Add IPSec mechanism

Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>

Dockerfile

@@ -1,4 +1,4 @@
-ARG VPP_VERSION=v22.06-rc0-150-gd38fa55fa
+ARG VPP_VERSION=v22.06-rc0-151-g1af463082
 FROM ghcr.io/edwarnicke/govpp/vpp:${VPP_VERSION} as go
 COPY --from=golang:1.18.2-buster /usr/local/go/ /go
 ENV PATH ${PATH}:/go/bin

internal/config/config.go

@@ -58,6 +58,7 @@ type Config struct {
 	PCIDriversPath      string        `default:"/sys/bus/pci/drivers" desc:"path to the PCI drivers directory" split_words:"true"`
 	CgroupPath          string        `default:"/host/sys/fs/cgroup/devices" desc:"path to the host cgroup directory" split_words:"true"`
 	VFIOPath            string        `default:"/host/dev/vfio" desc:"path to the host VFIO directory" split_words:"true"`
+	PriorityMechanisms  []string      `default:"" desc:"sets priorities for mechanisms" split_words:"true"`
 }
 
 // Process reads config from env

internal/tests/suite_combinatronics_test.go

@@ -41,6 +41,7 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
 
+	ipsecapi "github.com/networkservicemesh/api/pkg/api/networkservice/mechanisms/ipsec"
 	"github.com/networkservicemesh/api/pkg/api/networkservice/mechanisms/kernel"
 	"github.com/networkservicemesh/api/pkg/api/networkservice/mechanisms/memif"
 	"github.com/networkservicemesh/api/pkg/api/networkservice/mechanisms/vxlan"
@@ -86,6 +87,12 @@ func (f *ForwarderTestSuite) TestCombinations() {
 				f.vppServerConn,
 			)
 		},
+		ipsecapi.MECHANISM: func(ctx context.Context) verifiableEndpoint {
+			return newIpsecVerifiableEndpoint(ctx, prefix1, prefix2,
+				spiffejwt.TokenGeneratorFunc(f.x509source, f.config.MaxTokenLifetime),
+				f.vppServerConn,
+			)
+		},
 	}
 	clients := map[string]func(ctx context.Context) verifiableClient{
 		kernel.MECHANISM: func(ctx context.Context) verifiableClient {
@@ -111,13 +118,20 @@ func (f *ForwarderTestSuite) TestCombinations() {
 				f.vppClientConn,
 			)
 		},
+		ipsecapi.MECHANISM: func(ctx context.Context) verifiableClient {
+			return newIpsecVerifiableClient(ctx,
+				f.sutCC,
+				f.vppClientConn,
+			)
+		},
 	}
 
 	payloads := map[string][]string{
 		payload.IP: {
 			kernel.MECHANISM,
 			memif.MECHANISM,
 			wireguard.MECHANISM,
+			ipsecapi.MECHANISM,
 		},
 		payload.Ethernet: {
 			kernel.MECHANISM,
@@ -128,6 +142,7 @@ func (f *ForwarderTestSuite) TestCombinations() {
 	isRemote := map[string]bool{
 		wireguard.MECHANISM: true,
 		vxlan.MECHANISM:     true,
+		ipsecapi.MECHANISM:  true,
 	}
 	for _, pl := range []string{payload.Ethernet, payload.IP} {
 		payloadName := pl

