VPP/IPSec and IKEv2

From fd.io
< VPP
Revision as of 11:15, 1 August 2016 by Matfabia (Talk | contribs)

Jump to: navigation, search

This page describes the support in the VPP platform for IPSec and IKEv2.

IPSec

Features

This implementation of support for IPSec in the VPP engine includes the following features:

  • ESP - Encapsulating Security Payload protocol
  • Tunnel mode - encapsulates the entire IP packet
  • Transport mode - encapsulates IP payload
  • IPv4 and IPv6

Supported cryptographic algorithms for authentication:

  • sha1
  • sha-256-96
  • sha-256-128
  • sha-384-192
  • sha-512-256

Supported cryptographic algorithms for encryption:

  • aes-cbc-128
  • aes-cbc-192
  • aes-cbc-256

Configuration

SPD creation

The following example command shows the configuration sequence to create a Security Policy Database (SPD):

CLI commands

ipsec spd add 1

VAT commands

ipsec_spd_add_del spd_id 1

Enable SPD on an interface

The following example command shows the configuration sequence to enable SPD on an interface:

CLI commands

set interface ipsec spd GigabitEthernet0/6/0 1

VAT commands

ipsec_interface_add_del_spd GigabitEthernet0/5/0 spd_id 1

SA creation

The following example command shows the configuration sequence to create a Security Association (SA) for Tunnel mode:

CLI commands

ipsec sa add 10 spi 1001 esp crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4339314b55523947594d6d3547666b45764e6a58 integ-alg sha1-96 tunnel-src 192.168.100.3 tunnel-dst 192.168.100.2

VAT commands

ipsec_sad_add_del_entry esp sad_id 10 spi 1001 crypto_alg aes-cbc-128 crypto_key 4a506a794f574265564551694d653768 integ_alg sha1-96 integ_key 4339314b55523947594d6d3547666b45764e6a58 tunnel_src 192.168.100.3 tunnel_dst 192.168.100.2

The following example command shows the configuration sequence to create a SA for Transport mode:

CLI commands

ipsec sa add 10 spi 1001 esp crypto-key 4a506a794f574265564551694d653768 crypto-alg aes-cbc-128 integ-key 4339314b55523947594d6d3547666b45764e6a58 integ-alg sha1-96

VAT commands

ipsec_sad_add_del_entry esp sad_id 10 spi 1001 crypto_alg aes-cbc-128 crypto_key 4a506a794f574265564551694d653768 integ_alg sha1-96 integ_key 4339314b55523947594d6d3547666b45764e6a58

SPD entry creation

Parameters:

  • spd <id> - SPD identifier
  • priority - policy order in SPD, signed integer
  • inbound|outbound - policy is for inbound or outbound traffic
  • action bypass|discard|protect - policy action, protect action needs aditional parameter "sa <id>"

Traffic selectors (optional parameters):

  • local-ip-range <start_ip_addr> - <end_ip_addr>
  • remote-ip-range <start_ip_addr> - <end_ip_addr>
  • protocol <n>
  • local-port-range <start_port> - <end_port> (only for TCP/UDP protocol)
  • remote-port-range <start_port> - <end_port> (only for TCP/UDP protocol)

The following example commands show the configuration sequence to create a SPD entry:

CLI commands

ipsec policy add spd 1 inbound priority 10 action protect sa 20 local-ip-range 192.168.4.4 - 192.168.4.4 remote-ip-range 192.168.3.3 - 192.168.3.3

VAT commands

ipsec_spd_add_del_entry spd_id 1 priority 10 inbound action protectsa_id 20 laddr_start 192.168.4.4 laddr_stop 192.168.4.4 raddr_start 192.168.3.3 raddr_stop 192.168.3.3

Example configurations

This section covers using manually-keyed IPSec connections between VPP and native IPSec stack in the 2.6 kernel series (Ubuntu 14.04)

Prerequisite

Install ipsec-tools on Ubuntu:

sudo apt-get install ipsec-tools

Network Topology

+--------------------+                    +-------------------------+
|Ubuntu              |   +------------+   |                      VPP|
|                eth3|---|IPSec tunnel|---|GigabitEthernet0/8/0     |
|       192.168.100.2|   +------------+   |192.168.100.3            |
|                    |                    |                         |
+--------------------+                    +-------------------------+             

ESP transport mode

VPP configuration

CLI commands

set int ip address GigabitEthernet0/8/0 192.168.100.3/24
set int state GigabitEthernet0/8/0 up
set ip arp GigabitEthernet0/8/0 192.168.100.2 08:00:27:12:3c:cc
ipsec sa add 10 spi 1001 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58
ipsec sa add 20 spi 1000 esp crypto-alg aes-cbc-128 crypto-key 4a506a794f574265564551694d653768 integ-alg sha1-96 integ-key 4339314b55523947594d6d3547666b45764e6a58
ipsec spd add 1
set interface ipsec spd GigabitEthernet0/8/0 1
ipsec policy add spd 1 priority 100 inbound action bypass protocol 50
ipsec policy add spd 1 priority 100 outbound action bypass protocol 50
ipsec policy add spd 1 priority 10 inbound action protect sa 20 local-ip-range 192.168.100.3 - 192.168.100.3 remote-ip-range 192.168.100.2 - 192.168.100.2
ipsec policy add spd 1 priority 10 outbound action protect sa 10 local-ip-range 192.168.100.3 - 192.168.100.3 remote-ip-range 192.168.100.2 - 192.168.100.2

