aboutsummaryrefslogtreecommitdiffstats
path: root/resources/libraries/python/IPsecUtil.py
diff options
context:
space:
mode:
Diffstat (limited to 'resources/libraries/python/IPsecUtil.py')
-rw-r--r--resources/libraries/python/IPsecUtil.py427
1 files changed, 82 insertions, 345 deletions
diff --git a/resources/libraries/python/IPsecUtil.py b/resources/libraries/python/IPsecUtil.py
index d7f2136138..6ae8d10c43 100644
--- a/resources/libraries/python/IPsecUtil.py
+++ b/resources/libraries/python/IPsecUtil.py
@@ -32,7 +32,6 @@ from resources.libraries.python.IPUtil import IPUtil, IpDscp, \
from resources.libraries.python.PapiExecutor import PapiSocketExecutor
from resources.libraries.python.ssh import scp_node
from resources.libraries.python.topology import Topology, NodeType
-from resources.libraries.python.VatExecutor import VatExecutor
from resources.libraries.python.VPPUtil import VPPUtil
from resources.libraries.python.FlowUtil import FlowUtil
@@ -518,30 +517,6 @@ class IPsecUtil:
else:
addr_incr = 0
- if int(n_entries) > 10:
- tmp_filename = f"/tmp/ipsec_sad_{sad_id}_add_del_entry.script"
-
- with open(tmp_filename, 'w') as tmp_file:
- for i in range(n_entries):
- integ = f"integ-alg {integ_alg.alg_name} " \
- f"integ-key {integ_key.hex()}" \
- if integ_alg else u""
- tunnel = f"tunnel src {src_addr + i * addr_incr} " \
- f"tunnel dst {dst_addr + i * addr_incr}" \
- if tunnel_src and tunnel_dst else u""
- conf = f"exec ipsec sa add {sad_id + i} esp spi {spi + i} "\
- f"crypto-alg {crypto_alg.alg_name} " \
- f"crypto-key {crypto_key.hex()} " \
- f"{integ} {tunnel}\n"
- tmp_file.write(conf)
- vat = VatExecutor()
- vat.execute_script(
- tmp_filename, node, timeout=300, json_out=False,
- copy_on_execute=True
- )
- os.remove(tmp_filename)
- return
-
ckey = dict(
length=len(crypto_key),
data=crypto_key
@@ -633,33 +608,6 @@ class IPsecUtil:
addr_incr = 1 << (128 - raddr_range) if tunnel_src.version == 6 \
else 1 << (32 - raddr_range)
- if int(n_tunnels) > 10:
- tmp_filename = u"/tmp/ipsec_set_ip.script"
-
- with open(tmp_filename, 'w') as tmp_file:
- if_name = Topology.get_interface_name(node, interface)
- for i in range(n_tunnels):
- tunnel_dst_addr = tunnel_dst + i * addr_incr
- conf = f"exec set interface ip address {if_name} " \
- f"{tunnel_src + i * addr_incr}/{raddr_range}\n" \
- f"exec ip route add {traffic_addr + i}/" \
- f"{tunnel_dst_prefix} " \
- f"via {tunnel_dst_addr} {if_name}\n" \
- f"exec ip route add {tunnel_dst_addr}/" \
- f"{tunnel_dst_prefix} " \
- f"via {tunnel_dst_addr} {if_name}\n"
- if dst_mac:
- conf = f"{conf}exec set ip neighbor {if_name} " \
- f"{tunnel_dst + i * addr_incr} {dst_mac}\n"
- tmp_file.write(conf)
-
- VatExecutor().execute_script(
- tmp_filename, node, timeout=300, json_out=False,
- copy_on_execute=True
- )
- os.remove(tmp_filename)
- return
-
cmd1 = u"sw_interface_add_del_address"
args1 = dict(
sw_if_index=InterfaceUtil.get_interface_index(node, interface),
@@ -701,8 +649,8 @@ class IPsecUtil:
interface=interface, gateway=tunnel_dst_addr
)
history = bool(not 1 < i < n_tunnels - 2)
- papi_exec.add(cmd1, history=history, **args1).\
- add(cmd2, history=history, **args2)
+ papi_exec.add(cmd1, history=history, **args1)
+ papi_exec.add(cmd2, history=history, **args2)
args2[u"route"] = IPUtil.compose_vpp_route_structure(
node, tunnel_dst_addr,
@@ -879,13 +827,17 @@ class IPsecUtil:
IPsecUtil.vpp_ipsec_show_all(node)
@staticmethod
- def vpp_ipsec_add_spd_entry(
- node, spd_id, priority, action, inbound=True, sa_id=None,
+ def _vpp_ipsec_add_spd_entry_internal(
+ executor, spd_id, priority, action, inbound=True, sa_id=None,
proto=None, laddr_range=None, raddr_range=None, lport_range=None,
rport_range=None, is_ipv6=False):
- """Create Security Policy Database entry on the VPP node.
