diff options
author | Klement Sekera <ksekera@cisco.com> | 2018-05-16 10:52:45 +0200 |
---|---|---|
committer | Florin Coras <florin.coras@gmail.com> | 2018-06-21 14:50:10 +0000 |
commit | a98346f664aae148d26a8e158008b773d73db96f (patch) | |
tree | 2a850b1925f3dd70817fb0e41324baef71fd7a05 /test | |
parent | 56ba844d6a8b8f58b18fe51bf22707b0c37d3a87 (diff) |
ipsec: VPP-1316 calculate IP/TCP/UDP inner checksums
Calculate IP/TCP/UDP checksums in software before adding authentication.
Change-Id: I3e121cb00aeba667764f39ade8d62170f18f8b6b
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Diffstat (limited to 'test')
-rw-r--r-- | test/bfd.py | 11 | ||||
-rwxr-xr-x | test/discover_tests.py | 2 | ||||
-rw-r--r-- | test/framework.py | 19 | ||||
-rw-r--r-- | test/template_ipsec.py | 208 | ||||
-rw-r--r-- | test/test_ipsec_ah.py | 287 | ||||
-rw-r--r-- | test/test_ipsec_esp.py | 404 | ||||
-rw-r--r-- | test/test_ipsec_nat.py | 8 | ||||
-rw-r--r-- | test/test_ipsec_tun_if_esp.py | 52 | ||||
-rw-r--r-- | test/vpp_interface.py | 4 | ||||
-rw-r--r-- | test/vpp_ipsec_tun_interface.py | 43 | ||||
-rw-r--r-- | test/vpp_papi_provider.py | 132 | ||||
-rw-r--r-- | test/vpp_pg_interface.py | 6 | ||||
-rw-r--r-- | test/vpp_tunnel_interface.py | 32 |
13 files changed, 634 insertions, 574 deletions
diff --git a/test/bfd.py b/test/bfd.py index 452a1804988..d99bbf6165c 100644 --- a/test/bfd.py +++ b/test/bfd.py @@ -35,9 +35,6 @@ class BFDDiagCode(NumericConstant): reverse_concatenated_path_down: "Reverse Concatenated Path Down", } - def __init__(self, value): - NumericConstant.__init__(self, value) - class BFDState(NumericConstant): """ BFD State """ @@ -53,9 +50,6 @@ class BFDState(NumericConstant): up: "Up", } - def __init__(self, value): - NumericConstant.__init__(self, value) - class BFDAuthType(NumericConstant): """ BFD Authentication Type """ @@ -75,9 +69,6 @@ class BFDAuthType(NumericConstant): meticulous_keyed_sha1: "Meticulous Keyed SHA1", } - def __init__(self, value): - NumericConstant.__init__(self, value) - def bfd_is_auth_used(pkt): """ is packet authenticated? """ @@ -148,6 +139,7 @@ class BFD(Packet): return self.sprintf("BFD(my_disc=%BFD.my_discriminator%," "your_disc=%BFD.your_discriminator%)") + # glue the BFD packet class to scapy parser bind_layers(UDP, BFD, dport=BFD.udp_dport) @@ -169,6 +161,7 @@ class BFD_vpp_echo(Packet): "BFD_VPP_ECHO(disc=%BFD_VPP_ECHO.discriminator%," "expire_time_clocks=%BFD_VPP_ECHO.expire_time_clocks%)") + # glue the BFD echo packet class to scapy parser bind_layers(UDP, BFD_vpp_echo, dport=BFD_vpp_echo.udp_dport) diff --git a/test/discover_tests.py b/test/discover_tests.py index eea594107b6..99016e2845e 100755 --- a/test/discover_tests.py +++ b/test/discover_tests.py @@ -30,7 +30,7 @@ def discover_tests(directory, callback): continue if not issubclass(cls, unittest.TestCase): continue - if name == "VppTestCase": + if name == "VppTestCase" or name.startswith("Template"): continue for method in dir(cls): if not callable(getattr(cls, method)): diff --git a/test/framework.py b/test/framework.py index f90197b9b6f..be8c209f4ea 100644 --- a/test/framework.py +++ b/test/framework.py @@ -25,6 +25,7 @@ from vpp_papi_provider import VppPapiProvider from log import RED, GREEN, YELLOW, double_line_delim, single_line_delim, \ getLogger, colorize from vpp_object import VppObjectRegistry +from util import ppp from scapy.layers.inet import IPerror, TCPerror, UDPerror, ICMPerror from scapy.layers.inet6 import ICMPv6DestUnreach, ICMPv6EchoRequest from scapy.layers.inet6 import ICMPv6EchoReply @@ -735,11 +736,14 @@ class VppTestCase(unittest.TestCase): def assert_packet_checksums_valid(self, packet, ignore_zero_udp_checksums=True): + received = packet.__class__(str(packet)) + self.logger.debug( + ppp("Verifying packet checksums for packet:", received)) udp_layers = ['UDP', 'UDPerror'] checksum_fields = ['cksum', 'chksum'] checksums = [] counter = 0 - temp = packet.__class__(str(packet)) + temp = received.__class__(str(received)) while True: layer = temp.getlayer(counter) if layer: @@ -754,12 +758,17 @@ class VppTestCase(unittest.TestCase): else: break counter = counter + 1 + if 0 == len(checksums): + return temp = temp.__class__(str(temp)) for layer, cf in checksums: - self.assert_equal(getattr(packet[layer], cf), - getattr(temp[layer], cf), - "packet checksum on layer #%d: %s" % ( - layer, temp[layer].name)) + calc_sum = getattr(temp[layer], cf) + self.assert_equal( + getattr(received[layer], cf), calc_sum, + "packet checksum on layer #%d: %s" % (layer, temp[layer].name)) + self.logger.debug( + "Checksum field `%s` on `%s` layer has correct value `%s`" % + (cf, temp[layer].name, calc_sum)) def assert_checksum_valid(self, received_packet, layer, field_name='chksum', diff --git a/test/template_ipsec.py b/test/template_ipsec.py new file mode 100644 index 00000000000..9d95185cb9e --- /dev/null +++ b/test/template_ipsec.py @@ -0,0 +1,208 @@ +import unittest + +from scapy.layers.inet import IP, ICMP, TCP +from scapy.layers.ipsec import SecurityAssociation +from scapy.layers.l2 import Ether, Raw + +from framework import VppTestCase, VppTestRunner +from util import ppp + + +class TemplateIpsec(VppTestCase): + """ + TRANSPORT MODE: + + ------ encrypt --- + |tra_if| <-------> |VPP| + ------ decrypt --- + + TUNNEL MODE: + + ------ encrypt --- plain --- + |tun_if| <------- |VPP| <------ |pg1| + ------ --- --- + + ------ decrypt --- plain --- + |tun_if| -------> |VPP| ------> |pg1| + ------ --- --- + """ + + remote_tun_if_host = '1.1.1.1' + payload = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" + + tun_spd_id = 1 + scapy_tun_sa_id = 10 + scapy_tun_spi = 1001 + vpp_tun_sa_id = 20 + vpp_tun_spi = 1000 + + tra_spd_id = 2 + scapy_tra_sa_id = 30 + scapy_tra_spi = 2001 + vpp_tra_sa_id = 40 + vpp_tra_spi = 2000 + + vpp_esp_protocol = 1 + vpp_ah_protocol = 0 + + auth_algo_vpp_id = 2 # internal VPP enum value for SHA1_96 + auth_algo = 'HMAC-SHA1-96' # scapy name + auth_key = 'C91KUR9GYMm5GfkEvNjX' + + crypt_algo_vpp_id = 1 # internal VPP enum value for AES_CBC_128 + crypt_algo = 'AES-CBC' # scapy name + crypt_key = 'JPjyOWBeVEQiMe7h' + + @classmethod + def setUpClass(cls): + super(TemplateIpsec, cls).setUpClass() + cls.create_pg_interfaces(range(3)) + cls.interfaces = list(cls.pg_interfaces) + for i in cls.interfaces: + i.admin_up() + i.config_ip4() + i.resolve_arp() + + def tearDown(self): + super(TemplateIpsec, self).tearDown() + if not self.vpp_dead: + self.vapi.cli("show hardware") + + def send_and_expect(self, input, pkts, output, count=1): + input.