From abc5660c61698fa29252dc202358002a97f2608c Mon Sep 17 00:00:00 2001 From: Neale Ranns Date: Wed, 1 Apr 2020 09:45:23 +0000 Subject: ipsec: User can choose the UDP source port Type: feature thus allowing NAT traversal, Signed-off-by: Neale Ranns Change-Id: Ie8650ceeb5074f98c68d2d90f6adc2f18afeba08 Signed-off-by: Paul Vinciguerra --- test/patches/scapy-2.4.3/ipsec.patch | 11 ++- test/test_ipsec_api.py | 51 +++++++++---- test/test_ipsec_tun_if_esp.py | 136 ++++++++++++++++++++++++++++++++++- test/vpp_ipsec.py | 96 ++++++++++++++++++------- test/vpp_papi_provider.py | 55 -------------- 5 files changed, 252 insertions(+), 97 deletions(-) (limited to 'test') diff --git a/test/patches/scapy-2.4.3/ipsec.patch b/test/patches/scapy-2.4.3/ipsec.patch index 993604768ff..7ee8316bce3 100644 --- a/test/patches/scapy-2.4.3/ipsec.patch +++ b/test/patches/scapy-2.4.3/ipsec.patch @@ -2,6 +2,14 @@ diff --git a/scapy/layers/ipsec.py b/scapy/layers/ipsec.py index f8c601fa..f566d288 100644 --- a/scapy/layers/ipsec.py +++ b/scapy/layers/ipsec.py +@@ -138,6 +138,7 @@ bind_layers(IP, ESP, proto=socket.IPPROTO_ESP) + bind_layers(IPv6, ESP, nh=socket.IPPROTO_ESP) + bind_layers(UDP, ESP, dport=4500) # NAT-Traversal encapsulation + bind_layers(UDP, ESP, sport=4500) # NAT-Traversal encapsulation ++bind_layers(UDP, ESP, dport=4545) # NAT-Traversal encapsulation - random port + + ############################################################################### + @@ -359,11 +359,8 @@ class CryptAlgo(object): encryptor = cipher.encryptor() @@ -147,7 +155,7 @@ index f8c601fa..f566d288 100644 esp = self.crypt_algo.decrypt(self, encrypted, self.crypt_key, self.crypt_algo.icv_size or -@@ -1050,9 +1069,10 @@ class SecurityAssociation(object): +@@ -1050,11 +1069,12 @@ class SecurityAssociation(object): def _decrypt_ah(self, pkt, verify=True): @@ -160,3 +168,4 @@ index f8c601fa..f566d288 100644 ah = pkt[AH] payload = ah.payload + diff --git a/test/test_ipsec_api.py b/test/test_ipsec_api.py index 00885ae05b6..b5b4adac66b 100644 --- a/test/test_ipsec_api.py +++ b/test/test_ipsec_api.py @@ -70,23 +70,48 @@ class IpsecApiTestCase(VppTestCase): crypt_algo_vpp_id = params.crypt_algo_vpp_id crypt_key = params.crypt_key - self.vapi.ipsec_sad_entry_add_del(scapy_tun_sa_id, scapy_tun_spi, - auth_algo_vpp_id, auth_key, - crypt_algo_vpp_id, crypt_key, - self.vpp_ah_protocol, - self.pg0.local_addr[addr_type], - self.pg0.remote_addr[addr_type]) + self.vapi.ipsec_sad_entry_add_del( + is_add=1, + entry={ + 'sad_id': scapy_tun_sa_id, + 'spi': scapy_tun_spi, + 'integrity_algorithm': auth_algo_vpp_id, + 'integrity_key': { + 'data': auth_key, + 'length': len(auth_key), + }, + 'crypto_algorithm': crypt_algo_vpp_id, + 'crypto_key': { + 'data': crypt_key, + 'length': len(crypt_key), + }, + 'protocol': self.vpp_ah_protocol, + 'tunnel_src': self.pg0.local_addr[addr_type], + 'tunnel_dst': self.pg0.remote_addr[addr_type] + }) with self.vapi.assert_negative_api_retval(): self.vapi.ipsec_select_backend( protocol=self.vpp_ah_protocol, index=0) - self.vapi.ipsec_sad_entry_add_del(scapy_tun_sa_id, scapy_tun_spi, - auth_algo_vpp_id, auth_key, - crypt_algo_vpp_id, crypt_key, - self.vpp_ah_protocol, - self.pg0.local_addr[addr_type], - self.pg0.remote_addr[addr_type], - is_add=0) + self.vapi.ipsec_sad_entry_add_del( + is_add=0, + entry={ + 'sad_id': scapy_tun_sa_id, + 'spi': scapy_tun_spi, + 'integrity_algorithm': auth_algo_vpp_id, + 'integrity_key': { + 'data': auth_key, + 'length': len(auth_key), + }, + 'crypto_algorithm': crypt_algo_vpp_id, + 'crypto_key': { + 'data': crypt_key, + 