summaryrefslogtreecommitdiffstats
path: root/test/test_ipsec_tun_if_esp.py
AgeCommit message (Collapse)AuthorFilesLines
2020-11-02ipsec: Tunnel SA DSCP behaviourNeale Ranns1-12/+18
Type: feature - use tunnel_encap_decap_flags to control the copying of DSCP/ECN/etc during IPSEC tunnel mode encap. - use DSCP value to have fixed encap value. Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: If4f51fd4c1dcbb0422aac9bd078e5c14af5bf11f
2020-10-21ipsec: support for multipoint on ipsec interfacesNeale Ranns1-1/+124
Type: feature Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: Iae9fe35cfbce4c675fa25e0800c0f4629a83e012
2020-10-16ipsec: fix instance, and cli del for new ipsec interfaceEric Kinzie1-2/+20
- use user instance number in interface name Restore the behavior of previous versions where the IPsec tunnel interface name contained the value of the user-provided instance number. For example, a command similar to create ipsec tunnel local-ip . . . instance 5 would result in the creation of interface "ipsec5". - ipsec: delete tunnel protection when asked The "ipsec tunnel protect" command will parse a "del" argument but does not undo the tunnel protection, leaving the SAs hanging around with reference counts that were incremented by a previous invocation of the command. Allow the tunnel protection to be deleted and also update the help text to indicate that deletion is an option. - test: ipsec: add test for ipsec interface instance Also cleanup (unconfig) after TestIpsecItf4 NULL algo test. Type: fix Fixes: dd4ccf2623b5 ("ipsec: Dedicated IPSec interface type") Signed-off-by: Eric Kinzie <ekinzie@labn.net> Signed-off-by: Christian Hopps <chopps@labn.net> Change-Id: Idb59ceafa0633040344473c9942b6536e3d941ce
2020-10-08ipsec: Allow SAs with NULL auth &crypto on IPSec interfaceNeale Ranns1-4/+25
Type: improvement on the dedicated IPSec interface, the SA describes the peer, so it is not possible to forward to a peer for which there is no SA. Therefore if an SA is added with NULL auth and integ then this explicitly states that this is what the peer desires. on the contrary on the IP-IP/GRE interface, in the absence of protection and an SA, then the traffic is sent in the clear. So adding NULL auth/crypto iSA is a means to describe that the peer should not be sent traffic. Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I7ad2d466cc74eb7ff8c4c84e0d7897d06e2fcf86
2020-07-21ipsec: Dedicated IPSec interface typeNeale Ranns1-4/+302
Type: feature Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: Ie8bd50df163aea2798e9f9d35a13dcadc4a4a4b2
2020-05-13feature: Config end nodes are user specificNeale Ranns1-0/+12
Type: fix it is possible for a user to change the end node of a feature arc, but this change should only apply to that 'instnace' of the arc, not all arcs. for example, if a tunnel has its ipx-output end node changed to adj-midchain-tx, this shouldn't affect all ipx-output arcs. obviously... Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I41daea7ba6907963e42140307d065c8bcfdcb585
2020-05-05ipsec: User can choose the UDP source portNeale Ranns1-3/+133
Type: feature thus allowing NAT traversal, Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: Ie8650ceeb5074f98c68d2d90f6adc2f18afeba08 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2020-05-04fib: midchain adjacency optimisationsNeale Ranns1-2/+3
