5 from scapy.layers.inet import IP, ICMP, TCP, UDP
6 from scapy.layers.ipsec import SecurityAssociation, ESP
7 from scapy.layers.l2 import Ether
8 from scapy.packet import Raw
9 from scapy.layers.inet6 import IPv6, ICMPv6EchoRequest
11 from framework import VppTestCase, VppTestRunner
12 from util import ppp, reassemble4, fragment_rfc791, fragment_rfc8200
13 from vpp_papi import VppEnum
16 class IPsecIPv4Params(object):
18 addr_type = socket.AF_INET
20 addr_bcast = "255.255.255.255"
25 self.remote_tun_if_host = '1.1.1.1'
26 self.remote_tun_if_host6 = '1111::1'
28 self.scapy_tun_sa_id = 10
29 self.scapy_tun_spi = 1001
30 self.vpp_tun_sa_id = 20
31 self.vpp_tun_spi = 1000
33 self.scapy_tra_sa_id = 30
34 self.scapy_tra_spi = 2001
35 self.vpp_tra_sa_id = 40
36 self.vpp_tra_spi = 2000
38 self.auth_algo_vpp_id = (VppEnum.vl_api_ipsec_integ_alg_t.
39 IPSEC_API_INTEG_ALG_SHA1_96)
40 self.auth_algo = 'HMAC-SHA1-96' # scapy name
41 self.auth_key = b'C91KUR9GYMm5GfkEvNjX'
43 self.crypt_algo_vpp_id = (VppEnum.vl_api_ipsec_crypto_alg_t.
44 IPSEC_API_CRYPTO_ALG_AES_CBC_128)
45 self.crypt_algo = 'AES-CBC' # scapy name
46 self.crypt_key = b'JPjyOWBeVEQiMe7h'
49 self.nat_header = None
52 class IPsecIPv6Params(object):
54 addr_type = socket.AF_INET6
56 addr_bcast = "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"
61 self.remote_tun_if_host = '1111:1111:1111:1111:1111:1111:1111:1111'
62 self.remote_tun_if_host4 = '1.1.1.1'
64 self.scapy_tun_sa_id = 50
65 self.scapy_tun_spi = 3001
66 self.vpp_tun_sa_id = 60
67 self.vpp_tun_spi = 3000
69 self.scapy_tra_sa_id = 70
70 self.scapy_tra_spi = 4001
71 self.vpp_tra_sa_id = 80
72 self.vpp_tra_spi = 4000
74 self.auth_algo_vpp_id = (VppEnum.vl_api_ipsec_integ_alg_t.
75 IPSEC_API_INTEG_ALG_SHA1_96)
76 self.auth_algo = 'HMAC-SHA1-96' # scapy name
77 self.auth_key = b'C91KUR9GYMm5GfkEvNjX'
79 self.crypt_algo_vpp_id = (VppEnum.vl_api_ipsec_crypto_alg_t.
80 IPSEC_API_CRYPTO_ALG_AES_CBC_128)
81 self.crypt_algo = 'AES-CBC' # scapy name
82 self.crypt_key = b'JPjyOWBeVEQiMe7h'
85 self.nat_header = None
88 def mk_scapy_crypt_key(p):
89 if p.crypt_algo == "AES-GCM":
90 return p.crypt_key + struct.pack("!I", p.salt)
95 def config_tun_params(p, encryption_type, tun_if):
96 ip_class_by_addr_type = {socket.AF_INET: IP, socket.AF_INET6: IPv6}
97 esn_en = bool(p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.
98 IPSEC_API_SAD_FLAG_USE_ESN))
99 crypt_key = mk_scapy_crypt_key(p)
100 p.scapy_tun_sa = SecurityAssociation(
101 encryption_type, spi=p.vpp_tun_spi,
102 crypt_algo=p.crypt_algo,
104 auth_algo=p.auth_algo, auth_key=p.auth_key,
105 tunnel_header=ip_class_by_addr_type[p.addr_type](
106 src=tun_if.remote_addr[p.addr_type],
107 dst=tun_if.local_addr[p.addr_type]),
108 nat_t_header=p.nat_header,
110 p.vpp_tun_sa = SecurityAssociation(
111 encryption_type, spi=p.scapy_tun_spi,
112 crypt_algo=p.crypt_algo,
114 auth_algo=p.auth_algo, auth_key=p.auth_key,
115 tunnel_header=ip_class_by_addr_type[p.addr_type](
116 dst=tun_if.remote_addr[p.addr_type],
117 src=tun_if.local_addr[p.addr_type]),
118 nat_t_header=p.nat_header,
122 def config_tra_params(p, encryption_type):
123 esn_en = bool(p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.
