Re: [vpp-dev] Regarding IPsec errors "Integrity failure" and "Unsupported payload"

2021-08-02 Thread Neale Ranns

Hi Vijay,

No I don’t see random failures. Do they occur during a rekeying event?

/neale

From: vpp-dev@lists.fd.io on behalf of Vijay Kumar via lists.fd.io
Date: Monday, 2 August 2021 at 08:43
To: vpp-dev
Subject: Re: [vpp-dev] Regarding IPsec errors "Integrity failure" and "Unsupported payload"
Hi Neale,

Do you have any suggestions for this problem?
Did you face this random issue anytime?




On Sat, Jul 31, 2021 at 7:05 PM Vijay Kumar via lists.fd.io wrote:
Hi Neale,

I am testing data traffic between Strongswan and VPP, but sometimes data traffic is 
dropped in the esp4-decrypt-tun graph node. Sometimes it is dropped with "Integrity 
failure" while sometimes it is "Unsupported payload".

But if I delete the tunnel and re-establish the IPsec SA, then it works fine.

I have ensured the configuration w.r.t. PSK, proposals and TS is fine. Also, I 
confirmed that the adjacencies (routes) for Strongswan are fine on the VPP 
side.

Version I am using is pasted below.

Could I be missing something? These are random issues.


vpp# show version
vpp v20.05.1-2~g44ff05906-dirty built by an-vijay_kumar on 56d1c81f572a at 2021-07-30T15:54:16



Regards.



-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#19888): https://lists.fd.io/g/vpp-dev/message/19888
Mute This Topic: https://lists.fd.io/mt/84569833/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [vpp-dev] Regarding IPsec errors "Integrity failure" and "Unsupported payload"

2021-08-02 Thread Vijay Kumar
Hi Neale,

My IPsec rekey time is set high (2 hr). So the issue is not during rekey.
According to the code, esp_process_ops() is called during decrypt. In this
function, I added the below print. Whenever I get an integrity check
failure, I see that print in my application logs.

Once I run into this issue, it always fails. To recover I have to reset
IKE and the IPsec SA and establish again.

When can I see the integrity check failure in decrypt?


Code snippet:

static_always_inline void
esp_process_ops (vlib_main_t * vm, vlib_node_runtime_t * node,
                 vnet_crypto_op_t * ops, vlib_buffer_t * b[], u16 * nexts,
                 int e)
{
  vnet_crypto_op_t *op = ops;
  u32 n_fail, n_ops = vec_len (ops);

  if (n_ops == 0)
    return;

  /* Hand the whole batch to the crypto engine. It returns the number of ops
     that completed, so the difference is the number that failed. */
  n_fail = n_ops - vnet_crypto_process_ops (vm, op, n_ops);

  /* Walk the batch and mark the buffer of every failed op for drop. */
  while (n_fail)
    {
      ASSERT (op - ops < n_ops);
      if (op->status != VNET_CRYPTO_OP_STATUS_COMPLETED)
        {
          u32 err, bi = op->user_data;
          if (op->status == VNET_CRYPTO_OP_STATUS_FAIL_BAD_HMAC)
            {
              /* ICV/HMAC mismatch: 'e' is the node error index the caller
                 passes for an integrity failure. Debug print added to
                 confirm this path is taken. */
              err = e;
              printf ("In esp_process_ops op status = VNET_CRYPTO_OP_STATUS_FAIL_BAD_HMAC\n");
            }
          else
            {
              /* Any other non-completed status is counted as an engine error. */
              err = ESP_DECRYPT_ERROR_CRYPTO_ENGINE_ERROR;
              printf ("In esp_process_ops err = ESP_DECRYPT_ERROR_CRYPTO_ENGINE_ERROR\n");
            }
          b[bi]->error = node->errors[err];
          nexts[bi] = ESP_DECRYPT_NEXT_DROP;
          n_fail--;
        }
      op++;
    }
}


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#19889): https://lists.fd.io/g/vpp-dev/message/19889
Mute This Topic: https://lists.fd.io/mt/84569833/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [vpp-dev] Regarding IPsec errors "Integrity failure" and "Unsupported payload"

2021-08-02 Thread Neale Ranns


From: Vijay Kumar
Date: Monday, 2 August 2021 at 11:33
To: Neale Ranns
Cc: vpp-dev
Subject: Re: [vpp-dev] Regarding IPsec errors "Integrity failure" and "Unsupported payload"

> Hi Neale,
>
> My IPsec rekey time is set high (2 hr). So the issue is not during rekey.

I don’t understand why the former statement leads to your latter conclusion. Is 
it because you see this failure happen soon after the initial session is 
established and before the first rekey?

> According to the code, esp_process_ops() is called during decrypt. In this 
> function, I added the below print. Whenever I get an integrity check failure, 
> I see that print in my application logs.
>
> Once I run into this issue, it always fails. To recover I have to reset IKE 
> and the IPsec SA and establish again.
>
> When can I see the integrity check failure in decrypt?

Do you mean why would an integrity check fail? Lots of reasons. But given that 
you see all packets fail, and it is recovered by reset/rekey, I would suggest 
the sender has changed its keys.

/neale



-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#19890): https://lists.fd.io/g/vpp-dev/message/19890
Mute This Topic: https://lists.fd.io/mt/84569833/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[vpp-dev] MAC Learning in vpp

2021-08-02 Thread Mohsen Meamarian
Hi friends,
I want to implement port security in VPP. I assume that the l2learn_process
function in l2_learn.c runs periodically when VPP is active, and when a
device is connected to my system this function helps to learn its MAC.
Is this assumption true?

Because when I run the sh l2fib command, it returns nothing, but when I
set an interface as a bridge, the sh l2fib command returns something. My
commands:

create bridge-domain 2 arp-term 1
create loopback interface
set int l2 bridge loop0 2 bvi
set interface state loop0 up
set interface l2 bridge GigabitEthernet0/8/0 2

show bridge-domain 2 detail
show l2fib all

But I have a problem here. VPP drops the ping packets. Where can the problem come
from?

I attached my trace command result to this mail. I get "l2-flood: BVI L3
mac mismatch" error.

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#19891): https://lists.fd.io/g/vpp-dev/message/19891
Mute This Topic: https://lists.fd.io/mt/84615988/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[vpp-dev] VLAN+IP Based forwarding is possible? #vlan #abf #acl #memif

2021-08-02 Thread RaviKiran Veldanda
Hi Experts,
We have our application reading packets through memif, and it consumes them.
We are adding rules in VPP to reach a particular memif based on dst IP.

"ip route add 172.172.0.0/24 via 192.168.1.3 memif1/0"

However we have a requirement where the destination network can overlap with 
another VLAN.

So we need forwarding rules based on "VLAN + MEMIF".
For example:
If VLAN is 301 and DST IP is 172.173.0.0/24, it should reach memif1/0.
If VLAN is 302 and DST IP is 172.173.0.0/24, it should reach memif2/0.

Any suggestion is a great help.

//Ravi

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#19892): https://lists.fd.io/g/vpp-dev/message/19892
Mute This Topic: https://lists.fd.io/mt/84619355/21656
Mute #vlan:https://lists.fd.io/g/vpp-dev/mutehashtag/vlan
Mute #abf:https://lists.fd.io/g/vpp-dev/mutehashtag/abf
Mute #acl:https://lists.fd.io/g/vpp-dev/mutehashtag/acl
Mute #memif:https://lists.fd.io/g/vpp-dev/mutehashtag/memif
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [vpp-dev] MAC Learning in vpp

2021-08-02 Thread Neale Ranns

Hi Mohsen,

From: vpp-dev@lists.fd.io on behalf of Mohsen Meamarian via lists.fd.io
Date: Monday, 2 August 2021 at 18:45
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] MAC Learning in vpp

> Hi friends,
> I want to implement port security in VPP. I assume that the l2learn_process 
> function in l2_learn.c runs periodically when VPP is active, and when a device 
> is connected to my system this function helps to learn its MAC. Is this 
> assumption true?

No. l2_learn runs for all packets that are received on a link on which learning 
is enabled. You can see it in the trace you provided. It is learning in this 
VLIB node that populates the l2fib.

> Because when I run the sh l2fib command, it returns nothing, but when I set an 
> interface as a bridge, the sh l2fib command returns something. My commands:
>
> create bridge-domain 2 arp-term 1
> create loopback interface
> set int l2 bridge loop0 2 bvi
> set interface state loop0 up
> set interface l2 bridge GigabitEthernet0/8/0 2
>
> show bridge-domain 2 detail
> show l2fib all
>
> But I have a problem here. VPP drops the ping packets. Where can the problem come from?
>
> I attached my trace command result to this mail. I get "l2-flood: BVI L3 mac 
> mismatch" error.

That shows an ARP packet destined to a unicast MAC. That packet was flooded, 
suggesting an l2fib miss and unknown-unicast flooding is enabled. The dst MAC 
of the packet did not match the MAC of the BVI (the only other interface in the 
BD) so it was dropped.

/neale

/neale


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#19893): https://lists.fd.io/g/vpp-dev/message/19893
Mute This Topic: https://lists.fd.io/mt/84615988/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [vpp-dev] VLAN based Forwarding to My application #vlan #memif #forwarding #acl

2021-08-02 Thread RaviKiran Veldanda
Hi Neale,
Thanks for your suggestion and time.
However, I tried the following:

set interface l2 xconnect memif1/0 memif2/0
set interface l2 xconnect memif2/0 memif1/0

and forwarding to memif1/0 from some routing. memif1/0 is receiving the 
packets, but memif2/0 is not receiving anything. Does xconnect not work 
across 2 memif interfaces?
When I tried with the following commands, memif1/0 is receiving the packets:
set interface l2 xconnect BondEthernet0.1100 memif1/0
set interface l2 xconnect memif1/0  BondEthernet0.1100

But I need it between 2 memifs. Any help is appreciated.
//Ravi

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#19894): https://lists.fd.io/g/vpp-dev/message/19894
Mute This Topic: https://lists.fd.io/mt/84532112/21656
Mute #acl:https://lists.fd.io/g/vpp-dev/mutehashtag/acl
Mute #memif:https://lists.fd.io/g/vpp-dev/mutehashtag/memif
Mute #vlan:https://lists.fd.io/g/vpp-dev/mutehashtag/vlan
Mute #forwarding:https://lists.fd.io/g/vpp-dev/mutehashtag/forwarding
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [vpp-dev] GTP_U to SRv6 function T.M.GTP4.D

2021-08-02 Thread Tetsuya Murakami
Hi Subrata,

Please see my comments inline.

> 1. I configured with /64 SID instead of /32
> 
> vppctl sr policy add bsid fcf0:12::104 next fcf0:12::100 next fcf0:12::101 
> next fcf0:12::102 next fcf0:12::103
> vppctl sr policy add bsid fcf0:12::109 behavior t.m.gtp4.d fcf0:12::104/64 
> v6src_prefix fcf0:12::109/64 nhtype ipv4
> vppctl sr steer l3 14.1.32.27/32  via bsid fcf0:12::109
> 
> I can see the source IP of the outgoing SRv6 packet is 
> fcf0:12::e01:201c:0:109 and the last SID is fcf0:12::e01:201b:2c:2000.
> source IPv6 is encoded as /32 prefix followed by source IP of GTP-U src 
> e01:201c and then last part of SID 109 got appended
> 
> As per https://docs.fd.io/vpp/20.05/d7/d3c/srv6_mobile_plugin_doc.html, 
> SRC-PREFIX: Prefix for src address of sending packets. The src IPv6 address 
> consists of the prefix followed by the src IPv4 address of the receiving 
> packets.
> As v6src_prefix is mentioned as fcf0:12::109/64, I was expecting it to be as 
> fcf0:12::109:e01:201c.
> 
> Is /32 prefix mandatory?

I think it depends on your IPv6 notation. If you would like to use 
fcf0:12:0:109::/64 as the source prefix, fcf0:12::109/64 is not correct. The 
following config should work as you expected.

vppctl sr policy add bsid fcf0:12::109 behavior t.m.gtp4.d fcf0:12::104/64 
v6src_prefix fcf0:12:0:109::/64 nhtype ipv4

> 2) last SID is fcf0:12::e01:201b:2c:2000.
> 
> It took /32 followed by dst IP e01:201b and teid. Teid is 740294658, i.e. 
> 2C20 0002. The last two labels of the SID don't look like the teid was 
> encoded properly. Note: there is no QFI put in the GTP-U packet. 
> encoded the teid properly. Note: there is no QFI put in the GTP-U packet. 

Same as above.

vppctl sr policy add bsid fcf0:12::109 behavior t.m.gtp4.d fcf0:12:0:104::/64 
v6src_prefix fcf0:12:0:109::/64 nhtype ipv4.

> 3) For the return packet as per 
> https://docs.fd.io/vpp/20.09/d7/d3c/srv6_mobile_plugin_doc.html
> 
> sr localsid prefix SID-PREFIX behavior end.m.gtp4.e v4src_position 
> V4SRC-ADDR-POSITION
> 
> vppctl sr localsid prefix fcf0:12::107/64 behavior end.m.gtp4.e 
> v4src_position 64
> 
> Though DST SID sent as fcf0:12::107/64 followed by sending GTP_U IP address 
> ie. e01:201c + teid but its not working.

You need to use the correct SID prefix here like fcf0:12:0:104::/64. 

Thanks,
Tetsuya
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#19895): https://lists.fd.io/g/vpp-dev/message/19895
Mute This Topic: https://lists.fd.io/mt/84417565/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
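As an added worked example of the prefix point Tetsuya makes (example code written for this page, not part of the VPP srv6-mobile plugin), the C program below masks an address to its /64 network and composes the T.M.GTP4.D source address and last SID the way the addresses quoted above imply: the IPv4 address is written at the prefix boundary, and for the SID it is followed by the session arguments. The argument layout (one leading QFI/flag byte, then the top 24 bits of the TEID) is an assumption inferred from the quoted SID fcf0:12::e01:201b:2c:2000 and TEID 740294658, not taken from the plugin source; check it against the plugin's srv6_t_m_gtp4_d code before relying on it. The IPv4 addresses 14.1.32.28 (0e01:201c) and 14.1.32.27 (0e01:201b) are the ones that appear in the thread.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Example code for this page; it is not the VPP srv6-mobile plugin. */

typedef struct { uint8_t b[16]; } ip6_addr_t;

static int parse6 (const char *s, ip6_addr_t *a) { return inet_pton (AF_INET6, s, a->b) == 1; }
static int parse4 (const char *s, uint8_t out[4]) { return inet_pton (AF_INET, s, out) == 1; }

/* Keep only the first prefix_len bits. This is the network a /64 really names:
   in fcf0:12::109/64 the ::109 sits below bit 64 and is not part of the prefix. */
ip6_addr_t
ip6_prefix (ip6_addr_t a, unsigned prefix_len)
{
  for (unsigned bit = prefix_len; bit < 128; bit++)
    a.b[bit / 8] &= (uint8_t) ~(0x80u >> (bit % 8));
  return a;
}

/* 1 if x and y share the same /prefix_len network, 0 if not, -1 on a parse error. */
int
same_prefix (const char *x, const char *y, unsigned prefix_len)
{
  ip6_addr_t a, b;
  if (!parse6 (x, &a) || !parse6 (y, &b))
    return -1;
  a = ip6_prefix (a, prefix_len);
  b = ip6_prefix (b, prefix_len);
  return memcmp (a.b, b.b, 16) == 0;
}

/* Source address of the SRv6 packet: v6src_prefix, then the GTP-U packet's IPv4
   source written at byte prefix_len/8. Bytes after it are left as configured
   (an assumption that matches the quoted output), which is why fcf0:12::109/64
   ends in ...:0:109. prefix_len must be a multiple of 8 with four bytes of room.
   Returns the rendered address in a static buffer, or NULL on bad input. */
const char *
gtp4_d_src (const char *v6src_prefix, unsigned prefix_len, const char *ip4_src)
{
  static char out[INET6_ADDRSTRLEN];
  ip6_addr_t a;
  uint8_t v4[4];
  if (prefix_len % 8 || prefix_len / 8 + 4 > 16)
    return NULL;
  if (!parse6 (v6src_prefix, &a) || !parse4 (ip4_src, v4))
    return NULL;
  memcpy (&a.b[prefix_len / 8], v4, 4);
  return inet_ntop (AF_INET6, a.b, out, INET6_ADDRSTRLEN);
}

/* Last SID: sid_prefix, the IPv4 destination, then the session arguments.
   Assumed argument layout, inferred from the SID quoted in the thread: one byte
   of QFI/flags, then the top 24 bits of the 32-bit TEID (the low byte does not
   fit behind a /64 prefix plus an IPv4 address). Static buffer, NULL on error. */
const char *
gtp4_d_last_sid (const char *sid_prefix, unsigned prefix_len, const char *ip4_dst,
                 uint32_t teid, uint8_t qfi_byte)
{
  static char out[INET6_ADDRSTRLEN];
  ip6_addr_t a;
  uint8_t v4[4];
  size_t off = prefix_len / 8;
  if (prefix_len % 8 || off + 8 > 16)
    return NULL;
  if (!parse6 (sid_prefix, &a) || !parse4 (ip4_dst, v4))
    return NULL;
  memcpy (&a.b[off], v4, 4);
  a.b[off + 4] = qfi_byte;
  a.b[off + 5] = (uint8_t) (teid >> 24);
  a.b[off + 6] = (uint8_t) (teid >> 16);
  a.b[off + 7] = (uint8_t) (teid >> 8);
  return inet_ntop (AF_INET6, a.b, out, INET6_ADDRSTRLEN);
}

int
main (void)
{
  /* Addresses and TEID are the ones quoted in the thread. */
  printf ("fcf0:12::109/64 is the same network as fcf0:12::/64: %d\n",
          same_prefix ("fcf0:12::109", "fcf0:12::", 64));
  printf ("fcf0:12::109/64 is the same network as fcf0:12:0:109::/64: %d\n",
          same_prefix ("fcf0:12::109", "fcf0:12:0:109::", 64));
  printf ("src with v6src_prefix fcf0:12::109/64:    %s\n",
          gtp4_d_src ("fcf0:12::109", 64, "14.1.32.28"));
  printf ("src with v6src_prefix fcf0:12:0:109::/64: %s\n",
          gtp4_d_src ("fcf0:12:0:109::", 64, "14.1.32.28"));
  printf ("last SID with sid prefix fcf0:12::104/64: %s\n",
          gtp4_d_last_sid ("fcf0:12::104", 64, "14.1.32.27", 740294658u, 0));
  return 0;
}
```

With v6src_prefix fcf0:12::109/64 the program reproduces the observed source fcf0:12::e01:201c:0:109, because the /64 network is fcf0:12:: and the ::109 survives below the IPv4 address; with fcf0:12:0:109::/64 it gives fcf0:12:0:109:e01:201c::, which is the form Tetsuya's corrected config produces.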



[vpp-dev] VLAN+IP based forwarding #acl, #abf #vlan #memif #forwarding #vpp

2021-08-02 Thread RaviKiran Veldanda
Hi Experts,
We have our application reading packets through memif, and it consumes them.
We are adding rules in VPP to reach a particular memif based on dst IP.

"ip route add 172.172.0.0/24 via 192.168.1.3 memif1/0"

However we have a requirement where the destination network can overlap with 
another VLAN.

So we need forwarding rules based on "VLAN + MEMIF".
For example:
If VLAN is 301 and DST IP is 172.173.0.0/24, it should reach memif1/0.
If VLAN is 302 and DST IP is 172.173.0.0/24, it should reach memif2/0.
If VLAN is 302 and DST IP is 172.174.0.0/24, it should reach memif1/0.
If VLAN is 301 and DST IP is 172.174.0.0/24, it should reach memif2/0.

We cannot use L2 xconnect, which directly relays L2 packets to the 
corresponding memif1/0.
We need DST and VLAN because our application handles multiple clients with 
the same overlapping subnets with VLAN+IP based routing.

So we need VLAN+DST IP based routing; any suggestion is a great help.

//Ravi

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#19896): https://lists.fd.io/g/vpp-dev/message/19896
Mute This Topic: https://lists.fd.io/mt/84622474/21656
Mute #abf:https://lists.fd.io/g/vpp-dev/mutehashtag/abf
Mute #vlan:https://lists.fd.io/g/vpp-dev/mutehashtag/vlan
Mute #memif:https://lists.fd.io/g/vpp-dev/mutehashtag/memif
Mute #forwarding:https://lists.fd.io/g/vpp-dev/mutehashtag/forwarding
Mute #vpp:https://lists.fd.io/g/vpp-dev/mutehashtag/vpp
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [vpp-dev] MAC Learning in vpp

2021-08-02 Thread Mohsen Meamarian
Thanks Neale,
What is the easiest way to enable learning on an interface while other
functionality, including passing the ping and ARP packets, works normally?

I want l2_learn_process to run for that interface so that I can write a
function to do something like putting a limit on the maximum number of
connected devices with its help.



-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#19897): https://lists.fd.io/g/vpp-dev/message/19897
Mute This Topic: https://lists.fd.io/mt/84615988/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [vpp-dev] Regarding IPsec errors "Integrity failure" and "Unsupported payload"

2021-08-02 Thread Vijay Kumar
Hi Neale,

There was an issue in my code (we use a different IKE stack with VPP
IPsec). While copying keys received from the IKE process, I was using strncpy
instead of memcpy. As the encr and auth keys can have a '0' byte, the
strncpy gets terminated before copying all the n bytes. This caused
decryption failure or integrity check failure when SS sent IPsec pkts.


NOTE:
Whenever the keys generated did not have a '0' byte, there was no issue. It
used to work fine in such cases.



-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#19898): https://lists.fd.io/g/vpp-dev/message/19898
Mute This Topic: https://lists.fd.io/mt/84569833/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
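As an added example of the key-copy bug described in the last message (example code written for this page, not code from the poster's IKE stack or from VPP), the C program below copies a constructed 16-byte key once with strncpy and once with memcpy, reports the first corrupted byte, and computes how often a uniformly random key of a given length contains a 0x00 byte, which is why the failures looked random: roughly 12% of 32-byte keys and 22% of 64-byte keys contain one. The sa_key_t container and the key bytes are constructed for the example and are not real keying material.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KEY_MAX 64

/* Hypothetical SA key container for this example (not VPP's ipsec_key_t). */
typedef struct
{
  uint8_t data[KEY_MAX];
  size_t len;
} sa_key_t;

typedef void (*key_copy_fn) (sa_key_t *dst, const uint8_t *src, size_t n);

/* The bug from the thread: strncpy treats the key as a C string. It stops at
   the first 0x00 byte and zero-fills the remainder, so only keys that happen
   to contain no zero byte survive the copy intact. */
void
copy_key_strncpy (sa_key_t *dst, const uint8_t *src, size_t n)
{
  dst->len = n;
  strncpy ((char *) dst->data, (const char *) src, n);
}

/* The fix: keying material is opaque bytes, so copy exactly n of them. */
void
copy_key_memcpy (sa_key_t *dst, const uint8_t *src, size_t n)
{
  dst->len = n;
  memcpy (dst->data, src, n);
}

/* Index of the first byte where the copied key differs from the original,
   or -1 if the copy is exact. */
int
first_mismatch (key_copy_fn copy, const uint8_t *src, size_t n)
{
  sa_key_t k;
  memset (&k, 0xAA, sizeof k); /* poison, so untouched bytes are visible */
  copy (&k, src, n);
  for (size_t i = 0; i < n; i++)
    if (k.data[i] != src[i])
      return (int) i;
  return -1;
}

/* Probability that a uniformly random n-byte key contains at least one 0x00
   byte, i.e. how often an strncpy-based copy corrupts a fresh IKE-derived key.
   1 - (255/256)^n, computed without libm. */
double
p_key_has_zero_byte (size_t n)
{
  double p_no_zero = 1.0;
  for (size_t i = 0; i < n; i++)
    p_no_zero *= 255.0 / 256.0;
  return 1.0 - p_no_zero;
}

/* Constructed sample keys (not real keying material). They differ only in
   byte 5, which is 0x00 in the first one. */
const uint8_t KEY_WITH_ZERO[16] = {
  0x9a, 0x11, 0x42, 0x7f, 0xc3, 0x00, 0x5d, 0x88,
  0x2e, 0x6b, 0x14, 0xf0, 0x93, 0xa7, 0x3c, 0xd5
};
const uint8_t KEY_NO_ZERO[16] = {
  0x9a, 0x11, 0x42, 0x7f, 0xc3, 0x21, 0x5d, 0x88,
  0x2e, 0x6b, 0x14, 0xf0, 0x93, 0xa7, 0x3c, 0xd5
};

int
main (void)
{
  printf ("strncpy, key with 0x00 at byte 5: first wrong byte = %d\n",
          first_mismatch (copy_key_strncpy, KEY_WITH_ZERO, sizeof KEY_WITH_ZERO));
  printf ("memcpy,  key with 0x00 at byte 5: first wrong byte = %d\n",
          first_mismatch (copy_key_memcpy, KEY_WITH_ZERO, sizeof KEY_WITH_ZERO));
  printf ("strncpy, key without 0x00:        first wrong byte = %d\n",
          first_mismatch (copy_key_strncpy, KEY_NO_ZERO, sizeof KEY_NO_ZERO));
  printf ("P(random 32-byte key has a 0x00) = %.3f, 64-byte key: %.3f\n",
          p_key_has_zero_byte (32), p_key_has_zero_byte (64));
  return 0;
}
```

Byte 5 itself matches after strncpy (both sides are zero); the copy is wrong from byte 6 onward, and the peer, which derived the correct key, then sends ESP packets whose ICV cannot verify on the VPP side. A cheap regression check in the IKE-to-VPP glue is to memcmp the key bytes handed to VPP against the bytes IKE derived, over the full key length, before installing the SA.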