ipsecplugin

package v1.8.1
Published: Mar 4, 2019 License: Apache-2.0 Imports: 14 Imported by: 0

README

IPsec plugin

The ipsecplugin is a Core Agent Plugin that configures IPsec for VPP: Security Policy Databases (SPD), Security Associations (SA) and IPsec tunnel interfaces. The configuration managed by this plugin is modelled by the ipsec.proto file (model/ipsec/ipsec.proto).

The configuration must be stored in etcd using the following keys:

# Security Policy Database (SPD)
/vnf-agent/<agent-label>/vpp/config/v1/ipsec/spd/<spdName>
# Security Association
/vnf-agent/<agent-label>/vpp/config/v1/ipsec/sa/<saName>

Example configurations in JSON format are provided for an SPD and for an SA.

To insert the configuration into etcd in JSON format, vpp-agent-ctl can be used. The example below assumes that the VPP to be configured has the label vpp1, that the SPD configuration is stored in the file ipsec-spd.json and that the SA configurations are stored in the files ipsec-sa10.json and ipsec-sa20.json. The SA entries carry the raw encryption and integrity keys, so both the JSON files and the etcd entries hold secrets and must be protected accordingly.

vpp-agent-ctl -put /vnf-agent/vpp1/vpp/config/v1/ipsec/sa/sa10 ipsec-sa10.json
vpp-agent-ctl -put /vnf-agent/vpp1/vpp/config/v1/ipsec/sa/sa20 ipsec-sa20.json
vpp-agent-ctl -put /vnf-agent/vpp1/vpp/config/v1/ipsec/spd/spd1 ipsec-spd.json

To enable IPsec on the Linux side as well, the ipsec-tools package must be installed. Then edit /etc/ipsec-tools.conf and add the following configuration. The SPI, algorithms and keys of each SA must match the SA configured in VPP for the same direction, otherwise the ESP traffic is dropped. The keys shown here are placeholders; replace them with fresh random keys of the length the algorithm requires (16 bytes for rijndael-cbc with AES-128, 20 bytes for hmac-sha1), and do not reuse one key for both directions:

# Flush the SAD and SPD
flush;
spdflush;

# ESP Security associations
add 10.0.0.1 10.0.0.2 esp 0x000003e8 -E rijndael-cbc
        0x4a506a794f574265564551694d653768
        -A hmac-sha1 0x4339314b55523947594d6d3547666b45764e6a58;
add 10.0.0.2 10.0.0.1 esp 0x000003e9 -E rijndael-cbc
        0x4a506a794f574265564551694d653768
        -A hmac-sha1 0x4339314b55523947594d6d3547666b45764e6a58;

# Security policies
spdadd 10.0.0.1 10.0.0.2 any -P out ipsec
           esp/transport//require;

spdadd 10.0.0.2 10.0.0.1 any -P in ipsec
           esp/transport//require;

After saving the configuration file, run /etc/init.d/setkey start to activate it. setkey -D dumps the loaded SAD and setkey -DP the loaded SPD, which is the quickest way to confirm that the entries were accepted.

You can find more information here: https://wiki.fd.io/view/VPP/IPSec_and_IKEv2#Ubuntu_configuration
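The setkey configuration above carries literal keys for both directions, and a mis-pasted key or one shared between SAs is the kind of defect that only shows up when traffic fails (or, worse, does not). The Go program below is an added example written for this page, not code from vpp-agent or ipsec-tools: it parses the `add` statements of a setkey script, checks that each key has a length setkey accepts for its algorithm (16/24/32 bytes for rijndael-cbc, 20 for hmac-sha1), reports keys reused across SAs, and emits replacement `add` statements with fresh CSPRNG keys for the README's endpoints and SPIs. The embedded sample script is the README's; the accepted-length table and every function name are this example's own.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// Key lengths (bytes) setkey accepts per algorithm; any other length is rejected on load.
var keyLens = map[string]map[int]bool{
	"rijndael-cbc": {16: true, 24: true, 32: true}, // AES-128/192/256-CBC
	"hmac-sha1":    {20: true},
}

type key struct {
	alg string
	raw []byte
}

// sa is one parsed "add <src> <dst> esp <spi> -E <alg> <key> -A <alg> <key>;" statement.
type sa struct {
	src, dst, spi string
	enc, auth     key
}

// sampleConf: the README's two SAs, embedded here as constructed test input.
const sampleConf = `
# ESP Security associations
add 10.0.0.1 10.0.0.2 esp 0x000003e8 -E rijndael-cbc
        0x4a506a794f574265564551694d653768
        -A hmac-sha1 0x4339314b55523947594d6d3547666b45764e6a58;
add 10.0.0.2 10.0.0.1 esp 0x000003e9 -E rijndael-cbc
        0x4a506a794f574265564551694d653768
        -A hmac-sha1 0x4339314b55523947594d6d3547666b45764e6a58;
`

// parseSetkey extracts ESP "add" statements. Comment lines are dropped and the rest is split
// on ';', so multi-line statements parse exactly as in the README.
func parseSetkey(script string) ([]sa, error) {
	var body []string
	for _, line := range strings.Split(script, "\n") {
		if t := strings.TrimSpace(line); t != "" && !strings.HasPrefix(t, "#") {
			body = append(body, t)
		}
	}
	var out []sa
	for _, stmt := range strings.Split(strings.Join(body, " "), ";") {
		f := strings.Fields(stmt)
		if len(f) < 5 || f[0] != "add" || f[3] != "esp" {
			continue // flush, spdflush, spdadd and non-ESP SAs are not checked
		}
		s := sa{src: f[1], dst: f[2], spi: f[4]}
		for i := 5; i+2 < len(f); i += 3 { // option, algorithm, hex key
			raw, err := hex.DecodeString(strings.TrimPrefix(f[i+2], "0x"))
			if err != nil || (f[i] != "-E" && f[i] != "-A") {
				return nil, fmt.Errorf("bad option or key in %q: %v", stmt, err)
			}
			if f[i] == "-E" {
				s.enc = key{f[i+1], raw}
			} else {
				s.auth = key{f[i+1], raw}
			}
		}
		out = append(out, s)
	}
	return out, nil
}

// checkSAs returns one finding per problem (ordered by SA, key, check); empty means the SAs pass.
func checkSAs(sas []sa) []string {
	var findings []string
	firstUse := map[string]string{} // hex key -> SA that introduced it
	for _, s := range sas {
		id := s.src + "->" + s.dst
		for _, k := range []key{s.enc, s.auth} {
			if !keyLens[k.alg][len(k.raw)] {
				findings = append(findings, fmt.Sprintf("%s: %d-byte key is not a valid %s key length", id, len(k.raw), k.alg))
			}
			h := hex.EncodeToString(k.raw)
			if first, dup := firstUse[h]; dup {
				findings = append(findings, id+": reuses the "+k.alg+" key of "+first+"; each SA needs its own keys")
			} else {
				firstUse[h] = id
			}
		}
	}
	return findings
}

// newESPSA emits one "add" statement with fresh random keys of the right length for the
// README's algorithms: rijndael-cbc with a 16-byte AES-128 key, hmac-sha1 with a 20-byte key.
func newESPSA(src, dst string, spi uint32) string {
	k := make([]byte, 36)
	if _, err := rand.Read(k); err != nil {
		panic(err) // a failing CSPRNG is not something to work around
	}
	return fmt.Sprintf("add %s %s esp 0x%08x -E rijndael-cbc 0x%x -A hmac-sha1 0x%x;", src, dst, spi, k[:16], k[16:])
}

func main() {
	sas, err := parseSetkey(sampleConf)
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(checkSAs(sas), "\n"))
	fmt.Println(newESPSA("10.0.0.1", "10.0.0.2", 0x3e8) + "\n" + newESPSA("10.0.0.2", "10.0.0.1", 0x3e9))
}
```

Run against the real file by replacing sampleConf with the contents of /etc/ipsec-tools.conf. The README's configuration passes the length check but is flagged twice, because both SAs share the same encryption key and the same authentication key. The same checks apply to the key material placed in the SA JSON files for VPP, since the Linux and VPP sides must carry identical keys for a given SPI.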

Documentation

Overview

Package ipsecplugin implements the IPSec plugin that handles management of IPSec for VPP.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type IPSecConfigurator

type IPSecConfigurator struct {
	// contains filtered or unexported fields
}

IPSecConfigurator runs in the background in its own goroutine, where it watches for any changes in the IPsec configuration as modelled by the proto file "../model/ipsec/ipsec.proto" and stored in etcd under the key prefix "/vnf-agent/<agent-label>/vpp/config/v1/ipsec". Updates received from the northbound API are compared with the VPP run-time configuration and the differences are applied through the VPP binary API.

func (*IPSecConfigurator) Close

func (c *IPSecConfigurator) Close() error

Close closes the GoVPP channel.

func (*IPSecConfigurator) ConfigureSA

ConfigureSA configures Security Association in VPP

func (*IPSecConfigurator) ConfigureSPD

ConfigureSPD configures Security Policy Database in VPP

func (*IPSecConfigurator) ConfigureTunnel

func (c *IPSecConfigurator) ConfigureTunnel(tunnel *ipsec.TunnelInterfaces_Tunnel) error

ConfigureTunnel configures Tunnel interface in VPP

func (*IPSecConfigurator) DeleteSA

DeleteSA deletes Security Association in VPP

func (*IPSecConfigurator) DeleteSPD

DeleteSPD deletes Security Policy Database in VPP

func (*IPSecConfigurator) DeleteTunnel

func (c *IPSecConfigurator) DeleteTunnel(oldTunnel *ipsec.TunnelInterfaces_Tunnel) error

DeleteTunnel deletes Tunnel interface in VPP

func (*IPSecConfigurator) GetSaIndexes

func (c *IPSecConfigurator) GetSaIndexes() idxvpp.NameToIdxRW

GetSaIndexes returns security association indexes

func (*IPSecConfigurator) GetSpdIndexes

func (c *IPSecConfigurator) GetSpdIndexes() ipsecidx.SPDIndex

GetSpdIndexes returns security policy database indexes

func (*IPSecConfigurator) Init

func (c *IPSecConfigurator) Init(logger logging.PluginLogger, goVppMux govppmux.API, swIfIndexes ifaceidx.SwIfIndexRW) (err error)

Init initializes the configurator's members (channels, ...) and starts its goroutines.

func (*IPSecConfigurator) LogError added in v1.8.1

func (c *IPSecConfigurator) LogError(err error) error

LogError prints the error, including a stack trace, if it is not nil. The same value is also returned so that it can easily be propagated further.

func (*IPSecConfigurator) ModifySA

ModifySA modifies Security Association in VPP

func (*IPSecConfigurator) ModifySPD

func (c *IPSecConfigurator) ModifySPD(oldSpd, newSpd *ipsec.SecurityPolicyDatabases_SPD) error

ModifySPD modifies Security Policy Database in VPP

func (*IPSecConfigurator) ModifyTunnel

func (c *IPSecConfigurator) ModifyTunnel(oldTunnel, newTunnel *ipsec.TunnelInterfaces_Tunnel) error

ModifyTunnel modifies Tunnel interface in VPP

func (*IPSecConfigurator) ResolveCreatedInterface

func (c *IPSecConfigurator) ResolveCreatedInterface(ifName string, swIfIdx uint32) error

ResolveCreatedInterface is responsible for re-applying cached interface-to-SPD assignments (see SPDIfCacheEntry) once the interface has been created, and for reconfiguring missing unnumbered interfaces.

func (*IPSecConfigurator) ResolveDeletedInterface

func (c *IPSecConfigurator) ResolveDeletedInterface(ifName string, swIfIdx uint32) error

ResolveDeletedInterface is responsible for caching the SPD assignments of a removed interface for future reconfiguration. It also unsets removed unnumbered interfaces.

func (*IPSecConfigurator) Resync

Resync writes missing IPSec configs to the VPP and removes obsolete ones.
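The compare-and-apply loop described in the overview (northbound updates compared with the VPP run-time state, differences applied through the binary API) and the Resync contract above amount to a set reconciliation. The Go code below is an added example, not the plugin's implementation: the SA record, the Backend interface, planResync and the recorder fake are all this example's own, reduced to what the algorithm needs. It computes the delete and add sets by name, treats a changed entry as delete-then-add rather than an in-place modification (an assumption made for the example), rejects two desired SAs that claim the same SPI before anything is pushed to VPP, and orders deletes before adds so a rekeyed SA never coexists with its predecessor.

```go
package main

import (
	"fmt"
	"sort"
)

// SA is a reduced, hypothetical security-association record (not the plugin's proto
// type): the fields whose change makes VPP's copy stale.
type SA struct {
	Name      string
	SPI       uint32
	CryptoAlg string
	IntegAlg  string
	CryptoKey string // hex
	IntegKey  string // hex
}

// Backend is the minimal hypothetical surface resync needs from VPP.
type Backend interface {
	AddSA(SA) error
	DelSA(SA) error
}

// Plan holds the operations resync decided on; Apply runs all deletes before any add.
type Plan struct {
	Delete []SA
	Add    []SA
}

// planResync compares the northbound (desired) set with the set dumped from VPP, keyed
// by name: missing entries are added, obsolete ones deleted, and an entry present on both
// sides with different parameters is replaced (delete, then add), since an SA is not
// updated in place here. Two desired SAs claiming one SPI are rejected up front.
func planResync(desired, inVPP []SA) (Plan, error) {
	want, spiOwner := map[string]SA{}, map[uint32]string{}
	for _, s := range desired {
		if other, dup := spiOwner[s.SPI]; dup {
			return Plan{}, fmt.Errorf("SPI 0x%08x claimed by both %q and %q", s.SPI, other, s.Name)
		}
		spiOwner[s.SPI], want[s.Name] = s.Name, s
	}
	have := map[string]SA{}
	for _, s := range inVPP {
		have[s.Name] = s
	}
	var p Plan
	for name, cur := range have {
		if d, ok := want[name]; !ok || d != cur {
			p.Delete = append(p.Delete, cur)
		}
	}
	for name, d := range want {
		if cur, ok := have[name]; !ok || d != cur {
			p.Add = append(p.Add, d)
		}
	}
	// Map iteration is random; sort so the plan (and the VPP call order) is reproducible.
	byName := func(s []SA) { sort.Slice(s, func(i, j int) bool { return s[i].Name < s[j].Name }) }
	byName(p.Delete)
	byName(p.Add)
	return p, nil
}

// Apply executes the plan: all deletes first, so a rekeyed SA never coexists with its
// predecessor under the same SPI; the first failure stops the run.
func (p Plan) Apply(b Backend) error {
	for _, s := range p.Delete {
		if err := b.DelSA(s); err != nil {
			return fmt.Errorf("delete %s: %w", s.Name, err)
		}
	}
	for _, s := range p.Add {
		if err := b.AddSA(s); err != nil {
			return fmt.Errorf("add %s: %w", s.Name, err)
		}
	}
	return nil
}

// recorder is a fake backend that logs calls instead of using the VPP binary API.
type recorder struct{ Ops []string }

func (r *recorder) AddSA(s SA) error {
	r.Ops = append(r.Ops, "add "+s.Name)
	return nil
}

func (r *recorder) DelSA(s SA) error {
	r.Ops = append(r.Ops, "del "+s.Name)
	return nil
}

// Constructed sample: sa10 unchanged, sa20 rekeyed northbound, sa30 new, sa99 left over
// in VPP from an earlier configuration (the keys are dummy hex, not real key material).
var (
	desiredNB = []SA{
		{"sa10", 1000, "aes-cbc-128", "sha1-96", "0f0f", "a1a1"},
		{"sa20", 1001, "aes-cbc-128", "sha1-96", "2222", "b2b2"},
		{"sa30", 1002, "aes-cbc-128", "sha1-96", "3333", "c3c3"},
	}
	dumpedFromVPP = []SA{
		{"sa10", 1000, "aes-cbc-128", "sha1-96", "0f0f", "a1a1"},
		{"sa20", 1001, "aes-cbc-128", "sha1-96", "dead", "b2b2"},
		{"sa99", 1099, "aes-cbc-128", "sha1-96", "9999", "d9d9"},
	}
)

func main() {
	p, err := planResync(desiredNB, dumpedFromVPP)
	if err != nil {
		panic(err)
	}
	r := &recorder{}
	if err := p.Apply(r); err != nil {
		panic(err)
	}
	fmt.Println(r.Ops) // [del sa20 del sa99 add sa20 add sa30]
}
```

Running the plan a second time against the state it produced yields no operations, which is the property a resync needs to be safe to repeat after a reconnect.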

type SPDIfCacheEntry

type SPDIfCacheEntry struct {
	// contains filtered or unexported fields
}

SPDIfCacheEntry contains info about cached assignment of interface to SPD
