5 from scapy.layers.ipsec import SecurityAssociation, ESP
6 from scapy.layers.l2 import Ether, GRE, Dot1Q
7 from scapy.packet import Raw, bind_layers
8 from scapy.layers.inet import IP, UDP
9 from scapy.layers.inet6 import IPv6
10 from scapy.contrib.mpls import MPLS
11 from asfframework import VppTestRunner, tag_fixme_vpp_workers
12 from template_ipsec import (
20 IpsecTun6HandoffTests,
21 IpsecTun4HandoffTests,
24 from vpp_gre_interface import VppGreInterface
25 from vpp_ipip_tun_interface import VppIpIpTunInterface
26 from vpp_ip_route import (
35 from vpp_ipsec import VppIpsecSA, VppIpsecTunProtect, VppIpsecInterface
36 from vpp_l2 import VppBridgeDomain, VppBridgeDomainPort
37 from vpp_sub_interface import L2_VTR_OP, VppDot1QSubint
38 from vpp_teib import VppTeib
40 from vpp_papi import VppEnum
41 from vpp_papi_provider import CliFailedCommandError
42 from vpp_acl import AclRule, VppAcl, VppAclInterface
43 from vpp_policer import PolicerAction, VppPolicer, Dir
46 def config_tun_params(p, encryption_type, tun_if, src=None, dst=None):
47 ip_class_by_addr_type = {socket.AF_INET: IP, socket.AF_INET6: IPv6}
49 p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_USE_ESN)
51 crypt_key = mk_scapy_crypt_key(p)
53 p.tun_dst = tun_if.remote_ip
54 p.tun_src = tun_if.local_ip
60 is_default_port = p.nat_header.dport == 4500
62 is_default_port = True
65 outbound_nat_header = p.nat_header
67 outbound_nat_header = UDP(sport=p.nat_header.dport, dport=p.nat_header.sport)
68 bind_layers(UDP, ESP, dport=p.nat_header.dport)
70 p.scapy_tun_sa = SecurityAssociation(
73 crypt_algo=p.crypt_algo,
75 auth_algo=p.auth_algo,
77 tunnel_header=ip_class_by_addr_type[p.addr_type](src=p.tun_dst, dst=p.tun_src),
78 nat_t_header=outbound_nat_header,
81 p.vpp_tun_sa = SecurityAssociation(
84 crypt_algo=p.crypt_algo,
86 auth_algo=p.auth_algo,
88 tunnel_header=ip_class_by_addr_type[p.addr_type](dst=p.tun_dst, src=p.tun_src),
89 nat_t_header=p.nat_header,
94 def config_tra_params(p, encryption_type, tun_if):
95 ip_class_by_addr_type = {socket.AF_INET: IP, socket.AF_INET6: IPv6}
97 p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_USE_ESN)
99 crypt_key = mk_scapy_crypt_key(p)
100 p.tun_dst = tun_if.remote_ip
101 p.tun_src = tun_if.local_ip
104 is_default_port = p.nat_header.dport == 4500
106 is_default_port = True
109 outbound_nat_header = p.nat_header
111 outbound_nat_header = UDP(sport=p.nat_header.dport, dport=p.nat_header.sport)
112 bind_layers(UDP, ESP, dport=p.nat_header.dport)
114 p.scapy_tun_sa = SecurityAssociation(
117 crypt_algo=p.crypt_algo,
119 auth_algo=p.auth_algo,
122 nat_t_header=outbound_nat_header,
124 p.vpp_tun_sa = SecurityAssociation(
127 crypt_algo=p.crypt_algo,
129 auth_algo=p.auth_algo,
132 nat_t_header=p.nat_header,
136 class TemplateIpsec4TunProtect(object):
137 """IPsec IPv4 Tunnel protect"""
139 encryption_type = ESP
140 tun4_encrypt_node_name = "esp4-encrypt-tun"
141 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
142 tun4_input_node = "ipsec4-tun-input"
144 def config_sa_tra(self, p):
145 config_tun_params(p, self.encryption_type, p.tun_if)
147 p.tun_sa_out = VppIpsecSA(
155 self.vpp_esp_protocol,
158 p.tun_sa_out.add_vpp_config()
160 p.tun_sa_in = VppIpsecSA(
168 self.vpp_esp_protocol,
171 p.tun_sa_in.add_vpp_config()
173 def config_sa_tun(self, p):
174 config_tun_params(p, self.encryption_type, p.tun_if)
176 p.tun_sa_out = VppIpsecSA(
184 self.vpp_esp_protocol,
185 self.tun_if.local_addr[p.addr_type],
186 self.tun_if.remote_addr[p.addr_type],
189 p.tun_sa_out.add_vpp_config()
191 p.tun_sa_in = VppIpsecSA(
199 self.vpp_esp_protocol,
200 self.tun_if.remote_addr[p.addr_type],
201 self.tun_if.local_addr[p.addr_type],
204 p.tun_sa_in.add_vpp_config()
206 def config_protect(self, p):
207 p.tun_protect = VppIpsecTunProtect(self, p.tun_if, p.tun_sa_out, [p.tun_sa_in])
208 p.tun_protect.add_vpp_config()
210 def config_network(self, p):
211 if hasattr(p, "tun_dst"):
214 tun_dst = self.pg0.remote_ip4
215 p.tun_if = VppIpIpTunInterface(self, self.pg0, self.pg0.local_ip4, tun_dst)
216 p.tun_if.add_vpp_config()
218 p.tun_if.config_ip4()
219 p.tun_if.config_ip6()
221 p.route = VppIpRoute(
223 p.remote_tun_if_host,
225 [VppRoutePath(p.tun_if.remote_ip4, 0xFFFFFFFF)],
227 p.route.add_vpp_config()
230 p.remote_tun_if_host6,
234 p.tun_if.remote_ip6, 0xFFFFFFFF, proto=DpoProto.DPO_PROTO_IP6
240 def unconfig_network(self, p):
241 p.route.remove_vpp_config()
242 p.tun_if.remove_vpp_config()
244 def unconfig_protect(self, p):
245 p.tun_protect.remove_vpp_config()
247 def unconfig_sa(self, p):
248 p.tun_sa_out.remove_vpp_config()
249 p.tun_sa_in.remove_vpp_config()
252 class TemplateIpsec4TunIfEsp(TemplateIpsec4TunProtect, TemplateIpsec):
253 """IPsec tunnel interface tests"""
255 encryption_type = ESP
259 super(TemplateIpsec4TunIfEsp, cls).setUpClass()
262 def tearDownClass(cls):
263 super(TemplateIpsec4TunIfEsp, cls).tearDownClass()
266 super(TemplateIpsec4TunIfEsp, self).setUp()
268 self.tun_if = self.pg0
272 self.config_network(p)
273 self.config_sa_tra(p)
274 self.config_protect(p)
277 super(TemplateIpsec4TunIfEsp, self).tearDown()
280 class TemplateIpsec4TunIfEspUdp(TemplateIpsec4TunProtect, TemplateIpsec):
281 """IPsec UDP tunnel interface tests"""
283 tun4_encrypt_node_name = "esp4-encrypt-tun"
284 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
285 encryption_type = ESP
289 super(TemplateIpsec4TunIfEspUdp, cls).setUpClass()
292 def tearDownClass(cls):
293 super(TemplateIpsec4TunIfEspUdp, cls).tearDownClass()
295 def verify_encrypted(self, p, sa, rxs):
298 # ensure the UDP ports are correct before we decrypt
300 self.assertTrue(rx.haslayer(UDP))
301 self.assert_equal(rx[UDP].sport, p.nat_header.sport)
302 self.assert_equal(rx[UDP].dport, p.nat_header.dport)
304 pkt = sa.decrypt(rx[IP])
305 if not pkt.haslayer(IP):
306 pkt = IP(pkt[Raw].load)
308 self.assert_packet_checksums_valid(pkt)
309 self.assert_equal(pkt[IP].dst, "1.1.1.1")
