ligang/vpp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ipsec: add missing ipv6 ah code & ipv6 tests

Browse Source 
Change-Id: I89e90193ded1beb6cb0950c15737f9467efac1c3
Signed-off-by: Klement Sekera <ksekera@cisco.com>
This commit is contained in:
Klement Sekera
2018-09-26 11:19:00 +02:00
committed by Damjan Marion
parent 400ded3642
commit 611864f4bd
13 changed files with 654 additions and 346 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
src/vnet/ipsec/ah.h
View File

@ -49,6 +49,15 @@ typedef CLIB_PACKED (struct {
}) ip6_and_ah_header_t; }) ip6_and_ah_header_t;
/* *INDENT-ON* */ /* *INDENT-ON* */
always_inline u8
ah_calc_icv_padding_len (u8 icv_size, int is_ipv6)
{
ASSERT (0 == is_ipv6 || 1 == is_ipv6);
const u8 req_multiple = 4 + 4 * is_ipv6; // 4 for ipv4, 8 for ipv6
const u8 total_size = sizeof (ah_header_t) + icv_size;
return (req_multiple - total_size % req_multiple) % req_multiple;
}
#endif /* __AH_H__ */ #endif /* __AH_H__ */
/* /*

58
src/vnet/ipsec/ah_decrypt.c
View File

@ -112,6 +112,10 @@ ah_decrypt_node_fn (vlib_main_t * vm,
u8 ip_hdr_size = 0; u8 ip_hdr_size = 0;
u8 tos = 0; u8 tos = 0;
u8 ttl = 0; u8 ttl = 0;
u32 ip_version_traffic_class_and_flow_label = 0;
u8 hop_limit = 0;
u8 nexthdr = 0;
u8 icv_padding_len = 0;
i_bi0 = from[0]; i_bi0 = from[0];
@ -125,12 +129,29 @@ ah_decrypt_node_fn (vlib_main_t * vm,
to_next[0] = i_bi0; to_next[0] = i_bi0;
to_next += 1; to_next += 1;
ih4 = vlib_buffer_get_current (i_b0); ih4 = vlib_buffer_get_current (i_b0);
ip_hdr_size = ip4_header_bytes (ih4); ih6 = vlib_buffer_get_current (i_b0);
ah0 = (ah_header_t *) ((u8 *) ih4 + ip_hdr_size);
sa_index0 = vnet_buffer (i_b0)->ipsec.sad_index; sa_index0 = vnet_buffer (i_b0)->ipsec.sad_index;
sa0 = pool_elt_at_index (im->sad, sa_index0); sa0 = pool_elt_at_index (im->sad, sa_index0);
if ((ih4->ip_version_and_header_length & 0xF0) == 0x40)
{
ip_hdr_size = ip4_header_bytes (ih4);
ah0 = (ah_header_t *) ((u8 *) ih4 + ip_hdr_size);
}
else if ((ih4->ip_version_and_header_length & 0xF0) == 0x60)
{
ip6_ext_header_t *prev = NULL;
ip6_ext_header_find_t (ih6, prev, ah0, IP_PROTOCOL_IPSEC_AH);
ip_hdr_size = sizeof (ip6_header_t);
ASSERT ((u8 *) ah0 - (u8 *) ih6 == ip_hdr_size);
}
else
{
vlib_node_increment_counter (vm, ah_decrypt_node.index,
AH_DECRYPT_ERROR_NOT_IP, 1);
goto trace;
}
seq = clib_host_to_net_u32 (ah0->seq_no); seq = clib_host_to_net_u32 (ah0->seq_no);
/* anti-replay check */ /* anti-replay check */
//TODO UT remaining //TODO UT remaining
@ -164,9 +185,7 @@ ah_decrypt_node_fn (vlib_main_t * vm,
u8 digest[64]; u8 digest[64];
memset (sig, 0, sizeof (sig)); memset (sig, 0, sizeof (sig));
memset (digest, 0, sizeof (digest)); memset (digest, 0, sizeof (digest));
u8 *icv = u8 *icv = ah0->auth_data;
vlib_buffer_get_current (i_b0) + ip_hdr_size +
sizeof (ah_header_t);
memcpy (digest, icv, icv_size); memcpy (digest, icv, icv_size);
memset (icv, 0, icv_size); memset (icv, 0, icv_size);
@ -178,7 +197,20 @@ ah_decrypt_node_fn (vlib_main_t * vm,
ih4->ttl = 0; ih4->ttl = 0;
ih4->checksum = 0; ih4->checksum = 0;
ih4->flags_and_fragment_offset = 0; ih4->flags_and_fragment_offset = 0;
} //TODO else part for IPv6 icv_padding_len =
ah_calc_icv_padding_len (icv_size, 0 /* is_ipv6 */ );
}
else
{
ip_version_traffic_class_and_flow_label =
ih6->ip_version_traffic_class_and_flow_label;
hop_limit = ih6->hop_limit;
ih6->ip_version_traffic_class_and_flow_label = 0x60;
ih6->hop_limit = 0;
nexthdr = ah0->nexthdr;
icv_padding_len =
ah_calc_icv_padding_len (icv_size, 1 /* is_ipv6 */ );
}
hmac_calc (sa0->integ_alg, sa0->integ_key, sa0->integ_key_len, hmac_calc (sa0->integ_alg, sa0->integ_key, sa0->integ_key_len,
(u8 *) ih4, i_b0->current_length, sig, sa0->use_esn, (u8 *) ih4, i_b0->current_length, sig, sa0->use_esn,
sa0->seq_hi); sa0->seq_hi);
@ -204,9 +236,9 @@ ah_decrypt_node_fn (vlib_main_t * vm,
} }
vlib_buffer_advance (i_b0, vlib_buffer_advance (i_b0,
ip_hdr_size + sizeof (ah_header_t) + icv_size); ip_hdr_size + sizeof (ah_header_t) + icv_size +
icv_padding_len);
i_b0->flags |= VLIB_BUFFER_TOTAL_LENGTH_VALID; i_b0->flags |= VLIB_BUFFER_TOTAL_LENGTH_VALID;
/* transport mode */ /* transport mode */
@ -251,15 +283,15 @@ ah_decrypt_node_fn (vlib_main_t * vm,
{ {
if (PREDICT_FALSE (transport_ip6)) if (PREDICT_FALSE (transport_ip6))
{ {
ih6 =
(ip6_header_t *) (i_b0->data +
sizeof (ethernet_header_t));
vlib_buffer_advance (i_b0, -sizeof (ip6_header_t)); vlib_buffer_advance (i_b0, -sizeof (ip6_header_t));
oh6 = vlib_buffer_get_current (i_b0); oh6 = vlib_buffer_get_current (i_b0);
memmove (oh6, ih6, sizeof (ip6_header_t)); memmove (oh6, ih6, sizeof (ip6_header_t));
next0 = AH_DECRYPT_NEXT_IP6_INPUT; next0 = AH_DECRYPT_NEXT_IP6_INPUT;
oh6->protocol = ah0->nexthdr; oh6->protocol = nexthdr;
oh6->hop_limit = hop_limit;
oh6->ip_version_traffic_class_and_flow_label =
ip_version_traffic_class_and_flow_label;
oh6->payload_length = oh6->payload_length =
clib_host_to_net_u16 (vlib_buffer_length_in_chain clib_host_to_net_u16 (vlib_buffer_length_in_chain
(vm, i_b0) - sizeof (ip6_header_t)); (vm, i_b0) - sizeof (ip6_header_t));