+ """Prepare to create Security Policy Database entry on the VPP node.
- :param node: VPP node to add SPD entry on.
+ This just adds one more command to the executor.
+ The call site shall get replies once all entries are added,
+ to get speed benefit from async PAPI.
+
+ :param executor: Open PAPI executor (async handling) to add commands to.
:param spd_id: SPD ID to add entry on.
:param priority: SPD entry priority, higher number = higher priority.
:param action: Policy action.
@@ -905,7 +857,7 @@ class IPsecUtil:
<port_start>-<port_end>.
:param is_ipv6: True in case of IPv6 policy when IPv6 address range is
not defined so it will default to address ::/0, otherwise False.
- :type node: dict
+ :type executor: PapiSocketExecutor
:type spd_id: int
:type priority: int
:type action: IPsecUtil.PolicyAction
@@ -928,8 +880,6 @@ class IPsecUtil:
remote_net = ip_network(raddr_range, strict=False)
cmd = u"ipsec_spd_entry_add_del"
- err_msg = f"Failed to add entry to Security Policy Database " \
- f"{spd_id} on host {node[u'host']}"
spd_entry = dict(
spd_id=int(spd_id),
@@ -963,8 +913,56 @@ class IPsecUtil:
is_add=True,
entry=spd_entry
)
- with PapiSocketExecutor(node) as papi_exec:
- papi_exec.add(cmd, **args).get_reply(err_msg)
+ executor.add(cmd, **args)
+
+ @staticmethod
+ def vpp_ipsec_add_spd_entry(
+ node, spd_id, priority, action, inbound=True, sa_id=None,
+ proto=None, laddr_range=None, raddr_range=None, lport_range=None,
+ rport_range=None, is_ipv6=False):
+ """Create Security Policy Database entry on the VPP node.
+
+ :param node: VPP node to add SPD entry on.
+ :param spd_id: SPD ID to add entry on.
+ :param priority: SPD entry priority, higher number = higher priority.
+ :param action: Policy action.
+ :param inbound: If True policy is for inbound traffic, otherwise
+ outbound.
+ :param sa_id: SAD entry ID for action PolicyAction.PROTECT.
+ :param proto: Policy selector next layer protocol number.
+ :param laddr_range: Policy selector local IPv4 or IPv6 address range
+ in format IP/prefix or IP/mask. If no mask is provided,
+ it's considered to be /32.
+ :param raddr_range: Policy selector remote IPv4 or IPv6 address range
+ in format IP/prefix or IP/mask. If no mask is provided,
+ it's considered to be /32.
+ :param lport_range: Policy selector local TCP/UDP port range in format
+ <port_start>-<port_end>.
+ :param rport_range: Policy selector remote TCP/UDP port range in format
+ <port_start>-<port_end>.
+ :param is_ipv6: True in case of IPv6 policy when IPv6 address range is
+ not defined so it will default to address ::/0, otherwise False.
