ligang/vpp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ipsec: VPP-1316 calculate IP/TCP/UDP inner checksums

Browse Source 
Calculate IP/TCP/UDP checksums in software before adding authentication.

Change-Id: I3e121cb00aeba667764f39ade8d62170f18f8b6b
Signed-off-by: Klement Sekera <ksekera@cisco.com>
This commit is contained in:
Klement Sekera
2018-05-16 10:52:45 +02:00
committed by Florin Coras
parent 56ba844d6a
commit a98346f664
19 changed files with 808 additions and 763 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/vnet.am
View File

@ -451,7 +451,6 @@ libvnet_la_SOURCES += \
vnet/ipsec/ipsec_input.c \
vnet/ipsec/ipsec_if.c \
vnet/ipsec/ipsec_if_in.c \
vnet/ipsec/ipsec_if_out.c \
vnet/ipsec/esp_format.c \
vnet/ipsec/esp_encrypt.c \
vnet/ipsec/esp_decrypt.c \

22
src/vnet/ipsec/ah_encrypt.c
View File

@ -263,19 +263,17 @@ ah_encrypt_node_fn (vlib_main_t * vm,
u8 sig[64];
memset (sig, 0, sizeof (sig));
u8 *digest = NULL;
{
digest = vlib_buffer_get_current (i_b0) + ip_hdr_size + icv_size;
memset (digest, 0, icv_size);
}
u8 *digest =
vlib_buffer_get_current (i_b0) + ip_hdr_size + icv_size;
memset (digest, 0, icv_size);
hmac_calc (sa0->integ_alg, sa0->integ_key,
sa0->integ_key_len,
(u8 *) vlib_buffer_get_current (i_b0),
i_b0->current_length, sig, sa0->use_esn, sa0->seq_hi);
memcpy (digest, (char *) &sig[0], 12);
unsigned size = hmac_calc (sa0->integ_alg, sa0->integ_key,
sa0->integ_key_len,
vlib_buffer_get_current (i_b0),
i_b0->current_length, sig, sa0->use_esn,
sa0->seq_hi);
memcpy (digest, sig, size);
if (PREDICT_FALSE (is_ipv6))
{
}
@ -287,7 +285,7 @@ ah_encrypt_node_fn (vlib_main_t * vm,
}
if (transport_mode)
vlib_buffer_advance (i_b0, -sizeof (ethernet_header_t));;
vlib_buffer_advance (i_b0, -sizeof (ethernet_header_t));
trace:
if (PREDICT_FALSE (i_b0->flags & VLIB_BUFFER_IS_TRACED))

2
src/vnet/ipsec/ipsec.h
View File

@ -310,7 +310,6 @@ extern vlib_node_registration_t esp_encrypt_node;
extern vlib_node_registration_t esp_decrypt_node;
extern vlib_node_registration_t ah_encrypt_node;
extern vlib_node_registration_t ah_decrypt_node;
extern vlib_node_registration_t ipsec_if_output_node;
extern vlib_node_registration_t ipsec_if_input_node;
@ -328,7 +327,6 @@ int ipsec_set_sa_key (vlib_main_t * vm, ipsec_sa_t * sa_update);
u32 ipsec_get_sa_index_by_sa_id (u32 sa_id);
u8 ipsec_is_sa_used (u32 sa_index);
u8 *format_ipsec_if_output_trace (u8 * s, va_list * args);
u8 *format_ipsec_policy_action (u8 * s, va_list * args);
u8 *format_ipsec_crypto_alg (u8 * s, va_list * args);
u8 *format_ipsec_integ_alg (u8 * s, va_list * args);