310 self.assert_equal(pkt[IP].src, self.pg1.remote_ip4)
311 except (IndexError, AssertionError):
312 self.logger.debug(ppp("Unexpected packet:", rx))
314 self.logger.debug(ppp("Decrypted packet:", pkt))
319 def config_sa_tra(self, p):
320 config_tun_params(p, self.encryption_type, p.tun_if)
322 p.tun_sa_out = VppIpsecSA(
330 self.vpp_esp_protocol,
332 udp_src=p.nat_header.sport,
333 udp_dst=p.nat_header.dport,
335 p.tun_sa_out.add_vpp_config()
337 p.tun_sa_in = VppIpsecSA(
345 self.vpp_esp_protocol,
347 | VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_IS_INBOUND,
348 udp_src=p.nat_header.sport,
349 udp_dst=p.nat_header.dport,
351 p.tun_sa_in.add_vpp_config()
354 super(TemplateIpsec4TunIfEspUdp, self).setUp()
357 p.flags = VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_UDP_ENCAP
358 p.nat_header = UDP(sport=5454, dport=4500)
360 self.tun_if = self.pg0
362 self.config_network(p)
363 self.config_sa_tra(p)
364 self.config_protect(p)
367 super(TemplateIpsec4TunIfEspUdp, self).tearDown()
370 class TestIpsec4TunIfEsp1(TemplateIpsec4TunIfEsp, IpsecTun4Tests):
371 """Ipsec ESP - TUN tests"""
373 tun4_encrypt_node_name = "esp4-encrypt-tun"
374 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
376 def test_tun_basic64(self):
377 """ipsec 6o4 tunnel basic test"""
378 self.tun4_encrypt_node_name = "esp4-encrypt-tun"
380 self.verify_tun_64(self.params[socket.AF_INET], count=1)
382 def test_tun_burst64(self):
383 """ipsec 6o4 tunnel basic test"""
384 self.tun4_encrypt_node_name = "esp4-encrypt-tun"
386 self.verify_tun_64(self.params[socket.AF_INET], count=257)
388 def test_tun_basic_frag44(self):
389 """ipsec 4o4 tunnel frag basic test"""
390 self.tun4_encrypt_node_name = "esp4-encrypt-tun"
394 self.vapi.sw_interface_set_mtu(p.tun_if.sw_if_index, [1500, 0, 0, 0])
396 self.params[socket.AF_INET], count=1, payload_size=1800, n_rx=2
398 self.vapi.sw_interface_set_mtu(p.tun_if.sw_if_index, [9000, 0, 0, 0])
401 class TestIpsec4TunIfEspUdp(TemplateIpsec4TunIfEspUdp, IpsecTun4Tests):
402 """Ipsec ESP UDP tests"""
404 tun4_input_node = "ipsec4-tun-input"
407 super(TestIpsec4TunIfEspUdp, self).setUp()
409 def test_keepalive(self):
410 """IPSEC NAT Keepalive"""
411 self.verify_keepalive(self.ipv4_params)
414 class TestIpsec4TunIfEspUdpGCM(TemplateIpsec4TunIfEspUdp, IpsecTun4Tests):
415 """Ipsec ESP UDP GCM tests"""
417 tun4_input_node = "ipsec4-tun-input"
420 super(TestIpsec4TunIfEspUdpGCM, self).setUp()
422 p.auth_algo_vpp_id = VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_NONE
423 p.crypt_algo_vpp_id = (
424 VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_GCM_256
426 p.crypt_algo = "AES-GCM"
428 p.crypt_key = b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"
432 class TestIpsec4TunIfEspUdpUpdate(TemplateIpsec4TunIfEspUdp, IpsecTun4Tests):
433 """Ipsec ESP UDP update tests"""
435 tun4_input_node = "ipsec4-tun-input"
438 super(TestIpsec4TunIfEspUdpUpdate, self).setUp()
440 p.nat_header = UDP(sport=6565, dport=7676)
441 config_tun_params(p, self.encryption_type, p.tun_if)
442 p.tun_sa_in.update_vpp_config(
443 udp_src=p.nat_header.dport, udp_dst=p.nat_header.sport
445 p.tun_sa_out.update_vpp_config(
446 udp_src=p.nat_header.sport, udp_dst=p.nat_header.dport
450 class TestIpsec4TunIfEsp2(TemplateIpsec4TunIfEsp, IpsecTcpTests):
451 """Ipsec ESP - TCP tests"""
456 class TemplateIpsec6TunProtect(object):
457 """IPsec IPv6 Tunnel protect"""
459 def config_sa_tra(self, p):
460 config_tun_params(p, self.encryption_type, p.tun_if)
462 p.tun_sa_out = VppIpsecSA(
470 self.vpp_esp_protocol,
472 p.tun_sa_out.add_vpp_config()
474 p.tun_sa_in = VppIpsecSA(
482 self.vpp_esp_protocol,
484 p.tun_sa_in.add_vpp_config()
486 def config_sa_tun(self, p):
487 config_tun_params(p, self.encryption_type, p.tun_if)
489 p.tun_sa_out = VppIpsecSA(
497 self.vpp_esp_protocol,
498 self.tun_if.local_addr[p.addr_type],
499 self.tun_if.remote_addr[p.addr_type],
501 p.tun_sa_out.add_vpp_config()
503 p.tun_sa_in = VppIpsecSA(
511 self.vpp_esp_protocol,
512 self.tun_if.remote_addr[p.addr_type],
513 self.tun_if.local_addr[p.addr_type],
515 p.tun_sa_in.add_vpp_config()
517 def config_protect(self, p):
518 p.tun_protect = VppIpsecTunProtect(self, p.tun_if, p.tun_sa_out, [p.tun_sa_in])
519 p.tun_protect.add_vpp_config()
521 def config_network(self, p):
522 if hasattr(p, "tun_dst"):
525 tun_dst = self.pg0.remote_ip6
526 p.tun_if = VppIpIpTunInterface(self, self.pg0, self.pg0.local_ip6, tun_dst)
527 p.tun_if.add_vpp_config()
529 p.tun_if.config_ip6()
530 p.tun_if.config_ip4()
532 p.route = VppIpRoute(
534 p.remote_tun_if_host,
538 p.tun_if.remote_ip6, 0xFFFFFFFF, proto=DpoProto.DPO_PROTO_IP6
542 p.route.add_vpp_config()
545 p.remote_tun_if_host4,
547 [VppRoutePath(p.tun_if.remote_ip4, 0xFFFFFFFF)],
551 def unconfig_network(self, p):
552 p.route.remove_vpp_config()
553 p.tun_if.remove_vpp_config()
555 def unconfig_protect(self, p):
556 p.tun_protect.remove_vpp_config()
558 def unconfig_sa(self, p):
559 p.tun_sa_out.remove_vpp_config()
560 p.tun_sa_in.remove_vpp_config()
563 class TemplateIpsec6TunIfEsp(TemplateIpsec6TunProtect, TemplateIpsec):
564 """IPsec tunnel interface tests"""
566 encryption_type = ESP
569 super(TemplateIpsec6TunIfEsp, self).setUp()
571 self.tun_if = self.pg0
574 self.config_network(p)
575 self.config_sa_tra(p)
576 self.config_protect(p)
579 super(TemplateIpsec6TunIfEsp, self).tearDown()
582 class TemplateIpsec6TunIfEspUdp(TemplateIpsec6TunProtect, TemplateIpsec):
583 """IPsec6 UDP tunnel interface tests"""
585 tun4_encrypt_node_name = "esp6-encrypt-tun"
586 tun4_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"]
587 encryption_type = ESP
591 super(TemplateIpsec6TunIfEspUdp, cls).setUpClass()
594 def tearDownClass(cls):
595 super(TemplateIpsec6TunIfEspUdp, cls).tearDownClass()
597 def verify_encrypted(self, p, sa, rxs):
600 # ensure the UDP ports are correct before we decrypt
602 self.assertTrue(rx.haslayer(UDP))
603 self.assert_equal(rx[UDP].sport, p.nat_header.sport)