Type: improvement - inline some common encap fixup functions into the midchain rewrite node so we don't incur the cost of the virtual function call - change the copy 'guess' from ethernet_header (which will never happen) to an ip4 header - add adj-midchain-tx to multiarch sources - don't run adj-midchain-tx as a feature, instead put this node as the adj's next and at the end of the feature arc. - cache the feature arc config index (to save the cache miss going to fetch it) - don't check if features are enabled when taking the arc (since we know they are) the last two changes will also benefit normal adjacencies taking the arc (i.e. for NAT, ACLs, etc) for IPSec: - don't run esp_encrypt as a feature, instead when required insert this node into the adj's next and into the end of the feature arc. this implies that encrypt is always 'the last feature' run, which is symmetric with decrypt always being the first. - esp_encrpyt for tunnels has adj-midchain-tx as next node Change-Id: Ida0af56a704302cf2d7797ded5f118a781e8acb7 Signed-off-by: Neale Ranns <nranns@cisco.com>
2020-03-31ipsec: fix udp-encap in transport modeAlexander Chernavin1-2/+51
Now UDP enacapsulation doesn't work in transport mode with crypto algorithms that have iv_sz=8 like AES GCM or 3DES CBC. That happens because the inserted UDP header overlaps with the old IP header and gets filled before the information from the old IP header can be copied to a new IP header. The result is a broken packet: 00:03:39:620863: esp4-encrypt-tun esp: sa-index 3 spi 3464048590 (0xce792fce) seq 31 sa-seq-hi 0 crypto aes-gcm-128 integrity none udp-encap-enabled 00:03:39:620867: adj-midchain-tx ... 00:03:39:620868: ip4-rewrite ... 00:03:39:620869: GigabitEthernet0/8/0-output GigabitEthernet0/8/0 IP4: 08:00:27:a9:6b:d6 -> 08:00:27:5a:dd:0c UDP: 10.255.0.10 -> 10.255.0.20 version 0, header length 0 tos 0x80, ttl 63, length 0, checksum 0x653e (should be 0xffff) dscp CS4 ecn NON_ECN fragment id 0x0000 UDP: 128 -> 0 length 0, checksum 0x0000 00:03:39:620870: GigabitEthernet0/8/0-tx GigabitEthernet0/8/0 tx queue 0 ... IP4: 08:00:27:a9:6b:d6 -> 08:00:27:5a:dd:0c UDP: 10.255.0.10 -> 10.255.0.20 version 0, header length 0 tos 0x80, ttl 63, length 0, checksum 0x653e (should be 0xffff) dscp CS4 ecn NON_ECN fragment id 0x0000 UDP: 128 -> 0 length 0, checksum 0x0000 With this commit, fill UDP header after copying the IP headers in transport mode. Type: fix Change-Id: Ie9a6e562aa05a8378114329d6a9ff395189fa6a8 Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2020-02-21ipsec: IPSec protection for multi-point tunnel interfacesNeale Ranns1-16/+281
Type: feature Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: Iaba2ab11bfaa1c8db4023434e3043ac39500f938
2020-02-05ipsec: set l2_len for GRE-TEB tunnel decapJohn Lo1-1/+122
Type: fix Ticket: VPP-1831 Signed-off-by: John Lo <loj@cisco.com> Change-Id: I655964b22021ac38cbced577091a1156286d4fd6
2020-01-04ipsec: AH copy destination and source address from templateNeale Ranns1-8/+12
Type: fix Change-Id: I63d4df68eed6589763b5ce62bcd7f3fd867c60e1 Signed-off-by: Neale Ranns <nranns@cisco.com>
2020-01-04ipsec: Targeted unit testingNeale Ranns1-5/+315
Type: fix 1 - big packets; chained buffers and those without enoguh space to add ESP header 2 - IPv6 extension headers in packets that are encrypted/decrypted 3 - Interface protection with SAs that have null algorithms Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: Ie330861fb06a9b248d9dcd5c730e21326ac8e973
2019-12-23ipsec: Test and fix IPSec worker hand-offNeale Ranns1-2/+18
Type: fix Change-Id: I5cb9a3845ddbc5f4de4eb4e9c481f606fe5cec9a Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-12-18ipsec: Fix decap of IPSEC/GRE in transport modeNeale Ranns1-1/+125
Type: fix in transport mode the header sequence is: MAC - IP (tun) - ESP - GRE - L2 so popping the GRE header is done in the ESP decrypt node. Change-Id: Ia125eb65b9300368617d2bffca09683851e43be0 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-12-14tests: changes for scapy 2.4.3 migrationsnaramre1-5/+6
Type: fix Change-Id: I7e041b666dabd90df23a920a1f1d99db4c10ddfe Signed-off-by: snaramre <snaramre@cisco.com>
2019-12-02tests: GRE over IPSec unit testsNeale Ranns1-0/+97
Type: test Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I4ae1b56f273026aca86775fb61feabcdeb62c62e
2019-11-08ipsec: remove dedicated IPSec tunnelsNeale Ranns1-56/+90
