Difference between revisions of "VPP/IPSec and IKEv2"
From fd.io
< VPP
(Created page with "This page describes the support in the VPP platform for IPSec and IKEv2. __TOC__ == IPSec == === Features === This implementation of support for IPSec in the VPP engine in...") |
|||
| Line 109: | Line 109: | ||
== IKEv2 == | == IKEv2 == | ||
| + | |||
| + | VPP engine [https://tools.ietf.org/html/rfc7296 IKEv2] implmentation works only as responder. | ||
=== Features === | === Features === | ||
| + | |||
| + | This implementation of support for [http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml IKEv2] in the VPP engine includes the following features: | ||
| + | |||
| + | {| class="wikitable" | ||
| + | |+Exchange Types | ||
| + | |- | ||
| + | ! scope="col"| Number | ||
| + | ! scope="col"| Name | ||
| + | |- | ||
| + | |34 | ||
| + | |IKE SA init | ||
| + | |- | ||
| + | |35 | ||
| + | |IKE auth | ||
| + | |- | ||
| + | |36 | ||
| + | |Create child SA | ||
| + | |- | ||
| + | |37 | ||
| + | |Informational | ||
| + | |} | ||
| + | |||
| + | {| class="wikitable" | ||
| + | |+Payload Types | ||
| + | |- | ||
| + | ! scope="col"| Number | ||
| + | ! scope="col"| Name | ||
| + | |- | ||
| + | |0 | ||
| + | |No next payload | ||
| + | |- | ||
| + | |33 | ||
| + | |Security Association (SA) | ||
| + | |- | ||
| + | |34 | ||
| + | |Key Exchange (KE) | ||
| + | |- | ||
| + | |35 | ||
| + | |Identification - Initiator (IDi) | ||
| + | |- | ||
| + | |36 | ||
| + | |Identification - Responder (IDr) | ||
| + | |- | ||
| + | |39 | ||
| + | |Authentication (AUTH) | ||
| + | |- | ||
| + | |40 | ||
| + | |Nonce (Ni, Nr) | ||
| + | |- | ||
| + | |41 | ||
| + | |Notify (N) | ||
| + | |- | ||
| + | |42 | ||
| + | |Delete (D) | ||
| + | |- | ||
| + | |43 | ||
| + | |Vendor ID (V) | ||
| + | |- | ||
| + | |44 | ||
| + | |Traffic Selector - Initiator (TSi) | ||
| + | |- | ||
| + | |45 | ||
| + | |Traffic Selector - Responder (TSr) | ||
| + | |- | ||
| + | |46 | ||
| + | |Encrypted and Authenticated (SK) | ||
| + | |} | ||
| + | |||
| + | {| class="wikitable" | ||
| + | |+Transform Type Values | ||
| + | |- | ||
| + | ! scope="col"| Number | ||
| + | ! scope="col"| Name | ||
| + | |- | ||
| + | |1 | ||
| + | |Encryption Algorithm (ENCR) | ||
| + | |- | ||
| + | |2 | ||
| + | |Pseudo-random Function (PRF) | ||
| + | |- | ||
| + | |3 | ||
| + | |Integrity Algorithm (INTEG) | ||
| + | |- | ||
| + | |4 | ||
| + | |Diffie-Hellman Group (D-H) | ||
| + | |- | ||
| + | |5 | ||
| + | |Extended Sequence Numbers (ESN) | ||
| + | |} | ||
| + | |||
| + | {| class="wikitable" | ||
| + | |+Encryption Algorithm | ||
| + | |- | ||
| + | ! scope="col"| Number | ||
| + | ! scope="col"| Name | ||
| + | |- | ||
| + | |12 | ||
| + | |AES-CBC (128/192/256) | ||
| + | |} | ||
| + | |||
| + | {| class="wikitable" | ||
| + | |+Pseudo-random Function | ||
| + | |- | ||
| + | ! scope="col"| Number | ||
| + | ! scope="col"| Name | ||
| + | |- | ||
| + | |1 | ||
| + | |HMAC-SHA1 | ||
| + | |} | ||
| + | |||
| + | {| class="wikitable" | ||
| + | |+Integrity Algorithm | ||
| + | |- | ||
| + | ! scope="col"| Number | ||
| + | ! scope="col"| Name | ||
| + | |- | ||
| + | |2 | ||
| + | |HMAC-SHA1-96 | ||
| + | |} | ||
| + | |||
| + | {| class="wikitable" | ||
| + | |+Diffie-Hellman Group | ||
| + | |- | ||
| + | ! scope="col"| Number | ||
| + | ! scope="col"| Name | ||
| + | |- | ||
| + | |1 | ||
| + | |768bit MODP | ||
| + | |- | ||
| + | |2 | ||
| + | |1024bit MODP | ||
| + | |- | ||
| + | |5 | ||
| + | |1536bit MODP | ||
| + | |- | ||
| + | |14 | ||
| + | |2048bit MODP | ||
| + | |- | ||
| + | |15 | ||
| + | |3072bit MODP | ||
| + | |- | ||
| + | |16 | ||
| + | |4096bit MODP | ||
| + | |- | ||
| + | |17 | ||
| + | |6144bit MODP | ||
| + | |- | ||
| + | |18 | ||
| + | |8192bit MODP | ||
| + | |- | ||
| + | |19 | ||
| + | |256bit random ECP | ||
| + | |- | ||
| + | |20 | ||
| + | |384bit random ECP | ||
| + | |- | ||
| + | |21 | ||
| + | |521bit random ECP | ||
| + | |- | ||
| + | |22 | ||
| + | |1024bit MODP with 160bit prime order group | ||
| + | |- | ||
| + | |23 | ||
| + | |2048bit MODP with 224bit prime order group | ||
| + | |- | ||
| + | |24 | ||
| + | |2048bit MODP with 256bit prime order group | ||
| + | |- | ||
| + | |25 | ||
| + | |192bit random ECP | ||
| + | |} | ||
| + | |||
| + | {| class="wikitable" | ||
| + | |+Extended Sequence Numbers | ||
| + | |- | ||
| + | ! scope="col"| Number | ||
| + | ! scope="col"| Name | ||
| + | |- | ||
| + | |0 | ||
| + | |No ESN | ||
| + | |- | ||
| + | |1 | ||
| + | |ESN | ||
| + | |} | ||
| + | |||
| + | {| class="wikitable" | ||
| + | |+ID Types | ||
| + | |- | ||
| + | ! scope="col"| Number | ||
| + | ! scope="col"| Name | ||
| + | |- | ||
| + | |1 | ||
| + | |IPv4 address | ||
| + | |- | ||
| + | |2 | ||
| + | |FQDN | ||
| + | |- | ||
| + | |3 | ||
| + | |RFC822 | ||
| + | |- | ||
| + | |11 | ||
| + | |Key ID | ||
| + | |} | ||
| + | |||
| + | {| class="wikitable" | ||
| + | |+Authentication Method | ||
| + | |- | ||
| + | ! scope="col"| Number | ||
| + | ! scope="col"| Name | ||
| + | |- | ||
| + | |1 | ||
| + | |RSA digital signature | ||
| + | |- | ||
| + | |2 | ||
| + | |Shared key message integrity code | ||
| + | |} | ||
| + | |||
| + | {| class="wikitable" | ||
| + | |+Traffic Selector Types | ||
| + | |- | ||
| + | ! scope="col"| Number | ||
| + | ! scope="col"| Name | ||
| + | |- | ||
| + | |7 | ||
| + | |IPv4 address range | ||
| + | |} | ||
| + | |||
| + | {| class="wikitable" | ||
| + | |+Security Protocol Identifiers | ||
| + | |- | ||
| + | ! scope="col"| Number | ||
| + | ! scope="col"| Name | ||
| + | |- | ||
| + | |1 | ||
| + | |IKE | ||
| + | |- | ||
| + | |3 | ||
| + | |ESP | ||
| + | |} | ||
| + | |||
=== Configuration === | === Configuration === | ||
| + | |||
| + | ==== Profile creation ==== | ||
| + | The following example command shows the configuration sequence to create a IKEv2 profile: | ||
| + | |||
| + | CLI commands | ||
| + | <pre> | ||
| + | ikev2 profile add profile1 | ||
| + | </pre> | ||
| + | |||
| + | VAT commands | ||
| + | <pre> | ||
| + | ikev2_profile_add_del name profile1 | ||
| + | </pre> | ||
| + | |||
| + | ==== Authentication ==== | ||
| + | The following example command shows the configuration sequence to set a IKEv2 profile authentication shared-key-mic string format: | ||
| + | |||
| + | CLI commands | ||
| + | <pre> | ||
| + | ikev2 profile set profile1 auth shared-key-mic string Vpp123 | ||
| + | </pre> | ||
| + | |||
| + | VAT commands | ||
| + | <pre> | ||
| + | ikev2_profile_set_auth name profile1 auth_method shared-key-mic auth_data Vpp123 | ||
| + | </pre> | ||
| + | |||
| + | The following example command shows the configuration sequence to set a IKEv2 profile authentication shared-key-mic hex format: | ||
| + | |||
| + | CLI commands | ||
| + | <pre> | ||
| + | ikev2 profile set profile1 auth shared-key-mic hex abcd1234 | ||
| + | </pre> | ||
| + | |||
| + | VAT commands | ||
| + | <pre> | ||
| + | ikev2_profile_set_auth name profile1 auth_method shared-key-mic auth_data 0xabcd1234 | ||
| + | </pre> | ||
| + | |||
| + | The following example command shows the configuration sequence to set a IKEv2 profile authentication rsa-sig: | ||
| + | |||
| + | CLI commands | ||
| + | <pre> | ||
| + | ikev2 profile set profile1 auth rsa-sig cert-file /home/localadmin/certs/server-cert.pem | ||
| + | </pre> | ||
| + | |||
| + | VAT commands | ||
| + | <pre> | ||
| + | ikev2_profile_set_auth name profile1 auth_method rsa-sig auth_data /home/localadmin/certs/server-cert.pem | ||
| + | </pre> | ||
| + | |||
| + | ==== ID ==== | ||
| + | The following example command shows the configuration sequence to set a IKEv2 profile remote ID IPv4 address: | ||
| + | |||
| + | CLI commands | ||
| + | <pre> | ||
| + | ikev2 profile set profile1 id remote ip4-addr 192.168.123.20 | ||
| + | </pre> | ||
| + | |||
| + | VAT commands | ||
| + | <pre> | ||
| + | ikev2_profile_set_id name profile1 ip4-addr id_data 192.168.123.20 remote | ||
| + | </pre> | ||
| + | |||
| + | The following example command shows the configuration sequence to set a IKEv2 profile local ID FQDN: | ||
| + | |||
| + | CLI commands | ||
| + | <pre> | ||
| + | ikev2 profile set profile1 id local fqdn vpp.home | ||
| + | </pre> | ||
| + | |||
| + | VAT commands | ||
| + | <pre> | ||
| + | ikev2_profile_set_id name profile1 fqdn id_data vpp.home local | ||
| + | </pre> | ||
| + | |||
| + | The following example command shows the configuration sequence to set a IKEv2 profile local ID key-id: | ||
| + | |||
| + | CLI commands | ||
| + | <pre> | ||
| + | ikev2 profile set profile1 id local key-id 0xabcd | ||
| + | </pre> | ||
| + | |||
| + | VAT commands | ||
| + | <pre> | ||
| + | ikev2_profile_set_id name profile2 key-id id_data 0xabcd local | ||
| + | </pre> | ||
| + | |||
| + | The following example command shows the configuration sequence to set a IKEv2 profile local ID rfc822 (email address): | ||
| + | |||
| + | CLI commands | ||
| + | <pre> | ||
| + | ikev2 profile set profile1 id local rfc822 vpp@vvp.home | ||
| + | </pre> | ||
| + | |||
| + | VAT commands | ||
| + | <pre> | ||
| + | ikev2_profile_set_id name profile2 id_type rfc822 id_data vpp@vvp.home local | ||
| + | </pre> | ||
| + | |||
| + | ==== Traffic Selector ==== | ||
| + | The following example command shows the configuration sequence to set a IKEv2 profile traffic selector: | ||
| + | |||
| + | CLI commands | ||
| + | <pre> | ||
| + | ikev2 profile set profile1 traffic-selector local ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0 | ||
| + | ikev2 profile set profile1 traffic-selector remote ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0 | ||
| + | </pre> | ||
| + | |||
| + | VAT commands | ||
| + | <pre> | ||
| + | ikev2_profile_set_ts name profile1 protocol 0 start_port 0 end_port 65535 start_addr 192.168.124.0 end_addr 192.168.124.255 local | ||
| + | ikev2_profile_set_ts name profile1 protocol 0 start_port 0 end_port 65535 start_addr 192.168.125.0 end_addr 192.168.125.255 remote | ||
| + | </pre> | ||
Revision as of 09:11, 1 August 2016
This page describes the support in the VPP platform for IPSec and IKEv2.