604 self.assert_equal(rx[UDP].dport, p.nat_header.dport)
606 pkt = sa.decrypt(rx[IP])
607 if not pkt.haslayer(IP):
608 pkt = IP(pkt[Raw].load)
610 self.assert_packet_checksums_valid(pkt)
612 pkt[IP].dst, "1111:1111:1111:1111:1111:1111:1111:1111"
614 self.assert_equal(pkt[IP].src, self.pg1.remote_ip6)
615 except (IndexError, AssertionError):
616 self.logger.debug(ppp("Unexpected packet:", rx))
618 self.logger.debug(ppp("Decrypted packet:", pkt))
623 def config_sa_tra(self, p):
624 config_tun_params(p, self.encryption_type, p.tun_if)
626 p.tun_sa_out = VppIpsecSA(
634 self.vpp_esp_protocol,
636 udp_src=p.nat_header.sport,
637 udp_dst=p.nat_header.dport,
639 p.tun_sa_out.add_vpp_config()
641 p.tun_sa_in = VppIpsecSA(
649 self.vpp_esp_protocol,
651 | VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_IS_INBOUND,
652 udp_src=p.nat_header.sport,
653 udp_dst=p.nat_header.dport,
655 p.tun_sa_in.add_vpp_config()
658 super(TemplateIpsec6TunIfEspUdp, self).setUp()
661 p.flags = VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_UDP_ENCAP
662 p.nat_header = UDP(sport=5454, dport=4500)
664 self.tun_if = self.pg0
666 self.config_network(p)
667 self.config_sa_tra(p)
668 self.config_protect(p)
671 super(TemplateIpsec6TunIfEspUdp, self).tearDown()
674 class TestIpsec6TunIfEspUdp(TemplateIpsec6TunIfEspUdp, IpsecTun6Tests):
675 """Ipsec ESP 6 UDP tests"""
677 tun6_input_node = "ipsec6-tun-input"
678 tun6_encrypt_node_name = "esp6-encrypt-tun"
679 tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"]
682 super(TestIpsec6TunIfEspUdp, self).setUp()
684 def test_keepalive(self):
685 """IPSEC6 NAT Keepalive"""
686 self.verify_keepalive(self.ipv6_params)
689 class TestIpsec6TunIfEspUdpGCM(TemplateIpsec6TunIfEspUdp, IpsecTun6Tests):
690 """Ipsec ESP 6 UDP GCM tests"""
692 tun6_input_node = "ipsec6-tun-input"
693 tun6_encrypt_node_name = "esp6-encrypt-tun"
694 tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"]
697 super(TestIpsec6TunIfEspUdpGCM, self).setUp()
699 p.auth_algo_vpp_id = VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_NONE
700 p.crypt_algo_vpp_id = (
701 VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_GCM_256
703 p.crypt_algo = "AES-GCM"
705 p.crypt_key = b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"
709 class TestIpsec6TunIfEsp1(TemplateIpsec6TunIfEsp, IpsecTun6Tests):
710 """Ipsec ESP - TUN tests"""
712 tun6_encrypt_node_name = "esp6-encrypt-tun"
713 tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"]
715 def test_tun_basic46(self):
716 """ipsec 4o6 tunnel basic test"""
717 self.tun6_encrypt_node_name = "esp6-encrypt-tun"
718 self.verify_tun_46(self.params[socket.AF_INET6], count=1)
720 def test_tun_burst46(self):
721 """ipsec 4o6 tunnel burst test"""
722 self.tun6_encrypt_node_name = "esp6-encrypt-tun"
723 self.verify_tun_46(self.params[socket.AF_INET6], count=257)
726 class TestIpsec6TunIfEspHandoff(TemplateIpsec6TunIfEsp, IpsecTun6HandoffTests):
727 """Ipsec ESP 6 Handoff tests"""
729 tun6_encrypt_node_name = "esp6-encrypt-tun"
730 tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"]
732 def test_tun_handoff_66_police(self):
733 """ESP 6o6 tunnel with policer worker hand-off test"""
734 self.vapi.cli("clear errors")
735 self.vapi.cli("clear ipsec sa")
738 p = self.params[socket.AF_INET6]
740 action_tx = PolicerAction(
741 VppEnum.vl_api_sse2_qos_action_type_t.SSE2_QOS_ACTION_API_TRANSMIT, 0
743 policer = VppPolicer(
750 conform_action=action_tx,
751 exceed_action=action_tx,
752 violate_action=action_tx,
754 policer.add_vpp_config()
756 # Start policing on tun
757 policer.apply_vpp_config(p.tun_if.sw_if_index, Dir.RX, True)
759 for pol_bind in [1, 0]:
760 policer.bind_vpp_config(pol_bind, True)
762 # inject alternately on worker 0 and 1.
763 for worker in [0, 1, 0, 1]:
764 send_pkts = self.gen_encrypt_pkts6(
768 src=p.remote_tun_if_host,
769 dst=self.pg1.remote_ip6,
772 recv_pkts = self.send_and_expect(
773 self.tun_if, send_pkts, self.pg1, worker=worker
775 self.verify_decrypted6(p, recv_pkts)
776 self.logger.debug(self.vapi.cli("show trace max 100"))
778 stats = policer.get_stats()
779 stats0 = policer.get_stats(worker=0)
780 stats1 = policer.get_stats(worker=1)
783 # First pass: Worker 1, should have done all the policing
784 self.assertEqual(stats, stats1)
786 # Worker 0, should have handed everything off
787 self.assertEqual(stats0["conform_packets"], 0)
788 self.assertEqual(stats0["exceed_packets"], 0)
789 self.assertEqual(stats0["violate_packets"], 0)
791 # Second pass: both workers should have policed equal amounts
792 self.assertGreater(stats1["conform_packets"], 0)
793 self.assertEqual(stats1["exceed_packets"], 0)
794 self.assertGreater(stats1["violate_packets"], 0)
796 self.assertGreater(stats0["conform_packets"], 0)
797 self.assertEqual(stats0["exceed_packets"], 0)
798 self.assertGreater(stats0["violate_packets"], 0)
801 stats0["conform_packets"] + stats0["violate_packets"],
802 stats1["conform_packets"] + stats1["violate_packets"],
805 policer.apply_vpp_config(p.tun_if.sw_if_index, Dir.RX, False)
806 policer.remove_vpp_config()
809 class TestIpsec4TunIfEspHandoff(TemplateIpsec4TunIfEsp, IpsecTun4HandoffTests):
810 """Ipsec ESP 4 Handoff tests"""
812 tun4_encrypt_node_name = "esp4-encrypt-tun"
813 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
815 def test_tun_handoff_44_police(self):
816 """ESP 4o4 tunnel with policer worker hand-off test"""
817 self.vapi.cli("clear errors")
818 self.vapi.cli("clear ipsec sa")
821 p = self.params[socket.AF_INET]
823 action_tx = PolicerAction(
824 VppEnum.vl_api_sse2_qos_action_type_t.SSE2_QOS_ACTION_API_TRANSMIT, 0
826 policer = VppPolicer(
833 conform_action=action_tx,
834 exceed_action=action_tx,
835 violate_action=action_tx,
837 policer.add_vpp_config()
839 # Start policing on tun
840 policer.apply_vpp_config(p.tun_if.sw_if_index, Dir.RX, True)
842 for pol_bind in [1, 0]:
843 policer.bind_vpp_config(pol_bind, True)
845 # inject alternately on worker 0 and 1.