29
src/vnet/ipsec/ah_encrypt.c
View File

@ -110,6 +110,8 @@ ah_encrypt_node_fn (vlib_main_t * vm,
u8 transport_mode = 0; u8 transport_mode = 0;
u8 tos = 0; u8 tos = 0;
u8 ttl = 0; u8 ttl = 0;
u8 hop_limit = 0;
u32 ip_version_traffic_class_and_flow_label = 0;
i_bi0 = from[0]; i_bi0 = from[0];
from += 1; from += 1;
@ -159,6 +161,8 @@ ah_encrypt_node_fn (vlib_main_t * vm,
icv_size = icv_size =
em->ipsec_proto_main_integ_algs[sa0->integ_alg].trunc_size; em->ipsec_proto_main_integ_algs[sa0->integ_alg].trunc_size;
const u8 padding_len = ah_calc_icv_padding_len (icv_size, is_ipv6);
adv -= padding_len;
/*transport mode save the eth header before it is overwritten */ /*transport mode save the eth header before it is overwritten */
if (PREDICT_FALSE (!sa0->is_tunnel)) if (PREDICT_FALSE (!sa0->is_tunnel))
{ {
@ -172,18 +176,18 @@ ah_encrypt_node_fn (vlib_main_t * vm,
vlib_buffer_advance (i_b0, adv - icv_size); vlib_buffer_advance (i_b0, adv - icv_size);
/* is ipv6 */
if (PREDICT_FALSE (is_ipv6)) if (PREDICT_FALSE (is_ipv6))
{ { /* is ipv6 */
ih6_0 = (ip6_and_ah_header_t *) ih0; ih6_0 = (ip6_and_ah_header_t *) ih0;
ip_hdr_size = sizeof (ip6_header_t); ip_hdr_size = sizeof (ip6_header_t);
oh6_0 = vlib_buffer_get_current (i_b0); oh6_0 = vlib_buffer_get_current (i_b0);
hop_limit = ih6_0->ip6.hop_limit;
ip_version_traffic_class_and_flow_label =
ih6_0->ip6.ip_version_traffic_class_and_flow_label;
if (PREDICT_TRUE (sa0->is_tunnel)) if (PREDICT_TRUE (sa0->is_tunnel))
{ {
next_hdr_type = IP_PROTOCOL_IPV6; next_hdr_type = IP_PROTOCOL_IPV6;
oh6_0->ip6.ip_version_traffic_class_and_flow_label =
ih6_0->ip6.ip_version_traffic_class_and_flow_label;
} }
else else
{ {
@ -192,12 +196,17 @@ ah_encrypt_node_fn (vlib_main_t * vm,
} }
oh6_0->ip6.protocol = IP_PROTOCOL_IPSEC_AH; oh6_0->ip6.protocol = IP_PROTOCOL_IPSEC_AH;
oh6_0->ip6.hop_limit = 254; oh6_0->ip6.hop_limit = 0;
oh6_0->ip6.ip_version_traffic_class_and_flow_label = 0x60;
oh6_0->ah.reserved = 0;
oh6_0->ah.nexthdr = next_hdr_type;
oh6_0->ah.spi = clib_net_to_host_u32 (sa0->spi); oh6_0->ah.spi = clib_net_to_host_u32 (sa0->spi);
oh6_0->ah.seq_no = clib_net_to_host_u32 (sa0->seq); oh6_0->ah.seq_no = clib_net_to_host_u32 (sa0->seq);
oh6_0->ip6.payload_length = oh6_0->ip6.payload_length =
clib_host_to_net_u16 (vlib_buffer_length_in_chain (vm, i_b0) - clib_host_to_net_u16 (vlib_buffer_length_in_chain (vm, i_b0) -
sizeof (ip6_header_t)); sizeof (ip6_header_t));
oh6_0->ah.hdrlen =
(sizeof (ah_header_t) + icv_size + padding_len) / 4 - 2;
} }
else else
{ {
@ -227,11 +236,11 @@ ah_encrypt_node_fn (vlib_main_t * vm,
oh0->ah.seq_no = clib_net_to_host_u32 (sa0->seq); oh0->ah.seq_no = clib_net_to_host_u32 (sa0->seq);
oh0->ip4.checksum = 0; oh0->ip4.checksum = 0;
oh0->ah.nexthdr = next_hdr_type; oh0->ah.nexthdr = next_hdr_type;
oh0->ah.hdrlen = 4; oh0->ah.hdrlen =
(sizeof (ah_header_t) + icv_size + padding_len) / 4 - 2;
} }
if (PREDICT_TRUE if (PREDICT_TRUE
(!is_ipv6 && sa0->is_tunnel && !sa0->is_tunnel_ip6)) (!is_ipv6 && sa0->is_tunnel && !sa0->is_tunnel_ip6))
{ {
@ -264,7 +273,8 @@ ah_encrypt_node_fn (vlib_main_t * vm,
u8 sig[64]; u8 sig[64];
memset (sig, 0, sizeof (sig)); memset (sig, 0, sizeof (sig));
u8 *digest = u8 *digest =
vlib_buffer_get_current (i_b0) + ip_hdr_size + icv_size; vlib_buffer_get_current (i_b0) + ip_hdr_size +
sizeof (ah_header_t);
memset (digest, 0, icv_size); memset (digest, 0, icv_size);
unsigned size = hmac_calc (sa0->integ_alg, sa0->integ_key, unsigned size = hmac_calc (sa0->integ_alg, sa0->integ_key,
@ -276,6 +286,9 @@ ah_encrypt_node_fn (vlib_main_t * vm,
memcpy (digest, sig, size); memcpy (digest, sig, size);
if (PREDICT_FALSE (is_ipv6)) if (PREDICT_FALSE (is_ipv6))
{ {
oh6_0->ip6.hop_limit = hop_limit;
oh6_0->ip6.ip_version_traffic_class_and_flow_label =
ip_version_traffic_class_and_flow_label;
} }
else else
{ {

34
src/vnet/ipsec/ipsec_input.c
View File

@ -348,13 +348,13 @@ VLIB_REGISTER_NODE (ipsec_input_ip4_node,static) = {
}; };
/* *INDENT-ON* */ /* *INDENT-ON* */
VLIB_NODE_FUNCTION_MULTIARCH (ipsec_input_ip4_node, ipsec_input_ip4_node_fn) VLIB_NODE_FUNCTION_MULTIARCH (ipsec_input_ip4_node, ipsec_input_ip4_node_fn);
static vlib_node_registration_t ipsec_input_ip6_node; static vlib_node_registration_t ipsec_input_ip6_node;
static uword static uword
ipsec_input_ip6_node_fn (vlib_main_t * vm, ipsec_input_ip6_node_fn (vlib_main_t * vm,
vlib_node_runtime_t * node, vlib_node_runtime_t * node,
vlib_frame_t * from_frame) vlib_frame_t * from_frame)
{ {
u32 n_left_from, *from, next_index, *to_next; u32 n_left_from, *from, next_index, *to_next;
ipsec_main_t *im = &ipsec_main; ipsec_main_t *im = &ipsec_main;
@ -379,6 +379,7 @@ VLIB_NODE_FUNCTION_MULTIARCH (ipsec_input_ip4_node, ipsec_input_ip4_node_fn)
ip4_ipsec_config_t *c0; ip4_ipsec_config_t *c0;
ipsec_spd_t *spd0; ipsec_spd_t *spd0;
ipsec_policy_t *p0 = 0; ipsec_policy_t *p0 = 0;
ah_header_t *ah0;
u32 header_size = sizeof (ip0[0]); u32 header_size = sizeof (ip0[0]);
bi0 = to_next[0] = from[0]; bi0 = to_next[0] = from[0];
@ -396,6 +397,7 @@ VLIB_NODE_FUNCTION_MULTIARCH (ipsec_input_ip4_node, ipsec_input_ip4_node_fn)
ip0 = vlib_buffer_get_current (b0); ip0 = vlib_buffer_get_current (b0);
esp0 = (esp_header_t *) ((u8 *) ip0 + header_size); esp0 = (esp_header_t *) ((u8 *) ip0 + header_size);
ah0 = (ah_header_t *) ((u8 *) ip0 + header_size);
if (PREDICT_TRUE (ip0->protocol == IP_PROTOCOL_IPSEC_ESP)) if (PREDICT_TRUE (ip0->protocol == IP_PROTOCOL_IPSEC_ESP))
{ {
@ -426,6 +428,26 @@ VLIB_NODE_FUNCTION_MULTIARCH (ipsec_input_ip4_node, ipsec_input_ip4_node_fn)
goto trace0; goto trace0;
} }
} }
else if (ip0->protocol == IP_PROTOCOL_IPSEC_AH)
{
p0 = ipsec_input_ip6_protect_policy_match (spd0,
&ip0->src_address,
&ip0->dst_address,
clib_net_to_host_u32
(ah0->spi));
if (PREDICT_TRUE (p0 != 0))
{
p0->counter.packets++;
p0->counter.bytes +=
clib_net_to_host_u16 (ip0->payload_length);
p0->counter.bytes += header_size;
vnet_buffer (b0)->ipsec.sad_index = p0->sa_index;
vnet_buffer (b0)->ipsec.flags = 0;
next0 = im->ah_decrypt_next_index;
goto trace0;
}
}
trace0: trace0:
if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED)) if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED))

