Merge #961 branch 'eugeneia/max-next-v2016.07-2' into next
lukego committed Jul 4, 2016
2 parents 995f9d8 + 9738d15 commit 3549398
Showing 13 changed files with 217 additions and 7 deletions.
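--- a/src/apps/ipsec/README.md
+++ b/src/apps/ipsec/README.md
@@ -0,0 +1,44 @@
+# IPsec Apps
+
+## AES128gcm (apps.ipsec.esp)
+
+The `AES128gcm` implements an ESP transport tunnel using the AES-GCM-128
+cipher. It encrypts packets received on its `decapsulated` port and transmits
+them on its `encapsulated` port, and vice-versa. Packets arriving on the
+`decapsulated` port must have an IPv6 header, and packets arriving on the
+`encapsulated` port must have an IPv6 header followed by an ESP header,
+otherwise they will be discarded.
+
+References:
+
+- `lib.ipsec.esp`
+
+DIAGRAM: AES128gcm
++-----------+
+encapsulated | |
+---->* AES128gcm *<----
+<----* *---->
+| | decapsulated
++-----------+
+
+encapsulated
+--------\ /----------
+<-------|---/ /------->
+\-----/ decapsulated
+
+### Configuration
+
+The `AES128gcm` app accepts a table as its configuration argument. The
+following keys are defined:
+
+— Key **spi**
+
+*Required*. Security Parameter Index. A 32 bit integer.
+
+— Key **key**
+
+*Required*. 20 bytes in form of a hex encoded string.
+
+— Key **replay_window**
+
+*Optional*. Size of the “Anti-Replay Window”. Defaults to 128.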
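--- a/src/apps/ipsec/esp.lua
+++ b/src/apps/ipsec/esp.lua
@@ -0,0 +1,45 @@
+-- Use of this source code is governed by the Apache 2.0 license; see COPYING.
+
+-- This app implements a point-to-point encryption tunnel using ESP with
+-- AES-128-GCM.
+
+module(..., package.seeall)
+local esp = require("lib.ipsec.esp")
+
+AES128gcm = {}
+
+function AES128gcm:new (arg)
+local conf = arg and config.parse_app_arg(arg) or {}
+local self = {}
+self.encrypt = esp.esp_v6_encrypt:new{
+mode = "aes-128-gcm",
+spi = conf.spi,
+keymat = conf.key:sub(1, 32),
+salt = conf.key:sub(33, 40)}
+self.decrypt = esp.esp_v6_decrypt:new{
+mode = "aes-128-gcm",
+spi = conf.spi,
+keymat = conf.key:sub(1, 32),
+salt = conf.key:sub(33, 40),
+window_size = conf.replay_window}
+return setmetatable(self, {__index = AES128gcm})
+end
+
+function AES128gcm:push ()
+-- Encapsulation path
+local input = self.input.decapsulated
+local output = self.output.encapsulated
+for _=1,link.nreadable(input) do
+local p = link.receive(input)
+if self.encrypt:encapsulate(p) then link.transmit(output, p)
+else packet.free(p) end
+end
+-- Decapsulation path
+local input = self.input.encapsulated
+local output = self.output.decapsulated
+for _=1,link.nreadable(input) do
+local p = link.receive(input)
+if self.decrypt:decapsulate(p) then link.transmit(output, p)
+else packet.free(p) end
+end
+end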
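Review bot: `AES128gcm:new` slices `conf.key` with `sub(1, 32)` and `sub(33, 40)` without checking that the key is present, hexadecimal and exactly 40 hex digits (the README's 20 bytes), so a missing key dies with an attempt-to-index error, a short key silently yields a truncated keymat or an empty salt, and a long key is silently truncated — the fixtures in this commit pass 48 hex digits and nothing notices. Guard the slices with `assert(type(conf.key) == "string" and #conf.key == 40 and conf.key:match("^%x+$"), "key must be 20 bytes as 40 hex digits")` and `assert(conf.spi, "spi is required")`. Separately, the single `key` is handed as keymat and salt to both the encrypt SA and the decrypt SA, so two peers sharing one configuration (as the fixtures do) transmit in both directions under one AES-GCM key; if the per-packet IV is derived from the sequence counter, as `enc.seq` in the lib selftest suggests, both directions will emit the same nonces, which defeats GCM confidentiality and integrity. Either document that each direction must be given its own key/salt or add separate transmit and receive keys to the configuration. Also, `push` frees packets that fail `decapsulate` without counting them, so ICV failures and replays leave no operational trace; a drop counter would make tampering observable.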
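--- a/src/bench/snabbnfv-iperf-1500-crypto
+++ b/src/bench/snabbnfv-iperf-1500-crypto
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -e
+out=$(program/snabbnfv/selftest.sh bench 1500 \
+program/snabbnfv/test_fixtures/nfvconfig/test_functions/crypto.ports)
+# Extract floating point Gbits number from output.
+echo "$out" | grep IPERF-1500 | cut -d " " -f 2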
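Review bot: `set -e` does not cover the pipeline on the last line, so if selftest.sh prints no `IPERF-1500` line, `grep` fails, `cut` prints nothing and the script still exits 0 with an empty measurement that a benchmark harness may record as a success. Change the second line to `set -eo pipefail` so a missing measurement is reported as a failure. The sibling `snabbnfv-iperf-1500-tunnel+crypto` script has the same shape and needs the same change.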
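--- a/src/bench/snabbnfv-iperf-1500-tunnel+crypto
+++ b/src/bench/snabbnfv-iperf-1500-tunnel+crypto
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -e
+out=$(program/snabbnfv/selftest.sh bench 1500 \
+program/snabbnfv/test_fixtures/nfvconfig/test_functions/crypto-tunnel.ports)
+# Extract floating point Gbits number from output.
+echo "$out" | grep IPERF-1500 | cut -d " " -f 2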
16 changes: 16 additions & 0 deletions src/lib/ipsec/esp.lua
Expand Up @@ -195,6 +195,22 @@ ABCDEFGHIJKLMNOPQRSTUVWXYZ
assert(not enc:encapsulate(p_invalid), "encapsulated invalid packet")
local p_invalid = packet.from_string("invalid")
assert(not dec:decapsulate(p_invalid), "decapsulated invalid packet")
-- Check minimum packet.
local p_min = packet.from_string("012345678901234567890123456789012345678901234567890123")
p_min.data[18] = 0 -- Set IPv6 payload length to zero
p_min.data[19] = 0 -- ...
assert(packet.length(p_min) == PAYLOAD_OFFSET)
print("original", lib.hexdump(ffi.string(packet.data(p_min), packet.length(p_min))))
local e_min = packet.clone(p_min)
assert(enc:encapsulate(e_min))
print("encrypted", lib.hexdump(ffi.string(packet.data(e_min), packet.length(e_min))))
assert(packet.length(e_min) == dec.MIN_SIZE+PAYLOAD_OFFSET)
assert(dec:decapsulate(e_min))
print("decrypted", lib.hexdump(ffi.string(packet.data(e_min), packet.length(e_min))))
assert(packet.length(e_min) == PAYLOAD_OFFSET)
assert(packet.length(p_min) == packet.length(e_min)
and C.memcmp(p_min, e_min, packet.length(p_min)) == 0,
"integrity check failed")
-- Check transmitted Sequence Number wrap around
enc.seq:low(0)
enc.seq:high(1)
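Review bot: The final integrity check compares the packet structs themselves, `C.memcmp(p_min, e_min, packet.length(p_min))`, while every other line in this block goes through `packet.data(...)`; if `struct packet` carries its length field ahead of the data buffer, that compares the two length words plus all but the last bytes of the payload rather than the payload itself, so corruption in the tail would go unnoticed. Use `C.memcmp(packet.data(p_min), packet.data(e_min), packet.length(p_min)) == 0` to match the hexdump lines above. The three `print` hexdumps also make the selftest noisy on every run and read like debugging leftovers; drop them or guard them behind a verbose flag. The enclosing selftest function starts and ends outside this hunk.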
14 changes: 13 additions & 1 deletion src/program/snabbnfv/README.md
Expand Up @@ -50,6 +50,7 @@ port := { port_id = <id>, -- A unique string
ingress_filter = <filter>, -- A pcap-filter(7) expression
egress_filter = <filter>, -- ..
tunnel = <tunnel-conf>,
crypto = <crypto-conf>,
rx_police_gbps = <n>, -- Allowed input rate in Gbps
tx_police_gbps = <n> } -- Allowed output rate in Gbps
```
Expand All @@ -64,9 +65,20 @@ tunnel := { type = "L2TPv3", -- The only type (for now)
next_hop = <ip-address>, -- Gateway IP
local_ip = <ip-address>, -- ~ `local_address'
remote_ip = <ip-address>, -- ~ `remote_address'
session = <32bit-int> -- ~ `session_id' }
session = <32bit-int> } -- ~ `session_id'
```

The `crypto` section allows configuration of traffic encryption based on
`apps.esp`:

```
crypto := { type = "esp-aes-128-gcm", -- The only type (for now)
spi = <spi>, -- Security Parameter Index
key = <key>, -- 20 bytes as a hex encoded string
replay_window = <n> } -- Replay window
```


### snabbnfv traffic

The `snabbnfv traffic` program loads and runs a NFV configuration using
8 changes: 8 additions & 0 deletions src/program/snabbnfv/nfvconfig.lua
Expand Up @@ -7,6 +7,7 @@ local PcapFilter = require("apps.packet_filter.pcap_filter").PcapFilter
local RateLimiter = require("apps.rate_limiter.rate_limiter").RateLimiter
local nd_light = require("apps.ipv6.nd_light").nd_light
local L2TPv3 = require("apps.keyed_ipv6_tunnel.tunnel").SimpleKeyedTunnel
local AES128gcm = require("apps.ipsec.esp").AES128gcm
local pci = require("lib.hardware.pci")
local ffi = require("ffi")
local C = ffi.C
Expand Down Expand Up @@ -94,6 +95,13 @@ function load (file, pciaddr, sockpath)
config.link(c, Tunnel..".decapsulated -> "..VM_rx)
VM_rx, VM_tx = ND..".south", ND..".south"
end
if t.crypto and t.crypto.type == "esp-aes-128-gcm" then
local Crypto = name.."_Crypto"
config.app(c, Crypto, AES128gcm, t.crypto)
config.link(c, VM_tx.." -> "..Crypto..".decapsulated")
config.link(c, Crypto..".decapsulated -> "..VM_rx)
VM_rx, VM_tx = Crypto..".encapsulated", Crypto..".encapsulated"
end
if t.rx_police_gbps then
local RxLimit = name.."_RxLimit"
local rate = t.rx_police_gbps * 1e9 / 8
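Review bot: A `crypto` table whose `type` is anything other than `"esp-aes-128-gcm"` (a typo, a future cipher name) falls through the `if` silently and the port is wired up in cleartext without any error; an encryption option should fail closed. Add `elseif t.crypto then error("unsupported crypto type: "..tostring(t.crypto.type))` so a misconfigured port refuses to start instead of forwarding unencrypted. Note also that the Crypto app is spliced in south of the tunnel branch's ND app, so every IPv6 packet leaving the port — including, if `nd_light` emits them on `.south`, the neighbor solicitations for `next_hop` — is ESP-wrapped, and inbound frames that are not ESP are dropped by the app; that requires the next hop to be an ESP peer itself, which deserves a comment at this branch. The enclosing `load` function starts and ends outside this hunk.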
22 changes: 19 additions & 3 deletions src/program/snabbnfv/selftest.sh
Expand Up @@ -288,10 +288,25 @@ function filter_tests {
assert FILTER $?
}

# Usage: iperf_bench [<mode>]
function crypto_tests {
load_config program/snabbnfv/test_fixtures/nfvconfig/test_functions/crypto.ports

test_ping $SNABB_TELNET0 "$(ip 1)%eth0"
test_iperf $SNABB_TELNET0 $SNABB_TELNET1 "$(ip 1)%eth0"
test_jumboping $SNABB_TELNET0 $SNABB_TELNET1 "$(ip 1)%eth0"
# Repeat iperf test now that jumbo frames are enabled
test_iperf $SNABB_TELNET0 $SNABB_TELNET1 "$(ip 1)%eth0"
}

# Usage: iperf_bench [<mode>] [<config>]
# Run iperf benchmark. If <mode> is "jumbo", jumboframes will be enabled.
# <config> defaults to same_vlan.ports.
function iperf_bench {
load_config program/snabbnfv/test_fixtures/nfvconfig/test_functions/same_vlan.ports
if [ -z "$2" ]; then
load_config program/snabbnfv/test_fixtures/nfvconfig/test_functions/same_vlan.ports
else
load_config "$2"
fi

if [ "$1" = "jumbo" ]; then
test_jumboping $SNABB_TELNET0 $SNABB_TELNET1 "$(ip 1)%eth0" \
Expand Down Expand Up @@ -324,7 +339,7 @@ start_test_env
# Decide which mode to run (`test', `bench' or `fuzz').
case $1 in
bench)
iperf_bench "$2"
iperf_bench "$2" "$3"
;;
fuzz)
fuzz_tests "$2"
Expand All @@ -334,6 +349,7 @@ case $1 in
rate_limited_tests
tunnel_tests
filter_tests
crypto_tests
esac

exit 0
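Review bot: `crypto_tests` only exercises the positive path with a fixture in which both ports share the same SPI and key, so it passes even if the app never authenticates anything or has its ports swapped; adding a negative case — the two ports configured with different keys and `test_ping` expected to fail — would show that encryption is actually enforced rather than merely not breaking connectivity. The `case` statement that dispatches `crypto_tests` begins outside this hunk.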
5 changes: 3 additions & 2 deletions src/program/snabbnfv/test_env/test_env.sh
Expand Up @@ -116,14 +116,15 @@ function launch_qemu {
"numactl --cpunodebind=$(pci_node $1) --membind=$(pci_node $1) \
$QEMU $QEMU_ARGS \
-kernel $assets/$4 \
-append \"earlyprintk root=/dev/vda $SNABB_KERNEL_PARAMS rw console=ttyS0 ip=$(ip $qemu_n)\" \
-append \"earlyprintk root=/dev/vda $SNABB_KERNEL_PARAMS rw console=ttyS1 ip=$(ip $qemu_n)\" \
-m $GUEST_MEM -numa node,memdev=mem -object memory-backend-file,id=mem,size=${GUEST_MEM}M,mem-path=$HUGETLBFS,share=on \
-netdev type=vhost-user,id=net0,chardev=char0${mqueues} -chardev socket,id=char0,path=$2,server \
-device virtio-net-pci,netdev=net0,mac=$(mac $qemu_n),mq=$qemu_mq,vectors=$qemu_vectors \
-M pc -smp $qemu_smp -cpu host --enable-kvm \
-serial telnet:localhost:$3,server,nowait \
-serial stdio \
-drive if=virtio,format=raw,file=$(qemu_image $5) \
-nographic" \
-display none" \
$(qemu_log)
qemu_n=$(expr $qemu_n + 1)
sockets="$sockets $2"
@@ -0,0 +1,30 @@
return {
{ vlan = 43,
mac_address = "52:54:00:00:00:00",
port_id = "A",
tunnel = { type = "L2TPv3",
remote_ip = "fe80:0:0:0:5054:ff:fe00:1",
local_ip = "fe80:0:0:0:5054:ff:fe00:0",
session = 16,
local_cookie = "deadbeef",
remote_cookie = "deadbeef",
next_hop = "fe80:0:0:0:5054:ff:fe00:1" },
crypto = { type = "esp-aes-128-gcm",
spi = 0x42,
key = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", }
},
{ vlan = 43,
mac_address = "52:54:00:00:00:01",
port_id = "B",
tunnel = { type = "L2TPv3",
remote_ip = "fe80:0:0:0:5054:ff:fe00:0",
local_ip = "fe80:0:0:0:5054:ff:fe00:1",
session = 16,
local_cookie = "deadbeef",
remote_cookie = "deadbeef",
next_hop = "fe80:0:0:0:5054:ff:fe00:0" },
crypto = { type = "esp-aes-128-gcm",
spi = 0x42,
key = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", }
},
}
@@ -0,0 +1,16 @@
return {
{ vlan = 43,
mac_address = "52:54:00:00:00:00",
port_id = "A",
crypto = { type = "esp-aes-128-gcm",
spi = 0x42,
key = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", }
},
{ vlan = 43,
mac_address = "52:54:00:00:00:01",
port_id = "B",
crypto = { type = "esp-aes-128-gcm",
spi = 0x42,
key = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", }
},
}
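Review bot: Both ports in this fixture use a 48-hex-digit `key`, whereas the app documentation in this commit specifies 20 bytes (40 hex digits); the app's `sub(1, 32)`/`sub(33, 40)` slices silently ignore the trailing 8 digits, so the fixture works by accident and would stop loading if key length were ever validated. Trim it to 40 digits, e.g. `key = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"`, on both ports. Sharing one SPI and key between the two ports also means the fixture cannot catch a peer that mixes up its transmit and receive SAs.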
10 changes: 10 additions & 0 deletions src/program/snabbnfv/traffic/README
Expand Up @@ -42,6 +42,7 @@ CONFIG FILE FORMAT:
ingress_filter = <rules>, -- A pcap-filter(7) expression
egress_filter = <rules>, -- ..
tunnel = <tunnel-conf>,
crypto = <crypto-conf>,
rx_police_gbps = <n>, -- Allowed input rate in Gbps
tx_police_gbps = <n> } -- Allowed output rate in Gbps

Expand All @@ -55,3 +56,12 @@ CONFIG FILE FORMAT:
local_ip = <ip-address>, -- ~ `local_address'
remote_ip = <ip-address>, -- ~ `remote_address'
session = <32bit-int> -- ~ `session_id' }

The crypto section allows configuration of traffic encryption based on
apps.ipsec.esp:


crypto := { type = "esp-aes-128-gcm", -- The only type (for now)
spi = <spi>, -- Security Parameter Index
key = <key>, -- 20 bytes as a hex encoded string
replay_window = <n> } -- Replay window
2 changes: 1 addition & 1 deletion src/scripts/dock.sh
@@ -1,6 +1,6 @@
#!/usr/bin/env bash

export SNABB_TEST_IMAGE=${SNABB_TEST_IMAGE:=eugeneia/snabb-nfv-test}
export SNABB_TEST_IMAGE=${SNABB_TEST_IMAGE:=eugeneia/snabb-nfv-test-vanilla}

# Snabb Docker environment
