5 from scapy.layers.inet import IP, ICMP, TCP, UDP
6 from scapy.layers.ipsec import SecurityAssociation, ESP
7 from scapy.layers.l2 import Ether
8 from scapy.packet import raw, Raw
9 from scapy.layers.inet6 import IPv6, ICMPv6EchoRequest, IPv6ExtHdrHopByHop, \
10 IPv6ExtHdrFragment, IPv6ExtHdrDestOpt
13 from framework import VppTestCase, VppTestRunner
14 from util import ppp, reassemble4, fragment_rfc791, fragment_rfc8200
15 from vpp_papi import VppEnum
17 from vpp_ipsec import VppIpsecSpd, VppIpsecSpdEntry, \
19 from ipaddress import ip_address
24 class IPsecIPv4Params:
26 addr_type = socket.AF_INET
28 addr_bcast = "255.255.255.255"
33 self.remote_tun_if_host = '1.1.1.1'
34 self.remote_tun_if_host6 = '1111::1'
36 self.scapy_tun_sa_id = 100
37 self.scapy_tun_spi = 1000
38 self.vpp_tun_sa_id = 200
39 self.vpp_tun_spi = 2000
41 self.scapy_tra_sa_id = 300
42 self.scapy_tra_spi = 3000
43 self.vpp_tra_sa_id = 400
44 self.vpp_tra_spi = 4000
46 self.outer_hop_limit = 64
47 self.inner_hop_limit = 255
48 self.outer_flow_label = 0
49 self.inner_flow_label = 0x12345
51 self.auth_algo_vpp_id = (VppEnum.vl_api_ipsec_integ_alg_t.
52 IPSEC_API_INTEG_ALG_SHA1_96)
53 self.auth_algo = 'HMAC-SHA1-96' # scapy name
54 self.auth_key = b'C91KUR9GYMm5GfkEvNjX'
56 self.crypt_algo_vpp_id = (VppEnum.vl_api_ipsec_crypto_alg_t.
57 IPSEC_API_CRYPTO_ALG_AES_CBC_128)
58 self.crypt_algo = 'AES-CBC' # scapy name
59 self.crypt_key = b'JPjyOWBeVEQiMe7h'
62 self.nat_header = None
63 self.tun_flags = (VppEnum.vl_api_tunnel_encap_decap_flags_t.
64 TUNNEL_API_ENCAP_DECAP_FLAG_NONE)
66 self.async_mode = False
69 class IPsecIPv6Params:
71 addr_type = socket.AF_INET6
73 addr_bcast = "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"
78 self.remote_tun_if_host = '1111:1111:1111:1111:1111:1111:1111:1111'
79 self.remote_tun_if_host4 = '1.1.1.1'
81 self.scapy_tun_sa_id = 500
82 self.scapy_tun_spi = 3001
83 self.vpp_tun_sa_id = 600
84 self.vpp_tun_spi = 3000
86 self.scapy_tra_sa_id = 700
87 self.scapy_tra_spi = 4001
88 self.vpp_tra_sa_id = 800
89 self.vpp_tra_spi = 4000
91 self.outer_hop_limit = 64
92 self.inner_hop_limit = 255
93 self.outer_flow_label = 0
94 self.inner_flow_label = 0x12345
96 self.auth_algo_vpp_id = (VppEnum.vl_api_ipsec_integ_alg_t.
97 IPSEC_API_INTEG_ALG_SHA1_96)
98 self.auth_algo = 'HMAC-SHA1-96' # scapy name
99 self.auth_key = b'C91KUR9GYMm5GfkEvNjX'
101 self.crypt_algo_vpp_id = (VppEnum.vl_api_ipsec_crypto_alg_t.
102 IPSEC_API_CRYPTO_ALG_AES_CBC_128)
103 self.crypt_algo = 'AES-CBC' # scapy name
104 self.crypt_key = b'JPjyOWBeVEQiMe7h'
107 self.nat_header = None
108 self.tun_flags = (VppEnum.vl_api_tunnel_encap_decap_flags_t.
109 TUNNEL_API_ENCAP_DECAP_FLAG_NONE)
111 self.async_mode = False
114 def mk_scapy_crypt_key(p):
115 if p.crypt_algo in ("AES-GCM", "AES-CTR"):
116 return p.crypt_key + struct.pack("!I", p.salt)
121 def config_tun_params(p, encryption_type, tun_if):
122 ip_class_by_addr_type = {socket.AF_INET: IP, socket.AF_INET6: IPv6}
123 esn_en = bool(p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.
124 IPSEC_API_SAD_FLAG_USE_ESN))
125 p.tun_dst = tun_if.remote_addr[p.addr_type]
126 p.tun_src = tun_if.local_addr[p.addr_type]
127 crypt_key = mk_scapy_crypt_key(p)
128 p.scapy_tun_sa = SecurityAssociation(
129 encryption_type, spi=p.vpp_tun_spi,
130 crypt_algo=p.crypt_algo,
132 auth_algo=p.auth_algo, auth_key=p.auth_key,
133 tunnel_header=ip_class_by_addr_type[p.addr_type](
136 nat_t_header=p.nat_header,
138 p.vpp_tun_sa = SecurityAssociation(
139 encryption_type, spi=p.scapy_tun_spi,
140 crypt_algo=p.crypt_algo,
142 auth_algo=p.auth_algo, auth_key=p.auth_key,
143 tunnel_header=ip_class_by_addr_type[p.addr_type](
146 nat_t_header=p.nat_header,
150 def config_tra_params(p, encryption_type):
151 esn_en = bool(p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.
152 IPSEC_API_SAD_FLAG_USE_ESN))
153 crypt_key = mk_scapy_crypt_key(p)
154 p.scapy_tra_sa = SecurityAssociation(
157 crypt_algo=p.crypt_algo,
159 auth_algo=p.auth_algo,
161 nat_t_header=p.nat_header,
163 p.vpp_tra_sa = SecurityAssociation(
166 crypt_algo=p.crypt_algo,
168 auth_algo=p.auth_algo,
170 nat_t_header=p.nat_header,
174 class TemplateIpsec(VppTestCase):
179 |tra_if| <-------> |VPP|
184 ------ encrypt --- plain ---
185 |tun_if| <------- |VPP| <------ |pg1|
188 ------ decrypt --- plain ---
189 |tun_if| -------> |VPP| ------> |pg1|
195 def ipsec_select_backend(self):
196 """ empty method to be overloaded when necessary """
201 super(TemplateIpsec, cls).setUpClass()
204 def tearDownClass(cls):
205 super(TemplateIpsec, cls).tearDownClass()
207 def setup_params(self):
208 if not hasattr(self, 'ipv4_params'):
209 self.ipv4_params = IPsecIPv4Params()
210 if not hasattr(self, 'ipv6_params'):
211 self.ipv6_params = IPsecIPv6Params()
212 self.params = {self.ipv4_params.addr_type: self.ipv4_params,
213 self.ipv6_params.addr_type: self.ipv6_params}
215 def config_interfaces(self):
216 self.create_pg_interfaces(range(3))
217 self.interfaces = list(self.pg_interfaces)
218 for i in self.interfaces:
226 super(TemplateIpsec, self).setUp()
230 self.vpp_esp_protocol = (VppEnum.vl_api_ipsec_proto_t.
232 self.vpp_ah_protocol = (VppEnum.vl_api_ipsec_proto_t.
