VPP-341: iOAM plugin documentation

Change-Id: I0042ce8b8a70bb709765037c3636be667ad88aa2
Signed-off-by: Shwetha <shwethab@cisco.com>
diff --git a/plugins/ioam-plugin/ioam/Readme.md b/plugins/ioam-plugin/ioam/Readme.md
new file mode 100644
index 0000000..469a15a
--- /dev/null
+++ b/plugins/ioam-plugin/ioam/Readme.md
@@ -0,0 +1,465 @@
+
+## VPP Inband OAM (iOAM)
+
+In-band OAM (iOAM) is an implementation study to record operational
+information in the packet while the packet traverses a path between
+two points in the network.
+
+Overview of iOAM can be found in [iOAM-Devnet] page.
+The following IETF drafts detail the motivation and mechanism for
+recording operational information:
+ - [iOAM-ietf-requirements] - Describes motivation and usecases for iOAM
+ - [iOAM-ietf-data] - Describes data records that can be collected using iOAM
+ - [iOAM-ietf-transport] - Lists out the transport protocols
+ and mechanism to carry iOAM data records
+ - [iOAM-ietf-proof-of-transit] - Describes the idea of Proof of Transit (POT)
+ and mechanisms to operationalize the idea
+
+## Terminology
+In-band OAM is expected to be deployed in a specific domain rather
+than on the overall Internet. The part of the network which employs in-band OAM
+is referred to as **"in-band OAM-domain"**.
+
+In-band OAM data is added to a packet on entering the in-band OAM-domain
+and is removed from the packet when exiting the domain.
+Within the in-band OAM-domain, network nodes that the packet traverses
+may update the in-band OAM data records.
+
+- The node which adds in-band OAM data to the packet is called the
+**"in-band OAM encapsulating node"**.
+
+- The node which removes the in-band OAM data is referred to as the
+**"in-band OAM decapsulating node"**.
+
+- Nodes within the domain which are aware of in-band OAM data and read
+and/or write or process the in-band OAM data are called
+**"in-band OAM transit nodes"**.
+
+## Features supported in the current release
+VPP can function as in-band OAM encapsulating, transit and decapsulating node.
+In this version of VPP in-band OAM data is transported as options in an
+IPv6 hop-by-hop extension header. Hence in-band OAM can be enabled
+for IPv6 traffic.
+
+The following iOAM features are supported:
+
+- **In-band OAM Tracing** : In-band OAM supports multiple data records to be
+recorded in the packet as the packet traverses the network.
+These data records offer insights into the operational behavior of the network.
+The following information can be collected in the tracing
+data from the nodes a packet traverses:
+  - Node ID
+  - Ingress interface ID
+  - Egress interface ID
+  - Timestamp
+  - Pre-configured application data
+
+- **In-band OAM Proof of Transit (POT)**: Proof of transit iOAM data is
+added to every packet for verifying that a packet traverses a specific
+set of nodes.
+In-band OAM data is updated at every node that is enabled with iOAM
+proof of transit and is used to verify whether a packet traversed
+all the specified nodes. When the verifier receives each packet,
+it can validate whether the packet traversed the specified nodes.
+
+
+## Configuration
+Configuring iOAM involves:
+- Selecting the packets for which iOAM data must be inserted, updated or removed
+  - Selection of packets for iOAM data insertion on iOAM encapsulating node.
+  Selection of packets is done by 5-tuple based classification
+  - Selection of packets for updating iOAM data is implicitly done on the
+  presence of iOAM options in the packet
+  - Selection of packets for removing the iOAM data is done on 5-tuple
+  based classification
+- The kind of data to be collected
+  - Tracing data
+  - Proof of transit
+- Additional details for processing iOAM data to be collected
+  - For trace data - trace type, number of nodes to be recorded in the trace,
+  time stamp precision, etc.
+  - For POT data - configuration of POT profile required to process the POT data
+
+The CLI for configuring iOAM is explained here followed by detailed steps
+and examples to deploy iOAM on VPP as an encapsulating, transit or
+decapsulating iOAM node in the subsequent sub-sections.
+
+VPP iOAM configuration for enabling trace and POT is as follows:
+
+    set ioam rewrite trace-type <0x1f|0x7|0x9|0x11|0x19>
+    trace-elts <number of trace elements> trace-tsp <0|1|2|3>
+    node-id <node ID in hex> app-data <application data in hex> [pot]
+
+A description of each of the options of the CLI follows:
+- trace-type : An entry in the "Node data List" array of the trace option
+can have different formats, following the needs of the a deployment.
