README
¶
IPsec plugin
The ipsecplugin is a Core Agent Plugin that is designed to configure IPsec for VPP. Configuration managed by this plugin is modelled by the proto file.
The configuration must be stored in etcd using the following keys:
# Security Policy Database (SPD)
/vnf-agent/<agent-label>/vpp/config/v1/ipsec/spd/<spdName>
# Security Association
/vnf-agent/<agent-label>/vpp/config/v1/ipsec/sa/<saName>
An example of configuration in json format can be found here: SPD and SA.
To insert config into etcd in json format vpp-agent-ctl
can be used. We assume that we want to configure vpp with label vpp1,
config for SPD is stored in the ipsec-spd.json file and
config for SAs is stored in the ipsec-sa10.json and ipsec-sa20.json file.
vpp-agent-ctl -put /vnf-agent/vpp1/vpp/config/v1/ipsec/sa/sa10 ipsec-sa10.json
vpp-agent-ctl -put /vnf-agent/vpp1/vpp/config/v1/ipsec/sa/sa20 ipsec-sa20.json
vpp-agent-ctl -put /vnf-agent/vpp1/vpp/config/v1/ipsec/spd/spd1 ipsec-spd.json
To enable IPsec in Linux as well you need to have package ipsec-tools installed.
Then you need to edit /etc/ipsec-tools.conf and add following configuration:
# Flush the SAD and SPD
flush;
spdflush;
# ESP Security associations
add 10.0.0.1 10.0.0.2 esp 0x000003e8 -E rijndael-cbc
0x4a506a794f574265564551694d653768
-A hmac-sha1 0x4339314b55523947594d6d3547666b45764e6a58;
add 10.0.0.2 10.0.0.1 esp 0x000003e9 -E rijndael-cbc
0x4a506a794f574265564551694d653768
-A hmac-sha1 0x4339314b55523947594d6d3547666b45764e6a58;
# Security policies
spdadd 10.0.0.1 10.0.0.2 any -P out ipsec
esp/transport//require;
spdadd 10.0.0.2 10.0.0.1 any -P in ipsec
esp/transport//require;
After saving the configuration file run /etc/init.d/setkey start to activate it.
You can find more information here: https://wiki.fd.io/view/VPP/IPSec_and_IKEv2#Ubuntu_configuration
Documentation
¶
Overview ¶
Package ipsecplugin implements the IPSec plugin that handles management of IPSec for VPP.
Index ¶
- type IPSecConfigurator
- func (plugin *IPSecConfigurator) Close() error
- func (plugin *IPSecConfigurator) ConfigureSA(sa *ipsec.SecurityAssociations_SA) error
- func (plugin *IPSecConfigurator) ConfigureSPD(spd *ipsec.SecurityPolicyDatabases_SPD) error
- func (plugin *IPSecConfigurator) ConfigureTunnel(tunnel *ipsec.TunnelInterfaces_Tunnel) error
- func (plugin *IPSecConfigurator) DeleteSA(oldSa *ipsec.SecurityAssociations_SA) error
- func (plugin *IPSecConfigurator) DeleteSPD(oldSpd *ipsec.SecurityPolicyDatabases_SPD) error
- func (plugin *IPSecConfigurator) DeleteTunnel(oldTunnel *ipsec.TunnelInterfaces_Tunnel) error
- func (plugin *IPSecConfigurator) Init() (err error)
- func (plugin *IPSecConfigurator) ModifySA(oldSa *ipsec.SecurityAssociations_SA, newSa *ipsec.SecurityAssociations_SA) error
- func (plugin *IPSecConfigurator) ModifySPD(oldSpd *ipsec.SecurityPolicyDatabases_SPD, ...) error
- func (plugin *IPSecConfigurator) ModifyTunnel(oldTunnel *ipsec.TunnelInterfaces_Tunnel, ...) error
- func (plugin *IPSecConfigurator) ResolveCreatedInterface(ifName string, swIfIdx uint32)
- func (plugin *IPSecConfigurator) ResolveDeletedInterface(ifName string, swIfIdx uint32)
- func (plugin *IPSecConfigurator) Resync(spds []*ipsec.SecurityPolicyDatabases_SPD, ...) error
- type SPDIfCacheEntry
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type IPSecConfigurator ¶
type IPSecConfigurator struct {
Log logging.Logger
Stopwatch *measure.Stopwatch // timer used to measure and store time
GoVppmux govppmux.API
SwIfIndexes ifaceidx.SwIfIndexRW
SaIndexSeq uint32
SaIndexes idxvpp.NameToIdxRW
SpdIndexSeq uint32
SpdIndexes ipsecidx.SPDIndexRW
CachedSpdIndexes ipsecidx.SPDIndexRW
SPDIfCache []SPDIfCacheEntry
// contains filtered or unexported fields
}
IPSecConfigurator runs in the background in its own goroutine where it watches for any changes in the configuration of interfaces as modelled by the proto file "../model/ipsec/ipsec.proto" and stored in ETCD under the key "/vnf-agent/{vnf-agent}/vpp/config/v1/ipsec". Updates received from the northbound API are compared with the VPP run-time configuration and differences are applied through the VPP binary API.
