diff options
Diffstat (limited to 'resources/libraries/python/IPsecUtil.py')
| -rw-r--r-- | resources/libraries/python/IPsecUtil.py | 1783 |
1 files changed, 882 insertions, 901 deletions
diff --git a/resources/libraries/python/IPsecUtil.py b/resources/libraries/python/IPsecUtil.py index 6ed2db1eae..dd7bd068fa 100644 --- a/resources/libraries/python/IPsecUtil.py +++ b/resources/libraries/python/IPsecUtil.py @@ -1,5 +1,5 @@ -# Copyright (c) 2022 Cisco and/or its affiliates. -# Copyright (c) 2022 PANTHEON.tech s.r.o. +# Copyright (c) 2024 Cisco and/or its affiliates. +# Copyright (c) 2024 PANTHEON.tech s.r.o. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at: @@ -14,30 +14,36 @@ """IPsec utilities library.""" -import os - from enum import Enum, IntEnum from io import open from ipaddress import ip_network, ip_address from random import choice from string import ascii_letters +from robot.libraries.BuiltIn import BuiltIn + from resources.libraries.python.Constants import Constants from resources.libraries.python.IncrementUtil import ObjIncrement -from resources.libraries.python.InterfaceUtil import InterfaceUtil, \ - InterfaceStatusFlags +from resources.libraries.python.InterfaceUtil import ( + InterfaceUtil, + InterfaceStatusFlags, +) from resources.libraries.python.IPAddress import IPAddress -from resources.libraries.python.IPUtil import IPUtil, IpDscp, \ - MPLS_LABEL_INVALID, NetworkIncrement +from resources.libraries.python.IPUtil import ( + IPUtil, + IpDscp, + MPLS_LABEL_INVALID, + NetworkIncrement, +) from resources.libraries.python.PapiExecutor import PapiSocketExecutor from resources.libraries.python.ssh import scp_node from resources.libraries.python.topology import Topology, NodeType -from resources.libraries.python.VatExecutor import VatExecutor from resources.libraries.python.VPPUtil import VPPUtil from resources.libraries.python.FlowUtil import FlowUtil -IPSEC_UDP_PORT_NONE = 0xffff +IPSEC_UDP_PORT_DEFAULT = 4500 +IPSEC_REPLAY_WINDOW_DEFAULT = 64 def gen_key(length): @@ -48,16 +54,17 @@ def gen_key(length): :returns: The generated payload. :rtype: bytes """ - return u"".join( - choice(ascii_letters) for _ in range(length) - ).encode(encoding=u"utf-8") + return "".join(choice(ascii_letters) for _ in range(length)).encode( + encoding="utf-8" + ) class PolicyAction(Enum): """Policy actions.""" - BYPASS = (u"bypass", 0) - DISCARD = (u"discard", 1) - PROTECT = (u"protect", 3) + + BYPASS = ("bypass", 0) + DISCARD = ("discard", 1) + PROTECT = ("protect", 3) def __init__(self, policy_name, policy_int_repr): self.policy_name = policy_name @@ -72,10 +79,11 @@ class PolicyAction(Enum): class CryptoAlg(Enum): """Encryption algorithms.""" - AES_CBC_128 = (u"aes-cbc-128", 1, u"AES-CBC", 16) - AES_CBC_256 = (u"aes-cbc-256", 3, u"AES-CBC", 32) - AES_GCM_128 = (u"aes-gcm-128", 7, u"AES-GCM", 16) - AES_GCM_256 = (u"aes-gcm-256", 9, u"AES-GCM", 32) + + AES_CBC_128 = ("aes-cbc-128", 1, "AES-CBC", 16) + AES_CBC_256 = ("aes-cbc-256", 3, "AES-CBC", 32) + AES_GCM_128 = ("aes-gcm-128", 7, "AES-GCM", 16) + AES_GCM_256 = ("aes-gcm-256", 9, "AES-GCM", 32) def __init__(self, alg_name, alg_int_repr, scapy_name, key_len): self.alg_name = alg_name @@ -86,8 +94,9 @@ class CryptoAlg(Enum): class IntegAlg(Enum): """Integrity algorithm.""" - SHA_256_128 = (u"sha-256-128", 4, u"SHA2-256-128", 32) - SHA_512_256 = (u"sha-512-256", 6, u"SHA2-512-256", 64) + + SHA_256_128 = ("sha-256-128", 4, "SHA2-256-128", 32) + SHA_512_256 = ("sha-512-256", 6, "SHA2-512-256", 64) def __init__(self, alg_name, alg_int_repr, scapy_name, key_len): self.alg_name = alg_name @@ -98,12 +107,14 @@ class IntegAlg(Enum): class IPsecProto(IntEnum): """IPsec protocol.""" + IPSEC_API_PROTO_ESP = 50 IPSEC_API_PROTO_AH = 51 class IPsecSadFlags(IntEnum): """IPsec Security Association Database flags.""" + IPSEC_API_SAD_FLAG_NONE = 0 # Enable extended sequence numbers IPSEC_API_SAD_FLAG_USE_ESN = 0x01 @@ -122,6 +133,7 @@ class IPsecSadFlags(IntEnum): class TunnelEncpaDecapFlags(IntEnum): """Flags controlling tunnel behaviour.""" + TUNNEL_API_ENCAP_DECAP_FLAG_NONE = 0 # at encap, copy the DF bit of the payload into the tunnel header TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_DF = 1 @@ -137,6 +149,7 @@ class TunnelEncpaDecapFlags(IntEnum): class TunnelMode(IntEnum): """Tunnel modes.""" + # point-to-point TUNNEL_API_MODE_P2P = 0 # multi-point @@ -304,12 +317,9 @@ class IPsecUtil: :raises RuntimeError: If failed to select IPsec backend or if no API reply received. """ - cmd = u"ipsec_select_backend" - err_msg = f"Failed to select IPsec backend on host {node[u'host']}" - args = dict( - protocol=protocol, - index=index - ) + cmd = "ipsec_select_backend" + err_msg = f"Failed to select IPsec backend on host {node['host']}" + args = dict(protocol=protocol, index=index) with PapiSocketExecutor(node) as papi_exec: papi_exec.add(cmd, **args).get_reply(err_msg) @@ -317,6 +327,8 @@ class IPsecUtil: def vpp_ipsec_set_async_mode(node, async_enable=1): """Set IPsec async mode on|off. + Unconditionally, attempt to switch crypto dispatch into polling mode. + :param node: VPP node to set IPsec async mode. :param async_enable: Async mode on or off. :type node: dict @@ -324,17 +336,26 @@ class IPsecUtil: :raises RuntimeError: If failed to set IPsec async mode or if no API reply received. """ - cmd = u"ipsec_set_async_mode" - err_msg = f"Failed to set IPsec async mode on host {node[u'host']}" - args = dict( - async_enable=async_enable - ) with PapiSocketExecutor(node) as papi_exec: + cmd = "ipsec_set_async_mode" + err_msg = f"Failed to set IPsec async mode on host {node['host']}" + args = dict(async_enable=async_enable) papi_exec.add(cmd, **args).get_reply(err_msg) + cmd = "crypto_set_async_dispatch_v2" + err_msg = "Failed to set dispatch mode." + args = dict(mode=0, adaptive=False) + try: + papi_exec.add(cmd, **args).get_reply(err_msg) + except (AttributeError, RuntimeError): + # Expected when VPP build does not have the _v2 yet + # (after and before the first CRC check). + # TODO: Fail here when testing of pre-23.10 builds is over. + pass @staticmethod def vpp_ipsec_crypto_sw_scheduler_set_worker( - node, workers, crypto_enable=False): + node, workers, crypto_enable=False + ): """Enable or disable crypto on specific vpp worker threads. :param node: VPP node to enable or disable crypto for worker threads. @@ -347,39 +368,40 @@ class IPsecUtil: thread or if no API reply received. """ for worker in workers: - cmd = u"crypto_sw_scheduler_set_worker" - err_msg = f"Failed to disable/enable crypto for worker thread " \ - f"on host {node[u'host']}" - args = dict( - worker_index=worker - 1, - crypto_enable=crypto_enable + cmd = "crypto_sw_scheduler_set_worker" + err_msg = ( + "Failed to disable/enable crypto for worker thread" + f" on host {node['host']}" ) + args = dict(worker_index=worker - 1, crypto_enable=crypto_enable) with PapiSocketExecutor(node) as papi_exec: papi_exec.add(cmd, **args).get_reply(err_msg) @staticmethod def vpp_ipsec_crypto_sw_scheduler_set_worker_on_all_duts( - nodes, workers, crypto_enable=False): + nodes, crypto_enable=False + ): """Enable or disable crypto on specific vpp worker threads. :param node: VPP node to enable or disable crypto for worker threads. - :param workers: List of VPP thread numbers. :param crypto_enable: Disable or enable crypto work. :type node: dict - :type workers: Iterable[int] :type crypto_enable: bool :raises RuntimeError: If failed to enable or disable crypto for worker thread or if no API reply received. """ - for node in nodes.values(): - if node[u"type"] == NodeType.DUT: + for node_name, node in nodes.items(): + if node["type"] == NodeType.DUT: thread_data = VPPUtil.vpp_show_threads(node) worker_cnt = len(thread_data) - 1 if not worker_cnt: - return None + return worker_ids = list() + workers = BuiltIn().get_variable_value( + f"${{{node_name}_cpu_dp}}" + ) for item in thread_data: - if str(item.cpu_id) in workers.split(u","): + if str(item.cpu_id) in workers.split(","): worker_ids.append(item.id) IPsecUtil.vpp_ipsec_crypto_sw_scheduler_set_worker( @@ -388,8 +410,16 @@ class IPsecUtil: @staticmethod def vpp_ipsec_add_sad_entry( - node, sad_id, spi, crypto_alg, crypto_key, integ_alg=None, - integ_key=u"", tunnel_src=None, tunnel_dst=None): + node, + sad_id, + spi, + crypto_alg, + crypto_key, + integ_alg=None, + integ_key="", + tunnel_src=None, + tunnel_dst=None, + ): """Create Security Association Database entry on the VPP node. :param node: VPP node to add SAD entry on. @@ -414,17 +444,11 @@ class IPsecUtil: :type tunnel_dst: str """ if isinstance(crypto_key, str): - crypto_key = crypto_key.encode(encoding=u"utf-8") + crypto_key = crypto_key.encode(encoding="utf-8") if isinstance(integ_key, str): - integ_key = integ_key.encode(encoding=u"utf-8") - ckey = dict( - length=len(crypto_key), - data=crypto_key - ) - ikey = dict( - length=len(integ_key), - data=integ_key if integ_key else 0 - ) + integ_key = integ_key.encode(encoding="utf-8") + ckey = dict(length=len(crypto_key), data=crypto_key) + ikey = dict(length=len(integ_key), data=integ_key if integ_key else 0) flags = int(IPsecSadFlags.IPSEC_API_SAD_FLAG_NONE) if tunnel_src and tunnel_dst: @@ -432,15 +456,18 @@ class IPsecUtil: src_addr = ip_address(tunnel_src) dst_addr = ip_address(tunnel_dst) if src_addr.version == 6: - flags = \ - flags | int(IPsecSadFlags.IPSEC_API_SAD_FLAG_IS_TUNNEL_V6) + flags = flags | int( + IPsecSadFlags.IPSEC_API_SAD_FLAG_IS_TUNNEL_V6 + ) else: - src_addr = u"" - dst_addr = u"" + src_addr = "" + dst_addr = "" - cmd = u"ipsec_sad_entry_add_del_v3" - err_msg = f"Failed to add Security Association Database entry " \ - f"on host {node[u'host']}" + cmd = "ipsec_sad_entry_add_v2" + err_msg = ( + "Failed to add Security Association Database entry" + f" on host {node['host']}" + ) sad_entry = dict( sad_id=int(sad_id), spi=int(spi), @@ -459,21 +486,28 @@ class IPsecUtil: dscp=int(IpDscp.IP_API_DSCP_CS0), ), protocol=int(IPsecProto.IPSEC_API_PROTO_ESP), - udp_src_port=4500, # default value in api - udp_dst_port=4500 # default value in api - ) - args = dict( - is_add=True, - entry=sad_entry + udp_src_port=IPSEC_UDP_PORT_DEFAULT, + udp_dst_port=IPSEC_UDP_PORT_DEFAULT, + anti_replay_window_size=IPSEC_REPLAY_WINDOW_DEFAULT, ) + args = dict(entry=sad_entry) with PapiSocketExecutor(node) as papi_exec: papi_exec.add(cmd, **args).get_reply(err_msg) @staticmethod def vpp_ipsec_add_sad_entries( - node, n_entries, sad_id, spi, crypto_alg, crypto_key, - integ_alg=None, integ_key=u"", tunnel_src=None,tunnel_dst=None, - tunnel_addr_incr=True): + node, + n_entries, + sad_id, + spi, + crypto_alg, + crypto_key, + integ_alg=None, + integ_key="", + tunnel_src=None, + tunnel_dst=None, + tunnel_addr_incr=True, + ): """Create multiple Security Association Database entries on VPP node. :param node: VPP node to add SAD entry on. @@ -505,54 +539,25 @@ class IPsecUtil: :type tunnel_addr_incr: bool """ if isinstance(crypto_key, str): - crypto_key = crypto_key.encode(encoding=u"utf-8") + crypto_key = crypto_key.encode(encoding="utf-8") if isinstance(integ_key, str): - integ_key = integ_key.encode(encoding=u"utf-8") + integ_key = integ_key.encode(encoding="utf-8") if tunnel_src and tunnel_dst: src_addr = ip_address(tunnel_src) dst_addr = ip_address(tunnel_dst) else: - src_addr = u"" - dst_addr = u"" + src_addr = "" + dst_addr = "" if tunnel_addr_incr: - addr_incr = 1 << (128 - 96) if src_addr.version == 6 \ - else 1 << (32 - 24) + addr_incr = ( + 1 << (128 - 96) if src_addr.version == 6 else 1 << (32 - 24) + ) else: addr_incr = 0 - if int(n_entries) > 10: - tmp_filename = f"/tmp/ipsec_sad_{sad_id}_add_del_entry.script" - - with open(tmp_filename, 'w') as tmp_file: - for i in range(n_entries): - integ = f"integ-alg {integ_alg.alg_name} " \ - f"integ-key {integ_key.hex()}" \ - if integ_alg else u"" - tunnel = f"tunnel src {src_addr + i * addr_incr} " \ - f"tunnel dst {dst_addr + i * addr_incr}" \ - if tunnel_src and tunnel_dst else u"" - conf = f"exec ipsec sa add {sad_id + i} esp spi {spi + i} "\ - f"crypto-alg {crypto_alg.alg_name} " \ - f"crypto-key {crypto_key.hex()} " \ - f"{integ} {tunnel}\n" - tmp_file.write(conf) - vat = VatExecutor() - vat.execute_script( - tmp_filename, node, timeout=300, json_out=False, - copy_on_execute=True - ) - os.remove(tmp_filename) - return - - ckey = dict( - length=len(crypto_key), - data=crypto_key - ) - ikey = dict( - length=len(integ_key), - data=integ_key if integ_key else 0 - ) + ckey = dict(length=len(crypto_key), data=crypto_key) + ikey = dict(length=len(integ_key), data=integ_key if integ_key else 0) flags = int(IPsecSadFlags.IPSEC_API_SAD_FLAG_NONE) if tunnel_src and tunnel_dst: @@ -562,9 +567,11 @@ class IPsecUtil: IPsecSadFlags.IPSEC_API_SAD_FLAG_IS_TUNNEL_V6 ) - cmd = u"ipsec_sad_entry_add_del_v3" - err_msg = f"Failed to add Security Association Database entry " \ - f"on host {node[u'host']}" + cmd = "ipsec_sad_entry_add_v2" + err_msg = ( + "Failed to add Security Association Database entry" + f" on host {node['host']}" + ) sad_entry = dict( sad_id=int(sad_id), @@ -584,24 +591,24 @@ class IPsecUtil: dscp=int(IpDscp.IP_API_DSCP_CS0), ), protocol=int(IPsecProto.IPSEC_API_PROTO_ESP), - udp_src_port=4500, # default value in api - udp_dst_port=4500 # default value in api - ) - args = dict( - is_add=True, - entry=sad_entry + udp_src_port=IPSEC_UDP_PORT_DEFAULT, + udp_dst_port=IPSEC_UDP_PORT_DEFAULT, + anti_replay_window_size=IPSEC_REPLAY_WINDOW_DEFAULT, ) - with PapiSocketExecutor(node) as papi_exec: + args = dict(entry=sad_entry) + with PapiSocketExecutor(node, is_async=True) as papi_exec: for i in range(n_entries): - args[u"entry"][u"sad_id"] = int(sad_id) + i - args[u"entry"][u"spi"] = int(spi) + i - args[u"entry"][u"tunnel"][u"src"] = ( + args["entry"]["sad_id"] = int(sad_id) + i + args["entry"]["spi"] = int(spi) + i + args["entry"]["tunnel"]["src"] = ( str(src_addr + i * addr_incr) - if tunnel_src and tunnel_dst else src_addr + if tunnel_src and tunnel_dst + else src_addr ) - args[u"entry"][u"tunnel"][u"dst"] = ( + args["entry"]["tunnel"]["dst"] = ( str(dst_addr + i * addr_incr) - if tunnel_src and tunnel_dst else dst_addr + if tunnel_src and tunnel_dst + else dst_addr ) history = bool(not 1 < i < n_entries - 2) papi_exec.add(cmd, history=history, **args) @@ -609,8 +616,15 @@ class IPsecUtil: @staticmethod def vpp_ipsec_set_ip_route( - node, n_tunnels, tunnel_src, traffic_addr, tunnel_dst, interface, - raddr_range, dst_mac=None): + node, + n_tunnels, + tunnel_src, + traffic_addr, + tunnel_dst, + interface, + raddr_range, + dst_mac=None, + ): """Set IP address and route on interface. :param node: VPP node to add config on. @@ -636,89 +650,67 @@ class IPsecUtil: tunnel_dst = ip_address(tunnel_dst) traffic_addr = ip_address(traffic_addr) tunnel_dst_prefix = 128 if tunnel_dst.version == 6 else 32 - addr_incr = 1 << (128 - raddr_range) if tunnel_src.version == 6 \ + addr_incr = ( + 1 << (128 - raddr_range) + if tunnel_src.version == 6 else 1 << (32 - raddr_range) + ) - if int(n_tunnels) > 10: - tmp_filename = u"/tmp/ipsec_set_ip.script" - - with open(tmp_filename, 'w') as tmp_file: - if_name = Topology.get_interface_name(node, interface) - for i in range(n_tunnels): - tunnel_dst_addr = tunnel_dst + i * addr_incr - conf = f"exec set interface ip address {if_name} " \ - f"{tunnel_src + i * addr_incr}/{raddr_range}\n" \ - f"exec ip route add {traffic_addr + i}/" \ - f"{tunnel_dst_prefix} " \ - f"via {tunnel_dst_addr} {if_name}\n" \ - f"exec ip route add {tunnel_dst_addr}/" \ - f"{tunnel_dst_prefix} " \ - f"via {tunnel_dst_addr} {if_name}\n" - if dst_mac: - conf = f"{conf}exec set ip neighbor {if_name} " \ - f"{tunnel_dst + i * addr_incr} {dst_mac}\n" - tmp_file.write(conf) - - VatExecutor().execute_script( - tmp_filename, node, timeout=300, json_out=False, - copy_on_execute=True - ) - os.remove(tmp_filename) - return - - cmd1 = u"sw_interface_add_del_address" + cmd1 = "sw_interface_add_del_address" args1 = dict( sw_if_index=InterfaceUtil.get_interface_index(node, interface), is_add=True, del_all=False, - prefix=None - ) - cmd2 = u"ip_route_add_del" - args2 = dict( - is_add=1, - is_multipath=0, - route=None + prefix=None, ) - cmd3 = u"ip_neighbor_add_del" + cmd2 = "ip_route_add_del" + args2 = dict(is_add=1, is_multipath=0, route=None) + cmd3 = "ip_neighbor_add_del" args3 = dict( is_add=True, neighbor=dict( sw_if_index=Topology.get_interface_sw_index(node, interface), flags=0, mac_address=str(dst_mac), - ip_address=None - ) + ip_address=None, + ), + ) + err_msg = ( + "Failed to configure IP addresses, IP routes and" + f" IP neighbor on interface {interface} on host {node['host']}" + if dst_mac + else "Failed to configure IP addresses and IP routes" + f" on interface {interface} on host {node['host']}" ) - err_msg = f"Failed to configure IP addresses, IP routes and " \ - f"IP neighbor on interface {interface} on host {node[u'host']}" \ - if dst_mac \ - else f"Failed to configure IP addresses and IP routes " \ - f"on interface {interface} on host {node[u'host']}" - with PapiSocketExecutor(node) as papi_exec: + with PapiSocketExecutor(node, is_async=True) as papi_exec: for i in range(n_tunnels): tunnel_dst_addr = tunnel_dst + i * addr_incr - args1[u"prefix"] = IPUtil.create_prefix_object( + args1["prefix"] = IPUtil.create_prefix_object( tunnel_src + i * addr_incr, raddr_range ) - args2[u"route"] = IPUtil.compose_vpp_route_structure( - node, traffic_addr + i, + args2["route"] = IPUtil.compose_vpp_route_structure( + node, + traffic_addr + i, prefix_len=tunnel_dst_prefix, - interface=interface, gateway=tunnel_dst_addr + interface=interface, + gateway=tunnel_dst_addr, ) history = bool(not 1 < i < n_tunnels - 2) - papi_exec.add(cmd1, history=history, **args1).\ - add(cmd2, history=history, **args2) + papi_exec.add(cmd1, history=history, **args1) + papi_exec.add(cmd2, history=history, **args2) - args2[u"route"] = IPUtil.compose_vpp_route_structure( - node, tunnel_dst_addr, + args2["route"] = IPUtil.compose_vpp_route_structure( + node, + tunnel_dst_addr, prefix_len=tunnel_dst_prefix, - interface=interface, gateway=tunnel_dst_addr + interface=interface, + gateway=tunnel_dst_addr, ) papi_exec.add(cmd2, history=history, **args2) if dst_mac: - args3[u"neighbor"][u"ip_address"] = ip_address( + args3["neighbor"]["ip_address"] = ip_address( tunnel_dst_addr ) papi_exec.add(cmd3, history=history, **args3) @@ -733,13 +725,11 @@ class IPsecUtil: :type node: dict :type spd_id: int """ - cmd = u"ipsec_spd_add_del" - err_msg = f"Failed to add Security Policy Database " \ - f"on host {node[u'host']}" - args = dict( - is_add=True, - spd_id=int(spd_id) + cmd = "ipsec_spd_add_del" + err_msg = ( + f"Failed to add Security Policy Database on host {node['host']}" ) + args = dict(is_add=True, spd_id=int(spd_id)) with PapiSocketExecutor(node) as papi_exec: papi_exec.add(cmd, **args).get_reply(err_msg) @@ -754,22 +744,31 @@ class IPsecUtil: :type spd_id: int :type interface: str or int """ - cmd = u"ipsec_interface_add_del_spd" - err_msg = f"Failed to add interface {interface} to Security Policy " \ - f"Database {spd_id} on host {node[u'host']}" + cmd = "ipsec_interface_add_del_spd" + err_msg = ( + f"Failed to add interface {interface} to Security Policy" + f" Database {spd_id} on host {node['host']}" + ) args = dict( is_add=True, sw_if_index=InterfaceUtil.get_interface_index(node, interface), - spd_id=int(spd_id) + spd_id=int(spd_id), ) with PapiSocketExecutor(node) as papi_exec: papi_exec.add(cmd, **args).get_reply(err_msg) @staticmethod def vpp_ipsec_create_spds_match_nth_entry( - node, dir1_interface, dir2_interface, entry_amount, - local_addr_range, remote_addr_range, action=PolicyAction.BYPASS, - inbound=False, bidirectional=True): + node, + dir1_interface, + dir2_interface, + entry_amount, + local_addr_range, + remote_addr_range, + action=PolicyAction.BYPASS, + inbound=False, + bidirectional=True, + ): """Create one matching SPD entry for inbound or outbound traffic on a DUT for each traffic direction and also create entry_amount - 1 non-matching SPD entries. Create a Security Policy Database on each @@ -813,7 +812,7 @@ class IPsecUtil: """ if action == PolicyAction.PROTECT: - raise NotImplementedError('Policy action PROTECT is not supported.') + raise NotImplementedError("Policy action PROTECT is not supported.") spd_id_dir1 = 1 spd_id_dir2 = 2 @@ -823,9 +822,13 @@ class IPsecUtil: IPsecUtil.vpp_ipsec_spd_add_if(node, spd_id_dir1, dir1_interface) # matching entry direction 1 IPsecUtil.vpp_ipsec_add_spd_entry( - node, spd_id_dir1, matching_priority, action, - inbound=inbound, laddr_range=local_addr_range, - raddr_range=remote_addr_range + node, + spd_id_dir1, + matching_priority, + action, + inbound=inbound, + laddr_range=local_addr_range, + raddr_range=remote_addr_range, ) if bidirectional: @@ -834,9 +837,13 @@ class IPsecUtil: # matching entry direction 2, the address ranges are switched IPsecUtil.vpp_ipsec_add_spd_entry( - node, spd_id_dir2, matching_priority, action, - inbound=inbound, laddr_range=remote_addr_range, - raddr_range=local_addr_range + node, + spd_id_dir2, + matching_priority, + action, + inbound=inbound, + laddr_range=remote_addr_range, + raddr_range=local_addr_range, ) # non-matching entries @@ -856,10 +863,14 @@ class IPsecUtil: # non-matching entries direction 1 IPsecUtil.vpp_ipsec_add_spd_entries( - node, no_match_entry_amount, spd_id_dir1, - ObjIncrement(matching_priority + 1, 1), action, - inbound=inbound, laddr_range=no_match_local_addr_range, - raddr_range=no_match_remote_addr_range + node, + no_match_entry_amount, + spd_id_dir1, + ObjIncrement(matching_priority + 1, 1), + action, + inbound=inbound, + laddr_range=no_match_local_addr_range, + raddr_range=no_match_remote_addr_range, ) if bidirectional: @@ -876,22 +887,40 @@ class IPsecUtil: next(no_match_local_addr_range) # non-matching entries direction 2 IPsecUtil.vpp_ipsec_add_spd_entries( - node, no_match_entry_amount, spd_id_dir2, - ObjIncrement(matching_priority + 1, 1), action, - inbound=inbound, laddr_range=no_match_local_addr_range, - raddr_range=no_match_remote_addr_range + node, + no_match_entry_amount, + spd_id_dir2, + ObjIncrement(matching_priority + 1, 1), + action, + inbound=inbound, + laddr_range=no_match_local_addr_range, + raddr_range=no_match_remote_addr_range, ) IPsecUtil.vpp_ipsec_show_all(node) @staticmethod - def vpp_ipsec_add_spd_entry( - node, spd_id, priority, action, inbound=True, sa_id=None, - proto=None, laddr_range=None, raddr_range=None, lport_range=None, - rport_range=None, is_ipv6=False): - """Create Security Policy Database entry on the VPP node. - - :param node: VPP node to add SPD entry on. + def _vpp_ipsec_add_spd_entry_internal( + executor, + spd_id, + priority, + action, + inbound=True, + sa_id=None, + proto=None, + laddr_range=None, + raddr_range=None, + lport_range=None, + rport_range=None, + is_ipv6=False, + ): + """Prepare to create Security Policy Database entry on the VPP node. + + This just adds one more command to the executor. + The call site shall get replies once all entries are added, + to get speed benefit from async PAPI. + + :param executor: Open PAPI executor (async handling) to add commands to. :param spd_id: SPD ID to add entry on. :param priority: SPD entry priority, higher number = higher priority. :param action: Policy action. @@ -911,7 +940,7 @@ class IPsecUtil: <port_start>-<port_end>. :param is_ipv6: True in case of IPv6 policy when IPv6 address range is not defined so it will default to address ::/0, otherwise False. - :type node: dict + :type executor: PapiSocketExecutor :type spd_id: int :type priority: int :type action: IPsecUtil.PolicyAction @@ -925,17 +954,15 @@ class IPsecUtil: :type is_ipv6: bool """ if laddr_range is None: - laddr_range = u"::/0" if is_ipv6 else u"0.0.0.0/0" + laddr_range = "::/0" if is_ipv6 else "0.0.0.0/0" if raddr_range is None: - raddr_range = u"::/0" if is_ipv6 else u"0.0.0.0/0" + raddr_range = "::/0" if is_ipv6 else "0.0.0.0/0" local_net = ip_network(laddr_range, strict=False) remote_net = ip_network(raddr_range, strict=False) - cmd = u"ipsec_spd_entry_add_del" - err_msg = f"Failed to add entry to Security Policy Database " \ - f"{spd_id} on host {node[u'host']}" + cmd = "ipsec_spd_entry_add_del_v2" spd_entry = dict( spd_id=int(spd_id), @@ -943,7 +970,7 @@ class IPsecUtil: is_outbound=not inbound, sa_id=int(sa_id) if sa_id else 0, policy=int(action), - protocol=int(proto) if proto else 0, + protocol=255 if proto is None else int(proto), remote_address_start=IPAddress.create_ip_address_object( remote_net.network_address ), @@ -956,27 +983,109 @@ class IPsecUtil: local_address_stop=IPAddress.create_ip_address_object( local_net.broadcast_address ), - remote_port_start=int(rport_range.split(u"-")[0]) if rport_range - else 0, - remote_port_stop=int(rport_range.split(u"-")[1]) if rport_range - else 65535, - local_port_start=int(lport_range.split(u"-")[0]) if lport_range - else 0, - local_port_stop=int(lport_range.split(u"-")[1]) if rport_range - else 65535 + remote_port_start=( + int(rport_range.split("-")[0]) if rport_range else 0 + ), + remote_port_stop=( + int(rport_range.split("-")[1]) if rport_range else 65535 + ), + local_port_start=( + int(lport_range.split("-")[0]) if lport_range else 0 + ), + local_port_stop=( + int(lport_range.split("-")[1]) if rport_range else 65535 + ), ) - args = dict( - is_add=True, - entry=spd_entry + args = dict(is_add=True, entry=spd_entry) + executor.add(cmd, **args) + + @staticmethod + def vpp_ipsec_add_spd_entry( + node, + spd_id, + priority, + action, + inbound=True, + sa_id=None, + proto=None, + laddr_range=None, + raddr_range=None, + lport_range=None, + rport_range=None, + is_ipv6=False, + ): + """Create Security Policy Database entry on the VPP node. + + :param node: VPP node to add SPD entry on. + :param spd_id: SPD ID to add entry on. + :param priority: SPD entry priority, higher number = higher priority. + :param action: Policy action. + :param inbound: If True policy is for inbound traffic, otherwise + outbound. + :param sa_id: SAD entry ID for action PolicyAction.PROTECT. + :param proto: Policy selector next layer protocol number. + :param laddr_range: Policy selector local IPv4 or IPv6 address range + in format IP/prefix or IP/mask. If no mask is provided, + it's considered to be /32. + :param raddr_range: Policy selector remote IPv4 or IPv6 address range + in format IP/prefix or IP/mask. If no mask is provided, + it's considered to be /32. + :param lport_range: Policy selector local TCP/UDP port range in format + <port_start>-<port_end>. + :param rport_range: Policy selector remote TCP/UDP port range in format + <port_start>-<port_end>. + :param is_ipv6: True in case of IPv6 policy when IPv6 address range is + not defined so it will default to address ::/0, otherwise False. + :type node: dict + :type spd_id: int + :type priority: int + :type action: IPsecUtil.PolicyAction + :type inbound: bool + :type sa_id: int + :type proto: int + :type laddr_range: string + :type raddr_range: string + :type lport_range: string + :type rport_range: string + :type is_ipv6: bool + """ + err_msg = ( + "Failed to add entry to Security Policy Database" + f" {spd_id} on host {node['host']}" ) - with PapiSocketExecutor(node) as papi_exec: - papi_exec.add(cmd, **args).get_reply(err_msg) + with PapiSocketExecutor(node, is_async=True) as papi_exec: + IPsecUtil._vpp_ipsec_add_spd_entry_internal( + papi_exec, + spd_id, + priority, + action, + inbound, + sa_id, + proto, + laddr_range, + raddr_range, + lport_range, + rport_range, + is_ipv6, + ) + papi_exec.get_replies(err_msg) @staticmethod def vpp_ipsec_add_spd_entries( - node, n_entries, spd_id, priority, action, inbound, sa_id=None, - proto=None, laddr_range=None, raddr_range=None, lport_range=None, - rport_range=None, is_ipv6=False): + node, + n_entries, + spd_id, + priority, + action, + inbound, + sa_id=None, + proto=None, + laddr_range=None, + raddr_range=None, + lport_range=None, + rport_range=None, + is_ipv6=False, + ): """Create multiple Security Policy Database entries on the VPP node. :param node: VPP node to add SPD entries on. @@ -1015,283 +1124,34 @@ class IPsecUtil: :type is_ipv6: bool """ if laddr_range is None: - laddr_range = u"::/0" if is_ipv6 else u"0.0.0.0/0" + laddr_range = "::/0" if is_ipv6 else "0.0.0.0/0" laddr_range = NetworkIncrement(ip_network(laddr_range), 0) if raddr_range is None: - raddr_range = u"::/0" if is_ipv6 else u"0.0.0.0/0" + raddr_range = "::/0" if is_ipv6 else "0.0.0.0/0" raddr_range = NetworkIncrement(ip_network(raddr_range), 0) - lport_range_start = 0 - lport_range_stop = 65535 - if lport_range: - lport_range_start, lport_range_stop = lport_range.split('-') - - rport_range_start = 0 - rport_range_stop = 65535 - if rport_range: - rport_range_start, rport_range_stop = rport_range.split('-') - - if int(n_entries) > 10: - tmp_filename = f"/tmp/ipsec_spd_{spd_id}_add_del_entry.script" - - with open(tmp_filename, 'w') as tmp_file: - for _ in range(n_entries): - direction = u'inbound' if inbound else u'outbound' - sa = f' sa {sa_id.inc_fmt()}' if sa_id is not None else '' - protocol = f' protocol {protocol}' if proto else '' - local_port_range = f' local-port-range ' \ - f'{lport_range_start} - {lport_range_stop}' \ - if lport_range else '' - remote_port_range = f' remote-port-range ' \ - f'{rport_range_start} - {rport_range_stop}' \ - if rport_range else '' - - spd_cfg = f"exec ipsec policy add spd {spd_id} " \ - f"priority {priority.inc_fmt()} {direction}" \ - f"{protocol} action {action}{sa} " \ - f"local-ip-range {laddr_range.inc_fmt()} " \ - f"remote-ip-range {raddr_range.inc_fmt()}" \ - f"{local_port_range}{remote_port_range}\n" - - tmp_file.write(spd_cfg) - - VatExecutor().execute_script( - tmp_filename, node, timeout=300, json_out=False, - copy_on_execute=True - ) - os.remove(tmp_filename) - return - - for _ in range(n_entries): - IPsecUtil.vpp_ipsec_add_spd_entry( - node, spd_id, next(priority), action, inbound, - next(sa_id) if sa_id is not None else sa_id, - proto, next(laddr_range), next(raddr_range), lport_range, - rport_range, is_ipv6 - ) - - @staticmethod - def _ipsec_create_tunnel_interfaces_dut1_vat( - nodes, tun_ips, if1_key, if2_key, n_tunnels, crypto_alg, integ_alg, - raddr_ip2, addr_incr, spi_d, existing_tunnels=0): - """Create multiple IPsec tunnel interfaces on DUT1 node using VAT. - - Generate random keys and return them (so DUT2 or TG can decrypt). - - :param nodes: VPP nodes to create tunnel interfaces. - :param tun_ips: Dictionary with VPP node 1 ipsec tunnel interface - IPv4/IPv6 address (ip1) and VPP node 2 ipsec tunnel interface - IPv4/IPv6 address (ip2). - :param if1_key: VPP node 1 interface key from topology file. - :param if2_key: VPP node 2 / TG node (in case of 2-node topology) - interface key from topology file. - :param n_tunnels: Number of tunnel interfaces to be there at the end. - :param crypto_alg: The encryption algorithm name. - :param integ_alg: The integrity algorithm name. - :param raddr_ip2: Policy selector remote IPv4/IPv6 start address for the - first tunnel in direction node2->node1. - :param spi_d: Dictionary with SPIs for VPP node 1 and VPP node 2. - :param addr_incr: IP / IPv6 address incremental step. - :param existing_tunnels: Number of tunnel interfaces before creation. - Useful mainly for reconf tests. Default 0. - :type nodes: dict - :type tun_ips: dict - :type if1_key: str - :type if2_key: str - :type n_tunnels: int - :type crypto_alg: CryptoAlg - :type integ_alg: Optional[IntegAlg] - :type raddr_ip2: IPv4Address or IPv6Address - :type addr_incr: int - :type spi_d: dict - :type existing_tunnels: int - :returns: Generated ckeys and ikeys. - :rtype: List[bytes], List[bytes] - """ - tmp_fn1 = u"/tmp/ipsec_create_tunnel_dut1.config" - if1_n = Topology.get_interface_name(nodes[u"DUT1"], if1_key) - - ckeys = [bytes()] * existing_tunnels - ikeys = [bytes()] * existing_tunnels - - vat = VatExecutor() - with open(tmp_fn1, u"w") as tmp_f1: - rmac = Topology.get_interface_mac(nodes[u"DUT2"], if2_key) \ - if u"DUT2" in nodes.keys() \ - else Topology.get_interface_mac(nodes[u"TG"], if2_key) - if not existing_tunnels: - tmp_f1.write( - f"exec create loopback interface\n" - f"exec set interface state loop0 up\n" - f"exec set interface ip address {if1_n} " - f"{tun_ips[u'ip2'] - 1}/" - f"{len(tun_ips[u'ip2'].packed)*8*3//4}\n" - f"exec set ip neighbor {if1_n} {tun_ips[u'ip2']} {rmac} " - f"static\n" - ) - for i in range(existing_tunnels, n_tunnels): - ckeys.append( - gen_key(IPsecUtil.get_crypto_alg_key_len(crypto_alg)) - ) - ikeys.append( - gen_key(IPsecUtil.get_integ_alg_key_len(integ_alg)) - ) - if integ_alg: - integ = f"integ-alg {integ_alg.alg_name} " \ - f"integ-key {ikeys[i].hex()} " - else: - integ = u"" - tmp_f1.write( - f"exec set interface ip address loop0 " - f"{tun_ips[u'ip1'] + i * addr_incr}/32\n" - f"exec create ipip tunnel " - f"src {tun_ips[u'ip1'] + i * addr_incr} " - f"dst {tun_ips[u'ip2']} " - f"p2p\n" - f"exec ipsec sa add {i} " - f"spi {spi_d[u'spi_1'] + i} " - f"crypto-alg {crypto_alg.alg_name} " - f"crypto-key {ckeys[i].hex()} " - f"{integ}" - f"esp\n" - f"exec ipsec sa add {100000 + i} " - f"spi {spi_d[u'spi_2'] + i} " - f"crypto-alg {crypto_alg.alg_name} " - f"crypto-key {ckeys[i].hex()} " - f"{integ}" - f"esp\n" - f"exec ipsec tunnel protect ipip{i} " - f"sa-out {i} " - f"sa-in {100000 + i} " - f"add\n" - ) - vat.execute_script( - tmp_fn1, nodes[u"DUT1"], timeout=1800, json_out=False, - copy_on_execute=True, - history=bool(n_tunnels < 100) + err_msg = ( + "Failed to add entry to Security Policy Database" + f" {spd_id} on host {node['host']}" ) - os.remove(tmp_fn1) - - with open(tmp_fn1, 'w') as tmp_f1: - for i in range(existing_tunnels, n_tunnels): - tmp_f1.write( - f"exec set interface unnumbered ipip{i} use {if1_n}\n" - f"exec set interface state ipip{i} up\n" - f"exec ip route add " - f"{raddr_ip2 + i}/{len(raddr_ip2.packed)*8} " - f"via ipip{i}\n" + with PapiSocketExecutor(node, is_async=True) as papi_exec: + for _ in range(n_entries): + IPsecUtil._vpp_ipsec_add_spd_entry_internal( + papi_exec, + spd_id, + next(priority), + action, + inbound, + next(sa_id) if sa_id is not None else sa_id, + proto, + next(laddr_range), + next(raddr_range), + lport_range, + rport_range, + is_ipv6, ) - vat.execute_script( - tmp_fn1, nodes[u"DUT1"], timeout=1800, json_out=False, - copy_on_execute=True, - history=bool(n_tunnels < 100) - ) - os.remove(tmp_fn1) - - return ckeys, ikeys - - @staticmethod - def _ipsec_create_tunnel_interfaces_dut2_vat( - nodes, tun_ips, if2_key, n_tunnels, crypto_alg, ckeys, integ_alg, - ikeys, raddr_ip1, addr_incr, spi_d, existing_tunnels=0): - """Create multiple IPsec tunnel interfaces on DUT2 node using VAT. - - This method accesses keys generated by DUT1 method - and does not return anything. - - :param nodes: VPP nodes to create tunnel interfaces. - :param tun_ips: Dictionary with VPP node 1 ipsec tunnel interface - IPv4/IPv6 address (ip1) and VPP node 2 ipsec tunnel interface - IPv4/IPv6 address (ip2). - :param if2_key: VPP node 2 / TG node (in case of 2-node topology) - interface key from topology file. - :param n_tunnels: Number of tunnel interfaces to be there at the end. - :param crypto_alg: The encryption algorithm name. - :param ckeys: List of encryption keys. - :param integ_alg: The integrity algorithm name. - :param ikeys: List of integrity keys. - :param spi_d: Dictionary with SPIs for VPP node 1 and VPP node 2. - :param addr_incr: IP / IPv6 address incremental step. - :param existing_tunnels: Number of tunnel interfaces before creation. - Useful mainly for reconf tests. Default 0. - :type nodes: dict - :type tun_ips: dict - :type if2_key: str - :type n_tunnels: int - :type crypto_alg: CryptoAlg - :type ckeys: Sequence[bytes] - :type integ_alg: Optional[IntegAlg] - :type ikeys: Sequence[bytes] - :type addr_incr: int - :type spi_d: dict - :type existing_tunnels: int - """ - tmp_fn2 = u"/tmp/ipsec_create_tunnel_dut2.config" - if2_n = Topology.get_interface_name(nodes[u"DUT2"], if2_key) - - vat = VatExecutor() - with open(tmp_fn2, 'w') as tmp_f2: - if not existing_tunnels: - tmp_f2.write( - f"exec set interface ip address {if2_n}" - f" {tun_ips[u'ip2']}/{len(tun_ips[u'ip2'].packed)*8*3/4}\n" - ) - for i in range(existing_tunnels, n_tunnels): - if integ_alg: - integ = f"integ-alg {integ_alg.alg_name} " \ - f"integ-key {ikeys[i].hex()} " - else: - integ = u"" - tmp_f2.write( - f"exec create ipip tunnel " - f"src {tun_ips[u'ip2']} " - f"dst {tun_ips[u'ip1'] + i * addr_incr} " - f"p2p\n" - f"exec ipsec sa add {100000 + i} " - f"spi {spi_d[u'spi_2'] + i} " - f"crypto-alg {crypto_alg.alg_name} " - f"crypto-key {ckeys[i].hex()} " - f"{integ}" - f"esp\n" - f"exec ipsec sa add {i} " - f"spi {spi_d[u'spi_1'] + i} " - f"crypto-alg {crypto_alg.alg_name} " - f"crypto-key {ckeys[i].hex()} " - f"{integ}" - f"esp\n" - f"exec ipsec tunnel protect ipip{i} " - f"sa-out {100000 + i} " - f"sa-in {i} " - f"add\n" - ) - vat.execute_script( - tmp_fn2, nodes[u"DUT2"], timeout=1800, json_out=False, - copy_on_execute=True, - history=bool(n_tunnels < 100) - ) - os.remove(tmp_fn2) - - with open(tmp_fn2, 'w') as tmp_f2: - if not existing_tunnels: - tmp_f2.write( - f"exec ip route add {tun_ips[u'ip1']}/8 " - f"via {tun_ips[u'ip2'] - 1} {if2_n}\n" - ) - for i in range(existing_tunnels, n_tunnels): - tmp_f2.write( - f"exec set interface unnumbered ipip{i} use {if2_n}\n" - f"exec set interface state ipip{i} up\n" - f"exec ip route add " - f"{raddr_ip1 + i}/{len(raddr_ip1.packed)*8} " - f"via ipip{i}\n" - ) - vat.execute_script( - tmp_fn2, nodes[u"DUT2"], timeout=1800, json_out=False, - copy_on_execute=True, - history=bool(n_tunnels < 100) - ) - os.remove(tmp_fn2) + papi_exec.get_replies(err_msg) @staticmethod def _ipsec_create_loopback_dut1_papi(nodes, tun_ips, if1_key, if2_key): @@ -1310,59 +1170,63 @@ class IPsecUtil: :type if1_key: str :type if2_key: str """ - with PapiSocketExecutor(nodes[u"DUT1"]) as papi_exec: + with PapiSocketExecutor(nodes["DUT1"]) as papi_exec: # Create loopback interface on DUT1, set it to up state - cmd = u"create_loopback_instance" + cmd = "create_loopback_instance" args = dict( mac_address=0, is_specified=False, user_instance=0, ) - err_msg = f"Failed to create loopback interface " \ - f"on host {nodes[u'DUT1'][u'host']}" - loop_sw_if_idx = papi_exec.add(cmd, **args). \ - get_sw_if_index(err_msg) - cmd = u"sw_interface_set_flags" + err_msg = ( + "Failed to create loopback interface" + f" on host {nodes['DUT1']['host']}" + ) + papi_exec.add(cmd, **args) + loop_sw_if_idx = papi_exec.get_sw_if_index(err_msg) + cmd = "sw_interface_set_flags" args = dict( sw_if_index=loop_sw_if_idx, - flags=InterfaceStatusFlags.IF_STATUS_API_FLAG_ADMIN_UP.value + flags=InterfaceStatusFlags.IF_STATUS_API_FLAG_ADMIN_UP.value, + ) + err_msg = ( + "Failed to set loopback interface state up" + f" on host {nodes['DUT1']['host']}" ) - err_msg = f"Failed to set loopback interface state up " \ - f"on host {nodes[u'DUT1'][u'host']}" papi_exec.add(cmd, **args).get_reply(err_msg) # Set IP address on VPP node 1 interface - cmd = u"sw_interface_add_del_address" + cmd = "sw_interface_add_del_address" args = dict( sw_if_index=InterfaceUtil.get_interface_index( - nodes[u"DUT1"], if1_key + nodes["DUT1"], if1_key ), is_add=True, del_all=False, prefix=IPUtil.create_prefix_object( - tun_ips[u"ip2"] - 1, 96 if tun_ips[u"ip2"].version == 6 - else 24 - ) + tun_ips["ip2"] - 1, + 96 if tun_ips["ip2"].version == 6 else 24, + ), + ) + err_msg = ( + f"Failed to set IP address on interface {if1_key}" + f" on host {nodes['DUT1']['host']}" ) - err_msg = f"Failed to set IP address on interface {if1_key} " \ - f"on host {nodes[u'DUT1'][u'host']}" papi_exec.add(cmd, **args).get_reply(err_msg) - cmd2 = u"ip_neighbor_add_del" + cmd2 = "ip_neighbor_add_del" args2 = dict( is_add=1, neighbor=dict( sw_if_index=Topology.get_interface_sw_index( - nodes[u"DUT1"], if1_key + nodes["DUT1"], if1_key ), flags=1, mac_address=str( - Topology.get_interface_mac(nodes[u"DUT2"], if2_key) - if u"DUT2" in nodes.keys() - else Topology.get_interface_mac( - nodes[u"TG"], if2_key - ) + Topology.get_interface_mac(nodes["DUT2"], if2_key) + if "DUT2" in nodes.keys() + else Topology.get_interface_mac(nodes["TG"], if2_key) ), - ip_address=tun_ips[u"ip2"].compressed - ) + ip_address=tun_ips["ip2"].compressed, + ), ) err_msg = f"Failed to add IP neighbor on interface {if1_key}" papi_exec.add(cmd2, **args2).get_reply(err_msg) @@ -1371,8 +1235,18 @@ class IPsecUtil: @staticmethod def _ipsec_create_tunnel_interfaces_dut1_papi( - nodes, tun_ips, if1_key, if2_key, n_tunnels, crypto_alg, integ_alg, - raddr_ip2, addr_incr, spi_d, existing_tunnels=0): + nodes, + tun_ips, + if1_key, + if2_key, + n_tunnels, + crypto_alg, + integ_alg, + raddr_ip2, + addr_incr, + spi_d, + existing_tunnels=0, + ): """Create multiple IPsec tunnel interfaces on DUT1 node using PAPI. Generate random keys and return them (so DUT2 or TG can decrypt). @@ -1413,27 +1287,27 @@ class IPsecUtil: ) else: loop_sw_if_idx = InterfaceUtil.vpp_get_interface_sw_index( - nodes[u"DUT1"], u"loop0" + nodes["DUT1"], "loop0" ) - with PapiSocketExecutor(nodes[u"DUT1"]) as papi_exec: + with PapiSocketExecutor(nodes["DUT1"], is_async=True) as papi_exec: # Configure IP addresses on loop0 interface - cmd = u"sw_interface_add_del_address" + cmd = "sw_interface_add_del_address" args = dict( sw_if_index=loop_sw_if_idx, is_add=True, del_all=False, - prefix=None + prefix=None, ) for i in range(existing_tunnels, n_tunnels): - args[u"prefix"] = IPUtil.create_prefix_object( - tun_ips[u"ip1"] + i * addr_incr, - 128 if tun_ips[u"ip1"].version == 6 else 32 + args["prefix"] = IPUtil.create_prefix_object( + tun_ips["ip1"] + i * addr_incr, + 128 if tun_ips["ip1"].version == 6 else 32, ) papi_exec.add( cmd, history=bool(not 1 < i < n_tunnels - 2), **args ) # Configure IPIP tunnel interfaces - cmd = u"ipip_add_tunnel" + cmd = "ipip_add_tunnel" ipip_tunnel = dict( instance=Constants.BITWISE_NON_ZERO, src=None, @@ -1443,43 +1317,38 @@ class IPsecUtil: TunnelEncpaDecapFlags.TUNNEL_API_ENCAP_DECAP_FLAG_NONE ), mode=int(TunnelMode.TUNNEL_API_MODE_P2P), - dscp=int(IpDscp.IP_API_DSCP_CS0) - ) - args = dict( - tunnel=ipip_tunnel + dscp=int(IpDscp.IP_API_DSCP_CS0), ) + args = dict(tunnel=ipip_tunnel) ipip_tunnels = [None] * existing_tunnels for i in range(existing_tunnels, n_tunnels): - args[u"tunnel"][u"src"] = IPAddress.create_ip_address_object( - tun_ips[u"ip1"] + i * addr_incr + ipip_tunnel["src"] = IPAddress.create_ip_address_object( + tun_ips["ip1"] + i * addr_incr ) - args[u"tunnel"][u"dst"] = IPAddress.create_ip_address_object( - tun_ips[u"ip2"] + ipip_tunnel["dst"] = IPAddress.create_ip_address_object( + tun_ips["ip2"] ) papi_exec.add( cmd, history=bool(not 1 < i < n_tunnels - 2), **args ) - err_msg = f"Failed to add IPIP tunnel interfaces on host" \ - f" {nodes[u'DUT1'][u'host']}" + err_msg = ( + "Failed to add IPIP tunnel interfaces on host" + f" {nodes['DUT1']['host']}" + ) ipip_tunnels.extend( [ - reply[u"sw_if_index"] + reply["sw_if_index"] for reply in papi_exec.get_replies(err_msg) - if u"sw_if_index" in reply + if "sw_if_index" in reply ] ) # Configure IPSec SAD entries ckeys = [bytes()] * existing_tunnels ikeys = [bytes()] * existing_tunnels - cmd = u"ipsec_sad_entry_add_del_v3" - c_key = dict( - length=0, - data=None - ) - i_key = dict( - length=0, - data=None - ) + cmd = "ipsec_sad_entry_add_v2" + c_key = dict(length=0, data=None) + i_key = dict(length=0, data=None) + common_flags = IPsecSadFlags.IPSEC_API_SAD_FLAG_NONE sad_entry = dict( sad_id=None, spi=None, @@ -1488,7 +1357,7 @@ class IPsecUtil: crypto_key=c_key, integrity_algorithm=integ_alg.alg_int_repr if integ_alg else 0, integrity_key=i_key, - flags=None, + flags=common_flags, tunnel=dict( src=0, dst=0, @@ -1499,13 +1368,11 @@ class IPsecUtil: dscp=int(IpDscp.IP_API_DSCP_CS0), ), salt=0, - udp_src_port=IPSEC_UDP_PORT_NONE, - udp_dst_port=IPSEC_UDP_PORT_NONE, - ) - args = dict( - is_add=True, - entry=sad_entry + udp_src_port=IPSEC_UDP_PORT_DEFAULT, + udp_dst_port=IPSEC_UDP_PORT_DEFAULT, + anti_replay_window_size=IPSEC_REPLAY_WINDOW_DEFAULT, ) + args = dict(entry=sad_entry) for i in range(existing_tunnels, n_tunnels): ckeys.append( gen_key(IPsecUtil.get_crypto_alg_key_len(crypto_alg)) @@ -1514,118 +1381,118 @@ class IPsecUtil: gen_key(IPsecUtil.get_integ_alg_key_len(integ_alg)) ) # SAD entry for outband / tx path - args[u"entry"][u"sad_id"] = i - args[u"entry"][u"spi"] = spi_d[u"spi_1"] + i + sad_entry["sad_id"] = i + sad_entry["spi"] = spi_d["spi_1"] + i - args[u"entry"][u"crypto_key"][u"length"] = len(ckeys[i]) - args[u"entry"][u"crypto_key"][u"data"] = ckeys[i] + sad_entry["crypto_key"]["length"] = len(ckeys[i]) + sad_entry["crypto_key"]["data"] = ckeys[i] if integ_alg: - args[u"entry"][u"integrity_key"][u"length"] = len(ikeys[i]) - args[u"entry"][u"integrity_key"][u"data"] = ikeys[i] - args[u"entry"][u"flags"] = int( - IPsecSadFlags.IPSEC_API_SAD_FLAG_NONE - ) + sad_entry["integrity_key"]["length"] = len(ikeys[i]) + sad_entry["integrity_key"]["data"] = ikeys[i] papi_exec.add( cmd, history=bool(not 1 < i < n_tunnels - 2), **args ) + sad_entry["flags"] |= IPsecSadFlags.IPSEC_API_SAD_FLAG_IS_INBOUND + for i in range(existing_tunnels, n_tunnels): # SAD entry for inband / rx path - args[u"entry"][u"sad_id"] = 100000 + i - args[u"entry"][u"spi"] = spi_d[u"spi_2"] + i + sad_entry["sad_id"] = 100000 + i + sad_entry["spi"] = spi_d["spi_2"] + i - args[u"entry"][u"crypto_key"][u"length"] = len(ckeys[i]) - args[u"entry"][u"crypto_key"][u"data"] = ckeys[i] + sad_entry["crypto_key"]["length"] = len(ckeys[i]) + sad_entry["crypto_key"]["data"] = ckeys[i] if integ_alg: - args[u"entry"][u"integrity_key"][u"length"] = len(ikeys[i]) - args[u"entry"][u"integrity_key"][u"data"] = ikeys[i] - args[u"entry"][u"flags"] = int( - IPsecSadFlags.IPSEC_API_SAD_FLAG_NONE | - IPsecSadFlags.IPSEC_API_SAD_FLAG_IS_INBOUND - ) + sad_entry["integrity_key"]["length"] = len(ikeys[i]) + sad_entry["integrity_key"]["data"] = ikeys[i] papi_exec.add( cmd, history=bool(not 1 < i < n_tunnels - 2), **args ) - err_msg = f"Failed to add IPsec SAD entries on host" \ - f" {nodes[u'DUT1'][u'host']}" + err_msg = ( + "Failed to add IPsec SAD entries on host" + f" {nodes['DUT1']['host']}" + ) papi_exec.get_replies(err_msg) # Add protection for tunnels with IPSEC - cmd = u"ipsec_tunnel_protect_update" + cmd = "ipsec_tunnel_protect_update" n_hop = dict( address=0, via_label=MPLS_LABEL_INVALID, - obj_id=Constants.BITWISE_NON_ZERO + obj_id=Constants.BITWISE_NON_ZERO, ) ipsec_tunnel_protect = dict( - sw_if_index=None, - nh=n_hop, - sa_out=None, - n_sa_in=1, - sa_in=None - ) - args = dict( - tunnel=ipsec_tunnel_protect + sw_if_index=None, nh=n_hop, sa_out=None, n_sa_in=1, sa_in=None ) + args = dict(tunnel=ipsec_tunnel_protect) for i in range(existing_tunnels, n_tunnels): - args[u"tunnel"][u"sw_if_index"] = ipip_tunnels[i] - args[u"tunnel"][u"sa_out"] = i - args[u"tunnel"][u"sa_in"] = [100000 + i] + args["tunnel"]["sw_if_index"] = ipip_tunnels[i] + args["tunnel"]["sa_out"] = i + args["tunnel"]["sa_in"] = [100000 + i] papi_exec.add( cmd, history=bool(not 1 < i < n_tunnels - 2), **args ) - err_msg = f"Failed to add protection for tunnels with IPSEC " \ - f"on host {nodes[u'DUT1'][u'host']}" + err_msg = ( + "Failed to add protection for tunnels with IPSEC" + f" on host {nodes['DUT1']['host']}" + ) papi_exec.get_replies(err_msg) # Configure unnumbered interfaces - cmd = u"sw_interface_set_unnumbered" + cmd = "sw_interface_set_unnumbered" args = dict( is_add=True, sw_if_index=InterfaceUtil.get_interface_index( - nodes[u"DUT1"], if1_key + nodes["DUT1"], if1_key ), - unnumbered_sw_if_index=0 + unnumbered_sw_if_index=0, ) for i in range(existing_tunnels, n_tunnels): - args[u"unnumbered_sw_if_index"] = ipip_tunnels[i] + args["unnumbered_sw_if_index"] = ipip_tunnels[i] papi_exec.add( cmd, history=bool(not 1 < i < n_tunnels - 2), **args ) # Set interfaces up - cmd = u"sw_interface_set_flags" + cmd = "sw_interface_set_flags" args = dict( sw_if_index=0, - flags=InterfaceStatusFlags.IF_STATUS_API_FLAG_ADMIN_UP.value + flags=InterfaceStatusFlags.IF_STATUS_API_FLAG_ADMIN_UP.value, ) for i in range(existing_tunnels, n_tunnels): - args[u"sw_if_index"] = ipip_tunnels[i] + args["sw_if_index"] = ipip_tunnels[i] papi_exec.add( cmd, history=bool(not 1 < i < n_tunnels - 2), **args ) # Configure IP routes - cmd = u"ip_route_add_del" - args = dict( - is_add=1, - is_multipath=0, - route=None - ) + cmd = "ip_route_add_del" + args = dict(is_add=1, is_multipath=0, route=None) for i in range(existing_tunnels, n_tunnels): - args[u"route"] = IPUtil.compose_vpp_route_structure( - nodes[u"DUT1"], (raddr_ip2 + i).compressed, + args["route"] = IPUtil.compose_vpp_route_structure( + nodes["DUT1"], + (raddr_ip2 + i).compressed, prefix_len=128 if raddr_ip2.version == 6 else 32, - interface=ipip_tunnels[i] + interface=ipip_tunnels[i], ) papi_exec.add( cmd, history=bool(not 1 < i < n_tunnels - 2), **args ) - err_msg = f"Failed to add IP routes on host " \ - f"{nodes[u'DUT1'][u'host']}" + err_msg = f"Failed to add IP routes on host {nodes['DUT1']['host']}" papi_exec.get_replies(err_msg) return ckeys, ikeys @staticmethod def _ipsec_create_tunnel_interfaces_dut2_papi( - nodes, tun_ips, if2_key, n_tunnels, crypto_alg, ckeys, integ_alg, - ikeys, raddr_ip1, addr_incr, spi_d, existing_tunnels=0): + nodes, + tun_ips, + if2_key, + n_tunnels, + crypto_alg, + ckeys, + integ_alg, + ikeys, + raddr_ip1, + addr_incr, + spi_d, + existing_tunnels=0, + ): """Create multiple IPsec tunnel interfaces on DUT2 node using PAPI. This method accesses keys generated by DUT1 method @@ -1658,26 +1525,28 @@ class IPsecUtil: :type spi_d: dict :type existing_tunnels: int """ - with PapiSocketExecutor(nodes[u"DUT2"]) as papi_exec: + with PapiSocketExecutor(nodes["DUT2"], is_async=True) as papi_exec: if not existing_tunnels: # Set IP address on VPP node 2 interface - cmd = u"sw_interface_add_del_address" + cmd = "sw_interface_add_del_address" args = dict( sw_if_index=InterfaceUtil.get_interface_index( - nodes[u"DUT2"], if2_key + nodes["DUT2"], if2_key ), is_add=True, del_all=False, prefix=IPUtil.create_prefix_object( - tun_ips[u"ip2"], 96 if tun_ips[u"ip2"].version == 6 - else 24 - ) + tun_ips["ip2"], + 96 if tun_ips["ip2"].version == 6 else 24, + ), ) - err_msg = f"Failed to set IP address on interface {if2_key} " \ - f"on host {nodes[u'DUT2'][u'host']}" - papi_exec.add(cmd, **args).get_reply(err_msg) + err_msg = ( + f"Failed to set IP address on interface {if2_key}" + f" on host {nodes['DUT2']['host']}" + ) + papi_exec.add(cmd, **args).get_replies(err_msg) # Configure IPIP tunnel interfaces - cmd = u"ipip_add_tunnel" + cmd = "ipip_add_tunnel" ipip_tunnel = dict( instance=Constants.BITWISE_NON_ZERO, src=None, @@ -1687,41 +1556,36 @@ class IPsecUtil: TunnelEncpaDecapFlags.TUNNEL_API_ENCAP_DECAP_FLAG_NONE ), mode=int(TunnelMode.TUNNEL_API_MODE_P2P), - dscp=int(IpDscp.IP_API_DSCP_CS0) - ) - args = dict( - tunnel=ipip_tunnel + dscp=int(IpDscp.IP_API_DSCP_CS0), ) + args = dict(tunnel=ipip_tunnel) ipip_tunnels = [None] * existing_tunnels for i in range(existing_tunnels, n_tunnels): - args[u"tunnel"][u"src"] = IPAddress.create_ip_address_object( - tun_ips[u"ip2"] + ipip_tunnel["src"] = IPAddress.create_ip_address_object( + tun_ips["ip2"] ) - args[u"tunnel"][u"dst"] = IPAddress.create_ip_address_object( - tun_ips[u"ip1"] + i * addr_incr + ipip_tunnel["dst"] = IPAddress.create_ip_address_object( + tun_ips["ip1"] + i * addr_incr ) papi_exec.add( cmd, history=bool(not 1 < i < n_tunnels - 2), **args ) - err_msg = f"Failed to add IPIP tunnel interfaces on host" \ - f" {nodes[u'DUT2'][u'host']}" + err_msg = ( + "Failed to add IPIP tunnel interfaces on host" + f" {nodes['DUT2']['host']}" + ) ipip_tunnels.extend( [ - reply[u"sw_if_index"] + reply["sw_if_index"] for reply in papi_exec.get_replies(err_msg) - if u"sw_if_index" in reply + if "sw_if_index" in reply ] ) # Configure IPSec SAD entries - cmd = u"ipsec_sad_entry_add_del_v3" - c_key = dict( - length=0, - data=None - ) - i_key = dict( - length=0, - data=None - ) + cmd = "ipsec_sad_entry_add_v2" + c_key = dict(length=0, data=None) + i_key = dict(length=0, data=None) + common_flags = IPsecSadFlags.IPSEC_API_SAD_FLAG_NONE sad_entry = dict( sad_id=None, spi=None, @@ -1730,7 +1594,7 @@ class IPsecUtil: crypto_key=c_key, integrity_algorithm=integ_alg.alg_int_repr if integ_alg else 0, integrity_key=i_key, - flags=None, + flags=common_flags, tunnel=dict( src=0, dst=0, @@ -1741,13 +1605,11 @@ class IPsecUtil: dscp=int(IpDscp.IP_API_DSCP_CS0), ), salt=0, - udp_src_port=IPSEC_UDP_PORT_NONE, - udp_dst_port=IPSEC_UDP_PORT_NONE, - ) - args = dict( - is_add=True, - entry=sad_entry + udp_src_port=IPSEC_UDP_PORT_DEFAULT, + udp_dst_port=IPSEC_UDP_PORT_DEFAULT, + anti_replay_window_size=IPSEC_REPLAY_WINDOW_DEFAULT, ) + args = dict(entry=sad_entry) for i in range(existing_tunnels, n_tunnels): ckeys.append( gen_key(IPsecUtil.get_crypto_alg_key_len(crypto_alg)) @@ -1756,132 +1618,129 @@ class IPsecUtil: gen_key(IPsecUtil.get_integ_alg_key_len(integ_alg)) ) # SAD entry for outband / tx path - args[u"entry"][u"sad_id"] = 100000 + i - args[u"entry"][u"spi"] = spi_d[u"spi_2"] + i + sad_entry["sad_id"] = 100000 + i + sad_entry["spi"] = spi_d["spi_2"] + i - args[u"entry"][u"crypto_key"][u"length"] = len(ckeys[i]) - args[u"entry"][u"crypto_key"][u"data"] = ckeys[i] + sad_entry["crypto_key"]["length"] = len(ckeys[i]) + sad_entry["crypto_key"]["data"] = ckeys[i] if integ_alg: - args[u"entry"][u"integrity_key"][u"length"] = len(ikeys[i]) - args[u"entry"][u"integrity_key"][u"data"] = ikeys[i] - args[u"entry"][u"flags"] = int( - IPsecSadFlags.IPSEC_API_SAD_FLAG_NONE - ) + sad_entry["integrity_key"]["length"] = len(ikeys[i]) + sad_entry["integrity_key"]["data"] = ikeys[i] papi_exec.add( cmd, history=bool(not 1 < i < n_tunnels - 2), **args ) + sad_entry["flags"] |= IPsecSadFlags.IPSEC_API_SAD_FLAG_IS_INBOUND + for i in range(existing_tunnels, n_tunnels): # SAD entry for inband / rx path - args[u"entry"][u"sad_id"] = i - args[u"entry"][u"spi"] = spi_d[u"spi_1"] + i + sad_entry["sad_id"] = i + sad_entry["spi"] = spi_d["spi_1"] + i - args[u"entry"][u"crypto_key"][u"length"] = len(ckeys[i]) - args[u"entry"][u"crypto_key"][u"data"] = ckeys[i] + sad_entry["crypto_key"]["length"] = len(ckeys[i]) + sad_entry["crypto_key"]["data"] = ckeys[i] if integ_alg: - args[u"entry"][u"integrity_key"][u"length"] = len(ikeys[i]) - args[u"entry"][u"integrity_key"][u"data"] = ikeys[i] - args[u"entry"][u"flags"] = int( - IPsecSadFlags.IPSEC_API_SAD_FLAG_NONE | - IPsecSadFlags.IPSEC_API_SAD_FLAG_IS_INBOUND - ) + sad_entry["integrity_key"]["length"] = len(ikeys[i]) + sad_entry["integrity_key"]["data"] = ikeys[i] papi_exec.add( cmd, history=bool(not 1 < i < n_tunnels - 2), **args ) - err_msg = f"Failed to add IPsec SAD entries on host" \ - f" {nodes[u'DUT2'][u'host']}" + err_msg = ( + f"Failed to add IPsec SAD entries on host" + f" {nodes['DUT2']['host']}" + ) papi_exec.get_replies(err_msg) # Add protection for tunnels with IPSEC - cmd = u"ipsec_tunnel_protect_update" + cmd = "ipsec_tunnel_protect_update" n_hop = dict( address=0, via_label=MPLS_LABEL_INVALID, - obj_id=Constants.BITWISE_NON_ZERO + obj_id=Constants.BITWISE_NON_ZERO, ) ipsec_tunnel_protect = dict( - sw_if_index=None, - nh=n_hop, - sa_out=None, - n_sa_in=1, - sa_in=None - ) - args = dict( - tunnel=ipsec_tunnel_protect + sw_if_index=None, nh=n_hop, sa_out=None, n_sa_in=1, sa_in=None ) + args = dict(tunnel=ipsec_tunnel_protect) for i in range(existing_tunnels, n_tunnels): - args[u"tunnel"][u"sw_if_index"] = ipip_tunnels[i] - args[u"tunnel"][u"sa_out"] = 100000 + i - args[u"tunnel"][u"sa_in"] = [i] + args["tunnel"]["sw_if_index"] = ipip_tunnels[i] + args["tunnel"]["sa_out"] = 100000 + i + args["tunnel"]["sa_in"] = [i] papi_exec.add( cmd, history=bool(not 1 < i < n_tunnels - 2), **args ) - err_msg = f"Failed to add protection for tunnels with IPSEC " \ - f"on host {nodes[u'DUT2'][u'host']}" + err_msg = ( + "Failed to add protection for tunnels with IPSEC" + f" on host {nodes['DUT2']['host']}" + ) papi_exec.get_replies(err_msg) if not existing_tunnels: # Configure IP route - cmd = u"ip_route_add_del" + cmd = "ip_route_add_del" route = IPUtil.compose_vpp_route_structure( - nodes[u"DUT2"], tun_ips[u"ip1"].compressed, - prefix_len=32 if tun_ips[u"ip1"].version == 6 else 8, + nodes["DUT2"], + tun_ips["ip1"].compressed, + prefix_len=32 if tun_ips["ip1"].version == 6 else 8, interface=if2_key, - gateway=(tun_ips[u"ip2"] - 1).compressed - ) - args = dict( - is_add=1, - is_multipath=0, - route=route + gateway=(tun_ips["ip2"] - 1).compressed, ) + args = dict(is_add=1, is_multipath=0, route=route) papi_exec.add(cmd, **args) # Configure unnumbered interfaces - cmd = u"sw_interface_set_unnumbered" + cmd = "sw_interface_set_unnumbered" args = dict( is_add=True, sw_if_index=InterfaceUtil.get_interface_index( - nodes[u"DUT2"], if2_key + nodes["DUT2"], if2_key ), - unnumbered_sw_if_index=0 + unnumbered_sw_if_index=0, ) for i in range(existing_tunnels, n_tunnels): - args[u"unnumbered_sw_if_index"] = ipip_tunnels[i] + args["unnumbered_sw_if_index"] = ipip_tunnels[i] papi_exec.add( cmd, history=bool(not 