Add IPSec mechanism #660
Merged
Add IPSec mechanism #660
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
denis-tingaikin
approved these changes
Dec 6, 2022
nsmbot
pushed a commit
to networkservicemesh/cmd-nse-vl3-vpp
that referenced
this pull request
Dec 6, 2022
…k-vpp@main PR link: networkservicemesh/sdk-vpp#660 Commit: 1e7ed6b Author: Artem Glazychev Date: 2022-12-06 16:29:44 +0700 Message: - Add IPSec mechanism (#660) Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Signed-off-by: NSMBot <nsmbot@networkservicmesh.io>
nsmbot
pushed a commit
to networkservicemesh/cmd-nse-vlan-vpp
that referenced
this pull request
Dec 6, 2022
…k-vpp@main PR link: networkservicemesh/sdk-vpp#660 Commit: 1e7ed6b Author: Artem Glazychev Date: 2022-12-06 16:29:44 +0700 Message: - Add IPSec mechanism (#660) Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Signed-off-by: NSMBot <nsmbot@networkservicmesh.io>
nsmbot
pushed a commit
to networkservicemesh/cmd-nse-icmp-responder-vpp
that referenced
this pull request
Dec 6, 2022
…k-vpp@main PR link: networkservicemesh/sdk-vpp#660 Commit: 1e7ed6b Author: Artem Glazychev Date: 2022-12-06 16:29:44 +0700 Message: - Add IPSec mechanism (#660) Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Signed-off-by: NSMBot <nsmbot@networkservicmesh.io>
nsmbot
pushed a commit
to networkservicemesh/cmd-nsc-simple-docker
that referenced
this pull request
Dec 6, 2022
…k-vpp@main PR link: networkservicemesh/sdk-vpp#660 Commit: 1e7ed6b Author: Artem Glazychev Date: 2022-12-06 16:29:44 +0700 Message: - Add IPSec mechanism (#660) Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Signed-off-by: NSMBot <nsmbot@networkservicmesh.io>
nsmbot
pushed a commit
to networkservicemesh/cmd-forwarder-vpp
that referenced
this pull request
Dec 6, 2022
…k-vpp@main PR link: networkservicemesh/sdk-vpp#660 Commit: 1e7ed6b Author: Artem Glazychev Date: 2022-12-06 16:29:44 +0700 Message: - Add IPSec mechanism (#660) Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Signed-off-by: NSMBot <nsmbot@networkservicmesh.io>
nsmbot
pushed a commit
to networkservicemesh/cmd-nsc-vpp
that referenced
this pull request
Dec 6, 2022
…k-vpp@main PR link: networkservicemesh/sdk-vpp#660 Commit: 1e7ed6b Author: Artem Glazychev Date: 2022-12-06 16:29:44 +0700 Message: - Add IPSec mechanism (#660) Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Signed-off-by: NSMBot <nsmbot@networkservicmesh.io>
nsmbot
pushed a commit
to networkservicemesh/cmd-nse-firewall-vpp
that referenced
this pull request
Dec 6, 2022
…k-vpp@main PR link: networkservicemesh/sdk-vpp#660 Commit: 1e7ed6b Author: Artem Glazychev Date: 2022-12-06 16:29:44 +0700 Message: - Add IPSec mechanism (#660) Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Signed-off-by: NSMBot <nsmbot@networkservicmesh.io>
nsmbot
pushed a commit
to networkservicemesh/cmd-nse-simple-vl3-docker
that referenced
this pull request
Dec 6, 2022
…k-vpp@main PR link: networkservicemesh/sdk-vpp#660 Commit: 1e7ed6b Author: Artem Glazychev Date: 2022-12-06 16:29:44 +0700 Message: - Add IPSec mechanism (#660) Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Signed-off-by: NSMBot <nsmbot@networkservicmesh.io>
This was referenced Dec 6, 2022
Merged
nsmbot
pushed a commit
that referenced
this pull request
Apr 25, 2024
…k-kernel@main PR link: networkservicemesh/sdk-kernel#660 Commit: 4e18004 Author: Network Service Mesh Bot Date: 2024-04-25 13:52:03 -0500 Message: - Update go.mod and go.sum to latest version from networkservicemesh/sdk@main (#660) PR link: networkservicemesh/sdk#1614 Commit: aa92e5b Author: Network Service Mesh Bot Date: 2024-04-25 13:49:29 -0500 Message: - Update go.mod and go.sum to latest version from networkservicemesh/api@main (#1614) PR link: networkservicemesh/api#171 Commit: d0df988 Author: Nikita Skrynnik Date: 2024-04-25 04:04:52 +0700 Message: - Create releases with Github CLI (#171) * Create releases with Github CLI * use reusable github actions for release and release-dependent-repositories jobs * fix yaml linter issues * remove get-tag job --------- Signed-off-by: NSMBot <nsmbot@networkservicmesh.io>
nsmbot
added a commit
that referenced
this pull request
Apr 25, 2024
…k-kernel@main (#826) PR link: networkservicemesh/sdk-kernel#660 Commit: 4e18004 Author: Network Service Mesh Bot Date: 2024-04-25 13:52:03 -0500 Message: - Update go.mod and go.sum to latest version from networkservicemesh/sdk@main (#660) PR link: networkservicemesh/sdk#1614 Commit: aa92e5b Author: Network Service Mesh Bot Date: 2024-04-25 13:49:29 -0500 Message: - Update go.mod and go.sum to latest version from networkservicemesh/api@main (#1614) PR link: networkservicemesh/api#171 Commit: d0df988 Author: Nikita Skrynnik Date: 2024-04-25 04:04:52 +0700 Message: - Create releases with Github CLI (#171) * Create releases with Github CLI * use reusable github actions for release and release-dependent-repositories jobs * fix yaml linter issues * remove get-tag job --------- Signed-off-by: NSMBot <nsmbot@networkservicmesh.io> Co-authored-by: NSMBot <nsmbot@networkservicmesh.io>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue: #638
Signed-off-by: Artem Glazychev artem.glazychev@xored.com
Description
IKEv2
This implementation is based on built-in vpp IKEv2 plugin - https://github.com/FDio/vpp/tree/master/src/plugins/ikev2
Many things have been implemented based on - https://wiki.fd.io/view/VPP/IPSec_and_IKEv2#IKEv2_negotiation_between_a_VPP_responder_and_a_VPP_initiator.2C_using_RSA_signature_authentication_method
We also use here UDP encapsulation of ESP packets.
Pinhole
This PR also modifies the pinhole chain element to pass additional rules via metadata. This is necessary because IPSec uses 2 UDP ports to function. One (4500) is passed in the mechanism and the other (500) is passed through the metadata as it is a constant.
Also added mutex for pinhole. This is necessary because the pinhole chain element dumps VPP, performs some manipulations and reassign ACL rules. Possible data race.