eba31ecebe
1) stats are accessed via the stat segment which is more condusive to monitoring 2) stats are accurate in the presence of multiple threads. There's no guarantee that an SA is access from only one worker. Change-Id: Id5e217ea253ddfc9480aaedb0d008dea031b1148 Signed-off-by: Neale Ranns <nranns@cisco.com>
486 lines
20 KiB
Python
486 lines
20 KiB
Python
import unittest
|
|
import socket
|
|
|
|
from scapy.layers.inet import IP, ICMP, TCP
|
|
from scapy.layers.ipsec import SecurityAssociation
|
|
from scapy.layers.l2 import Ether, Raw
|
|
from scapy.layers.inet6 import IPv6, ICMPv6EchoRequest
|
|
|
|
from framework import VppTestCase, VppTestRunner
|
|
from util import ppp
|
|
from vpp_papi import VppEnum
|
|
|
|
|
|
class IPsecIPv4Params(object):
|
|
|
|
addr_type = socket.AF_INET
|
|
addr_any = "0.0.0.0"
|
|
addr_bcast = "255.255.255.255"
|
|
addr_len = 32
|
|
is_ipv6 = 0
|
|
|
|
def __init__(self):
|
|
self.remote_tun_if_host = '1.1.1.1'
|
|
|
|
self.scapy_tun_sa_id = 10
|
|
self.scapy_tun_spi = 1001
|
|
self.vpp_tun_sa_id = 20
|
|
self.vpp_tun_spi = 1000
|
|
|
|
self.scapy_tra_sa_id = 30
|
|
self.scapy_tra_spi = 2001
|
|
self.vpp_tra_sa_id = 40
|
|
self.vpp_tra_spi = 2000
|
|
|
|
self.auth_algo_vpp_id = (VppEnum.vl_api_ipsec_integ_alg_t.
|
|
IPSEC_API_INTEG_ALG_SHA1_96)
|
|
self.auth_algo = 'HMAC-SHA1-96' # scapy name
|
|
self.auth_key = 'C91KUR9GYMm5GfkEvNjX'
|
|
|
|
self.crypt_algo_vpp_id = (VppEnum.vl_api_ipsec_crypto_alg_t.
|
|
IPSEC_API_CRYPTO_ALG_AES_CBC_128)
|
|
self.crypt_algo = 'AES-CBC' # scapy name
|
|
self.crypt_key = 'JPjyOWBeVEQiMe7h'
|
|
|
|
|
|
class IPsecIPv6Params(object):
|
|
|
|
addr_type = socket.AF_INET6
|
|
addr_any = "0::0"
|
|
addr_bcast = "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"
|
|
addr_len = 128
|
|
is_ipv6 = 1
|
|
|
|
def __init__(self):
|
|
self.remote_tun_if_host = '1111:1111:1111:1111:1111:1111:1111:1111'
|
|
|
|
self.scapy_tun_sa_id = 50
|
|
self.scapy_tun_spi = 3001
|
|
self.vpp_tun_sa_id = 60
|
|
self.vpp_tun_spi = 3000
|
|
|
|
self.scapy_tra_sa_id = 70
|
|
self.scapy_tra_spi = 4001
|
|
self.vpp_tra_sa_id = 80
|
|
self.vpp_tra_spi = 4000
|
|
|
|
self.auth_algo_vpp_id = (VppEnum.vl_api_ipsec_integ_alg_t.
|
|
IPSEC_API_INTEG_ALG_SHA_256_128)
|
|
self.auth_algo = 'SHA2-256-128' # scapy name
|
|
self.auth_key = 'C91KUR9GYMm5GfkEvNjX'
|
|
|
|
self.crypt_algo_vpp_id = (VppEnum.vl_api_ipsec_crypto_alg_t.