internal/tests/suite_ipsec_test.go

@@ -0,0 +1,130 @@
+// Copyright (c) 2022 Cisco and/or its affiliates.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at:
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// nolint:dupl
+package tests
+
+import (
+	"context"
+	"net"
+
+	"github.com/edwarnicke/vpphelper"
+	"google.golang.org/grpc"
+
+	"github.com/networkservicemesh/api/pkg/api/networkservice"
+	ipsecapi "github.com/networkservicemesh/api/pkg/api/networkservice/mechanisms/ipsec"
+
+	"github.com/networkservicemesh/sdk/pkg/networkservice/chains/client"
+	"github.com/networkservicemesh/sdk/pkg/networkservice/chains/endpoint"
+	"github.com/networkservicemesh/sdk/pkg/networkservice/common/authorize"
+	"github.com/networkservicemesh/sdk/pkg/networkservice/common/mechanisms"
+	"github.com/networkservicemesh/sdk/pkg/networkservice/ipam/point2pointipam"
+	"github.com/networkservicemesh/sdk/pkg/networkservice/utils/metadata"
+	"github.com/networkservicemesh/sdk/pkg/tools/token"
+
+	"github.com/networkservicemesh/sdk-vpp/pkg/networkservice/connectioncontext"
+	"github.com/networkservicemesh/sdk-vpp/pkg/networkservice/mechanisms/ipsec"
+	"github.com/networkservicemesh/sdk-vpp/pkg/networkservice/pinhole"
+	"github.com/networkservicemesh/sdk-vpp/pkg/networkservice/up"
+)
+
+type ipsecVerifiableEndpoint struct {
+	ctx     context.Context
+	vppConn vpphelper.Connection
+	endpoint.Endpoint
+}
+
+func newIpsecVerifiableEndpoint(ctx context.Context,
+	prefix1, prefix2 *net.IPNet,
+	tokenGenerator token.GeneratorFunc,
+	vppConn vpphelper.Connection) verifiableEndpoint {
+	rv := &ipsecVerifiableEndpoint{
+		ctx:     ctx,
+		vppConn: vppConn,
+	}
+	name := "ipsecVerifiableEndpoint"
+	rv.Endpoint = endpoint.NewServer(ctx,
+		tokenGenerator,
+		endpoint.WithName(name),
+		endpoint.WithAuthorizeServer(authorize.NewServer()),
+		endpoint.WithAdditionalFunctionality(
+			metadata.NewServer(),
+			point2pointipam.NewServer(prefix1),
+			point2pointipam.NewServer(prefix2),
+			up.NewServer(ctx, vppConn),
+			pinhole.NewServer(vppConn),
+			connectioncontext.NewServer(vppConn),
+			mechanisms.NewServer(map[string]networkservice.NetworkServiceServer{
+				ipsecapi.MECHANISM: ipsec.NewServer(vppConn, net.ParseIP(serverIP)),
+			}),
+		),
+	)
+	return rv
+}
+
+func (v *ipsecVerifiableEndpoint) VerifyConnection(conn *networkservice.Connection) error {
+	for _, ip := range conn.GetContext().GetIpContext().GetSrcIpAddrs() {
+		if err := pingVpp(v.ctx, v.vppConn, ip); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (v *ipsecVerifiableEndpoint) VerifyClose(conn *networkservice.Connection) error {
+	return nil
+}
+
+type ipsecVerifiableClient struct {
+	ctx     context.Context
+	vppConn vpphelper.Connection
+	networkservice.NetworkServiceClient
+}
+
+func newIpsecVerifiableClient(
+	ctx context.Context,
+	sutCC grpc.ClientConnInterface,
+	vppConn vpphelper.Connection,
+) verifiableClient {
+	return &ipsecVerifiableClient{
+		ctx:     ctx,
+		vppConn: vppConn,
+		NetworkServiceClient: client.NewClient(
+			ctx,
+			client.WithName("ipsecVerifiableClient"),
+			client.WithClientConn(sutCC),
+			client.WithAdditionalFunctionality(
+				up.NewClient(ctx, vppConn),
+				connectioncontext.NewClient(vppConn),
+				ipsec.NewClient(vppConn, net.ParseIP(clientIP)),
+				pinhole.NewClient(vppConn),
+			),
+		),
+	}
+}
+
+func (v *ipsecVerifiableClient) VerifyConnection(conn *networkservice.Connection) error {
+	for _, ip := range conn.GetContext().GetIpContext().GetDstIpAddrs() {
+		if err := pingVpp(v.ctx, v.vppConn, ip); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (v *ipsecVerifiableClient) VerifyClose(conn *networkservice.Connection) error {
+	return nil
+}