140
src/vnet/ipsec/ipsec_if.c
View File

@ -34,14 +34,128 @@ format_ipsec_name (u8 * s, va_list * args)
return format (s, "ipsec%d", t->show_instance);
}
static uword
dummy_interface_tx (vlib_main_t * vm,
vlib_node_runtime_t * node, vlib_frame_t * frame)
/* Statistics (not really errors) */
#define foreach_ipsec_if_tx_error \
_(TX, "good packets transmitted")
static char *ipsec_if_tx_error_strings[] = {
#define _(sym,string) string,
foreach_ipsec_if_tx_error
#undef _
};
typedef enum
{
clib_warning ("you shouldn't be here, leaking buffers...");
return frame->n_vectors;
#define _(sym,str) IPSEC_IF_OUTPUT_ERROR_##sym,
foreach_ipsec_if_tx_error
#undef _
IPSEC_IF_TX_N_ERROR,
} ipsec_if_tx_error_t;
typedef struct
{
u32 spi;
u32 seq;
} ipsec_if_tx_trace_t;
u8 *
format_ipsec_if_tx_trace (u8 * s, va_list * args)
{
CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
ipsec_if_tx_trace_t *t = va_arg (*args, ipsec_if_tx_trace_t *);
s = format (s, "IPSec: spi %u seq %u", t->spi, t->seq);
return s;
}
static uword
ipsec_if_tx_node_fn (vlib_main_t * vm, vlib_node_runtime_t * node,
vlib_frame_t * from_frame)
{
ipsec_main_t *im = &ipsec_main;
vnet_main_t *vnm = im->vnet_main;
vnet_interface_main_t *vim = &vnm->interface_main;
u32 *from, *to_next = 0, next_index;
u32 n_left_from, sw_if_index0, last_sw_if_index = ~0;
u32 thread_index = vlib_get_thread_index ();
u32 n_bytes = 0, n_packets = 0;
from = vlib_frame_vector_args (from_frame);
n_left_from = from_frame->n_vectors;
next_index = node->cached_next_index;
while (n_left_from > 0)
{
u32 n_left_to_next;
vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
while (n_left_from > 0 && n_left_to_next > 0)
{
u32 bi0, next0, len0;
vlib_buffer_t *b0;
ipsec_tunnel_if_t *t0;
vnet_hw_interface_t *hi0;
bi0 = to_next[0] = from[0];
from += 1;
n_left_from -= 1;
to_next += 1;
n_left_to_next -= 1;
b0 = vlib_get_buffer (vm, bi0);
sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_TX];
hi0 = vnet_get_sup_hw_interface (vnm, sw_if_index0);
t0 = pool_elt_at_index (im->tunnel_interfaces, hi0->dev_instance);
vnet_buffer (b0)->ipsec.sad_index = t0->output_sa_index;
next0 = IPSEC_OUTPUT_NEXT_ESP_ENCRYPT;
len0 = vlib_buffer_length_in_chain (vm, b0);
if (PREDICT_TRUE (sw_if_index0 == last_sw_if_index))
{
n_packets++;
n_bytes += len0;
}
else
{
vlib_increment_combined_counter (vim->combined_sw_if_counters +
VNET_INTERFACE_COUNTER_TX,
thread_index, sw_if_index0,
n_packets, n_bytes);
last_sw_if_index = sw_if_index0;
n_packets = 1;
n_bytes = len0;
}
if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED))
{
ipsec_if_tx_trace_t *tr =
vlib_add_trace (vm, node, b0, sizeof (*tr));
ipsec_sa_t *sa0 =
pool_elt_at_index (im->sad, t0->output_sa_index);
tr->spi = sa0->spi;
tr->seq = sa0->seq;
}
vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
n_left_to_next, bi0, next0);
}
vlib_put_next_frame (vm, node, next_index, n_left_to_next);
}
if (last_sw_if_index != ~0)
{
vlib_increment_combined_counter (vim->combined_sw_if_counters +
VNET_INTERFACE_COUNTER_TX,
thread_index,
last_sw_if_index, n_packets, n_bytes);
}
return from_frame->n_vectors;
}
static clib_error_t *
ipsec_admin_up_down_function (vnet_main_t * vnm, u32 hw_if_index, u32 flags)
{
@ -113,13 +227,16 @@ ipsec_admin_up_down_function (vnet_main_t * vnm, u32 hw_if_index, u32 flags)
return /* no error */ 0;
}
/* *INDENT-OFF* */
VNET_DEVICE_CLASS (ipsec_device_class, static) =
{
.name = "IPSec",
.format_device_name = format_ipsec_name,
.format_tx_trace = format_ipsec_if_output_trace,
.tx_function = dummy_interface_tx,
.format_tx_trace = format_ipsec_if_tx_trace,
.tx_function = ipsec_if_tx_node_fn,
.tx_function_n_errors = IPSEC_IF_TX_N_ERROR,
.tx_function_error_strings = ipsec_if_tx_error_strings,
.admin_up_down_function = ipsec_admin_up_down_function,
};
/* *INDENT-ON* */
@ -162,6 +279,7 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm,
uword *p;
ipsec_sa_t *sa;
u32 dev_instance;
u32 slot;
u64 key = (u64) args->remote_ip.as_u32 << 32 | (u64) args->remote_spi;
p = hash_get (im->ipsec_if_pool_index_by_key, key);
@ -247,7 +365,13 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm,
t - im->tunnel_interfaces);
hi = vnet_get_hw_interface (vnm, hw_if_index);
hi->output_node_index = ipsec_if_output_node.index;
slot = vlib_node_add_named_next_with_slot
(vnm->vlib_main, hi->tx_node_index, "esp-encrypt",
IPSEC_OUTPUT_NEXT_ESP_ENCRYPT);
ASSERT (slot == IPSEC_OUTPUT_NEXT_ESP_ENCRYPT);
t->hw_if_index = hw_if_index;
vnet_feature_enable_disable ("interface-output", "ipsec-if-output",

