aboutsummaryrefslogtreecommitdiffstats
path: root/test
diff options
context:
space:
mode:
authorNeale Ranns <nranns@cisco.com>2020-04-01 09:45:23 +0000
committerPaul Vinciguerra <pvinci@vinciconsulting.com>2020-05-05 18:36:33 +0000
commitabc5660c61698fa29252dc202358002a97f2608c (patch)
tree969edc7dc2145e40e3fb96c470df917f2053abfe /test
parent6fdd7a5f77301a3398c4445bfef202b123ce90d8 (diff)
ipsec: User can choose the UDP source port
Type: feature thus allowing NAT traversal, Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: Ie8650ceeb5074f98c68d2d90f6adc2f18afeba08 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
Diffstat (limited to 'test')
-rw-r--r--test/patches/scapy-2.4.3/ipsec.patch11
-rw-r--r--test/test_ipsec_api.py51
-rw-r--r--test/test_ipsec_tun_if_esp.py136
-rw-r--r--test/vpp_ipsec.py96
-rw-r--r--test/vpp_papi_provider.py55
5 files changed, 252 insertions, 97 deletions
diff --git a/test/patches/scapy-2.4.3/ipsec.patch b/test/patches/scapy-2.4.3/ipsec.patch
index 993604768ff..7ee8316bce3 100644
--- a/test/patches/scapy-2.4.3/ipsec.patch
+++ b/test/patches/scapy-2.4.3/ipsec.patch
@@ -2,6 +2,14 @@ diff --git a/scapy/layers/ipsec.py b/scapy/layers/ipsec.py
index f8c601fa..f566d288 100644
--- a/scapy/layers/ipsec.py
+++ b/scapy/layers/ipsec.py
+@@ -138,6 +138,7 @@ bind_layers(IP, ESP, proto=socket.IPPROTO_ESP)
+ bind_layers(IPv6, ESP, nh=socket.IPPROTO_ESP)
+ bind_layers(UDP, ESP, dport=4500) # NAT-Traversal encapsulation
+ bind_layers(UDP, ESP, sport=4500) # NAT-Traversal encapsulation
++bind_layers(UDP, ESP, dport=4545) # NAT-Traversal encapsulation - random port
+
+ ###############################################################################
+
@@ -359,11 +359,8 @@ class CryptAlgo(object):
encryptor = cipher.encryptor()
@@ -147,7 +155,7 @@ index f8c601fa..f566d288 100644
esp = self.crypt_algo.decrypt(self, encrypted, self.crypt_key,
self.crypt_algo.icv_size or
-@@ -1050,9 +1069,10 @@ class SecurityAssociation(object):
+@@ -1050,11 +1069,12 @@ class SecurityAssociation(object):
def _decrypt_ah(self, pkt, verify=True):
@@ -160,3 +168,4 @@ index f8c601fa..f566d288 100644
ah = pkt[AH]
payload = ah.payload
+
diff --git a/test/test_ipsec_api.py b/test/test_ipsec_api.py
index 00885ae05b6..b5b4adac66b 100644
--- a/test/test_ipsec_api.py
+++ b/test/test_ipsec_api.py
@@ -70,23 +70,48 @@ class IpsecApiTestCase(VppTestCase):
crypt_algo_vpp_id = params.crypt_algo_vpp_id
crypt_key = params.crypt_key
- self.vapi.ipsec_sad_entry_add_del(scapy_tun_sa_id, scapy_tun_spi,
- auth_algo_vpp_id, auth_key,
- crypt_algo_vpp_id, crypt_key,
- self.vpp_ah_protocol,
- self.pg0.local_addr[addr_type],
- self.pg0.remote_addr[addr_type])
+ self.vapi.ipsec_sad_entry_add_del(
+ is_add=1,
+ entry={
+ 'sad_id': scapy_tun_sa_id,
+ 'spi': scapy_tun_spi,
