ipsecplugin

package
v1.4.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 24, 2018 License: Apache-2.0 Imports: 12 Imported by: 0

README

IPsec plugin

The ipsecplugin is a Core Agent Plugin that is designed to configure IPsec for VPP. Configuration managed by this plugin is modelled by the proto file.

The configuration must be stored in etcd using the following keys:

# Security Policy Database (SPD)
/vnf-agent/<agent-label>/vpp/config/v1/ipsec/spd/<spdName>
# Security Association
/vnf-agent/<agent-label>/vpp/config/v1/ipsec/sa/<saName>

An example of configuration in json format can be found here: SPD and SA.

To insert config into etcd in json format vpp-agent-ctl can be used. We assume that we want to configure vpp with label vpp1, config for SPD is stored in the ipsec-spd.json file and config for SAs is stored in the ipsec-sa10.json and ipsec-sa20.json file.

vpp-agent-ctl -put /vnf-agent/vpp1/vpp/config/v1/ipsec/sa/sa10 ipsec-sa10.json
vpp-agent-ctl -put /vnf-agent/vpp1/vpp/config/v1/ipsec/sa/sa20 ipsec-sa20.json
vpp-agent-ctl -put /vnf-agent/vpp1/vpp/config/v1/ipsec/spd/spd1 ipsec-spd.json

To enable IPsec in Linux as well you need to have package ipsec-tools installed. Then you need to edit /etc/ipsec-tools.conf and add following configuration:

# Flush the SAD and SPD
flush;
spdflush;

# ESP Security associations
add 10.0.0.1 10.0.0.2 esp 0x000003e8 -E rijndael-cbc
        0x4a506a794f574265564551694d653768
        -A hmac-sha1 0x4339314b55523947594d6d3547666b45764e6a58;
add 10.0.0.2 10.0.0.1 esp 0x000003e9 -E rijndael-cbc
        0x4a506a794f574265564551694d653768
        -A hmac-sha1 0x4339314b55523947594d6d3547666b45764e6a58;

# Security policies
spdadd 10.0.0.1 10.0.0.2 any -P out ipsec
           esp/transport//require;

spdadd 10.0.0.2 10.0.0.1 any -P in ipsec
           esp/transport//require;

After saving the configuration file run /etc/init.d/setkey start to activate it.

You can find more information here: https://wiki.fd.io/view/VPP/IPSec_and_IKEv2#Ubuntu_configuration

Documentation

Overview

Package ipsecplugin implements the IPSec plugin that handles management of IPSec for VPP.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type IPSecConfigurator

type IPSecConfigurator struct {
	Log       logging.Logger
	Stopwatch *measure.Stopwatch // timer used to measure and store time

	GoVppmux govppmux.API

	SwIfIndexes ifaceidx.SwIfIndexRW

	SaIndexSeq       uint32
	SaIndexes        idxvpp.NameToIdxRW
	SpdIndexSeq      uint32
	SpdIndexes       ipsecidx.SPDIndexRW
	CachedSpdIndexes ipsecidx.SPDIndexRW

	SPDIfCache []SPDIfCacheEntry
	// contains filtered or unexported fields
}

IPSecConfigurator runs in the background in its own goroutine where it watches for any changes in the configuration of interfaces as modelled by the proto file "../model/ipsec/ipsec.proto" and stored in ETCD under the key "/vnf-agent/{vnf-agent}/vpp/config/v1/ipsec". Updates received from the northbound API are compared with the VPP run-time configuration and differences are applied through the VPP binary API.

func (*IPSecConfigurator) Close

func (plugin *IPSecConfigurator) Close() error

Close GOVPP channel

func (*IPSecConfigurator) ConfigureSA

func (plugin *IPSecConfigurator) ConfigureSA(sa *ipsec.SecurityAssociations_SA) error

ConfigureSA configures Security Association in VPP

func (*IPSecConfigurator) ConfigureSPD

func (plugin *IPSecConfigurator) ConfigureSPD(spd *ipsec.SecurityPolicyDatabases_SPD) error

ConfigureSPD configures Security Policy Database in VPP

func (*IPSecConfigurator) ConfigureTunnel

func (plugin *IPSecConfigurator) ConfigureTunnel(tunnel *ipsec.TunnelInterfaces_Tunnel) error

ConfigureTunnel configures Tunnel interface in VPP

func (*IPSecConfigurator) DeleteSA

func (plugin *IPSecConfigurator) DeleteSA(oldSa *ipsec.SecurityAssociations_SA) error

DeleteSA deletes Security Association in VPP

func (*IPSecConfigurator) DeleteSPD

func (plugin *IPSecConfigurator) DeleteSPD(oldSpd *ipsec.SecurityPolicyDatabases_SPD) error

DeleteSPD deletes Security Policy Database in VPP

func (*IPSecConfigurator) DeleteTunnel

func (plugin *IPSecConfigurator) DeleteTunnel(oldTunnel *ipsec.TunnelInterfaces_Tunnel) error

DeleteTunnel deletes Tunnel interface in VPP

func (*IPSecConfigurator) Init

func (plugin *IPSecConfigurator) Init() (err error)

Init members (channels...) and start go routines

func (*IPSecConfigurator) ModifySA

ModifySA modifies Security Association in VPP

func (*IPSecConfigurator) ModifySPD

ModifySPD modifies Security Policy Database in VPP

func (*IPSecConfigurator) ModifyTunnel

func (plugin *IPSecConfigurator) ModifyTunnel(oldTunnel *ipsec.TunnelInterfaces_Tunnel, newTunnel *ipsec.TunnelInterfaces_Tunnel) error

ModifyTunnel modifies Tunnel interface in VPP

func (*IPSecConfigurator) ResolveCreatedInterface

func (plugin *IPSecConfigurator) ResolveCreatedInterface(ifName string, swIfIdx uint32)

ResolveCreatedInterface is responsible for reconfiguring cached assignments

func (*IPSecConfigurator) ResolveDeletedInterface

func (plugin *IPSecConfigurator) ResolveDeletedInterface(ifName string, swIfIdx uint32)

ResolveDeletedInterface is responsible for caching assignments for future reconfiguration

func (*IPSecConfigurator) Resync

Resync writes missing IPSec configs to the VPP and removes obsolete ones.

type SPDIfCacheEntry

type SPDIfCacheEntry struct {
	// contains filtered or unexported fields
}

SPDIfCacheEntry contains info about cached assignment of interface to SPD

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL