XFRM Interface Development Notes: Difference between revisions

From Libreswan
Jump to navigation Jump to search
No edit summary
No edit summary
Line 20: Line 20:


<pre>
<pre>
https://patchwork.ozlabs.org/cover/928175/
https://patchwork.ozlabs.org/cover/928175/


Steffen Klassert June 12, 2018, 7:56 a.m.
Steffen Klassert June 12, 2018, 7:56 a.m.
Line 90: Line 90:


</pre>
</pre>
=== initial commits ===
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f203b76d78092faf248db3f851840fbecf80b40e
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7e6526404adedf079279aa7aa11722deaca8fe2e
   
   
* Steffen Klassert's at Linux IPsec 2018, Dresden https://workshop.linux-ipsec.org/2018/slides/xfrm_interfaces.pdf
* Steffen Klassert's at Linux IPsec 2018, Dresden https://workshop.linux-ipsec.org/2018/slides/xfrm_interfaces.pdf


== iproute related changes ==
== iproute related changes ==

Revision as of 13:12, 14 February 2019

Development notes for XFRMi

libreswan/pluto design choices

  • allow names ipsec0, ipsec1 ... ipsecx.
  • Should we allow names other than ipsecXX ?
  • initial thought is keep "xfrm interface id" and "xfrm output mark" consistent.
  • interface creation is inside pluto.
  • create bugzilla entry for Fedora/CentOS kernels? Fedora 28 do not enable

Kernel XFRM - related

XFRM INTERFACE

  • Commit cover letter 20180612, Merged in 4.19:

https://patchwork.ozlabs.org/cover/928175/

Steffen Klassert June 12, 2018, 7:56 a.m.

This patchset introduces new virtual xfrm interfaces.
The design of virtual xfrm interfaces interfaces was
discussed at the Linux IPsec workshop 2018. This patchset
implements these interfaces as the IPsec userspace and
kernel developers agreed. The purpose of these interfaces
is to overcome the design limitations that the existing
VTI devices have.

The main limitations that we see with the current VTI are the
following:

- VTI interfaces are L3 tunnels with configurable endpoints.
  For xfrm, the tunnel endpoint are already determined by the SA.
  So the VTI tunnel endpoints must be either the same as on the
  SA or wildcards. In case VTI tunnel endpoints are same as on
  the SA, we get a one to one correlation between the SA and
  the tunnel. So each SA needs its own tunnel interface.

  On the other hand, we can have only one VTI tunnel with
  wildcard src/dst tunnel endpoints in the system because the
  lookup is based on the tunnel endpoints. The existing tunnel
  lookup won't work with multiple tunnels with wildcard
  tunnel endpoints. Some usecases require more than on
  VTI tunnel of this type, for example if somebody has multiple
  namespaces and every namespace requires such a VTI.

- VTI needs separate interfaces for IPv4 and IPv6 tunnels.
  So when routing to a VTI, we have to know to which address
  family this traffic class is going to be encapsulated.
  This is a lmitation because it makes routing more complex
  and it is not always possible to know what happens behind the
  VTI, e.g. when the VTI is move to some namespace.

- VTI works just with tunnel mode SAs. We need generic interfaces
  that ensures transfomation, regardless of the xfrm mode and
  the encapsulated address family.

- VTI is configured with a combination GRE keys and xfrm marks.
  With this we have to deal with some extra cases in the generic
  tunnel lookup because the GRE keys on the VTI are actually
  not GRE keys, the GRE keys were just reused for something else.
  All extensions to the VTI interfaces would require to add
  even more complexity to the generic tunnel lookup.

To overcome this, we started with the following design goal:

- It should be possible to tunnel IPv4 and IPv6 through the same
  interface.

- No limitation on xfrm mode (tunnel, transport and beet).

- Should be a generic virtual interface that ensures IPsec
  transformation, no need to know what happens behind the
  interface.

- Interfaces should be configured with a new key that must match a
  new policy/SA lookup key.

- The lookup logic should stay in the xfrm codebase, no need to
  change or extend generic routing and tunnel lookups.

- Should be possible to use IPsec hardware offloads of the underlying
  interface.

initial commits

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f203b76d78092faf248db3f851840fbecf80b40e

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7e6526404adedf079279aa7aa11722deaca8fe2e

iproute related changes