aboutsummaryrefslogtreecommitdiffstats
path: root/resources/libraries/python/IPsecUtil.py
AgeCommit message (Collapse)AuthorFilesLines
2023-04-20Add 100k tunnels ipsec policy mode with fastpath enabled test suiteYulong Pei1-24/+39
Signed-off-by: xinfeng zhao <xinfengx.zhao@intel.com> Signed-off-by: Yulong Pei <yulong.pei@intel.com> Change-Id: I3708253adf4c7421ff48eee6aefb735b39726359
2023-04-18fix(api): bump messages to 23.02 usageVratko Polak1-2/+2
New features are generally not used in CSIT, but some edits in code are needed to continue using defaults. 3 messages have newer versions: * bridge_domain_add_del_v2 * ipsec_spd_entry_add_del_v2 * lb_add_del_vip_v2 Change-Id: Ibcc089ccbf933c019b5e7188c06ef229e68d39a8 Signed-off-by: Vratko Polak <vrpolak@cisco.com>
2023-01-16feat(papi): switch ipsec from vat to async papiVratko Polak1-345/+82
+ Move papi_exec resource out of for loops. Change-Id: I39d75ad2552986f82f7e2c8e3aae2fbc07f042e0 Signed-off-by: Vratko Polak <vrpolak@cisco.com>
2023-01-16feat(papi): add async mode, use it in scale callsVratko Polak1-7/+7
+ Introduce two explicit handling modes to save memory in scale test. + Connect in async mode for both handling modes (to avoid reconnects). + Support both pre- and post-37758 VPP PAPI async behavior. + Use control-ping in dumps to emulate sync mode. + Do not use it for single reply to avoid VPP-2033. + Fix call sites to get their replies with correct handling mode. + Drain enqueued replies to avoid subsequent errors. + Retry if read returns None too early. + Update docstrings. - Complexity issues reported by pylint postponed, needs larger refactor. - Explicit replace of VAT is done in subsequent changes. Ticket: CSIT-1547 CSIT-1671 Change-Id: I3c63fa5c578975cc4dd7fce0babe3ab04ec15ed3 Signed-off-by: Vratko Polak <vrpolak@cisco.com>
2022-08-18feat(papi): use newer API messagesVratko Polak1-21/+9
Updated for what is available in (last common ancestor of) 2206. (So newer messages such as ipsec_spd_entry_add_del_v2 are not used yet.) + Removed messgages documented as unused. - Did not check if more become unused. + Restored alphabetical order. Change-Id: I4191c3f8629106f52ce387d03f30f9f973ffbefe Signed-off-by: Vratko Polak <vrpolak@cisco.com>
2022-06-17Add ipsec policy test suites with flow director or rss acceleratedYulong Pei1-8/+72
The test scenario is about two private networks which communication was protected by ipsec. The test suites are to show performance impovement about ipsec esp flow lookup that offloaded by NIC flow director and rss. Verified on 3n-clx and Intel E810 NIC environment, with 64B ipsec packet flow, performance improved ~31% with 1C2T, ~110% with 2C4T, ~250% with 4C8T. Signed-off-by: xinfeng zhao <xinfengx.zhao@intel.com> Signed-off-by: Yulong Pei <yulong.pei@intel.com> Change-Id: I30aec8c5115e5a6fbef88c11d1bef2624029d1b9
2022-01-17fix(IPsec): fix policy testsJuraj Linkeš1-14/+35
Replace the hardcoded SPD inbound/outbound ranges with values derived from test inputs. Add the necessary routes now that the tunnel endpoints are not in the same subnet. Also add ip neighbor entry on DUT2 for the same reason. Also replace ipsec sa dump with show ipsec all in teardown of tests where both SAs and SPDs are configured to improve troubleshooting. Change-Id: I7d89a99fcf457a701c87bf6ac07364b62802677d Signed-off-by: Juraj Linkeš <juraj.linkes@pantheon.tech>
2021-10-08fix(Pylint): Small fixespmikus1-6/+8
+ Just few obvious one Signed-off-by: pmikus <pmikus@cisco.com> Change-Id: I9bbac293a56d6b2943bef03cb3b8943e967dae6b
2021-09-14API: Use newer message versionsVratko Polak1-33/+45
