summaryrefslogtreecommitdiffstats
path: root/test
diff options
context:
space:
mode:
authorKlement Sekera <ksekera@cisco.com>2018-05-16 10:52:45 +0200
committerFlorin Coras <florin.coras@gmail.com>2018-06-21 14:50:10 +0000
commita98346f664aae148d26a8e158008b773d73db96f (patch)
tree2a850b1925f3dd70817fb0e41324baef71fd7a05 /test
parent56ba844d6a8b8f58b18fe51bf22707b0c37d3a87 (diff)
ipsec: VPP-1316 calculate IP/TCP/UDP inner checksums
Calculate IP/TCP/UDP checksums in software before adding authentication. Change-Id: I3e121cb00aeba667764f39ade8d62170f18f8b6b Signed-off-by: Klement Sekera <ksekera@cisco.com>
Diffstat (limited to 'test')
-rw-r--r--test/bfd.py11
-rwxr-xr-xtest/discover_tests.py2
-rw-r--r--test/framework.py19
-rw-r--r--test/template_ipsec.py208
-rw-r--r--test/test_ipsec_ah.py287
-rw-r--r--test/test_ipsec_esp.py404
-rw-r--r--test/test_ipsec_nat.py8
-rw-r--r--test/test_ipsec_tun_if_esp.py52
-rw-r--r--test/vpp_interface.py4
-rw-r--r--test/vpp_ipsec_tun_interface.py43
-rw-r--r--test/vpp_papi_provider.py132
-rw-r--r--test/vpp_pg_interface.py6
-rw-r--r--test/vpp_tunnel_interface.py32
13 files changed, 634 insertions, 574 deletions
diff --git a/test/bfd.py b/test/bfd.py
index 452a1804988..d99bbf6165c 100644
--- a/test/bfd.py
+++ b/test/bfd.py
@@ -35,9 +35,6 @@ class BFDDiagCode(NumericConstant):
reverse_concatenated_path_down: "Reverse Concatenated Path Down",
}
- def __init__(self, value):
- NumericConstant.__init__(self, value)
-
class BFDState(NumericConstant):
""" BFD State """
@@ -53,9 +50,6 @@ class BFDState(NumericConstant):
up: "Up",
}
- def __init__(self, value):
- NumericConstant.__init__(self, value)
-
class BFDAuthType(NumericConstant):
""" BFD Authentication Type """
@@ -75,9 +69,6 @@ class BFDAuthType(NumericConstant):
meticulous_keyed_sha1: "Meticulous Keyed SHA1",
}
- def __init__(self, value):
- NumericConstant.__init__(self, value)
-
def bfd_is_auth_used(pkt):
""" is packet authenticated? """
@@ -148,6 +139,7 @@ class BFD(Packet):
return self.sprintf("BFD(my_disc=%BFD.my_discriminator%,"
"your_disc=%BFD.your_discriminator%)")
+
# glue the BFD packet class to scapy parser
bind_layers(UDP, BFD, dport=BFD.udp_dport)
@@ -169,6 +161,7 @@ class BFD_vpp_echo(Packet):
"BFD_VPP_ECHO(disc=%BFD_VPP_ECHO.discriminator%,"
"expire_time_clocks=%BFD_VPP_ECHO.expire_time_clocks%)")
+
# glue the BFD echo packet class to scapy parser
bind_layers(UDP, BFD_vpp_echo, dport=BFD_vpp_echo.udp_dport)
diff --git a/test/discover_tests.py b/test/discover_tests.py
index eea594107b6..99016e2845e 100755
--- a/test/discover_tests.py
+++ b/test/discover_tests.py
@@ -30,7 +30,7 @@ def discover_tests(directory, callback):
continue
if not issubclass(cls, unittest.TestCase):
continue
- if name == "VppTestCase":
+ if name == "VppTestCase" or name.startswith("Template"):
continue
for method in dir(cls):
if not callable(getattr(cls, method)):
diff --git a/test/framework.py b/test/framework.py
index f90197b9b6f..be8c209f4ea 100644
--- a/test/framework.py
+++ b/test/framework.py
@@ -25,6 +25,7 @@ from vpp_papi_provider import VppPapiProvider
from log import RED, GREEN, YELLOW, double_line_delim, single_line_delim, \
getLogger, colorize
from vpp_object import VppObjectRegistry
+from util import ppp
from scapy.layers.inet import IPerror, TCPerror, UDPerror, ICMPerror
from scapy.layers.inet6 import ICMPv6DestUnreach, ICMPv6EchoRequest
from scapy.layers.inet6 import ICMPv6EchoReply
@@ -735,11 +736,14 @@ class VppTestCase(unittest.TestCase):
def assert_packet_checksums_valid(self, packet,
ignore_zero_udp_checksums=True):
+ received = packet.__class__(str(packet))
+ self.logger.debug(
+ ppp("Verifying packet checksums for packet:", received))
udp_layers = ['UDP', 'UDPerror']
checksum_fields = ['cksum', 'chksum']
checksums = []
counter = 0
- temp = packet.__class__(str(packet))
+ temp = received.__class__(str(received))
while True:
layer = temp.getlayer(counter)
if layer:
@@ -754,12 +758,17 @@ class VppTestCase(unittest.TestCase):
else:
break
counter = counter + 1
+ if 0 == len(checksums):
+ return
temp = temp.__class__(str(temp))
for layer, cf in checksums:
- self.assert_equal(getattr(packet[layer], cf),
- getattr(temp[layer], cf),
- "packet checksum on layer #%d: %s" % (
- layer, temp[layer].name))
+ calc_sum = getattr(temp[layer], cf)
+ self.assert_equal(
+ getattr(received[layer], cf), calc_sum,
+ "packet checksum on layer #%d: %s" % (layer, temp[layer].name))
+ self.logger.debug(
+ "Checksum field `%s` on `%s` layer has correct value `%s`" %
+ (cf, temp[layer].name, calc_sum))
def assert_checksum_valid(self, received_packet, layer,
field_name='chksum',
diff --git a/test/template_ipsec.py b/test/template_ipsec.py
new file mode 100644
index 00000000000..9d95185cb9e
--- /dev/null
+++ b/test/template_ipsec.py
@@ -0,0 +1,208 @@
+import unittest
+
+from scapy.layers.inet import IP, ICMP, TCP
+from scapy.layers.ipsec import SecurityAssociation
+from scapy.layers.l2 import Ether, Raw
+
+from framework import VppTestCase, VppTestRunner
+from util import ppp
+
+
+class TemplateIpsec(VppTestCase):
+ """
+ TRANSPORT MODE:
+
+ ------ encrypt ---
+ |tra_if| <-------> |VPP|
+ ------ decrypt ---
+
+ TUNNEL MODE:
+
+ ------ encrypt --- plain ---
+ |tun_if| <------- |VPP| <------ |pg1|
+ ------ --- ---
+
+ ------ decrypt --- plain ---
+ |tun_if| -------> |VPP| ------> |pg1|
+ ------ --- ---
+ """
+
+ remote_tun_if_host = '1.1.1.1'
+ payload = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
+
+ tun_spd_id = 1
+ scapy_tun_sa_id = 10
+ scapy_tun_spi = 1001
+ vpp_tun_sa_id = 20
+ vpp_tun_spi = 1000
+
+ tra_spd_id = 2
+ scapy_tra_sa_id = 30
+ scapy_tra_spi = 2001
+ vpp_tra_sa_id = 40
+ vpp_tra_spi = 2000
+
+ vpp_esp_protocol = 1
+ vpp_ah_protocol = 0
+
+ auth_algo_vpp_id = 2 # internal VPP enum value for SHA1_96
+ auth_algo = 'HMAC-SHA1-96' # scapy name