+ :type node: dict
+ :type spd_id: int
+ :type priority: int
+ :type action: IPsecUtil.PolicyAction
+ :type inbound: bool
+ :type sa_id: int
+ :type proto: int
+ :type laddr_range: string
+ :type raddr_range: string
+ :type lport_range: string
+ :type rport_range: string
+ :type is_ipv6: bool
+ """
+ err_msg = f"Failed to add entry to Security Policy Database " \
+ f"{spd_id} on host {node[u'host']}"
+ with PapiSocketExecutor(node, is_async=True) as papi_exec:
+ IPsecUtil._vpp_ipsec_add_spd_entry_internal(
+ papi_exec, spd_id, priority, action, inbound, sa_id, proto,
+ laddr_range, raddr_range, lport_range, rport_range, is_ipv6
+ )
+ papi_exec.get_replies(err_msg)
@staticmethod
def vpp_ipsec_add_spd_entries(
@@ -1026,266 +1024,17 @@ class IPsecUtil:
if rport_range:
rport_range_start, rport_range_stop = rport_range.split('-')
- if int(n_entries) > 10:
- tmp_filename = f"/tmp/ipsec_spd_{spd_id}_add_del_entry.script"
-
- with open(tmp_filename, 'w') as tmp_file:
- for _ in range(n_entries):
- direction = u'inbound' if inbound else u'outbound'
- sa = f' sa {sa_id.inc_fmt()}' if sa_id is not None else ''
- protocol = f' protocol {protocol}' if proto else ''
- local_port_range = f' local-port-range ' \
- f'{lport_range_start} - {lport_range_stop}' \
- if lport_range else ''
- remote_port_range = f' remote-port-range ' \
- f'{rport_range_start} - {rport_range_stop}' \
- if rport_range else ''
-
- spd_cfg = f"exec ipsec policy add spd {spd_id} " \
- f"priority {priority.inc_fmt()} {direction}" \
- f"{protocol} action {action}{sa} " \
- f"local-ip-range {laddr_range.inc_fmt()} " \
- f"remote-ip-range {raddr_range.inc_fmt()}" \
- f"{local_port_range}{remote_port_range}\n"
-
- tmp_file.write(spd_cfg)
-
- VatExecutor().execute_script(
- tmp_filename, node, timeout=300, json_out=False,
- copy_on_execute=True
- )
- os.remove(tmp_filename)
- return
-
- for _ in range(n_entries):
- IPsecUtil.vpp_ipsec_add_spd_entry(
- node, spd_id, next(priority), action, inbound,
- next(sa_id) if sa_id is not None else sa_id,
- proto, next(laddr_range), next(raddr_range), lport_range,
- rport_range, is_ipv6
- )
-
- @staticmethod
- def _ipsec_create_tunnel_interfaces_dut1_vat(
- nodes, tun_ips, if1_key, if2_key, n_tunnels, crypto_alg, integ_alg,
- raddr_ip2, addr_incr, spi_d, existing_tunnels=0):
- """Create multiple IPsec tunnel interfaces on DUT1 node using VAT.
-
- Generate random keys and return them (so DUT2 or TG can decrypt).
-
- :param nodes: VPP nodes to create tunnel interfaces.
- :param tun_ips: Dictionary with VPP node 1 ipsec tunnel interface
- IPv4/IPv6 address (ip1) and VPP node 2 ipsec tunnel interface
- IPv4/IPv6 address (ip2).
- :param if1_key: VPP node 1 interface key from topology file.
- :param if2_key: VPP node 2 / TG node (in case of 2-node topology)
- interface key from topology file.
- :param n_tunnels: Number of tunnel interfaces to be there at the end.
- :param crypto_alg: The encryption algorithm name.
- :param integ_alg: The integrity algorithm name.
- :param raddr_ip2: Policy selector remote IPv4/IPv6 start address for the
- first tunnel in direction node2->node1.
- :param spi_d: Dictionary with SPIs for VPP node 1 and VPP node 2.
- :param addr_incr: IP / IPv6 address incremental step.
- :param existing_tunnels: Number of tunnel interfaces before creation.
- Useful mainly for reconf tests. Default 0.