|
|
IPSEC_API_CRYPTO_ALG_AES_CBC_256)
|
|
self.crypt_algo = 'AES-CBC' # scapy name
|
|
self.crypt_key = 'JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h'
|
|
|
|
|
|
class TemplateIpsec(VppTestCase):
|
|
"""
|
|
TRANSPORT MODE:
|
|
|
|
------ encrypt ---
|
|
|tra_if| <-------> |VPP|
|
|
------ decrypt ---
|
|
|
|
TUNNEL MODE:
|
|
|
|
------ encrypt --- plain ---
|
|
|tun_if| <------- |VPP| <------ |pg1|
|
|
------ --- ---
|
|
|
|
------ decrypt --- plain ---
|
|
|tun_if| -------> |VPP| ------> |pg1|
|
|
------ --- ---
|
|
"""
|
|
|
|
def ipsec_select_backend(self):
|
|
""" empty method to be overloaded when necessary """
|
|
pass
|
|
|
|
def setUp(self):
|
|
super(TemplateIpsec, self).setUp()
|
|
|
|
self.ipv4_params = IPsecIPv4Params()
|
|
self.ipv6_params = IPsecIPv6Params()
|
|
self.params = {self.ipv4_params.addr_type: self.ipv4_params,
|
|
self.ipv6_params.addr_type: self.ipv6_params}
|
|
|
|
self.payload = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"\
|
|
"XXXXXXXXXXXXXXXXXXXXX"
|
|
|
|
self.tun_spd_id = 1
|
|
self.tra_spd_id = 2
|
|
|
|
self.vpp_esp_protocol = (VppEnum.vl_api_ipsec_proto_t.
|
|
IPSEC_API_PROTO_ESP)
|
|
self.vpp_ah_protocol = (VppEnum.vl_api_ipsec_proto_t.
|
|
IPSEC_API_PROTO_AH)
|
|
|
|
self.create_pg_interfaces(range(3))
|
|
self.interfaces = list(self.pg_interfaces)
|
|
for i in self.interfaces:
|
|
i.admin_up()
|
|
i.config_ip4()
|
|
i.resolve_arp()
|
|
i.config_ip6()
|
|
i.resolve_ndp()
|
|
self.ipsec_select_backend()
|
|
|
|
def tearDown(self):
|
|
super(TemplateIpsec, self).tearDown()
|
|
|
|
for i in self.interfaces:
|
|
i.admin_down()
|
|
i.unconfig_ip4()
|
|
i.unconfig_ip6()
|
|
|
|
if not self.vpp_dead:
|
|
self.vapi.cli("show hardware")
|
|
|
|
def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1):
|
|
return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
|
|
sa.encrypt(IP(src=src, dst=dst) / ICMP() / self.payload)
|
|
for i in range(count)]
|
|
|
|
def gen_encrypt_pkts6(self, sa, sw_intf, src, dst, count=1):
|
|
return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
|
|
sa.encrypt(IPv6(src=src, dst=dst) /
|
|
ICMPv6EchoRequest(id=0, seq=1, data=self.payload))
|
|
for i in range(count)]
|
|
|
|
def gen_pkts(self, sw_intf, src, dst, count=1):
|
|
return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
|
|
IP(src=src, dst=dst) / ICMP() / self.payload
|
|
for i in range(count)]
|
|
|
|
def gen_pkts6(self, sw_intf, src, dst, count=1):
|
|
return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
|
|
IPv6(src=src, dst=dst) /
|
|
ICMPv6EchoRequest(id=0, seq=1, data=self.payload)
|
|
for i in range(count)]
|
|
|
|
def configure_sa_tun(self, params):
|
|
ip_class_by_addr_type = {socket.AF_INET: IP, socket.AF_INET6: IPv6}
|
|
scapy_tun_sa = SecurityAssociation(
|
|
self.encryption_type, spi=params.vpp_tun_spi,
|
|
crypt_algo=params.crypt_algo, crypt_key=params.crypt_key,