124 IPSEC_API_SAD_FLAG_USE_ESN))
125 crypt_key = mk_scapy_crypt_key(p)
126 p.scapy_tra_sa = SecurityAssociation(
129 crypt_algo=p.crypt_algo,
131 auth_algo=p.auth_algo,
133 nat_t_header=p.nat_header,
135 p.vpp_tra_sa = SecurityAssociation(
138 crypt_algo=p.crypt_algo,
140 auth_algo=p.auth_algo,
142 nat_t_header=p.nat_header,
146 class TemplateIpsec(VppTestCase):
151 |tra_if| <-------> |VPP|
156 ------ encrypt --- plain ---
157 |tun_if| <------- |VPP| <------ |pg1|
160 ------ decrypt --- plain ---
161 |tun_if| -------> |VPP| ------> |pg1|
167 def ipsec_select_backend(self):
168 """ empty method to be overloaded when necessary """
173 super(TemplateIpsec, cls).setUpClass()
176 def tearDownClass(cls):
177 super(TemplateIpsec, cls).tearDownClass()
179 def setup_params(self):
180 self.ipv4_params = IPsecIPv4Params()
181 self.ipv6_params = IPsecIPv6Params()
182 self.params = {self.ipv4_params.addr_type: self.ipv4_params,
183 self.ipv6_params.addr_type: self.ipv6_params}
185 def config_interfaces(self):
186 self.create_pg_interfaces(range(3))
187 self.interfaces = list(self.pg_interfaces)
188 for i in self.interfaces:
196 super(TemplateIpsec, self).setUp()
200 self.vpp_esp_protocol = (VppEnum.vl_api_ipsec_proto_t.
202 self.vpp_ah_protocol = (VppEnum.vl_api_ipsec_proto_t.
205 self.config_interfaces()
207 self.ipsec_select_backend()
209 def unconfig_interfaces(self):
210 for i in self.interfaces:
216 super(TemplateIpsec, self).tearDown()
218 self.unconfig_interfaces()
220 def show_commands_at_teardown(self):
221 self.logger.info(self.vapi.cli("show hardware"))
223 def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1,
225 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
226 sa.encrypt(IP(src=src, dst=dst) /
227 ICMP() / Raw(b'X' * payload_size))
228 for i in range(count)]
230 def gen_encrypt_pkts6(self, sa, sw_intf, src, dst, count=1,
232 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
233 sa.encrypt(IPv6(src=src, dst=dst) /
234 ICMPv6EchoRequest(id=0, seq=1,
235 data='X' * payload_size))
236 for i in range(count)]
238 def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=54):
239 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
240 IP(src=src, dst=dst) / ICMP() / Raw(b'X' * payload_size)
241 for i in range(count)]
243 def gen_pkts6(self, sw_intf, src, dst, count=1, payload_size=54):
244 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
245 IPv6(src=src, dst=dst) /
246 ICMPv6EchoRequest(id=0, seq=1, data='X' * payload_size)
247 for i in range(count)]
250 class IpsecTcp(object):
251 def verify_tcp_checksum(self):
252 self.vapi.cli("test http server")
253 p = self.params[socket.AF_INET]
254 send = (Ether(src=self.tun_if.remote_mac, dst=self.tun_if.local_mac) /
255 p.scapy_tun_sa.encrypt(IP(src=p.remote_tun_if_host,
256 dst=self.tun_if.local_ip4) /
257 TCP(flags='S', dport=80)))
258 self.logger.debug(ppp("Sending packet:", send))
259 recv = self.send_and_expect(self.tun_if, [send], self.tun_if)
261 decrypted = p.vpp_tun_sa.decrypt(recv[IP])
262 self.assert_packet_checksums_valid(decrypted)
265 class IpsecTcpTests(IpsecTcp):
266 def test_tcp_checksum(self):
267 """ verify checksum correctness for vpp generated packets """
268 self.verify_tcp_checksum()
271 class IpsecTra4(object):
272 """ verify methods for Transport v4 """
273 def verify_tra_anti_replay(self):
274 p = self.params[socket.AF_INET]
275 esn_en = p.vpp_tra_sa.esn_en
277 seq_cycle_node_name = ('/err/%s/sequence number cycled' %
278 self.tra4_encrypt_node_name)
279 replay_node_name = ('/err/%s/SA replayed packet' %
280 self.tra4_decrypt_node_name)
281 if ESP == self.encryption_type and p.crypt_algo == "AES-GCM":
282 hash_failed_node_name = ('/err/%s/ESP decryption failed' %
283 self.tra4_decrypt_node_name)
285 hash_failed_node_name = ('/err/%s/Integrity check failed' %
286 self.tra4_decrypt_node_name)
287 replay_count = self.statistics.get_err_counter(replay_node_name)
288 hash_failed_count = self.statistics.get_err_counter(
289 hash_failed_node_name)
290 seq_cycle_count = self.statistics.get_err_counter(seq_cycle_node_name)
292 if ESP == self.encryption_type:
293 undersize_node_name = ('/err/%s/undersized packet' %
294 self.tra4_decrypt_node_name)
295 undersize_count = self.statistics.get_err_counter(