846 for worker in [0, 1, 0, 1]:
847 send_pkts = self.gen_encrypt_pkts(
851 src=p.remote_tun_if_host,
852 dst=self.pg1.remote_ip4,
855 recv_pkts = self.send_and_expect(
856 self.tun_if, send_pkts, self.pg1, worker=worker
858 self.verify_decrypted(p, recv_pkts)
859 self.logger.debug(self.vapi.cli("show trace max 100"))
861 stats = policer.get_stats()
862 stats0 = policer.get_stats(worker=0)
863 stats1 = policer.get_stats(worker=1)
866 # First pass: Worker 1, should have done all the policing
867 self.assertEqual(stats, stats1)
869 # Worker 0, should have handed everything off
870 self.assertEqual(stats0["conform_packets"], 0)
871 self.assertEqual(stats0["exceed_packets"], 0)
872 self.assertEqual(stats0["violate_packets"], 0)
874 # Second pass: both workers should have policed equal amounts
875 self.assertGreater(stats1["conform_packets"], 0)
876 self.assertEqual(stats1["exceed_packets"], 0)
877 self.assertGreater(stats1["violate_packets"], 0)
879 self.assertGreater(stats0["conform_packets"], 0)
880 self.assertEqual(stats0["exceed_packets"], 0)
881 self.assertGreater(stats0["violate_packets"], 0)
884 stats0["conform_packets"] + stats0["violate_packets"],
885 stats1["conform_packets"] + stats1["violate_packets"],
888 policer.apply_vpp_config(p.tun_if.sw_if_index, Dir.RX, False)
889 policer.remove_vpp_config()
892 @tag_fixme_vpp_workers
893 class TestIpsec4MultiTunIfEsp(TemplateIpsec4TunProtect, TemplateIpsec, IpsecTun4):
894 """IPsec IPv4 Multi Tunnel interface"""
896 encryption_type = ESP
897 tun4_encrypt_node_name = "esp4-encrypt-tun"
898 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
901 super(TestIpsec4MultiTunIfEsp, self).setUp()
903 self.tun_if = self.pg0
905 self.multi_params = []
906 self.pg0.generate_remote_hosts(10)
907 self.pg0.configure_ipv4_neighbors()
910 p = copy.copy(self.ipv4_params)
912 p.remote_tun_if_host = "1.1.1.%d" % (ii + 1)
913 p.scapy_tun_sa_id = p.scapy_tun_sa_id + ii
914 p.scapy_tun_spi = p.scapy_tun_spi + ii
915 p.vpp_tun_sa_id = p.vpp_tun_sa_id + ii
916 p.vpp_tun_spi = p.vpp_tun_spi + ii
918 p.scapy_tra_sa_id = p.scapy_tra_sa_id + ii
919 p.scapy_tra_spi = p.scapy_tra_spi + ii
920 p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii
921 p.vpp_tra_spi = p.vpp_tra_spi + ii
922 p.tun_dst = self.pg0.remote_hosts[ii].ip4
924 self.multi_params.append(p)
925 self.config_network(p)
926 self.config_sa_tra(p)
927 self.config_protect(p)
930 super(TestIpsec4MultiTunIfEsp, self).tearDown()
932 def test_tun_44(self):
933 """Multiple IPSEC tunnel interfaces"""
934 for p in self.multi_params:
935 self.verify_tun_44(p, count=127)
936 self.assertEqual(p.tun_if.get_rx_stats(), 127)
937 self.assertEqual(p.tun_if.get_tx_stats(), 127)
939 def test_tun_rr_44(self):
940 """Round-robin packets acrros multiple interface"""
942 for p in self.multi_params:
943 tx = tx + self.gen_encrypt_pkts(
947 src=p.remote_tun_if_host,
948 dst=self.pg1.remote_ip4,
950 rxs = self.send_and_expect(self.tun_if, tx, self.pg1)
952 for rx, p in zip(rxs, self.multi_params):
953 self.verify_decrypted(p, [rx])
956 for p in self.multi_params:
957 tx = tx + self.gen_pkts(
958 self.pg1, src=self.pg1.remote_ip4, dst=p.remote_tun_if_host
960 rxs = self.send_and_expect(self.pg1, tx, self.tun_if)
962 for rx, p in zip(rxs, self.multi_params):
963 self.verify_encrypted(p, p.vpp_tun_sa, [rx])
966 class TestIpsec4TunIfEspAll(TemplateIpsec4TunProtect, TemplateIpsec, IpsecTun4):
967 """IPsec IPv4 Tunnel interface all Algos"""
969 encryption_type = ESP
970 tun4_encrypt_node_name = "esp4-encrypt-tun"
971 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
974 super(TestIpsec4TunIfEspAll, self).setUp()
976 self.tun_if = self.pg0
979 self.config_network(p)
980 self.config_sa_tra(p)
981 self.config_protect(p)
985 self.unconfig_protect(p)
986 self.unconfig_network(p)
989 super(TestIpsec4TunIfEspAll, self).tearDown()
993 # change the key and the SPI
996 p.crypt_key = b"X" + p.crypt_key[1:]
998 p.scapy_tun_sa_id += 1
1000 p.vpp_tun_sa_id += 1
1001 p.tun_if.local_spi = p.vpp_tun_spi
1002 p.tun_if.remote_spi = p.scapy_tun_spi
1004 config_tun_params(p, self.encryption_type, p.tun_if)
1006 p.tun_sa_out = VppIpsecSA(
1012 p.crypt_algo_vpp_id,
1014 self.vpp_esp_protocol,
1018 p.tun_sa_in = VppIpsecSA(
1024 p.crypt_algo_vpp_id,
1026 self.vpp_esp_protocol,
1030 p.tun_sa_in.add_vpp_config()
1031 p.tun_sa_out.add_vpp_config()
1033 self.config_protect(p)
1034 np.tun_sa_out.remove_vpp_config()
1035 np.tun_sa_in.remove_vpp_config()
1036 self.logger.info(self.vapi.cli("sh ipsec sa"))
1038 def test_tun_44(self):
1039 """IPSEC tunnel all algos"""
1041 # foreach VPP crypto engine
1042 engines = ["ia32", "ipsecmb", "openssl"]
1044 # foreach crypto algorithm
1048 VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_GCM_128
1051 VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_NONE
1053 "scapy-crypto": "AES-GCM",
1054 "scapy-integ": "NULL",
1055 "key": b"JPjyOWBeVEQiMe7h",
1060 VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_GCM_192
1063 VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_NONE
1065 "scapy-crypto": "AES-GCM",
1066 "scapy-integ": "NULL",
1067 "key": b"JPjyOWBeVEQiMe7hJPjyOWBe",
1072 VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_GCM_256
1075 VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_NONE
1077 "scapy-crypto": "AES-GCM",
1078 "scapy-integ": "NULL",
1079 "key": b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h",
1084 VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_CBC_128
1087 VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_SHA1_96
1089 "scapy-crypto": "AES-CBC",
1090 "scapy-integ": "HMAC-SHA1-96",
1092 "key": b"JPjyOWBeVEQiMe7h",
1096 VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_CBC_192
1099 VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_SHA_512_256
1101 "scapy-crypto": "AES-CBC",
1102 "scapy-integ": "SHA2-512-256",
1104 "key": b"JPjyOWBeVEQiMe7hJPjyOWBe",
1108 VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_CBC_256
1111 VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_SHA_256_128
1113 "scapy-crypto": "AES-CBC",
1114 "scapy-integ": "SHA2-256-128",
1116 "key": b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h",
1120 VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_NONE
1123 VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_SHA1_96
1125 "scapy-crypto": "NULL",
1126 "scapy-integ": "HMAC-SHA1-96",
1128 "key": b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h",
1132 for engine in engines:
1133 self.vapi.cli("set crypto handler all %s" % engine)
1136 # loop through each of the algorithms
1139 # with self.subTest(algo=algo['scapy']):
1141 p = self.ipv4_params
1142 p.auth_algo_vpp_id = algo["vpp-integ"]
1143 p.crypt_algo_vpp_id = algo["vpp-crypto"]
1144 p.crypt_algo = algo["scapy-crypto"]
1145 p.auth_algo = algo["scapy-integ"]
1146 p.crypt_key = algo["key"]
1147 p.salt = algo["salt"]
1153 self.verify_tun_44(p, count=127)