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + rx = output.get_capture(count) + return rx + + def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1): + return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / + sa.encrypt(IP(src=src, dst=dst) / ICMP() / self.payload) + for i in range(count)] + + def gen_pkts(self, sw_intf, src, dst, count=1): + return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / + IP(src=src, dst=dst) / ICMP() / self.payload + for i in range(count)] + + def configure_sa_tun(self): + scapy_tun_sa = SecurityAssociation(self.encryption_type, + spi=self.vpp_tun_spi, + crypt_algo=self.crypt_algo, + crypt_key=self.crypt_key, + auth_algo=self.auth_algo, + auth_key=self.auth_key, + tunnel_header=IP( + src=self.tun_if.remote_ip4, + dst=self.tun_if.local_ip4)) + vpp_tun_sa = SecurityAssociation(self.encryption_type, + spi=self.scapy_tun_spi, + crypt_algo=self.crypt_algo, + crypt_key=self.crypt_key, + auth_algo=self.auth_algo, + auth_key=self.auth_key, + tunnel_header=IP( + dst=self.tun_if.remote_ip4, + src=self.tun_if.local_ip4)) + return vpp_tun_sa, scapy_tun_sa + + def configure_sa_tra(self): + scapy_tra_sa = SecurityAssociation(self.encryption_type, + spi=self.vpp_tra_spi, + crypt_algo=self.crypt_algo, + crypt_key=self.crypt_key, + auth_algo=self.auth_algo, + auth_key=self.auth_key) + vpp_tra_sa = SecurityAssociation(self.encryption_type, + spi=self.scapy_tra_spi, + crypt_algo=self.crypt_algo, + crypt_key=self.crypt_key, + auth_algo=self.auth_algo, + auth_key=self.auth_key) + return vpp_tra_sa, scapy_tra_sa + + +class IpsecTcpTests(object): + def test_tcp_checksum(self): + """ verify checksum correctness for vpp generated packets """ + self.vapi.cli("test http server") + vpp_tun_sa, scapy_tun_sa = self.configure_sa_tun() + send = (Ether(src=self.tun_if.remote_mac, dst=self.tun_if.local_mac) / + scapy_tun_sa.encrypt(IP(src=self.remote_tun_if_host, + dst=self.tun_if.local_ip4) / + TCP(flags='S', dport=80))) + self.logger.debug(ppp("Sending packet:", send)) + recv = self.send_and_expect(self.tun_if, [send], self.tun_if, 1) + recv = recv[0] + decrypted = vpp_tun_sa.decrypt(recv[IP]) + self.assert_packet_checksums_valid(decrypted) + + +class IpsecTraTests(object): + def test_tra_basic(self, count=1): + """ ipsec v4 transport basic test """ + try: + vpp_tra_sa, scapy_tra_sa = self.configure_sa_tra() + send_pkts = self.gen_encrypt_pkts(scapy_tra_sa, self.tra_if, + src=self.tra_if.remote_ip4, + dst=self.tra_if.local_ip4, + count=count) + recv_pkts = self.send_and_expect(self.tra_if, send_pkts, + self.tra_if, count=count) + for p in recv_pkts: + decrypted = vpp_tra_sa.decrypt(p[IP]) + self.assert_packet_checksums_valid(decrypted) + finally: + self.logger.info(self.vapi.ppcli("show error")) + self.logger.info(self.vapi.ppcli("show ipsec")) + + def test_tra_burst(self): + """ ipsec v4 transport burst test """ + try: + self.test_tra_basic(count=257) + finally: + self.logger.info(self.vapi.ppcli("show error")) + self.logger.info(self.vapi.ppcli("show ipsec")) + + +class IpsecTunTests(object): + def test_tun_basic(self, count=1): + """ ipsec 4o4 tunnel basic test """ + try: + vpp_tun_sa, scapy_tun_sa = self.configure_sa_tun() + send_pkts = self.gen_encrypt_pkts(scapy_tun_sa, self.tun_if, + src=self.remote_tun_if_host, + dst=self.pg1.remote_ip4, + count=count) + recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1, + count=count) + for recv_pkt in recv_pkts: + self.assert_equal(recv_pkt[IP].src, self.remote_tun_if_host) + self.assert_equal(recv_pkt[IP].dst, self.pg1.remote_ip4) + self.assert_packet_checksums_valid(recv_pkt) + send_pkts = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4, + dst=self.remote_tun_if_host, count=count) + recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.tun_if, + count=count) + for recv_pkt in recv_pkts: + decrypt_pkt = vpp_tun_sa.decrypt(recv_pkt[IP]) + if not decrypt_pkt.haslayer(IP): + decrypt_pkt = IP(decrypt_pkt[Raw].load) + self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip4) + self.assert_equal(decrypt_pkt.dst, self.remote_tun_if_host) + self.assert_packet_checksums_valid(decrypt_pkt) + finally: + self.logger.info(self.vapi.ppcli("show error")) + self.logger.info(self.vapi.ppcli("show ipsec")) + + def test_tun_burst(self): + """ ipsec 4o4 tunnel burst test """ + try: + self.test_tun_basic(count=257) + finally: + self.logger.info(self.vapi.ppcli("show error")) + self.logger.info(self.vapi.ppcli("show ipsec")) + + +if __name__ == '__main__': + unittest.main(testRunner=VppTestRunner) diff --git a/test/test_ipsec_ah.py b/test/test_ipsec_ah.py index d173b2e3b23..729f8716d03 100644 --- a/test/test_ipsec_ah.py +++ b/test/test_ipsec_ah.py @@ -1,14 +1,14 @@ import socket import unittest -from scapy.layers.inet import IP, ICMP -from scapy.layers.l2 import Ether, Raw -from scapy.layers.ipsec import SecurityAssociation, AH +from scapy.layers.ipsec import AH -from framework import VppTestCase, VppTestRunner +from framework import VppTestRunner +from template_ipsec import TemplateIpsec, IpsecTraTests, IpsecTunTests +from template_ipsec import IpsecTcpTests -class TestIpsecAh(VppTestCase): +class TemplateIpsecAh(TemplateIpsec): """ Basic test for IPSEC using AH transport and Tunnel mode @@ -41,214 +41,123 @@ class TestIpsecAh(VppTestCase): Note : IPv6 is not covered """ - remote_pg0_lb_addr = '1.1.1.1' - remote_pg1_lb_addr = '2.2.2.2' - payload = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" + encryption_type = AH @classmethod def setUpClass(cls): - super(TestIpsecAh, cls).setUpClass() - try: - cls.create_pg_interfaces(range(3)) - cls.interfaces = list(cls.pg_interfaces) - for i in cls.interfaces: - i.admin_up() - i.config_ip4() - i.resolve_arp() - cls.logger.info(cls.vapi.ppcli("show int addr")) - cls.config_ah_tra() - cls.logger.info(cls.vapi.ppcli("show ipsec")) - cls.config_ah_tun() - cls.logger.info(cls.vapi.ppcli("show ipsec")) - except Exception: - super(TestIpsecAh, cls).tearDownClass() - raise + super(TemplateIpsecAh, cls).setUpClass() + cls.tun_if = cls.pg0 + cls.tra_if = cls.pg2 + cls.logger.info(cls.vapi.ppcli("show int addr")) + cls.config_ah_tra() + cls.logger.info(cls.vapi.ppcli("show ipsec")) + cls.config_ah_tun() + cls.logger.info(cls.vapi.ppcli("show ipsec")) + src4 = socket.inet_pton(socket.AF_INET, cls.remote_tun_if_host) + cls.vapi.ip_add_del_route(src4, 32, cls.tun_if.remote_ip4n) @classmethod def config_ah_tun(cls): - spd_id = 1 - remote_sa_id = 10 - local_sa_id = 20 - remote_tun_spi = 1001 - local_tun_spi = 1000 - src4 = socket.inet_pton(socket.AF_INET, cls.remote_pg0_lb_addr) - cls.vapi.ip_add_del_route(src4, 32, cls.pg0.remote_ip4n) - dst4 = socket.inet_pton(socket.AF_INET, cls.remote_pg1_lb_addr) - cls.vapi.ip_add_del_route(dst4, 32, cls.pg1.remote_ip4n) - cls.vapi.ipsec_sad_add_del_entry(remote_sa_id, remote_tun_spi, - cls.pg0.local_ip4n, - cls.pg0.remote_ip4n, - integrity_key_length=20) - cls.vapi.ipsec_sad_add_del_entry(local_sa_id, local_tun_spi, - cls.pg0.remote_ip4n, - cls.pg0.local_ip4n, - integrity_key_length=20) - cls.vapi.ipsec_spd_add_del(spd_id) - cls.vapi.ipsec_interface_add_del_spd(spd_id, cls.pg0.sw_if_index) + cls.vapi.ipsec_sad_add_del_entry(cls.scapy_tun_sa_id, + cls.scapy_tun_spi, + cls.auth_algo_vpp_id, cls.auth_key, + cls.crypt_algo_vpp_id, + cls.crypt_key, cls.vpp_ah_protocol, + cls.tun_if.local_ip4n, + cls.tun_if.remote_ip4n) + cls.vapi.ipsec_sad_add_del_entry(cls.vpp_tun_sa_id, + cls.vpp_tun_spi, + cls.auth_algo_vpp_id, cls.auth_key, + cls.crypt_algo_vpp_id, + cls.crypt_key, cls.vpp_ah_protocol, + cls.tun_if.remote_ip4n, + cls.tun_if.local_ip4n) + cls.vapi.ipsec_spd_add_del(cls.tun_spd_id) + cls.vapi.ipsec_interface_add_del_spd(cls.tun_spd_id, + cls.tun_if.sw_if_index) l_startaddr = r_startaddr = socket.inet_pton(socket.AF_INET, "0.0.0.0") l_stopaddr = r_stopaddr = socket.inet_pton(socket.AF_INET, "255.255.255.255") - cls.vapi.ipsec_spd_add_del_entry(spd_id, l_startaddr, l_stopaddr, - r_startaddr, r_stopaddr, + cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.vpp_tun_sa_id, + l_startaddr, l_stopaddr, r_startaddr, + r_stopaddr, + protocol=socket.IPPROTO_AH) + cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.vpp_tun_sa_id, + l_startaddr, l_stopaddr, r_startaddr, + r_stopaddr, is_outbound=0, protocol=socket.IPPROTO_AH) - cls.vapi.ipsec_spd_add_del_entry(spd_id, l_startaddr, l_stopaddr, - r_startaddr, r_stopaddr, - protocol=socket.IPPROTO_AH, - is_outbound=0) l_startaddr = l_stopaddr = socket.inet_pton(socket.AF_INET, - cls.remote_pg0_lb_addr) - r_startaddr = r_stopaddr = socket.inet_pton(socket.AF_INET, - cls.remote_pg1_lb_addr) - cls.vapi.ipsec_spd_add_del_entry(spd_id, l_startaddr, l_stopaddr, - r_startaddr, r_stopaddr, - priority=10, policy=3, - is_outbound=0, sa_id=local_sa_id) - cls.vapi.ipsec_spd_add_del_entry(spd_id, r_startaddr, r_stopaddr, - l_startaddr, l_stopaddr, priority=10, - policy=3, sa_id=remote_sa_id) + cls.remote_tun_if_host) + r_startaddr = r_stopaddr = cls.pg1.remote_ip4n + cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.vpp_tun_sa_id, + l_startaddr, l_stopaddr, r_startaddr, + r_stopaddr, priority=10, policy=3, + is_outbound=0) + cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id, + r_startaddr, r_stopaddr, l_startaddr, + l_stopaddr, priority=10, policy=3) + r_startaddr = r_stopaddr = cls.pg0.local_ip4n + cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.vpp_tun_sa_id, + l_startaddr, l_stopaddr, r_startaddr, + r_stopaddr, priority=20, policy=3, + is_outbound=0) + cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id, + r_startaddr, r_stopaddr, l_startaddr, + l_stopaddr, priority=20, policy=3) @classmethod def config_ah_tra(cls): - spd_id = 2 - remote_sa_id = 30 - local_sa_id = 40 - remote_tra_spi = 2001 - local_tra_spi = 2000 - cls.vapi.ipsec_sad_add_del_entry(remote_sa_id, remote_tra_spi, - integrity_key_length=20, is_tunnel=0) - cls.vapi.ipsec_sad_add_del_entry(local_sa_id, local_tra_spi, - integrity_key_length=20, is_tunnel=0) - cls.vapi.ipsec_spd_add_del(spd_id) - cls.vapi.ipsec_interface_add_del_spd(spd_id, cls.pg2.sw_if_index) + cls.vapi.ipsec_sad_add_del_entry(cls.scapy_tra_sa_id, + cls.scapy_tra_spi, + cls.auth_algo_vpp_id, cls.auth_key, + cls.crypt_algo_vpp_id, + cls.crypt_key, cls.vpp_ah_protocol, + is_tunnel=0) + cls.vapi.ipsec_sad_add_del_entry(cls.vpp_tra_sa_id, + cls.vpp_tra_spi, + cls.auth_algo_vpp_id, cls.auth_key, + cls.crypt_algo_vpp_id, + cls.crypt_key, cls.vpp_ah_protocol, + is_tunnel=0) + cls.vapi.ipsec_spd_add_del(cls.tra_spd_id) + cls.vapi.ipsec_interface_add_del_spd(cls.tra_spd_id, + cls.tra_if.sw_if_index) l_startaddr = r_startaddr = socket.inet_pton(socket.AF_INET, "0.0.0.0") l_stopaddr = r_stopaddr = socket.inet_pton(socket.AF_INET, "255.255.255.255") - cls.vapi.ipsec_spd_add_del_entry(spd_id, l_startaddr, l_stopaddr, - r_startaddr, r_stopaddr, + cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.vpp_tra_sa_id, + l_startaddr, l_stopaddr, r_startaddr, + r_stopaddr, protocol=socket.IPPROTO_AH) - cls.vapi.ipsec_spd_add_del_entry(spd_id, l_startaddr, l_stopaddr, - r_startaddr, r_stopaddr, - protocol=socket.IPPROTO_AH, + cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.scapy_tra_sa_id, + l_startaddr, l_stopaddr, r_startaddr, + r_stopaddr, is_outbound=0, + protocol=socket.IPPROTO_AH) + l_startaddr = l_stopaddr = cls.tra_if.local_ip4n + r_startaddr = r_stopaddr = cls.tra_if.remote_ip4n + cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.vpp_tra_sa_id, + l_startaddr, l_stopaddr, r_startaddr, + r_stopaddr, priority=10, policy=3, is_outbound=0) - l_startaddr = l_stopaddr = cls.pg2.local_ip4n - r_startaddr = r_stopaddr = cls.pg2.remote_ip4n - cls.vapi.ipsec_spd_add_del_entry(spd_id, l_startaddr, l_stopaddr, - r_startaddr, r_stopaddr, - priority=10, policy=3, - is_outbound=0, sa_id=local_sa_id) - cls.vapi.ipsec_spd_add_del_entry(spd_id, l_startaddr, l_stopaddr, - r_startaddr, r_stopaddr, priority=10, - policy=3, sa_id=remote_sa_id) - - def configure_scapy_sa_tun(self): - remote_tun_sa = SecurityAssociation(AH, spi=0x000003e8, - auth_algo='HMAC-SHA1-96', - auth_key='C91KUR9GYMm5GfkEvNjX', - tunnel_header=IP( - src=self.pg0.remote_ip4, - dst=self.pg0.local_ip4)) - local_tun_sa = SecurityAssociation(AH, spi=0x000003e9, - auth_algo='HMAC-SHA1-96', - auth_key='C91KUR9GYMm5GfkEvNjX', - tunnel_header=IP( - dst=self.pg0.remote_ip4, - src=self.pg0.local_ip4)) - return local_tun_sa, remote_tun_sa - - def configure_scapy_sa_tra(self): - remote_tra_sa = SecurityAssociation(AH, spi=0x000007d0, - auth_algo='HMAC-SHA1-96', - auth_key='C91KUR9GYMm5GfkEvNjX') - local_tra_sa = SecurityAssociation(AH, spi=0x000007d1, - auth_algo='HMAC-SHA1-96', - auth_key='C91KUR9GYMm5GfkEvNjX') - return local_tra_sa, remote_tra_sa + cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.scapy_tra_sa_id, + l_startaddr, l_stopaddr, r_startaddr, + r_stopaddr, priority=10, + policy=3) def tearDown(self): - super(TestIpsecAh, self).tearDown() + super(TemplateIpsecAh, self).tearDown() if not self.vpp_dead: self.vapi.cli("show hardware") - def send_and_expect(self, input, pkts, output, count=1): - input.add_stream(pkts) - self.pg_enable_capture(self.pg_interfaces) - self.pg_start() - rx = output.get_capture(count) - return rx - - def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1): - return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / - sa.encrypt(IP(src=src, dst=dst) / ICMP() / self.payload) - ] * count - - def gen_pkts(self, sw_intf, src, dst, count=1): - return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / - IP(src=src, dst=dst) / ICMP() / self.payload - ] * count - - def test_ipsec_ah_tra_basic(self, count=1): - """ ipsec ah v4 transport basic test """ - try: - local_tra_sa, remote_tra_sa = self.configure_scapy_sa_tra() - send_pkts = self.gen_encrypt_pkts(remote_tra_sa, self.pg2, - src=self.pg2.remote_ip4, - dst=self.pg2.local_ip4, - count=count) - recv_pkts = self.send_and_expect(self.pg2, send_pkts, self.pg2, - count=count) - # ESP TRA VPP encryption/decryption verification - for Pkts in recv_pkts: - Pkts[AH].padding = Pkts[AH].icv[12:] - Pkts[AH].icv = Pkts[AH].icv[:12] - local_tra_sa.decrypt(Pkts[IP]) - finally: - self.logger.info(self.vapi.ppcli("show error")) - self.logger.info(self.vapi.ppcli("show ipsec")) - - def test_ipsec_ah_tra_burst(self): - """ ipsec ah v4 transport burst test """ - try: - self.test_ipsec_ah_tra_basic(count=257) - finally: - self.logger.info(self.vapi.ppcli("show error")) - self.logger.info(self.vapi.ppcli("show ipsec")) - - def test_ipsec_ah_tun_basic(self, count=1): - """ ipsec ah 4o4 tunnel basic test """ - try: - local_tun_sa, remote_tun_sa = self.configure_scapy_sa_tun() - send_pkts = self.gen_encrypt_pkts(remote_tun_sa, self.pg0, - src=self.remote_pg0_lb_addr, - dst=self.remote_pg1_lb_addr, - count=count) - recv_pkts = self.send_and_expect(self.pg0, send_pkts, self.pg1, - count=count) - # ESP TUN VPP decryption verification - for recv_pkt in recv_pkts: - self.assert_equal(recv_pkt[IP].src, self.remote_pg0_lb_addr) - self.assert_equal(recv_pkt[IP].dst, self.remote_pg1_lb_addr) - send_pkts = self.gen_pkts(self.pg1, src=self.remote_pg1_lb_addr, - dst=self.remote_pg0_lb_addr, - count=count) - recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.pg0, - count=count) - # ESP TUN VPP encryption verification - for recv_pkt in recv_pkts: - decrypt_pkt = local_tun_sa.decrypt(recv_pkt[IP]) - decrypt_pkt = IP(decrypt_pkt[Raw].load) - self.assert_equal(decrypt_pkt.src, self.remote_pg1_lb_addr) - self.assert_equal(decrypt_pkt.dst, self.remote_pg0_lb_addr) - finally: - self.logger.info(self.vapi.ppcli("show error")) - self.logger.info(self.vapi.ppcli("show ipsec")) - - def test_ipsec_ah_tun_burst(self): - """ ipsec ah 4o4 tunnel burst test """ - try: - self.test_ipsec_ah_tun_basic(count=257) - finally: - self.logger.info(self.vapi.ppcli("show error")) - self.logger.info(self.vapi.ppcli("show ipsec")) + +class TestIpsecAh1(TemplateIpsecAh, IpsecTraTests, IpsecTunTests): + """ Ipsec AH - TUN & TRA tests """ + pass + + +class TestIpsecAh2(TemplateIpsecAh, IpsecTcpTests): + """ Ipsec AH - TCP tests """ + pass if __name__ == '__main__': diff --git a/test/test_ipsec_esp.py b/test/test_ipsec_esp.py index 15ce4a96878..58d159a7213 100644 --- a/test/test_ipsec_esp.py +++ b/test/test_ipsec_esp.py @@ -1,14 +1,13 @@ import socket import unittest +from scapy.layers.ipsec import ESP -from scapy.layers.inet import IP, ICMP -from scapy.layers.l2 import Ether -from scapy.layers.ipsec import SecurityAssociation, ESP +from framework import VppTestRunner +from template_ipsec import IpsecTraTests, IpsecTunTests +from template_ipsec import TemplateIpsec, IpsecTcpTests -from framework import VppTestCase, VppTestRunner - -class TestIpsecEsp(VppTestCase): +class TemplateIpsecEsp(TemplateIpsec): """ Basic test for ipsec esp sanity - tunnel and transport modes. @@ -41,298 +40,121 @@ class TestIpsecEsp(VppTestCase): Note : IPv6 is not covered """ - remote_pg0_lb_addr = '1.1.1.1' - remote_pg1_lb_addr = '2.2.2.2' + encryption_type = ESP @classmethod def setUpClass(cls): - super(TestIpsecEsp, cls).setUpClass() - try: - cls.create_pg_interfaces(range(3)) - cls.interfaces = list(cls.pg_interfaces) - for i in cls.interfaces: - i.admin_up() - i.config_ip4() - i.resolve_arp() - cls.logger.info(cls.vapi.ppcli("show int addr")) - cls.configEspTra() - cls.logger.info(cls.vapi.ppcli("show ipsec")) - cls.configEspTun() - cls.logger.info(cls.vapi.ppcli("show ipsec")) - except Exception: - super(TestIpsecEsp, cls).tearDownClass() - raise + super(TemplateIpsecEsp, cls).setUpClass() + cls.tun_if = cls.pg0 + cls.tra_if = cls.pg2 + cls.logger.info(cls.vapi.ppcli("show int addr")) + cls.config_esp_tra() + cls.logger.info(cls.vapi.ppcli("show ipsec")) + cls.config_esp_tun() + cls.logger.info(cls.vapi.ppcli("show ipsec")) + src4 = socket.inet_pton(socket.AF_INET, cls.remote_tun_if_host) + cls.vapi.ip_add_del_route(src4, 