+ auth_key = 'C91KUR9GYMm5GfkEvNjX'
+
+ crypt_algo_vpp_id = 1 # internal VPP enum value for AES_CBC_128
+ crypt_algo = 'AES-CBC' # scapy name
+ crypt_key = 'JPjyOWBeVEQiMe7h'
+
+ @classmethod
+ def setUpClass(cls):
+ super(TemplateIpsec, cls).setUpClass()
+ cls.create_pg_interfaces(range(3))
+ cls.interfaces = list(cls.pg_interfaces)
+ for i in cls.interfaces:
+ i.admin_up()
+ i.config_ip4()
+ i.resolve_arp()
+
+ def tearDown(self):
+ super(TemplateIpsec, self).tearDown()
+ if not self.vpp_dead:
+ self.vapi.cli("show hardware")
+
+ def send_and_expect(self, input, pkts, output, count=1):
+ input.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ rx = output.get_capture(count)
+ return rx
+
+ def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1):
+ return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
+ sa.encrypt(IP(src=src, dst=dst) / ICMP() / self.payload)
+ for i in range(count)]
+
+ def gen_pkts(self, sw_intf, src, dst, count=1):
+ return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
+ IP(src=src, dst=dst) / ICMP() / self.payload
+ for i in range(count)]
+
+ def configure_sa_tun(self):
+ scapy_tun_sa = SecurityAssociation(self.encryption_type,
+ spi=self.vpp_tun_spi,
+ crypt_algo=self.crypt_algo,
+ crypt_key=self.crypt_key,
+ auth_algo=self.auth_algo,
+ auth_key=self.auth_key,
+ tunnel_header=IP(
+ src=self.tun_if.remote_ip4,
+ dst=self.tun_if.local_ip4))
+ vpp_tun_sa = SecurityAssociation(self.encryption_type,
+ spi=self.scapy_tun_spi,
+ crypt_algo=self.crypt_algo,
+ crypt_key=self.crypt_key,
+ auth_algo=self.auth_algo,
+ auth_key=self.auth_key,
+ tunnel_header=IP(
+ dst=self.tun_if.remote_ip4,
+ src=self.tun_if.local_ip4))
+ return vpp_tun_sa, scapy_tun_sa
+
+ def configure_sa_tra(self):
+ scapy_tra_sa = SecurityAssociation(self.encryption_type,
+ spi=self.vpp_tra_spi,
+ crypt_algo=self.crypt_algo,
+ crypt_key=self.crypt_key,
+ auth_algo=self.auth_algo,
+ auth_key=self.auth_key)
+ vpp_tra_sa = SecurityAssociation(self.encryption_type,
+ spi=self.scapy_tra_spi,
+ crypt_algo=self.crypt_algo,
+ crypt_key=self.crypt_key,
+ auth_algo=self.auth_algo,
+ auth_key=self.auth_key)
+ return vpp_tra_sa, scapy_tra_sa
+
+
+class IpsecTcpTests(object):
+ def test_tcp_checksum(self):
+ """ verify checksum correctness for vpp generated packets """
+ self.vapi.cli("test http server")
+ vpp_tun_sa, scapy_tun_sa = self.configure_sa_tun()
+ send = (Ether(src=self.tun_if.remote_mac, dst=self.tun_if.local_mac) /
+ scapy_tun_sa.encrypt(IP(src=self.remote_tun_if_host,
+ dst=self.tun_if.local_ip4) /
+ TCP(flags='S', dport=80)))
+ self.logger.debug(ppp("Sending packet:", send))
+ recv = self.send_and_expect(self.tun_if, [send], self.tun_if, 1)
+ recv = recv[0]
+ decrypted = vpp_tun_sa.decrypt(recv[IP])
+ self.assert_packet_checksums_valid(decrypted)
+
+
+class IpsecTraTests(object):
+ def test_tra_basic(self, count=1):
+ """ ipsec v4 transport basic test """
+ try:
+ vpp_tra_sa, scapy_tra_sa = self.configure_sa_tra()
+ send_pkts = self.gen_encrypt_pkts(scapy_tra_sa, self.tra_if,
+ src=self.tra_if.remote_ip4,
+ dst=self.tra_if.local_ip4,
+ count=count)
+ recv_pkts = self.send_and_expect(self.tra_if, send_pkts,
+ self.tra_if, count=count)
+ for p in recv_pkts:
+ decrypted = vpp_tra_sa.decrypt(p[IP])
+ self.assert_packet_checksums_valid(decrypted)
+ finally:
+ self.logger.info(self.vapi.ppcli("show error"))
+ self.logger.info(self.vapi.ppcli("show ipsec"))
+
+ def test_tra_burst(self):
+ """ ipsec v4 transport burst test """
+ try:
+ self.test_tra_basic(count=257)
+ finally:
+ self.logger.info(self.vapi.ppcli("show error"))
+ self.logger.info(self.vapi.ppcli("show ipsec"))
+
+
+class IpsecTunTests(object):
+ def test_tun_basic(self, count=1):
+ """ ipsec 4o4 tunnel basic test """
+ try:
+ vpp_tun_sa, scapy_tun_sa = self.configure_sa_tun()
+ send_pkts = self.gen_encrypt_pkts(scapy_tun_sa, self.tun_if,
+ src=self.remote_tun_if_host,
+ dst=self.pg1.remote_ip4,
+ count=count)
+ recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1,
+ count=count)
+ for recv_pkt in recv_pkts:
+ self.assert_equal(recv_pkt[IP].src, self.remote_tun_if_host)
+ self.assert_equal(recv_pkt[IP].dst, self.pg1.remote_ip4)
+ self.assert_packet_checksums_valid(recv_pkt)
+ send_pkts = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4,
+ dst=self.remote_tun_if_host, count=count)
+ recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.tun_if,
+ count=count)
+ for recv_pkt in recv_pkts:
+ decrypt_pkt = vpp_tun_sa.decrypt(recv_pkt[IP])
+ if not decrypt_pkt.haslayer(IP):
+ decrypt_pkt = IP(decrypt_pkt[Raw].load)
+ self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip4)
+ self.assert_equal(decrypt_pkt.dst, self.remote_tun_if_host)
+ self.assert_packet_checksums_valid(decrypt_pkt)
+ finally:
+ self.logger.info(self.vapi.ppcli("show error"))
+ self.logger.info(self.vapi.ppcli("show ipsec"))
+
+ def test_tun_burst(self):
+ """ ipsec 4o4 tunnel burst test """
+ try:
+ self.test_tun_basic(count=257)
+ finally:
+ self.logger.info(self.vapi.ppcli("show error"))
+ self.logger.info(self.vapi.ppcli("show ipsec"))
+
+
+if __name__ == '__main__':
+ unittest.main(testRunner=VppTestRunner)
diff --git a/test/test_ipsec_ah.py b/test/test_ipsec_ah.py
index d173b2e3b23..729f8716d03 100644
--- a/test/test_ipsec_ah.py
+++ b/test/test_ipsec_ah.py
@@ -1,14 +1,14 @@
import socket
import unittest
-from scapy.layers.inet import IP, ICMP
-from scapy.layers.l2 import Ether, Raw
-from scapy.layers.ipsec import SecurityAssociation, AH
+from scapy.layers.ipsec import AH
-from framework import VppTestCase, VppTestRunner
+from framework import VppTestRunner
+from template_ipsec import TemplateIpsec, IpsecTraTests, IpsecTunTests
+from template_ipsec import IpsecTcpTests
-class TestIpsecAh(VppTestCase):
+class TemplateIpsecAh(TemplateIpsec):
"""
