diff options
author | Arthur de Kerhor <arthurdekerhor@gmail.com> | 2023-06-16 09:48:52 +0200 |
---|---|---|
committer | Beno�t Ganne <bganne@cisco.com> | 2023-12-12 09:02:03 +0000 |
commit | 8fce5463707e38c14320d2d0f49cd5ec32dc791e (patch) | |
tree | 650b45c296b1eb3a3605b61d65d82aa74ad57ea5 /test | |
parent | b321325a47993a87c3550a34082fba91b3dd817d (diff) |
ipsec: allow receiving encrypted IP packets with TFC padding
Type: feature
Change-Id: I7b29c71d3d053af9a53931aa333484bf43a424ca
Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
Signed-off-by: Benoît Ganne <bganne@cisco.com>
Diffstat (limited to 'test')
-rw-r--r-- | test/test_ipsec_tun_if_esp.py | 76 |
1 files changed, 73 insertions, 3 deletions
diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py index e1579ebfaed..5131fbefe7d 100644 --- a/test/test_ipsec_tun_if_esp.py +++ b/test/test_ipsec_tun_if_esp.py @@ -5,8 +5,8 @@ import copy from scapy.layers.ipsec import SecurityAssociation, ESP from scapy.layers.l2 import Ether, GRE, Dot1Q from scapy.packet import Raw, bind_layers -from scapy.layers.inet import IP, UDP -from scapy.layers.inet6 import IPv6 +from scapy.layers.inet import IP, UDP, ICMP +from scapy.layers.inet6 import IPv6, ICMPv6EchoRequest from scapy.contrib.mpls import MPLS from asfframework import VppTestRunner, tag_fixme_vpp_workers from template_ipsec import ( @@ -367,6 +367,29 @@ class TemplateIpsec4TunIfEspUdp(TemplateIpsec4TunProtect, TemplateIpsec): super(TemplateIpsec4TunIfEspUdp, self).tearDown() +class TemplateIpsec4TunTfc: + """IPsec IPv4 tunnel with TFC""" + + def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=54): + pkt = ( + IP(src=src, dst=dst, len=28 + payload_size) + / ICMP() + / Raw(b"X" * payload_size) + / Padding(b"Y" * 100) + ) + return [ + Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / sa.encrypt(pkt) + for i in range(count) + ] + + def verify_decrypted(self, p, rxs): + for rx in rxs: + self.assert_equal(rx[IP].src, p.remote_tun_if_host) + self.assert_equal(rx[IP].dst, self.pg1.remote_ip4) + self.assert_equal(rx[IP].len, len(rx[IP])) + self.assert_packet_checksums_valid(rx) + + class TestIpsec4TunIfEsp1(TemplateIpsec4TunIfEsp, IpsecTun4Tests): """Ipsec ESP - TUN tests""" @@ -671,6 +694,28 @@ class TemplateIpsec6TunIfEspUdp(TemplateIpsec6TunProtect, TemplateIpsec): super(TemplateIpsec6TunIfEspUdp, self).tearDown() +class TemplateIpsec6TunTfc: + """IPsec IPv6 tunnel with TFC""" + + def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1, payload_size=54): + return [ + Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) + / sa.encrypt( + IPv6(src=src, dst=dst, hlim=p.inner_hop_limit, fl=p.inner_flow_label) + / ICMPv6EchoRequest(id=0, seq=1, data="X" * payload_size) + / Padding(b"Y" * 100) + ) + for i in range(count) + ] + + def verify_decrypted6(self, p, rxs): + for rx in rxs: + self.assert_equal(rx[IPv6].src, p.remote_tun_if_host) + self.assert_equal(rx[IPv6].dst, self.pg1.remote_ip6) + self.assert_equal(rx[IPv6].plen, len(rx[IPv6].payload)) + self.assert_packet_checksums_valid(rx) + + class TestIpsec6TunIfEspUdp(TemplateIpsec6TunIfEspUdp, IpsecTun6Tests): """Ipsec ESP 6 UDP tests""" @@ -2470,8 +2515,13 @@ class TestIpsec4TunProtect(TemplateIpsec, TemplateIpsec4TunProtect, IpsecTun4): @tag_fixme_vpp_workers +class TestIpsec4TunProtectTfc(TemplateIpsec4TunTfc, TestIpsec4TunProtect): + """IPsec IPv4 Tunnel protect with TFC - transport mode""" + + +@tag_fixme_vpp_workers class TestIpsec4TunProtectUdp(TemplateIpsec, TemplateIpsec4TunProtect, IpsecTun4): - """IPsec IPv4 Tunnel protect - transport mode""" + """IPsec IPv4 UDP Tunnel protect - transport mode""" def setUp(self): super(TestIpsec4TunProtectUdp, self).setUp() @@ -2514,6 +2564,11 @@ class TestIpsec4TunProtectUdp(TemplateIpsec, TemplateIpsec4TunProtect, IpsecTun4 @tag_fixme_vpp_workers +class TestIpsec4TunProtectUdpTfc(TemplateIpsec4TunTfc, TestIpsec4TunProtectUdp): + """IPsec IPv4 UDP Tunnel protect with TFC - transport mode""" + + +@tag_fixme_vpp_workers class TestIpsec4TunProtectTun(TemplateIpsec, TemplateIpsec4TunProtect, IpsecTun4): """IPsec IPv4 Tunnel protect - tunnel mode""" @@ -2788,6 +2843,11 @@ class TestIpsec6TunProtect(TemplateIpsec, TemplateIpsec6TunProtect, IpsecTun6): @tag_fixme_vpp_workers +class TestIpsec6TunProtectTfc(TemplateIpsec6TunTfc, TestIpsec6TunProtect): + """IPsec IPv6 Tunnel protect with TFC - transport mode""" + + +@tag_fixme_vpp_workers class TestIpsec6TunProtectTun(TemplateIpsec, TemplateIpsec6TunProtect, IpsecTun6): """IPsec IPv6 Tunnel protect - tunnel mode""" @@ -3203,6 +3263,11 @@ class TestIpsecItf4(TemplateIpsec, TemplateIpsecItf4, IpsecTun4): self.unconfig_network(p) +@tag_fixme_vpp_workers +class TestIpsecItf4Tfc(TemplateIpsec4TunTfc, TestIpsecItf4): + """IPsec Interface IPv4 with TFC""" + + class TestIpsecItf4MPLS(TemplateIpsec, TemplateIpsecItf4, IpsecTun4): """IPsec Interface MPLSoIPv4""" @@ -3515,6 +3580,11 @@ class TestIpsecItf6(TemplateIpsec, TemplateIpsecItf6, IpsecTun6): self.unconfig_network(p) +@tag_fixme_vpp_workers +class TestIpsecItf6Tfc(TemplateIpsec6TunTfc, TestIpsecItf6): + """IPsec Interface IPv6 with TFC""" + + class TestIpsecMIfEsp4(TemplateIpsec, IpsecTun4): """Ipsec P2MP ESP v4 tests""" |