+ 'integrity_algorithm': auth_algo_vpp_id,
+ 'integrity_key': {
+ 'data': auth_key,
+ 'length': len(auth_key),
+ },
+ 'crypto_algorithm': crypt_algo_vpp_id,
+ 'crypto_key': {
+ 'data': crypt_key,
+ 'length': len(crypt_key),
+ },
+ 'protocol': self.vpp_ah_protocol,
+ 'tunnel_src': self.pg0.local_addr[addr_type],
+ 'tunnel_dst': self.pg0.remote_addr[addr_type]
+ })
with self.vapi.assert_negative_api_retval():
self.vapi.ipsec_select_backend(
protocol=self.vpp_ah_protocol, index=0)
- self.vapi.ipsec_sad_entry_add_del(scapy_tun_sa_id, scapy_tun_spi,
- auth_algo_vpp_id, auth_key,
- crypt_algo_vpp_id, crypt_key,
- self.vpp_ah_protocol,
- self.pg0.local_addr[addr_type],
- self.pg0.remote_addr[addr_type],
- is_add=0)
+ self.vapi.ipsec_sad_entry_add_del(
+ is_add=0,
+ entry={
+ 'sad_id': scapy_tun_sa_id,
+ 'spi': scapy_tun_spi,
+ 'integrity_algorithm': auth_algo_vpp_id,
+ 'integrity_key': {
+ 'data': auth_key,
+ 'length': len(auth_key),
+ },
+ 'crypto_algorithm': crypt_algo_vpp_id,
+ 'crypto_key': {
+ 'data': crypt_key,
+ 'length': len(crypt_key),
+ },
+ 'protocol': self.vpp_ah_protocol,
+ 'tunnel_src': self.pg0.local_addr[addr_type],
+ 'tunnel_dst': self.pg0.remote_addr[addr_type]
+ })
self.vapi.ipsec_select_backend(
protocol=self.vpp_ah_protocol, index=0)
diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py
index d8527a3d6c1..3ab0e73ff74 100644
--- a/test/test_ipsec_tun_if_esp.py
+++ b/test/test_ipsec_tun_if_esp.py
@@ -64,13 +64,15 @@ def config_tra_params(p, encryption_type, tun_if):
crypt_algo=p.crypt_algo,
crypt_key=crypt_key,
auth_algo=p.auth_algo, auth_key=p.auth_key,
- esn_en=esn_en)
+ esn_en=esn_en,
+ nat_t_header=p.nat_header)
p.vpp_tun_sa = SecurityAssociation(
encryption_type, spi=p.scapy_tun_spi,
crypt_algo=p.crypt_algo,
crypt_key=crypt_key,
auth_algo=p.auth_algo, auth_key=p.auth_key,
- esn_en=esn_en)
+ esn_en=esn_en,
+ nat_t_header=p.nat_header)
class TemplateIpsec4TunIfEsp(TemplateIpsec):
@@ -1060,6 +1062,127 @@ class TestIpsecGreTebIfEspTra(TemplateIpsec,
super(TestIpsecGreTebIfEspTra, self).tearDown()
+class TestIpsecGreTebUdpIfEspTra(TemplateIpsec,
+ IpsecTun4Tests):
+ """ Ipsec GRE TEB UDP ESP - Tra tests """
+ tun4_encrypt_node_name = "esp4-encrypt-tun"
+ tun4_decrypt_node_name = "esp4-decrypt-tun"
+ encryption_type = ESP
+ omac = "00:11:22:33:44:55"
+
+ def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1,
+ payload_size=100):
+ return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
+ sa.encrypt(IP(src=self.pg0.remote_ip4,
+ dst=self.pg0.local_ip4) /
+ GRE() /
+ Ether(dst=self.omac) /
+ IP(src="1.1.1.1", dst="1.1.1.2") /
+ UDP(sport=1144, dport=2233) /
+ Raw(b'X' * payload_size))
+ for i in range(count)]
+
+ def gen_pkts(self, sw_intf, src, dst, count=1,
+ payload_size=100):
+ return [Ether(dst=self.omac) /
+ IP(src="1.1.1.1", dst="1.1.1.2") /
