search

ligato / vpp-agent

⚡️ Control plane management agent for FD.io's VPP
https://docs.ligato.io/
Apache License 2.0
252 stars 125 forks source link

Optimize updating SAs in IPSec tunnels #1393

Closed ondrej-fabry closed 4 years ago

ondrej-fabry commented 5 years ago

When the IPSec tunnel is updated and only SA keys change, descriptor should only call relevant VPP binary API instead of recreating the tunnel.

Relevant VPP binary API:

https://github.com/ligato/vpp-agent/blob/018da1163250ae08893dbbfe4eb8055a44291a80/plugins/vpp/binapi/vpp1908/ipsec/ipsec.ba.go#L883-L884

VladoLavor commented 5 years ago

@ondrej-fabry In the current implementation, IPSec tunnel security associations are a part of the tunnel configuration model. The model is transformed to single binary API (for IPSec related configuration), so it will be always recreated. Also created SAs are with generated IDs, so if we change target inbound/outbound SA with the binary API mentioned, they will become "lost", since the ID is unknown to the VPP-Agent.

It seems the ipsec_tunnel_if_add_del call does not allow to define SA IDs.

One way I see here is to define SA IDs in the IPSecLink and postpone tunnel creation until they are available. In such a case, the tunnel can be updated with new SAs without recreating, while the change of the SA keys is not related to the IPSec tunnel (The tunnel only refers to the SAs).

Any thoughts here?

Also, VPP guys mentioned that the API can be used to assign SA to other interface types (I guess in transport mode?), but as far as I tried, it didn't work so I would not bother with it since it is not needed now.

ondrej-fabry commented 5 years ago

@VladoLavor Hmm, does the IpsecTunnelIfSetSa at least work for existing SAs when setting to some IPsec tunnel that was created normally?

VladoLavor commented 5 years ago

@ondrej-fabry Yes, it works with IPSec tunnels.

VladoLavor commented 5 years ago

@ondrej-fabry Did some more testing in the VPP, here is what I found:

Abandoned SAs, originally created together with the IPSec tunnel cannot be removed even using the VPP CLI - the VPP behaves as if those generated indexes do not exist. However, if the interface is set to different SAs, original ones can be still dumped - a kind of problem for the VPP-Agent which retrieves them during resync and tries to remove them, getting an error.

The possible solution would be to limit the SA index in the VPP-Agent and just ignore all above. Generated indexes start with 0x80000000, that provides a lot of free space for user-defined indexes.

Another problem is IPSec tunnel removal - the binary API does not want sw_if_index, but SAs definitions to remove the tunnel. So if IPSec tunnel is switched to different SAs, it cannot be deleted using original ETCD data (unless it knows the current SA index to replace them).

Also, SA cannot be removed if it is a part of the tunnel.

ondrej-fabry commented 5 years ago

We might have to check with Neale about this. I see some commits in ipsec that might be relevant here. Especially this one: https://github.com/FDio/vpp/commit/2f0522008ca168e5fff5d754e2ca280ef9366d58#diff-760bd5f6d8f4b83c8c4cd8ace7617aa1