- :type nodes: dict
- :type tun_ips: dict
- :type if1_key: str
- :type if2_key: str
- :type n_tunnels: int
- :type crypto_alg: CryptoAlg
- :type integ_alg: Optional[IntegAlg]
- :type raddr_ip2: IPv4Address or IPv6Address
- :type addr_incr: int
- :type spi_d: dict
- :type existing_tunnels: int
- :returns: Generated ckeys and ikeys.
- :rtype: List[bytes], List[bytes]
- """
- tmp_fn1 = u"/tmp/ipsec_create_tunnel_dut1.config"
- if1_n = Topology.get_interface_name(nodes[u"DUT1"], if1_key)
-
- ckeys = [bytes()] * existing_tunnels
- ikeys = [bytes()] * existing_tunnels
-
- vat = VatExecutor()
- with open(tmp_fn1, u"w") as tmp_f1:
- rmac = Topology.get_interface_mac(nodes[u"DUT2"], if2_key) \
- if u"DUT2" in nodes.keys() \
- else Topology.get_interface_mac(nodes[u"TG"], if2_key)
- if not existing_tunnels:
- tmp_f1.write(
- f"exec create loopback interface\n"
- f"exec set interface state loop0 up\n"
- f"exec set interface ip address {if1_n} "
- f"{tun_ips[u'ip2'] - 1}/"
- f"{len(tun_ips[u'ip2'].packed)*8*3//4}\n"
- f"exec set ip neighbor {if1_n} {tun_ips[u'ip2']} {rmac} "
- f"static\n"
- )
- for i in range(existing_tunnels, n_tunnels):
- ckeys.append(
- gen_key(IPsecUtil.get_crypto_alg_key_len(crypto_alg))
- )
- ikeys.append(
- gen_key(IPsecUtil.get_integ_alg_key_len(integ_alg))
- )
- if integ_alg:
- integ = f"integ-alg {integ_alg.alg_name} " \
- f"integ-key {ikeys[i].hex()} "
- else:
- integ = u""
- tmp_f1.write(
- f"exec set interface ip address loop0 "
- f"{tun_ips[u'ip1'] + i * addr_incr}/32\n"
- f"exec create ipip tunnel "
- f"src {tun_ips[u'ip1'] + i * addr_incr} "
- f"dst {tun_ips[u'ip2']} "
- f"p2p\n"
- f"exec ipsec sa add {i} "
- f"spi {spi_d[u'spi_1'] + i} "
- f"crypto-alg {crypto_alg.alg_name} "
- f"crypto-key {ckeys[i].hex()} "
- f"{integ}"
- f"esp\n"
- f"exec ipsec sa add {100000 + i} "
- f"spi {spi_d[u'spi_2'] + i} "
- f"crypto-alg {crypto_alg.alg_name} "
- f"crypto-key {ckeys[i].hex()} "
- f"{integ}"
- f"esp\n"
- f"exec ipsec tunnel protect ipip{i} "
- f"sa-out {i} "
- f"sa-in {100000 + i} "
- f"add\n"
- )
- vat.execute_script(
- tmp_fn1, nodes[u"DUT1"], timeout=1800, json_out=False,
- copy_on_execute=True,
- history=bool(n_tunnels < 100)
- )
- os.remove(tmp_fn1)
-
- with open(tmp_fn1, 'w') as tmp_f1:
- for i in range(existing_tunnels, n_tunnels):
- tmp_f1.write(
- f"exec set interface unnumbered ipip{i} use {if1_n}\n"
- f"exec set interface state ipip{i} up\n"
- f"exec ip route add "
- f"{raddr_ip2 + i}/{len(raddr_ip2.packed)*8} "
- f"via ipip{i}\n"
- )
- vat.execute_script(
- tmp_fn1, nodes[u"DUT1"], timeout=1800, json_out=False,
- copy_on_execute=True,
- history=bool(n_tunnels < 100)
- )
- os.remove(tmp_fn1)
-
- return ckeys, ikeys
-
- @staticmethod
- def _ipsec_create_tunnel_interfaces_dut2_vat(
- nodes, tun_ips, if2_key, n_tunnels, crypto_alg, ckeys, integ_alg,
- ikeys, raddr_ip1, addr_incr, spi_d, existing_tunnels=0):
- """Create multiple IPsec tunnel interfaces on DUT2 node using VAT.
