From: <vpp-dev@lists.fd.io> on behalf of Christian Hopps <cho...@chopps.org> Date: Thursday 18 June 2020 at 18:20 To: vpp-dev <vpp-dev@lists.fd.io> Cc: Christian Hopps <cho...@chopps.org> Subject: [vpp-dev] ipsec interface revisted.
Hi, So to revisit this topic from a different angle. I believe VPP needs something like the xfrm linux interface [1]. If I understand things correctly this actually provides what was useful (but more-so) with old ipsec interface functionality that has been lost. It is also a much cleaner/more powerful abstraction than the current "ipip tunnel with transport mode SA" trick that replaced the old ipsec interface functionality. As you say, replaced by ipip/gre tunnel interface, which shows the functionality has not been lost. Route based VPNs are still supported. The idea is to have an interface that one can use as a result of a FIB lookup. SAs can be attached to this interface. The replacement for the old ipsec interface functionality that was removed after 19.08, is that you attach a simple *tunnel mode* SA with "accept all" policy to the xfrm interface. You can also attach more complex policies if you care to, but the common and highly efficient case will be "accept all". The win here is that: - FIB Fast: You get an interface that can be the result of the forwarding lookup . highly efficient especially with common zero cost match all policy . compare to adding complex ip policy directly to all your ingress interfaces (expensive). - You have one interface for both IPv4 and IPv6 All of which are available with the ipip/gre tunnel model. - It operates directly with the IPsec tunnel mode and transport mode SAs without needing to mangle the internal definition of SA tunnel into transport mode. - CRITICAL: Its use does not impose any encapsulation on the traffic itself. Critical implies that without this some use cases are impossible. What is it that cannot be done with the tunnel model? /neale Thoughts? Thanks, Chris. [1] - https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN#XFRM-Interfaces-on-Linux
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#16778): https://lists.fd.io/g/vpp-dev/message/16778 Mute This Topic: https://lists.fd.io/mt/74962223/21656 Group Owner: vpp-dev+ow...@lists.fd.io Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-