ipsec: Tunnel SA DSCP behaviour

Type: feature - use tunnel_encap_decap_flags to control the copying of DSCP/ECN/etc during IPSEC tunnel mode encap. - use DSCP value to have fixed encap value. Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: If4f51fd4c1dcbb0422aac9bd078e5c14af5bf11f
2020-01-02 04:06:10 +00:00
parent 62877029aa
commit 041add7d12
20 changed files with 664 additions and 72 deletions
--- a/test/test_ipsec_esp.py
+++ b/test/test_ipsec_esp.py
@ -2,6 +2,9 @@ import socket
 import unittest
 from scapy.layers.ipsec import ESP
 from scapy.layers.inet import IP, ICMP, UDP
+from scapy.layers.inet6 import IPv6
+from scapy.layers.l2 import Ether
+from scapy.packet import Raw

 from parameterized import parameterized
 from framework import VppTestRunner
@ -107,6 +110,7 @@ class ConfigIpsecESP(TemplateIpsec):
        addr_bcast = params.addr_bcast
        e = VppEnum.vl_api_ipsec_spd_action_t
        flags = params.flags
+        tun_flags = params.tun_flags
        salt = params.salt
        objs = []

@ -116,6 +120,8 @@ class ConfigIpsecESP(TemplateIpsec):
                                      self.vpp_esp_protocol,
                                      self.tun_if.local_addr[addr_type],
                                      self.tun_if.remote_addr[addr_type],
+                                      tun_flags=tun_flags,
+                                      dscp=params.dscp,
                                      flags=flags,
                                      salt=salt)
        params.tun_sa_out = VppIpsecSA(self, vpp_tun_sa_id, vpp_tun_spi,
@ -124,6 +130,8 @@ class ConfigIpsecESP(TemplateIpsec):
                                       self.vpp_esp_protocol,
                                       self.tun_if.remote_addr[addr_type],
                                       self.tun_if.local_addr[addr_type],
+                                       tun_flags=tun_flags,
+                                       dscp=params.dscp,
                                       flags=flags,
                                       salt=salt)
        objs.append(params.tun_sa_in)
@ -368,6 +376,91 @@ class TestIpsecEsp1(TemplateIpsecEsp, IpsecTra46Tests,
        self.tun4_encrypt_node_name = old_name


+class TestIpsecEspTun(TemplateIpsecEsp, IpsecTun46Tests):
+    """ Ipsec ESP - TUN encap tests """
+
+    def setUp(self):
+        self.ipv4_params = IPsecIPv4Params()
+        self.ipv6_params = IPsecIPv6Params()
+
+        c = (VppEnum.vl_api_tunnel_encap_decap_flags_t.
+             TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_DSCP)
+        c1 = c | (VppEnum.vl_api_tunnel_encap_decap_flags_t.
+                  TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_ECN)
+
+        self.ipv4_params.tun_flags = c
+        self.ipv6_params.tun_flags = c1
+
+        super(TestIpsecEspTun, self).setUp()
+
+    def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=54):
+        # set the DSCP + ECN - flags are set to copy only DSCP
+        return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
+                IP(src=src, dst=dst, tos=5) /
+                UDP(sport=4444, dport=4444) /
+                Raw(b'X' * payload_size)
+                for i in range(count)]
+
+    def gen_pkts6(self, sw_intf, src, dst, count=1, payload_size=54):
+        # set the DSCP + ECN - flags are set to copy both
+        return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
+                IPv6(src=src, dst=dst, tc=5) /
+                UDP(sport=4444, dport=4444) /
+                Raw(b'X' * payload_size)
+                for i in range(count)]
+
+    def verify_encrypted(self, p, sa, rxs):
+        # just check that only the DSCP is copied
+        for rx in rxs:
+            self.assertEqual(rx[IP].tos, 4)
+
+    def verify_encrypted6(self, p, sa, rxs):
+        # just check that the DSCP & ECN are copied
+        for rx in rxs:
+            self.assertEqual(rx[IPv6].tc, 5)
+
+
+class TestIpsecEspTun2(TemplateIpsecEsp, IpsecTun46Tests):
+    """ Ipsec ESP - TUN DSCP tests """
+
+    def setUp(self):
+        self.ipv4_params = IPsecIPv4Params()
+        self.ipv6_params = IPsecIPv6Params()
+
+        self.ipv4_params.dscp = VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF
+        self.ipv6_params.dscp = VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_AF11
+
+        super(TestIpsecEspTun2, self).setUp()
+
+    def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=54):
+        # set the DSCP + ECN - flags are set to copy only DSCP
+        return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
+                IP(src=src, dst=dst) /
+                UDP(sport=4444, dport=4444) /
+                Raw(b'X' * payload_size)
+                for i in range(count)]
+
+    def gen_pkts6(self, sw_intf, src, dst, count=1, payload_size=54):
+        # set the DSCP + ECN - flags are set to copy both
+        return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
+                IPv6(src=src, dst=dst) /
+                UDP(sport=4444, dport=4444) /
+                Raw(b'X' * payload_size)
+                for i in range(count)]
+
+    def verify_encrypted(self, p, sa, rxs):
+        # just check that only the DSCP is copied
+        for rx in rxs:
+            self.assertEqual(rx[IP].tos,
+                             VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF << 2)
+
+    def verify_encrypted6(self, p, sa, rxs):
+        # just check that the DSCP & ECN are copied
+        for rx in rxs:
+            self.assertEqual(rx[IPv6].tc,
+                             VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_AF11 << 2)
+
+
 class TestIpsecEsp2(TemplateIpsecEsp, IpsecTcpTests):
    """ Ipsec ESP - TCP tests """
    pass