[vpp-dev] pppoe plugin + vlan

2020-05-09 Thread Stanislav Zaikin
Hello folks,

I'm trying to figure out how to make PPPoE plugin work with dot1q
subinterfaces (and maybe with qinq interfaces).

I've made a prototype with the following things:
1) I enabled arc "device-input" with the next node "pppoe-input" on the
pppoe cp interface: to get rid of L3_MAC_MISMATCH error (it's a bit
controversial thing, but I didn't find any other proper way to get it
working).
2) Because of the previous point - I rewrote parsing in the "pppoe-input"
node to parse all headers from scratch.
3) I got rid of "local mac" because it's more obvious to get the MAC address
directly from the encap interface when you are filling up the DPO adjacency.
Anyway, in the case of the dot1q subinterface, we need to get vlan tags to
fill the DPO adjacency.

I'm new to VPP, so maybe some of these things are not good from some points
of view. So it would be great if someone would look at it (and maybe propose
something).

Also, there are some open questions:
- Should we strip the vlan tag before we send pppoe packets to the cp
interface? (I keep it, but my cp is ok with parsing vlan tags).
- Is there any sense in pointing local mac address when we are creating a
pppoe session? We can get it from the encap interface.

https://gerrit.fd.io/r/c/vpp/+/26964

-- 
Best regards
Stanislav Zaikin
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#16293): https://lists.fd.io/g/vpp-dev/message/16293
Mute This Topic: https://lists.fd.io/mt/74099572/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-


[vpp-dev] Coverity run FAILED as of 2020-05-09 14:00:23 UTC

2020-05-09 Thread Noreply Jenkins
Coverity run failed today.

ERROR: File 'output.txt' does not exist
View/Reply Online (#16292): https://lists.fd.io/g/vpp-dev/message/16292


Re: [vpp-dev] IPsec tunnel interfaces?

2020-05-09 Thread Neale Ranns via lists.fd.io

Hi Chris,

> Are there other properties of a tunnel mode SA that you need that are lost 
> with this approach?

I need to use tunnel mode SAs provided by IKEv2. Transport mode is an optional 
(normally on-the-wire IKEv2 negotiated) feature of IPsec. These tunnel mode SAs 
will have IPTFS enabled on them, and that functionality is only defined for 
IPsec tunnel mode SAs.

The only difference in VPP between a transport and tunnel mode SA is the 
presence of the encap. So I think it’s fair to say that what you need is an 
interface to interact with the L[23] system, ‘encap’ to describe how to 
encap/decap packets (i.e. what to copy from overlay/underlay (DSCP, ECN, etc.)) 
and an SA (for the algo set):
  Interface + encap + SA
VPP doesn’t model encap separately. So it’s a question of where you add the 
parenthesis.
  (interface + encap) + SA = ipip tunnel + transport mode SA
Or
  Interface + (encap + SA) = ipsec dedicated interface + tunnel mode SA
In both cases the same information is available, it’s just modelled 
differently. The first model is used since it reuses the types/functionality 
that VPP already has to support other use cases, without the need for a 
dedicated interface type. Is it not possible for you to work with the first 
model, or is it less convenient?
/neale


There will be future work in IETF/ipsecme to enable a form of transport mode 
support in IPTFS to handle the Cisco-preferred GRE with transport mode IPsec 
configuration, but that is not available today, and obviously won't be the only 
option standardized.

Thanks,
Chris.


> /neale
>
> Thanks,
> Chris.
>
>
> >
> >I did read through the Wiki and it seems that this change was motivated 
> > by wanting to cleanup the IPsec API, but that hardly seems like 
> > justification to eliminate the efficient use of an entire variant of 
> > commonly used IPsec functionality.
> >
> > Cleaning up the API was one motivation. It was a pain that each time we 
> > added new attributes to SA creation (like ESN, UDP, algo=foo) (for use with 
> > the SPD) we had to make similar changes to both the ipsec and ipsec_gre 
> > create APIs. The other motivation was removing 2 interface types that did 
> > exactly the same as the existing ipip and gre tunnels (and the same goes 
> > for their APIs too, like how do I configure what DSCP, ECN, DF to copy on 
> > encap/decap).
> >
> > /neale
> >
> >
> >
> >Could we bring back the functionality using more "acceptable to the 
> > project" APIs or something?
> >
> >Thanks,
> >Chris.
> >
> >>
> >> /neale
> >>
> >>
> >> From:  on behalf of Christian Hopps 
> >> 
> >> Date: Wednesday 6 May 2020 at 14:32
> >> To: vpp-dev 
> >> Cc: Christian Hopps 
> >> Subject: [vpp-dev] IPsec tunnel interfaces?
> >>
> >> Hi, vpp-dev,
> >>
> >> Post 19.08 seems to have removed IPsec logical interfaces.
> >>
> >> One cannot always use transport mode IPsec.
> >>
> >> How can I get the efficiency of route based (FIB) IPsec w/o transport 
> >> mode? Adding superfluous encapsulations (wasting bandwidth) to replace 
> >> this (seemingly lost, hope not) functionality is not an option.
> >>
> >> Thanks,
> >> Chris.
> >>
>
>

View/Reply Online (#16291): https://lists.fd.io/g/vpp-dev/message/16291


Re: [vpp-dev] How to match a specific packet to the outbound direction of a specified interface #vpp

2020-05-09 Thread Mrityunjay Kumar
Which VPP version are you heading? If you are using 19.05 or less, you can
create an ipsec tunnel, and route your packet to the ipsec0 interface:

create ipsec tunnel local-ip  local-spi  remote-ip  remote-spi 
set interface ipsec key ipsec0 local crypto aes-gcm-128 2b7e151628aed2a6abf7158809cf4f3d
set interface ipsec key ipsec0 remote crypto aes-gcm-128 2b7e151628aed2a6abf7158809cf4f3d
set interface state ipsec0 up
set interface unnumbered ipsec0 use 
ip route add 192.168.200.10/24 via ipsec0

