diff options
Diffstat (limited to 'test')
-rw-r--r-- | test/bfd.py | 11 | ||||
-rwxr-xr-x | test/discover_tests.py | 2 | ||||
-rw-r--r-- | test/framework.py | 19 | ||||
-rw-r--r-- | test/template_ipsec.py | 208 | ||||
-rw-r--r-- | test/test_ipsec_ah.py | 287 | ||||
-rw-r--r-- | test/test_ipsec_esp.py | 404 | ||||
-rw-r--r-- | test/test_ipsec_nat.py | 8 | ||||
-rw-r--r-- | test/test_ipsec_tun_if_esp.py | 52 | ||||
-rw-r--r-- | test/vpp_interface.py | 4 | ||||
-rw-r--r-- | test/vpp_ipsec_tun_interface.py | 43 | ||||
-rw-r--r-- | test/vpp_papi_provider.py | 132 | ||||
-rw-r--r-- | test/vpp_pg_interface.py | 6 | ||||
-rw-r--r-- | test/vpp_tunnel_interface.py | 32 |
13 files changed, 574 insertions, 634 deletions
diff --git a/test/bfd.py b/test/bfd.py index d99bbf6165c..452a1804988 100644 --- a/test/bfd.py +++ b/test/bfd.py @@ -35,6 +35,9 @@ class BFDDiagCode(NumericConstant): reverse_concatenated_path_down: "Reverse Concatenated Path Down", } + def __init__(self, value): + NumericConstant.__init__(self, value) + class BFDState(NumericConstant): """ BFD State """ @@ -50,6 +53,9 @@ class BFDState(NumericConstant): up: "Up", } + def __init__(self, value): + NumericConstant.__init__(self, value) + class BFDAuthType(NumericConstant): """ BFD Authentication Type """ @@ -69,6 +75,9 @@ class BFDAuthType(NumericConstant): meticulous_keyed_sha1: "Meticulous Keyed SHA1", } + def __init__(self, value): + NumericConstant.__init__(self, value) + def bfd_is_auth_used(pkt): """ is packet authenticated? """ @@ -139,7 +148,6 @@ class BFD(Packet): return self.sprintf("BFD(my_disc=%BFD.my_discriminator%," "your_disc=%BFD.your_discriminator%)") - # glue the BFD packet class to scapy parser bind_layers(UDP, BFD, dport=BFD.udp_dport) @@ -161,7 +169,6 @@ class BFD_vpp_echo(Packet): "BFD_VPP_ECHO(disc=%BFD_VPP_ECHO.discriminator%," "expire_time_clocks=%BFD_VPP_ECHO.expire_time_clocks%)") - # glue the BFD echo packet class to scapy parser bind_layers(UDP, BFD_vpp_echo, dport=BFD_vpp_echo.udp_dport) diff --git a/test/discover_tests.py b/test/discover_tests.py index 99016e2845e..eea594107b6 100755 --- a/test/discover_tests.py +++ b/test/discover_tests.py @@ -30,7 +30,7 @@ def discover_tests(directory, callback): continue if not issubclass(cls, unittest.TestCase): continue - if name == "VppTestCase" or name.startswith("Template"): + if name == "VppTestCase": continue for method in dir(cls): if not callable(getattr(cls, method)): diff --git a/test/framework.py b/test/framework.py index be8c209f4ea..f90197b9b6f 100644 --- a/test/framework.py +++ b/test/framework.py @@ -25,7 +25,6 @@ from vpp_papi_provider import VppPapiProvider from log import RED, GREEN, YELLOW, double_line_delim, single_line_delim, \ getLogger, colorize from vpp_object import VppObjectRegistry -from util import ppp from scapy.layers.inet import IPerror, TCPerror, UDPerror, ICMPerror from scapy.layers.inet6 import ICMPv6DestUnreach, ICMPv6EchoRequest from scapy.layers.inet6 import ICMPv6EchoReply @@ -736,14 +735,11 @@ class VppTestCase(unittest.TestCase): def assert_packet_checksums_valid(self, packet, ignore_zero_udp_checksums=True): - received = packet.__class__(str(packet)) - self.logger.debug( - ppp("Verifying packet checksums for packet:", received)) udp_layers = ['UDP', 'UDPerror'] checksum_fields = ['cksum', 'chksum'] checksums = [] counter = 0 - temp = received.__class__(str(received)) + temp = packet.__class__(str(packet)) while True: layer = temp.getlayer(counter) if layer: @@ -758,17 +754,12 @@ class VppTestCase(unittest.TestCase): else: break counter = counter + 1 - if 0 == len(checksums): - return temp = temp.__class__(str(temp)) for layer, cf in checksums: - calc_sum = getattr(temp[layer], cf) - self.assert_equal( - getattr(received[layer], cf), calc_sum, - "packet checksum on layer #%d: %s" % (layer, temp[layer].name)) - self.logger.debug( - "Checksum field `%s` on `%s` layer has correct value `%s`" % - (cf, temp[layer].name, calc_sum)) + self.assert_equal(getattr(packet[layer], cf), + getattr(temp[layer], cf), + "packet checksum on layer #%d: %s" % ( + layer, temp[layer].name)) def assert_checksum_valid(self, received_packet, layer, field_name='chksum', diff --git a/test/template_ipsec.py b/test/template_ipsec.py deleted file mode 100644 index 9d95185cb9e..00000000000 --- a/test/template_ipsec.py +++ /dev/null @@ -1,208 +0,0 @@ -import unittest - -from scapy.layers.inet import IP, ICMP, TCP -from scapy.layers.ipsec import SecurityAssociation -from scapy.layers.l2 import Ether, Raw - -from framework import VppTestCase, VppTestRunner -from util import ppp - - -class TemplateIpsec(VppTestCase): - """ - TRANSPORT MODE: - - ------ encrypt --- - |tra_if| <-------> |VPP| - ------ decrypt --- - - TUNNEL MODE: - - ------ encrypt --- plain --- - |tun_if| <------- |VPP| <------ |pg1| - ------ --- --- - - ------ decrypt --- plain --- - |tun_if| -------> |VPP| ------> |pg1| - ------ --- --- - """ - - remote_tun_if_host = '1.1.1.1' - payload = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" - - tun_spd_id = 1 - scapy_tun_sa_id = 10 - scapy_tun_spi = 1001 - vpp_tun_sa_id = 20 - vpp_tun_spi = 1000 - - tra_spd_id = 2 - scapy_tra_sa_id = 30 - scapy_tra_spi = 2001 - vpp_tra_sa_id = 40 - vpp_tra_spi = 2000 - - vpp_esp_protocol = 1 - vpp_ah_protocol = 0 - - auth_algo_vpp_id = 2 # internal VPP enum value for SHA1_96 - auth_algo = 'HMAC-SHA1-96' # scapy name - auth_key = 'C91KUR9GYMm5GfkEvNjX' - - crypt_algo_vpp_id = 1 # internal VPP enum value for AES_CBC_128 - crypt_algo = 'AES-CBC' # scapy name - crypt_key = 'JPjyOWBeVEQiMe7h' - - @classmethod - def setUpClass(cls): - super(TemplateIpsec, cls).setUpClass() - cls.create_pg_interfaces(range(3)) - cls.interfaces = list(cls.pg_interfaces) - for i in cls.interfaces: - i.admin_up() - i.config_ip4() - i.resolve_arp() - - def tearDown(self): - super(TemplateIpsec, self).tearDown() - if not self.vpp_dead: - self.vapi.cli("show hardware") - - def send_and_expect(self, input, pkts, output, count=1): - input.add_stream(pkts) - self.pg_enable_capture(self.pg_interfaces) - self.pg_start() - rx = output.get_capture(count) - return rx - - def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1): - return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / - sa.encrypt(IP(src=src, dst=dst) / ICMP() / self.payload) - for i in range(count)] - - def gen_pkts(self, sw_intf, src, dst, count=1): - return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / - IP(src=src, dst=dst) / ICMP() / self.payload - for i in range(count)] - - def configure_sa_tun(self): - scapy_tun_sa = SecurityAssociation(self.encryption_type, - spi=self.vpp_tun_spi, - crypt_algo=self.crypt_algo, - crypt_key=self.crypt_key, - auth_algo=self.auth_algo, - auth_key=self.auth_key, - tunnel_header=IP( - src=self.tun_if.remote_ip4, - dst=self.tun_if.local_ip4)) - vpp_tun_sa = SecurityAssociation(self.encryption_type, - spi=self.scapy_tun_spi, - crypt_algo=self.crypt_algo, - crypt_key=self.crypt_key, - auth_algo=self.auth_algo, - auth_key=self.auth_key, - tunnel_header=IP( - dst=self.tun_if.remote_ip4, - src=self.tun_if.local_ip4)) - return vpp_tun_sa, scapy_tun_sa - - def configure_sa_tra(self): - scapy_tra_sa = SecurityAssociation(self.encryption_type, - spi=self.vpp_tra_spi, - crypt_algo=self.crypt_algo, - crypt_key=self.crypt_key, - auth_algo=self.auth_algo, - auth_key=self.auth_key) - vpp_tra_sa = SecurityAssociation(self.encryption_type, - spi=self.scapy_tra_spi, - crypt_algo=self.crypt_algo, - crypt_key=self.crypt_key, - auth_algo=self.auth_algo, - auth_key=self.auth_key) - return vpp_tra_sa, scapy_tra_sa - - -class IpsecTcpTests(object): - def test_tcp_checksum(self): - """ verify checksum correctness for vpp generated packets """ - self.vapi.cli("test http server") - vpp_tun_sa, scapy_tun_sa = self.configure_sa_tun() - send = (Ether(src=self.tun_if.remote_mac, dst=self.tun_if.local_mac) / - scapy_tun_sa.encrypt(IP(src=self.remote_tun_if_host, - dst=self.tun_if.local_ip4) / - TCP(flags='S', dport=80))) - self.logger.debug(ppp("Sending packet:", send)) - recv = self.send_and_expect(self.tun_if, [send], self.tun_if, 1) - recv = recv[0] - decrypted = vpp_tun_sa.decrypt(recv[IP]) - self.assert_packet_checksums_valid(decrypted) - - -class IpsecTraTests(object): - def test_tra_basic(self, count=1): - """ ipsec v4 transport basic test """ - try: - vpp_tra_sa, scapy_tra_sa = self.configure_sa_tra() - send_pkts = self.gen_encrypt_pkts(scapy_tra_sa, self.tra_if, - src=self.tra_if.remote_ip4, - dst=self.tra_if.local_ip4, - count=count) - recv_pkts = self.send_and_expect(self.tra_if, send_pkts, - self.tra_if, count=count) - for p in recv_pkts: - decrypted = vpp_tra_sa.decrypt(p[IP]) - self.assert_packet_checksums_valid(decrypted) - finally: - self.logger.info(self.vapi.ppcli("show error")) - self.logger.info(self.vapi.ppcli("show ipsec")) - - def test_tra_burst(self): - """ ipsec v4 transport burst test """ - try: - self.test_tra_basic(count=257) - finally: - self.logger.info(self.vapi.ppcli("show error")) - self.logger.info(self.vapi.ppcli("show ipsec")) - - -class IpsecTunTests(object): - def test_tun_basic(self, count=1): - """ ipsec 4o4 tunnel basic test """ - try: - vpp_tun_sa, scapy_tun_sa = self.configure_sa_tun() - send_pkts = self.gen_encrypt_pkts(scapy_tun_sa, self.tun_if, - src=self.remote_tun_if_host, - dst=self.pg1.remote_ip4, - count=count) - recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1, - count=count) - for recv_pkt in recv_pkts: - self.assert_equal(recv_pkt[IP].src, self.remote_tun_if_host) - self.assert_equal(recv_pkt[IP].dst, self.pg1.remote_ip4) - self.assert_packet_checksums_valid(recv_pkt) - send_pkts = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4, - dst=self.remote_tun_if_host, count=count) - recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.tun_if, - count=count) - for recv_pkt in recv_pkts: - decrypt_pkt = vpp_tun_sa.decrypt(recv_pkt[IP]) - if not decrypt_pkt.haslayer(IP): - decrypt_pkt = IP(decrypt_pkt[Raw].load) - self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip4) - self.assert_equal(decrypt_pkt.dst, self.remote_tun_if_host) - self.assert_packet_checksums_valid(decrypt_pkt) - finally: - self.logger.info(self.vapi.ppcli("show error")) - self.logger.info(self.vapi.ppcli("show ipsec")) - - def test_tun_burst(self): - """ ipsec 4o4 tunnel burst test """ - try: - self.test_tun_basic(count=257) - finally: - self.logger.info(self.vapi.ppcli("show error")) - self.logger.info(self.vapi.ppcli("show ipsec")) - - -if __name__ == '__main__': - unittest.main(testRunner=VppTestRunner) diff --git a/test/test_ipsec_ah.py b/test/test_ipsec_ah.py index 729f8716d03..d173b2e3b23 100644 --- a/test/test_ipsec_ah.py +++ b/test/test_ipsec_ah.py @@ -1,14 +1,14 @@ import socket import unittest -from scapy.layers.ipsec import AH +from scapy.layers.inet import IP, ICMP +from scapy.layers.l2 import Ether, Raw +from scapy.layers.ipsec import SecurityAssociation, AH -from framework import VppTestRunner -from template_ipsec import TemplateIpsec, IpsecTraTests, IpsecTunTests -from template_ipsec import IpsecTcpTests +from framework import VppTestCase, VppTestRunner -class TemplateIpsecAh(TemplateIpsec): +class TestIpsecAh(VppTestCase): """ Basic test for IPSEC using AH transport and Tunnel mode @@ -41,123 +41,214 @@ class TemplateIpsecAh(TemplateIpsec): Note : IPv6 is not covered """ - encryption_type = AH + remote_pg0_lb_addr = '1.1.1.1' + remote_pg1_lb_addr = '2.2.2.2' + payload = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" @classmethod def setUpClass(cls): - super(TemplateIpsecAh, cls).setUpClass() - cls.tun_if = cls.pg0 - cls.tra_if = cls.pg2 - cls.logger.info(cls.vapi.ppcli("show int addr")) - cls.config_ah_tra() - cls.logger.info(cls.vapi.ppcli("show ipsec")) - cls.config_ah_tun() - cls.logger.info(cls.vapi.ppcli("show ipsec")) - src4 = socket.inet_pton(socket.AF_INET, cls.remote_tun_if_host) - cls.vapi.ip_add_del_route(src4, 32, cls.tun_if.remote_ip4n) + super(TestIpsecAh, cls).setUpClass() + try: + cls.create_pg_interfaces(range(3)) + cls.interfaces = list(cls.pg_interfaces) + for i in cls.interfaces: + i.admin_up() + i.config_ip4() + i.resolve_arp() + cls.logger.info(cls.vapi.ppcli("show int addr")) + cls.config_ah_tra() + cls.logger.info(cls.vapi.ppcli("show ipsec")) + cls.config_ah_tun() + cls.logger.info(cls.vapi.ppcli("show ipsec")) + except Exception: + super(TestIpsecAh, cls).tearDownClass() + raise @classmethod def config_ah_tun(cls): - cls.vapi.ipsec_sad_add_del_entry(cls.scapy_tun_sa_id, - cls.scapy_tun_spi, - cls.auth_algo_vpp_id, cls.auth_key, - cls.crypt_algo_vpp_id, - cls.crypt_key, cls.vpp_ah_protocol, - cls.tun_if.local_ip4n, - cls.tun_if.remote_ip4n) - cls.vapi.ipsec_sad_add_del_entry(cls.vpp_tun_sa_id, - cls.vpp_tun_spi, - cls.auth_algo_vpp_id, cls.auth_key, - cls.crypt_algo_vpp_id, - cls.crypt_key, cls.vpp_ah_protocol, - cls.tun_if.remote_ip4n, - cls.tun_if.local_ip4n) - cls.vapi.ipsec_spd_add_del(cls.tun_spd_id) - cls.vapi.ipsec_interface_add_del_spd(cls.tun_spd_id, - cls.tun_if.sw_if_index) + spd_id = 1 + remote_sa_id = 10 + local_sa_id = 20 + remote_tun_spi = 1001 + local_tun_spi = 1000 + src4 = socket.inet_pton(socket.AF_INET, cls.remote_pg0_lb_addr) + cls.vapi.ip_add_del_route(src4, 32, cls.pg0.remote_ip4n) + dst4 = socket.inet_pton(socket.AF_INET, cls.remote_pg1_lb_addr) + cls.vapi.ip_add_del_route(dst4, 32, cls.pg1.remote_ip4n) + cls.vapi.ipsec_sad_add_del_entry(remote_sa_id, remote_tun_spi, + cls.pg0.local_ip4n, + cls.pg0.remote_ip4n, + integrity_key_length=20) + cls.vapi.ipsec_sad_add_del_entry(local_sa_id, local_tun_spi, + cls.pg0.remote_ip4n, + cls.pg0.local_ip4n, + integrity_key_length=20) + cls.vapi.ipsec_spd_add_del(spd_id) + cls.vapi.ipsec_interface_add_del_spd(spd_id, cls.pg0.sw_if_index) l_startaddr = r_startaddr = socket.inet_pton(socket.AF_INET, "0.0.0.0") l_stopaddr = r_stopaddr = socket.inet_pton(socket.AF_INET, "255.255.255.255") - cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.vpp_tun_sa_id, - l_startaddr, l_stopaddr, r_startaddr, - r_stopaddr, + cls.vapi.ipsec_spd_add_del_entry(spd_id, l_startaddr, l_stopaddr, + r_startaddr, r_stopaddr, protocol=socket.IPPROTO_AH) - cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.vpp_tun_sa_id, - l_startaddr, l_stopaddr, r_startaddr, - r_stopaddr, is_outbound=0, - protocol=socket.IPPROTO_AH) - l_startaddr = l_stopaddr = socket.inet_pton(socket.AF_INET, - cls.remote_tun_if_host) - r_startaddr = r_stopaddr = cls.pg1.remote_ip4n - cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.vpp_tun_sa_id, - l_startaddr, l_stopaddr, r_startaddr, - r_stopaddr, priority=10, policy=3, + cls.vapi.ipsec_spd_add_del_entry(spd_id, l_startaddr, l_stopaddr, + r_startaddr, r_stopaddr, + protocol=socket.IPPROTO_AH, is_outbound=0) - cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id, - r_startaddr, r_stopaddr, l_startaddr, - l_stopaddr, priority=10, policy=3) - r_startaddr = r_stopaddr = cls.pg0.local_ip4n - cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.vpp_tun_sa_id, - l_startaddr, l_stopaddr, r_startaddr, - r_stopaddr, priority=20, policy=3, - is_outbound=0) - cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id, - r_startaddr, r_stopaddr, l_startaddr, - l_stopaddr, priority=20, policy=3) + l_startaddr = l_stopaddr = socket.inet_pton(socket.AF_INET, + cls.remote_pg0_lb_addr) + r_startaddr = r_stopaddr = socket.inet_pton(socket.AF_INET, + cls.remote_pg1_lb_addr) + cls.vapi.ipsec_spd_add_del_entry(spd_id, l_startaddr, l_stopaddr, + r_startaddr, r_stopaddr, + priority=10, policy=3, + is_outbound=0, sa_id=local_sa_id) + cls.vapi.ipsec_spd_add_del_entry(spd_id, r_startaddr, r_stopaddr, + l_startaddr, l_stopaddr, priority=10, + policy=3, sa_id=remote_sa_id) @classmethod def config_ah_tra(cls): - cls.vapi.ipsec_sad_add_del_entry(cls.scapy_tra_sa_id, - cls.scapy_tra_spi, - cls.auth_algo_vpp_id, cls.auth_key, - cls.crypt_algo_vpp_id, - cls.crypt_key, cls.vpp_ah_protocol, - is_tunnel=0) - cls.vapi.ipsec_sad_add_del_entry(cls.vpp_tra_sa_id, - cls.vpp_tra_spi, - cls.auth_algo_vpp_id, cls.auth_key, - cls.crypt_algo_vpp_id, - cls.crypt_key, cls.vpp_ah_protocol, - is_tunnel=0) - cls.vapi.ipsec_spd_add_del(cls.tra_spd_id) - cls.vapi.ipsec_interface_add_del_spd(cls.tra_spd_id, - cls.tra_if.sw_if_index) + spd_id = 2 + remote_sa_id = 30 + local_sa_id = 40 + remote_tra_spi = 2001 + local_tra_spi = 2000 + cls.vapi.ipsec_sad_add_del_entry(remote_sa_id, remote_tra_spi, + integrity_key_length=20, is_tunnel=0) + cls.vapi.ipsec_sad_add_del_entry(local_sa_id, local_tra_spi, + integrity_key_length=20, is_tunnel=0) + cls.vapi.ipsec_spd_add_del(spd_id) + cls.vapi.ipsec_interface_add_del_spd(spd_id, cls.pg2.sw_if_index) l_startaddr = r_startaddr = socket.inet_pton(socket.AF_INET, "0.0.0.0") l_stopaddr = r_stopaddr = socket.inet_pton(socket.AF_INET, "255.255.255.255") - cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.vpp_tra_sa_id, - l_startaddr, l_stopaddr, r_startaddr, - r_stopaddr, + cls.vapi.ipsec_spd_add_del_entry(spd_id, l_startaddr, l_stopaddr, + r_startaddr, r_stopaddr, protocol=socket.IPPROTO_AH) - cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.scapy_tra_sa_id, - l_startaddr, l_stopaddr, r_startaddr, - r_stopaddr, is_outbound=0, - protocol=socket.IPPROTO_AH) - l_startaddr = l_stopaddr = cls.tra_if.local_ip4n - r_startaddr = r_stopaddr = cls.tra_if.remote_ip4n - cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.vpp_tra_sa_id, - l_startaddr, l_stopaddr, r_startaddr, - r_stopaddr, priority=10, policy=3, + cls.vapi.ipsec_spd_add_del_entry(spd_id, l_startaddr, l_stopaddr, + r_startaddr, r_stopaddr, + protocol=socket.IPPROTO_AH, is_outbound=0) - cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.scapy_tra_sa_id, - l_startaddr, l_stopaddr, r_startaddr, - r_stopaddr, priority=10, - policy=3) + l_startaddr = l_stopaddr = cls.pg2.local_ip4n + r_startaddr = r_stopaddr = cls.pg2.remote_ip4n + cls.vapi.ipsec_spd_add_del_entry(spd_id, l_startaddr, l_stopaddr, + r_startaddr, r_stopaddr, + priority=10, policy=3, + is_outbound=0, sa_id=local_sa_id) + cls.vapi.ipsec_spd_add_del_entry(spd_id, l_startaddr, l_stopaddr, + r_startaddr, r_stopaddr, priority=10, + policy=3, sa_id=remote_sa_id) + + def