5 from scapy.layers.inet import IP, ICMP, TCP, UDP
6 from scapy.layers.ipsec import SecurityAssociation, ESP
7 from scapy.layers.l2 import Ether, Raw
8 from scapy.layers.inet6 import IPv6, ICMPv6EchoRequest
10 from framework import VppTestCase, VppTestRunner
11 from util import ppp, reassemble4, fragment_rfc791, fragment_rfc8200
12 from vpp_papi import VppEnum
15 class IPsecIPv4Params(object):
17 addr_type = socket.AF_INET
19 addr_bcast = "255.255.255.255"
24 self.remote_tun_if_host = '1.1.1.1'
25 self.remote_tun_if_host6 = '1111::1'
27 self.scapy_tun_sa_id = 10
28 self.scapy_tun_spi = 1001
29 self.vpp_tun_sa_id = 20
30 self.vpp_tun_spi = 1000
32 self.scapy_tra_sa_id = 30
33 self.scapy_tra_spi = 2001
34 self.vpp_tra_sa_id = 40
35 self.vpp_tra_spi = 2000
37 self.auth_algo_vpp_id = (VppEnum.vl_api_ipsec_integ_alg_t.
38 IPSEC_API_INTEG_ALG_SHA1_96)
39 self.auth_algo = 'HMAC-SHA1-96' # scapy name
40 self.auth_key = 'C91KUR9GYMm5GfkEvNjX'
42 self.crypt_algo_vpp_id = (VppEnum.vl_api_ipsec_crypto_alg_t.
43 IPSEC_API_CRYPTO_ALG_AES_CBC_128)
44 self.crypt_algo = 'AES-CBC' # scapy name
45 self.crypt_key = 'JPjyOWBeVEQiMe7h'
48 self.nat_header = None
51 class IPsecIPv6Params(object):
53 addr_type = socket.AF_INET6
55 addr_bcast = "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"
60 self.remote_tun_if_host = '1111:1111:1111:1111:1111:1111:1111:1111'
61 self.remote_tun_if_host4 = '1.1.1.1'
63 self.scapy_tun_sa_id = 50
64 self.scapy_tun_spi = 3001
65 self.vpp_tun_sa_id = 60
66 self.vpp_tun_spi = 3000
68 self.scapy_tra_sa_id = 70
69 self.scapy_tra_spi = 4001
70 self.vpp_tra_sa_id = 80
71 self.vpp_tra_spi = 4000
73 self.auth_algo_vpp_id = (VppEnum.vl_api_ipsec_integ_alg_t.
74 IPSEC_API_INTEG_ALG_SHA1_96)
75 self.auth_algo = 'HMAC-SHA1-96' # scapy name
76 self.auth_key = 'C91KUR9GYMm5GfkEvNjX'
78 self.crypt_algo_vpp_id = (VppEnum.vl_api_ipsec_crypto_alg_t.
79 IPSEC_API_CRYPTO_ALG_AES_CBC_128)
80 self.crypt_algo = 'AES-CBC' # scapy name
81 self.crypt_key = 'JPjyOWBeVEQiMe7h'
84 self.nat_header = None
87 def mk_scapy_crpyt_key(p):
88 if p.crypt_algo == "AES-GCM":
89 return p.crypt_key + struct.pack("!I", p.salt)
94 def config_tun_params(p, encryption_type, tun_if):
95 ip_class_by_addr_type = {socket.AF_INET: IP, socket.AF_INET6: IPv6}
96 use_esn = bool(p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.
97 IPSEC_API_SAD_FLAG_USE_ESN))
98 crypt_key = mk_scapy_crpyt_key(p)
99 p.scapy_tun_sa = SecurityAssociation(
100 encryption_type, spi=p.vpp_tun_spi,
101 crypt_algo=p.crypt_algo,
103 auth_algo=p.auth_algo, auth_key=p.auth_key,
104 tunnel_header=ip_class_by_addr_type[p.addr_type](
105 src=tun_if.remote_addr[p.addr_type],
106 dst=tun_if.local_addr[p.addr_type]),
107 nat_t_header=p.nat_header,
109 p.vpp_tun_sa = SecurityAssociation(
110 encryption_type, spi=p.scapy_tun_spi,
111 crypt_algo=p.crypt_algo,
113 auth_algo=p.auth_algo, auth_key=p.auth_key,
114 tunnel_header=ip_class_by_addr_type[p.addr_type](
115 dst=tun_if.remote_addr[p.addr_type],
116 src=tun_if.local_addr[p.addr_type]),
117 nat_t_header=p.nat_header,
121 def config_tra_params(p, encryption_type):
122 use_esn = bool(p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.