'length': len(crypt_key), + }, + 'protocol': self.vpp_ah_protocol, + 'tunnel_src': self.pg0.local_addr[addr_type], + 'tunnel_dst': self.pg0.remote_addr[addr_type] + }) self.vapi.ipsec_select_backend( protocol=self.vpp_ah_protocol, index=0) diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py index d8527a3d6c1..3ab0e73ff74 100644 --- a/test/test_ipsec_tun_if_esp.py +++ b/test/test_ipsec_tun_if_esp.py @@ -64,13 +64,15 @@ def config_tra_params(p, encryption_type, tun_if): crypt_algo=p.crypt_algo, crypt_key=crypt_key, auth_algo=p.auth_algo, auth_key=p.auth_key, - esn_en=esn_en) + esn_en=esn_en, + nat_t_header=p.nat_header) p.vpp_tun_sa = SecurityAssociation( encryption_type, spi=p.scapy_tun_spi, crypt_algo=p.crypt_algo, crypt_key=crypt_key, auth_algo=p.auth_algo, auth_key=p.auth_key, - esn_en=esn_en) + esn_en=esn_en, + nat_t_header=p.nat_header) class TemplateIpsec4TunIfEsp(TemplateIpsec): @@ -1060,6 +1062,127 @@ class TestIpsecGreTebIfEspTra(TemplateIpsec, super(TestIpsecGreTebIfEspTra, self).tearDown() +class TestIpsecGreTebUdpIfEspTra(TemplateIpsec, + IpsecTun4Tests): + """ Ipsec GRE TEB UDP ESP - Tra tests """ + tun4_encrypt_node_name = "esp4-encrypt-tun" + tun4_decrypt_node_name = "esp4-decrypt-tun" + encryption_type = ESP + omac = "00:11:22:33:44:55" + + def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, + payload_size=100): + return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / + sa.encrypt(IP(src=self.pg0.remote_ip4, + dst=self.pg0.local_ip4) / + GRE() / + Ether(dst=self.omac) / + IP(src="1.1.1.1", dst="1.1.1.2") / + UDP(sport=1144, dport=2233) / + Raw(b'X' * payload_size)) + for i in range(count)] + + def gen_pkts(self, sw_intf, src, dst, count=1, + payload_size=100): + return [Ether(dst=self.omac) / + IP(src="1.1.1.1", dst="1.1.1.2") / + UDP(sport=1144, dport=2233) / + Raw(b'X' * payload_size) + for i in range(count)] + + def verify_decrypted(self, p, rxs): + for rx in rxs: + self.assert_equal(rx[Ether].dst, self.omac) + self.assert_equal(rx[IP].dst, "1.1.1.2") + + def verify_encrypted(self, p, sa, rxs): + for rx in rxs: + self.assertTrue(rx.haslayer(UDP)) + self.assertEqual(rx[UDP].dport, 4545) + self.assertEqual(rx[UDP].sport, 5454) + try: + pkt = sa.decrypt(rx[IP]) + if not pkt.haslayer(IP): + pkt = IP(pkt[Raw].load) + self.assert_packet_checksums_valid(pkt) + self.assert_equal(pkt[IP].dst, self.pg0.remote_ip4) + self.assert_equal(pkt[IP].src, self.pg0.local_ip4) + self.assertTrue(pkt.haslayer(GRE)) + e = pkt[Ether] + self.assertEqual(e[Ether].dst, self.omac) + self.assertEqual(e[IP].dst, "1.1.1.2") + except (IndexError, AssertionError): + self.logger.debug(ppp("Unexpected packet:", rx)) + try: + self.logger.debug(ppp("Decrypted packet:", pkt)) + except: + pass + raise + + def setUp(self): + super(TestIpsecGreTebUdpIfEspTra, self).setUp() + + self.tun_if = self.pg0 + + p = self.ipv4_params + p = self.ipv4_params + p.flags = (VppEnum.vl_api_ipsec_sad_flags_t. + IPSEC_API_SAD_FLAG_UDP_ENCAP) + p.nat_header = UDP(sport=5454, dport=4545) + + bd1 = VppBridgeDomain(self, 1) + bd1.add_vpp_config() + + p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi, + p.auth_algo_vpp_id, p.auth_key, + p.crypt_algo_vpp_id, p.crypt_key, + self.vpp_esp_protocol, + flags=p.flags, + udp_src=5454, + udp_dst=4545) + p.tun_sa_out.add_vpp_config() + + p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi, + p.auth_algo_vpp_id, p.auth_key, + p.crypt_algo_vpp_id, p.crypt_key, + self.vpp_esp_protocol, + flags=(p.flags | + VppEnum.vl_api_ipsec_sad_flags_t. + IPSEC_API_SAD_FLAG_IS_INBOUND), + udp_src=5454, + udp_dst=4545) + p.tun_sa_in.add_vpp_config() + + p.tun_if = VppGreInterface(self, + self.pg0.local_ip4, + self.pg0.remote_ip4, + type=(VppEnum.vl_api_gre_tunnel_type_t. + GRE_API_TUNNEL_TYPE_TEB)) + p.tun_if.add_vpp_config() + + p.tun_protect = VppIpsecTunProtect(self, + p.tun_if, + p.tun_sa_out, + [p.tun_sa_in]) + + p.tun_protect.add_vpp_config() + + p.tun_if.admin_up() + p.tun_if.config_ip4() + config_tra_params(p, self.encryption_type, p.tun_if) + + VppBridgeDomainPort(self, bd1, p.tun_if).add_vpp_config() + VppBridgeDomainPort(self, bd1, self.pg1).add_vpp_config() + + self.vapi.cli("clear ipsec sa") + self.logger.info(self.vapi.cli("sh ipsec sa 0")) + + def tearDown(self): + p = self.ipv4_params + p.tun_if.unconfig_ip4() + super(TestIpsecGreTebUdpIfEspTra, self).tearDown() + + class TestIpsecGreIfEsp(TemplateIpsec, IpsecTun4Tests): """ Ipsec GRE ESP - TUN tests """ @@ -1799,7 +1922,7 @@ class TestIpsec4TunProtectUdp(TemplateIpsec, p = self.ipv4_params p.flags = (VppEnum.vl_api_ipsec_sad_flags_t. IPSEC_API_SAD_FLAG_UDP_ENCAP) - p.nat_header = UDP(sport=5454, dport=4500) + p.nat_header = UDP(sport=4500, dport=4500) self.config_network(p) self.config_sa_tra(p) self.config_protect(p) @@ -1811,6 +1934,13 @@ class TestIpsec4TunProtectUdp(TemplateIpsec, self.unconfig_network(p) super(TestIpsec4TunProtectUdp, self).tearDown() + def verify_encrypted(self, p, sa, rxs): + # ensure encrypted packets are recieved with the default UDP ports + for rx in rxs: + self.assertEqual(rx[UDP].sport, 4500) + self.assertEqual(rx[UDP].dport, 4500) + super(TestIpsec4TunProtectUdp, self).verify_encrypted(p, sa, rxs) + def test_tun_44(self): """IPSEC UDP tunnel protect""" diff --git a/test/vpp_ipsec.py b/test/vpp_ipsec.py index 268fe687876..985f6d4dc4e 100644 --- a/test/vpp_ipsec.py +++ b/test/vpp_ipsec.py @@ -184,12 +184,15 @@ class VppIpsecSA(VppObject): VPP SAD Entry """ + DEFAULT_UDP_PORT = 4500 + def __init__(self, test, id, spi, integ_alg, integ_key, crypto_alg, crypto_key, proto, tun_src=None, tun_dst=None, - flags=None, salt=0): + flags=None, salt=0, udp_src=None, + udp_dst=None): e = VppEnum.vl_api_ipsec_sad_flags_t self.test = test self.id = id @@ -214,44 +217,87 @@ class VppIpsecSA(VppObject): self.flags = self.flags | e.IPSEC_API_SAD_FLAG_IS_TUNNEL_V6 if (tun_dst): self.tun_dst = ip_address(text_type(tun_dst)) + self.udp_src = udp_src + self.udp_dst = udp_dst def add_vpp_config(self): - r = self.test.vapi.ipsec_sad_entry_add_del( - self.id, - self.spi, - self.integ_alg, - self.integ_key, - self.crypto_alg, - self.crypto_key, - self.proto, - (self.tun_src if self.tun_src else []), - (self.tun_dst if self.tun_dst else []), - flags=self.flags, - salt=self.salt) + entry = { + 'sad_id': self.id, + 'spi': self.spi, + 'integrity_algorithm': self.integ_alg, + 'integrity_key': { + 'length': len(self.integ_key), + 'data': self.integ_key, + }, + 'crypto_algorithm': self.crypto_alg, + 'crypto_key': { + 'data': self.crypto_key, + 'length': len(self.crypto_key), + }, + 'protocol': self.proto, + 'tunnel_src': (self.tun_src if self.tun_src else []), + 'tunnel_dst': (self.tun_dst if self.tun_dst else []), + 'flags': self.flags, + 'salt': self.salt + } + # don't explicitly send the defaults, let papi fill them in + if self.udp_src: + entry['udp_src_port'] = self.udp_src + if self.udp_dst: + entry['udp_dst_port'] = self.udp_dst + r = self.test.vapi.ipsec_sad_entry_add_del(is_add=1, entry=entry) self.stat_index = r.stat_index self.test.registry.register(self, self.test.logger) def