ipsec: support 4o6 and 6o4 for tunnel protect

Type: feature

Change-Id: Ib2352ca4c7abf4645f21fa16aaaf27408890a2bf
Signed-off-by: Neale Ranns <nranns@cisco.com>
(cherry picked from commit b325983a4461dd806e86a31abc47533b09482157)
Neale Ranns
2019-09-27 13:32:02 +00:00
committed by Andrew Yourtchenko
parent 24f486cb56
commit 2e6d739344
3 changed files with 71 additions and 27 deletions


@ -630,6 +630,13 @@ VNET_FEATURE_INIT (esp4_encrypt_tun_feat_node, static) =
.runs_before = VNET_FEATURES ("adj-midchain-tx"), .runs_before = VNET_FEATURES ("adj-midchain-tx"),
}; };
VNET_FEATURE_INIT (esp6o4_encrypt_tun_feat_node, static) =
{
.arc_name = "ip6-output",
.node_name = "esp4-encrypt-tun",
.runs_before = VNET_FEATURES ("adj-midchain-tx"),
};
VNET_FEATURE_INIT (esp4_ethernet_encrypt_tun_feat_node, static) = VNET_FEATURE_INIT (esp4_ethernet_encrypt_tun_feat_node, static) =
{ {
.arc_name = "ethernet-output", .arc_name = "ethernet-output",
@ -667,6 +674,14 @@ VNET_FEATURE_INIT (esp6_encrypt_tun_feat_node, static) =
.node_name = "esp6-encrypt-tun", .node_name = "esp6-encrypt-tun",
.runs_before = VNET_FEATURES ("adj-midchain-tx"), .runs_before = VNET_FEATURES ("adj-midchain-tx"),
}; };
VNET_FEATURE_INIT (esp4o6_encrypt_tun_feat_node, static) =
{
.arc_name = "ip4-output",
.node_name = "esp6-encrypt-tun",
.runs_before = VNET_FEATURES ("adj-midchain-tx"),
};
/* *INDENT-ON* */ /* *INDENT-ON* */
typedef struct typedef struct
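Review bot: The two new registrations pair an arc of one address family with the encrypt node of the other (`ip6-output` → `esp4-encrypt-tun`, `ip4-output` → `esp6-encrypt-tun`), and nothing in the file says that the `6o4`/`4o6` suffix reads as inner-over-outer, so a reader skimming the table is likely to take them for copy-paste mistakes. A one-line comment above each would settle it, e.g. above `esp6o4_encrypt_tun_feat_node`: `/* IPv6 payload carried over an IPv4 ESP tunnel: run the IPv4 encrypt node on the ip6-output arc */`, and the mirror wording above `esp4o6_encrypt_tun_feat_node`. Both hunks are self-contained registration tables, so no surrounding logic is affected.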


@ -39,38 +39,29 @@ static int
ipsec_tun_protect_feature_set (ipsec_tun_protect_t * itp, u8 enable) ipsec_tun_protect_feature_set (ipsec_tun_protect_t * itp, u8 enable)
{ {
u32 sai = itp->itp_out_sa; u32 sai = itp->itp_out_sa;
int is_ip4, is_l2, rv; int rv;
is_ip4 = ip46_address_is_ip4 (&itp->itp_tun.src); const char *enc_node = (ip46_address_is_ip4 (&itp->itp_tun.src) ?
is_l2 = itp->itp_flags & IPSEC_PROTECT_L2; "esp4-encrypt-tun" : "esp6-encrypt-tun");
if (is_ip4) if (itp->itp_flags & IPSEC_PROTECT_L2)
{ {
if (is_l2) rv = vnet_feature_enable_disable ("ethernet-output",
rv = vnet_feature_enable_disable ("ethernet-output", enc_node,
"esp4-encrypt-tun", itp->itp_sw_if_index, enable,
itp->itp_sw_if_index, enable, &sai, sizeof (sai));
&sai, sizeof (sai));
else
rv = vnet_feature_enable_disable ("ip4-output",
"esp4-encrypt-tun",
itp->itp_sw_if_index, enable,
&sai, sizeof (sai));
} }
else else
{ {
if (is_l2) rv = vnet_feature_enable_disable ("ip4-output",
rv = vnet_feature_enable_disable ("ethernet-output", enc_node,
"esp6-encrypt-tun", itp->itp_sw_if_index, enable,
itp->itp_sw_if_index, enable, &sai, sizeof (sai));
&sai, sizeof (sai)); rv = vnet_feature_enable_disable ("ip6-output",
else enc_node,
rv = vnet_feature_enable_disable ("ip6-output", itp->itp_sw_if_index, enable,
"esp6-encrypt-tun", &sai, sizeof (sai));
itp->itp_sw_if_index, enable,
&sai, sizeof (sai));
} }
ASSERT (!rv); ASSERT (!rv);
return (rv); return (rv);
} }
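Review bot: In the non-L2 branch the return value of the `ip4-output` enable is thrown away, because `rv` is reassigned by the `ip6-output` call right after it, so a failure on the first arc is neither caught by the `ASSERT (!rv)` nor reported to the caller. With ASSERT compiled out in a release build the caller is told protection is in place on both arcs even if the IPv4 feature was never enabled, and IPv4 traffic over the tunnel would then presumably leave without traversing the ESP encrypt node. Keep the first failure instead of overwriting it: `int rv6 = vnet_feature_enable_disable ("ip6-output", enc_node, itp->itp_sw_if_index, enable, &sai, sizeof (sai));` followed by `rv = rv ? rv : rv6;`. This still attempts both arcs before reporting, which is what the disable path wants.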


@ -785,11 +785,17 @@ class TemplateIpsec4TunProtect(object):
p.tun_if.add_vpp_config() p.tun_if.add_vpp_config()
p.tun_if.admin_up() p.tun_if.admin_up()
p.tun_if.config_ip4() p.tun_if.config_ip4()
p.tun_if.config_ip6()
p.route = VppIpRoute(self, p.remote_tun_if_host, 32, p.route = VppIpRoute(self, p.remote_tun_if_host, 32,
[VppRoutePath(p.tun_if.remote_ip4, [VppRoutePath(p.tun_if.remote_ip4,
0xffffffff)]) 0xffffffff)])
p.route.add_vpp_config() p.route.add_vpp_config()
r = VppIpRoute(self, p.remote_tun_if_host6, 128,
[VppRoutePath(p.tun_if.remote_ip6,
0xffffffff,
proto=DpoProto.DPO_PROTO_IP6)])
r.add_vpp_config()
def unconfig_network(self, p): def unconfig_network(self, p):
p.route.remove_vpp_config() p.route.remove_vpp_config()
@ -831,6 +837,13 @@ class TestIpsec4TunProtect(TemplateIpsec,
c = p.tun_if.get_tx_stats() c = p.tun_if.get_tx_stats()
self.assertEqual(c['packets'], 127) self.assertEqual(c['packets'], 127)
self.vapi.cli("clear ipsec sa")
self.verify_tun_64(p, count=127)
c = p.tun_if.get_rx_stats()
self.assertEqual(c['packets'], 254)
c = p.tun_if.get_tx_stats()
self.assertEqual(c['packets'], 254)
# rekey - create new SAs and update the tunnel protection # rekey - create new SAs and update the tunnel protection
np = copy.copy(p) np = copy.copy(p)
np.crypt_key = 'X' + p.crypt_key[1:] np.crypt_key = 'X' + p.crypt_key[1:]
@ -847,9 +860,9 @@ class TestIpsec4TunProtect(TemplateIpsec,
self.verify_tun_44(np, count=127) self.verify_tun_44(np, count=127)
c = p.tun_if.get_rx_stats() c = p.tun_if.get_rx_stats()
self.assertEqual(c['packets'], 254) self.assertEqual(c['packets'], 381)
c = p.tun_if.get_tx_stats() c = p.tun_if.get_tx_stats()
self.assertEqual(c['packets'], 254) self.assertEqual(c['packets'], 381)
# teardown # teardown
self.unconfig_protect(np) self.unconfig_protect(np)
@ -1052,12 +1065,17 @@ class TemplateIpsec6TunProtect(object):
p.tun_if.add_vpp_config() p.tun_if.add_vpp_config()
p.tun_if.admin_up() p.tun_if.admin_up()
p.tun_if.config_ip6() p.tun_if.config_ip6()
p.tun_if.config_ip4()
p.route = VppIpRoute(self, p.remote_tun_if_host, 128, p.route = VppIpRoute(self, p.remote_tun_if_host, 128,
[VppRoutePath(p.tun_if.remote_ip6, [VppRoutePath(p.tun_if.remote_ip6,
0xffffffff, 0xffffffff,
proto=DpoProto.DPO_PROTO_IP6)]) proto=DpoProto.DPO_PROTO_IP6)])
p.route.add_vpp_config() p.route.add_vpp_config()
r = VppIpRoute(self, p.remote_tun_if_host4, 32,
[VppRoutePath(p.tun_if.remote_ip4,
0xffffffff)])
r.add_vpp_config()
def unconfig_network(self, p): def unconfig_network(self, p):
p.route.remove_vpp_config() p.route.remove_vpp_config()
@ -1167,6 +1185,26 @@ class TestIpsec6TunProtect(TemplateIpsec,
self.unconfig_sa(np3) self.unconfig_sa(np3)
self.unconfig_network(p) self.unconfig_network(p)
def test_tun_46(self):
"""IPSEC tunnel protect"""
p = self.ipv6_params
self.config_network(p)
self.config_sa_tra(p)
self.config_protect(p)
self.verify_tun_46(p, count=127)
c = p.tun_if.get_rx_stats()
self.assertEqual(c['packets'], 127)
c = p.tun_if.get_tx_stats()
self.assertEqual(c['packets'], 127)
# teardown
self.unconfig_protect(p)
self.unconfig_sa(p)
self.unconfig_network(p)
class TestIpsec6TunProtectTun(TemplateIpsec, class TestIpsec6TunProtectTun(TemplateIpsec,
TemplateIpsec6TunProtect, TemplateIpsec6TunProtect,