299 # send packets with seq numbers 1->34
300 # this means the window size is still in Case B (see RFC4303
303 # for reasons i haven't investigated Scapy won't create a packet with
306 pkts = [(Ether(src=self.tra_if.remote_mac,
307 dst=self.tra_if.local_mac) /
308 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
309 dst=self.tra_if.local_ip4) /
312 for seq in range(1, 34)]
313 recv_pkts = self.send_and_expect(self.tra_if, pkts, self.tra_if)
315 # replayed packets are dropped
316 self.send_and_assert_no_replies(self.tra_if, pkts)
317 replay_count += len(pkts)
318 self.assert_error_counter_equal(replay_node_name, replay_count)
321 # now send a batch of packets all with the same sequence number
322 # the first packet in the batch is legitimate, the rest bogus
324 pkts = (Ether(src=self.tra_if.remote_mac,
325 dst=self.tra_if.local_mac) /
326 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
327 dst=self.tra_if.local_ip4) /
330 recv_pkts = self.send_and_expect(self.tra_if, pkts * 8,
333 self.assert_error_counter_equal(replay_node_name, replay_count)
336 # now move the window over to 257 (more than one byte) and into Case A
338 pkt = (Ether(src=self.tra_if.remote_mac,
339 dst=self.tra_if.local_mac) /
340 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
341 dst=self.tra_if.local_ip4) /
344 recv_pkts = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
346 # replayed packets are dropped
347 self.send_and_assert_no_replies(self.tra_if, pkt * 3)
349 self.assert_error_counter_equal(replay_node_name, replay_count)
351 # the window size is 64 packets
352 # in window are still accepted
353 pkt = (Ether(src=self.tra_if.remote_mac,
354 dst=self.tra_if.local_mac) /
355 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
356 dst=self.tra_if.local_ip4) /
359 recv_pkts = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
361 # a packet that does not decrypt does not move the window forward
362 bogus_sa = SecurityAssociation(self.encryption_type,
364 crypt_algo=p.crypt_algo,
365 crypt_key=mk_scapy_crypt_key(p)[::-1],
366 auth_algo=p.auth_algo,
367 auth_key=p.auth_key[::-1])
368 pkt = (Ether(src=self.tra_if.remote_mac,
369 dst=self.tra_if.local_mac) /
370 bogus_sa.encrypt(IP(src=self.tra_if.remote_ip4,
371 dst=self.tra_if.local_ip4) /
374 self.send_and_assert_no_replies(self.tra_if, pkt * 17)
376 hash_failed_count += 17
377 self.assert_error_counter_equal(hash_failed_node_name,
380 # a malformed 'runt' packet
381 # created by a mis-constructed SA
382 if (ESP == self.encryption_type and p.crypt_algo != "NULL"):
383 bogus_sa = SecurityAssociation(self.encryption_type,
385 pkt = (Ether(src=self.tra_if.remote_mac,
386 dst=self.tra_if.local_mac) /
387 bogus_sa.encrypt(IP(src=self.tra_if.remote_ip4,
388 dst=self.tra_if.local_ip4) /
391 self.send_and_assert_no_replies(self.tra_if, pkt * 17)
393 undersize_count += 17
394 self.assert_error_counter_equal(undersize_node_name,
397 # which we can determine since this packet is still in the window
398 pkt = (Ether(src=self.tra_if.remote_mac,
399 dst=self.tra_if.local_mac) /
400 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
401 dst=self.tra_if.local_ip4) /
404 self.send_and_expect(self.tra_if, [pkt], self.tra_if)
407 # out of window are dropped
408 # this is Case B. So VPP will consider this to be a high seq num wrap
409 # and so the decrypt attempt will fail
411 pkt = (Ether(src=self.tra_if.remote_mac,
412 dst=self.tra_if.local_mac) /
413 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
414 dst=self.tra_if.local_ip4) /
417 self.send_and_assert_no_replies(self.tra_if, pkt * 17)
420 # an out of window error with ESN looks like a high sequence
421 # wrap. but since it isn't then the verify will fail.
422 hash_failed_count += 17
423 self.assert_error_counter_equal(hash_failed_node_name,
428 self.assert_error_counter_equal(replay_node_name,
431 # valid packet moves the window over to 258
432 pkt = (Ether(src=self.tra_if.remote_mac,
433 dst=self.tra_if.local_mac) /
434 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
435 dst=self.tra_if.local_ip4) /
438 rx = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
439 decrypted = p.vpp_tra_sa.decrypt(rx[0][IP])
442 # move VPP's SA TX seq-num to just before the seq-number wrap.