-
- This method accesses keys generated by DUT1 method
- and does not return anything.
-
- :param nodes: VPP nodes to create tunnel interfaces.
- :param tun_ips: Dictionary with VPP node 1 ipsec tunnel interface
- IPv4/IPv6 address (ip1) and VPP node 2 ipsec tunnel interface
- IPv4/IPv6 address (ip2).
- :param if2_key: VPP node 2 / TG node (in case of 2-node topology)
- interface key from topology file.
- :param n_tunnels: Number of tunnel interfaces to be there at the end.
- :param crypto_alg: The encryption algorithm name.
- :param ckeys: List of encryption keys.
- :param integ_alg: The integrity algorithm name.
- :param ikeys: List of integrity keys.
- :param spi_d: Dictionary with SPIs for VPP node 1 and VPP node 2.
- :param addr_incr: IP / IPv6 address incremental step.
- :param existing_tunnels: Number of tunnel interfaces before creation.
- Useful mainly for reconf tests. Default 0.
- :type nodes: dict
- :type tun_ips: dict
- :type if2_key: str
- :type n_tunnels: int
- :type crypto_alg: CryptoAlg
- :type ckeys: Sequence[bytes]
- :type integ_alg: Optional[IntegAlg]
- :type ikeys: Sequence[bytes]
- :type addr_incr: int
- :type spi_d: dict
- :type existing_tunnels: int
- """
- tmp_fn2 = u"/tmp/ipsec_create_tunnel_dut2.config"
- if2_n = Topology.get_interface_name(nodes[u"DUT2"], if2_key)
-
- vat = VatExecutor()
- with open(tmp_fn2, 'w') as tmp_f2:
- if not existing_tunnels:
- tmp_f2.write(
- f"exec set interface ip address {if2_n}"
- f" {tun_ips[u'ip2']}/{len(tun_ips[u'ip2'].packed)*8*3/4}\n"
- )
- for i in range(existing_tunnels, n_tunnels):
- if integ_alg:
- integ = f"integ-alg {integ_alg.alg_name} " \
- f"integ-key {ikeys[i].hex()} "
- else:
- integ = u""
- tmp_f2.write(
- f"exec create ipip tunnel "
- f"src {tun_ips[u'ip2']} "
- f"dst {tun_ips[u'ip1'] + i * addr_incr} "
- f"p2p\n"
- f"exec ipsec sa add {100000 + i} "
- f"spi {spi_d[u'spi_2'] + i} "
- f"crypto-alg {crypto_alg.alg_name} "
- f"crypto-key {ckeys[i].hex()} "
- f"{integ}"
- f"esp\n"
- f"exec ipsec sa add {i} "
- f"spi {spi_d[u'spi_1'] + i} "
- f"crypto-alg {crypto_alg.alg_name} "
- f"crypto-key {ckeys[i].hex()} "
- f"{integ}"
- f"esp\n"
- f"exec ipsec tunnel protect ipip{i} "
- f"sa-out {100000 + i} "
- f"sa-in {i} "
- f"add\n"
- )
- vat.execute_script(
- tmp_fn2, nodes[u"DUT2"], timeout=1800, json_out=False,
- copy_on_execute=True,
- history=bool(n_tunnels < 100)
- )
- os.remove(tmp_fn2)
-
- with open(tmp_fn2, 'w') as tmp_f2:
- if not existing_tunnels:
- tmp_f2.write(
- f"exec ip route add {tun_ips[u'ip1']}/8 "
- f"via {tun_ips[u'ip2'] - 1} {if2_n}\n"
- )
- for i in range(existing_tunnels, n_tunnels):
- tmp_f2.write(
- f"exec set interface unnumbered ipip{i} use {if2_n}\n"