172
src/vnet/ipsec/ipsec_if_out.c
View File

@ -1,172 +0,0 @@
/*
* ipsec_if_out.c : IPSec interface output node
*
* Copyright (c) 2015 Cisco and/or its affiliates.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <vnet/vnet.h>
#include <vnet/api_errno.h>
#include <vnet/ip/ip.h>
#include <vnet/ipsec/ipsec.h>
/* Statistics (not really errors) */
#define foreach_ipsec_if_output_error \
_(TX, "good packets transmitted")
static char *ipsec_if_output_error_strings[] = {
#define _(sym,string) string,
foreach_ipsec_if_output_error
#undef _
};
typedef enum
{
#define _(sym,str) IPSEC_IF_OUTPUT_ERROR_##sym,
foreach_ipsec_if_output_error
#undef _
IPSEC_IF_OUTPUT_N_ERROR,
} ipsec_if_output_error_t;
typedef struct
{
u32 spi;
u32 seq;
} ipsec_if_output_trace_t;
u8 *
format_ipsec_if_output_trace (u8 * s, va_list * args)
{
CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
ipsec_if_output_trace_t *t = va_arg (*args, ipsec_if_output_trace_t *);
s = format (s, "IPSec: spi %u seq %u", t->spi, t->seq);
return s;
}
static uword
ipsec_if_output_node_fn (vlib_main_t * vm, vlib_node_runtime_t * node,
vlib_frame_t * from_frame)
{
ipsec_main_t *im = &ipsec_main;
vnet_main_t *vnm = im->vnet_main;
vnet_interface_main_t *vim = &vnm->interface_main;
u32 *from, *to_next = 0, next_index;
u32 n_left_from, sw_if_index0, last_sw_if_index = ~0;
u32 thread_index = vlib_get_thread_index ();
u32 n_bytes = 0, n_packets = 0;
from = vlib_frame_vector_args (from_frame);
n_left_from = from_frame->n_vectors;
next_index = node->cached_next_index;
while (n_left_from > 0)
{
u32 n_left_to_next;
vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
while (n_left_from > 0 && n_left_to_next > 0)
{
u32 bi0, next0, len0;
vlib_buffer_t *b0;
ipsec_tunnel_if_t *t0;
vnet_hw_interface_t *hi0;
bi0 = to_next[0] = from[0];
from += 1;
n_left_from -= 1;
to_next += 1;
n_left_to_next -= 1;
b0 = vlib_get_buffer (vm, bi0);
sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_TX];
hi0 = vnet_get_sup_hw_interface (vnm, sw_if_index0);
t0 = pool_elt_at_index (im->tunnel_interfaces, hi0->dev_instance);
vnet_buffer (b0)->ipsec.sad_index = t0->output_sa_index;
next0 = im->esp_encrypt_next_index;
len0 = vlib_buffer_length_in_chain (vm, b0);
if (PREDICT_TRUE (sw_if_index0 == last_sw_if_index))
{
n_packets++;
n_bytes += len0;
}
else
{
vlib_increment_combined_counter (vim->combined_sw_if_counters +
VNET_INTERFACE_COUNTER_TX,
thread_index, sw_if_index0,
n_packets, n_bytes);
last_sw_if_index = sw_if_index0;
n_packets = 1;
n_bytes = len0;
}
if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED))
{
ipsec_if_output_trace_t *tr =
vlib_add_trace (vm, node, b0, sizeof (*tr));
ipsec_sa_t *sa0 =
pool_elt_at_index (im->sad, t0->output_sa_index);
tr->spi = sa0->spi;
tr->seq = sa0->seq;
}
vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
n_left_to_next, bi0, next0);
}
vlib_put_next_frame (vm, node, next_index, n_left_to_next);
}
if (last_sw_if_index != ~0)
{
vlib_increment_combined_counter (vim->combined_sw_if_counters +
VNET_INTERFACE_COUNTER_TX,
thread_index,
last_sw_if_index, n_packets, n_bytes);
}
vlib_node_increment_counter (vm, ipsec_if_output_node.index,
IPSEC_IF_OUTPUT_ERROR_TX,
from_frame->n_vectors);
return from_frame->n_vectors;
}
/* *INDENT-OFF* */
VLIB_REGISTER_NODE (ipsec_if_output_node) = {
.function = ipsec_if_output_node_fn,
.name = "ipsec-if-output",
.vector_size = sizeof (u32),
.format_trace = format_ipsec_if_output_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
.n_errors = ARRAY_LEN(ipsec_if_output_error_strings),
.error_strings = ipsec_if_output_error_strings,
.sibling_of = "ipsec-output-ip4",
};
/* *INDENT-ON* */
VLIB_NODE_FUNCTION_MULTIARCH (ipsec_if_output_node, ipsec_if_output_node_fn)
/*
* fd.io coding-style-patch-verification: ON
*
* Local Variables:
* eval: (c-set-style "gnu")
* End:
*/

40
src/vnet/ipsec/ipsec_output.c
View File

@ -190,6 +190,7 @@ ipsec_output_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
vlib_frame_t *f = 0;
u32 spd_index0 = ~0;
ipsec_spd_t *spd0 = 0;
int bogus;
u64 nc_protect = 0, nc_bypass = 0, nc_discard = 0, nc_nomatch = 0;
from = vlib_frame_vector_args (from_frame);
@ -204,6 +205,7 @@ ipsec_output_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
ip6_header_t *ip6_0 = 0;
udp_header_t *udp0;
u32 iph_offset = 0;
tcp_header_t *tcp0;
bi0 = from[0];
b0 = vlib_get_buffer (vm, bi0);
@ -269,6 +271,7 @@ ipsec_output_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
clib_net_to_host_u16
(udp0->dst_port));
}
tcp0 = (void *) udp0;
if (PREDICT_TRUE (p0 != NULL))
{
@ -282,18 +285,53 @@ ipsec_output_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
else
next_node_index = im->ah_encrypt_node_index;
vnet_buffer (b0)->ipsec.sad_index = p0->sa_index;
vlib_buffer_advance (b0, iph_offset);
p0->counter.packets++;
if (is_ipv6)
{
p0->counter.bytes +=
clib_net_to_host_u16 (ip6_0->payload_length);
p0->counter.bytes += sizeof (ip6_header_t);
if (PREDICT_FALSE
(b0->flags & VNET_BUFFER_F_OFFLOAD_TCP_CKSUM))
{
tcp0->checksum =
ip6_tcp_udp_icmp_compute_checksum (vm, b0, ip6_0,
&bogus);
b0->flags &= ~VNET_BUFFER_F_OFFLOAD_TCP_CKSUM;
}
if (PREDICT_FALSE
(b0->flags & VNET_BUFFER_F_OFFLOAD_UDP_CKSUM))
{
udp0->checksum =
ip6_tcp_udp_icmp_compute_checksum (vm, b0, ip6_0,
&bogus);
b0->flags &= ~VNET_BUFFER_F_OFFLOAD_UDP_CKSUM;
}
}
else
{
p0->counter.bytes += clib_net_to_host_u16 (ip0->length);
if (b0->flags & VNET_BUFFER_F_OFFLOAD_IP_CKSUM)
{
ip0->checksum = ip4_header_checksum (ip0);
b0->flags &= ~VNET_BUFFER_F_OFFLOAD_IP_CKSUM;
}
if (PREDICT_FALSE
(b0->flags & VNET_BUFFER_F_OFFLOAD_TCP_CKSUM))
{
tcp0->checksum =
ip4_tcp_udp_compute_checksum (vm, b0, ip0);
b0->flags &= ~VNET_BUFFER_F_OFFLOAD_TCP_CKSUM;
}
if (PREDICT_FALSE
(b0->flags & VNET_BUFFER_F_OFFLOAD_UDP_CKSUM))
{
udp0->checksum =
ip4_tcp_udp_compute_checksum (vm, b0, ip0);
b0->flags &= ~VNET_BUFFER_F_OFFLOAD_UDP_CKSUM;
}
}
vlib_buffer_advance (b0, iph_offset);
}
else if (p0->policy == IPSEC_POLICY_ACTION_BYPASS)
{