443 # then fire in a packet that VPP should drop on TX because it
444 # causes the TX seq number to wrap; unless we're using extened sequence
447 self.vapi.cli("test ipsec sa %d seq 0xffffffff" % p.scapy_tra_sa_id)
448 self.logger.info(self.vapi.ppcli("show ipsec sa 0"))
449 self.logger.info(self.vapi.ppcli("show ipsec sa 1"))
451 pkts = [(Ether(src=self.tra_if.remote_mac,
452 dst=self.tra_if.local_mac) /
453 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
454 dst=self.tra_if.local_ip4) /
457 for seq in range(259, 280)]
460 rxs = self.send_and_expect(self.tra_if, pkts, self.tra_if)
463 # in order for scapy to decrypt its SA's high order number needs
466 p.vpp_tra_sa.seq_num = 0x100000000
468 decrypted = p.vpp_tra_sa.decrypt(rx[0][IP])
471 # wrap scapy's TX high sequence number. VPP is in case B, so it
472 # will consider this a high seq wrap also.
473 # The low seq num we set it to will place VPP's RX window in Case A
475 p.scapy_tra_sa.seq_num = 0x100000005
476 pkt = (Ether(src=self.tra_if.remote_mac,
477 dst=self.tra_if.local_mac) /
478 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
479 dst=self.tra_if.local_ip4) /
481 seq_num=0x100000005))
482 rx = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
483 decrypted = p.vpp_tra_sa.decrypt(rx[0][IP])
486 # A packet that has seq num between (2^32-64) and 5 is within
489 p.scapy_tra_sa.seq_num = 0xfffffffd
490 pkt = (Ether(src=self.tra_if.remote_mac,
491 dst=self.tra_if.local_mac) /
492 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
493 dst=self.tra_if.local_ip4) /
496 rx = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
497 decrypted = p.vpp_tra_sa.decrypt(rx[0][IP])
500 # While in case A we cannot wrap the high sequence number again
501 # becuase VPP will consider this packet to be one that moves the
504 pkt = (Ether(src=self.tra_if.remote_mac,
505 dst=self.tra_if.local_mac) /
506 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
507 dst=self.tra_if.local_ip4) /
509 seq_num=0x200000999))
510 self.send_and_assert_no_replies(self.tra_if, [pkt], self.tra_if)
512 hash_failed_count += 1
513 self.assert_error_counter_equal(hash_failed_node_name,
517 # but if we move the wondow forward to case B, then we can wrap
520 p.scapy_tra_sa.seq_num = 0x100000555
521 pkt = (Ether(src=self.tra_if.remote_mac,
522 dst=self.tra_if.local_mac) /
523 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
524 dst=self.tra_if.local_ip4) /
526 seq_num=0x100000555))
527 rx = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
528 decrypted = p.vpp_tra_sa.decrypt(rx[0][IP])
530 p.scapy_tra_sa.seq_num = 0x200000444
531 pkt = (Ether(src=self.tra_if.remote_mac,
532 dst=self.tra_if.local_mac) /
533 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
534 dst=self.tra_if.local_ip4) /
536 seq_num=0x200000444))
537 rx = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
538 decrypted = p.vpp_tra_sa.decrypt(rx[0][IP])
542 # without ESN TX sequence numbers can't wrap and packets are
543 # dropped from here on out.
545 self.send_and_assert_no_replies(self.tra_if, pkts)
546 seq_cycle_count += len(pkts)
547 self.assert_error_counter_equal(seq_cycle_node_name,
550 # move the security-associations seq number on to the last we used
551 self.vapi.cli("test ipsec sa %d seq 0x15f" % p.scapy_tra_sa_id)
552 p.scapy_tra_sa.seq_num = 351
553 p.vpp_tra_sa.seq_num = 351
555 def verify_tra_basic4(self, count=1):
556 """ ipsec v4 transport basic test """
557 self.vapi.cli("clear errors")
558 self.vapi.cli("clear ipsec sa")
560 p = self.params[socket.AF_INET]
561 send_pkts = self.gen_encrypt_pkts(p.scapy_tra_sa, self.tra_if,
562 src=self.tra_if.remote_ip4,
563 dst=self.tra_if.local_ip4,
565 recv_pkts = self.send_and_expect(self.tra_if, send_pkts,
568 self.assertEqual(len(rx) - len(Ether()), rx[IP].len)
569 self.assert_packet_checksums_valid(rx)
571 decrypted = p.vpp_tra_sa.decrypt(rx[IP])
572 self.assert_packet_checksums_valid(decrypted)