235 self.config_interfaces()
237 self.ipsec_select_backend()
239 def unconfig_interfaces(self):
240 for i in self.interfaces:
246 super(TemplateIpsec, self).tearDown()
248 self.unconfig_interfaces()
250 def show_commands_at_teardown(self):
251 self.logger.info(self.vapi.cli("show hardware"))
253 def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1,
255 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
256 sa.encrypt(IP(src=src, dst=dst) /
257 ICMP() / Raw(b'X' * payload_size))
258 for i in range(count)]
260 def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1,
262 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
263 sa.encrypt(IPv6(src=src, dst=dst,
264 hlim=p.inner_hop_limit,
265 fl=p.inner_flow_label) /
266 ICMPv6EchoRequest(id=0, seq=1,
267 data='X' * payload_size))
268 for i in range(count)]
270 def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=54):
271 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
272 IP(src=src, dst=dst) / ICMP() / Raw(b'X' * payload_size)
273 for i in range(count)]
275 def gen_pkts6(self, p, sw_intf, src, dst, count=1, payload_size=54):
276 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
277 IPv6(src=src, dst=dst,
278 hlim=p.inner_hop_limit, fl=p.inner_flow_label) /
279 ICMPv6EchoRequest(id=0, seq=1, data='X' * payload_size)
280 for i in range(count)]
283 class IpsecTcp(object):
284 def verify_tcp_checksum(self):
285 # start http cli server listener on http://0.0.0.0:80
286 self.vapi.cli("http cli server")
287 p = self.params[socket.AF_INET]
288 send = (Ether(src=self.tun_if.remote_mac, dst=self.tun_if.local_mac) /
289 p.scapy_tun_sa.encrypt(IP(src=p.remote_tun_if_host,
290 dst=self.tun_if.local_ip4) /
291 TCP(flags='S', dport=80)))
292 self.logger.debug(ppp("Sending packet:", send))
293 recv = self.send_and_expect(self.tun_if, [send], self.tun_if)
295 decrypted = p.vpp_tun_sa.decrypt(recv[IP])
296 self.assert_packet_checksums_valid(decrypted)
299 class IpsecTcpTests(IpsecTcp):
300 def test_tcp_checksum(self):
301 """ verify checksum correctness for vpp generated packets """
302 self.verify_tcp_checksum()
305 class IpsecTra4(object):
306 """ verify methods for Transport v4 """
307 def get_replay_counts(self, p):
308 replay_node_name = ('/err/%s/SA replayed packet' %
309 self.tra4_decrypt_node_name[0])
310 count = self.statistics.get_err_counter(replay_node_name)
313 replay_post_node_name = ('/err/%s/SA replayed packet' %
314 self.tra4_decrypt_node_name[p.async_mode])
315 count += self.statistics.get_err_counter(replay_post_node_name)
319 def get_hash_failed_counts(self, p):
320 if ESP == self.encryption_type and p.crypt_algo == "AES-GCM":
321 hash_failed_node_name = ('/err/%s/ESP decryption failed' %
322 self.tra4_decrypt_node_name[p.async_mode])
324 hash_failed_node_name = ('/err/%s/Integrity check failed' %
325 self.tra4_decrypt_node_name[p.async_mode])
326 count = self.statistics.get_err_counter(hash_failed_node_name)
329 count += self.statistics.get_err_counter(
330 '/err/crypto-dispatch/bad-hmac')
334 def verify_hi_seq_num(self):
335 p = self.params[socket.AF_INET]
336 saf = VppEnum.vl_api_ipsec_sad_flags_t
337 esn_on = p.vpp_tra_sa.esn_en
338 ar_on = p.flags & saf.IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY
340 seq_cycle_node_name = \
341 ('/err/%s/sequence number cycled (packet dropped)' %
342 self.tra4_encrypt_node_name)
343 replay_count = self.get_replay_counts(p)
344 hash_failed_count = self.get_hash_failed_counts(p)
345 seq_cycle_count = self.statistics.get_err_counter(seq_cycle_node_name)
347 # a few packets so we get the rx seq number above the window size and
348 # thus can simulate a wrap with an out of window packet
349 pkts = [(Ether(src=self.tra_if.remote_mac,
350 dst=self.tra_if.local_mac) /
351 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
352 dst=self.tra_if.local_ip4) /
355 for seq in range(63, 80)]
356 recv_pkts = self.send_and_expect(self.tra_if, pkts, self.tra_if)
358 # these 4 packets will all choose seq-num 0 to decrpyt since none
359 # are out of window when first checked. however, once #200 has
360 # decrypted it will move the window to 200 and has #81 is out of
361 # window. this packet should be dropped.
362 pkts = [(Ether(src=self.tra_if.remote_mac,
363 dst=self.tra_if.local_mac) /
364 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
365 dst=self.tra_if.local_ip4) /
368 (Ether(src=self.tra_if.remote_mac,
369 dst=self.tra_if.local_mac) /
370 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
371 dst=self.tra_if.local_ip4) /
374 (Ether(src=self.tra_if.remote_mac,
375 dst=self.tra_if.local_mac) /
376 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
377 dst=self.tra_if.local_ip4) /
380 (Ether(src=self.tra_if.remote_mac,
381 dst=self.tra_if.local_mac) /
382 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
383 dst=self.tra_if.local_ip4) /
387 # if anti-replay is off then we won't drop #81
388 n_rx = 3 if ar_on else 4
389 self.send_and_expect(self.tra_if, pkts, self.tra_if, n_rx=n_rx)
390 # this packet is one before the wrap
391 pkts = [(Ether(src=self.tra_if.remote_mac,
392 dst=self.tra_if.local_mac) /
393 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
394 dst=self.tra_if.local_ip4) /
397 recv_pkts = self.send_and_expect(self.tra_if, pkts, self.tra_if)
399 # move the window over half way to a wrap
400 pkts = [(Ether(src=self.tra_if.remote_mac,
401 dst=self.tra_if.local_mac) /
402 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
403 dst=self.tra_if.local_ip4) /
405 seq_num=0x80000001))]
406 recv_pkts = self.send_and_expect(self.tra_if, pkts, self.tra_if)
408 # anti-replay will drop old packets, no anti-replay will not
409 pkts = [(Ether(src=self.tra_if.remote_mac,
410 dst=self.tra_if.local_mac) /
411 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
412 dst=self.tra_if.local_ip4) /
414 seq_num=0x44000001))]
417 self.send_and_assert_no_replies(self.tra_if, pkts)
419 recv_pkts = self.send_and_expect(self.tra_if, pkts, self.tra_if)
423 # validate wrapping the ESN
426 # wrap scapy's TX SA SN
427 p.scapy_tra_sa.seq_num = 0x100000005
429 # send a packet that wraps the window for both AR and no AR
430 pkts = [(Ether(src=self.tra_if.remote_mac,
431 dst=self.tra_if.local_mac) /
432 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
433 dst=self.tra_if.local_ip4) /
435 seq_num=0x100000005))]
437 rxs = self.send_and_expect(self.tra_if, pkts, self.tra_if)
439 decrypted = p.vpp_tra_sa.decrypt(rx[0][IP])
441 # move the window forward to half way to the next wrap
442 pkts = [(Ether(src=self.tra_if.remote_mac,
443 dst=self.tra_if.local_mac) /
444 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
445 dst=self.tra_if.local_ip4) /
447 seq_num=0x180000005))]
449 rxs = self.send_and_expect(self.tra_if, pkts, self.tra_if)
451 # a packet less than 2^30 from the current position is:
452 # - AR: out of window and dropped
454 pkts = [(Ether(src=self.tra_if.remote_mac,
455 dst=self.tra_if.local_mac) /
456 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
457 dst=self.tra_if.local_ip4) /
459 seq_num=0x170000005))]
462 self.send_and_assert_no_replies(self.tra_if, pkts)
464 self.send_and_expect(self.tra_if, pkts, self.tra_if)
466 # a packet more than 2^30 from the current position is:
467 # - AR: out of window and dropped
468 # - non-AR: considered a wrap, but since it's not a wrap
469 # it won't decrpyt and so will be dropped
470 pkts = [(Ether(src=self.tra_if.remote_mac,
471 dst=self.tra_if.local_mac) /
472 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
473 dst=self.tra_if.local_ip4) /
475 seq_num=0x130000005))]
477 self.send_and_assert_no_replies(self.tra_if, pkts)
479 # a packet less than 2^30 from the current position and is a
480 # wrap; (the seq is currently at 0x180000005).
481 # - AR: out of window so considered a wrap, so accepted
482 # - non-AR: not considered a wrap, so won't decrypt
483 p.scapy_tra_sa.seq_num = 0x260000005
484 pkts = [(Ether(src=self.tra_if.remote_mac,
485 dst=self.tra_if.local_mac) /
486 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
487 dst=self.tra_if.local_ip4) /
489 seq_num=0x260000005))]
491 self.send_and_expect(self.tra_if, pkts, self.tra_if)
493 self.send_and_assert_no_replies(self.tra_if, pkts)
496 # window positions are different now for AR/non-AR
497 # move non-AR forward
500 # a packet more than 2^30 from the current position and is a
501 # wrap; (the seq is currently at 0x180000005).