11
test/bfd.py
View File

@ -35,9 +35,6 @@ class BFDDiagCode(NumericConstant):
reverse_concatenated_path_down: "Reverse Concatenated Path Down",
}
def __init__(self, value):
NumericConstant.__init__(self, value)
class BFDState(NumericConstant):
""" BFD State """
@ -53,9 +50,6 @@ class BFDState(NumericConstant):
up: "Up",
}
def __init__(self, value):
NumericConstant.__init__(self, value)
class BFDAuthType(NumericConstant):
""" BFD Authentication Type """
@ -75,9 +69,6 @@ class BFDAuthType(NumericConstant):
meticulous_keyed_sha1: "Meticulous Keyed SHA1",
}
def __init__(self, value):
NumericConstant.__init__(self, value)
def bfd_is_auth_used(pkt):
""" is packet authenticated? """
@ -148,6 +139,7 @@ class BFD(Packet):
return self.sprintf("BFD(my_disc=%BFD.my_discriminator%,"
"your_disc=%BFD.your_discriminator%)")
# glue the BFD packet class to scapy parser
bind_layers(UDP, BFD, dport=BFD.udp_dport)
@ -169,6 +161,7 @@ class BFD_vpp_echo(Packet):
"BFD_VPP_ECHO(disc=%BFD_VPP_ECHO.discriminator%,"
"expire_time_clocks=%BFD_VPP_ECHO.expire_time_clocks%)")
# glue the BFD echo packet class to scapy parser
bind_layers(UDP, BFD_vpp_echo, dport=BFD_vpp_echo.udp_dport)

2
test/discover_tests.py
View File

@ -30,7 +30,7 @@ def discover_tests(directory, callback):
continue
if not issubclass(cls, unittest.TestCase):
continue
if name == "VppTestCase":
if name == "VppTestCase" or name.startswith("Template"):
continue
for method in dir(cls):
if not callable(getattr(cls, method)):

19
test/framework.py
View File

@ -25,6 +25,7 @@ from vpp_papi_provider import VppPapiProvider
from log import RED, GREEN, YELLOW, double_line_delim, single_line_delim, \
getLogger, colorize
from vpp_object import VppObjectRegistry
from util import ppp
from scapy.layers.inet import IPerror, TCPerror, UDPerror, ICMPerror
from scapy.layers.inet6 import ICMPv6DestUnreach, ICMPv6EchoRequest
from scapy.layers.inet6 import ICMPv6EchoReply
@ -735,11 +736,14 @@ class VppTestCase(unittest.TestCase):
def assert_packet_checksums_valid(self, packet,
ignore_zero_udp_checksums=True):
received = packet.__class__(str(packet))
self.logger.debug(
ppp("Verifying packet checksums for packet:", received))
udp_layers = ['UDP', 'UDPerror']
checksum_fields = ['cksum', 'chksum']
checksums = []
counter = 0
temp = packet.__class__(str(packet))
temp = received.__class__(str(received))
while True:
layer = temp.getlayer(counter)
if layer:
@ -754,12 +758,17 @@ class VppTestCase(unittest.TestCase):
else:
break
counter = counter + 1
if 0 == len(checksums):
return
temp = temp.__class__(str(temp))
for layer, cf in checksums:
self.assert_equal(getattr(packet[layer], cf),
getattr(temp[layer], cf),
"packet checksum on layer #%d: %s" % (
layer, temp[layer].name))
calc_sum = getattr(temp[layer], cf)
self.assert_equal(
getattr(received[layer], cf), calc_sum,
"packet checksum on layer #%d: %s" % (layer, temp[layer].name))
self.logger.debug(
"Checksum field `%s` on `%s` layer has correct value `%s`" %
(cf, temp[layer].name, calc_sum))
def assert_checksum_valid(self, received_packet, layer,
field_name='chksum',