123 IPSEC_API_SAD_FLAG_USE_ESN))
124 crypt_key = mk_scapy_crpyt_key(p)
125 p.scapy_tra_sa = SecurityAssociation(
128 crypt_algo=p.crypt_algo,
130 auth_algo=p.auth_algo,
132 nat_t_header=p.nat_header,
134 p.vpp_tra_sa = SecurityAssociation(
137 crypt_algo=p.crypt_algo,
139 auth_algo=p.auth_algo,
141 nat_t_header=p.nat_header,
145 class TemplateIpsec(VppTestCase):
150 |tra_if| <-------> |VPP|
155 ------ encrypt --- plain ---
156 |tun_if| <------- |VPP| <------ |pg1|
159 ------ decrypt --- plain ---
160 |tun_if| -------> |VPP| ------> |pg1|
166 def ipsec_select_backend(self):
167 """ empty method to be overloaded when necessary """
172 super(TemplateIpsec, cls).setUpClass()
175 def tearDownClass(cls):
176 super(TemplateIpsec, cls).tearDownClass()
178 def setup_params(self):
179 self.ipv4_params = IPsecIPv4Params()
180 self.ipv6_params = IPsecIPv6Params()
181 self.params = {self.ipv4_params.addr_type: self.ipv4_params,
182 self.ipv6_params.addr_type: self.ipv6_params}
184 def config_interfaces(self):
185 self.create_pg_interfaces(range(3))
186 self.interfaces = list(self.pg_interfaces)
187 for i in self.interfaces:
195 super(TemplateIpsec, self).setUp()
199 self.vpp_esp_protocol = (VppEnum.vl_api_ipsec_proto_t.
201 self.vpp_ah_protocol = (VppEnum.vl_api_ipsec_proto_t.
204 self.config_interfaces()
206 self.ipsec_select_backend()
208 def unconfig_interfaces(self):
209 for i in self.interfaces:
215 super(TemplateIpsec, self).tearDown()
217 self.unconfig_interfaces()
219 def show_commands_at_teardown(self):
220 self.logger.info(self.vapi.cli("show hardware"))
222 def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1,
224 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
225 sa.encrypt(IP(src=src, dst=dst) /
226 ICMP() / Raw('X' * payload_size))
227 for i in range(count)]
229 def gen_encrypt_pkts6(self, sa, sw_intf, src, dst, count=1,
231 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
232 sa.encrypt(IPv6(src=src, dst=dst) /
233 ICMPv6EchoRequest(id=0, seq=1,
234 data='X' * payload_size))
235 for i in range(count)]
237 def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=54):
238 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
239 IP(src=src, dst=dst) / ICMP() / Raw('X' * payload_size)
240 for i in range(count)]
242 def gen_pkts6(self, sw_intf, src, dst, count=1, payload_size=54):
243 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
244 IPv6(src=src, dst=dst) /
245 ICMPv6EchoRequest(id=0, seq=1, data='X' * payload_size)
246 for i in range(count)]
249 class IpsecTcp(object):
250 def verify_tcp_checksum(self):
251 self.vapi.cli("test http server")
252 p = self.params[socket.AF_INET]
253 config_tun_params(p, self.encryption_type, self.tun_if)
254 send = (Ether(src=self.tun_if.remote_mac, dst=self.tun_if.local_mac) /
255 p.scapy_tun_sa.encrypt(IP(src=p.remote_tun_if_host,
256 dst=self.tun_if.local_ip4) /
257 TCP(flags='S', dport=80)))
258 self.logger.debug(ppp("Sending packet:", send))
259 recv = self.send_and_expect(self.tun_if, [send], self.tun_if)
261 decrypted = p.vpp_tun_sa.decrypt(recv[IP])
262 self.assert_packet_checksums_valid(decrypted)
265 class IpsecTcpTests(IpsecTcp):
266 def test_tcp_checksum(self):
267 """ verify checksum correctness for vpp generated packets """
268 self.verify_tcp_checksum()
271 class IpsecTra4(object):
272 """ verify methods for Transport v4 """
273 def verify_tra_anti_replay(self):
274 p = self.params[socket.AF_INET]
275 use_esn = p.vpp_tra_sa.use_esn
277 seq_cycle_node_name = ('/err/%s/sequence number cycled' %
278 self.tra4_encrypt_node_name)
279 replay_node_name = ('/err/%s/SA replayed packet' %
280 self.tra4_decrypt_node_name)
281 if ESP == self.encryption_type and p.crypt_algo == "AES-GCM":
282 hash_failed_node_name = ('/err/%s/ESP decryption failed' %
283 self.tra4_decrypt_node_name)
285 hash_failed_node_name = ('/err/%s/Integrity check failed' %
286 self.tra4_decrypt_node_name)
287 replay_count = self.statistics.get_err_counter(replay_node_name)
288 hash_failed_count = self.statistics.get_err_counter(
289 hash_failed_node_name)