Basic test for IPSEC using AH transport and Tunnel mode
@@ -41,214 +41,123 @@ class TestIpsecAh(VppTestCase):
Note : IPv6 is not covered
"""
- remote_pg0_lb_addr = '1.1.1.1'
- remote_pg1_lb_addr = '2.2.2.2'
- payload = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
+ encryption_type = AH
@classmethod
def setUpClass(cls):
- super(TestIpsecAh, cls).setUpClass()
- try:
- cls.create_pg_interfaces(range(3))
- cls.interfaces = list(cls.pg_interfaces)
- for i in cls.interfaces:
- i.admin_up()
- i.config_ip4()
- i.resolve_arp()
- cls.logger.info(cls.vapi.ppcli("show int addr"))
- cls.config_ah_tra()
- cls.logger.info(cls.vapi.ppcli("show ipsec"))
- cls.config_ah_tun()
- cls.logger.info(cls.vapi.ppcli("show ipsec"))
- except Exception:
- super(TestIpsecAh, cls).tearDownClass()
- raise
+ super(TemplateIpsecAh, cls).setUpClass()
+ cls.tun_if = cls.pg0
+ cls.tra_if = cls.pg2
+ cls.logger.info(cls.vapi.ppcli("show int addr"))
+ cls.config_ah_tra()
+ cls.logger.info(cls.vapi.ppcli("show ipsec"))
+ cls.config_ah_tun()
+ cls.logger.info(cls.vapi.ppcli("show ipsec"))
+ src4 = socket.inet_pton(socket.AF_INET, cls.remote_tun_if_host)
+ cls.vapi.ip_add_del_route(src4, 32, cls.tun_if.remote_ip4n)
@classmethod
def config_ah_tun(cls):
- spd_id = 1
- remote_sa_id = 10
- local_sa_id = 20
- remote_tun_spi = 1001
- local_tun_spi = 1000
- src4 = socket.inet_pton(socket.AF_INET, cls.remote_pg0_lb_addr)
- cls.vapi.ip_add_del_route(src4, 32, cls.pg0.remote_ip4n)
- dst4 = socket.inet_pton(socket.AF_INET, cls.remote_pg1_lb_addr)
- cls.vapi.ip_add_del_route(dst4, 32, cls.pg1.remote_ip4n)
- cls.vapi.ipsec_sad_add_del_entry(remote_sa_id, remote_tun_spi,
- cls.pg0.local_ip4n,
- cls.pg0.remote_ip4n,
- integrity_key_length=20)
- cls.vapi.ipsec_sad_add_del_entry(local_sa_id, local_tun_spi,
- cls.pg0.remote_ip4n,
- cls.pg0.local_ip4n,
- integrity_key_length=20)
- cls.vapi.ipsec_spd_add_del(spd_id)
- cls.vapi.ipsec_interface_add_del_spd(spd_id, cls.pg0.sw_if_index)
+ cls.vapi.ipsec_sad_add_del_entry(cls.scapy_tun_sa_id,
+ cls.scapy_tun_spi,
+ cls.auth_algo_vpp_id, cls.auth_key,
+ cls.crypt_algo_vpp_id,
+ cls.crypt_key, cls.vpp_ah_protocol,
+ cls.tun_if.local_ip4n,
+ cls.tun_if.remote_ip4n)
+ cls.vapi.ipsec_sad_add_del_entry(cls.vpp_tun_sa_id,
+ cls.vpp_tun_spi,
+ cls.auth_algo_vpp_id, cls.auth_key,
+ cls.crypt_algo_vpp_id,
+ cls.crypt_key, cls.vpp_ah_protocol,
+ cls.tun_if.remote_ip4n,
+ cls.tun_if.local_ip4n)
+ cls.vapi.ipsec_spd_add_del(cls.tun_spd_id)
+ cls.vapi.ipsec_interface_add_del_spd(cls.tun_spd_id,
+ cls.tun_if.sw_if_index)
l_startaddr = r_startaddr = socket.inet_pton(socket.AF_INET, "0.0.0.0")
l_stopaddr = r_stopaddr = socket.inet_pton(socket.AF_INET,
"255.255.255.255")
- cls.vapi.ipsec_spd_add_del_entry(spd_id, l_startaddr, l_stopaddr,
- r_startaddr, r_stopaddr,
+ cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.vpp_tun_sa_id,
+ l_startaddr, l_stopaddr, r_startaddr,
+ r_stopaddr,
+ protocol=socket.IPPROTO_AH)
+ cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.vpp_tun_sa_id,
+ l_startaddr, l_stopaddr, r_startaddr,
+ r_stopaddr, is_outbound=0,
protocol=socket.IPPROTO_AH)
- cls.vapi.ipsec_spd_add_del_entry(spd_id, l_startaddr, l_stopaddr,
- r_startaddr, r_stopaddr,
- protocol=socket.IPPROTO_AH,
- is_outbound=0)
l_startaddr = l_stopaddr = socket.inet_pton(socket.AF_INET,
- cls.remote_pg0_lb_addr)
- r_startaddr = r_stopaddr = socket.inet_pton(socket.AF_INET,
- cls.remote_pg1_lb_addr)
- cls.vapi.ipsec_spd_add_del_entry(spd_id, l_startaddr, l_stopaddr,
- r_startaddr, r_stopaddr,
- priority=10, policy=3,
- is_outbound=0, sa_id=local_sa_id)
- cls.vapi.ipsec_spd_add_del_entry(spd_id, r_startaddr, r_stopaddr,
- l_startaddr, l_stopaddr, priority=10,
- policy=3, sa_id=remote_sa_id)
+ cls.remote_tun_if_host)
+ r_startaddr = r_stopaddr = cls.pg1.remote_ip4n
+ cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.vpp_tun_sa_id,
+ l_startaddr, l_stopaddr, r_startaddr,
+ r_stopaddr, priority=10, policy=3,
+ is_outbound=0)
+ cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id,
+ r_startaddr, r_stopaddr, l_startaddr,
+ l_stopaddr, priority=10, policy=3)
+ r_startaddr = r_stopaddr = cls.pg0.local_ip4n
+ cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.vpp_tun_sa_id,
+ l_startaddr, l_stopaddr, r_startaddr,
+ r_stopaddr, priority=20, policy=3,
+ is_outbound=0)
+ cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id,
+ r_startaddr, r_stopaddr, l_startaddr,
+ l_stopaddr, priority=20, policy=3)
@classmethod
def config_ah_tra(cls):
- spd_id = 2
- remote_sa_id = 30
- local_sa_id = 40
- remote_tra_spi = 2001
- local_tra_spi = 2000
- cls.vapi.ipsec_sad_add_del_entry(remote_sa_id, remote_tra_spi,
- integrity_key_length=20, is_tunnel=0)
- cls.vapi.ipsec_sad_add_del_entry(local_sa_id, local_tra_spi,
- integrity_key_length=20, is_tunnel=0)
- cls.vapi.ipsec_spd_add_del(spd_id)
- cls.vapi.ipsec_interface_add_del_spd(spd_id, cls.pg2.sw_if_index)
+ cls.vapi.ipsec_sad_add_del_entry(cls.scapy_tra_sa_id,
+ cls.scapy_tra_spi,
+ cls.auth_algo_vpp_id, cls.auth_key,
+ cls.crypt_algo_vpp_id,
+ cls.crypt_key, cls.vpp_ah_protocol,
+ is_tunnel=0)
+ cls.vapi.ipsec_sad_add_del_entry(cls.vpp_tra_sa_id,
+ cls.vpp_tra_spi,
+ cls.auth_algo_vpp_id, cls.auth_key,
+ cls.crypt_algo_vpp_id,
+ cls.crypt_key, cls.vpp_ah_protocol,
+ is_tunnel=0)
+ cls.vapi.ipsec_spd_add_del(cls.tra_spd_id)
+ cls.vapi.ipsec_interface_add_del_spd(cls.tra_spd_id,
+ cls.tra_if.sw_if_index)
l_startaddr = r_startaddr = socket.inet_pton(socket.AF_INET, "0.0.0.0")
l_stopaddr = r_stopaddr = socket.inet_pton(socket.AF_INET,
"255.255.255.255")
- cls.vapi.ipsec_spd_add_del_entry(spd_id, l_startaddr, l_stopaddr,
- r_startaddr, r_stopaddr,
+ cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.vpp_tra_sa_id,
+ l_startaddr, l_stopaddr, r_startaddr,
+ r_stopaddr,
protocol=socket.IPPROTO_AH)