208
test/template_ipsec.py Normal file
View File

@ -0,0 +1,208 @@
import unittest
from scapy.layers.inet import IP, ICMP, TCP
from scapy.layers.ipsec import SecurityAssociation
from scapy.layers.l2 import Ether, Raw
from framework import VppTestCase, VppTestRunner
from util import ppp
class TemplateIpsec(VppTestCase):
"""
TRANSPORT MODE:
------ encrypt ---
|tra_if| <-------> |VPP|
------ decrypt ---
TUNNEL MODE:
------ encrypt --- plain ---
|tun_if| <------- |VPP| <------ |pg1|
------ --- ---
------ decrypt --- plain ---
|tun_if| -------> |VPP| ------> |pg1|
------ --- ---
"""
remote_tun_if_host = '1.1.1.1'
payload = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
tun_spd_id = 1
scapy_tun_sa_id = 10
scapy_tun_spi = 1001
vpp_tun_sa_id = 20
vpp_tun_spi = 1000
tra_spd_id = 2
scapy_tra_sa_id = 30
scapy_tra_spi = 2001
vpp_tra_sa_id = 40
vpp_tra_spi = 2000
vpp_esp_protocol = 1
vpp_ah_protocol = 0
auth_algo_vpp_id = 2 # internal VPP enum value for SHA1_96
auth_algo = 'HMAC-SHA1-96' # scapy name
auth_key = 'C91KUR9GYMm5GfkEvNjX'
crypt_algo_vpp_id = 1 # internal VPP enum value for AES_CBC_128
crypt_algo = 'AES-CBC' # scapy name
crypt_key = 'JPjyOWBeVEQiMe7h'
@classmethod
def setUpClass(cls):
super(TemplateIpsec, cls).setUpClass()
cls.create_pg_interfaces(range(3))
cls.interfaces = list(cls.pg_interfaces)
for i in cls.interfaces:
i.admin_up()
i.config_ip4()
i.resolve_arp()
def tearDown(self):
super(TemplateIpsec, self).tearDown()
if not self.vpp_dead:
self.vapi.cli("show hardware")
def send_and_expect(self, input, pkts, output, count=1):
input.add_stream(pkts)
self.pg_enable_capture(self.pg_interfaces)
self.pg_start()
rx = output.get_capture(count)
return rx
def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1):
return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
sa.encrypt(IP(src=src, dst=dst) / ICMP() / self.payload)
for i in range(count)]
def gen_pkts(self, sw_intf, src, dst, count=1):
return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
IP(src=src, dst=dst) / ICMP() / self.payload
for i in range(count)]
def configure_sa_tun(self):
scapy_tun_sa = SecurityAssociation(self.encryption_type,
spi=self.vpp_tun_spi,
crypt_algo=self.crypt_algo,
crypt_key=self.crypt_key,
auth_algo=self.auth_algo,
auth_key=self.auth_key,
tunnel_header=IP(
src=self.tun_if.remote_ip4,
dst=self.tun_if.local_ip4))
vpp_tun_sa = SecurityAssociation(self.encryption_type,
spi=self.scapy_tun_spi,
crypt_algo=self.crypt_algo,
crypt_key=self.crypt_key,
auth_algo=self.auth_algo,
auth_key=self.auth_key,
tunnel_header=IP(
dst=self.tun_if.remote_ip4,
src=self.tun_if.local_ip4))
return vpp_tun_sa, scapy_tun_sa
def configure_sa_tra(self):
scapy_tra_sa = SecurityAssociation(self.encryption_type,
spi=self.vpp_tra_spi,
crypt_algo=self.crypt_algo,
crypt_key=self.crypt_key,
auth_algo=self.auth_algo,
auth_key=self.auth_key)
vpp_tra_sa = SecurityAssociation(self.encryption_type,
spi=self.scapy_tra_spi,
crypt_algo=self.crypt_algo,
crypt_key=self.crypt_key,
auth_algo=self.auth_algo,
auth_key=self.auth_key)
return vpp_tra_sa, scapy_tra_sa
class IpsecTcpTests(object):
def test_tcp_checksum(self):
""" verify checksum correctness for vpp generated packets """
self.vapi.cli("test http server")
vpp_tun_sa, scapy_tun_sa = self.configure_sa_tun()
send = (Ether(src=self.tun_if.remote_mac, dst=self.tun_if.local_mac) /
scapy_tun_sa.encrypt(IP(src=self.remote_tun_if_host,
dst=self.tun_if.local_ip4) /
TCP(flags='S', dport=80)))
self.logger.debug(ppp("Sending packet:", send))
recv = self.send_and_expect(self.tun_if, [send], self.tun_if, 1)
recv = recv[0]
decrypted = vpp_tun_sa.decrypt(recv[IP])
self.assert_packet_checksums_valid(decrypted)
class IpsecTraTests(object):
def test_tra_basic(self, count=1):
""" ipsec v4 transport basic test """
try:
vpp_tra_sa, scapy_tra_sa = self.configure_sa_tra()
send_pkts = self.gen_encrypt_pkts(scapy_tra_sa, self.tra_if,
src=self.tra_if.remote_ip4,
dst=self.tra_if.local_ip4,
count=count)
recv_pkts = self.send_and_expect(self.tra_if, send_pkts,
self.tra_if, count=count)
for p in recv_pkts:
decrypted = vpp_tra_sa.decrypt(p[IP])
self.assert_packet_checksums_valid(decrypted)
finally:
self.logger.info(self.vapi.ppcli("show error"))
self.logger.info(self.vapi.ppcli("show ipsec"))
def test_tra_burst(self):
""" ipsec v4 transport burst test """
try:
self.test_tra_basic(count=257)
finally:
self.logger.info(self.vapi.ppcli("show error"))
self.logger.info(self.vapi.ppcli("show ipsec"))
class IpsecTunTests(object):
def test_tun_basic(self, count=1):
""" ipsec 4o4 tunnel basic test """
try:
vpp_tun_sa, scapy_tun_sa = self.configure_sa_tun()
send_pkts = self.gen_encrypt_pkts(scapy_tun_sa, self.tun_if,
src=self.remote_tun_if_host,
dst=self.pg1.remote_ip4,
count=count)
recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1,
count=count)
for recv_pkt in recv_pkts:
self.assert_equal(recv_pkt[IP].src, self.remote_tun_if_host)
self.assert_equal(recv_pkt[IP].dst, self.pg1.remote_ip4)
self.assert_packet_checksums_valid(recv_pkt)
send_pkts = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4,
dst=self.remote_tun_if_host, count=count)
recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.tun_if,
count=count)
for recv_pkt in recv_pkts:
decrypt_pkt = vpp_tun_sa.decrypt(recv_pkt[IP])
if not decrypt_pkt.haslayer(IP):
decrypt_pkt = IP(decrypt_pkt[Raw].load)
self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip4)
self.assert_equal(decrypt_pkt.dst, self.remote_tun_if_host)
self.assert_packet_checksums_valid(decrypt_pkt)
finally:
self.logger.info(self.vapi.ppcli("show error"))
self.logger.info(self.vapi.ppcli("show ipsec"))
def test_tun_burst(self):
""" ipsec 4o4 tunnel burst test """
try:
self.test_tun_basic(count=257)
finally:
self.logger.info(self.vapi.ppcli("show error"))
self.logger.info(self.vapi.ppcli("show ipsec"))
if __name__ == '__main__':
unittest.main(testRunner=VppTestRunner)

