
--- a/test/test_ipsec_esp.py
+++ b/test/test_ipsec_esp.py
@@ -62,10 +62,11 @@
     def tearDown(self):
         super(ConfigIpsecESP, self).tearDown()
 
-    def config_anti_replay(self, params):
+    def config_anti_replay(self, params, anti_replay_window_size=64):
         saf = VppEnum.vl_api_ipsec_sad_flags_t
         for p in params:
             p.flags |= saf.IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY
+            p.anti_replay_window_size = anti_replay_window_size
 
     def config_network(self, params):
         self.net_objs = []
@@ -134,6 +135,7 @@
         flags = params.flags
         tun_flags = params.tun_flags
         salt = params.salt
+        anti_replay_window_size = params.anti_replay_window_size
         objs = []
 
         params.tun_sa_in = VppIpsecSA(
@@ -152,6 +154,7 @@
             flags=flags,
             salt=salt,
             hop_limit=params.outer_hop_limit,
+            anti_replay_window_size=anti_replay_window_size,
         )
         params.tun_sa_out = VppIpsecSA(
             self,
@@ -169,6 +172,7 @@
             flags=flags,
             salt=salt,
             hop_limit=params.outer_hop_limit,
+            anti_replay_window_size=anti_replay_window_size,
         )
         objs.append(params.tun_sa_in)
         objs.append(params.tun_sa_out)
@@ -274,6 +278,7 @@
         e = VppEnum.vl_api_ipsec_spd_action_t
         flags = params.flags
         salt = params.salt
+        anti_replay_window_size = params.anti_replay_window_size
         objs = []
 
         params.tra_sa_in = VppIpsecSA(
@@ -287,6 +292,7 @@
             self.vpp_esp_protocol,
             flags=flags,
             salt=salt,
+            anti_replay_window_size=anti_replay_window_size,
         )
         params.tra_sa_out = VppIpsecSA(
             self,
@@ -299,6 +305,7 @@
             self.vpp_esp_protocol,
             flags=flags,
             salt=salt,
+            anti_replay_window_size=anti_replay_window_size,
         )
         objs.append(params.tra_sa_in)
         objs.append(params.tra_sa_out)
@@ -1184,9 +1191,16 @@
         #
         saf = VppEnum.vl_api_ipsec_sad_flags_t
         if flag & saf.IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY:
-            self.unconfig_network()
-            self.config_network(self.params.values())
-            self.verify_tra_anti_replay()
+            for anti_replay_window_size in (
+                64,
+                131072,
+            ):
+                self.unconfig_network()
+                self.config_anti_replay(self.params.values(), anti_replay_window_size)
+                self.config_network(self.params.values())
+                self.verify_tra_anti_replay()
+                self.verify_tra_anti_replay_algorithm()
+            self.config_anti_replay(self.params.values())
 
         self.unconfig_network()
         self.config_network(self.params.values())