- cls.vapi.ipsec_spd_add_del_entry(spd_id, l_startaddr, l_stopaddr,
- r_startaddr, r_stopaddr,
- protocol=socket.IPPROTO_AH,
+ cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.scapy_tra_sa_id,
+ l_startaddr, l_stopaddr, r_startaddr,
+ r_stopaddr, is_outbound=0,
+ protocol=socket.IPPROTO_AH)
+ l_startaddr = l_stopaddr = cls.tra_if.local_ip4n
+ r_startaddr = r_stopaddr = cls.tra_if.remote_ip4n
+ cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.vpp_tra_sa_id,
+ l_startaddr, l_stopaddr, r_startaddr,
+ r_stopaddr, priority=10, policy=3,
is_outbound=0)
- l_startaddr = l_stopaddr = cls.pg2.local_ip4n
- r_startaddr = r_stopaddr = cls.pg2.remote_ip4n
- cls.vapi.ipsec_spd_add_del_entry(spd_id, l_startaddr, l_stopaddr,
- r_startaddr, r_stopaddr,
- priority=10, policy=3,
- is_outbound=0, sa_id=local_sa_id)
- cls.vapi.ipsec_spd_add_del_entry(spd_id, l_startaddr, l_stopaddr,
- r_startaddr, r_stopaddr, priority=10,
- policy=3, sa_id=remote_sa_id)
-
- def configure_scapy_sa_tun(self):
- remote_tun_sa = SecurityAssociation(AH, spi=0x000003e8,
- auth_algo='HMAC-SHA1-96',
- auth_key='C91KUR9GYMm5GfkEvNjX',
- tunnel_header=IP(
- src=self.pg0.remote_ip4,
- dst=self.pg0.local_ip4))
- local_tun_sa = SecurityAssociation(AH, spi=0x000003e9,
- auth_algo='HMAC-SHA1-96',
- auth_key='C91KUR9GYMm5GfkEvNjX',
- tunnel_header=IP(
- dst=self.pg0.remote_ip4,
- src=self.pg0.local_ip4))
- return local_tun_sa, remote_tun_sa
-
- def configure_scapy_sa_tra(self):
- remote_tra_sa = SecurityAssociation(AH, spi=0x000007d0,
- auth_algo='HMAC-SHA1-96',
- auth_key='C91KUR9GYMm5GfkEvNjX')
- local_tra_sa = SecurityAssociation(AH, spi=0x000007d1,
- auth_algo='HMAC-SHA1-96',
- auth_key='C91KUR9GYMm5GfkEvNjX')
- return local_tra_sa, remote_tra_sa
+ cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.scapy_tra_sa_id,
+ l_startaddr, l_stopaddr, r_startaddr,
+ r_stopaddr, priority=10,
+ policy=3)
def tearDown(self):
- super(TestIpsecAh, self).tearDown()
+ super(TemplateIpsecAh, self).tearDown()
if not self.vpp_dead:
self.vapi.cli("show hardware")
- def send_and_expect(self, input, pkts, output, count=1):
- input.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- rx = output.get_capture(count)
- return rx
-
- def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1):
- return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
- sa.encrypt(IP(src=src, dst=dst) / ICMP() / self.payload)
- ] * count
-
- def gen_pkts(self, sw_intf, src, dst, count=1):
- return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
- IP(src=src, dst=dst) / ICMP() / self.payload
- ] * count
-
- def test_ipsec_ah_tra_basic(self, count=1):
- """ ipsec ah v4 transport basic test """
- try:
- local_tra_sa, remote_tra_sa = self.configure_scapy_sa_tra()
- send_pkts = self.gen_encrypt_pkts(remote_tra_sa, self.pg2,
- src=self.pg2.remote_ip4,
- dst=self.pg2.local_ip4,
- count=count)
- recv_pkts = self.send_and_expect(self.pg2, send_pkts, self.pg2,
- count=count)
- # ESP TRA VPP encryption/decryption verification
- for Pkts in recv_pkts:
- Pkts[AH].padding = Pkts[AH].icv[12:]
- Pkts[AH].icv = Pkts[AH].icv[:12]
- local_tra_sa.decrypt(Pkts[IP])
- finally:
- self.logger.info(self.vapi.ppcli("show error"))
- self.logger.info(self.vapi.ppcli("show ipsec"))
-
- def test_ipsec_ah_tra_burst(self):
- """ ipsec ah v4 transport burst test """
- try:
- self.test_ipsec_ah_tra_basic(count=257)
- finally:
- self.logger.info(self.vapi.ppcli("show error"))
- self.logger.info(self.vapi.ppcli("show ipsec"))
-
- def test_ipsec_ah_tun_basic(self, count=1):
- """ ipsec ah 4o4 tunnel basic test """
- try:
- local_tun_sa, remote_tun_sa = self.configure_scapy_sa_tun()
- send_pkts = self.gen_encrypt_pkts(remote_tun_sa, self.pg0,
- src=self.remote_pg0_lb_addr,
- dst=self.remote_pg1_lb_addr,
- count=count)
- recv_pkts = self.send_and_expect(self.pg0, send_pkts, self.pg1,
- count=count)
- # ESP TUN VPP decryption verification
- for recv_pkt in recv_pkts:
- self.assert_equal(recv_pkt[IP].src, self.remote_pg0_lb_addr)
- self.assert_equal(recv_pkt[IP].dst, self.remote_pg1_lb_addr)
- send_pkts = self.gen_pkts(self.pg1, src=self.remote_pg1_lb_addr,
- dst=self.remote_pg0_lb_addr,
- count=count)
- recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.pg0,
- count=count)
- # ESP TUN VPP encryption verification
- for recv_pkt in recv_pkts:
- decrypt_pkt = local_tun_sa.decrypt(recv_pkt[IP])
- decrypt_pkt = IP(decrypt_pkt[Raw].load)
- self.assert_equal(decrypt_pkt.src, self.remote_pg1_lb_addr)
- self.assert_equal(decrypt_pkt.dst, self.remote_pg0_lb_addr)
- finally:
- self.logger.info(self.vapi.ppcli("show error"))
- self.logger.info(self.vapi.ppcli("show ipsec"))
-
- def test_ipsec_ah_tun_burst(self):
- """ ipsec ah 4o4 tunnel burst test """
- try:
- self.test_ipsec_ah_tun_basic(count=257)
- finally:
- self.logger.info(self.vapi.ppcli("show error"))
- self.logger.info(self.vapi.ppcli("show ipsec"))
+
+class TestIpsecAh1(TemplateIpsecAh, IpsecTraTests, IpsecTunTests):
+ """ Ipsec AH - TUN & TRA tests """
+ pass
+
+
+class TestIpsecAh2(TemplateIpsecAh, IpsecTcpTests):
+ """ Ipsec AH - TCP tests """
+ pass
if __name__ == '__main__':
diff --git a/test/test_ipsec_esp.py b/test/test_ipsec_esp.py
index 15ce4a96878..58d159a7213 100644
--- a/test/test_ipsec_esp.py
+++ b/test/test_ipsec_esp.py
@@ -1,14 +1,13 @@
import socket
import unittest
+from scapy.layers.ipsec import ESP
-from scapy.layers.inet import IP, ICMP
-from scapy.layers.l2 import Ether
-from scapy.layers.ipsec import SecurityAssociation, ESP
+from framework import VppTestRunner
+from template_ipsec import IpsecTraTests, IpsecTunTests
+from template_ipsec import TemplateIpsec, IpsecTcpTests
-from framework import VppTestCase, VppTestRunner
-
-class TestIpsecEsp(VppTestCase):
+class TemplateIpsecEsp(TemplateIpsec):
"""
Basic test for ipsec esp sanity - tunnel and transport modes.
