Release notes for VPP 23.02

More than 243 commits since the previous release, including 118 fixes.

Of particular importance, this release contains the fix for JIRA VPP-2307: CVE-2022-46397 FD.io VPP (Vector Packet Processor) IPSec generates a predictable IV in AES-CBC mode

Features

• Binary API Compiler for Python

  • Include comments in json (5d2346801)

• Plugins

  • AVF Device driver

    • Support generic flow (a6d16b713)

  • CNat

    • Add sctp support (f284c14c7)

  • Crypto - ipsecmb

    • Bump ipsecmb library to v1.3 (2a6f35f24)

  • DPDK

    • Add Intel QAT 200xx series support (a57549ad2)

  • HTTP

    • Support client connect (ee4172ef0)

  • Unicast Reverse Path forwarding

    • Add mode for specific fib index lookup (b3605eab5)

• VNET

  • Device Drivers

    • Add support for af-packet v2 (8b90d89b0)

  • IPSec

    • Introduce fast path ipv6 inbound matching (06abf2352)

    • Remove redundant policy array in fast path spd (14bf6a8fb)

    • New api for sa ips and ports updates (4117b24ac)

  • Segment Routing (IPv6 and MPLS)

    • SRv6 Path Tracing Midpoint behaviour (39d6deca5)

    • Srv6 path tracing api (b79d09bbf)

  • UDP

    • Add udp encap source port entropy support (5c801b362)

    • Explicit udp output node (8c1be054b)

    • Support for disabling tx csum (f8ee39ff7)

• VPP Comms Library

  • Add api to check if vcl disconnected from VPP (6ff8e90ed)

• VPP StrongSwan Daemon

  • Add plugin for VPP-swan (4e88e041a)

  • Add scripts for testing (95875774b)

Known issues

For the full list of issues please refer to fd.io JIRA.

Fixed issues

For the full list of fixed issues please refer to: - fd.io JIRA - git commit log

API changes

Description of results:

• Definition changed: indicates that the API file was modified between releases.

• Only in image: indicates the API is new for this release.

• Only in file: indicates the API has been removed in this release.

Message Name	Result
bridge_domain_add_del_v2	only in image
bridge_domain_add_del_v2_reply	only in image
ipsec_sad_entry_update	only in image
ipsec_sad_entry_update_reply	only in image
nat44_del_user	only in file
nat44_del_user_reply	only in file
nat44_ei_user_session_v2_details	only in image
nat44_ei_user_session_v2_dump	only in image
nat44_user_session_v3_details	only in image
nat44_user_session_v3_dump	only in image
nat_get_addr_and_port_alloc_alg	only in file
nat_get_addr_and_port_alloc_alg_reply	only in file
nat_ha_flush	only in file
nat_ha_flush_reply	only in file
nat_ha_get_failover	only in file
nat_ha_get_failover_reply	only in file
nat_ha_get_listener	only in file
nat_ha_get_listener_reply	only in file
nat_ha_resync	only in file
nat_ha_resync_completed_event	only in file
nat_ha_resync_reply	only in file
nat_ha_set_failover	only in file
nat_ha_set_failover_reply	only in file
nat_ha_set_listener	only in file
nat_ha_set_listener_reply	only in file
nat_set_addr_and_port_alloc_alg	only in file
nat_set_addr_and_port_alloc_alg_reply	only in file
sr_localsids_with_packet_stats_details	only in image
sr_localsids_with_packet_stats_dump	only in image
sr_pt_iface_add	only in image
sr_pt_iface_add_reply	only in image
sr_pt_iface_del	only in image
sr_pt_iface_del_reply	only in image
sr_pt_iface_details	only in image
sr_pt_iface_dump	only in image
urpf_update_v2	only in image
urpf_update_v2_reply	only in image

Found 37 api message signature differences

Newly deprecated API messages

These messages are still there in the API, but can and probably will disappear in the next release.

• bridge_domain_add_del

• bridge_domain_add_del_reply

• create_vhost_user_if

• create_vhost_user_if_reply

• ipsec_spd_entry_add_del_reply

• modify_vhost_user_if

• modify_vhost_user_if_reply

In-progress API messages

These messages are provided for testing and experimentation only. They are not subject to any compatibility process, and therefore can arbitrarily change or disappear at any moment. Also they may have less than satisfactory testing, making them unsuitable for other use than the technology preview. If you are intending to use these messages in production projects, please collaborate with the feature maintainer on their productization.