+For example: Some deployments might only be interested
+in recording the node identifiers, whereas others might be interested
+in recording node identifier and timestamp.
+The following types are currently supported:
+    - 0x1f : Node data to include hop limit (8 bits), node ID (24 bits),
+    ingress and egress interface IDs (16 bits each), timestamp (32 bits),
+    application data (32 bits)
+    - 0x7 : Node data to include hop limit (8 bits), node ID (24 bits),
+    ingress and egress interface IDs (16 bits each)
+    - 0x9 : Node data to include hop limit (8 bits), node ID (24 bits),
+    timestamp (32 bits)
+    - 0x11: Node data to include hop limit (8 bits), node ID (24 bits),
+    application data (32 bits)
+    - 0x19: Node data to include hop limit (8 bits), node ID (24 bits),
+    timestamp (32 bits), application data (32 bits)
+- trace-elts : Defines the length of the node data array in the trace option.
+- trace-tsp : Defines the timestamp precision to use with the enumerated value
+              for precision as follows:
+    - 0 : 32bits timestamp in seconds
+    - 1 : 32bits timestamp in milliseconds
+    - 2 : 32bits timestamp in microseconds
+    - 3 : 32bits timestamp in nanoseconds
+- node-id : Unique identifier for the node, included in the node ID
+  field of the node data in trace option.
+- app-data : The value configured here is included as is in
+application data field of node data in trace option.
+- pot : Enables POT option to be included in the iOAM options.
+
+### Trace configuration
+
+#### On in-band OAM encapsulating node
+ - **Configure classifier and apply ACL** to select packets for
+ iOAM data insertion
+    - Example to enable iOAM data insertion for all the packets
+    towards IPv6 address db06::06:
+
+    vpp# classify table miss-next node ip6-lookup mask l3 ip6 dst
+    
+    vpp# classify session acl-hit-next node ip6-add-hop-by-hop
+    table-index 0 match l3 ip6 dst db06::06
+    
+    vpp# set int input acl intfc GigabitEthernet0/0/0 ip6-table 0
+    
+ - **Enable tracing** : Specify node ID, maximum number of nodes for which
+ trace data should be recorded, type of data to be included for recording,
+ optionally application data to be included
+    - Example to enable tracing with a maximum of 4 nodes recorded
+    and the data to be recorded to include - hop limit, node id,
+    ingress and egress interface IDs, timestamp (millisecond precision),
+    application data (0x1234):
+
+
+    vpp# set ioam rewrite trace-type 0x1f trace-elts 4 trace-tsp 1
+    node-id 0x1 app-data 0x1234
+
+
+
+#### On in-band OAM transit node
+- The transit node requires trace type, timestamp precision, node ID and
+optionally application data to be configured,
+to update its node data in the trace option.
+
+Example:  
+
+    vpp# set ioam rewrite trace-type 0x1f trace-elts 4 trace-tsp 1  
+    node-id 0x2 app-data 0x1234  
+
+#### On the In-band OAM decapsulating node
+- The decapsulating node similar to encapsulating node requires
+**classification** of the packets to remove iOAM data from.
+    - Example to decapsulate iOAM data for packets towards
+    db06::06, configure classifier and enable it as an ACL as follows:
+
+
+    vpp# classify table miss-next node ip6-lookup mask l3 ip6 dst
+
+    vpp# classify session acl-hit-next node ip6-lookup table-index 0
+    match l3 ip6 dst db06::06 opaque-index 100
+
+    vpp# set int input acl intfc GigabitEthernet0/0/0 ip6-table 0
+
+
+- Decapsulating node requires trace type, timestamp precision,
+node ID and optionally application data to be configured,
+to update its node data in the trace option before it is decapsulated.
+
+Example:  
+
+    vpp# set ioam rewrite trace-type 0x1f trace-elts 4  
+    trace-tsp 1 node-id 0x3 app-data 0x1234  
+
+
+### Proof of Transit configuration
+
+For details on proof-of-transit,
+see the IETF draft [iOAM-ietf-proof-of-transit].
+To enable Proof of Transit all the nodes that participate
+and hence are verified for transit need a proof of transit profile.
+A script to generate a proof of transit profile as per the mechanism
+described in [iOAM-ietf-proof-of-transit] will be available at [iOAM-Devnet].
+
+The Proof of transit mechanism implemented here is based on
+Shamir's Secret Sharing algorithm.
