Difference between revisions of "VPP/IPSec and IKEv2"
m (→Features) |
|||
Line 8: | Line 8: | ||
This implementation of support for IPSec in the VPP engine includes the following features: | This implementation of support for IPSec in the VPP engine includes the following features: | ||
− | * ESP - Encapsulating Security Payload protocol | + | * [https://tools.ietf.org/html/rfc4303 ESP] - Encapsulating Security Payload protocol |
* Tunnel mode - encapsulates the entire IP packet | * Tunnel mode - encapsulates the entire IP packet | ||
* Transport mode - encapsulates IP payload | * Transport mode - encapsulates IP payload |
Revision as of 09:51, 1 August 2016
This page describes the support in the VPP platform for IPSec and IKEv2.
Contents
IPSec
Features
This implementation of support for IPSec in the VPP engine includes the following features:
- ESP - Encapsulating Security Payload protocol
- Tunnel mode - encapsulates the entire IP packet
- Transport mode - encapsulates IP payload
- IPv4 and IPv6
Supported cryptographic algorithms for authentication:
- sha1
- sha-256-96
- sha-256-128
- sha-384-192
- sha-512-256
Supported cryptographic algorithms for encryption:
- aes-cbc-128
- aes-cbc-192
- aes-cbc-256
Configuration
SPD creation
The following example command shows the configuration sequence to create a Security Policy Database (SPD):
CLI commands
ipsec spd add 1
VAT commands
ipsec_spd_add_del spd_id 1
Enable SPD on an interface
The following example command shows the configuration sequence to enable SPD on an interface:
CLI commands
set interface ipsec spd GigabitEthernet0/6/0 1
VAT commands
ipsec_interface_add_del_spd GigabitEthernet0/5/0 spd_id 1
SA creation
The following example command shows the configuration sequence to create a Security Association (SA) for Tunnel mode:
CLI commands
ipsec sa add 10 spi 1001 esp crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4339314b55523947594d6d3547666b45764e6a58 integ-alg sha1-96 tunnel-src 192.168.100.3 tunnel-dst 192.168.100.2
VAT commands
ipsec_sad_add_del_entry esp sad_id 10 spi 1001 crypto_alg aes-cbc-128 crypto_key 4a506a794f574265564551694d653768 integ_alg sha1-96 integ_key 4339314b55523947594d6d3547666b45764e6a58 tunnel_src 192.168.100.3 tunnel_dst 192.168.100.2
The following example command shows the configuration sequence to create a SA for Transport mode:
CLI commands
ipsec sa add 10 spi 1001 esp crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4339314b55523947594d6d3547666b45764e6a58 integ-alg sha1-96
VAT commands
ipsec_sad_add_del_entry esp sad_id 10 spi 1001 crypto_alg aes-cbc-128 crypto_key 4a506a794f574265564551694d653768 integ_alg sha1-96 integ_key 4339314b55523947594d6d3547666b45764e6a58
SPD entry creation
Parameters:
- spd <id> - SPD identifier
- priority - policy order in SPD, signed integer
- inbound|outbound - policy is for inbound or outbound traffic
- action bypass|discard|protect - policy action, protect action needs aditional parameter "sa <id>"
Traffic selectors (optional parameters):
- local-ip-range <start_ip_addr> - <end_ip_addr>
- remote-ip-range <start_ip_addr> - <end_ip_addr>
- protocol <n>
- local-port-range <start_port> - <end_port> (only for TCP/UDP protocol)
- remote-port-range <start_port> - <end_port> (only for TCP/UDP protocol)
The following example commands show the configuration sequence to create a SPD entry:
CLI commands
ipsec policy add spd 1 inbound priority 10 action protect sa 20 local-ip-range 192.168.4.4 - 192.168.4.4 remote-ip-range 192.168.3.3 - 192.168.3.3
VAT commands
ipsec_spd_add_del_entry spd_id 1 priority 10 inbound action protectsa_id 20 laddr_start 192.168.4.4 laddr_stop 192.168.4.4 raddr_start 192.168.3.3 raddr_stop 192.168.3.3
IKEv2
VPP engine IKEv2 implmentation works only as responder.