32, cls.tun_if.remote_ip4n) @classmethod - def configEspTun(cls): - try: - spd_id = 1 - remote_sa_id = 10 - local_sa_id = 20 - remote_tun_spi = 1001 - local_tun_spi = 1000 - src4 = socket.inet_pton(socket.AF_INET, cls.remote_pg0_lb_addr) - cls.vapi.ip_add_del_route(src4, 32, cls.pg0.remote_ip4n) - dst4 = socket.inet_pton(socket.AF_INET, cls.remote_pg1_lb_addr) - cls.vapi.ip_add_del_route(dst4, 32, cls.pg1.remote_ip4n) - cls.vapi.ipsec_sad_add_del_entry( - remote_sa_id, - remote_tun_spi, - cls.pg0.local_ip4n, - cls.pg0.remote_ip4n, - integrity_key_length=20, - crypto_key_length=16, - protocol=1) - cls.vapi.ipsec_sad_add_del_entry( - local_sa_id, - local_tun_spi, - cls.pg0.remote_ip4n, - cls.pg0.local_ip4n, - integrity_key_length=20, - crypto_key_length=16, - protocol=1) - cls.vapi.ipsec_spd_add_del(spd_id) - cls.vapi.ipsec_interface_add_del_spd(spd_id, cls.pg0.sw_if_index) - l_startaddr = r_startaddr = socket.inet_pton( - socket.AF_INET, "0.0.0.0") - l_stopaddr = r_stopaddr = socket.inet_pton( - socket.AF_INET, "255.255.255.255") - cls.vapi.ipsec_spd_add_del_entry( - spd_id, - l_startaddr, - l_stopaddr, - r_startaddr, - r_stopaddr, - protocol=socket.IPPROTO_ESP) - cls.vapi.ipsec_spd_add_del_entry( - spd_id, - l_startaddr, - l_stopaddr, - r_startaddr, - r_stopaddr, - protocol=socket.IPPROTO_ESP, - is_outbound=0) - l_startaddr = l_stopaddr = socket.inet_pton( - socket.AF_INET, cls.remote_pg0_lb_addr) - r_startaddr = r_stopaddr = socket.inet_pton( - socket.AF_INET, cls.remote_pg1_lb_addr) - cls.vapi.ipsec_spd_add_del_entry( - spd_id, - l_startaddr, - l_stopaddr, - r_startaddr, - r_stopaddr, - priority=10, - policy=3, - is_outbound=0, - sa_id=local_sa_id) - cls.vapi.ipsec_spd_add_del_entry( - spd_id, - r_startaddr, - r_stopaddr, - l_startaddr, - l_stopaddr, - priority=10, - policy=3, - sa_id=remote_sa_id) - except Exception: - raise + def config_esp_tun(cls): + cls.vapi.ipsec_sad_add_del_entry(cls.scapy_tun_sa_id, + cls.scapy_tun_spi, + cls.auth_algo_vpp_id, cls.auth_key, + cls.crypt_algo_vpp_id, + cls.crypt_key, cls.vpp_esp_protocol, + cls.tun_if.local_ip4n, + cls.tun_if.remote_ip4n) + cls.vapi.ipsec_sad_add_del_entry(cls.vpp_tun_sa_id, + cls.vpp_tun_spi, + cls.auth_algo_vpp_id, cls.auth_key, + cls.crypt_algo_vpp_id, + cls.crypt_key, cls.vpp_esp_protocol, + cls.tun_if.remote_ip4n, + cls.tun_if.local_ip4n) + cls.vapi.ipsec_spd_add_del(cls.tun_spd_id) + cls.vapi.ipsec_interface_add_del_spd(cls.tun_spd_id, + cls.tun_if.sw_if_index) + l_startaddr = r_startaddr = socket.inet_pton(socket.AF_INET, + "0.0.0.0") + l_stopaddr = r_stopaddr = socket.inet_pton(socket.AF_INET, + "255.255.255.255") + cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id, + l_startaddr, l_stopaddr, r_startaddr, + r_stopaddr, + protocol=socket.IPPROTO_ESP) + cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id, + l_startaddr, l_stopaddr, r_startaddr, + r_stopaddr, is_outbound=0, + protocol=socket.IPPROTO_ESP) + l_startaddr = l_stopaddr = socket.inet_pton(socket.AF_INET, + cls.remote_tun_if_host) + r_startaddr = r_stopaddr = cls.pg1.remote_ip4n + cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.vpp_tun_sa_id, + l_startaddr, l_stopaddr, r_startaddr, + r_stopaddr, priority=10, policy=3, + is_outbound=0) + cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id, + r_startaddr, r_stopaddr, l_startaddr, + l_stopaddr, priority=10, policy=3) + l_startaddr = l_stopaddr = socket.inet_pton(socket.AF_INET, + cls.remote_tun_if_host) + r_startaddr = r_stopaddr = cls.pg0.local_ip4n + cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.vpp_tun_sa_id, + l_startaddr, l_stopaddr, r_startaddr, + r_stopaddr, priority=20, policy=3, + is_outbound=0) + cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id, + r_startaddr, r_stopaddr, l_startaddr, + l_stopaddr, priority=20, policy=3) @classmethod - def configEspTra(cls): - try: - spd_id = 2 - remote_sa_id = 30 - local_sa_id = 40 - remote_tra_spi = 2001 - local_tra_spi = 2000 - cls.vapi.ipsec_sad_add_del_entry( - remote_sa_id, - remote_tra_spi, - integrity_key_length=20, - crypto_key_length=16, - protocol=1, - is_tunnel=0) - cls.vapi.ipsec_sad_add_del_entry( - local_sa_id, - local_tra_spi, - integrity_key_length=20, - crypto_key_length=16, - protocol=1, - is_tunnel=0) - cls.vapi.ipsec_spd_add_del(spd_id) - cls.vapi.ipsec_interface_add_del_spd(spd_id, cls.pg2.sw_if_index) - l_startaddr = r_startaddr = socket.inet_pton( - socket.AF_INET, "0.0.0.0") - l_stopaddr = r_stopaddr = socket.inet_pton( - socket.AF_INET, "255.255.255.255") - cls.vapi.ipsec_spd_add_del_entry( - spd_id, - l_startaddr, - l_stopaddr, - r_startaddr, - r_stopaddr, - protocol=socket.IPPROTO_ESP) - cls.vapi.ipsec_spd_add_del_entry( - spd_id, - l_startaddr, - l_stopaddr, - r_startaddr, - r_stopaddr, - protocol=socket.IPPROTO_ESP, - is_outbound=0) - l_startaddr = l_stopaddr = cls.pg2.local_ip4n - r_startaddr = r_stopaddr = cls.pg2.remote_ip4n - cls.vapi.ipsec_spd_add_del_entry( - spd_id, - l_startaddr, - l_stopaddr, - r_startaddr, - r_stopaddr, - priority=10, - policy=3, - is_outbound=0, - sa_id=local_sa_id) - cls.vapi.ipsec_spd_add_del_entry( - spd_id, - l_startaddr, - l_stopaddr, - r_startaddr, - r_stopaddr, - priority=10, - policy=3, - sa_id=remote_sa_id) - except Exception: - raise - - def configScapySA(self, is_tun=False): - if is_tun: - self.remote_tun_sa = SecurityAssociation( - ESP, - spi=0x000003e8, - crypt_algo='AES-CBC', - crypt_key='JPjyOWBeVEQiMe7h', - auth_algo='HMAC-SHA1-96', - auth_key='C91KUR9GYMm5GfkEvNjX', - tunnel_header=IP( - src=self.pg0.remote_ip4, - dst=self.pg0.local_ip4)) - self.local_tun_sa = SecurityAssociation( - ESP, - spi=0x000003e9, - crypt_algo='AES-CBC', - crypt_key='JPjyOWBeVEQiMe7h', - auth_algo='HMAC-SHA1-96', - auth_key='C91KUR9GYMm5GfkEvNjX', - tunnel_header=IP( - dst=self.pg0.remote_ip4, - src=self.pg0.local_ip4)) - else: - self.remote_tra_sa = SecurityAssociation( - ESP, - spi=0x000007d0, - crypt_algo='AES-CBC', - crypt_key='JPjyOWBeVEQiMe7h', - auth_algo='HMAC-SHA1-96', - auth_key='C91KUR9GYMm5GfkEvNjX') - self.local_tra_sa = SecurityAssociation( - ESP, - spi=0x000007d1, - crypt_algo='AES-CBC', - crypt_key='JPjyOWBeVEQiMe7h', - auth_algo='HMAC-SHA1-96', - auth_key='C91KUR9GYMm5GfkEvNjX') - - def tearDown(self): - super(TestIpsecEsp, self).tearDown() - if not self.vpp_dead: - self.vapi.cli("show hardware") - - def send_and_expect(self, input, pkts, output, count=1): - input.add_stream(pkts) - self.pg_enable_capture(self.pg_interfaces) - self.pg_start() - rx = output.get_capture(count) - return rx - - def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1): - return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / - sa.encrypt(IP(src=src, dst=dst) / ICMP() / - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX") - ] * count - - def gen_pkts(self, sw_intf, src, dst, count=1): - return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / - IP(src=src, dst=dst) / ICMP() / - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" - ] * count - - def test_ipsec_esp_tra_basic(self, count=1): - """ ipsec esp v4 transport basic test """ - try: - self.configScapySA() - send_pkts = self.gen_encrypt_pkts( - self.remote_tra_sa, - self.pg2, - src=self.pg2.remote_ip4, - dst=self.pg2.local_ip4, - count=count) - recv_pkts = self.send_and_expect( - self.pg2, send_pkts, self.pg2, count=count) - # ESP TRA VPP encryption/decryption verification - for Pkts in recv_pkts: - self.local_tra_sa.decrypt(Pkts[IP]) - finally: - self.logger.info(self.vapi.ppcli("show error")) - self.logger.info(self.vapi.ppcli("show ipsec")) - - def test_ipsec_esp_tra_burst(self): - """ ipsec esp v4 transport burst test """ - try: - self.test_ipsec_esp_tra_basic(count=257) - finally: - self.logger.info(self.vapi.ppcli("show error")) - self.logger.info(self.vapi.ppcli("show ipsec")) - - def test_ipsec_esp_tun_basic(self, count=1): - """ ipsec esp 4o4 tunnel basic test """ - try: - self.configScapySA(is_tun=True) - send_pkts = self.gen_encrypt_pkts( - self.remote_tun_sa, - self.pg0, - src=self.remote_pg0_lb_addr, - dst=self.remote_pg1_lb_addr, - count=count) - recv_pkts = self.send_and_expect( - self.pg0, send_pkts, self.pg1, count=count) - # ESP TUN VPP decryption verification - for recv_pkt in recv_pkts: - self.assert_equal(recv_pkt[IP].src, self.remote_pg0_lb_addr) - self.assert_equal(recv_pkt[IP].dst, self.remote_pg1_lb_addr) - send_pkts = self.gen_pkts( - self.pg1, - src=self.remote_pg1_lb_addr, - dst=self.remote_pg0_lb_addr, - count=count) - recv_pkts = self.send_and_expect( - self.pg1, send_pkts, self.pg0, count=count) - # ESP TUN VPP encryption verification - for recv_pkt in recv_pkts: - decrypt_pkt = self.local_tun_sa.decrypt(recv_pkt[IP]) - self.assert_equal(decrypt_pkt.src, self.remote_pg1_lb_addr) - self.assert_equal(decrypt_pkt.dst, self.remote_pg0_lb_addr) - finally: - self.logger.info(self.vapi.ppcli("show error")) - self.logger.info(self.vapi.ppcli("show ipsec")) - - def test_ipsec_esp_tun_burst(self): - """ ipsec esp 4o4 tunnel burst test """ - try: - self.test_ipsec_esp_tun_basic(count=257) - finally: - self.logger.info(self.vapi.ppcli("show error")) - self.logger.info(self.vapi.ppcli("show ipsec")) + def config_esp_tra(cls): + cls.vapi.ipsec_sad_add_del_entry(cls.scapy_tra_sa_id, + cls.scapy_tra_spi, + cls.auth_algo_vpp_id, cls.auth_key, + cls.crypt_algo_vpp_id, + cls.crypt_key, cls.vpp_esp_protocol, + is_tunnel=0) + cls.vapi.ipsec_sad_add_del_entry(cls.vpp_tra_sa_id, + cls.vpp_tra_spi, + cls.auth_algo_vpp_id, cls.auth_key, + cls.crypt_algo_vpp_id, + cls.crypt_key, cls.vpp_esp_protocol, + is_tunnel=0) + cls.vapi.ipsec_spd_add_del(cls.tra_spd_id) + cls.vapi.ipsec_interface_add_del_spd(cls.tra_spd_id, + cls.tra_if.sw_if_index) + l_startaddr = r_startaddr = socket.inet_pton(socket.AF_INET, + "0.0.0.0") + l_stopaddr = r_stopaddr = socket.inet_pton(socket.AF_INET, + "255.255.255.255") + cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.vpp_tra_sa_id, + l_startaddr, l_stopaddr, r_startaddr, + r_stopaddr, + protocol=socket.IPPROTO_ESP) + cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.vpp_tra_sa_id, + l_startaddr, l_stopaddr, r_startaddr, + r_stopaddr, is_outbound=0, + protocol=socket.IPPROTO_ESP) + l_startaddr = l_stopaddr = cls.tra_if.local_ip4n + r_startaddr = r_stopaddr = cls.tra_if.remote_ip4n + cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.vpp_tra_sa_id, + l_startaddr, l_stopaddr, r_startaddr, + r_stopaddr, priority=10, policy=3, + is_outbound=0) + cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.scapy_tra_sa_id, + l_startaddr, l_stopaddr, r_startaddr, + r_stopaddr, priority=10, policy=3) + + +class TestIpsecEsp1(TemplateIpsecEsp, IpsecTraTests, IpsecTunTests): + """ Ipsec ESP - TUN & TRA tests """ + pass + + +class TestIpsecEsp2(TemplateIpsecEsp, IpsecTcpTests): + """ Ipsec ESP - TCP tests """ + pass if __name__ == '__main__': diff --git a/test/test_ipsec_nat.py b/test/test_ipsec_nat.py index cebbfc8ec67..7a5aca6bb7b 100644 --- a/test/test_ipsec_nat.py +++ b/test/test_ipsec_nat.py @@ -141,17 +141,17 @@ class IPSecNATTestCase(VppTestCase): spd_id = 1 remote_sa_id = 10 local_sa_id = 20 - remote_tun_spi = 1001 - local_tun_spi = 1000 + scapy_tun_spi = 1001 + vpp_tun_spi = 1000 client = socket.inet_pton(socket.AF_INET, cls.remote_pg0_client_addr) cls.vapi.ip_add_del_route(client, 32, cls.pg0.remote_ip4n) - cls.vapi.ipsec_sad_add_del_entry(remote_sa_id, remote_tun_spi, + cls.vapi.ipsec_sad_add_del_entry(remote_sa_id, scapy_tun_spi, cls.pg1.remote_ip4n, cls.pg0.remote_ip4n, integrity_key_length=20, crypto_key_length=16, protocol=1, udp_encap=1) - cls.vapi.ipsec_sad_add_del_entry(local_sa_id, local_tun_spi, + cls.vapi.ipsec_sad_add_del_entry(local_sa_id, vpp_tun_spi, cls.pg0.remote_ip4n, cls.pg1.remote_ip4n, integrity_key_length=20, diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py new file mode 100644 index 00000000000..c260f03b63d --- /dev/null +++ b/test/test_ipsec_tun_if_esp.py @@ -0,0 +1,52 @@ +import unittest +import socket +from scapy.layers.ipsec import ESP +from framework import VppTestRunner +from template_ipsec import TemplateIpsec, IpsecTunTests, IpsecTcpTests +from vpp_ipsec_tun_interface import VppIpsecTunInterface + + +class TemplateIpsecTunIfEsp(TemplateIpsec): + """ IPsec tunnel