290 seq_cycle_count = self.statistics.get_err_counter(seq_cycle_node_name)
292 if ESP == self.encryption_type:
293 undersize_node_name = ('/err/%s/undersized packet' %
294 self.tra4_decrypt_node_name)
295 undersize_count = self.statistics.get_err_counter(
299 # send packets with seq numbers 1->34
300 # this means the window size is still in Case B (see RFC4303
303 # for reasons i haven't investigated Scapy won't create a packet with
306 pkts = [(Ether(src=self.tra_if.remote_mac,
307 dst=self.tra_if.local_mac) /
308 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
309 dst=self.tra_if.local_ip4) /
312 for seq in range(1, 34)]
313 recv_pkts = self.send_and_expect(self.tra_if, pkts, self.tra_if)
315 # replayed packets are dropped
316 self.send_and_assert_no_replies(self.tra_if, pkts)
317 replay_count += len(pkts)
318 self.assert_error_counter_equal(replay_node_name, replay_count)
321 # now move the window over to 257 (more than one byte) and into Case A
323 pkt = (Ether(src=self.tra_if.remote_mac,
324 dst=self.tra_if.local_mac) /
325 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
326 dst=self.tra_if.local_ip4) /
329 recv_pkts = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
331 # replayed packets are dropped
332 self.send_and_assert_no_replies(self.tra_if, pkt * 3)
334 self.assert_error_counter_equal(replay_node_name, replay_count)
336 # the window size is 64 packets
337 # in window are still accepted
338 pkt = (Ether(src=self.tra_if.remote_mac,
339 dst=self.tra_if.local_mac) /
340 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
341 dst=self.tra_if.local_ip4) /
344 recv_pkts = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
346 # a packet that does not decrypt does not move the window forward
347 bogus_sa = SecurityAssociation(self.encryption_type,
349 crypt_algo=p.crypt_algo,
350 crypt_key=mk_scapy_crpyt_key(p)[::-1],
351 auth_algo=p.auth_algo,
352 auth_key=p.auth_key[::-1])
353 pkt = (Ether(src=self.tra_if.remote_mac,
354 dst=self.tra_if.local_mac) /
355 bogus_sa.encrypt(IP(src=self.tra_if.remote_ip4,
356 dst=self.tra_if.local_ip4) /
359 self.send_and_assert_no_replies(self.tra_if, pkt * 17)
361 hash_failed_count += 17
362 self.assert_error_counter_equal(hash_failed_node_name,
365 # a malformed 'runt' packet
366 # created by a mis-constructed SA
367 if (ESP == self.encryption_type):
368 bogus_sa = SecurityAssociation(self.encryption_type,
370 pkt = (Ether(src=self.tra_if.remote_mac,
371 dst=self.tra_if.local_mac) /
372 bogus_sa.encrypt(IP(src=self.tra_if.remote_ip4,
373 dst=self.tra_if.local_ip4) /
376 self.send_and_assert_no_replies(self.tra_if, pkt * 17)
378 undersize_count += 17
379 self.assert_error_counter_equal(undersize_node_name,
382 # which we can determine since this packet is still in the window
383 pkt = (Ether(src=self.tra_if.remote_mac,
384 dst=self.tra_if.local_mac) /
385 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
386 dst=self.tra_if.local_ip4) /
389 self.send_and_expect(self.tra_if, [pkt], self.tra_if)
392 # out of window are dropped
393 # this is Case B. So VPP will consider this to be a high seq num wrap
394 # and so the decrypt attempt will fail
396 pkt = (Ether(src=self.tra_if.remote_mac,
397 dst=self.tra_if.local_mac) /
398 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
399 dst=self.tra_if.local_ip4) /
402 self.send_and_assert_no_replies(self.tra_if, pkt * 17)
405 # an out of window error with ESN looks like a high sequence
406 # wrap. but since it isn't then the verify will fail.
407 hash_failed_count += 17
408 self.assert_error_counter_equal(hash_failed_node_name,
413 self.assert_error_counter_equal(replay_node_name,
416 # valid packet moves the window over to 258
417 pkt = (Ether(src=self.tra_if.remote_mac,
418 dst=self.tra_if.local_mac) /
419 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
420 dst=self.tra_if.local_ip4) /
423 rx = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
424 decrypted = p.vpp_tra_sa.decrypt(rx[0][IP])
427 # move VPP's SA TX seq-num to just before the seq-number wrap.
