commit | fb7e7ed2cd10446d5ecd1b1e8df470e706c448ed | |
---|---|---|
author | Christian Hopps <chopps@labn.net> | Sun Nov 03 07:02:15 2019 -0500 |
committer | Damjan Marion <dmarion@me.com> | Mon Sep 07 09:43:27 2020 +0000 |
tree | 2590e834f09c2d936f83d9bc766af99e084a522f | |
parent | dce44e4e2302042890dc8b579d4ff6f99509ae7a | |
ipsec: fix padding/alignment for native IPsec encryption

Not all ESP crypto algorithms require padding/alignment to be the same as AES block/IV size. CCM, CTR and GCM all have no padding/alignment requirements, and the RFCs indicate that no padding (beyond ESP's 4 octet alignment requirement) should be used unless TFC (traffic flow confidentiality) has been requested.

CTR: https://tools.ietf.org/html/rfc3686#section-3.2
GCM: https://tools.ietf.org/html/rfc4106#section-3.2
CCM: https://tools.ietf.org/html/rfc4309#section-3.2

- VPP is incorrectly using the IV/AES block size to pad CTR and GCM. These modes do not require padding (beyond ESP's 4 octet requirement), as a result packets will have unnecessary padding, which will waste bandwidth at least and possibly fail certain network configurations that have finely tuned MTU configurations at worst. Fix this as well as changing the field names from ".*block_size" to ".*block_align" to better represent their actual (and only) use. Rename "block_sz" in esp_encrypt to "esp_align" and set it correctly as well.

test: ipsec: Add unit-test to test for RFC correct padding/alignment

test: patch scapy to not incorrectly pad ccm, ctr, gcm modes as well

- Scapy is also incorrectly using the AES block size of 16 to pad CCM, CTR, and GCM cipher modes. A bug report has been opened with and acknowledged by the upstream scapy project as well: https://github.com/secdev/scapy/issues/2322

Ticket: VPP-1928
Type: fix

Signed-off-by: Christian Hopps <chopps@labn.net>
Change-Id: Iaa4d6a325a2e99fdcb2c375a3395bcfe7947770e
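The alignment rule described in the commit message, worked through as an added example; this is not VPP's code and not part of this commit. The function and constant names are hypothetical. The 16-octet and 4-octet alignments come from the message, and the trailer layout (default padding 1, 2, 3, ..., then Pad Length and Next Header) is the one defined in RFC 4303.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names; alignment values follow the commit message:
 * CBC pads to the 16-octet AES block, CTR/GCM/CCM only to ESP's 4 octets. */
enum { ESP_ALIGN_AES_CBC = 16, ESP_ALIGN_AES_CTR = 4,
       ESP_ALIGN_AES_GCM = 4, ESP_ALIGN_AES_CCM = 4 };

/* Padding octets needed so that payload + padding + the 2-octet
 * (Pad Length, Next Header) tail is a multiple of align (a power of two). */
static size_t esp_pad_len(size_t payload_len, size_t align)
{
    size_t unpadded = payload_len + 2;
    return (align - (unpadded & (align - 1))) & (align - 1);
}

/* Write the ESP trailer that follows the payload: default padding
 * (1, 2, 3, ...), Pad Length, Next Header. Returns the trailer size, or 0
 * if it does not fit in cap or the pad length overflows its 1-octet field. */
static size_t esp_write_trailer(uint8_t *tail, size_t cap, size_t payload_len,
                                size_t align, uint8_t next_header)
{
    size_t pad = esp_pad_len(payload_len, align);
    if (pad > 255 || pad + 2 > cap)
        return 0;
    for (size_t i = 0; i < pad; i++)
        tail[i] = (uint8_t)(i + 1);
    tail[pad] = (uint8_t)pad;
    tail[pad + 1] = next_header;
    return pad + 2;
}

int main(void)
{
    /* Constructed sample payload sizes, not taken from the commit. */
    const size_t sizes[] = { 1, 62, 64, 100, 1398 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("payload %4zu: pad %2zu at 16-octet align, %zu at 4-octet\n",
               sizes[i], esp_pad_len(sizes[i], ESP_ALIGN_AES_CBC),
               esp_pad_len(sizes[i], ESP_ALIGN_AES_GCM));
    return 0;
}
```

For a 64-octet payload the 16-octet alignment adds 14 padding octets where the 4-octet alignment adds 2, which is the per-packet overhead the commit removes for CTR and GCM.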
The VPP platform is an extensible framework that provides out-of-the-box production quality switch/router functionality. It is the open source version of Cisco's Vector Packet Processing (VPP) technology: a high performance, packet-processing stack that can run on commodity CPUs.
The benefits of this implementation of VPP are its high performance, proven technology, its modularity and flexibility, and rich feature set.
For more information on VPP and its features please visit the FD.io website and What is VPP? pages.
Details of the changes leading up to this version of VPP can be found under @ref release_notes.
Directory name | Description |
---|---|
build-data | Build metadata |
build-root | Build output directory |
doxygen | Documentation generator configuration |
dpdk | DPDK patches and build infrastructure |
@ref extras/libmemif | Client library for memif |
@ref src/examples | VPP example code |
@ref src/plugins | VPP bundled plugins directory |
@ref src/svm | Shared virtual memory allocation library |
src/tests | Standalone tests (not part of test harness) |
src/vat | VPP API test program |
@ref src/vlib | VPP application library |
@ref src/vlibapi | VPP API library |
@ref src/vlibmemory | VPP Memory management |
@ref src/vnet | VPP networking |
@ref src/vpp | VPP application |
@ref src/vpp-api | VPP application API bindings |
@ref src/vppinfra | VPP core library |
@ref src/vpp/api | Not-yet-relocated API bindings |
test | Unit tests and Python test harness |
In general anyone interested in building, developing or running VPP should consult the VPP wiki for more complete documentation.
In particular, readers are recommended to take a look at [Pulling, Building, Running, Hacking, Pushing](https://wiki.fd.io/view/VPP/Pulling,_Building,_Running,_Hacking_and_Pushing_VPP_Code) which provides extensive step-by-step coverage of the topic.
For the impatient, some salient information is distilled below.
To install system dependencies, build VPP and then install it, simply run the build script. This should be performed by a non-privileged user with sudo access from the project base directory:
./extras/vagrant/build.sh
If you want a more fine-grained approach because you intend to do some development work, the Makefile in the root directory of the source tree provides several convenience shortcuts as make targets that may be of interest. To see the available targets run:
make
The directory extras/vagrant contains a VagrantFile and supporting scripts to bootstrap a working VPP inside a Vagrant-managed Virtual Machine. This VM can then be used to test concepts with VPP or as a development platform to extend VPP. Some obvious caveats apply when using a VM for VPP since its performance will never match that of bare metal; if your work is timing or performance sensitive, consider using bare metal in addition to or instead of the VM.
For this to work you will need a working installation of Vagrant. Instructions for this can be found [on the Setting up Vagrant wiki page](https://wiki.fd.io/view/DEV/Setting_Up_Vagrant).
Several modules provide documentation, see @subpage user_doc for more end-user-oriented information. Also see @subpage dev_doc for developer notes.
Visit the VPP wiki for details on more advanced building strategies and other development notes.
There is PyDoc generated documentation available for the VPP test framework. See @ref test_framework_doc for details.