path: root/test/test_ipsec_ah.py
Age | Commit message | Author | Files | Lines
2021-08-13 | tests docs: upgrade python packages | Dave Wallace | 1 | -22/+24
    - Upgrade python package requirements for test & docs
    - Clean up docs generation warnings
    - Consolidate python requirements for docs in test requirements specs.
    - Upgrade pip
    Type: make
    Change-Id: I74a3924b43ed93d15b32ec9f6fc41ed1ba95b69b
    Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2021-02-25 | tests: Add tests for IPSec async mode using the crypto SW scheduler | Neale Ranns | 1 | -4/+4
    Type: test
    Signed-off-by: Neale Ranns <neale@graphiant.com>
    Change-Id: Iabc8f2b09ee10a82aacebd36acfe8648cf69b7d7
2021-02-10 | ipsec: Use the new tunnel API types to add flow label and TTL copy support | Neale Ranns | 1 | -2/+4
    Type: feature
    attempt 2. this includes changes in ah_encrypt that don't use uninitialised memory when doing tunnel mode fixups.
    Signed-off-by: Neale Ranns <neale@graphiant.com>
    Change-Id: Ie3cb776f5c415c93b8a5ee22f22586fd0181110d
2021-02-09 | Revert "ipsec: Use the new tunnel API types to add flow label and TTL copy" | Matthew Smith | 1 | -4/+2
    This reverts commit c7eaa711f3e25580687df0618e9ca80d3dc85e5f.
    Reason for revert: The jenkins job named 'vpp-merge-master-ubuntu1804-x86_64' had 2 IPv6 AH tests fail after the change was merged. Those 2 tests also failed the next time that job ran after an unrelated change was merged.
    Change-Id: I0e2c3ee895114029066c82624e79807af575b6c0
    Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-02-08 | ipsec: Use the new tunnel API types to add flow label and TTL copy support | Neale Ranns | 1 | -2/+4
    Type: feature
    Signed-off-by: Neale Ranns <neale@graphiant.com>
    Change-Id: I6d4a9b187daa725d4b2cbb66e11616802d44d2d3
2020-11-02 | ipsec: Tunnel SA DSCP behaviour | Neale Ranns | 1 | -2/+94
    Type: feature
    - use tunnel_encap_decap_flags to control the copying of DSCP/ECN/etc during IPSEC tunnel mode encap.
    - use DSCP value to have fixed encap value.
    Signed-off-by: Neale Ranns <nranns@cisco.com>
    Change-Id: If4f51fd4c1dcbb0422aac9bd078e5c14af5bf11f
2019-12-23 | ipsec: Test and fix IPSec worker hand-off | Neale Ranns | 1 | -1/+9
    Type: fix
    Change-Id: I5cb9a3845ddbc5f4de4eb4e9c481f606fe5cec9a
    Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-11-08 | ipsec: remove dedicated IPSec tunnels | Neale Ranns | 1 | -0/+1
    APIs for dedicated IPSec tunnels will remain in this release and are used to programme the IPIP tunnel protect. APIs will be removed in a future release.
    see: https://wiki.fd.io/view/VPP/IPSec
    Type: feature
    Change-Id: I0f01f597946fdd15dfa5cae3643104d5a9c83089
    Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-06-18 | fib: fib api updates | Neale Ranns | 1 | -2/+1
    Enhance the route add/del APIs to take a set of paths rather than just one. Most unicast routing protocols calculate all the available paths in one run of the algorithm so updating all the paths at once is beneficial for the client.
    two knobs control the behaviour:
      is_multipath - if set the set of paths passed will be added to those that already exist, otherwise the set will replace them.
      is_add - add or remove the set
    is_add=0, is_multipath=1 and an empty set, results in deleting the route.
    It is also considerably faster to add multiple paths at once, than one at a time:
      vat# ip_add_del_route 1.1.1.1/32 count 100000 multipath via 10.10.10.11
      100000 routes in .572240 secs, 174751.80 routes/sec
      vat# ip_add_del_route 1.1.1.1/32 count 100000 multipath via 10.10.10.12
      100000 routes in .528383 secs, 189256.54 routes/sec
      vat# ip_add_del_route 1.1.1.1/32 count 100000 multipath via 10.10.10.13
      100000 routes in .757131 secs, 132077.52 routes/sec
      vat# ip_add_del_route 1.1.1.1/32 count 100000 multipath via 10.10.10.14
      100000 routes in .878317 secs, 113854.12 routes/sec