Based on latest common ancestor of master and stable/2106: 1372178e0e674143bfec14b17050d5e92e4fcf1a Only ipsec_sad_entry_add_del_v3 needs non-trivial argument edits. Change-Id: I813367292a830e5a1fac765e9f24057b6b0192ee Signed-off-by: Vratko Polak <vrpolak@cisco.com>
2021-08-20Improve NetworkIncrementVratko Polak1-8/+8
+ Set 1 as default value for increment. + Update IPsecUtil. + Tolerate address with host bits set when incrementing. + Call sites can check initial value on their own. + Support multiple ways of converting to string. - Only the previous "dash" format is supported here. + Update docstrings. Change-Id: I0c71a6327cca6a319715b3fcfbbee800cac14287 Signed-off-by: Vratko Polak <vrpolak@cisco.com>
2021-07-28IPsec: add nth matching SPD entry outbound TCsJuraj Linkeš1-101/+250
Add testcases with plain ipv4 forwarding with 1, 10, 100 and 1000 SPD entries on outbound traffic in both directions both directions. Only match the last SPD entry and process others before the matching entry. Add testcases only without flow cache optimization. Refactor the Python functions that add SPD entries: - Unify the args in functions that add one and multiple entries. - For multiple entries, add the ability to pass an object that will handle how values in each iteration (i.e. for each entry) are modified. Change-Id: I061922eec6acc75a4e115202c07e72d89bf1f4d3 Signed-off-by: Juraj Linkeš <juraj.linkes@pantheon.tech>
2021-06-17Core: Rework CPU allocationpmikus1-13/+44
Signed-off-by: pmikus <pmikus@cisco.com> Change-Id: I6826add7b3032041632c3952c45a3c64409400b0
2021-06-10FIX: Pylint reducepmikus1-6/+6
Signed-off-by: pmikus <pmikus@cisco.com> Change-Id: I909942dbb920df7f0fe15c0c92cda92c3cd8d8ad
2021-04-01IPsec: add 4, 40 and 400 tunnel policy testsJuraj Linkeš1-0/+2
Add more granularity test policy tests. Mirror the number of tunnels in other IPsec tests under 1000 tunnels. Change-Id: I9bde7447a5d809bab05db132bf6cb524e97e19b3 Signed-off-by: Juraj Linkeš <juraj.linkes@pantheon.tech>
2021-03-31IPsec: add 2n crypto policy udir perf testsJuraj Linkeš1-35/+65
Add 2n1l udir 1 and 1000 tunnel sw policy IPsec tests to mirror the existing 3n tests. Add static ip neighbor mac entries which can't be retrieved in 2node setups. Change-Id: I13dd557cbeed7f907fa9b4c21e4e245d48916513 Signed-off-by: Juraj Linkeš <juraj.linkes@pantheon.tech>
2021-03-17IPsec: fix SA policy cliJuraj Linkeš1-2/+2
The tunnel specification in "ipsec sa add" has changed. Update the cli the reflect this. Change-Id: I11d788798419b96b1289c53052eedb9767252df6 Signed-off-by: Juraj Linkeš <juraj.linkes@pantheon.tech>
2021-02-22Ipsec: Always generate ikeyVratko Polak1-43/+67
Some tests use a crypto algorithm with no integrity algorithm. Generate empty binary strings as fake integrity keys to keep return values of low level methods consistent. + Add return_keys argument to avoid returning long lists. + Improve various docstrings. Change-Id: Idae1877bdde32d194ce4e3bb3053c8dba39d377a Signed-off-by: Vratko Polak <vrpolak@cisco.com>
2021-02-19Add test suites for crypto sw scheduler engineYulong Pei1-0/+24
This patch is to add test suites for vpp plugin crypto_sw_scheduler, IPsec sync mode is to do crypto and packet forward work in same worker cores, crypto_sw_scheduler can schedule crypto work to other async crypto cores to improve whole crypto processing capability. This test suites configure fixed 1 rx queues per port, then measure IPsec performance with 1, 2, 3 crypto cores. This patchset include 1, 2, 4, 8 ipsec tunnels test cases. +Vratko help to change to count total physical cores instead of previous only count crypto cores in test cases. Change-Id: I0e67182e3d13273890a23703d838101900e25126 Signed-off-by: Yulong Pei <yulong.pei@intel.com> Signed-off-by: Vratko Polak <vrpolak@cisco.com> Signed-off-by: pmikus <pmikus@cisco.com>