|
|
auth_algo=params.auth_algo, auth_key=params.auth_key,
|
|
tunnel_header=ip_class_by_addr_type[params.addr_type](
|
|
src=self.tun_if.remote_addr[params.addr_type],
|
|
dst=self.tun_if.local_addr[params.addr_type]))
|
|
vpp_tun_sa = SecurityAssociation(
|
|
self.encryption_type, spi=params.scapy_tun_spi,
|
|
crypt_algo=params.crypt_algo, crypt_key=params.crypt_key,
|
|
auth_algo=params.auth_algo, auth_key=params.auth_key,
|
|
tunnel_header=ip_class_by_addr_type[params.addr_type](
|
|
dst=self.tun_if.remote_addr[params.addr_type],
|
|
src=self.tun_if.local_addr[params.addr_type]))
|
|
return vpp_tun_sa, scapy_tun_sa
|
|
|
|
def configure_sa_tra(self, params):
|
|
params.scapy_tra_sa = SecurityAssociation(self.encryption_type,
|
|
spi=params.vpp_tra_spi,
|
|
crypt_algo=params.crypt_algo,
|
|
crypt_key=params.crypt_key,
|
|
auth_algo=params.auth_algo,
|
|
auth_key=params.auth_key)
|
|
params.vpp_tra_sa = SecurityAssociation(self.encryption_type,
|
|
spi=params.scapy_tra_spi,
|
|
crypt_algo=params.crypt_algo,
|
|
crypt_key=params.crypt_key,
|
|
auth_algo=params.auth_algo,
|
|
auth_key=params.auth_key)
|
|
|
|
|
|
class IpsecTcpTests(object):
|
|
def test_tcp_checksum(self):
|
|
""" verify checksum correctness for vpp generated packets """
|
|
self.vapi.cli("test http server")
|
|
p = self.params[socket.AF_INET]
|
|
vpp_tun_sa, scapy_tun_sa = self.configure_sa_tun(p)
|
|
send = (Ether(src=self.tun_if.remote_mac, dst=self.tun_if.local_mac) /
|
|
scapy_tun_sa.encrypt(IP(src=p.remote_tun_if_host,
|
|
dst=self.tun_if.local_ip4) /
|
|
TCP(flags='S', dport=80)))
|
|
self.logger.debug(ppp("Sending packet:", send))
|
|
recv = self.send_and_expect(self.tun_if, [send], self.tun_if)
|
|
recv = recv[0]
|
|
decrypted = vpp_tun_sa.decrypt(recv[IP])
|
|
self.assert_packet_checksums_valid(decrypted)
|
|
|
|
|
|
class IpsecTraTests(object):
|
|
def test_tra_anti_replay(self, count=1):
|
|
""" ipsec v4 transport anti-reply test """
|
|
p = self.params[socket.AF_INET]
|
|
|
|
# fire in a packet with seq number 1
|
|
pkt = (Ether(src=self.tra_if.remote_mac,
|
|
dst=self.tra_if.local_mac) /
|
|
p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
|
|
dst=self.tra_if.local_ip4) /
|
|
ICMP(),
|
|
seq_num=1))
|
|
recv_pkts = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
|
|
|
|
# now move the window over to 235
|
|
pkt = (Ether(src=self.tra_if.remote_mac,
|
|
dst=self.tra_if.local_mac) /
|
|
p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
|
|
dst=self.tra_if.local_ip4) /
|
|
ICMP(),
|
|
seq_num=235))
|
|
recv_pkts = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
|
|
|
|
# the window size is 64 packets
|
|
# in window are still accepted
|
|
pkt = (Ether(src=self.tra_if.remote_mac,
|
|
dst=self.tra_if.local_mac) /
|
|
p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
|
|