• abf_itf_attach_add_del

• abf_itf_attach_add_del_reply

• abf_itf_attach_details

• abf_itf_attach_dump

• abf_plugin_get_version

• abf_plugin_get_version_reply

• abf_policy_add_del

• abf_policy_add_del_reply

• abf_policy_details

• abf_policy_dump

• acl_plugin_use_hash_lookup_get

• acl_plugin_use_hash_lookup_get_reply

• acl_plugin_use_hash_lookup_set

• acl_plugin_use_hash_lookup_set_reply

• adl_allowlist_enable_disable

• adl_allowlist_enable_disable_reply

• adl_interface_enable_disable

• adl_interface_enable_disable_reply

• cnat_get_snat_addresses

• cnat_get_snat_addresses_reply

• cnat_session_details

• cnat_session_dump

• cnat_session_purge

• cnat_session_purge_reply

• cnat_set_snat_addresses

• cnat_set_snat_addresses_reply

• cnat_set_snat_policy

• cnat_set_snat_policy_reply

• cnat_snat_policy_add_del_exclude_pfx

• cnat_snat_policy_add_del_exclude_pfx_reply

• cnat_snat_policy_add_del_if

• cnat_snat_policy_add_del_if_reply

• cnat_translation_del

• cnat_translation_del_reply

• cnat_translation_details

• cnat_translation_dump

• cnat_translation_update

• cnat_translation_update_reply

• crypto_sw_scheduler_set_worker

• crypto_sw_scheduler_set_worker_reply

• det44_get_timeouts_reply

• det44_interface_add_del_feature

• det44_interface_add_del_feature_reply

• det44_interface_details

• det44_interface_dump

• det44_plugin_enable_disable

• det44_plugin_enable_disable_reply

• det44_set_timeouts

• det44_set_timeouts_reply

• flow_add

• flow_add_reply

• flow_add_v2

• flow_add_v2_reply

• flow_del

• flow_del_reply

• flow_disable

• flow_disable_reply

• flow_enable

• flow_enable_reply

• flowprobe_get_params

• flowprobe_get_params_reply

• flowprobe_interface_add_del

• flowprobe_interface_add_del_reply

• flowprobe_interface_details

• flowprobe_interface_dump

• flowprobe_set_params

• flowprobe_set_params_reply

• gbp_bridge_domain_add

• gbp_bridge_domain_add_reply

• gbp_bridge_domain_del

• gbp_bridge_domain_del_reply

• gbp_bridge_domain_details

• gbp_bridge_domain_dump

• gbp_bridge_domain_dump_reply

• gbp_contract_add_del

• gbp_contract_add_del_reply

• gbp_contract_details

• gbp_contract_dump

• gbp_endpoint_add

• gbp_endpoint_add_reply

• gbp_endpoint_del

• gbp_endpoint_del_reply

• gbp_endpoint_details

• gbp_endpoint_dump

• gbp_endpoint_group_add

• gbp_endpoint_group_add_reply

• gbp_endpoint_group_del

• gbp_endpoint_group_del_reply

• gbp_endpoint_group_details

• gbp_endpoint_group_dump

• gbp_ext_itf_add_del

• gbp_ext_itf_add_del_reply

• gbp_ext_itf_details

• gbp_ext_itf_dump

• gbp_recirc_add_del

• gbp_recirc_add_del_reply

• gbp_recirc_details

• gbp_recirc_dump

• gbp_route_domain_add

• gbp_route_domain_add_reply

• gbp_route_domain_del

• gbp_route_domain_del_reply

• gbp_route_domain_details

• gbp_route_domain_dump

• gbp_route_domain_dump_reply

• gbp_subnet_add_del

• gbp_subnet_add_del_reply

• gbp_subnet_details

• gbp_subnet_dump

• gbp_vxlan_tunnel_add

• gbp_vxlan_tunnel_add_reply

• gbp_vxlan_tunnel_del

• gbp_vxlan_tunnel_del_reply

• gbp_vxlan_tunnel_details

• gbp_vxlan_tunnel_dump

• ikev2_child_sa_details

• ikev2_child_sa_dump

• ikev2_initiate_del_child_sa

• ikev2_initiate_del_child_sa_reply

• ikev2_initiate_del_ike_sa

• ikev2_initiate_del_ike_sa_reply

• ikev2_initiate_rekey_child_sa