574 self.logger.debug(ppp("Unexpected packet:", rx))
577 self.logger.info(self.vapi.ppcli("show error"))
578 self.logger.info(self.vapi.ppcli("show ipsec all"))
580 pkts = p.tra_sa_in.get_stats()['packets']
581 self.assertEqual(pkts, count,
582 "incorrect SA in counts: expected %d != %d" %
584 pkts = p.tra_sa_out.get_stats()['packets']
585 self.assertEqual(pkts, count,
586 "incorrect SA out counts: expected %d != %d" %
589 self.assert_packet_counter_equal(self.tra4_encrypt_node_name, count)
590 self.assert_packet_counter_equal(self.tra4_decrypt_node_name, count)
593 class IpsecTra4Tests(IpsecTra4):
594 """ UT test methods for Transport v4 """
595 def test_tra_anti_replay(self):
596 """ ipsec v4 transport anti-reply test """
597 self.verify_tra_anti_replay()
599 def test_tra_basic(self, count=1):
600 """ ipsec v4 transport basic test """
601 self.verify_tra_basic4(count=1)
603 def test_tra_burst(self):
604 """ ipsec v4 transport burst test """
605 self.verify_tra_basic4(count=257)
608 class IpsecTra6(object):
609 """ verify methods for Transport v6 """
610 def verify_tra_basic6(self, count=1):
611 self.vapi.cli("clear errors")
613 p = self.params[socket.AF_INET6]
614 send_pkts = self.gen_encrypt_pkts6(p.scapy_tra_sa, self.tra_if,
615 src=self.tra_if.remote_ip6,
616 dst=self.tra_if.local_ip6,
618 recv_pkts = self.send_and_expect(self.tra_if, send_pkts,
621 self.assertEqual(len(rx) - len(Ether()) - len(IPv6()),
624 decrypted = p.vpp_tra_sa.decrypt(rx[IPv6])
625 self.assert_packet_checksums_valid(decrypted)
627 self.logger.debug(ppp("Unexpected packet:", rx))
630 self.logger.info(self.vapi.ppcli("show error"))
631 self.logger.info(self.vapi.ppcli("show ipsec all"))
633 pkts = p.tra_sa_in.get_stats()['packets']
634 self.assertEqual(pkts, count,
635 "incorrect SA in counts: expected %d != %d" %
637 pkts = p.tra_sa_out.get_stats()['packets']
638 self.assertEqual(pkts, count,
639 "incorrect SA out counts: expected %d != %d" %
641 self.assert_packet_counter_equal(self.tra6_encrypt_node_name, count)
642 self.assert_packet_counter_equal(self.tra6_decrypt_node_name, count)
645 class IpsecTra6Tests(IpsecTra6):
646 """ UT test methods for Transport v6 """
647 def test_tra_basic6(self):
648 """ ipsec v6 transport basic test """
649 self.verify_tra_basic6(count=1)
651 def test_tra_burst6(self):
652 """ ipsec v6 transport burst test """
653 self.verify_tra_basic6(count=257)
656 class IpsecTra46Tests(IpsecTra4Tests, IpsecTra6Tests):
657 """ UT test methods for Transport v6 and v4"""
661 class IpsecTun4(object):
662 """ verify methods for Tunnel v4 """
663 def verify_counters4(self, p, count, n_frags=None, worker=None):
666 if (hasattr(p, "spd_policy_in_any")):
667 pkts = p.spd_policy_in_any.get_stats(worker)['packets']
668 self.assertEqual(pkts, count,
669 "incorrect SPD any policy: expected %d != %d" %
672 if (hasattr(p, "tun_sa_in")):
673 pkts = p.tun_sa_in.get_stats(worker)['packets']
674 self.assertEqual(pkts, count,
675 "incorrect SA in counts: expected %d != %d" %
677 pkts = p.tun_sa_out.get_stats(worker)['packets']
678 self.assertEqual(pkts, count,
679 "incorrect SA out counts: expected %d != %d" %
682 self.assert_packet_counter_equal(self.tun4_encrypt_node_name, n_frags)
683 self.assert_packet_counter_equal(self.tun4_decrypt_node_name, count)
685 def verify_decrypted(self, p, rxs):
687 self.assert_equal(rx[IP].src, p.remote_tun_if_host)
688 self.assert_equal(rx[IP].dst, self.pg1.remote_ip4)
689 self.assert_packet_checksums_valid(rx)
691 def verify_encrypted(self, p, sa, rxs):
695 self.assertEqual(rx[UDP].dport, 4500)
696 self.assert_packet_checksums_valid(rx)
697 self.assertEqual(len(rx) - len(Ether()), rx[IP].len)
699 decrypt_pkt = p.vpp_tun_sa.decrypt(rx[IP])
700 if not decrypt_pkt.haslayer(IP):
701 decrypt_pkt = IP(decrypt_pkt[Raw].load)
702 decrypt_pkts.append(decrypt_pkt)
703 self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip4)
704 self.assert_equal(decrypt_pkt.dst, p.remote_tun_if_host)
