aboutsummaryrefslogtreecommitdiffstats
path: root/resources/traffic_scripts/ipsec.py
diff options
context:
space:
mode:
Diffstat (limited to 'resources/traffic_scripts/ipsec.py')
-rwxr-xr-xresources/traffic_scripts/ipsec.py207
1 files changed, 107 insertions, 100 deletions
diff --git a/resources/traffic_scripts/ipsec.py b/resources/traffic_scripts/ipsec.py
index 1561738c60..b853b6c09f 100755
--- a/resources/traffic_scripts/ipsec.py
+++ b/resources/traffic_scripts/ipsec.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python
-# Copyright (c) 2016 Cisco and/or its affiliates.
+# Copyright (c) 2019 Cisco and/or its affiliates.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at:
@@ -23,9 +23,8 @@ import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import Ether
-from scapy.layers.inet import ICMP, IP
+from scapy.layers.inet import IP
from scapy.layers.inet6 import IPv6, ICMPv6ND_NS
-from scapy.layers.inet6 import ICMPv6EchoRequest, ICMPv6EchoReply
from scapy.layers.ipsec import SecurityAssociation, ESP
from ipaddress import ip_address
@@ -33,114 +32,113 @@ from resources.libraries.python.TrafficScriptArg import TrafficScriptArg
from resources.libraries.python.PacketVerifier import RxQueue, TxQueue
-def check_ipv4(pkt_recv, dst_tun, src_ip, dst_ip, sa_in):
- """Check received IPv4 IPsec packet.
+def check_ipsec(pkt_recv, ip_layer, dst_tun, src_ip, dst_ip, sa_in):
+ """Check received IPsec packet.
:param pkt_recv: Received packet to verify.
+ :param ip_layer: Scapy IP layer.
:param dst_tun: IPsec tunnel destination address.
- :param src_ip: Source address of original IPv4 packet.
- :param dst_ip: Destination address of original IPv4 packet.
+ :param src_ip: Source IP/IPv6 address of original IP/IPv6 packet.
+ :param dst_ip: Destination IP/IPv6 address of original IP/IPv6 packet.
:param sa_in: IPsec SA for packet decryption.
:type pkt_recv: scapy.Ether
+ :type ip_layer: scapy.layers.inet.IP or scapy.layers.inet6.IPv6
:type dst_tun: str
:type src_ip: str
:type dst_ip: str
:type sa_in: scapy.layers.ipsec.SecurityAssociation
:raises RuntimeError: If received packet is invalid.
"""
- if not pkt_recv.haslayer(IP):
- raise RuntimeError(
- 'Not an IPv4 packet received: {0}'.format(pkt_recv.__repr__()))
+ if not pkt_recv.haslayer(ip_layer):
+ raise RuntimeError('Not an {ip} packet received: {pkt}'.format(
+ ip=ip_layer.name, pkt=pkt_recv.__repr__()))
- if pkt_recv['IP'].dst != dst_tun:
+ if pkt_recv[ip_layer.name].dst != dst_tun:
raise RuntimeError(
- 'Received packet has invalid destination address: {0} '
- 'should be: {1}'.format(pkt_recv['IP'].dst, dst_tun))
+ 'Received packet has invalid destination address: {rec_ip} '
+ 'should be: {exp_ip}'.format(
+ rec_ip=pkt_recv[ip_layer.name].dst, exp_ip=dst_tun))
if not pkt_recv.haslayer(ESP):
raise RuntimeError(
- 'Not an ESP packet received: {0}'.format(pkt_recv.__repr__()))
+ 'Not an ESP packet received: {pkt}'.format(pkt=pkt_recv.__repr__()))
- ip_pkt = pkt_recv[IP]
+ ip_pkt = pkt_recv[ip_layer]
d_pkt = sa_in.decrypt(ip_pkt)
- if d_pkt[IP].dst != dst_ip:
+ if d_pkt[ip_layer].dst != dst_ip:
raise RuntimeError(
- 'Decrypted packet has invalid destination address: {0} '
- 'should be: {1}'.format(d_pkt['IP'].dst, dst_ip))
+ 'Decrypted packet has invalid destination address: {rec_ip} '
+ 'should be: {exp_ip}'.format(
+ rec_ip=d_pkt[ip_layer].dst, exp_ip=dst_ip))
- if d_pkt[IP].src != src_ip:
+ if d_pkt[ip_layer].src != src_ip:
raise RuntimeError(
- 'Decrypted packet has invalid source address: {0} should be: {1}'
- .format(d_pkt['IP'].src, src_ip))
+ 'Decrypted packet has invalid source address: {rec_ip} should be: '
+ '{exp_ip}'.format(rec_ip=d_pkt[ip_layer].src, exp_ip=src_ip))
- if not d_pkt.haslayer(ICMP):
+ if ip_layer == IP and d_pkt[ip_layer.name].proto != 61:
raise RuntimeError(
- 'Decrypted packet does not have ICMP layer: {0}'.format(
- d_pkt.__repr__()))
+ 'Decrypted packet has invalid IP protocol: {rec_proto} '
+ 'should be: 61'.format(rec_proto=d_pkt[ip_layer.name].proto))
-def check_ipv6(pkt_recv, dst_tun, src_ip, dst_ip, sa_in):
- """Check received IPv6 IPsec packet.