24
test/framework.py
View File

@ -287,8 +287,7 @@ class VppTestCase(unittest.TestCase):
coredump_size, "}", "api-trace", "{", "on", "}", coredump_size, "}", "api-trace", "{", "on", "}",
"api-segment", "{", "prefix", cls.shm_prefix, "}", "api-segment", "{", "prefix", cls.shm_prefix, "}",
"cpu", "{", "main-core", str(cpu_core_number), "}", "cpu", "{", "main-core", str(cpu_core_number), "}",
"statseg", "{", "socket-name", "statseg", "{", "socket-name", cls.stats_sock, "}",
cls.tempdir + "/stats.sock", "}",
"plugins", "{", "plugin", "dpdk_plugin.so", "{", "plugins", "{", "plugin", "dpdk_plugin.so", "{",
"disable", "}", "plugin", "unittest_plugin.so", "disable", "}", "plugin", "unittest_plugin.so",
"{", "enable", "}", "}", ] "{", "enable", "}", "}", ]
@ -346,6 +345,13 @@ class VppTestCase(unittest.TestCase):
cls.wait_for_enter() cls.wait_for_enter()
@classmethod
def wait_for_stats_socket(cls):
deadline = time.time() + 3
while time.time() < deadline or cls.debug_gdb or cls.debug_gdbserver:
if os.path.exists(cls.stats_sock):
break
@classmethod @classmethod
def setUpClass(cls): def setUpClass(cls):
""" """
@ -360,6 +366,7 @@ class VppTestCase(unittest.TestCase):
cls.logger.name = cls.__name__ cls.logger.name = cls.__name__
cls.tempdir = tempfile.mkdtemp( cls.tempdir = tempfile.mkdtemp(
prefix='vpp-unittest-%s-' % cls.__name__) prefix='vpp-unittest-%s-' % cls.__name__)
cls.stats_sock = "%s/stats.sock" % cls.tempdir
cls.file_handler = FileHandler("%s/log.txt" % cls.tempdir) cls.file_handler = FileHandler("%s/log.txt" % cls.tempdir)
cls.file_handler.setFormatter( cls.file_handler.setFormatter(
Formatter(fmt='%(asctime)s,%(msecs)03d %(message)s', Formatter(fmt='%(asctime)s,%(msecs)03d %(message)s',
@ -391,14 +398,19 @@ class VppTestCase(unittest.TestCase):
cls.pump_thread = Thread(target=pump_output, args=(cls,)) cls.pump_thread = Thread(target=pump_output, args=(cls,))
cls.pump_thread.daemon = True cls.pump_thread.daemon = True
cls.pump_thread.start() cls.pump_thread.start()
cls.vapi = VppPapiProvider(cls.shm_prefix, cls.shm_prefix, cls) if cls.debug_gdb or cls.debug_gdbserver:
read_timeout = 0
else:
read_timeout = 5
cls.vapi = VppPapiProvider(cls.shm_prefix, cls.shm_prefix, cls,
read_timeout)
if cls.step: if cls.step:
hook = StepHook(cls) hook = StepHook(cls)
else: else:
hook = PollHook(cls) hook = PollHook(cls)
cls.vapi.register_hook(hook) cls.vapi.register_hook(hook)
cls.sleep(0.1, "after vpp startup, before initial poll") cls.wait_for_stats_socket()
cls.statistics = VPPStats(socketname=cls.tempdir+'/stats.sock') cls.statistics = VPPStats(socketname=cls.stats_sock)
try: try:
hook.poll_vpp() hook.poll_vpp()
except VppDiedError: except VppDiedError:
@ -459,7 +471,7 @@ class VppTestCase(unittest.TestCase):
cls.vpp.poll() cls.vpp.poll()
if cls.vpp.returncode is None: if cls.vpp.returncode is None:
cls.logger.debug("Sending TERM to vpp") cls.logger.debug("Sending TERM to vpp")
cls.vpp.terminate() cls.vpp.kill()
cls.logger.debug("Waiting for vpp to die") cls.logger.debug("Waiting for vpp to die")
cls.vpp.communicate() cls.vpp.communicate()
del cls.vpp del cls.vpp