dst=self.tra_if.local_ip4) /
|
|
ICMP(),
|
|
seq_num=172))
|
|
recv_pkts = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
|
|
|
|
# out of window are dropped
|
|
pkt = (Ether(src=self.tra_if.remote_mac,
|
|
dst=self.tra_if.local_mac) /
|
|
p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
|
|
dst=self.tra_if.local_ip4) /
|
|
ICMP(),
|
|
seq_num=17))
|
|
self.send_and_assert_no_replies(self.tra_if, pkt * 17)
|
|
|
|
self.assert_packet_counter_equal(
|
|
'/err/%s/SA replayed packet' % self.tra4_decrypt_node_name, 17)
|
|
|
|
# a packet that does not decrypt does not move the window forward
|
|
bogus_sa = SecurityAssociation(self.encryption_type,
|
|
p.vpp_tra_spi)
|
|
pkt = (Ether(src=self.tra_if.remote_mac,
|
|
dst=self.tra_if.local_mac) /
|
|
bogus_sa.encrypt(IP(src=self.tra_if.remote_ip4,
|
|
dst=self.tra_if.local_ip4) /
|
|
ICMP(),
|
|
seq_num=350))
|
|
self.send_and_assert_no_replies(self.tra_if, pkt * 17)
|
|
|
|
self.assert_packet_counter_equal(
|
|
'/err/%s/Integrity check failed' % self.tra4_decrypt_node_name, 17)
|
|
|
|
# which we can determine since this packet is still in the window
|
|
pkt = (Ether(src=self.tra_if.remote_mac,
|
|
dst=self.tra_if.local_mac) /
|
|
p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
|
|
dst=self.tra_if.local_ip4) /
|
|
ICMP(),
|
|
seq_num=234))
|
|
self.send_and_expect(self.tra_if, [pkt], self.tra_if)
|
|
|
|
# move the security-associations seq number on to the last we used
|
|
p.scapy_tra_sa.seq_num = 351
|
|
p.vpp_tra_sa.seq_num = 351
|
|
|
|
def test_tra_basic(self, count=1):
|
|
""" ipsec v4 transport basic test """
|
|
self.vapi.cli("clear errors")
|
|
try:
|
|
p = self.params[socket.AF_INET]
|
|
send_pkts = self.gen_encrypt_pkts(p.scapy_tra_sa, self.tra_if,
|
|
src=self.tra_if.remote_ip4,
|
|
dst=self.tra_if.local_ip4,
|
|
count=count)
|
|
recv_pkts = self.send_and_expect(self.tra_if, send_pkts,
|
|
self.tra_if)
|
|
for rx in recv_pkts:
|
|
try:
|
|
decrypted = p.vpp_tra_sa.decrypt(rx[IP])
|
|
self.assert_packet_checksums_valid(decrypted)
|
|
except:
|
|
self.logger.debug(ppp("Unexpected packet:", rx))
|
|
raise
|
|
finally:
|
|
self.logger.info(self.vapi.ppcli("show error"))
|
|
self.logger.info(self.vapi.ppcli("show ipsec"))
|
|
|
|
pkts = p.tra_sa_in.get_stats()['packets']
|
|
self.assertEqual(pkts, count,
|
|
"incorrect SA in counts: expected %d != %d" %
|
|
(count, pkts))
|
|
pkts = p.tra_sa_out.get_stats()['packets']
|
|
self.assertEqual(pkts, count,
|
|
"incorrect SA out counts: expected %d != %d" %
|
|
(count, pkts))
|
|
|
|
self.assert_packet_counter_equal(self.tra4_encrypt_node_name, count)
|
|
self.assert_packet_counter_equal(self.tra4_decrypt_node_name, count)
|
|
|
|
def test_tra_burst(self):
|
|
""" ipsec v4 transport burst test """
|
|
self.test_tra_basic(count=257)
|
|
|
|
def test_tra_basic6(self, count=1):
|
|
""" ipsec v6 transport basic test """