remove_vpp_config(self): - self.test.vapi.ipsec_sad_entry_add_del( - self.id, - self.spi, - self.integ_alg, - self.integ_key, - self.crypto_alg, - self.crypto_key, - self.proto, - (self.tun_src if self.tun_src else []), - (self.tun_dst if self.tun_dst else []), - flags=self.flags, - is_add=0) + r = self.test.vapi.ipsec_sad_entry_add_del( + is_add=0, + entry={ + 'sad_id': self.id, + 'spi': self.spi, + 'integrity_algorithm': self.integ_alg, + 'integrity_key': { + 'length': len(self.integ_key), + 'data': self.integ_key, + }, + 'crypto_algorithm': self.crypto_alg, + 'crypto_key': { + 'data': self.crypto_key, + 'length': len(self.crypto_key), + }, + 'protocol': self.proto, + 'tunnel_src': (self.tun_src if self.tun_src else []), + 'tunnel_dst': (self.tun_dst if self.tun_dst else []), + 'flags': self.flags, + 'salt': self.salt + }) def object_id(self): return "ipsec-sa-%d" % self.id def query_vpp_config(self): + e = VppEnum.vl_api_ipsec_sad_flags_t + bs = self.test.vapi.ipsec_sa_dump() for b in bs: if b.entry.sad_id == self.id: + # if udp encap is configured then the ports should match + # those configured or the default + if (self.flags & e.IPSEC_API_SAD_FLAG_UDP_ENCAP): + if not b.entry.flags & e.IPSEC_API_SAD_FLAG_UDP_ENCAP: + return False + if self.udp_src: + if self.udp_src != b.entry.udp_src_port: + return False + else: + if self.DEFAULT_UDP_PORT != b.entry.udp_src_port: + return False + if self.udp_dst: + if self.udp_dst != b.entry.udp_dst_port: + return False + else: + if self.DEFAULT_UDP_PORT != b.entry.udp_dst_port: + return False return True return False diff --git a/test/vpp_papi_provider.py b/test/vpp_papi_provider.py index 73544125a7c..ec2f222b540 100644 --- a/test/vpp_papi_provider.py +++ b/test/vpp_papi_provider.py @@ -53,7 +53,6 @@ defaultmapping = { 'ip_punt_redirect': {'is_add': 1, }, 'ip_route_add_del': {'is_add': 1, }, 'ipsec_interface_add_del_spd': {'is_add': 1, }, - 'ipsec_sad_entry_add_del': {'is_add': 1, }, 'ipsec_spd_add_del': {'is_add': 1, }, 'ipsec_spd_dump': {'sa_id': 4294967295, }, 'ipsec_spd_entry_add_del': {'local_port_stop': 65535, @@ -947,60 +946,6 @@ class VppPapiProvider(object): {'spd_index': spd_index if spd_index else 0, 'spd_index_valid': 1 if spd_index else 0}) - def ipsec_sad_entry_add_del(self, - sad_id, - spi, - integrity_algorithm, - integrity_key, - crypto_algorithm, - crypto_key, - protocol, - tunnel_src_address='', - tunnel_dst_address='', - flags=0, - salt=0, - is_add=1): - """ IPSEC SA add/del - :param sad_id: security association ID - :param spi: security param index of the SA in decimal - :param integrity_algorithm: - :param integrity_key: - :param crypto_algorithm: - :param crypto_key: - :param protocol: AH(0) or ESP(1) protocol - :param tunnel_src_address: tunnel mode outer src address - :param tunnel_dst_address: tunnel mode outer dst address - :param is_add: - :param is_tunnel: - :** reference /vpp/src/vnet/ipsec/ipsec.h file for enum values of - crypto and ipsec algorithms - """ - return self.api( - self.papi.ipsec_sad_entry_add_del, - { - 'is_add': is_add, - 'entry': - { - 'sad_id': sad_id, - 'spi': spi, - 'tunnel_src': tunnel_src_address, - 'tunnel_dst': tunnel_dst_address, - 'protocol': protocol, - 'integrity_algorithm': integrity_algorithm, - 'integrity_key': { - 'length': len(integrity_key), - 'data': integrity_key, - }, - 'crypto_algorithm': crypto_algorithm, - 'crypto_key': { - 'length': len(crypto_key), - 'data': crypto_key, - }, - 'flags': flags, - 'salt': salt, - } - }) - def ipsec_sa_dump(self, sa_id=None): return self.api(self.papi.ipsec_sa_dump, {'sa_id': sa_id if sa_id else 0xffffffff}) -- cgit 1.2.3-korg