@@ -41,298 +40,121 @@ class TestIpsecEsp(VppTestCase):
Note : IPv6 is not covered
"""
- remote_pg0_lb_addr = '1.1.1.1'
- remote_pg1_lb_addr = '2.2.2.2'
+ encryption_type = ESP
@classmethod
def setUpClass(cls):
- super(TestIpsecEsp, cls).setUpClass()
- try:
- cls.create_pg_interfaces(range(3))
- cls.interfaces = list(cls.pg_interfaces)
- for i in cls.interfaces:
- i.admin_up()
- i.config_ip4()
- i.resolve_arp()
- cls.logger.info(cls.vapi.ppcli("show int addr"))
- cls.configEspTra()
- cls.logger.info(cls.vapi.ppcli("show ipsec"))
- cls.configEspTun()
- cls.logger.info(cls.vapi.ppcli("show ipsec"))
- except Exception:
- super(TestIpsecEsp, cls).tearDownClass()
- raise
+ super(TemplateIpsecEsp, cls).setUpClass()
+ cls.tun_if = cls.pg0
+ cls.tra_if = cls.pg2
+ cls.logger.info(cls.vapi.ppcli("show int addr"))
+ cls.config_esp_tra()
+ cls.logger.info(cls.vapi.ppcli("show ipsec"))
+ cls.config_esp_tun()
+ cls.logger.info(cls.vapi.ppcli("show ipsec"))
+ src4 = socket.inet_pton(socket.AF_INET, cls.remote_tun_if_host)
+ cls.vapi.ip_add_del_route(src4, 32, cls.tun_if.remote_ip4n)
@classmethod
- def configEspTun(cls):
- try:
- spd_id = 1
- remote_sa_id = 10
- local_sa_id = 20
- remote_tun_spi = 1001
- local_tun_spi = 1000
- src4 = socket.inet_pton(socket.AF_INET, cls.remote_pg0_lb_addr)
- cls.vapi.ip_add_del_route(src4, 32, cls.pg0.remote_ip4n)
- dst4 = socket.inet_pton(socket.AF_INET, cls.remote_pg1_lb_addr)
- cls.vapi.ip_add_del_route(dst4, 32, cls.pg1.remote_ip4n)
- cls.vapi.ipsec_sad_add_del_entry(
- remote_sa_id,
- remote_tun_spi,
- cls.pg0.local_ip4n,
- cls.pg0.remote_ip4n,
- integrity_key_length=20,
- crypto_key_length=16,
- protocol=1)
- cls.vapi.ipsec_sad_add_del_entry(
- local_sa_id,
- local_tun_spi,
- cls.pg0.remote_ip4n,
- cls.pg0.local_ip4n,
- integrity_key_length=20,
- crypto_key_length=16,
- protocol=1)
- cls.vapi.ipsec_spd_add_del(spd_id)
- cls.vapi.ipsec_interface_add_del_spd(spd_id, cls.pg0.sw_if_index)
- l_startaddr = r_startaddr = socket.inet_pton(
- socket.AF_INET, "0.0.0.0")
- l_stopaddr = r_stopaddr = socket.inet_pton(
- socket.AF_INET, "255.255.255.255")
- cls.vapi.ipsec_spd_add_del_entry(
- spd_id,
- l_startaddr,
- l_stopaddr,
- r_startaddr,
- r_stopaddr,
- protocol=socket.IPPROTO_ESP)
- cls.vapi.ipsec_spd_add_del_entry(
- spd_id,
- l_startaddr,
- l_stopaddr,
- r_startaddr,
- r_stopaddr,
- protocol=socket.IPPROTO_ESP,
- is_outbound=0)
- l_startaddr = l_stopaddr = socket.inet_pton(
- socket.AF_INET, cls.remote_pg0_lb_addr)
- r_startaddr = r_stopaddr = socket.inet_pton(
- socket.AF_INET, cls.remote_pg1_lb_addr)
- cls.vapi.ipsec_spd_add_del_entry(
- spd_id,
- l_startaddr,
- l_stopaddr,
- r_startaddr,
- r_stopaddr,
- priority=10,
- policy=3,
- is_outbound=0,
- sa_id=local_sa_id)
- cls.vapi.ipsec_spd_add_del_entry(
- spd_id,
- r_startaddr,
- r_stopaddr,
- l_startaddr,
- l_stopaddr,
- priority=10,
- policy=3,
- sa_id=remote_sa_id)
- except Exception:
- raise
+ def config_esp_tun(cls):
+ cls.vapi.ipsec_sad_add_del_entry(cls.scapy_tun_sa_id,
+ cls.scapy_tun_spi,
+ cls.auth_algo_vpp_id, cls.auth_key,
+ cls.crypt_algo_vpp_id,
+ cls.crypt_key, cls.vpp_esp_protocol,
+ cls.tun_if.local_ip4n,
+ cls.tun_if.remote_ip4n)
+ cls.vapi.ipsec_sad_add_del_entry(cls.vpp_tun_sa_id,
+ cls.vpp_tun_spi,
+ cls.auth_algo_vpp_id, cls.auth_key,
+ cls.crypt_algo_vpp_id,
+ cls.crypt_key, cls.vpp_esp_protocol,
+ cls.tun_if.remote_ip4n,
+ cls.tun_if.local_ip4n)
+ cls.vapi.ipsec_spd_add_del(cls.tun_spd_id)
+ cls.vapi.ipsec_interface_add_del_spd(cls.tun_spd_id,
+ cls.tun_if.sw_if_index)
+ l_startaddr = r_startaddr = socket.inet_pton(socket.AF_INET,
+ "0.0.0.0")
+ l_stopaddr = r_stopaddr = socket.inet_pton(socket.AF_INET,
+ "255.255.255.255")
+ cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id,
+ l_startaddr, l_stopaddr, r_startaddr,
+ r_stopaddr,
+ protocol=socket.IPPROTO_ESP)
+ cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id,
+ l_startaddr, l_stopaddr, r_startaddr,
+ r_stopaddr, is_outbound=0,
+ protocol=socket.IPPROTO_ESP)
+ l_startaddr = l_stopaddr = socket.inet_pton(socket.AF_INET,
+ cls.remote_tun_if_host)
+ r_startaddr = r_stopaddr = cls.pg1.remote_ip4n
+ cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.vpp_tun_sa_id,
+ l_startaddr, l_stopaddr, r_startaddr,
+ r_stopaddr, priority=10, policy=3,
+ is_outbound=0)
+ cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id,
+ r_startaddr, r_stopaddr, l_startaddr,
+ l_stopaddr, priority=10, policy=3)
+ l_startaddr = l_stopaddr = socket.inet_pton(socket.AF_INET,
+ cls.remote_tun_if_host)
+ r_startaddr = r_stopaddr = cls.pg0.local_ip4n
+ cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.vpp_tun_sa_id,
+ l_startaddr, l_stopaddr, r_startaddr,
+ r_stopaddr, priority=20, policy=3,
+ is_outbound=0)
+ cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id,
+ r_startaddr, r_stopaddr, l_startaddr,
+ l_stopaddr, priority=20, policy=3)
@classmethod
- def configEspTra(cls):
- try:
- spd_id = 2
- remote_sa_id = 30
- local_sa_id = 40
- remote_tra_spi = 2001
- local_tra_spi = 2000
- cls.vapi.ipsec_sad_add_del_entry(
- remote_sa_id,
- remote_tra_spi,
- integrity_key_length=20,
- crypto_key_length=16,
- protocol=1,
- is_tunnel=0)
- cls.vapi.ipsec_sad_add_del_entry(
- local_sa_id,
- local_tra_spi,
- integrity_key_length=20,
- crypto_key_length=16,
- protocol=1,
- is_tunnel=0)
- cls.vapi.ipsec_spd_add_del(spd_id)
- cls.vapi.ipsec_interface_add_del_spd(spd_id, cls.pg2.sw_if_index)
- l_startaddr = r_startaddr = socket.inet_pton(
- socket.AF_INET, "0.0.0.0")
- l_stopaddr = r_stopaddr = socket.inet_pton(
- socket.AF_INET, "255.255.255.255")
- cls.vapi.ipsec_spd_add_del_entry(
- spd_id,
- l_startaddr,
- l_stopaddr,
- r_startaddr,
- r_stopaddr,
- protocol=socket.IPPROTO_ESP)
- cls.vapi.ipsec_spd_add_del_entry(
- spd_id,
- l_startaddr,
- l_stopaddr,
- r_startaddr,
- r_stopaddr,
- protocol=socket.IPPROTO_ESP,
- is_outbound=0)
- l_startaddr = l_stopaddr = cls.pg2.local_ip4n
- r_startaddr = r_stopaddr = cls.pg2.remote_ip4n
- cls.vapi.ipsec_spd_add_del_entry(
- spd_id,
- l_startaddr,
- l_stopaddr,
- r_startaddr,
- r_stopaddr,
- priority=10,
- policy=3,
- is_outbound=0,
- sa_id=local_sa_id)
- cls.vapi.ipsec_spd_add_del_entry(
- spd_id,
- l_startaddr,
- l_stopaddr,
- r_startaddr,
- r_stopaddr,
- priority=10,
- policy=3,
- sa_id=remote_sa_id)
- except Exception:
- raise
-
- def configScapySA(self, is_tun=False):
- if is_tun:
