Hi,

So to revisit this topic from a different angle. I believe VPP needs something 
like the xfrm Linux interface [1]. If I understand things correctly this 
actually provides what was useful (but more so) with the old ipsec interface 
functionality that has been lost. It is also a much cleaner/more powerful 
abstraction than the current "ipip tunnel with transport mode SA" trick that 
replaced the old ipsec interface functionality.

The idea is to have an interface that one can use as a result of a FIB lookup. 
SAs can be attached to this interface. The replacement for the old ipsec 
interface functionality that was removed after 19.08, is that you attach a 
simple *tunnel mode* SA with "accept all" policy to the xfrm interface. You can 
also attach more complex policies if you care to, but the common and highly 
efficient case will be "accept all".

The win here is that:

 - FIB fast: you get an interface that can be the result of the forwarding 
   lookup
   . highly efficient, especially with the common zero-cost match-all policy
   . compare to adding complex IP policy directly to all your ingress 
     interfaces (expensive).
 - You have one interface for both IPv4 and IPv6.
 - It operates directly with the IPsec tunnel mode and transport mode SAs 
   without needing to mangle the internal definition of an SA tunnel into 
   transport mode.
 - CRITICAL: its use does not impose any encapsulation on the traffic itself.

Thoughts?

Thanks,
Chris.

[1] - 
https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN#XFRM-Interfaces-on-Linux
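As an added illustration (not part of the post above, and not VPP code) of the Linux model being referenced, the script below builds a route-based xfrm interface with iproute2: an interface the FIB can resolve to, tunnel-mode SAs bound to it by if_id, and "accept all" policies scoped by if_id only. Addresses, SPIs, the if_id, the key and the underlying device eth0 are constructed placeholders; with DRY_RUN=1 (the default) the commands are printed rather than executed.

```shell
#!/bin/sh
# Added example, not from the original message. All values are constructed
# placeholders. DRY_RUN=1 prints the iproute2 commands instead of running them.
set -eu

DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

LOCAL=192.0.2.1; REMOTE=198.51.100.1       # outer (underlay) endpoints, constructed
IF_ID=42; SPI_OUT=0x1001; SPI_IN=0x1002    # constructed
# placeholder 36-byte key+salt for AES-128-GCM; one key per direction in practice
KEY=0x00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff01020304

# 1. A routable interface with no encapsulation of its own; if_id is the
#    binding between the interface and its SAs/policies.
setup_iface() {
  run ip link add ipsec0 type xfrm dev eth0 if_id "$IF_ID"
  run ip link set ipsec0 up
}

# 2. Plain tunnel-mode SAs, one per direction, attached via if_id.
setup_sas() {
  run ip xfrm state add src "$LOCAL" dst "$REMOTE" proto esp spi "$SPI_OUT" \
      mode tunnel if_id "$IF_ID" aead 'rfc4106(gcm(aes))' "$KEY" 128
  run ip xfrm state add src "$REMOTE" dst "$LOCAL" proto esp spi "$SPI_IN" \
      mode tunnel if_id "$IF_ID" aead 'rfc4106(gcm(aes))' "$KEY" 128
}

# 3. "Accept all": the selector is the catch-all for each family, so only the
#    if_id decides; no per-ingress-interface policy matching is needed.
setup_policies() {
  for dir in out in; do
    if [ "$dir" = out ]; then s=$LOCAL; d=$REMOTE; else s=$REMOTE; d=$LOCAL; fi
    run ip xfrm policy add src 0.0.0.0/0 dst 0.0.0.0/0 dir "$dir" if_id "$IF_ID" \
        tmpl src "$s" dst "$d" proto esp mode tunnel
    run ip xfrm policy add src ::/0 dst ::/0 dir "$dir" if_id "$IF_ID" \
        tmpl src "$s" dst "$d" proto esp mode tunnel
  done
}

# 4. Steering is an ordinary FIB entry; the same interface serves v4 and v6.
setup_routes() {
  run ip route add 10.0.0.0/8 dev ipsec0
  run ip -6 route add 2001:db8:1::/48 dev ipsec0
}

setup_all() { setup_iface; setup_sas; setup_policies; setup_routes; }
```

Run with `DRY_RUN=0` as root on a kernel with CONFIG_XFRM_INTERFACE to actually apply it.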