+ UDP(sport=1144, dport=2233) /
+ Raw(b'X' * payload_size)
+ for i in range(count)]
+
+ def verify_decrypted(self, p, rxs):
+ for rx in rxs:
+ self.assert_equal(rx[Ether].dst, self.omac)
+ self.assert_equal(rx[IP].dst, "1.1.1.2")
+
+ def verify_encrypted(self, p, sa, rxs):
+ for rx in rxs:
+ self.assertTrue(rx.haslayer(UDP))
+ self.assertEqual(rx[UDP].dport, 4545)
+ self.assertEqual(rx[UDP].sport, 5454)
+ try:
+ pkt = sa.decrypt(rx[IP])
+ if not pkt.haslayer(IP):
+ pkt = IP(pkt[Raw].load)
+ self.assert_packet_checksums_valid(pkt)
+ self.assert_equal(pkt[IP].dst, self.pg0.remote_ip4)
+ self.assert_equal(pkt[IP].src, self.pg0.local_ip4)
+ self.assertTrue(pkt.haslayer(GRE))
+ e = pkt[Ether]
+ self.assertEqual(e[Ether].dst, self.omac)
+ self.assertEqual(e[IP].dst, "1.1.1.2")
+ except (IndexError, AssertionError):
+ self.logger.debug(ppp("Unexpected packet:", rx))
+ try:
+ self.logger.debug(ppp("Decrypted packet:", pkt))
+ except:
+ pass
+ raise
+
+ def setUp(self):
+ super(TestIpsecGreTebUdpIfEspTra, self).setUp()
+
+ self.tun_if = self.pg0
+
+ p = self.ipv4_params
+ p = self.ipv4_params
+ p.flags = (VppEnum.vl_api_ipsec_sad_flags_t.
+ IPSEC_API_SAD_FLAG_UDP_ENCAP)
+ p.nat_header = UDP(sport=5454, dport=4545)
+
+ bd1 = VppBridgeDomain(self, 1)
+ bd1.add_vpp_config()
+
+ p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
+ p.auth_algo_vpp_id, p.auth_key,
+ p.crypt_algo_vpp_id, p.crypt_key,
+ self.vpp_esp_protocol,
+ flags=p.flags,
+ udp_src=5454,
+ udp_dst=4545)
+ p.tun_sa_out.add_vpp_config()
+
+ p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
+ p.auth_algo_vpp_id, p.auth_key,
+ p.crypt_algo_vpp_id, p.crypt_key,
+ self.vpp_esp_protocol,
+ flags=(p.flags |
+ VppEnum.vl_api_ipsec_sad_flags_t.
+ IPSEC_API_SAD_FLAG_IS_INBOUND),
+ udp_src=5454,
+ udp_dst=4545)
+ p.tun_sa_in.add_vpp_config()
+
+ p.tun_if = VppGreInterface(self,
+ self.pg0.local_ip4,
+ self.pg0.remote_ip4,
+ type=(VppEnum.vl_api_gre_tunnel_type_t.
+ GRE_API_TUNNEL_TYPE_TEB))
+ p.tun_if.add_vpp_config()
+
+ p.tun_protect = VppIpsecTunProtect(self,
+ p.tun_if,
+ p.tun_sa_out,
+ [p.tun_sa_in])
+
+ p.tun_protect.add_vpp_config()
+
+ p.tun_if.admin_up()
+ p.tun_if.config_ip4()
+ config_tra_params(p, self.encryption_type, p.tun_if)
+
+ VppBridgeDomainPort(self, bd1, p.tun_if).add_vpp_config()
+ VppBridgeDomainPort(self, bd1, self.pg1).add_vpp_config()
+
+ self.vapi.cli("clear ipsec sa")
+ self.logger.info(self.vapi.cli("sh ipsec sa 0"))
+
+ def tearDown(self):
+ p = self.ipv4_params
+ p.tun_if.unconfig_ip4()
+ super(TestIpsecGreTebUdpIfEspTra, self).tearDown()
+
+
class TestIpsecGreIfEsp(TemplateIpsec,
IpsecTun4Tests):
""" Ipsec GRE ESP - TUN tests """
@@ -1799,7 +1922,7 @@ class TestIpsec4TunProtectUdp(TemplateIpsec,
p = self.ipv4_params
p.flags = (VppEnum.vl_api_ipsec_sad_flags_t.