503 # - non-AR: not considered a wrap, so won't decrypt
505 pkts = [(Ether(src=self.tra_if.remote_mac,
506 dst=self.tra_if.local_mac) /
507 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
508 dst=self.tra_if.local_ip4) /
510 seq_num=0x200000005)),
511 (Ether(src=self.tra_if.remote_mac,
512 dst=self.tra_if.local_mac) /
513 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
514 dst=self.tra_if.local_ip4) /
516 seq_num=0x200000006))]
517 self.send_and_expect(self.tra_if, pkts, self.tra_if)
519 pkts = [(Ether(src=self.tra_if.remote_mac,
520 dst=self.tra_if.local_mac) /
521 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
522 dst=self.tra_if.local_ip4) /
524 seq_num=0x260000005))]
525 self.send_and_expect(self.tra_if, pkts, self.tra_if)
527 def verify_tra_anti_replay(self):
528 p = self.params[socket.AF_INET]
529 esn_en = p.vpp_tra_sa.esn_en
531 seq_cycle_node_name = \
532 ('/err/%s/sequence number cycled (packet dropped)' %
533 self.tra4_encrypt_node_name)
534 replay_count = self.get_replay_counts(p)
535 hash_failed_count = self.get_hash_failed_counts(p)
536 seq_cycle_count = self.statistics.get_err_counter(seq_cycle_node_name)
538 if ESP == self.encryption_type:
539 undersize_node_name = ('/err/%s/undersized packet' %
540 self.tra4_decrypt_node_name[0])
541 undersize_count = self.statistics.get_err_counter(
545 # send packets with seq numbers 1->34
546 # this means the window size is still in Case B (see RFC4303
549 # for reasons i haven't investigated Scapy won't create a packet with
552 pkts = [(Ether(src=self.tra_if.remote_mac,
553 dst=self.tra_if.local_mac) /
554 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
555 dst=self.tra_if.local_ip4) /
558 for seq in range(1, 34)]
559 recv_pkts = self.send_and_expect(self.tra_if, pkts, self.tra_if)
561 # replayed packets are dropped
562 self.send_and_assert_no_replies(self.tra_if, pkts, timeout=0.2)
563 replay_count += len(pkts)
564 self.assertEqual(self.get_replay_counts(p), replay_count)
567 # now send a batch of packets all with the same sequence number
568 # the first packet in the batch is legitimate, the rest bogus
570 self.vapi.cli("clear error")
571 self.vapi.cli("clear node counters")
572 pkts = (Ether(src=self.tra_if.remote_mac,
573 dst=self.tra_if.local_mac) /
574 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
575 dst=self.tra_if.local_ip4) /
578 recv_pkts = self.send_and_expect(self.tra_if, pkts * 8,
581 self.assertEqual(self.get_replay_counts(p), replay_count)
584 # now move the window over to 257 (more than one byte) and into Case A
586 self.vapi.cli("clear error")
587 pkt = (Ether(src=self.tra_if.remote_mac,
588 dst=self.tra_if.local_mac) /
589 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
590 dst=self.tra_if.local_ip4) /
593 recv_pkts = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
595 # replayed packets are dropped
596 self.send_and_assert_no_replies(self.tra_if, pkt * 3, timeout=0.2)
598 self.assertEqual(self.get_replay_counts(p), replay_count)
600 # the window size is 64 packets
601 # in window are still accepted
602 pkt = (Ether(src=self.tra_if.remote_mac,
603 dst=self.tra_if.local_mac) /
604 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
605 dst=self.tra_if.local_ip4) /
608 recv_pkts = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
610 # a packet that does not decrypt does not move the window forward
611 bogus_sa = SecurityAssociation(self.encryption_type,
613 crypt_algo=p.crypt_algo,
614 crypt_key=mk_scapy_crypt_key(p)[::-1],
615 auth_algo=p.auth_algo,
616 auth_key=p.auth_key[::-1])
617 pkt = (Ether(src=self.tra_if.remote_mac,
618 dst=self.tra_if.local_mac) /
619 bogus_sa.encrypt(IP(src=self.tra_if.remote_ip4,
620 dst=self.tra_if.local_ip4) /
623 self.send_and_assert_no_replies(self.tra_if, pkt * 17, timeout=0.2)
625 hash_failed_count += 17
626 self.assertEqual(self.get_hash_failed_counts(p), hash_failed_count)
628 # a malformed 'runt' packet
629 # created by a mis-constructed SA
630 if (ESP == self.encryption_type and p.crypt_algo != "NULL"):
631 bogus_sa = SecurityAssociation(self.encryption_type,
633 pkt = (Ether(src=self.tra_if.remote_mac,
634 dst=self.tra_if.local_mac) /
635 bogus_sa.encrypt(IP(src=self.tra_if.remote_ip4,
636 dst=self.tra_if.local_ip4) /
639 self.send_and_assert_no_replies(self.tra_if, pkt * 17, timeout=0.2)
641 undersize_count += 17
642 self.assert_error_counter_equal(undersize_node_name,
645 # which we can determine since this packet is still in the window
646 pkt = (Ether(src=self.tra_if.remote_mac,
647 dst=self.tra_if.local_mac) /
648 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
649 dst=self.tra_if.local_ip4) /
652 self.send_and_expect(self.tra_if, [pkt], self.tra_if)
655 # out of window are dropped
656 # this is Case B. So VPP will consider this to be a high seq num wrap
657 # and so the decrypt attempt will fail
659 pkt = (Ether(src=self.tra_if.remote_mac,
660 dst=self.tra_if.local_mac) /
661 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
662 dst=self.tra_if.local_ip4) /
665 self.send_and_assert_no_replies(self.tra_if, pkt * 17, timeout=0.2)
668 # an out of window error with ESN looks like a high sequence
669 # wrap. but since it isn't then the verify will fail.
670 hash_failed_count += 17
671 self.assertEqual(self.get_hash_failed_counts(p), hash_failed_count)
675 self.assertEqual(self.get_replay_counts(p), replay_count)
677 # valid packet moves the window over to 258
678 pkt = (Ether(src=self.tra_if.remote_mac,
679 dst=self.tra_if.local_mac) /
680 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
681 dst=self.tra_if.local_ip4) /
684 rx = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
685 decrypted = p.vpp_tra_sa.decrypt(rx[0][IP])
688 # move VPP's SA TX seq-num to just before the seq-number wrap.
689 # then fire in a packet that VPP should drop on TX because it
690 # causes the TX seq number to wrap; unless we're using extened sequence
693 self.vapi.cli("test ipsec sa %d seq 0xffffffff" % p.scapy_tra_sa_id)
694 self.logger.info(self.vapi.ppcli("show ipsec sa 0"))
695 self.logger.info(self.vapi.ppcli("show ipsec sa 1"))
697 pkts = [(Ether(src=self.tra_if.remote_mac,
698 dst=self.tra_if.local_mac) /
699 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
700 dst=self.tra_if.local_ip4) /
703 for seq in range(259, 280)]
706 rxs = self.send_and_expect(self.tra_if, pkts, self.tra_if)
709 # in order for scapy to decrypt its SA's high order number needs
712 p.vpp_tra_sa.seq_num = 0x100000000
714 decrypted = p.vpp_tra_sa.decrypt(rx[0][IP])
717 # wrap scapy's TX high sequence number. VPP is in case B, so it
718 # will consider this a high seq wrap also.
719 # The low seq num we set it to will place VPP's RX window in Case A
721 p.scapy_tra_sa.seq_num = 0x100000005
722 pkt = (Ether(src=self.tra_if.remote_mac,
723 dst=self.tra_if.local_mac) /
724 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
725 dst=self.tra_if.local_ip4) /
727 seq_num=0x100000005))
728 rx = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
730 decrypted = p.vpp_tra_sa.decrypt(rx[0][IP])
733 # A packet that has seq num between (2^32-64) and 5 is within
736 p.scapy_tra_sa.seq_num = 0xfffffffd
737 pkt = (Ether(src=self.tra_if.remote_mac,
738 dst=self.tra_if.local_mac) /
739 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
740 dst=self.tra_if.local_ip4) /
743 rx = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
744 decrypted = p.vpp_tra_sa.decrypt(rx[0][IP])
747 # While in case A we cannot wrap the high sequence number again
748 # because VPP will consider this packet to be one that moves the
751 pkt = (Ether(src=self.tra_if.remote_mac,
752 dst=self.tra_if.local_mac) /
753 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
754 dst=self.tra_if.local_ip4) /
756 seq_num=0x200000999))
757 self.send_and_assert_no_replies(self.tra_if, [pkt], self.tra_if,
760 hash_failed_count += 1
761 self.assertEqual(self.get_hash_failed_counts(p), hash_failed_count)
764 # but if we move the window forward to case B, then we can wrap
767 p.scapy_tra_sa.seq_num = 0x100000555
768 pkt = (Ether(src=self.tra_if.remote_mac,
769 dst=self.tra_if.local_mac) /
770 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
771 dst=self.tra_if.local_ip4) /
773 seq_num=0x100000555))
774 rx = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
775 decrypted = p.vpp_tra_sa.decrypt(rx[0][IP])
777 p.scapy_tra_sa.seq_num = 0x200000444
778 pkt = (Ether(src=self.tra_if.remote_mac,
779 dst=self.tra_if.local_mac) /
780 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
781 dst=self.tra_if.local_ip4) /
783 seq_num=0x200000444))
784 rx = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
785 decrypted = p.vpp_tra_sa.decrypt(rx[0][IP])
789 # without ESN TX sequence numbers can't wrap and packets are
790 # dropped from here on out.