APIs for dedicated IPSec tunnels will remain in this release and are used to programme the IPIP tunnel protect. APIs will be removed in a future release. see: https://wiki.fd.io/view/VPP/IPSec Type: feature Change-Id: I0f01f597946fdd15dfa5cae3643104d5a9c83089 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-11-08tests: python3 use byte strings in raw()Ole Troan1-8/+8
Raw('\xaf) and Raw(b'\xaf) are two quite different things in python 2 versus 3. In most cases this didn't make a difference, apart from those cases where length of payload actually mattered. Type: fix Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I3cba5c1486e436a3ca8aa10a7b393da75aa9f6b9
2019-10-18ipsec: make tests support python3Ole Troan1-13/+13
Type: fix Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I3255702e7c562c8d04a91a095e245756c6443a9e
2019-09-27ipsec: support 4o6 and 6o4 for tunnel protectNeale Ranns1-2/+40
Type: feature Change-Id: Ib2352ca4c7abf4645f21fa16aaaf27408890a2bf Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-08-27ipsec: Fix NULL encryption algorithmNeale Ranns1-0/+8
Type: fix Ticket: VPP-1756 the block-size was set to 0 resulting in incorrect placement of the ESP footer. add tests for NULL encrypt + integ. Change-Id: I8ab3afda8e68f9ff649540cba3f2cac68f12bbba Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-07-16ipsec: handle UDP keepalivesNeale Ranns1-8/+113
Type: feature Change-Id: I87cc1168466f267e8c4bbec318401982f4bdf03a Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-07-10tests: Re-enable ipsec tests on ARMjuraj.linkes1-3/+1
Type: fix * test_ipsec_tun_if_esp.TestIpsecGreTebIfEsp * test_ipsec_esp.TestIpsecEspAll add keepalive messages before each algo/engine to prevent test timeout Change-Id: I726f3f9613bab02a65e65542cee494c68176ded7 Signed-off-by: juraj.linkes <juraj.linkes@pantheon.tech>
2019-06-18ipsec: fix ipv6 tunnel protect testsFlorin Coras1-2/+1
Type: fix Change-Id: I1f8007ae659097152046aa1396cc23f126e29018 Signed-off-by: Florin Coras <fcoras@cisco.com>
2019-06-18ipsec: ipsec-tun protectNeale Ranns1-30/+629
please consult the new tunnel proposal at: https://wiki.fd.io/view/VPP/IPSec Type: feature Change-Id: I52857fc92ae068b85f59be08bdbea1bd5932e291 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-06-18fib: fib api updatesNeale Ranns1-21/+23
Enhance the route add/del APIs to take a set of paths rather than just one. Most unicast routing protocols calcualte all the available paths in one run of the algorithm so updating all the paths at once is beneficial for the client. two knobs control the behaviour: is_multipath - if set the the set of paths passed will be added to those that already exist, otherwise the set will replace them. is_add - add or remove the set is_add=0, is_multipath=1 and an empty set, results in deleting the route. It is also considerably faster to add multiple paths at once, than one at a time: vat# ip_add_del_route 1.1.1.1/32 count 100000 multipath via 10.10.10.11 100000 routes in .572240 secs, 174751.80 routes/sec vat# ip_add_del_route 1.1.1.1/32 count 100000 multipath via 10.10.10.12 100000 routes in .528383 secs, 189256.54 routes/sec vat# ip_add_del_route 1.1.1.1/32 count 100000 multipath via 10.10.10.13 100000 routes in .757131 secs, 132077.52 routes/sec vat# ip_add_del_route 1.1.1.1/32 count 100000 multipath via 10.10.10.14 100000 routes in .878317 secs, 113854.12 routes/sec vat# ip_route_add_del 1.1.1.1/32 count 100000 multipath via 10.10.10.11 via 10.10.10.12 via 10.10.10.13 via 10.10.10.14 100000 routes in .900212 secs, 111084.93 routes/sec Change-Id: I416b93f7684745099c1adb0b33edac58c9339c1a Signed-off-by: Neale Ranns <neale.ranns@cisco.com> Signed-off-by: Ole Troan <ot@cisco.com> Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2019-05-29make test: fix packet counter assertKlement Sekera1-5/+13