2021-02-19API: Use newer messagesVratko Polak1-5/+15
The mesages are the newest present in last common ancestor of master and rls2101 (so not yet ipsec_sad_entry_add_del_v3). Added a TODO for the RDMA create improvement, to be implemented in a separate change. Change-Id: I94bcd2f1bc109fb995c4dd6df44f8928865634f5 Signed-off-by: Vratko Polak <vrpolak@cisco.com>
2020-12-16API: deprecated IPSEC APIsJan Gelety1-111/+352
Jira: CSIT-1597 + add ipsec_sa tear down action Change-Id: I4d1e6f26c14e61e8ddc6f29fbf5528a034c84eb0 Signed-off-by: Jan Gelety <jgelety@cisco.com>
2020-09-11Add ipsec async mode performance test casesYulong Pei1-0/+19
In VPP 20.05, vpp added async crypto engine that support to use QAT hardware to do encryption and decryption, vnet/ipsec enabled async mode to use async crypto engine. Current async crypto engine also use dpdk_cryptodev as async handlers, in the future it may add other native QAT driver as async handlers. Note that async crypto engine is to support vnet/ipsec, it is different with current existing dpdk backend which itself has ESP implementation in plugins/dpdk/ipsec. Change-Id: I4e6eaa7ca1eddb8b1c45212de0684fb26907119b Signed-off-by: Yulong Pei <yulong.pei@intel.com>
2020-05-11CSIT-1597 API cleanup: ipsecJan Gelety1-2/+6
- cover API changes in VPP: https://gerrit.fd.io/r/c/vpp/+/26276 - update vpp stable to version 20.05-rc0~727 Change-Id: I39a0b5e60fac6a74aff2426f6a448c0e117ab647 Signed-off-by: Jan Gelety <jgelety@cisco.com>
2020-04-17VPP-DEV API Coverages: IPSEC interfaceJan Gelety1-315/+575
+ some pylint fixies Change-Id: I650ce16282ae953a1a5ee96e810702c01f71efd6 Signed-off-by: Jan Gelety <jgelety@cisco.com>
2020-03-13Use separate module for ip address objectJan Gelety1-16/+17
Reason: with upcomming vpp api changes the ip object will be used in more csit python libraries, e.g. InterfaceUtil.py, so we need to avoid circular import issue (e.g. InterfaceUtil.pyu <-> IPUtil.py) Change-Id: Ia658b187d4e326f58e33019dd54f8ac7b9137d78 Signed-off-by: Jan Gelety <jgelety@cisco.com>
2020-03-10CSIT-1597 API cleanup: ipsecJan Gelety1-16/+16
- cover API changes in VPP: https://gerrit.fd.io/r/c/vpp/+/25529 - update vpp stable to version 20.05-rc0~312-g287d5e109 Change-Id: I6c7b3520f4bb306c3b0b59247b4ba2d5f170686c Signed-off-by: Jan Gelety <jgelety@cisco.com>
2020-02-04Add more reconf tests, for IPsecVratko Polak1-100/+119
- Not adding nf_density tests. - Not adding hardware ipsec tests. - Not adding -policy- tests. - Using old crypto_ia32_plugin.so plugin name. + Suitable for cherry-picking to rls2001. Change-Id: Ibf44d6d91e2afa2320637ecd9eb69d5d5dc364aa Signed-off-by: Vratko Polak <vrpolak@cisco.com>
2020-01-13FIX: NF_density testsPeter Mikus1-2/+2
+ Because arp->neigbor was so important to do. Signed-off-by: Peter Mikus <pmikus@cisco.com> Change-Id: I552e175b7555ebf5053d7994c0c9173c0c96fc58
2019-12-11Introduce VPP-IPsec container tests.Ludovit Mikula1-2/+155
Change-Id: Ie64d662e81879bd52785e0188450d998bf056bda Signed-off-by: Ludovit Mikula <ludovit.mikula@pantheon.tech>
2019-11-30FIX: ip route config for ipsec via VATJan Gelety1-13/+1
Change-Id: Ibf1979b87aeea0f4c195b97c8e6b59a4a23b1b77 Signed-off-by: Jan Gelety <jgelety@cisco.com>
2019-11-30FIX: IPsec naming creationPeter Mikus1-8/+10
Change-Id: I066a8b85649654c1c575eb63722de6c51f3d4f78 Signed-off-by: Peter Mikus <pmikus@cisco.com>
2019-11-28Python3: resources and librariesJan Gelety1-400/+379
Change-Id: I1392c06b1d64f62b141d24c0d42a8e36913b15e2 Signed-off-by: Jan Gelety <jgelety@cisco.com>
2019-11-14FIX: Ipsec perfPeter Mikus1-0/+19
Signed-off-by: Peter Mikus <pmikus@cisco.com> Change-Id: I6e3ce086978c383303724d989702b1c1273c50c0
2019-08-20Interface API cleanupJan Gelety1-28/+28