428 # then fire in a packet that VPP should drop on TX because it
429 # causes the TX seq number to wrap; unless we're using extened sequence
432 self.vapi.cli("test ipsec sa %d seq 0xffffffff" % p.scapy_tra_sa_id)
433 self.logger.info(self.vapi.ppcli("show ipsec sa 0"))
434 self.logger.info(self.vapi.ppcli("show ipsec sa 1"))
436 pkts = [(Ether(src=self.tra_if.remote_mac,
437 dst=self.tra_if.local_mac) /
438 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
439 dst=self.tra_if.local_ip4) /
442 for seq in range(259, 280)]
445 rxs = self.send_and_expect(self.tra_if, pkts, self.tra_if)
448 # in order for scapy to decrypt its SA's high order number needs
451 p.vpp_tra_sa.seq_num = 0x100000000
453 decrypted = p.vpp_tra_sa.decrypt(rx[0][IP])
456 # wrap scapy's TX high sequence number. VPP is in case B, so it
457 # will consider this a high seq wrap also.
458 # The low seq num we set it to will place VPP's RX window in Case A
460 p.scapy_tra_sa.seq_num = 0x100000005
461 pkt = (Ether(src=self.tra_if.remote_mac,
462 dst=self.tra_if.local_mac) /
463 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
464 dst=self.tra_if.local_ip4) /
466 seq_num=0x100000005))
467 rx = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
468 decrypted = p.vpp_tra_sa.decrypt(rx[0][IP])
471 # A packet that has seq num between (2^32-64) and 5 is within
474 p.scapy_tra_sa.seq_num = 0xfffffffd
475 pkt = (Ether(src=self.tra_if.remote_mac,
476 dst=self.tra_if.local_mac) /
477 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
478 dst=self.tra_if.local_ip4) /
481 rx = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
482 decrypted = p.vpp_tra_sa.decrypt(rx[0][IP])
485 # While in case A we cannot wrap the high sequence number again
486 # becuase VPP will consider this packet to be one that moves the
489 pkt = (Ether(src=self.tra_if.remote_mac,
490 dst=self.tra_if.local_mac) /
491 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
492 dst=self.tra_if.local_ip4) /
494 seq_num=0x200000999))
495 self.send_and_assert_no_replies(self.tra_if, [pkt], self.tra_if)
497 hash_failed_count += 1
498 self.assert_error_counter_equal(hash_failed_node_name,
502 # but if we move the wondow forward to case B, then we can wrap
505 p.scapy_tra_sa.seq_num = 0x100000555
506 pkt = (Ether(src=self.tra_if.remote_mac,
507 dst=self.tra_if.local_mac) /
508 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
509 dst=self.tra_if.local_ip4) /
511 seq_num=0x100000555))
512 rx = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
513 decrypted = p.vpp_tra_sa.decrypt(rx[0][IP])
515 p.scapy_tra_sa.seq_num = 0x200000444
516 pkt = (Ether(src=self.tra_if.remote_mac,
517 dst=self.tra_if.local_mac) /
518 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
519 dst=self.tra_if.local_ip4) /
521 seq_num=0x200000444))
522 rx = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
523 decrypted = p.vpp_tra_sa.decrypt(rx[0][IP])
527 # without ESN TX sequence numbers can't wrap and packets are
528 # dropped from here on out.
