Default values & bounds for SAs in Ipsec Policy #4180


Merged (5 commits, Jun 23, 2017)
7 changes: 5 additions & 2 deletions src/ResourceManager/Network/ChangeLog.md
Expand Up @@ -18,14 +18,17 @@
- Additional information about change #1
-->
## Current Release
* New-AzureRmIpsecPolicy: SALifeTimeSeconds and SADataSizeKilobytes are no longer mandatory parameters
   - SALifeTimeSeconds defaults to 27000 seconds
   - SADataSizeKilobytes defaults to 102400000 KB

## Version 4.1.0
* Get-AzureRmNetworkUsage: New cmdlet to show network usage and capacity details
* Added new GatewaySku options for VirtualNetworkGateways
- VpnGw1, VpnGw2, VpnGw3 are the new Skus added for Vpn gateways
* Set-AzureRmNetworkWatcherConfigFlowLog
* Fixed help examples

## Version 4.0.1

## Version 4.0.0
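Review bot: the changelog entry for New-AzureRmIpsecPolicy only records the new defaults, but the same change also adds ValidateRange bounds (300..172799 seconds for SALifeTimeSeconds, a 1024 KB minimum for SADataSizeKilobytes), which is a user-visible breaking change that BreakingChangeIssues.csv has to suppress. Add a third sub-bullet stating those bounds, e.g. `   - Values outside 300..172799 seconds or below 1024 KB are now rejected at parameter binding`, so users understand why a previously accepted value now fails before the PUT.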
Expand Down Expand Up @@ -115,4 +118,4 @@
    - Fixed issue where UseRemoteGateway property was not being populated in the request to the server
* Get-AzureRmEffectiveNetworkSecurityGroup
    - Add warning if there is no response from GetEffectiveNSG
* Add Source property to EffectiveRoute
* Add Source property to EffectiveRoute
Expand Up @@ -143,7 +143,7 @@ function Test-VirtualNetworkGatewayConnectionWithIpsecPoliciesCRUD
$rglocation = Get-ProviderLocation ResourceManagement
$resourceTypeParent = "Microsoft.Network/connections"
$location = Get-ProviderLocation $resourceTypeParent

try
{
# Create the resource group
Expand All @@ -167,8 +167,11 @@ function Test-VirtualNetworkGatewayConnectionWithIpsecPoliciesCRUD
$actual = New-AzureRmLocalNetworkGateway -ResourceGroupName $rgname -name $localnetName -location $location -AddressPrefix 192.168.0.0/16 -GatewayIpAddress 192.168.3.10
$localnetGateway = Get-AzureRmLocalNetworkGateway -ResourceGroupName $rgname -name $localnetName

# Create IpsecPolicy
$ipsecPolicy = New-AzureRmIpsecPolicy -SALifeTimeSeconds 300 -SADataSizeKilobytes 1024 -IpsecEncryption "GCMAES256" -IpsecIntegrity "GCMAES256" -IkeEncryption "AES256" -IkeIntegrity "SHA256" -DhGroup "DHGroup14" -PfsGroup "PFS2048"
# Create IpsecPolicy and test defaults creation
$ipsecPolicy = New-AzureRmIpsecPolicy -IpsecEncryption "GCMAES256" -IpsecIntegrity "GCMAES256" -IkeEncryption "AES256" -IkeIntegrity "SHA256" -DhGroup "DHGroup14" -PfsGroup "PFS2048"
Assert-AreEqual $ipsecPolicy.SALifeTimeSeconds 27000
Assert-AreEqual $ipsecPolicy.SADataSizeKilobytes 102400000
$ipsecPolicy = New-AzureRmIpsecPolicy -SALifeTimeSeconds 3000 -SADataSizeKilobytes 10000 -IpsecEncryption "GCMAES256" -IpsecIntegrity "GCMAES256" -IkeEncryption "AES256" -IkeIntegrity "SHA256" -DhGroup "DHGroup14" -PfsGroup "PFS2048"

# Create & Get VirtualNetworkGatewayConnection w/ policy based TS
$actual = New-AzureRmVirtualNetworkGatewayConnection -ResourceGroupName $rgname -name $vnetConnectionName -location $location -VirtualNetworkGateway1 $vnetGateway -LocalNetworkGateway2 $localnetGateway -ConnectionType IPsec -RoutingWeight 3 -SharedKey abc -EnableBgp $false -UsePolicyBasedTrafficSelectors $true -IpsecPolicies $ipsecPolicy
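Review bot: the defaulted policy is asserted but never sent to the service, because the next New-AzureRmIpsecPolicy call overwrites $ipsecPolicy with explicit SALifeTimeSeconds 3000 / SADataSizeKilobytes 10000 before the connection is created, and there is no negative case for the new bounds at all. Keep the defaulted policy in its own variable (or create the connection with it), and add an Assert-Throws check for an out-of-range value, e.g. `New-AzureRmIpsecPolicy -SALifeTimeSeconds 299 ...` and one with `-SADataSizeKilobytes 1023`, so the ValidateRange attributes are actually exercised by the test.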
786,359 changes: 784,881 additions & 1,478 deletions ...tworkGatewayConnectionTests/TestVirtualNetworkGatewayConnectionwithIpsecPoliciesCRUD.json


Expand Up @@ -22,15 +22,15 @@ namespace Microsoft.Azure.Commands.Network
public class NewAzureRmIpsecPolicyCommand : NetworkBaseCmdlet
{
[Parameter(
Mandatory = true,
Mandatory = false,
HelpMessage = "The IPSec Security Association (also called Quick Mode or Phase 2 SA) lifetime in seconds")]
[ValidateNotNullOrEmpty]
[ValidateRange(300, 172799)]
public int SALifeTimeSeconds { get; set; }

[Parameter(
Mandatory = true,
Mandatory = false,
HelpMessage = "The IPSec Security Association (also called Quick Mode or Phase 2 SA) payload size in KB")]
[ValidateNotNullOrEmpty]
[ValidateRange(1024, int.MaxValue)]
Member
@henry416 adding these ValidateRange attributes is a breaking change. Previously, if a user provided a value outside of the above range, what would happen?

Member Author
IPsec Policy is only used by the Put connection call. It would be rejected, as the backend would check the SA values and see they were out of bounds. There is no logic change overall.
This PR is meant to address complaints that 1) customers were surprised to see the policy get rejected on the Put call and wanted to see the policy get rejected when creating the object instead, and 2) customers wanted some default values to be set for unspecified SAs.

public int SADataSizeKilobytes { get; set; }

[Parameter(
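Review bot: the HelpMessage on both parameters should state the accepted range and the value applied when the parameter is omitted, because ValidateRange(300, 172799) and ValidateRange(1024, int.MaxValue) turn what used to be a service-side rejection on the PUT into a parameter-binding error whose text does not explain the bounds, and the defaults (27000 s and 102400000 KB) are only discoverable by reading Execute. Also, [ValidateNotNullOrEmpty] on a non-nullable int is a no-op and can be dropped now that ValidateRange does the real validation.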
Expand Down Expand Up @@ -125,8 +125,10 @@ public override void Execute()
base.Execute();
var ipsecPolicy = new PSIpsecPolicy();

ipsecPolicy.SALifeTimeSeconds = this.SALifeTimeSeconds;
ipsecPolicy.SADataSizeKilobytes = this.SADataSizeKilobytes;
// default SA values
ipsecPolicy.SALifeTimeSeconds = (!this.MyInvocation.BoundParameters.ContainsKey("SALifeTimeSeconds")) ? 27000 : this.SALifeTimeSeconds;
ipsecPolicy.SADataSizeKilobytes = (!this.MyInvocation.BoundParameters.ContainsKey("SADataSizeKilobytes")) ? 102400000 : this.SADataSizeKilobytes;

ipsecPolicy.IpsecEncryption = this.IpsecEncryption;
ipsecPolicy.IpsecIntegrity = this.IpsecIntegrity;
ipsecPolicy.IkeEncryption = this.IkeEncryption;
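Review bot: the defaulting in Execute keys on the string literals "SALifeTimeSeconds" and "SADataSizeKilobytes" in MyInvocation.BoundParameters, which silently stops defaulting if either parameter is ever renamed; use nameof(this.SALifeTimeSeconds) / nameof(this.SADataSizeKilobytes) if the project's language level allows it. The magic numbers 27000 and 102400000 now live in three places (cmdlet, changelog, test), so hoist them into named constants on the cmdlet (e.g. DefaultSALifeTimeSeconds) that the test can reference, or initialise the properties with those defaults and drop the ternaries altogether.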
4 changes: 3 additions & 1 deletion tools/StaticAnalysis/Exceptions/BreakingChangeIssues.csv
Expand Up @@ -37,4 +37,6 @@
"Microsoft.Azure.Commands.Network.dll","Microsoft.Azure.Commands.Network.StopAzureNetworkWatcherPacketCaptureCommand","Stop-AzureRmNetworkWatcherPacketCapture","0","2090","The ValidateNotNullOrEmpty attribute has been added to parameter 'NetworkWatcherName' for cmdlet 'Stop-AzureRmNetworkWatcherPacketCapture'.","Remove the ValidateNotNullOrEmpty attribute from parameter 'NetworkWatcherName'."
"Microsoft.Azure.Commands.Network.dll","Microsoft.Azure.Commands.Network.StopAzureNetworkWatcherPacketCaptureCommand","Stop-AzureRmNetworkWatcherPacketCapture","0","2090","The ValidateNotNullOrEmpty attribute has been added to parameter 'ResourceGroupName' for cmdlet 'Stop-AzureRmNetworkWatcherPacketCapture'.","Remove the ValidateNotNullOrEmpty attribute from parameter 'ResourceGroupName'."
"D:\workspace\powershell\src\Package\Debug\ResourceManager\AzureResourceManager\AzureRM.DataLakeAnalytics\Microsoft.Azure.Commands.DataLakeAnalytics.dll","Microsoft.Azure.Commands.DataLakeAnalytics.SubmitAzureDataLakeAnalyticsJob","Submit-AzureRmDataLakeAnalyticsJob","0","1050","The parameter set 'Submit job with script path for SQL-IP' for cmdlet 'Submit-AzureRmDataLakeAnalyticsJob' has been removed.","Add parameter set 'Submit job with script path for SQL-IP' back to cmdlet 'Submit-AzureRmDataLakeAnalyticsJob'."
"D:\workspace\powershell\src\Package\Debug\ResourceManager\AzureResourceManager\AzureRM.DataLakeAnalytics\Microsoft.Azure.Commands.DataLakeAnalytics.dll","Microsoft.Azure.Commands.DataLakeAnalytics.SubmitAzureDataLakeAnalyticsJob","Submit-AzureRmDataLakeAnalyticsJob","0","1050","The parameter set 'Submit SQL-IP Job' for cmdlet 'Submit-AzureRmDataLakeAnalyticsJob' has been removed.","Add parameter set 'Submit SQL-IP Job' back to cmdlet 'Submit-AzureRmDataLakeAnalyticsJob'."
"D:\workspace\powershell\src\Package\Debug\ResourceManager\AzureResourceManager\AzureRM.DataLakeAnalytics\Microsoft.Azure.Commands.DataLakeAnalytics.dll","Microsoft.Azure.Commands.DataLakeAnalytics.SubmitAzureDataLakeAnalyticsJob","Submit-AzureRmDataLakeAnalyticsJob","0","1050","The parameter set 'Submit SQL-IP Job' for cmdlet 'Submit-AzureRmDataLakeAnalyticsJob' has been removed.","Add parameter set 'Submit SQL-IP Job' back to cmdlet 'Submit-AzureRmDataLakeAnalyticsJob'."
"Microsoft.Azure.Commands.Network.dll","Microsoft.Azure.Commands.Network.NewAzureRmIpsecPolicyCommand","New-AzureRmIpsecPolicy","0","2150","A validate range has been added for parameter 'SALifeTimeSeconds' for cmdlet 'New-AzureRmIpsecPolicy'.","Remove the validate range from parameter 'SALifeTimeSeconds'."
"Microsoft.Azure.Commands.Network.dll","Microsoft.Azure.Commands.Network.NewAzureRmIpsecPolicyCommand","New-AzureRmIpsecPolicy","0","2150","A validate range has been added for parameter 'SADataSizeKilobytes' for cmdlet 'New-AzureRmIpsecPolicy'.","Remove the validate range from parameter 'SADataSizeKilobytes'."
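Review bot: the 'Submit SQL-IP Job' row appears twice with identical content in this hunk, which looks like a missing end-of-file newline being fixed rather than a duplicated exception entry; confirm that is what happened so the analyzer does not read the same exception twice. The two new 2150 entries deliberately suppress the breaking-change check for New-AzureRmIpsecPolicy, so the justification given in the comment thread (the service already rejects these values on the PUT) should be recorded in the PR description or changelog, otherwise the suppression is untraceable later.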