792 self.send_and_assert_no_replies(self.tra_if, pkts, timeout=0.2)
793 seq_cycle_count += len(pkts)
794 self.assert_error_counter_equal(seq_cycle_node_name,
797 # move the security-associations seq number on to the last we used
798 self.vapi.cli("test ipsec sa %d seq 0x15f" % p.scapy_tra_sa_id)
799 p.scapy_tra_sa.seq_num = 351
800 p.vpp_tra_sa.seq_num = 351
802 def verify_tra_lost(self):
803 p = self.params[socket.AF_INET]
804 esn_en = p.vpp_tra_sa.esn_en
807 # send packets with seq numbers 1->34
808 # this means the window size is still in Case B (see RFC4303
811 # for reasons i haven't investigated Scapy won't create a packet with
814 pkts = [(Ether(src=self.tra_if.remote_mac,
815 dst=self.tra_if.local_mac) /
816 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
817 dst=self.tra_if.local_ip4) /
820 for seq in range(1, 3)]
821 self.send_and_expect(self.tra_if, pkts, self.tra_if)
823 self.assertEqual(p.tra_sa_out.get_lost(), 0)
825 # skip a sequence number
826 pkts = [(Ether(src=self.tra_if.remote_mac,
827 dst=self.tra_if.local_mac) /
828 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
829 dst=self.tra_if.local_ip4) /
832 for seq in range(4, 6)]
833 self.send_and_expect(self.tra_if, pkts, self.tra_if)
835 self.assertEqual(p.tra_sa_out.get_lost(), 0)
837 # the lost packet are counted untill we get up past the first
838 # sizeof(replay_window) packets
839 pkts = [(Ether(src=self.tra_if.remote_mac,
840 dst=self.tra_if.local_mac) /
841 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
842 dst=self.tra_if.local_ip4) /
845 for seq in range(6, 100)]
846 self.send_and_expect(self.tra_if, pkts, self.tra_if)
848 self.assertEqual(p.tra_sa_out.get_lost(), 1)
850 # lost of holes in the sequence
851 pkts = [(Ether(src=self.tra_if.remote_mac,
852 dst=self.tra_if.local_mac) /
853 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
854 dst=self.tra_if.local_ip4) /
857 for seq in range(100, 200, 2)]
858 self.send_and_expect(self.tra_if, pkts, self.tra_if, n_rx=50)
860 pkts = [(Ether(src=self.tra_if.remote_mac,
861 dst=self.tra_if.local_mac) /
862 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
863 dst=self.tra_if.local_ip4) /
866 for seq in range(200, 300)]
867 self.send_and_expect(self.tra_if, pkts, self.tra_if)
869 self.assertEqual(p.tra_sa_out.get_lost(), 51)
871 # a big hole in the seq number space
872 pkts = [(Ether(src=self.tra_if.remote_mac,
873 dst=self.tra_if.local_mac) /
874 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
875 dst=self.tra_if.local_ip4) /
878 for seq in range(400, 500)]
879 self.send_and_expect(self.tra_if, pkts, self.tra_if)
881 self.assertEqual(p.tra_sa_out.get_lost(), 151)
883 def verify_tra_basic4(self, count=1, payload_size=54):
884 """ ipsec v4 transport basic test """
885 self.vapi.cli("clear errors")
886 self.vapi.cli("clear ipsec sa")
888 p = self.params[socket.AF_INET]
889 send_pkts = self.gen_encrypt_pkts(p, p.scapy_tra_sa, self.tra_if,
890 src=self.tra_if.remote_ip4,
891 dst=self.tra_if.local_ip4,
893 payload_size=payload_size)
894 recv_pkts = self.send_and_expect(self.tra_if, send_pkts,
897 self.assertEqual(len(rx) - len(Ether()), rx[IP].len)
898 self.assert_packet_checksums_valid(rx)
900 decrypted = p.vpp_tra_sa.decrypt(rx[IP])
901 self.assert_packet_checksums_valid(decrypted)
903 self.logger.debug(ppp("Unexpected packet:", rx))
906 self.logger.info(self.vapi.ppcli("show error"))
907 self.logger.info(self.vapi.ppcli("show ipsec all"))
909 pkts = p.tra_sa_in.get_stats()['packets']
910 self.assertEqual(pkts, count,
911 "incorrect SA in counts: expected %d != %d" %
913 pkts = p.tra_sa_out.get_stats()['packets']
914 self.assertEqual(pkts, count,
915 "incorrect SA out counts: expected %d != %d" %
917 self.assertEqual(p.tra_sa_out.get_lost(), 0)
918 self.assertEqual(p.tra_sa_in.get_lost(), 0)
920 self.assert_packet_counter_equal(self.tra4_encrypt_node_name, count)
921 self.assert_packet_counter_equal(self.tra4_decrypt_node_name[0], count)
924 class IpsecTra4Tests(IpsecTra4):
925 """ UT test methods for Transport v4 """
926 def test_tra_anti_replay(self):
927 """ ipsec v4 transport anti-replay test """
928 self.verify_tra_anti_replay()
930 def test_tra_lost(self):
931 """ ipsec v4 transport lost packet test """
932 self.verify_tra_lost()
934 def test_tra_basic(self, count=1):
935 """ ipsec v4 transport basic test """
936 self.verify_tra_basic4(count=1)
938 def test_tra_burst(self):
939 """ ipsec v4 transport burst test """
940 self.verify_tra_basic4(count=257)
943 class IpsecTra6(object):
944 """ verify methods for Transport v6 """
945 def verify_tra_basic6(self, count=1, payload_size=54):
946 self.vapi.cli("clear errors")
947 self.vapi.cli("clear ipsec sa")
949 p = self.params[socket.AF_INET6]
950 send_pkts = self.gen_encrypt_pkts6(p, p.scapy_tra_sa, self.tra_if,
951 src=self.tra_if.remote_ip6,
952 dst=self.tra_if.local_ip6,
954 payload_size=payload_size)
955 recv_pkts = self.send_and_expect(self.tra_if, send_pkts,
958 self.assertEqual(len(rx) - len(Ether()) - len(IPv6()),
961 decrypted = p.vpp_tra_sa.decrypt(rx[IPv6])
962 self.assert_packet_checksums_valid(decrypted)
964 self.logger.debug(ppp("Unexpected packet:", rx))
967 self.logger.info(self.vapi.ppcli("show error"))
968 self.logger.info(self.vapi.ppcli("show ipsec all"))
970 pkts = p.tra_sa_in.get_stats()['packets']
971 self.assertEqual(pkts, count,
972 "incorrect SA in counts: expected %d != %d" %
974 pkts = p.tra_sa_out.get_stats()['packets']
975 self.assertEqual(pkts, count,
976 "incorrect SA out counts: expected %d != %d" %
978 self.assert_packet_counter_equal(self.tra6_encrypt_node_name, count)
979 self.assert_packet_counter_equal(self.tra6_decrypt_node_name[0], count)
981 def gen_encrypt_pkts_ext_hdrs6(self, sa, sw_intf, src, dst, count=1,
983 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
984 sa.encrypt(IPv6(src=src, dst=dst) /
985 ICMPv6EchoRequest(id=0, seq=1,
986 data='X' * payload_size))
987 for i in range(count)]
989 def gen_pkts_ext_hdrs6(self, sw_intf, src, dst, count=1, payload_size=54):
990 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
991 IPv6(src=src, dst=dst) /
992 IPv6ExtHdrHopByHop() /
993 IPv6ExtHdrFragment(id=2, offset=200) /
995 for i in range(count)]
997 def verify_tra_encrypted6(self, p, sa, rxs):
1000 self.assert_packet_checksums_valid(rx)
1002 decrypt_pkt = p.vpp_tra_sa.decrypt(rx[IPv6])
1003 decrypted.append(decrypt_pkt)
1004 self.assert_equal(decrypt_pkt.src, self.tra_if.local_ip6)
