ipsec: Tunnel SA DSCP behaviour

Type: feature

 - use tunnel_encap_decap_flags to control the copying of DSCP/ECN/etc
during IPSEC tunnel mode encap.
 - use DSCP value to have fixed encap value.

Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: If4f51fd4c1dcbb0422aac9bd078e5c14af5bf11f

Author: Neale Ranns

src/plugins/ikev2/ikev2.c

@@ -1856,13 +1856,17 @@ ikev2_add_tunnel_from_main (ikev2_add_ipsec_tunnel_args_t * a)
 			       IPSEC_PROTOCOL_ESP, a->encr_type,
 			       &a->loc_ckey, a->integ_type, &a->loc_ikey,
 			       a->flags, 0, a->salt_local, &zero_addr,
-			       &zero_addr, NULL, a->src_port, a->dst_port);
+			       &zero_addr, TUNNEL_ENCAP_DECAP_FLAG_NONE,
+			       IP_DSCP_CS0, NULL, a->src_port, a->dst_port);
+
   rv |= ipsec_sa_add_and_lock (a->remote_sa_id, a->remote_spi,
 			       IPSEC_PROTOCOL_ESP, a->encr_type, &a->rem_ckey,
 			       a->integ_type, &a->rem_ikey,
 			       (a->flags | IPSEC_SA_FLAG_IS_INBOUND), 0,
 			       a->salt_remote, &zero_addr,
-			       &zero_addr, NULL, a->ipsec_over_udp_port,
+			       &zero_addr, TUNNEL_ENCAP_DECAP_FLAG_NONE,
+			       IP_DSCP_CS0, NULL,
+			       a->ipsec_over_udp_port,
 			       a->ipsec_over_udp_port);
 
   rv |= ipsec_tun_protect_update (sw_if_index, NULL, a->local_sa_id, sas_in);

src/vnet/ip/ip.c

@@ -155,6 +155,24 @@ format_ip_dscp (u8 * s, va_list * va)
   return (format (s, "unknown"));
 }
 
+uword
+unformat_ip_dscp (unformat_input_t * input, va_list * args)
+{
+  ip_dscp_t *dscp = va_arg (*args, ip_dscp_t *);
+
+  if (0)
+    ;
+#define _(n,v)                                                  \
+  else if (unformat (input, #v))                                \
+    *dscp = IP_DSCP_##v;
+  foreach_ip_dscp
+#undef _
+    else
+    return 0;
+
+  return 1;
+}
+
 u8 *
 format_ip_ecn (u8 * s, va_list * va)
 {

src/vnet/ip/ip6_packet.h

@@ -310,31 +310,36 @@ typedef struct
   ip6_address_t src_address, dst_address;
 } ip6_header_t;
 
+#define IP6_PACKET_TC_MASK 0x0FF00000
+#define IP6_PACKET_DSCP_MASK 0x0FC00000
+#define IP6_PACKET_ECN_MASK 0x00300000
+
 always_inline ip_dscp_t
 ip6_traffic_class (const ip6_header_t * i)
 {
-  return (i->ip_version_traffic_class_and_flow_label & 0x0FF00000) >> 20;
+  return (i->ip_version_traffic_class_and_flow_label & IP6_PACKET_TC_MASK) >>
+    20;
 }
 
 static_always_inline ip_dscp_t
 ip6_traffic_class_network_order (const ip6_header_t * ip6)
 {
   return (clib_net_to_host_u32 (ip6->ip_version_traffic_class_and_flow_label)
-	  & 0x0ff00000) >> 20;
+	  & IP6_PACKET_TC_MASK) >> 20;
 }
 
 static_always_inline ip_dscp_t
 ip6_dscp_network_order (const ip6_header_t * ip6)
 {
   return (clib_net_to_host_u32 (ip6->ip_version_traffic_class_and_flow_label)
-	  & 0x0fc00000) >> 22;
+	  & IP6_PACKET_DSCP_MASK) >> 22;
 }
 
 static_always_inline ip_ecn_t
 ip6_ecn_network_order (const ip6_header_t * ip6)
 {
   return (clib_net_to_host_u32 (ip6->ip_version_traffic_class_and_flow_label)
-	  & 0x00300000) >> 20;
+	  & IP6_PACKET_ECN_MASK) >> 20;
 }
 
 static_always_inline void

src/vnet/ip/ip_packet.h

@@ -42,6 +42,7 @@
 
 #include <vppinfra/byte_order.h>
 #include <vppinfra/error.h>
+#include <vppinfra/format.h>
 
 typedef enum ip_protocol
 {
@@ -119,6 +120,7 @@ typedef enum ip_dscp_t_
 } __clib_packed ip_dscp_t;
 
 extern u8 *format_ip_dscp (u8 * s, va_list * va);
+unformat_function_t unformat_ip_dscp;
 