      vat# ip_route_add_del 1.1.1.1/32 count 100000 multipath via 10.10.10.11 via 10.10.10.12 via 10.10.10.13 via 10.10.10.14
      100000 routes in .900212 secs, 111084.93 routes/sec
    Change-Id: I416b93f7684745099c1adb0b33edac58c9339c1a
    Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
    Signed-off-by: Ole Troan <ot@cisco.com>
    Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2019-04-25 | crypto_ipsecmb: use pre-expanded keys | Damjan Marion | 1 | -1/+1
    Change-Id: Ie1d34b7e71554516595e0cd228e2cd54a3b8d629
    Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-04-11 | IPSEC-MB: Use random & non-repeating IV (VPP-1642) | Neale Ranns | 1 | -1/+1
    hard code IV and key lengths based on cipher. Init IV from random data, use AES instruction to rotate.
    Change-Id: I13a6507d12267b823c528660a903787baeba47a0
    Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-10 | crypto: Intel IPSEC-MB engine | Neale Ranns | 1 | -39/+47
    A plugin to use Intel IPSec MB library as a VPP crypto engine
    This change uses concepts from: https://gerrit.fd.io/r/#/c/17301/ hence that author's work is acknowledged below
    Change-Id: I2bf3beeb10f3c9706fa5efbdc9bc023e310f5a92
    Signed-off-by: Neale Ranns <nranns@cisco.com>
    Signed-off-by: Klement Sekera <ksekera@cisco.com>
2019-04-10 | IPSEC: for each engine and algorithm tests | Neale Ranns | 1 | -189/+229
    refactor the IPSEC tests a bit so we can parameterise the setup.
    Change-Id: I777e5eb8f29ca1dce3dd273ebd05dae5846790af
    Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-10 | Tests Cleanup: Fix missing calls to setUpClass/tearDownClass. | Paul Vinciguerra | 1 | -0/+8
    Continuation/Part 2 of https://gerrit.fd.io/r/#/c/17092/
    Change-Id: Id0122d84eaf2c05d29e5be63a594d5e528ee7c9a
    Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2019-04-08 | IPSEC TEST: various hash algorithms | Neale Ranns | 1 | -8/+87
    Change-Id: I925aa5bf9472e81f98072d63df499b19e6ddf43d
    Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-28 | ipsec: USE_EXTENDED_SEQ_NUM -> USE_ESN | Damjan Marion | 1 | -1/+1
    Change-Id: Ib828ea5106f3ae280e4ce233f2462dee363580b7
    Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-03-25 | IPSEC tests and fix for Extended Sequence Numbers | Neale Ranns | 1 | -5/+29
    Change-Id: Iad6c4b867961ec8036110a4e15a829ddb93193ed
    Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-21 | IPSEC: Multi-tunnel tests | Neale Ranns | 1 | -2/+3
    Change-Id: I46f1db6579835c6613fdbb2b726246cc62b135fe
    Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-28 | TEST: IPSEC NAT-T with UDP header | Neale Ranns | 1 | -2/+2
    Change-Id: I5ef8b3f4be40a7a0b0f1cb90dc0e15a4711e8664
    Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-18 | IPSEC: move SA counters into the stats segment | Neale Ranns | 1 | -22/+26
    1) stats are accessed via the stat segment which is more conducive to monitoring
    2) stats are accurate in the presence of multiple threads. There's no guarantee that an SA is accessed from only one worker.
    Change-Id: Id5e217ea253ddfc9480aaedb0d008dea031b1148
    Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-05 | IPSEC: SPD counters in the stats segment | Neale Ranns | 1 | -9/+13
    - return the stats_index of each SPD in the create API call
    - no ip_any in the API as this creates 2 SPD entries. client must add both v4 and v6 explicitly
    - only one pool of SPD entries (rather than one per-SPD) to support this
    - no packets/bytes in the dump API. Polling the stats segment is much more efficient (if the SA lifetime is based on packet/bytes)
    - emit the policy index in the packet trace and CLI commands.
    Change-Id: I7eaf52c9d0495fa24450facf55229941279b8569
    Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-01-31 | IPSEC: API modernisation | Neale Ranns | 1 | -8/+20
    - use enums to enumerate the algorithms and protocols that are supported
