Hi Andrew,
The tests updated as part of this patch[1] are related to the IPSec outbound
side "flow cache", i.e. test/test_ipsec_spd_flow_cache.py (see commit[2]). This
is really testing the behaviour of the flow cache, rather than the drop-by-default
behaviour described here. These tests just
Zach, Neale,
Just a thought from the "make test" PoV:
If I understand this email thread well, this change adds a behavior, relying on
which can create security implications in case this new behavior gets broken -
so do you think you could add a few negative tests as well? (I.e. that the
packets
Hi Neale,
Please see https://gerrit.fd.io/r/c/vpp/+/34252 for the patch for this. Would
appreciate a review when you get the chance so Juraj can start adding the CSIT
tests required for the inbound side IPSec flow cache
(https://gerrit.fd.io/r/c/vpp/+/32903).
Best,
Zach
Hi Zach,
Apologies for the late reply and thank you for the considered analysis.
..snip..
Is there a reason that the input side is set up like this? Unless there is a
good reason for allowing inbound traffic by default, I would propose to patch
the ipsec-input node to align with ipsec-output.
A correction, I meant inbound rule, not input rule.
Juraj
From: Juraj Linkeš
Sent: Thursday, September 9, 2021 10:59 AM
To: 'Zachary Leaf' ; 'ne...@graphiant.com'
Cc: vpp-dev
Subject: RE: [vpp-dev] IPSec input/output: default action for non-matching traffic
Hi Neale,
Did you have a chance
rule in each direction - is this even possible?
Thanks,
Juraj
From: vpp-dev@lists.fd.io On Behalf Of Zachary Leaf
Sent: Tuesday, August 17, 2021 10:30 AM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] IPSec input/output: default action for non-matching traffic
Hi Neale/all,
I've noticed an inconsistency between the default behaviour for non-matching
packets in the ipsec-input and ipsec-output nodes. I'm not sure if this is
intended or not.
The summary is:
- For ipsec-output, any non-matching packets are dropped by default with the
same mechanism as