Hi Vratko,

It is a great idea as it is non-intrusive and makes both applications 
independent of each other.
However I cannot find a way (yet!) to make it work like linux-nl.
The closest thing for strongswan to issue – at least in Linux – is the ip xfrm 
command, which I believe has no hooks to capture.
Also it will be unsafe to do so – imagine a malware process was hiding 
somewhere to capture all SAs.

What we are proposing is

  *   SSWAN supports externally linking a plugin, which is how it works on 
different OSes.
  *   To do so we only have to refer to a few header files in our code, and 
generate a .so file in VPP scope.
  *   In our code we will implement a SSWAN plugin that translates SA 
management/routing cmds to VPP CAPI calls.
  *   When the .so file is compiled – we may provide a script, or the user manually 
copies the .so file to the location where SSWAN stores plugins.
  *   On the next SSWAN restart the plugin should be enabled and active.

However I cannot think of a way to change make test for this to work:

  *   We need a strongswan application up and running and capable of adding 
plugin.
  *   I wouldn't say we cannot, but it will be hard to use scapy's ikev2 (as we are 
adding support to strongswan and we target data path validation only).

To test the implementation we can use a similar way as the existing 
vpp/extras/strongswan/run.sh, but this time we focus on data path checking.
All ideas welcome.

Regards,
Fan

From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Vratko Polak -X 
(vrpolak - PANTHEON TECHNOLOGIES at Cisco) via lists.fd.io
Sent: Tuesday, June 14, 2022 5:57 PM
To: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] Community meeting today

> a way to make VPP IPsec work better w/ StrongSwan

As Damjan said, it would be a control plane adapter.
I guess it is also a management plane adapter
(translating higher level commands into VPP API commands).

From existing management plane adapters, it reminds me of linux_nl.
I read it listens to netlink messages.
I like the approach of listening to more standardized messages
coming over more standardized communication channel
(as opposed to creating a plugin for the Linux kernel to call VPP binary API 
directly).

I read StrongSwan can work on Windows (not just Linux),
so it has to have some abstraction of dataplane management.
What you can do is to create a "remote/userspace dataplane" plugin
(contribute to StrongSwan repo, using their GPLv2+)
that translates from StrongSwan internals into a standard communication channel
(no idea which one, maybe some user-defined netlink protocol),
and then on the other side you will have a plugin similar to linux_nl
(VPP repo, Apache2 license) translating from that standard communication channel
to VPP calls (direct C calls, or binary API).

This way you can test the VPP plugin in make test
(assuming the standard communication channel is not too exotic for Python to 
handle)
and also StrongSwan plugin in their CI.

Vratko.

From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Fan Zhang
Sent: Tuesday, 2022-June-14 10:39
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] Community meeting today

Hi,

I was wondering if we can squeeze in a quick topic to discuss in today’s 
community call?
We are working on a way to make VPP IPsec work better w/ StrongSwan and want to 
discuss the upstream plan of it.

Regards,
Fan