281
test/test_ipsec_ah.py
View File

File diff suppressed because it is too large Load Diff

396
test/test_ipsec_esp.py
View File

File diff suppressed because it is too large Load Diff

8
test/test_ipsec_nat.py
View File

@ -141,17 +141,17 @@ class IPSecNATTestCase(VppTestCase):
spd_id = 1
remote_sa_id = 10
local_sa_id = 20
remote_tun_spi = 1001
local_tun_spi = 1000
scapy_tun_spi = 1001
vpp_tun_spi = 1000
client = socket.inet_pton(socket.AF_INET, cls.remote_pg0_client_addr)
cls.vapi.ip_add_del_route(client, 32, cls.pg0.remote_ip4n)
cls.vapi.ipsec_sad_add_del_entry(remote_sa_id, remote_tun_spi,
cls.vapi.ipsec_sad_add_del_entry(remote_sa_id, scapy_tun_spi,
cls.pg1.remote_ip4n,
cls.pg0.remote_ip4n,
integrity_key_length=20,
crypto_key_length=16,
protocol=1, udp_encap=1)
cls.vapi.ipsec_sad_add_del_entry(local_sa_id, local_tun_spi,
cls.vapi.ipsec_sad_add_del_entry(local_sa_id, vpp_tun_spi,
cls.pg0.remote_ip4n,
cls.pg1.remote_ip4n,
integrity_key_length=20,

52
test/test_ipsec_tun_if_esp.py Normal file
View File

@ -0,0 +1,52 @@
import unittest
import socket
from scapy.layers.ipsec import ESP
from framework import VppTestRunner
from template_ipsec import TemplateIpsec, IpsecTunTests, IpsecTcpTests
from vpp_ipsec_tun_interface import VppIpsecTunInterface
class TemplateIpsecTunIfEsp(TemplateIpsec):
""" IPsec tunnel interface tests """
encryption_type = ESP
@classmethod
def setUpClass(cls):
super(TemplateIpsecTunIfEsp, cls).setUpClass()
cls.tun_if = cls.pg0
def setUp(self):
self.ipsec_tun_if = VppIpsecTunInterface(self, self.pg0,
self.vpp_tun_spi,
self.scapy_tun_spi,
self.crypt_algo_vpp_id,
self.crypt_key,
self.crypt_key,
self.auth_algo_vpp_id,
self.auth_key,
self.auth_key)
self.ipsec_tun_if.add_vpp_config()
self.ipsec_tun_if.admin_up()
self.ipsec_tun_if.config_ip4()
src4 = socket.inet_pton(socket.AF_INET, self.remote_tun_if_host)
self.vapi.ip_add_del_route(src4, 32, self.ipsec_tun_if.remote_ip4n)
def tearDown(self):
if not self.vpp_dead:
self.vapi.cli("show hardware")
super(TemplateIpsecTunIfEsp, self).tearDown()
class TestIpsecTunIfEsp1(TemplateIpsecTunIfEsp, IpsecTunTests):
""" Ipsec ESP - TUN tests """
pass
class TestIpsecTunIfEsp2(TemplateIpsecTunIfEsp, IpsecTcpTests):
""" Ipsec ESP - TCP tests """
pass
if __name__ == '__main__':
unittest.main(testRunner=VppTestRunner)

4
test/vpp_interface.py
View File

@ -2,7 +2,6 @@ from abc import abstractmethod, ABCMeta
import socket
from util import Host, mk_ll_addr
from vpp_neighbor import VppNeighbor
class VppInterface(object):
@ -171,6 +170,9 @@ class VppInterface(object):
self._hosts_by_ip4 = {}
self._hosts_by_ip6 = {}
def set_sw_if_index(self, sw_if_index):
self._sw_if_index = sw_if_index
self.generate_remote_hosts()
self._local_ip4 = "172.16.%u.1" % self.sw_if_index

