path: root/MAINTAINERS
Descriptions of section entries:

	M: Maintainer Full name and E-mail address: Full Name <address@domain>
	   One maintainer per line.  Multiple M: lines acceptable.
	F: Files and directories with wildcard patterns.
	   A trailing slash includes all files and subdirectory files.
	   F:	drivers/net/	all files in and below drivers/net
	   F:	drivers/net/*	all files in drivers/net, but not below
	   One pattern per line.  Multiple F: lines acceptable.
	C: Single line comment related to current section.

		-----------------------------------

Build System
M:	Damjan Marion <damarion@cisco.com>
F:	Makefile
F:	src/*.ac
F:	src/*.am
F:	src/*.mk
F:	src/m4/

Build System Internal
M:	Dave Barach <dave@barachs.net>
F:	build-root/Makefile
F:	build-data/*

Doxygen
M:	Chris Luke <chrisy@flirble.org>
F:	doxygen/

DPDK Development Packaging
M:	Damjan Marion <damarion@cisco.com>
F:	dpdk/
F:	dpdk/*

Infrastructure Library
M:	Dave Barach <dave@barachs.net>
F:	src/vppinfra/

VLIB Library
M:	Dave Barach <dave@barachs.net>
M:	Damjan Marion <damarion@cisco.com>
F:	src/vlib/

VLIB API Libraries
M:	Dave Barach <dave@barachs.net>
F:	src/vlibapi/
F:	src/vlibmemory/
F:	src/vlibsocket/

VNET Bidirectional Forwarding Detection (BFD)
M:	Klement Sekera <ksekera@cisco.com>
F:	src/vnet/bfd/

VNET Device Drivers
M:	Damjan Marion <damarion@cisco.com>
F:	src/vnet/devices/

VNET Device Drivers - DPDK Crypto
M:	Sergio Gonzalez Monroy <sergio.gonzalez.monroy@outlook.com>
M:	Radu Nicolau <radu.nicolau@intel.com>
F:	src/devices/dpdk/ipsec/

VNET Feature Arcs
M:	Dave Barach <dave@barachs.net>
M:	Damjan Marion <damarion@cisco.com>
F:	src/vnet/feature/

VNET FIB
M:	Neale Ranns <nranns@cisco.com>
F:	src/vnet/fib/
F:	src/vnet/mfib/
F:	src/vnet/dpo
F:	src/vnet/adj

VNET IPv4 and IPv6 LPM
M:	Dave Barach <dave@barachs.net>
F:	src/vnet/ip/

VNET Segment Routing (IPv6 and MPLS)
M:	Pablo Camarillo <pcamaril@cisco.com>
F:	src/vnet/srv6/
F:	src/vnet/srmpls/
F:	src/examples/srv6-sample-localsid/

VNET IPSec
M:	Matus Fabian <matfabia@cisco.com>
M:	Radu Nicolau <radu.nicolau@intel.com>
F:	src/vnet/ipsec/

VNET L2
M:	John Lo <loj@cisco.com>
F:	src/vnet/l2/

VNET Link Layer Discovery Protocol (LLDP)
M:	Klement Sekera <ksekera@cisco.com>
F:	src/vnet/lldp/

VNET LISP
M:	Florin Coras <fcoras@cisco.com>
F:	src/vnet/lisp-cp/
F:	src/vnet/lisp-gpe/

VNET MAP
M:	Ole Troan <ot@cisco.com>
F:	src/vnet/map

VNET MPLS
M:	Neale Ranns <nranns@cisco.com>
F:	src/vnet/mpls/

VNET Host Stack Session Layer
M:	Florin Coras <fcoras@cisco.com>
F:	src/vnet/session

VNET TCP Stack
M:	Florin Coras <fcoras@cisco.com>
F:	src/vnet/tcp

VNET VXLAN
M:	John Lo <loj@cisco.com>
F:	src/vnet/vxlan/

VNET VXLAN-GPE
M:	Keith Burns <alagalah@gmail.com>
M:	Hongjun Ni <hongjun.ni@intel.com>
F:	src/vnet/vxlan-gpe/

VNET GENEVE
M:	Marco Varlese <marco.varlese@suse.com>
F:	src/vnet/geneve/

Plugin - ACL
M:	Andrew Yourtchenko <ayourtch@gmail.com>
F:	src/plugins/acl/
F:	src/plugins/acl.am

Plugin - flowprobe
M:	Ole Troan <otroan@employees.org>
F:	src/plugins/flowprobe/
F:	src/plugins/flowprobe.am

Plugin - SIXRD
M:	Ole Troan <ot@cisco.com>
F:	src/plugins/sixrd/
F:	src/plugins/sixrd.am

Plugin - GTPU
M:	Hongjun Ni <hongjun.ni@intel.com>
F:	src/plugins/gtpu/
F:	src/plugins/gtpu.am

Plugin - PPPoE
M:	Hongjun Ni <hongjun.ni@intel.com>
F:	src/plugins/pppoe/
F:	src/plugins/pppoe.am

Test Infrastructure
M:	Klement Sekera <ksekera@cisco.com>
F:	test/

SVM Library
M:	Dave Barach <dave@barachs.net>
F:	src/svm

VPP API TEST
M:	Dave Barach <dave@barachs.net>
F:	src/vat/

VPP Executable
M:	Dave Barach <dave@barachs.net>
F:	src/vpp/

Graphical Event Viewer
M:	Dave Barach <dave@barachs.net>
F:	src/tools/g2/

Performance Tooling
M:	Dave Barach <dave@barachs.net>
F:	src/tools/perftool/

Binary API Compiler
M:	Dave Barach <dave@barachs.net>
F:	src/tools/vppapigen/

Ganglia Telemetry Module
M:	Dave Barach <dave@barachs.net>
F:	gmod/

THE REST
C:	Contact vpp-dev Mailing List <vpp-dev@fd.io>
F:	*
F:	*/
#!/usr/bin/env python3

import socket

import scapy.compat
from scapy.layers.l2 import Ether
from scapy.layers.inet import ICMP, IP, TCP, UDP
from scapy.layers.ipsec import SecurityAssociation, ESP

from util import ppp, ppc
from template_ipsec import TemplateIpsec
from vpp_ipsec import VppIpsecSA, VppIpsecSpd, VppIpsecSpdEntry, VppIpsecSpdItfBinding
from vpp_ip_route import VppIpRoute, VppRoutePath
from vpp_ip import DpoProto
from vpp_papi import VppEnum


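class IPSecNATTestCase(TemplateIpsec):
    """IPSec/NAT

    TUNNEL MODE::

         public network  |   private network
         ---   encrypt  ---   plain   ---
        |pg0| <------- |VPP| <------ |pg1|
         ---            ---           ---

         ---   decrypt  ---   plain   ---
        |pg0| -------> |VPP| ------> |pg1|
         ---            ---           ---

    pg0 (``self.tun_if``) is the public side and carries ESP wrapped in UDP
    (NAT traversal); pg1 is the private side and carries plain IPv4.
    ``setUp`` installs the two SAs, the SPD policies and a route, and
    ``test_ipsec_nat_tun`` sends traffic in both directions and verifies
    what leaves the opposite interface.
    """

    # Transport-layer identifiers carried by the test packets.  The ``_in``
    # values are the source ports/ID of the plain packets sent from pg1 and
    # the destination ports/ID expected in packets decrypted by VPP; the
    # ``_out`` values are the destination ports/ID placed in the packets
    # encrypted by scapy and sent from pg0.  They are equal in this test.
    tcp_port_in = 6303
    tcp_port_out = 6303
    udp_port_in = 6304
    udp_port_out = 6304
    icmp_id_in = 6305
    icmp_id_out = 6305

    # UDP port used for NAT-T encapsulation of ESP (RFC 3948).  Shared by the
    # SPD policies in ``config_esp_tun`` and by the scapy ``nat_t_header`` in
    # ``test_ipsec_nat_tun`` so that both ends of the tunnel always agree.
    nat_t_port = 4500

    @classmethod
    def setUpClass(cls):
        """Pass-through to the template's class-level setup."""
        super().setUpClass()

    @classmethod
    def tearDownClass(cls):
        """Pass-through to the template's class-level teardown."""
        super().tearDownClass()

    def setUp(self):
        """Bind an SPD to pg0, configure the ESP tunnel and add a route.

        Sets ``self.tun_if`` (pg0) and ``self.tun_spd`` for the other
        methods and logs the resulting IPsec state.
        """
        super().setUp()
        self.tun_if = self.pg0

        # SPD must exist and be bound to the interface before policies are
        # added to it in config_esp_tun().
        self.tun_spd = VppIpsecSpd(self, self.tun_spd_id)
        self.tun_spd.add_vpp_config()
        VppIpsecSpdItfBinding(self, self.tun_spd, self.tun_if).add_vpp_config()

        p = self.ipv4_params
        self.config_esp_tun(p)
        self.logger.info(self.vapi.ppcli("show ipsec all"))

        # Route the remote tunnel host via the tunnel interface's peer
        # address; sw_if_index 0xFFFFFFFF presumably means "resolve by
        # next-hop only" — confirm against VppRoutePath.
        d = DpoProto.DPO_PROTO_IP6 if p.is_ipv6 else DpoProto.DPO_PROTO_IP4
        VppIpRoute(
            self,
            p.remote_tun_if_host,
            p.addr_len,
            [VppRoutePath(self.tun_if.remote_addr[p.addr_type], 0xFFFFFFFF, proto=d)],
        ).add_vpp_config()

    def tearDown(self):
        """Pass-through to the template's per-test teardown."""
        super().tearDown()

    def create_stream_plain(self, src_mac, dst_mac, src_ip, dst_ip):
        """Build one plain TCP, UDP and ICMP packet for the private side.

        The source port / ICMP ID are the ``*_in`` class attributes; the
        destination port of TCP and UDP is fixed at 20.

        Returns a list of three scapy Ether/IP packets.
        """
        return [
            # TCP
            Ether(src=src_mac, dst=dst_mac)
            / IP(src=src_ip, dst=dst_ip)
            / TCP(sport=self.tcp_port_in, dport=20),
            # UDP
            Ether(src=src_mac, dst=dst_mac)
            / IP(src=src_ip, dst=dst_ip)
            / UDP(sport=self.udp_port_in, dport=20),
            # ICMP
            Ether(src=src_mac, dst=dst_mac)
            / IP(src=src_ip, dst=dst_ip)
            / ICMP(id=self.icmp_id_in, type="echo-request"),
        ]

    def create_stream_encrypted(self, src_mac, dst_mac, src_ip, dst_ip, sa):
        """Build one ESP-encrypted TCP, UDP and ICMP packet for the public side.

        Each inner IP packet (src_ip -> dst_ip, destination port / ICMP ID
        from the ``*_out`` class attributes, source port 20) is encrypted
        with the scapy SecurityAssociation *sa*, which supplies the tunnel
        and NAT-T headers.

        Returns a list of three scapy Ether packets.
        """
        return [
            # TCP
            Ether(src=src_mac, dst=dst_mac)
            / sa.encrypt(
                IP(src=src_ip, dst=dst_ip) / TCP(dport=self.tcp_port_out, sport=20)
            ),
            # UDP
            Ether(src=src_mac, dst=dst_mac)
            / sa.encrypt(
                IP(src=src_ip, dst=dst_ip) / UDP(dport=self.udp_port_out, sport=20)
            ),
            # ICMP
            Ether(src=src_mac, dst=dst_mac)
            / sa.encrypt(
                IP(src=src_ip, dst=dst_ip)
                / ICMP(id=self.icmp_id_out, type="echo-request")
            ),
        ]

    def verify_capture_plain(self, capture):
        """Check packets decrypted by VPP and captured on the private side.

        Every packet must have valid checksums, the tunnel peer as source
        and pg1's remote host as destination, the expected ``*_in`` port /
        ICMP ID, and no leftover UDP (NAT-T) header from the encapsulation.

        Logs the offending packet and re-raises on any assertion failure.
        """
        for packet in capture:
            try:
                self.assert_packet_checksums_valid(packet)
                self.assert_equal(
                    packet[IP].src,
                    self.tun_if.remote_ip4,
                    "decrypted packet source address",
                )
                self.assert_equal(
                    packet[IP].dst,
                    self.pg1.remote_ip4,
                    "decrypted packet destination address",
                )
                if packet.haslayer(TCP):
                    self.assertFalse(
                        packet.haslayer(UDP),
                        "unexpected UDP header in decrypted packet",
                    )
                    self.assert_equal(
                        packet[TCP].dport,
                        self.tcp_port_in,
                        "decrypted packet TCP destination port",
                    )
                elif packet.haslayer(UDP):
                    # The inner packet is itself UDP, so only a *second*
                    # UDP layer below it would be a leaked NAT-T header.
                    if packet[UDP].payload:
                        self.assertFalse(
                            packet[UDP][1].haslayer(UDP),
                            "unexpected UDP header in decrypted packet",
                        )
                    self.assert_equal(
                        packet[UDP].dport,
                        self.udp_port_in,
                        "decrypted packet UDP destination port",
                    )
                else:
                    # Anything that is neither TCP nor UDP is expected to be
                    # the ICMP echo request; a missing ICMP layer raises and
                    # is reported below.
                    self.assertFalse(
                        packet.haslayer(UDP),
                        "unexpected UDP header in decrypted packet",
                    )
                    self.assert_equal(
                        packet[ICMP].id, self.icmp_id_in, "decrypted packet ICMP ID"
                    )
            except Exception:
                self.logger.error(ppp("Unexpected or invalid plain packet:", packet))
                raise

    def verify_capture_encrypted(self, capture, sa):
        """Check ESP-in-UDP packets encrypted by VPP and captured on pg0.

        Every packet must carry a UDP length field matching what scapy
        computes for it, valid checksums and an ESP layer; after decryption
        with *sa* the inner IP header must be pg1's remote host ->
        tunnel peer.

        Logs the offending packet and re-raises on any assertion failure.
        """
        for packet in capture:
            try:
                # Re-parse a copy with the UDP length cleared so scapy fills
                # it in on rebuild, then compare with the length VPP wrote.
                copy = packet.__class__(scapy.compat.raw(packet))
                del copy[UDP].len
                copy = packet.__class__(scapy.compat.raw(copy))
                self.assert_equal(packet[UDP].len, copy[UDP].len, "UDP header length")
                self.assert_packet_checksums_valid(packet)
                self.assertIn(ESP, packet[IP])
                decrypt_pkt = sa.decrypt(packet[IP])
                self.assert_packet_checksums_valid(decrypt_pkt)
                self.assert_equal(
                    decrypt_pkt[IP].src,
                    self.pg1.remote_ip4,
                    "encrypted packet source address",
                )
                self.assert_equal(
                    decrypt_pkt[IP].dst,
                    self.tun_if.remote_ip4,
                    "encrypted packet destination address",
                )
            except Exception:
                self.logger.error(
                    ppp("Unexpected or invalid encrypted packet:", packet)
                )
                raise

    def config_esp_tun(self, params):
        """Install the two UDP-encapsulated SAs and the SPD policies.

        *params* is the template's per-address-family parameter object
        (``self.ipv4_params`` here).  Two SAs are created with the same
        algorithms and keys but opposite tunnel endpoints: the ``scapy_tun``
        SA (pg1 remote -> tunnel peer) is the one VPP uses to encrypt, the
        ``vpp_tun`` SA (tunnel peer -> pg1 remote) the one it uses to
        decrypt.  Both carry IPSEC_API_SAD_FLAG_UDP_ENCAP so ESP is wrapped
        in UDP on ``nat_t_port``.

        Policies, in order: ESP and NAT-T UDP in both directions with the
        entry's default action (presumably bypass — confirm in
        VppIpsecSpdEntry), then inbound and outbound PROTECT policies at
        priority 10 matching the tunnel endpoints.  The SAs must exist
        before the PROTECT policies that reference them.
        """
        addr_type = params.addr_type
        scapy_tun_sa_id = params.scapy_tun_sa_id
        scapy_tun_spi = params.scapy_tun_spi
        vpp_tun_sa_id = params.vpp_tun_sa_id
        vpp_tun_spi = params.vpp_tun_spi
        auth_algo_vpp_id = params.auth_algo_vpp_id
        auth_key = params.auth_key
        crypt_algo_vpp_id = params.crypt_algo_vpp_id
        crypt_key = params.crypt_key
        addr_any = params.addr_any
        addr_bcast = params.addr_bcast
        flags = VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_UDP_ENCAP
        e = VppEnum.vl_api_ipsec_spd_action_t

        # SA used by VPP to encrypt (decrypted by scapy in the test).
        VppIpsecSA(
            self,
            scapy_tun_sa_id,
            scapy_tun_spi,
            auth_algo_vpp_id,
            auth_key,
            crypt_algo_vpp_id,
            crypt_key,
            self.vpp_esp_protocol,
            self.pg1.remote_addr[addr_type],
            self.tun_if.remote_addr[addr_type],
            flags=flags,
        ).add_vpp_config()
        # SA used by VPP to decrypt (encrypted by scapy in the test).
        VppIpsecSA(
            self,
            vpp_tun_sa_id,
            vpp_tun_spi,
            auth_algo_vpp_id,
            auth_key,
            crypt_algo_vpp_id,
            crypt_key,
            self.vpp_esp_protocol,
            self.tun_if.remote_addr[addr_type],
            self.pg1.remote_addr[addr_type],
            flags=flags,
        ).add_vpp_config()

        # Raw ESP, outbound and inbound, any address.
        VppIpsecSpdEntry(
            self,
            self.tun_spd,
            scapy_tun_sa_id,
            addr_any,
            addr_bcast,
            addr_any,
            addr_bcast,
            socket.IPPROTO_ESP,
        ).add_vpp_config()
        VppIpsecSpdEntry(
            self,
            self.tun_spd,
            scapy_tun_sa_id,
            addr_any,
            addr_bcast,
            addr_any,
            addr_bcast,
            socket.IPPROTO_ESP,
            is_outbound=0,
        ).add_vpp_config()
        # UDP-encapsulated ESP (NAT-T port), outbound and inbound.
        VppIpsecSpdEntry(
            self,
            self.tun_spd,
            scapy_tun_sa_id,
            addr_any,
            addr_bcast,
            addr_any,
            addr_bcast,
            socket.IPPROTO_UDP,
            remote_port_start=self.nat_t_port,
            remote_port_stop=self.nat_t_port,
        ).add_vpp_config()
        VppIpsecSpdEntry(
            self,
            self.tun_spd,
            scapy_tun_sa_id,
            addr_any,
            addr_bcast,
            addr_any,
            addr_bcast,
            socket.IPPROTO_UDP,
            remote_port_start=self.nat_t_port,
            remote_port_stop=self.nat_t_port,
            is_outbound=0,
        ).add_vpp_config()
        # Inbound PROTECT: tunnel peer -> pg1 remote, decrypted with vpp_tun SA.
        VppIpsecSpdEntry(
            self,
            self.tun_spd,
            vpp_tun_sa_id,
            self.tun_if.remote_addr[addr_type],
            self.tun_if.remote_addr[addr_type],
            self.pg1.remote_addr[addr_type],
            self.pg1.remote_addr[addr_type],
            socket.IPPROTO_RAW,
            priority=10,
            policy=e.IPSEC_API_SPD_ACTION_PROTECT,
            is_outbound=0,
        ).add_vpp_config()
        # Outbound PROTECT: pg1 remote -> tunnel peer, encrypted with scapy_tun SA.
        VppIpsecSpdEntry(
            self,
            self.tun_spd,
            scapy_tun_sa_id,
            self.pg1.remote_addr[addr_type],
            self.pg1.remote_addr[addr_type],
            self.tun_if.remote_addr[addr_type],
            self.tun_if.remote_addr[addr_type],
            socket.IPPROTO_RAW,
            policy=e.IPSEC_API_SPD_ACTION_PROTECT,
            priority=10,
        ).add_vpp_config()

    def test_ipsec_nat_tun(self):
        """IPSec/NAT tunnel test case

        in2out: plain packets from pg1 must leave pg0 as ESP-in-UDP that the
        scapy ``scapy_tun`` SA can decrypt.  out2in: ESP-in-UDP packets built
        with the scapy ``vpp_tun`` SA and sent into pg0 must leave pg1 as
        plain packets with the encapsulation fully removed.
        """
        p = self.ipv4_params
        # scapy's view of the SA VPP encrypts with.
        scapy_tun_sa = SecurityAssociation(
            ESP,
            spi=p.scapy_tun_spi,
            crypt_algo=p.crypt_algo,
            crypt_key=p.crypt_key,
            auth_algo=p.auth_algo,
            auth_key=p.auth_key,
            tunnel_header=IP(src=self.pg1.remote_ip4, dst=self.tun_if.remote_ip4),
            nat_t_header=UDP(sport=self.nat_t_port, dport=self.nat_t_port),
        )
        # in2out - from private network to public
        pkts = self.create_stream_plain(
            self.pg1.remote_mac,
            self.pg1.local_mac,
            self.pg1.remote_ip4,
            self.tun_if.remote_ip4,
        )
        self.pg1.add_stream(pkts)
        self.pg_enable_capture(self.pg_interfaces)
        self.pg_start()
        capture = self.tun_if.get_capture(len(pkts))
        self.verify_capture_encrypted(capture, scapy_tun_sa)

        # scapy's view of the SA VPP decrypts with.
        vpp_tun_sa = SecurityAssociation(
            ESP,
            spi=p.vpp_tun_spi,
            crypt_algo=p.crypt_algo,
            crypt_key=p.crypt_key,
            auth_algo=p.auth_algo,
            auth_key=p.auth_key,
            tunnel_header=IP(src=self.tun_if.remote_ip4, dst=self.pg1.remote_ip4),
            nat_t_header=UDP(sport=self.nat_t_port, dport=self.nat_t_port),
        )

        # out2in - from public network to private
        pkts = self.create_stream_encrypted(
            self.tun_if.remote_mac,
            self.tun_if.local_mac,
            self.tun_if.remote_ip4,
            self.pg1.remote_ip4,
            vpp_tun_sa,
        )
        self.logger.info(ppc("Sending packets:", pkts))
        self.tun_if.add_stream(pkts)
        self.pg_enable_capture(self.pg_interfaces)
        self.pg_start()
        capture = self.pg1.get_capture(len(pkts))
        self.verify_capture_plain(capture)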