288
test/template_ipsec.py
View File

File diff suppressed because it is too large Load Diff

190
test/test_ipsec_ah.py
View File

@ -37,8 +37,6 @@ class TemplateIpsecAh(TemplateIpsec):
--- decrypt --- plain --- --- decrypt --- plain ---
|pg0| -------> |VPP| ------> |pg1| |pg0| -------> |VPP| ------> |pg1|
--- --- --- --- --- ---
Note : IPv6 is not covered
""" """
encryption_type = AH encryption_type = AH
@ -49,100 +47,130 @@ class TemplateIpsecAh(TemplateIpsec):
cls.tun_if = cls.pg0 cls.tun_if = cls.pg0
cls.tra_if = cls.pg2 cls.tra_if = cls.pg2
cls.logger.info(cls.vapi.ppcli("show int addr")) cls.logger.info(cls.vapi.ppcli("show int addr"))
cls.config_ah_tra()
cls.logger.info(cls.vapi.ppcli("show ipsec"))
cls.config_ah_tun()
cls.logger.info(cls.vapi.ppcli("show ipsec"))
src4 = socket.inet_pton(socket.AF_INET, cls.remote_tun_if_host)
cls.vapi.ip_add_del_route(src4, 32, cls.tun_if.remote_ip4n)
@classmethod
def config_ah_tun(cls):
cls.vapi.ipsec_sad_add_del_entry(cls.scapy_tun_sa_id,
cls.scapy_tun_spi,
cls.auth_algo_vpp_id, cls.auth_key,
cls.crypt_algo_vpp_id,
cls.crypt_key, cls.vpp_ah_protocol,
cls.tun_if.local_ip4n,
cls.tun_if.remote_ip4n)
cls.vapi.ipsec_sad_add_del_entry(cls.vpp_tun_sa_id,
cls.vpp_tun_spi,
cls.auth_algo_vpp_id, cls.auth_key,
cls.crypt_algo_vpp_id,
cls.crypt_key, cls.vpp_ah_protocol,
cls.tun_if.remote_ip4n,
cls.tun_if.local_ip4n)
cls.vapi.ipsec_spd_add_del(cls.tun_spd_id) cls.vapi.ipsec_spd_add_del(cls.tun_spd_id)
cls.vapi.ipsec_interface_add_del_spd(cls.tun_spd_id, cls.vapi.ipsec_interface_add_del_spd(cls.tun_spd_id,
cls.tun_if.sw_if_index) cls.tun_if.sw_if_index)
l_startaddr = r_startaddr = socket.inet_pton(socket.AF_INET, "0.0.0.0")
l_stopaddr = r_stopaddr = socket.inet_pton(socket.AF_INET,
"255.255.255.255")
cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.vpp_tun_sa_id,
l_startaddr, l_stopaddr, r_startaddr,
r_stopaddr,
protocol=socket.IPPROTO_AH)
cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.vpp_tun_sa_id,
l_startaddr, l_stopaddr, r_startaddr,
r_stopaddr, is_outbound=0,
protocol=socket.IPPROTO_AH)
l_startaddr = l_stopaddr = socket.inet_pton(socket.AF_INET,
cls.remote_tun_if_host)
r_startaddr = r_stopaddr = cls.pg1.remote_ip4n
cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.vpp_tun_sa_id,
l_startaddr, l_stopaddr, r_startaddr,
r_stopaddr, priority=10, policy=3,
is_outbound=0)
cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id,
r_startaddr, r_stopaddr, l_startaddr,
l_stopaddr, priority=10, policy=3)
r_startaddr = r_stopaddr = cls.pg0.local_ip4n
cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.vpp_tun_sa_id,
l_startaddr, l_stopaddr, r_startaddr,
r_stopaddr, priority=20, policy=3,
is_outbound=0)
cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id,
r_startaddr, r_stopaddr, l_startaddr,
l_stopaddr, priority=20, policy=3)
@classmethod
def config_ah_tra(cls):
cls.vapi.ipsec_sad_add_del_entry(cls.scapy_tra_sa_id,
cls.scapy_tra_spi,
cls.auth_algo_vpp_id, cls.auth_key,
cls.crypt_algo_vpp_id,
cls.crypt_key, cls.vpp_ah_protocol,
is_tunnel=0)
cls.vapi.ipsec_sad_add_del_entry(cls.vpp_tra_sa_id,
cls.vpp_tra_spi,
cls.auth_algo_vpp_id, cls.auth_key,
cls.crypt_algo_vpp_id,
cls.crypt_key, cls.vpp_ah_protocol,
is_tunnel=0)
cls.vapi.ipsec_spd_add_del(cls.tra_spd_id) cls.vapi.ipsec_spd_add_del(cls.tra_spd_id)
cls.vapi.ipsec_interface_add_del_spd(cls.tra_spd_id, cls.vapi.ipsec_interface_add_del_spd(cls.tra_spd_id,
cls.tra_if.sw_if_index) cls.tra_if.sw_if_index)
l_startaddr = r_startaddr = socket.inet_pton(socket.AF_INET, "0.0.0.0") for _, p in cls.params.items():
l_stopaddr = r_stopaddr = socket.inet_pton(socket.AF_INET, cls.config_ah_tra(p)
"255.255.255.255") cls.logger.info(cls.vapi.ppcli("show ipsec"))
cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.vpp_tra_sa_id, for _, p in cls.params.items():
cls.config_ah_tun(p)
cls.logger.info(cls.vapi.ppcli("show ipsec"))
for _, p in cls.params.items():
src = socket.inet_pton(p.addr_type, p.remote_tun_if_host)
cls.vapi.ip_add_del_route(src, p.addr_len,
cls.tun_if.remote_addr_n[p.addr_type],
is_ipv6=p.is_ipv6)
@classmethod
def config_ah_tun(cls, params):
addr_type = params.addr_type
is_ipv6 = params.is_ipv6
scapy_tun_sa_id = params.scapy_tun_sa_id
scapy_tun_spi = params.scapy_tun_spi
vpp_tun_sa_id = params.vpp_tun_sa_id
vpp_tun_spi = params.vpp_tun_spi
auth_algo_vpp_id = params.auth_algo_vpp_id
auth_key = params.auth_key
crypt_algo_vpp_id = params.crypt_algo_vpp_id
crypt_key = params.crypt_key
remote_tun_if_host = params.remote_tun_if_host
addr_any = params.addr_any
addr_bcast = params.addr_bcast
cls.vapi.ipsec_sad_add_del_entry(scapy_tun_sa_id, scapy_tun_spi,
auth_algo_vpp_id, auth_key,
crypt_algo_vpp_id, crypt_key,
cls.vpp_ah_protocol,
cls.tun_if.local_addr_n[addr_type],
cls.tun_if.remote_addr_n[addr_type],
is_tunnel=1, is_tunnel_ipv6=is_ipv6)
cls.vapi.ipsec_sad_add_del_entry(vpp_tun_sa_id, vpp_tun_spi,
auth_algo_vpp_id, auth_key,
crypt_algo_vpp_id, crypt_key,
cls.vpp_ah_protocol,
cls.tun_if.remote_addr_n[addr_type],
cls.tun_if.local_addr_n[addr_type],
is_tunnel=1, is_tunnel_ipv6=is_ipv6)
l_startaddr = r_startaddr = socket.inet_pton(addr_type, addr_any)
l_stopaddr = r_stopaddr = socket.inet_pton(addr_type, addr_bcast)
cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, vpp_tun_sa_id,
l_startaddr, l_stopaddr, r_startaddr, l_startaddr, l_stopaddr, r_startaddr,
r_stopaddr, r_stopaddr, is_ipv6=is_ipv6,
protocol=socket.IPPROTO_AH) protocol=socket.IPPROTO_AH)
cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.scapy_tra_sa_id, cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, vpp_tun_sa_id,
l_startaddr, l_stopaddr, r_startaddr, l_startaddr, l_stopaddr, r_startaddr,
r_stopaddr, is_outbound=0, r_stopaddr, is_outbound=0,
is_ipv6=is_ipv6,
protocol=socket.IPPROTO_AH) protocol=socket.IPPROTO_AH)
l_startaddr = l_stopaddr = cls.tra_if.local_ip4n l_startaddr = l_stopaddr = socket.inet_pton(addr_type,
r_startaddr = r_stopaddr = cls.tra_if.remote_ip4n remote_tun_if_host)
cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.vpp_tra_sa_id, r_startaddr = r_stopaddr = cls.pg1.remote_addr_n[addr_type]
cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, vpp_tun_sa_id,
l_startaddr, l_stopaddr, r_startaddr, l_startaddr, l_stopaddr, r_startaddr,
r_stopaddr, priority=10, policy=3, r_stopaddr, priority=10, policy=3,
is_outbound=0) is_outbound=0, is_ipv6=is_ipv6)
cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.scapy_tra_sa_id, cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, scapy_tun_sa_id,
r_startaddr, r_stopaddr, l_startaddr,
l_stopaddr, priority=10, policy=3,
is_ipv6=is_ipv6)
r_startaddr = r_stopaddr = cls.pg0.local_addr_n[addr_type]
cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, vpp_tun_sa_id,
l_startaddr, l_stopaddr, r_startaddr,
r_stopaddr, priority=20, policy=3,
is_outbound=0, is_ipv6=is_ipv6)
cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, scapy_tun_sa_id,
r_startaddr, r_stopaddr, l_startaddr,
l_stopaddr, priority=20, policy=3,
is_ipv6=is_ipv6)
@classmethod
def config_ah_tra(cls, params):
addr_type = params.addr_type
is_ipv6 = params.is_ipv6
scapy_tra_sa_id = params.scapy_tra_sa_id
scapy_tra_spi = params.scapy_tra_spi
vpp_tra_sa_id = params.vpp_tra_sa_id
vpp_tra_spi = params.vpp_tra_spi
auth_algo_vpp_id = params.auth_algo_vpp_id
auth_key = params.auth_key
crypt_algo_vpp_id = params.crypt_algo_vpp_id
crypt_key = params.crypt_key
addr_any = params.addr_any
addr_bcast = params.addr_bcast
cls.vapi.ipsec_sad_add_del_entry(scapy_tra_sa_id, scapy_tra_spi,
auth_algo_vpp_id, auth_key,
crypt_algo_vpp_id, crypt_key,
cls.vpp_ah_protocol, is_tunnel=0,
is_tunnel_ipv6=0)
cls.vapi.ipsec_sad_add_del_entry(vpp_tra_sa_id, vpp_tra_spi,
auth_algo_vpp_id, auth_key,
crypt_algo_vpp_id, crypt_key,
cls.vpp_ah_protocol, is_tunnel=0,
is_tunnel_ipv6=0)
l_startaddr = r_startaddr = socket.inet_pton(addr_type, addr_any)
l_stopaddr = r_stopaddr = socket.inet_pton(addr_type, addr_bcast)
cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, vpp_tra_sa_id,
l_startaddr, l_stopaddr, r_startaddr,
r_stopaddr, is_ipv6=is_ipv6,
protocol=socket.IPPROTO_AH)
cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, scapy_tra_sa_id,
l_startaddr, l_stopaddr, r_startaddr,
r_stopaddr, is_outbound=0,
is_ipv6=is_ipv6,
protocol=socket.IPPROTO_AH)
l_startaddr = l_stopaddr = cls.tra_if.local_addr_n[addr_type]
r_startaddr = r_stopaddr = cls.tra_if.remote_addr_n[addr_type]
cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, vpp_tra_sa_id,
l_startaddr, l_stopaddr, r_startaddr,
r_stopaddr, priority=10, policy=3,
is_outbound=0, is_ipv6=is_ipv6)
cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, scapy_tra_sa_id,
l_startaddr, l_stopaddr, r_startaddr, l_startaddr, l_stopaddr, r_startaddr,
r_stopaddr, priority=10, r_stopaddr, priority=10,
policy=3) policy=3, is_ipv6=is_ipv6)
def tearDown(self): def tearDown(self):
super(TemplateIpsecAh, self).tearDown() super(TemplateIpsecAh, self).tearDown()