func (*IPSecConfigurator) Close ¶
func (plugin *IPSecConfigurator) Close() error
Close GOVPP channel
func (*IPSecConfigurator) ConfigureSA ¶
func (plugin *IPSecConfigurator) ConfigureSA(sa *ipsec.SecurityAssociations_SA) error
ConfigureSA configures Security Association in VPP
func (*IPSecConfigurator) ConfigureSPD ¶
func (plugin *IPSecConfigurator) ConfigureSPD(spd *ipsec.SecurityPolicyDatabases_SPD) error
ConfigureSPD configures Security Policy Database in VPP
func (*IPSecConfigurator) ConfigureTunnel ¶
func (plugin *IPSecConfigurator) ConfigureTunnel(tunnel *ipsec.TunnelInterfaces_Tunnel) error
ConfigureTunnel configures Tunnel interface in VPP
func (*IPSecConfigurator) DeleteSA ¶
func (plugin *IPSecConfigurator) DeleteSA(oldSa *ipsec.SecurityAssociations_SA) error
DeleteSA deletes Security Association in VPP
func (*IPSecConfigurator) DeleteSPD ¶
func (plugin *IPSecConfigurator) DeleteSPD(oldSpd *ipsec.SecurityPolicyDatabases_SPD) error
DeleteSPD deletes Security Policy Database in VPP
func (*IPSecConfigurator) DeleteTunnel ¶
func (plugin *IPSecConfigurator) DeleteTunnel(oldTunnel *ipsec.TunnelInterfaces_Tunnel) error
DeleteTunnel deletes Tunnel interface in VPP
func (*IPSecConfigurator) Init ¶
func (plugin *IPSecConfigurator) Init() (err error)
Init members (channels...) and start go routines
func (*IPSecConfigurator) ModifySA ¶
func (plugin *IPSecConfigurator) ModifySA(oldSa *ipsec.SecurityAssociations_SA, newSa *ipsec.SecurityAssociations_SA) error
ModifySA modifies Security Association in VPP
func (*IPSecConfigurator) ModifySPD ¶
func (plugin *IPSecConfigurator) ModifySPD(oldSpd *ipsec.SecurityPolicyDatabases_SPD, newSpd *ipsec.SecurityPolicyDatabases_SPD) error
ModifySPD modifies Security Policy Database in VPP
func (*IPSecConfigurator) ModifyTunnel ¶
func (plugin *IPSecConfigurator) ModifyTunnel(oldTunnel *ipsec.TunnelInterfaces_Tunnel, newTunnel *ipsec.TunnelInterfaces_Tunnel) error
ModifyTunnel modifies Tunnel interface in VPP
func (*IPSecConfigurator) ResolveCreatedInterface ¶
func (plugin *IPSecConfigurator) ResolveCreatedInterface(ifName string, swIfIdx uint32)
ResolveCreatedInterface is responsible for reconfiguring cached assignments
func (*IPSecConfigurator) ResolveDeletedInterface ¶
func (plugin *IPSecConfigurator) ResolveDeletedInterface(ifName string, swIfIdx uint32)
ResolveDeletedInterface is responsible for caching assignments for future reconfiguration
func (*IPSecConfigurator) Resync ¶
func (plugin *IPSecConfigurator) Resync(spds []*ipsec.SecurityPolicyDatabases_SPD, sas []*ipsec.SecurityAssociations_SA, tunnels []*ipsec.TunnelInterfaces_Tunnel) error
Resync writes missing IPSec configs to the VPP and removes obsolete ones.
type SPDIfCacheEntry ¶
type SPDIfCacheEntry struct {
// contains filtered or unexported fields
}
SPDIfCacheEntry contains info about cached assignment of interface to SPD
Source Files
Directories