 /**
  * IP DSCP bit shift

src/vnet/ipsec/ah_encrypt.c

@@ -22,6 +22,7 @@
 #include <vnet/ipsec/ipsec.h>
 #include <vnet/ipsec/esp.h>
 #include <vnet/ipsec/ah.h>
+#include <vnet/tunnel/tunnel_dp.h>
 
 #define foreach_ah_encrypt_next \
   _ (DROP, "error-drop")                           \
@@ -111,12 +112,13 @@ typedef struct
 {
   union
   {
+    /* Variable fields in the IP header not covered by the AH
+     * integrity check */
     struct
     {
       u8 hop_limit;
       u32 ip_version_traffic_class_and_flow_label;
     };
-
     struct
     {
       u8 ttl;
@@ -209,8 +211,6 @@ ah_encrypt_inline (vlib_main_t * vm,
 
       ssize_t adv;
       ih0 = vlib_buffer_get_current (b[0]);
-      pd->ttl = ih0->ip4.ttl;
-      pd->tos = ih0->ip4.tos;
 
       if (PREDICT_TRUE (ipsec_sa_is_set_IS_TUNNEL (sa0)))
 	{
@@ -246,10 +246,20 @@ ah_encrypt_inline (vlib_main_t * vm,
 	  ip_hdr_size = sizeof (ip6_header_t);
 	  oh6_0 = vlib_buffer_get_current (b[0]);
 	  pd->current_data = b[0]->current_data;
-
 	  pd->hop_limit = ih6_0->ip6.hop_limit;
-	  pd->ip_version_traffic_class_and_flow_label =
+
+	  oh6_0->ip6.ip_version_traffic_class_and_flow_label =
 	    ih6_0->ip6.ip_version_traffic_class_and_flow_label;
+
+	  ip6_set_dscp_network_order (&oh6_0->ip6, sa0->dscp);
+
+	  tunnel_encap_fixup_6o6 (sa0->tunnel_flags,
+				  &ih6_0->ip6, &oh6_0->ip6);
+
+	  pd->ip_version_traffic_class_and_flow_label =
+	    oh6_0->ip6.ip_version_traffic_class_and_flow_label;
+	  oh6_0->ip6.ip_version_traffic_class_and_flow_label = 0;
+
 	  if (PREDICT_TRUE (ipsec_sa_is_set_IS_TUNNEL (sa0)))
 	    {
 	      next_hdr_type = IP_PROTOCOL_IPV6;
@@ -275,8 +285,24 @@ ah_encrypt_inline (vlib_main_t * vm,
 	{
 	  ip_hdr_size = sizeof (ip4_header_t);
 	  oh0 = vlib_buffer_get_current (b[0]);
-	  clib_memset (oh0, 0, sizeof (ip4_and_ah_header_t));
+	  pd->ttl = ih0->ip4.ttl;
+
+	  if (sa0->dscp)
+	    pd->tos = sa0->dscp << 2;
+	  else
+	    {
+	      pd->tos = ih0->ip4.tos;
+	      if (!
+		  (sa0->tunnel_flags &
+		   TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_DSCP))
+		pd->tos &= 0x3;
+	      if (!
+		  (sa0->tunnel_flags &
+		   TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_ECN))
+		pd->tos &= 0xfc;
+	    }
 	  pd->current_data = b[0]->current_data;
+	  clib_memset (oh0, 0, sizeof (ip4_and_ah_header_t));
 
 	  if (PREDICT_TRUE (ipsec_sa_is_set_IS_TUNNEL (sa0)))
 	    {

src/vnet/ipsec/esp_encrypt.c

@@ -24,6 +24,7 @@
 #include <vnet/ipsec/ipsec.h>
 #include <vnet/ipsec/ipsec_tun.h>
 #include <vnet/ipsec/esp.h>
+#include <vnet/tunnel/tunnel_dp.h>
 