IPSEC_API_SAD_FLAG_UDP_ENCAP)
- p.nat_header = UDP(sport=5454, dport=4500)
+ p.nat_header = UDP(sport=4500, dport=4500)
self.config_network(p)
self.config_sa_tra(p)
self.config_protect(p)
@@ -1811,6 +1934,13 @@ class TestIpsec4TunProtectUdp(TemplateIpsec,
self.unconfig_network(p)
super(TestIpsec4TunProtectUdp, self).tearDown()
+ def verify_encrypted(self, p, sa, rxs):
+ # ensure encrypted packets are recieved with the default UDP ports
+ for rx in rxs:
+ self.assertEqual(rx[UDP].sport, 4500)
+ self.assertEqual(rx[UDP].dport, 4500)
+ super(TestIpsec4TunProtectUdp, self).verify_encrypted(p, sa, rxs)
+
def test_tun_44(self):
"""IPSEC UDP tunnel protect"""
diff --git a/test/vpp_ipsec.py b/test/vpp_ipsec.py
index 268fe687876..985f6d4dc4e 100644
--- a/test/vpp_ipsec.py
+++ b/test/vpp_ipsec.py
@@ -184,12 +184,15 @@ class VppIpsecSA(VppObject):
VPP SAD Entry
"""
+ DEFAULT_UDP_PORT = 4500
+
def __init__(self, test, id, spi,
integ_alg, integ_key,
crypto_alg, crypto_key,
proto,
tun_src=None, tun_dst=None,
- flags=None, salt=0):
+ flags=None, salt=0, udp_src=None,
+ udp_dst=None):
e = VppEnum.vl_api_ipsec_sad_flags_t
self.test = test
self.id = id
@@ -214,44 +217,87 @@ class VppIpsecSA(VppObject):
self.flags = self.flags | e.IPSEC_API_SAD_FLAG_IS_TUNNEL_V6
if (tun_dst):
self.tun_dst = ip_address(text_type(tun_dst))
+ self.udp_src = udp_src
+ self.udp_dst = udp_dst
def add_vpp_config(self):
- r = self.test.vapi.ipsec_sad_entry_add_del(
- self.id,
- self.spi,
- self.integ_alg,
- self.integ_key,
- self.crypto_alg,
- self.crypto_key,
- self.proto,
- (self.tun_src if self.tun_src else []),
- (self.tun_dst if self.tun_dst else []),
- flags=self.flags,
- salt=self.salt)
+ entry = {
+ 'sad_id': self.id,
+ 'spi': self.spi,
+ 'integrity_algorithm': self.integ_alg,
+ 'integrity_key': {
+ 'length': len(self.integ_key),
+ 'data': self.integ_key,
+ },
+ 'crypto_algorithm': self.crypto_alg,
+ 'crypto_key': {
+ 'data': self.crypto_key,
+ 'length': len(self.crypto_key),
+ },
+ 'protocol': self.proto,
+ 'tunnel_src': (self.tun_src if self.tun_src else []),
+ 'tunnel_dst': (self.tun_dst if self.tun_dst else []),
+ 'flags': self.flags,
+ 'salt': self.salt
+ }
+ # don't explicitly send the defaults, let papi fill them in
+ if self.udp_src:
+ entry['udp_src_port'] = self.udp_src
+ if self.udp_dst:
+ entry['udp_dst_port'] = self.udp_dst
+ r = self.test.vapi.ipsec_sad_entry_add_del(is_add=1, entry=entry)
self.stat_index = r.stat_index
self.test.registry.register(self, self.test.logger)
def remove_vpp_config(self):
- self.test.vapi.ipsec_sad_entry_add_del(
- self.id,
- self.spi,
- self.integ_alg,
- self.integ_key,
- self.crypto_alg,
- self.crypto_key,
- self.proto,
- (self.tun_src if self.tun_src else []),
- (self.tun_dst if self.tun_dst else []),
- flags=self.flags,
- is_add=0)
+ r = self.test.vapi.ipsec_sad_entry_add_del(
+ is_add=0,
+ entry={
+ 'sad_id': self.id,
+ 'spi': self.spi,
+ 'integrity_algorithm': self.integ_alg,
+ 'integrity_key': {
+ 'length': len(self.integ_key),
+ 'data': self.integ_key,
+ },
+ 'crypto_algorithm': self.crypto_alg,