internal/tests/suite_wireguard_test.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2020-2021 Cisco and/or its affiliates.
+// Copyright (c) 2020-2022 Cisco and/or its affiliates.
 //
 // SPDX-License-Identifier: Apache-2.0
 //
@@ -14,6 +14,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+// nolint:dupl
 package tests
 
 import (
@@ -51,7 +52,7 @@ func newWireguardVerifiableEndpoint(ctx context.Context,
 	prefix1, prefix2 *net.IPNet,
 	tokenGenerator token.GeneratorFunc,
 	vppConn vpphelper.Connection) verifiableEndpoint {
-	rv := &vxlanVerifiableEndpoint{
+	rv := &wireguardVerifiableEndpoint{
 		ctx:     ctx,
 		vppConn: vppConn,
 	}
@@ -99,12 +100,12 @@ func newWireguardVerifiableClient(
 	sutCC grpc.ClientConnInterface,
 	vppConn vpphelper.Connection,
 ) verifiableClient {
-	return &vxlanVerifiableClient{
+	return &wireguardVerifiableClient{
 		ctx:     ctx,
 		vppConn: vppConn,
 		NetworkServiceClient: client.NewClient(
 			ctx,
-			client.WithName("vxlanVerifiableClient"),
+			client.WithName("wireguardVerifiableClient"),
 			client.WithClientConn(sutCC),
 			client.WithAdditionalFunctionality(
 				up.NewClient(ctx, vppConn),

internal/xconnectns/options.go

@@ -37,6 +37,7 @@ type xconnOptions struct {
 	clientURL                        *url.URL
 	dialTimeout                      time.Duration
 	domain2Device                    map[string]string
+	prioriyMechanismList             []string
 	statsOpts                        []stats.Option
 	cleanupOpts                      []cleanup.Option
 	vxlanOpts                        []vxlan.Option
@@ -115,6 +116,13 @@ func WithVxlanOptions(opts ...vxlan.Option) Option {
 	}
 }
 
+// WithPriorityMechanisms sets prioritymechanisms options
+func WithPriorityMechanisms(priorityList []string) Option {
+	return func(o *xconnOptions) {
+		o.prioriyMechanismList = priorityList
+	}
+}
+
 // WithDialOptions sets dial options
 func WithDialOptions(opts ...grpc.DialOption) Option {
 	return func(o *xconnOptions) {

internal/xconnectns/server.go

@@ -80,6 +80,7 @@ func NewServer(
 		vppforwarder.WithClientURL(xconnOpts.clientURL),
 		vppforwarder.WithDialTimeout(xconnOpts.dialTimeout),
 		vppforwarder.WithVlanDomain2Device(xconnOpts.domain2Device),
+		vppforwarder.WithPriorityMechanisms(xconnOpts.prioriyMechanismList),
 		vppforwarder.WithCleanupOptions(xconnOpts.cleanupOpts...),
 		vppforwarder.WithStatsOptions(xconnOpts.statsOpts...),
 		vppforwarder.WithVxlanOptions(xconnOpts.vxlanOpts...),

main.go

@@ -248,6 +248,7 @@ func main() {
 		xconnectns.WithAuthorizeServer(authorize.NewServer(authorize.WithSpiffeIDConnectionMap(&spiffeIDConnMap))),
 		xconnectns.WithAuthorizeMonitorConnectionsServer(authmonitor.NewMonitorConnectionServer(authmonitor.WithSpiffeIDConnectionMap(&spiffeIDConnMap))),
 		xconnectns.WithVlanDomain2Device(deviceMap),
+		xconnectns.WithPriorityMechanisms(cfg.PriorityMechanisms),
 		xconnectns.WithClientURL(&cfg.ConnectTo),
 		xconnectns.WithDialTimeout(cfg.DialTimeout),
 		xconnectns.WithStatsOptions(statsOpts...),