author | Neale Ranns <nranns@cisco.com> | 2019-12-16 00:53:11 +0000 |
committer | Damjan Marion <dmarion@me.com> | 2020-02-21 09:54:19 +0000 |
commit | 282872127bbeee6ae59ab3f885c09bad601ee0cc (patch) | |
tree | 4f1ef8243b194ca8bf6f1acd62ba4a7d688d371e /test | |
parent | d057625d499525625d60d2207665eaeb755e380e (diff) |
ipsec: IPSec protection for multi-point tunnel interfaces
Type: feature
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: Iaba2ab11bfaa1c8db4023434e3043ac39500f938
Diffstat (limited to 'test')
-rw-r--r-- | test/template_ipsec.py | 65 | ||||
-rw-r--r-- | test/test_gre.py | 14 | ||||
-rw-r--r-- | test/test_ipip.py | 8 | ||||
-rw-r--r-- | test/test_ipsec_tun_if_esp.py | 297 | ||||
-rw-r--r-- | test/vpp_ipsec.py | 19 | ||||
-rw-r--r-- | test/vpp_teib.py | 5 |
6 files changed, 352 insertions, 56 deletions
diff --git a/test/template_ipsec.py b/test/template_ipsec.py index 56f4b456468..5a700e89f6f 100644 --- a/test/template_ipsec.py +++ b/test/template_ipsec.py @@ -27,14 +27,14 @@ class IPsecIPv4Params(object): self.remote_tun_if_host = '1.1.1.1' self.remote_tun_if_host6 = '1111::1' - self.scapy_tun_sa_id = 10 + self.scapy_tun_sa_id = 100 self.scapy_tun_spi = 1001 - self.vpp_tun_sa_id = 20 + self.vpp_tun_sa_id = 200 self.vpp_tun_spi = 1000 - self.scapy_tra_sa_id = 30 + self.scapy_tra_sa_id = 300 self.scapy_tra_spi = 2001 - self.vpp_tra_sa_id = 40 + self.vpp_tra_sa_id = 400 self.vpp_tra_spi = 2000 self.auth_algo_vpp_id = (VppEnum.vl_api_ipsec_integ_alg_t. @@ -63,14 +63,14 @@ class IPsecIPv6Params(object): self.remote_tun_if_host = '1111:1111:1111:1111:1111:1111:1111:1111' self.remote_tun_if_host4 = '1.1.1.1' - self.scapy_tun_sa_id = 50 + self.scapy_tun_sa_id = 500 self.scapy_tun_spi = 3001 - self.vpp_tun_sa_id = 60 + self.vpp_tun_sa_id = 600 self.vpp_tun_spi = 3000 - self.scapy_tra_sa_id = 70 + self.scapy_tra_sa_id = 700 self.scapy_tra_spi = 4001 - self.vpp_tra_sa_id = 80 + self.vpp_tra_sa_id = 800 self.vpp_tra_spi = 4000 self.auth_algo_vpp_id = (VppEnum.vl_api_ipsec_integ_alg_t. @@ -224,14 +224,14 @@ class TemplateIpsec(VppTestCase): def show_commands_at_teardown(self): self.logger.info(self.vapi.cli("show hardware")) - def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1, + def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=54): return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / sa.encrypt(IP(src=src, dst=dst) / ICMP() / Raw(b'X' * payload_size)) for i in range(count)] - def gen_encrypt_pkts6(self, sa, sw_intf, src, dst, count=1, + def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1, payload_size=54): return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / sa.encrypt(IPv6(src=src, dst=dst) / 
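Review bot: The `p` argument added to the base gen_encrypt_pkts and gen_encrypt_pkts6 is never read by either body, and nothing tells a reader that it exists only so subclass overrides can consult per-peer parameters; a docstring on both would settle that, e.g. `"""Encrypt `count` ICMP packets with scapy SA `sa`; `p` is the per-peer params, unused here but consulted by overrides (e.g. multi-point tunnels)."""`. Since every override in test_ipsec_tun_if_esp.py had to change signature in the same commit, a `p=None` default would also have let call sites migrate one at a time, though with all callers already updated that is only a matter of taste.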
@@ -562,7 +562,7 @@ class IpsecTra4(object): self.vapi.cli("clear ipsec sa") try: p = self.params[socket.AF_INET] - send_pkts = self.gen_encrypt_pkts(p.scapy_tra_sa, self.tra_if, + send_pkts = self.gen_encrypt_pkts(p, p.scapy_tra_sa, self.tra_if, src=self.tra_if.remote_ip4, dst=self.tra_if.local_ip4, count=count, @@ -617,7 +617,7 @@ class IpsecTra6(object): self.vapi.cli("clear ipsec sa") try: p = self.params[socket.AF_INET6] - send_pkts = self.gen_encrypt_pkts6(p.scapy_tra_sa, self.tra_if, + send_pkts = self.gen_encrypt_pkts6(p, p.scapy_tra_sa, self.tra_if, src=self.tra_if.remote_ip6, dst=self.tra_if.local_ip6, count=count, @@ -831,10 +831,11 @@ class IpsecTun4(object): def verify_tun_44(self, p, count=1, payload_size=64, n_rx=None): self.vapi.cli("clear errors") self.vapi.cli("clear ipsec counters") + self.vapi.cli("clear ipsec sa") if not n_rx: n_rx = count try: - send_pkts = self.gen_encrypt_pkts(p.scapy_tun_sa, self.tun_if, + send_pkts = self.gen_encrypt_pkts(p, p.scapy_tun_sa, self.tun_if, src=p.remote_tun_if_host, dst=self.pg1.remote_ip4, count=count, 
@@ -861,13 +862,33 @@ class IpsecTun4(object): self.logger.info(self.vapi.ppcli("show ipsec sa 4")) self.verify_counters4(p, count, n_rx) + def verify_tun_dropped_44(self, p, count=1, payload_size=64, n_rx=None): + self.vapi.cli("clear errors") + if not n_rx: + n_rx = count + try: + send_pkts = self.gen_encrypt_pkts(p, p.scapy_tun_sa, self.tun_if, + src=p.remote_tun_if_host, + dst=self.pg1.remote_ip4, + count=count) + self.send_and_assert_no_replies(self.tun_if, send_pkts) + + send_pkts = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4, + dst=p.remote_tun_if_host, count=count, + payload_size=payload_size) + self.send_and_assert_no_replies(self.pg1, send_pkts) + + finally: + self.logger.info(self.vapi.ppcli("show error")) + self.logger.info(self.vapi.ppcli("show ipsec all")) + def verify_tun_reass_44(self, p): self.vapi.cli("clear errors") self.vapi.ip_reassembly_enable_disable( sw_if_index=self.tun_if.sw_if_index, enable_ip4=True) try: - send_pkts = self.gen_encrypt_pkts(p.scapy_tun_sa, self.tun_if, + send_pkts = self.gen_encrypt_pkts(p, p.scapy_tun_sa, self.tun_if, src=p.remote_tun_if_host, dst=self.pg1.remote_ip4, payload_size=1900, @@ -894,7 +915,7 @@ class IpsecTun4(object): def verify_tun_64(self, p, count=1): self.vapi.cli("clear errors") try: - send_pkts = self.gen_encrypt_pkts6(p.scapy_tun_sa, self.tun_if, + send_pkts = self.gen_encrypt_pkts6(p, p.scapy_tun_sa, self.tun_if, src=p.remote_tun_if_host6, dst=self.pg1.remote_ip6, count=count) @@ -1011,7 +1032,8 @@ class IpsecTun6(object): self.vapi.cli("clear errors") self.vapi.cli("clear ipsec sa") - send_pkts = self.gen_encrypt_pkts6(p_in.scapy_tun_sa, self.tun_if, + send_pkts = self.gen_encrypt_pkts6(p_in, p_in.scapy_tun_sa, + self.tun_if, src=p_in.remote_tun_if_host, dst=self.pg1.remote_ip6, count=count) 
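Review bot: verify_tun_dropped_44 establishes only that no packet came out, which cannot distinguish the intended "no TEIB entry, so drop" from a packet that was decrypted and then lost for an unrelated reason, or one that was forwarded somewhere other than pg1; since the method already clears the error counters, the stronger check is to assert the specific drop counter after the two sends (take the node and error name from `show errors` on a run with the entry removed rather than guessing it). Two smaller things in the same method: `n_rx` is computed but never used, and `payload_size` reaches gen_pkts but not gen_encrypt_pkts, unlike verify_tun_44 just above, which looks accidental. A one-line docstring stating the contract — both directions are expected to be dropped while the peer is unresolved — would make the intent explicit.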
@@ -1024,7 +1046,8 @@ class IpsecTun6(object): if not p_out: p_out = p_in try: - send_pkts = self.gen_encrypt_pkts6(p_in.scapy_tun_sa, self.tun_if, + send_pkts = self.gen_encrypt_pkts6(p_in, p_in.scapy_tun_sa, + self.tun_if, src=p_in.remote_tun_if_host, dst=self.pg1.remote_ip6, count=count, @@ -1054,7 +1077,7 @@ class IpsecTun6(object): sw_if_index=self.tun_if.sw_if_index, enable_ip6=True) try: - send_pkts = self.gen_encrypt_pkts6(p.scapy_tun_sa, self.tun_if, + send_pkts = self.gen_encrypt_pkts6(p, p.scapy_tun_sa, self.tun_if, src=p.remote_tun_if_host, dst=self.pg1.remote_ip6, count=1, @@ -1082,7 +1105,7 @@ class IpsecTun6(object): """ ipsec 4o6 tunnel basic test """ self.vapi.cli("clear errors") try: - send_pkts = self.gen_encrypt_pkts(p.scapy_tun_sa, self.tun_if, + send_pkts = self.gen_encrypt_pkts(p, p.scapy_tun_sa, self.tun_if, src=p.remote_tun_if_host4, dst=self.pg1.remote_ip4, count=count) @@ -1145,7 +1168,7 @@ class IpsecTun6HandoffTests(IpsecTun6): # inject alternately on worker 0 and 1. all counts on the SA # should be against worker 0 for worker in [0, 1, 0, 1]: - send_pkts = self.gen_encrypt_pkts6(p.scapy_tun_sa, self.tun_if, + send_pkts = self.gen_encrypt_pkts6(p, p.scapy_tun_sa, self.tun_if, src=p.remote_tun_if_host, dst=self.pg1.remote_ip6, count=N_PKTS) @@ -1176,7 +1199,7 @@ class IpsecTun4HandoffTests(IpsecTun4): # inject alternately on worker 0 and 1. all counts on the SA # should be against worker 0 for worker in [0, 1, 0, 1]: - send_pkts = self.gen_encrypt_pkts(p.scapy_tun_sa, self.tun_if, + send_pkts = self.gen_encrypt_pkts(p, p.scapy_tun_sa, self.tun_if, src=p.remote_tun_if_host, dst=self.pg1.remote_ip4, count=N_PKTS) diff --git a/test/test_gre.py b/test/test_gre.py index 386d5dacabc..74dd5edcb08 100644 --- a/test/test_gre.py +++ b/test/test_gre.py 
@@ -12,7 +12,7 @@ from scapy.volatile import RandMAC, RandIP from framework import VppTestCase, VppTestRunner from vpp_sub_interface import L2_VTR_OP, VppDot1QSubint from vpp_gre_interface import VppGreInterface -from vpp_teib import VppNhrp +from vpp_teib import VppTeib from vpp_ip import DpoProto from vpp_ip_route import VppIpRoute, VppRoutePath, VppIpTable, FibPathProto from util import ppp, ppc @@ -1067,9 +1067,9 @@ class TestGRE(VppTestCase): route_via_tun.add_vpp_config() # - # Add a NHRP entry resolves the peer + # Add a TEIB entry resolves the peer # - teib = VppNhrp(self, gre_if, + teib = VppTeib(self, gre_if, gre_if._remote_hosts[ii].ip4, itf._remote_hosts[ii].ip4) teib.add_vpp_config() @@ -1093,7 +1093,7 @@ class TestGRE(VppTestCase): self.verify_decapped_4o4(self.pg0, rx, tx_i) # - # delete and re-add the NHRP + # delete and re-add the TEIB # teib.remove_vpp_config() self.send_and_assert_no_replies(self.pg0, tx_e) @@ -1152,9 +1152,9 @@ class TestGRE(VppTestCase): route_addr = "4::%d" % ii # - # Add a NHRP entry resolves the peer + # Add a TEIB entry resolves the peer # - teib = VppNhrp(self, gre_if, + teib = VppTeib(self, gre_if, gre_if._remote_hosts[ii].ip6, itf._remote_hosts[ii].ip6) teib.add_vpp_config() @@ -1188,7 +1188,7 @@ class TestGRE(VppTestCase): self.verify_decapped_6o6(self.pg0, rx, tx_i) # - # delete and re-add the NHRP + # delete and re-add the TEIB # teib.remove_vpp_config() self.send_and_assert_no_replies(self.pg0, tx_e) diff --git a/test/test_ipip.py b/test/test_ipip.py index 1cc4a7df803..04034874ddd 100644 --- a/test/test_ipip.py +++ b/test/test_ipip.py @@ -8,7 +8,7 @@ from framework import VppTestCase, VppTestRunner from vpp_ip import DpoProto from vpp_ip_route import VppIpRoute, VppRoutePath, VppIpTable, FibPathProto from vpp_ipip_tun_interface import VppIpIpTunInterface -from vpp_teib import VppNhrp +from vpp_teib import VppTeib from vpp_papi import VppEnum from socket import AF_INET, AF_INET6, inet_pton from util import reassemble4 
@@ -528,9 +528,9 @@ class TestIPIP(VppTestCase): route_via_tun.add_vpp_config() # - # Add a NHRP entry resolves the peer + # Add a TEIB entry resolves the peer # - teib = VppNhrp(self, ipip_if, + teib = VppTeib(self, ipip_if, ipip_if._remote_hosts[ii].ip4, itf._remote_hosts[ii].ip4) teib.add_vpp_config() @@ -566,7 +566,7 @@ class TestIPIP(VppTestCase): rx = self.send_and_expect(self.pg0, tx_i, self.pg0) # - # delete and re-add the NHRP + # delete and re-add the TEIB # teib.remove_vpp_config() self.send_and_assert_no_replies(self.pg0, tx_e) diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py index 57c90f93ca8..55e85b1a4b2 100644 --- a/test/test_ipsec_tun_if_esp.py +++ b/test/test_ipsec_tun_if_esp.py @@ -18,6 +18,7 @@ from vpp_ip_route import VppIpRoute, VppRoutePath, DpoProto from vpp_ipsec import VppIpsecSA, VppIpsecTunProtect from vpp_l2 import VppBridgeDomain, VppBridgeDomainPort from vpp_sub_interface import L2_VTR_OP, VppDot1QSubint +from vpp_teib import VppTeib from util import ppp from vpp_papi import VppEnum @@ -344,7 +345,7 @@ class TestIpsec4MultiTunIfEsp(TemplateIpsec, IpsecTun4): """ Round-robin packets acrros multiple interface """ tx = [] for p in self.multi_params: - tx = tx + self.gen_encrypt_pkts(p.scapy_tun_sa, self.tun_if, + tx = tx + self.gen_encrypt_pkts(p, p.scapy_tun_sa, self.tun_if, src=p.remote_tun_if_host, dst=self.pg1.remote_ip4) rxs = self.send_and_expect(self.tun_if, tx, self.pg1) @@ -681,7 +682,7 @@ class TestIpsecGreTebIfEsp(TemplateIpsec, encryption_type = ESP omac = "00:11:22:33:44:55" - def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1, + def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100): return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / sa.encrypt(IP(src=self.pg0.remote_ip4, 
@@ -775,6 +776,8 @@ class TestIpsecGreTebIfEsp(TemplateIpsec, VppBridgeDomainPort(self, bd1, self.pg1).add_vpp_config() self.vapi.cli("clear ipsec sa") + self.vapi.cli("sh adj") + self.vapi.cli("sh ipsec tun") def tearDown(self): p = self.ipv4_params @@ -790,7 +793,7 @@ class TestIpsecGreTebVlanIfEsp(TemplateIpsec, encryption_type = ESP omac = "00:11:22:33:44:55" - def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1, + def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100): return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / sa.encrypt(IP(src=self.pg0.remote_ip4, @@ -910,7 +913,7 @@ class TestIpsecGreTebIfEspTra(TemplateIpsec, encryption_type = ESP omac = "00:11:22:33:44:55" - def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1, + def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100): return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / sa.encrypt(IP(src=self.pg0.remote_ip4, @@ -1014,7 +1017,7 @@ class TestIpsecGreIfEsp(TemplateIpsec, tun4_decrypt_node_name = "esp4-decrypt-tun" encryption_type = ESP - def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1, + def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100): return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / sa.encrypt(IP(src=self.pg0.remote_ip4, @@ -1117,7 +1120,7 @@ class TestIpsecGreIfEspTra(TemplateIpsec, tun4_decrypt_node_name = "esp4-decrypt-tun" encryption_type = ESP - def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1, + def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100): return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / sa.encrypt(IP(src=self.pg0.remote_ip4, @@ -1177,9 +1180,6 @@ class TestIpsecGreIfEspTra(TemplateIpsec, p = self.ipv4_params - bd1 = VppBridgeDomain(self, 1) - bd1.add_vpp_config() - p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi, p.auth_algo_vpp_id, p.auth_key, p.crypt_algo_vpp_id, p.crypt_key, 
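Review bot: The two new `self.vapi.cli("sh adj")` and `self.vapi.cli("sh ipsec tun")` calls at the end of setUp discard their return value, so they neither influence the test nor leave anything in the log; this reads as debugging residue. Either drop them or wrap them the way the rest of the file does, `self.logger.info(self.vapi.cli("sh ipsec tun"))`, so the output is actually captured when a run fails. The body of setUp starts outside the hunk.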
@@ -1234,7 +1234,7 @@ class TestIpsecGre6IfEspTra(TemplateIpsec, tun6_decrypt_node_name = "esp6-decrypt-tun" encryption_type = ESP - def gen_encrypt_pkts6(self, sa, sw_intf, src, dst, count=1, + def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1, payload_size=100): return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / sa.encrypt(IPv6(src=self.pg0.remote_ip6, 
@@ -1326,6 +1326,271 @@ class TestIpsecGre6IfEspTra(TemplateIpsec, super(TestIpsecGre6IfEspTra, self).tearDown() +class TestIpsecMGreIfEspTra4(TemplateIpsec, IpsecTun4): + """ Ipsec mGRE ESP v4 TRA tests """ + tun4_encrypt_node_name = "esp4-encrypt-tun" + tun4_decrypt_node_name = "esp4-decrypt-tun" + encryption_type = ESP + + def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, + payload_size=100): + return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / + sa.encrypt(IP(src=p.tun_dst, + dst=self.pg0.local_ip4) / + GRE() / + IP(src=self.pg1.local_ip4, + dst=self.pg1.remote_ip4) / + UDP(sport=1144, dport=2233) / + Raw(b'X' * payload_size)) + for i in range(count)] + + def gen_pkts(self, sw_intf, src, dst, count=1, + payload_size=100): + return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / + IP(src="1.1.1.1", dst=dst) / + UDP(sport=1144, dport=2233) / + Raw(b'X' * payload_size) + for i in range(count)] + + def verify_decrypted(self, p, rxs): + for rx in rxs: + self.assert_equal(rx[Ether].dst, self.pg1.remote_mac) + self.assert_equal(rx[IP].dst, self.pg1.remote_ip4) + + def verify_encrypted(self, p, sa, rxs): + for rx in rxs: + try: + pkt = sa.decrypt(rx[IP]) + if not pkt.haslayer(IP): + pkt = IP(pkt[Raw].load) + self.assert_packet_checksums_valid(pkt) + self.assertTrue(pkt.haslayer(GRE)) + e = pkt[GRE] + self.assertEqual(e[IP].dst, p.remote_tun_if_host) + except (IndexError, AssertionError): + self.logger.debug(ppp("Unexpected packet:", rx)) + try: + self.logger.debug(ppp("Decrypted packet:", pkt)) + except: + pass + raise + + def setUp(self): + super(TestIpsecMGreIfEspTra4, self).setUp() + + N_NHS = 16 + self.tun_if = self.pg0 + p = self.ipv4_params + p.tun_if = VppGreInterface(self, + self.pg0.local_ip4, + "0.0.0.0", + mode=(VppEnum.vl_api_tunnel_mode_t. 
+ TUNNEL_API_MODE_MP)) + p.tun_if.add_vpp_config() + p.tun_if.admin_up() + p.tun_if.config_ip4() + p.tun_if.generate_remote_hosts(N_NHS) + self.pg0.generate_remote_hosts(N_NHS) + self.pg0.configure_ipv4_neighbors() + + # setup some SAs for several next-hops on the interface + self.multi_params = [] + + for ii in range(N_NHS): + p = copy.copy(self.ipv4_params) + + p.remote_tun_if_host = "1.1.1.%d" % (ii + 1) + p.scapy_tun_sa_id = p.scapy_tun_sa_id + ii + p.scapy_tun_spi = p.scapy_tun_spi + ii + p.vpp_tun_sa_id = p.vpp_tun_sa_id + ii + p.vpp_tun_spi = p.vpp_tun_spi + ii + + p.scapy_tra_sa_id = p.scapy_tra_sa_id + ii + p.scapy_tra_spi = p.scapy_tra_spi + ii + p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii + p.vpp_tra_spi = p.vpp_tra_spi + ii + p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi, + p.auth_algo_vpp_id, p.auth_key, + p.crypt_algo_vpp_id, p.crypt_key, + self.vpp_esp_protocol) + p.tun_sa_out.add_vpp_config() + + p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi, + p.auth_algo_vpp_id, p.auth_key, + p.crypt_algo_vpp_id, p.crypt_key, + self.vpp_esp_protocol) + p.tun_sa_in.add_vpp_config() + + p.tun_protect = VppIpsecTunProtect( + self, + p.tun_if, + p.tun_sa_out, + [p.tun_sa_in], + nh=p.tun_if.remote_hosts[ii].ip4) + p.tun_protect.add_vpp_config() + config_tra_params(p, self.encryption_type, p.tun_if) + self.multi_params.append(p) + + VppIpRoute(self, p.remote_tun_if_host, 32, + [VppRoutePath(p.tun_if.remote_hosts[ii].ip4, + p.tun_if.sw_if_index)]).add_vpp_config() + + # in this v4 variant add the teibs after the protect + p.teib = VppTeib(self, p.tun_if, + p.tun_if.remote_hosts[ii].ip4, + self.pg0.remote_hosts[ii].ip4).add_vpp_config() + p.tun_dst = self.pg0.remote_hosts[ii].ip4 + self.logger.info(self.vapi.cli("sh ipsec protect-hash")) + + def tearDown(self): + p = self.ipv4_params + p.tun_if.unconfig_ip4() + super(TestIpsecMGreIfEspTra4, self).tearDown() + + def test_tun_44(self): + """mGRE IPSEC 44""" + N_PKTS = 63 + for p in 
self.multi_params: + self.verify_tun_44(p, count=N_PKTS) + p.teib.remove_vpp_config() + self.verify_tun_dropped_44(p, count=N_PKTS) + p.teib.add_vpp_config() + self.verify_tun_44(p, count=N_PKTS) + + +class TestIpsecMGreIfEspTra6(TemplateIpsec, IpsecTun6): + """ Ipsec mGRE ESP v6 TRA tests """ + tun6_encrypt_node_name = "esp6-encrypt-tun" + tun6_decrypt_node_name = "esp6-decrypt-tun" + encryption_type = ESP + + def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1, + payload_size=100): + return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / + sa.encrypt(IPv6(src=p.tun_dst, + dst=self.pg0.local_ip6) / + GRE() / + IPv6(src=self.pg1.local_ip6, + dst=self.pg1.remote_ip6) / + UDP(sport=1144, dport=2233) / + Raw(b'X' * payload_size)) + for i in range(count)] + + def gen_pkts6(self, sw_intf, src, dst, count=1, + payload_size=100): + return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / + IPv6(src="1::1", dst=dst) / + UDP(sport=1144, dport=2233) / + Raw(b'X' * payload_size) + for i in range(count)] + + def verify_decrypted6(self, p, rxs): + for rx in rxs: + self.assert_equal(rx[Ether].dst, self.pg1.remote_mac) + self.assert_equal(rx[IPv6].dst, self.pg1.remote_ip6) + + def verify_encrypted6(self, p, sa, rxs): + for rx in rxs: + try: + pkt = sa.decrypt(rx[IPv6]) + if not pkt.haslayer(IPv6): + pkt = IPv6(pkt[Raw].load) + self.assert_packet_checksums_valid(pkt) + self.assertTrue(pkt.haslayer(GRE)) + e = pkt[GRE] + self.assertEqual(e[IPv6].dst, p.remote_tun_if_host) + except (IndexError, AssertionError): + self.logger.debug(ppp("Unexpected packet:", rx)) + try: + self.logger.debug(ppp("Decrypted packet:", pkt)) + except: + pass + raise + + def setUp(self): + super(TestIpsecMGreIfEspTra6, self).setUp() + + self.vapi.cli("set logging class ipsec level debug") + + N_NHS = 16 + self.tun_if = self.pg0 + p = self.ipv6_params + p.tun_if = VppGreInterface(self, + self.pg0.local_ip6, + "::", + mode=(VppEnum.vl_api_tunnel_mode_t. 
+ TUNNEL_API_MODE_MP)) + p.tun_if.add_vpp_config() + p.tun_if.admin_up() + p.tun_if.config_ip6() + p.tun_if.generate_remote_hosts(N_NHS) + self.pg0.generate_remote_hosts(N_NHS) + self.pg0.configure_ipv6_neighbors() + + # setup some SAs for several next-hops on the interface + self.multi_params = [] + + for ii in range(N_NHS): + p = copy.copy(self.ipv6_params) + + p.remote_tun_if_host = "1::%d" % (ii + 1) + p.scapy_tun_sa_id = p.scapy_tun_sa_id + ii + p.scapy_tun_spi = p.scapy_tun_spi + ii + p.vpp_tun_sa_id = p.vpp_tun_sa_id + ii + p.vpp_tun_spi = p.vpp_tun_spi + ii + + p.scapy_tra_sa_id = p.scapy_tra_sa_id + ii + p.scapy_tra_spi = p.scapy_tra_spi + ii + p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii + p.vpp_tra_spi = p.vpp_tra_spi + ii + p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi, + p.auth_algo_vpp_id, p.auth_key, + p.crypt_algo_vpp_id, p.crypt_key, + self.vpp_esp_protocol) + p.tun_sa_out.add_vpp_config() + + p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi, + p.auth_algo_vpp_id, p.auth_key, + p.crypt_algo_vpp_id, p.crypt_key, + self.vpp_esp_protocol) + p.tun_sa_in.add_vpp_config() + + # in this v6 variant add the teibs first then the protection + p.tun_dst = self.pg0.remote_hosts[ii].ip6 + VppTeib(self, p.tun_if, + p.tun_if.remote_hosts[ii].ip6, + p.tun_dst).add_vpp_config() + + p.tun_protect = VppIpsecTunProtect( + self, + p.tun_if, + p.tun_sa_out, + [p.tun_sa_in], + nh=p.tun_if.remote_hosts[ii].ip6) + p.tun_protect.add_vpp_config() + config_tra_params(p, self.encryption_type, p.tun_if) + self.multi_params.append(p) + + VppIpRoute(self, p.remote_tun_if_host, 128, + [VppRoutePath(p.tun_if.remote_hosts[ii].ip6, + p.tun_if.sw_if_index)]).add_vpp_config() + p.tun_dst = self.pg0.remote_hosts[ii].ip6 + + self.logger.info(self.vapi.cli("sh log")) + self.logger.info(self.vapi.cli("sh ipsec protect-hash")) + self.logger.info(self.vapi.cli("sh adj 41")) + + def tearDown(self): + p = self.ipv6_params + p.tun_if.unconfig_ip6() + 
super(TestIpsecMGreIfEspTra6, self).tearDown() + + def test_tun_66(self): + """mGRE IPSec 66""" + for p in self.multi_params: + self.verify_tun_66(p, count=63) + + class TemplateIpsec4TunProtect(object): """ IPsec IPv4 Tunnel protect """ @@ -1529,7 +1794,7 @@ class TestIpsec4TunProtectTun(TemplateIpsec, def tearDown(self): super(TestIpsec4TunProtectTun, self).tearDown() - def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1, + def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100): return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / sa.encrypt(IP(src=sw_intf.remote_ip4, @@ -1632,7 +1897,7 @@ class TestIpsec4TunProtectTunDrop(TemplateIpsec, def tearDown(self): super(TestIpsec4TunProtectTunDrop, self).tearDown() - def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1, + def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100): return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / sa.encrypt(IP(src=sw_intf.remote_ip4, @@ -1651,7 +1916,7 @@ class TestIpsec4TunProtectTunDrop(TemplateIpsec, self.config_sa_tun(p) self.config_protect(p) - tx = self.gen_encrypt_pkts(p.scapy_tun_sa, self.tun_if, + tx = self.gen_encrypt_pkts(p, p.scapy_tun_sa, self.tun_if, src=p.remote_tun_if_host, dst=self.pg1.remote_ip4, count=63) @@ -1881,7 +2146,7 @@ class TestIpsec6TunProtectTun(TemplateIpsec, def tearDown(self): super(TestIpsec6TunProtectTun, self).tearDown() - def gen_encrypt_pkts6(self, sa, sw_intf, src, dst, count=1, + def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1, payload_size=100): return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / sa.encrypt(IPv6(src=sw_intf.remote_ip6, 
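Review bot: verify_encrypted in TestIpsecMGreIfEspTra4 only examines the decrypted GRE payload, so it never checks that VPP chose the SA and outer tunnel destination bound to this next-hop — the property the multi-point protect feature adds. Every peer's `p` is a copy of `ipv4_params` with the same keys, the SPI bases are only one apart (`scapy_tun_spi + ii` against `vpp_tun_spi + ii`, so peer N's outbound SPI equals peer N+1's inbound SPI), and I don't believe scapy's SecurityAssociation.decrypt rejects a mismatched SPI, so a packet encrypted for a neighbouring peer would very likely still verify. Before decrypting, assert the outer header: `self.assertEqual(rx[IP].dst, p.tun_dst)` and `self.assertEqual(rx[ESP].spi, p.scapy_tun_spi)` (the SPI configured on this peer's `tun_sa_out`), and mirror that with `rx[IPv6].dst` in verify_encrypted6 of the v6 class later in the hunk. The bare `except:` guarding the debug print in both methods should be `except Exception:` so a KeyboardInterrupt is not swallowed.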
@@ -1984,7 +2249,7 @@ class TestIpsec6TunProtectTunDrop(TemplateIpsec,
 def tearDown(self):
 super(TestIpsec6TunProtectTunDrop, self).tearDown()
- def gen_encrypt_pkts5(self, sa, sw_intf, src, dst, count=1,
+ def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1,
 payload_size=100):
 # the IP destination of the revelaed packet does not match
 # that assigned to the tunnel
@@ -2005,7 +2270,7 @@ class TestIpsec6TunProtectTunDrop(TemplateIpsec,
 self.config_sa_tun(p)
 self.config_protect(p)
- tx = self.gen_encrypt_pkts6(p.scapy_tun_sa, self.tun_if,
+ tx = self.gen_encrypt_pkts6(p, p.scapy_tun_sa, self.tun_if,
 src=p.remote_tun_if_host,
 dst=self.pg1.remote_ip6,
 count=63)
diff --git a/test/vpp_ipsec.py b/test/vpp_ipsec.py
index 8144ea27c8f..268fe687876 100644
--- a/test/vpp_ipsec.py
+++ b/test/vpp_ipsec.py
@@ -272,13 +272,16 @@ class VppIpsecTunProtect(VppObject):
 VPP IPSEC tunnel protection
 """
- def __init__(self, test, itf, sa_out, sas_in):
+ def __init__(self, test, itf, sa_out, sas_in, nh=None):
 self.test = test
 self.itf = itf
 self.sas_in = []
 for sa in sas_in:
 self.sas_in.append(sa.id)
 self.sa_out = sa_out.id
+ self.nh = nh
+ if not self.nh:
+ self.nh = "0.0.0.0"
 def update_vpp_config(self, sa_out, sas_in):
 self.sas_in = []
@@ -290,10 +293,11 @@ class VppIpsecTunProtect(VppObject):
 'sw_if_index': self.itf._sw_if_index,
 'n_sa_in': len(self.sas_in),
 'sa_out': self.sa_out,
- 'sa_in': self.sas_in})
+ 'sa_in': self.sas_in,
+ 'nh': self.nh})
 def object_id(self):
- return "ipsec-tun-protect-%s" % self.itf
+ return "ipsec-tun-protect-%s-%s" % (self.itf, self.nh)
 def add_vpp_config(self):
 self.test.vapi.ipsec_tunnel_protect_update(
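Review bot: The `nh=None` fallback to `"0.0.0.0"` in VppIpsecTunProtect.__init__ is also what the IPv6 point-to-point callers get (TestIpsec6TunProtectTun and friends construct without nh), so a v4 zero address is sent for a v6 tunnel and ends up in object_id; VPP presumably treats an all-zeros address as "no next-hop" regardless of family, but that is worth confirming against the API definition. The intent deserves a comment where the default is set, e.g. `# nh only matters for multi-point tunnels; 0.0.0.0 means "the tunnel's single peer"`. Testing `if nh is None` rather than `if not self.nh` would also keep an empty or otherwise falsy caller value from being silently rewritten.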
@@ -301,17 +305,20 @@ class VppIpsecTunProtect(VppObject):
 'sw_if_index': self.itf._sw_if_index,
 'n_sa_in': len(self.sas_in),
 'sa_out': self.sa_out,
- 'sa_in': self.sas_in})
+ 'sa_in': self.sas_in,
+ 'nh': self.nh})
 self.test.registry.register(self, self.test.logger)
 def remove_vpp_config(self):
 self.test.vapi.ipsec_tunnel_protect_del(
- sw_if_index=self.itf.sw_if_index)
+ sw_if_index=self.itf.sw_if_index,
+ nh=self.nh)
 def query_vpp_config(self):
 bs = self.test.vapi.ipsec_tunnel_protect_dump(
 sw_if_index=self.itf.sw_if_index)
 for b in bs:
- if b.tun.sw_if_index == self.itf.sw_if_index:
+ if b.tun.sw_if_index == self.itf.sw_if_index and \
+ self.nh == str(b.tun.nh):
 return True
 return False
diff --git a/test/vpp_teib.py b/test/vpp_teib.py
index e117ac39302..0fe733388e3 100644
--- a/test/vpp_teib.py
+++ b/test/vpp_teib.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python
 """
- NHRP objects
+ TEIB objects
 """
 from vpp_object import VppObject
@@ -15,7 +15,7 @@ def find_teib(test, ne):
 return False
-class VppNhrp(VppObject):
+class VppTeib(VppObject):
 def __init__(self, test, itf, peer, nh, table_id=0):
 self._test = test
@@ -34,6 +34,7 @@ class VppNhrp(VppObject):
 'nh': self.nh,
 })
 self._test.registry.register(self, self._test.logger)
+ return self
 def remove_vpp_config(self):
 r = self._test.vapi.teib_entry_add_del( |
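Review bot: query_vpp_config now decides existence by textual equality, `self.nh == str(b.tun.nh)`, so it depends on the dump rendering the address exactly as the test spelled it; for IPv6 next-hops (the v6 mGRE test passes generated `remote_hosts[ii].ip6` strings) any difference in zero-compression or case between the two makes the object look absent, and the registry's post-test cleanup check would then report a leaked object that is not there. Comparing parsed addresses removes that dependency: `ip_address(self.nh) == ip_address(str(b.tun.nh))` with `from ipaddress import ip_address` at the top of the file. Whether the dump's `tun.nh` is already an ipaddress object that could be compared directly I cannot tell from this hunk.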