706 self.logger.debug(ppp("Unexpected packet:", rx))
708 self.logger.debug(ppp("Decrypted packet:", decrypt_pkt))
712 pkts = reassemble4(decrypt_pkts)
714 self.assert_packet_checksums_valid(pkt)
716 def verify_tun_44(self, p, count=1, payload_size=64, n_rx=None):
717 self.vapi.cli("clear errors")
721 send_pkts = self.gen_encrypt_pkts(p.scapy_tun_sa, self.tun_if,
722 src=p.remote_tun_if_host,
723 dst=self.pg1.remote_ip4,
725 recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1)
726 self.verify_decrypted(p, recv_pkts)
728 send_pkts = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4,
729 dst=p.remote_tun_if_host, count=count,
730 payload_size=payload_size)
731 recv_pkts = self.send_and_expect(self.pg1, send_pkts,
733 self.verify_encrypted(p, p.vpp_tun_sa, recv_pkts)
736 self.logger.info(self.vapi.ppcli("show error"))
737 self.logger.info(self.vapi.ppcli("show ipsec all"))
739 self.verify_counters4(p, count, n_rx)
741 def verify_tun_reass_44(self, p):
742 self.vapi.cli("clear errors")
743 self.vapi.ip_reassembly_enable_disable(
744 sw_if_index=self.tun_if.sw_if_index, enable_ip4=True)
747 send_pkts = self.gen_encrypt_pkts(p.scapy_tun_sa, self.tun_if,
748 src=p.remote_tun_if_host,
749 dst=self.pg1.remote_ip4,
752 send_pkts = fragment_rfc791(send_pkts[0], 1400)
753 recv_pkts = self.send_and_expect(self.tun_if, send_pkts,
755 self.verify_decrypted(p, recv_pkts)
757 send_pkts = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4,
758 dst=p.remote_tun_if_host, count=1)
759 recv_pkts = self.send_and_expect(self.pg1, send_pkts,
761 self.verify_encrypted(p, p.vpp_tun_sa, recv_pkts)
764 self.logger.info(self.vapi.ppcli("show error"))
765 self.logger.info(self.vapi.ppcli("show ipsec all"))
767 self.verify_counters4(p, 1, 1)
768 self.vapi.ip_reassembly_enable_disable(
769 sw_if_index=self.tun_if.sw_if_index, enable_ip4=False)
771 def verify_tun_64(self, p, count=1):
772 self.vapi.cli("clear errors")
774 send_pkts = self.gen_encrypt_pkts6(p.scapy_tun_sa, self.tun_if,
775 src=p.remote_tun_if_host6,
776 dst=self.pg1.remote_ip6,
778 recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1)
779 for recv_pkt in recv_pkts:
780 self.assert_equal(recv_pkt[IPv6].src, p.remote_tun_if_host6)
781 self.assert_equal(recv_pkt[IPv6].dst, self.pg1.remote_ip6)
782 self.assert_packet_checksums_valid(recv_pkt)
783 send_pkts = self.gen_pkts6(self.pg1, src=self.pg1.remote_ip6,
784 dst=p.remote_tun_if_host6, count=count)
785 recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.tun_if)
786 for recv_pkt in recv_pkts:
788 decrypt_pkt = p.vpp_tun_sa.decrypt(recv_pkt[IP])
789 if not decrypt_pkt.haslayer(IPv6):
790 decrypt_pkt = IPv6(decrypt_pkt[Raw].load)
791 self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip6)
792 self.assert_equal(decrypt_pkt.dst, p.remote_tun_if_host6)
793 self.assert_packet_checksums_valid(decrypt_pkt)
795 self.logger.error(ppp("Unexpected packet:", recv_pkt))
798 ppp("Decrypted packet:", decrypt_pkt))
803 self.logger.info(self.vapi.ppcli("show error"))
804 self.logger.info(self.vapi.ppcli("show ipsec all"))
806 self.verify_counters4(p, count)
808 def verify_keepalive(self, p):
809 pkt = (Ether(src=self.tun_if.remote_mac, dst=self.tun_if.local_mac) /
810 IP(src=p.remote_tun_if_host, dst=self.tun_if.local_ip4) /
811 UDP(sport=333, dport=4500) /
813 self.send_and_assert_no_replies(self.tun_if, pkt*31)
814 self.assert_error_counter_equal(
815 '/err/%s/NAT Keepalive' % self.tun4_input_node, 31)
817 pkt = (Ether(src=self.tun_if.remote_mac, dst=self.tun_if.local_mac) /
818 IP(src=p.remote_tun_if_host, dst=self.tun_if.local_ip4) /
819 UDP(sport=333, dport=4500) /
821 self.send_and_assert_no_replies(self.tun_if, pkt*31)
822 self.assert_error_counter_equal(
823 '/err/%s/Too Short' % self.tun4_input_node, 31)
826 class IpsecTun4Tests(IpsecTun4):
827 """ UT test methods for Tunnel v4 """
828 def test_tun_basic44(self):
829 """ ipsec 4o4 tunnel basic test """