1005 self.assert_equal(decrypt_pkt.dst, self.tra_if.remote_ip6)
1007 self.logger.debug(ppp("Unexpected packet:", rx))
1009 self.logger.debug(ppp("Decrypted packet:", decrypt_pkt))
1015 def verify_tra_66_ext_hdrs(self, p):
1019 # check we can decrypt with options
1021 tx = self.gen_encrypt_pkts_ext_hdrs6(p.scapy_tra_sa, self.tra_if,
1022 src=self.tra_if.remote_ip6,
1023 dst=self.tra_if.local_ip6,
1025 self.send_and_expect(self.tra_if, tx, self.tra_if)
1028 # injecting a packet from ourselves to be routed of box is a hack
1029 # but it matches an outbout policy, alors je ne regrette rien
1032 # one extension before ESP
1033 tx = (Ether(src=self.pg2.remote_mac, dst=self.pg2.local_mac) /
1034 IPv6(src=self.tra_if.local_ip6,
1035 dst=self.tra_if.remote_ip6) /
1036 IPv6ExtHdrFragment(id=2, offset=200) /
1039 rxs = self.send_and_expect(self.pg2, [tx], self.tra_if)
1040 dcs = self.verify_tra_encrypted6(p, p.vpp_tra_sa, rxs)
1043 # for reasons i'm not going to investigate scapy does not
1044 # created the correct headers after decrypt. but reparsing
1045 # the ipv6 packet fixes it
1046 dc = IPv6(raw(dc[IPv6]))
1047 self.assert_equal(dc[IPv6ExtHdrFragment].id, 2)
1049 # two extensions before ESP
1050 tx = (Ether(src=self.pg2.remote_mac, dst=self.pg2.local_mac) /
1051 IPv6(src=self.tra_if.local_ip6,
1052 dst=self.tra_if.remote_ip6) /
1053 IPv6ExtHdrHopByHop() /
1054 IPv6ExtHdrFragment(id=2, offset=200) /
1057 rxs = self.send_and_expect(self.pg2, [tx], self.tra_if)
1058 dcs = self.verify_tra_encrypted6(p, p.vpp_tra_sa, rxs)
1061 dc = IPv6(raw(dc[IPv6]))
1062 self.assertTrue(dc[IPv6ExtHdrHopByHop])
1063 self.assert_equal(dc[IPv6ExtHdrFragment].id, 2)
1065 # two extensions before ESP, one after
1066 tx = (Ether(src=self.pg2.remote_mac, dst=self.pg2.local_mac) /
1067 IPv6(src=self.tra_if.local_ip6,
1068 dst=self.tra_if.remote_ip6) /
1069 IPv6ExtHdrHopByHop() /
1070 IPv6ExtHdrFragment(id=2, offset=200) /
1071 IPv6ExtHdrDestOpt() /
1074 rxs = self.send_and_expect(self.pg2, [tx], self.tra_if)
1075 dcs = self.verify_tra_encrypted6(p, p.vpp_tra_sa, rxs)
1078 dc = IPv6(raw(dc[IPv6]))
1079 self.assertTrue(dc[IPv6ExtHdrDestOpt])
1080 self.assertTrue(dc[IPv6ExtHdrHopByHop])
1081 self.assert_equal(dc[IPv6ExtHdrFragment].id, 2)
1084 class IpsecTra6Tests(IpsecTra6):
1085 """ UT test methods for Transport v6 """
1086 def test_tra_basic6(self):
1087 """ ipsec v6 transport basic test """
1088 self.verify_tra_basic6(count=1)
1090 def test_tra_burst6(self):
1091 """ ipsec v6 transport burst test """
1092 self.verify_tra_basic6(count=257)
1095 class IpsecTra6ExtTests(IpsecTra6):
1096 def test_tra_ext_hdrs_66(self):
1097 """ ipsec 6o6 tra extension headers test """
1098 self.verify_tra_66_ext_hdrs(self.params[socket.AF_INET6])
1101 class IpsecTra46Tests(IpsecTra4Tests, IpsecTra6Tests):
1102 """ UT test methods for Transport v6 and v4"""
1106 class IpsecTun4(object):
1107 """ verify methods for Tunnel v4 """
1108 def verify_counters4(self, p, count, n_frags=None, worker=None):
1111 if (hasattr(p, "spd_policy_in_any")):
1112 pkts = p.spd_policy_in_any.get_stats(worker)['packets']
1113 self.assertEqual(pkts, count,
1114 "incorrect SPD any policy: expected %d != %d" %
1117 if (hasattr(p, "tun_sa_in")):
1118 pkts = p.tun_sa_in.get_stats(worker)['packets']
1119 self.assertEqual(pkts, count,
1120 "incorrect SA in counts: expected %d != %d" %
1122 pkts = p.tun_sa_out.get_stats(worker)['packets']
1123 self.assertEqual(pkts, n_frags,
1124 "incorrect SA out counts: expected %d != %d" %
1127 self.assert_packet_counter_equal(self.tun4_encrypt_node_name, n_frags)
1128 self.assert_packet_counter_equal(self.tun4_decrypt_node_name[0], count)
1130 def verify_decrypted(self, p, rxs):
1132 self.assert_equal(rx[IP].src, p.remote_tun_if_host)
1133 self.assert_equal(rx[IP].dst, self.pg1.remote_ip4)
1134 self.assert_packet_checksums_valid(rx)
1136 def verify_esp_padding(self, sa, esp_payload, decrypt_pkt):
1137 align = sa.crypt_algo.block_size
1140 exp_len = (len(decrypt_pkt) + 2 + (align - 1)) & ~(align - 1)
1141 exp_len += sa.crypt_algo.iv_size
1142 exp_len += sa.crypt_algo.icv_size or sa.auth_algo.icv_size
1143 self.assertEqual(exp_len, len(esp_payload))
1145 def verify_encrypted(self, p, sa, rxs):
1149 self.assertEqual(rx[UDP].dport, 4500)
1150 self.assert_packet_checksums_valid(rx)
1151 self.assertEqual(len(rx) - len(Ether()), rx[IP].len)
1154 decrypt_pkt = p.vpp_tun_sa.decrypt(rx_ip)
1155 if not decrypt_pkt.haslayer(IP):
1156 decrypt_pkt = IP(decrypt_pkt[Raw].load)
1157 if rx_ip.proto == socket.IPPROTO_ESP:
1158 self.verify_esp_padding(sa, rx_ip[ESP].data, decrypt_pkt)
1159 decrypt_pkts.append(decrypt_pkt)
1160 self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip4)
1161 self.assert_equal(decrypt_pkt.dst, p.remote_tun_if_host)
1163 self.logger.debug(ppp("Unexpected packet:", rx))
1165 self.logger.debug(ppp("Decrypted packet:", decrypt_pkt))
1169 pkts = reassemble4(decrypt_pkts)
1171 self.assert_packet_checksums_valid(pkt)
1173 def verify_tun_44(self, p, count=1, payload_size=64, n_rx=None):
1174 self.vapi.cli("clear errors")
1175 self.vapi.cli("clear ipsec counters")
1176 self.vapi.cli("clear ipsec sa")
1180 send_pkts = self.gen_encrypt_pkts(p, p.scapy_tun_sa, self.tun_if,
1181 src=p.remote_tun_if_host,
1182 dst=self.pg1.remote_ip4,
1184 payload_size=payload_size)
1185 recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1)
1186 self.verify_decrypted(p, recv_pkts)
1188 send_pkts = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4,
1189 dst=p.remote_tun_if_host, count=count,
1190 payload_size=payload_size)
1191 recv_pkts = self.send_and_expect(self.pg1, send_pkts,
1193 self.verify_encrypted(p, p.vpp_tun_sa, recv_pkts)
1195 for rx in recv_pkts:
1196 self.assertEqual(rx[IP].src, p.tun_src)
1197 self.assertEqual(rx[IP].dst, p.tun_dst)
1200 self.logger.info(self.vapi.ppcli("show error"))
1201 self.logger.info(self.vapi.ppcli("show ipsec all"))
1203 self.logger.info(self.vapi.ppcli("show ipsec sa 0"))
1204 self.logger.info(self.vapi.ppcli("show ipsec sa 4"))
1205 self.verify_counters4(p, count, n_rx)
1207 def verify_tun_dropped_44(self, p, count=1, payload_size=64, n_rx=None):
1208 self.vapi.cli("clear errors")
1212 send_pkts = self.gen_encrypt_pkts(p, p.scapy_tun_sa, self.tun_if,
1213 src=p.remote_tun_if_host,
1214 dst=self.pg1.remote_ip4,
1216 self.send_and_assert_no_replies(self.tun_if, send_pkts)
1218 send_pkts = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4,
1219 dst=p.remote_tun_if_host, count=count,
1220 payload_size=payload_size)