• ikev2_initiate_rekey_child_sa_reply

• ikev2_initiate_sa_init

• ikev2_initiate_sa_init_reply

• ikev2_nonce_get

• ikev2_nonce_get_reply

• ikev2_profile_add_del

• ikev2_profile_add_del_reply

• ikev2_profile_details

• ikev2_profile_disable_natt

• ikev2_profile_disable_natt_reply

• ikev2_profile_dump

• ikev2_profile_set_auth

• ikev2_profile_set_auth_reply

• ikev2_profile_set_id

• ikev2_profile_set_id_reply

• ikev2_profile_set_ipsec_udp_port

• ikev2_profile_set_ipsec_udp_port_reply

• ikev2_profile_set_liveness

• ikev2_profile_set_liveness_reply

• ikev2_profile_set_ts

• ikev2_profile_set_ts_reply

• ikev2_profile_set_udp_encap

• ikev2_profile_set_udp_encap_reply

• ikev2_sa_details

• ikev2_sa_dump

• ikev2_set_esp_transforms

• ikev2_set_esp_transforms_reply

• ikev2_set_ike_transforms

• ikev2_set_ike_transforms_reply

• ikev2_set_local_key

• ikev2_set_local_key_reply

• ikev2_set_responder

• ikev2_set_responder_hostname

• ikev2_set_responder_hostname_reply

• ikev2_set_responder_reply

• ikev2_set_sa_lifetime

• ikev2_set_sa_lifetime_reply

• ikev2_set_tunnel_interface

• ikev2_set_tunnel_interface_reply

• ikev2_traffic_selector_details

• ikev2_traffic_selector_dump

• ip_route_add_del_v2

• ip_route_add_del_v2_reply

• ip_route_lookup_v2

• ip_route_lookup_v2_reply

• ip_route_v2_details

• ip_route_v2_dump

• l2_emulation

• l2_emulation_reply

• lcp_default_ns_get_reply

• lcp_default_ns_set

• lcp_default_ns_set_reply

• lcp_itf_pair_add_del

• lcp_itf_pair_add_del_reply

• lcp_itf_pair_add_del_v2

• lcp_itf_pair_details

• mdata_enable_disable

• mdata_enable_disable_reply

• nat44_ei_add_del_address_range

• nat44_ei_add_del_address_range_reply

• nat44_ei_add_del_static_mapping

• nat44_ei_add_del_static_mapping_reply

• nat44_ei_address_details

• nat44_ei_address_dump

• nat44_ei_del_session

• nat44_ei_del_session_reply

• nat44_ei_del_user

• nat44_ei_del_user_reply

• nat44_ei_forwarding_enable_disable

• nat44_ei_forwarding_enable_disable_reply

• nat44_ei_ha_flush

• nat44_ei_ha_flush_reply

• nat44_ei_ha_resync

• nat44_ei_ha_resync_completed_event

• nat44_ei_ha_resync_reply

• nat44_ei_ha_set_failover

• nat44_ei_ha_set_failover_reply

• nat44_ei_ha_set_listener

• nat44_ei_ha_set_listener_reply

• nat44_ei_interface_add_del_feature

• nat44_ei_interface_add_del_feature_reply

• nat44_ei_interface_details

• nat44_ei_interface_dump

• nat44_ei_ipfix_enable_disable

• nat44_ei_ipfix_enable_disable_reply

• nat44_ei_plugin_enable_disable

• nat44_ei_plugin_enable_disable_reply

• nat44_ei_set_addr_and_port_alloc_alg

• nat44_ei_set_addr_and_port_alloc_alg_reply

• nat44_ei_set_fq_options

• nat44_ei_set_fq_options_reply

• nat44_ei_set_mss_clamping

• nat44_ei_set_mss_clamping_reply

• nat44_ei_set_timeouts

• nat44_ei_set_timeouts_reply

• nat44_ei_set_workers

• nat44_ei_set_workers_reply

• nat44_ei_show_fq_options

• nat44_ei_show_fq_options_reply

• nat44_ei_show_running_config

• nat44_ei_show_running_config_reply

• nat44_ei_static_mapping_details

• nat44_ei_static_mapping_dump

• nat44_ei_user_details

• nat44_ei_user_dump

• nat44_ei_user_session_details

• nat44_ei_user_session_dump

• nat44_ei_user_session_v2_details

• nat44_ei_user_session_v2_dump

• nat44_ei_worker_details

• nat44_ei_worker_dump

• nat64_plugin_enable_disable

