Hi Neale,

I set that flag and have been testing with it and it seems to have solved the 
problem.

Thanks!

-Matt


> On May 20, 2017, at 2:18 AM, Neale Ranns (nranns) <nra...@cisco.com> wrote:
> 
> Hi Matt,
> 
> No ARP lookup is needed for interfaces that are point-2-point. The FIB will 
> link entries reachable through a p2p interface using a special ‘auto’ 
> adjacency. The auto adj has the all zeros address as a next-hop and a rewrite 
> that is constructed by the interface type (i.e. for GRE has tunnel src,dst) 
> and since the interface is P2P, it’s independent of the packet’s destination.
> 
> The construction of the special adj and the config to set the interface as 
> P2P is, e.g.;
> 
> VNET_HW_INTERFACE_CLASS (gre_hw_interface_class) = {
>  .name = "GRE",
> …
>  .update_adjacency = gre_update_adj,
>  .flags = VNET_HW_INTERFACE_CLASS_FLAG_P2P,
> };
> 
> similar config for IPSEC would be required.
> 
> Thanks,
> neale
> 
> -----Original Message-----
> From: <vpp-dev-boun...@lists.fd.io> on behalf of Matthew Smith 
> <mgsm...@netgate.com>
> Date: Saturday, 20 May 2017 at 01:36
> To: "vpp-dev@lists.fd.io" <vpp-dev@lists.fd.io>
> Subject: [vpp-dev] IPsec interface handling in FIB
> 
> 
>    Hi,
> 
>    In the course of testing IPsec interfaces in VPP, I managed to make VPP 
> crash on a SEGV by setting an IP address on an established IPsec tunnel 
> interface and then trying to send packets through the tunnel to the IPsec 
> peer by pinging an address in the same subnet as that address. I.e. I set the 
> address 10.0.0.2/30 on the ipsec0 interface and tried to ping to 10.0.0.1. It 
> looks like VPP was trying to resolve the address via ARP and crashed because 
> it was trying to memcpy the hardware address of the IPsec tunnel interface, 
> which was NULL, to build the ARP packet.
> 
>    GRE tunnel interfaces allow this sort of configuration without crashing. I 
> took a look at some of the GRE code and it looked like there was some setup & 
> maintenance that is done for GRE tunnels so that FIB lookups treat packets 
> destined for a GRE tunnel in a special way. No ARP lookup is initiated when I 
> send a packet to an address in the same subnet as an IP address configured on 
> a GRE tunnel interface.
> 
>    I’d like to fix this for IPsec tunnel interfaces. Does anyone have any 
> pointers on what I would need to do? I have been looking at the GRE code to get an 
> idea, but it would save me a lot of time if anyone could share a high-level 
> description of what needs to be done, or point me at any relevant 
> documentation.
> 
>    Thanks,
>    -Matt Smith
> 
>    _______________________________________________
>    vpp-dev mailing list
>    vpp-dev@lists.fd.io
>    https://lists.fd.io/mailman/listinfo/vpp-dev
> 
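
The decision described in the thread above, as an added example that is not part of the original messages and is not VPP code: a small model of choosing an adjacency for an attached destination, where a P2P interface gets the all-zeros 'auto' adjacency and a non-P2P interface must have a valid hardware address before an ARP request is built. All type, flag and function names here (iface_t, IF_CLASS_FLAG_P2P, resolve_attached) are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model; these names are invented and are not VPP's types. */
#define IF_CLASS_FLAG_P2P 0x1u

typedef struct {
    const char *name;
    uint32_t class_flags;
    const uint8_t *hw_addr;   /* NULL for a tunnel with no L2 address */
    size_t hw_addr_len;
} iface_t;

typedef enum { ADJ_AUTO, ADJ_NEEDS_ARP, ADJ_ERROR } adj_kind_t;

typedef struct {
    adj_kind_t kind;
    uint32_t next_hop;        /* 0.0.0.0 for the auto adjacency */
    uint8_t arp_sha[6];       /* sender hardware address for the ARP request */
} adj_t;

/* Pick the adjacency for destination 'dst' attached to interface 'ifp'. */
adj_kind_t resolve_attached(const iface_t *ifp, uint32_t dst, adj_t *out)
{
    memset(out, 0, sizeof(*out));
    if (ifp->class_flags & IF_CLASS_FLAG_P2P) {
        /* P2P: one adjacency serves every destination, so no ARP is sent. */
        out->kind = ADJ_AUTO;
        return out->kind;
    }
    /* Multi-access: validate the hardware address before copying it. */
    if (ifp->hw_addr == NULL || ifp->hw_addr_len != sizeof(out->arp_sha)) {
        out->kind = ADJ_ERROR;
        return out->kind;
    }
    memcpy(out->arp_sha, ifp->hw_addr, sizeof(out->arp_sha));
    out->next_hop = dst;
    out->kind = ADJ_NEEDS_ARP;
    return out->kind;
}

int main(void)
{
    /* Constructed sample: tunnel with no hardware address, P2P flag set. */
    iface_t tun = { "ipsec0", IF_CLASS_FLAG_P2P, NULL, 0 };
    adj_t adj;
    return resolve_attached(&tun, 0x0a000001u, &adj) == ADJ_AUTO ? 0 : 1;
}
```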