- f"exec set interface state ipip{i} up\n"
- f"exec ip route add "
- f"{raddr_ip1 + i}/{len(raddr_ip1.packed)*8} "
- f"via ipip{i}\n"
+ err_msg = f"Failed to add entry to Security Policy Database " \
+ f"{spd_id} on host {node[u'host']}"
+ with PapiSocketExecutor(node, is_async=True) as papi_exec:
+ for _ in range(n_entries):
+ IPsecUtil._vpp_ipsec_add_spd_entry_internal(
+ papi_exec, spd_id, next(priority), action, inbound,
+ next(sa_id) if sa_id is not None else sa_id,
+ proto, next(laddr_range), next(raddr_range), lport_range,
+ rport_range, is_ipv6
)
- vat.execute_script(
- tmp_fn2, nodes[u"DUT2"], timeout=1800, json_out=False,
- copy_on_execute=True,
- history=bool(n_tunnels < 100)
- )
- os.remove(tmp_fn2)
+ papi_exec.get_replies(err_msg)
@staticmethod
def _ipsec_create_loopback_dut1_papi(nodes, tun_ips, if1_key, if2_key):
@@ -1314,8 +1063,8 @@ class IPsecUtil:
)
err_msg = f"Failed to create loopback interface " \
f"on host {nodes[u'DUT1'][u'host']}"
- loop_sw_if_idx = papi_exec.add(cmd, **args). \
- get_sw_if_index(err_msg)
+ papi_exec.add(cmd, **args)
+ loop_sw_if_idx = papi_exec.get_sw_if_index(err_msg)
cmd = u"sw_interface_set_flags"
args = dict(
sw_if_index=loop_sw_if_idx,
@@ -1928,28 +1677,16 @@ class IPsecUtil:
addr_incr = 1 << (128 - raddr_range) if tun_ips[u"ip1"].version == 6 \
else 1 << (32 - raddr_range)
- if n_tunnels - existing_tunnels > 10:
- ckeys, ikeys = IPsecUtil._ipsec_create_tunnel_interfaces_dut1_vat(
- nodes, tun_ips, if1_key, if2_key, n_tunnels, crypto_alg,
- integ_alg, raddr_ip2, addr_incr, spi_d, existing_tunnels
- )
- if u"DUT2" in nodes.keys():
- IPsecUtil._ipsec_create_tunnel_interfaces_dut2_vat(
- nodes, tun_ips, if2_key, n_tunnels, crypto_alg, ckeys,
- integ_alg, ikeys, raddr_ip1, addr_incr, spi_d,
- existing_tunnels
- )
- else:
- ckeys, ikeys = IPsecUtil._ipsec_create_tunnel_interfaces_dut1_papi(
- nodes, tun_ips, if1_key, if2_key, n_tunnels, crypto_alg,
- integ_alg, raddr_ip2, addr_incr, spi_d, existing_tunnels
+ ckeys, ikeys = IPsecUtil._ipsec_create_tunnel_interfaces_dut1_papi(
+ nodes, tun_ips, if1_key, if2_key, n_tunnels, crypto_alg,
+ integ_alg, raddr_ip2, addr_incr, spi_d, existing_tunnels
+ )
+ if u"DUT2" in nodes.keys():
+ IPsecUtil._ipsec_create_tunnel_interfaces_dut2_papi(
+ nodes, tun_ips, if2_key, n_tunnels, crypto_alg, ckeys,
+ integ_alg, ikeys, raddr_ip1, addr_incr, spi_d,
+ existing_tunnels
)
- if u"DUT2" in nodes.keys():
- IPsecUtil._ipsec_create_tunnel_interfaces_dut2_papi(
- nodes, tun_ips, if2_key, n_tunnels, crypto_alg, ckeys,
- integ_alg, ikeys, raddr_ip1, addr_incr, spi_d,
- existing_tunnels
- )
if return_keys:
return ckeys, ikeys, spi_d[u"spi_1"], spi_d[u"spi_2"]