VAT ccommands

sw_interface_add_del_address sw_if_index 5 192.168.100.3/24
sw_interface_set_flags sw_if_index 5 admin-up
ip_neighbor_add_del sw_if_index 5 dst 192.168.100.2 mac 08:00:27:12:3c:cc
ipsec_sad_add_del_entry esp sad_id 10 spi 1001 crypto_alg aes-cbc-128 crypto_key 4a506a794f574265564551694d653768 integ_alg sha1-96 integ_key 4339314b55523947594d6d3547666b45764e6a58
ipsec_sad_add_del_entry esp sad_id 20 spi 1000 crypto_alg aes-cbc-128 crypto_key 4a506a794f574265564551694d653768 integ_alg sha1-96 integ_key 4339314b55523947594d6d3547666b45764e6a58
ipsec_spd_add_del spd_id 1
ipsec_interface_add_del_spd sw_if_index 5 spd_id 1
ipsec_spd_add_del_entry spd_id 1 priority 100 inbound action bypass protocol 50
ipsec_spd_add_del_entry spd_id 1 priority 100 outbound action bypass protocol 50
ipsec_spd_add_del_entry spd_id 1 priority 10 inbound action protectsa_id 20 laddr_start 192.168.100.3 laddr_stop 192.168.100.3 raddr_start 192.168.100.2 raddr_stop 192.168.100.2
ipsec_spd_add_del_entry spd_id 1 priority 10 outbound action protectsa_id 10 laddr_start 192.168.100.3 laddr_stop 192.168.100.3 raddr_start 192.168.100.2 raddr_stop 192.168.100.2
Ubuntu configuration

Edit /etc/ipsec-tools.conf file:

# Configuration for 192.168.100.2

# Flush the SAD and SPD
flush;
spdflush;

# ESP SAs using 192 bit long keys (168 + 24 parity)
add 192.168.100.2 192.168.100.3 esp 0x000003e8 -E rijndael-cbc
        0x4a506a794f574265564551694d653768
        -A hmac-sha1 0x4339314b55523947594d6d3547666b45764e6a58;
add 192.168.100.3 192.168.100.2 esp 0x000003e9 -E rijndael-cbc
        0x4a506a794f574265564551694d653768
        -A hmac-sha1 0x4339314b55523947594d6d3547666b45764e6a58;

# Security policies
spdadd 192.168.100.2 192.168.100.3 any -P out ipsec
           esp/transport//require;

spdadd 192.168.100.3 192.168.100.2 any -P in ipsec
           esp/transport//require;

Set interface, static ARP and start IPSec:

sudo ifconfig eth3 192.168.100.2 netmask 255.255.255.0 up
sudo arp -s 192.168.100.3 08:00:27:43:a9:5b 
sudo /etc/init.d/setkey start
Verification

ping output:

 ping 192.168.100.3 -c 2
PING 192.168.100.3 (192.168.100.3) 56(84) bytes of data.
64 bytes from 192.168.100.3: icmp_seq=1 ttl=254 time=0.368 ms
64 bytes from 192.168.100.3: icmp_seq=2 ttl=254 time=0.284 ms

--- 192.168.100.3 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.284/0.326/0.368/0.042 ms

tcpdump output:

sudo tcpdump -vvn -i eth3
tcpdump: listening on eth3, link-type EN10MB (Ethernet), capture size 65535 bytes
04:12:02.197589 IP (tos 0x0, ttl 64, id 19395, offset 0, flags [DF], proto ESP (50), length 136)
    192.168.100.2 > 192.168.100.3: ESP(spi=0x000003e8,seq=0x6), length 116
04:12:02.197939 IP (tos 0x0, ttl 254, id 0, offset 0, flags [none], proto ESP (50), length 136)
    192.168.100.3 > 192.168.100.2: ESP(spi=0x000003e9,seq=0x6), length 116
04:12:03.198067 IP (tos 0x0, ttl 64, id 19641, offset 0, flags [DF], proto ESP (50), length 136)
    192.168.100.2 > 192.168.100.3: ESP(spi=0x000003e8,seq=0x7), length 116
04:12:03.198325 IP (tos 0x0, ttl 254, id 0, offset 0, flags [none], proto ESP (50), length 136)
    192.168.100.3 > 192.168.100.2: ESP(spi=0x000003e9,seq=0x7), length 116

VPP error counters:

vpp# sh error
   Count                    Node                  Reason
         2              ipsec-output              IPSec policy protect
         2               esp-decrypt              ESP pkts received
         2               esp-encrypt              ESP pkts received
         2             ipsec-input-ip4            IPSEC pkts received
         2             ip4-icmp-input             echo replies sent

IKEv2

VPP engine IKEv2 implmentation works only as responder.