    - use address_t types to simplify encode/decode
    - use typedefs of entry objects to get consistency between add/del API and dump
    Change-Id: I7e7c58c06a150e2439633ba9dca58bc1049677ee
    Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-01-29 | make test: remove generic imports | Klement Sekera | 1 | -1/+2
    Change-Id: I55b89f0d9fb082c7763b64b09ab14573468c6704
    Signed-off-by: Klement Sekera <ksekera@cisco.com>
2019-01-25 | IPSEC: tests use object registry | Neale Ranns | 1 | -234/+108
    this means we test the dumps - to some extent
    Change-Id: I8d90745701012012b41a7b3aaf9be97b4dd2bdf8
    Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-01-24 | IPSEC Tests: to per-test setup and tearDown | Neale Ranns | 1 | -102/+239
    don't do the setup and teardown in class methods so that with each test the config is added and deleted. that way we test that delete actually removes state.
    more helpful error codes from VPP for existing IPSEC state.
    Change-Id: I5de1578f73b935b420d4cdd85aa98d5fdcc682f6
    Signed-off-by: Neale Ranns <nranns@cisco.com>
2018-12-02 | IPSEC-AH: anti-replay testing | Neale Ranns | 1 | -2/+5
    Change-Id: Ia5d45db73e4bdb32214ed4f365d5eec8e28115f3
    Signed-off-by: Neale Ranns <nranns@cisco.com>
2018-11-15 | ipsec: infra for selecting backends | Klement Sekera | 1 | -11/+8
    Change-Id: Ifa6d8391b1b2413a88b7720fc434e0bc849a149a
    Signed-off-by: Klement Sekera <ksekera@cisco.com>
    Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-10-03 | ipsec: add missing ipv6 ah code & ipv6 tests | Klement Sekera | 1 | -70/+98
    Change-Id: I89e90193ded1beb6cb0950c15737f9467efac1c3
    Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-06-24 | Revert "Revert "ipsec: VPP-1316 calculate IP/TCP/UDP inner checksums"" | Klement Sekera | 1 | -189/+98
    This reverts commit e0d2bd6bd7fc59c0c6ac48195d7f825dc99bfd91.
    Change-Id: If491e16f9ea66b2493a6a7c7f3c684ed585f8f51
    Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-06-22 | Revert "ipsec: VPP-1316 calculate IP/TCP/UDP inner checksums" | Ole Troan | 1 | -98/+189
    This reverts commit a98346f664aae148d26a8e158008b773d73db96f.
    Change-Id: Iee5b3a5ddff0e8fd3a30fe5973cee24de434fe12
    Signed-off-by: Ole Troan <ot@cisco.com>
2018-06-21 | ipsec: VPP-1316 calculate IP/TCP/UDP inner checksums | Klement Sekera | 1 | -189/+98
    Calculate IP/TCP/UDP checksums in software before adding authentication.
    Change-Id: I3e121cb00aeba667764f39ade8d62170f18f8b6b
    Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-05-11 | make test: reorganize ipsec_ah test code | Klement Sekera | 1 | -191/+124
    Change-Id: Ie0eb0127affd3d771d19bb7c60e79c31858d82cd
    Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-05-09 | ipsec: support UDP encap/decap for NAT traversal | Klement Sekera | 1 | -4/+4
    Change-Id: I65c12617ad49e4d5ef242e53988782f0cefa5684
    Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-04-17 | make test: ipsec test cleanup | Klement Sekera | 1 | -7/+5
    Change-Id: If813346b665468b25aaf5d95629bcad87212aa3e
    Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-03-19 | Scapy upgrade to 2.4.0.rc5 | Neale Ranns | 1 | -2/+1
    - many of the patches fd.io applies in test/patches/2.3.3 are now upstreamed in 2.4
    - 2.4 adds support for IGMPv3 which is my main motivation for the upgrade
    Change-Id: If2c0a524e3cba320b4a5d8cd07817c6ea2bf0c5a
    Signed-off-by: Neale Ranns <nranns@cisco.com>
2017-12-15 | ESP_AH_test_automation_scripts rev1 | “mystarrocks” | 1 | -0/+325
    Change-Id: I941abdc4a02e4c52c66b9d299e380b27caca7c1d
    Signed-off-by: “mystarrocks” <mystarrocks@yahoo.com>
er
    @param context - sender context, to match reply w/ request
    @param entry - Entry to add or delete
*/
define ipsec_sad_entry_add_del
{
  u32 client_index;
  u32 context;
  u8 is_add;
  vl_api_ipsec_sad_entry_t entry;
};
define ipsec_sad_entry_add_del_reply
{
  u32 context;
  i32 retval;
  u32 stat_index;
};

