From 69bc73179fe39ea02c9d53c0eb167e1320bcf090 Mon Sep 17 00:00:00 2001 From: Jan Gelety Date: Thu, 16 Nov 2017 18:47:05 +0100 Subject: CSIT-859: KW to add crypto SW device to startup.conf Change-Id: I8441d58a2d7f604b64fff358a3cef8d72289dcdc Signed-off-by: Jan Gelety --- bootstrap.sh | 2 +- resources/libraries/python/VppConfigGenerator.py | 98 +++- resources/libraries/robot/crypto/ipsec.robot | 47 +- resources/libraries/robot/shared/default.robot | 30 +- .../eth2p-ethip4ipsectnl-ip4base-func.robot | 523 +++++++++++++++++++ .../eth2p-ethip4ipsectpt-ip4base-func.robot | 487 ++++++++++++++++++ .../eth2p-ethip4ipsectptlispgpe-ip4base-func.robot | 270 ++++++++++ .../eth2p-ethip4ipsectptlispgpe-ip6base-func.robot | 160 ++++++ ...h2p-ethip4ipsectptlispgpe-ip6basevrf-func.robot | 135 +++++ .../eth2p-ethip6ipsectnl-ip6base-func.robot | 523 +++++++++++++++++++ .../eth2p-ethip6ipsectpt-ip6base-func.robot | 487 ++++++++++++++++++ .../eth2p-ethip6ipsectptlispgpe-ip4base-func.robot | 158 ++++++ .../eth2p-ethip6ipsectptlispgpe-ip6base-func.robot | 174 +++++++ .../crypto/eth2p-ethip4ipsectnl-ip4base-func.robot | 523 ------------------- .../crypto/eth2p-ethip4ipsectpt-ip4base-func.robot | 487 ------------------ .../eth2p-ethip4ipsectptlispgpe-ip4base-func.robot | 270 ---------- .../eth2p-ethip4ipsectptlispgpe-ip6base-func.robot | 160 ------ ...h2p-ethip4ipsectptlispgpe-ip6basevrf-func.robot | 135 ----- .../crypto/eth2p-ethip6ipsectnl-ip6base-func.robot | 523 ------------------- .../crypto/eth2p-ethip6ipsectpt-ip6base-func.robot | 487 ------------------ .../eth2p-ethip6ipsectptlispgpe-ip4base-func.robot | 158 ------ .../eth2p-ethip6ipsectptlispgpe-ip6base-func.robot | 174 ------- .../eth2p-ethip4ipsectnlsw-ip4base-func.robot | 560 +++++++++++++++++++++ .../eth2p-ethip4ipsectptsw-ip4base-func.robot | 535 ++++++++++++++++++++ 24 files changed, 4174 insertions(+), 2932 deletions(-) create mode 100644 tests/vpp/func/crypto/default/eth2p-ethip4ipsectnl-ip4base-func.robot create mode 100644 tests/vpp/func/crypto/default/eth2p-ethip4ipsectpt-ip4base-func.robot create mode 100644 tests/vpp/func/crypto/default/eth2p-ethip4ipsectptlispgpe-ip4base-func.robot create mode 100644 tests/vpp/func/crypto/default/eth2p-ethip4ipsectptlispgpe-ip6base-func.robot create mode 100644 tests/vpp/func/crypto/default/eth2p-ethip4ipsectptlispgpe-ip6basevrf-func.robot create mode 100644 tests/vpp/func/crypto/default/eth2p-ethip6ipsectnl-ip6base-func.robot create mode 100644 tests/vpp/func/crypto/default/eth2p-ethip6ipsectpt-ip6base-func.robot create mode 100644 tests/vpp/func/crypto/default/eth2p-ethip6ipsectptlispgpe-ip4base-func.robot create mode 100644 tests/vpp/func/crypto/default/eth2p-ethip6ipsectptlispgpe-ip6base-func.robot delete mode 100644 tests/vpp/func/crypto/eth2p-ethip4ipsectnl-ip4base-func.robot delete mode 100644 tests/vpp/func/crypto/eth2p-ethip4ipsectpt-ip4base-func.robot delete mode 100644 tests/vpp/func/crypto/eth2p-ethip4ipsectptlispgpe-ip4base-func.robot delete mode 100644 tests/vpp/func/crypto/eth2p-ethip4ipsectptlispgpe-ip6base-func.robot delete mode 100644 tests/vpp/func/crypto/eth2p-ethip4ipsectptlispgpe-ip6basevrf-func.robot delete mode 100644 tests/vpp/func/crypto/eth2p-ethip6ipsectnl-ip6base-func.robot delete mode 100644 tests/vpp/func/crypto/eth2p-ethip6ipsectpt-ip6base-func.robot delete mode 100644 tests/vpp/func/crypto/eth2p-ethip6ipsectptlispgpe-ip4base-func.robot delete mode 100644 tests/vpp/func/crypto/eth2p-ethip6ipsectptlispgpe-ip6base-func.robot create mode 100644 tests/vpp/func/crypto/sw_device/eth2p-ethip4ipsectnlsw-ip4base-func.robot create mode 100644 tests/vpp/func/crypto/sw_device/eth2p-ethip4ipsectptsw-ip4base-func.robot diff --git a/bootstrap.sh b/bootstrap.sh index ebbe752a4e..9c8c0710af 100755 --- a/bootstrap.sh +++ b/bootstrap.sh @@ -92,7 +92,7 @@ VIRL_SERVER_EXPECTED_STATUS="PRODUCTION" SSH_OPTIONS="-i ${VIRL_PKEY} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o BatchMode=yes -o LogLevel=error" -TEST_GROUPS=("crypto,ip4_tunnels.softwire,ip4_tunnels.vxlan,telemetry" "ip4,ip4_tunnels.gre,ip4_tunnels.lisp,ip6_tunnels.vxlan,vm_vhost.ip4,vm_vhost.ip6" "interfaces,ip6,ip6_tunnels.lisp,l2bd,l2xc,vm_vhost.l2bd,vm_vhost.l2xc") +TEST_GROUPS=("crypto,ip4_tunnels.softwire,ip4_tunnels.vxlan" "ip4,ip4_tunnels.gre,ip4_tunnels.lisp,ip6_tunnels.vxlan,ip6_tunnels.lisp,vm_vhost.ip4,vm_vhost.ip6" "interfaces,ip6,l2bd,l2xc,vm_vhost.l2bd,vm_vhost.l2xc,telemetry") SUITE_PATH="tests.vpp.func" SKIP_PATCH="SKIP_PATCH" diff --git a/resources/libraries/python/VppConfigGenerator.py b/resources/libraries/python/VppConfigGenerator.py index 25862025e1..eccada9979 100644 --- a/resources/libraries/python/VppConfigGenerator.py +++ b/resources/libraries/python/VppConfigGenerator.py @@ -38,6 +38,12 @@ class VppConfigGenerator(object): self._vpp_config = '' # VPP Service name self._vpp_service_name = 'vpp' + # VPP Logfile location + self._vpp_logfile = '/tmp/vpe.log' + # VPP Startup config location + self._vpp_startup_conf = '/etc/vpp/startup.conf' + # VPP Startup config backup location + self._vpp_startup_conf_backup = None def set_node(self, node): """Set DUT node. @@ -52,6 +58,22 @@ class VppConfigGenerator(object): self._node = node self._hostname = Topology.get_node_hostname(node) + def set_vpp_logfile(self, logfile): + """Set VPP logfile location. + + :param logfile: VPP logfile location. + :type logfile: str + """ + self._vpp_logfile = logfile + + def set_vpp_startup_conf_backup(self, backup='/etc/vpp/startup.backup'): + """Set VPP startup configuration backup. + + :param backup: VPP logfile location. + :type backup: str + """ + self._vpp_startup_conf_backup = backup + def get_config_str(self): """Get dumped startup configuration in VPP config format. @@ -105,24 +127,35 @@ class VppConfigGenerator(object): if level >= 0: self._vpp_config += '{}}}\n'.format(level * indent) - def add_unix_log(self, value='/tmp/vpe.log'): + def add_unix_log(self, value=None): """Add UNIX log configuration. :param value: Log file. :type value: str """ path = ['unix', 'log'] + if value is None: + value = self._vpp_logfile self.add_config_item(self._nodeconfig, value, path) def add_unix_cli_listen(self, value='localhost:5002'): """Add UNIX cli-listen configuration. - :param value: CLI listen address and port. + :param value: CLI listen address and port or path to CLI socket. :type value: str """ path = ['unix', 'cli-listen'] self.add_config_item(self._nodeconfig, value, path) + def add_unix_gid(self, value='vpp'): + """Add UNIX gid configuration. + + :param value: Gid. + :type value: str + """ + path = ['unix', 'gid'] + self.add_config_item(self._nodeconfig, value, path) + def add_unix_nodaemon(self): """Add UNIX nodaemon configuration.""" path = ['unix', 'nodaemon'] @@ -138,6 +171,15 @@ class VppConfigGenerator(object): path = ['unix', 'exec'] self.add_config_item(self._nodeconfig, value, path) + def add_api_segment_gid(self, value='vpp'): + """Add API-SEGMENT gid configuration. + + :param value: Gid. + :type value: str + """ + path = ['api-segment', 'gid'] + self.add_config_item(self._nodeconfig, value, path) + def add_dpdk_dev(self, *devices): """Add DPDK PCI device configuration. @@ -158,7 +200,7 @@ class VppConfigGenerator(object): def add_dpdk_cryptodev(self, count): """Add DPDK Crypto PCI device configuration. - :param count: Number of crypto devices to add. + :param count: Number of HW crypto devices to add. :type count: int """ cryptodev = Topology.get_cryptodev(self._node) @@ -169,6 +211,18 @@ class VppConfigGenerator(object): self.add_config_item(self._nodeconfig, '', path) self.add_dpdk_uio_driver('igb_uio') + def add_dpdk_sw_cryptodev(self, count): + """Add DPDK Crypto SW device configuration. + + :param count: Number of crypto SW devices to add. + :type count: int + """ + for i in range(count): + cryptodev_config = 'vdev cryptodev_aesni_mb_pmd,socket_id={0}'.\ + format(str(i)) + path = ['dpdk', cryptodev_config] + self.add_config_item(self._nodeconfig, '', path) + def add_dpdk_dev_default_rxq(self, value): """Add DPDK dev default rxq configuration. @@ -297,7 +351,7 @@ class VppConfigGenerator(object): path = ['nat'] self.add_config_item(self._nodeconfig, value, path) - def apply_config(self, filename='/etc/vpp/startup.conf', waittime=5, + def apply_config(self, filename=None, waittime=5, retries=12, restart_vpp=True): """Generate and apply VPP configuration for node. @@ -312,14 +366,26 @@ class VppConfigGenerator(object): :type waittime: int :type retries: int :type restart_vpp: bool. - :raises RuntimeError: If writing config file failed, or restarting of - VPP failed. + :raises RuntimeError: If writing config file failed or restart of VPP + failed or backup of VPP startup.conf failed. """ self.dump_config(self._nodeconfig) ssh = SSH() ssh.connect(self._node) + if filename is None: + filename = self._vpp_startup_conf + + if self._vpp_startup_conf_backup is not None: + (ret, _, _) = \ + ssh.exec_command('sudo cp {0} {1}'. + format(self._vpp_startup_conf, + self._vpp_startup_conf_backup)) + if ret != 0: + raise RuntimeError('Backup of config file failed on node {}'. + format(self._hostname)) + (ret, _, _) = \ ssh.exec_command('echo "{config}" | sudo tee {filename}'. format(config=self._vpp_config, @@ -346,11 +412,27 @@ class VppConfigGenerator(object): # and verify if VPP is running. for _ in range(retries): time.sleep(waittime) - (ret, _, _) = \ + (ret, stdout, _) = \ ssh.exec_command('echo show hardware-interfaces | ' 'nc 0 5002 || echo "VPP not yet running"') - if ret == 0: + if ret == 0 and stdout != 'VPP not yet running': break else: raise RuntimeError('VPP failed to restart on node {}'. format(self._hostname)) + + def restore_config(self): + """Restore VPP startup.conf from backup. + + :raises RuntimeError: When restoration of startup.conf file failed. + """ + + ssh = SSH() + ssh.connect(self._node) + + (ret, _, _) = ssh.exec_command('sudo cp {0} {1}'. + format(self._vpp_startup_conf_backup, + self._vpp_startup_conf)) + if ret != 0: + raise RuntimeError('Restoration of config file failed on node {}'. + format(self._hostname)) diff --git a/resources/libraries/robot/crypto/ipsec.robot b/resources/libraries/robot/crypto/ipsec.robot index 74a1a53f25..80d2937e37 100644 --- a/resources/libraries/robot/crypto/ipsec.robot +++ b/resources/libraries/robot/crypto/ipsec.robot @@ -254,21 +254,21 @@ | Set up IPv4 IPSec functional test | | [Documentation] -| | ... | Set up IPv4 IPSec functional test +| | ... | Set up IPv4 IPSec functional test. | | ... | | Set up functional test | | Configure topology for IPv4 IPsec testing | Set up IPv6 IPSec functional test | | [Documentation] -| | ... | Set up IPv6 IPSec functional test +| | ... | Set up IPv6 IPSec functional test. | | ... | | Set up functional test | | Configure topology for IPv6 IPsec testing | Tear down IPSec functional test | | [Documentation] -| | ... | Tear down IPSec functional test +| | ... | Tear down IPSec functional test. | | ... | | ... | *Example:* | | ... @@ -278,3 +278,44 @@ | | ... | | VPP IPsec Show | ${dut_node} | | Tear down functional test + +| Set up IPSec SW device functional test +| | [Documentation] +| | ... | Set up IPSec SW device functional test for required IP version. +| | ... +| | ... | *Arguments:* +| | ... | - ${ip_version} - IP version: IPv4 or IPv6. Type: string +| | ... +| | ... | *Example:* +| | ... +| | ... | \| Set up IPSec SW device functional test \| IPv4 \| +| | ... +| | [Arguments] | ${ip_version} +| | ... +| | ${duts}= | Get Matches | ${nodes} | DUT* +| | :FOR | ${dut} | IN | @{duts} +| | | Import Library | resources.libraries.python.VppConfigGenerator +| | | ... | WITH NAME | ${dut} +| | | Run keyword | ${dut}.Set Node | ${nodes['${dut}']} +| | | Run keyword | ${dut}.Set Vpp Startup Conf Backup +| | | Run keyword | ${dut}.Set Vpp Logfile | /tmp/vpp.log +| | | Run keyword | ${dut}.Add Unix Nodaemon +| | | Run keyword | ${dut}.Add Unix Log +| | | Run keyword | ${dut}.Add Unix Coredump +| | | Run keyword | ${dut}.Add Unix CLI Listen | /run/vpp/cli.sock +| | | Run keyword | ${dut}.Add Unix Gid +| | | Run keyword | ${dut}.Add Api Segment Gid +| | | Run keyword | ${dut}.Add DPDK SW Cryptodev | ${1} +| | Apply startup configuration on all VPP DUTs | restart_vpp=${FALSE} +| | Set up functional test +| | Run Keyword | Configure topology for ${ip_version} IPsec testing + +| Tear down IPSec SW device functional test +| | [Documentation] +| | ... | Tear down IPSec SW device functional test. +| | ... +| | ${duts}= | Get Matches | ${nodes} | DUT* +| | :FOR | ${dut} | IN | @{duts} +| | | VPP IPsec Show | ${nodes['${dut}']} +| | | Run keyword | ${dut}.Restore Config +| | Tear down functional test diff --git a/resources/libraries/robot/shared/default.robot b/resources/libraries/robot/shared/default.robot index 6c80f9827d..74ad8d3f09 100644 --- a/resources/libraries/robot/shared/default.robot +++ b/resources/libraries/robot/shared/default.robot @@ -24,7 +24,6 @@ | Library | resources.libraries.python.TGSetup | Library | resources.libraries.python.L2Util | Library | resources.libraries.python.Tap -| Library | resources.libraries.python.VppConfigGenerator | Library | resources.libraries.python.VppCounters | Library | resources.libraries.python.VPPUtil | Library | resources.libraries.python.Trace @@ -265,13 +264,38 @@ | | :FOR | ${dut} | IN | @{duts} | | | Run keyword | ${dut}.Add DPDK Cryptodev | ${count} +| Add crypto SW device on all DUTs +| | [Documentation] | Add required number of crypto SW devices to VPP startup +| | ... | configuration on all DUTs. +| | ... +| | ... | *Arguments:* +| | ... | - ${count} - Number of SW crypto devices. Type: integer +| | ... +| | ... | *Example:* +| | ... +| | ... | \| Add SW cryptodev on all DUTs \| ${4} \| +| | ... +| | [Arguments] | ${count} +| | ${duts}= | Get Matches | ${nodes} | DUT* +| | :FOR | ${dut} | IN | @{duts} +| | | Run keyword | ${dut}.Add DPDK SW Cryptodev | ${count} + | Apply startup configuration on all VPP DUTs | | [Documentation] | Write startup configuration and restart VPP on all DUTs. | | ... +| | ... | *Arguments:* +| | ... | - ${restart_vpp} - Whether to restart VPP (Optional). Type: boolean +| | ... +| | ... | *Example:* +| | ... +| | ... | \| Apply startup configuration on all VPP DUTs \| ${False} \| +| | ... +| | [Arguments] | ${restart_vpp}=${True} +| | ... | | ${duts}= | Get Matches | ${nodes} | DUT* | | :FOR | ${dut} | IN | @{duts} -| | | Run keyword | ${dut}.Apply Config -| | Update All Interface Data On All Nodes | ${nodes} | skip_tg=${TRUE} +| | | Run keyword | ${dut}.Apply Config | restart_vpp=${restart_vpp} +| | Update All Interface Data On All Nodes | ${nodes} | skip_tg=${True} | Save VPP PIDs | | [Documentation] | Get PIDs of VPP processes from all DUTs in topology and\ diff --git a/tests/vpp/func/crypto/default/eth2p-ethip4ipsectnl-ip4base-func.robot b/tests/vpp/func/crypto/default/eth2p-ethip4ipsectnl-ip4base-func.robot new file mode 100644 index 0000000000..814d8ee45c --- /dev/null +++ b/tests/vpp/func/crypto/default/eth2p-ethip4ipsectnl-ip4base-func.robot @@ -0,0 +1,523 @@ +# Copyright (c) 2016 Cisco and/or its affiliates. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +*** Settings *** +| Resource | resources/libraries/robot/crypto/ipsec.robot +| Library | resources.libraries.python.Trace +| Force Tags | 3_NODE_SINGLE_LINK_TOPO | 3_NODE_DOUBLE_LINK_TOPO +| ... | VM_ENV | HW_ENV | SKIP_VPP_PATCH +| ... +| Test Setup | Set up IPv4 IPSec functional test +| ... +| Test Teardown | Tear down IPSec functional test | ${dut_node} +| ... +| Documentation | *IPv4 IPsec tunnel mode test suite.* +| ... +| ... | *[Top] Network topologies:* TG-DUT1 2-node topology with one link\ +| ... | between nodes. +| ... | *[Cfg] DUT configuration:* On DUT1 create loopback interface, configure\ +| ... | loopback an physical interface IPv4 addresses, static ARP record, route\ +| ... | and IPsec manual keyed connection in tunnel mode. +| ... | *[Ver] TG verification:* ESP packet is sent from TG to DUT1. ESP packet\ +| ... | is received on TG from DUT1. +| ... | *[Ref] Applicable standard specifications:* RFC4303. + +*** Variables *** +| ${tg_spi}= | ${1000} +| ${dut_spi}= | ${1001} +| ${ESP_PROTO}= | ${50} +| ${tg_if_ip4}= | 192.168.100.2 +| ${dut_if_ip4}= | 192.168.100.3 +| ${tg_lo_ip4}= | 192.168.3.3 +| ${dut_lo_ip4}= | 192.168.4.4 +| ${ip4_plen}= | ${24} + +*** Test Cases *** +| TC01: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC02: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA1-96 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA1-96 in tunnel mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 192 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC03: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA1-96 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA1-96 in tunnel mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 256 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC04: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-256-128 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-256-128 in tunnel\ +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA 256 128 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC05: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-256-128 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in tunnel\ +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ${encr_alg}= | Crypto Alg AES CBC 192 +| | ${auth_alg}= | Integ Alg SHA 256 128 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC06: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-256-128 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-256-128 in tunnel\ +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 256 +| | ${auth_alg}= | Integ Alg SHA 256 128 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC07: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-384-192 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-384-192 in tunnel\ +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA 384 192 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC08: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-384-192 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-384-192 in tunnel\ +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 192 +| | ${auth_alg}= | Integ Alg SHA 384 192 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC09: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-384-192 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in tunnel\ +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ${encr_alg}= | Crypto Alg AES CBC 256 +| | ${auth_alg}= | Integ Alg SHA 384 192 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC10: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-512-256 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-512-256 in tunnel\ +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA 512 256 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC11: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-512-256 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-512-256 in tunnel\ +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 192 +| | ${auth_alg}= | Integ Alg SHA 512 256 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC12: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-512-256 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in tunnel\ +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ${encr_alg}= | Crypto Alg AES CBC 256 +| | ${auth_alg}= | Integ Alg SHA 512 256 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC13: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. +| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\ +| | ... | encryption key stored on VPP node from TG to VPP node and expect no\ +| | ... | response to be received on TG. +| | ... | [Ref] RFC4303. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC14: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. +| | ... | [Ver] Send an ESP packet authenticated by integrity key different\ +| | ... | from integrity key stored on VPP node from TG to VPP node and expect\ +| | ... | no response to be received on TG. +| | ... | [Ref] RFC4303. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC15: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption and integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. +| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\ +| | ... | by encryption key different from integrity and encryption keys stored\ +| | ... | on VPP node from TG to VPP node and expect no response to be received\ +| | ... | on TG. +| | ... | [Ref] RFC4303. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC16: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node before\ +| | ... | and after SA keys update. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${new_auth_key} +| | ... | ${tg_spi} | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC17: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\ +| | ... | encryption key stored on VPP node from TG to VPP node and expect no\ +| | ... | response to be received on TG before and after SA keys update. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${new_auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC18: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send an ESP packet authenticated by integrity key different\ +| | ... | from integrity key stored on VPP node from TG to VPP node and expect\ +| | ... | no response to be received on TG before and after SA keys update. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC19: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\ +| | ... | by encryption key different from integrity and encryption keys stored\ +| | ... | on VPP node from TG to VPP node and expect no response to be received\ +| | ... | on TG before and after SA keys update. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +*** Keywords *** +| Get Second Random String +| | [Arguments] | ${req_alg} | ${req_type} +| | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg} +| | ${key}= | Set Variable If | '${req_type}' == 'Crypto' | ${encr_key} +| | ... | '${req_type}' == 'Integ' | ${auth_key} +| | :FOR | ${index} | IN RANGE | 100 +| | | ${req_key}= | Generate Random String | ${req_key_len} +| | | Return From Keyword If | '${req_key}' != '${key}' | ${req_key} diff --git a/tests/vpp/func/crypto/default/eth2p-ethip4ipsectpt-ip4base-func.robot b/tests/vpp/func/crypto/default/eth2p-ethip4ipsectpt-ip4base-func.robot new file mode 100644 index 0000000000..e599cf9506 --- /dev/null +++ b/tests/vpp/func/crypto/default/eth2p-ethip4ipsectpt-ip4base-func.robot @@ -0,0 +1,487 @@ +# Copyright (c) 2016 Cisco and/or its affiliates. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +*** Settings *** +| Resource | resources/libraries/robot/crypto/ipsec.robot +| Library | resources.libraries.python.Trace +| Force Tags | 3_NODE_SINGLE_LINK_TOPO | 3_NODE_DOUBLE_LINK_TOPO +| ... | VM_ENV | HW_ENV | SKIP_VPP_PATCH +| Test Setup | Set up IPv4 IPSec functional test +| ... +| Test Teardown | Tear down IPSec functional test | ${dut_node} +| ... +| Documentation | *IPv4 IPsec transport mode test suite.* +| ... +| ... | *[Top] Network topologies:* TG-DUT1 2-node topology with one link\ +| ... | between nodes. +| ... | *[Cfg] DUT configuration:* On DUT1 create loopback interface, configure\ +| ... | loopback an physical interface IPv4 addresses, static ARP record, route\ +| ... | and IPsec manual keyed connection in transport mode. +| ... | *[Ver] TG verification:* ESP packet is sent from TG to DUT1. ESP packet\ +| ... | is received on TG from DUT1. +| ... | *[Ref] Applicable standard specifications:* RFC4303. + +*** Variables *** +| ${tg_spi}= | ${1000} +| ${dut_spi}= | ${1001} +| ${ESP_PROTO}= | ${50} +| ${tg_if_ip4}= | 192.168.100.2 +| ${dut_if_ip4}= | 192.168.100.3 +| ${tg_lo_ip4}= | 192.168.3.3 +| ${dut_lo_ip4}= | 192.168.4.4 +| ${ip4_plen}= | ${24} + +*** Test Cases *** +| TC01: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC02: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA1-96 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA1-96 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 192 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC03: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA1-96 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA1-96 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 256 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC04: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-256-128 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-256-128 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA 256 128 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC05: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-256-128 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ${encr_alg}= | Crypto Alg AES CBC 192 +| | ${auth_alg}= | Integ Alg SHA 256 128 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC06: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-256-128 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-256-128 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 256 +| | ${auth_alg}= | Integ Alg SHA 256 128 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC07: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-384-192 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-384-192 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA 384 192 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC08: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-384-192 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-384-192 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 192 +| | ${auth_alg}= | Integ Alg SHA 384 192 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC09: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-384-192 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ${encr_alg}= | Crypto Alg AES CBC 256 +| | ${auth_alg}= | Integ Alg SHA 384 192 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC10: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-512-256 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-512-256 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA 512 256 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC11: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-512-256 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-512-256 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 192 +| | ${auth_alg}= | Integ Alg SHA 512 256 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC12: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-512-256 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ${encr_alg}= | Crypto Alg AES CBC 256 +| | ${auth_alg}= | Integ Alg SHA 512 256 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + + +| TC13: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ +| | ... | mode. +| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\ +| | ... | encryption key stored on VPP node from TG to VPP node and expect no\ +| | ... | response to be received on TG. +| | ... | [Ref] RFC4303. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC14: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ +| | ... | mode. +| | ... | [Ver] Send an ESP packet authenticated by integrity key different\ +| | ... | from integrity key stored on VPP node from TG to VPP node and expect\ +| | ... | no response to be received on TG. +| | ... | [Ref] RFC4303. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC15: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption and integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ +| | ... | mode. +| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\ +| | ... | by encryption key different from integrity and encryption keys stored\ +| | ... | on VPP node from TG to VPP node and expect no response to be received\ +| | ... | on TG. +| | ... | [Ref] RFC4303. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC16: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node before\ +| | ... | and after SA keys update. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${new_auth_key} +| | ... | ${tg_spi} | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC17: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\ +| | ... | encryption key stored on VPP node from TG to VPP node and expect no\ +| | ... | response to be received on TG before and after SA keys update. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${new_auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC18: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send an ESP packet authenticated by integrity key different\ +| | ... | from integrity key stored on VPP node from TG to VPP node and expect\ +| | ... | no response to be received on TG before and after SA keys update. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC19: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\ +| | ... | by encryption key different from integrity and encryption keys stored\ +| | ... | on VPP node from TG to VPP node and expect no response to be received\ +| | ... | on TG before and after SA keys update. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +*** Keywords *** +| Get Second Random String +| | [Arguments] | ${req_alg} | ${req_type} +| | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg} +| | ${key}= | Set Variable If | '${req_type}' == 'Crypto' | ${encr_key} +| | ... | '${req_type}' == 'Integ' | ${auth_key} +| | :FOR | ${index} | IN RANGE | 100 +| | | ${req_key}= | Generate Random String | ${req_key_len} +| | | Return From Keyword If | '${req_key}' != '${key}' | ${req_key} diff --git a/tests/vpp/func/crypto/default/eth2p-ethip4ipsectptlispgpe-ip4base-func.robot b/tests/vpp/func/crypto/default/eth2p-ethip4ipsectptlispgpe-ip4base-func.robot new file mode 100644 index 0000000000..15c10d40fc --- /dev/null +++ b/tests/vpp/func/crypto/default/eth2p-ethip4ipsectptlispgpe-ip4base-func.robot @@ -0,0 +1,270 @@ +# Copyright (c) 2016 Cisco and/or its affiliates. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +*** Settings *** +| Library | resources.libraries.python.topology.Topology +| Library | resources.libraries.python.NodePath +| Library | resources.libraries.python.Trace +| Library | resources.libraries.python.LispUtil +| Library | resources.libraries.python.VhostUser +| Library | resources.libraries.python.QemuUtils +| Library | resources.libraries.python.VPPUtil +| Library | resources.libraries.python.IPsecUtil +| Resource | resources/libraries/robot/shared/traffic.robot +| Resource | resources/libraries/robot/shared/default.robot +| Resource | resources/libraries/robot/shared/interfaces.robot +| Resource | resources/libraries/robot/shared/testing_path.robot +| Resource | resources/libraries/robot/crypto/ipsec.robot +| Resource | resources/libraries/robot/vm/qemu.robot +| Resource | resources/libraries/robot/overlay/lispgpe.robot +| Resource | resources/libraries/robot/l2/l2_bridge_domain.robot +| Resource | resources/libraries/robot/overlay/l2lisp.robot +# Import configuration and test data: +| Variables | resources/test_data/lisp/ipv4_ipsec_lispgpe_ipv4/ipv4_ipsec_lispgpe_ipv4.py +| ... +| Force Tags | 3_NODE_SINGLE_LINK_TOPO | VM_ENV | LISP | SKIP_VPP_PATCH +| ... +| Test Setup | Set up functional test +| ... +| Test Teardown | Tear down LISP functional test +| ... +| Documentation | *IPv4-ip4-ipsec-lispgpe-ip4 - main fib, vrf (gpe_vni-to-vrf)* +| ... +| ... | *[Top] Network Topologies:* TG-DUT1-DUT2-TG 3-node circular topology\ +| ... | with single links between nodes. +| ... | *[Enc] Packet Encapsulations:* ICMPv4-IPv4-IPSec-LISPGPE-IPv4-ICMPv4. +| ... | *[Cfg] DUT configuration:* Each DUT is configured with LISP and IPsec.\ +| ... | IPsec is in transport mode. Tests cases are for IPsec configured both\ +| ... | on RLOC interface or lisp_gpe0 interface. +| ... | *[Ver] TG verification:* Packet is send from TG(if1) across the DUT1 to\ +| ... | DUT2 where it is forwarded to TG(if2). +| ... | *[Ref] Applicable standard specifications:* RFC6830, RFC4303. + +*** Variables *** +| ${dut2_spi}= | ${1000} +| ${dut1_spi}= | ${1001} + +| ${ESP_PROTO}= | ${50} + +| ${bid}= | 10 + +*** Test Cases *** +| TC01: DUT1 and DUT2 route IPv4 bidirectionally over LISP GPE tunnel using IPsec (transport) on RLOC Int. +| | [Documentation] +| | ... | [Top] TG-DUT1-DUT2-TG. +| | ... | [Enc] Eth-IPv4-IPSec-LISPGPE-IPv4-ICMPv4 on DUT1-DUT2,\ +| | ... | Eth-IPv4-ICMPv4 on TG-DUTn. +| | ... | [Cfg] Configure IPv4 LISP static adjacencies on DUT1 and DUT2 with\ +| | ... | IPsec in between DUTs. +| | ... | [Ver] Case: ip4-lispgpe-ipsec-ip4 - main fib +| | ... | Make TG send ICMPv4 Echo Req between its interfaces across both\ +| | ... | DUTs and LISP GPE tunnel between them; verify IPv4 headers on\ +| | ... | received packets are correct. +| | ... | [Ref] RFC6830, RFC4303. +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Setup 3-node Topology +| | And Add IP Neighbors +| | And Configure LISP GPE topology in 3-node circular topology +| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE} +| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE} +| | ... | ${duts_locator_set} | ${dut1_ip4_eid} | ${dut2_ip4_eid} +| | ... | ${dut1_to_dut2_ip4_static_adjacency} +| | ... | ${dut2_to_dut1_ip4_static_adjacency} +| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut1_node} | ${dut1_to_dut2} | ${encr_alg} | ${encr_key} +| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi} +| | ... | ${dut1_to_dut2_ip4} | ${dut2_to_dut1_ip4} +| | And Configure manual keyed connection for IPSec +| | ... | ${dut2_node} | ${dut2_to_dut1} | ${encr_alg} | ${encr_key} +| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi} +| | ... | ${dut2_to_dut1_ip4} | ${dut1_to_dut2_ip4} +| | Then Send packet and verify headers +| | ... | ${tg_node} | ${tg1_ip4} | ${tg2_ip4} +| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac} +| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac} +| | And Send packet and verify headers +| | ... | ${tg_node} | ${tg2_ip4} | ${tg1_ip4} +| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac} +| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac} + +| TC02: DUT1 and DUT2 route IPv4 bidirectionally over LISP GPE tunnel using IPsec (transport) lisp_gpe0 Int. +| | [Documentation] +| | ... | [Top] TG-DUT1-DUT2-TG. +| | ... | [Enc] Eth-IPv4-IPSec-LISPGPE-IPv4-ICMPv4 on DUT1-DUT2,\ +| | ... | Eth-IPv4-ICMPv4 on TG-DUTn. +| | ... | [Cfg] Configure IPv4 LISP static adjacencies on DUT1 and DUT2 with\ +| | ... | IPsec in between DUTs. +| | ... | [Ver] Case: ip4-ipsec-lispgpe-ip4 - main fib +| | ... | Make TG send ICMPv4 Echo Req between its interfaces across both\ +| | ... | DUTs and LISP GPE tunnel between them; verify IPv4 headers on\ +| | ... | received packets are correct. +| | ... | [Ref] RFC6830, RFC4303. +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Setup 3-node Topology +| | And Add IP Neighbors +| | And Configure LISP GPE topology in 3-node circular topology +| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE} +| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE} +| | ... | ${duts_locator_set} | ${dut1_ip4_eid} | ${dut2_ip4_eid} +| | ... | ${dut1_to_dut2_ip4_static_adjacency} +| | ... | ${dut2_to_dut1_ip4_static_adjacency} +| | ${lisp_if_idx}= | resources.libraries.python.InterfaceUtil.Get sw if index +| | ... | ${dut1_node} | lisp_gpe0 +| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut1_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key} +| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi} | ${tg1_ip4} +| | ... | ${tg2_ip4} +| | And Configure manual keyed connection for IPSec +| | ... | ${dut2_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key} +| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi} | ${tg2_ip4} +| | ... | ${tg1_ip4} +| | Then Send packet and verify headers +| | ... | ${tg_node} | ${tg1_ip4} | ${tg2_ip4} +| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac} +| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac} +| | And Send packet and verify headers +| | ... | ${tg_node} | ${tg2_ip4} | ${tg1_ip4} +| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac} +| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac} + +| TC03: DUT1 and DUT2 route IPv4 bidirectionally over LISP GPE tunnel using IPsec (transport) on RLOC Int and VRF on EID is enabled. +| | [Documentation] +| | ... | [Top] TG-DUT1-DUT2-TG. +| | ... | [Enc] Eth-IPv4-IPSec-LISPGPE-IPv4-ICMPv4 on DUT1-DUT2,\ +| | ... | Eth-IPv4-ICMPv4 on TG-DUTn. +| | ... | [Cfg] Configure IPv4 LISP static adjacencies on DUT1 and DUT2 with\ +| | ... | IPsec in between DUTs. +| | ... | [Ver] Case: ip4-lispgpe-ipsec-ip4 - vrf, main fib +| | ... | Make TG send ICMPv4 Echo Req between its interfaces across both\ +| | ... | DUTs and LISP GPE tunnel between them; verify IPv4 headers on\ +| | ... | received packets are correct. +| | ... | [Ref] RFC6830, RFC4303. +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Setup 3-node Topology | ${fib_table_1} +| | And Add IP Neighbors +| | When Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | And Configure LISP GPE topology in 3-node circular topology +| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE} +| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE} +| | ... | ${duts_locator_set} | ${dut1_ip4_eid} | ${dut2_ip4_eid} +| | ... | ${dut1_to_dut2_ip4_static_adjacency} +| | ... | ${dut2_to_dut1_ip4_static_adjacency} +| | ... | ${dut1_dut2_vni} | ${fib_table_1} +| | And Configure manual keyed connection for IPSec +| | ... | ${dut1_node} | ${dut1_to_dut2} | ${encr_alg} | ${encr_key} +| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi} +| | ... | ${dut1_to_dut2_ip4} | ${dut2_to_dut1_ip4} +| | And Configure manual keyed connection for IPSec +| | ... | ${dut2_node} | ${dut2_to_dut1} | ${encr_alg} | ${encr_key} +| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi} +| | ... | ${dut2_to_dut1_ip4} | ${dut1_to_dut2_ip4} +| | Then Send packet and verify headers +| | ... | ${tg_node} | ${tg1_ip4} | ${tg2_ip4} +| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac} +| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac} +| | And Send packet and verify headers +| | ... | ${tg_node} | ${tg2_ip4} | ${tg1_ip4} +| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac} +| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac} + +| TC04: DUT1 and DUT2 route IPv4 bidirectionally over LISP GPE tunnel using IPsec (transport) on lisp_gpe0 Int and VRF is enabled. +| | [Documentation] +| | ... | [Top] TG-DUT1-DUT2-TG. +| | ... | [Enc] Eth-IPv4-IPSec-LISPGPE-IPv4-ICMPv4 on DUT1-DUT2,\ +| | ... | Eth-IPv4-ICMPv4 on TG-DUTn. +| | ... | [Cfg] Configure IPv4 LISP static adjacencies on DUT1 and DUT2 with\ +| | ... | IPsec in between DUTs. +| | ... | [Ver] Case: ip4-ipsec-lispgpe-ip4 - vrf, main fib +| | ... | Make TG send ICMPv4 Echo Req between its interfaces across both\ +| | ... | DUTs and LISP GPE tunnel between them; verify IPv4 headers on\ +| | ... | received packets are correct. +| | ... | [Ref] RFC6830, RFC4303. +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Setup 3-node Topology | ${fib_table_1} +| | And Add IP Neighbors +| | And Configure LISP GPE topology in 3-node circular topology +| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE} +| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE} +| | ... | ${duts_locator_set} | ${dut1_ip4_eid} | ${dut2_ip4_eid} +| | ... | ${dut1_to_dut2_ip4_static_adjacency} +| | ... | ${dut2_to_dut1_ip4_static_adjacency} +| | ... | ${dut1_dut2_vni} | ${fib_table_1} +| | When Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | ${lisp_if_idx}= | resources.libraries.python.InterfaceUtil.Get sw if index +| | ... | ${dut1_node} | lisp_gpe0 +| | And Configure manual keyed connection for IPSec +| | ... | ${dut1_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key} +| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi} | ${tg1_ip4} +| | ... | ${tg2_ip4} +| | And Configure manual keyed connection for IPSec +| | ... | ${dut2_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key} +| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi} | ${tg2_ip4} +| | ... | ${tg1_ip4} +| | Then Send packet and verify headers +| | ... | ${tg_node} | ${tg1_ip4} | ${tg2_ip4} +| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac} +| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac} +| | And Send packet and verify headers +| | ... | ${tg_node} | ${tg2_ip4} | ${tg1_ip4} +| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac} +| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac} + +*** Keywords *** +| Setup 3-node Topology +| | [Documentation] +| | ... | Setup 3-node topology for this test suite. Set all physical\ +| | ... | interfaces up and assing IP adresses to them.\ +| | ... | You can specify fib table ID where the DUT-TG interfaces assign to.\ +| | ... | Default is 0. +| | ... +| | [Arguments] | ${fib_table}=0 +| | Configure path in 3-node circular topology +| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']} +| | Set interfaces in 3-node circular topology up +| | And Add Fib Table | ${dut1_node} | ${fib_table} +| | Assign Interface To Fib Table | ${dut1_node} +| | ... | ${dut1_to_tg} | ${fib_table} +| | And Add Fib Table | ${dut2_node} | ${fib_table} +| | Assign Interface To Fib Table | ${dut2_node} +| | ... | ${dut2_to_tg} | ${fib_table} +| | Set Interface Address | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip4} +| | ... | ${prefix4} +| | Set Interface Address | ${dut1_node} | ${dut1_to_tg} | ${dut1_to_tg_ip4} +| | ... | ${prefix4} +| | Set Interface Address | ${dut2_node} | ${dut2_to_dut1} | ${dut2_to_dut1_ip4} +| | ... | ${prefix4} +| | Set Interface Address | ${dut2_node} | ${dut2_to_tg} | ${dut2_to_tg_ip4} +| | ... | ${prefix4} + +| Add IP Neighbors +| | [Documentation] +| | ... | Add IP neighbors to physical interfaces on DUTs. +| | ... +| | Add IP Neighbor | ${dut1_node} | ${dut1_to_tg} | ${tg1_ip4} +| | ... | ${tg_to_dut1_mac} +| | Add IP Neighbor | ${dut2_node} | ${dut2_to_tg} | ${tg2_ip4} +| | ... | ${tg_to_dut2_mac} +| | Add IP Neighbor | ${dut1_node} | ${dut1_to_dut2} | ${dut2_to_dut1_ip4} +| | ... | ${dut2_to_dut1_mac} +| | Add IP Neighbor | ${dut2_node} | ${dut2_to_dut1} | ${dut1_to_dut2_ip4} +| | ... | ${dut1_to_dut2_mac} diff --git a/tests/vpp/func/crypto/default/eth2p-ethip4ipsectptlispgpe-ip6base-func.robot b/tests/vpp/func/crypto/default/eth2p-ethip4ipsectptlispgpe-ip6base-func.robot new file mode 100644 index 0000000000..550c9405cc --- /dev/null +++ b/tests/vpp/func/crypto/default/eth2p-ethip4ipsectptlispgpe-ip6base-func.robot @@ -0,0 +1,160 @@ +# Copyright (c) 2016 Cisco and/or its affiliates. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +*** Settings *** +| Library | resources.libraries.python.topology.Topology +| Library | resources.libraries.python.NodePath +| Library | resources.libraries.python.Trace +| Library | resources.libraries.python.IPUtil +| Library | resources.libraries.python.L2Util +| Library | resources.libraries.python.LispUtil +| Library | resources.libraries.python.IPsecUtil +| Library | resources.libraries.python.VatJsonUtil +| Library | resources.libraries.python.IPv6Setup +| Library | resources.libraries.python.VhostUser +| Library | resources.libraries.python.QemuUtils +| Library | resources.libraries.python.VPPUtil +| Library | String +| Resource | resources/libraries/robot/shared/traffic.robot +| Resource | resources/libraries/robot/shared/default.robot +| Resource | resources/libraries/robot/shared/interfaces.robot +| Resource | resources/libraries/robot/shared/testing_path.robot +| Resource | resources/libraries/robot/ip/ip6.robot +| Resource | resources/libraries/robot/crypto/ipsec.robot +| Resource | resources/libraries/robot/vm/qemu.robot +| Resource | resources/libraries/robot/overlay/lispgpe.robot +| Resource | resources/libraries/robot/l2/l2_bridge_domain.robot +# Import configuration and test data: +| Variables | resources/test_data/lisp/ipv6_lispgpe_ipv4/ipv6_lispgpe_ipsec_ipv4.py +| ... +| Force Tags | 3_NODE_SINGLE_LINK_TOPO | VM_ENV | LISP | SKIP_VPP_PATCH +| ... +| Test Setup | Set up functional test +| ... +| Test Teardown | Tear down LISP functional test +| ... +| Documentation | *IPv6 - ip4-ipsec-lispgpe-ip6 - main fib, vrf, virt2lisp,\ +| ... | phy2lisp* +| ... +| ... | *[Top] Network Topologies:* TG-DUT1-DUT2-TG 3-node circular topology\ +| ... | with single links between nodes. +| ... | *[Enc] Packet Encapsulations:* Eth-IPv4-LISPGPE-IPSec-IPv6-ICMP,\ +| ... | Eth-IPv4-IPSec-LISPGPE-IPv6-ICMP +| ... | *[Cfg] DUT configuration:* Each DUT is configured with LISP and IPsec.\ +| ... | IPsec is in transport mode. Tests cases are for IPsec configured both\ +| ... | on RLOC interface or lisp_gpe0 interface. +| ... | *[Ver] TG verification:* Packet is send from TG(if1) across the DUT1 to\ +| ... | DUT2 where it is forwarded to TG(if2). +| ... | *[Ref] Applicable standard specifications:* RFC6830, RFC4303. + +*** Test Cases *** +| TC01: DUT1 and DUT2 route IPv4 bidirectionally over LISP GPE tunnel using IPsec (transport) on RLOC Int. +| | [Documentation] +| | ... | [Top] TG-DUT1-DUT2-TG. +| | ... | [Enc] Eth-IPv4-LISPGPE-IPSec-IPv6-ICMP on DUT1-DUT2, Eth-IPv6-ICMP\ +| | ... | on TG-DUTn. +| | ... | [Cfg] Configure IPv6 LISP static adjacencies on DUT1 and DUT2 with\ +| | ... | IPsec in between DUTS. +| | ... | [Ver] Make TG send ICMPv6 Echo Req between its interfaces across\ +| | ... | both DUTs and LISP GPE tunnel between them; verify IPv6 headers on\ +| | ... | received packets are correct. +| | ... | [Ref] RFC6830, RFC4303. +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Setup Topology And Lisp +| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut1_node} | ${dut1_to_dut2} | ${encr_alg} | ${encr_key} +| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi} +| | ... | ${dut1_to_dut2_ip4} | ${dut2_to_dut1_ip4} +| | And Configure manual keyed connection for IPSec +| | ... | ${dut2_node} | ${dut2_to_dut1} | ${encr_alg} | ${encr_key} +| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi} +| | ... | ${dut2_to_dut1_ip4} | ${dut1_to_dut2_ip4} +| | Then Send packet and verify headers +| | ... | ${tg_node} | ${tg1_ip6} | ${tg2_ip6} +| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac} +| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac} +| | And Send packet and verify headers +| | ... | ${tg_node} | ${tg2_ip6} | ${tg1_ip6} +| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac} +| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac} + +| TC02: DUT1 and DUT2 route IPv4 bidirectionally over LISP GPE tunnel using IPsec (transport) on lisp_gpe0 Int. +| | [Documentation] +| | ... | [Top] TG-DUT1-DUT2-TG. +| | ... | [Enc] Eth-IPv4-IPSec-LISPGPE-IPv6-ICMPv6 on DUT1-DUT2, Eth-IPv6-ICMP\ +| | ... | on TG-DUTn. +| | ... | [Cfg] Configure IPv4 LISP static adjacencies on DUT1 and DUT2 with\ +| | ... | IPsec in between DUTS. +| | ... | [Ver] Make TG send ICMPv6 Echo Req between its interfaces across\ +| | ... | both DUTs and LISP GPE tunnel between them; verify IPv6 headers on\ +| | ... | received packets are correct. +| | ... | [Ref] RFC6830, RFC4303. +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Setup Topology And Lisp +| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | ${lisp_if_idx}= | resources.libraries.python.InterfaceUtil.get sw if index +| | ... | ${dut1_node} | ${lisp_gpe_int} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut1_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key} +| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi} +| | ... | ${dut1_to_dut2_ip4} | ${dut2_to_dut1_ip4} +| | And Configure manual keyed connection for IPSec +| | ... | ${dut2_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key} +| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi} +| | ... | ${dut2_to_dut1_ip4} | ${dut1_to_dut2_ip4} +| | Then Send packet and verify headers +| | ... | ${tg_node} | ${tg1_ip6} | ${tg2_ip6} +| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac} +| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac} +| | And Send packet and verify headers +| | ... | ${tg_node} | ${tg2_ip6} | ${tg1_ip6} +| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac} +| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac} + +*** Keywords *** +| Setup Topology And Lisp +| | [Documentation] | Setup IPs and neighbors for interfaces on DUT1 and DUT2\ +| | ... | and then setup LISP. +| | [Arguments] | ${fib_table}=0 | ${vni_table}=0 | ${ip6}=${FALSE} +| | Configure path in 3-node circular topology +| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']} +| | Set interfaces in 3-node circular topology up +| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip4} +| | ... | ${prefix4} +| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_tg} | ${dut1_to_tg_ip6} +| | ... | ${prefix6} +| | Vpp Set If IPv6 Addr | ${dut2_node} | ${dut2_to_dut1} | ${dut2_to_dut1_ip4} +| | ... | ${prefix4} +| | Vpp Set If IPv6 Addr | ${dut2_node} | ${dut2_to_tg} | ${dut2_to_tg_ip6} +| | ... | ${prefix6} +| | Add IP Neighbor | ${dut2_node} | ${dut2_to_tg} | ${tg2_ip6} +| | ... | ${tg_to_dut2_mac} +| | Add IP Neighbor | ${dut1_node} | ${dut1_to_dut2} | ${dut2_to_dut1_ip4} +| | ... | ${dut2_to_dut1_mac} +| | Add IP Neighbor | ${dut2_node} | ${dut2_to_dut1} | ${dut1_to_dut2_ip4} +| | ... | ${dut1_to_dut2_mac} +| | Add IP Neighbor | ${dut1_node} | ${dut1_to_tg} | ${tg1_ip6} +| | ... | ${tg_to_dut1_mac} +| | Vpp All RA Suppress Link Layer | ${nodes} +| | Configure LISP GPE topology in 3-node circular topology +| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE} +| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE} +| | ... | ${duts_locator_set} | ${dut1_ip6_eid} | ${dut2_ip6_eid} +| | ... | ${dut1_to_dut2_ip_static_adjacency} +| | ... | ${dut2_to_dut1_ip_static_adjacency} +| | ... | ${vni_table} | ${fib_table} diff --git a/tests/vpp/func/crypto/default/eth2p-ethip4ipsectptlispgpe-ip6basevrf-func.robot b/tests/vpp/func/crypto/default/eth2p-ethip4ipsectptlispgpe-ip6basevrf-func.robot new file mode 100644 index 0000000000..8c131181f3 --- /dev/null +++ b/tests/vpp/func/crypto/default/eth2p-ethip4ipsectptlispgpe-ip6basevrf-func.robot @@ -0,0 +1,135 @@ +# Copyright (c) 2016 Cisco and/or its affiliates. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +*** Settings *** +| Library | resources.libraries.python.topology.Topology +| Library | resources.libraries.python.NodePath +| Library | resources.libraries.python.Trace +| Library | resources.libraries.python.IPUtil +| Library | resources.libraries.python.L2Util +| Library | resources.libraries.python.LispUtil +| Library | resources.libraries.python.IPsecUtil +| Library | resources.libraries.python.VatJsonUtil +| Library | resources.libraries.python.IPv6Setup +| Library | resources.libraries.python.VhostUser +| Library | resources.libraries.python.QemuUtils +| Library | resources.libraries.python.VPPUtil +| Library | String +| Resource | resources/libraries/robot/shared/traffic.robot +| Resource | resources/libraries/robot/shared/default.robot +| Resource | resources/libraries/robot/shared/interfaces.robot +| Resource | resources/libraries/robot/shared/testing_path.robot +| Resource | resources/libraries/robot/ip/ip6.robot +| Resource | resources/libraries/robot/crypto/ipsec.robot +| Resource | resources/libraries/robot/vm/qemu.robot +| Resource | resources/libraries/robot/overlay/lispgpe.robot +| Resource | resources/libraries/robot/l2/l2_bridge_domain.robot +# Import configuration and test data: +| Variables | resources/test_data/lisp/ipv6_lispgpe_ipv4/ipv6_lispgpe_ipsec_ipv4.py +| ... +| Force Tags | 3_NODE_SINGLE_LINK_TOPO | VM_ENV | LISP | SKIP_VPP_PATCH +| ... +| Test Setup | Set up functional test +| ... +| Test Teardown | Tear down LISP functional test +| ... +| Documentation | *IPv6 - ip4-ipsec-lispgpe-ip6 - main fib, vrf, virt2lisp,\ +| ... | phy2lisp* +| ... +| ... | *[Top] Network Topologies:* TG-DUT1-DUT2-TG 3-node circular topology\ +| ... | with single links between nodes. +| ... | *[Enc] Packet Encapsulations:* Eth-IPv4-LISPGPE-IPSec-IPv6-ICMP,\ +| ... | Eth-IPv4-IPSec-LISPGPE-IPv6-ICMP +| ... | *[Cfg] DUT configuration:* Each DUT is configured with LISP and IPsec.\ +| ... | IPsec is in transport mode. Tests cases are for IPsec configured both\ +| ... | on RLOC interface or lisp_gpe0 interface. +| ... | *[Ver] TG verification:* Packet is send from TG(if1) across the DUT1 to\ +| ... | DUT2 where it is forwarded to TG(if2). +| ... | *[Ref] Applicable standard specifications:* RFC6830, RFC4303. + +*** Test Cases *** +| TC01: DUT1 and DUT2 route IPv6 bidirectionally over LISP GPE tunnel using physical interfaces and VRF is enabled +| | [Documentation] +| | ... | [Top] TG-DUT1-DUT2-TG. +| | ... | [Enc] Eth-IPv4-IPSec-LISPGPE-IPv6-ICMPv6 on DUT1-DUT2,\ +| | ... | Eth-IPv6-ICMPv6, on TG-DUTn. +| | ... | [Cfg] Configure IPv4 LISP static adjacencies on DUT1 and DUT2 with\ +| | ... | IPsec in between DUTS. +| | ... | [Ver] Case: ip4-ipsec-lispgpe-ip6 - vrf, phy2lisp +| | ... | Make TG send ICMPv6 Echo Req between its interfaces across both\ +| | ... | DUTs and LISP GPE tunnel between them; verify IPv6 headers on\ +| | ... | received packets are correct. +| | ... | [Ref] RFC6830, RFC4303. +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Configure path in 3-node circular topology +| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']} +| | And Set interfaces in 3-node circular topology up +| | And Add Fib Table | ${dut1_node} | ${fib_table_1} | ip6=${TRUE} +| | And Add Fib Table | ${dut2_node} | ${fib_table_1} | ip6=${TRUE} +| | Assign Interface To Fib Table | ${dut1_node} +| | ... | ${dut1_to_tg} | ${fib_table_1} | ip6=${TRUE} +| | Assign Interface To Fib Table | ${dut2_node} +| | ... | ${dut2_to_tg} | ${fib_table_1} | ip6=${TRUE} +| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut1_node} | ${dut1_to_dut2} | ${encr_alg} | ${encr_key} +| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi} +| | ... | ${dut1_to_dut2_ip4} | ${dut2_to_dut1_ip4} +| | And Configure manual keyed connection for IPSec +| | ... | ${dut2_node} | ${dut2_to_dut1} | ${encr_alg} | ${encr_key} +| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi} +| | ... | ${dut2_to_dut1_ip4} | ${dut1_to_dut2_ip4} +| | Setup Topology And Lisp | ${fib_table_1} | ${dut1_dut2_vni} +| | Then Send packet and verify headers +| | ... | ${tg_node} | ${tg1_ip6} | ${tg2_ip6} +| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac} +| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac} +| | And Send packet and verify headers +| | ... | ${tg_node} | ${tg2_ip6} | ${tg1_ip6} +| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac} +| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac} + +*** Keywords *** +| Setup Topology And Lisp +| | [Documentation] | Setup IPs and neighbors for interfaces on DUT1 and DUT2\ +| | ... | and then setup LISP. +| | [Arguments] | ${fib_table}=0 | ${vni_table}=0 | ${ip6}=${FALSE} +| | Configure path in 3-node circular topology +| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']} +| | Set interfaces in 3-node circular topology up +| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip4} +| | ... | ${prefix4} +| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_tg} | ${dut1_to_tg_ip6} +| | ... | ${prefix6} +| | Vpp Set If IPv6 Addr | ${dut2_node} | ${dut2_to_dut1} | ${dut2_to_dut1_ip4} +| | ... | ${prefix4} +| | Vpp Set If IPv6 Addr | ${dut2_node} | ${dut2_to_tg} | ${dut2_to_tg_ip6} +| | ... | ${prefix6} +| | Add IP Neighbor | ${dut2_node} | ${dut2_to_tg} | ${tg2_ip6} +| | ... | ${tg_to_dut2_mac} +| | Add IP Neighbor | ${dut1_node} | ${dut1_to_dut2} | ${dut2_to_dut1_ip4} +| | ... | ${dut2_to_dut1_mac} +| | Add IP Neighbor | ${dut2_node} | ${dut2_to_dut1} | ${dut1_to_dut2_ip4} +| | ... | ${dut1_to_dut2_mac} +| | Add IP Neighbor | ${dut1_node} | ${dut1_to_tg} | ${tg1_ip6} +| | ... | ${tg_to_dut1_mac} +| | Vpp All RA Suppress Link Layer | ${nodes} +| | Configure LISP GPE topology in 3-node circular topology +| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE} +| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE} +| | ... | ${duts_locator_set} | ${dut1_ip6_eid} | ${dut2_ip6_eid} +| | ... | ${dut1_to_dut2_ip_static_adjacency} +| | ... | ${dut2_to_dut1_ip_static_adjacency} +| | ... | ${vni_table} | ${fib_table} diff --git a/tests/vpp/func/crypto/default/eth2p-ethip6ipsectnl-ip6base-func.robot b/tests/vpp/func/crypto/default/eth2p-ethip6ipsectnl-ip6base-func.robot new file mode 100644 index 0000000000..26d109a0b7 --- /dev/null +++ b/tests/vpp/func/crypto/default/eth2p-ethip6ipsectnl-ip6base-func.robot @@ -0,0 +1,523 @@ +# Copyright (c) 2016 Cisco and/or its affiliates. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +*** Settings *** +| Resource | resources/libraries/robot/crypto/ipsec.robot +| Library | resources.libraries.python.Trace +| Force Tags | 3_NODE_SINGLE_LINK_TOPO | 3_NODE_DOUBLE_LINK_TOPO +| ... | VM_ENV | HW_ENV | SKIP_VPP_PATCH +| Test Setup | Set up IPv6 IPSec functional test +| ... +| Test Teardown | Tear down IPSec functional test | ${dut_node} +| ... +| Documentation | *IPv6 IPsec tunnel mode test suite.* +| ... +| ... | *[Top] Network topologies:* TG-DUT1 2-node topology with one link\ +| ... | between nodes. +| ... | *[Cfg] DUT configuration:* On DUT1 create loopback interface, configure +| ... | loopback an physical interface IPv6 addresses, static ARP record, route +| ... | and IPsec manual keyed connection in tunnel mode. +| ... | *[Ver] TG verification:* ESP packet is sent from TG to DUT1. ESP packet +| ... | is received on TG from DUT1. +| ... | *[Ref] Applicable standard specifications:* RFC4303. + +*** Variables *** +| ${tg_spi}= | ${1000} +| ${dut_spi}= | ${1001} +| ${ESP_PROTO}= | ${50} +| ${tg_if_ip6}= | 3ffe:5f::1 +| ${dut_if_ip6}= | 3ffe:5f::2 +| ${tg_lo_ip6}= | 3ffe:60::3 +| ${dut_lo_ip6}= | 3ffe:60::4 +| ${ip6_plen}= | ${64} +| ${ip6_plen_rt}= | ${128} + +*** Test Cases *** +| TC01: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC02: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA1-96 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA1-96 in tunnel mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 192 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC03: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA1-96 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA1-96 in tunnel mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 256 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC04: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-256-128 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-256-128 in tunnel\ +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA 256 128 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC05: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-256-128 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in tunnel\ +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ${encr_alg}= | Crypto Alg AES CBC 192 +| | ${auth_alg}= | Integ Alg SHA 256 128 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC06: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-256-128 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-256-128 in tunnel\ +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 256 +| | ${auth_alg}= | Integ Alg SHA 256 128 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC07: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-384-192 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-384-192 in tunnel\ +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA 384 192 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC08: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-384-192 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-384-192 in tunnel\ +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 192 +| | ${auth_alg}= | Integ Alg SHA 384 192 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC09: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-384-192 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in tunnel\ +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ${encr_alg}= | Crypto Alg AES CBC 256 +| | ${auth_alg}= | Integ Alg SHA 384 192 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC10: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-512-256 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-512-256 in tunnel\ +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA 512 256 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC11: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-512-256 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-512-256 in tunnel\ +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 192 +| | ${auth_alg}= | Integ Alg SHA 512 256 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC12: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-512-256 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in tunnel\ +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ${encr_alg}= | Crypto Alg AES CBC 256 +| | ${auth_alg}= | Integ Alg SHA 512 256 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC13: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. +| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\ +| | ... | encryption key stored on VPP node from TG to VPP node and expect no\ +| | ... | response to be received on TG. +| | ... | [Ref] RFC4303. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC14: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. +| | ... | [Ver] Send an ESP packet authenticated by integrity key different\ +| | ... | from integrity key stored on VPP node from TG to VPP node and expect\ +| | ... | no response to be received on TG. +| | ... | [Ref] RFC4303. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC15: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption and integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. +| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\ +| | ... | by encryption key different from integrity and encryption keys stored\ +| | ... | on VPP node from TG to VPP node and expect no response to be received\ +| | ... | on TG. +| | ... | [Ref] RFC4303. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC16: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node before\ +| | ... | and after SA keys update. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${new_auth_key} +| | ... | ${tg_spi} | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC17: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\ +| | ... | encryption key stored on VPP node from TG to VPP node and expect no\ +| | ... | response to be received on TG before and after SA keys update. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${new_auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC18: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send an ESP packet authenticated by integrity key different\ +| | ... | from integrity key stored on VPP node from TG to VPP node and expect\ +| | ... | no response to be received on TG before and after SA keys update. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC19: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\ +| | ... | by encryption key different from integrity and encryption keys stored\ +| | ... | on VPP node from TG to VPP node and expect no response to be received\ +| | ... | on TG before and after SA keys update. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +*** Keywords *** +| Get Second Random String +| | [Arguments] | ${req_alg} | ${req_type} +| | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg} +| | ${key}= | Set Variable If | '${req_type}' == 'Crypto' | ${encr_key} +| | ... | '${req_type}' == 'Integ' | ${auth_key} +| | :FOR | ${index} | IN RANGE | 100 +| | | ${req_key}= | Generate Random String | ${req_key_len} +| | | Return From Keyword If | '${req_key}' != '${key}' | ${req_key} diff --git a/tests/vpp/func/crypto/default/eth2p-ethip6ipsectpt-ip6base-func.robot b/tests/vpp/func/crypto/default/eth2p-ethip6ipsectpt-ip6base-func.robot new file mode 100644 index 0000000000..e36630b681 --- /dev/null +++ b/tests/vpp/func/crypto/default/eth2p-ethip6ipsectpt-ip6base-func.robot @@ -0,0 +1,487 @@ +# Copyright (c) 2016 Cisco and/or its affiliates. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +*** Settings *** +| Resource | resources/libraries/robot/crypto/ipsec.robot +| Library | resources.libraries.python.Trace +| Force Tags | 3_NODE_SINGLE_LINK_TOPO | 3_NODE_DOUBLE_LINK_TOPO +| ... | VM_ENV | HW_ENV | SKIP_VPP_PATCH +| Test Setup | Set up IPv6 IPSec functional test +| ... +| Test Teardown | Tear down IPSec functional test | ${dut_node} +| ... +| Documentation | *IPv6 IPsec transport mode test suite.* +| ... +| ... | *[Top] Network topologies:* TG-DUT1 2-node topology with one link\ +| ... | between nodes. +| ... | *[Cfg] DUT configuration:* On DUT1 create loopback interface, configure +| ... | loopback an physical interface IPv6 addresses, static ARP record, route +| ... | and IPsec manual keyed connection in transport mode. +| ... | *[Ver] TG verification:* ESP packet is sent from TG to DUT1. ESP packet +| ... | is received on TG from DUT1. +| ... | *[Ref] Applicable standard specifications:* RFC4303. + +*** Variables *** +| ${tg_spi}= | ${1000} +| ${dut_spi}= | ${1001} +| ${ESP_PROTO}= | ${50} +| ${tg_if_ip6}= | 3ffe:5f::1 +| ${dut_if_ip6}= | 3ffe:5f::2 +| ${tg_lo_ip6}= | 3ffe:60::3 +| ${dut_lo_ip6}= | 3ffe:60::4 +| ${ip6_plen}= | ${64} +| ${ip6_plen_rt}= | ${128} + +*** Test Cases *** +| TC01: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC02: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA1-96 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA1-96 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 192 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC03: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA1-96 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA1-96 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 256 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC04: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-256-128 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-256-128 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA 256 128 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC05: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-256-128 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ${encr_alg}= | Crypto Alg AES CBC 192 +| | ${auth_alg}= | Integ Alg SHA 256 128 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC06: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-256-128 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-256-128 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 256 +| | ${auth_alg}= | Integ Alg SHA 256 128 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC07: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-384-192 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-384-192 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA 384 192 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC08: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-384-192 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-384-192 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 192 +| | ${auth_alg}= | Integ Alg SHA 384 192 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC09: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-384-192 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ${encr_alg}= | Crypto Alg AES CBC 256 +| | ${auth_alg}= | Integ Alg SHA 384 192 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC10: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-512-256 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-512-256 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA 512 256 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC11: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-512-256 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-512-256 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | [Tags] | SKIP_PATCH +| | ${encr_alg}= | Crypto Alg AES CBC 192 +| | ${auth_alg}= | Integ Alg SHA 512 256 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC12: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-512-256 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ${encr_alg}= | Crypto Alg AES CBC 256 +| | ${auth_alg}= | Integ Alg SHA 512 256 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC13: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ +| | ... | mode. +| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\ +| | ... | encryption key stored on VPP node from TG to VPP node and expect no\ +| | ... | response to be received on TG. +| | ... | [Ref] RFC4303. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC14: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ +| | ... | mode. +| | ... | [Ver] Send an ESP packet authenticated by integrity key different\ +| | ... | from integrity key stored on VPP node from TG to VPP node and expect\ +| | ... | no response to be received on TG. +| | ... | [Ref] RFC4303. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC15: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption and integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ +| | ... | mode. +| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\ +| | ... | by encryption key different from integrity and encryption keys stored\ +| | ... | on VPP node from TG to VPP node and expect no response to be received\ +| | ... | on TG. +| | ... | [Ref] RFC4303. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC16: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node before\ +| | ... | and after SA keys update. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${new_auth_key} +| | ... | ${tg_spi} | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC17: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\ +| | ... | encryption key stored on VPP node from TG to VPP node and expect no\ +| | ... | response to be received on TG before and after SA keys update. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${new_auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC18: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send an ESP packet authenticated by integrity key different\ +| | ... | from integrity key stored on VPP node from TG to VPP node and expect\ +| | ... | no response to be received on TG before and after SA keys update. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC19: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\ +| | ... | by encryption key different from integrity and encryption keys stored\ +| | ... | on VPP node from TG to VPP node and expect no response to be received\ +| | ... | on TG before and after SA keys update. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +*** Keywords *** +| Get Second Random String +| | [Arguments] | ${req_alg} | ${req_type} +| | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg} +| | ${key}= | Set Variable If | '${req_type}' == 'Crypto' | ${encr_key} +| | ... | '${req_type}' == 'Integ' | ${auth_key} +| | :FOR | ${index} | IN RANGE | 100 +| | | ${req_key}= | Generate Random String | ${req_key_len} +| | | Return From Keyword If | '${req_key}' != '${key}' | ${req_key} diff --git a/tests/vpp/func/crypto/default/eth2p-ethip6ipsectptlispgpe-ip4base-func.robot b/tests/vpp/func/crypto/default/eth2p-ethip6ipsectptlispgpe-ip4base-func.robot new file mode 100644 index 0000000000..f3bc2e28b1 --- /dev/null +++ b/tests/vpp/func/crypto/default/eth2p-ethip6ipsectptlispgpe-ip4base-func.robot @@ -0,0 +1,158 @@ +# Copyright (c) 2016 Cisco and/or its affiliates. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +*** Settings *** +| Library | resources.libraries.python.topology.Topology +| Library | resources.libraries.python.NodePath +| Library | resources.libraries.python.Trace +| Library | resources.libraries.python.IPUtil +| Library | resources.libraries.python.L2Util +| Library | resources.libraries.python.LispUtil +| Library | resources.libraries.python.IPsecUtil +| Library | resources.libraries.python.VatJsonUtil +| Library | resources.libraries.python.IPv6Setup +| Library | resources.libraries.python.VhostUser +| Library | resources.libraries.python.QemuUtils +| Library | String +| Resource | resources/libraries/robot/shared/traffic.robot +| Resource | resources/libraries/robot/shared/default.robot +| Resource | resources/libraries/robot/shared/interfaces.robot +| Resource | resources/libraries/robot/shared/testing_path.robot +| Resource | resources/libraries/robot/ip/ip6.robot +| Resource | resources/libraries/robot/crypto/ipsec.robot +| Resource | resources/libraries/robot/vm/qemu.robot +| Resource | resources/libraries/robot/overlay/lispgpe.robot +| Resource | resources/libraries/robot/l2/l2_bridge_domain.robot +# Import configuration and test data: +| Variables | resources/test_data/lisp/ipv4_lispgpe_ipv6/ipv4_lispgpe_ipsec_ipv6.py +| ... +| Force Tags | 3_NODE_SINGLE_LINK_TOPO | VM_ENV | LISP | SKIP_VPP_PATCH +| ... +| Test Setup | Set up functional test +| ... +| Test Teardown | Tear down functional test +| ... +| Documentation | *IPv6 - ip4-ipsec-lispgpe-ip6 - main fib, virt2lisp, phy2lisp* +| ... +| ... | *[Top] Network Topologies:* TG-DUT1-DUT2-TG 3-node circular topology\ +| ... | with single links between nodes. +| ... | *[Enc] Packet Encapsulations:* Eth-IPv6-LISPGPE-IPSec-IPv4-ICMP,\ +| ... | Eth-IPv6-IPSec-LISPGPE-IPv4-ICMP +| ... | *[Cfg] DUT configuration:* Each DUT is configured with LISP and IPsec.\ +| ... | IPsec is in transport mode. Tests cases are for IPsec configured both\ +| ... | on RLOC interface or lisp_gpe0 interface. +| ... | *[Ver] TG verification:* Packet is send from TG(if1) across the DUT1 to\ +| ... | DUT2 where it is forwarded to TG(if2). +| ... | *[Ref] Applicable standard specifications:* RFC6830, RFC4303. + +*** Test Cases *** +| TC01: DUT1 and DUT2 route IPv4 bidirectionally over LISP GPE tunnel using IPsec (transport) on RLOC Int. +| | [Documentation] +| | ... | [Top] TG-DUT1-DUT2-TG. +| | ... | [Enc] Eth-IPv6-LISPGPE-IPSec-IPv4-ICMP on DUT1-DUT2, Eth-IPv4-ICMP\ +| | ... | on TG-DUTn. +| | ... | [Cfg] Configure IPv6 LISP static adjacencies on DUT1 and DUT2 with\ +| | ... | IPsec in between DUTS. +| | ... | [Ver] Make TG send ICMPv6 Echo Req between its interfaces across\ +| | ... | both DUTs and LISP GPE tunnel between them; verify IPv4 headers on\ +| | ... | received packets are correct. +| | ... | [Ref] RFC6830, RFC4303. +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Setup Topology And Lisp +| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut1_node} | ${dut1_to_dut2} | ${encr_alg} | ${encr_key} +| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi} +| | ... | ${dut1_to_dut2_ip6} | ${dut2_to_dut1_ip6} +| | And Configure manual keyed connection for IPSec +| | ... | ${dut2_node} | ${dut2_to_dut1} | ${encr_alg} | ${encr_key} +| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi} +| | ... | ${dut2_to_dut1_ip6} | ${dut1_to_dut2_ip6} +| | Then Send packet and verify headers +| | ... | ${tg_node} | ${tg1_ip4} | ${tg2_ip4} +| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac} +| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac} +| | And Send packet and verify headers +| | ... | ${tg_node} | ${tg2_ip4} | ${tg1_ip4} +| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac} +| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac} + +| TC02: DUT1 and DUT2 route IPv4 bidirectionally over LISP GPE tunnel using IPsec (transport) on lisp_gpe0 Int. +| | [Documentation] +| | ... | [Top] TG-DUT1-DUT2-TG. +| | ... | [Enc] Eth-IPv6-IPSec-LISPGPE-IPv4-ICMPv4 on DUT1-DUT2, Eth-IPv4-ICMP\ +| | ... | on TG-DUTn. +| | ... | [Cfg] Configure IPv6 LISP static adjacencies on DUT1 and DUT2 with\ +| | ... | IPsec in between DUTS. +| | ... | [Ver] Make TG send ICMPv6 Echo Req between its interfaces across\ +| | ... | both DUTs and LISP GPE tunnel between them; verify IPv4 headers on\ +| | ... | received packets are correct. +| | ... | [Ref] RFC6830, RFC4303. +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Setup Topology And Lisp +| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | ${lisp_if_idx}= | resources.libraries.python.InterfaceUtil.get sw if index +| | ... | ${dut1_node} | ${lisp_gpe_int} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut1_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key} +| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi} +| | ... | ${dut1_to_dut2_ip6} | ${dut2_to_dut1_ip6} +| | And Configure manual keyed connection for IPSec +| | ... | ${dut2_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key} +| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi} +| | ... | ${dut2_to_dut1_ip6} | ${dut1_to_dut2_ip6} +| | Then Send packet and verify headers +| | ... | ${tg_node} | ${tg1_ip4} | ${tg2_ip4} +| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac} +| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac} +| | And Send packet and verify headers +| | ... | ${tg_node} | ${tg2_ip4} | ${tg1_ip4} +| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac} +| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac} + +*** Keywords *** +| Setup Topology And Lisp +| | [Documentation] | Setup IPs and neighbors for interfaces on DUT1 and DUT2\ +| | ... | and then setup LISP. +| | Configure path in 3-node circular topology +| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']} +| | Set interfaces in 3-node circular topology up +| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip6} +| | ... | ${prefix6} +| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip6} +| | ... | ${prefix6} +| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_tg} | ${dut1_to_tg_ip4} +| | ... | ${prefix4} +| | Vpp Set If IPv6 Addr | ${dut2_node} | ${dut2_to_dut1} | ${dut2_to_dut1_ip6} +| | ... | ${prefix6} +| | Vpp Set If IPv6 Addr | ${dut2_node} | ${dut2_to_tg} | ${dut2_to_tg_ip4} +| | ... | ${prefix4} +| | Add IP Neighbor | ${dut2_node} | ${dut2_to_tg} | ${tg2_ip4} +| | ... | ${tg_to_dut2_mac} +| | Add IP Neighbor | ${dut1_node} | ${dut1_to_dut2} | ${dut2_to_dut1_ip6} +| | ... | ${dut2_to_dut1_mac} +| | Add IP Neighbor | ${dut2_node} | ${dut2_to_dut1} | ${dut1_to_dut2_ip6} +| | ... | ${dut1_to_dut2_mac} +| | Add IP Neighbor | ${dut1_node} | ${dut1_to_tg} | ${tg1_ip4} +| | ... | ${tg_to_dut1_mac} +| | Vpp All RA Suppress Link Layer | ${nodes} +| | Configure LISP GPE topology in 3-node circular topology +| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE} +| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE} +| | ... | ${duts_locator_set} | ${dut1_ip4_eid} | ${dut2_ip4_eid} +| | ... | ${dut1_to_dut2_ip_static_adjacency} +| | ... | ${dut2_to_dut1_ip_static_adjacency} diff --git a/tests/vpp/func/crypto/default/eth2p-ethip6ipsectptlispgpe-ip6base-func.robot b/tests/vpp/func/crypto/default/eth2p-ethip6ipsectptlispgpe-ip6base-func.robot new file mode 100644 index 0000000000..ca81b425c8 --- /dev/null +++ b/tests/vpp/func/crypto/default/eth2p-ethip6ipsectptlispgpe-ip6base-func.robot @@ -0,0 +1,174 @@ +# Copyright (c) 2016 Cisco and/or its affiliates. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +*** Settings *** +| Library | resources.libraries.python.topology.Topology +| Library | resources.libraries.python.NodePath +| Library | resources.libraries.python.Trace +| Library | resources.libraries.python.IPUtil +| Library | resources.libraries.python.L2Util +| Library | resources.libraries.python.LispUtil +| Library | resources.libraries.python.VPPUtil +| Library | resources.libraries.python.IPsecUtil +| Library | resources.libraries.python.VatJsonUtil +| Library | resources.libraries.python.IPv6Setup +| Library | resources.libraries.python.VhostUser +| Library | resources.libraries.python.QemuUtils +| Library | String +| Resource | resources/libraries/robot/shared/traffic.robot +| Resource | resources/libraries/robot/shared/default.robot +| Resource | resources/libraries/robot/shared/interfaces.robot +| Resource | resources/libraries/robot/shared/testing_path.robot +| Resource | resources/libraries/robot/ip/ip6.robot +| Resource | resources/libraries/robot/crypto/ipsec.robot +| Resource | resources/libraries/robot/vm/qemu.robot +| Resource | resources/libraries/robot/overlay/lispgpe.robot +| Resource | resources/libraries/robot/l2/l2_bridge_domain.robot +# Import configuration and test data: +| Variables | resources/test_data/lisp/ipv6_lispgpe_ipv6/ipv6_lispgpe_ipsec_ipv6.py +| ... +| Force Tags | 3_NODE_SINGLE_LINK_TOPO | VM_ENV | LISP | SKIP_VPP_PATCH +| ... +| Test Setup | Run Keywords | Set up functional test +| ... | AND | Vpp All Ra Suppress Link Layer | ${nodes} +| ... +| Test Teardown | Tear down functional test +| ... +| Documentation | *IPv6 - ip6-ipsec-lispgpe-ip6 - main fib, +| ... | vrf (gpe_vni-to-vrf), phy2lisp, virt2lisp* +| ... +| ... | *[Top] Network Topologies:* TG-DUT1-DUT2-TG 3-node circular topology\ +| ... | with single links between nodes. +| ... | *[Enc] Packet Encapsulations:* Eth-IPv6-IPSec-LISPGPE-IPv6-ICMPv6,\ +| ... | *[Cfg] DUT configuration:* Each DUT is configured with LISP and IPsec.\ +| ... | IPsec is in transport mode. Tests cases are for IPsec configured both\ +| ... | on RLOC interface or lisp_gpe0 interface. +| ... | *[Ver] TG verification:* Packet is send from TG(if1) across the DUT1\ +| ... | to DUT2 where it is forwarded to TG(if2). +| ... | *[Ref] Applicable standard specifications:* RFC6830, RFC4303. + +*** Variables *** +| ${dut2_spi}= | ${1000} +| ${dut1_spi}= | ${1001} + +| ${ESP_PROTO}= | ${50} + +| ${bid}= | 10 + +*** Test Cases *** +| TC01: DUT1 and DUT2 route IPv6 bidirectionally over LISP GPE tunnel using IPsec (transport) on RLOC Int. +| | [Documentation] +| | ... | [Top] TG-DUT1-DUT2-TG. +| | ... | [Enc] Eth-IPv6-IPSec-LISPGPE-IPv6-ICMPv6 on DUT1-DUT2,\ +| | ... | Eth-IPv6-ICMPv6 on TG-DUTn. +| | ... | [Cfg] Configure IPv6 LISP static adjacencies on DUT1 and DUT2 with\ +| | ... | IPsec in between DUTS. +| | ... | [Ver] Case: ip6-lispgpe-ipsec-ip6 - main fib, phys2lisp\ +| | ... | Make TG send ICMPv6 Echo Req between its interfaces across\ +| | ... | both DUTs and LISP GPE tunnel between them; verify IPv6 headers on\ +| | ... | received packets are correct. +| | ... | [Ref] RFC6830, RFC4303. +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Setup Topology +| | And Configure LISP GPE topology in 3-node circular topology +| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE} +| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE} +| | ... | ${duts_locator_set} | ${dut1_ip6_eid} | ${dut2_ip6_eid} +| | ... | ${dut1_to_dut2_ip6_static_adjacency} +| | ... | ${dut2_to_dut1_ip6_static_adjacency} +| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut1_node} | ${dut1_to_dut2} | ${encr_alg} | ${encr_key} +| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi} +| | ... | ${dut1_to_dut2_ip6} | ${dut2_to_dut1_ip6} +| | And Configure manual keyed connection for IPSec +| | ... | ${dut2_node} | ${dut2_to_dut1} | ${encr_alg} | ${encr_key} +| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi} +| | ... | ${dut2_to_dut1_ip6} | ${dut1_to_dut2_ip6} +| | Then Send packet and verify headers +| | ... | ${tg_node} | ${tg1_ip6} | ${tg2_ip6} +| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac} +| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac} +| | And Send packet and verify headers +| | ... | ${tg_node} | ${tg2_ip6} | ${tg1_ip6} +| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac} +| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac} + +| TC02: DUT1 and DUT2 route IPv6 bidirectionally over LISP GPE tunnel using IPsec (transport) lisp_gpe0 Int. +| | [Documentation] +| | ... | [Top] TG-DUT1-DUT2-TG. +| | ... | [Enc] Eth-IPv6-IPSec-LISPGPE-IPv6-ICMPv6 on DUT1-DUT2,\ +| | ... | Eth-IPv6-ICMPv6 on TG-DUTn. +| | ... | [Cfg] Configure IPv6 LISP static adjacencies on DUT1 and DUT2 with\ +| | ... | IPsec in between DUTS. +| | ... | [Ver] Case: ip6-ipsec-lispgpe-ip6 - main fib, phys2lisp\ +| | ... | Make TG send ICMPv6 Echo Req between its interfaces across\ +| | ... | both DUTs and LISP GPE tunnel between them; verify IPv6 headers on\ +| | ... | received packets are correct. +| | ... | [Ref] RFC6830, RFC4303. +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Setup Topology +| | And Configure LISP GPE topology in 3-node circular topology +| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE} +| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE} +| | ... | ${duts_locator_set} | ${dut1_ip6_eid} | ${dut2_ip6_eid} +| | ... | ${dut1_to_dut2_ip6_static_adjacency} +| | ... | ${dut2_to_dut1_ip6_static_adjacency} +| | ${lisp_if_idx}= | resources.libraries.python.InterfaceUtil.get sw if index +| | ... | ${dut1_node} | lisp_gpe0 +| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut1_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key} +| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi} | ${tg1_ip6} +| | ... | ${tg2_ip6} +| | And Configure manual keyed connection for IPSec +| | ... | ${dut2_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key} +| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi} | ${tg2_ip6} +| | ... | ${tg1_ip6} +| | Then Send packet and verify headers +| | ... | ${tg_node} | ${tg1_ip6} | ${tg2_ip6} +| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac} +| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac} +| | And Send packet and verify headers +| | ... | ${tg_node} | ${tg2_ip6} | ${tg1_ip6} +| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac} +| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac} + +*** Keywords *** +| Setup Topology +| | Configure path in 3-node circular topology +| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']} +| | Set interfaces in 3-node circular topology up +| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip6} +| | ... | ${prefix6} +| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip6} +| | ... | ${prefix6} +| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_tg} | ${dut1_to_tg_ip6} +| | ... | ${prefix6} +| | Vpp Set If IPv6 Addr | ${dut2_node} | ${dut2_to_dut1} | ${dut2_to_dut1_ip6} +| | ... | ${prefix6} +| | Vpp Set If IPv6 Addr | ${dut2_node} | ${dut2_to_tg} | ${dut2_to_tg_ip6} +| | ... | ${prefix6} +| | Add IP Neighbor | ${dut1_node} | ${dut1_to_tg} | ${tg1_ip6} +| | ... | ${tg_to_dut1_mac} +| | Add IP Neighbor | ${dut2_node} | ${dut2_to_tg} | ${tg2_ip6} +| | ... | ${tg_to_dut2_mac} +| | Add IP Neighbor | ${dut1_node} | ${dut1_to_dut2} | ${dut2_to_dut1_ip6} +| | ... | ${dut2_to_dut1_mac} +| | Add IP Neighbor | ${dut2_node} | ${dut2_to_dut1} | ${dut1_to_dut2_ip6} +| | ... | ${dut1_to_dut2_mac} +| | Vpp All RA Suppress Link Layer | ${nodes} diff --git a/tests/vpp/func/crypto/eth2p-ethip4ipsectnl-ip4base-func.robot b/tests/vpp/func/crypto/eth2p-ethip4ipsectnl-ip4base-func.robot deleted file mode 100644 index 814d8ee45c..0000000000 --- a/tests/vpp/func/crypto/eth2p-ethip4ipsectnl-ip4base-func.robot +++ /dev/null @@ -1,523 +0,0 @@ -# Copyright (c) 2016 Cisco and/or its affiliates. -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -*** Settings *** -| Resource | resources/libraries/robot/crypto/ipsec.robot -| Library | resources.libraries.python.Trace -| Force Tags | 3_NODE_SINGLE_LINK_TOPO | 3_NODE_DOUBLE_LINK_TOPO -| ... | VM_ENV | HW_ENV | SKIP_VPP_PATCH -| ... -| Test Setup | Set up IPv4 IPSec functional test -| ... -| Test Teardown | Tear down IPSec functional test | ${dut_node} -| ... -| Documentation | *IPv4 IPsec tunnel mode test suite.* -| ... -| ... | *[Top] Network topologies:* TG-DUT1 2-node topology with one link\ -| ... | between nodes. -| ... | *[Cfg] DUT configuration:* On DUT1 create loopback interface, configure\ -| ... | loopback an physical interface IPv4 addresses, static ARP record, route\ -| ... | and IPsec manual keyed connection in tunnel mode. -| ... | *[Ver] TG verification:* ESP packet is sent from TG to DUT1. ESP packet\ -| ... | is received on TG from DUT1. -| ... | *[Ref] Applicable standard specifications:* RFC4303. - -*** Variables *** -| ${tg_spi}= | ${1000} -| ${dut_spi}= | ${1001} -| ${ESP_PROTO}= | ${50} -| ${tg_if_ip4}= | 192.168.100.2 -| ${dut_if_ip4}= | 192.168.100.3 -| ${tg_lo_ip4}= | 192.168.3.3 -| ${dut_lo_ip4}= | 192.168.4.4 -| ${ip4_plen}= | ${24} - -*** Test Cases *** -| TC01: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC02: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA1-96 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-192 and integrity algorithm SHA1-96 in tunnel mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | [Tags] | SKIP_PATCH -| | ${encr_alg}= | Crypto Alg AES CBC 192 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC03: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA1-96 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-256 and integrity algorithm SHA1-96 in tunnel mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | [Tags] | SKIP_PATCH -| | ${encr_alg}= | Crypto Alg AES CBC 256 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC04: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-256-128 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-256-128 in tunnel\ -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | [Tags] | SKIP_PATCH -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA 256 128 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC05: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-256-128 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in tunnel\ -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | ${encr_alg}= | Crypto Alg AES CBC 192 -| | ${auth_alg}= | Integ Alg SHA 256 128 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC06: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-256-128 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-256-128 in tunnel\ -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | [Tags] | SKIP_PATCH -| | ${encr_alg}= | Crypto Alg AES CBC 256 -| | ${auth_alg}= | Integ Alg SHA 256 128 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC07: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-384-192 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-384-192 in tunnel\ -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | [Tags] | SKIP_PATCH -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA 384 192 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC08: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-384-192 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-384-192 in tunnel\ -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | [Tags] | SKIP_PATCH -| | ${encr_alg}= | Crypto Alg AES CBC 192 -| | ${auth_alg}= | Integ Alg SHA 384 192 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC09: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-384-192 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in tunnel\ -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | ${encr_alg}= | Crypto Alg AES CBC 256 -| | ${auth_alg}= | Integ Alg SHA 384 192 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC10: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-512-256 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-512-256 in tunnel\ -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | [Tags] | SKIP_PATCH -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA 512 256 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC11: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-512-256 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-512-256 in tunnel\ -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | [Tags] | SKIP_PATCH -| | ${encr_alg}= | Crypto Alg AES CBC 192 -| | ${auth_alg}= | Integ Alg SHA 512 256 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC12: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-512-256 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in tunnel\ -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | ${encr_alg}= | Crypto Alg AES CBC 256 -| | ${auth_alg}= | Integ Alg SHA 512 256 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC13: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption alogrithms used -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. -| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\ -| | ... | encryption key stored on VPP node from TG to VPP node and expect no\ -| | ... | response to be received on TG. -| | ... | [Ref] RFC4303. -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC14: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different integrity alogrithms used -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. -| | ... | [Ver] Send an ESP packet authenticated by integrity key different\ -| | ... | from integrity key stored on VPP node from TG to VPP node and expect\ -| | ... | no response to be received on TG. -| | ... | [Ref] RFC4303. -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC15: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption and integrity alogrithms used -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. -| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\ -| | ... | by encryption key different from integrity and encryption keys stored\ -| | ... | on VPP node from TG to VPP node and expect no response to be received\ -| | ... | on TG. -| | ... | [Ref] RFC4303. -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto -| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC16: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\ -| | ... | mode. Then update SA keys - use new keys. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node before\ -| | ... | and after SA keys update. -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} -| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto -| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ -| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} -| | ... | ${new_encr_key} | ${new_auth_key} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${new_auth_key} -| | ... | ${tg_spi} | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC17: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel -| | ... | mode. Then update SA keys - use new keys. -| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\ -| | ... | encryption key stored on VPP node from TG to VPP node and expect no\ -| | ... | response to be received on TG before and after SA keys update. -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} -| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto -| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ -| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} -| | ... | ${new_encr_key} | ${new_auth_key} -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${new_auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC18: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\ -| | ... | mode. Then update SA keys - use new keys. -| | ... | [Ver] Send an ESP packet authenticated by integrity key different\ -| | ... | from integrity key stored on VPP node from TG to VPP node and expect\ -| | ... | no response to be received on TG before and after SA keys update. -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} -| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto -| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ -| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} -| | ... | ${new_encr_key} | ${new_auth_key} -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC19: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\ -| | ... | mode. Then update SA keys - use new keys. -| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\ -| | ... | by encryption key different from integrity and encryption keys stored\ -| | ... | on VPP node from TG to VPP node and expect no response to be received\ -| | ... | on TG before and after SA keys update. -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto -| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} -| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto -| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ -| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} -| | ... | ${new_encr_key} | ${new_auth_key} -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -*** Keywords *** -| Get Second Random String -| | [Arguments] | ${req_alg} | ${req_type} -| | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg} -| | ${key}= | Set Variable If | '${req_type}' == 'Crypto' | ${encr_key} -| | ... | '${req_type}' == 'Integ' | ${auth_key} -| | :FOR | ${index} | IN RANGE | 100 -| | | ${req_key}= | Generate Random String | ${req_key_len} -| | | Return From Keyword If | '${req_key}' != '${key}' | ${req_key} diff --git a/tests/vpp/func/crypto/eth2p-ethip4ipsectpt-ip4base-func.robot b/tests/vpp/func/crypto/eth2p-ethip4ipsectpt-ip4base-func.robot deleted file mode 100644 index e599cf9506..0000000000 --- a/tests/vpp/func/crypto/eth2p-ethip4ipsectpt-ip4base-func.robot +++ /dev/null @@ -1,487 +0,0 @@ -# Copyright (c) 2016 Cisco and/or its affiliates. -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -*** Settings *** -| Resource | resources/libraries/robot/crypto/ipsec.robot -| Library | resources.libraries.python.Trace -| Force Tags | 3_NODE_SINGLE_LINK_TOPO | 3_NODE_DOUBLE_LINK_TOPO -| ... | VM_ENV | HW_ENV | SKIP_VPP_PATCH -| Test Setup | Set up IPv4 IPSec functional test -| ... -| Test Teardown | Tear down IPSec functional test | ${dut_node} -| ... -| Documentation | *IPv4 IPsec transport mode test suite.* -| ... -| ... | *[Top] Network topologies:* TG-DUT1 2-node topology with one link\ -| ... | between nodes. -| ... | *[Cfg] DUT configuration:* On DUT1 create loopback interface, configure\ -| ... | loopback an physical interface IPv4 addresses, static ARP record, route\ -| ... | and IPsec manual keyed connection in transport mode. -| ... | *[Ver] TG verification:* ESP packet is sent from TG to DUT1. ESP packet\ -| ... | is received on TG from DUT1. -| ... | *[Ref] Applicable standard specifications:* RFC4303. - -*** Variables *** -| ${tg_spi}= | ${1000} -| ${dut_spi}= | ${1001} -| ${ESP_PROTO}= | ${50} -| ${tg_if_ip4}= | 192.168.100.2 -| ${dut_if_ip4}= | 192.168.100.3 -| ${tg_lo_ip4}= | 192.168.3.3 -| ${dut_lo_ip4}= | 192.168.4.4 -| ${ip4_plen}= | ${24} - -*** Test Cases *** -| TC01: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC02: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA1-96 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-192 and integrity algorithm SHA1-96 in transport -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | [Tags] | SKIP_PATCH -| | ${encr_alg}= | Crypto Alg AES CBC 192 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC03: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA1-96 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-256 and integrity algorithm SHA1-96 in transport -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | [Tags] | SKIP_PATCH -| | ${encr_alg}= | Crypto Alg AES CBC 256 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC04: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-256-128 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-256-128 in transport -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | [Tags] | SKIP_PATCH -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA 256 128 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC05: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-256-128 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in transport -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | ${encr_alg}= | Crypto Alg AES CBC 192 -| | ${auth_alg}= | Integ Alg SHA 256 128 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC06: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-256-128 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-256-128 in transport -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | [Tags] | SKIP_PATCH -| | ${encr_alg}= | Crypto Alg AES CBC 256 -| | ${auth_alg}= | Integ Alg SHA 256 128 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC07: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-384-192 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-384-192 in transport -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | [Tags] | SKIP_PATCH -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA 384 192 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC08: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-384-192 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-384-192 in transport -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | [Tags] | SKIP_PATCH -| | ${encr_alg}= | Crypto Alg AES CBC 192 -| | ${auth_alg}= | Integ Alg SHA 384 192 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC09: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-384-192 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in transport -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | ${encr_alg}= | Crypto Alg AES CBC 256 -| | ${auth_alg}= | Integ Alg SHA 384 192 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC10: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-512-256 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-512-256 in transport -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | [Tags] | SKIP_PATCH -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA 512 256 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC11: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-512-256 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-512-256 in transport -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | [Tags] | SKIP_PATCH -| | ${encr_alg}= | Crypto Alg AES CBC 192 -| | ${auth_alg}= | Integ Alg SHA 512 256 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC12: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-512-256 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in transport -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | ${encr_alg}= | Crypto Alg AES CBC 256 -| | ${auth_alg}= | Integ Alg SHA 512 256 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - - -| TC13: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption alogrithms used -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ -| | ... | mode. -| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\ -| | ... | encryption key stored on VPP node from TG to VPP node and expect no\ -| | ... | response to be received on TG. -| | ... | [Ref] RFC4303. -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC14: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different integrity alogrithms used -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ -| | ... | mode. -| | ... | [Ver] Send an ESP packet authenticated by integrity key different\ -| | ... | from integrity key stored on VPP node from TG to VPP node and expect\ -| | ... | no response to be received on TG. -| | ... | [Ref] RFC4303. -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC15: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption and integrity alogrithms used -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ -| | ... | mode. -| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\ -| | ... | by encryption key different from integrity and encryption keys stored\ -| | ... | on VPP node from TG to VPP node and expect no response to be received\ -| | ... | on TG. -| | ... | [Ref] RFC4303. -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto -| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC16: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ -| | ... | mode. Then update SA keys - use new keys. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node before\ -| | ... | and after SA keys update. -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} -| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto -| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ -| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} -| | ... | ${new_encr_key} | ${new_auth_key} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${new_auth_key} -| | ... | ${tg_spi} | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC17: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ -| | ... | mode. Then update SA keys - use new keys. -| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\ -| | ... | encryption key stored on VPP node from TG to VPP node and expect no\ -| | ... | response to be received on TG before and after SA keys update. -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} -| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto -| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ -| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} -| | ... | ${new_encr_key} | ${new_auth_key} -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${new_auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC18: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ -| | ... | mode. Then update SA keys - use new keys. -| | ... | [Ver] Send an ESP packet authenticated by integrity key different\ -| | ... | from integrity key stored on VPP node from TG to VPP node and expect\ -| | ... | no response to be received on TG before and after SA keys update. -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} -| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto -| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ -| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} -| | ... | ${new_encr_key} | ${new_auth_key} -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC19: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ -| | ... | mode. Then update SA keys - use new keys. -| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\ -| | ... | by encryption key different from integrity and encryption keys stored\ -| | ... | on VPP node from TG to VPP node and expect no response to be received\ -| | ... | on TG before and after SA keys update. -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto -| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} -| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto -| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ -| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} -| | ... | ${new_encr_key} | ${new_auth_key} -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -*** Keywords *** -| Get Second Random String -| | [Arguments] | ${req_alg} | ${req_type} -| | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg} -| | ${key}= | Set Variable If | '${req_type}' == 'Crypto' | ${encr_key} -| | ... | '${req_type}' == 'Integ' | ${auth_key} -| | :FOR | ${index} | IN RANGE | 100 -| | | ${req_key}= | Generate Random String | ${req_key_len} -| | | Return From Keyword If | '${req_key}' != '${key}' | ${req_key} diff --git a/tests/vpp/func/crypto/eth2p-ethip4ipsectptlispgpe-ip4base-func.robot b/tests/vpp/func/crypto/eth2p-ethip4ipsectptlispgpe-ip4base-func.robot deleted file mode 100644 index 15c10d40fc..0000000000 --- a/tests/vpp/func/crypto/eth2p-ethip4ipsectptlispgpe-ip4base-func.robot +++ /dev/null @@ -1,270 +0,0 @@ -# Copyright (c) 2016 Cisco and/or its affiliates. -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -*** Settings *** -| Library | resources.libraries.python.topology.Topology -| Library | resources.libraries.python.NodePath -| Library | resources.libraries.python.Trace -| Library | resources.libraries.python.LispUtil -| Library | resources.libraries.python.VhostUser -| Library | resources.libraries.python.QemuUtils -| Library | resources.libraries.python.VPPUtil -| Library | resources.libraries.python.IPsecUtil -| Resource | resources/libraries/robot/shared/traffic.robot -| Resource | resources/libraries/robot/shared/default.robot -| Resource | resources/libraries/robot/shared/interfaces.robot -| Resource | resources/libraries/robot/shared/testing_path.robot -| Resource | resources/libraries/robot/crypto/ipsec.robot -| Resource | resources/libraries/robot/vm/qemu.robot -| Resource | resources/libraries/robot/overlay/lispgpe.robot -| Resource | resources/libraries/robot/l2/l2_bridge_domain.robot -| Resource | resources/libraries/robot/overlay/l2lisp.robot -# Import configuration and test data: -| Variables | resources/test_data/lisp/ipv4_ipsec_lispgpe_ipv4/ipv4_ipsec_lispgpe_ipv4.py -| ... -| Force Tags | 3_NODE_SINGLE_LINK_TOPO | VM_ENV | LISP | SKIP_VPP_PATCH -| ... -| Test Setup | Set up functional test -| ... -| Test Teardown | Tear down LISP functional test -| ... -| Documentation | *IPv4-ip4-ipsec-lispgpe-ip4 - main fib, vrf (gpe_vni-to-vrf)* -| ... -| ... | *[Top] Network Topologies:* TG-DUT1-DUT2-TG 3-node circular topology\ -| ... | with single links between nodes. -| ... | *[Enc] Packet Encapsulations:* ICMPv4-IPv4-IPSec-LISPGPE-IPv4-ICMPv4. -| ... | *[Cfg] DUT configuration:* Each DUT is configured with LISP and IPsec.\ -| ... | IPsec is in transport mode. Tests cases are for IPsec configured both\ -| ... | on RLOC interface or lisp_gpe0 interface. -| ... | *[Ver] TG verification:* Packet is send from TG(if1) across the DUT1 to\ -| ... | DUT2 where it is forwarded to TG(if2). -| ... | *[Ref] Applicable standard specifications:* RFC6830, RFC4303. - -*** Variables *** -| ${dut2_spi}= | ${1000} -| ${dut1_spi}= | ${1001} - -| ${ESP_PROTO}= | ${50} - -| ${bid}= | 10 - -*** Test Cases *** -| TC01: DUT1 and DUT2 route IPv4 bidirectionally over LISP GPE tunnel using IPsec (transport) on RLOC Int. -| | [Documentation] -| | ... | [Top] TG-DUT1-DUT2-TG. -| | ... | [Enc] Eth-IPv4-IPSec-LISPGPE-IPv4-ICMPv4 on DUT1-DUT2,\ -| | ... | Eth-IPv4-ICMPv4 on TG-DUTn. -| | ... | [Cfg] Configure IPv4 LISP static adjacencies on DUT1 and DUT2 with\ -| | ... | IPsec in between DUTs. -| | ... | [Ver] Case: ip4-lispgpe-ipsec-ip4 - main fib -| | ... | Make TG send ICMPv4 Echo Req between its interfaces across both\ -| | ... | DUTs and LISP GPE tunnel between them; verify IPv4 headers on\ -| | ... | received packets are correct. -| | ... | [Ref] RFC6830, RFC4303. -| | ... -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Setup 3-node Topology -| | And Add IP Neighbors -| | And Configure LISP GPE topology in 3-node circular topology -| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE} -| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE} -| | ... | ${duts_locator_set} | ${dut1_ip4_eid} | ${dut2_ip4_eid} -| | ... | ${dut1_to_dut2_ip4_static_adjacency} -| | ... | ${dut2_to_dut1_ip4_static_adjacency} -| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut1_node} | ${dut1_to_dut2} | ${encr_alg} | ${encr_key} -| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi} -| | ... | ${dut1_to_dut2_ip4} | ${dut2_to_dut1_ip4} -| | And Configure manual keyed connection for IPSec -| | ... | ${dut2_node} | ${dut2_to_dut1} | ${encr_alg} | ${encr_key} -| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi} -| | ... | ${dut2_to_dut1_ip4} | ${dut1_to_dut2_ip4} -| | Then Send packet and verify headers -| | ... | ${tg_node} | ${tg1_ip4} | ${tg2_ip4} -| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac} -| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac} -| | And Send packet and verify headers -| | ... | ${tg_node} | ${tg2_ip4} | ${tg1_ip4} -| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac} -| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac} - -| TC02: DUT1 and DUT2 route IPv4 bidirectionally over LISP GPE tunnel using IPsec (transport) lisp_gpe0 Int. -| | [Documentation] -| | ... | [Top] TG-DUT1-DUT2-TG. -| | ... | [Enc] Eth-IPv4-IPSec-LISPGPE-IPv4-ICMPv4 on DUT1-DUT2,\ -| | ... | Eth-IPv4-ICMPv4 on TG-DUTn. -| | ... | [Cfg] Configure IPv4 LISP static adjacencies on DUT1 and DUT2 with\ -| | ... | IPsec in between DUTs. -| | ... | [Ver] Case: ip4-ipsec-lispgpe-ip4 - main fib -| | ... | Make TG send ICMPv4 Echo Req between its interfaces across both\ -| | ... | DUTs and LISP GPE tunnel between them; verify IPv4 headers on\ -| | ... | received packets are correct. -| | ... | [Ref] RFC6830, RFC4303. -| | ... -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Setup 3-node Topology -| | And Add IP Neighbors -| | And Configure LISP GPE topology in 3-node circular topology -| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE} -| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE} -| | ... | ${duts_locator_set} | ${dut1_ip4_eid} | ${dut2_ip4_eid} -| | ... | ${dut1_to_dut2_ip4_static_adjacency} -| | ... | ${dut2_to_dut1_ip4_static_adjacency} -| | ${lisp_if_idx}= | resources.libraries.python.InterfaceUtil.Get sw if index -| | ... | ${dut1_node} | lisp_gpe0 -| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut1_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key} -| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi} | ${tg1_ip4} -| | ... | ${tg2_ip4} -| | And Configure manual keyed connection for IPSec -| | ... | ${dut2_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key} -| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi} | ${tg2_ip4} -| | ... | ${tg1_ip4} -| | Then Send packet and verify headers -| | ... | ${tg_node} | ${tg1_ip4} | ${tg2_ip4} -| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac} -| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac} -| | And Send packet and verify headers -| | ... | ${tg_node} | ${tg2_ip4} | ${tg1_ip4} -| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac} -| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac} - -| TC03: DUT1 and DUT2 route IPv4 bidirectionally over LISP GPE tunnel using IPsec (transport) on RLOC Int and VRF on EID is enabled. -| | [Documentation] -| | ... | [Top] TG-DUT1-DUT2-TG. -| | ... | [Enc] Eth-IPv4-IPSec-LISPGPE-IPv4-ICMPv4 on DUT1-DUT2,\ -| | ... | Eth-IPv4-ICMPv4 on TG-DUTn. -| | ... | [Cfg] Configure IPv4 LISP static adjacencies on DUT1 and DUT2 with\ -| | ... | IPsec in between DUTs. -| | ... | [Ver] Case: ip4-lispgpe-ipsec-ip4 - vrf, main fib -| | ... | Make TG send ICMPv4 Echo Req between its interfaces across both\ -| | ... | DUTs and LISP GPE tunnel between them; verify IPv4 headers on\ -| | ... | received packets are correct. -| | ... | [Ref] RFC6830, RFC4303. -| | ... -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Setup 3-node Topology | ${fib_table_1} -| | And Add IP Neighbors -| | When Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | And Configure LISP GPE topology in 3-node circular topology -| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE} -| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE} -| | ... | ${duts_locator_set} | ${dut1_ip4_eid} | ${dut2_ip4_eid} -| | ... | ${dut1_to_dut2_ip4_static_adjacency} -| | ... | ${dut2_to_dut1_ip4_static_adjacency} -| | ... | ${dut1_dut2_vni} | ${fib_table_1} -| | And Configure manual keyed connection for IPSec -| | ... | ${dut1_node} | ${dut1_to_dut2} | ${encr_alg} | ${encr_key} -| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi} -| | ... | ${dut1_to_dut2_ip4} | ${dut2_to_dut1_ip4} -| | And Configure manual keyed connection for IPSec -| | ... | ${dut2_node} | ${dut2_to_dut1} | ${encr_alg} | ${encr_key} -| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi} -| | ... | ${dut2_to_dut1_ip4} | ${dut1_to_dut2_ip4} -| | Then Send packet and verify headers -| | ... | ${tg_node} | ${tg1_ip4} | ${tg2_ip4} -| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac} -| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac} -| | And Send packet and verify headers -| | ... | ${tg_node} | ${tg2_ip4} | ${tg1_ip4} -| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac} -| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac} - -| TC04: DUT1 and DUT2 route IPv4 bidirectionally over LISP GPE tunnel using IPsec (transport) on lisp_gpe0 Int and VRF is enabled. -| | [Documentation] -| | ... | [Top] TG-DUT1-DUT2-TG. -| | ... | [Enc] Eth-IPv4-IPSec-LISPGPE-IPv4-ICMPv4 on DUT1-DUT2,\ -| | ... | Eth-IPv4-ICMPv4 on TG-DUTn. -| | ... | [Cfg] Configure IPv4 LISP static adjacencies on DUT1 and DUT2 with\ -| | ... | IPsec in between DUTs. -| | ... | [Ver] Case: ip4-ipsec-lispgpe-ip4 - vrf, main fib -| | ... | Make TG send ICMPv4 Echo Req between its interfaces across both\ -| | ... | DUTs and LISP GPE tunnel between them; verify IPv4 headers on\ -| | ... | received packets are correct. -| | ... | [Ref] RFC6830, RFC4303. -| | ... -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Setup 3-node Topology | ${fib_table_1} -| | And Add IP Neighbors -| | And Configure LISP GPE topology in 3-node circular topology -| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE} -| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE} -| | ... | ${duts_locator_set} | ${dut1_ip4_eid} | ${dut2_ip4_eid} -| | ... | ${dut1_to_dut2_ip4_static_adjacency} -| | ... | ${dut2_to_dut1_ip4_static_adjacency} -| | ... | ${dut1_dut2_vni} | ${fib_table_1} -| | When Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | ${lisp_if_idx}= | resources.libraries.python.InterfaceUtil.Get sw if index -| | ... | ${dut1_node} | lisp_gpe0 -| | And Configure manual keyed connection for IPSec -| | ... | ${dut1_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key} -| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi} | ${tg1_ip4} -| | ... | ${tg2_ip4} -| | And Configure manual keyed connection for IPSec -| | ... | ${dut2_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key} -| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi} | ${tg2_ip4} -| | ... | ${tg1_ip4} -| | Then Send packet and verify headers -| | ... | ${tg_node} | ${tg1_ip4} | ${tg2_ip4} -| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac} -| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac} -| | And Send packet and verify headers -| | ... | ${tg_node} | ${tg2_ip4} | ${tg1_ip4} -| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac} -| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac} - -*** Keywords *** -| Setup 3-node Topology -| | [Documentation] -| | ... | Setup 3-node topology for this test suite. Set all physical\ -| | ... | interfaces up and assing IP adresses to them.\ -| | ... | You can specify fib table ID where the DUT-TG interfaces assign to.\ -| | ... | Default is 0. -| | ... -| | [Arguments] | ${fib_table}=0 -| | Configure path in 3-node circular topology -| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']} -| | Set interfaces in 3-node circular topology up -| | And Add Fib Table | ${dut1_node} | ${fib_table} -| | Assign Interface To Fib Table | ${dut1_node} -| | ... | ${dut1_to_tg} | ${fib_table} -| | And Add Fib Table | ${dut2_node} | ${fib_table} -| | Assign Interface To Fib Table | ${dut2_node} -| | ... | ${dut2_to_tg} | ${fib_table} -| | Set Interface Address | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip4} -| | ... | ${prefix4} -| | Set Interface Address | ${dut1_node} | ${dut1_to_tg} | ${dut1_to_tg_ip4} -| | ... | ${prefix4} -| | Set Interface Address | ${dut2_node} | ${dut2_to_dut1} | ${dut2_to_dut1_ip4} -| | ... | ${prefix4} -| | Set Interface Address | ${dut2_node} | ${dut2_to_tg} | ${dut2_to_tg_ip4} -| | ... | ${prefix4} - -| Add IP Neighbors -| | [Documentation] -| | ... | Add IP neighbors to physical interfaces on DUTs. -| | ... -| | Add IP Neighbor | ${dut1_node} | ${dut1_to_tg} | ${tg1_ip4} -| | ... | ${tg_to_dut1_mac} -| | Add IP Neighbor | ${dut2_node} | ${dut2_to_tg} | ${tg2_ip4} -| | ... | ${tg_to_dut2_mac} -| | Add IP Neighbor | ${dut1_node} | ${dut1_to_dut2} | ${dut2_to_dut1_ip4} -| | ... | ${dut2_to_dut1_mac} -| | Add IP Neighbor | ${dut2_node} | ${dut2_to_dut1} | ${dut1_to_dut2_ip4} -| | ... | ${dut1_to_dut2_mac} diff --git a/tests/vpp/func/crypto/eth2p-ethip4ipsectptlispgpe-ip6base-func.robot b/tests/vpp/func/crypto/eth2p-ethip4ipsectptlispgpe-ip6base-func.robot deleted file mode 100644 index 550c9405cc..0000000000 --- a/tests/vpp/func/crypto/eth2p-ethip4ipsectptlispgpe-ip6base-func.robot +++ /dev/null @@ -1,160 +0,0 @@ -# Copyright (c) 2016 Cisco and/or its affiliates. -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -*** Settings *** -| Library | resources.libraries.python.topology.Topology -| Library | resources.libraries.python.NodePath -| Library | resources.libraries.python.Trace -| Library | resources.libraries.python.IPUtil -| Library | resources.libraries.python.L2Util -| Library | resources.libraries.python.LispUtil -| Library | resources.libraries.python.IPsecUtil -| Library | resources.libraries.python.VatJsonUtil -| Library | resources.libraries.python.IPv6Setup -| Library | resources.libraries.python.VhostUser -| Library | resources.libraries.python.QemuUtils -| Library | resources.libraries.python.VPPUtil -| Library | String -| Resource | resources/libraries/robot/shared/traffic.robot -| Resource | resources/libraries/robot/shared/default.robot -| Resource | resources/libraries/robot/shared/interfaces.robot -| Resource | resources/libraries/robot/shared/testing_path.robot -| Resource | resources/libraries/robot/ip/ip6.robot -| Resource | resources/libraries/robot/crypto/ipsec.robot -| Resource | resources/libraries/robot/vm/qemu.robot -| Resource | resources/libraries/robot/overlay/lispgpe.robot -| Resource | resources/libraries/robot/l2/l2_bridge_domain.robot -# Import configuration and test data: -| Variables | resources/test_data/lisp/ipv6_lispgpe_ipv4/ipv6_lispgpe_ipsec_ipv4.py -| ... -| Force Tags | 3_NODE_SINGLE_LINK_TOPO | VM_ENV | LISP | SKIP_VPP_PATCH -| ... -| Test Setup | Set up functional test -| ... -| Test Teardown | Tear down LISP functional test -| ... -| Documentation | *IPv6 - ip4-ipsec-lispgpe-ip6 - main fib, vrf, virt2lisp,\ -| ... | phy2lisp* -| ... -| ... | *[Top] Network Topologies:* TG-DUT1-DUT2-TG 3-node circular topology\ -| ... | with single links between nodes. -| ... | *[Enc] Packet Encapsulations:* Eth-IPv4-LISPGPE-IPSec-IPv6-ICMP,\ -| ... | Eth-IPv4-IPSec-LISPGPE-IPv6-ICMP -| ... | *[Cfg] DUT configuration:* Each DUT is configured with LISP and IPsec.\ -| ... | IPsec is in transport mode. Tests cases are for IPsec configured both\ -| ... | on RLOC interface or lisp_gpe0 interface. -| ... | *[Ver] TG verification:* Packet is send from TG(if1) across the DUT1 to\ -| ... | DUT2 where it is forwarded to TG(if2). -| ... | *[Ref] Applicable standard specifications:* RFC6830, RFC4303. - -*** Test Cases *** -| TC01: DUT1 and DUT2 route IPv4 bidirectionally over LISP GPE tunnel using IPsec (transport) on RLOC Int. -| | [Documentation] -| | ... | [Top] TG-DUT1-DUT2-TG. -| | ... | [Enc] Eth-IPv4-LISPGPE-IPSec-IPv6-ICMP on DUT1-DUT2, Eth-IPv6-ICMP\ -| | ... | on TG-DUTn. -| | ... | [Cfg] Configure IPv6 LISP static adjacencies on DUT1 and DUT2 with\ -| | ... | IPsec in between DUTS. -| | ... | [Ver] Make TG send ICMPv6 Echo Req between its interfaces across\ -| | ... | both DUTs and LISP GPE tunnel between them; verify IPv6 headers on\ -| | ... | received packets are correct. -| | ... | [Ref] RFC6830, RFC4303. -| | ... -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Setup Topology And Lisp -| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut1_node} | ${dut1_to_dut2} | ${encr_alg} | ${encr_key} -| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi} -| | ... | ${dut1_to_dut2_ip4} | ${dut2_to_dut1_ip4} -| | And Configure manual keyed connection for IPSec -| | ... | ${dut2_node} | ${dut2_to_dut1} | ${encr_alg} | ${encr_key} -| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi} -| | ... | ${dut2_to_dut1_ip4} | ${dut1_to_dut2_ip4} -| | Then Send packet and verify headers -| | ... | ${tg_node} | ${tg1_ip6} | ${tg2_ip6} -| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac} -| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac} -| | And Send packet and verify headers -| | ... | ${tg_node} | ${tg2_ip6} | ${tg1_ip6} -| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac} -| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac} - -| TC02: DUT1 and DUT2 route IPv4 bidirectionally over LISP GPE tunnel using IPsec (transport) on lisp_gpe0 Int. -| | [Documentation] -| | ... | [Top] TG-DUT1-DUT2-TG. -| | ... | [Enc] Eth-IPv4-IPSec-LISPGPE-IPv6-ICMPv6 on DUT1-DUT2, Eth-IPv6-ICMP\ -| | ... | on TG-DUTn. -| | ... | [Cfg] Configure IPv4 LISP static adjacencies on DUT1 and DUT2 with\ -| | ... | IPsec in between DUTS. -| | ... | [Ver] Make TG send ICMPv6 Echo Req between its interfaces across\ -| | ... | both DUTs and LISP GPE tunnel between them; verify IPv6 headers on\ -| | ... | received packets are correct. -| | ... | [Ref] RFC6830, RFC4303. -| | ... -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Setup Topology And Lisp -| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | ${lisp_if_idx}= | resources.libraries.python.InterfaceUtil.get sw if index -| | ... | ${dut1_node} | ${lisp_gpe_int} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut1_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key} -| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi} -| | ... | ${dut1_to_dut2_ip4} | ${dut2_to_dut1_ip4} -| | And Configure manual keyed connection for IPSec -| | ... | ${dut2_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key} -| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi} -| | ... | ${dut2_to_dut1_ip4} | ${dut1_to_dut2_ip4} -| | Then Send packet and verify headers -| | ... | ${tg_node} | ${tg1_ip6} | ${tg2_ip6} -| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac} -| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac} -| | And Send packet and verify headers -| | ... | ${tg_node} | ${tg2_ip6} | ${tg1_ip6} -| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac} -| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac} - -*** Keywords *** -| Setup Topology And Lisp -| | [Documentation] | Setup IPs and neighbors for interfaces on DUT1 and DUT2\ -| | ... | and then setup LISP. -| | [Arguments] | ${fib_table}=0 | ${vni_table}=0 | ${ip6}=${FALSE} -| | Configure path in 3-node circular topology -| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']} -| | Set interfaces in 3-node circular topology up -| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip4} -| | ... | ${prefix4} -| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_tg} | ${dut1_to_tg_ip6} -| | ... | ${prefix6} -| | Vpp Set If IPv6 Addr | ${dut2_node} | ${dut2_to_dut1} | ${dut2_to_dut1_ip4} -| | ... | ${prefix4} -| | Vpp Set If IPv6 Addr | ${dut2_node} | ${dut2_to_tg} | ${dut2_to_tg_ip6} -| | ... | ${prefix6} -| | Add IP Neighbor | ${dut2_node} | ${dut2_to_tg} | ${tg2_ip6} -| | ... | ${tg_to_dut2_mac} -| | Add IP Neighbor | ${dut1_node} | ${dut1_to_dut2} | ${dut2_to_dut1_ip4} -| | ... | ${dut2_to_dut1_mac} -| | Add IP Neighbor | ${dut2_node} | ${dut2_to_dut1} | ${dut1_to_dut2_ip4} -| | ... | ${dut1_to_dut2_mac} -| | Add IP Neighbor | ${dut1_node} | ${dut1_to_tg} | ${tg1_ip6} -| | ... | ${tg_to_dut1_mac} -| | Vpp All RA Suppress Link Layer | ${nodes} -| | Configure LISP GPE topology in 3-node circular topology -| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE} -| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE} -| | ... | ${duts_locator_set} | ${dut1_ip6_eid} | ${dut2_ip6_eid} -| | ... | ${dut1_to_dut2_ip_static_adjacency} -| | ... | ${dut2_to_dut1_ip_static_adjacency} -| | ... | ${vni_table} | ${fib_table} diff --git a/tests/vpp/func/crypto/eth2p-ethip4ipsectptlispgpe-ip6basevrf-func.robot b/tests/vpp/func/crypto/eth2p-ethip4ipsectptlispgpe-ip6basevrf-func.robot deleted file mode 100644 index 8c131181f3..0000000000 --- a/tests/vpp/func/crypto/eth2p-ethip4ipsectptlispgpe-ip6basevrf-func.robot +++ /dev/null @@ -1,135 +0,0 @@ -# Copyright (c) 2016 Cisco and/or its affiliates. -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -*** Settings *** -| Library | resources.libraries.python.topology.Topology -| Library | resources.libraries.python.NodePath -| Library | resources.libraries.python.Trace -| Library | resources.libraries.python.IPUtil -| Library | resources.libraries.python.L2Util -| Library | resources.libraries.python.LispUtil -| Library | resources.libraries.python.IPsecUtil -| Library | resources.libraries.python.VatJsonUtil -| Library | resources.libraries.python.IPv6Setup -| Library | resources.libraries.python.VhostUser -| Library | resources.libraries.python.QemuUtils -| Library | resources.libraries.python.VPPUtil -| Library | String -| Resource | resources/libraries/robot/shared/traffic.robot -| Resource | resources/libraries/robot/shared/default.robot -| Resource | resources/libraries/robot/shared/interfaces.robot -| Resource | resources/libraries/robot/shared/testing_path.robot -| Resource | resources/libraries/robot/ip/ip6.robot -| Resource | resources/libraries/robot/crypto/ipsec.robot -| Resource | resources/libraries/robot/vm/qemu.robot -| Resource | resources/libraries/robot/overlay/lispgpe.robot -| Resource | resources/libraries/robot/l2/l2_bridge_domain.robot -# Import configuration and test data: -| Variables | resources/test_data/lisp/ipv6_lispgpe_ipv4/ipv6_lispgpe_ipsec_ipv4.py -| ... -| Force Tags | 3_NODE_SINGLE_LINK_TOPO | VM_ENV | LISP | SKIP_VPP_PATCH -| ... -| Test Setup | Set up functional test -| ... -| Test Teardown | Tear down LISP functional test -| ... -| Documentation | *IPv6 - ip4-ipsec-lispgpe-ip6 - main fib, vrf, virt2lisp,\ -| ... | phy2lisp* -| ... -| ... | *[Top] Network Topologies:* TG-DUT1-DUT2-TG 3-node circular topology\ -| ... | with single links between nodes. -| ... | *[Enc] Packet Encapsulations:* Eth-IPv4-LISPGPE-IPSec-IPv6-ICMP,\ -| ... | Eth-IPv4-IPSec-LISPGPE-IPv6-ICMP -| ... | *[Cfg] DUT configuration:* Each DUT is configured with LISP and IPsec.\ -| ... | IPsec is in transport mode. Tests cases are for IPsec configured both\ -| ... | on RLOC interface or lisp_gpe0 interface. -| ... | *[Ver] TG verification:* Packet is send from TG(if1) across the DUT1 to\ -| ... | DUT2 where it is forwarded to TG(if2). -| ... | *[Ref] Applicable standard specifications:* RFC6830, RFC4303. - -*** Test Cases *** -| TC01: DUT1 and DUT2 route IPv6 bidirectionally over LISP GPE tunnel using physical interfaces and VRF is enabled -| | [Documentation] -| | ... | [Top] TG-DUT1-DUT2-TG. -| | ... | [Enc] Eth-IPv4-IPSec-LISPGPE-IPv6-ICMPv6 on DUT1-DUT2,\ -| | ... | Eth-IPv6-ICMPv6, on TG-DUTn. -| | ... | [Cfg] Configure IPv4 LISP static adjacencies on DUT1 and DUT2 with\ -| | ... | IPsec in between DUTS. -| | ... | [Ver] Case: ip4-ipsec-lispgpe-ip6 - vrf, phy2lisp -| | ... | Make TG send ICMPv6 Echo Req between its interfaces across both\ -| | ... | DUTs and LISP GPE tunnel between them; verify IPv6 headers on\ -| | ... | received packets are correct. -| | ... | [Ref] RFC6830, RFC4303. -| | ... -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Configure path in 3-node circular topology -| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']} -| | And Set interfaces in 3-node circular topology up -| | And Add Fib Table | ${dut1_node} | ${fib_table_1} | ip6=${TRUE} -| | And Add Fib Table | ${dut2_node} | ${fib_table_1} | ip6=${TRUE} -| | Assign Interface To Fib Table | ${dut1_node} -| | ... | ${dut1_to_tg} | ${fib_table_1} | ip6=${TRUE} -| | Assign Interface To Fib Table | ${dut2_node} -| | ... | ${dut2_to_tg} | ${fib_table_1} | ip6=${TRUE} -| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut1_node} | ${dut1_to_dut2} | ${encr_alg} | ${encr_key} -| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi} -| | ... | ${dut1_to_dut2_ip4} | ${dut2_to_dut1_ip4} -| | And Configure manual keyed connection for IPSec -| | ... | ${dut2_node} | ${dut2_to_dut1} | ${encr_alg} | ${encr_key} -| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi} -| | ... | ${dut2_to_dut1_ip4} | ${dut1_to_dut2_ip4} -| | Setup Topology And Lisp | ${fib_table_1} | ${dut1_dut2_vni} -| | Then Send packet and verify headers -| | ... | ${tg_node} | ${tg1_ip6} | ${tg2_ip6} -| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac} -| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac} -| | And Send packet and verify headers -| | ... | ${tg_node} | ${tg2_ip6} | ${tg1_ip6} -| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac} -| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac} - -*** Keywords *** -| Setup Topology And Lisp -| | [Documentation] | Setup IPs and neighbors for interfaces on DUT1 and DUT2\ -| | ... | and then setup LISP. -| | [Arguments] | ${fib_table}=0 | ${vni_table}=0 | ${ip6}=${FALSE} -| | Configure path in 3-node circular topology -| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']} -| | Set interfaces in 3-node circular topology up -| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip4} -| | ... | ${prefix4} -| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_tg} | ${dut1_to_tg_ip6} -| | ... | ${prefix6} -| | Vpp Set If IPv6 Addr | ${dut2_node} | ${dut2_to_dut1} | ${dut2_to_dut1_ip4} -| | ... | ${prefix4} -| | Vpp Set If IPv6 Addr | ${dut2_node} | ${dut2_to_tg} | ${dut2_to_tg_ip6} -| | ... | ${prefix6} -| | Add IP Neighbor | ${dut2_node} | ${dut2_to_tg} | ${tg2_ip6} -| | ... | ${tg_to_dut2_mac} -| | Add IP Neighbor | ${dut1_node} | ${dut1_to_dut2} | ${dut2_to_dut1_ip4} -| | ... | ${dut2_to_dut1_mac} -| | Add IP Neighbor | ${dut2_node} | ${dut2_to_dut1} | ${dut1_to_dut2_ip4} -| | ... | ${dut1_to_dut2_mac} -| | Add IP Neighbor | ${dut1_node} | ${dut1_to_tg} | ${tg1_ip6} -| | ... | ${tg_to_dut1_mac} -| | Vpp All RA Suppress Link Layer | ${nodes} -| | Configure LISP GPE topology in 3-node circular topology -| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE} -| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE} -| | ... | ${duts_locator_set} | ${dut1_ip6_eid} | ${dut2_ip6_eid} -| | ... | ${dut1_to_dut2_ip_static_adjacency} -| | ... | ${dut2_to_dut1_ip_static_adjacency} -| | ... | ${vni_table} | ${fib_table} diff --git a/tests/vpp/func/crypto/eth2p-ethip6ipsectnl-ip6base-func.robot b/tests/vpp/func/crypto/eth2p-ethip6ipsectnl-ip6base-func.robot deleted file mode 100644 index 26d109a0b7..0000000000 --- a/tests/vpp/func/crypto/eth2p-ethip6ipsectnl-ip6base-func.robot +++ /dev/null @@ -1,523 +0,0 @@ -# Copyright (c) 2016 Cisco and/or its affiliates. -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -*** Settings *** -| Resource | resources/libraries/robot/crypto/ipsec.robot -| Library | resources.libraries.python.Trace -| Force Tags | 3_NODE_SINGLE_LINK_TOPO | 3_NODE_DOUBLE_LINK_TOPO -| ... | VM_ENV | HW_ENV | SKIP_VPP_PATCH -| Test Setup | Set up IPv6 IPSec functional test -| ... -| Test Teardown | Tear down IPSec functional test | ${dut_node} -| ... -| Documentation | *IPv6 IPsec tunnel mode test suite.* -| ... -| ... | *[Top] Network topologies:* TG-DUT1 2-node topology with one link\ -| ... | between nodes. -| ... | *[Cfg] DUT configuration:* On DUT1 create loopback interface, configure -| ... | loopback an physical interface IPv6 addresses, static ARP record, route -| ... | and IPsec manual keyed connection in tunnel mode. -| ... | *[Ver] TG verification:* ESP packet is sent from TG to DUT1. ESP packet -| ... | is received on TG from DUT1. -| ... | *[Ref] Applicable standard specifications:* RFC4303. - -*** Variables *** -| ${tg_spi}= | ${1000} -| ${dut_spi}= | ${1001} -| ${ESP_PROTO}= | ${50} -| ${tg_if_ip6}= | 3ffe:5f::1 -| ${dut_if_ip6}= | 3ffe:5f::2 -| ${tg_lo_ip6}= | 3ffe:60::3 -| ${dut_lo_ip6}= | 3ffe:60::4 -| ${ip6_plen}= | ${64} -| ${ip6_plen_rt}= | ${128} - -*** Test Cases *** -| TC01: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC02: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA1-96 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-192 and integrity algorithm SHA1-96 in tunnel mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | [Tags] | SKIP_PATCH -| | ${encr_alg}= | Crypto Alg AES CBC 192 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC03: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA1-96 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-256 and integrity algorithm SHA1-96 in tunnel mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | [Tags] | SKIP_PATCH -| | ${encr_alg}= | Crypto Alg AES CBC 256 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC04: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-256-128 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-256-128 in tunnel\ -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | [Tags] | SKIP_PATCH -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA 256 128 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC05: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-256-128 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in tunnel\ -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | ${encr_alg}= | Crypto Alg AES CBC 192 -| | ${auth_alg}= | Integ Alg SHA 256 128 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC06: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-256-128 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-256-128 in tunnel\ -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | [Tags] | SKIP_PATCH -| | ${encr_alg}= | Crypto Alg AES CBC 256 -| | ${auth_alg}= | Integ Alg SHA 256 128 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC07: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-384-192 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-384-192 in tunnel\ -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | [Tags] | SKIP_PATCH -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA 384 192 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC08: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-384-192 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-384-192 in tunnel\ -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | [Tags] | SKIP_PATCH -| | ${encr_alg}= | Crypto Alg AES CBC 192 -| | ${auth_alg}= | Integ Alg SHA 384 192 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC09: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-384-192 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in tunnel\ -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | ${encr_alg}= | Crypto Alg AES CBC 256 -| | ${auth_alg}= | Integ Alg SHA 384 192 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC10: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-512-256 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-512-256 in tunnel\ -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | [Tags] | SKIP_PATCH -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA 512 256 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC11: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-512-256 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-512-256 in tunnel\ -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | [Tags] | SKIP_PATCH -| | ${encr_alg}= | Crypto Alg AES CBC 192 -| | ${auth_alg}= | Integ Alg SHA 512 256 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC12: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-512-256 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in tunnel\ -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | ${encr_alg}= | Crypto Alg AES CBC 256 -| | ${auth_alg}= | Integ Alg SHA 512 256 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC13: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption alogrithms used -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. -| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\ -| | ... | encryption key stored on VPP node from TG to VPP node and expect no\ -| | ... | response to be received on TG. -| | ... | [Ref] RFC4303. -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC14: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different integrity alogrithms used -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. -| | ... | [Ver] Send an ESP packet authenticated by integrity key different\ -| | ... | from integrity key stored on VPP node from TG to VPP node and expect\ -| | ... | no response to be received on TG. -| | ... | [Ref] RFC4303. -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC15: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption and integrity alogrithms used -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. -| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\ -| | ... | by encryption key different from integrity and encryption keys stored\ -| | ... | on VPP node from TG to VPP node and expect no response to be received\ -| | ... | on TG. -| | ... | [Ref] RFC4303. -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto -| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC16: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\ -| | ... | mode. Then update SA keys - use new keys. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node before\ -| | ... | and after SA keys update. -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} -| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto -| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ -| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} -| | ... | ${new_encr_key} | ${new_auth_key} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${new_auth_key} -| | ... | ${tg_spi} | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC17: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel -| | ... | mode. Then update SA keys - use new keys. -| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\ -| | ... | encryption key stored on VPP node from TG to VPP node and expect no\ -| | ... | response to be received on TG before and after SA keys update. -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} -| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto -| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ -| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} -| | ... | ${new_encr_key} | ${new_auth_key} -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${new_auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC18: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\ -| | ... | mode. Then update SA keys - use new keys. -| | ... | [Ver] Send an ESP packet authenticated by integrity key different\ -| | ... | from integrity key stored on VPP node from TG to VPP node and expect\ -| | ... | no response to be received on TG before and after SA keys update. -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} -| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto -| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ -| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} -| | ... | ${new_encr_key} | ${new_auth_key} -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -| TC19: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\ -| | ... | mode. Then update SA keys - use new keys. -| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\ -| | ... | by encryption key different from integrity and encryption keys stored\ -| | ... | on VPP node from TG to VPP node and expect no response to be received\ -| | ... | on TG before and after SA keys update. -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} -| | ... | ${dut_tun_ip} | ${tg_tun_ip} -| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto -| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} -| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto -| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ -| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} -| | ... | ${new_encr_key} | ${new_auth_key} -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} -| | ... | ${dut_tun_ip} - -*** Keywords *** -| Get Second Random String -| | [Arguments] | ${req_alg} | ${req_type} -| | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg} -| | ${key}= | Set Variable If | '${req_type}' == 'Crypto' | ${encr_key} -| | ... | '${req_type}' == 'Integ' | ${auth_key} -| | :FOR | ${index} | IN RANGE | 100 -| | | ${req_key}= | Generate Random String | ${req_key_len} -| | | Return From Keyword If | '${req_key}' != '${key}' | ${req_key} diff --git a/tests/vpp/func/crypto/eth2p-ethip6ipsectpt-ip6base-func.robot b/tests/vpp/func/crypto/eth2p-ethip6ipsectpt-ip6base-func.robot deleted file mode 100644 index e36630b681..0000000000 --- a/tests/vpp/func/crypto/eth2p-ethip6ipsectpt-ip6base-func.robot +++ /dev/null @@ -1,487 +0,0 @@ -# Copyright (c) 2016 Cisco and/or its affiliates. -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -*** Settings *** -| Resource | resources/libraries/robot/crypto/ipsec.robot -| Library | resources.libraries.python.Trace -| Force Tags | 3_NODE_SINGLE_LINK_TOPO | 3_NODE_DOUBLE_LINK_TOPO -| ... | VM_ENV | HW_ENV | SKIP_VPP_PATCH -| Test Setup | Set up IPv6 IPSec functional test -| ... -| Test Teardown | Tear down IPSec functional test | ${dut_node} -| ... -| Documentation | *IPv6 IPsec transport mode test suite.* -| ... -| ... | *[Top] Network topologies:* TG-DUT1 2-node topology with one link\ -| ... | between nodes. -| ... | *[Cfg] DUT configuration:* On DUT1 create loopback interface, configure -| ... | loopback an physical interface IPv6 addresses, static ARP record, route -| ... | and IPsec manual keyed connection in transport mode. -| ... | *[Ver] TG verification:* ESP packet is sent from TG to DUT1. ESP packet -| ... | is received on TG from DUT1. -| ... | *[Ref] Applicable standard specifications:* RFC4303. - -*** Variables *** -| ${tg_spi}= | ${1000} -| ${dut_spi}= | ${1001} -| ${ESP_PROTO}= | ${50} -| ${tg_if_ip6}= | 3ffe:5f::1 -| ${dut_if_ip6}= | 3ffe:5f::2 -| ${tg_lo_ip6}= | 3ffe:60::3 -| ${dut_lo_ip6}= | 3ffe:60::4 -| ${ip6_plen}= | ${64} -| ${ip6_plen_rt}= | ${128} - -*** Test Cases *** -| TC01: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC02: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA1-96 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-192 and integrity algorithm SHA1-96 in transport -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | [Tags] | SKIP_PATCH -| | ${encr_alg}= | Crypto Alg AES CBC 192 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC03: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA1-96 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-256 and integrity algorithm SHA1-96 in transport -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | [Tags] | SKIP_PATCH -| | ${encr_alg}= | Crypto Alg AES CBC 256 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC04: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-256-128 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-256-128 in transport -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | [Tags] | SKIP_PATCH -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA 256 128 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC05: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-256-128 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in transport -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | ${encr_alg}= | Crypto Alg AES CBC 192 -| | ${auth_alg}= | Integ Alg SHA 256 128 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC06: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-256-128 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-256-128 in transport -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | [Tags] | SKIP_PATCH -| | ${encr_alg}= | Crypto Alg AES CBC 256 -| | ${auth_alg}= | Integ Alg SHA 256 128 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC07: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-384-192 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-384-192 in transport -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | [Tags] | SKIP_PATCH -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA 384 192 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC08: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-384-192 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-384-192 in transport -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | [Tags] | SKIP_PATCH -| | ${encr_alg}= | Crypto Alg AES CBC 192 -| | ${auth_alg}= | Integ Alg SHA 384 192 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC09: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-384-192 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in transport -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | ${encr_alg}= | Crypto Alg AES CBC 256 -| | ${auth_alg}= | Integ Alg SHA 384 192 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC10: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-512-256 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-512-256 in transport -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | [Tags] | SKIP_PATCH -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA 512 256 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC11: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-512-256 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-512-256 in transport -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | [Tags] | SKIP_PATCH -| | ${encr_alg}= | Crypto Alg AES CBC 192 -| | ${auth_alg}= | Integ Alg SHA 512 256 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC12: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-512-256 integrity -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in transport -| | ... | mode. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node. -| | ${encr_alg}= | Crypto Alg AES CBC 256 -| | ${auth_alg}= | Integ Alg SHA 512 256 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC13: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption alogrithms used -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ -| | ... | mode. -| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\ -| | ... | encryption key stored on VPP node from TG to VPP node and expect no\ -| | ... | response to be received on TG. -| | ... | [Ref] RFC4303. -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC14: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different integrity alogrithms used -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ -| | ... | mode. -| | ... | [Ver] Send an ESP packet authenticated by integrity key different\ -| | ... | from integrity key stored on VPP node from TG to VPP node and expect\ -| | ... | no response to be received on TG. -| | ... | [Ref] RFC4303. -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC15: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption and integrity alogrithms used -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ -| | ... | mode. -| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\ -| | ... | by encryption key different from integrity and encryption keys stored\ -| | ... | on VPP node from TG to VPP node and expect no response to be received\ -| | ... | on TG. -| | ... | [Ref] RFC4303. -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto -| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC16: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ -| | ... | mode. Then update SA keys - use new keys. -| | ... | [Ver] Send and receive ESP packet between TG and VPP node before\ -| | ... | and after SA keys update. -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} -| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto -| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ -| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} -| | ... | ${new_encr_key} | ${new_auth_key} -| | Then Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${new_auth_key} -| | ... | ${tg_spi} | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC17: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ -| | ... | mode. Then update SA keys - use new keys. -| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\ -| | ... | encryption key stored on VPP node from TG to VPP node and expect no\ -| | ... | response to be received on TG before and after SA keys update. -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} -| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto -| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ -| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} -| | ... | ${new_encr_key} | ${new_auth_key} -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${new_auth_key} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC18: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ -| | ... | mode. Then update SA keys - use new keys. -| | ... | [Ver] Send an ESP packet authenticated by integrity key different\ -| | ... | from integrity key stored on VPP node from TG to VPP node and expect\ -| | ... | no response to be received on TG before and after SA keys update. -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} -| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto -| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ -| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} -| | ... | ${new_encr_key} | ${new_auth_key} -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -| TC19: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used -| | [Documentation] -| | ... | [Top] TG-DUT1. -| | ... | [Ref] RFC4303. -| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ -| | ... | mode. Then update SA keys - use new keys. -| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\ -| | ... | by encryption key different from integrity and encryption keys stored\ -| | ... | on VPP node from TG to VPP node and expect no response to be received\ -| | ... | on TG before and after SA keys update. -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} -| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} -| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto -| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} -| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto -| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ -| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} -| | ... | ${new_encr_key} | ${new_auth_key} -| | Then Run Keyword And Expect Error | ESP packet Rx timeout -| | ... | Send IPsec Packet and verify ESP encapsulation in received packet -| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} -| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} -| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} - -*** Keywords *** -| Get Second Random String -| | [Arguments] | ${req_alg} | ${req_type} -| | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg} -| | ${key}= | Set Variable If | '${req_type}' == 'Crypto' | ${encr_key} -| | ... | '${req_type}' == 'Integ' | ${auth_key} -| | :FOR | ${index} | IN RANGE | 100 -| | | ${req_key}= | Generate Random String | ${req_key_len} -| | | Return From Keyword If | '${req_key}' != '${key}' | ${req_key} diff --git a/tests/vpp/func/crypto/eth2p-ethip6ipsectptlispgpe-ip4base-func.robot b/tests/vpp/func/crypto/eth2p-ethip6ipsectptlispgpe-ip4base-func.robot deleted file mode 100644 index f3bc2e28b1..0000000000 --- a/tests/vpp/func/crypto/eth2p-ethip6ipsectptlispgpe-ip4base-func.robot +++ /dev/null @@ -1,158 +0,0 @@ -# Copyright (c) 2016 Cisco and/or its affiliates. -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -*** Settings *** -| Library | resources.libraries.python.topology.Topology -| Library | resources.libraries.python.NodePath -| Library | resources.libraries.python.Trace -| Library | resources.libraries.python.IPUtil -| Library | resources.libraries.python.L2Util -| Library | resources.libraries.python.LispUtil -| Library | resources.libraries.python.IPsecUtil -| Library | resources.libraries.python.VatJsonUtil -| Library | resources.libraries.python.IPv6Setup -| Library | resources.libraries.python.VhostUser -| Library | resources.libraries.python.QemuUtils -| Library | String -| Resource | resources/libraries/robot/shared/traffic.robot -| Resource | resources/libraries/robot/shared/default.robot -| Resource | resources/libraries/robot/shared/interfaces.robot -| Resource | resources/libraries/robot/shared/testing_path.robot -| Resource | resources/libraries/robot/ip/ip6.robot -| Resource | resources/libraries/robot/crypto/ipsec.robot -| Resource | resources/libraries/robot/vm/qemu.robot -| Resource | resources/libraries/robot/overlay/lispgpe.robot -| Resource | resources/libraries/robot/l2/l2_bridge_domain.robot -# Import configuration and test data: -| Variables | resources/test_data/lisp/ipv4_lispgpe_ipv6/ipv4_lispgpe_ipsec_ipv6.py -| ... -| Force Tags | 3_NODE_SINGLE_LINK_TOPO | VM_ENV | LISP | SKIP_VPP_PATCH -| ... -| Test Setup | Set up functional test -| ... -| Test Teardown | Tear down functional test -| ... -| Documentation | *IPv6 - ip4-ipsec-lispgpe-ip6 - main fib, virt2lisp, phy2lisp* -| ... -| ... | *[Top] Network Topologies:* TG-DUT1-DUT2-TG 3-node circular topology\ -| ... | with single links between nodes. -| ... | *[Enc] Packet Encapsulations:* Eth-IPv6-LISPGPE-IPSec-IPv4-ICMP,\ -| ... | Eth-IPv6-IPSec-LISPGPE-IPv4-ICMP -| ... | *[Cfg] DUT configuration:* Each DUT is configured with LISP and IPsec.\ -| ... | IPsec is in transport mode. Tests cases are for IPsec configured both\ -| ... | on RLOC interface or lisp_gpe0 interface. -| ... | *[Ver] TG verification:* Packet is send from TG(if1) across the DUT1 to\ -| ... | DUT2 where it is forwarded to TG(if2). -| ... | *[Ref] Applicable standard specifications:* RFC6830, RFC4303. - -*** Test Cases *** -| TC01: DUT1 and DUT2 route IPv4 bidirectionally over LISP GPE tunnel using IPsec (transport) on RLOC Int. -| | [Documentation] -| | ... | [Top] TG-DUT1-DUT2-TG. -| | ... | [Enc] Eth-IPv6-LISPGPE-IPSec-IPv4-ICMP on DUT1-DUT2, Eth-IPv4-ICMP\ -| | ... | on TG-DUTn. -| | ... | [Cfg] Configure IPv6 LISP static adjacencies on DUT1 and DUT2 with\ -| | ... | IPsec in between DUTS. -| | ... | [Ver] Make TG send ICMPv6 Echo Req between its interfaces across\ -| | ... | both DUTs and LISP GPE tunnel between them; verify IPv4 headers on\ -| | ... | received packets are correct. -| | ... | [Ref] RFC6830, RFC4303. -| | ... -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Setup Topology And Lisp -| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut1_node} | ${dut1_to_dut2} | ${encr_alg} | ${encr_key} -| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi} -| | ... | ${dut1_to_dut2_ip6} | ${dut2_to_dut1_ip6} -| | And Configure manual keyed connection for IPSec -| | ... | ${dut2_node} | ${dut2_to_dut1} | ${encr_alg} | ${encr_key} -| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi} -| | ... | ${dut2_to_dut1_ip6} | ${dut1_to_dut2_ip6} -| | Then Send packet and verify headers -| | ... | ${tg_node} | ${tg1_ip4} | ${tg2_ip4} -| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac} -| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac} -| | And Send packet and verify headers -| | ... | ${tg_node} | ${tg2_ip4} | ${tg1_ip4} -| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac} -| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac} - -| TC02: DUT1 and DUT2 route IPv4 bidirectionally over LISP GPE tunnel using IPsec (transport) on lisp_gpe0 Int. -| | [Documentation] -| | ... | [Top] TG-DUT1-DUT2-TG. -| | ... | [Enc] Eth-IPv6-IPSec-LISPGPE-IPv4-ICMPv4 on DUT1-DUT2, Eth-IPv4-ICMP\ -| | ... | on TG-DUTn. -| | ... | [Cfg] Configure IPv6 LISP static adjacencies on DUT1 and DUT2 with\ -| | ... | IPsec in between DUTS. -| | ... | [Ver] Make TG send ICMPv6 Echo Req between its interfaces across\ -| | ... | both DUTs and LISP GPE tunnel between them; verify IPv4 headers on\ -| | ... | received packets are correct. -| | ... | [Ref] RFC6830, RFC4303. -| | ... -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Setup Topology And Lisp -| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | ${lisp_if_idx}= | resources.libraries.python.InterfaceUtil.get sw if index -| | ... | ${dut1_node} | ${lisp_gpe_int} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut1_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key} -| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi} -| | ... | ${dut1_to_dut2_ip6} | ${dut2_to_dut1_ip6} -| | And Configure manual keyed connection for IPSec -| | ... | ${dut2_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key} -| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi} -| | ... | ${dut2_to_dut1_ip6} | ${dut1_to_dut2_ip6} -| | Then Send packet and verify headers -| | ... | ${tg_node} | ${tg1_ip4} | ${tg2_ip4} -| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac} -| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac} -| | And Send packet and verify headers -| | ... | ${tg_node} | ${tg2_ip4} | ${tg1_ip4} -| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac} -| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac} - -*** Keywords *** -| Setup Topology And Lisp -| | [Documentation] | Setup IPs and neighbors for interfaces on DUT1 and DUT2\ -| | ... | and then setup LISP. -| | Configure path in 3-node circular topology -| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']} -| | Set interfaces in 3-node circular topology up -| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip6} -| | ... | ${prefix6} -| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip6} -| | ... | ${prefix6} -| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_tg} | ${dut1_to_tg_ip4} -| | ... | ${prefix4} -| | Vpp Set If IPv6 Addr | ${dut2_node} | ${dut2_to_dut1} | ${dut2_to_dut1_ip6} -| | ... | ${prefix6} -| | Vpp Set If IPv6 Addr | ${dut2_node} | ${dut2_to_tg} | ${dut2_to_tg_ip4} -| | ... | ${prefix4} -| | Add IP Neighbor | ${dut2_node} | ${dut2_to_tg} | ${tg2_ip4} -| | ... | ${tg_to_dut2_mac} -| | Add IP Neighbor | ${dut1_node} | ${dut1_to_dut2} | ${dut2_to_dut1_ip6} -| | ... | ${dut2_to_dut1_mac} -| | Add IP Neighbor | ${dut2_node} | ${dut2_to_dut1} | ${dut1_to_dut2_ip6} -| | ... | ${dut1_to_dut2_mac} -| | Add IP Neighbor | ${dut1_node} | ${dut1_to_tg} | ${tg1_ip4} -| | ... | ${tg_to_dut1_mac} -| | Vpp All RA Suppress Link Layer | ${nodes} -| | Configure LISP GPE topology in 3-node circular topology -| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE} -| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE} -| | ... | ${duts_locator_set} | ${dut1_ip4_eid} | ${dut2_ip4_eid} -| | ... | ${dut1_to_dut2_ip_static_adjacency} -| | ... | ${dut2_to_dut1_ip_static_adjacency} diff --git a/tests/vpp/func/crypto/eth2p-ethip6ipsectptlispgpe-ip6base-func.robot b/tests/vpp/func/crypto/eth2p-ethip6ipsectptlispgpe-ip6base-func.robot deleted file mode 100644 index ca81b425c8..0000000000 --- a/tests/vpp/func/crypto/eth2p-ethip6ipsectptlispgpe-ip6base-func.robot +++ /dev/null @@ -1,174 +0,0 @@ -# Copyright (c) 2016 Cisco and/or its affiliates. -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -*** Settings *** -| Library | resources.libraries.python.topology.Topology -| Library | resources.libraries.python.NodePath -| Library | resources.libraries.python.Trace -| Library | resources.libraries.python.IPUtil -| Library | resources.libraries.python.L2Util -| Library | resources.libraries.python.LispUtil -| Library | resources.libraries.python.VPPUtil -| Library | resources.libraries.python.IPsecUtil -| Library | resources.libraries.python.VatJsonUtil -| Library | resources.libraries.python.IPv6Setup -| Library | resources.libraries.python.VhostUser -| Library | resources.libraries.python.QemuUtils -| Library | String -| Resource | resources/libraries/robot/shared/traffic.robot -| Resource | resources/libraries/robot/shared/default.robot -| Resource | resources/libraries/robot/shared/interfaces.robot -| Resource | resources/libraries/robot/shared/testing_path.robot -| Resource | resources/libraries/robot/ip/ip6.robot -| Resource | resources/libraries/robot/crypto/ipsec.robot -| Resource | resources/libraries/robot/vm/qemu.robot -| Resource | resources/libraries/robot/overlay/lispgpe.robot -| Resource | resources/libraries/robot/l2/l2_bridge_domain.robot -# Import configuration and test data: -| Variables | resources/test_data/lisp/ipv6_lispgpe_ipv6/ipv6_lispgpe_ipsec_ipv6.py -| ... -| Force Tags | 3_NODE_SINGLE_LINK_TOPO | VM_ENV | LISP | SKIP_VPP_PATCH -| ... -| Test Setup | Run Keywords | Set up functional test -| ... | AND | Vpp All Ra Suppress Link Layer | ${nodes} -| ... -| Test Teardown | Tear down functional test -| ... -| Documentation | *IPv6 - ip6-ipsec-lispgpe-ip6 - main fib, -| ... | vrf (gpe_vni-to-vrf), phy2lisp, virt2lisp* -| ... -| ... | *[Top] Network Topologies:* TG-DUT1-DUT2-TG 3-node circular topology\ -| ... | with single links between nodes. -| ... | *[Enc] Packet Encapsulations:* Eth-IPv6-IPSec-LISPGPE-IPv6-ICMPv6,\ -| ... | *[Cfg] DUT configuration:* Each DUT is configured with LISP and IPsec.