530 self.send_and_assert_no_replies(self.tra_if, pkts)
531 seq_cycle_count += len(pkts)
532 self.assert_error_counter_equal(seq_cycle_node_name,
535 # move the security-associations seq number on to the last we used
536 self.vapi.cli("test ipsec sa %d seq 0x15f" % p.scapy_tra_sa_id)
537 p.scapy_tra_sa.seq_num = 351
538 p.vpp_tra_sa.seq_num = 351
540 def verify_tra_basic4(self, count=1):
541 """ ipsec v4 transport basic test """
542 self.vapi.cli("clear errors")
543 self.vapi.cli("clear ipsec sa")
545 p = self.params[socket.AF_INET]
546 send_pkts = self.gen_encrypt_pkts(p.scapy_tra_sa, self.tra_if,
547 src=self.tra_if.remote_ip4,
548 dst=self.tra_if.local_ip4,
550 recv_pkts = self.send_and_expect(self.tra_if, send_pkts,
553 self.assertEqual(len(rx) - len(Ether()), rx[IP].len)
554 self.assert_packet_checksums_valid(rx)
556 decrypted = p.vpp_tra_sa.decrypt(rx[IP])
557 self.assert_packet_checksums_valid(decrypted)
559 self.logger.debug(ppp("Unexpected packet:", rx))
562 self.logger.info(self.vapi.ppcli("show error"))
563 self.logger.info(self.vapi.ppcli("show ipsec all"))
565 pkts = p.tra_sa_in.get_stats()['packets']
566 self.assertEqual(pkts, count,
567 "incorrect SA in counts: expected %d != %d" %
569 pkts = p.tra_sa_out.get_stats()['packets']
570 self.assertEqual(pkts, count,
571 "incorrect SA out counts: expected %d != %d" %
574 self.assert_packet_counter_equal(self.tra4_encrypt_node_name, count)
575 self.assert_packet_counter_equal(self.tra4_decrypt_node_name, count)
578 class IpsecTra4Tests(IpsecTra4):
579 """ UT test methods for Transport v4 """
580 def test_tra_anti_replay(self):
581 """ ipsec v4 transport anti-reply test """
582 self.verify_tra_anti_replay()
584 def test_tra_basic(self, count=1):
585 """ ipsec v4 transport basic test """
586 self.verify_tra_basic4(count=1)
588 def test_tra_burst(self):
589 """ ipsec v4 transport burst test """
590 self.verify_tra_basic4(count=257)
593 class IpsecTra6(object):
594 """ verify methods for Transport v6 """
595 def verify_tra_basic6(self, count=1):
596 self.vapi.cli("clear errors")
598 p = self.params[socket.AF_INET6]
599 send_pkts = self.gen_encrypt_pkts6(p.scapy_tra_sa, self.tra_if,
600 src=self.tra_if.remote_ip6,
601 dst=self.tra_if.local_ip6,
603 recv_pkts = self.send_and_expect(self.tra_if, send_pkts,
606 self.assertEqual(len(rx) - len(Ether()) - len(IPv6()),
609 decrypted = p.vpp_tra_sa.decrypt(rx[IPv6])
610 self.assert_packet_checksums_valid(decrypted)
612 self.logger.debug(ppp("Unexpected packet:", rx))
615 self.logger.info(self.vapi.ppcli("show error"))
616 self.logger.info(self.vapi.ppcli("show ipsec all"))
618 pkts = p.tra_sa_in.get_stats()['packets']
619 self.assertEqual(pkts, count,
620 "incorrect SA in counts: expected %d != %d" %
622 pkts = p.tra_sa_out.get_stats()['packets']
623 self.assertEqual(pkts, count,
624 "incorrect SA out counts: expected %d != %d" %
626 self.assert_packet_counter_equal(self.tra6_encrypt_node_name, count)
627 self.assert_packet_counter_equal(self.tra6_decrypt_node_name, count)
630 class IpsecTra6Tests(IpsecTra6):
631 """ UT test methods for Transport v6 """
632 def test_tra_basic6(self):
633 """ ipsec v6 transport basic test """
634 self.verify_tra_basic6(count=1)
636 def test_tra_burst6(self):
637 """ ipsec v6 transport burst test """
638 self.verify_tra_basic6(count=257)
641 class IpsecTra46Tests(IpsecTra4Tests, IpsecTra6Tests):
642 """ UT test methods for Transport v6 and v4"""
646 class IpsecTun4(object):
647 """ verify methods for Tunnel v4 """
648 def verify_counters4(self, p, count, n_frags=None):
651 if (hasattr(p, "spd_policy_in_any")):
652 pkts = p.spd_policy_in_any.get_stats()['packets']
653 self.assertEqual(pkts, count,
654 "incorrect SPD any policy: expected %d != %d" %
657 if (hasattr(p, "tun_sa_in")):