/** \brief IPsec: Update Security Association keys
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param sa_id - sa id
    @param crypto_key - crypto keying material
    @param integrity_key - integrity keying material
*/
autoreply define ipsec_sa_set_key
{
  u32 client_index;
  u32 context;
  u32 sa_id;
  vl_api_key_t crypto_key;
  vl_api_key_t integrity_key;
};

/** \brief IPsec: Get SPD interfaces
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param spd_index - SPD index
    @param spd_index_valid - if 1 spd_index is used to filter spd_index's, if 0 no filtering is done
*/
define ipsec_spd_interface_dump
{
  u32 client_index;
  u32 context;
  u32 spd_index;
  u8 spd_index_valid;
};

/** \brief IPsec: SPD interface response
    @param context - sender context which was passed in the request
    @param spd_index - SPD index
    @param sw_if_index - index of the interface
*/
define ipsec_spd_interface_details
{
  u32 context;
  u32 spd_index;
  u32 sw_if_index;
};

/** \brief Add or delete IPsec tunnel interface
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param is_add - add IPsec tunnel interface if nonzero, else delete
    @param esn - enable extended sequence numbers if nonzero, else disable
    @param anti_replay - enable anti replay check if nonzero, else disable
    @param local_ip - local IP address
    @param remote_ip - IP address of remote IPsec peer
    @param local_spi - SPI of outbound IPsec SA
    @param remote_spi - SPI of inbound IPsec SA
    @param crypto_alg - encryption algorithm ID
    @param local_crypto_key_len - length of local crypto key in bytes
    @param local_crypto_key - crypto key for outbound IPsec SA
    @param remote_crypto_key_len - length of remote crypto key in bytes
    @param remote_crypto_key - crypto key for inbound IPsec SA
    @param integ_alg - integrity algorithm ID
    @param local_integ_key_len - length of local integrity key in bytes
    @param local_integ_key - integrity key for outbound IPsec SA
    @param remote_integ_key_len - length of remote integrity key in bytes
    @param remote_integ_key - integrity key for inbound IPsec SA
    @param renumber - intf display name uses a specified instance if != 0
    @param show_instance - instance to display for intf if renumber is set
    @param udp_encap - enable UDP encapsulation for NAT traversal
    @param tx_table_id - the FIB id used after packet encap
*/
define ipsec_tunnel_if_add_del
{
  u32 client_index;
  u32 context;
  u8 is_add;
  u8 esn;
  u8 anti_replay;
  u8 local_ip[4];
  u8 remote_ip[4];
  u32 local_spi;
  u32 remote_spi;
  u8 crypto_alg;
  u8 local_crypto_key_len;
  u8 local_crypto_key[128];
  u8 remote_crypto_key_len;
  u8 remote_crypto_key[128];
  u8 integ_alg;
  u8 local_integ_key_len;
  u8 local_integ_key[128];
  u8 remote_integ_key_len;
  u8 remote_integ_key[128];
  u8 renumber;
  u32 show_instance;
  u8 udp_encap;
  u32 tx_table_id;
};