1156 class TestIpsec4TunIfEspNoAlgo(TemplateIpsec4TunProtect, TemplateIpsec, IpsecTun4):
1157 """IPsec IPv4 Tunnel interface no Algos"""
1159 encryption_type = ESP
1160 tun4_encrypt_node_name = "esp4-encrypt-tun"
1161 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
1164 super(TestIpsec4TunIfEspNoAlgo, self).setUp()
1166 self.tun_if = self.pg0
1167 p = self.ipv4_params
1168 p.auth_algo_vpp_id = VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_NONE
1169 p.auth_algo = "NULL"
1172 p.crypt_algo_vpp_id = (
1173 VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_NONE
1175 p.crypt_algo = "NULL"
1179 super(TestIpsec4TunIfEspNoAlgo, self).tearDown()
1181 def test_tun_44(self):
1182 """IPSec SA with NULL algos"""
1183 p = self.ipv4_params
1185 self.config_network(p)
1186 self.config_sa_tra(p)
1187 self.config_protect(p)
1189 tx = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4, dst=p.remote_tun_if_host)
1190 self.send_and_assert_no_replies(self.pg1, tx)
1192 self.unconfig_protect(p)
1194 self.unconfig_network(p)
1197 @tag_fixme_vpp_workers
1198 class TestIpsec6MultiTunIfEsp(TemplateIpsec6TunProtect, TemplateIpsec, IpsecTun6):
1199 """IPsec IPv6 Multi Tunnel interface"""
1201 encryption_type = ESP
1202 tun6_encrypt_node_name = "esp6-encrypt-tun"
1203 tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"]
1206 super(TestIpsec6MultiTunIfEsp, self).setUp()
1208 self.tun_if = self.pg0
1210 self.multi_params = []
1211 self.pg0.generate_remote_hosts(10)
1212 self.pg0.configure_ipv6_neighbors()
1214 for ii in range(10):
1215 p = copy.copy(self.ipv6_params)
1217 p.remote_tun_if_host = "1111::%d" % (ii + 1)
1218 p.scapy_tun_sa_id = p.scapy_tun_sa_id + ii
1219 p.scapy_tun_spi = p.scapy_tun_spi + ii
1220 p.vpp_tun_sa_id = p.vpp_tun_sa_id + ii
1221 p.vpp_tun_spi = p.vpp_tun_spi + ii
1223 p.scapy_tra_sa_id = p.scapy_tra_sa_id + ii
1224 p.scapy_tra_spi = p.scapy_tra_spi + ii
1225 p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii
1226 p.vpp_tra_spi = p.vpp_tra_spi + ii
1227 p.tun_dst = self.pg0.remote_hosts[ii].ip6
1229 self.multi_params.append(p)
1230 self.config_network(p)
1231 self.config_sa_tra(p)
1232 self.config_protect(p)
1235 super(TestIpsec6MultiTunIfEsp, self).tearDown()
1237 def test_tun_66(self):
1238 """Multiple IPSEC tunnel interfaces"""
1239 for p in self.multi_params:
1240 self.verify_tun_66(p, count=127)
1241 self.assertEqual(p.tun_if.get_rx_stats(), 127)
1242 self.assertEqual(p.tun_if.get_tx_stats(), 127)
1245 class TestIpsecGreTebIfEsp(TemplateIpsec, IpsecTun4Tests):
1246 """Ipsec GRE TEB ESP - TUN tests"""
1248 tun4_encrypt_node_name = "esp4-encrypt-tun"
1249 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
1250 encryption_type = ESP
1251 omac = "00:11:22:33:44:55"
1253 def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100):
1255 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
1257 IP(src=self.pg0.remote_ip4, dst=self.pg0.local_ip4)
1259 / Ether(dst=self.omac)
1260 / IP(src="1.1.1.1", dst="1.1.1.2")
1261 / UDP(sport=1144, dport=2233)
1262 / Raw(b"X" * payload_size)
1264 for i in range(count)
1267 def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=100):
1269 Ether(dst=self.omac)
1270 / IP(src="1.1.1.1", dst="1.1.1.2")
1271 / UDP(sport=1144, dport=2233)
1272 / Raw(b"X" * payload_size)
1273 for i in range(count)
1276 def verify_decrypted(self, p, rxs):
1278 self.assert_equal(rx[Ether].dst, self.omac)
1279 self.assert_equal(rx[IP].dst, "1.1.1.2")
1281 def verify_encrypted(self, p, sa, rxs):
1284 pkt = sa.decrypt(rx[IP])
1285 if not pkt.haslayer(IP):
1286 pkt = IP(pkt[Raw].load)
1287 self.assert_packet_checksums_valid(pkt)
1288 self.assert_equal(pkt[IP].dst, self.pg0.remote_ip4)
1289 self.assert_equal(pkt[IP].src, self.pg0.local_ip4)
1290 self.assertTrue(pkt.haslayer(GRE))
1292 self.assertEqual(e[Ether].dst, self.omac)
1293 self.assertEqual(e[IP].dst, "1.1.1.2")
1294 except (IndexError, AssertionError):
1295 self.logger.debug(ppp("Unexpected packet:", rx))
1297 self.logger.debug(ppp("Decrypted packet:", pkt))
1303 super(TestIpsecGreTebIfEsp, self).setUp()
1305 self.tun_if = self.pg0
1307 p = self.ipv4_params
1309 bd1 = VppBridgeDomain(self, 1)
1310 bd1.add_vpp_config()
1312 p.tun_sa_out = VppIpsecSA(
1318 p.crypt_algo_vpp_id,
1320 self.vpp_esp_protocol,
1322 self.pg0.remote_ip4,
1324 p.tun_sa_out.add_vpp_config()
1326 p.tun_sa_in = VppIpsecSA(
1332 p.crypt_algo_vpp_id,
1334 self.vpp_esp_protocol,
1335 self.pg0.remote_ip4,
1338 p.tun_sa_in.add_vpp_config()
1340 p.tun_if = VppGreInterface(
1343 self.pg0.remote_ip4,
1344 type=(VppEnum.vl_api_gre_tunnel_type_t.GRE_API_TUNNEL_TYPE_TEB),
1346 p.tun_if.add_vpp_config()
1348 p.tun_protect = VppIpsecTunProtect(self, p.tun_if, p.tun_sa_out, [p.tun_sa_in])
1350 p.tun_protect.add_vpp_config()
1353 p.tun_if.config_ip4()
1354 config_tun_params(p, self.encryption_type, p.tun_if)
1356 VppBridgeDomainPort(self, bd1, p.tun_if).add_vpp_config()
1357 VppBridgeDomainPort(self, bd1, self.pg1).add_vpp_config()
1359 self.vapi.cli("clear ipsec sa")
1360 self.vapi.cli("sh adj")
1361 self.vapi.cli("sh ipsec tun")
1364 p = self.ipv4_params
1365 p.tun_if.unconfig_ip4()
1366 super(TestIpsecGreTebIfEsp, self).tearDown()
1369 class TestIpsecGreTebVlanIfEsp(TemplateIpsec, IpsecTun4Tests):
1370 """Ipsec GRE TEB ESP - TUN tests"""
1372 tun4_encrypt_node_name = "esp4-encrypt-tun"
1373 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
1374 encryption_type = ESP
1375 omac = "00:11:22:33:44:55"
1377 def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100):
1379 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
1381 IP(src=self.pg0.remote_ip4, dst=self.pg0.local_ip4)
1383 / Ether(dst=self.omac)
1384 / IP(src="1.1.1.1", dst="1.1.1.2")
1385 / UDP(sport=1144, dport=2233)
1386 / Raw(b"X" * payload_size)
1388 for i in range(count)
1391 def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=100):
1393 Ether(dst=self.omac)
1395 / IP(src="1.1.1.1", dst="1.1.1.2")
1396 / UDP(sport=1144, dport=2233)
1397 / Raw(b"X" * payload_size)
1398 for i in range(count)
1401 def verify_decrypted(self, p, rxs):
1403 self.assert_equal(rx[Ether].dst, self.omac)
1404 self.assert_equal(rx[Dot1Q].vlan, 11)
1405 self.assert_equal(rx[IP].dst, "1.1.1.2")
1407 def verify_encrypted(self, p, sa, rxs):
1410 pkt = sa.decrypt(rx[IP])
1411 if not pkt.haslayer(IP):
1412 pkt = IP(pkt[Raw].load)
1413 self.assert_packet_checksums_valid(pkt)
1414 self.assert_equal(pkt[IP].dst, self.pg0.remote_ip4)
1415 self.assert_equal(pkt[IP].src, self.pg0.local_ip4)
1416 self.assertTrue(pkt.haslayer(GRE))
1418 self.assertEqual(e[Ether].dst, self.omac)
1419 self.assertFalse(e.haslayer(Dot1Q))
1420 self.assertEqual(e[IP].dst, "1.1.1.2")
1421 except (IndexError, AssertionError):
1422 self.logger.debug(ppp("Unexpected packet:", rx))
1424 self.logger.debug(ppp("Decrypted packet:", pkt))
1430 super(TestIpsecGreTebVlanIfEsp, self).setUp()
1432 self.tun_if = self.pg0