configure_scapy_sa_tun(self): + remote_tun_sa = SecurityAssociation(AH, spi=0x000003e8, + auth_algo='HMAC-SHA1-96', + auth_key='C91KUR9GYMm5GfkEvNjX', + tunnel_header=IP( + src=self.pg0.remote_ip4, + dst=self.pg0.local_ip4)) + local_tun_sa = SecurityAssociation(AH, spi=0x000003e9, + auth_algo='HMAC-SHA1-96', + auth_key='C91KUR9GYMm5GfkEvNjX', + tunnel_header=IP( + dst=self.pg0.remote_ip4, + src=self.pg0.local_ip4)) + return local_tun_sa, remote_tun_sa + + def configure_scapy_sa_tra(self): + remote_tra_sa = SecurityAssociation(AH, spi=0x000007d0, + auth_algo='HMAC-SHA1-96', + auth_key='C91KUR9GYMm5GfkEvNjX') + local_tra_sa = SecurityAssociation(AH, spi=0x000007d1, + auth_algo='HMAC-SHA1-96', + auth_key='C91KUR9GYMm5GfkEvNjX') + return local_tra_sa, remote_tra_sa def tearDown(self): - super(TemplateIpsecAh, self).tearDown() + super(TestIpsecAh, self).tearDown() if not self.vpp_dead: self.vapi.cli("show hardware") - -class TestIpsecAh1(TemplateIpsecAh, IpsecTraTests, IpsecTunTests): - """ Ipsec AH - TUN & TRA tests """ - pass - - -class TestIpsecAh2(TemplateIpsecAh, IpsecTcpTests): - """ Ipsec AH - TCP tests """ - pass + def send_and_expect(self, input, pkts, output, count=1): + input.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + rx = output.get_capture(count) + return rx + + def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1): + return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / + sa.encrypt(IP(src=src, dst=dst) / ICMP() / self.payload) + ] * count + + def gen_pkts(self, sw_intf, src, dst, count=1): + return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / + IP(src=src, dst=dst) / ICMP() / self.payload + ] * count + + def test_ipsec_ah_tra_basic(self, count=1): + """ ipsec ah v4 transport basic test """ + try: + local_tra_sa, remote_tra_sa = self.configure_scapy_sa_tra() + send_pkts = self.gen_encrypt_pkts(remote_tra_sa, self.pg2, + src=self.pg2.remote_ip4, + dst=self.pg2.local_ip4, + count=count) + recv_pkts = self.send_and_expect(self.pg2, send_pkts, self.pg2, + count=count) + # ESP TRA VPP encryption/decryption verification + for Pkts in recv_pkts: + Pkts[AH].padding = Pkts[AH].icv[12:] + Pkts[AH].icv = Pkts[AH].icv[:12] + local_tra_sa.decrypt(Pkts[IP]) + finally: + self.logger.info(self.vapi.ppcli("show error")) + self.logger.info(self.vapi.ppcli("show ipsec")) + + def test_ipsec_ah_tra_burst(self): + """ ipsec ah v4 transport burst test """ + try: + self.test_ipsec_ah_tra_basic(count=257) + finally: + self.logger.info(self.vapi.ppcli("show error")) + self.logger.info(self.vapi.ppcli("show ipsec")) + + def test_ipsec_ah_tun_basic(self, count=1): + """ ipsec ah 4o4 tunnel basic test """ + try: + local_tun_sa, remote_tun_sa = self.configure_scapy_sa_tun() + send_pkts = self.gen_encrypt_pkts(remote_tun_sa, self.pg0, + src=self.remote_pg0_lb_addr, + dst=self.remote_pg1_lb_addr, + count=count) + recv_pkts = self.send_and_expect(self.pg0, send_pkts, self.pg1, + count=count) + # ESP TUN VPP decryption verification + for recv_pkt in recv_pkts: + self.assert_equal(recv_pkt[IP].src, self.remote_pg0_lb_addr) + self.assert_equal(recv_pkt[IP].dst, self.remote_pg1_lb_addr) + send_pkts = self.gen_pkts(self.pg1, src=self.remote_pg1_lb_addr, + dst=self.remote_pg0_lb_addr, + count=count) + recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.pg0, + count=count) + # ESP TUN VPP encryption verification + for recv_pkt in recv_pkts: + decrypt_pkt = local_tun_sa.decrypt(recv_pkt[IP]) + decrypt_pkt = IP(decrypt_pkt[Raw].load) + self.assert_equal(decrypt_pkt.src, self.remote_pg1_lb_addr) + self.assert_equal(decrypt_pkt.dst, self.remote_pg0_lb_addr) + finally: + self.logger.info(self.vapi.ppcli("show error")) + self.logger.info(self.vapi.ppcli("show ipsec")) + + def test_ipsec_ah_tun_burst(self): + """ ipsec ah 4o4 tunnel burst test """ + try: + self.test_ipsec_ah_tun_basic(count=257) + finally: + self.logger.info(self.vapi.ppcli("show error")) + self.logger.info(self.vapi.ppcli("show ipsec")) if __name__ == '__main__': diff --git a/test/test_ipsec_esp.py b/test/test_ipsec_esp.py index 58d159a7213..15ce4a96878 100644 --- a/test/test_ipsec_esp.py +++ b/test/test_ipsec_esp.py @@ -1,13 +1,14 @@ import socket import unittest -from scapy.layers.ipsec import ESP -from framework import VppTestRunner -from template_ipsec import IpsecTraTests, IpsecTunTests -from template_ipsec import TemplateIpsec, IpsecTcpTests +from scapy.layers.inet import IP, ICMP +from scapy.layers.l2 import Ether +from scapy.layers.ipsec import SecurityAssociation, ESP +from framework import VppTestCase, VppTestRunner -class TemplateIpsecEsp(TemplateIpsec): + +class TestIpsecEsp(VppTestCase): """ Basic test for ipsec esp sanity - tunnel and transport modes. @@ -40,121 +41,298 @@ class TemplateIpsecEsp(TemplateIpsec): Note : IPv6 is not covered """ - encryption_type = ESP + remote_pg0_lb_addr = '1.1.1.1' + remote_pg1_lb_addr = '2.2.2.2' @classmethod def setUpClass(cls): - super(TemplateIpsecEsp, cls).setUpClass() - cls.tun_if = cls.pg0 - cls.tra_if = cls.pg2 - cls.logger.info(cls.vapi.ppcli("show int addr")) - cls.config_esp_tra() - cls.logger.info(cls.vapi.ppcli("show ipsec")) - cls.config_esp_tun() - cls.logger.info(cls.vapi.ppcli("show ipsec")) - src4 = socket.inet_pton(socket.AF_INET, cls.remote_tun_if_host) - cls.vapi.ip_add_del_route(src4, 32, cls.tun_if.remote_ip4n) + super(TestIpsecEsp, cls).setUpClass() + try: + cls.create_pg_interfaces(range(3)) + cls.interfaces = list(cls.pg_interfaces) + for i in cls.interfaces: + i.admin_up() + i.config_ip4() + i.resolve_arp() + cls.logger.info(cls.vapi.ppcli("show int addr")) + cls.configEspTra() + cls.logger.info(cls.vapi.ppcli("show ipsec")) + cls.configEspTun() + cls.logger.info(cls.vapi.ppcli("show ipsec")) + except Exception: + super(TestIpsecEsp, cls).tearDownClass() + raise @classmethod - def