- self.remote_tun_sa = SecurityAssociation(
- ESP,
- spi=0x000003e8,
- crypt_algo='AES-CBC',
- crypt_key='JPjyOWBeVEQiMe7h',
- auth_algo='HMAC-SHA1-96',
- auth_key='C91KUR9GYMm5GfkEvNjX',
- tunnel_header=IP(
- src=self.pg0.remote_ip4,
- dst=self.pg0.local_ip4))
- self.local_tun_sa = SecurityAssociation(
- ESP,
- spi=0x000003e9,
- crypt_algo='AES-CBC',
- crypt_key='JPjyOWBeVEQiMe7h',
- auth_algo='HMAC-SHA1-96',
- auth_key='C91KUR9GYMm5GfkEvNjX',
- tunnel_header=IP(
- dst=self.pg0.remote_ip4,
- src=self.pg0.local_ip4))
- else:
- self.remote_tra_sa = SecurityAssociation(
- ESP,
- spi=0x000007d0,
- crypt_algo='AES-CBC',
- crypt_key='JPjyOWBeVEQiMe7h',
- auth_algo='HMAC-SHA1-96',
- auth_key='C91KUR9GYMm5GfkEvNjX')
- self.local_tra_sa = SecurityAssociation(
- ESP,
- spi=0x000007d1,
- crypt_algo='AES-CBC',
- crypt_key='JPjyOWBeVEQiMe7h',
- auth_algo='HMAC-SHA1-96',
- auth_key='C91KUR9GYMm5GfkEvNjX')
-
- def tearDown(self):
- super(TestIpsecEsp, self).tearDown()
- if not self.vpp_dead:
- self.vapi.cli("show hardware")
-
- def send_and_expect(self, input, pkts, output, count=1):
- input.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- rx = output.get_capture(count)
- return rx
-
- def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1):
- return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
- sa.encrypt(IP(src=src, dst=dst) / ICMP() /
- "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX")
- ] * count
-
- def gen_pkts(self, sw_intf, src, dst, count=1):
- return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
- IP(src=src, dst=dst) / ICMP() /
- "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
- ] * count
-
- def test_ipsec_esp_tra_basic(self, count=1):
- """ ipsec esp v4 transport basic test """
- try:
- self.configScapySA()
- send_pkts = self.gen_encrypt_pkts(
- self.remote_tra_sa,
- self.pg2,
- src=self.pg2.remote_ip4,
- dst=self.pg2.local_ip4,
- count=count)
- recv_pkts = self.send_and_expect(
- self.pg2, send_pkts, self.pg2, count=count)
- # ESP TRA VPP encryption/decryption verification
- for Pkts in recv_pkts:
- self.local_tra_sa.decrypt(Pkts[IP])
- finally:
- self.logger.info(self.vapi.ppcli("show error"))
- self.logger.info(self.vapi.ppcli("show ipsec"))
-
- def test_ipsec_esp_tra_burst(self):
- """ ipsec esp v4 transport burst test """
- try:
- self.test_ipsec_esp_tra_basic(count=257)
- finally:
- self.logger.info(self.vapi.ppcli("show error"))
- self.logger.info(self.vapi.ppcli("show ipsec"))
-
- def test_ipsec_esp_tun_basic(self, count=1):
- """ ipsec esp 4o4 tunnel basic test """
- try:
- self.configScapySA(is_tun=True)
- send_pkts = self.gen_encrypt_pkts(
- self.remote_tun_sa,
- self.pg0,
- src=self.remote_pg0_lb_addr,
- dst=self.remote_pg1_lb_addr,
- count=count)
- recv_pkts = self.send_and_expect(
- self.pg0, send_pkts, self.pg1, count=count)
- # ESP TUN VPP decryption verification
- for recv_pkt in recv_pkts:
- self.assert_equal(recv_pkt[IP].src, self.remote_pg0_lb_addr)
- self.assert_equal(recv_pkt[IP].dst, self.remote_pg1_lb_addr)
- send_pkts = self.gen_pkts(
- self.pg1,
- src=self.remote_pg1_lb_addr,
- dst=self.remote_pg0_lb_addr,
- count=count)
- recv_pkts = self.send_and_expect(
- self.pg1, send_pkts, self.pg0, count=count)
- # ESP TUN VPP encryption verification
- for recv_pkt in recv_pkts:
- decrypt_pkt = self.local_tun_sa.decrypt(recv_pkt[IP])
- self.assert_equal(decrypt_pkt.src, self.remote_pg1_lb_addr)
- self.assert_equal(decrypt_pkt.dst, self.remote_pg0_lb_addr)
- finally:
- self.logger.info(self.vapi.ppcli("show error"))
- self.logger.info(self.vapi.ppcli("show ipsec"))
-
- def test_ipsec_esp_tun_burst(self):
- """ ipsec esp 4o4 tunnel burst test """
- try:
- self.test_ipsec_esp_tun_basic(count=257)
- finally:
- self.logger.info(self.vapi.ppcli("show error"))
- self.logger.info(self.vapi.ppcli("show ipsec"))
+ def config_esp_tra(cls):
+ cls.vapi.ipsec_sad_add_del_entry(cls.scapy_tra_sa_id,
+ cls.scapy_tra_spi,
+ cls.auth_algo_vpp_id, cls.auth_key,
+ cls.crypt_algo_vpp_id,
+ cls.crypt_key, cls.vpp_esp_protocol,
+ is_tunnel=0)
+ cls.vapi.ipsec_sad_add_del_entry(cls.vpp_tra_sa_id,
+ cls.vpp_tra_spi,
+ cls.auth_algo_vpp_id, cls.auth_key,
+ cls.crypt_algo_vpp_id,
+ cls.crypt_key, cls.vpp_esp_protocol,
+ is_tunnel=0)
+ cls.vapi.ipsec_spd_add_del(cls.tra_spd_id)
+ cls.vapi.ipsec_interface_add_del_spd(cls.tra_spd_id,
+ cls.tra_if.sw_if_index)
+ l_startaddr = r_startaddr = socket.inet_pton(socket.AF_INET,
+ "0.0.0.0")
+ l_stopaddr = r_stopaddr = socket.inet_pton(socket.AF_INET,
+ "255.255.255.255")
+ cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.vpp_tra_sa_id,
+ l_startaddr, l_stopaddr, r_startaddr,
+ r_stopaddr,
+ protocol=socket.IPPROTO_ESP)
+ cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.vpp_tra_sa_id,
+ l_startaddr, l_stopaddr, r_startaddr,
+ r_stopaddr, is_outbound=0,
+ protocol=socket.IPPROTO_ESP)
+ l_startaddr = l_stopaddr = cls.tra_if.local_ip4n
+ r_startaddr = r_stopaddr = cls.tra_if.remote_ip4n
+ cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.vpp_tra_sa_id,
+ l_startaddr, l_stopaddr, r_startaddr,
+ r_stopaddr, priority=10, policy=3,
+ is_outbound=0)
+ cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.scapy_tra_sa_id,
+ l_startaddr, l_stopaddr, r_startaddr,
+ r_stopaddr, priority=10, policy=3)
+
+
+class TestIpsecEsp1(TemplateIpsecEsp, IpsecTraTests, IpsecTunTests):
+ """ Ipsec ESP - TUN & TRA tests """
+ pass
+
+
+class TestIpsecEsp2(TemplateIpsecEsp, IpsecTcpTests):
+ """ Ipsec ESP - TCP tests """
+ pass
if __name__ == '__main__':
diff --git a/test/test_ipsec_nat.py b/test/test_ipsec_nat.py
index cebbfc8ec67..7a5aca6bb7b 100644
--- a/test/test_ipsec_nat.py
+++ b/test/test_ipsec_nat.py
@@ -141,17 +141,17 @@ class IPSecNATTestCase(VppTestCase):
spd_id = 1
remote_sa_id = 10
local_sa_id = 20
- remote_tun_spi = 1001
- local_tun_spi = 1000
+ scapy_tun_spi = 1001
+ vpp_tun_spi = 1000
client = socket.inet_pton(socket.AF_INET, cls.remote_pg0_client_addr)
cls.vapi.ip_add_del_route(client, 32, cls.pg0.remote_ip4n)
- cls.vapi.ipsec_sad_add_del_entry(remote_sa_id, remote_tun_spi,
+ cls.vapi.ipsec_sad_add_del_entry(remote_sa_id, scapy_tun_spi,
cls.pg1.remote_ip4n,
cls.pg0.remote_ip4n,
integrity_key_length=20,
crypto_key_length=16,
protocol=1, udp_encap=1)
- cls.vapi.ipsec_sad_add_del_entry(local_sa_id, local_tun_spi,
+ cls.vapi.ipsec_sad_add_del_entry(local_sa_id, vpp_tun_spi,
cls.pg0.remote_ip4n,