43
test/vpp_ipsec_tun_interface.py Normal file
View File

@ -0,0 +1,43 @@
from vpp_tunnel_interface import VppTunnelInterface
class VppIpsecTunInterface(VppTunnelInterface):
"""
VPP IPsec Tunnel interface
"""
def __init__(self, test, parent_if, local_spi,
remote_spi, crypto_alg, local_crypto_key, remote_crypto_key,
integ_alg, local_integ_key, remote_integ_key):
super(VppIpsecTunInterface, self).__init__(test, parent_if)
self.local_spi = local_spi
self.remote_spi = remote_spi
self.crypto_alg = crypto_alg
self.local_crypto_key = local_crypto_key
self.remote_crypto_key = remote_crypto_key
self.integ_alg = integ_alg
self.local_integ_key = local_integ_key
self.remote_integ_key = remote_integ_key
def add_vpp_config(self):
r = self.test.vapi.ipsec_tunnel_if_add_del(
self.parent_if.local_ip4n, self.parent_if.remote_ip4n,
self.remote_spi, self.local_spi, self.crypto_alg,
self.local_crypto_key, self.remote_crypto_key, self.integ_alg,
self.local_integ_key, self.remote_integ_key)
self.set_sw_if_index(r.sw_if_index)
self.generate_remote_hosts()
self.test.registry.register(self, self.test.logger)
def remove_vpp_config(self):
self.test.vapi.ipsec_tunnel_if_add_del(
self.parent_if.local_ip4n, self.parent_if.remote_ip4n,
self.remote_spi, self.local_spi, self.crypto_alg,
self.local_crypto_key, self.remote_crypto_key, self.integ_alg,
self.local_integ_key, self.remote_integ_key, is_add=0)
def __str__(self):
return self.object_id()
def object_id(self):
return "ipsec-tun-if-%d" % self._sw_if_index