+ 'crypto_key': {
+ 'data': self.crypto_key,
+ 'length': len(self.crypto_key),
+ },
+ 'protocol': self.proto,
+ 'tunnel_src': (self.tun_src if self.tun_src else []),
+ 'tunnel_dst': (self.tun_dst if self.tun_dst else []),
+ 'flags': self.flags,
+ 'salt': self.salt
+ })
def object_id(self):
return "ipsec-sa-%d" % self.id
def query_vpp_config(self):
+ e = VppEnum.vl_api_ipsec_sad_flags_t
+
bs = self.test.vapi.ipsec_sa_dump()
for b in bs:
if b.entry.sad_id == self.id:
+ # if udp encap is configured then the ports should match
+ # those configured or the default
+ if (self.flags & e.IPSEC_API_SAD_FLAG_UDP_ENCAP):
+ if not b.entry.flags & e.IPSEC_API_SAD_FLAG_UDP_ENCAP:
+ return False
+ if self.udp_src:
+ if self.udp_src != b.entry.udp_src_port:
+ return False
+ else:
+ if self.DEFAULT_UDP_PORT != b.entry.udp_src_port:
+ return False
+ if self.udp_dst:
+ if self.udp_dst != b.entry.udp_dst_port:
+ return False
+ else:
+ if self.DEFAULT_UDP_PORT != b.entry.udp_dst_port:
+ return False
return True
return False
diff --git a/test/vpp_papi_provider.py b/test/vpp_papi_provider.py
index 73544125a7c..ec2f222b540 100644
--- a/test/vpp_papi_provider.py
+++ b/test/vpp_papi_provider.py
@@ -53,7 +53,6 @@ defaultmapping = {
'ip_punt_redirect': {'is_add': 1, },
'ip_route_add_del': {'is_add': 1, },
'ipsec_interface_add_del_spd': {'is_add': 1, },
- 'ipsec_sad_entry_add_del': {'is_add': 1, },
'ipsec_spd_add_del': {'is_add': 1, },
'ipsec_spd_dump': {'sa_id': 4294967295, },
'ipsec_spd_entry_add_del': {'local_port_stop': 65535,
@@ -947,60 +946,6 @@ class VppPapiProvider(object):
{'spd_index': spd_index if spd_index else 0,
'spd_index_valid': 1 if spd_index else 0})
- def ipsec_sad_entry_add_del(self,
- sad_id,
- spi,
- integrity_algorithm,
- integrity_key,
- crypto_algorithm,
- crypto_key,
- protocol,
- tunnel_src_address='',
- tunnel_dst_address='',
- flags=0,
- salt=0,
- is_add=1):
- """ IPSEC SA add/del
- :param sad_id: security association ID
- :param spi: security param index of the SA in decimal
- :param integrity_algorithm:
- :param integrity_key:
- :param crypto_algorithm:
- :param crypto_key:
- :param protocol: AH(0) or ESP(1) protocol
- :param tunnel_src_address: tunnel mode outer src address
- :param tunnel_dst_address: tunnel mode outer dst address
- :param is_add:
- :param is_tunnel:
- :** reference /vpp/src/vnet/ipsec/ipsec.h file for enum values of
- crypto and ipsec algorithms
- """
- return self.api(
- self.papi.ipsec_sad_entry_add_del,
- {
- 'is_add': is_add,
- 'entry':
- {
- 'sad_id': sad_id,
- 'spi': spi,
- 'tunnel_src': tunnel_src_address,
- 'tunnel_dst': tunnel_dst_address,
- 'protocol': protocol,
- 'integrity_algorithm': integrity_algorithm,
- 'integrity_key': {
- 'length': len(integrity_key),
- 'data': integrity_key,
- },
- 'crypto_algorithm': crypto_algorithm,
- 'crypto_key': {
- 'length': len(crypto_key),
- 'data': crypto_key,
- },
- 'flags': flags,
- 'salt': salt,
- }
- })
-
def ipsec_sa_dump(self, sa_id=None):
return self.api(self.papi.ipsec_sa_dump,
{'sa_id': sa_id if sa_id else 0xffffffff})