vpnaas: add support for more ciphers (auth, encryption, pfs modes)
Encryption algorithms: add AES-CCM and AES-GCM mode variants for 128/192/256-bit keys and 8/12/16-octet ICVs. Auth algorithms: add aes-xcbc and aes-cmac. PFS: add Diffie-Hellman groups 15 to 31. Related-Bug: #1938284 Change-Id: Iba86fe9a1bbf88223b57a45fb89349c6b1858015
This commit is contained in:
parent
bdebe1de3c
commit
b7598dab47
|
@ -2007,7 +2007,8 @@ audited:
|
|||
auth_algorithm:
|
||||
description: |
|
||||
The authentication hash algorithm. Valid values
|
||||
are ``sha1``, ``sha256``, ``sha384``, ``sha512``.
|
||||
are ``sha1``, ``sha256``, ``sha384``, ``sha512``, ``aes-xcbc``,
|
||||
``aes-cmac``.
|
||||
The default is ``sha1``.
|
||||
in: body
|
||||
required: false
|
||||
|
@ -3029,7 +3030,10 @@ encapsulation_mode:
|
|||
encryption_algorithm:
|
||||
description: |
|
||||
The encryption algorithm. A valid value is
|
||||
``3des``, ``aes-128``, ``aes-192``, ``aes-256``, and so on.
|
||||
``3des``, ``aes-128``, ``aes-192``, ``aes-256``. Additional values for AES
|
||||
CCM and GCM modes are defined (e.g. ``aes-256-ccm-16``, ``aes-256-gcm-16``)
|
||||
for all combinations of key length 128, 192, 256 bits and ICV length
|
||||
8, 12, 16 octets.
|
||||
Default is ``aes-128``.
|
||||
in: body
|
||||
required: false
|
||||
|
@ -5197,7 +5201,7 @@ peer_id:
|
|||
pfs:
|
||||
description: |
|
||||
Perfect forward secrecy (PFS). A valid value is
|
||||
``Group2``, ``Group5``, ``Group14``, and so on. Default is
|
||||
``Group2``, ``Group5``, ``Group14`` to ``Group31``. Default is
|
||||
``Group5``.
|
||||
in: body
|
||||
required: false
|
||||
|
|
|
@ -159,6 +159,7 @@ from neutron_lib.api.definitions import uplink_status_propagation
|
|||
from neutron_lib.api.definitions import vlan_filter
|
||||
from neutron_lib.api.definitions import vlantransparent
|
||||
from neutron_lib.api.definitions import vpn
|
||||
from neutron_lib.api.definitions import vpn_aes_ccm_gcm
|
||||
from neutron_lib.api.definitions import vpn_endpoint_groups
|
||||
from neutron_lib.api.definitions import vpn_flavors
|
||||
|
||||
|
@ -312,6 +313,7 @@ _ALL_API_DEFINITIONS = {
|
|||
vlan_filter,
|
||||
vlantransparent,
|
||||
vpn,
|
||||
vpn_aes_ccm_gcm,
|
||||
vpn_endpoint_groups,
|
||||
vpn_flavors,
|
||||
}
|
||||
|
|
|
@ -41,10 +41,48 @@ VPN_ENCRYPTION_ALGORITHM_3DES = '3des'
|
|||
VPN_ENCRYPTION_ALGORITHM_AES_128 = 'aes-128'
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_192 = 'aes-192'
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_256 = 'aes-256'
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_128_CCM_8 = 'aes-128-ccm-8'
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_192_CCM_8 = 'aes-192-ccm-8'
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_256_CCM_8 = 'aes-256-ccm-8'
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_128_CCM_12 = 'aes-128-ccm-12'
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_192_CCM_12 = 'aes-192-ccm-12'
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_256_CCM_12 = 'aes-256-ccm-12'
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_128_CCM_16 = 'aes-128-ccm-16'
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_192_CCM_16 = 'aes-192-ccm-16'
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_256_CCM_16 = 'aes-256-ccm-16'
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_128_GCM_8 = 'aes-128-gcm-8'
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_192_GCM_8 = 'aes-192-gcm-8'
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_256_GCM_8 = 'aes-256-gcm-8'
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_128_GCM_12 = 'aes-128-gcm-12'
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_192_GCM_12 = 'aes-192-gcm-12'
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_256_GCM_12 = 'aes-256-gcm-12'
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_128_GCM_16 = 'aes-128-gcm-16'
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_192_GCM_16 = 'aes-192-gcm-16'
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_256_GCM_16 = 'aes-256-gcm-16'
|
||||
|
||||
VPN_SUPPORTED_ENCRYPTION_ALGORITHMS = [
|
||||
VPN_ENCRYPTION_ALGORITHM_3DES, VPN_ENCRYPTION_ALGORITHM_AES_128,
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_192, VPN_ENCRYPTION_ALGORITHM_AES_256,
|
||||
VPN_ENCRYPTION_ALGORITHM_3DES,
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_128,
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_192,
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_256,
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_128_CCM_8,
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_192_CCM_8,
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_256_CCM_8,
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_128_CCM_12,
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_192_CCM_12,
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_256_CCM_12,
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_128_CCM_16,
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_192_CCM_16,
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_256_CCM_16,
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_128_GCM_8,
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_192_GCM_8,
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_256_GCM_8,
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_128_GCM_12,
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_192_GCM_12,
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_256_GCM_12,
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_128_GCM_16,
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_192_GCM_16,
|
||||
VPN_ENCRYPTION_ALGORITHM_AES_256_GCM_16,
|
||||
]
|
||||
|
||||
# VPN DPD action constants
|
||||
|
@ -88,9 +126,30 @@ VPN_SUPPORTED_LIFETIME_UNITS = [
|
|||
VPN_PFS_GROUP2 = 'group2'
|
||||
VPN_PFS_GROUP5 = 'group5'
|
||||
VPN_PFS_GROUP14 = 'group14'
|
||||
VPN_PFS_GROUP15 = 'group15'
|
||||
VPN_PFS_GROUP16 = 'group16'
|
||||
VPN_PFS_GROUP17 = 'group17'
|
||||
VPN_PFS_GROUP18 = 'group18'
|
||||
VPN_PFS_GROUP19 = 'group19'
|
||||
VPN_PFS_GROUP20 = 'group20'
|
||||
VPN_PFS_GROUP21 = 'group21'
|
||||
VPN_PFS_GROUP22 = 'group22'
|
||||
VPN_PFS_GROUP23 = 'group23'
|
||||
VPN_PFS_GROUP24 = 'group24'
|
||||
VPN_PFS_GROUP25 = 'group25'
|
||||
VPN_PFS_GROUP26 = 'group26'
|
||||
VPN_PFS_GROUP27 = 'group27'
|
||||
VPN_PFS_GROUP28 = 'group28'
|
||||
VPN_PFS_GROUP29 = 'group29'
|
||||
VPN_PFS_GROUP30 = 'group30'
|
||||
VPN_PFS_GROUP31 = 'group31'
|
||||
|
||||
VPN_SUPPORTED_PFSES = [
|
||||
VPN_PFS_GROUP2, VPN_PFS_GROUP5, VPN_PFS_GROUP14,
|
||||
VPN_PFS_GROUP2, VPN_PFS_GROUP5, VPN_PFS_GROUP14, VPN_PFS_GROUP15,
|
||||
VPN_PFS_GROUP16, VPN_PFS_GROUP17, VPN_PFS_GROUP18, VPN_PFS_GROUP19,
|
||||
VPN_PFS_GROUP20, VPN_PFS_GROUP21, VPN_PFS_GROUP22, VPN_PFS_GROUP23,
|
||||
VPN_PFS_GROUP24, VPN_PFS_GROUP25, VPN_PFS_GROUP26, VPN_PFS_GROUP27,
|
||||
VPN_PFS_GROUP28, VPN_PFS_GROUP29, VPN_PFS_GROUP30, VPN_PFS_GROUP31,
|
||||
]
|
||||
|
||||
# VPN IKE version constants
|
||||
|
@ -113,10 +172,13 @@ VPN_AUTH_ALGORITHM_SHA1 = 'sha1'
|
|||
VPN_AUTH_ALGORITHM_SHA256 = 'sha256'
|
||||
VPN_AUTH_ALGORITHM_SHA384 = 'sha384'
|
||||
VPN_AUTH_ALGORITHM_SHA512 = 'sha512'
|
||||
VPN_AUTH_ALGORITHM_AES_XCBC = 'aes-xcbc'
|
||||
VPN_AUTH_ALGORITHM_AES_CMAC = 'aes-cmac'
|
||||
|
||||
VPN_SUPPORTED_AUTH_ALGORITHMS = [
|
||||
VPN_AUTH_ALGORITHM_SHA1, VPN_AUTH_ALGORITHM_SHA256,
|
||||
VPN_AUTH_ALGORITHM_SHA384, VPN_AUTH_ALGORITHM_SHA512,
|
||||
VPN_AUTH_ALGORITHM_AES_XCBC, VPN_AUTH_ALGORITHM_AES_CMAC,
|
||||
]
|
||||
|
||||
# VPN phase1 negotiation mode constants
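Review bot: `VPN_PFS_GROUP22` and the neighbouring `VPN_PFS_GROUP23`/`VPN_PFS_GROUP24` in `VPN_SUPPORTED_PFSES` are the RFC 5114 MODP groups with a small prime-order subgroup; group 22 is a 1024-bit modulus that RFC 8247 lists as MUST NOT for IKEv2 (23 and 24 as SHOULD NOT), so accepting them as `pfs` values lets a tenant negotiate a DH strength well below the rest of the newly added range. Because an API value is hard to retract once published, consider leaving group 22 out of the list, or at minimum marking the three entries with a comment such as `# group22-24 (RFC 5114) are deprecated by RFC 8247; kept for interoperability only, never as a default` so that drivers and operators do not promote them. Separately, the CCM/GCM constants are AEAD modes, yet nothing in this module relates them to `VPN_SUPPORTED_AUTH_ALGORITHMS`; a comment stating that a separate integrity algorithm is not meaningful for these ESP ciphers, and that the `-8` variants carry only a 64-bit authentication tag, would guide the validation layer that consumes these lists, which is outside this hunk. The validator itself is not shown here, so whether AEAD plus `auth_algorithm` is rejected or silently ignored cannot be confirmed from this change.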
|
||||
|
|
|
@ -0,0 +1,27 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from neutron_lib.api.definitions import vpn
|
||||
|
||||
|
||||
ALIAS = 'vpn-aes-ccm-gcm'
|
||||
IS_SHIM_EXTENSION = True
|
||||
IS_STANDARD_ATTR_EXTENSION = False
|
||||
NAME = 'VPN support for AES CCM, GCM modes'
|
||||
DESCRIPTION = 'Add choices for encryption, auth and pfs'
|
||||
UPDATED_TIMESTAMP = '2023-10-24T11:00:00-00:00'
|
||||
RESOURCE_ATTRIBUTE_MAP = {}
|
||||
SUB_RESOURCE_ATTRIBUTE_MAP = {}
|
||||
ACTION_MAP = {}
|
||||
REQUIRED_EXTENSIONS = [vpn.ALIAS]
|
||||
OPTIONAL_EXTENSIONS = []
|
||||
ACTION_STATUS = {}
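Review bot: The module has no docstring and `DESCRIPTION` ("Add choices for encryption, auth and pfs") does not say what the alias actually signals; with `IS_SHIM_EXTENSION = True` and an empty `RESOURCE_ATTRIBUTE_MAP`, the extension can only advertise that the API layer accepts the wider value lists, not that a particular VPN driver can negotiate AES-CCM/GCM, AES-XCBC/CMAC or DH groups 15 to 31. Add a module docstring saying that the alias is a discovery marker for clients, that the accepted values are the ones in `neutron_lib.constants`, and that a policy using a value the backend does not implement is presumably rejected (or fails) at the driver rather than here — confirm against neutron-vpnaas. A short `DESCRIPTION` along the lines of `'Adds AES-CCM/GCM encryption, AES-XCBC/CMAC auth and DH groups 15-31 as accepted IKE/IPsec policy values'` would also help API users who only see the extension list.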
|
|
@ -0,0 +1,18 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from neutron_lib.api.definitions import vpn_aes_ccm_gcm
|
||||
from neutron_lib.tests.unit.api.definitions import base
|
||||
|
||||
|
||||
class VpnAesCcmGcmDefinitionTestCase(base.DefinitionBaseTestCase):
|
||||
extension_module = vpn_aes_ccm_gcm
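Review bot: The test class only inherits `base.DefinitionBaseTestCase`, which, given the shim definition it points at with empty attribute maps, can check little more than the module's shape; nothing asserts that the values this change advertises are actually present in `VPN_SUPPORTED_ENCRYPTION_ALGORITHMS`, `VPN_SUPPORTED_AUTH_ALGORITHMS` and `VPN_SUPPORTED_PFSES`. A drift in constants.py — a missing `aes-192-ccm-12` or a dropped group — would still pass this suite while the alias keeps promising those values. Add a method that pins the three lists against the matrix stated in the commit message (with `from neutron_lib import constants` added at the top of the file).
```python
class VpnAesCcmGcmDefinitionTestCase(base.DefinitionBaseTestCase):
    extension_module = vpn_aes_ccm_gcm

    def test_advertised_choices_are_registered(self):
        # The shim carries no attributes; what it advertises lives in the
        # constants lists, so pin the full matrix here.
        for key_len in (128, 192, 256):
            for mode in ('ccm', 'gcm'):
                for icv in (8, 12, 16):
                    self.assertIn(
                        'aes-%d-%s-%d' % (key_len, mode, icv),
                        constants.VPN_SUPPORTED_ENCRYPTION_ALGORITHMS)
        for auth in ('aes-xcbc', 'aes-cmac'):
            self.assertIn(auth, constants.VPN_SUPPORTED_AUTH_ALGORITHMS)
        for group in range(15, 32):
            self.assertIn('group%d' % group, constants.VPN_SUPPORTED_PFSES)
```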
|
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
features:
|
||||
- |
|
||||
Added support for more ciphers to the neutron-vpnaas API.
|
||||
Added encryption algorithms (AES CCM and AES GCM modes for 128/192/256
|
||||
bit keys and 8/12/16 octet ICVs, e.g. aes-256-ccm-16),
|
||||
authentication algorithms (AES-XCBC, AES-CMAC) and PFS choices
|
||||
(Diffie Hellman groups 15 to 31).
|