203
test/test_ipsec_esp.py
View File

@ -36,8 +36,6 @@ class TemplateIpsecEsp(TemplateIpsec):
--- decrypt --- plain --- --- decrypt --- plain ---
|pg0| -------> |VPP| ------> |pg1| |pg0| -------> |VPP| ------> |pg1|
--- --- --- --- --- ---
Note : IPv6 is not covered
""" """
encryption_type = ESP encryption_type = ESP
@ -48,103 +46,130 @@ class TemplateIpsecEsp(TemplateIpsec):
cls.tun_if = cls.pg0 cls.tun_if = cls.pg0
cls.tra_if = cls.pg2 cls.tra_if = cls.pg2
cls.logger.info(cls.vapi.ppcli("show int addr")) cls.logger.info(cls.vapi.ppcli("show int addr"))
cls.config_esp_tra()
cls.logger.info(cls.vapi.ppcli("show ipsec"))
cls.config_esp_tun()
cls.logger.info(cls.vapi.ppcli("show ipsec"))
src4 = socket.inet_pton(socket.AF_INET, cls.remote_tun_if_host)
cls.vapi.ip_add_del_route(src4, 32, cls.tun_if.remote_ip4n)
@classmethod
def config_esp_tun(cls):
cls.vapi.ipsec_sad_add_del_entry(cls.scapy_tun_sa_id,
cls.scapy_tun_spi,
cls.auth_algo_vpp_id, cls.auth_key,
cls.crypt_algo_vpp_id,
cls.crypt_key, cls.vpp_esp_protocol,
cls.tun_if.local_ip4n,
cls.tun_if.remote_ip4n)
cls.vapi.ipsec_sad_add_del_entry(cls.vpp_tun_sa_id,
cls.vpp_tun_spi,
cls.auth_algo_vpp_id, cls.auth_key,
cls.crypt_algo_vpp_id,
cls.crypt_key, cls.vpp_esp_protocol,
cls.tun_if.remote_ip4n,
cls.tun_if.local_ip4n)
cls.vapi.ipsec_spd_add_del(cls.tun_spd_id)
cls.vapi.ipsec_interface_add_del_spd(cls.tun_spd_id,
cls.tun_if.sw_if_index)
l_startaddr = r_startaddr = socket.inet_pton(socket.AF_INET,
"0.0.0.0")
l_stopaddr = r_stopaddr = socket.inet_pton(socket.AF_INET,
"255.255.255.255")
cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id,
l_startaddr, l_stopaddr, r_startaddr,
r_stopaddr,
protocol=socket.IPPROTO_ESP)
cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id,
l_startaddr, l_stopaddr, r_startaddr,
r_stopaddr, is_outbound=0,
protocol=socket.IPPROTO_ESP)
l_startaddr = l_stopaddr = socket.inet_pton(socket.AF_INET,
cls.remote_tun_if_host)
r_startaddr = r_stopaddr = cls.pg1.remote_ip4n
cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.vpp_tun_sa_id,
l_startaddr, l_stopaddr, r_startaddr,
r_stopaddr, priority=10, policy=3,
is_outbound=0)
cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id,
r_startaddr, r_stopaddr, l_startaddr,
l_stopaddr, priority=10, policy=3)
l_startaddr = l_stopaddr = socket.inet_pton(socket.AF_INET,
cls.remote_tun_if_host)
r_startaddr = r_stopaddr = cls.pg0.local_ip4n
cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.vpp_tun_sa_id,
l_startaddr, l_stopaddr, r_startaddr,
r_stopaddr, priority=20, policy=3,
is_outbound=0)
cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id,
r_startaddr, r_stopaddr, l_startaddr,
l_stopaddr, priority=20, policy=3)
@classmethod
def config_esp_tra(cls):
cls.vapi.ipsec_sad_add_del_entry(cls.scapy_tra_sa_id,
cls.scapy_tra_spi,
cls.auth_algo_vpp_id, cls.auth_key,
cls.crypt_algo_vpp_id,
cls.crypt_key, cls.vpp_esp_protocol,
is_tunnel=0)
cls.vapi.ipsec_sad_add_del_entry(cls.vpp_tra_sa_id,
cls.vpp_tra_spi,
cls.auth_algo_vpp_id, cls.auth_key,
cls.crypt_algo_vpp_id,
cls.crypt_key, cls.vpp_esp_protocol,
is_tunnel=0)
cls.vapi.ipsec_spd_add_del(cls.tra_spd_id) cls.vapi.ipsec_spd_add_del(cls.tra_spd_id)
cls.vapi.ipsec_interface_add_del_spd(cls.tra_spd_id, cls.vapi.ipsec_interface_add_del_spd(cls.tra_spd_id,
cls.tra_if.sw_if_index) cls.tra_if.sw_if_index)
l_startaddr = r_startaddr = socket.inet_pton(socket.AF_INET, for _, p in cls.params.items():
"0.0.0.0") cls.config_esp_tra(p)
l_stopaddr = r_stopaddr = socket.inet_pton(socket.AF_INET, cls.logger.info(cls.vapi.ppcli("show ipsec"))
"255.255.255.255") cls.vapi.ipsec_spd_add_del(cls.tun_spd_id)
cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.vpp_tra_sa_id, cls.vapi.ipsec_interface_add_del_spd(cls.tun_spd_id,
cls.tun_if.sw_if_index)
for _, p in cls.params.items():
cls.config_esp_tun(p)
cls.logger.info(cls.vapi.ppcli("show ipsec"))
for _, p in cls.params.items():
src = socket.inet_pton(p.addr_type, p.remote_tun_if_host)
cls.vapi.ip_add_del_route(
src, p.addr_len, cls.tun_if.remote_addr_n[p.addr_type],
is_ipv6=p.is_ipv6)
@classmethod
def config_esp_tun(cls, params):
addr_type = params.addr_type
is_ipv6 = params.is_ipv6
scapy_tun_sa_id = params.scapy_tun_sa_id
scapy_tun_spi = params.scapy_tun_spi
vpp_tun_sa_id = params.vpp_tun_sa_id
vpp_tun_spi = params.vpp_tun_spi
auth_algo_vpp_id = params.auth_algo_vpp_id
auth_key = params.auth_key
crypt_algo_vpp_id = params.crypt_algo_vpp_id
crypt_key = params.crypt_key
remote_tun_if_host = params.remote_tun_if_host