+The overall algorithm uses two polynomials 
+POLY-1 and POLY-2. The degree of polynomials depends on number of nodes
+to be verified for transit.
+POLY-1 is secret and constant. Each node gets a point on POLY-1
+at setup-time and keeps it secret.
+POLY-2 is public, random and per packet.
+Each node is assigned a point on POLY-1 and POLY-2 with the same x index.
+Each node derives its point on POLY-2 each time a packet arrives at it.
+A node then contributes its points on POLY-1 and POLY-2 to construct
+POLY-3 (POLY-3 = POLY-1 + POLY-2) using lagrange extrapolation and
+forwards it towards the verifier by updating POT data in the packet.
+The verifier constructs POLY-3 from the accumulated value from all the nodes
+and its own points on POLY-1 and POLY-2 and verifies whether
+POLY-3 = POLY-1 + POLY-2.  Only the verifier knows POLY-1.
+The solution leverages finite field arithmetic in a field of size "prime number"
+for reasons explained in description of Shamir's secret sharing algorithm.
+
+Here is an explanation of POT profile list and profile configuration CLI to
+realize the above mechanism.
+It is best to use the script provided at [iOAM-Devnet] to generate
+this configuration.
+- **Create POT profile** : set pot profile name <string> id [0-1]  
+[validator-key 0xu64] prime-number 0xu64 secret_share 0xu64  
+lpc 0xu64 polynomial2 0xu64 bits-in-random [0-64]  
+    - name : Profile list name.
+    - id : Profile id, it can be 0 or 1.
+    A maximum of two profiles can be configured per profile list.
+    - validator-key : Secret key configured only on the
+    verifier/decapsulating node used to compare and verify proof of transit.
+    - prime-number : Prime number for finite field arithmetic as required by the
+    proof of transit mechanism.
+    - secret_share : Unique point for each node on the secret polynomial POLY-1.
+    - lpc : Lagrange Polynomial Constant(LPC) calculated per node based on
+    its point (x value used for evaluating the points on the polynomial)
+    on the polynomial used in lagrange extrapolation
+    for reconstructing polynomial (POLY-3).
+    - polynomial2 : Is the pre-evaluated value of the point on
+    2nd polynomial(POLY-2). This is unique for each node.
+    It is pre-evaluated for all the coefficients of POLY-2 except
+    for the constant part of the polynomial that changes per packet
+    and is received as part of the POT data in the packet.
+    - bits-in-random : To control the size of the random number to be
+    generated. This number has to match the other numbers generated and used
+    in the profile as per the algorithm.
+
+- **Set a configured profile as active/in-use** :  
+set pot profile-active name <string> ID [0-1]  
+    - name : Name of the profile list to be used for computing
+    POT data per packet.
+    - ID : Identifier of the profile within the list to be used.
+
+#### On In-band OAM encapsulating node
+ - Configure the classifier and apply ACL to select packets for iOAM data insertion.
+    - Example to enable iOAM data insertion for all the packet towards
+    IPv6 address db06::06 -
+
+
+    vpp# classify table miss-next node ip6-lookup mask l3 ip6 dst
+
+    vpp# classify session acl-hit-next node
+    ip6-add-hop-by-hop table-index 0 match l3 ip6 dst db06::06
+
+    vpp# set int input acl intfc GigabitEthernet0/0/0 ip6-table 0
+
+
+ - Configure the proof of transit profile list with profiles.
+Each profile list referred to by a name can contain 2 profiles,
+only one is in use for updating proof of transit data at any time.
+    - Example profile list example with a profile generated from the
+    script to verify transit through 3 nodes is:
+
+
+    vpp# set pot profile name example id 0 prime-number 0x7fff0000fa884685
+    secret_share 0x6c22eff0f45ec56d lpc 0x7fff0000fa884682
+    polynomial2 0xffb543d4a9c bits-in-random 63
+
+ - Enable one of the profiles from the configured profile list as active
+ so that is will be used for calculating proof of transit
+
+Example enable profile ID 0 from profile list example configured above:
+
+
+    vpp# set pot profile-active name example ID 0
+
+
+ - Enable POT option to be inserted
+
+
+    vpp# set ioam rewrite pot
+
+
+#### On in-band OAM transit node
+ - Configure the proof of transit profile list with profiles for transit node.
