
Add IPSec mechanism (#762)
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>

Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
glazychev-art authored Dec 6, 2022
1 parent 4484fcc commit 459443a
Showing 11 changed files with 167 additions and 8 deletions.
2 changes: 1 addition & 1 deletion Dockerfile
@@ -1,4 +1,4 @@
ARG VPP_VERSION=v22.06-rc0-150-gd38fa55fa
ARG VPP_VERSION=v22.06-rc0-151-g1af463082
FROM ghcr.io/edwarnicke/govpp/vpp:${VPP_VERSION} as go
COPY --from=golang:1.18.2-buster /usr/local/go/ /go
ENV PATH ${PATH}:/go/bin
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -17,7 +17,7 @@ require (
github.com/networkservicemesh/sdk v0.5.1-0.20221206103812-b6979bfe147d
github.com/networkservicemesh/sdk-k8s v0.0.0-20221128102348-7b25c04bed9e
github.com/networkservicemesh/sdk-sriov v0.0.0-20221206105157-ce61d862f46f
github.com/networkservicemesh/sdk-vpp v0.0.0-20221206105447-23a527c0a2c4
github.com/networkservicemesh/sdk-vpp v0.0.0-20221206112452-c9d7291b5e3b
github.com/pkg/errors v0.9.1
github.com/sirupsen/logrus v1.9.0
github.com/spiffe/go-spiffe/v2 v2.0.0
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -374,8 +374,8 @@ github.com/networkservicemesh/sdk-kernel v0.0.0-20221206104345-fd91dd9e8f6d h1:e
github.com/networkservicemesh/sdk-kernel v0.0.0-20221206104345-fd91dd9e8f6d/go.mod h1:t4A46Ph49k1kfuiEUPjmFvnIeaU3cfigQjUxr+gSmwE=
github.com/networkservicemesh/sdk-sriov v0.0.0-20221206105157-ce61d862f46f h1:WOicK+q0roBwdWQqriWKk3YYqRniVszIAd0FafH2+tg=
github.com/networkservicemesh/sdk-sriov v0.0.0-20221206105157-ce61d862f46f/go.mod h1:pVMdEtwTPziKjhbqFEQWpz3DhXfOfJ+FfVyzENdNCb8=
github.com/networkservicemesh/sdk-vpp v0.0.0-20221206105447-23a527c0a2c4 h1:E+WcbzILudVP9fUvlLOeaNUcGirY4C3K4SM6DsVcypo=
github.com/networkservicemesh/sdk-vpp v0.0.0-20221206105447-23a527c0a2c4/go.mod h1:9XCG5+2GxZs2jN9PkQb08iQ2Qg1mx22/OTbtLhpbcxc=
github.com/networkservicemesh/sdk-vpp v0.0.0-20221206112452-c9d7291b5e3b h1:tJrY7VBHaTc6u5BLh3w1cPs362eiSD/dbTxdEWSDVSM=
github.com/networkservicemesh/sdk-vpp v0.0.0-20221206112452-c9d7291b5e3b/go.mod h1:9XCG5+2GxZs2jN9PkQb08iQ2Qg1mx22/OTbtLhpbcxc=
github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
1 change: 1 addition & 0 deletions internal/config/config.go
Expand Up @@ -58,6 +58,7 @@ type Config struct {
PCIDriversPath string `default:"/sys/bus/pci/drivers" desc:"path to the PCI drivers directory" split_words:"true"`
CgroupPath string `default:"/host/sys/fs/cgroup/devices" desc:"path to the host cgroup directory" split_words:"true"`
VFIOPath string `default:"/host/dev/vfio" desc:"path to the host VFIO directory" split_words:"true"`
PriorityMechanisms []string `default:"" desc:"sets priorities for mechanisms" split_words:"true"`
}

// Process reads config from env
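Review bot: The `desc` tag on the new `PriorityMechanisms` field, `sets priorities for mechanisms`, does not tell an operator what values the variable accepts or how the order is read, which is what a `desc` is for. Something like `desc:"comma-separated list of mechanism names in priority order"` would do, assuming envconfig splits the slice on commas (it does for `[]string`) and the consumer treats the first entry as highest priority; the second part should be confirmed against the sdk-vpp option before wording it. The enclosing `Config` struct begins outside the hunk.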
2 changes: 2 additions & 0 deletions internal/imports/imports_linux.go


15 changes: 15 additions & 0 deletions internal/tests/suite_combinatronics_test.go
Expand Up @@ -41,6 +41,7 @@ import (
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"

ipsecapi "github.com/networkservicemesh/api/pkg/api/networkservice/mechanisms/ipsec"
"github.com/networkservicemesh/api/pkg/api/networkservice/mechanisms/kernel"
"github.com/networkservicemesh/api/pkg/api/networkservice/mechanisms/memif"
"github.com/networkservicemesh/api/pkg/api/networkservice/mechanisms/vxlan"
Expand Down Expand Up @@ -86,6 +87,12 @@ func (f *ForwarderTestSuite) TestCombinations() {
f.vppServerConn,
)
},
ipsecapi.MECHANISM: func(ctx context.Context) verifiableEndpoint {
return newIpsecVerifiableEndpoint(ctx, prefix1, prefix2,
spiffejwt.TokenGeneratorFunc(f.x509source, f.config.MaxTokenLifetime),
f.vppServerConn,
)
},
}
clients := map[string]func(ctx context.Context) verifiableClient{
kernel.MECHANISM: func(ctx context.Context) verifiableClient {
Expand All @@ -111,13 +118,20 @@ func (f *ForwarderTestSuite) TestCombinations() {
f.vppClientConn,
)
},
ipsecapi.MECHANISM: func(ctx context.Context) verifiableClient {
return newIpsecVerifiableClient(ctx,
f.sutCC,
f.vppClientConn,
)
},
}

payloads := map[string][]string{
payload.IP: {
kernel.MECHANISM,
memif.MECHANISM,
wireguard.MECHANISM,
ipsecapi.MECHANISM,
},
payload.Ethernet: {
kernel.MECHANISM,
Expand All @@ -128,6 +142,7 @@ func (f *ForwarderTestSuite) TestCombinations() {
isRemote := map[string]bool{
wireguard.MECHANISM: true,
vxlan.MECHANISM: true,
ipsecapi.MECHANISM: true,
}
for _, pl := range []string{payload.Ethernet, payload.IP} {
payloadName := pl
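--- a/internal/tests/suite_ipsec_test.go
+++ b/internal/tests/suite_ipsec_test.go
@@ -0,0 +1,130 @@
+// Copyright (c) 2022 Cisco and/or its affiliates.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at:
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// nolint:dupl
+package tests
+
+import (
+"context"
+"net"
+
+"github.com/edwarnicke/vpphelper"
+"google.golang.org/grpc"
+
+"github.com/networkservicemesh/api/pkg/api/networkservice"
+ipsecapi "github.com/networkservicemesh/api/pkg/api/networkservice/mechanisms/ipsec"
+
+"github.com/networkservicemesh/sdk/pkg/networkservice/chains/client"
+"github.com/networkservicemesh/sdk/pkg/networkservice/chains/endpoint"
+"github.com/networkservicemesh/sdk/pkg/networkservice/common/authorize"
+"github.com/networkservicemesh/sdk/pkg/networkservice/common/mechanisms"
+"github.com/networkservicemesh/sdk/pkg/networkservice/ipam/point2pointipam"
+"github.com/networkservicemesh/sdk/pkg/networkservice/utils/metadata"
+"github.com/networkservicemesh/sdk/pkg/tools/token"
+
+"github.com/networkservicemesh/sdk-vpp/pkg/networkservice/connectioncontext"
+"github.com/networkservicemesh/sdk-vpp/pkg/networkservice/mechanisms/ipsec"
+"github.com/networkservicemesh/sdk-vpp/pkg/networkservice/pinhole"
+"github.com/networkservicemesh/sdk-vpp/pkg/networkservice/up"
+)
+
+type ipsecVerifiableEndpoint struct {
+ctx context.Context
+vppConn vpphelper.Connection
+endpoint.Endpoint
+}
+
+func newIpsecVerifiableEndpoint(ctx context.Context,
+prefix1, prefix2 *net.IPNet,
+tokenGenerator token.GeneratorFunc,
+vppConn vpphelper.Connection) verifiableEndpoint {
+rv := &ipsecVerifiableEndpoint{
+ctx: ctx,
+vppConn: vppConn,
+}
+name := "ipsecVerifiableEndpoint"
+rv.Endpoint = endpoint.NewServer(ctx,
+tokenGenerator,
+endpoint.WithName(name),
+endpoint.WithAuthorizeServer(authorize.NewServer()),
+endpoint.WithAdditionalFunctionality(
+metadata.NewServer(),
+point2pointipam.NewServer(prefix1),
+point2pointipam.NewServer(prefix2),
+up.NewServer(ctx, vppConn),
+pinhole.NewServer(vppConn),
+connectioncontext.NewServer(vppConn),
+mechanisms.NewServer(map[string]networkservice.NetworkServiceServer{
+ipsecapi.MECHANISM: ipsec.NewServer(vppConn, net.ParseIP(serverIP)),
+}),
+),
+)
+return rv
+}
+
+func (v *ipsecVerifiableEndpoint) VerifyConnection(conn *networkservice.Connection) error {
+for _, ip := range conn.GetContext().GetIpContext().GetSrcIpAddrs() {
+if err := pingVpp(v.ctx, v.vppConn, ip); err != nil {
+return err
+}
+}
+return nil
+}
+
+func (v *ipsecVerifiableEndpoint) VerifyClose(conn *networkservice.Connection) error {
+return nil
+}
+
+type ipsecVerifiableClient struct {
+ctx context.Context
+vppConn vpphelper.Connection
+networkservice.NetworkServiceClient
+}
+
+func newIpsecVerifiableClient(
+ctx context.Context,
+sutCC grpc.ClientConnInterface,
+vppConn vpphelper.Connection,
+) verifiableClient {
+return &ipsecVerifiableClient{
+ctx: ctx,
+vppConn: vppConn,
+NetworkServiceClient: client.NewClient(
+ctx,
+client.WithName("ipsecVerifiableClient"),
+client.WithClientConn(sutCC),
+client.WithAdditionalFunctionality(
+up.NewClient(ctx, vppConn),
+connectioncontext.NewClient(vppConn),
+ipsec.NewClient(vppConn, net.ParseIP(clientIP)),
+pinhole.NewClient(vppConn),
+),
+),
+}
+}
+
+func (v *ipsecVerifiableClient) VerifyConnection(conn *networkservice.Connection) error {
+for _, ip := range conn.GetContext().GetIpContext().GetDstIpAddrs() {
+if err := pingVpp(v.ctx, v.vppConn, ip); err != nil {
+return err
+}
+}
+return nil
+}
+
+func (v *ipsecVerifiableClient) VerifyClose(conn *networkservice.Connection) error {
+return nil
+}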
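Review bot: Both `VerifyConnection` methods only ping the peer addresses, so the test passes as long as any datapath comes up and never asserts that the datapath is the IPsec one this file exists to cover; if the chain ever negotiated a different mechanism the IPsec-specific coverage would silently disappear. A one-line guard at the top of each `VerifyConnection`, `if conn.GetMechanism().GetType() != ipsecapi.MECHANISM { return fmt.Errorf("unexpected mechanism %q", conn.GetMechanism().GetType()) }` (adding `fmt` to the imports), would pin it, on the assumption that the mechanism carried on the connection each side sees is the one it negotiated with the forwarder, which is worth confirming. `VerifyClose` on both types returns nil unconditionally; if that is intentional (the wireguard suite appears to do the same), a short comment saying so would stop the next reader from treating it as an omission.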
9 changes: 5 additions & 4 deletions internal/tests/suite_wireguard_test.go
@@ -1,4 +1,4 @@
// Copyright (c) 2020-2021 Cisco and/or its affiliates.
// Copyright (c) 2020-2022 Cisco and/or its affiliates.
//
// SPDX-License-Identifier: Apache-2.0
//
Expand All @@ -14,6 +14,7 @@
// See the License for the specific language governing permissions and
// limitations under the License.

// nolint:dupl
package tests

import (
Expand Down Expand Up @@ -51,7 +52,7 @@ func newWireguardVerifiableEndpoint(ctx context.Context,
prefix1, prefix2 *net.IPNet,
tokenGenerator token.GeneratorFunc,
vppConn vpphelper.Connection) verifiableEndpoint {
rv := &vxlanVerifiableEndpoint{
rv := &wireguardVerifiableEndpoint{
ctx: ctx,
vppConn: vppConn,
}
Expand Down Expand Up @@ -99,12 +100,12 @@ func newWireguardVerifiableClient(
sutCC grpc.ClientConnInterface,
vppConn vpphelper.Connection,
) verifiableClient {
return &vxlanVerifiableClient{
return &wireguardVerifiableClient{
ctx: ctx,
vppConn: vppConn,
NetworkServiceClient: client.NewClient(
ctx,
client.WithName("vxlanVerifiableClient"),
client.WithName("wireguardVerifiableClient"),
client.WithClientConn(sutCC),
client.WithAdditionalFunctionality(
up.NewClient(ctx, vppConn),
8 changes: 8 additions & 0 deletions internal/xconnectns/options.go
Expand Up @@ -37,6 +37,7 @@ type xconnOptions struct {
clientURL *url.URL
dialTimeout time.Duration
domain2Device map[string]string
prioriyMechanismList []string
statsOpts []stats.Option
cleanupOpts []cleanup.Option
vxlanOpts []vxlan.Option
Expand Down Expand Up @@ -115,6 +116,13 @@ func WithVxlanOptions(opts ...vxlan.Option) Option {
}
}

// WithPriorityMechanisms sets prioritymechanisms options
func WithPriorityMechanisms(priorityList []string) Option {
return func(o *xconnOptions) {
o.prioriyMechanismList = priorityList
}
}

// WithDialOptions sets dial options
func WithDialOptions(opts ...grpc.DialOption) Option {
return func(o *xconnOptions) {
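Review bot: The new field is misspelled, `prioriyMechanismList` (missing the t), in the `xconnOptions` struct and again in `WithPriorityMechanisms`, and the same spelling is carried into `internal/xconnectns/server.go` where it is read; renaming it to `priorityMechanismList` in all three places before it spreads further is cheap now. `WithPriorityMechanisms` also stores the caller's slice directly, so a later mutation of the slice passed from `main` would change the forwarder's priority list behind its back; `o.priorityMechanismList = append([]string(nil), priorityList...)` detaches it. The doc comment `// WithPriorityMechanisms sets prioritymechanisms options` would read better as `// WithPriorityMechanisms sets the ordered list of mechanism names to prefer`. The `xconnOptions` struct begins outside the first hunk.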
1 change: 1 addition & 0 deletions internal/xconnectns/server.go
Expand Up @@ -80,6 +80,7 @@ func NewServer(
vppforwarder.WithClientURL(xconnOpts.clientURL),
vppforwarder.WithDialTimeout(xconnOpts.dialTimeout),
vppforwarder.WithVlanDomain2Device(xconnOpts.domain2Device),
vppforwarder.WithPriorityMechanisms(xconnOpts.prioriyMechanismList),
vppforwarder.WithCleanupOptions(xconnOpts.cleanupOpts...),
vppforwarder.WithStatsOptions(xconnOpts.statsOpts...),
vppforwarder.WithVxlanOptions(xconnOpts.vxlanOpts...),
1 change: 1 addition & 0 deletions main.go
Expand Up @@ -248,6 +248,7 @@ func main() {
xconnectns.WithAuthorizeServer(authorize.NewServer(authorize.WithSpiffeIDConnectionMap(&spiffeIDConnMap))),
xconnectns.WithAuthorizeMonitorConnectionsServer(authmonitor.NewMonitorConnectionServer(authmonitor.WithSpiffeIDConnectionMap(&spiffeIDConnMap))),
xconnectns.WithVlanDomain2Device(deviceMap),
xconnectns.WithPriorityMechanisms(cfg.PriorityMechanisms),
xconnectns.WithClientURL(&cfg.ConnectTo),
xconnectns.WithDialTimeout(cfg.DialTimeout),
xconnectns.WithStatsOptions(statsOpts...),
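Review bot: `cfg.PriorityMechanisms` is handed to `xconnectns.WithPriorityMechanisms` without any check that the entries are mechanism names the forwarder knows, so a typo in the environment variable is, as far as this hunk shows, accepted silently and the operator gets the default ordering without knowing it. Unless the sdk-vpp option validates the list itself (worth checking), a log line at startup listing the configured names, or a comparison against the mechanism types registered in this binary, would make a bad value visible. `main` starts and ends outside the hunk.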