addr_any = params.addr_any
addr_bcast = params.addr_bcast
cls.vapi.ipsec_sad_add_del_entry(scapy_tun_sa_id, scapy_tun_spi,
auth_algo_vpp_id, auth_key,
crypt_algo_vpp_id, crypt_key,
cls.vpp_esp_protocol,
cls.tun_if.local_addr_n[addr_type],
cls.tun_if.remote_addr_n[addr_type],
is_tunnel=1, is_tunnel_ipv6=is_ipv6)
cls.vapi.ipsec_sad_add_del_entry(vpp_tun_sa_id, vpp_tun_spi,
auth_algo_vpp_id, auth_key,
crypt_algo_vpp_id, crypt_key,
cls.vpp_esp_protocol,
cls.tun_if.remote_addr_n[addr_type],
cls.tun_if.local_addr_n[addr_type],
is_tunnel=1, is_tunnel_ipv6=is_ipv6)
l_startaddr = r_startaddr = socket.inet_pton(addr_type, addr_any)
l_stopaddr = r_stopaddr = socket.inet_pton(addr_type, addr_bcast)
cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, scapy_tun_sa_id,
l_startaddr, l_stopaddr, r_startaddr, l_startaddr, l_stopaddr, r_startaddr,
r_stopaddr, r_stopaddr, is_ipv6=is_ipv6,
protocol=socket.IPPROTO_ESP) protocol=socket.IPPROTO_ESP)
cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.vpp_tra_sa_id, cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, scapy_tun_sa_id,
l_startaddr, l_stopaddr, r_startaddr, l_startaddr, l_stopaddr, r_startaddr,
r_stopaddr, is_outbound=0, r_stopaddr, is_outbound=0,
protocol=socket.IPPROTO_ESP) protocol=socket.IPPROTO_ESP,
l_startaddr = l_stopaddr = cls.tra_if.local_ip4n is_ipv6=is_ipv6)
r_startaddr = r_stopaddr = cls.tra_if.remote_ip4n l_startaddr = l_stopaddr = socket.inet_pton(addr_type,
cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.vpp_tra_sa_id, remote_tun_if_host)
r_startaddr = r_stopaddr = cls.pg1.remote_addr_n[addr_type]
cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, vpp_tun_sa_id,
l_startaddr, l_stopaddr, r_startaddr, l_startaddr, l_stopaddr, r_startaddr,
r_stopaddr, priority=10, policy=3, r_stopaddr, priority=10, policy=3,
is_outbound=0) is_ipv6=is_ipv6, is_outbound=0)
cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.scapy_tra_sa_id, cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, scapy_tun_sa_id,
r_startaddr, r_stopaddr, l_startaddr,
l_stopaddr, priority=10, policy=3,
is_ipv6=is_ipv6)
l_startaddr = l_stopaddr = socket.inet_pton(addr_type,
remote_tun_if_host)
r_startaddr = r_stopaddr = cls.pg0.local_addr_n[addr_type]
cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, vpp_tun_sa_id,
l_startaddr, l_stopaddr, r_startaddr, l_startaddr, l_stopaddr, r_startaddr,
r_stopaddr, priority=10, policy=3) r_stopaddr, priority=20, policy=3,
is_outbound=0, is_ipv6=is_ipv6)
cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, scapy_tun_sa_id,
r_startaddr, r_stopaddr, l_startaddr,
l_stopaddr, priority=20, policy=3,
is_ipv6=is_ipv6)
@classmethod
def config_esp_tra(cls, params):
addr_type = params.addr_type
is_ipv6 = params.is_ipv6
scapy_tra_sa_id = params.scapy_tra_sa_id
scapy_tra_spi = params.scapy_tra_spi
vpp_tra_sa_id = params.vpp_tra_sa_id
vpp_tra_spi = params.vpp_tra_spi
auth_algo_vpp_id = params.auth_algo_vpp_id
auth_key = params.auth_key
crypt_algo_vpp_id = params.crypt_algo_vpp_id
crypt_key = params.crypt_key
addr_any = params.addr_any
addr_bcast = params.addr_bcast
cls.vapi.ipsec_sad_add_del_entry(scapy_tra_sa_id, scapy_tra_spi,
auth_algo_vpp_id, auth_key,
crypt_algo_vpp_id, crypt_key,
cls.vpp_esp_protocol, is_tunnel=0)
cls.vapi.ipsec_sad_add_del_entry(vpp_tra_sa_id, vpp_tra_spi,
auth_algo_vpp_id, auth_key,
crypt_algo_vpp_id, crypt_key,
cls.vpp_esp_protocol, is_tunnel=0)
l_startaddr = r_startaddr = socket.inet_pton(addr_type, addr_any)
l_stopaddr = r_stopaddr = socket.inet_pton(addr_type, addr_bcast)
cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, vpp_tra_sa_id,
l_startaddr, l_stopaddr, r_startaddr,
r_stopaddr, is_ipv6=is_ipv6,
protocol=socket.IPPROTO_ESP)
cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, vpp_tra_sa_id,
l_startaddr, l_stopaddr, r_startaddr,
r_stopaddr, is_outbound=0,
is_ipv6=is_ipv6,
protocol=socket.IPPROTO_ESP)
l_startaddr = l_stopaddr = cls.tra_if.local_addr_n[addr_type]
r_startaddr = r_stopaddr = cls.tra_if.remote_addr_n[addr_type]
cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, vpp_tra_sa_id,
l_startaddr, l_stopaddr, r_startaddr,
r_stopaddr, priority=10, policy=3,
is_outbound=0, is_ipv6=is_ipv6)
cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, scapy_tra_sa_id,
l_startaddr, l_stopaddr, r_startaddr,
r_stopaddr, priority=10, policy=3,
is_ipv6=is_ipv6)
class TestIpsecEsp1(TemplateIpsecEsp, IpsecTraTests, IpsecTunTests): class TestIpsecEsp1(TemplateIpsecEsp, IpsecTraTests, IpsecTunTests):