+Example:
+
+
+    vpp# set pot profile name example id 0 prime-number 0x7fff0000fa884685
+    secret_share 0x564cdbdec4eb625d lpc 0x1
+    polynomial2 0x23f3a227186a bits-in-random 63
+
+#### On in-band OAM decapsulating node / verifier
+- The decapsulating node, similar to the encapsulating node requires
+classification of the packets to remove iOAM data from.
+    - Example to decapsulate iOAM data for packets towards db06::06
+    configure classifier and enable it as an ACL as follows:
+
+
+    vpp# classify table miss-next node ip6-lookup mask l3 ip6 dst
+
+    vpp# classify session acl-hit-next node ip6-lookup table-index 0
+    match l3 ip6 dst db06::06 opaque-index 100
+
+    vpp# set int input acl intfc GigabitEthernet0/0/0 ip6-table 0
+
+- To update and verify the proof of transit, POT profile list should be configured.
+    - Example POT profile list configured as follows:
+
+    vpp# set pot profile name example id 0 validate-key 0x7fff0000fa88465d
+    prime-number 0x7fff0000fa884685 secret_share 0x7a08fbfc5b93116d lpc 0x3
+    polynomial2 0x3ff738597ce bits-in-random 63
+
+## Operational data
+
+Following CLIs are available to check iOAM operation:
+- To check iOAM configuration that are effective use "show ioam summary"  
+
+Example:
+
+    vpp# show ioam summary  
+                  REWRITE FLOW CONFIGS - Not configured  
+     HOP BY HOP OPTIONS - TRACE CONFIG -  
+                            Trace Type : 0x1f (31)  
+             Trace timestamp precision : 1 (Milliseconds)  
+                    Num of trace nodes : 4  
+                               Node-id : 0x2 (2)  
+                              App Data : 0x1234 (4660)  
+                            POT OPTION - 1 (Enabled)  
+    Try 'show ioam pot and show pot profile' for more information  
+
+- To find statistics about packets for which iOAM options were
+added (encapsulating node) and removed (decapsulating node) execute
+*show errors*
+
+Example on encapsulating node:
+
+
+    vpp# show error
+       Count                    Node                  Reason
+    1208804706                ip6-inacl               input ACL hits
+    1208804706           ip6-add-hop-by-hop           Pkts w/ added ip6 hop-by-hop options
+    
+Example on decapsulating node:
+
+    vpp# show error
+       Count                    Node                  Reason
+      69508569                ip6-inacl               input ACL hits
+      69508569           ip6-pop-hop-by-hop           Pkts w/ removed ip6 hop-by-hop options
+
+- To check the POT profiles use "show pot profile"
+
+Example:
+
+    vpp# show pot profile
+    Profile list in use  : example
+    POT Profile at index: 0
+                     ID : 0
+              Validator : False (0)
+           Secret share : 0x564cdbdec4eb625d (6218586935324795485)
+           Prime number : 0x7fff0000fa884685 (9223090566081300101)
+    2nd polynomial(eval) : 0x23f3a227186a (39529304496234)
+                     LPC : 0x1 (1)
+               Bit mask : 0x7fffffffffffffff (9223372036854775807)
+    Profile index in use: 0
+    Pkts passed : 0x36 (54)
+
+- To get statistics  of POT for packets use "show ioam pot"
+
+Example at encapsulating or transit node:
+
+    vpp# show ioam pot
+     Pkts with ip6 hop-by-hop POT options - 54
+     Pkts with ip6 hop-by-hop POT options but no profile set - 0
+     Pkts with POT in Policy - 0
+     Pkts with POT out of Policy - 0
+    
+
+Example at decapsulating/verification node:
+
+
+    vpp# show ioam pot
+     Pkts with ip6 hop-by-hop POT options - 54
+     Pkts with ip6 hop-by-hop POT options but no profile set - 0
+     Pkts with POT in Policy - 54
+     Pkts with POT out of Policy - 0
+    
+- Tracing - enable trace of IPv6 packets to view the data inserted and
+collected.