658 pkts = p.tun_sa_in.get_stats()['packets']
659 self.assertEqual(pkts, count,
660 "incorrect SA in counts: expected %d != %d" %
662 pkts = p.tun_sa_out.get_stats()['packets']
663 self.assertEqual(pkts, count,
664 "incorrect SA out counts: expected %d != %d" %
667 self.assert_packet_counter_equal(self.tun4_encrypt_node_name, n_frags)
668 self.assert_packet_counter_equal(self.tun4_decrypt_node_name, count)
670 def verify_decrypted(self, p, rxs):
672 self.assert_equal(rx[IP].src, p.remote_tun_if_host)
673 self.assert_equal(rx[IP].dst, self.pg1.remote_ip4)
674 self.assert_packet_checksums_valid(rx)
676 def verify_encrypted(self, p, sa, rxs):
680 self.assertEqual(rx[UDP].dport, 4500)
681 self.assert_packet_checksums_valid(rx)
682 self.assertEqual(len(rx) - len(Ether()), rx[IP].len)
684 decrypt_pkt = p.vpp_tun_sa.decrypt(rx[IP])
685 if not decrypt_pkt.haslayer(IP):
686 decrypt_pkt = IP(decrypt_pkt[Raw].load)
687 decrypt_pkts.append(decrypt_pkt)
688 self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip4)
689 self.assert_equal(decrypt_pkt.dst, p.remote_tun_if_host)
691 self.logger.debug(ppp("Unexpected packet:", rx))
693 self.logger.debug(ppp("Decrypted packet:", decrypt_pkt))
697 pkts = reassemble4(decrypt_pkts)
699 self.assert_packet_checksums_valid(pkt)
701 def verify_tun_44(self, p, count=1, payload_size=64, n_rx=None):
702 self.vapi.cli("clear errors")
706 config_tun_params(p, self.encryption_type, self.tun_if)
707 send_pkts = self.gen_encrypt_pkts(p.scapy_tun_sa, self.tun_if,
708 src=p.remote_tun_if_host,
709 dst=self.pg1.remote_ip4,
711 recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1)
712 self.verify_decrypted(p, recv_pkts)
714 send_pkts = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4,
715 dst=p.remote_tun_if_host, count=count,
716 payload_size=payload_size)
717 recv_pkts = self.send_and_expect(self.pg1, send_pkts,
719 self.verify_encrypted(p, p.vpp_tun_sa, recv_pkts)
722 self.logger.info(self.vapi.ppcli("show error"))
723 self.logger.info(self.vapi.ppcli("show ipsec all"))
725 self.verify_counters4(p, count, n_rx)
727 def verify_tun_reass_44(self, p):
728 self.vapi.cli("clear errors")
729 self.vapi.ip_reassembly_enable_disable(
730 sw_if_index=self.tun_if.sw_if_index, enable_ip4=True)
733 config_tun_params(p, self.encryption_type, self.tun_if)
734 send_pkts = self.gen_encrypt_pkts(p.scapy_tun_sa, self.tun_if,
735 src=p.remote_tun_if_host,
736 dst=self.pg1.remote_ip4,
739 send_pkts = fragment_rfc791(send_pkts[0], 1400)
740 recv_pkts = self.send_and_expect(self.tun_if, send_pkts,
742 self.verify_decrypted(p, recv_pkts)
744 send_pkts = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4,
745 dst=p.remote_tun_if_host, count=1)
746 recv_pkts = self.send_and_expect(self.pg1, send_pkts,
748 self.verify_encrypted(p, p.vpp_tun_sa, recv_pkts)
751 self.logger.info(self.vapi.ppcli("show error"))
752 self.logger.info(self.vapi.ppcli("show ipsec all"))
754 self.verify_counters4(p, 1, 1)
755 self.vapi.ip_reassembly_enable_disable(
756 sw_if_index=self.tun_if.sw_if_index, enable_ip4=False)
758 def verify_tun_64(self, p, count=1):
759 self.vapi.cli("clear errors")
761 config_tun_params(p, self.encryption_type, self.tun_if)
762 send_pkts = self.gen_encrypt_pkts6(p.scapy_tun_sa, self.tun_if,
763 src=p.remote_tun_if_host6,
764 dst=self.pg1.remote_ip6,
766 recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1)
767 for recv_pkt in recv_pkts:
768 self.assert_equal(recv_pkt[IPv6].src, p.remote_tun_if_host6)
769 self.assert_equal(recv_pkt[IPv6].dst, self.pg1.remote_ip6)
770 self.assert_packet_checksums_valid(recv_pkt)
771 send_pkts = self.gen_pkts6(self.pg1, src=self.pg1.remote_ip6,
772 dst=p.remote_tun_if_host6, count=count)
773 recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.tun_if)