1 < i < n_tunnels - 2), **args ) # Set interfaces up - cmd = u"sw_interface_set_flags" + cmd = "sw_interface_set_flags" args = dict( sw_if_index=0, - flags=InterfaceStatusFlags.IF_STATUS_API_FLAG_ADMIN_UP.value + flags=InterfaceStatusFlags.IF_STATUS_API_FLAG_ADMIN_UP.value, ) for i in range(existing_tunnels, n_tunnels): - args[u"sw_if_index"] = ipip_tunnels[i] + args["sw_if_index"] = ipip_tunnels[i] papi_exec.add( cmd, history=bool(not 1 < i < n_tunnels - 2), **args ) # Configure IP routes - cmd = u"ip_route_add_del" - args = dict( - is_add=1, - is_multipath=0, - route=None - ) + cmd = "ip_route_add_del" + args = dict(is_add=1, is_multipath=0, route=None) for i in range(existing_tunnels, n_tunnels): - args[u"route"] = IPUtil.compose_vpp_route_structure( - nodes[u"DUT1"], (raddr_ip1 + i).compressed, + args["route"] = IPUtil.compose_vpp_route_structure( + nodes["DUT1"], + (raddr_ip1 + i).compressed, prefix_len=128 if raddr_ip1.version == 6 else 32, - interface=ipip_tunnels[i] + interface=ipip_tunnels[i], ) papi_exec.add( cmd, history=bool(not 1 < i < n_tunnels - 2), **args ) - err_msg = f"Failed to add IP routes " \ - f"on host {nodes[u'DUT2'][u'host']}" + err_msg = f"Failed to add IP routes on host {nodes['DUT2']['host']}" papi_exec.get_replies(err_msg) @staticmethod def vpp_ipsec_create_tunnel_interfaces( - nodes, tun_if1_ip_addr, tun_if2_ip_addr, if1_key, if2_key, - n_tunnels, crypto_alg, integ_alg, raddr_ip1, raddr_ip2, raddr_range, - existing_tunnels=0, return_keys=False): + nodes, + tun_if1_ip_addr, + tun_if2_ip_addr, + if1_key, + if2_key, + n_tunnels, + crypto_alg, + integ_alg, + raddr_ip1, + raddr_ip2, + raddr_range, + existing_tunnels=0, + return_keys=False, + ): """Create multiple IPsec tunnel interfaces between two VPP nodes. Some deployments (e.g. devicetest) need to know the generated keys. @@ -1927,44 +1786,49 @@ class IPsecUtil: """ n_tunnels = int(n_tunnels) existing_tunnels = int(existing_tunnels) - spi_d = dict( - spi_1=100000, - spi_2=200000 - ) + spi_d = dict(spi_1=100000, spi_2=200000) tun_ips = dict( - ip1=ip_address(tun_if1_ip_addr), - ip2=ip_address(tun_if2_ip_addr) + ip1=ip_address(tun_if1_ip_addr), ip2=ip_address(tun_if2_ip_addr) ) raddr_ip1 = ip_address(raddr_ip1) raddr_ip2 = ip_address(raddr_ip2) - addr_incr = 1 << (128 - raddr_range) if tun_ips[u"ip1"].version == 6 \ + addr_incr = ( + 1 << (128 - raddr_range) + if tun_ips["ip1"].version == 6 else 1 << (32 - raddr_range) + ) - if n_tunnels - existing_tunnels > 10: - ckeys, ikeys = IPsecUtil._ipsec_create_tunnel_interfaces_dut1_vat( - nodes, tun_ips, if1_key, if2_key, n_tunnels, crypto_alg, - integ_alg, raddr_ip2, addr_incr, spi_d, existing_tunnels - ) - if u"DUT2" in nodes.keys(): - IPsecUtil._ipsec_create_tunnel_interfaces_dut2_vat( - nodes, tun_ips, if2_key, n_tunnels, crypto_alg, ckeys, - integ_alg, ikeys, raddr_ip1, addr_incr, spi_d, - existing_tunnels - ) - else: - ckeys, ikeys = IPsecUtil._ipsec_create_tunnel_interfaces_dut1_papi( - nodes, tun_ips, if1_key, if2_key, n_tunnels, crypto_alg, - integ_alg, raddr_ip2, addr_incr, spi_d, existing_tunnels + ckeys, ikeys = IPsecUtil._ipsec_create_tunnel_interfaces_dut1_papi( + nodes, + tun_ips, + if1_key, + if2_key, + n_tunnels, + crypto_alg, + integ_alg, + raddr_ip2, + addr_incr, + spi_d, + existing_tunnels, + ) + if "DUT2" in nodes.keys(): + IPsecUtil._ipsec_create_tunnel_interfaces_dut2_papi( + nodes, + tun_ips, + if2_key, + n_tunnels, + crypto_alg, + ckeys, + integ_alg, + ikeys, + raddr_ip1, + addr_incr, + spi_d, + existing_tunnels, ) - if u"DUT2" in nodes.keys(): - IPsecUtil._ipsec_create_tunnel_interfaces_dut2_papi( - nodes, tun_ips, if2_key, n_tunnels, crypto_alg, ckeys, - integ_alg, ikeys, raddr_ip1, addr_incr, spi_d, - existing_tunnels - ) if return_keys: - return ckeys, ikeys, spi_d[u"spi_1"], spi_d[u"spi_2"] + return ckeys, ikeys, spi_d["spi_1"], spi_d["spi_2"] return None @staticmethod @@ -1981,12 +1845,11 @@ class IPsecUtil: script_filename = ( f"/tmp/ipsec_create_tunnel_cnf_{dut}_{cnf + 1}.config" ) - scripts.append(open(script_filename, 'w')) + scripts.append(open(script_filename, "w", encoding="utf-8")) return scripts @staticmethod - def _close_and_copy_ipsec_script_files( - dut, nodes, instances, scripts): + def _close_and_copy_ipsec_script_files(dut, nodes, instances, scripts): """Close created scripts and copy them to containers :param dut: DUT node on which to create the script files @@ -2005,11 +1868,19 @@ class IPsecUtil: ) scp_node(nodes[dut], script_filename, script_filename) - @staticmethod def vpp_ipsec_create_tunnel_interfaces_in_containers( - nodes, if1_ip_addr, if2_ip_addr, n_tunnels, crypto_alg, integ_alg, - raddr_ip1, raddr_ip2, raddr_range, n_instances): + nodes, + if1_ip_addr, + if2_ip_addr, + n_tunnels, + crypto_alg, + integ_alg, + raddr_ip1, + raddr_ip2, + raddr_range, + n_instances, + ): """Create multiple IPsec tunnel interfaces between two VPP nodes. :param nodes: VPP nodes to create tunnel interfaces. @@ -2040,90 +1911,95 @@ class IPsecUtil: spi_2 = 200000 addr_incr = 1 << (32 - raddr_range) - dut1_scripts = IPsecUtil._create_ipsec_script_files( - u"DUT1", n_instances - ) - dut2_scripts = IPsecUtil._create_ipsec_script_files( - u"DUT2", n_instances - ) + dut1_scripts = IPsecUtil._create_ipsec_script_files("DUT1", n_instances) + dut2_scripts = IPsecUtil._create_ipsec_script_files("DUT2", n_instances) for cnf in range(0, n_instances): dut1_scripts[cnf].write( - u"create loopback interface\n" - u"set interface state loop0 up\n\n" + "create loopback interface\nset interface state loop0 up\n\n" ) dut2_scripts[cnf].write( - f"ip route add {if1_ip_addr}/8 via " - f"{ip_address(if2_ip_addr) + cnf + 100} memif1/{cnf + 1}\n\n" + f"ip route add {if1_ip_addr}/8 via" + f" {ip_address(if2_ip_addr) + cnf + 100} memif1/{cnf + 1}\n\n" ) for tnl in range(0, n_tunnels): cnf = tnl % n_instances ckey = getattr( - gen_key(IPsecUtil.get_crypto_alg_key_len(crypto_alg)), u"hex" + gen_key(IPsecUtil.get_crypto_alg_key_len(crypto_alg)), "hex" ) - integ = u"" + integ = "" ikey = getattr( - gen_key(IPsecUtil.get_integ_alg_key_len(integ_alg)), u"hex" + gen_key(IPsecUtil.get_integ_alg_key_len(integ_alg)), "hex" ) if integ_alg: integ = ( - f"integ-alg {integ_alg.alg_name} " - f"local-integ-key {ikey} " - f"remote-integ-key {ikey} " + f"integ-alg {integ_alg.alg_name}" + f" local-integ-key {ikey}" + f" remote-integ-key {ikey}" ) # Configure tunnel end point(s) on left side dut1_scripts[cnf].write( - u"set interface ip address loop0 " - f"{ip_address(if1_ip_addr) + tnl * addr_incr}/32\n" - f"create ipsec tunnel " - f"local-ip {ip_address(if1_ip_addr) + tnl * addr_incr} " - f"local-spi {spi_1 + tnl} " - f"remote-ip {ip_address(if2_ip_addr) + cnf} " - f"remote-spi {spi_2 + tnl} " - f"crypto-alg {crypto_alg.alg_name} " - f"local-crypto-key {ckey} " - f"remote-crypto-key {ckey} " - f"instance {tnl // n_instances} " - f"salt 0x0 " - f"{integ} \n" + "set interface ip address loop0" + f" {ip_address(if1_ip_addr) + tnl * addr_incr}/32\n" + "create ipsec tunnel" + f" local-ip {ip_address(if1_ip_addr) + tnl * addr_incr}" + f" local-spi {spi_1 + tnl}" + f" remote-ip {ip_address(if2_ip_addr) + cnf}" + f" remote-spi {spi_2 + tnl}" + f" crypto-alg {crypto_alg.alg_name}" + f" local-crypto-key {ckey}" + f" remote-crypto-key {ckey}" + f" instance {tnl // n_instances}" + f" salt 0x0 {integ}\n" f"set interface unnumbered ipip{tnl // n_instances} use loop0\n" f"set interface state ipip{tnl // n_instances} up\n" - f"ip route add {ip_address(raddr_ip2)+tnl}/32 " - f"via ipip{tnl // n_instances}\n\n" + f"ip route add {ip_address(raddr_ip2)+tnl}/32" + f" via ipip{tnl // n_instances}\n\n" ) # Configure tunnel end point(s) on right side dut2_scripts[cnf].write( - f"set ip neighbor memif1/{cnf + 1} " - f"{ip_address(if1_ip_addr) + tnl * addr_incr} " - f"02:02:00:00:{17:02X}:{cnf:02X} static\n" - f"create ipsec tunnel local-ip {ip_address(if2_ip_addr) + cnf} " - f"local-spi {spi_2 + tnl} " - f"remote-ip {ip_address(if1_ip_addr) + tnl * addr_incr} " - f"remote-spi {spi_1 + tnl} " - f"crypto-alg {crypto_alg.alg_name} " - f"local-crypto-key {ckey} " - f"remote-crypto-key {ckey} " - f"instance {tnl // n_instances} " - f"salt 0x0 " - f"{integ}\n" - f"set interface unnumbered ipip{tnl // n_instances} " - f"use memif1/{cnf + 1}\n" + f"set ip neighbor memif1/{cnf + 1}" + f" {ip_address(if1_ip_addr) + tnl * addr_incr}" + f" 02:02:00:00:{17:02X}:{cnf:02X} static\n" + f"create ipsec tunnel local-ip {ip_address(if2_ip_addr) + cnf}" + f" local-spi {spi_2 + tnl}" + f" remote-ip {ip_address(if1_ip_addr) + tnl * addr_incr}" + f" remote-spi {spi_1 + tnl}" + f" crypto-alg {crypto_alg.alg_name}" + f" local-crypto-key {ckey}" + f" remote-crypto-key {ckey}" + f" instance {tnl // n_instances}" + f" salt 0x0 {integ}\n" + f"set interface unnumbered ipip{tnl // n_instances}" + f" use memif1/{cnf + 1}\n" f"set interface state ipip{tnl // n_instances} up\n" - f"ip route add {ip_address(raddr_ip1) + tnl}/32 " - f"via ipip{tnl // n_instances}\n\n" + f"ip route add {ip_address(raddr_ip1) + tnl}/32" + f" via ipip{tnl // n_instances}\n\n" ) IPsecUtil._close_and_copy_ipsec_script_files( - u"DUT1", nodes, n_instances, dut1_scripts) + "DUT1", nodes, n_instances, dut1_scripts + ) IPsecUtil._close_and_copy_ipsec_script_files( - u"DUT2", nodes, n_instances, dut2_scripts) + "DUT2", nodes, n_instances, dut2_scripts + ) @staticmethod def vpp_ipsec_add_multiple_tunnels( - nodes, interface1, interface2, n_tunnels, crypto_alg, integ_alg, - tunnel_ip1, tunnel_ip2, raddr_ip1, raddr_ip2, raddr_range, - tunnel_addr_incr=True): + nodes, + interface1, + interface2, + n_tunnels, + crypto_alg, + integ_alg, + tunnel_ip1, + tunnel_ip2, + raddr_ip1, + raddr_ip2, + raddr_range, + tunnel_addr_incr=True, + ): """Create multiple IPsec tunnels between two VPP nodes. :param nodes: VPP nodes to create tunnels. @@ -2162,104 +2038,208 @@ class IPsecUtil: sa_id_2 = 200000 spi_1 = 300000 spi_2 = 400000 - dut1_local_outbound_range = ip_network(f"{tunnel_ip1}/8", False).