CSIT code alignment with API changes in VPP introduced by patch https://gerrit.fd.io/r/c/vpp/+/18361 Change-Id: Ib0357bba79f55d297ef1086fbf3b760caca16cdb Signed-off-by: Jan Gelety <jgelety@cisco.com> Signed-off-by: Vratko Polak <vrpolak@cisco.com>
2019-08-07FIX: IPsecUtil - create IP object separately in ever iterationJan Gelety1-33/+24
- if we are trying to update ip field of already existing IP object in more iterations of e.g. ip_route_add_del the PapiExecutor uses value from last iteration for all iterations so it ends up in creation of ip route only for one IP not for all required IPs Change-Id: I5ffa622e2a06d0c5c71720d2cf743a4c2104ab79 Signed-off-by: Jan Gelety <jgelety@cisco.com>
2019-07-26FIX: IPsec UtilPeter Mikus1-25/+4
Because: >>> for i in xrange(4): ... if i > 0 and i % 250 / 3 == 0: ... i ... 1 2 Change-Id: Ia4eba227ea1e4c6222f32ac598f254428d95adc9 Signed-off-by: Peter Mikus <pmikus@cisco.com>
2019-07-23Add scale ipsec tunnel tests 40K, 60KPeter Mikus1-4/+8
Change-Id: Iecfd7e69a72c8d5893a703fa93439cde0a3edf5f Signed-off-by: Peter Mikus <pmikus@cisco.com>
2019-07-11CSIT-1469: Migrate IPsecUtil library from VAT to PAPIJan Gelety1-340/+775
Change-Id: Iac790bf5755a70697e4c4eff32242b04f8e7f789 Signed-off-by: Jan Gelety <jgelety@cisco.com>
2019-07-17Use PapiSocketProvider for most PAPI callsVratko Polak1-3/+3
Ticket: CSIT-1541 Ticket: VPP-1722 Ticket: CSIT-1546 + Increase timeout to hide x520 slownes of show hardware detail. - Install sshpass and update ssh client in virl bootstrap. + Added TODOs to remove when CSIT-1546 is fixed. + Enable default socksvr on any startup conf. + Improve OptionString init and repr. - The non-socket executor still kept for stats. + Remove everything unrelated to stats from non-socket executor. - Remove some debug-loooking calls to avoid failures. TODO: Introduce proper parsing to the affected keywords. + Reduce logging from PAPI code to level INFO. - Needs https://gerrit.fd.io/r/20660 to fully work. + Change default values for LocalExecution.run() + Return code check enabled by default. Code is more readable when rc!=0 is allowed explicitly, and the test code will now detect unexpected failures. + Logging disabled by default. Output XML is large already. Important logging can be enabled explicitly. + Restore alphabetical order in common.sh functions. Change-Id: I05882cb6b620ad14638f7404b5ad38c7a5de9e6c Signed-off-by: Vratko Polak <vrpolak@cisco.com>
2019-07-12PapiExecutor always verifiesVratko Polak1-8/+2
Do not support returning unverified replies anymore. Basically, ".get_replies().verify_replies()" is now just ".get_replies()". This allows fairly large simplifications both at call sites and in PapiExecutor.py + Rename get_dumps to get_details. + Introduce get_reply and get_sw_if_index. + Rename variables holding get_*() value, + e.g. get_stats() value is stored to variable named "stats". + Rename "item" of subsequent loop to hint the type instead. + Rename "details" function argument to "verbose". + Process reply details in place, instead of building new list. - Except hybrid blocks which can return both list or single item. - Except human readable text building blocks. + Rename most similar names to sw_if_index. - Except "vpp_sw_index" and some function names. + Use single run_cli_cmd from PapiExecutor. + Do not chain methods over multiple lines. + Small space gain is not worth readability loss. + Include minor code and docstrings improvement. + Add some TODOs. Change-Id: Ib2110a3d2101a74d5837baab3a58dc46aafc6ce3 Signed-off-by: Vratko Polak <vrpolak@cisco.com>
2019-07-10Fix few pylint violationsVratko Polak1-3/+1
