aboutsummaryrefslogtreecommitdiffstats
path: root/resources/libraries/python/IPsecUtil.py
AgeCommit message (Collapse)AuthorFilesLines
2021-06-10FIX: Pylint reducepmikus1-6/+6
Signed-off-by: pmikus <pmikus@cisco.com> Change-Id: I909942dbb920df7f0fe15c0c92cda92c3cd8d8ad
2021-04-01IPsec: add 4, 40 and 400 tunnel policy testsJuraj Linkeš1-0/+2
Add more granularity test policy tests. Mirror the number of tunnels in other IPsec tests under 1000 tunnels. Change-Id: I9bde7447a5d809bab05db132bf6cb524e97e19b3 Signed-off-by: Juraj Linkeš <juraj.linkes@pantheon.tech>
2021-03-31IPsec: add 2n crypto policy udir perf testsJuraj Linkeš1-35/+65
Add 2n1l udir 1 and 1000 tunnel sw policy IPsec tests to mirror the existing 3n tests. Add static ip neighbor mac entries which can't be retrieved in 2node setups. Change-Id: I13dd557cbeed7f907fa9b4c21e4e245d48916513 Signed-off-by: Juraj Linkeš <juraj.linkes@pantheon.tech>
2021-03-17IPsec: fix SA policy cliJuraj Linkeš1-2/+2
The tunnel specification in "ipsec sa add" has changed. Update the cli the reflect this. Change-Id: I11d788798419b96b1289c53052eedb9767252df6 Signed-off-by: Juraj Linkeš <juraj.linkes@pantheon.tech>
2021-02-22Ipsec: Always generate ikeyVratko Polak1-43/+67
Some tests use a crypto algorithm with no integrity algorithm. Generate empty binary strings as fake integrity keys to keep return values of low level methods consistent. + Add return_keys argument to avoid returning long lists. + Improve various docstrings. Change-Id: Idae1877bdde32d194ce4e3bb3053c8dba39d377a Signed-off-by: Vratko Polak <vrpolak@cisco.com>
2021-02-19Add test suites for crypto sw scheduler engineYulong Pei1-0/+24
This patch is to add test suites for vpp plugin crypto_sw_scheduler, IPsec sync mode is to do crypto and packet forward work in same worker cores, crypto_sw_scheduler can schedule crypto work to other async crypto cores to improve whole crypto processing capability. This test suites configure fixed 1 rx queues per port, then measure IPsec performance with 1, 2, 3 crypto cores. This patchset include 1, 2, 4, 8 ipsec tunnels test cases. +Vratko help to change to count total physical cores instead of previous only count crypto cores in test cases. Change-Id: I0e67182e3d13273890a23703d838101900e25126 Signed-off-by: Yulong Pei <yulong.pei@intel.com> Signed-off-by: Vratko Polak <vrpolak@cisco.com> Signed-off-by: pmikus <pmikus@cisco.com>
2021-02-19API: Use newer messagesVratko Polak1-5/+15
The mesages are the newest present in last common ancestor of master and rls2101 (so not yet ipsec_sad_entry_add_del_v3). Added a TODO for the RDMA create improvement, to be implemented in a separate change. Change-Id: I94bcd2f1bc109fb995c4dd6df44f8928865634f5 Signed-off-by: Vratko Polak <vrpolak@cisco.com>
2020-12-16API: deprecated IPSEC APIsJan Gelety1-111/+352
Jira: CSIT-1597 + add ipsec_sa tear down action Change-Id: I4d1e6f26c14e61e8ddc6f29fbf5528a034c84eb0 Signed-off-by: Jan Gelety <jgelety@cisco.com>
2020-09-11Add ipsec async mode performance test casesYulong Pei1-0/+19