If you are using >= 19.08, best practice, you can create a policy based
tunnel.

ipsec policy add spd 1 priority 100 inbound action bypass protocol 50
ipsec policy add spd 1 priority 100 outbound action bypass protocol 50
ipsec policy add spd 1 outbound action bypass local-ip-range 10.168.4.0-10.168.4.255 remote-ip-range 10.168.2.0-10.168.2.255
ipsec sa add 10 spi 3391172682 esp crypto-alg aes-gcm-256 crypto-key 523a88fa4ad8c0325d75c933d9e567c23879ea701355207551bc2cf7d963c3dac8dcdca2 tunnel-src 10.168.2.4 tunnel-dst 10.168.4.11
ipsec sa add 20 spi 3443809241 esp crypto-alg aes-gcm-256 crypto-key 6062e3e9a9d578f58527242e9fbd48aeef7a0f8b4adc4569e7a84cda19c14ae21aa0a2b4 tunnel-src 10.168.4.11 tunnel-dst 10.168.2.4
ipsec policy add spd 1 priority 10 inbound action protect sa 10 local-ip-range 10.168.3.11 - 10.168.3.11 remote-ip-range 10.168.2.4 - 10.168.2.4
ipsec policy add spd 1 priority 10 outbound action protect sa 20 local-ip-range 10.168.3.11 - 10.168.3.11 remote-ip-range 10.168.2.4 - 10.168.2.4



cheers!   enjoy
//MJ



*Regards*,
Mrityunjay Kumar.
Mobile: +91 - 9731528504



On Sat, May 9, 2020 at 12:16 PM  wrote:

> Hi VPP hackers,
> My program and vpp communicate through the memif interface.
> I want to make vpp match specific packets (such as ospf packets), and then
> redirect to the outbound direction of the memif interface.
>
> I don't know how to match a specific packet to the outbound direction of a
> specified interface.
>
> Can someone provide an example of configuration?
> Thanks in advance!
> 
>
View/Reply Online (#16290): https://lists.fd.io/g/vpp-dev/message/16290


Re: [vpp-dev] clang-9

2020-05-09 Thread Lijian Zhang
Hi Damjan,
The patch[2] installs clang-9 in package dependencies and sets “clang-10 
clang-9 gcc-9 cc” as the default compiler.

The problem is,
1. clang-9 does not support ‘-mtune=qdf24xx’, ‘-mtune=neoverse-n1’, 
‘-mcpu=neoverse-n1’, so it cannot do arch-specific compiling and optimal 
function selection for those two CPUs.
These options require gcc-9.2, clang-10 and any newer versions.

2. The clang package servers for Ubuntu-18.04 mentioned in 
https://apt.llvm.org/ support x86, but do not support Arm64, so we cannot 
install clang-10/clang-11 directly via apt commands on Arm servers.

I’m thinking of two options,
1. remove the clang-9 dependency in the Makefile or add it for x86_64 only, so 
that users should install clang-10/clang-9 for x86 manually, and for Arm, 
install gcc-9 and clang-10/clang-11 (not available yet). Just like CSIT 
previously had to update the gcc version to gcc-8.3 manually (gcc-8.3 not 
listed in dependencies).
2. there are several other workarounds,
  2.1 install clang-10 from source code until we can do a clang-10 binary 
install on Ubuntu-18.04 on Arm;
  2.2 keep the code as it is now, although it will disable multi-arch support 
for these two CPUs with clang-9;
  2.3 when we are developing code or doing benchmarking, we need to hack the 
code temporarily from “set(CMAKE_C_COMPILER_NAMES clang-10 clang-9 gcc-9 cc)” 
to “set(CMAKE_C_COMPILER_NAMES clang-10 gcc-9 cc)”, so that multi-arch will 
be supported with gcc-9.

Could you suggest on this issue?
Thanks.
From: vpp-dev@lists.fd.io  On Behalf Of Damjan Marion via 
lists.fd.io
Sent: 28 April 2020 22:14
To: vpp-dev 
Subject: [vpp-dev] clang-9


Folks,

As there is a bug in the GNU assembler which is shipping with Ubuntu 18.04, we 
are not able to produce working binaries with the avx512 instruction set.
Because of that, I had to change the default to avx2. I reported the bug[1], 
but it has been ignored for a year.

As an alternative[2], I wanted to consider using clang-9, which is shipped with 
Ubuntu 18.04 and seems like it is even capable of producing faster binaries 
than gcc.
Unfortunately, "make test" is failing at several places including vxlan, ipsec 
and tcp stack[3].

May I ask folks who “own” that code to take a quick look?

Thanks,

Damjan

[1] https://bugs.launchpad.net/ubuntu/cosmic/+source/binutils/+bug/1819961
[2] https://gerrit.fd.io/r/c/vpp/+/26744
[3] https://jenkins.fd.io/job/vpp-verify-master-ubuntu1804/3615/console



View/Reply Online (#16289): https://lists.fd.io/g/vpp-dev/message/16289


[vpp-dev] How to match a specific packet to the outbound direction of a specified interface #vpp

2020-05-09 Thread comeonyan
Hi VPP hackers,
My program and vpp communicate through the memif interface.
I want to make vpp match specific packets (such as ospf packets), and then 
redirect to the outbound direction of the memif interface.

I don't know how to match a specific packet to the outbound direction of a 
specified interface.

Can someone provide an example of configuration?
Thanks in advance!
View/Reply Online (#16288): https://lists.fd.io/g/vpp-dev/message/16288