+def check_ip(pkt_recv, ip_layer, src_ip, dst_ip):
+ """Check received IP/IPv6 packet.
:param pkt_recv: Received packet to verify.
- :param dst_tun: IPsec tunnel destination address.
- :param src_ip: Source address of original IPv6 packet.
- :param dst_ip: Destination address of original IPv6 packet.
- :param sa_in: IPsec SA for packet decryption.
+ :param ip_layer: Scapy IP layer.
+ :param src_ip: Source IP/IPv6 address.
+ :param dst_ip: Destination IP/IPv6 address.
:type pkt_recv: scapy.Ether
- :type dst_tun: str
+ :type ip_layer: scapy.layers.inet.IP or scapy.layers.inet6.IPv6
:type src_ip: str
:type dst_ip: str
- :type sa_in: scapy.layers.ipsec.SecurityAssociation
:raises RuntimeError: If received packet is invalid.
"""
- if not pkt_recv.haslayer(IPv6):
- raise RuntimeError(
- 'Not an IPv6 packet received: {0}'.format(pkt_recv.__repr__()))
-
- if pkt_recv[IPv6].dst != dst_tun:
- raise RuntimeError(
- 'Received packet has invalid destination address: {0} '
- 'should be: {1}'.format(pkt_recv['IPv6'].dst, dst_tun))
+ if not pkt_recv.haslayer(ip_layer):
+ raise RuntimeError('Not an {ip} packet received: {pkt}'.format(
+ ip=ip_layer.name, pkt=pkt_recv.__repr__()))
- if not pkt_recv.haslayer(ESP):
- raise RuntimeError(
- 'Not an ESP packet received: {0}'.format(pkt_recv.__repr__()))
-
- ip_pkt = pkt_recv[IPv6]
- d_pkt = sa_in.decrypt(ip_pkt)
-
- if d_pkt[IPv6].dst != dst_ip:
+ if pkt_recv[ip_layer.name].dst != dst_ip:
raise RuntimeError(
- 'Decrypted packet has invalid destination address {0}: '
- 'should be: {1}'.format(d_pkt['IPv6'].dst, dst_ip))
+ 'Received packet has invalid destination address: {rec_ip} '
+ 'should be: {exp_ip}'.format(
+ rec_ip=pkt_recv[ip_layer.name].dst, exp_ip=dst_ip))
- if d_pkt[IPv6].src != src_ip:
+ if pkt_recv[ip_layer.name].src != src_ip:
raise RuntimeError(
- 'Decrypted packet has invalid source address: {0} should be: {1}'
- .format(d_pkt['IPv6'].src, src_ip))
+ 'Received packet has invalid destination address: {rec_ip} '
+ 'should be: {exp_ip}'.format(
+ rec_ip=pkt_recv[ip_layer.name].dst, exp_ip=src_ip))
- if not d_pkt.haslayer(ICMPv6EchoReply):
+ if ip_layer == IP and pkt_recv[ip_layer.name].proto != 61:
raise RuntimeError(
- 'Decrypted packet does not have ICMP layer: {0}'.format(
- d_pkt.__repr__()))
+ 'Received packet has invalid IP protocol: {rec_proto} '
+ 'should be: 61'.format(rec_proto=pkt_recv[ip_layer.name].proto))
# pylint: disable=too-many-locals
# pylint: disable=too-many-statements
def main():
"""Send and receive IPsec packet."""