In VPP 20.05, vpp added async crypto engine that support to use QAT hardware to do encryption and decryption, vnet/ipsec enabled async mode to use async crypto engine. Current async crypto engine also use dpdk_cryptodev as async handlers, in the future it may add other native QAT driver as async handlers. Note that async crypto engine is to support vnet/ipsec, it is different with current existing dpdk backend which itself has ESP implementation in plugins/dpdk/ipsec. Change-Id: I4e6eaa7ca1eddb8b1c45212de0684fb26907119b Signed-off-by: Yulong Pei <yulong.pei@intel.com>
2020-05-11CSIT-1597 API cleanup: ipsecJan Gelety1-2/+6
- cover API changes in VPP: https://gerrit.fd.io/r/c/vpp/+/26276 - update vpp stable to version 20.05-rc0~727 Change-Id: I39a0b5e60fac6a74aff2426f6a448c0e117ab647 Signed-off-by: Jan Gelety <jgelety@cisco.com>
2020-04-17VPP-DEV API Coverages: IPSEC interfaceJan Gelety1-315/+575
+ some pylint fixies Change-Id: I650ce16282ae953a1a5ee96e810702c01f71efd6 Signed-off-by: Jan Gelety <jgelety@cisco.com>
2020-03-13Use separate module for ip address objectJan Gelety1-16/+17
Reason: with upcomming vpp api changes the ip object will be used in more csit python libraries, e.g. InterfaceUtil.py, so we need to avoid circular import issue (e.g. InterfaceUtil.pyu <-> IPUtil.py) Change-Id: Ia658b187d4e326f58e33019dd54f8ac7b9137d78 Signed-off-by: Jan Gelety <jgelety@cisco.com>
2020-03-10CSIT-1597 API cleanup: ipsecJan Gelety1-16/+16
- cover API changes in VPP: https://gerrit.fd.io/r/c/vpp/+/25529 - update vpp stable to version 20.05-rc0~312-g287d5e109 Change-Id: I6c7b3520f4bb306c3b0b59247b4ba2d5f170686c Signed-off-by: Jan Gelety <jgelety@cisco.com>
2020-02-04Add more reconf tests, for IPsecVratko Polak1-100/+119
- Not adding nf_density tests. - Not adding hardware ipsec tests. - Not adding -policy- tests. - Using old crypto_ia32_plugin.so plugin name. + Suitable for cherry-picking to rls2001. Change-Id: Ibf44d6d91e2afa2320637ecd9eb69d5d5dc364aa Signed-off-by: Vratko Polak <vrpolak@cisco.com>
2020-01-13FIX: NF_density testsPeter Mikus1-2/+2
+ Because arp->neigbor was so important to do. Signed-off-by: Peter Mikus <pmikus@cisco.com> Change-Id: I552e175b7555ebf5053d7994c0c9173c0c96fc58
2019-12-11Introduce VPP-IPsec container tests.Ludovit Mikula1-2/+155
Change-Id: Ie64d662e81879bd52785e0188450d998bf056bda Signed-off-by: Ludovit Mikula <ludovit.mikula@pantheon.tech>
2019-11-30FIX: ip route config for ipsec via VATJan Gelety1-13/+1
Change-Id: Ibf1979b87aeea0f4c195b97c8e6b59a4a23b1b77 Signed-off-by: Jan Gelety <jgelety@cisco.com>
2019-11-30FIX: IPsec naming creationPeter Mikus1-8/+10
Change-Id: I066a8b85649654c1c575eb63722de6c51f3d4f78 Signed-off-by: Peter Mikus <pmikus@cisco.com>
2019-11-28Python3: resources and librariesJan Gelety1-400/+379
Change-Id: I1392c06b1d64f62b141d24c0d42a8e36913b15e2 Signed-off-by: Jan Gelety <jgelety@cisco.com>
2019-11-14FIX: Ipsec perfPeter Mikus1-0/+19
Signed-off-by: Peter Mikus <pmikus@cisco.com> Change-Id: I6e3ce086978c383303724d989702b1c1273c50c0
2019-08-20Interface API cleanupJan Gelety1-28/+28