774 for recv_pkt in recv_pkts:
776 decrypt_pkt = p.vpp_tun_sa.decrypt(recv_pkt[IP])
777 if not decrypt_pkt.haslayer(IPv6):
778 decrypt_pkt = IPv6(decrypt_pkt[Raw].load)
779 self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip6)
780 self.assert_equal(decrypt_pkt.dst, p.remote_tun_if_host6)
781 self.assert_packet_checksums_valid(decrypt_pkt)
783 self.logger.error(ppp("Unexpected packet:", recv_pkt))
786 ppp("Decrypted packet:", decrypt_pkt))
791 self.logger.info(self.vapi.ppcli("show error"))
792 self.logger.info(self.vapi.ppcli("show ipsec all"))
794 self.verify_counters4(p, count)
796 def verify_keepalive(self, p):
797 pkt = (Ether(src=self.tun_if.remote_mac, dst=self.tun_if.local_mac) /
798 IP(src=p.remote_tun_if_host, dst=self.tun_if.local_ip4) /
799 UDP(sport=333, dport=4500) /
801 self.send_and_assert_no_replies(self.tun_if, pkt*31)
802 self.assert_error_counter_equal(
803 '/err/%s/NAT Keepalive' % self.tun4_input_node, 31)
805 pkt = (Ether(src=self.tun_if.remote_mac, dst=self.tun_if.local_mac) /
806 IP(src=p.remote_tun_if_host, dst=self.tun_if.local_ip4) /
807 UDP(sport=333, dport=4500) /
809 self.send_and_assert_no_replies(self.tun_if, pkt*31)
810 self.assert_error_counter_equal(
811 '/err/%s/Too Short' % self.tun4_input_node, 31)
814 class IpsecTun4Tests(IpsecTun4):
815 """ UT test methods for Tunnel v4 """
816 def test_tun_basic44(self):
817 """ ipsec 4o4 tunnel basic test """
818 self.verify_tun_44(self.params[socket.AF_INET], count=1)
820 def test_tun_reass_basic44(self):
821 """ ipsec 4o4 tunnel basic reassembly test """
822 self.verify_tun_reass_44(self.params[socket.AF_INET])
824 def test_tun_burst44(self):
825 """ ipsec 4o4 tunnel burst test """
826 self.verify_tun_44(self.params[socket.AF_INET], count=257)
829 class IpsecTun6(object):
830 """ verify methods for Tunnel v6 """
831 def verify_counters6(self, p_in, p_out, count):
832 if (hasattr(p_in, "tun_sa_in")):
833 pkts = p_in.tun_sa_in.get_stats()['packets']
834 self.assertEqual(pkts, count,
835 "incorrect SA in counts: expected %d != %d" %
837 if (hasattr(p_out, "tun_sa_out")):
838 pkts = p_out.tun_sa_out.get_stats()['packets']
839 self.assertEqual(pkts, count,
840 "incorrect SA out counts: expected %d != %d" %
842 self.assert_packet_counter_equal(self.tun6_encrypt_node_name, count)
843 self.assert_packet_counter_equal(self.tun6_decrypt_node_name, count)
845 def verify_decrypted6(self, p, rxs):
847 self.assert_equal(rx[IPv6].src, p.remote_tun_if_host)
848 self.assert_equal(rx[IPv6].dst, self.pg1.remote_ip6)
849 self.assert_packet_checksums_valid(rx)
851 def verify_encrypted6(self, p, sa, rxs):
853 self.assert_packet_checksums_valid(rx)
854 self.assertEqual(len(rx) - len(Ether()) - len(IPv6()),
857 decrypt_pkt = p.vpp_tun_sa.decrypt(rx[IPv6])
858 if not decrypt_pkt.haslayer(IPv6):
859 decrypt_pkt = IPv6(decrypt_pkt[Raw].load)
860 self.assert_packet_checksums_valid(decrypt_pkt)
861 self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip6)
862 self.assert_equal(decrypt_pkt.dst, p.remote_tun_if_host)
864 self.logger.debug(ppp("Unexpected packet:", rx))
866 self.logger.debug(ppp("Decrypted packet:", decrypt_pkt))
871 def verify_drop_tun_66(self, p_in, count=1, payload_size=64):
872 self.vapi.cli("clear errors")
873 self.vapi.cli("clear ipsec sa")
875 config_tun_params(p_in, self.encryption_type, self.tun_if)
876 send_pkts = self.gen_encrypt_pkts6(p_in.scapy_tun_sa, self.tun_if,
877 src=p_in.remote_tun_if_host,
878 dst=self.pg1.remote_ip6,
880 self.send_and_assert_no_replies(self.tun_if, send_pkts)
881 self.logger.info(self.vapi.cli("sh punt stats"))
883 def verify_tun_66(self, p_in, p_out=None, count=1, payload_size=64):
884 self.vapi.cli("clear errors")
885 self.vapi.cli("clear ipsec sa")