config_esp_tun(cls): - cls.vapi.ipsec_sad_add_del_entry(cls.scapy_tun_sa_id, - cls.scapy_tun_spi, - cls.auth_algo_vpp_id, cls.auth_key, - cls.crypt_algo_vpp_id, - cls.crypt_key, cls.vpp_esp_protocol, - cls.tun_if.local_ip4n, - cls.tun_if.remote_ip4n) - cls.vapi.ipsec_sad_add_del_entry(cls.vpp_tun_sa_id, - cls.vpp_tun_spi, - cls.auth_algo_vpp_id, cls.auth_key, - cls.crypt_algo_vpp_id, - cls.crypt_key, cls.vpp_esp_protocol, - cls.tun_if.remote_ip4n, - cls.tun_if.local_ip4n) - cls.vapi.ipsec_spd_add_del(cls.tun_spd_id) - cls.vapi.ipsec_interface_add_del_spd(cls.tun_spd_id, - cls.tun_if.sw_if_index) - l_startaddr = r_startaddr = socket.inet_pton(socket.AF_INET, - "0.0.0.0") - l_stopaddr = r_stopaddr = socket.inet_pton(socket.AF_INET, - "255.255.255.255") - cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id, - l_startaddr, l_stopaddr, r_startaddr, - r_stopaddr, - protocol=socket.IPPROTO_ESP) - cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id, - l_startaddr, l_stopaddr, r_startaddr, - r_stopaddr, is_outbound=0, - protocol=socket.IPPROTO_ESP) - l_startaddr = l_stopaddr = socket.inet_pton(socket.AF_INET, - cls.remote_tun_if_host) - r_startaddr = r_stopaddr = cls.pg1.remote_ip4n - cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.vpp_tun_sa_id, - l_startaddr, l_stopaddr, r_startaddr, - r_stopaddr, priority=10, policy=3, - is_outbound=0) - cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id, - r_startaddr, r_stopaddr, l_startaddr, - l_stopaddr, priority=10, policy=3) - l_startaddr = l_stopaddr = socket.inet_pton(socket.AF_INET, - cls.remote_tun_if_host) - r_startaddr = r_stopaddr = cls.pg0.local_ip4n - cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.vpp_tun_sa_id, - l_startaddr, l_stopaddr, r_startaddr, - r_stopaddr, priority=20, policy=3, - is_outbound=0) - cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id, - r_startaddr, r_stopaddr, l_startaddr, - l_stopaddr, priority=20, policy=3) + def configEspTun(cls): + try: + spd_id = 1 + remote_sa_id = 10 + local_sa_id = 20 + remote_tun_spi = 1001 + local_tun_spi = 1000 + src4 = socket.inet_pton(socket.AF_INET, cls.remote_pg0_lb_addr) + cls.vapi.ip_add_del_route(src4, 32, cls.pg0.remote_ip4n) + dst4 = socket.inet_pton(socket.AF_INET, cls.remote_pg1_lb_addr) + cls.vapi.ip_add_del_route(dst4, 32, cls.pg1.remote_ip4n) + cls.vapi.ipsec_sad_add_del_entry( + remote_sa_id, + remote_tun_spi, + cls.pg0.local_ip4n, + cls.pg0.remote_ip4n, + integrity_key_length=20, + crypto_key_length=16, + protocol=1) + cls.vapi.ipsec_sad_add_del_entry( + local_sa_id, + local_tun_spi, + cls.pg0.remote_ip4n, + cls.pg0.local_ip4n, + integrity_key_length=20, + crypto_key_length=16, + protocol=1) + cls.vapi.ipsec_spd_add_del(spd_id) + cls.vapi.ipsec_interface_add_del_spd(spd_id, cls.pg0.sw_if_index) + l_startaddr = r_startaddr = socket.inet_pton( + socket.AF_INET, "0.0.0.0") + l_stopaddr = r_stopaddr = socket.inet_pton( + socket.AF_INET, "255.255.255.255") + cls.vapi.ipsec_spd_add_del_entry( + spd_id, + l_startaddr, + l_stopaddr, + r_startaddr, + r_stopaddr, + protocol=socket.IPPROTO_ESP) + cls.vapi.ipsec_spd_add_del_entry( + spd_id, + l_startaddr, + l_stopaddr, + r_startaddr, + r_stopaddr, + protocol=socket.IPPROTO_ESP, + is_outbound=0) + l_startaddr = l_stopaddr = socket.inet_pton( + socket.AF_INET, cls.remote_pg0_lb_addr) + r_startaddr = r_stopaddr = socket.inet_pton( + socket.AF_INET, cls.remote_pg1_lb_addr) + cls.vapi.ipsec_spd_add_del_entry( + spd_id, + l_startaddr, + l_stopaddr, + r_startaddr, + r_stopaddr, + priority=10, + policy=3, + is_outbound=0, + sa_id=local_sa_id) + cls.vapi.ipsec_spd_add_del_entry( + spd_id, + r_startaddr, + r_stopaddr, + l_startaddr, + l_stopaddr, + priority=10, + policy=3, + sa_id=remote_sa_id) + except Exception: + raise @classmethod - def config_esp_tra(cls): - cls.vapi.ipsec_sad_add_del_entry(cls.scapy_tra_sa_id, - cls.scapy_tra_spi, - cls.auth_algo_vpp_id, cls.auth_key, - cls.crypt_algo_vpp_id, - cls.crypt_key, cls.vpp_esp_protocol, - is_tunnel=0) - cls.vapi.ipsec_sad_add_del_entry(cls.vpp_tra_sa_id, - cls.vpp_tra_spi, - cls.auth_algo_vpp_id, cls.auth_key, - cls.crypt_algo_vpp_id, - cls.crypt_key, cls.vpp_esp_protocol, - is_tunnel=0) - cls.vapi.ipsec_spd_add_del(cls.tra_spd_id) - cls.vapi.ipsec_interface_add_del_spd(cls.tra_spd_id, - cls.tra_if.sw_if_index) - l_startaddr = r_startaddr = socket.inet_pton(socket.AF_INET, - "0.0.0.0") - l_stopaddr = r_stopaddr = socket.inet_pton(socket.AF_INET, - "255.255.255.255") - cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.vpp_tra_sa_id, - l_startaddr, l_stopaddr, r_startaddr, - r_stopaddr, - protocol=socket.IPPROTO_ESP) - cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.vpp_tra_sa_id, - l_startaddr, l_stopaddr, r_startaddr, - r_stopaddr, is_outbound=0, - protocol=socket.IPPROTO_ESP) - l_startaddr = l_stopaddr = cls.tra_if.local_ip4n - r_startaddr = r_stopaddr = cls.tra_if.remote_ip4n - cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.vpp_tra_sa_id, - l_startaddr, l_stopaddr, r_startaddr, - r_stopaddr, priority=10, policy=3, - is_outbound=0) - cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.scapy_tra_sa_id, - l_startaddr, l_stopaddr, r_startaddr, - r_stopaddr, priority=10, policy=3) - - -class TestIpsecEsp1(TemplateIpsecEsp, IpsecTraTests, IpsecTunTests): - """ Ipsec ESP - TUN & TRA tests """ - pass - - -class TestIpsecEsp2(TemplateIpsecEsp, IpsecTcpTests): - """ Ipsec ESP - TCP tests """ - pass + def configEspTra(cls): + try: + spd_id = 2 + remote_sa_id = 30 + local_sa_id = 40 + remote_tra_spi = 2001 + local_tra_spi = 2000 + cls.vapi.ipsec_sad_add_del_entry( + remote_sa_id, + remote_tra_spi, + integrity_key_length=20, + crypto_key_length=16, + protocol=1, + is_tunnel=0) + cls.vapi.ipsec_sad_add_del_entry( + local_sa_id, + local_tra_spi, + integrity_key_length=20, + crypto_key_length=16, + protocol=1, + is_tunnel=0) + cls.vapi.ipsec_spd_add_del(spd_id) + cls.vapi.ipsec_interface_add_del_spd(spd_id, cls.pg2.sw_if_index) + l_startaddr = r_startaddr = socket.inet_pton( + socket.AF_INET, "0.0.0.0") + l_stopaddr = r_stopaddr = socket.inet_pton( + socket.AF_INET, "255.255.255.255") + cls.vapi.ipsec_spd_add_del_entry( + spd_id, + l_startaddr, + l_stopaddr, + r_startaddr, + r_stopaddr, + protocol=socket.IPPROTO_ESP) + cls.vapi.ipsec_spd_add_del_entry( + spd_id, + l_startaddr, + l_stopaddr, + r_startaddr, + r_stopaddr, + protocol=socket.IPPROTO_ESP, + is_outbound=0) + l_startaddr = l_stopaddr = cls.pg2.local_ip4n + r_startaddr = r_stopaddr = cls.pg2.remote_ip4n + cls.vapi.ipsec_spd_add_del_entry( + spd_id, + l_startaddr, + l_stopaddr, + r_startaddr, + r_stopaddr, + priority=10, + policy=3, + is_outbound=0, + sa_id=local_sa_id) + cls.vapi.ipsec_spd_add_del_entry( + spd_id, + l_startaddr, + l_stopaddr, + r_startaddr, + r_stopaddr, + priority=10, + policy=3, + sa_id=remote_sa_id) + except Exception: + raise + + def configScapySA(self, is_tun=False): + if is_tun: + self.remote_tun_sa = SecurityAssociation( + ESP, + spi=0x000003e8, + crypt_algo='AES-CBC', + crypt_key='JPjyOWBeVEQiMe7h', + auth_algo='HMAC-SHA1-96', + auth_key='C91KUR9GYMm5GfkEvNjX', + tunnel_header=IP( + src=self.pg0.remote_ip4, + dst=self.pg0.local_ip4)) + self.local_tun_sa = SecurityAssociation( + ESP, + spi=0x000003e9, + crypt_algo='AES-CBC', + crypt_key='JPjyOWBeVEQiMe7h', + auth_algo='HMAC-SHA1-96', + auth_key='C91KUR9GYMm5GfkEvNjX', + tunnel_header=IP( + dst=self.pg0.remote_ip4, + src=self.pg0.local_ip4)) + else: + self.remote_tra_sa = SecurityAssociation( + ESP, + spi=0x000007d0, + crypt_algo='AES-CBC', + crypt_key='JPjyOWBeVEQiMe7h', + auth_algo='HMAC-SHA1-96', + auth_key='C91KUR9GYMm5GfkEvNjX') + self.local_tra_sa = SecurityAssociation( + ESP, + spi=0x000007d1, + crypt_algo='AES-CBC', + crypt_key='JPjyOWBeVEQiMe7h', + auth_algo='HMAC-SHA1-96', + auth_key='C91KUR9GYMm5GfkEvNjX') + + def tearDown(self): + super(TestIpsecEsp, self).tearDown() + if not self.vpp_dead: + self.vapi.cli("show hardware") + + def send_and_expect(self, input, pkts, output, count=1): + input.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + rx = output.get_capture(count) + return rx + + def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1): + return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / + sa.encrypt(IP(src=src, dst=dst) / ICMP() / + "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX") + ] * count + + def gen_pkts(self, sw_intf, src, dst, count=1): + return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / + IP(src=src, dst=dst) / ICMP() / + "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" + ] * count + + def test_ipsec_esp_tra_basic(self, count=1): + """ ipsec esp v4 transport basic test """ + try: + self.configScapySA() + send_pkts = self.gen_encrypt_pkts( + self.remote_tra_sa, + self.pg2, + src=self.pg2.remote_ip4, + dst=self.pg2.local_ip4, + count=count) + recv_pkts = self.send_and_expect( + self.pg2, send_pkts, self.pg2, count=count) + # ESP TRA VPP encryption/decryption verification + for Pkts in recv_pkts: + self.local_tra_sa.decrypt(Pkts[IP]) + finally: + self.logger.info(self.vapi.ppcli("show error")) + self.logger.info(self.vapi.ppcli("show ipsec")) + + def test_ipsec_esp_tra_burst(self): + """ ipsec esp v4 transport burst test """ + try: + self.test_ipsec_esp_tra_basic(count=257) + finally: + self.logger.info(self.vapi.ppcli("show error")) + self.logger.info(self.vapi.ppcli("show ipsec")) + + def test_ipsec_esp_tun_basic(self, count=1): + """ ipsec esp 4o4 tunnel basic test """ + try: + self.configScapySA(is_tun=True) + send_pkts = self.gen_encrypt_pkts( + self.remote_tun_sa, + self.pg0, + src=self.remote_pg0_lb_addr, + dst=self.remote_pg1_lb_addr, + count=count) + recv_pkts = self.send_and_expect( + self.pg0, send_pkts, self.pg1, count=count) + # ESP TUN VPP decryption verification + for recv_pkt in recv_pkts: + self.assert_equal(recv_pkt[IP].src, self.remote_pg0_lb_addr) + self.assert_equal(recv_pkt[IP].dst, self.remote_pg1_lb_addr) + send_pkts = self.gen_pkts( + self.pg1, + src=self.remote_pg1_lb_addr, + dst=self.remote_pg0_lb_addr, + count=count) + recv_pkts = self.send_and_expect( + self.pg1, send_pkts, self.pg0, count=count) + # ESP TUN VPP encryption verification + for recv_pkt in recv_pkts: + decrypt_pkt = self.local_tun_sa.decrypt(recv_pkt[IP]) + self.assert_equal(decrypt_pkt.src, self.remote_pg1_lb_addr) + self.assert_equal(decrypt_pkt.dst, self.remote_pg0_lb_addr) + finally: + self.logger.info(self.vapi.ppcli("show error")) + self.logger.info(self.vapi.ppcli("show ipsec")) + + def test_ipsec_esp_tun_burst(self): + """ ipsec esp 4o4 tunnel burst test """ + try: + self.test_ipsec_esp_tun_basic(count=257) + finally: + self.logger.info(self.vapi.ppcli("show error")) + self.logger.info(self.vapi.ppcli("show ipsec")) if __name__ == '__main__': diff --git a/test/test_ipsec_nat.py b/test/test_ipsec_nat.py index 7a5aca6bb7b..cebbfc8ec67 100644 --- a/test/test_ipsec_nat.py +++ b/test/test_ipsec_nat.py @@ -141,17 +141,17 @@ class IPSecNATTestCase(VppTestCase): spd_id = 1 remote_sa_id = 10 local_sa_id = 20 - scapy_tun_spi = 1001 - vpp_tun_spi = 1000 + remote_tun_spi = 1001 + local_tun_spi = 1000 client = socket.inet_pton(socket.AF_INET, cls.remote_pg0_client_addr) cls.vapi.ip_add_del_route(client, 32, cls.pg0.remote_ip4n) - cls.vapi.ipsec_sad_add_del_entry(remote_sa_id, scapy_tun_spi, + cls.vapi.ipsec_sad_add_del_entry(remote_sa_id, remote_tun_spi, cls.pg1.remote_ip4n, cls.pg0.remote_ip4n, integrity_key_length=20, crypto_key_length=16, protocol=1, udp_encap=1) - cls.vapi.ipsec_sad_add_del_entry(local_sa_id, vpp_tun_spi, + cls.vapi.ipsec_sad_add_del_entry(local_sa_id, local_tun_spi, cls.pg0.remote_ip4n, cls.pg1.remote_ip4n, integrity_key_length=20, diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py deleted file mode 100644 index c260f03b63d..00000000000 --- a/test/test_ipsec_tun_if_esp.py +++ /dev/null @@ -1,52 +0,0 @@ -import unittest -import socket -from scapy.layers.ipsec import ESP -from framework import VppTestRunner -from template_ipsec import TemplateIpsec, IpsecTunTests, IpsecTcpTests -from vpp_ipsec_tun_interface import VppIpsecTunInterface - - -class TemplateIpsecTunIfEsp(TemplateIpsec): - """ IPsec tunnel interface tests """ - - encryption_type = ESP - - @classmethod - def setUpClass(cls): - super(TemplateIpsecTunIfEsp, cls).setUpClass() - cls.tun_if = cls.pg0 - - def setUp(self): - self.ipsec_tun_if = VppIpsecTunInterface(self, self.pg0, - self.vpp_tun_spi, - self.scapy_tun_spi, - self.crypt_algo_vpp_id, - self.crypt_key, - self.crypt_key, - self.auth_algo_vpp_id, - self.auth_key, - self.auth_key) - self.ipsec_tun_if.add_vpp_config() - self.ipsec_tun_if.admin_up() - self.ipsec_tun_if.config_ip4() - src4 = socket.inet_pton(socket.AF_INET, self.remote_tun_if_host) - self.vapi.ip_add_del_route(src4, 32, self.ipsec_tun_if.remote_ip4n) - - def tearDown(self): - if not self.vpp_dead: - self.vapi.cli("show hardware") - super(TemplateIpsecTunIfEsp, self).tearDown() - - -class TestIpsecTunIfEsp1(TemplateIpsecTunIfEsp, IpsecTunTests): - """ Ipsec ESP - TUN tests """ - pass - - -class TestIpsecTunIfEsp2(TemplateIpsecTunIfEsp, IpsecTcpTests): - """ Ipsec ESP - TCP tests """ - pass - - -if __name__ == '__main__': - unittest.main(testRunner=VppTestRunner) diff --git a/test/vpp_interface.py b/test/vpp_interface.py index e14a31eb722..194a0c4fb32 100644 --- a/test/vpp_interface.py +++ b/test/vpp_interface.py @@ -2,6 +2,7 @@ from abc import abstractmethod, ABCMeta import socket from util import Host, mk_ll_addr +from vpp_neighbor import VppNeighbor class VppInterface(object): @@ -170,9 +171,6 @@ class VppInterface(object): self._hosts_by_ip4 = {} self._hosts_by_ip6 = {} - def set_sw_if_index(self, sw_if_index): - self._sw_if_index = sw_if_index - self.generate_remote_hosts() self._local_ip4 = "172.16.%u.1" % self.sw_if_index diff --git a/test/vpp_ipsec_tun_interface.py b/test/vpp_ipsec_tun_interface.py deleted file mode 100644 index bd635417f02..00000000000 --- a/test/vpp_ipsec_tun_interface.py +++ /dev/null @@ -1,43 +0,0 @@ -from vpp_tunnel_interface import VppTunnelInterface - - -class VppIpsecTunInterface(VppTunnelInterface): - """ - VPP IPsec Tunnel interface - """ - - def __init__(self, test, parent_if, local_spi, - remote_spi, crypto_alg, local_crypto_key, remote_crypto_key, - integ_alg, local_integ_key, remote_integ_key): - super(VppIpsecTunInterface, self).__init__(test, parent_if) - self.local_spi = local_spi - self.remote_spi = remote_spi - self.crypto_alg = crypto_alg - self.local_crypto_key = local_crypto_key - self.remote_crypto_key = remote_crypto_key - self.integ_alg = integ_alg - self.local_integ_key = local_integ_key - self.remote_integ_key = remote_integ_key - - def add_vpp_config(self): - r = self.test.vapi.ipsec_tunnel_if_add_del( - self.parent_if.local_ip4n, self.parent_if.remote_ip4n, - self.remote_spi, self.local_spi, self.crypto_alg, - self.local_crypto_key, self.remote_crypto_key, self.integ_alg, - self.local_integ_key, self.remote_integ_key) - self.set_sw_if_index(r.sw_if_index) - self.generate_remote_hosts() - self.test.registry.register(self, self.test.logger) - - def remove_vpp_config(self): - self.test.vapi.ipsec_tunnel_if_add_del( - self.parent_if.local_ip4n, self.parent_if.remote_ip4n, - self.remote_spi, self.local_spi, self.crypto_alg, - self.local_crypto_key, self.remote_crypto_key, self.integ_alg, - self.local_integ_key, self.remote_integ_key, is_add=0) - - def __str__(self): - return self.object_id() - - def object_id(self): - return "ipsec-tun-if-%d" % self._sw_if_index diff --git a/test/vpp_papi_provider.py b/test/vpp_papi_provider.py index 32c8eebef01..3130ad06c88 100644 --- a/test/vpp_papi_provider.py +++ b/test/vpp_papi_provider.py @@ -3163,28 +3163,53 @@ class VppPapiProvider(object): def ipsec_sad_add_del_entry(self, sad_id, spi, - integrity_algorithm, - integrity_key, - crypto_algorithm, - crypto_key, - protocol, tunnel_src_address='', tunnel_dst_address='', - is_tunnel=1, + protocol=0, + integrity_algorithm=2, + integrity_key_length=0, + integrity_key='C91KUR9GYMm5GfkEvNjX', + crypto_algorithm=1, + crypto_key_length=0, + crypto_key='JPjyOWBeVEQiMe7h', is_add=1, + is_tunnel=1, udp_encap=0): """ IPSEC SA add/del - :param sad_id: security association ID - :param spi: security param index of the SA in decimal - :param integrity_algorithm: - :param integrity_key: - :param crypto_algorithm: - :param crypto_key: - :param protocol: AH(0) or ESP(1) protocol - :param tunnel_src_address: tunnel mode outer src address - :param tunnel_dst_address: tunnel mode outer dst address - :param is_add: - :param is_tunnel: + Sample CLI : 'ipsec sa add 10 spi 1001 esp \ + crypto-key 4a506a794f574265564551694d653768 \ + crypto-alg aes-cbc-128 \ + integ-key 4339314b55523947594d6d3547666b45764e6a58 \ + integ-alg sha1-96 tunnel-src 192.168.100.3 \ + tunnel-dst 192.168.100.2' + Sample CLI : 'ipsec sa add 20 spi 2001 \ + integ-key 4339314b55523947594d6d3547666b45764e6a58 \ + integ-alg sha1-96' + + :param sad_id - Security Association ID to be \ + created or deleted. mandatory + :param spi - security param index of the SA in decimal. mandatory + :param tunnel_src_address - incase of tunnel mode outer src address .\ + mandatory for tunnel mode + :param tunnel_dst_address - incase of transport mode \ + outer dst address. mandatory for tunnel mode + :param protocol - AH(0) or ESP(1) protocol (Default 0 - AH). optional + :param integrity_algorithm - value range 1-6 Default(2 - SHA1_96).\ + optional ** + :param integrity_key - value in string \ + (Default C91KUR9GYMm5GfkEvNjX).optional + :param integrity_key_length - length of the key string in bytes\ + (Default 0 - integrity disabled). optional + :param crypto_algorithm - value range 1-11 Default \ + (1- AES_CBC_128).optional ** + :param crypto_key - value in string(Default JPjyOWBeVEQiMe7h).optional + :param crypto_key_length - length of the key string in bytes\ + (Default 0 - crypto disabled). optional + :param is_add - add(1) or del(0) ipsec SA entry(Default 1 - add) .