/** \brief Add/delete IPsec tunnel interface response
    @param context - sender context, to match reply w/ request
    @param retval - return status
    @param sw_if_index - sw_if_index of new interface (for successful add)
*/
define ipsec_tunnel_if_add_del_reply
{
  u32 context;
  i32 retval;
  u32 sw_if_index;
};

/** \brief Dump IPsec security association
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param sa_id - optional ID of an SA to dump, if ~0 dump all SAs in SAD
*/
define ipsec_sa_dump
{
  u32 client_index;
  u32 context;
  u32 sa_id;
};

/** \brief IPsec security association database response
    @param context - sender context which was passed in the request
    @param sa_id - SA ID, policy-based SAs >=0, tunnel interface SAs = 0
    @param sw_if_index - sw_if_index of tunnel interface, policy-based SAs = ~0
    @param spi - security parameter index
    @param protocol - IPsec protocol (value from ipsec_protocol_t)
    @param crypto_alg - crypto algorithm (value from ipsec_crypto_alg_t)
    @param crypto_key_len - length of crypto_key in bytes
    @param crypto_key - crypto keying material
    @param integ_alg - integrity algorithm (value from ipsec_integ_alg_t)
    @param integ_key_len - length of integ_key in bytes
    @param integ_key - integrity keying material
    @param use_esn - using extended sequence numbers when non-zero
    @param use_anti_replay - using anti-replay window when non-zero
    @param is_tunnel - IPsec tunnel mode when non-zero, else transport mode
    @param is_tunnel_ipv6 - If using tunnel mode, endpoints are IPv6
    @param tunnel_src_addr - Tunnel source address if using tunnel mode
    @param tunnel_dst_addr - Tunnel destination address if using tunnel mode
    @param salt - 4 byte salt
    @param seq - current sequence number for outbound
    @param seq_hi - high 32 bits of ESN for outbound
    @param last_seq - highest sequence number received inbound
    @param last_seq_hi - high 32 bits of highest ESN received inbound
    @param replay_window - bit map of seq nums received relative to last_seq if using anti-replay
    @param total_data_size - total bytes sent or received
    @param udp_encap - 1 if UDP encap enabled, 0 otherwise
*/
define ipsec_sa_details
{
  u32 context;
  vl_api_ipsec_sad_entry_t entry;
  u32 sw_if_index;
  u32 salt;
  u64 seq_outbound;
  u64 last_seq_inbound;
  u64 replay_window;
  u64 total_data_size;
};

/** \brief Set key on IPsec interface
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param sw_if_index - index of tunnel interface
    @param key_type - type of key being set
    @param alg - algorithm used with key
    @param key_len - length of key in bytes
    @param key - key
*/
autoreply define ipsec_tunnel_if_set_key
{
  u32 client_index;
  u32 context;
  u32 sw_if_index;
  u8 key_type;
  u8 alg;
  u8 key_len;
  u8 key[128];
};

/** \brief Set new SA on IPsec interface
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param sw_if_index - index of tunnel interface
    @param sa_id - ID of SA to use
    @param is_outbound - 1 if outbound (local) SA, 0 if inbound (remote)
*/
autoreply define ipsec_tunnel_if_set_sa
{
  u32 client_index;
  u32 context;
  u32 sw_if_index;
  u32 sa_id;
  u8 is_outbound;
};

/** \brief Dump IPsec backends
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
*/
define ipsec_backend_dump
{
  u32 client_index;
  u32 context;
};

/** \brief IPsec backend details
    @param name - name of the backend
    @param protocol - IPsec protocol (value from ipsec_protocol_t)
    @param index - backend index
    @param active - set to 1 if the backend is active, otherwise 0
*/
define ipsec_backend_details
{
  u32 context;
  u8 name[128];
  vl_api_ipsec_proto_t protocol;
  u8 index;
  u8 active;
};

/** \brief Select IPsec backend
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param protocol - IPsec protocol (value from ipsec_protocol_t)
    @param index - backend index
*/
autoreply define ipsec_select_backend
{
  u32 client_index;
  u32 context;
  vl_api_ipsec_proto_t protocol;
  u8 index;
};

/*
 * Local Variables:
 * eval: (c-set-style "gnu")
 * End:
 */