interface tests """ + + encryption_type = ESP + + @classmethod + def setUpClass(cls): + super(TemplateIpsecTunIfEsp, cls).setUpClass() + cls.tun_if = cls.pg0 + + def setUp(self): + self.ipsec_tun_if = VppIpsecTunInterface(self, self.pg0, + self.vpp_tun_spi, + self.scapy_tun_spi, + self.crypt_algo_vpp_id, + self.crypt_key, + self.crypt_key, + self.auth_algo_vpp_id, + self.auth_key, + self.auth_key) + self.ipsec_tun_if.add_vpp_config() + self.ipsec_tun_if.admin_up() + self.ipsec_tun_if.config_ip4() + src4 = socket.inet_pton(socket.AF_INET, self.remote_tun_if_host) + self.vapi.ip_add_del_route(src4, 32, self.ipsec_tun_if.remote_ip4n) + + def tearDown(self): + if not self.vpp_dead: + self.vapi.cli("show hardware") + super(TemplateIpsecTunIfEsp, self).tearDown() + + +class TestIpsecTunIfEsp1(TemplateIpsecTunIfEsp, IpsecTunTests): + """ Ipsec ESP - TUN tests """ + pass + + +class TestIpsecTunIfEsp2(TemplateIpsecTunIfEsp, IpsecTcpTests): + """ Ipsec ESP - TCP tests """ + pass + + +if __name__ == '__main__': + unittest.main(testRunner=VppTestRunner) diff --git a/test/vpp_interface.py b/test/vpp_interface.py index 194a0c4fb32..e14a31eb722 100644 --- a/test/vpp_interface.py +++ b/test/vpp_interface.py @@ -2,7 +2,6 @@ from abc import abstractmethod, ABCMeta import socket from util import Host, mk_ll_addr -from vpp_neighbor import VppNeighbor class VppInterface(object): @@ -171,6 +170,9 @@ class VppInterface(object): self._hosts_by_ip4 = {} self._hosts_by_ip6 = {} + def set_sw_if_index(self, sw_if_index): + self._sw_if_index = sw_if_index + self.generate_remote_hosts() self._local_ip4 = "172.16.%u.1" % self.sw_if_index diff --git a/test/vpp_ipsec_tun_interface.py b/test/vpp_ipsec_tun_interface.py new file mode 100644 index 00000000000..bd635417f02 --- /dev/null +++ b/test/vpp_ipsec_tun_interface.py @@ -0,0 +1,43 @@ +from vpp_tunnel_interface import VppTunnelInterface + + +class VppIpsecTunInterface(VppTunnelInterface): + """ + VPP IPsec Tunnel interface + """ + + def __init__(self, test, parent_if, local_spi, + remote_spi, crypto_alg, local_crypto_key, remote_crypto_key, + integ_alg, local_integ_key, remote_integ_key): + super(VppIpsecTunInterface, self).__init__(test, parent_if) + self.local_spi = local_spi + self.remote_spi = remote_spi + self.crypto_alg = crypto_alg + self.local_crypto_key = local_crypto_key + self.remote_crypto_key = remote_crypto_key + self.integ_alg = integ_alg + self.local_integ_key = local_integ_key + self.remote_integ_key = remote_integ_key + + def add_vpp_config(self): + r = self.test.vapi.ipsec_tunnel_if_add_del( + self.parent_if.local_ip4n, self.parent_if.remote_ip4n, + self.remote_spi, self.local_spi, self.crypto_alg, + self.local_crypto_key, self.remote_crypto_key, self.integ_alg, + self.local_integ_key, self.remote_integ_key) + self.set_sw_if_index(r.sw_if_index) + self.generate_remote_hosts() + self.test.registry.register(self, self.test.logger) + + def remove_vpp_config(self): + self.test.vapi.ipsec_tunnel_if_add_del( + self.parent_if.local_ip4n, self.parent_if.remote_ip4n, + self.remote_spi, self.local_spi, self.crypto_alg, + self.local_crypto_key, self.remote_crypto_key, self.integ_alg, + self.local_integ_key, self.remote_integ_key, is_add=0) + + def __str__(self): + return self.object_id() + + def object_id(self): + return "ipsec-tun-if-%d" % self._sw_if_index diff --git a/test/vpp_papi_provider.py b/test/vpp_papi_provider.py index 7869afa32cc..29f07de459e 100644 --- a/test/vpp_papi_provider.py +++ b/test/vpp_papi_provider.py @@ -3163,53 +3163,28 @@ class VppPapiProvider(object): def ipsec_sad_add_del_entry(self, sad_id, spi, + integrity_algorithm, + integrity_key, + crypto_algorithm, + crypto_key, + protocol, tunnel_src_address='', tunnel_dst_address='', - protocol=0, - integrity_algorithm=2, - integrity_key_length=0, - integrity_key='C91KUR9GYMm5GfkEvNjX', - crypto_algorithm=1, - crypto_key_length=0, - crypto_key='JPjyOWBeVEQiMe7h', - is_add=1, is_tunnel=1, + is_add=1, udp_encap=0): """ IPSEC SA add/del - Sample CLI : 'ipsec sa add 10 spi 1001 esp \ - crypto-key 4a506a794f574265564551694d653768 \ - crypto-alg aes-cbc-128 \ - integ-key 4339314b55523947594d6d3547666b45764e6a58 \ - integ-alg sha1-96 tunnel-src 192.168.100.3 \ - tunnel-dst 192.168.100.2' - Sample CLI : 'ipsec sa add 20 spi 2001 \ - integ-key 4339314b55523947594d6d3547666b45764e6a58 \ - integ-alg sha1-96' - - :param sad_id - Security Association ID to be \ - created or deleted. mandatory - :param spi - security param index of the SA in decimal. mandatory - :param tunnel_src_address - incase of tunnel mode outer src address .\ - mandatory for tunnel mode - :param tunnel_dst_address - incase of transport mode \ - outer dst address. mandatory for tunnel mode - :param protocol - AH(0) or ESP(1) protocol (Default 0 - AH). optional - :param integrity_algorithm - value range 1-6 Default(2 - SHA1_96).\ - optional ** - :param integrity_key - value in string \ - (Default C91KUR9GYMm5GfkEvNjX).optional - :param integrity_key_length - length of the key string in bytes\ - (Default 0 - integrity disabled). optional - :param crypto_algorithm - value range 1-11 Default \ - (1- AES_CBC_128).optional ** - :param crypto_key - value in string(Default JPjyOWBeVEQiMe7h).optional - :param crypto_key_length - length of the key string in bytes\ - (Default 0 - crypto disabled). optional - :param is_add - add(1) or del(0) ipsec SA entry(Default 1 - add) .