\ + optional + :param is_tunnel - tunnel mode (1) or transport mode(0) \ + (Default 1 - tunnel). optional + :returns: reply from the API :** reference /vpp/src/vnet/ipsec/ipsec.h file for enum values of crypto and ipsec algorithms """ @@ -3196,11 +3221,10 @@ class VppPapiProvider(object): 'tunnel_dst_address': tunnel_dst_address, 'protocol': protocol, 'integrity_algorithm': integrity_algorithm, - 'integrity_key_length': len(integrity_key), + 'integrity_key_length': integrity_key_length, 'integrity_key': integrity_key, 'crypto_algorithm': crypto_algorithm, - 'crypto_key_length': len(crypto_key) if crypto_key is not None - else 0, + 'crypto_key_length': crypto_key_length, 'crypto_key': crypto_key, 'is_add': is_add, 'is_tunnel': is_tunnel, @@ -3208,7 +3232,6 @@ class VppPapiProvider(object): def ipsec_spd_add_del_entry(self, spd_id, - sa_id, local_address_start, local_address_stop, remote_address_start, @@ -3218,6 +3241,7 @@ class VppPapiProvider(object): remote_port_start=0, remote_port_stop=65535, protocol=0, + sa_id=10, policy=0, priority=100, is_outbound=1, @@ -3225,28 +3249,35 @@ class VppPapiProvider(object): is_ip_any=0): """ IPSEC policy SPD add/del - Wrapper to configure ipsec SPD policy entries in VPP - :param spd_id: SPD ID for the policy - :param local_address_start: local-ip-range start address - :param local_address_stop : local-ip-range stop address - :param remote_address_start: remote-ip-range start address - :param remote_address_stop : remote-ip-range stop address - :param local_port_start: (Default value = 0) - :param local_port_stop: (Default value = 65535) - :param remote_port_start: (Default value = 0) - :param remote_port_stop: (Default value = 65535) - :param protocol: Any(0), AH(51) & ESP(50) protocol (Default value = 0) - :param sa_id: Security Association ID for mapping it to SPD - :param policy: bypass(0), discard(1), resolve(2) or protect(3) action - (Default value = 0) - :param priority: value for the spd action (Default value = 100) - :param is_outbound: flag for inbound(0) or outbound(1) - (Default value = 1) - :param is_add: (Default value = 1) + Sample CLI : 'ipsec policy add spd 1 inbound priority 10 action \ + protect sa 20 local-ip-range 192.168.4.4 - 192.168.4.4 \ + remote-ip-range 192.168.3.3 - 192.168.3.3' + + :param spd_id - SPD ID for the policy . mandatory + :param local_address_start - local-ip-range start address . mandatory + :param local_address_stop - local-ip-range stop address . mandatory + :param remote_address_start - remote-ip-range start address . mandatory + :param remote_address_stop - remote-ip-range stop address . mandatory + :param local_port_start - (Default 0) . optional + :param local_port_stop - (Default 65535). optional + :param remote_port_start - (Default 0). optional + :param remote_port_stop - (Default 65535). optional + :param protocol - Any(0), AH(51) & ESP(50) protocol (Default 0 - Any). + optional + :param sa_id - Security Association ID for mapping it to SPD + (default 10). optional + :param policy - bypass(0), discard(1), resolve(2) or protect(3)action + (Default 0 - bypass). optional + :param priotity - value for the spd action (Default 100). optional + :param is_outbound - flag for inbound(0) or outbound(1) + (Default 1 - outbound). optional + :param is_add flag - for addition(1) or deletion(0) of the spd + (Default 1 - addtion). optional + :returns: reply from the API """ return self.api( self.papi.ipsec_spd_add_del_entry, {'spd_id': spd_id, - 'sa_id': sa_id, 'local_address_start': local_address_start, 'local_address_stop': local_address_stop, 'remote_address_start': remote_address_start, @@ -3260,30 +3291,9 @@ class VppPapiProvider(object): 'policy': policy, 'priority': priority, 'is_outbound': is_outbound, + 'sa_id': sa_id, 'is_ip_any': is_ip_any}) - def ipsec_tunnel_if_add_del(self, local_ip, remote_ip, local_spi, - remote_spi, crypto_alg, local_crypto_key, - remote_crypto_key, integ_alg, local_integ_key, - remote_integ_key, is_add=1, esn=0, - anti_replay=1, renumber=0, show_instance=0): - return self.api( - self.papi.ipsec_tunnel_if_add_del, - {'local_ip': local_ip, 'remote_ip': remote_ip, - 'local_spi': local_spi, 'remote_spi': remote_spi, - 'crypto_alg': crypto_alg, - 'local_crypto_key_len': len(local_crypto_key), - 'local_crypto_key': local_crypto_key, - 'remote_crypto_key_len': len(remote_crypto_key), - 'remote_crypto_key': remote_crypto_key, 'integ_alg': integ_alg, - 'local_integ_key_len': len(local_integ_key), - 'local_integ_key': local_integ_key, - 'remote_integ_key_len': len(remote_integ_key), - 'remote_integ_key': remote_integ_key, 'is_add': is_add, - 'esn': esn, 'anti_replay': anti_replay, 'renumber': renumber, - 'show_instance': show_instance - }) - def app_namespace_add(self, namespace_id, ip4_fib_id=0, diff --git a/test/vpp_pg_interface.py b/test/vpp_pg_interface.py index 1300f1f1f00..81e9714a37a 100644 --- a/test/vpp_pg_interface.py +++ b/test/vpp_pg_interface.py @@ -84,10 +84,10 @@ class VppPGInterface(VppInterface): def __init__(self, test, pg_index): """ Create VPP packet-generator interface """ - super(VppPGInterface, self).__init__(test) - r = test.vapi.pg_create_interface(pg_index) - self.set_sw_if_index(r.sw_if_index) + self._sw_if_index = r.sw_if_index + + super(VppPGInterface, self).__init__(test) self._in_history_counter = 0 self._out_history_counter = 0 diff --git a/test/vpp_tunnel_interface.py b/test/vpp_tunnel_interface.py deleted file mode 100644 index c74f58532f2..00000000000 --- a/test/vpp_tunnel_interface.py +++ /dev/null @@ -1,32 +0,0 @@ -from abc import abstractmethod, ABCMeta -from vpp_pg_interface import is_ipv6_misc -from vpp_interface import VppInterface - - -class VppTunnelInterface(VppInterface): - """ VPP tunnel interface abstration """ - __metaclass__ = ABCMeta - - @abstractmethod - def __init__(self, test, parent_if): - super(VppTunnelInterface, self).__init__(test) - self.parent_if = parent_if - - @property - def local_mac(self): - return self.parent_if.local_mac - - @property - def remote_mac(self): - return self.parent_if.remote_mac - - def enable_capture(self): - return self.parent_if.enable_capture() - - def add_stream(self, pkts): - return self.parent_if.add_stream(pkts) - - def get_capture(self, expected_count=None, remark=None, timeout=1, - filter_out_fn=is_ipv6_misc): - return self.parent_if.get_capture(expected_count, remark, timeout, - filter_out_fn) |