cls.pg1.remote_ip4n,
integrity_key_length=20,
diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py
new file mode 100644
index 00000000000..c260f03b63d
--- /dev/null
+++ b/test/test_ipsec_tun_if_esp.py
@@ -0,0 +1,52 @@
+import unittest
+import socket
+from scapy.layers.ipsec import ESP
+from framework import VppTestRunner
+from template_ipsec import TemplateIpsec, IpsecTunTests, IpsecTcpTests
+from vpp_ipsec_tun_interface import VppIpsecTunInterface
+
+
+class TemplateIpsecTunIfEsp(TemplateIpsec):
+ """ IPsec tunnel interface tests """
+
+ encryption_type = ESP
+
+ @classmethod
+ def setUpClass(cls):
+ super(TemplateIpsecTunIfEsp, cls).setUpClass()
+ cls.tun_if = cls.pg0
+
+ def setUp(self):
+ self.ipsec_tun_if = VppIpsecTunInterface(self, self.pg0,
+ self.vpp_tun_spi,
+ self.scapy_tun_spi,
+ self.crypt_algo_vpp_id,
+ self.crypt_key,
+ self.crypt_key,
+ self.auth_algo_vpp_id,
+ self.auth_key,
+ self.auth_key)
+ self.ipsec_tun_if.add_vpp_config()
+ self.ipsec_tun_if.admin_up()
+ self.ipsec_tun_if.config_ip4()
+ src4 = socket.inet_pton(socket.AF_INET, self.remote_tun_if_host)
+ self.vapi.ip_add_del_route(src4, 32, self.ipsec_tun_if.remote_ip4n)
+
+ def tearDown(self):
+ if not self.vpp_dead:
+ self.vapi.cli("show hardware")
+ super(TemplateIpsecTunIfEsp, self).tearDown()
+
+
+class TestIpsecTunIfEsp1(TemplateIpsecTunIfEsp, IpsecTunTests):
+ """ Ipsec ESP - TUN tests """
+ pass
+
+
+class TestIpsecTunIfEsp2(TemplateIpsecTunIfEsp, IpsecTcpTests):
+ """ Ipsec ESP - TCP tests """
+ pass
+
+
+if __name__ == '__main__':
+ unittest.main(testRunner=VppTestRunner)
diff --git a/test/vpp_interface.py b/test/vpp_interface.py
index 194a0c4fb32..e14a31eb722 100644
--- a/test/vpp_interface.py
+++ b/test/vpp_interface.py
@@ -2,7 +2,6 @@ from abc import abstractmethod, ABCMeta
import socket
from util import Host, mk_ll_addr
-from vpp_neighbor import VppNeighbor
class VppInterface(object):
@@ -171,6 +170,9 @@ class VppInterface(object):
self._hosts_by_ip4 = {}
self._hosts_by_ip6 = {}
+ def set_sw_if_index(self, sw_if_index):
+ self._sw_if_index = sw_if_index
+
self.generate_remote_hosts()
self._local_ip4 = "172.16.%u.1" % self.sw_if_index
diff --git a/test/vpp_ipsec_tun_interface.py b/test/vpp_ipsec_tun_interface.py
new file mode 100644
index 00000000000..bd635417f02
--- /dev/null
+++ b/test/vpp_ipsec_tun_interface.py
@@ -0,0 +1,43 @@
+from vpp_tunnel_interface import VppTunnelInterface
+
+
+class VppIpsecTunInterface(VppTunnelInterface):
+ """
+ VPP IPsec Tunnel interface
+ """
+
+ def __init__(self, test, parent_if, local_spi,
+ remote_spi, crypto_alg, local_crypto_key, remote_crypto_key,
+ integ_alg, local_integ_key, remote_integ_key):
+ super(VppIpsecTunInterface, self).__init__(test, parent_if)
+ self.local_spi = local_spi
+ self.remote_spi = remote_spi
+ self.crypto_alg = crypto_alg
+ self.local_crypto_key = local_crypto_key
+ self.remote_crypto_key = remote_crypto_key
+ self.integ_alg = integ_alg
+ self.local_integ_key = local_integ_key
+ self.remote_integ_key = remote_integ_key
+
+ def add_vpp_config(self):
+ r = self.test.vapi.ipsec_tunnel_if_add_del(
+ self.parent_if.local_ip4n, self.parent_if.remote_ip4n,
+ self.remote_spi, self.local_spi, self.crypto_alg,
+ self.local_crypto_key, self.remote_crypto_key, self.integ_alg,
+ self.local_integ_key, self.remote_integ_key)
+ self.set_sw_if_index(r.sw_if_index)
+ self.generate_remote_hosts()
+ self.test.registry.register(self, self.test.logger)
+
+ def remove_vpp_config(self):
+ self.test.vapi.ipsec_tunnel_if_add_del(
+ self.parent_if.local_ip4n, self.parent_if.remote_ip4n,
+ self.remote_spi, self.local_spi, self.crypto_alg,
+ self.local_crypto_key, self.remote_crypto_key, self.integ_alg,
+ self.local_integ_key, self.remote_integ_key, is_add=0)
+
+ def __str__(self):
+ return self.object_id()
+
+ def object_id(self):
+ return "ipsec-tun-if-%d" % self._sw_if_index
diff --git a/test/vpp_papi_provider.py b/test/vpp_papi_provider.py
index 7869afa32cc..29f07de459e 100644
--- a/test/vpp_papi_provider.py
+++ b/test/vpp_papi_provider.py
@@ -3163,53 +3163,28 @@ class VppPapiProvider(object):
def ipsec_sad_add_del_entry(self,
sad_id,
spi,
+ integrity_algorithm,
+ integrity_key,
+ crypto_algorithm,
+ crypto_key,
+ protocol,
tunnel_src_address='',
tunnel_dst_address='',
- protocol=0,
- integrity_algorithm=2,
- integrity_key_length=0,
- integrity_key='C91KUR9GYMm5GfkEvNjX',
- crypto_algorithm=1,
- crypto_key_length=0,
- crypto_key='JPjyOWBeVEQiMe7h',
- is_add=1,
is_tunnel=1,
+ is_add=1,
udp_encap=0):
""" IPSEC SA add/del
- Sample CLI : 'ipsec sa add 10 spi 1001 esp \
- crypto-key 4a506a794f574265564551694d653768 \
- crypto-alg aes-cbc-128 \
- integ-key 4339314b55523947594d6d3547666b45764e6a58 \
- integ-alg sha1-96 tunnel-src 192.168.100.3 \
- tunnel-dst 192.168.100.2'
- Sample CLI : 'ipsec sa add 20 spi 2001 \
- integ-key 4339314b55523947594d6d3547666b45764e6a58 \
- integ-alg sha1-96'
-
- :param sad_id - Security Association ID to be \
- created or deleted. mandatory
- :param spi - security param index of the SA in decimal. mandatory
- :param tunnel_src_address - incase of tunnel mode outer src address .\
- mandatory for tunnel mode
- :param tunnel_dst_address - incase of transport mode \
- outer dst address. mandatory for tunnel mode
- :param protocol - AH(0) or ESP(1) protocol (Default 0 - AH). optional
- :param integrity_algorithm - value range 1-6 Default(2 - SHA1_96).\
- optional **
- :param integrity_key - value in string \
- (Default C91KUR9GYMm5GfkEvNjX).optional
- :param integrity_key_length - length of the key string in bytes\
- (Default 0 - integrity disabled). optional
- :param crypto_algorithm - value range 1-11 Default \
- (1- AES_CBC_128).optional **
- :param crypto_key - value in string(Default JPjyOWBeVEQiMe7h).optional
- :param crypto_key_length - length of the key string in bytes\
- (Default 0 - crypto disabled). optional
- :param is_add - add(1) or del(0) ipsec SA entry(Default 1 - add) .\
- optional
- :param is_tunnel - tunnel mode (1) or transport mode(0) \
- (Default 1 - tunnel). optional
- :returns: reply from the API
+ :param sad_id: security association ID
+ :param spi: security param index of the SA in decimal
+ :param integrity_algorithm:
+ :param integrity_key:
+ :param crypto_algorithm:
+ :param crypto_key:
+ :param protocol: AH(0) or ESP(1) protocol
+ :param tunnel_src_address: tunnel mode outer src address