\ - optional - :param is_tunnel - tunnel mode (1) or transport mode(0) \ - (Default 1 - tunnel). optional - :returns: reply from the API + :param sad_id: security association ID + :param spi: security param index of the SA in decimal + :param integrity_algorithm: + :param integrity_key: + :param crypto_algorithm: + :param crypto_key: + :param protocol: AH(0) or ESP(1) protocol + :param tunnel_src_address: tunnel mode outer src address + :param tunnel_dst_address: tunnel mode outer dst address + :param is_add: + :param is_tunnel: :** reference /vpp/src/vnet/ipsec/ipsec.h file for enum values of crypto and ipsec algorithms """ @@ -3221,10 +3196,11 @@ class VppPapiProvider(object): 'tunnel_dst_address': tunnel_dst_address, 'protocol': protocol, 'integrity_algorithm': integrity_algorithm, - 'integrity_key_length': integrity_key_length, + 'integrity_key_length': len(integrity_key), 'integrity_key': integrity_key, 'crypto_algorithm': crypto_algorithm, - 'crypto_key_length': crypto_key_length, + 'crypto_key_length': len(crypto_key) if crypto_key is not None + else 0, 'crypto_key': crypto_key, 'is_add': is_add, 'is_tunnel': is_tunnel, @@ -3232,6 +3208,7 @@ class VppPapiProvider(object): def ipsec_spd_add_del_entry(self, spd_id, + sa_id, local_address_start, local_address_stop, remote_address_start, @@ -3241,7 +3218,6 @@ class VppPapiProvider(object): remote_port_start=0, remote_port_stop=65535, protocol=0, - sa_id=10, policy=0, priority=100, is_outbound=1, @@ -3249,35 +3225,28 @@ class VppPapiProvider(object): is_ip_any=0): """ IPSEC policy SPD add/del - Wrapper to configure ipsec SPD policy entries in VPP - Sample CLI : 'ipsec policy add spd 1 inbound priority 10 action \ - protect sa 20 local-ip-range 192.168.4.4 - 192.168.4.4 \ - remote-ip-range 192.168.3.3 - 192.168.3.3' - - :param spd_id - SPD ID for the policy . mandatory - :param local_address_start - local-ip-range start address . mandatory - :param local_address_stop - local-ip-range stop address . mandatory - :param remote_address_start - remote-ip-range start address . mandatory - :param remote_address_stop - remote-ip-range stop address . mandatory - :param local_port_start - (Default 0) . optional - :param local_port_stop - (Default 65535). optional - :param remote_port_start - (Default 0). optional - :param remote_port_stop - (Default 65535). optional - :param protocol - Any(0), AH(51) & ESP(50) protocol (Default 0 - Any). - optional - :param sa_id - Security Association ID for mapping it to SPD - (default 10). optional - :param policy - bypass(0), discard(1), resolve(2) or protect(3)action - (Default 0 - bypass). optional - :param priotity - value for the spd action (Default 100). optional - :param is_outbound - flag for inbound(0) or outbound(1) - (Default 1 - outbound). optional - :param is_add flag - for addition(1) or deletion(0) of the spd - (Default 1 - addtion). optional - :returns: reply from the API + :param spd_id: SPD ID for the policy + :param local_address_start: local-ip-range start address + :param local_address_stop : local-ip-range stop address + :param remote_address_start: remote-ip-range start address + :param remote_address_stop : remote-ip-range stop address + :param local_port_start: (Default value = 0) + :param local_port_stop: (Default value = 65535) + :param remote_port_start: (Default value = 0) + :param remote_port_stop: (Default value = 65535) + :param protocol: Any(0), AH(51) & ESP(50) protocol (Default value = 0) + :param sa_id: Security Association ID for mapping it to SPD + :param policy: bypass(0), discard(1), resolve(2) or protect(3) action + (Default value = 0) + :param priority: value for the spd action (Default value = 100) + :param is_outbound: flag for inbound(0) or outbound(1) + (Default value = 1) + :param is_add: (Default value = 1) """ return self.api( self.papi.ipsec_spd_add_del_entry, {'spd_id': spd_id, + 'sa_id': sa_id, 'local_address_start': local_address_start, 'local_address_stop': local_address_stop, 'remote_address_start': remote_address_start, @@ -3291,9 +3260,30 @@ class VppPapiProvider(object): 'policy': policy, 'priority': priority, 'is_outbound': is_outbound, - 'sa_id': sa_id, 'is_ip_any': is_ip_any}) + def ipsec_tunnel_if_add_del(self, local_ip, remote_ip, local_spi, + remote_spi, crypto_alg, local_crypto_key, + remote_crypto_key, integ_alg, local_integ_key, + remote_integ_key, is_add=1, esn=0, + anti_replay=1, renumber=0, show_instance=0): + return self.api( + self.papi.ipsec_tunnel_if_add_del, + {'local_ip': local_ip, 'remote_ip': remote_ip, + 'local_spi': local_spi, 'remote_spi': remote_spi, + 'crypto_alg': crypto_alg, + 'local_crypto_key_len': len(local_crypto_key), + 'local_crypto_key': local_crypto_key, + 'remote_crypto_key_len': len(remote_crypto_key), + 'remote_crypto_key': remote_crypto_key, 'integ_alg': integ_alg, + 'local_integ_key_len': len(local_integ_key), + 'local_integ_key': local_integ_key, + 'remote_integ_key_len': len(remote_integ_key), + 'remote_integ_key': remote_integ_key, 'is_add': is_add, + 'esn': esn, 'anti_replay': anti_replay, 'renumber': renumber, + 'show_instance': show_instance + }) + def app_namespace_add(self, namespace_id, ip4_fib_id=0, diff --git a/test/vpp_pg_interface.py b/test/vpp_pg_interface.py index 81e9714a37a..1300f1f1f00 100644 --- a/test/vpp_pg_interface.py +++ b/test/vpp_pg_interface.py @@ -84,11 +84,11 @@ class VppPGInterface(VppInterface): def __init__(self, test, pg_index): """ Create VPP packet-generator interface """ - r = test.vapi.pg_create_interface(pg_index) - self._sw_if_index = r.sw_if_index - super(VppPGInterface, self).__init__(test) + r = test.vapi.pg_create_interface(pg_index) + self.set_sw_if_index(r.sw_if_index) + self._in_history_counter = 0 self._out_history_counter = 0 self._out_assert_counter = 0 diff --git a/test/vpp_tunnel_interface.py b/test/vpp_tunnel_interface.py new file mode 100644 index 00000000000..c74f58532f2 --- /dev/null +++ b/test/vpp_tunnel_interface.py @@ -0,0 +1,32 @@ +from abc import abstractmethod, ABCMeta +from vpp_pg_interface import is_ipv6_misc +from vpp_interface import VppInterface + + +class VppTunnelInterface(VppInterface): + """ VPP tunnel interface abstration """ + __metaclass__ = ABCMeta + + @abstractmethod + def __init__(self, test, parent_if): + super(VppTunnelInterface, self).__init__(test) + self.parent_if = parent_if + + @property + def local_mac(self): + return self.parent_if.local_mac + + @property + def remote_mac(self): + return self.parent_if.remote_mac + + def enable_capture(self): + return self.parent_if.enable_capture() + + def add_stream(self, pkts): + return self.parent_if.add_stream(pkts) + + def get_capture(self, expected_count=None, remark=None, timeout=1, + filter_out_fn=is_ipv6_misc): + return self.parent_if.get_capture(expected_count, remark, timeout, + filter_out_fn) |