Hi Andrew,
The tests updated as part of this patch[1] are related to the IPSec outbound
side "flow cache" i.e. test/test_ipsec_spd_flow_cache.py (see commit[2]). This
is really testing the behaviour of the flow cache, rather than this drop by
default behaviour described here. These tests just h
Zach, Neale,
Just a thought from the “make test” PoV:
If I understand this email thread well, this change adds a behavior, relying on
which can create security implications in case this new behavior gets broken -
so you think you could add a few negative tests as well? (I.e. that the
packets i
Hi Neale,
Please see https://gerrit.fd.io/r/c/vpp/+/34252 for the patch for this. Would
appreciate a review when you get the chance so Juraj can start adding the CSIT
tests required for the inbound side IPSec flow cache (
https://gerrit.fd.io/r/c/vpp/+/32903 ).
Best,
Zach
-=-=-=-=-=-=-=-=-=-
Hi Zach,
Apologies for the late reply and thank you for the considered analysis.
..snip..
Is there a reason that the input side is set up like this? Unless there is a
good reason for allowing inbound traffic by default, I would propose to patch
the ipsec-input node to align with ipsec-output a
A correction, I meant inbound rule, not input rule.
Juraj
From: Juraj Linkeš
Sent: Thursday, September 9, 2021 10:59 AM
To: 'Zachary Leaf' ; 'ne...@graphiant.com'
Cc: vpp-dev
Subject: RE: [vpp-dev] IPSec input/output: default action for non-matching
traffic
Hi Neale,
D
Hi Neale,
Did you have a chance to look at this? For my part, I'm trying to figure out
how to configure VPP with two DPDK interfaces where I would send bidirectional
traffic (unencrypted, since the traffic generator in question (T-rex) can't
send encrypted traffic yet) and I'd match an input ru