Features

This implementation of support for IKEv2 in the VPP engine includes the following features:

Exchange Types
Number Name
34 IKE SA init
35 IKE auth
36 Create child SA
37 Informational
Payload Types
Number Name
0 No next payload
33 Security Association (SA)
34 Key Exchange (KE)
35 Identification - Initiator (IDi)
36 Identification - Responder (IDr)
39 Authentication (AUTH)
40 Nonce (Ni, Nr)
41 Notify (N)
42 Delete (D)
43 Vendor ID (V)
44 Traffic Selector - Initiator (TSi)
45 Traffic Selector - Responder (TSr)
46 Encrypted and Authenticated (SK)
Transform Type Values
Number Name
1 Encryption Algorithm (ENCR)
2 Pseudo-random Function (PRF)
3 Integrity Algorithm (INTEG)
4 Diffie-Hellman Group (D-H)
5 Extended Sequence Numbers (ESN)
Encryption Algorithm
Number Name
12 AES-CBC (128/192/256)
Pseudo-random Function
Number Name
1 HMAC-SHA1
Integrity Algorithm
Number Name
2 HMAC-SHA1-96
Diffie-Hellman Group
Number Name
1 768bit MODP
2 1024bit MODP
5 1536bit MODP
14 2048bit MODP
15 3072bit MODP
16 4096bit MODP
17 6144bit MODP
18 8192bit MODP
19 256bit random ECP
20 384bit random ECP
21 521bit random ECP
22 1024bit MODP with 160bit prime order group
23 2048bit MODP with 224bit prime order group
24 2048bit MODP with 256bit prime order group
25 192bit random ECP
Extended Sequence Numbers
Number Name
0 No ESN
1 ESN
ID Types
Number Name
1 IPv4 address
2 FQDN
3 RFC822
11 Key ID
Authentication Method
Number Name
1 RSA digital signature
2 Shared key message integrity code
Traffic Selector Types
Number Name
7 IPv4 address range
Security Protocol Identifiers
Number Name
1 IKE
3 ESP


Configuration

Profile creation

The following example command shows the configuration sequence to create a IKEv2 profile:

CLI commands

ikev2 profile add profile1

VAT commands

ikev2_profile_add_del name profile1

Authentication

The following example command shows the configuration sequence to set a IKEv2 profile authentication shared-key-mic string format:

CLI commands

ikev2 profile set profile1 auth shared-key-mic string Vpp123

VAT commands

ikev2_profile_set_auth name profile1 auth_method shared-key-mic auth_data Vpp123

The following example command shows the configuration sequence to set a IKEv2 profile authentication shared-key-mic hex format:

CLI commands

ikev2 profile set profile1 auth shared-key-mic hex abcd1234

VAT commands

ikev2_profile_set_auth name profile1 auth_method shared-key-mic auth_data 0xabcd1234

The following example command shows the configuration sequence to set a IKEv2 profile authentication rsa-sig:

CLI commands

ikev2 profile set profile1 auth rsa-sig cert-file /home/localadmin/certs/server-cert.pem

VAT commands

ikev2_profile_set_auth name profile1 auth_method rsa-sig auth_data /home/localadmin/certs/server-cert.pem

ID

The following example command shows the configuration sequence to set a IKEv2 profile remote ID IPv4 address:

CLI commands

ikev2 profile set profile1 id remote ip4-addr 192.168.123.20

VAT commands

ikev2_profile_set_id name profile1 ip4-addr id_data 192.168.123.20 remote

The following example command shows the configuration sequence to set a IKEv2 profile local ID FQDN:

CLI commands

ikev2 profile set profile1 id local fqdn vpp.home

VAT commands

ikev2_profile_set_id name profile1 fqdn id_data vpp.home local

The following example command shows the configuration sequence to set a IKEv2 profile local ID key-id:

CLI commands

ikev2 profile set profile1 id local key-id 0xabcd

VAT commands

ikev2_profile_set_id name profile2 key-id id_data 0xabcd local

The following example command shows the configuration sequence to set a IKEv2 profile local ID rfc822 (email address):

CLI commands

ikev2 profile set profile1 id local rfc822 vpp@vvp.home

VAT commands

ikev2_profile_set_id name profile2 id_type rfc822 id_data vpp@vvp.home local

Traffic Selector

The following example command shows the configuration sequence to set a IKEv2 profile traffic selector:

CLI commands

ikev2 profile set profile1 traffic-selector local ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0
ikev2 profile set profile1 traffic-selector remote ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0

VAT commands

ikev2_profile_set_ts name profile1 protocol 0 start_port 0 end_port 65535 start_addr 192.168.124.0 end_addr 192.168.124.255 local
ikev2_profile_set_ts name profile1 protocol 0 start_port 0 end_port 65535 start_addr 192.168.125.0 end_addr 192.168.125.255 remote