 #define foreach_esp_encrypt_next                   \
 _(DROP4, "ip4-drop")                               \
@@ -743,9 +744,22 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 	      u16 len = sizeof (ip6_header_t);
 	      hdr_len += len;
 	      ip6 = (ip6_header_t *) (payload - hdr_len);
-	      clib_memcpy_fast (ip6, &sa0->ip6_hdr, len);
-	      *next_hdr_ptr = (is_ip6 ?
-			       IP_PROTOCOL_IPV6 : IP_PROTOCOL_IP_IN_IP);
+	      clib_memcpy_fast (ip6, &sa0->ip6_hdr, sizeof (ip6_header_t));
+
+	      if (is_ip6)
+		{
+		  *next_hdr_ptr = IP_PROTOCOL_IPV6;
+		  tunnel_encap_fixup_6o6 (sa0->tunnel_flags,
+					  (const ip6_header_t *) payload,
+					  ip6);
+		}
+	      else
+		{
+		  *next_hdr_ptr = IP_PROTOCOL_IP_IN_IP;
+		  tunnel_encap_fixup_4o6 (sa0->tunnel_flags,
+					  (const ip4_header_t *) payload,
+					  ip6);
+		}
 	      len = payload_len_total + hdr_len - len;
 	      ip6->payload_length = clib_net_to_host_u16 (len);
 	    }
@@ -755,9 +769,22 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 	      u16 len = sizeof (ip4_header_t);
 	      hdr_len += len;
 	      ip4 = (ip4_header_t *) (payload - hdr_len);
-	      clib_memcpy_fast (ip4, &sa0->ip4_hdr, len);
-	      *next_hdr_ptr = (is_ip6 ?
-			       IP_PROTOCOL_IPV6 : IP_PROTOCOL_IP_IN_IP);
+	      clib_memcpy_fast (ip4, &sa0->ip4_hdr, sizeof (ip4_header_t));
+
+	      if (is_ip6)
+		{
+		  *next_hdr_ptr = IP_PROTOCOL_IPV6;
+		  tunnel_encap_fixup_6o4_w_chksum (sa0->tunnel_flags,
+						   (const ip6_header_t *)
+						   payload, ip4);
+		}
+	      else
+		{
+		  *next_hdr_ptr = IP_PROTOCOL_IP_IN_IP;
+		  tunnel_encap_fixup_4o4_w_chksum (sa0->tunnel_flags,
+						   (const ip4_header_t *)
+						   payload, ip4);
+		}
 	      len = payload_len_total + hdr_len;
 	      esp_update_ip4_hdr (ip4, len, /* is_transport */ 0, 0);
 	    }

src/vnet/ipsec/ipsec.api

@@ -196,12 +196,25 @@ define ipsec_sad_entry_add_del
   bool is_add;
   vl_api_ipsec_sad_entry_t entry;
 };
+define ipsec_sad_entry_add_del_v2
+{
+  u32 client_index;
+  u32 context;
+  bool is_add;
+  vl_api_ipsec_sad_entry_v2_t entry;
+};
 define ipsec_sad_entry_add_del_reply
 {
   u32 context;
   i32 retval;
   u32 stat_index;
 };
+define ipsec_sad_entry_add_del_v2_reply
+{
+  u32 context;
+  i32 retval;
+  u32 stat_index;
+};
 
 /** \brief Add or Update Protection for a tunnel with IPSEC
 
@@ -439,33 +452,24 @@ define ipsec_sa_dump
   u32 context;
   u32 sa_id;
 };
+define ipsec_sa_v2_dump
+{
+  u32 client_index;
+  u32 context;
+  u32 sa_id;
+};
 
 /** \brief IPsec security association database response
     @param context - sender context which was passed in the request
-    @param sa_id - SA ID, policy-based SAs >=0, tunnel interface SAs = 0
+    @param entry - The SA details
     @param sw_if_index - sw_if_index of tunnel interface, policy-based SAs = ~0
-    @param spi - security parameter index
-    @param protocol - IPsec protocol (value from ipsec_protocol_t)
-    @param crypto_alg - crypto algorithm (value from ipsec_crypto_alg_t)
-    @param crypto_key_len - length of crypto_key in bytes
-    @param crypto_key - crypto keying material
-    @param integ_alg - integrity algorithm (value from ipsec_integ_alg_t)
-    @param integ_key_len - length of integ_key in bytes
-    @param integ_key - integrity keying material
-    @param use_esn - using extended sequence numbers when non-zero
-    @param use_anti_replay - using anti-replay window when non-zero
-    @param is_tunnel - IPsec tunnel mode when non-zero, else transport mode
-    @param is_tunnel_ipv6 - If using tunnel mode, endpoints are IPv6
-    @param tunnel_src_addr - Tunnel source address if using tunnel mode
-    @param tunnel_dst_addr - Tunnel destination address is using tunnel mode
     @param salt - 4 byte salt
     @param seq - current sequence number for outbound
     @param seq_hi - high 32 bits of ESN for outbound
     @param last_seq - highest sequence number received inbound
     @param last_seq_hi - high 32 bits of highest ESN received inbound
     @param replay_window - bit map of seq nums received relative to last_seq if using anti-replay
     @param stat_index - index for the SA in the stats segment @ /net/ipsec/sa
-    @param udp_encap - 1 if UDP encap enabled, 0 otherwise
 */
 define ipsec_sa_details {
   u32 context;
@@ -479,6 +483,18 @@ define ipsec_sa_details {
 
   u32 stat_index;
 };
+define ipsec_sa_v2_details {
+  u32 context;
+  vl_api_ipsec_sad_entry_v2_t entry;
+
+  vl_api_interface_index_t sw_if_index;
+  u32 salt;
+  u64 seq_outbound;
+  u64 last_seq_inbound;
+  u64 replay_window;
+
+  u32 stat_index;
+};
 
 /** \brief Set new SA on IPsec interface