CSIT code alignment with API changes in VPP introduced by patch https://gerrit.fd.io/r/c/vpp/+/18361 Change-Id: Ib0357bba79f55d297ef1086fbf3b760caca16cdb Signed-off-by: Jan Gelety <jgelety@cisco.com> Signed-off-by: Vratko Polak <vrpolak@cisco.com>
2019-08-07FIX: IPsecUtil - create IP object separately in ever iterationJan Gelety1-33/+24
- if we are trying to update ip field of already existing IP object in more iterations of e.g. ip_route_add_del the PapiExecutor uses value from last iteration for all iterations so it ends up in creation of ip route only for one IP not for all required IPs Change-Id: I5ffa622e2a06d0c5c71720d2cf743a4c2104ab79 Signed-off-by: Jan Gelety <jgelety@cisco.com>
2019-07-26FIX: IPsec UtilPeter Mikus1-25/+4
Because: >>> for i in xrange(4): ... if i > 0 and i % 250 / 3 == 0: ... i ... 1 2 Change-Id: Ia4eba227ea1e4c6222f32ac598f254428d95adc9 Signed-off-by: Peter Mikus <pmikus@cisco.com>
2019-07-23Add scale ipsec tunnel tests 40K, 60KPeter Mikus1-4/+8
Change-Id: Iecfd7e69a72c8d5893a703fa93439cde0a3edf5f Signed-off-by: Peter Mikus <pmikus@cisco.com>
2019-07-11CSIT-1469: Migrate IPsecUtil library from VAT to PAPIJan Gelety1-340/+775
Change-Id: Iac790bf5755a70697e4c4eff32242b04f8e7f789 Signed-off-by: Jan Gelety <jgelety@cisco.com>
2019-07-17Use PapiSocketProvider for most PAPI callsVratko Polak1-3/+3
Ticket: CSIT-1541 Ticket: VPP-1722 Ticket: CSIT-1546 + Increase timeout to hide x520 slownes of show hardware detail. - Install sshpass and update ssh client in virl bootstrap. + Added TODOs to remove when CSIT-1546 is fixed. + Enable default socksvr on any startup conf. + Improve OptionString init and repr. - The non-socket executor still kept for stats. + Remove everything unrelated to stats from non-socket executor. - Remove some debug-loooking calls to avoid failures. TODO: Introduce proper parsing to the affected keywords. + Reduce logging from PAPI code to level INFO. - Needs https://gerrit.fd.io/r/20660 to fully work. + Change default values for LocalExecution.run() + Return code check enabled by default. Code is more readable when rc!=0 is allowed explicitly, and the test code will now detect unexpected failures. + Logging disabled by default. Output XML is large already. Important logging can be enabled explicitly. + Restore alphabetical order in common.sh functions. Change-Id: I05882cb6b620ad14638f7404b5ad38c7a5de9e6c Signed-off-by: Vratko Polak <vrpolak@cisco.com>
2019-07-12PapiExecutor always verifiesVratko Polak1-8/+2
Do not support returning unverified replies anymore. Basically, ".get_replies().verify_replies()" is now just ".get_replies()". This allows fairly large simplifications both at call sites and in PapiExecutor.py + Rename get_dumps to get_details. + Introduce get_reply and get_sw_if_index. + Rename variables holding get_*() value, + e.g. get_stats() value is stored to variable named "stats". + Rename "item" of subsequent loop to hint the type instead. + Rename "details" function argument to "verbose". + Process reply details in place, instead of building new list. - Except hybrid