830 self.verify_tun_44(self.params[socket.AF_INET], count=1)
832 def test_tun_reass_basic44(self):
833 """ ipsec 4o4 tunnel basic reassembly test """
834 self.verify_tun_reass_44(self.params[socket.AF_INET])
836 def test_tun_burst44(self):
837 """ ipsec 4o4 tunnel burst test """
838 self.verify_tun_44(self.params[socket.AF_INET], count=257)
841 class IpsecTun6(object):
842 """ verify methods for Tunnel v6 """
843 def verify_counters6(self, p_in, p_out, count, worker=None):
844 if (hasattr(p_in, "tun_sa_in")):
845 pkts = p_in.tun_sa_in.get_stats(worker)['packets']
846 self.assertEqual(pkts, count,
847 "incorrect SA in counts: expected %d != %d" %
849 if (hasattr(p_out, "tun_sa_out")):
850 pkts = p_out.tun_sa_out.get_stats(worker)['packets']
851 self.assertEqual(pkts, count,
852 "incorrect SA out counts: expected %d != %d" %
854 self.assert_packet_counter_equal(self.tun6_encrypt_node_name, count)
855 self.assert_packet_counter_equal(self.tun6_decrypt_node_name, count)
857 def verify_decrypted6(self, p, rxs):
859 self.assert_equal(rx[IPv6].src, p.remote_tun_if_host)
860 self.assert_equal(rx[IPv6].dst, self.pg1.remote_ip6)
861 self.assert_packet_checksums_valid(rx)
863 def verify_encrypted6(self, p, sa, rxs):
865 self.assert_packet_checksums_valid(rx)
866 self.assertEqual(len(rx) - len(Ether()) - len(IPv6()),
869 decrypt_pkt = p.vpp_tun_sa.decrypt(rx[IPv6])
870 if not decrypt_pkt.haslayer(IPv6):
871 decrypt_pkt = IPv6(decrypt_pkt[Raw].load)
872 self.assert_packet_checksums_valid(decrypt_pkt)
873 self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip6)
874 self.assert_equal(decrypt_pkt.dst, p.remote_tun_if_host)
876 self.logger.debug(ppp("Unexpected packet:", rx))
878 self.logger.debug(ppp("Decrypted packet:", decrypt_pkt))
883 def verify_drop_tun_66(self, p_in, count=1, payload_size=64):
884 self.vapi.cli("clear errors")
885 self.vapi.cli("clear ipsec sa")
887 send_pkts = self.gen_encrypt_pkts6(p_in.scapy_tun_sa, self.tun_if,
888 src=p_in.remote_tun_if_host,
889 dst=self.pg1.remote_ip6,
891 self.send_and_assert_no_replies(self.tun_if, send_pkts)
892 self.logger.info(self.vapi.cli("sh punt stats"))
894 def verify_tun_66(self, p_in, p_out=None, count=1, payload_size=64):
895 self.vapi.cli("clear errors")
896 self.vapi.cli("clear ipsec sa")
900 send_pkts = self.gen_encrypt_pkts6(p_in.scapy_tun_sa, self.tun_if,
901 src=p_in.remote_tun_if_host,
902 dst=self.pg1.remote_ip6,
904 recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1)
905 self.verify_decrypted6(p_in, recv_pkts)
907 send_pkts = self.gen_pkts6(self.pg1, src=self.pg1.remote_ip6,
908 dst=p_out.remote_tun_if_host,
910 payload_size=payload_size)
911 recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.tun_if)
912 self.verify_encrypted6(p_out, p_out.vpp_tun_sa, recv_pkts)
915 self.logger.info(self.vapi.ppcli("show error"))
916 self.logger.info(self.vapi.ppcli("show ipsec all"))
917 self.verify_counters6(p_in, p_out, count)
919 def verify_tun_reass_66(self, p):
920 self.vapi.cli("clear errors")
921 self.vapi.ip_reassembly_enable_disable(
922 sw_if_index=self.tun_if.sw_if_index, enable_ip6=True)
925 send_pkts = self.gen_encrypt_pkts6(p.scapy_tun_sa, self.tun_if,
926 src=p.remote_tun_if_host,
927 dst=self.pg1.remote_ip6,
930 send_pkts = fragment_rfc8200(send_pkts[0], 1, 1400, self.logger)
931 recv_pkts = self.send_and_expect(self.tun_if, send_pkts,
933 self.verify_decrypted6(p, recv_pkts)
935 send_pkts = self.gen_pkts6(self.pg1, src=self.pg1.remote_ip6,
936 dst=p.remote_tun_if_host,
939 recv_pkts = self.send_and_expect(self.pg1, send_pkts,
941 self.verify_encrypted6(p, p.vpp_tun_sa, recv_pkts)
943 self.logger.info(self.vapi.ppcli("show error"))
944 self.logger.info(self.vapi.ppcli("show ipsec all"))
945 self.verify_counters6(p, p, 1)
946 self.vapi.ip_reassembly_enable_disable(
947 sw_if_index=self.tun_if.sw_if_index, enable_ip6=False)
949 def verify_tun_46(self, p, count=1):
950 """ ipsec 4o6 tunnel basic test """