132
test/vpp_papi_provider.py
View File

@ -3163,53 +3163,28 @@ class VppPapiProvider(object):
def ipsec_sad_add_del_entry(self,
sad_id,
spi,
integrity_algorithm,
integrity_key,
crypto_algorithm,
crypto_key,
protocol,
tunnel_src_address='',
tunnel_dst_address='',
protocol=0,
integrity_algorithm=2,
integrity_key_length=0,
integrity_key='C91KUR9GYMm5GfkEvNjX',
crypto_algorithm=1,
crypto_key_length=0,
crypto_key='JPjyOWBeVEQiMe7h',
is_add=1,
is_tunnel=1,
is_add=1,
udp_encap=0):
""" IPSEC SA add/del
Sample CLI : 'ipsec sa add 10 spi 1001 esp \
crypto-key 4a506a794f574265564551694d653768 \
crypto-alg aes-cbc-128 \
integ-key 4339314b55523947594d6d3547666b45764e6a58 \
integ-alg sha1-96 tunnel-src 192.168.100.3 \
tunnel-dst 192.168.100.2'
Sample CLI : 'ipsec sa add 20 spi 2001 \
integ-key 4339314b55523947594d6d3547666b45764e6a58 \
integ-alg sha1-96'
:param sad_id - Security Association ID to be \
created or deleted. mandatory
:param spi - security param index of the SA in decimal. mandatory
:param tunnel_src_address - incase of tunnel mode outer src address .\
mandatory for tunnel mode
:param tunnel_dst_address - incase of transport mode \
outer dst address. mandatory for tunnel mode
:param protocol - AH(0) or ESP(1) protocol (Default 0 - AH). optional
:param integrity_algorithm - value range 1-6 Default(2 - SHA1_96).\
optional **
:param integrity_key - value in string \
(Default C91KUR9GYMm5GfkEvNjX).optional
:param integrity_key_length - length of the key string in bytes\
(Default 0 - integrity disabled). optional
:param crypto_algorithm - value range 1-11 Default \
(1- AES_CBC_128).optional **
:param crypto_key - value in string(Default JPjyOWBeVEQiMe7h).optional
:param crypto_key_length - length of the key string in bytes\
(Default 0 - crypto disabled). optional
:param is_add - add(1) or del(0) ipsec SA entry(Default 1 - add) .\
optional
:param is_tunnel - tunnel mode (1) or transport mode(0) \
(Default 1 - tunnel). optional
:returns: reply from the API
:param sad_id: security association ID
:param spi: security param index of the SA in decimal
:param integrity_algorithm:
:param integrity_key:
:param crypto_algorithm:
:param crypto_key:
:param protocol: AH(0) or ESP(1) protocol
:param tunnel_src_address: tunnel mode outer src address
:param tunnel_dst_address: tunnel mode outer dst address
:param is_add:
:param is_tunnel:
:** reference /vpp/src/vnet/ipsec/ipsec.h file for enum values of
crypto and ipsec algorithms
"""
@ -3221,10 +3196,11 @@ class VppPapiProvider(object):
'tunnel_dst_address': tunnel_dst_address,
'protocol': protocol,
'integrity_algorithm': integrity_algorithm,
'integrity_key_length': integrity_key_length,
'integrity_key_length': len(integrity_key),
'integrity_key': integrity_key,
'crypto_algorithm': crypto_algorithm,
'crypto_key_length': crypto_key_length,
'crypto_key_length': len(crypto_key) if crypto_key is not None
else 0,
'crypto_key': crypto_key,
'is_add': is_add,
'is_tunnel': is_tunnel,
@ -3232,6 +3208,7 @@ class VppPapiProvider(object):
def ipsec_spd_add_del_entry(self,
spd_id,
sa_id,
local_address_start,
local_address_stop,
remote_address_start,
@ -3241,7 +3218,6 @@ class VppPapiProvider(object):
remote_port_start=0,
remote_port_stop=65535,
protocol=0,
sa_id=10,
policy=0,
priority=100,
is_outbound=1,
@ -3249,35 +3225,28 @@ class VppPapiProvider(object):
is_ip_any=0):
""" IPSEC policy SPD add/del -
Wrapper to configure ipsec SPD policy entries in VPP
Sample CLI : 'ipsec policy add spd 1 inbound priority 10 action \
protect sa 20 local-ip-range 192.168.4.4 - 192.168.4.4 \
remote-ip-range 192.168.3.3 - 192.168.3.3'
:param spd_id - SPD ID for the policy . mandatory
:param local_address_start - local-ip-range start address . mandatory
:param local_address_stop - local-ip-range stop address . mandatory
:param remote_address_start - remote-ip-range start address . mandatory
:param remote_address_stop - remote-ip-range stop address . mandatory
:param local_port_start - (Default 0) . optional
:param local_port_stop - (Default 65535). optional
:param remote_port_start - (Default 0). optional
:param remote_port_stop - (Default 65535). optional
:param protocol - Any(0), AH(51) & ESP(50) protocol (Default 0 - Any).
optional
:param sa_id - Security Association ID for mapping it to SPD
(default 10). optional
:param policy - bypass(0), discard(1), resolve(2) or protect(3)action
(Default 0 - bypass). optional
:param priotity - value for the spd action (Default 100). optional
:param is_outbound - flag for inbound(0) or outbound(1)
(Default 1 - outbound). optional
:param is_add flag - for addition(1) or deletion(0) of the spd
(Default 1 - addtion). optional
:returns: reply from the API
:param spd_id: SPD ID for the policy
:param local_address_start: local-ip-range start address
:param local_address_stop : local-ip-range stop address
:param remote_address_start: remote-ip-range start address
:param remote_address_stop : remote-ip-range stop address
:param local_port_start: (Default value = 0)
:param local_port_stop: (Default value = 65535)
:param remote_port_start: (Default value = 0)
:param remote_port_stop: (Default value = 65535)
:param protocol: Any(0), AH(51) & ESP(50) protocol (Default value = 0)
:param sa_id: Security Association ID for mapping it to SPD
:param policy: bypass(0), discard(1), resolve(2) or protect(3) action
(Default value = 0)
:param priority: value for the spd action (Default value = 100)
:param is_outbound: flag for inbound(0) or outbound(1)
(Default value = 1)
:param is_add: (Default value = 1)
"""
return self.api(
self.papi.ipsec_spd_add_del_entry,
{'spd_id': spd_id,
'sa_id': sa_id,
'local_address_start': local_address_start,
'local_address_stop': local_address_stop,
'remote_address_start': remote_address_start,
@ -3291,9 +3260,30 @@ class VppPapiProvider(object):
'policy': policy,
'priority': priority,
'is_outbound': is_outbound,
'sa_id': sa_id,
'is_ip_any': is_ip_any})
def ipsec_tunnel_if_add_del(self, local_ip, remote_ip, local_spi,
remote_spi, crypto_alg, local_crypto_key,
remote_crypto_key, integ_alg, local_integ_key,
remote_integ_key, is_add=1, esn=0,
anti_replay=1, renumber=0, show_instance=0):
return self.api(
self.papi.ipsec_tunnel_if_add_del,
{'local_ip': local_ip, 'remote_ip': remote_ip,
'local_spi': local_spi, 'remote_spi': remote_spi,
'crypto_alg': crypto_alg,
'local_crypto_key_len': len(local_crypto_key),
'local_crypto_key': local_crypto_key,
'remote_crypto_key_len': len(remote_crypto_key),
'remote_crypto_key': remote_crypto_key, 'integ_alg': integ_alg,
'local_integ_key_len': len(local_integ_key),
'local_integ_key': local_integ_key,
'remote_integ_key_len': len(remote_integ_key),
'remote_integ_key': remote_integ_key, 'is_add': is_add,
'esn': esn, 'anti_replay': anti_replay, 'renumber': renumber,
'show_instance': show_instance
})
def app_namespace_add(self,
namespace_id,
ip4_fib_id=0,

6
test/vpp_pg_interface.py
View File

@ -84,11 +84,11 @@ class VppPGInterface(VppInterface):
def __init__(self, test, pg_index):
""" Create VPP packet-generator interface """
r = test.vapi.pg_create_interface(pg_index)
self._sw_if_index = r.sw_if_index
super(VppPGInterface, self).__init__(test)
r = test.vapi.pg_create_interface(pg_index)
self.set_sw_if_index(r.sw_if_index)
self._in_history_counter = 0
self._out_history_counter = 0
self._out_assert_counter = 0

32
test/vpp_tunnel_interface.py Normal file
View File

@ -0,0 +1,32 @@
from abc import abstractmethod, ABCMeta
from vpp_pg_interface import is_ipv6_misc
from vpp_interface import VppInterface
class VppTunnelInterface(VppInterface):
""" VPP tunnel interface abstration """
__metaclass__ = ABCMeta
@abstractmethod
def __init__(self, test, parent_if):
super(VppTunnelInterface, self).__init__(test)
self.parent_if = parent_if
@property
def local_mac(self):
return self.parent_if.local_mac
@property
def remote_mac(self):
return self.parent_if.remote_mac
def enable_capture(self):
return self.parent_if.enable_capture()
def add_stream(self, pkts):
return self.parent_if.add_stream(pkts)
def get_capture(self, expected_count=None, remark=None, timeout=1,
filter_out_fn=is_ipv6_misc):
return self.parent_if.get_capture(expected_count, remark, timeout,
filter_out_fn)