1221 self.send_and_assert_no_replies(self.pg1, send_pkts)
1224 self.logger.info(self.vapi.ppcli("show error"))
1225 self.logger.info(self.vapi.ppcli("show ipsec all"))
1227 def verify_tun_reass_44(self, p):
1228 self.vapi.cli("clear errors")
1229 self.vapi.ip_reassembly_enable_disable(
1230 sw_if_index=self.tun_if.sw_if_index, enable_ip4=True)
1233 send_pkts = self.gen_encrypt_pkts(p, p.scapy_tun_sa, self.tun_if,
1234 src=p.remote_tun_if_host,
1235 dst=self.pg1.remote_ip4,
1238 send_pkts = fragment_rfc791(send_pkts[0], 1400)
1239 recv_pkts = self.send_and_expect(self.tun_if, send_pkts,
1241 self.verify_decrypted(p, recv_pkts)
1243 send_pkts = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4,
1244 dst=p.remote_tun_if_host, count=1)
1245 recv_pkts = self.send_and_expect(self.pg1, send_pkts,
1247 self.verify_encrypted(p, p.vpp_tun_sa, recv_pkts)
1250 self.logger.info(self.vapi.ppcli("show error"))
1251 self.logger.info(self.vapi.ppcli("show ipsec all"))
1253 self.verify_counters4(p, 1, 1)
1254 self.vapi.ip_reassembly_enable_disable(
1255 sw_if_index=self.tun_if.sw_if_index, enable_ip4=False)
1257 def verify_tun_64(self, p, count=1):
1258 self.vapi.cli("clear errors")
1259 self.vapi.cli("clear ipsec sa")
1261 send_pkts = self.gen_encrypt_pkts6(p, p.scapy_tun_sa, self.tun_if,
1262 src=p.remote_tun_if_host6,
1263 dst=self.pg1.remote_ip6,
1265 recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1)
1266 for recv_pkt in recv_pkts:
1267 self.assert_equal(recv_pkt[IPv6].src, p.remote_tun_if_host6)
1268 self.assert_equal(recv_pkt[IPv6].dst, self.pg1.remote_ip6)
1269 self.assert_packet_checksums_valid(recv_pkt)
1270 send_pkts = self.gen_pkts6(p, self.pg1, src=self.pg1.remote_ip6,
1271 dst=p.remote_tun_if_host6, count=count)
1272 recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.tun_if)
1273 for recv_pkt in recv_pkts:
1275 decrypt_pkt = p.vpp_tun_sa.decrypt(recv_pkt[IP])
1276 if not decrypt_pkt.haslayer(IPv6):
1277 decrypt_pkt = IPv6(decrypt_pkt[Raw].load)
1278 self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip6)
1279 self.assert_equal(decrypt_pkt.dst, p.remote_tun_if_host6)
1280 self.assert_packet_checksums_valid(decrypt_pkt)
1282 self.logger.error(ppp("Unexpected packet:", recv_pkt))
1285 ppp("Decrypted packet:", decrypt_pkt))
1290 self.logger.info(self.vapi.ppcli("show error"))
1291 self.logger.info(self.vapi.ppcli("show ipsec all"))
1293 self.verify_counters4(p, count)
1295 def verify_keepalive(self, p):
1296 # the sizeof Raw is calculated to pad to the minimum ehternet
1297 # frame size of 64 btyes
1298 pkt = (Ether(src=self.tun_if.remote_mac, dst=self.tun_if.local_mac) /
1299 IP(src=p.remote_tun_if_host, dst=self.tun_if.local_ip4) /
1300 UDP(sport=333, dport=4500) /
1303 self.send_and_assert_no_replies(self.tun_if, pkt*31)
1304 self.assert_error_counter_equal(
1305 '/err/%s/NAT Keepalive' % self.tun4_input_node, 31)
1307 pkt = (Ether(src=self.tun_if.remote_mac, dst=self.tun_if.local_mac) /
1308 IP(src=p.remote_tun_if_host, dst=self.tun_if.local_ip4) /
1309 UDP(sport=333, dport=4500) /
1311 self.send_and_assert_no_replies(self.tun_if, pkt*31)
1312 self.assert_error_counter_equal(
1313 '/err/%s/Too Short' % self.tun4_input_node, 31)
1315 pkt = (Ether(src=self.tun_if.remote_mac, dst=self.tun_if.local_mac) /
1316 IP(src=p.remote_tun_if_host, dst=self.tun_if.local_ip4) /
1317 UDP(sport=333, dport=4500) /
1320 self.send_and_assert_no_replies(self.tun_if, pkt*31)
1321 self.assert_error_counter_equal(
1322 '/err/%s/Too Short' % self.tun4_input_node, 62)
1325 class IpsecTun4Tests(IpsecTun4):
1326 """ UT test methods for Tunnel v4 """
1327 def test_tun_basic44(self):
1328 """ ipsec 4o4 tunnel basic test """
1329 self.verify_tun_44(self.params[socket.AF_INET], count=1)
1330 self.tun_if.admin_down()
1331 self.tun_if.resolve_arp()
1332 self.tun_if.admin_up()
1333 self.verify_tun_44(self.params[socket.AF_INET], count=1)
1335 def test_tun_reass_basic44(self):
1336 """ ipsec 4o4 tunnel basic reassembly test """
1337 self.verify_tun_reass_44(self.params[socket.AF_INET])
1339 def test_tun_burst44(self):
1340 """ ipsec 4o4 tunnel burst test """
1341 self.verify_tun_44(self.params[socket.AF_INET], count=127)
1344 class IpsecTun6(object):
1345 """ verify methods for Tunnel v6 """
1346 def verify_counters6(self, p_in, p_out, count, worker=None):
1347 if (hasattr(p_in, "tun_sa_in")):
1348 pkts = p_in.tun_sa_in.get_stats(worker)['packets']
1349 self.assertEqual(pkts, count,
1350 "incorrect SA in counts: expected %d != %d" %
1352 if (hasattr(p_out, "tun_sa_out")):
1353 pkts = p_out.tun_sa_out.get_stats(worker)['packets']
1354 self.assertEqual(pkts, count,
1355 "incorrect SA out counts: expected %d != %d" %
1357 self.assert_packet_counter_equal(self.tun6_encrypt_node_name, count)
1358 self.assert_packet_counter_equal(self.tun6_decrypt_node_name[0], count)
1360 def verify_decrypted6(self, p, rxs):
1362 self.assert_equal(rx[IPv6].src, p.remote_tun_if_host)
1363 self.assert_equal(rx[IPv6].dst, self.pg1.remote_ip6)
1364 self.assert_packet_checksums_valid(rx)
1366 def verify_encrypted6(self, p, sa, rxs):
1368 self.assert_packet_checksums_valid(rx)
1369 self.assertEqual(len(rx) - len(Ether()) - len(IPv6()),
1371 self.assert_equal(rx[IPv6].hlim, p.outer_hop_limit)
1372 if p.outer_flow_label:
1373 self.assert_equal(rx[IPv6].fl, p.outer_flow_label)
1375 decrypt_pkt = p.vpp_tun_sa.decrypt(rx[IPv6])
1376 if not decrypt_pkt.haslayer(IPv6):
1377 decrypt_pkt = IPv6(decrypt_pkt[Raw].load)
1378 self.assert_packet_checksums_valid(decrypt_pkt)
1379 self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip6)
1380 self.assert_equal(decrypt_pkt.dst, p.remote_tun_if_host)
1381 self.assert_equal(decrypt_pkt.hlim, p.inner_hop_limit - 1)
1382 self.assert_equal(decrypt_pkt.fl, p.inner_flow_label)
1384 self.logger.debug(ppp("Unexpected packet:", rx))
1386 self.logger.debug(ppp("Decrypted packet:", decrypt_pkt))
1391 def verify_drop_tun_tx_66(self, p_in, count=1, payload_size=64):
1392 self.vapi.cli("clear errors")
1393 self.vapi.cli("clear ipsec sa")
1395 send_pkts = self.gen_pkts6(p_in, self.pg1, src=self.pg1.remote_ip6,
1396 dst=p_in.remote_tun_if_host, count=count,
1397 payload_size=payload_size)
1398 self.send_and_assert_no_replies(self.tun_if, send_pkts)
1399 self.logger.info(self.vapi.cli("sh punt stats"))
1401 def verify_drop_tun_rx_66(self, p_in, count=1, payload_size=64):
1402 self.vapi.cli("clear errors")
1403 self.vapi.cli("clear ipsec sa")