blocks which can return both list or single item. - Except human readable text building blocks. + Rename most similar names to sw_if_index. - Except "vpp_sw_index" and some function names. + Use single run_cli_cmd from PapiExecutor. + Do not chain methods over multiple lines. + Small space gain is not worth readability loss. + Include minor code and docstrings improvement. + Add some TODOs. Change-Id: Ib2110a3d2101a74d5837baab3a58dc46aafc6ce3 Signed-off-by: Vratko Polak <vrpolak@cisco.com>
2019-07-10Fix few pylint violationsVratko Polak1-3/+1
+ Stop attempting to check test/ as module inits are not there. Change-Id: Ia4e498061be3e3118b07e98c9c2f761f2454653e Signed-off-by: Vratko Polak <vrpolak@cisco.com>
2019-07-09Add scale ipsec tunnel tests 20KPeter Mikus1-15/+28
Change-Id: Ib52e1735b6b82ea9fea44c06c379f117068e94c1 Signed-off-by: Peter Mikus <pmikus@cisco.com>
2019-06-14FIX: IPsec TNL modePeter Mikus1-32/+6
Change-Id: Ide82ae5fa03d3fec8f4db9db7634be0a1e339cd1 Signed-off-by: Peter Mikus <pmikus@cisco.com>
2019-06-14FIX: IPsec INT modePeter Mikus1-7/+4
Change-Id: I286490280b6e62f9f212831a5bf1d14db1838fa7 Signed-off-by: Peter Mikus <pmikus@cisco.com>
2019-06-05Even more Crypto combinationsPeter Mikus1-173/+250
Change-Id: I10eeb4ee30a57712824e68176d92d1ecb5f0d1b0 Signed-off-by: Peter Mikus <pmikus@cisco.com>
2019-05-23CSIT-1506: Rework IPsec base testcasesPeter Mikus1-11/+23
- Add: aes-128-gcm aes-128-gcm aes-256-gcm aes-256-gcm aes-128-cbc hmac-sha-256 aes-256-cbc hmac-sha-512 - Remove: hmac-sha1 - Scale will follow in next patch Change-Id: I789f71cf66cf61b8dbb3c6dbe9b6fdc79866ac33 Signed-off-by: Peter Mikus <pmikus@cisco.com>
2019-03-06CSIT-1450: PAPI executorVratko Polak1-58/+28
Change-Id: I4c756cc4b29901184594a728f6184c30cadd9c1a Signed-off-by: Vratko Polak <vrpolak@cisco.com>
2019-02-26FIX: ipsec + vpp stable version updateJan Gelety1-54/+54
- use exec ipsec sa add - use exec ipsec spd add - use exec set ipsec sa Change-Id: I69d59dd230b99d8efc9bcb5e3fbab79a8b11b18a Signed-off-by: Jan Gelety <jgelety@cisco.com>
2019-02-06FIX: Set ipsec backend to dpdk backend when aes-gcm cipher usedJan Gelety1-15/+121
Change-Id: I008b9e0fd62cdc8e29136930762bd7412bd50181 Signed-off-by: Jan Gelety <jgelety@cisco.com> (cherry picked from commit 2230a8ab108fa114752decfc69321ec5a47f36a6)
2018-04-25Fix warnings reported by gen_doc.shVratko Polak1-26/+26
+ Docstring warnings fixed. + Multiline param descriptions indented by 4 spaces. - Except the PacketVerifier.py one - I have tried several quote-like blocks, nothing works. - Rst warnings not fixed. - How can I fix them? They refer to temporarily created files. + Other improvements: + Python lines no longer than 80 characters. + :return: -> :returns: + Notes before params. + :raises + closing colon after exception class. + Description is a sentence. + Present tense in conditional sentences. + Bumped copyright year in edited files. Change-Id: I462c194eeecb666dc146e26858486a07c990be9b Signed-off-by: Vratko Polak <vrpolak@cisco.com>
2018-04-10FIX: Crypto execution orderPeter Mikus1-51/+79