• nat64_plugin_enable_disable_reply

• oddbuf_enable_disable

• oddbuf_enable_disable_reply

• pg_interface_enable_disable_coalesce

• pg_interface_enable_disable_coalesce_reply

• pnat_binding_add

• pnat_binding_add_reply

• pnat_binding_add_v2

• pnat_binding_add_v2_reply

• pnat_binding_attach

• pnat_binding_attach_reply

• pnat_binding_del

• pnat_binding_del_reply

• pnat_binding_detach

• pnat_binding_detach_reply

• pnat_bindings_details

• pnat_bindings_get

• pnat_bindings_get_reply

• pnat_interfaces_details

• pnat_interfaces_get

• pnat_interfaces_get_reply

• sample_macswap_enable_disable

• sample_macswap_enable_disable_reply

• sr_localsids_with_packet_stats_details

• sr_localsids_with_packet_stats_dump

• sr_policies_with_sl_index_details

• sr_policies_with_sl_index_dump

• sw_interface_set_vxlan_gbp_bypass

• sw_interface_set_vxlan_gbp_bypass_reply

• test_addresses

• test_addresses2

• test_addresses2_reply

• test_addresses3

• test_addresses3_reply

• test_addresses_reply

• test_empty

• test_empty_reply

• test_enum

• test_enum_reply

• test_interface

• test_interface_reply

• test_prefix

• test_prefix_reply

• test_string

• test_string2

• test_string2_reply

• test_string_reply

• test_vla

• test_vla2

• test_vla2_reply

• test_vla3

• test_vla3_reply

• test_vla4

• test_vla4_reply

• test_vla5

• test_vla5_reply

• test_vla_reply

• trace_capture_packets

• trace_capture_packets_reply

• trace_clear_capture

• trace_clear_capture_reply

• trace_details

• trace_dump

• trace_dump_reply

• trace_set_filters

• trace_set_filters_reply

• vxlan_gbp_tunnel_add_del

• vxlan_gbp_tunnel_add_del_reply

• vxlan_gbp_tunnel_details

• vxlan_gbp_tunnel_dump

• want_wireguard_peer_events

• want_wireguard_peer_events_reply

• wg_set_async_mode

• wg_set_async_mode_reply

• wireguard_interface_create

• wireguard_interface_create_reply

• wireguard_interface_delete

• wireguard_interface_delete_reply

• wireguard_interface_details

• wireguard_interface_dump

• wireguard_peer_add

• wireguard_peer_add_reply

• wireguard_peer_event

• wireguard_peer_remove

• wireguard_peer_remove_reply

• wireguard_peers_details

• wireguard_peers_dump

Patches that changed API definitions

src/plugins/af_packet/af_packet.api

• bca76580b af_packet: move to plugin

src/plugins/vhost/vhost_user.api

• 7eba44d1e vhost: convert vhost device driver to a plugin

src/plugins/nat/nat44-ed/nat44_ed.api

• a923ce591 nat: cleanup of deprecated features

• 91246bc6a nat: report time between current vpp time and last_heard

src/plugins/nat/nat44-ei/nat44_ei.api

• 91246bc6a nat: report time between current vpp time and last_heard

src/plugins/urpf/urpf.api

• b3605eab5 urpf: add mode for specific fib index lookup

src/vnet/udp/udp.api

• 5c801b362 udp: add udp encap source port entropy support

src/vnet/ip/ip.api

• d92524687 vnet: fix ip4 version and IHL check

src/vnet/ipsec/ipsec.api

• 4117b24ac ipsec: new api for sa ips and ports updates

• 520cde406 ipsec: use correct reply message

src/vnet/srv6/sr_pt.api

• b79d09bbf sr: srv6 path tracing api

src/vnet/srv6/sr.api

• 9503eb59c sr: new messages created to return packet statistics in sr localsid details

src/vnet/l2/l2.api

• 0f8f4351b l2: Add bridge_domain_add_del_v2 to l2 api

src/vnet/bfd/bfd.api

• 415b6a7c7 bfd: fix bfd udp error enum incompatibility