+ :param tunnel_dst_address: tunnel mode outer dst address
+ :param is_add:
+ :param is_tunnel:
:** reference /vpp/src/vnet/ipsec/ipsec.h file for enum values of
crypto and ipsec algorithms
"""
@@ -3221,10 +3196,11 @@ class VppPapiProvider(object):
'tunnel_dst_address': tunnel_dst_address,
'protocol': protocol,
'integrity_algorithm': integrity_algorithm,
- 'integrity_key_length': integrity_key_length,
+ 'integrity_key_length': len(integrity_key),
'integrity_key': integrity_key,
'crypto_algorithm': crypto_algorithm,
- 'crypto_key_length': crypto_key_length,
+ 'crypto_key_length': len(crypto_key) if crypto_key is not None
+ else 0,
'crypto_key': crypto_key,
'is_add': is_add,
'is_tunnel': is_tunnel,
@@ -3232,6 +3208,7 @@ class VppPapiProvider(object):
def ipsec_spd_add_del_entry(self,
spd_id,
+ sa_id,
local_address_start,
local_address_stop,
remote_address_start,
@@ -3241,7 +3218,6 @@ class VppPapiProvider(object):
remote_port_start=0,
remote_port_stop=65535,
protocol=0,
- sa_id=10,
policy=0,
priority=100,
is_outbound=1,
@@ -3249,35 +3225,28 @@ class VppPapiProvider(object):
is_ip_any=0):
""" IPSEC policy SPD add/del -
Wrapper to configure ipsec SPD policy entries in VPP
- Sample CLI : 'ipsec policy add spd 1 inbound priority 10 action \
- protect sa 20 local-ip-range 192.168.4.4 - 192.168.4.4 \
- remote-ip-range 192.168.3.3 - 192.168.3.3'
-
- :param spd_id - SPD ID for the policy . mandatory
- :param local_address_start - local-ip-range start address . mandatory
- :param local_address_stop - local-ip-range stop address . mandatory
- :param remote_address_start - remote-ip-range start address . mandatory
- :param remote_address_stop - remote-ip-range stop address . mandatory
- :param local_port_start - (Default 0) . optional
- :param local_port_stop - (Default 65535). optional
- :param remote_port_start - (Default 0). optional
- :param remote_port_stop - (Default 65535). optional
- :param protocol - Any(0), AH(51) & ESP(50) protocol (Default 0 - Any).
- optional
- :param sa_id - Security Association ID for mapping it to SPD
- (default 10). optional
- :param policy - bypass(0), discard(1), resolve(2) or protect(3)action
- (Default 0 - bypass). optional
- :param priotity - value for the spd action (Default 100). optional
- :param is_outbound - flag for inbound(0) or outbound(1)
- (Default 1 - outbound). optional
- :param is_add flag - for addition(1) or deletion(0) of the spd
- (Default 1 - addtion). optional
- :returns: reply from the API
+ :param spd_id: SPD ID for the policy
+ :param local_address_start: local-ip-range start address
+ :param local_address_stop : local-ip-range stop address
+ :param remote_address_start: remote-ip-range start address
+ :param remote_address_stop : remote-ip-range stop address
+ :param local_port_start: (Default value = 0)
+ :param local_port_stop: (Default value = 65535)
+ :param remote_port_start: (Default value = 0)
+ :param remote_port_stop: (Default value = 65535)
+ :param protocol: Any(0), AH(51) & ESP(50) protocol (Default value = 0)
+ :param sa_id: Security Association ID for mapping it to SPD
+ :param policy: bypass(0), discard(1), resolve(2) or protect(3) action
+ (Default value = 0)
+ :param priority: value for the spd action (Default value = 100)
+ :param is_outbound: flag for inbound(0) or outbound(1)
+ (Default value = 1)
+ :param is_add: (Default value = 1)
"""
return self.api(
self.papi.ipsec_spd_add_del_entry,
{'spd_id': spd_id,
+ 'sa_id': sa_id,
'local_address_start': local_address_start,
'local_address_stop': local_address_stop,
'remote_address_start': remote_address_start,
@@ -3291,9 +3260,30 @@ class VppPapiProvider(object):
'policy': policy,
'priority': priority,
'is_outbound': is_outbound,
- 'sa_id': sa_id,
'is_ip_any': is_ip_any})
+ def ipsec_tunnel_if_add_del(self, local_ip, remote_ip, local_spi,
+ remote_spi, crypto_alg, local_crypto_key,
+ remote_crypto_key, integ_alg, local_integ_key,
+ remote_integ_key, is_add=1, esn=0,
+ anti_replay=1, renumber=0, show_instance=0):
+ return self.api(
+ self.papi.ipsec_tunnel_if_add_del,
+ {'local_ip': local_ip, 'remote_ip': remote_ip,
+ 'local_spi': local_spi, 'remote_spi': remote_spi,
+ 'crypto_alg': crypto_alg,
+ 'local_crypto_key_len': len(local_crypto_key),
+ 'local_crypto_key': local_crypto_key,
+ 'remote_crypto_key_len': len(remote_crypto_key),
+ 'remote_crypto_key': remote_crypto_key, 'integ_alg': integ_alg,
+ 'local_integ_key_len': len(local_integ_key),
+ 'local_integ_key': local_integ_key,
+ 'remote_integ_key_len': len(remote_integ_key),
+ 'remote_integ_key': remote_integ_key, 'is_add': is_add,
+ 'esn': esn, 'anti_replay': anti_replay, 'renumber': renumber,
+ 'show_instance': show_instance
+ })
+
def app_namespace_add(self,
namespace_id,
ip4_fib_id=0,
diff --git a/test/vpp_pg_interface.py b/test/vpp_pg_interface.py
index 81e9714a37a..1300f1f1f00 100644
--- a/test/vpp_pg_interface.py
+++ b/test/vpp_pg_interface.py
@@ -84,11 +84,11 @@ class VppPGInterface(VppInterface):
def __init__(self, test, pg_index):
""" Create VPP packet-generator interface """
- r = test.vapi.pg_create_interface(pg_index)
- self._sw_if_index = r.sw_if_index
-
super(VppPGInterface, self).__init__(test)
+ r = test.vapi.pg_create_interface(pg_index)
+ self.set_sw_if_index(r.sw_if_index)
+
self._in_history_counter = 0
self._out_history_counter = 0
self._out_assert_counter = 0
diff --git a/test/vpp_tunnel_interface.py b/test/vpp_tunnel_interface.py
new file mode 100644
index 00000000000..c74f58532f2
--- /dev/null
+++ b/test/vpp_tunnel_interface.py
@@ -0,0 +1,32 @@
+from abc import abstractmethod, ABCMeta
+from vpp_pg_interface import is_ipv6_misc
+from vpp_interface import VppInterface
+
+
+class VppTunnelInterface(VppInterface):
+ """ VPP tunnel interface abstration """
+ __metaclass__ = ABCMeta
+
+ @abstractmethod
+ def __init__(self, test, parent_if):
+ super(VppTunnelInterface, self).__init__(test)
+ self.parent_if = parent_if
+
+ @property
+ def local_mac(self):
+ return self.parent_if.local_mac
+
+ @property
+ def remote_mac(self):
+ return self.parent_if.remote_mac
+
+ def enable_capture(self):
+ return self.parent_if.enable_capture()
+
+ def add_stream(self, pkts):
+ return self.parent_if.add_stream(pkts)
+
+ def get_capture(self, expected_count=None, remark=None, timeout=1,
+ filter_out_fn=is_ipv6_misc):
+ return self.parent_if.get_capture(expected_count, remark, timeout,
+ filter_out_fn)