|
|
self.vapi.cli("clear errors")
|
|
try:
|
|
p = self.params[socket.AF_INET6]
|
|
send_pkts = self.gen_encrypt_pkts6(p.scapy_tra_sa, self.tra_if,
|
|
src=self.tra_if.remote_ip6,
|
|
dst=self.tra_if.local_ip6,
|
|
count=count)
|
|
recv_pkts = self.send_and_expect(self.tra_if, send_pkts,
|
|
self.tra_if)
|
|
for rx in recv_pkts:
|
|
try:
|
|
decrypted = p.vpp_tra_sa.decrypt(rx[IPv6])
|
|
self.assert_packet_checksums_valid(decrypted)
|
|
except:
|
|
self.logger.debug(ppp("Unexpected packet:", rx))
|
|
raise
|
|
finally:
|
|
self.logger.info(self.vapi.ppcli("show error"))
|
|
self.logger.info(self.vapi.ppcli("show ipsec"))
|
|
|
|
pkts = p.tra_sa_in.get_stats()['packets']
|
|
self.assertEqual(pkts, count,
|
|
"incorrect SA in counts: expected %d != %d" %
|
|
(count, pkts))
|
|
pkts = p.tra_sa_out.get_stats()['packets']
|
|
self.assertEqual(pkts, count,
|
|
"incorrect SA out counts: expected %d != %d" %
|
|
(count, pkts))
|
|
self.assert_packet_counter_equal(self.tra6_encrypt_node_name, count)
|
|
self.assert_packet_counter_equal(self.tra6_decrypt_node_name, count)
|
|
|
|
def test_tra_burst6(self):
|
|
""" ipsec v6 transport burst test """
|
|
self.test_tra_basic6(count=257)
|
|
|
|
|
|
class IpsecTun4Tests(object):
|
|
def test_tun_basic44(self, count=1):
|
|
""" ipsec 4o4 tunnel basic test """
|
|
self.vapi.cli("clear errors")
|
|
try:
|
|
p = self.params[socket.AF_INET]
|
|
vpp_tun_sa, scapy_tun_sa = self.configure_sa_tun(p)
|
|
send_pkts = self.gen_encrypt_pkts(scapy_tun_sa, self.tun_if,
|
|
src=p.remote_tun_if_host,
|
|
dst=self.pg1.remote_ip4,
|
|
count=count)
|
|
recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1)
|
|
for recv_pkt in recv_pkts:
|
|
self.assert_equal(recv_pkt[IP].src, p.remote_tun_if_host)
|
|
self.assert_equal(recv_pkt[IP].dst, self.pg1.remote_ip4)
|
|
self.assert_packet_checksums_valid(recv_pkt)
|
|
send_pkts = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4,
|
|
dst=p.remote_tun_if_host, count=count)
|
|
recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.tun_if)
|
|
for recv_pkt in recv_pkts:
|
|
try:
|
|
decrypt_pkt = vpp_tun_sa.decrypt(recv_pkt[IP])
|
|
if not decrypt_pkt.haslayer(IP):
|
|
decrypt_pkt = IP(decrypt_pkt[Raw].load)
|
|
self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip4)
|
|
self.assert_equal(decrypt_pkt.dst, p.remote_tun_if_host)
|
|
self.assert_packet_checksums_valid(decrypt_pkt)
|
|
except:
|
|
self.logger.debug(ppp("Unexpected packet:", recv_pkt))
|
|
try:
|
|
self.logger.debug(
|
|
ppp("Decrypted packet:", decrypt_pkt))
|
|
except:
|
|
pass
|
|
raise
|
|
finally:
|
|
self.logger.info(self.vapi.ppcli("show error"))
|
|
self.logger.info(self.vapi.ppcli("show ipsec"))
|
|
|
|
if (hasattr(p, "spd_policy_in_any")):
|
|
pkts = p.spd_policy_in_any.get_stats()['packets']
|
|
self.assertEqual(pkts, count,
|
|
"incorrect SPD any policy: expected %d != %d" %
