Merge #961 branch 'eugeneia/max-next-v2016.07-2' into next
Showing
13 changed files
with
217 additions
and
7 deletions.
@@ -0,0 +1,44 @@ | ||
# IPsec Apps | ||
|
||
## AES128gcm (apps.ipsec.esp) | ||
|
||
The `AES128gcm` implements an ESP transport tunnel using the AES-GCM-128 | ||
cipher. It encrypts packets received on its `decapsulated` port and transmits | ||
them on its `encapsulated` port, and vice-versa. Packets arriving on the | ||
`decapsulated` port must have an IPv6 header, and packets arriving on the | ||
`encapsulated` port must have an IPv6 header followed by an ESP header, | ||
otherwise they will be discarded. | ||
|
||
References: | ||
|
||
- `lib.ipsec.esp` | ||
|
||
DIAGRAM: AES128gcm | ||
+-----------+ | ||
encapsulated | | | ||
---->* AES128gcm *<---- | ||
<----* *----> | ||
| | decapsulated | ||
+-----------+ | ||
|
||
encapsulated | ||
--------\ /---------- | ||
<-------|---/ /-------> | ||
\-----/ decapsulated | ||
|
||
### Configuration | ||
|
||
The `AES128gcm` app accepts a table as its configuration argument. The | ||
following keys are defined: | ||
|
||
— Key **spi** | ||
|
||
*Required*. Security Parameter Index. A 32 bit integer. | ||
|
||
— Key **key** | ||
|
||
*Required*. 20 bytes in form of a hex encoded string. | ||
|
||
— Key **replay_window** | ||
|
||
*Optional*. Size of the “Anti-Replay Window”. Defaults to 128. |
@@ -0,0 +1,45 @@ | ||
-- Use of this source code is governed by the Apache 2.0 license; see COPYING. | ||
|
||
-- This app implements a point-to-point encryption tunnel using ESP with | ||
-- AES-128-GCM. | ||
|
||
module(..., package.seeall) | ||
local esp = require("lib.ipsec.esp") | ||
|
||
AES128gcm = {} | ||
|
||
function AES128gcm:new (arg) | ||
local conf = arg and config.parse_app_arg(arg) or {} | ||
local self = {} | ||
self.encrypt = esp.esp_v6_encrypt:new{ | ||
mode = "aes-128-gcm", | ||
spi = conf.spi, | ||
keymat = conf.key:sub(1, 32), | ||
salt = conf.key:sub(33, 40)} | ||
self.decrypt = esp.esp_v6_decrypt:new{ | ||
mode = "aes-128-gcm", | ||
spi = conf.spi, | ||
keymat = conf.key:sub(1, 32), | ||
salt = conf.key:sub(33, 40), | ||
window_size = conf.replay_window} | ||
return setmetatable(self, {__index = AES128gcm}) | ||
end | ||
|
||
function AES128gcm:push () | ||
-- Encapsulation path | ||
local input = self.input.decapsulated | ||
local output = self.output.encapsulated | ||
for _=1,link.nreadable(input) do | ||
local p = link.receive(input) | ||
if self.encrypt:encapsulate(p) then link.transmit(output, p) | ||
else packet.free(p) end | ||
end | ||
-- Decapsulation path | ||
local input = self.input.encapsulated | ||
local output = self.output.decapsulated | ||
for _=1,link.nreadable(input) do | ||
local p = link.receive(input) | ||
if self.decrypt:decapsulate(p) then link.transmit(output, p) | ||
else packet.free(p) end | ||
end | ||
end |
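Review bot: `AES128gcm:new` slices the configured key at `keymat = conf.key:sub(1, 32)` and `salt = conf.key:sub(33, 40)` without checking that `conf.key` is present or long enough, so a missing key fails with an opaque "attempt to index a nil value" and a short or non-hex key silently yields truncated keymat/salt that is handed to the ESP layer. Validate before building the SAs: `assert(conf.spi, "spi is required")` and `assert(type(conf.key) == "string" and #conf.key == 40 and conf.key:match("^%x+$"), "key must be 20 bytes given as 40 hex characters")`. Note also that the single `key` and `spi` feed both the encrypt and the decrypt SA; when two peers are configured symmetrically, as the crypto.ports fixtures in this commit are, both sides encrypt under the same key and salt, and if lib.ipsec.esp derives the GCM IV from its sequence counter (not visible here) the two directions would reuse nonces, which AES-GCM does not tolerate — the README should state that each direction needs distinct key material, or the config should take separate inbound/outbound keys. In `push` the second `local input`/`local output` pair shadows the first; wrapping each path in a `do ... end` block or using distinct names would read more clearly.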
@@ -0,0 +1,6 @@ | ||
#!/usr/bin/env bash | ||
set -e | ||
out=$(program/snabbnfv/selftest.sh bench 1500 \ | ||
program/snabbnfv/test_fixtures/nfvconfig/test_functions/crypto.ports) | ||
# Extract floating point Gbits number from output. | ||
echo "$out" | grep IPERF-1500 | cut -d " " -f 2 |
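Review bot: With `set -e` alone, a benchmark run whose output lacks an `IPERF-1500` line prints nothing and exits 0, because only `cut`'s status counts for the pipeline on the last line; change the second line to `set -eo pipefail` so the missing match surfaces as a failure of the benchmark script. The second benchmark script in this commit (the crypto-tunnel.ports variant) has the same shape and needs the same change.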
@@ -0,0 +1,6 @@ | ||
#!/usr/bin/env bash | ||
set -e | ||
out=$(program/snabbnfv/selftest.sh bench 1500 \ | ||
program/snabbnfv/test_fixtures/nfvconfig/test_functions/crypto-tunnel.ports) | ||
# Extract floating point Gbits number from output. | ||
echo "$out" | grep IPERF-1500 | cut -d " " -f 2 |
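--- a/src/program/snabbnfv/test_fixtures/nfvconfig/test_functions/crypto-tunnel.ports
+++ b/src/program/snabbnfv/test_fixtures/nfvconfig/test_functions/crypto-tunnel.ports
@@ -0,0 +1,30 @@
+return {
+{ vlan = 43,
+mac_address = "52:54:00:00:00:00",
+port_id = "A",
+tunnel = { type = "L2TPv3",
+remote_ip = "fe80:0:0:0:5054:ff:fe00:1",
+local_ip = "fe80:0:0:0:5054:ff:fe00:0",
+session = 16,
+local_cookie = "deadbeef",
+remote_cookie = "deadbeef",
+next_hop = "fe80:0:0:0:5054:ff:fe00:1" },
+crypto = { type = "esp-aes-128-gcm",
+spi = 0x42,
+key = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", }
+},
+{ vlan = 43,
+mac_address = "52:54:00:00:00:01",
+port_id = "B",
+tunnel = { type = "L2TPv3",
+remote_ip = "fe80:0:0:0:5054:ff:fe00:0",
+local_ip = "fe80:0:0:0:5054:ff:fe00:1",
+session = 16,
+local_cookie = "deadbeef",
+remote_cookie = "deadbeef",
+next_hop = "fe80:0:0:0:5054:ff:fe00:0" },
+crypto = { type = "esp-aes-128-gcm",
+spi = 0x42,
+key = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", }
+},
+}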
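--- a/src/program/snabbnfv/test_fixtures/nfvconfig/test_functions/crypto.ports
+++ b/src/program/snabbnfv/test_fixtures/nfvconfig/test_functions/crypto.ports
@@ -0,0 +1,16 @@
+return {
+{ vlan = 43,
+mac_address = "52:54:00:00:00:00",
+port_id = "A",
+crypto = { type = "esp-aes-128-gcm",
+spi = 0x42,
+key = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", }
+},
+{ vlan = 43,
+mac_address = "52:54:00:00:00:01",
+port_id = "B",
+crypto = { type = "esp-aes-128-gcm",
+spi = 0x42,
+key = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", }
+},
+}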