import socket import unittest from scapy.layers.ipsec import ESP from scapy.layers.inet import UDP from framework import VppTestRunner from template_ipsec import IpsecTra46Tests, IpsecTun46Tests, TemplateIpsec, \ IpsecTcpTests, IpsecTun4Tests, IpsecTra4Tests, config_tra_params, \ IPsecIPv4Params, IPsecIPv6Params, \ IpsecTra4, IpsecTun4, IpsecTra6, IpsecTun6 from vpp_ipsec import VppIpsecSpd, VppIpsecSpdEntry, VppIpsecSA,\ VppIpsecSpdItfBinding from vpp_ip_route import VppIpRoute, VppRoutePath from vpp_ip import DpoProto from vpp_papi import VppEnum class ConfigIpsecESP(TemplateIpsec): encryption_type = ESP tra4_encrypt_node_name = "esp4-encrypt" tra4_decrypt_node_name = "esp4-decrypt" tra6_encrypt_node_name = "esp6-encrypt" tra6_decrypt_node_name = "esp6-decrypt" tun4_encrypt_node_name = "esp4-encrypt" tun4_decrypt_node_name = "esp4-decrypt" tun6_encrypt_node_name = "esp6-encrypt" tun6_decrypt_node_name = "esp6-decrypt" @classmethod def setUpClass(cls): super(ConfigIpsecESP, cls).setUpClass() @classmethod def tearDownClass(cls): super(ConfigIpsecESP, cls).tearDownClass() def setUp(self): super(ConfigIpsecESP, self).setUp() def tearDown(self): super(ConfigIpsecESP, self).tearDown() def config_network(self, params): self.net_objs = [] self.tun_if = self.pg0 self.tra_if = self.pg2 self.logger.info(self.vapi.ppcli("show int addr")) self.tra_spd = VppIpsecSpd(self, self.tra_spd_id) self.tra_spd.add_vpp_config() self.net_objs.append(self.tra_spd) self.tun_spd = VppIpsecSpd(self, self.tun_spd_id) self.tun_spd.add_vpp_config() self.net_objs.append(self.tun_spd) b = VppIpsecSpdItfBinding(self, self.tun_spd, self.tun_if) b.add_vpp_config() self.net_objs.append(b) b = VppIpsecSpdItfBinding(self, self.tra_spd, self.tra_if) b.add_vpp_config() self.net_objs.append(b) for p in params: self.config_esp_tra(p) config_tra_params(p, self.encryption_type) for p in params: self.config_esp_tun(p) for p in params: d = DpoProto.DPO_PROTO_IP6 if p.is_ipv6 else DpoProto.DPO_PROTO_IP4 r = VppIpRoute(self, p.remote_tun_if_host, p.addr_len, [VppRoutePath(self.tun_if.remote_addr[p.addr_type], 0xffffffff, proto=d)], is_ip6=p.is_ipv6) r.add_vpp_config() self.net_objs.append(r) self.logger.info(self.vapi.ppcli("show ipsec all")) def unconfig_network(self): for o in reversed(self.net_objs): o.remove_vpp_config() self.net_objs = [] def config_esp_tun(self, params): addr_type = params.addr_type scapy_tun_sa_id = params.scapy_tun_sa_id scapy_tun_spi = params.scapy_tun_spi vpp_tun_sa_id = params.vpp_tun_sa_id vpp_tun_spi = params.vpp_tun_spi auth_algo_vpp_id = params.auth_algo_vpp_id auth_key = params.auth_key crypt_algo_vpp_id = params.crypt_algo_vpp_id crypt_key = params.crypt_key remote_tun_if_host = params.remote_tun_if_host addr_any = params.addr_any addr_bcast = params.addr_bcast e = VppEnum.vl_api_ipsec_spd_action_t flags = params.flags salt = params.salt objs = [] params.tun_sa_in = VppIpsecSA(self, scapy_tun_sa_id, scapy_tun_spi, auth_algo_vpp_id, auth_key, crypt_algo_vpp_id, crypt_key, self.vpp_esp_protocol, self.tun_if.local_addr[addr_type], self.tun_if.remote_addr[addr_type], flags=flags, salt=salt) params.tun_sa_out = VppIpsecSA(self, vpp_tun_sa_id, vpp_tun_spi, auth_algo_vpp_id, auth_key, crypt_algo_vpp_id, crypt_key, self.vpp_esp_protocol, self.tun_if.remote_addr[addr_type], self.tun_if.local_addr[addr_type], flags=flags, salt=salt) objs.append(params.tun_sa_in) objs.append(params.tun_sa_out) params.spd_policy_in_any = VppIpsecSpdEntry(self, self.tun_spd, scapy_tun_sa_id, addr_any, addr_bcast, addr_any, addr_bcast, socket.IPPROTO_ESP) params.spd_policy_out_any = VppIpsecSpdEntry(self, self.tun_spd, scapy_tun_sa_id, addr_any, addr_bcast, addr_any, addr_bcast, socket.IPPROTO_ESP, is_outboun
---
name: ACLs for Security Groups
maintainer: Andrew Yourtchenko <ayourtch@gmail.com>
features:
- Inbound MACIP ACLs:
- filter the source IP:MAC address statically configured bindings
- Stateless inbound and outbound ACLs:
- permit/deny packets based on their L3/L4 info
- Stateful inbound and outbound ACLs:
- create inbound sessions based on outbound traffic and vice versa
description: |-
The ACL plugin allows to implement access control policies
at the levels of IP address ownership (by locking down
the IP-MAC associations by MACIP ACLs), and by using network
and transport level policies in inbound and outbound ACLs.
For non-initial fragments the matching is done on network
layer only. The session state in stateful ACLs is maintained
per-interface (e.g. outbound interface ACL creates the session
while inbound ACL matches it), which simplifies the design
and operation. For TCP handling, the session processing
tracks "established" (seen both SYN segments and seen ACKs for them),
and "transient" (all the other TCP states) sessions.
state: production
properties: [API, CLI, STATS, MULTITHREAD]