\ - with_prefixlen - dut1_remote_outbound_range = ip_network(f"{tunnel_ip2}/8", False).\ - with_prefixlen crypto_key = gen_key( IPsecUtil.get_crypto_alg_key_len(crypto_alg) ).decode() - integ_key = gen_key( - IPsecUtil.get_integ_alg_key_len(integ_alg) - ).decode() if integ_alg else u"" + integ_key = ( + gen_key(IPsecUtil.get_integ_alg_key_len(integ_alg)).decode() + if integ_alg + else "" + ) - rmac = Topology.get_interface_mac(nodes[u"DUT2"], interface2) \ - if u"DUT2" in nodes.keys() \ - else Topology.get_interface_mac(nodes[u"TG"], interface2) + rmac = ( + Topology.get_interface_mac(nodes["DUT2"], interface2) + if "DUT2" in nodes.keys() + else Topology.get_interface_mac(nodes["TG"], interface2) + ) IPsecUtil.vpp_ipsec_set_ip_route( - nodes[u"DUT1"], n_tunnels, tunnel_ip1, raddr_ip2, tunnel_ip2, - interface1, raddr_range, rmac) - - IPsecUtil.vpp_ipsec_add_spd(nodes[u"DUT1"], spd_id) - IPsecUtil.vpp_ipsec_spd_add_if(nodes[u"DUT1"], spd_id, interface1) - IPsecUtil.vpp_ipsec_add_spd_entry( - nodes[u"DUT1"], spd_id, p_hi, PolicyAction.BYPASS, inbound=False, - proto=50, laddr_range=dut1_local_outbound_range, - raddr_range=dut1_remote_outbound_range + nodes["DUT1"], + n_tunnels, + tunnel_ip1, + raddr_ip2, + tunnel_ip2, + interface1, + raddr_range, + rmac, ) - IPsecUtil.vpp_ipsec_add_spd_entry( - nodes[u"DUT1"], spd_id, p_hi, PolicyAction.BYPASS, inbound=True, - proto=50, laddr_range=dut1_remote_outbound_range, - raddr_range=dut1_local_outbound_range + + IPsecUtil.vpp_ipsec_add_spd(nodes["DUT1"], spd_id) + IPsecUtil.vpp_ipsec_spd_add_if(nodes["DUT1"], spd_id, interface1) + + addr_incr = ( + 1 << (128 - 96) + if ip_address(tunnel_ip1).version == 6 + else 1 << (32 - 24) ) + for i in range(n_tunnels // (addr_incr**2) + 1): + dut1_local_outbound_range = ip_network( + f"{ip_address(tunnel_ip1) + i*(addr_incr**3)}/8", False + ).with_prefixlen + dut1_remote_outbound_range = ip_network( + f"{ip_address(tunnel_ip2) + i*(addr_incr**3)}/8", False + ).with_prefixlen + + IPsecUtil.vpp_ipsec_add_spd_entry( + nodes["DUT1"], + spd_id, + p_hi, + PolicyAction.BYPASS, + inbound=False, + proto=50, + laddr_range=dut1_local_outbound_range, + raddr_range=dut1_remote_outbound_range, + ) + IPsecUtil.vpp_ipsec_add_spd_entry( + nodes["DUT1"], + spd_id, + p_hi, + PolicyAction.BYPASS, + inbound=True, + proto=50, + laddr_range=dut1_remote_outbound_range, + raddr_range=dut1_local_outbound_range, + ) IPsecUtil.vpp_ipsec_add_sad_entries( - nodes[u"DUT1"], n_tunnels, sa_id_1, spi_1, crypto_alg, crypto_key, - integ_alg, integ_key, tunnel_ip1, tunnel_ip2, tunnel_addr_incr + nodes["DUT1"], + n_tunnels, + sa_id_1, + spi_1, + crypto_alg, + crypto_key, + integ_alg, + integ_key, + tunnel_ip1, + tunnel_ip2, + tunnel_addr_incr, ) IPsecUtil.vpp_ipsec_add_spd_entries( - nodes[u"DUT1"], n_tunnels, spd_id, priority=ObjIncrement(p_lo, 0), - action=PolicyAction.PROTECT, inbound=False, + nodes["DUT1"], + n_tunnels, + spd_id, + priority=ObjIncrement(p_lo, 0), + action=PolicyAction.PROTECT, + inbound=False, sa_id=ObjIncrement(sa_id_1, 1), - raddr_range=NetworkIncrement(ip_network(raddr_ip2)) + raddr_range=NetworkIncrement(ip_network(raddr_ip2)), ) IPsecUtil.vpp_ipsec_add_sad_entries( - nodes[u"DUT1"], n_tunnels, sa_id_2, spi_2, crypto_alg, crypto_key, - integ_alg, integ_key, tunnel_ip2, tunnel_ip1, tunnel_addr_incr + nodes["DUT1"], + n_tunnels, + sa_id_2, + spi_2, + crypto_alg, + crypto_key, + integ_alg, + integ_key, + tunnel_ip2, + tunnel_ip1, + tunnel_addr_incr, ) IPsecUtil.vpp_ipsec_add_spd_entries( - nodes[u"DUT1"], n_tunnels, spd_id, priority=ObjIncrement(p_lo, 0), - action=PolicyAction.PROTECT, inbound=True, + nodes["DUT1"], + n_tunnels, + spd_id, + priority=ObjIncrement(p_lo, 0), + action=PolicyAction.PROTECT, + inbound=True, sa_id=ObjIncrement(sa_id_2, 1), - raddr_range=NetworkIncrement(ip_network(raddr_ip1)) + raddr_range=NetworkIncrement(ip_network(raddr_ip1)), ) - if u"DUT2" in nodes.keys(): - rmac = Topology.get_interface_mac(nodes[u"DUT1"], interface1) + if "DUT2" in nodes.keys(): + rmac = Topology.get_interface_mac(nodes["DUT1"], interface1) IPsecUtil.vpp_ipsec_set_ip_route( - nodes[u"DUT2"], n_tunnels, tunnel_ip2, raddr_ip1, tunnel_ip1, - interface2, raddr_range, rmac) - - IPsecUtil.vpp_ipsec_add_spd(nodes[u"DUT2"], spd_id) - IPsecUtil.vpp_ipsec_spd_add_if(nodes[u"DUT2"], spd_id, interface2) - IPsecUtil.vpp_ipsec_add_spd_entry( - nodes[u"DUT2"], spd_id, p_hi, PolicyAction.BYPASS, - inbound=False, proto=50, laddr_range=dut1_remote_outbound_range, - raddr_range=dut1_local_outbound_range - ) - IPsecUtil.vpp_ipsec_add_spd_entry( - nodes[u"DUT2"], spd_id, p_hi, PolicyAction.BYPASS, - inbound=True, proto=50, laddr_range=dut1_local_outbound_range, - raddr_range=dut1_remote_outbound_range + nodes["DUT2"], + n_tunnels, + tunnel_ip2, + raddr_ip1, + tunnel_ip1, + interface2, + raddr_range, + rmac, ) + IPsecUtil.vpp_ipsec_add_spd(nodes["DUT2"], spd_id) + IPsecUtil.vpp_ipsec_spd_add_if(nodes["DUT2"], spd_id, interface2) + for i in range(n_tunnels // (addr_incr**2) + 1): + dut2_local_outbound_range = ip_network( + f"{ip_address(tunnel_ip1) + i*(addr_incr**3)}/8", False + ).with_prefixlen + dut2_remote_outbound_range = ip_network( + f"{ip_address(tunnel_ip2) + i*(addr_incr**3)}/8", False + ).with_prefixlen + + IPsecUtil.vpp_ipsec_add_spd_entry( + nodes["DUT2"], + spd_id, + p_hi, + PolicyAction.BYPASS, + inbound=False, + proto=50, + laddr_range=dut2_remote_outbound_range, + raddr_range=dut2_local_outbound_range, + ) + IPsecUtil.vpp_ipsec_add_spd_entry( + nodes["DUT2"], + spd_id, + p_hi, + PolicyAction.BYPASS, + inbound=True, + proto=50, + laddr_range=dut2_local_outbound_range, + raddr_range=dut2_remote_outbound_range, + ) + IPsecUtil.vpp_ipsec_add_sad_entries( - nodes[u"DUT2"], n_tunnels, sa_id_1, spi_1, crypto_alg, - crypto_key, integ_alg, integ_key, tunnel_ip1, tunnel_ip2, - tunnel_addr_incr + nodes["DUT2"], + n_tunnels, + sa_id_1, + spi_1, + crypto_alg, + crypto_key, + integ_alg, + integ_key, + tunnel_ip1, + tunnel_ip2, + tunnel_addr_incr, ) IPsecUtil.vpp_ipsec_add_spd_entries( - nodes[u"DUT2"], n_tunnels, spd_id, + nodes["DUT2"], + n_tunnels, + spd_id, priority=ObjIncrement(p_lo, 0), - action=PolicyAction.PROTECT, inbound=True, + action=PolicyAction.PROTECT, + inbound=True, sa_id=ObjIncrement(sa_id_1, 1), - raddr_range=NetworkIncrement(ip_network(raddr_ip2)) + raddr_range=NetworkIncrement(ip_network(raddr_ip2)), ) IPsecUtil.vpp_ipsec_add_sad_entries( - nodes[u"DUT2"], n_tunnels, sa_id_2, spi_2, crypto_alg, - crypto_key, integ_alg, integ_key, tunnel_ip2, tunnel_ip1, - tunnel_addr_incr + nodes["DUT2"], + n_tunnels, + sa_id_2, + spi_2, + crypto_alg, + crypto_key, + integ_alg, + integ_key, + tunnel_ip2, + tunnel_ip1, + tunnel_addr_incr, ) IPsecUtil.vpp_ipsec_add_spd_entries( - nodes[u"DUT2"], n_tunnels, spd_id, + nodes["DUT2"], + n_tunnels, + spd_id, priority=ObjIncrement(p_lo, 0), - action=PolicyAction.PROTECT, inbound=False, + action=PolicyAction.PROTECT, + inbound=False, sa_id=ObjIncrement(sa_id_2, 1), - raddr_range=NetworkIncrement(ip_network(raddr_ip1)) + raddr_range=NetworkIncrement(ip_network(raddr_ip1)), ) @staticmethod @@ -2269,7 +2249,7 @@ class IPsecUtil: :param node: Node to run command on. :type node: dict """ - PapiSocketExecutor.run_cli_cmd(node, u"show ipsec all") + PapiSocketExecutor.run_cli_cmd(node, "show ipsec all") @staticmethod def show_ipsec_security_association(node): @@ -2278,29 +2258,29 @@ class IPsecUtil: :param node: DUT node. :type node: dict """ - cmds = [ - u"ipsec_sa_v3_dump" - ] - PapiSocketExecutor.dump_and_log(node, cmds) + cmd = "ipsec_sa_v5_dump" + PapiSocketExecutor.dump_and_log(node, [cmd]) @staticmethod - def vpp_ipsec_flow_enale_rss(node, proto, type, function="default"): + def vpp_ipsec_flow_enable_rss(node, proto, rss_type, function="default"): """Ipsec flow enable rss action. :param node: DUT node. :param proto: The flow protocol. - :param type: RSS type. + :param rss_type: RSS type. :param function: RSS function. :type node: dict :type proto: str - :type type: str + :type rss_type: str :type function: str :returns: flow_index. """ # TODO: to be fixed to use full PAPI when it is ready in VPP - cmd = f"test flow add src-ip any proto {proto} rss function " \ - f"{function} rss types {type}" + cmd = ( + f"test flow add src-ip any proto {proto} rss function" + f" {function} rss types {rss_type}" + ) stdout = PapiSocketExecutor.run_cli_cmd(node, cmd) flow_index = stdout.split()[1] @@ -2308,7 +2288,8 @@ class IPsecUtil: @staticmethod def vpp_create_ipsec_flows_on_dut( - node, n_flows, rx_queues, spi_start, interface): + node, n_flows, rx_queues, spi_start, interface + ): """Create mutiple ipsec flows and enable flows onto interface. :param node: DUT node. @@ -2326,9 +2307,9 @@ class IPsecUtil: """ for i in range(0, n_flows): - rx_queue = i%rx_queues - + rx_queue = i % rx_queues spi = spi_start + i flow_index = FlowUtil.vpp_create_ip4_ipsec_flow( - node, "ESP", spi, "redirect-to-queue", value=rx_queue) + node, "ESP", spi, "redirect-to-queue", value=rx_queue + ) FlowUtil.vpp_flow_enable(node, interface, flow_index) |