1434 p = self.ipv4_params
1436 bd1 = VppBridgeDomain(self, 1)
1437 bd1.add_vpp_config()
1439 self.pg1_11 = VppDot1QSubint(self, self.pg1, 11)
1440 self.vapi.l2_interface_vlan_tag_rewrite(
1441 sw_if_index=self.pg1_11.sw_if_index,
1442 vtr_op=L2_VTR_OP.L2_POP_1,
1445 self.pg1_11.admin_up()
1447 p.tun_sa_out = VppIpsecSA(
1453 p.crypt_algo_vpp_id,
1455 self.vpp_esp_protocol,
1457 self.pg0.remote_ip4,
1459 p.tun_sa_out.add_vpp_config()
1461 p.tun_sa_in = VppIpsecSA(
1467 p.crypt_algo_vpp_id,
1469 self.vpp_esp_protocol,
1470 self.pg0.remote_ip4,
1473 p.tun_sa_in.add_vpp_config()
1475 p.tun_if = VppGreInterface(
1478 self.pg0.remote_ip4,
1479 type=(VppEnum.vl_api_gre_tunnel_type_t.GRE_API_TUNNEL_TYPE_TEB),
1481 p.tun_if.add_vpp_config()
1483 p.tun_protect = VppIpsecTunProtect(self, p.tun_if, p.tun_sa_out, [p.tun_sa_in])
1485 p.tun_protect.add_vpp_config()
1488 p.tun_if.config_ip4()
1489 config_tun_params(p, self.encryption_type, p.tun_if)
1491 VppBridgeDomainPort(self, bd1, p.tun_if).add_vpp_config()
1492 VppBridgeDomainPort(self, bd1, self.pg1_11).add_vpp_config()
1494 self.vapi.cli("clear ipsec sa")
1497 p = self.ipv4_params
1498 p.tun_if.unconfig_ip4()
1499 super(TestIpsecGreTebVlanIfEsp, self).tearDown()
1500 self.pg1_11.admin_down()
1501 self.pg1_11.remove_vpp_config()
1504 class TestIpsecGreTebIfEspTra(TemplateIpsec, IpsecTun4Tests):
1505 """Ipsec GRE TEB ESP - Tra tests"""
1507 tun4_encrypt_node_name = "esp4-encrypt-tun"
1508 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
1509 encryption_type = ESP
1510 omac = "00:11:22:33:44:55"
1512 def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100):
1514 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
1516 IP(src=self.pg0.remote_ip4, dst=self.pg0.local_ip4)
1518 / Ether(dst=self.omac)
1519 / IP(src="1.1.1.1", dst="1.1.1.2")
1520 / UDP(sport=1144, dport=2233)
1521 / Raw(b"X" * payload_size)
1523 for i in range(count)
1526 def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=100):
1528 Ether(dst=self.omac)
1529 / IP(src="1.1.1.1", dst="1.1.1.2")
1530 / UDP(sport=1144, dport=2233)
1531 / Raw(b"X" * payload_size)
1532 for i in range(count)
1535 def verify_decrypted(self, p, rxs):
1537 self.assert_equal(rx[Ether].dst, self.omac)
1538 self.assert_equal(rx[IP].dst, "1.1.1.2")
1540 def verify_encrypted(self, p, sa, rxs):
1543 pkt = sa.decrypt(rx[IP])
1544 if not pkt.haslayer(IP):
1545 pkt = IP(pkt[Raw].load)
1546 self.assert_packet_checksums_valid(pkt)
1547 self.assert_equal(pkt[IP].dst, self.pg0.remote_ip4)
1548 self.assert_equal(pkt[IP].src, self.pg0.local_ip4)
1549 self.assertTrue(pkt.haslayer(GRE))
1551 self.assertEqual(e[Ether].dst, self.omac)
1552 self.assertEqual(e[IP].dst, "1.1.1.2")
1553 except (IndexError, AssertionError):
1554 self.logger.debug(ppp("Unexpected packet:", rx))
1556 self.logger.debug(ppp("Decrypted packet:", pkt))
1562 super(TestIpsecGreTebIfEspTra, self).setUp()
1564 self.tun_if = self.pg0
1566 p = self.ipv4_params
1568 bd1 = VppBridgeDomain(self, 1)
1569 bd1.add_vpp_config()
1571 p.tun_sa_out = VppIpsecSA(
1577 p.crypt_algo_vpp_id,
1579 self.vpp_esp_protocol,
1581 p.tun_sa_out.add_vpp_config()
1583 p.tun_sa_in = VppIpsecSA(
1589 p.crypt_algo_vpp_id,
1591 self.vpp_esp_protocol,
1593 p.tun_sa_in.add_vpp_config()
1595 p.tun_if = VppGreInterface(
1598 self.pg0.remote_ip4,
1599 type=(VppEnum.vl_api_gre_tunnel_type_t.GRE_API_TUNNEL_TYPE_TEB),
1601 p.tun_if.add_vpp_config()
1603 p.tun_protect = VppIpsecTunProtect(self, p.tun_if, p.tun_sa_out, [p.tun_sa_in])
1605 p.tun_protect.add_vpp_config()
1608 p.tun_if.config_ip4()
1609 config_tra_params(p, self.encryption_type, p.tun_if)
1611 VppBridgeDomainPort(self, bd1, p.tun_if).add_vpp_config()
1612 VppBridgeDomainPort(self, bd1, self.pg1).add_vpp_config()
1614 self.vapi.cli("clear ipsec sa")
1617 p = self.ipv4_params
1618 p.tun_if.unconfig_ip4()
1619 super(TestIpsecGreTebIfEspTra, self).tearDown()
1622 class TestIpsecGreTebUdpIfEspTra(TemplateIpsec, IpsecTun4Tests):
1623 """Ipsec GRE TEB UDP ESP - Tra tests"""
1625 tun4_encrypt_node_name = "esp4-encrypt-tun"
1626 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
1627 encryption_type = ESP
1628 omac = "00:11:22:33:44:55"
1630 def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100):
1632 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
1634 IP(src=self.pg0.remote_ip4, dst=self.pg0.local_ip4)
1636 / Ether(dst=self.omac)
1637 / IP(src="1.1.1.1", dst="1.1.1.2")
1638 / UDP(sport=1144, dport=2233)
1639 / Raw(b"X" * payload_size)
1641 for i in range(count)
1644 def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=100):
1646 Ether(dst=self.omac)
1647 / IP(src="1.1.1.1", dst="1.1.1.2")
1648 / UDP(sport=1144, dport=2233)
1649 / Raw(b"X" * payload_size)
1650 for i in range(count)
1653 def verify_decrypted(self, p, rxs):
1655 self.assert_equal(rx[Ether].dst, self.omac)
1656 self.assert_equal(rx[IP].dst, "1.1.1.2")
1658 def verify_encrypted(self, p, sa, rxs):
1660 self.assertTrue(rx.haslayer(UDP))
1661 self.assertEqual(rx[UDP].dport, 4545)
1662 self.assertEqual(rx[UDP].sport, 5454)
1664 pkt = sa.decrypt(rx[IP])
1665 if not pkt.haslayer(IP):
1666 pkt = IP(pkt[Raw].load)
1667 self.assert_packet_checksums_valid(pkt)
1668 self.assert_equal(pkt[IP].dst, self.pg0.remote_ip4)
1669 self.assert_equal(pkt[IP].src, self.pg0.local_ip4)
1670 self.assertTrue(pkt.haslayer(GRE))
1672 self.assertEqual(e[Ether].dst, self.omac)
1673 self.assertEqual(e[IP].dst, "1.1.1.2")
1674 except (IndexError, AssertionError):
1675 self.logger.debug(ppp("Unexpected packet:", rx))
1677 self.logger.debug(ppp("Decrypted packet:", pkt))
1683 super(TestIpsecGreTebUdpIfEspTra, self).setUp()
1685 self.tun_if = self.pg0
1687 p = self.ipv4_params
1688 p = self.ipv4_params
1689 p.flags = VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_UDP_ENCAP
1690 p.nat_header = UDP(sport=5454, dport=4545)
1692 bd1 = VppBridgeDomain(self, 1)
1693 bd1.add_vpp_config()
1695 p.tun_sa_out = VppIpsecSA(
1701 p.crypt_algo_vpp_id,
1703 self.vpp_esp_protocol,
1708 p.tun_sa_out.add_vpp_config()
1710 p.tun_sa_in = VppIpsecSA(
1716 p.crypt_algo_vpp_id,
1718 self.vpp_esp_protocol,
1720 p.flags | VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_IS_INBOUND
1725 p.tun_sa_in.add_vpp_config()
1727 p.tun_if = VppGreInterface(
1730 self.pg0.remote_ip4,
1731 type=(VppEnum.vl_api_gre_tunnel_type_t.GRE_API_TUNNEL_TYPE_TEB),
1733 p.tun_if.add_vpp_config()
1735 p.tun_protect = VppIpsecTunProtect(self, p.tun_if, p.tun_sa_out, [p.tun_sa_in])
1737 p.tun_protect.add_vpp_config()
1740 p.tun_if.config_ip4()
1741 config_tra_params(p, self.encryption_type, p.tun_if)
1743 VppBridgeDomainPort(self, bd1, p.tun_if).add_vpp_config()
1744 VppBridgeDomainPort(self, bd1, self.pg1).add_vpp_config()
1746 self.vapi.cli("clear ipsec sa")
1747 self.logger.info(self.vapi.cli("sh ipsec sa 0"))
1750 p = self.ipv4_params
1751 p.tun_if.unconfig_ip4()
1752 super(TestIpsecGreTebUdpIfEspTra, self).tearDown()