- args = TrafficScriptArg(['src_mac', 'dst_mac', 'src_ip', 'dst_ip',
- 'crypto_alg', 'crypto_key', 'integ_alg',
- 'integ_key', 'l_spi', 'r_spi'],
- ['src_tun', 'dst_tun'])
-
- rxq = RxQueue(args.get_arg('rx_if'))
- txq = TxQueue(args.get_arg('tx_if'))
- src_mac = args.get_arg('src_mac')
- dst_mac = args.get_arg('dst_mac')
+ args = TrafficScriptArg(
+ ['tx_src_mac', 'tx_dst_mac', 'rx_src_mac', 'rx_dst_mac', 'src_ip',
+ 'dst_ip','crypto_alg', 'crypto_key', 'integ_alg', 'integ_key',
+ 'l_spi', 'r_spi'],
+ ['src_tun', 'dst_tun']
+ )
+
+ tx_txq = TxQueue(args.get_arg('tx_if'))
+ tx_rxq = RxQueue(args.get_arg('tx_if'))
+ rx_txq = TxQueue(args.get_arg('rx_if'))
+ rx_rxq = RxQueue(args.get_arg('rx_if'))
+
+ tx_src_mac = args.get_arg('tx_src_mac')
+ tx_dst_mac = args.get_arg('tx_dst_mac')
+ rx_src_mac = args.get_arg('rx_src_mac')
+ rx_dst_mac = args.get_arg('rx_dst_mac')
src_ip = args.get_arg('src_ip')
dst_ip = args.get_arg('dst_ip')
crypto_alg = args.get_arg('crypto_alg')
@@ -152,23 +150,18 @@ def main():
src_tun = args.get_arg('src_tun')
dst_tun = args.get_arg('dst_tun')
- is_ipv4 = True
- if 6 == ip_address(unicode(src_ip)).version:
- is_ipv4 = False
+ if ip_address(unicode(src_ip)).version == 6:
+ ip_layer = IPv6
+ else:
+ ip_layer = IP
- tunnel_out = None
- tunnel_in = None
+ tunnel_out = ip_layer(src=src_tun, dst=dst_tun) if src_tun and dst_tun \
+ else None
+ tunnel_in = ip_layer(src=dst_tun, dst=src_tun) if src_tun and dst_tun \
+ else None
- if src_tun and dst_tun:
- if is_ipv4:
- tunnel_out = IP(src=src_tun, dst=dst_tun)
- tunnel_in = IP(src=dst_tun, dst=src_tun)
- else:
- tunnel_out = IPv6(src=src_tun, dst=dst_tun)
- tunnel_in = IPv6(src=dst_tun, dst=src_tun)
- else:
+ if not (src_tun and dst_tun):
src_tun = src_ip
- dst_tun = dst_ip
sa_in = SecurityAssociation(ESP, spi=r_spi, crypt_algo=crypto_alg,
crypt_key=crypto_key, auth_algo=integ_alg,
@@ -178,41 +171,55 @@ def main():
crypt_key=crypto_key, auth_algo=integ_alg,
auth_key=integ_key, tunnel_header=tunnel_out)
- sent_packets = []
-
- if is_ipv4:
- ip_pkt = (IP(src=src_ip, dst=dst_ip) /
- ICMP())
- ip_pkt = IP(str(ip_pkt))
- else:
- ip_pkt = (IPv6(src=src_ip, dst=dst_ip) /
- ICMPv6EchoRequest())
- ip_pkt = IPv6(str(ip_pkt))
+ ip_pkt = ip_layer(src=src_ip, dst=dst_ip, proto=61) if ip_layer == IP \
+ else ip_layer(src=src_ip, dst=dst_ip)
+ ip_pkt = ip_layer(str(ip_pkt))
e_pkt = sa_out.encrypt(ip_pkt)
- pkt_send = (Ether(src=src_mac, dst=dst_mac) /
- e_pkt)
+ tx_pkt_send = (Ether(src=tx_src_mac, dst=tx_dst_mac) /
+ e_pkt)
+
+ sent_packets = list()
+ sent_packets.append(tx_pkt_send)
+ tx_txq.send(tx_pkt_send)
+
+ while True:
+ rx_pkt_recv = rx_rxq.recv(2)
+
+ if rx_pkt_recv is None:
+ raise RuntimeError(
+ '{ip} packet Rx timeout'.format(ip=ip_layer.name))
+
+ if rx_pkt_recv.haslayer(ICMPv6ND_NS):
+ # read another packet in the queue if the current one is ICMPv6ND_NS
+ continue
+ else:
+ # otherwise process the current packet
+ break
+
+ check_ip(rx_pkt_recv, ip_layer, src_ip, dst_ip)
- sent_packets.append(pkt_send)
- txq.send(pkt_send)
+ rx_ip_pkt = ip_layer(src=dst_ip, dst=src_ip, proto=61) if ip_layer == IP \
+ else ip_layer(src=dst_ip, dst=src_ip)
+ rx_pkt_send = (Ether(src=rx_dst_mac, dst=rx_src_mac) /
+ rx_ip_pkt)
+
+ rx_txq.send(rx_pkt_send)
while True:
- pkt_recv = rxq.recv(2, sent_packets)
+ tx_pkt_recv = tx_rxq.recv(2, sent_packets)
- if pkt_recv is None:
+ if tx_pkt_recv is None:
raise RuntimeError('ESP packet Rx timeout')
- if pkt_recv.haslayer(ICMPv6ND_NS):
+ if rx_pkt_recv.haslayer(ICMPv6ND_NS):
# read another packet in the queue if the current one is ICMPv6ND_NS
continue
else:
# otherwise process the current packet
break
- if is_ipv4:
- check_ipv4(pkt_recv, src_tun, dst_ip, src_ip, sa_in)
- else:
- check_ipv6(pkt_recv, src_tun, dst_ip, src_ip, sa_in)
+ check_ipsec(tx_pkt_recv, ip_layer, src_tun, dst_ip, src_ip, sa_in)
sys.exit(0)