From efcad1a9d22c4a664f3004cafe09d9c3a68e1620 Mon Sep 17 00:00:00 2001 From: Filip Tehlar Date: Tue, 4 Feb 2020 09:36:04 +0000 Subject: ipsec: add support for chained buffers Type: feature Change-Id: Ie072a7c2bbb1e4a77f7001754f01897efd30fc53 Signed-off-by: Filip Tehlar --- test/template_ipsec.py | 58 ++++++++++---------------------------------------- test/test_ipsec_esp.py | 23 ++++++++++++++++---- 2 files changed, 30 insertions(+), 51 deletions(-) (limited to 'test') diff --git a/test/template_ipsec.py b/test/template_ipsec.py index 2eeb63c16d1..56f4b456468 100644 --- a/test/template_ipsec.py +++ b/test/template_ipsec.py @@ -556,7 +556,7 @@ class IpsecTra4(object): p.scapy_tra_sa.seq_num = 351 p.vpp_tra_sa.seq_num = 351 - def verify_tra_basic4(self, count=1): + def verify_tra_basic4(self, count=1, payload_size=54): """ ipsec v4 transport basic test """ self.vapi.cli("clear errors") self.vapi.cli("clear ipsec sa") @@ -565,7 +565,8 @@ class IpsecTra4(object): send_pkts = self.gen_encrypt_pkts(p.scapy_tra_sa, self.tra_if, src=self.tra_if.remote_ip4, dst=self.tra_if.local_ip4, - count=count) + count=count, + payload_size=payload_size) recv_pkts = self.send_and_expect(self.tra_if, send_pkts, self.tra_if) for rx in recv_pkts: @@ -611,14 +612,16 @@ class IpsecTra4Tests(IpsecTra4): class IpsecTra6(object): """ verify methods for Transport v6 """ - def verify_tra_basic6(self, count=1): + def verify_tra_basic6(self, count=1, payload_size=54): self.vapi.cli("clear errors") + self.vapi.cli("clear ipsec sa") try: p = self.params[socket.AF_INET6] send_pkts = self.gen_encrypt_pkts6(p.scapy_tra_sa, self.tra_if, src=self.tra_if.remote_ip6, dst=self.tra_if.local_ip6, - count=count) + count=count, + payload_size=payload_size) recv_pkts = self.send_and_expect(self.tra_if, send_pkts, self.tra_if) for rx in recv_pkts: 
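Review bot: The new default `payload_size=54` on `verify_tra_basic4` is a bare literal with no statement of its unit or origin, and the same literal is repeated on `verify_tra_basic6` in the `@@ -611` hunk. The one-line docstring could be extended to say that `payload_size` is forwarded unchanged to `gen_encrypt_pkts` and, presumably, counts payload bytes before ESP encapsulation. A single module-level constant used for both defaults would stop the two signatures drifting apart. The body of `verify_tra_basic4` continues past this hunk.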
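Review bot: `verify_tra_basic6` still has no docstring although this hunk changes its signature and its v4 sibling has one; adding `""" ipsec v6 transport basic test """` under the `def` would keep the two helpers consistent. The newly added `self.vapi.cli("clear ipsec sa")` would also benefit from a short comment such as `# start from clean SA state, as verify_tra_basic4 does`, if that is the intent, since the hunk does not say why the v6 path went without it before. The function body runs past the end of the hunk.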
@@ -834,7 +837,8 @@ class IpsecTun4(object): send_pkts = self.gen_encrypt_pkts(p.scapy_tun_sa, self.tun_if, src=p.remote_tun_if_host, dst=self.pg1.remote_ip4, - count=count) + count=count, + payload_size=payload_size) recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1) self.verify_decrypted(p, recv_pkts) @@ -857,41 +861,6 @@ class IpsecTun4(object): self.logger.info(self.vapi.ppcli("show ipsec sa 4")) self.verify_counters4(p, count, n_rx) - """ verify methods for Transport v4 """ - def verify_tun_44_bad_packet_sizes(self, p): - # with a buffer size of 2048, 1989 bytes of payload - # means there isn't space to insert the ESP header - N_PKTS = 63 - for p_siz in [1989, 8500]: - send_pkts = self.gen_encrypt_pkts(p.scapy_tun_sa, self.tun_if, - src=p.remote_tun_if_host, - dst=self.pg1.remote_ip4, - count=N_PKTS, - payload_size=p_siz) - self.send_and_assert_no_replies(self.tun_if, send_pkts) - send_pkts = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4, - dst=p.remote_tun_if_host, count=N_PKTS, - payload_size=p_siz) - self.send_and_assert_no_replies(self.pg1, send_pkts, - self.tun_if) - - # both large packets on decrpyt count against chained buffers - # the 9000 bytes one does on encrypt - self.assertEqual(2 * N_PKTS, - self.statistics.get_err_counter( - '/err/%s/chained buffers (packet dropped)' % - self.tun4_decrypt_node_name)) - self.assertEqual(N_PKTS, - self.statistics.get_err_counter( - '/err/%s/chained buffers (packet dropped)' % - self.tun4_encrypt_node_name)) - - # on encrypt the 1989 size is no trailer space - self.assertEqual(N_PKTS, - self.statistics.get_err_counter( - '/err/%s/no trailer space (packet dropped)' % - self.tun4_encrypt_node_name)) - def verify_tun_reass_44(self, p): self.vapi.cli("clear errors") self.vapi.ip_reassembly_enable_disable( 
@@ -996,12 +965,6 @@ class IpsecTun4Tests(IpsecTun4): self.verify_tun_44(self.params[socket.AF_INET], count=127) -class IpsecTunEsp4Tests(IpsecTun4): - def test_tun_bad_packet_sizes(self): - """ ipsec v4 tunnel bad packet size """ - self.verify_tun_44_bad_packet_sizes(self.params[socket.AF_INET]) - - class IpsecTun6(object): """ verify methods for Tunnel v6 """ def verify_counters6(self, p_in, p_out, count, worker=None): @@ -1064,7 +1027,8 @@ class IpsecTun6(object): send_pkts = self.gen_encrypt_pkts6(p_in.scapy_tun_sa, self.tun_if, src=p_in.remote_tun_if_host, dst=self.pg1.remote_ip6, - count=count) + count=count, + payload_size=payload_size) recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1) self.verify_decrypted6(p_in, recv_pkts) diff --git a/test/test_ipsec_esp.py b/test/test_ipsec_esp.py index 60e5c93ed65..5b057e750cc 100644 --- a/test/test_ipsec_esp.py +++ b/test/test_ipsec_esp.py @@ -10,7 +10,7 @@ from template_ipsec import IpsecTra46Tests, IpsecTun46Tests, TemplateIpsec, \ config_tun_params, IPsecIPv4Params, IPsecIPv6Params, \ IpsecTra4, IpsecTun4, IpsecTra6, IpsecTun6, \ IpsecTun6HandoffTests, IpsecTun4HandoffTests, \ - IpsecTra6ExtTests, IpsecTunEsp4Tests + IpsecTra6ExtTests from vpp_ipsec import VppIpsecSpd, VppIpsecSpdEntry, VppIpsecSA,\ VppIpsecSpdItfBinding from vpp_ip_route import VppIpRoute, VppRoutePath @@ -18,6 +18,7 @@ from vpp_ip import DpoProto from vpp_papi import VppEnum NUM_PKTS = 67 +engines_supporting_chain_bufs = ["openssl"] class ConfigIpsecESP(TemplateIpsec): @@ -288,8 +289,7 @@ class TemplateIpsecEsp(ConfigIpsecESP): class TestIpsecEsp1(TemplateIpsecEsp, IpsecTra46Tests, - IpsecTun46Tests, IpsecTunEsp4Tests, - IpsecTra6ExtTests): + IpsecTun46Tests, IpsecTra6ExtTests): """ Ipsec ESP - TUN & TRA tests """ pass 
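Review bot: `engines_supporting_chain_bufs` in the `@@ -18` hunk is a module-level constant, but it is written in lower case and as a mutable list directly under `NUM_PKTS`. `ENGINES_SUPPORTING_CHAIN_BUFS = ("openssl",)` would match the neighbouring constant and could not be appended to by a test at runtime; the membership check in `run_a_test` would need the same rename. A comment above it stating what qualifies an engine for the list would help, since the string appears to have to match the engine name passed to `set crypto handler all`.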
@@ -469,7 +469,7 @@ class RunTestIpsecEspAll(ConfigIpsecESP, def run_test(self): self.run_a_test(self.engine, self.flag, self.algo) - def run_a_test(self, engine, flag, algo): + def run_a_test(self, engine, flag, algo, payload_size=None): self.vapi.cli("set crypto handler all %s" % engine) self.ipv4_params = IPsecIPv4Params() @@ -508,6 +508,21 @@ class RunTestIpsecEspAll(ConfigIpsecESP, self.verify_tun_44(self.params[socket.AF_INET], count=NUM_PKTS) + LARGE_PKT_SZ = [ + 4010, # ICV ends up splitted accross 2 buffers in esp_decrypt + # for transport4; transport6 takes normal path + + 4020, # same as above but tra4 and tra6 are switched + ] + if self.engine in engines_supporting_chain_bufs: + for sz in LARGE_PKT_SZ: + self.verify_tra_basic4(count=NUM_PKTS, payload_size=sz) + self.verify_tra_basic6(count=NUM_PKTS, payload_size=sz) + self.verify_tun_66(self.params[socket.AF_INET6], + count=NUM_PKTS, payload_size=sz) + self.verify_tun_44(self.params[socket.AF_INET], + count=NUM_PKTS, payload_size=sz) + # # remove the SPDs, SAs, etc # -- cgit 1.2.3-korg
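Review bot: The new `payload_size=None` parameter on `run_a_test` is never read in the lines shown. `run_test` still calls `self.run_a_test(self.engine, self.flag, self.algo)`, and the large-packet loop added further down iterates its own `sz`. Unless the part of the body outside these hunks uses it, either drop the parameter or document what `None` means and pass it through to the `verify_*` calls.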
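Review bot: Engines missing from `engines_supporting_chain_bufs` now get no large-packet traffic at all in `run_a_test`, and the same commit deletes `verify_tun_44_bad_packet_sizes`, so within this patch nothing asserts what a non-chaining engine does with an ESP packet that spans several buffers. Buffer-boundary handling in a decrypt path is where a silent regression can become a memory-safety problem, so an `else:` branch would keep the negative case pinned. It would send the same `LARGE_PKT_SZ` sizes and assert the expected outcome for those engines (a drop checked with `send_and_assert_no_replies` plus the relevant error counter, if that is still the behaviour). The gate should also test the argument rather than the attribute, `if engine in engines_supporting_chain_bufs:`, because the crypto handler was set from `engine` at the top of the function. The function starts and ends outside this hunk.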