1755 class TestIpsecGreIfEsp(TemplateIpsec, IpsecTun4Tests):
1756 """Ipsec GRE ESP - TUN tests"""
1758 tun4_encrypt_node_name = "esp4-encrypt-tun"
1759 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
1760 encryption_type = ESP
1762 def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100):
1764 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
1766 IP(src=self.pg0.remote_ip4, dst=self.pg0.local_ip4)
1768 / IP(src=self.pg1.local_ip4, dst=self.pg1.remote_ip4)
1769 / UDP(sport=1144, dport=2233)
1770 / Raw(b"X" * payload_size)
1772 for i in range(count)
1775 def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=100):
1777 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
1778 / IP(src="1.1.1.1", dst="1.1.1.2")
1779 / UDP(sport=1144, dport=2233)
1780 / Raw(b"X" * payload_size)
1781 for i in range(count)
1784 def verify_decrypted(self, p, rxs):
1786 self.assert_equal(rx[Ether].dst, self.pg1.remote_mac)
1787 self.assert_equal(rx[IP].dst, self.pg1.remote_ip4)
1789 def verify_encrypted(self, p, sa, rxs):
1792 pkt = sa.decrypt(rx[IP])
1793 if not pkt.haslayer(IP):
1794 pkt = IP(pkt[Raw].load)
1795 self.assert_packet_checksums_valid(pkt)
1796 self.assert_equal(pkt[IP].dst, self.pg0.remote_ip4)
1797 self.assert_equal(pkt[IP].src, self.pg0.local_ip4)
1798 self.assertTrue(pkt.haslayer(GRE))
1800 self.assertEqual(e[IP].dst, "1.1.1.2")
1801 except (IndexError, AssertionError):
1802 self.logger.debug(ppp("Unexpected packet:", rx))
1804 self.logger.debug(ppp("Decrypted packet:", pkt))
1810 super(TestIpsecGreIfEsp, self).setUp()
1812 self.tun_if = self.pg0
1814 p = self.ipv4_params
1816 bd1 = VppBridgeDomain(self, 1)
1817 bd1.add_vpp_config()
1819 p.tun_sa_out = VppIpsecSA(
1825 p.crypt_algo_vpp_id,
1827 self.vpp_esp_protocol,
1829 self.pg0.remote_ip4,
1831 p.tun_sa_out.add_vpp_config()
1833 p.tun_sa_in = VppIpsecSA(
1839 p.crypt_algo_vpp_id,
1841 self.vpp_esp_protocol,
1842 self.pg0.remote_ip4,
1845 p.tun_sa_in.add_vpp_config()
1847 p.tun_if = VppGreInterface(self, self.pg0.local_ip4, self.pg0.remote_ip4)
1848 p.tun_if.add_vpp_config()
1850 p.tun_protect = VppIpsecTunProtect(self, p.tun_if, p.tun_sa_out, [p.tun_sa_in])
1851 p.tun_protect.add_vpp_config()
1854 p.tun_if.config_ip4()
1855 config_tun_params(p, self.encryption_type, p.tun_if)
1858 self, "1.1.1.2", 32, [VppRoutePath(p.tun_if.remote_ip4, 0xFFFFFFFF)]
1862 p = self.ipv4_params
1863 p.tun_if.unconfig_ip4()
1864 super(TestIpsecGreIfEsp, self).tearDown()
1867 class TestIpsecGreIfEspTra(TemplateIpsec, IpsecTun4Tests):
1868 """Ipsec GRE ESP - TRA tests"""
1870 tun4_encrypt_node_name = "esp4-encrypt-tun"
1871 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
1872 encryption_type = ESP
1874 def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100):
1876 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
1878 IP(src=self.pg0.remote_ip4, dst=self.pg0.local_ip4)
1880 / IP(src=self.pg1.local_ip4, dst=self.pg1.remote_ip4)
1881 / UDP(sport=1144, dport=2233)
1882 / Raw(b"X" * payload_size)
1884 for i in range(count)
1887 def gen_encrypt_non_ip_pkts(self, sa, sw_intf, src, dst, count=1, payload_size=100):
1889 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
1891 IP(src=self.pg0.remote_ip4, dst=self.pg0.local_ip4)
1893 / UDP(sport=1144, dport=2233)
1894 / Raw(b"X" * payload_size)
1896 for i in range(count)
1899 def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=100):
1901 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
1902 / IP(src="1.1.1.1", dst="1.1.1.2")
1903 / UDP(sport=1144, dport=2233)
1904 / Raw(b"X" * payload_size)
1905 for i in range(count)
1908 def verify_decrypted(self, p, rxs):
1910 self.assert_equal(rx[Ether].dst, self.pg1.remote_mac)
1911 self.assert_equal(rx[IP].dst, self.pg1.remote_ip4)
1913 def verify_encrypted(self, p, sa, rxs):
1916 pkt = sa.decrypt(rx[IP])
1917 if not pkt.haslayer(IP):
1918 pkt = IP(pkt[Raw].load)
1919 self.assert_packet_checksums_valid(pkt)
1920 self.assertTrue(pkt.haslayer(GRE))
1922 self.assertEqual(e[IP].dst, "1.1.1.2")
1923 except (IndexError, AssertionError):
1924 self.logger.debug(ppp("Unexpected packet:", rx))
1926 self.logger.debug(ppp("Decrypted packet:", pkt))
1932 super(TestIpsecGreIfEspTra, self).setUp()
1934 self.tun_if = self.pg0
1936 p = self.ipv4_params
1938 p.tun_sa_out = VppIpsecSA(
1944 p.crypt_algo_vpp_id,
1946 self.vpp_esp_protocol,
1948 p.tun_sa_out.add_vpp_config()
1950 p.tun_sa_in = VppIpsecSA(
1956 p.crypt_algo_vpp_id,
1958 self.vpp_esp_protocol,
1960 p.tun_sa_in.add_vpp_config()
1962 p.tun_if = VppGreInterface(self, self.pg0.local_ip4, self.pg0.remote_ip4)
1963 p.tun_if.add_vpp_config()
1965 p.tun_protect = VppIpsecTunProtect(self, p.tun_if, p.tun_sa_out, [p.tun_sa_in])
1966 p.tun_protect.add_vpp_config()
1969 p.tun_if.config_ip4()
1970 config_tra_params(p, self.encryption_type, p.tun_if)
1973 self, "1.1.1.2", 32, [VppRoutePath(p.tun_if.remote_ip4, 0xFFFFFFFF)]
1977 p = self.ipv4_params
1978 p.tun_if.unconfig_ip4()
1979 super(TestIpsecGreIfEspTra, self).tearDown()
1981 def test_gre_non_ip(self):
1982 p = self.ipv4_params
1983 tx = self.gen_encrypt_non_ip_pkts(
1986 src=p.remote_tun_if_host,
1987 dst=self.pg1.remote_ip6,
1989 self.send_and_assert_no_replies(self.tun_if, tx)
1990 node_name = "/err/%s/unsup_payload" % self.tun4_decrypt_node_name[0]
1991 self.assertEqual(1, self.statistics.get_err_counter(node_name))
1992 err = p.tun_sa_in.get_err("unsup_payload")
1993 self.assertEqual(err, 1)
1996 class TestIpsecGre6IfEspTra(TemplateIpsec, IpsecTun6Tests):
1997 """Ipsec GRE ESP - TRA tests"""
1999 tun6_encrypt_node_name = "esp6-encrypt-tun"
2000 tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"]
2001 encryption_type = ESP
2003 def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1, payload_size=100):
2005 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
2007 IPv6(src=self.pg0.remote_ip6, dst=self.pg0.local_ip6)
2009 / IPv6(src=self.pg1.local_ip6, dst=self.pg1.remote_ip6)
2010 / UDP(sport=1144, dport=2233)
2011 / Raw(b"X" * payload_size)
2013 for i in range(count)
2016 def gen_pkts6(self, p, sw_intf, src, dst, count=1, payload_size=100):
2018 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
2019 / IPv6(src="1::1", dst="1::2")
2020 / UDP(sport=1144, dport=2233)
2021 / Raw(b"X" * payload_size)
2022 for i in range(count)
2025 def verify_decrypted6(self, p, rxs):
2027 self.assert_equal(rx[Ether].dst, self.pg1.remote_mac)
2028 self.assert_equal(rx[IPv6].dst, self.pg1.remote_ip6)
2030 def verify_encrypted6(self, p, sa, rxs):
2033 pkt = sa.decrypt(rx[IPv6])
2034 if not pkt.haslayer(IPv6):
2035 pkt = IPv6(pkt[Raw].load)
2036 self.assert_packet_checksums_valid(pkt)
2037 self.assertTrue(pkt.haslayer(GRE))
2039 self.assertEqual(e[IPv6].dst, "1::2")
2040 except (IndexError, AssertionError):
2041 self.logger.debug(ppp("Unexpected packet:", rx))
2043 self.logger.debug(ppp("Decrypted packet:", pkt))
2049 super(TestIpsecGre6IfEspTra, self).setUp()