Currently, VAT history looks like this: sw_interface_set_flags sw_if_index 2 admin-up sw_interface_set_flags sw_if_index 1 admin-up sw_interface_dump sw_interface_set_flags sw_if_index 2 admin-up sw_interface_set_flags sw_if_index 1 admin-up sw_interface_add_del_address sw_if_index 2 192.168.10.1/24 sw_interface_add_del_address sw_if_index 1 172.168.1.1/24 ip_neighbor_add_del sw_if_index 2 dst 192.168.10.2 mac 68:05:ca:3a:af:40 ip_neighbor_add_del sw_if_index 1 dst 172.168.1.2 mac 68:05:ca:35:78:e9 ip_add_del_route 10.0.0.0/8 via 192.168.10.2 sw_if_index 2 resolve-attempts 10 count 1 exec exec /tmp/ipsec_create_tunnel_dut1.config It should be like this: sw_interface_add_del_address sw_if_index 2 192.168.10.1/24 sw_interface_add_del_address sw_if_index 1 172.168.1.1/24 ip_neighbor_add_del sw_if_index 2 dst 192.168.10.2 mac 68:05:ca:3a:af:40 ip_neighbor_add_del sw_if_index 1 dst 172.168.1.2 mac 68:05:ca:35:78:e9 ip_add_del_route 10.0.0.0/8 via 192.168.10.2 sw_if_index 2 resolve-attempts 10 count 1 exec exec /tmp/ipsec_create_tunnel_dut1.config sw_interface_set_flags sw_if_index 2 admin-up sw_interface_set_flags sw_if_index 1 admin-up Change-Id: I4e943436dee00166966b4f53d9d0a40440bbf1e4 Signed-off-by: Peter Mikus <pmikus@cisco.com>
2017-10-23FIX: IPSec tunnel interfaceJan Gelety1-3/+16
- add following line per interface tunnel: set int unnum <ipsec> use <interface> Change-Id: Iff75f27b7cf25f3d24eea92366b1fd4a718c253b Signed-off-by: Jan Gelety <jgelety@cisco.com>
2017-04-10IPsec Multi-Tunnel performance test suiteKirill Rybalchenko1-10/+321
Change-Id: I4b0ba83960e50089f29cab9a30ab760241c6f566 Signed-off-by: Kirill Rybalchenko <kirill.rybalchenko@intel.com>
2016-12-16Pylint fixesTibor Frank1-18/+14
- Fix PyLint errors - Fix comments in touched python modules Change-Id: I26db2d292a41969cf38b9b0bdd49c4fb15349102 Signed-off-by: Tibor Frank <tifrank@cisco.com>
2016-10-31CSIT-385 CSIT-386 IPv4/IPv6 IPsec testsPatrik Hrnciar1-0/+24
- encryption/integrity key update tests Change-Id: Iddbe35e2f421b5048e60663bff2b0bf1968a9782 Signed-off-by: Patrik Hrnciar <phrnciar@cisco.com> Signed-off-by: Matej Klotton <mklotton@cisco.com>
2016-09-12CSIT-383: IPSEC IPv4 negative test casesJan Gelety1-8/+6
- use integrity and/or encryption key(s) different from integrity and encryption keys stored on VPP node to create tx packet on TG Change-Id: I38bf7e1dd6f488e605bad991c7a7f4d1ff226e8c Signed-off-by: Jan Gelety <jgelety@cisco.com>
2016-08-25CSIT-28: IPSEC basic conectivity test - IPv4Jan Gelety1-1/+1
- use all supported encryption and integrity algorithms in tunnel mode and in transport mode Change-Id: I2ae395d88d514b2ca3f62ab9aecbb27d8fb827b0 Signed-off-by: Jan Gelety <jgelety@cisco.com>
2016-08-23Small fixies in IPSEC resourcesJan Gelety1-8/+6
Change-Id: I06e4000d93a86d885200ef1d0dd9b00e520ba77f Signed-off-by: Jan Gelety <jgelety@cisco.com>
2016-04-26Add IPsec utilities python libraryMatus Fabian1-0/+362
JIRA: CSIT-28 Change-Id: I9513f14a9920bfbdaf34c5cc5d4619d16a383ca2 Signed-off-by: Matus Fabian <matfabia@cisco.com>