-
Notifications
You must be signed in to change notification settings - Fork 322
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Simple "IPsec" implementation #471
Comments
The ipsec config does not look complete. I believe the missing part is the RadixIPsecLookup, which if I recall correctly sets annotations required by the other ipsec elements. |
For what it is worth, here is a simple example to get started with
|
Thank you for you answer @ahenning. I saw the RadixIPsecLookup and I was wondering if it is mandatory for the implementation. Thank you for the example. I will try it. |
Hello @ahenning I run this configuration thank you. For my scenario my scenario I will generate the traffic to source using the InfiniteSource element. I'm thinking a click configuration file like this: InfiniteSource(LENGTH 1000, LIMIT 3, STOP true) And the IPSec VNF will be like this: Correct me if I'm wrong. I also try to create a simple NAT configuration file, kindly ask you for some input. InfiniteSource(LENGTH 1500, LIMIT 10000, STOP true) rw[0] -> IPPrint(NAT) -> IPMirror -> IPPrint(backToSource)-> [0]rw; Thank you again |
Hello again @ahenning I am kindly asking for your input on something. As I told before I have a simple implemation with three nodes Source --> VNF --> Sink And the second again in the source On the VNF node I have the IPSec implementation fd -> rt rt[0] Using tcpdump on the enp4s0f1 interface on VNF, I realize that tcpdump did not "catch" any packet when I use InfiniteSource as packet generator, and obviously the IPSec flow did not work. Using the FastUDP source, tcpdump catches packets, but it seems my IPSec configuration did not work. Kindly ask you for some input. Thank you in advance |
The issue appears to be the L2/MAC headers. In the first example it looks like this header is set, while in the second there are no MAC headers. EtherEncap might help. By default FromDevice(ethX) would provide the MAC headers, so you would need to Strip(14) to remove it, CheckIPHeader to ensure its a valid packet, which should normally be done before using elements that expect IP packets. Then afterwards Unstrip(14) can be used to 'add' the L2 header back, e.g. before using elements expecting an ethernet packet e.g. ToDevice. Just a rough off hand example: The L2 headers at the source is one issue, there might be more, for example in the IPsec config after FromDevice and before ToDevice. |
Thank you @ahenning also I forgot to say that all the interfaces are in promisc mode. |
So your advice @ahenning is to configure the VNF node like this: fd:: FromDevice(enp4s0f1); |
Yes and no. Yes that is how L2 headers could work if the VNF was just a L2 bridge, but due to the udp and ipsec headers you are probably going to be better off using EtherEncap after UDPIPEncap and before ToDevice |
It seems that I am close enough to my target, but I am little bit confuse. Finally I have the following IPSec config file:
The following configuration on the source node:
I can capture t the traffic in the ipsec node: And I can capture the traffic with tcpdump on the interface enp4s0f1 that connects the IPSec node with the sink. But on the sink node with the following configuration
I could not capture any traffic on the interface. Do you see any error here @ahenning? Thank you in advance. |
I notice 'enp4s0f1' in the ToDevice of the ipsec config and the FromDevice of the sink. If this is actually the exact same interface, that could be the issue. If not, then perhaps the FromDevice on the sink needs 'PROMISC true'. I don't see any major issues, looks like you are 99% there. Also, I'd recommend to run tcpdump with flag '-e' to print the L2 headers. This might help to spot issues with the packets. |
No these are different interfaces on two different nodes. I have also enable promisc mode on this interface with the command
what does it mean the indication expensive::Push have 0 wanted 14 |
What is between the two enp4s0f1 interfaces? Might want to look if there is some L2 filter going on that might be filtering the spoofed source MAC (1:1:1:1:1:1), or just set it to the actual MAC of the interface. If you can see the packets leaving the interface with tcpdump, and you are sure the packet headers are valid, then they should arrive on the destination interface. |
The topology is like this: Source(Node1) (enp4s0f0) <-------->(enp4s0f0)(Node2)VNF(enp4s0f1) <-------> (enp4s0f0)(Node3)Sink Source: 192.168.2.2/24, a0:36:9f:08:22:60 A silly question, in the EtherEncap() the source mac address should be the the mac address of the eggress interface (i.e. enp4s0f) ? |
Yes, some L2 devices, physical or virtual, will check if the packets are sourced from the connected interface MAC. I am not sure if this the issue, but double check the L2 header with tcpdump '-e'. If the packets are valid, the issue is probably not click related. I would make one change to the sink config. Replace DriverManager with Script(wait 10, print c.rate, loop); or something along those lines. |
@ahenning It seems that the source mac address in the EtherEncap was the problem.. I fixed it and now I can capture the packets on the ingress interface of the sink.. Now I can count the rate with the Counter, but I can't explain why sometimes the rate is 0 and the other 23887, the fluctuation is weird |
Hello @ahenning, and happy new year. I m facing an issue, and i was wondering if you can provide me some input. I send 500k packet/sec with FastUDP, I measure the rate(using AverageCounter element) on the two VNF ports (ingress - egress) and on the sink, and I can't find where is the bottleneck. Source (500023,13) -> (212191,40)VNF(210629,83) -> (214183)Sink. I also noticed that after some interation I had a warning on the VNF: CheckIPHeader@3: IP header check failed: bad IP version I use the drop_details handler of the CheckIPHeader element to see if this is the root of the problem. But the output show that only one packet is dropped every time What could cause this throughput "issue", except from that I use Click instead of FastClick? Thank you in advance |
Packets per second looks normal for the default PCAP method. You can try the fastclick DPDK elements for higher throughput. You can also try enabling verbose logging on the IP header check element. Perhaps it is just promiscuous mode picking up something else on the network. You might be able to output the error packets to a second output port and print the packets to get more detail on the packet that causes the error. ... check[0] -> out; |
I believe that the packet loss is due to the NICs buffers, so yes the p/sec looks normal. |
review linux process pinning to pin process to a core |
I just said if there is any other way than the obvious one :) |
Hello (again) I'm currently trying to build a CPU intensive VNF so Ι decided to creat simple IPsec-alike flow. I just want to implement the flow for the packets that entering the tunnel.
My topology is the same that I used here, and I just change the middle router in order to act as an IPsec, that pull the traffic from the FastUDPsource element.
I show the example and for my configuration I'm using:
FromDevice(eth0)->IPsecESPEncap()->IPsecAuthHMACSHA1(0)->IPsecAES(1)->IPsecEncap(50)->Queue->ToDevice(eth1)
Probably this is not right because I had the following error "Segmentation fault (core dumped)
Kindly thank you (again) for your input.
The text was updated successfully, but these errors were encountered: