aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNeale Ranns <nranns@cisco.com>2020-01-02 04:06:10 +0000
committerOle Tr�an <otroan@employees.org>2020-11-02 08:49:08 +0000
commit041add7d12217494934b651e4e38b5eab5216ddc (patch)
tree42f6ed8c3e4477b7c7cf93b19f227e4fc0afb4cb
parent62877029aac3e05a1e1db579aeaad42bca5a70a4 (diff)
ipsec: Tunnel SA DSCP behaviour
Type: feature - use tunnel_encap_decap_flags to control the copying of DSCP/ECN/etc during IPSEC tunnel mode encap. - use DSCP value to have fixed encap value. Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: If4f51fd4c1dcbb0422aac9bd078e5c14af5bf11f
-rw-r--r--src/plugins/ikev2/ikev2.c8
-rw-r--r--src/vnet/ip/ip.c18
-rw-r--r--src/vnet/ip/ip6_packet.h13
-rw-r--r--src/vnet/ip/ip_packet.h2
-rw-r--r--src/vnet/ipsec/ah_encrypt.c38
-rw-r--r--src/vnet/ipsec/esp_encrypt.c39
-rw-r--r--src/vnet/ipsec/ipsec.api48
-rw-r--r--src/vnet/ipsec/ipsec_api.c188
-rw-r--r--src/vnet/ipsec/ipsec_cli.c16
-rw-r--r--src/vnet/ipsec/ipsec_format.c6
-rw-r--r--src/vnet/ipsec/ipsec_sa.c11
-rw-r--r--src/vnet/ipsec/ipsec_sa.h7
-rw-r--r--src/vnet/ipsec/ipsec_types.api30
-rw-r--r--src/vnet/tunnel/tunnel_dp.h57
-rw-r--r--test/template_ipsec.py12
-rw-r--r--test/test_ipsec_ah.py96
-rw-r--r--test/test_ipsec_esp.py93
-rw-r--r--test/test_ipsec_tun_if_esp.py30
-rw-r--r--test/vpp_ipsec.py20
-rw-r--r--test/vpp_papi_provider.py4
20 files changed, 664 insertions, 72 deletions
diff --git a/src/plugins/ikev2/ikev2.c b/src/plugins/ikev2/ikev2.c
index 05dfb604006..f3ac6f69318 100644
--- a/src/plugins/ikev2/ikev2.c
+++ b/src/plugins/ikev2/ikev2.c
@@ -1856,13 +1856,17 @@ ikev2_add_tunnel_from_main (ikev2_add_ipsec_tunnel_args_t * a)
IPSEC_PROTOCOL_ESP, a->encr_type,
&a->loc_ckey, a->integ_type, &a->loc_ikey,
a->flags, 0, a->salt_local, &zero_addr,
- &zero_addr, NULL, a->src_port, a->dst_port);
+ &zero_addr, TUNNEL_ENCAP_DECAP_FLAG_NONE,
+ IP_DSCP_CS0, NULL, a->src_port, a->dst_port);
+
rv |= ipsec_sa_add_and_lock (a->remote_sa_id, a->remote_spi,
IPSEC_PROTOCOL_ESP, a->encr_type, &a->rem_ckey,
a->integ_type, &a->rem_ikey,
(a->flags | IPSEC_SA_FLAG_IS_INBOUND), 0,
a->salt_remote, &zero_addr,
- &zero_addr, NULL, a->ipsec_over_udp_port,
+ &zero_addr, TUNNEL_ENCAP_DECAP_FLAG_NONE,
+ IP_DSCP_CS0, NULL,
+ a->ipsec_over_udp_port,
a->ipsec_over_udp_port);
rv |= ipsec_tun_protect_update (sw_if_index, NULL, a->local_sa_id, sas_in);
diff --git a/src/vnet/ip/ip.c b/src/vnet/ip/ip.c
index bceb529ee6f..062f5e7a4ef 100644
--- a/src/vnet/ip/ip.c
+++ b/src/vnet/ip/ip.c
@@ -155,6 +155,24 @@ format_ip_dscp (u8 * s, va_list * va)
return (format (s, "unknown"));
}
+uword
+unformat_ip_dscp (unformat_input_t * input, va_list * args)
+{
+ ip_dscp_t *dscp = va_arg (*args, ip_dscp_t *);
+
+ if (0)
+ ;
+#define _(n,v) \
+ else if (unformat (input, #v)) \
+ *dscp = IP_DSCP_##v;
+ foreach_ip_dscp
+#undef _
+ else
+ return 0;
+
+ return 1;
+}
+
u8 *
format_ip_ecn (u8 * s, va_list * va)
{
diff --git a/src/vnet/ip/ip6_packet.h b/src/vnet/ip/ip6_packet.h
index 7bbdd197f2f..34bc7a8ec1a 100644
--- a/src/vnet/ip/ip6_packet.h
+++ b/src/vnet/ip/ip6_packet.h
@@ -310,31 +310,36 @@ typedef struct
ip6_address_t src_address, dst_address;
} ip6_header_t;
+#define IP6_PACKET_TC_MASK 0x0FF00000
+#define IP6_PACKET_DSCP_MASK 0x0FC00000
+#define IP6_PACKET_ECN_MASK 0x00300000
+
always_inline ip_dscp_t
ip6_traffic_class (const ip6_header_t * i)
{
- return (i->ip_version_traffic_class_and_flow_label & 0x0FF00000) >> 20;
+ return (i->ip_version_traffic_class_and_flow_label & IP6_PACKET_TC_MASK) >>
+ 20;
}
static_always_inline ip_dscp_t
ip6_traffic_class_network_order (const ip6_header_t * ip6)
{
return (clib_net_to_host_u32 (ip6->ip_version_traffic_class_and_flow_label)
- & 0x0ff00000) >> 20;
+ & IP6_PACKET_TC_MASK) >> 20;
}
static_always_inline ip_dscp_t
ip6_dscp_network_order (const ip6_header_t * ip6)
{
return (clib_net_to_host_u32 (ip6->ip_version_traffic_class_and_flow_label)
- & 0x0fc00000) >> 22;
+ & IP6_PACKET_DSCP_MASK) >> 22;
}
static_always_inline ip_ecn_t
ip6_ecn_network_order (const ip6_header_t * ip6)
{
return (clib_net_to_host_u32 (ip6->ip_version_traffic_class_and_flow_label)
- & 0x00300000) >> 20;
+ & IP6_PACKET_ECN_MASK) >> 20;
}
static_always_inline void
diff --git a/src/vnet/ip/ip_packet.h b/src/vnet/ip/ip_packet.h
index 52a65e78c24..e1089ec308e 100644
--- a/src/vnet/ip/ip_packet.h
+++ b/src/vnet/ip/ip_packet.h
@@ -42,6 +42,7 @@
#include <vppinfra/byte_order.h>
#include <vppinfra/error.h>
+#include <vppinfra/format.h>
typedef enum ip_protocol
{
@@ -119,6 +120,7 @@ typedef enum ip_dscp_t_
} __clib_packed ip_dscp_t;
extern u8 *format_ip_dscp (u8 * s, va_list * va);
+unformat_function_t unformat_ip_dscp;
/**
* IP DSCP bit shift
diff --git a/src/vnet/ipsec/ah_encrypt.c b/src/vnet/ipsec/ah_encrypt.c
index b4e9af34802..d89cb093f26 100644
--- a/src/vnet/ipsec/ah_encrypt.c
+++ b/src/vnet/ipsec/ah_encrypt.c
@@ -22,6 +22,7 @@
#include <vnet/ipsec/ipsec.h>
#include <vnet/ipsec/esp.h>
#include <vnet/ipsec/ah.h>
+#include <vnet/tunnel/tunnel_dp.h>
#define foreach_ah_encrypt_next \
_ (DROP, "error-drop") \
@@ -111,12 +112,13 @@ typedef struct
{
union
{
+ /* Variable fields in the IP header not covered by the AH
+ * integrity check */
struct
{
u8 hop_limit;
u32 ip_version_traffic_class_and_flow_label;
};
-
struct
{
u8 ttl;
@@ -209,8 +211,6 @@ ah_encrypt_inline (vlib_main_t * vm,
ssize_t adv;
ih0 = vlib_buffer_get_current (b[0]);
- pd->ttl = ih0->ip4.ttl;
- pd->tos = ih0->ip4.tos;
if (PREDICT_TRUE (ipsec_sa_is_set_IS_TUNNEL (sa0)))
{
@@ -246,10 +246,20 @@ ah_encrypt_inline (vlib_main_t * vm,
ip_hdr_size = sizeof (ip6_header_t);
oh6_0 = vlib_buffer_get_current (b[0]);
pd->current_data = b[0]->current_data;
-
pd->hop_limit = ih6_0->ip6.hop_limit;
- pd->ip_version_traffic_class_and_flow_label =
+
+ oh6_0->ip6.ip_version_traffic_class_and_flow_label =
ih6_0->ip6.ip_version_traffic_class_and_flow_label;
+
+ ip6_set_dscp_network_order (&oh6_0->ip6, sa0->dscp);
+
+ tunnel_encap_fixup_6o6 (sa0->tunnel_flags,
+ &ih6_0->ip6, &oh6_0->ip6);
+
+ pd->ip_version_traffic_class_and_flow_label =
+ oh6_0->ip6.ip_version_traffic_class_and_flow_label;
+ oh6_0->ip6.ip_version_traffic_class_and_flow_label = 0;
+
if (PREDICT_TRUE (ipsec_sa_is_set_IS_TUNNEL (sa0)))
{
next_hdr_type = IP_PROTOCOL_IPV6;
@@ -275,8 +285,24 @@ ah_encrypt_inline (vlib_main_t * vm,
{
ip_hdr_size = sizeof (ip4_header_t);
oh0 = vlib_buffer_get_current (b[0]);
- clib_memset (oh0, 0, sizeof (ip4_and_ah_header_t));
+ pd->ttl = ih0->ip4.ttl;
+
+ if (sa0->dscp)
+ pd->tos = sa0->dscp << 2;
+ else
+ {
+ pd->tos = ih0->ip4.tos;
+ if (!
+ (sa0->tunnel_flags &
+ TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_DSCP))
+ pd->tos &= 0x3;
+ if (!
+ (sa0->tunnel_flags &
+ TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_ECN))
+ pd->tos &= 0xfc;
+ }
pd->current_data = b[0]->current_data;
+ clib_memset (oh0, 0, sizeof (ip4_and_ah_header_t));
if (PREDICT_TRUE (ipsec_sa_is_set_IS_TUNNEL (sa0)))
{
diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c
index f5461684166..ed49cdc97eb 100644
--- a/src/vnet/ipsec/esp_encrypt.c
+++ b/src/vnet/ipsec/esp_encrypt.c
@@ -24,6 +24,7 @@
#include <vnet/ipsec/ipsec.h>
#include <vnet/ipsec/ipsec_tun.h>
#include <vnet/ipsec/esp.h>
+#include <vnet/tunnel/tunnel_dp.h>
#define foreach_esp_encrypt_next \
_(DROP4, "ip4-drop") \
@@ -743,9 +744,22 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
u16 len = sizeof (ip6_header_t);
hdr_len += len;
ip6 = (ip6_header_t *) (payload - hdr_len);
- clib_memcpy_fast (ip6, &sa0->ip6_hdr, len);
- *next_hdr_ptr = (is_ip6 ?
- IP_PROTOCOL_IPV6 : IP_PROTOCOL_IP_IN_IP);
+ clib_memcpy_fast (ip6, &sa0->ip6_hdr, sizeof (ip6_header_t));
+
+ if (is_ip6)
+ {
+ *next_hdr_ptr = IP_PROTOCOL_IPV6;
+ tunnel_encap_fixup_6o6 (sa0->tunnel_flags,
+ (const ip6_header_t *) payload,
+ ip6);
+ }
+ else
+ {
+ *next_hdr_ptr = IP_PROTOCOL_IP_IN_IP;
+ tunnel_encap_fixup_4o6 (sa0->tunnel_flags,
+ (const ip4_header_t *) payload,
+ ip6);
+ }
len = payload_len_total + hdr_len - len;
ip6->payload_length = clib_net_to_host_u16 (len);
}
@@ -755,9 +769,22 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
u16 len = sizeof (ip4_header_t);
hdr_len += len;
ip4 = (ip4_header_t *) (payload - hdr_len);
- clib_memcpy_fast (ip4, &sa0->ip4_hdr, len);
- *next_hdr_ptr = (is_ip6 ?
- IP_PROTOCOL_IPV6 : IP_PROTOCOL_IP_IN_IP);
+ clib_memcpy_fast (ip4, &sa0->ip4_hdr, sizeof (ip4_header_t));
+
+ if (is_ip6)
+ {
+ *next_hdr_ptr = IP_PROTOCOL_IPV6;
+ tunnel_encap_fixup_6o4_w_chksum (sa0->tunnel_flags,
+ (const ip6_header_t *)
+ payload, ip4);
+ }
+ else
+ {
+ *next_hdr_ptr = IP_PROTOCOL_IP_IN_IP;
+ tunnel_encap_fixup_4o4_w_chksum (sa0->tunnel_flags,
+ (const ip4_header_t *)
+ payload, ip4);
+ }
len = payload_len_total + hdr_len;
esp_update_ip4_hdr (ip4, len, /* is_transport */ 0, 0);
}
diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api
index 89dcdb761de..178c7c6f46e 100644
--- a/src/vnet/ipsec/ipsec.api
+++ b/src/vnet/ipsec/ipsec.api
@@ -196,12 +196,25 @@ define ipsec_sad_entry_add_del
bool is_add;
vl_api_ipsec_sad_entry_t entry;
};
+define ipsec_sad_entry_add_del_v2
+{
+ u32 client_index;
+ u32 context;
+ bool is_add;
+ vl_api_ipsec_sad_entry_v2_t entry;
+};
define ipsec_sad_entry_add_del_reply
{
u32 context;
i32 retval;
u32 stat_index;
};
+define ipsec_sad_entry_add_del_v2_reply
+{
+ u32 context;
+ i32 retval;
+ u32 stat_index;
+};
/** \brief Add or Update Protection for a tunnel with IPSEC
@@ -439,25 +452,17 @@ define ipsec_sa_dump
u32 context;
u32 sa_id;
};
+define ipsec_sa_v2_dump
+{
+ u32 client_index;
+ u32 context;
+ u32 sa_id;
+};
/** \brief IPsec security association database response
@param context - sender context which was passed in the request
- @param sa_id - SA ID, policy-based SAs >=0, tunnel interface SAs = 0
+ @param entry - The SA details
@param sw_if_index - sw_if_index of tunnel interface, policy-based SAs = ~0
- @param spi - security parameter index
- @param protocol - IPsec protocol (value from ipsec_protocol_t)
- @param crypto_alg - crypto algorithm (value from ipsec_crypto_alg_t)
- @param crypto_key_len - length of crypto_key in bytes
- @param crypto_key - crypto keying material
- @param integ_alg - integrity algorithm (value from ipsec_integ_alg_t)
- @param integ_key_len - length of integ_key in bytes
- @param integ_key - integrity keying material
- @param use_esn - using extended sequence numbers when non-zero
- @param use_anti_replay - using anti-replay window when non-zero
- @param is_tunnel - IPsec tunnel mode when non-zero, else transport mode
- @param is_tunnel_ipv6 - If using tunnel mode, endpoints are IPv6
- @param tunnel_src_addr - Tunnel source address if using tunnel mode
- @param tunnel_dst_addr - Tunnel destination address is using tunnel mode
@param salt - 4 byte salt
@param seq - current sequence number for outbound
@param seq_hi - high 32 bits of ESN for outbound
@@ -465,7 +470,6 @@ define ipsec_sa_dump
@param last_seq_hi - high 32 bits of highest ESN received inbound
@param replay_window - bit map of seq nums received relative to last_seq if using anti-replay
@param stat_index - index for the SA in the stats segment @ /net/ipsec/sa
- @param udp_encap - 1 if UDP encap enabled, 0 otherwise
*/
define ipsec_sa_details {
u32 context;
@@ -479,6 +483,18 @@ define ipsec_sa_details {
u32 stat_index;
};
+define ipsec_sa_v2_details {
+ u32 context;
+ vl_api_ipsec_sad_entry_v2_t entry;
+
+ vl_api_interface_index_t sw_if_index;
+ u32 salt;
+ u64 seq_outbound;
+ u64 last_seq_inbound;
+ u64 replay_window;
+
+ u32 stat_index;
+};
/** \brief Set new SA on IPsec interface
diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c
index f623cced0c7..7003791c8c8 100644
--- a/src/vnet/ipsec/ipsec_api.c
+++ b/src/vnet/ipsec/ipsec_api.c
@@ -28,6 +28,7 @@
#include <vnet/tunnel/tunnel_types_api.h>
#include <vnet/fib/fib.h>
#include <vnet/ipip/ipip.h>
+#include <vnet/tunnel/tunnel_types_api.h>
#include <vnet/vnet_msg_enum.h>
@@ -58,7 +59,9 @@ _(IPSEC_SPD_ADD_DEL, ipsec_spd_add_del) \
_(IPSEC_INTERFACE_ADD_DEL_SPD, ipsec_interface_add_del_spd) \
_(IPSEC_SPD_ENTRY_ADD_DEL, ipsec_spd_entry_add_del) \
_(IPSEC_SAD_ENTRY_ADD_DEL, ipsec_sad_entry_add_del) \
+_(IPSEC_SAD_ENTRY_ADD_DEL_V2, ipsec_sad_entry_add_del_v2) \
_(IPSEC_SA_DUMP, ipsec_sa_dump) \
+_(IPSEC_SA_V2_DUMP, ipsec_sa_v2_dump) \
_(IPSEC_SPDS_DUMP, ipsec_spds_dump) \
_(IPSEC_SPD_DUMP, ipsec_spd_dump) \
_(IPSEC_SPD_INTERFACE_DUMP, ipsec_spd_interface_dump) \
@@ -380,7 +383,10 @@ static void vl_api_ipsec_sad_entry_add_del_t_handler
crypto_alg, &crypto_key,
integ_alg, &integ_key, flags,
0, mp->entry.salt, &tun_src, &tun_dst,
- &sa_index, htons (mp->entry.udp_src_port),
+ TUNNEL_ENCAP_DECAP_FLAG_NONE,
+ IP_DSCP_CS0,
+ &sa_index,
+ htons (mp->entry.udp_src_port),
htons (mp->entry.udp_dst_port));
else
rv = ipsec_sa_unlock_id (id);
@@ -398,6 +404,83 @@ out:
/* *INDENT-ON* */
}
+static void vl_api_ipsec_sad_entry_add_del_v2_t_handler
+ (vl_api_ipsec_sad_entry_add_del_v2_t * mp)
+{
+ vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
+ vl_api_ipsec_sad_entry_add_del_v2_reply_t *rmp;
+ ip46_address_t tun_src = { }, tun_dst =
+ {
+ };
+ tunnel_encap_decap_flags_t tunnel_flags;
+ ipsec_key_t crypto_key, integ_key;
+ ipsec_crypto_alg_t crypto_alg;
+ ipsec_integ_alg_t integ_alg;
+ ipsec_protocol_t proto;
+ ipsec_sa_flags_t flags;
+ u32 id, spi, sa_index = ~0;
+ int rv;
+
+#if WITH_LIBSSL > 0
+
+ id = ntohl (mp->entry.sad_id);
+ spi = ntohl (mp->entry.spi);
+
+ rv = ipsec_proto_decode (mp->entry.protocol, &proto);
+
+ if (rv)
+ goto out;
+
+ rv = ipsec_crypto_algo_decode (mp->entry.crypto_algorithm, &crypto_alg);
+
+ if (rv)
+ goto out;
+
+ rv = ipsec_integ_algo_decode (mp->entry.integrity_algorithm, &integ_alg);
+
+ if (rv)
+ goto out;
+
+ rv =
+ tunnel_encap_decap_flags_decode (mp->entry.tunnel_flags, &tunnel_flags);
+
+ if (rv)
+ goto out;
+
+ ipsec_key_decode (&mp->entry.crypto_key, &crypto_key);
+ ipsec_key_decode (&mp->entry.integrity_key, &integ_key);
+
+ flags = ipsec_sa_flags_decode (mp->entry.flags);
+
+ ip_address_decode (&mp->entry.tunnel_src, &tun_src);
+ ip_address_decode (&mp->entry.tunnel_dst, &tun_dst);
+
+ if (mp->is_add)
+ rv = ipsec_sa_add_and_lock (id, spi, proto,
+ crypto_alg, &crypto_key,
+ integ_alg, &integ_key, flags,
+ 0, mp->entry.salt, &tun_src, &tun_dst,
+ tunnel_flags,
+ ip_dscp_decode (mp->entry.dscp),
+ &sa_index,
+ htons (mp->entry.udp_src_port),
+ htons (mp->entry.udp_dst_port));
+ else
+ rv = ipsec_sa_unlock_id (id);
+
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+out:
+ /* *INDENT-OFF* */
+ REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_V2_REPLY,
+ {
+ rmp->stat_index = htonl (sa_index);
+ });
+ /* *INDENT-ON* */
+}
+
static void
send_ipsec_spds_details (ipsec_spd_t * spd, vl_api_registration_t * reg,
u32 context)
@@ -671,7 +754,9 @@ vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t *
&integ_key,
(flags | IPSEC_SA_FLAG_IS_INBOUND),
ntohl (mp->tx_table_id),
- mp->salt, &remote_ip, &local_ip, NULL,
+ mp->salt, &remote_ip, &local_ip,
+ TUNNEL_ENCAP_DECAP_FLAG_NONE,
+ IP_DSCP_CS0, NULL,
IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
if (rv)
@@ -686,7 +771,9 @@ vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t *
&integ_key,
flags,
ntohl (mp->tx_table_id),
- mp->salt, &local_ip, &remote_ip, NULL,
+ mp->salt, &local_ip, &remote_ip,
+ TUNNEL_ENCAP_DECAP_FLAG_NONE,
+ IP_DSCP_CS0, NULL,
IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
if (rv)
@@ -905,6 +992,101 @@ vl_api_ipsec_sa_dump_t_handler (vl_api_ipsec_sa_dump_t * mp)
#endif
}
+static walk_rc_t
+send_ipsec_sa_v2_details (ipsec_sa_t * sa, void *arg)
+{
+ ipsec_dump_walk_ctx_t *ctx = arg;
+ vl_api_ipsec_sa_v2_details_t *mp;
+ ipsec_main_t *im = &ipsec_main;
+
+ mp = vl_msg_api_alloc (sizeof (*mp));
+ clib_memset (mp, 0, sizeof (*mp));
+ mp->_vl_msg_id = ntohs (VL_API_IPSEC_SA_V2_DETAILS);
+ mp->context = ctx->context;
+
+ mp->entry.sad_id = htonl (sa->id);
+ mp->entry.spi = htonl (sa->spi);
+ mp->entry.protocol = ipsec_proto_encode (sa->protocol);
+ mp->entry.tx_table_id =
+ htonl (fib_table_get_table_id (sa->tx_fib_index, FIB_PROTOCOL_IP4));
+
+ mp->entry.crypto_algorithm = ipsec_crypto_algo_encode (sa->crypto_alg);
+ ipsec_key_encode (&sa->crypto_key, &mp->entry.crypto_key);
+
+ mp->entry.integrity_algorithm = ipsec_integ_algo_encode (sa->integ_alg);
+ ipsec_key_encode (&sa->integ_key, &mp->entry.integrity_key);
+
+ mp->entry.flags = ipsec_sad_flags_encode (sa);
+ mp->entry.salt = clib_host_to_net_u32 (sa->salt);
+
+ if (ipsec_sa_is_set_IS_PROTECT (sa))
+ {
+ ipsec_sa_dump_match_ctx_t ctx = {
+ .sai = sa - im->sad,
+ .sw_if_index = ~0,
+ };
+ ipsec_tun_protect_walk (ipsec_sa_dump_match_sa, &ctx);
+
+ mp->sw_if_index = htonl (ctx.sw_if_index);
+ }
+ else
+ mp->sw_if_index = ~0;
+
+ if (ipsec_sa_is_set_IS_TUNNEL (sa))
+ {
+ ip_address_encode (&sa->tunnel_src_addr, IP46_TYPE_ANY,
+ &mp->entry.tunnel_src);
+ ip_address_encode (&sa->tunnel_dst_addr, IP46_TYPE_ANY,
+ &mp->entry.tunnel_dst);
+ }
+ if (ipsec_sa_is_set_UDP_ENCAP (sa))
+ {
+ mp->entry.udp_src_port = sa->udp_hdr.src_port;
+ mp->entry.udp_dst_port = sa->udp_hdr.dst_port;
+ }
+
+ mp->entry.tunnel_flags = tunnel_encap_decap_flags_encode (sa->tunnel_flags);
+ mp->entry.dscp = ip_dscp_encode (sa->dscp);
+
+ mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq));
+ mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->last_seq));
+ if (ipsec_sa_is_set_USE_ESN (sa))
+ {
+ mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
+ mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->last_seq_hi));
+ }
+ if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
+ mp->replay_window = clib_host_to_net_u64 (sa->replay_window);
+
+ mp->stat_index = clib_host_to_net_u32 (sa->stat_index);
+
+ vl_api_send_msg (ctx->reg, (u8 *) mp);
+
+ return (WALK_CONTINUE);
+}
+
+static void
+vl_api_ipsec_sa_v2_dump_t_handler (vl_api_ipsec_sa_dump_t * mp)
+{
+ vl_api_registration_t *reg;
+
+#if WITH_LIBSSL > 0
+ reg = vl_api_client_index_to_registration (mp->client_index);
+ if (!reg)
+ return;
+
+ ipsec_dump_walk_ctx_t ctx = {
+ .reg = reg,
+ .context = mp->context,
+ };
+
+ ipsec_sa_walk (send_ipsec_sa_v2_details, &ctx);
+
+#else
+ clib_warning ("unimplemented");
+#endif
+}
+
static void
vl_api_ipsec_tunnel_if_set_sa_t_handler (vl_api_ipsec_tunnel_if_set_sa_t * mp)
{
diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c
index d7378534eb8..fc79c4ca347 100644
--- a/src/vnet/ipsec/ipsec_cli.c
+++ b/src/vnet/ipsec/ipsec_cli.c
@@ -90,6 +90,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
u16 udp_src, udp_dst;
int is_add, rv;
u32 m_args = 0;
+ ip_dscp_t dscp;
salt = 0;
error = NULL;
@@ -99,6 +100,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
integ_alg = IPSEC_INTEG_ALG_NONE;
crypto_alg = IPSEC_CRYPTO_ALG_NONE;
udp_src = udp_dst = IPSEC_UDP_PORT_NONE;
+ dscp = IP_DSCP_CS0;
if (!unformat_user (input, unformat_line_input, line_input))
return 0;
@@ -182,7 +184,9 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
rv = ipsec_sa_add_and_lock (id, spi, proto, crypto_alg,
&ck, integ_alg, &ik, flags,
0, clib_host_to_net_u32 (salt),
- &tun_src, &tun_dst, &sai, udp_src, udp_dst);
+ &tun_src, &tun_dst,
+ TUNNEL_ENCAP_DECAP_FLAG_NONE, dscp,
+ &sai, udp_src, udp_dst);
}
else
{
@@ -910,16 +914,18 @@ create_ipsec_tunnel_command_fn (vlib_main_t * vm,
local_spi, IPSEC_PROTOCOL_ESP, crypto_alg,
&lck, integ_alg, &lik, flags, table_id,
clib_host_to_net_u32 (salt), &local_ip,
- &remote_ip, NULL, IPSEC_UDP_PORT_NONE,
- IPSEC_UDP_PORT_NONE);
+ &remote_ip, TUNNEL_ENCAP_DECAP_FLAG_NONE,
+ IP_DSCP_CS0, NULL,
+ IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
rv |=
ipsec_sa_add_and_lock (ipsec_tun_mk_remote_sa_id (sw_if_index),
remote_spi, IPSEC_PROTOCOL_ESP, crypto_alg,
&rck, integ_alg, &rik,
(flags | IPSEC_SA_FLAG_IS_INBOUND), table_id,
clib_host_to_net_u32 (salt), &remote_ip,
- &local_ip, NULL, IPSEC_UDP_PORT_NONE,
- IPSEC_UDP_PORT_NONE);
+ &local_ip, TUNNEL_ENCAP_DECAP_FLAG_NONE,
+ IP_DSCP_CS0, NULL,
+ IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
rv |=
ipsec_tun_protect_update_one (sw_if_index, &nh,
ipsec_tun_mk_local_sa_id (sw_if_index),
diff --git a/src/vnet/ipsec/ipsec_format.c b/src/vnet/ipsec/ipsec_format.c
index 6781fe580c1..bf5ea3750e2 100644
--- a/src/vnet/ipsec/ipsec_format.c
+++ b/src/vnet/ipsec/ipsec_format.c
@@ -322,10 +322,12 @@ format_ipsec_sa (u8 * s, va_list * args)
{
tx_table_id = fib_table_get_table_id (sa->tx_fib_index,
FIB_PROTOCOL_IP4);
- s = format (s, "\n table-ID %d tunnel src %U dst %U",
+ s = format (s, "\n table-ID %d tunnel %U src %U dst %U flags %U",
tx_table_id,
+ format_ip_dscp, sa->dscp,
format_ip46_address, &sa->tunnel_src_addr, IP46_TYPE_ANY,
- format_ip46_address, &sa->tunnel_dst_addr, IP46_TYPE_ANY);
+ format_ip46_address, &sa->tunnel_dst_addr, IP46_TYPE_ANY,
+ format_tunnel_encap_decap_flags, sa->tunnel_flags);
if (!ipsec_sa_is_set_IS_INBOUND (sa))
{
s =
diff --git a/src/vnet/ipsec/ipsec_sa.c b/src/vnet/ipsec/ipsec_sa.c
index 9b2f2b53fa5..71e86ac5c45 100644
--- a/src/vnet/ipsec/ipsec_sa.c
+++ b/src/vnet/ipsec/ipsec_sa.c
@@ -178,8 +178,10 @@ ipsec_sa_add_and_lock (u32 id,
u32 tx_table_id,
u32 salt,
const ip46_address_t * tun_src,
- const ip46_address_t * tun_dst, u32 * sa_out_index,
- u16 src_port, u16 dst_port)
+ const ip46_address_t * tun_dst,
+ tunnel_encap_decap_flags_t tunnel_flags,
+ ip_dscp_t dscp,
+ u32 * sa_out_index, u16 src_port, u16 dst_port)
{
vlib_main_t *vm = vlib_get_main ();
ipsec_main_t *im = &ipsec_main;
@@ -206,6 +208,8 @@ ipsec_sa_add_and_lock (u32 id,
sa->stat_index = sa_index;
sa->protocol = proto;
sa->flags = flags;
+ sa->tunnel_flags = tunnel_flags;
+ sa->dscp = dscp;
sa->salt = salt;
sa->encrypt_thread_index = (vlib_num_workers ())? ~0 : 0;
sa->decrypt_thread_index = (vlib_num_workers ())? ~0 : 0;
@@ -297,6 +301,8 @@ ipsec_sa_add_and_lock (u32 id,
if (ipsec_sa_is_set_IS_TUNNEL_V6 (sa))
{
sa->ip6_hdr.ip_version_traffic_class_and_flow_label = 0x60;
+ ip6_set_dscp_network_order (&sa->ip6_hdr, sa->dscp);
+
sa->ip6_hdr.hop_limit = 254;
sa->ip6_hdr.src_address.as_u64[0] =
sa->tunnel_src_addr.ip6.as_u64[0];
@@ -317,6 +323,7 @@ ipsec_sa_add_and_lock (u32 id,
sa->ip4_hdr.ttl = 254;
sa->ip4_hdr.src_address.as_u32 = sa->tunnel_src_addr.ip4.as_u32;
sa->ip4_hdr.dst_address.as_u32 = sa->tunnel_dst_addr.ip4.as_u32;
+ sa->ip4_hdr.tos = sa->dscp << 2;
if (ipsec_sa_is_set_UDP_ENCAP (sa))
sa->ip4_hdr.protocol = IP_PROTOCOL_UDP;
diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h
index 02f5eaf03a0..6ed71325f69 100644
--- a/src/vnet/ipsec/ipsec_sa.h
+++ b/src/vnet/ipsec/ipsec_sa.h
@@ -19,6 +19,7 @@
#include <vnet/crypto/crypto.h>
#include <vnet/ip/ip.h>
#include <vnet/fib/fib_node.h>
+#include <vnet/tunnel/tunnel.h>
#define foreach_ipsec_crypto_alg \
_ (0, NONE, "none") \
@@ -163,7 +164,9 @@ typedef struct
u32 salt;
ipsec_protocol_t protocol;
- u8 __pad[3];
+ tunnel_encap_decap_flags_t tunnel_flags;
+ ip_dscp_t dscp;
+ u8 __pad[1];
/* data accessed by dataplane code should be above this comment */
CLIB_CACHE_LINE_ALIGN_MARK (cacheline2);
@@ -258,6 +261,8 @@ extern int ipsec_sa_add_and_lock (u32 id,
u32 salt,
const ip46_address_t * tunnel_src_addr,
const ip46_address_t * tunnel_dst_addr,
+ tunnel_encap_decap_flags_t tunnel_flags,
+ ip_dscp_t dscp,
u32 * sa_index, u16 src_port, u16 dst_port);
extern index_t ipsec_sa_find_and_lock (u32 id);
extern int ipsec_sa_unlock_id (u32 id);
diff --git a/src/vnet/ipsec/ipsec_types.api b/src/vnet/ipsec/ipsec_types.api
index 715f3de0e12..ca1b3788e64 100644
--- a/src/vnet/ipsec/ipsec_types.api
+++ b/src/vnet/ipsec/ipsec_types.api
@@ -17,6 +17,7 @@
option version = "3.0.0";
import "vnet/ip/ip_types.api";
+import "vnet/tunnel/tunnel_types.api";
/*
* @brief Support cryptographic algorithms
@@ -108,6 +109,8 @@ typedef key
TX. It is ignored for RX.
@param udp_dst_port - If using UDP Encapsulation, use this destination port
for TX. Expect traffic on this port for RX.
+ @param tunnel_flags - Flags controlling the copying of encap/decap value
+ @param dscp - Fixed DSCP vaule for tunnel encap
*/
typedef ipsec_sad_entry
{
@@ -133,6 +136,33 @@ typedef ipsec_sad_entry
u16 udp_dst_port [default=4500];
};
+typedef ipsec_sad_entry_v2
+{
+ u32 sad_id;
+
+ u32 spi;
+
+ vl_api_ipsec_proto_t protocol;
+
+ vl_api_ipsec_crypto_alg_t crypto_algorithm;
+ vl_api_key_t crypto_key;
+
+ vl_api_ipsec_integ_alg_t integrity_algorithm;
+ vl_api_key_t integrity_key;
+
+ vl_api_ipsec_sad_flags_t flags;
+
+ vl_api_address_t tunnel_src;
+ vl_api_address_t tunnel_dst;
+ vl_api_tunnel_encap_decap_flags_t tunnel_flags;
+ vl_api_ip_dscp_t dscp;
+ u32 tx_table_id;
+ u32 salt;
+ u16 udp_src_port [default=4500];
+ u16 udp_dst_port [default=4500];
+};
+
+
/*
* Local Variables:
* eval: (c-set-style "gnu")
diff --git a/src/vnet/tunnel/tunnel_dp.h b/src/vnet/tunnel/tunnel_dp.h
index a00a3b3e222..f84e764f7ea 100644
--- a/src/vnet/tunnel/tunnel_dp.h
+++ b/src/vnet/tunnel/tunnel_dp.h
@@ -34,6 +34,41 @@ tunnel_encap_fixup_4o4 (tunnel_encap_decap_flags_t flags,
}
static_always_inline void
+tunnel_encap_fixup_4o4_w_chksum (tunnel_encap_decap_flags_t flags,
+ const ip4_header_t * inner,
+ ip4_header_t * outer)
+{
+ if (flags & (TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_DSCP |
+ TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_ECN))
+ {
+ ip_csum_t sum = outer->checksum;
+ u8 tos = outer->tos;
+
+ if (flags & TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_DSCP)
+ ip4_header_set_dscp (outer, ip4_header_get_dscp (inner));
+ if (flags & TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_ECN)
+ ip4_header_set_ecn (outer, ip4_header_get_ecn (inner));
+
+ sum =
+ ip_csum_update (outer->checksum, tos, outer->tos, ip4_header_t, tos);
+ outer->checksum = ip_csum_fold (sum);
+ }
+ if ((flags & TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_DF) &&
+ ip4_header_get_df (inner))
+ {
+ ip_csum_t sum = outer->checksum;
+ u16 tos = outer->flags_and_fragment_offset;
+
+ ip4_header_set_df (outer);
+
+ sum =
+ ip_csum_update (outer->checksum, tos, outer->tos, ip4_header_t,
+ flags_and_fragment_offset);
+ outer->checksum = ip_csum_fold (sum);
+ }
+}
+
+static_always_inline void
tunnel_encap_fixup_6o4 (tunnel_encap_decap_flags_t flags,
const ip6_header_t * inner, ip4_header_t * outer)
{
@@ -44,6 +79,28 @@ tunnel_encap_fixup_6o4 (tunnel_encap_decap_flags_t flags,
}
static_always_inline void
+tunnel_encap_fixup_6o4_w_chksum (tunnel_encap_decap_flags_t flags,
+ const ip6_header_t * inner,
+ ip4_header_t * outer)
+{
+ if (flags & (TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_DSCP |
+ TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_ECN))
+ {
+ ip_csum_t sum = outer->checksum;
+ u8 tos = outer->tos;
+
+ if (flags & TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_DSCP)
+ ip4_header_set_dscp (outer, ip6_dscp_network_order (inner));
+ if (flags & TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_ECN)
+ ip4_header_set_ecn (outer, ip6_ecn_network_order ((inner)));
+
+ sum =
+ ip_csum_update (outer->checksum, tos, outer->tos, ip4_header_t, tos);
+ outer->checksum = ip_csum_fold (sum);
+ }
+}
+
+static_always_inline void
tunnel_encap_fixup_6o6 (tunnel_encap_decap_flags_t flags,
const ip6_header_t * inner, ip6_header_t * outer)
{
diff --git a/test/template_ipsec.py b/test/template_ipsec.py
index 532a7a0a189..7bd0b9ec81f 100644
--- a/test/template_ipsec.py
+++ b/test/template_ipsec.py
@@ -49,6 +49,9 @@ class IPsecIPv4Params(object):
self.salt = 0
self.flags = 0
self.nat_header = None
+ self.tun_flags = (VppEnum.vl_api_tunnel_encap_decap_flags_t.
+ TUNNEL_API_ENCAP_DECAP_FLAG_NONE)
+ self.dscp = 0
class IPsecIPv6Params(object):
@@ -85,6 +88,9 @@ class IPsecIPv6Params(object):
self.salt = 0
self.flags = 0
self.nat_header = None
+ self.tun_flags = (VppEnum.vl_api_tunnel_encap_decap_flags_t.
+ TUNNEL_API_ENCAP_DECAP_FLAG_NONE)
+ self.dscp = 0
def mk_scapy_crypt_key(p):
@@ -181,8 +187,10 @@ class TemplateIpsec(VppTestCase):
super(TemplateIpsec, cls).tearDownClass()
def setup_params(self):
- self.ipv4_params = IPsecIPv4Params()
- self.ipv6_params = IPsecIPv6Params()
+ if not hasattr(self, 'ipv4_params'):
+ self.ipv4_params = IPsecIPv4Params()
+ if not hasattr(self, 'ipv6_params'):
+ self.ipv6_params = IPsecIPv6Params()
self.params = {self.ipv4_params.addr_type: self.ipv4_params,
self.ipv6_params.addr_type: self.ipv6_params}
diff --git a/test/test_ipsec_ah.py b/test/test_ipsec_ah.py
index bc539a2bd03..d44492ddd26 100644
--- a/test/test_ipsec_ah.py
+++ b/test/test_ipsec_ah.py
@@ -2,6 +2,10 @@ import socket
import unittest
from scapy.layers.ipsec import AH
+from scapy.layers.inet import IP, UDP
+from scapy.layers.inet6 import IPv6
+from scapy.layers.l2 import Ether
+from scapy.packet import Raw
from framework import VppTestRunner
from template_ipsec import TemplateIpsec, IpsecTra46Tests, IpsecTun46Tests, \
@@ -119,6 +123,7 @@ class ConfigIpsecAH(TemplateIpsec):
addr_any = params.addr_any
addr_bcast = params.addr_bcast
flags = params.flags
+ tun_flags = params.tun_flags
e = VppEnum.vl_api_ipsec_spd_action_t
objs = []
@@ -128,7 +133,9 @@ class ConfigIpsecAH(TemplateIpsec):
self.vpp_ah_protocol,
self.tun_if.local_addr[addr_type],
self.tun_if.remote_addr[addr_type],
- flags=flags)
+ tun_flags=tun_flags,
+ flags=flags,
+ dscp=params.dscp)
params.tun_sa_out = VppIpsecSA(self, vpp_tun_sa_id, vpp_tun_spi,
auth_algo_vpp_id, auth_key,
@@ -136,7 +143,9 @@ class ConfigIpsecAH(TemplateIpsec):
self.vpp_ah_protocol,
self.tun_if.remote_addr[addr_type],
self.tun_if.local_addr[addr_type],
- flags=flags)
+ tun_flags=tun_flags,
+ flags=flags,
+ dscp=params.dscp)
objs.append(params.tun_sa_in)
objs.append(params.tun_sa_out)
@@ -302,6 +311,89 @@ class TestIpsecAh2(TemplateIpsecAh, IpsecTra46Tests, IpsecTun46Tests):
pass
+class TestIpsecAhTun(TemplateIpsecAh, IpsecTun46Tests):
+ """ Ipsec AH - TUN encap tests """
+
+ def setUp(self):
+ self.ipv4_params = IPsecIPv4Params()
+ self.ipv6_params = IPsecIPv6Params()
+
+ c = (VppEnum.vl_api_tunnel_encap_decap_flags_t.
+ TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_DSCP)
+ c1 = c | (VppEnum.vl_api_tunnel_encap_decap_flags_t.
+ TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_ECN)
+
+ self.ipv4_params.tun_flags = c
+ self.ipv6_params.tun_flags = c1
+
+ super(TestIpsecAhTun, self).setUp()
+
+ def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=54):
+ # set the DSCP + ECN - flags are set to copy only DSCP
+ return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
+ IP(src=src, dst=dst, tos=5) /
+ UDP(sport=4444, dport=4444) /
+ Raw(b'X' * payload_size)
+ for i in range(count)]
+
+ def gen_pkts6(self, sw_intf, src, dst, count=1, payload_size=54):
+ # set the DSCP + ECN - flags are set to copy both
+ return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
+ IPv6(src=src, dst=dst, tc=5) /
+ UDP(sport=4444, dport=4444) /
+ Raw(b'X' * payload_size)
+ for i in range(count)]
+
+ def verify_encrypted(self, p, sa, rxs):
+ # just check that only the DSCP is copied
+ for rx in rxs:
+ self.assertEqual(rx[IP].tos, 4)
+
+ def verify_encrypted6(self, p, sa, rxs):
+ # just check that the DSCP & ECN are copied
+ for rx in rxs:
+ self.assertEqual(rx[IPv6].tc, 5)
+
+
+class TestIpsecAhTun2(TemplateIpsecAh, IpsecTun46Tests):
+ """ Ipsec AH - TUN encap tests """
+
+ def setUp(self):
+ self.ipv4_params = IPsecIPv4Params()
+ self.ipv6_params = IPsecIPv6Params()
+
+ self.ipv4_params.dscp = 3
+ self.ipv6_params.dscp = 4
+
+ super(TestIpsecAhTun2, self).setUp()
+
+ def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=54):
+ # set the DSCP + ECN - flags are set to copy only DSCP
+ return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
+ IP(src=src, dst=dst, tos=0) /
+ UDP(sport=4444, dport=4444) /
+ Raw(b'X' * payload_size)
+ for i in range(count)]
+
+ def gen_pkts6(self, sw_intf, src, dst, count=1, payload_size=54):
+ # set the DSCP + ECN - flags are set to copy both
+ return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
+ IPv6(src=src, dst=dst, tc=0) /
+ UDP(sport=4444, dport=4444) /
+ Raw(b'X' * payload_size)
+ for i in range(count)]
+
+ def verify_encrypted(self, p, sa, rxs):
+ # just check that only the DSCP is copied
+ for rx in rxs:
+ self.assertEqual(rx[IP].tos, 0xc)
+
+ def verify_encrypted6(self, p, sa, rxs):
+ # just check that the DSCP & ECN are copied
+ for rx in rxs:
+ self.assertEqual(rx[IPv6].tc, 0x10)
+
+
class TestIpsecAhHandoff(TemplateIpsecAh,
IpsecTun6HandoffTests,
IpsecTun4HandoffTests):
diff --git a/test/test_ipsec_esp.py b/test/test_ipsec_esp.py
index dbd21f1f5fe..78da401ea8a 100644
--- a/test/test_ipsec_esp.py
+++ b/test/test_ipsec_esp.py
@@ -2,6 +2,9 @@ import socket
import unittest
from scapy.layers.ipsec import ESP
from scapy.layers.inet import IP, ICMP, UDP
+from scapy.layers.inet6 import IPv6
+from scapy.layers.l2 import Ether
+from scapy.packet import Raw
from parameterized import parameterized
from framework import VppTestRunner
@@ -107,6 +110,7 @@ class ConfigIpsecESP(TemplateIpsec):
addr_bcast = params.addr_bcast
e = VppEnum.vl_api_ipsec_spd_action_t
flags = params.flags
+ tun_flags = params.tun_flags
salt = params.salt
objs = []
@@ -116,6 +120,8 @@ class ConfigIpsecESP(TemplateIpsec):
self.vpp_esp_protocol,
self.tun_if.local_addr[addr_type],
self.tun_if.remote_addr[addr_type],
+ tun_flags=tun_flags,
+ dscp=params.dscp,
flags=flags,
salt=salt)
params.tun_sa_out = VppIpsecSA(self, vpp_tun_sa_id, vpp_tun_spi,
@@ -124,6 +130,8 @@ class ConfigIpsecESP(TemplateIpsec):
self.vpp_esp_protocol,
self.tun_if.remote_addr[addr_type],
self.tun_if.local_addr[addr_type],
+ tun_flags=tun_flags,
+ dscp=params.dscp,
flags=flags,
salt=salt)
objs.append(params.tun_sa_in)
@@ -368,6 +376,91 @@ class TestIpsecEsp1(TemplateIpsecEsp, IpsecTra46Tests,
self.tun4_encrypt_node_name = old_name
+class TestIpsecEspTun(TemplateIpsecEsp, IpsecTun46Tests):
+ """ Ipsec ESP - TUN encap tests """
+
+ def setUp(self):
+ self.ipv4_params = IPsecIPv4Params()
+ self.ipv6_params = IPsecIPv6Params()
+
+ c = (VppEnum.vl_api_tunnel_encap_decap_flags_t.
+ TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_DSCP)
+ c1 = c | (VppEnum.vl_api_tunnel_encap_decap_flags_t.
+ TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_ECN)
+
+ self.ipv4_params.tun_flags = c
+ self.ipv6_params.tun_flags = c1
+
+ super(TestIpsecEspTun, self).setUp()
+
+ def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=54):
+ # set the DSCP + ECN - flags are set to copy only DSCP
+ return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
+ IP(src=src, dst=dst, tos=5) /
+ UDP(sport=4444, dport=4444) /
+ Raw(b'X' * payload_size)
+ for i in range(count)]
+
+ def gen_pkts6(self, sw_intf, src, dst, count=1, payload_size=54):
+ # set the DSCP + ECN - flags are set to copy both
+ return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
+ IPv6(src=src, dst=dst, tc=5) /
+ UDP(sport=4444, dport=4444) /
+ Raw(b'X' * payload_size)
+ for i in range(count)]
+
+ def verify_encrypted(self, p, sa, rxs):
+ # just check that only the DSCP is copied
+ for rx in rxs:
+ self.assertEqual(rx[IP].tos, 4)
+
+ def verify_encrypted6(self, p, sa, rxs):
+ # just check that the DSCP & ECN are copied
+ for rx in rxs:
+ self.assertEqual(rx[IPv6].tc, 5)
+
+
+class TestIpsecEspTun2(TemplateIpsecEsp, IpsecTun46Tests):
+ """ Ipsec ESP - TUN DSCP tests """
+
+ def setUp(self):
+ self.ipv4_params = IPsecIPv4Params()
+ self.ipv6_params = IPsecIPv6Params()
+
+ self.ipv4_params.dscp = VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF
+ self.ipv6_params.dscp = VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_AF11
+
+ super(TestIpsecEspTun2, self).setUp()
+
+ def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=54):
+ # set the DSCP + ECN - flags are set to copy only DSCP
+ return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
+ IP(src=src, dst=dst) /
+ UDP(sport=4444, dport=4444) /
+ Raw(b'X' * payload_size)
+ for i in range(count)]
+
+ def gen_pkts6(self, sw_intf, src, dst, count=1, payload_size=54):
+ # set the DSCP + ECN - flags are set to copy both
+ return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
+ IPv6(src=src, dst=dst) /
+ UDP(sport=4444, dport=4444) /
+ Raw(b'X' * payload_size)
+ for i in range(count)]
+
+ def verify_encrypted(self, p, sa, rxs):
+ # just check that only the DSCP is copied
+ for rx in rxs:
+ self.assertEqual(rx[IP].tos,
+ VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF << 2)
+
+ def verify_encrypted6(self, p, sa, rxs):
+ # just check that the DSCP & ECN are copied
+ for rx in rxs:
+ self.assertEqual(rx[IPv6].tc,
+ VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_AF11 << 2)
+
+
class TestIpsecEsp2(TemplateIpsecEsp, IpsecTcpTests):
""" Ipsec ESP - TCP tests """
pass
diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py
index fb31f221aed..ba421694d60 100644
--- a/test/test_ipsec_tun_if_esp.py
+++ b/test/test_ipsec_tun_if_esp.py
@@ -2841,6 +2841,8 @@ class TestIpsecMIfEsp4(TemplateIpsec, IpsecTun4):
def verify_encrypted(self, p, sa, rxs):
for rx in rxs:
try:
+ self.assertEqual(rx[IP].tos,
+ VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF << 2)
pkt = sa.decrypt(rx[IP])
if not pkt.haslayer(IP):
pkt = IP(pkt[Raw].load)
@@ -2887,20 +2889,24 @@ class TestIpsecMIfEsp4(TemplateIpsec, IpsecTun4):
p.scapy_tra_spi = p.scapy_tra_spi + ii
p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii
p.vpp_tra_spi = p.vpp_tra_spi + ii
- p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
- p.auth_algo_vpp_id, p.auth_key,
- p.crypt_algo_vpp_id, p.crypt_key,
- self.vpp_esp_protocol,
- self.pg0.local_ip4,
- self.pg0.remote_hosts[ii].ip4)
+ p.tun_sa_out = VppIpsecSA(
+ self, p.scapy_tun_sa_id, p.scapy_tun_spi,
+ p.auth_algo_vpp_id, p.auth_key,
+ p.crypt_algo_vpp_id, p.crypt_key,
+ self.vpp_esp_protocol,
+ self.pg0.local_ip4,
+ self.pg0.remote_hosts[ii].ip4,
+ dscp=VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF)
p.tun_sa_out.add_vpp_config()
- p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
- p.auth_algo_vpp_id, p.auth_key,
- p.crypt_algo_vpp_id, p.crypt_key,
- self.vpp_esp_protocol,
- self.pg0.remote_hosts[ii].ip4,
- self.pg0.local_ip4)
+ p.tun_sa_in = VppIpsecSA(
+ self, p.vpp_tun_sa_id, p.vpp_tun_spi,
+ p.auth_algo_vpp_id, p.auth_key,
+ p.crypt_algo_vpp_id, p.crypt_key,
+ self.vpp_esp_protocol,
+ self.pg0.remote_hosts[ii].ip4,
+ self.pg0.local_ip4,
+ dscp=VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF)
p.tun_sa_in.add_vpp_config()
p.tun_protect = VppIpsecTunProtect(
diff --git a/test/vpp_ipsec.py b/test/vpp_ipsec.py
index 479870621e0..d7ed8564fc4 100644
--- a/test/vpp_ipsec.py
+++ b/test/vpp_ipsec.py
@@ -192,8 +192,9 @@ class VppIpsecSA(VppObject):
crypto_alg, crypto_key,
proto,
tun_src=None, tun_dst=None,
- flags=None, salt=0, udp_src=None,
- udp_dst=None):
+ flags=None, salt=0, tun_flags=None,
+ dscp=None,
+ udp_src=None, udp_dst=None):
e = VppEnum.vl_api_ipsec_sad_flags_t
self.test = test
self.id = id
@@ -220,6 +221,13 @@ class VppIpsecSA(VppObject):
self.tun_dst = ip_address(text_type(tun_dst))
self.udp_src = udp_src
self.udp_dst = udp_dst
+ self.tun_flags = (VppEnum.vl_api_tunnel_encap_decap_flags_t.
+ TUNNEL_API_ENCAP_DECAP_FLAG_NONE)
+ if tun_flags:
+ self.tun_flags = tun_flags
+ self.dscp = VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_CS0
+ if dscp:
+ self.dscp = dscp
def add_vpp_config(self):
entry = {
@@ -238,6 +246,8 @@ class VppIpsecSA(VppObject):
'protocol': self.proto,
'tunnel_src': (self.tun_src if self.tun_src else []),
'tunnel_dst': (self.tun_dst if self.tun_dst else []),
+ 'tunnel_flags': self.tun_flags,
+ 'dscp': self.dscp,
'flags': self.flags,
'salt': self.salt
}
@@ -246,12 +256,12 @@ class VppIpsecSA(VppObject):
entry['udp_src_port'] = self.udp_src
if self.udp_dst:
entry['udp_dst_port'] = self.udp_dst
- r = self.test.vapi.ipsec_sad_entry_add_del(is_add=1, entry=entry)
+ r = self.test.vapi.ipsec_sad_entry_add_del_v2(is_add=1, entry=entry)
self.stat_index = r.stat_index
self.test.registry.register(self, self.test.logger)
def remove_vpp_config(self):
- r = self.test.vapi.ipsec_sad_entry_add_del(
+ r = self.test.vapi.ipsec_sad_entry_add_del_v2(
is_add=0,
entry={
'sad_id': self.id,
@@ -279,7 +289,7 @@ class VppIpsecSA(VppObject):
def query_vpp_config(self):
e = VppEnum.vl_api_ipsec_sad_flags_t
- bs = self.test.vapi.ipsec_sa_dump()
+ bs = self.test.vapi.ipsec_sa_v2_dump()
for b in bs:
if b.entry.sad_id == self.id:
# if udp encap is configured then the ports should match
diff --git a/test/vpp_papi_provider.py b/test/vpp_papi_provider.py
index ec2f222b540..6e5ebc25fb4 100644
--- a/test/vpp_papi_provider.py
+++ b/test/vpp_papi_provider.py
@@ -946,10 +946,6 @@ class VppPapiProvider(object):
{'spd_index': spd_index if spd_index else 0,
'spd_index_valid': 1 if spd_index else 0})
- def ipsec_sa_dump(self, sa_id=None):
- return self.api(self.papi.ipsec_sa_dump,
- {'sa_id': sa_id if sa_id else 0xffffffff})
-
def ipsec_spd_entry_add_del(self,
spd_id,
sa_id,