|
|
(count, pkts))
|
|
|
|
if (hasattr(p, "tun_sa_in")):
|
|
pkts = p.tun_sa_in.get_stats()['packets']
|
|
self.assertEqual(pkts, count,
|
|
"incorrect SA in counts: expected %d != %d" %
|
|
(count, pkts))
|
|
pkts = p.tun_sa_out.get_stats()['packets']
|
|
self.assertEqual(pkts, count,
|
|
"incorrect SA out counts: expected %d != %d" %
|
|
(count, pkts))
|
|
|
|
self.assert_packet_counter_equal(self.tun4_encrypt_node_name, count)
|
|
self.assert_packet_counter_equal(self.tun4_decrypt_node_name, count)
|
|
|
|
def test_tun_burst44(self):
|
|
""" ipsec 4o4 tunnel burst test """
|
|
self.test_tun_basic44(count=257)
|
|
|
|
|
|
class IpsecTun6Tests(object):
|
|
def test_tun_basic66(self, count=1):
|
|
""" ipsec 6o6 tunnel basic test """
|
|
self.vapi.cli("clear errors")
|
|
try:
|
|
p = self.params[socket.AF_INET6]
|
|
vpp_tun_sa, scapy_tun_sa = self.configure_sa_tun(p)
|
|
send_pkts = self.gen_encrypt_pkts6(scapy_tun_sa, self.tun_if,
|
|
src=p.remote_tun_if_host,
|
|
dst=self.pg1.remote_ip6,
|
|
count=count)
|
|
recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1)
|
|
for recv_pkt in recv_pkts:
|
|
self.assert_equal(recv_pkt[IPv6].src, p.remote_tun_if_host)
|
|
self.assert_equal(recv_pkt[IPv6].dst, self.pg1.remote_ip6)
|
|
self.assert_packet_checksums_valid(recv_pkt)
|
|
send_pkts = self.gen_pkts6(self.pg1, src=self.pg1.remote_ip6,
|
|
dst=p.remote_tun_if_host,
|
|
count=count)
|
|
recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.tun_if)
|
|
for recv_pkt in recv_pkts:
|
|
try:
|
|
decrypt_pkt = vpp_tun_sa.decrypt(recv_pkt[IPv6])
|
|
if not decrypt_pkt.haslayer(IPv6):
|
|
decrypt_pkt = IPv6(decrypt_pkt[Raw].load)
|
|
self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip6)
|
|
self.assert_equal(decrypt_pkt.dst, p.remote_tun_if_host)
|
|
self.assert_packet_checksums_valid(decrypt_pkt)
|
|
except:
|
|
self.logger.debug(ppp("Unexpected packet:", recv_pkt))
|
|
try:
|
|
self.logger.debug(
|
|
ppp("Decrypted packet:", decrypt_pkt))
|
|
except:
|
|
pass
|
|
raise
|
|
finally:
|
|
self.logger.info(self.vapi.ppcli("show error"))
|
|
self.logger.info(self.vapi.ppcli("show ipsec"))
|
|
|
|
pkts = p.tun_sa_in.get_stats()['packets']
|
|
self.assertEqual(pkts, count,
|
|
"incorrect SA in counts: expected %d != %d" %
|
|
(count, pkts))
|
|
pkts = p.tun_sa_out.get_stats()['packets']
|
|
self.assertEqual(pkts, count,
|
|
"incorrect SA out counts: expected %d != %d" %
|
|
(count, pkts))
|
|
self.assert_packet_counter_equal(self.tun6_encrypt_node_name, count)
|
|
self.assert_packet_counter_equal(self.tun6_decrypt_node_name, count)
|
|
|
|
def test_tun_burst66(self):
|
|
""" ipsec 6o6 tunnel burst test """
|
|
self.test_tun_basic66(count=257)
|
|
|
|
|
|
class IpsecTunTests(IpsecTun4Tests, IpsecTun6Tests):
|
|
pass
|
|
|
|
|
|
if __name__ == '__main__':
|
|
unittest.main(testRunner=VppTestRunner)
|