889 config_tun_params(p_in, self.encryption_type, self.tun_if)
890 config_tun_params(p_out, self.encryption_type, self.tun_if)
891 send_pkts = self.gen_encrypt_pkts6(p_in.scapy_tun_sa, self.tun_if,
892 src=p_in.remote_tun_if_host,
893 dst=self.pg1.remote_ip6,
895 recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1)
896 self.verify_decrypted6(p_in, recv_pkts)
898 send_pkts = self.gen_pkts6(self.pg1, src=self.pg1.remote_ip6,
899 dst=p_out.remote_tun_if_host,
901 payload_size=payload_size)
902 recv_pkts = self.send_and_expect(self.pg1, send_pkts,
904 self.verify_encrypted6(p_out, p_out.vpp_tun_sa, recv_pkts)
907 self.logger.info(self.vapi.ppcli("show error"))
908 self.logger.info(self.vapi.ppcli("show ipsec all"))
909 self.verify_counters6(p_in, p_out, count)
911 def verify_tun_reass_66(self, p):
912 self.vapi.cli("clear errors")
913 self.vapi.ip_reassembly_enable_disable(
914 sw_if_index=self.tun_if.sw_if_index, enable_ip6=True)
917 config_tun_params(p, self.encryption_type, self.tun_if)
918 send_pkts = self.gen_encrypt_pkts6(p.scapy_tun_sa, self.tun_if,
919 src=p.remote_tun_if_host,
920 dst=self.pg1.remote_ip6,
923 send_pkts = fragment_rfc8200(send_pkts[0], 1, 1400, self.logger)
924 recv_pkts = self.send_and_expect(self.tun_if, send_pkts,
926 self.verify_decrypted6(p, recv_pkts)
928 send_pkts = self.gen_pkts6(self.pg1, src=self.pg1.remote_ip6,
929 dst=p.remote_tun_if_host,
932 recv_pkts = self.send_and_expect(self.pg1, send_pkts,
934 self.verify_encrypted6(p, p.vpp_tun_sa, recv_pkts)
936 self.logger.info(self.vapi.ppcli("show error"))
937 self.logger.info(self.vapi.ppcli("show ipsec all"))
938 self.verify_counters6(p, p, 1)
939 self.vapi.ip_reassembly_enable_disable(
940 sw_if_index=self.tun_if.sw_if_index, enable_ip6=False)
942 def verify_tun_46(self, p, count=1):
943 """ ipsec 4o6 tunnel basic test """
944 self.vapi.cli("clear errors")
946 config_tun_params(p, self.encryption_type, self.tun_if)
947 send_pkts = self.gen_encrypt_pkts(p.scapy_tun_sa, self.tun_if,
948 src=p.remote_tun_if_host4,
949 dst=self.pg1.remote_ip4,
951 recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1)
952 for recv_pkt in recv_pkts:
953 self.assert_equal(recv_pkt[IP].src, p.remote_tun_if_host4)
954 self.assert_equal(recv_pkt[IP].dst, self.pg1.remote_ip4)
955 self.assert_packet_checksums_valid(recv_pkt)
956 send_pkts = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4,
957 dst=p.remote_tun_if_host4,
959 recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.tun_if)
960 for recv_pkt in recv_pkts:
962 decrypt_pkt = p.vpp_tun_sa.decrypt(recv_pkt[IPv6])
963 if not decrypt_pkt.haslayer(IP):
964 decrypt_pkt = IP(decrypt_pkt[Raw].load)
965 self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip4)
966 self.assert_equal(decrypt_pkt.dst, p.remote_tun_if_host4)
967 self.assert_packet_checksums_valid(decrypt_pkt)
969 self.logger.debug(ppp("Unexpected packet:", recv_pkt))
971 self.logger.debug(ppp("Decrypted packet:",
977 self.logger.info(self.vapi.ppcli("show error"))
978 self.logger.info(self.vapi.ppcli("show ipsec all"))
979 self.verify_counters6(p, p, count)
982 class IpsecTun6Tests(IpsecTun6):
983 """ UT test methods for Tunnel v6 """
985 def test_tun_basic66(self):
986 """ ipsec 6o6 tunnel basic test """
987 self.verify_tun_66(self.params[socket.AF_INET6], count=1)
989 def test_tun_reass_basic66(self):
990 """ ipsec 6o6 tunnel basic reassembly test """
991 self.verify_tun_reass_66(self.params[socket.AF_INET6])
993 def test_tun_burst66(self):
994 """ ipsec 6o6 tunnel burst test """
995 self.verify_tun_66(self.params[socket.AF_INET6], count=257)
998 class IpsecTun46Tests(IpsecTun4Tests, IpsecTun6Tests):
999 """ UT test methods for Tunnel v6 & v4 """
1003 if __name__ == '__main__':
1004 unittest.main(testRunner=VppTestRunner)