+ Stop attempting to check test/ as module inits are not there. Change-Id: Ia4e498061be3e3118b07e98c9c2f761f2454653e Signed-off-by: Vratko Polak <vrpolak@cisco.com>
2019-07-09Add scale ipsec tunnel tests 20KPeter Mikus1-15/+28
Change-Id: Ib52e1735b6b82ea9fea44c06c379f117068e94c1 Signed-off-by: Peter Mikus <pmikus@cisco.com>
2019-06-14FIX: IPsec TNL modePeter Mikus1-32/+6
Change-Id: Ide82ae5fa03d3fec8f4db9db7634be0a1e339cd1 Signed-off-by: Peter Mikus <pmikus@cisco.com>
2019-06-14FIX: IPsec INT modePeter Mikus1-7/+4
Change-Id: I286490280b6e62f9f212831a5bf1d14db1838fa7 Signed-off-by: Peter Mikus <pmikus@cisco.com>
2019-06-05Even more Crypto combinationsPeter Mikus1-173/+250
Change-Id: I10eeb4ee30a57712824e68176d92d1ecb5f0d1b0 Signed-off-by: Peter Mikus <pmikus@cisco.com>
2019-05-23CSIT-1506: Rework IPsec base testcasesPeter Mikus1-11/+23
- Add: aes-128-gcm aes-128-gcm aes-256-gcm aes-256-gcm aes-128-cbc hmac-sha-256 aes-256-cbc hmac-sha-512 - Remove: hmac-sha1 - Scale will follow in next patch Change-Id: I789f71cf66cf61b8dbb3c6dbe9b6fdc79866ac33 Signed-off-by: Peter Mikus <pmikus@cisco.com>
2019-03-06CSIT-1450: PAPI executorVratko Polak1-58/+28
Change-Id: I4c756cc4b29901184594a728f6184c30cadd9c1a Signed-off-by: Vratko Polak <vrpolak@cisco.com>
2019-02-26FIX: ipsec + vpp stable version updateJan Gelety1-54/+54
- use exec ipsec sa add - use exec ipsec spd add - use exec set ipsec sa Change-Id: I69d59dd230b99d8efc9bcb5e3fbab79a8b11b18a Signed-off-by: Jan Gelety <jgelety@cisco.com>
2019-02-06FIX: Set ipsec backend to dpdk backend when aes-gcm cipher usedJan Gelety1-15/+121
Change-Id: I008b9e0fd62cdc8e29136930762bd7412bd50181 Signed-off-by: Jan Gelety <jgelety@cisco.com> (cherry picked from commit 2230a8ab108fa114752decfc69321ec5a47f36a6)
2018-04-25Fix warnings reported by gen_doc.shVratko Polak1-26/+26
+ Docstring warnings fixed. + Multiline param descriptions indented by 4 spaces. - Except the PacketVerifier.py one - I have tried several quote-like blocks, nothing works. - Rst warnings not fixed. - How can I fix them? They refer to temporarily created files. + Other improvements: + Python lines no longer than 80 characters. + :return: -> :returns: + Notes before params. + :raises + closing colon after exception class. + Description is a sentence. + Present tense in conditional sentences. + Bumped copyright year in edited files. Change-Id: I462c194eeecb666dc146e26858486a07c990be9b Signed-off-by: Vratko Polak <vrpolak@cisco.com>
2018-04-10FIX: Crypto execution orderPeter Mikus1-51/+79
Currently, VAT history looks like this: sw_interface_set_flags sw_if_index 2 admin-up sw_interface_set_flags sw_if_index 1 admin-up sw_interface_dump sw_interface_set_flags sw_if_index 2 admin-up sw_interface_set_flags sw_if_index 1 admin-up sw_interface_add_del_address sw_if_index 2 192.168.10.1/24 sw_interface_add_del_address sw_if_index 1 172.168.1.1/24 ip_neighbor_add_del sw_if_index 2 dst 192.168.10.2 mac 68:05:ca:3a:af:40 ip_neighbor_add_del sw_if_index 1 dst 172.168.1.2 mac 68:05:ca:35:78:e9 ip_add_del_route 10.0.0.0/8 via 192.168.10.2 sw_if_index 2 resolve-attempts 10 count 1 exec exec /tmp/ipsec_create_tunnel_dut1.config It should be like this: sw_interface_add_del_address sw_if_index 2 192.168.10.1/24 sw_interface_add_del_address sw_if_index 1 172.168.1.1/24 ip_neighbor_add_del sw_if_index 2 dst 192.168.10.2 mac 68:05:ca:3a:af:40 ip_neighbor_add_del sw_if_index 1 dst 172.168.1.2 mac 68:05:ca:35:78:e9 ip_add_del_route 10.0.0.0/8 via 192.168.10.2 sw_if_index 2 resolve-attempts 10 count 1 exec exec /tmp/ipsec_create_tunnel_dut1.config sw_interface_set_flags sw_if_index 2 admin-up sw_interface_set_flags sw_if_index 1 admin-up Change-Id: I4e943436dee00166966b4f53d9d0a40440bbf1e4 Signed-off-by: Peter Mikus <pmikus@cisco.com>