Features
This implementation of support for IKEv2 in the VPP engine includes the following features:
Number | Name |
---|---|
34 | IKE SA init |
35 | IKE auth |
36 | Create child SA |
37 | Informational |
Number | Name |
---|---|
0 | No next payload |
33 | Security Association (SA) |
34 | Key Exchange (KE) |
35 | Identification - Initiator (IDi) |
36 | Identification - Responder (IDr) |
39 | Authentication (AUTH) |
40 | Nonce (Ni, Nr) |
41 | Notify (N) |
42 | Delete (D) |
43 | Vendor ID (V) |
44 | Traffic Selector - Initiator (TSi) |
45 | Traffic Selector - Responder (TSr) |
46 | Encrypted and Authenticated (SK) |
Number | Name |
---|---|
1 | Encryption Algorithm (ENCR) |
2 | Pseudo-random Function (PRF) |
3 | Integrity Algorithm (INTEG) |
4 | Diffie-Hellman Group (D-H) |
5 | Extended Sequence Numbers (ESN) |
Number | Name |
---|---|
12 | AES-CBC (128/192/256) |
Number | Name |
---|---|
1 | HMAC-SHA1 |
Number | Name |
---|---|
2 | HMAC-SHA1-96 |
Number | Name |
---|---|
1 | 768bit MODP |
2 | 1024bit MODP |
5 | 1536bit MODP |
14 | 2048bit MODP |
15 | 3072bit MODP |
16 | 4096bit MODP |
17 | 6144bit MODP |
18 | 8192bit MODP |
19 | 256bit random ECP |
20 | 384bit random ECP |
21 | 521bit random ECP |
22 | 1024bit MODP with 160bit prime order group |
23 | 2048bit MODP with 224bit prime order group |
24 | 2048bit MODP with 256bit prime order group |
25 | 192bit random ECP |
Number | Name |
---|---|
0 | No ESN |
1 | ESN |
Number | Name |
---|---|
1 | IPv4 address |
2 | FQDN |
3 | RFC822 |
11 | Key ID |
Number | Name |
---|---|
1 | RSA digital signature |
2 | Shared key message integrity code |
Number | Name |
---|---|
7 | IPv4 address range |
Number | Name |
---|---|
1 | IKE |
3 | ESP |
Configuration
Profile creation
The following example command shows the configuration sequence to create a IKEv2 profile:
CLI commands
ikev2 profile add profile1
VAT commands
ikev2_profile_add_del name profile1
Authentication
The following example command shows the configuration sequence to set a IKEv2 profile authentication shared-key-mic string format:
CLI commands
ikev2 profile set profile1 auth shared-key-mic string Vpp123
VAT commands
ikev2_profile_set_auth name profile1 auth_method shared-key-mic auth_data Vpp123
The following example command shows the configuration sequence to set a IKEv2 profile authentication shared-key-mic hex format:
CLI commands
ikev2 profile set profile1 auth shared-key-mic hex abcd1234
VAT commands
ikev2_profile_set_auth name profile1 auth_method shared-key-mic auth_data 0xabcd1234
The following example command shows the configuration sequence to set a IKEv2 profile authentication rsa-sig:
CLI commands
ikev2 profile set profile1 auth rsa-sig cert-file /home/localadmin/certs/server-cert.pem
VAT commands
ikev2_profile_set_auth name profile1 auth_method rsa-sig auth_data /home/localadmin/certs/server-cert.pem
ID
The following example command shows the configuration sequence to set a IKEv2 profile remote ID IPv4 address:
CLI commands
ikev2 profile set profile1 id remote ip4-addr 192.168.123.20
VAT commands
ikev2_profile_set_id name profile1 ip4-addr id_data 192.168.123.20 remote
The following example command shows the configuration sequence to set a IKEv2 profile local ID FQDN:
CLI commands
ikev2 profile set profile1 id local fqdn vpp.home
VAT commands
ikev2_profile_set_id name profile1 fqdn id_data vpp.home local
The following example command shows the configuration sequence to set a IKEv2 profile local ID key-id:
CLI commands
ikev2 profile set profile1 id local key-id 0xabcd
VAT commands
ikev2_profile_set_id name profile2 key-id id_data 0xabcd local
The following example command shows the configuration sequence to set a IKEv2 profile local ID rfc822 (email address):
CLI commands
ikev2 profile set profile1 id local rfc822 vpp@vvp.home
VAT commands
ikev2_profile_set_id name profile2 id_type rfc822 id_data vpp@vvp.home local
Traffic Selector
The following example command shows the configuration sequence to set a IKEv2 profile traffic selector:
CLI commands
ikev2 profile set profile1 traffic-selector local ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0 ikev2 profile set profile1 traffic-selector remote ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0
VAT commands
ikev2_profile_set_ts name profile1 protocol 0 start_port 0 end_port 65535 start_addr 192.168.124.0 end_addr 192.168.124.255 local ikev2_profile_set_ts name profile1 protocol 0 start_port 0 end_port 65535 start_addr 192.168.125.0 end_addr 192.168.125.255 remote