Hi All, When I test VPP ipsec with version 2110, I found the node ipsec4-output-feature is the last node in ARC ip4-output. So when using SPD in ipsec, if there is a big packet that was fragmented on output, when the fragment packets enter the ipsec4-output-feature node, every packet except the first fragment will not match the SPD policy, so the packet was dropped.
00:12:05:665867: ip4-lookup
  fib 0 dpo-idx 7 flow hash: 0x00000000
  UDP: 10.10.10.15 -> 10.10.10.2
    tos 0x00, ttl 128, length 1548, checksum 0x0cbd dscp CS0 ecn NON_ECN
    fragment id 0x0000
  UDP: 500 -> 500
    length 1528, checksum 0x94f4
00:12:05:665868: ip4-rewrite
  tx_sw_if_index 0 dpo-idx 7 : ipv4 via 10.10.10.2 GigabitEthernet0/13/0: mtu:1500 next:4 flags:[features ] ee9d5c82816900005e0001010800 flow hash: 0x000005dc
  00000000: 4500060c0000000080110cbd0a0a0a0f0a0a0a0201f401f405f894f43eb4a54c
  00000020: 65ce89de80feb8853ee4fe402e20232000000001000005f0240005d4
00:12:05:665869: ip4-frag
  IPv4 mtu: 1500 fragments: 2 next: 0
00:12:05:665878: ip4-rewrite
  tx_sw_if_index 1 dpo-idx 7 : ipv4 via 10.10.10.2 GigabitEthernet0/13/0: mtu:1500 next:4 flags:[features ] ee9d5c82816900005e0001010800 flow hash: 0x00000000
  00000000: ee9d5c82816900005e0001010800450005dc060020007f11e7ec0a0a0a0f0a0a
  00000020: 0a0201f401f405f894f43eb4a54c65ce89de80feb8853ee4fe402e20
  tx_sw_if_index 1 dpo-idx 7 : ipv4 via 10.10.10.2 GigabitEthernet0/13/0: mtu:1500 next:4 flags:[features ] ee9d5c82816900005e0001010800 flow hash: 0x00000000
  00000000: ee9d5c82816900005e000101080045000044060000b97f110ccc0a0a0a0f0a0a
  00000020: 0a02cb4be59b66a472db88e5a88133f298724b594b7624391727117e
00:12:05:665880: ipsec4-output-feature
  spd 2 policy 17
  spd 2 policy -1
00:12:05:665882: error-drop
  rx:local0
00:12:05:665883: GigabitEthernet0/13/0-output
  GigabitEthernet0/13/0
  IP4: 00:00:5e:00:01:01 -> ee:9d:5c:82:81:69
  UDP: 10.10.10.15 -> 10.10.10.2
    tos 0x00, ttl 127, length 1500, checksum 0xe7ec dscp CS0 ecn NON_ECN
    fragment id 0x0600, flags MORE_FRAGMENTS
  UDP: 500 -> 500
    length 1528, checksum 0x94f4
00:12:05:665884: drop
  ip4-frag: packet fragmented
00:12:05:665884: GigabitEthernet0/13/0-tx
  GigabitEthernet0/13/0 tx queue 0
  buffer 0x91ca7: current data -14, length 1514, buffer-pool 0, ref-count 1, trace handle 0x6
                  ip4 l3-hdr-offset 0
  PKT MBUF: port 65535, nb_segs 1, pkt_len 1514
    buf_len 2176, data_len 1514, ol_flags 0x0, data_off 114, phys_addr 0x62272a40
    packet_type 0x0 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
    rss 0x0 fdir.hi 0x0 fdir.lo 0x0
  IP4: 00:00:5e:00:01:01 -> ee:9d:5c:82:81:69
  UDP: 10.10.10.15 -> 10.10.10.2
    tos 0x00, ttl 127, length 1500, checksum 0xe7ec dscp CS0 ecn NON_ECN
    fragment id 0x0600, flags MORE_FRAGMENTS
  UDP: 500 -> 500
    length 1528, checksum 0x94f4

Can we move the node ipsec4-output-feature to the first node in ARC ip4-output? And is there any bad effect when moving this node position?

Thanks
Guangming
zhangguangm...@baicells.com
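The following is an added example, not code from the message above or from VPP itself. It parses the two fragments shown in the ip4-rewrite trace (hex dumps copied from the trace, Ethernet header included) and runs them against a minimal SPD policy that selects on UDP ports, to show why the second fragment gets "policy -1": only the first fragment (fragment offset 0) carries the UDP header, and the bytes that sit right after the IP header in the second fragment are payload, not ports. It then shows one way a fragment-aware matcher can still classify later fragments by remembering the decision made for the first fragment of the same datagram (keyed on src, dst, protocol and IP id). The policy selectors and the fragment-cache technique are assumptions for illustration; policy id 17 is the number printed in the trace.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Hex dumps copied from the ip4-rewrite lines of the trace in the message.
FIRST_FRAG_HEX = ("ee9d5c82816900005e0001010800450005dc060020007f11e7ec0a0a0a0f0a0a"
                  "0a0201f401f405f894f43eb4a54c65ce89de80feb8853ee4fe402e20")
SECOND_FRAG_HEX = ("ee9d5c82816900005e000101080045000044060000b97f110ccc0a0a0a0f0a0a"
                   "0a02cb4be59b66a472db88e5a88133f298724b594b7624391727117e")

ETH_HDR_LEN = 14


@dataclass
class Ip4Pkt:
    src: str
    dst: str
    proto: int
    ip_id: int
    more_frags: bool
    frag_offset: int          # in bytes
    sport: Optional[int]      # None when this fragment has no transport header
    dport: Optional[int]


def parse_ip4_over_ethernet(raw: bytes) -> Ip4Pkt:
    """Parse Ethernet + IPv4 (+ UDP/TCP ports when present)."""
    ip = raw[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    ip_id = int.from_bytes(ip[4:6], "big")
    flags_frag = int.from_bytes(ip[6:8], "big")
    more_frags = bool(flags_frag & 0x2000)
    frag_offset = (flags_frag & 0x1FFF) * 8
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport = dport = None
    # Only the first fragment (offset 0) carries the transport header.
    if frag_offset == 0 and proto in (6, 17):
        l4 = ip[ihl:]
        sport = int.from_bytes(l4[0:2], "big")
        dport = int.from_bytes(l4[2:4], "big")
    return Ip4Pkt(src, dst, proto, ip_id, more_frags, frag_offset, sport, dport)


def bytes_after_ip_header_as_ports(raw: bytes) -> Tuple[int, int]:
    """What a matcher that ignores the fragment offset would read as ports."""
    ip = raw[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    return (int.from_bytes(ip[ihl:ihl + 2], "big"),
            int.from_bytes(ip[ihl + 2:ihl + 4], "big"))


@dataclass
class SpdPolicy:
    policy_id: int
    src: str
    dst: str
    proto: int
    sport_range: Tuple[int, int]
    dport_range: Tuple[int, int]

    def matches(self, p: Ip4Pkt) -> bool:
        if (p.src, p.dst, p.proto) != (self.src, self.dst, self.proto):
            return False
        if p.sport is None or p.dport is None:
            return False        # no transport header in this fragment
        return (self.sport_range[0] <= p.sport <= self.sport_range[1]
                and self.dport_range[0] <= p.dport <= self.dport_range[1])


# Assumed policy: protect IKE (UDP/500) between the two hosts in the trace.
POLICY = SpdPolicy(17, "10.10.10.15", "10.10.10.2", 17, (500, 500), (500, 500))


def naive_lookup(pkt: Ip4Pkt, policies) -> int:
    """Per-packet 5-tuple lookup; returns the policy id or -1 (as the trace prints)."""
    for pol in policies:
        if pol.matches(pkt):
            return pol.policy_id
    return -1


class FragAwareSpd:
    """Caches the first fragment's decision keyed by (src, dst, proto, ip_id) so
    later fragments of the same datagram inherit it. Assumed technique, not VPP's."""

    def __init__(self, policies):
        self.policies = policies
        self.frag_cache = {}

    def lookup(self, pkt: Ip4Pkt) -> int:
        key = (pkt.src, pkt.dst, pkt.proto, pkt.ip_id)
        if pkt.frag_offset == 0:
            pid = naive_lookup(pkt, self.policies)
            if pkt.more_frags:
                self.frag_cache[key] = pid
            return pid
        pid = self.frag_cache.get(key, -1)   # -1 if the first fragment was never seen
        if not pkt.more_frags:
            self.frag_cache.pop(key, None)   # last fragment: release the entry
        return pid


def demo() -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Returns ((naive first, naive second), (aware first, aware second))."""
    first = parse_ip4_over_ethernet(bytes.fromhex(FIRST_FRAG_HEX))
    second = parse_ip4_over_ethernet(bytes.fromhex(SECOND_FRAG_HEX))
    naive = (naive_lookup(first, [POLICY]), naive_lookup(second, [POLICY]))
    spd = FragAwareSpd([POLICY])
    aware = (spd.lookup(first), spd.lookup(second))
    return naive, aware


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reproduces the trace's "policy 17" / "policy -1" pair for the naive per-packet lookup, while the fragment-aware matcher classifies both fragments as policy 17. The cache approach only works when fragments arrive in order and the first fragment is seen on the same worker; the alternative the poster asks about, classifying before fragmentation so that policy matching always sees a whole datagram, avoids that dependency entirely.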