951 self.vapi.cli("clear errors")
953 send_pkts = self.gen_encrypt_pkts(p.scapy_tun_sa, self.tun_if,
954 src=p.remote_tun_if_host4,
955 dst=self.pg1.remote_ip4,
957 recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1)
958 for recv_pkt in recv_pkts:
959 self.assert_equal(recv_pkt[IP].src, p.remote_tun_if_host4)
960 self.assert_equal(recv_pkt[IP].dst, self.pg1.remote_ip4)
961 self.assert_packet_checksums_valid(recv_pkt)
962 send_pkts = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4,
963 dst=p.remote_tun_if_host4,
965 recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.tun_if)
966 for recv_pkt in recv_pkts:
968 decrypt_pkt = p.vpp_tun_sa.decrypt(recv_pkt[IPv6])
969 if not decrypt_pkt.haslayer(IP):
970 decrypt_pkt = IP(decrypt_pkt[Raw].load)
971 self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip4)
972 self.assert_equal(decrypt_pkt.dst, p.remote_tun_if_host4)
973 self.assert_packet_checksums_valid(decrypt_pkt)
975 self.logger.debug(ppp("Unexpected packet:", recv_pkt))
977 self.logger.debug(ppp("Decrypted packet:",
983 self.logger.info(self.vapi.ppcli("show error"))
984 self.logger.info(self.vapi.ppcli("show ipsec all"))
985 self.verify_counters6(p, p, count)
988 class IpsecTun6Tests(IpsecTun6):
989 """ UT test methods for Tunnel v6 """
991 def test_tun_basic66(self):
992 """ ipsec 6o6 tunnel basic test """
993 self.verify_tun_66(self.params[socket.AF_INET6], count=1)
995 def test_tun_reass_basic66(self):
996 """ ipsec 6o6 tunnel basic reassembly test """
997 self.verify_tun_reass_66(self.params[socket.AF_INET6])
999 def test_tun_burst66(self):
1000 """ ipsec 6o6 tunnel burst test """
1001 self.verify_tun_66(self.params[socket.AF_INET6], count=257)
1004 class IpsecTun6HandoffTests(IpsecTun6):
1005 """ UT test methods for Tunnel v6 with multiple workers """
1006 worker_config = "workers 2"
1008 def test_tun_handoff_66(self):
1009 """ ipsec 6o6 tunnel worker hand-off test """
1011 p = self.params[socket.AF_INET6]
1013 # inject alternately on worker 0 and 1. all counts on the SA
1014 # should be against worker 0
1015 for worker in [0, 1, 0, 1]:
1016 send_pkts = self.gen_encrypt_pkts6(p.scapy_tun_sa, self.tun_if,
1017 src=p.remote_tun_if_host,
1018 dst=self.pg1.remote_ip6,
1020 recv_pkts = self.send_and_expect(self.tun_if, send_pkts,
1021 self.pg1, worker=worker)
1022 self.verify_decrypted6(p, recv_pkts)
1024 send_pkts = self.gen_pkts6(self.pg1, src=self.pg1.remote_ip6,
1025 dst=p.remote_tun_if_host,
1027 recv_pkts = self.send_and_expect(self.pg1, send_pkts,
1028 self.tun_if, worker=worker)
1029 self.verify_encrypted6(p, p.vpp_tun_sa, recv_pkts)
1031 # all counts against the first worker that was used
1032 self.verify_counters6(p, p, 4*N_PKTS, worker=0)
1035 class IpsecTun4HandoffTests(IpsecTun4):
1036 """ UT test methods for Tunnel v4 with multiple workers """
1037 worker_config = "workers 2"
1039 def test_tun_handooff_44(self):
1040 """ ipsec 4o4 tunnel worker hand-off test """
1042 p = self.params[socket.AF_INET]
1044 # inject alternately on worker 0 and 1. all counts on the SA
1045 # should be against worker 0
1046 for worker in [0, 1, 0, 1]:
1047 send_pkts = self.gen_encrypt_pkts(p.scapy_tun_sa, self.tun_if,
1048 src=p.remote_tun_if_host,
1049 dst=self.pg1.remote_ip4,
1051 recv_pkts = self.send_and_expect(self.tun_if, send_pkts,
1052 self.pg1, worker=worker)
1053 self.verify_decrypted(p, recv_pkts)
1055 send_pkts = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4,
1056 dst=p.remote_tun_if_host,
1058 recv_pkts = self.send_and_expect(self.pg1, send_pkts,
1059 self.tun_if, worker=worker)
1060 self.verify_encrypted(p, p.vpp_tun_sa, recv_pkts)
1062 # all counts against the first worker that was used
1063 self.verify_counters4(p, 4*N_PKTS, worker=0)
1066 class IpsecTun46Tests(IpsecTun4Tests, IpsecTun6Tests):
1067 """ UT test methods for Tunnel v6 & v4 """
1071 if __name__ == '__main__':
1072 unittest.main(testRunner=VppTestRunner)