Hi Matt,

Glad to hear it. And thank you for the patch.
Regards,
neale

-----Original Message-----
From: Matthew Smith <mgsm...@netgate.com>
Date: Wednesday, 24 May 2017 at 22:24
To: "Neale Ranns (nranns)" <nra...@cisco.com>
Cc: "vpp-dev@lists.fd.io" <vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev] IPsec interface handling in FIB

    
    Hi Neale,
    
    I set that flag and have been testing with it and it seems to have solved the problem.
    
    Thanks!
    
    -Matt
    
    
    > On May 20, 2017, at 2:18 AM, Neale Ranns (nranns) <nra...@cisco.com> wrote:
    > 
    > Hi Matt,
    > 
    > No ARP lookup is needed for interfaces that are point-2-point. The FIB will link entries reachable through a p2p interface using a special ‘auto’ adjacency. The auto adj has the all zeros address as a next-hop and a rewrite that is constructed by the interface type (i.e. for GRE has tunnel src,dst) and since the interface is P2P, it’s independent of the packet’s destination.
    > 
    > The construction of the special adj and the config to set the interface as P2P is, e.g.:
    > 
    > VNET_HW_INTERFACE_CLASS (gre_hw_interface_class) = {
    >  .name = "GRE",
    > …
    >  .update_adjacency = gre_update_adj,
    >  .flags = VNET_HW_INTERFACE_CLASS_FLAG_P2P,
    > };
    > 
    > similar config for IPSEC would be required.
    > 
    > Thanks,
    > neale
    > 
    > -----Original Message-----
    > From: <vpp-dev-boun...@lists.fd.io> on behalf of Matthew Smith <mgsm...@netgate.com>
    > Date: Saturday, 20 May 2017 at 01:36
    > To: "vpp-dev@lists.fd.io" <vpp-dev@lists.fd.io>
    > Subject: [vpp-dev] IPsec interface handling in FIB
    > 
    > 
    >    Hi,
    > 
    >    In the course of testing IPsec interfaces in VPP, I managed to make VPP crash on a SEGV by setting an IP address on an established IPsec tunnel interface and then trying to send packets through the tunnel to the IPsec peer by pinging an address in the same subnet as that address. I.e. I set the address 10.0.0.2/30 on the ipsec0 interface and tried to ping to 10.0.0.1. It looks like VPP was trying to resolve the address via ARP and crashed because it was trying to memcpy the hardware address of the IPsec tunnel interface, which was NULL, to build the ARP packet.
    > 
    >    GRE tunnel interfaces allow this sort of configuration without crashing. I took a look at some of the GRE code and it looked like there was some setup & maintenance that is done for GRE tunnels so that FIB lookups treat packets destined for a GRE tunnel in a special way. No ARP lookup is initiated when I send a packet to an address in the same subnet as an IP address configured on a GRE tunnel interface.
    > 
    >    I’d like to fix this for IPsec tunnel interfaces. Does anyone have any pointers on what I would need to do? I have been looking at the GRE code to get an idea, but it would save me a lot of time if anyone could share a high-level description of what needs to be done, or point me at any relevant documentation.
    > 
    >    Thanks,
    >    -Matt Smith
    > 
    >    _______________________________________________
    >    vpp-dev mailing list
    >    vpp-dev@lists.fd.io
    >    https://lists.fd.io/mailman/listinfo/vpp-dev
    > 
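
Added example, not part of the thread and not VPP source: a simplified C model of the decision discussed above, where a class flagged P2P gets the all-zeros "auto" adjacency and never reaches ARP, while the ARP path refuses to copy a NULL hardware address. All type, function and flag names here are hypothetical, and the interfaces are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not VPP source; every name below is hypothetical. */
enum { IF_CLASS_FLAG_P2P = 1 << 0 };
typedef enum { ADJ_ERROR, ADJ_AUTO_P2P, ADJ_NEEDS_ARP } adj_kind_t;

typedef struct {
    const char *name;
    unsigned class_flags;      /* set per interface class */
    const uint8_t *hw_addr;    /* NULL for a tunnel with no L2 address */
    size_t hw_addr_len;
} iface_t;

typedef struct {
    adj_kind_t kind;
    uint32_t next_hop;         /* all zeros for the auto adjacency */
    uint8_t arp_sha[6];        /* sender hardware address for the ARP request */
} adj_t;

/* Constructed sample interfaces: Ethernet, IPsec without and with the flag. */
static const uint8_t eth_mac[6] = { 0x02, 0, 0, 0, 0, 0x01 };
static const iface_t eth0 = { "eth0", 0, eth_mac, 6 };
static const iface_t ipsec0_unflagged = { "ipsec0", 0, NULL, 0 };
static const iface_t ipsec0_p2p = { "ipsec0", IF_CLASS_FLAG_P2P, NULL, 0 };

/* Decide how an attached (same-subnet) destination is reached through ifc. */
adj_t resolve_attached(const iface_t *ifc, uint32_t dst)
{
    adj_t adj = { .kind = ADJ_ERROR };
    if (ifc->class_flags & IF_CLASS_FLAG_P2P) {
        adj.kind = ADJ_AUTO_P2P;   /* one peer only, so dst is irrelevant */
        return adj;
    }
    /* ARP path: a NULL source address here is the crash from the thread. */
    if (ifc->hw_addr == NULL || ifc->hw_addr_len != sizeof adj.arp_sha)
        return adj;                /* fail closed instead of memcpy(NULL) */
    memcpy(adj.arp_sha, ifc->hw_addr, sizeof adj.arp_sha);
    adj.kind = ADJ_NEEDS_ARP;
    adj.next_hop = dst;
    return adj;
}

int main(void)
{
    uint32_t dst = 0x0a000001;     /* 10.0.0.1, the peer address in the thread */
    printf("%d\n", (int) resolve_attached(&ipsec0_p2p, dst).kind);
    return 0;
}
```
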
    
    