97
test/test_ipsec_nat.py
View File

@ -35,10 +35,16 @@ class IPSecNATTestCase(TemplateIpsec):
def setUpClass(cls): def setUpClass(cls):
super(IPSecNATTestCase, cls).setUpClass() super(IPSecNATTestCase, cls).setUpClass()
cls.tun_if = cls.pg0 cls.tun_if = cls.pg0
cls.config_esp_tun() cls.vapi.ipsec_spd_add_del(cls.tun_spd_id)
cls.vapi.ipsec_interface_add_del_spd(cls.tun_spd_id,
cls.tun_if.sw_if_index)
p = cls.ipv4_params
cls.config_esp_tun(p)
cls.logger.info(cls.vapi.ppcli("show ipsec")) cls.logger.info(cls.vapi.ppcli("show ipsec"))
client = socket.inet_pton(socket.AF_INET, cls.remote_tun_if_host) src = socket.inet_pton(p.addr_type, p.remote_tun_if_host)
cls.vapi.ip_add_del_route(client, 32, cls.tun_if.remote_ip4n) cls.vapi.ip_add_del_route(src, p.addr_len,
cls.tun_if.remote_addr_n[p.addr_type],
is_ipv6=p.is_ipv6)
def create_stream_plain(self, src_mac, dst_mac, src_ip, dst_ip): def create_stream_plain(self, src_mac, dst_mac, src_ip, dst_ip):
return [ return [
@ -126,66 +132,71 @@ class IPSecNATTestCase(TemplateIpsec):
raise raise
@classmethod @classmethod
def config_esp_tun(cls): def config_esp_tun(cls, params):
cls.vapi.ipsec_sad_add_del_entry(cls.scapy_tun_sa_id, addr_type = params.addr_type
cls.scapy_tun_spi, scapy_tun_sa_id = params.scapy_tun_sa_id
cls.auth_algo_vpp_id, cls.auth_key, scapy_tun_spi = params.scapy_tun_spi
cls.crypt_algo_vpp_id, vpp_tun_sa_id = params.vpp_tun_sa_id
cls.crypt_key, cls.vpp_esp_protocol, vpp_tun_spi = params.vpp_tun_spi
cls.pg1.remote_ip4n, auth_algo_vpp_id = params.auth_algo_vpp_id
cls.tun_if.remote_ip4n, auth_key = params.auth_key
crypt_algo_vpp_id = params.crypt_algo_vpp_id
crypt_key = params.crypt_key
addr_any = params.addr_any
addr_bcast = params.addr_bcast
cls.vapi.ipsec_sad_add_del_entry(scapy_tun_sa_id, scapy_tun_spi,
auth_algo_vpp_id, auth_key,
crypt_algo_vpp_id, crypt_key,
cls.vpp_esp_protocol,
cls.pg1.remote_addr_n[addr_type],
cls.tun_if.remote_addr_n[addr_type],
udp_encap=1) udp_encap=1)
cls.vapi.ipsec_sad_add_del_entry(cls.vpp_tun_sa_id, cls.vapi.ipsec_sad_add_del_entry(vpp_tun_sa_id, vpp_tun_spi,
cls.vpp_tun_spi, auth_algo_vpp_id, auth_key,
cls.auth_algo_vpp_id, cls.auth_key, crypt_algo_vpp_id, crypt_key,
cls.crypt_algo_vpp_id, cls.vpp_esp_protocol,
cls.crypt_key, cls.vpp_esp_protocol, cls.tun_if.remote_addr_n[addr_type],
cls.tun_if.remote_ip4n, cls.pg1.remote_addr_n[addr_type],
cls.pg1.remote_ip4n,
udp_encap=1) udp_encap=1)
cls.vapi.ipsec_spd_add_del(cls.tun_spd_id) l_startaddr = r_startaddr = socket.inet_pton(addr_type, addr_any)
cls.vapi.ipsec_interface_add_del_spd(cls.tun_spd_id, l_stopaddr = r_stopaddr = socket.inet_pton(addr_type, addr_bcast)
cls.tun_if.sw_if_index) cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, scapy_tun_sa_id,
l_startaddr = r_startaddr = socket.inet_pton(socket.AF_INET,
"0.0.0.0")
l_stopaddr = r_stopaddr = socket.inet_pton(socket.AF_INET,
"255.255.255.255")
cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id,
l_startaddr, l_stopaddr, r_startaddr, l_startaddr, l_stopaddr, r_startaddr,
r_stopaddr, r_stopaddr,
protocol=socket.IPPROTO_ESP) protocol=socket.IPPROTO_ESP)
cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id, cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, scapy_tun_sa_id,
l_startaddr, l_stopaddr, r_startaddr, l_startaddr, l_stopaddr, r_startaddr,
r_stopaddr, is_outbound=0, r_stopaddr, is_outbound=0,
protocol=socket.IPPROTO_ESP) protocol=socket.IPPROTO_ESP)
cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id, cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, scapy_tun_sa_id,
l_startaddr, l_stopaddr, r_startaddr, l_startaddr, l_stopaddr, r_startaddr,
r_stopaddr, remote_port_start=4500, r_stopaddr, remote_port_start=4500,
remote_port_stop=4500, remote_port_stop=4500,
protocol=socket.IPPROTO_UDP) protocol=socket.IPPROTO_UDP)
cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id, cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, scapy_tun_sa_id,
l_startaddr, l_stopaddr, r_startaddr, l_startaddr, l_stopaddr, r_startaddr,
r_stopaddr, remote_port_start=4500, r_stopaddr, remote_port_start=4500,
remote_port_stop=4500, remote_port_stop=4500,
protocol=socket.IPPROTO_UDP, protocol=socket.IPPROTO_UDP,
is_outbound=0) is_outbound=0)
l_startaddr = l_stopaddr = cls.tun_if.remote_ip4n l_startaddr = l_stopaddr = cls.tun_if.remote_addr_n[addr_type]
r_startaddr = r_stopaddr = cls.pg1.remote_ip4n r_startaddr = r_stopaddr = cls.pg1.remote_addr_n[addr_type]
cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.vpp_tun_sa_id, cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, vpp_tun_sa_id,
l_startaddr, l_stopaddr, r_startaddr, l_startaddr, l_stopaddr, r_startaddr,
r_stopaddr, priority=10, policy=3, r_stopaddr, priority=10, policy=3,
is_outbound=0) is_outbound=0)
cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id, cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, scapy_tun_sa_id,
r_startaddr, r_stopaddr, l_startaddr, r_startaddr, r_stopaddr, l_startaddr,
l_stopaddr, priority=10, policy=3) l_stopaddr, priority=10, policy=3)
def test_ipsec_nat_tun(self): def test_ipsec_nat_tun(self):
""" IPSec/NAT tunnel test case """ """ IPSec/NAT tunnel test case """
scapy_tun_sa = SecurityAssociation(ESP, spi=self.scapy_tun_spi, p = self.ipv4_params
crypt_algo=self.crypt_algo, scapy_tun_sa = SecurityAssociation(ESP, spi=p.scapy_tun_spi,
crypt_key=self.crypt_key, crypt_algo=p.crypt_algo,
auth_algo=self.auth_algo, crypt_key=p.crypt_key,
auth_key=self.auth_key, auth_algo=p.auth_algo,
auth_key=p.auth_key,
tunnel_header=IP( tunnel_header=IP(
src=self.pg1.remote_ip4, src=self.pg1.remote_ip4,
dst=self.tun_if.remote_ip4), dst=self.tun_if.remote_ip4),
@ -203,11 +214,11 @@ class IPSecNATTestCase(TemplateIpsec):
self.verify_capture_encrypted(capture, scapy_tun_sa) self.verify_capture_encrypted(capture, scapy_tun_sa)
vpp_tun_sa = SecurityAssociation(ESP, vpp_tun_sa = SecurityAssociation(ESP,
spi=self.vpp_tun_spi, spi=p.vpp_tun_spi,
crypt_algo=self.crypt_algo, crypt_algo=p.crypt_algo,
crypt_key=self.crypt_key, crypt_key=p.crypt_key,
auth_algo=self.auth_algo, auth_algo=p.auth_algo,
auth_key=self.auth_key, auth_key=p.auth_key,
tunnel_header=IP( tunnel_header=IP(
src=self.tun_if.remote_ip4, src=self.tun_if.remote_ip4,
dst=self.pg1.remote_ip4), dst=self.pg1.remote_ip4),