Change-Id: Ic6e6ac0629bbf07f7dad1803a85aabfdccbc2035 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2019-04-18IPSEC: tunnel rekey fix and test (VPP-1652)Neale Ranns1-0/+57
Change-Id: I1c2b3e40c689bedcdcea7887792b6b6b6aeb48d5 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-17IPSEC: Pass the algorithm salt (used in GCM) over the APINeale Ranns1-9/+9
Change-Id: Ia8cea13f7b937294e6a080a55fb2ceff30063acf Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-16IPSEC: support GCM in ESPNeale Ranns1-0/+127
Change-Id: Id2ddb77b4ec3dd543d6e638bc882923f2bac011d Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-10Tests Cleanup: Fix missing calls to setUpClass/tearDownClass.Paul Vinciguerra1-0/+8
Continuation/Part 2 of https://gerrit.fd.io/r/#/c/17092/ Change-Id: Id0122d84eaf2c05d29e5be63a594d5e528ee7c9a Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2019-04-02IPSEC-GRE; testsNeale Ranns1-2/+114
failing test disabled on ARM Change-Id: I6b7535cd8f51fdaf9786ba77f9f61a7d8d049bbd Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-29IPSEC: tunnel fragmentationNeale Ranns1-11/+23
Change-Id: I63741a22bc82f5f861e1c0f26a93b5569cc52061 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-28IPSEC: 4o6 and 6o4 for tunnel interfacesNeale Ranns1-0/+26
Change-Id: I4d3ba18ab5205317219989de55b6e50d3b1d8a79 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-28IPSEC: run encrpyt as a feautre on the tunnelNeale Ranns1-2/+2
Change-Id: I6527e3fd8bbbca2d5f728621fc66b3856b39d505 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-28Typos. A bunch of typos I've been collecting.Paul Vinciguerra1-1/+1
Change-Id: I53ab8d17914e6563110354e4052109ac02bf8f3b Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2019-03-21IPSEC: Mutli-tunnel testsNeale Ranns1-2/+125
Change-Id: I46f1db6579835c6613fdbb2b726246cc62b135fe Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-21ipsec: add ipv6 support for ipsec tunnel interfaceKingwel Xie1-7/+46
Change-Id: I6a76907dc7bed2a81282b63669bea2219d6903c9 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com> Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
2019-01-25IPSEC: tests use opbject registryNeale Ranns1-2/+5
this means we test the dumps - to some extent Change-Id: I8d90745701012012b41a7b3aaf9be97b4dd2bdf8 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-01-24IPSEC Tests: to per-test setup and tearDownNeale Ranns1-5/+4
don't do the setup and teardown in class methods so that with each test the config is added and deleted. that way we test that delete actually removes state. more helpful error codes from VPP for existing IPSEC state. Change-Id: I5de1578f73b935b420d4cdd85aa98d5fdcc682f6 Signed-off-by: Neale Ranns <nranns@cisco.com>
2018-11-15ipsec: infra for selecting backendsKlement Sekera1-1/+2
Change-Id: Ifa6d8391b1b2413a88b7720fc434e0bc849a149a Signed-off-by: Klement Sekera <ksekera@cisco.com> Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-10-03ipsec: add missing ipv6 ah code & ipv6 testsKlement Sekera1-16/+13
Change-Id: I89e90193ded1beb6cb0950c15737f9467efac1c3 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-06-24Revert "Revert "ipsec: VPP-1316 calculate IP/TCP/UDP inner checksums""Klement Sekera1-0/+52
This reverts commit e0d2bd6bd7fc59c0c6ac48195d7f825dc99bfd91. Change-Id: If491e16f9ea66b2493a6a7c7f3c684ed585f8f51 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-06-22Revert "ipsec: VPP-1316 calculate IP/TCP/UDP inner checksums"Ole Troan1-52/+0
This reverts commit a98346f664aae148d26a8e158008b773d73db96f. Change-Id: Iee5b3a5ddff0e8fd3a30fe5973cee24de434fe12 Signed-off-by: Ole Troan <ot@cisco.com>
2018-06-21ipsec: VPP-1316 calculate IP/TCP/UDP inner checksumsKlement Sekera1-0/+52
Calculate IP/TCP/UDP checksums in software before adding authentication. Change-Id: I3e121cb00aeba667764f39ade8d62170f18f8b6b Signed-off-by: Klement Sekera <ksekera@cisco.com>