1405 send_pkts = self.gen_encrypt_pkts6(p_in, p_in.scapy_tun_sa,
1407 src=p_in.remote_tun_if_host,
1408 dst=self.pg1.remote_ip6,
1410 self.send_and_assert_no_replies(self.tun_if, send_pkts)
1412 def verify_drop_tun_66(self, p_in, count=1, payload_size=64):
1413 self.verify_drop_tun_tx_66(p_in, count=count,
1414 payload_size=payload_size)
1415 self.verify_drop_tun_rx_66(p_in, count=count,
1416 payload_size=payload_size)
1418 def verify_tun_66(self, p_in, p_out=None, count=1, payload_size=64):
1419 self.vapi.cli("clear errors")
1420 self.vapi.cli("clear ipsec sa")
1424 send_pkts = self.gen_encrypt_pkts6(p_in, p_in.scapy_tun_sa,
1426 src=p_in.remote_tun_if_host,
1427 dst=self.pg1.remote_ip6,
1429 payload_size=payload_size)
1430 recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1)
1431 self.verify_decrypted6(p_in, recv_pkts)
1433 send_pkts = self.gen_pkts6(p_in, self.pg1, src=self.pg1.remote_ip6,
1434 dst=p_out.remote_tun_if_host,
1436 payload_size=payload_size)
1437 recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.tun_if)
1438 self.verify_encrypted6(p_out, p_out.vpp_tun_sa, recv_pkts)
1440 for rx in recv_pkts:
1441 self.assertEqual(rx[IPv6].src, p_out.tun_src)
1442 self.assertEqual(rx[IPv6].dst, p_out.tun_dst)
1445 self.logger.info(self.vapi.ppcli("show error"))
1446 self.logger.info(self.vapi.ppcli("show ipsec all"))
1447 self.verify_counters6(p_in, p_out, count)
1449 def verify_tun_reass_66(self, p):
1450 self.vapi.cli("clear errors")
1451 self.vapi.ip_reassembly_enable_disable(
1452 sw_if_index=self.tun_if.sw_if_index, enable_ip6=True)
1455 send_pkts = self.gen_encrypt_pkts6(p, p.scapy_tun_sa, self.tun_if,
1456 src=p.remote_tun_if_host,
1457 dst=self.pg1.remote_ip6,
1460 send_pkts = fragment_rfc8200(send_pkts[0], 1, 1400, self.logger)
1461 recv_pkts = self.send_and_expect(self.tun_if, send_pkts,
1463 self.verify_decrypted6(p, recv_pkts)
1465 send_pkts = self.gen_pkts6(p, self.pg1, src=self.pg1.remote_ip6,
1466 dst=p.remote_tun_if_host,
1469 recv_pkts = self.send_and_expect(self.pg1, send_pkts,
1471 self.verify_encrypted6(p, p.vpp_tun_sa, recv_pkts)
1473 self.logger.info(self.vapi.ppcli("show error"))
1474 self.logger.info(self.vapi.ppcli("show ipsec all"))
1475 self.verify_counters6(p, p, 1)
1476 self.vapi.ip_reassembly_enable_disable(
1477 sw_if_index=self.tun_if.sw_if_index, enable_ip6=False)
1479 def verify_tun_46(self, p, count=1):
1480 """ ipsec 4o6 tunnel basic test """
1481 self.vapi.cli("clear errors")
1482 self.vapi.cli("clear ipsec sa")
1484 send_pkts = self.gen_encrypt_pkts(p, p.scapy_tun_sa, self.tun_if,
1485 src=p.remote_tun_if_host4,
1486 dst=self.pg1.remote_ip4,
1488 recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1)
1489 for recv_pkt in recv_pkts:
1490 self.assert_equal(recv_pkt[IP].src, p.remote_tun_if_host4)
1491 self.assert_equal(recv_pkt[IP].dst, self.pg1.remote_ip4)
1492 self.assert_packet_checksums_valid(recv_pkt)
1493 send_pkts = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4,
1494 dst=p.remote_tun_if_host4,
1496 recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.tun_if)
1497 for recv_pkt in recv_pkts:
1499 decrypt_pkt = p.vpp_tun_sa.decrypt(recv_pkt[IPv6])
1500 if not decrypt_pkt.haslayer(IP):
1501 decrypt_pkt = IP(decrypt_pkt[Raw].load)
1502 self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip4)
1503 self.assert_equal(decrypt_pkt.dst, p.remote_tun_if_host4)
1504 self.assert_packet_checksums_valid(decrypt_pkt)
1506 self.logger.debug(ppp("Unexpected packet:", recv_pkt))
1508 self.logger.debug(ppp("Decrypted packet:",
1514 self.logger.info(self.vapi.ppcli("show error"))
1515 self.logger.info(self.vapi.ppcli("show ipsec all"))
1516 self.verify_counters6(p, p, count)
1519 class IpsecTun6Tests(IpsecTun6):
1520 """ UT test methods for Tunnel v6 """
1522 def test_tun_basic66(self):
1523 """ ipsec 6o6 tunnel basic test """
1524 self.verify_tun_66(self.params[socket.AF_INET6], count=1)
1526 def test_tun_reass_basic66(self):
1527 """ ipsec 6o6 tunnel basic reassembly test """
1528 self.verify_tun_reass_66(self.params[socket.AF_INET6])
1530 def test_tun_burst66(self):
1531 """ ipsec 6o6 tunnel burst test """
1532 self.verify_tun_66(self.params[socket.AF_INET6], count=257)
1535 class IpsecTun6HandoffTests(IpsecTun6):
1536 """ UT test methods for Tunnel v6 with multiple workers """
1537 vpp_worker_count = 2
1539 def test_tun_handoff_66(self):
1540 """ ipsec 6o6 tunnel worker hand-off test """
1541 self.vapi.cli("clear errors")
1542 self.vapi.cli("clear ipsec sa")
1545 p = self.params[socket.AF_INET6]
1547 # inject alternately on worker 0 and 1. all counts on the SA
1548 # should be against worker 0
1549 for worker in [0, 1, 0, 1]:
1550 send_pkts = self.gen_encrypt_pkts6(p, p.scapy_tun_sa, self.tun_if,
1551 src=p.remote_tun_if_host,
1552 dst=self.pg1.remote_ip6,
1554 recv_pkts = self.send_and_expect(self.tun_if, send_pkts,
1555 self.pg1, worker=worker)
1556 self.verify_decrypted6(p, recv_pkts)
1558 send_pkts = self.gen_pkts6(p, self.pg1, src=self.pg1.remote_ip6,
1559 dst=p.remote_tun_if_host,
1561 recv_pkts = self.send_and_expect(self.pg1, send_pkts,
1562 self.tun_if, worker=worker)
1563 self.verify_encrypted6(p, p.vpp_tun_sa, recv_pkts)
1565 # all counts against the first worker that was used
1566 self.verify_counters6(p, p, 4*N_PKTS, worker=0)
1569 class IpsecTun4HandoffTests(IpsecTun4):
1570 """ UT test methods for Tunnel v4 with multiple workers """
1571 vpp_worker_count = 2
1573 def test_tun_handooff_44(self):
1574 """ ipsec 4o4 tunnel worker hand-off test """
1575 self.vapi.cli("clear errors")
1576 self.vapi.cli("clear ipsec sa")
1579 p = self.params[socket.AF_INET]
1581 # inject alternately on worker 0 and 1. all counts on the SA
1582 # should be against worker 0
1583 for worker in [0, 1, 0, 1]:
1584 send_pkts = self.gen_encrypt_pkts(p, p.scapy_tun_sa, self.tun_if,
1585 src=p.remote_tun_if_host,
1586 dst=self.pg1.remote_ip4,
1588 recv_pkts = self.send_and_expect(self.tun_if, send_pkts,
1589 self.pg1, worker=worker)
1590 self.verify_decrypted(p, recv_pkts)
1592 send_pkts = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4,
1593 dst=p.remote_tun_if_host,
1595 recv_pkts = self.send_and_expect(self.pg1, send_pkts,
1596 self.tun_if, worker=worker)
1597 self.verify_encrypted(p, p.vpp_tun_sa, recv_pkts)
1599 # all counts against the first worker that was used
1600 self.verify_counters4(p, 4*N_PKTS, worker=0)
1603 class IpsecTun46Tests(IpsecTun4Tests, IpsecTun6Tests):
1604 """ UT test methods for Tunnel v6 & v4 """