29
test/test_ipsec_tun_if_esp.py
View File

@ -2,7 +2,7 @@ import unittest
import socket import socket
from scapy.layers.ipsec import ESP from scapy.layers.ipsec import ESP
from framework import VppTestRunner from framework import VppTestRunner
from template_ipsec import TemplateIpsec, IpsecTunTests, IpsecTcpTests from template_ipsec import TemplateIpsec, IpsecTun4Tests, IpsecTcpTests
from vpp_ipsec_tun_interface import VppIpsecTunInterface from vpp_ipsec_tun_interface import VppIpsecTunInterface
@ -17,20 +17,17 @@ class TemplateIpsecTunIfEsp(TemplateIpsec):
cls.tun_if = cls.pg0 cls.tun_if = cls.pg0
def setUp(self): def setUp(self):
self.ipsec_tun_if = VppIpsecTunInterface(self, self.pg0, p = self.ipv4_params
self.vpp_tun_spi, tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
self.scapy_tun_spi, p.scapy_tun_spi, p.crypt_algo_vpp_id,
self.crypt_algo_vpp_id, p.crypt_key, p.crypt_key,
self.crypt_key, p.auth_algo_vpp_id, p.auth_key,
self.crypt_key, p.auth_key)
self.auth_algo_vpp_id, tun_if.add_vpp_config()
self.auth_key, tun_if.admin_up()
self.auth_key) tun_if.config_ip4()
self.ipsec_tun_if.add_vpp_config() src4 = socket.inet_pton(socket.AF_INET, p.remote_tun_if_host)
self.ipsec_tun_if.admin_up() self.vapi.ip_add_del_route(src4, 32, tun_if.remote_ip4n)
self.ipsec_tun_if.config_ip4()
src4 = socket.inet_pton(socket.AF_INET, self.remote_tun_if_host)
self.vapi.ip_add_del_route(src4, 32, self.ipsec_tun_if.remote_ip4n)
def tearDown(self): def tearDown(self):
if not self.vpp_dead: if not self.vpp_dead:
@ -38,7 +35,7 @@ class TemplateIpsecTunIfEsp(TemplateIpsec):
super(TemplateIpsecTunIfEsp, self).tearDown() super(TemplateIpsecTunIfEsp, self).tearDown()
class TestIpsecTunIfEsp1(TemplateIpsecTunIfEsp, IpsecTunTests): class TestIpsecTunIfEsp1(TemplateIpsecTunIfEsp, IpsecTun4Tests):
""" Ipsec ESP - TUN tests """ """ Ipsec ESP - TUN tests """
pass pass

3
test/util.py
View File

@ -11,6 +11,7 @@ from scapy.packet import Raw
from scapy.layers.inet import IP from scapy.layers.inet import IP
from scapy.layers.inet6 import IPv6, IPv6ExtHdrFragment, IPv6ExtHdrRouting,\ from scapy.layers.inet6 import IPv6, IPv6ExtHdrFragment, IPv6ExtHdrRouting,\
IPv6ExtHdrHopByHop IPv6ExtHdrHopByHop
from scapy.utils import hexdump
from socket import AF_INET6 from socket import AF_INET6
@ -20,6 +21,8 @@ def ppp(headline, packet):
old_stdout = sys.stdout old_stdout = sys.stdout
sys.stdout = o sys.stdout = o
print(headline) print(headline)
hexdump(packet)
print("")
packet.show() packet.show()
sys.stdout = old_stdout sys.stdout = old_stdout
return o.getvalue() return o.getvalue()

27
test/vpp_interface.py
View File

@ -23,6 +23,22 @@ class VppInterface(object):
"""MAC-address of the VPP interface.""" """MAC-address of the VPP interface."""
return self._local_mac return self._local_mac
@property
def local_addr(self):
return self._local_addr
@property
def remote_addr(self):
return self._remote_addr
@property
def local_addr_n(self):
return self._local_addr_n
@property
def remote_addr_n(self):
return self._remote_addr_n
@property @property
def local_ip4(self): def local_ip4(self):
"""Local IPv4 address on VPP interface (string).""" """Local IPv4 address on VPP interface (string)."""
@ -65,7 +81,7 @@ class VppInterface(object):
@property @property
def local_ip6_ll(self): def local_ip6_ll(self):
"""Local IPv6 linnk-local address on VPP interface (string).""" """Local IPv6 link-local address on VPP interface (string)."""
return self._local_ip6_ll return self._local_ip6_ll
@property @property
@ -200,6 +216,15 @@ class VppInterface(object):
self.has_ip6_config = False self.has_ip6_config = False
self.ip6_table_id = 0 self.ip6_table_id = 0
self._local_addr = {socket.AF_INET: self.local_ip4,
socket.AF_INET6: self.local_ip6}
self._local_addr_n = {socket.AF_INET: self.local_ip4n,
socket.AF_INET6: self.local_ip6n}
self._remote_addr = {socket.AF_INET: self.remote_ip4,
socket.AF_INET6: self.remote_ip6}
self._remote_addr_n = {socket.AF_INET: self.remote_ip4n,
socket.AF_INET6: self.remote_ip6n}
r = self.test.vapi.sw_interface_dump() r = self.test.vapi.sw_interface_dump()
for intf in r: for intf in r:
if intf.sw_if_index == self.sw_if_index: if intf.sw_if_index == self.sw_if_index:

9
test/vpp_papi_provider.py
View File

@ -71,7 +71,7 @@ class VppPapiProvider(object):
_zero, _negative = range(2) _zero, _negative = range(2)
def __init__(self, name, shm_prefix, test_class): def __init__(self, name, shm_prefix, test_class, read_timeout):
self.hook = Hook("vpp-papi-provider") self.hook = Hook("vpp-papi-provider")
self.name = name self.name = name
self.shm_prefix = shm_prefix self.shm_prefix = shm_prefix
@ -85,7 +85,8 @@ class VppPapiProvider(object):
for filename in fnmatch.filter(filenames, '*.api.json'): for filename in fnmatch.filter(filenames, '*.api.json'):
jsonfiles.append(os.path.join(root, filename)) jsonfiles.append(os.path.join(root, filename))
self.vpp = VPP(jsonfiles, logger=test_class.logger, read_timeout=5) self.vpp = VPP(jsonfiles, logger=test_class.logger,
read_timeout=read_timeout)
self._events = deque() self._events = deque()
def __enter__(self): def __enter__(self):
@ -3312,6 +3313,7 @@ class VppPapiProvider(object):
tunnel_src_address='', tunnel_src_address='',
tunnel_dst_address='', tunnel_dst_address='',
is_tunnel=1, is_tunnel=1,
is_tunnel_ipv6=0,
is_add=1, is_add=1,
udp_encap=0): udp_encap=0):
""" IPSEC SA add/del """ IPSEC SA add/del
@ -3345,6 +3347,7 @@ class VppPapiProvider(object):
'crypto_key': crypto_key, 'crypto_key': crypto_key,
'is_add': is_add, 'is_add': is_add,
'is_tunnel': is_tunnel, 'is_tunnel': is_tunnel,
'is_tunnel_ipv6': is_tunnel_ipv6,
'udp_encap': udp_encap}) 'udp_encap': udp_encap})
def ipsec_spd_add_del_entry(self, def ipsec_spd_add_del_entry(self,
@ -3363,6 +3366,7 @@ class VppPapiProvider(object):
priority=100, priority=100,
is_outbound=1, is_outbound=1,
is_add=1, is_add=1,
is_ipv6=0,
is_ip_any=0): is_ip_any=0):
""" IPSEC policy SPD add/del - """ IPSEC policy SPD add/del -
Wrapper to configure ipsec SPD policy entries in VPP Wrapper to configure ipsec SPD policy entries in VPP
@ -3401,6 +3405,7 @@ class VppPapiProvider(object):
'policy': policy, 'policy': policy,
'priority': priority, 'priority': priority,
'is_outbound': is_outbound, 'is_outbound': is_outbound,
'is_ipv6': is_ipv6,
'is_ip_any': is_ip_any}) 'is_ip_any': is_ip_any})
def ipsec_tunnel_if_add_del(self, local_ip, remote_ip, local_spi, def ipsec_tunnel_if_add_del(self, local_ip, remote_ip, local_spi,