Contents
[hide]IPSec
Features
This implementation of support for IPSec in the VPP engine includes the following features:
- ESP - Encapsulating Security Payload protocol
- Tunnel mode - encapsulates the entire IP packet
- Transport mode - encapsulates IP payload
- IPv4 and IPv6
Supported cryptographic algorithms for authentication:
- sha1
- sha-256-96
- sha-256-128
- sha-384-192
- sha-512-256
Supported cryptographic algorithms for encryption:
- aes-cbc-128
- aes-cbc-192
- aes-cbc-256
Configuration
SPD creation
The following example command shows the configuration sequence to create a Security Policy Database (SPD):
CLI commands
ipsec spd add 1
VAT commands
ipsec_spd_add_del spd_id 1
Enable SPD on an interface
The following example command shows the configuration sequence to enable SPD on an interface:
CLI commands
set interface ipsec spd GigabitEthernet0/6/0 1
VAT commands
ipsec_interface_add_del_spd GigabitEthernet0/5/0 spd_id 1
SA creation
The following example command shows the configuration sequence to create a Security Association (SA) for Tunnel mode:
CLI commands
ipsec sa add 10 spi 1001 esp crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4339314b55523947594d6d3547666b45764e6a58 integ-alg sha1-96 tunnel-src 192.168.100.3 tunnel-dst 192.168.100.2
VAT commands
ipsec_sad_add_del_entry esp sad_id 10 spi 1001 crypto_alg aes-cbc-128 crypto_key 4a506a794f574265564551694d653768 integ_alg sha1-96 integ_key 4339314b55523947594d6d3547666b45764e6a58 tunnel_src 192.168.100.3 tunnel_dst 192.168.100.2
The following example command shows the configuration sequence to create a SA for Transport mode:
CLI commands
ipsec sa add 10 spi 1001 esp crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4339314b55523947594d6d3547666b45764e6a58 integ-alg sha1-96
VAT commands
ipsec_sad_add_del_entry esp sad_id 10 spi 1001 crypto_alg aes-cbc-128 crypto_key 4a506a794f574265564551694d653768 integ_alg sha1-96 integ_key 4339314b55523947594d6d3547666b45764e6a58
SPD entry creation
Parameters:
- spd <id> - SPD identifier
- priority - policy order in SPD, signed integer
- inbound|outbound - policy is for inbound or outbound traffic
- action bypass|discard|protect - policy action, protect action needs aditional parameter "sa <id>"
Traffic selectors (optional parameters):
- local-ip-range <start_ip_addr> - <end_ip_addr>
- remote-ip-range <start_ip_addr> - <end_ip_addr>
- protocol <n>
- local-port-range <start_port> - <end_port> (only for TCP/UDP protocol)
- remote-port-range <start_port> - <end_port> (only for TCP/UDP protocol)
The following example commands show the configuration sequence to create a SPD entry:
CLI commands
ipsec policy add spd 1 inbound priority 10 action protect sa 20 local-ip-range 192.168.4.4 - 192.168.4.4 remote-ip-range 192.168.3.3 - 192.168.3.3
VAT commands
ipsec_spd_add_del_entry spd_id 1 priority 10 inbound action protectsa_id 20 laddr_start 192.168.4.4 laddr_stop 192.168.4.4 raddr_start 192.168.3.3 raddr_stop 192.168.3.3
IKEv2
VPP engine IKEv2 implmentation works only as responder.