1608 class IPSecIPv4Fwd(VppTestCase):
1609 """ Test IPSec by capturing and verifying IPv4 forwarded pkts """
1611 def setUpConstants(cls):
1612 super(IPSecIPv4Fwd, cls).setUpConstants()
1615 super(IPSecIPv4Fwd, self).setUp()
1616 # store SPD objects so we can remove configs on tear down
1618 self.spd_policies = []
1621 # remove SPD policies
1622 for obj in self.spd_policies:
1623 obj.remove_vpp_config()
1624 self.spd_policies = []
1625 # remove SPD items (interface bindings first, then SPD)
1626 for obj in reversed(self.spd_objs):
1627 obj.remove_vpp_config()
1629 # close down pg intfs
1630 for pg in self.pg_interfaces:
1633 super(IPSecIPv4Fwd, self).tearDown()
1635 def create_interfaces(self, num_ifs=2):
1636 # create interfaces pg0 ... pg<num_ifs>
1637 self.create_pg_interfaces(range(num_ifs))
1638 for pg in self.pg_interfaces:
1639 # put the interface up
1641 # configure IPv4 address on the interface
1643 # resolve ARP, so that we know VPP MAC
1645 self.logger.info(self.vapi.ppcli("show int addr"))
1647 def spd_create_and_intf_add(self, spd_id, pg_list):
1648 spd = VppIpsecSpd(self, spd_id)
1649 spd.add_vpp_config()
1650 self.spd_objs.append(spd)
1652 spdItf = VppIpsecSpdItfBinding(self, spd, pg)
1653 spdItf.add_vpp_config()
1654 self.spd_objs.append(spdItf)
1656 def get_policy(self, policy_type):
1657 e = VppEnum.vl_api_ipsec_spd_action_t
1658 if policy_type == "protect":
1659 return e.IPSEC_API_SPD_ACTION_PROTECT
1660 elif policy_type == "bypass":
1661 return e.IPSEC_API_SPD_ACTION_BYPASS
1662 elif policy_type == "discard":
1663 return e.IPSEC_API_SPD_ACTION_DISCARD
1665 raise Exception("Invalid policy type: %s", policy_type)
1667 def spd_add_rem_policy(self, spd_id, src_if, dst_if,
1668 proto, is_out, priority, policy_type,
1669 remove=False, all_ips=False):
1670 spd = VppIpsecSpd(self, spd_id)
1673 src_range_low = ip_address("0.0.0.0")
1674 src_range_high = ip_address("255.255.255.255")
1675 dst_range_low = ip_address("0.0.0.0")
1676 dst_range_high = ip_address("255.255.255.255")
1678 src_range_low = src_if.remote_ip4
1679 src_range_high = src_if.remote_ip4
1680 dst_range_low = dst_if.remote_ip4
1681 dst_range_high = dst_if.remote_ip4
1683 spdEntry = VppIpsecSpdEntry(self, spd, 0,
1690 policy=self.get_policy(policy_type),
1693 if(remove is False):
1694 spdEntry.add_vpp_config()
1695 self.spd_policies.append(spdEntry)
1697 spdEntry.remove_vpp_config()
1698 self.spd_policies.remove(spdEntry)
1699 self.logger.info(self.vapi.ppcli("show ipsec all"))
1702 def create_stream(self, src_if, dst_if, pkt_count,
1703 src_prt=1234, dst_prt=5678):
1705 for i in range(pkt_count):
1706 # create packet info stored in the test case instance
1707 info = self.create_packet_info(src_if, dst_if)
1708 # convert the info into packet payload
1709 payload = self.info_to_payload(info)
1710 # create the packet itself
1711 p = (Ether(dst=src_if.local_mac, src=src_if.remote_mac) /
1712 IP(src=src_if.remote_ip4, dst=dst_if.remote_ip4) /
1713 UDP(sport=src_prt, dport=dst_prt) /
1715 # store a copy of the packet in the packet info
1716 info.data = p.copy()
1717 # append the packet to the list
1719 # return the created packet list
1722 def verify_capture(self, src_if, dst_if, capture):
1724 for packet in capture:
1728 # convert the payload to packet info object
1729 payload_info = self.payload_to_info(packet)
1730 # make sure the indexes match
1731 self.assert_equal(payload_info.src, src_if.sw_if_index,
1732 "source sw_if_index")
1733 self.assert_equal(payload_info.dst, dst_if.sw_if_index,
1734 "destination sw_if_index")
1735 packet_info = self.get_next_packet_info_for_interface2(
1739 # make sure we didn't run out of saved packets
1740 self.assertIsNotNone(packet_info)
1741 self.assert_equal(payload_info.index, packet_info.index,
1742 "packet info index")
1743 saved_packet = packet_info.data # fetch the saved packet
1744 # assert the values match
1745 self.assert_equal(ip.src, saved_packet[IP].src,
1746 "IP source address")
1747 # ... more assertions here
1748 self.assert_equal(udp.sport, saved_packet[UDP].sport,
1750 except Exception as e:
1751 self.logger.error(ppp("Unexpected or invalid packet:",
1754 remaining_packet = self.get_next_packet_info_for_interface2(
1758 self.assertIsNone(remaining_packet,
1759 "Interface %s: Packet expected from interface "
1760 "%s didn't arrive" % (dst_if.name, src_if.name))
1762 def verify_policy_match(self, pkt_count, spdEntry):
1764 "XXXX %s %s", str(spdEntry), str(spdEntry.get_stats()))
1765 matched_pkts = spdEntry.get_stats().get('packets')
1767 "Policy %s matched: %d pkts", str(spdEntry), matched_pkts)
1768 self.assert_equal(pkt_count, matched_pkts)
1771 class SpdFlowCacheTemplate(IPSecIPv4Fwd):
1773 def setUpConstants(cls):
1774 super(SpdFlowCacheTemplate, cls).setUpConstants()
1775 # Override this method with required cmdline parameters e.g.
1776 # cls.vpp_cmdline.extend(["ipsec", "{",
1777 # "ipv4-outbound-spd-flow-cache on",
1779 # cls.logger.info("VPP modified cmdline is %s" % " "
1780 # .join(cls.vpp_cmdline))
1783 super(SpdFlowCacheTemplate, self).setUp()
1786 super(SpdFlowCacheTemplate, self).tearDown()
1788 def get_spd_flow_cache_entries(self):
1789 """ 'show ipsec spd' output:
1790 ip4-outbound-spd-flow-cache-entries: 0
1792 show_ipsec_reply = self.vapi.cli("show ipsec spd")
1793 # match the relevant section of 'show ipsec spd' output
1794 regex_match = re.search(
1795 'ip4-outbound-spd-flow-cache-entries: (.*)',
1796 show_ipsec_reply, re.DOTALL)
1797 if regex_match is None:
1798 raise Exception("Unable to find spd flow cache entries \
1799 in \'show ipsec spd\' CLI output - regex failed to match")
1802 num_entries = int(regex_match.group(1))
1804 raise Exception("Unable to get spd flow cache entries \
1805 from \'show ipsec spd\' string: %s", regex_match.group(0))
1806 self.logger.info("%s", regex_match.group(0))
1809 def verify_num_outbound_flow_cache_entries(self, expected_elements):
1810 self.assertEqual(self.get_spd_flow_cache_entries(), expected_elements)
1812 def crc32_supported(self):
1813 # lscpu is part of util-linux package, available on all Linux Distros
1814 stream = os.popen('lscpu')
1815 cpu_info = stream.read()
1816 # feature/flag "crc32" on Aarch64 and "sse4_2" on x86
1817 # see vppinfra/crc32.h
1818 if "crc32" or "sse4_2" in cpu_info:
1819 self.logger.info("\ncrc32 supported:\n" + cpu_info)
1822 self.logger.info("\ncrc32 NOT supported:\n" + cpu_info)
1825 if __name__ == '__main__':
1826 unittest.main(testRunner=VppTestRunner)