\ -| ... | IPsec is in transport mode. Tests cases are for IPsec configured both\ -| ... | on RLOC interface or lisp_gpe0 interface. -| ... | *[Ver] TG verification:* Packet is send from TG(if1) across the DUT1\ -| ... | to DUT2 where it is forwarded to TG(if2). -| ... | *[Ref] Applicable standard specifications:* RFC6830, RFC4303. - -*** Variables *** -| ${dut2_spi}= | ${1000} -| ${dut1_spi}= | ${1001} - -| ${ESP_PROTO}= | ${50} - -| ${bid}= | 10 - -*** Test Cases *** -| TC01: DUT1 and DUT2 route IPv6 bidirectionally over LISP GPE tunnel using IPsec (transport) on RLOC Int. -| | [Documentation] -| | ... | [Top] TG-DUT1-DUT2-TG. -| | ... | [Enc] Eth-IPv6-IPSec-LISPGPE-IPv6-ICMPv6 on DUT1-DUT2,\ -| | ... | Eth-IPv6-ICMPv6 on TG-DUTn. -| | ... | [Cfg] Configure IPv6 LISP static adjacencies on DUT1 and DUT2 with\ -| | ... | IPsec in between DUTS. -| | ... | [Ver] Case: ip6-lispgpe-ipsec-ip6 - main fib, phys2lisp\ -| | ... | Make TG send ICMPv6 Echo Req between its interfaces across\ -| | ... | both DUTs and LISP GPE tunnel between them; verify IPv6 headers on\ -| | ... | received packets are correct. -| | ... | [Ref] RFC6830, RFC4303. -| | ... -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Setup Topology -| | And Configure LISP GPE topology in 3-node circular topology -| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE} -| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE} -| | ... | ${duts_locator_set} | ${dut1_ip6_eid} | ${dut2_ip6_eid} -| | ... | ${dut1_to_dut2_ip6_static_adjacency} -| | ... | ${dut2_to_dut1_ip6_static_adjacency} -| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut1_node} | ${dut1_to_dut2} | ${encr_alg} | ${encr_key} -| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi} -| | ... | ${dut1_to_dut2_ip6} | ${dut2_to_dut1_ip6} -| | And Configure manual keyed connection for IPSec -| | ... | ${dut2_node} | ${dut2_to_dut1} | ${encr_alg} | ${encr_key} -| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi} -| | ... | ${dut2_to_dut1_ip6} | ${dut1_to_dut2_ip6} -| | Then Send packet and verify headers -| | ... | ${tg_node} | ${tg1_ip6} | ${tg2_ip6} -| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac} -| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac} -| | And Send packet and verify headers -| | ... | ${tg_node} | ${tg2_ip6} | ${tg1_ip6} -| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac} -| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac} - -| TC02: DUT1 and DUT2 route IPv6 bidirectionally over LISP GPE tunnel using IPsec (transport) lisp_gpe0 Int. -| | [Documentation] -| | ... | [Top] TG-DUT1-DUT2-TG. -| | ... | [Enc] Eth-IPv6-IPSec-LISPGPE-IPv6-ICMPv6 on DUT1-DUT2,\ -| | ... | Eth-IPv6-ICMPv6 on TG-DUTn. -| | ... | [Cfg] Configure IPv6 LISP static adjacencies on DUT1 and DUT2 with\ -| | ... | IPsec in between DUTS. -| | ... | [Ver] Case: ip6-ipsec-lispgpe-ip6 - main fib, phys2lisp\ -| | ... | Make TG send ICMPv6 Echo Req between its interfaces across\ -| | ... | both DUTs and LISP GPE tunnel between them; verify IPv6 headers on\ -| | ... | received packets are correct. -| | ... | [Ref] RFC6830, RFC4303. -| | ... -| | ${encr_alg}= | Crypto Alg AES CBC 128 -| | ${auth_alg}= | Integ Alg SHA1 96 -| | Given Setup Topology -| | And Configure LISP GPE topology in 3-node circular topology -| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE} -| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE} -| | ... | ${duts_locator_set} | ${dut1_ip6_eid} | ${dut2_ip6_eid} -| | ... | ${dut1_to_dut2_ip6_static_adjacency} -| | ... | ${dut2_to_dut1_ip6_static_adjacency} -| | ${lisp_if_idx}= | resources.libraries.python.InterfaceUtil.get sw if index -| | ... | ${dut1_node} | lisp_gpe0 -| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg} -| | When Configure manual keyed connection for IPSec -| | ... | ${dut1_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key} -| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi} | ${tg1_ip6} -| | ... | ${tg2_ip6} -| | And Configure manual keyed connection for IPSec -| | ... | ${dut2_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key} -| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi} | ${tg2_ip6} -| | ... | ${tg1_ip6} -| | Then Send packet and verify headers -| | ... | ${tg_node} | ${tg1_ip6} | ${tg2_ip6} -| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac} -| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac} -| | And Send packet and verify headers -| | ... | ${tg_node} | ${tg2_ip6} | ${tg1_ip6} -| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac} -| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac} - -*** Keywords *** -| Setup Topology -| | Configure path in 3-node circular topology -| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']} -| | Set interfaces in 3-node circular topology up -| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip6} -| | ... | ${prefix6} -| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip6} -| | ... | ${prefix6} -| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_tg} | ${dut1_to_tg_ip6} -| | ... | ${prefix6} -| | Vpp Set If IPv6 Addr | ${dut2_node} | ${dut2_to_dut1} | ${dut2_to_dut1_ip6} -| | ... | ${prefix6} -| | Vpp Set If IPv6 Addr | ${dut2_node} | ${dut2_to_tg} | ${dut2_to_tg_ip6} -| | ... | ${prefix6} -| | Add IP Neighbor | ${dut1_node} | ${dut1_to_tg} | ${tg1_ip6} -| | ... | ${tg_to_dut1_mac} -| | Add IP Neighbor | ${dut2_node} | ${dut2_to_tg} | ${tg2_ip6} -| | ... | ${tg_to_dut2_mac} -| | Add IP Neighbor | ${dut1_node} | ${dut1_to_dut2} | ${dut2_to_dut1_ip6} -| | ... | ${dut2_to_dut1_mac} -| | Add IP Neighbor | ${dut2_node} | ${dut2_to_dut1} | ${dut1_to_dut2_ip6} -| | ... | ${dut1_to_dut2_mac} -| | Vpp All RA Suppress Link Layer | ${nodes} diff --git a/tests/vpp/func/crypto/sw_device/eth2p-ethip4ipsectnlsw-ip4base-func.robot b/tests/vpp/func/crypto/sw_device/eth2p-ethip4ipsectnlsw-ip4base-func.robot new file mode 100644 index 0000000000..7f6207e3db --- /dev/null +++ b/tests/vpp/func/crypto/sw_device/eth2p-ethip4ipsectnlsw-ip4base-func.robot @@ -0,0 +1,560 @@ +# Copyright (c) 2017 Cisco and/or its affiliates. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +*** Settings *** +| Resource | resources/libraries/robot/crypto/ipsec.robot +| Library | resources.libraries.python.Trace +| Force Tags | 3_NODE_SINGLE_LINK_TOPO | 3_NODE_DOUBLE_LINK_TOPO +| ... | VM_ENV | HW_ENV | IPSEC | IPSEC_SW +| ... +| Test Setup | Set up IPSec SW device functional test | IPv4 +| ... +| Test Teardown | Tear down IPSec SW device functional test +| ... +| Documentation | *IPv4 SW cryptodev IPsec tunnel mode test suite.* +| ... +| ... | *[Top] Network topologies:* TG-DUT1 2-node topology with one link\ +| ... | between nodes. +| ... | *[Cfg] DUT configuration:* With enabled SW crytodev on DUT1 create\ +| ... | loopback interface, configure loopback and physical interface IPv4\ +| ... | addresses, static ARP record, route and IPsec manual keyed connection\ +| ... | in tunnel mode. +| ... | *[Ver] TG verification:* ESP packet is sent from TG to DUT1. ESP packet\ +| ... | is received on TG from DUT1. +| ... | *[Ref] Applicable standard specifications:* RFC4303. + +*** Variables *** +| ${tg_spi}= | ${1000} +| ${dut_spi}= | ${1001} +| ${ESP_PROTO}= | ${50} +| ${tg_if_ip4}= | 192.168.100.2 +| ${dut_if_ip4}= | 192.168.100.3 +| ${tg_lo_ip4}= | 192.168.3.3 +| ${dut_lo_ip4}= | 192.168.4.4 +| ${ip4_plen}= | ${24} + +*** Test Cases *** +| TC01: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC02: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA1-96 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA1-96 in tunnel mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ... +| | [Tags] | SKIP_PATCH +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 192 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC03: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA1-96 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA1-96 in tunnel mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ... +| | [Tags] | SKIP_PATCH +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 256 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC04: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-256-128 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-256-128 in tunnel\ +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ... +| | [Tags] | SKIP_PATCH +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA 256 128 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC05: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-256-128 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in tunnel\ +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 192 +| | ${auth_alg}= | Integ Alg SHA 256 128 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC06: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-256-128 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-256-128 in tunnel\ +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ... +| | [Tags] | SKIP_PATCH +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 256 +| | ${auth_alg}= | Integ Alg SHA 256 128 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC07: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-384-192 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-384-192 in tunnel\ +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ... +| | [Tags] | SKIP_PATCH +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA 384 192 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC08: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-384-192 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-384-192 in tunnel\ +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ... +| | [Tags] | SKIP_PATCH +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 192 +| | ${auth_alg}= | Integ Alg SHA 384 192 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC09: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-384-192 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in tunnel\ +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 256 +| | ${auth_alg}= | Integ Alg SHA 384 192 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC10: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-512-256 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-512-256 in tunnel\ +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ... +| | [Tags] | SKIP_PATCH +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA 512 256 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC11: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-512-256 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-512-256 in tunnel\ +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ... +| | [Tags] | SKIP_PATCH +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 192 +| | ${auth_alg}= | Integ Alg SHA 512 256 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC12: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-512-256 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in tunnel\ +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 256 +| | ${auth_alg}= | Integ Alg SHA 512 256 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC13: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. +| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\ +| | ... | encryption key stored on VPP node from TG to VPP node and expect no\ +| | ... | response to be received on TG. +| | ... | [Ref] RFC4303. +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC14: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. +| | ... | [Ver] Send an ESP packet authenticated by integrity key different\ +| | ... | from integrity key stored on VPP node from TG to VPP node and expect\ +| | ... | no response to be received on TG. +| | ... | [Ref] RFC4303. +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC15: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption and integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. +| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\ +| | ... | by encryption key different from integrity and encryption keys stored\ +| | ... | on VPP node from TG to VPP node and expect no response to be received\ +| | ... | on TG. +| | ... | [Ref] RFC4303. +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC16: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node before\ +| | ... | and after SA keys update. +| | ... +| | [Tags] | EXPECTED_FAILING +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${new_auth_key} +| | ... | ${tg_spi} | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC17: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\ +| | ... | encryption key stored on VPP node from TG to VPP node and expect no\ +| | ... | response to be received on TG before and after SA keys update. +| | ... +| | [Tags] | EXPECTED_FAILING +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${new_auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC18: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send an ESP packet authenticated by integrity key different\ +| | ... | from integrity key stored on VPP node from TG to VPP node and expect\ +| | ... | no response to be received on TG before and after SA keys update. +| | ... +| | [Tags] | EXPECTED_FAILING +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC19: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\ +| | ... | by encryption key different from integrity and encryption keys stored\ +| | ... | on VPP node from TG to VPP node and expect no response to be received\ +| | ... | on TG before and after SA keys update. +| | ... +| | [Tags] | EXPECTED_FAILING +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +*** Keywords *** +| Get Second Random String +| | [Arguments] | ${req_alg} | ${req_type} +| | ... +| | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg} +| | ${key}= | Set Variable If | '${req_type}' == 'Crypto' | ${encr_key} +| | ... | '${req_type}' == 'Integ' | ${auth_key} +| | :FOR | ${index} | IN RANGE | 100 +| | | ${req_key}= | Generate Random String | ${req_key_len} +| | | Return From Keyword If | '${req_key}' != '${key}' | ${req_key} diff --git a/tests/vpp/func/crypto/sw_device/eth2p-ethip4ipsectptsw-ip4base-func.robot b/tests/vpp/func/crypto/sw_device/eth2p-ethip4ipsectptsw-ip4base-func.robot new file mode 100644 index 0000000000..85d77be828 --- /dev/null +++ b/tests/vpp/func/crypto/sw_device/eth2p-ethip4ipsectptsw-ip4base-func.robot @@ -0,0 +1,535 @@ +# Copyright (c) 2016 Cisco and/or its affiliates. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +*** Settings *** +| Resource | resources/libraries/robot/crypto/ipsec.robot +| Library | resources.libraries.python.Trace +| Force Tags | 3_NODE_SINGLE_LINK_TOPO | 3_NODE_DOUBLE_LINK_TOPO +| ... | VM_ENV | HW_ENV | IPSEC | IPSEC_SW +| ... +| Test Setup | Set up IPSec SW device functional test | IPv4 +| ... +| Test Teardown | Tear down IPSec SW device functional test +| ... +| Documentation | *IPv4 IPsec transport mode test suite.* +| ... +| ... | *[Top] Network topologies:* TG-DUT1 2-node topology with one link\ +| ... | between nodes. +| ... | *[Cfg] DUT configuration:* With enabled SW crytodev on DUT1 create\ +| ... | loopback interface, configure loopback and physical interface IPv4\ +| ... | addresses, static ARP record, route and IPsec manual keyed connection\ +| ... | in transport mode. +| ... | *[Ver] TG verification:* ESP packet is sent from TG to DUT1. ESP packet\ +| ... | is received on TG from DUT1. +| ... | *[Ref] Applicable standard specifications:* RFC4303. + +*** Variables *** +| ${tg_spi}= | ${1000} +| ${dut_spi}= | ${1001} +| ${ESP_PROTO}= | ${50} +| ${tg_if_ip4}= | 192.168.100.2 +| ${dut_if_ip4}= | 192.168.100.3 +| ${tg_lo_ip4}= | 192.168.3.3 +| ${dut_lo_ip4}= | 192.168.4.4 +| ${ip4_plen}= | ${24} + +*** Test Cases *** +| TC01: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ... +| | [Tags] | EXPECTED_FAILING +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC02: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA1-96 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA1-96 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ... +| | [Tags] | SKIP_PATCH | EXPECTED_FAILING +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 192 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC03: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA1-96 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA1-96 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ... +| | [Tags] | SKIP_PATCH | EXPECTED_FAILING +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 256 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC04: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-256-128 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-256-128 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ... +| | [Tags] | SKIP_PATCH | EXPECTED_FAILING +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA 256 128 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC05: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-256-128 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ... +| | [Tags] | EXPECTED_FAILING +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 192 +| | ${auth_alg}= | Integ Alg SHA 256 128 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC06: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-256-128 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-256-128 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ... +| | [Tags] | SKIP_PATCH | EXPECTED_FAILING +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 256 +| | ${auth_alg}= | Integ Alg SHA 256 128 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC07: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-384-192 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-384-192 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ... +| | [Tags] | SKIP_PATCH | EXPECTED_FAILING +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA 384 192 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC08: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-384-192 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-384-192 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ... +| | [Tags] | SKIP_PATCH | EXPECTED_FAILING +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 192 +| | ${auth_alg}= | Integ Alg SHA 384 192 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC09: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-384-192 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ... +| | [Tags] | EXPECTED_FAILING +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 256 +| | ${auth_alg}= | Integ Alg SHA 384 192 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC10: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-512-256 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-512-256 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ... +| | [Tags] | SKIP_PATCH | EXPECTED_FAILING +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA 512 256 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC11: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-512-256 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-512-256 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ... +| | [Tags] | SKIP_PATCH | EXPECTED_FAILING +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 192 +| | ${auth_alg}= | Integ Alg SHA 512 256 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC12: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-512-256 integrity +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in transport +| | ... | mode. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node. +| | ... +| | [Tags] | EXPECTED_FAILING +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 256 +| | ${auth_alg}= | Integ Alg SHA 512 256 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + + +| TC13: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ +| | ... | mode. +| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\ +| | ... | encryption key stored on VPP node from TG to VPP node and expect no\ +| | ... | response to be received on TG. +| | ... | [Ref] RFC4303. +| | ... +| | [Tags] | EXPECTED_FAILING +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC14: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ +| | ... | mode. +| | ... | [Ver] Send an ESP packet authenticated by integrity key different\ +| | ... | from integrity key stored on VPP node from TG to VPP node and expect\ +| | ... | no response to be received on TG. +| | ... | [Ref] RFC4303. +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC15: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption and integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ +| | ... | mode. +| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\ +| | ... | by encryption key different from integrity and encryption keys stored\ +| | ... | on VPP node from TG to VPP node and expect no response to be received\ +| | ... | on TG. +| | ... | [Ref] RFC4303. +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC16: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node before\ +| | ... | and after SA keys update. +| | ... +| | [Tags] | EXPECTED_FAILING +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${new_auth_key} +| | ... | ${tg_spi} | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC17: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\ +| | ... | encryption key stored on VPP node from TG to VPP node and expect no\ +| | ... | response to be received on TG before and after SA keys update. +| | ... +| | [Tags] | EXPECTED_FAILING +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${new_auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC18: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send an ESP packet authenticated by integrity key different\ +| | ... | from integrity key stored on VPP node from TG to VPP node and expect\ +| | ... | no response to be received on TG before and after SA keys update. +| | ... +| | [Tags] | EXPECTED_FAILING +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC19: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\ +| | ... | by encryption key different from integrity and encryption keys stored\ +| | ... | on VPP node from TG to VPP node and expect no response to be received\ +| | ... | on TG before and after SA keys update. +| | ... +| | [Tags] | EXPECTED_FAILING +| | ... +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg} +| | When Configure manual keyed connection for IPSec +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send IPsec Packet and verify ESP encapsulation in received packet +| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +*** Keywords *** +| Get Second Random String +| | [Arguments] | ${req_alg} | ${req_type} +| | ... +| | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg} +| | ${key}= | Set Variable If | '${req_type}' == 'Crypto' | ${encr_key} +| | ... | '${req_type}' == 'Integ' | ${auth_key} +| | :FOR | ${index} | IN RANGE | 100 +| | | ${req_key}= | Generate Random String | ${req_key_len} +| | | Return From Keyword If | '${req_key}' != '${key}' | ${req_key} -- cgit 1.2.3-korg