Features
This implementation of support for IKEv2 in the VPP engine includes the following features:
| Number | Name |
|---|---|
| 34 | IKE SA init |
| 35 | IKE auth |
| 36 | Create child SA |
| 37 | Informational |
| Number | Name |
|---|---|
| 0 | No next payload |
| 33 | Security Association (SA) |
| 34 | Key Exchange (KE) |
| 35 | Identification - Initiator (IDi) |
| 36 | Identification - Responder (IDr) |
| 39 | Authentication (AUTH) |
| 40 | Nonce (Ni, Nr) |
| 41 | Notify (N) |
| 42 | Delete (D) |
| 43 | Vendor ID (V) |
| 44 | Traffic Selector - Initiator (TSi) |
| 45 | Traffic Selector - Responder (TSr) |
| 46 | Encrypted and Authenticated (SK) |
| Number | Name |
|---|---|
| 1 | Encryption Algorithm (ENCR) |
| 2 | Pseudo-random Function (PRF) |
| 3 | Integrity Algorithm (INTEG) |
| 4 | Diffie-Hellman Group (D-H) |
| 5 | Extended Sequence Numbers (ESN) |
| Number | Name |
|---|---|
| 12 | AES-CBC (128/192/256) |
| Number | Name |
|---|---|
| 1 | HMAC-SHA1 |
| Number | Name |
|---|---|
| 2 | HMAC-SHA1-96 |
| Number | Name |
|---|---|
| 1 | 768bit MODP |
| 2 | 1024bit MODP |
| 5 | 1536bit MODP |
| 14 | 2048bit MODP |
| 15 | 3072bit MODP |
| 16 | 4096bit MODP |
| 17 | 6144bit MODP |
| 18 | 8192bit MODP |
| 19 | 256bit random ECP |
| 20 | 384bit random ECP |
| 21 | 521bit random ECP |
| 22 | 1024bit MODP with 160bit prime order group |
| 23 | 2048bit MODP with 224bit prime order group |
| 24 | 2048bit MODP with 256bit prime order group |
| 25 | 192bit random ECP |
| Number | Name |
|---|---|
| 0 | No ESN |
| 1 | ESN |
| Number | Name |
|---|---|
| 1 | IPv4 address |
| 2 | FQDN |
| 3 | RFC822 |
| 11 | Key ID |
| Number | Name |
|---|---|
| 1 | RSA digital signature |
| 2 | Shared key message integrity code |
| Number | Name |
|---|---|
| 7 | IPv4 address range |
| Number | Name |
|---|---|
| 1 | IKE |
| 3 | ESP |
Configuration
Profile creation
The following example command shows the configuration sequence to create a IKEv2 profile:
CLI commands
ikev2 profile add profile1
VAT commands
ikev2_profile_add_del name profile1
Authentication
The following example command shows the configuration sequence to set a IKEv2 profile authentication shared-key-mic string format:
CLI commands
ikev2 profile set profile1 auth shared-key-mic string Vpp123
VAT commands
ikev2_profile_set_auth name profile1 auth_method shared-key-mic auth_data Vpp123
The following example command shows the configuration sequence to set a IKEv2 profile authentication shared-key-mic hex format:
CLI commands
ikev2 profile set profile1 auth shared-key-mic hex abcd1234
VAT commands
ikev2_profile_set_auth name profile1 auth_method shared-key-mic auth_data 0xabcd1234
The following example command shows the configuration sequence to set a IKEv2 profile authentication rsa-sig:
CLI commands
ikev2 profile set profile1 auth rsa-sig cert-file /home/localadmin/certs/server-cert.pem
VAT commands
ikev2_profile_set_auth name profile1 auth_method rsa-sig auth_data /home/localadmin/certs/server-cert.pem
ID
The following example command shows the configuration sequence to set a IKEv2 profile remote ID IPv4 address:
CLI commands
ikev2 profile set profile1 id remote ip4-addr 192.168.123.20
VAT commands
ikev2_profile_set_id name profile1 ip4-addr id_data 192.168.123.20 remote
The following example command shows the configuration sequence to set a IKEv2 profile local ID FQDN:
CLI commands
ikev2 profile set profile1 id local fqdn vpp.home
VAT commands
ikev2_profile_set_id name profile1 fqdn id_data vpp.home local
The following example command shows the configuration sequence to set a IKEv2 profile local ID key-id:
CLI commands
ikev2 profile set profile1 id local key-id 0xabcd
VAT commands
ikev2_profile_set_id name profile2 key-id id_data 0xabcd local
The following example command shows the configuration sequence to set a IKEv2 profile local ID rfc822 (email address):
CLI commands
ikev2 profile set profile1 id local rfc822 vpp@vvp.home
VAT commands
ikev2_profile_set_id name profile2 id_type rfc822 id_data vpp@vvp.home local
Traffic Selector
The following example command shows the configuration sequence to set a IKEv2 profile traffic selector:
CLI commands
ikev2 profile set profile1 traffic-selector local ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0 ikev2 profile set profile1 traffic-selector remote ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0
VAT commands
ikev2_profile_set_ts name profile1 protocol 0 start_port 0 end_port 65535 start_addr 192.168.124.0 end_addr 192.168.124.255 local ikev2_profile_set_ts name profile1 protocol 0 start_port 0 end_port 65535 start_addr 192.168.125.0 end_addr 192.168.125.255 remote