+
+Example when the nodes are receiving data over a DPDK interface:
+Enable tracing using "trace add dpdk-input 20" and
+execute "show trace" to view the iOAM data collected:
+
+  
+    vpp# trace add dpdk-input 20  
+      
+    vpp# show trace
+    
+    ------------------- Start of thread 0 vpp_main -------------------  
+    
+    Packet 1  
+      
+    00:00:19:294697: dpdk-input  
+      GigabitEthernetb/0/0 rx queue 0  
+      buffer 0x10e6b: current data 0, length 214, free-list 0, totlen-nifb 0, trace 0x0  
+      PKT MBUF: port 0, nb_segs 1, pkt_len 214  
+        buf_len 2176, data_len 214, ol_flags 0x0, data_off 128, phys_addr 0xe9a35a00  
+        packet_type 0x0  
+      IP6: 00:50:56:9c:df:72 -> 00:50:56:9c:be:55  
+      IP6_HOP_BY_HOP_OPTIONS: db05::2 -> db06::6  
+        tos 0x00, flow label 0x0, hop limit 63, payload length 160  
+    00:00:19:294737: ethernet-input  
+      IP6: 00:50:56:9c:df:72 -> 00:50:56:9c:be:55  
+    00:00:19:294753: ip6-input  
+      IP6_HOP_BY_HOP_OPTIONS: db05::2 -> db06::6  
+        tos 0x00, flow label 0x0, hop limit 63, payload length 160  
+    00:00:19:294757: ip6-lookup  
+      fib 0 adj-idx 15 : indirect via db05::2 flow hash: 0x00000000  
+      IP6_HOP_BY_HOP_OPTIONS: db05::2 -> db06::6  
+        tos 0x00, flow label 0x0, hop limit 63, payload length 160  
+    00:00:19:294802: ip6-hop-by-hop  
+      IP6_HOP_BY_HOP: next index 5 len 96 traced 96  Trace Type 0x1f , 1 elts left  
+        [0] ttl 0x0 node ID 0x0 ingress 0x0 egress 0x0 ts 0x0  
+    app 0x0  
+        [1] ttl 0x3e node ID 0x3 ingress 0x1 egress 0x2 ts 0xb68c2213  
+    app 0x1234  
+        [2] ttl 0x3f node ID 0x2 ingress 0x1 egress 0x2 ts 0xb68c2204  
+    app 0x1234  
+        [3] ttl 0x40 node ID 0x1 ingress 0x5 egress 0x6 ts 0xb68c2200  
+    app 0x1234  
+        POT opt present  
+             random = 0x577a916946071950, Cumulative = 0x10b46e78a35a392d, Index = 0x0  
+    00:00:19:294810: ip6-rewrite  
+      tx_sw_if_index 1 adj-idx 14 : GigabitEthernetb/0/0  
+                                    IP6: 00:50:56:9c:be:55 -> 00:50:56:9c:df:72 flow hash: 0x00000000  
+      IP6: 00:50:56:9c:be:55 -> 00:50:56:9c:df:72  
+      IP6_HOP_BY_HOP_OPTIONS: db05::2 -> db06::6  
+        tos 0x00, flow label 0x0, hop limit 62, payload length 160  
+    00:00:19:294814: GigabitEthernetb/0/0-output  
+      GigabitEthernetb/0/0  
+      IP6: 00:50:56:9c:be:55 -> 00:50:56:9c:df:72  
+      IP6_HOP_BY_HOP_OPTIONS: db05::2 -> db06::6  
+        tos 0x00, flow label 0x0, hop limit 62, payload length 160  
+    00:00:19:294820: GigabitEthernetb/0/0-tx    
+      GigabitEthernetb/0/0 tx queue 0    
+      buffer 0x10e6b: current data 0, length 214, free-list 0, totlen-nifb 0, trace 0x0    
+      IP6: 00:50:56:9c:be:55 -> 00:50:56:9c:df:72
+      
+      IP6_HOP_BY_HOP_OPTIONS: db05::2 -> db06::6
+      
+        tos 0x00, flow label 0x0, hop limit 62, payload length 160  
+    
+
+[iOAM-Devnet]: <https://github.com/ciscodevnet/iOAM>
+[iOAM-ietf-requirements]:<https://tools.ietf.org/html/draft-brockners-inband-oam-requirements-01>
+[iOAM-ietf-transport]:<https://tools.ietf.org/html/draft-brockners-inband-oam-transport-01>
+[iOAM-ietf-data]:<https://tools.ietf.org/html/draft-brockners-inband-oam-data-01>
+[iOAM-ietf-proof-of-transit]:<https://tools.ietf.org/html/draft-brockners-proof-of-transit-01>
diff --git a/plugins/ioam-plugin/ioam/dir.dox b/plugins/ioam-plugin/ioam/dir.dox
new file mode 100644
index 0000000..f3389b5
--- /dev/null
+++ b/plugins/ioam-plugin/ioam/dir.dox
@@ -0,0 +1,18 @@
+/*
+ * Copyright (c) 2016 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/**
+ @dir
+ @brief Inband OAM (iOAM) implementation
+*/