2051 self.tun_if = self.pg0
2053 p = self.ipv6_params
2055 bd1 = VppBridgeDomain(self, 1)
2056 bd1.add_vpp_config()
2058 p.tun_sa_out = VppIpsecSA(
2064 p.crypt_algo_vpp_id,
2066 self.vpp_esp_protocol,
2068 p.tun_sa_out.add_vpp_config()
2070 p.tun_sa_in = VppIpsecSA(
2076 p.crypt_algo_vpp_id,
2078 self.vpp_esp_protocol,
2080 p.tun_sa_in.add_vpp_config()
2082 p.tun_if = VppGreInterface(self, self.pg0.local_ip6, self.pg0.remote_ip6)
2083 p.tun_if.add_vpp_config()
2085 p.tun_protect = VppIpsecTunProtect(self, p.tun_if, p.tun_sa_out, [p.tun_sa_in])
2086 p.tun_protect.add_vpp_config()
2089 p.tun_if.config_ip6()
2090 config_tra_params(p, self.encryption_type, p.tun_if)
2098 p.tun_if.remote_ip6, 0xFFFFFFFF, proto=DpoProto.DPO_PROTO_IP6
2105 p = self.ipv6_params
2106 p.tun_if.unconfig_ip6()
2107 super(TestIpsecGre6IfEspTra, self).tearDown()
2110 class TestIpsecMGreIfEspTra4(TemplateIpsec, IpsecTun4):
2111 """Ipsec mGRE ESP v4 TRA tests"""
2113 tun4_encrypt_node_name = "esp4-encrypt-tun"
2114 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
2115 encryption_type = ESP
2117 def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100):
2119 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
2121 IP(src=p.tun_dst, dst=self.pg0.local_ip4)
2123 / IP(src=self.pg1.local_ip4, dst=self.pg1.remote_ip4)
2124 / UDP(sport=1144, dport=2233)
2125 / Raw(b"X" * payload_size)
2127 for i in range(count)
2130 def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=100):
2132 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
2133 / IP(src="1.1.1.1", dst=dst)
2134 / UDP(sport=1144, dport=2233)
2135 / Raw(b"X" * payload_size)
2136 for i in range(count)
2139 def verify_decrypted(self, p, rxs):
2141 self.assert_equal(rx[Ether].dst, self.pg1.remote_mac)
2142 self.assert_equal(rx[IP].dst, self.pg1.remote_ip4)
2144 def verify_encrypted(self, p, sa, rxs):
2147 pkt = sa.decrypt(rx[IP])
2148 if not pkt.haslayer(IP):
2149 pkt = IP(pkt[Raw].load)
2150 self.assert_packet_checksums_valid(pkt)
2151 self.assertTrue(pkt.haslayer(GRE))
2153 self.assertEqual(e[IP].dst, p.remote_tun_if_host)
2154 except (IndexError, AssertionError):
2155 self.logger.debug(ppp("Unexpected packet:", rx))
2157 self.logger.debug(ppp("Decrypted packet:", pkt))
2163 super(TestIpsecMGreIfEspTra4, self).setUp()
2166 self.tun_if = self.pg0
2167 p = self.ipv4_params
2168 p.tun_if = VppGreInterface(
2172 mode=(VppEnum.vl_api_tunnel_mode_t.TUNNEL_API_MODE_MP),
2174 p.tun_if.add_vpp_config()
2176 p.tun_if.config_ip4()
2177 p.tun_if.generate_remote_hosts(N_NHS)
2178 self.pg0.generate_remote_hosts(N_NHS)
2179 self.pg0.configure_ipv4_neighbors()
2181 # setup some SAs for several next-hops on the interface
2182 self.multi_params = []
2184 for ii in range(N_NHS):
2185 p = copy.copy(self.ipv4_params)
2187 p.remote_tun_if_host = "1.1.1.%d" % (ii + 1)
2188 p.scapy_tun_sa_id = p.scapy_tun_sa_id + ii
2189 p.scapy_tun_spi = p.scapy_tun_spi + ii
2190 p.vpp_tun_sa_id = p.vpp_tun_sa_id + ii
2191 p.vpp_tun_spi = p.vpp_tun_spi + ii
2193 p.scapy_tra_sa_id = p.scapy_tra_sa_id + ii
2194 p.scapy_tra_spi = p.scapy_tra_spi + ii
2195 p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii
2196 p.vpp_tra_spi = p.vpp_tra_spi + ii
2197 p.tun_sa_out = VppIpsecSA(
2203 p.crypt_algo_vpp_id,
2205 self.vpp_esp_protocol,
2207 p.tun_sa_out.add_vpp_config()
2209 p.tun_sa_in = VppIpsecSA(
2215 p.crypt_algo_vpp_id,
2217 self.vpp_esp_protocol,
2219 p.tun_sa_in.add_vpp_config()
2221 p.tun_protect = VppIpsecTunProtect(
2226 nh=p.tun_if.remote_hosts[ii].ip4,
2228 p.tun_protect.add_vpp_config()
2229 config_tra_params(p, self.encryption_type, p.tun_if)
2230 self.multi_params.append(p)
2234 p.remote_tun_if_host,
2236 [VppRoutePath(p.tun_if.remote_hosts[ii].ip4, p.tun_if.sw_if_index)],
2239 # in this v4 variant add the teibs after the protect
2243 p.tun_if.remote_hosts[ii].ip4,
2244 self.pg0.remote_hosts[ii].ip4,
2246 p.tun_dst = self.pg0.remote_hosts[ii].ip4
2247 self.logger.info(self.vapi.cli("sh ipsec protect-hash"))
2250 p = self.ipv4_params
2251 p.tun_if.unconfig_ip4()
2252 super(TestIpsecMGreIfEspTra4, self).tearDown()
2254 def test_tun_44(self):
2257 for p in self.multi_params:
2258 self.verify_tun_44(p, count=N_PKTS)
2259 p.teib.remove_vpp_config()
2260 self.verify_tun_dropped_44(p, count=N_PKTS)
2261 p.teib.add_vpp_config()
2262 self.verify_tun_44(p, count=N_PKTS)
2265 class TestIpsecMGreIfEspTra6(TemplateIpsec, IpsecTun6):
2266 """Ipsec mGRE ESP v6 TRA tests"""
2268 tun6_encrypt_node_name = "esp6-encrypt-tun"
2269 tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"]
2270 encryption_type = ESP
2272 def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1, payload_size=100):
2274 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
2276 IPv6(src=p.tun_dst, dst=self.pg0.local_ip6)
2278 / IPv6(src=self.pg1.local_ip6, dst=self.pg1.remote_ip6)
2279 / UDP(sport=1144, dport=2233)
2280 / Raw(b"X" * payload_size)
2282 for i in range(count)
2285 def gen_pkts6(self, p, sw_intf, src, dst, count=1, payload_size=100):
2287 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
2288 / IPv6(src="1::1", dst=dst)
2289 / UDP(sport=1144, dport=2233)
2290 / Raw(b"X" * payload_size)
2291 for i in range(count)
2294 def verify_decrypted6(self, p, rxs):
2296 self.assert_equal(rx[Ether].dst, self.pg1.remote_mac)
2297 self.assert_equal(rx[IPv6].dst, self.pg1.remote_ip6)
2299 def verify_encrypted6(self, p, sa, rxs):
2302 pkt = sa.decrypt(rx[IPv6])
2303 if not pkt.haslayer(IPv6):
2304 pkt = IPv6(pkt[Raw].load)
2305 self.assert_packet_checksums_valid(pkt)
2306 self.assertTrue(pkt.haslayer(GRE))
2308 self.assertEqual(e[IPv6].dst, p.remote_tun_if_host)
2309 except (IndexError, AssertionError):
2310 self.logger.debug(ppp("Unexpected packet:", rx))
2312 self.logger.debug(ppp("Decrypted packet:", pkt))
2318 super(TestIpsecMGreIfEspTra6, self).setUp()
2320 self.vapi.cli("set logging class ipsec level debug")
2323 self.tun_if = self.pg0
2324 p = self.ipv6_params
2325 p.tun_if = VppGreInterface(
2329 mode=(VppEnum.vl_api_tunnel_mode_t.TUNNEL_API_MODE_MP),
2331 p.tun_if.add_vpp_config()
2333 p.tun_if.config_ip6()
2334 p.tun_if.generate_remote_hosts(N_NHS)
2335 self.pg0.generate_remote_hosts(N_NHS)
2336 self.pg0.configure_ipv6_neighbors()
2338 # setup some SAs for several next-hops on the interface
2339 self.multi_params = []
2341 for ii in range(N_NHS):
2342 p = copy.copy(self.ipv6_params)
2344 p.remote_tun_if_host = "1::%d" % (ii + 1)
2345 p.scapy_tun_sa_id = p.scapy_tun_sa_id + ii
2346 p.scapy_tun_spi = p.scapy_tun_spi + ii
2347 p.vpp_tun_sa_id = p.vpp_tun_sa_id + ii
2348 p.vpp_tun_spi = p.vpp_tun_spi + ii
2350 p.scapy_tra_sa_id = p.scapy_tra_sa_id + ii
2351 p.scapy_tra_spi = p.scapy_tra_spi + ii
2352 p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii
2353 p.vpp_tra_spi = p.vpp_tra_spi + ii
2354 p.tun_sa_out = VppIpsecSA(
2360 p.crypt_algo_vpp_id,
2362 self.vpp_esp_protocol,
2364 p.tun_sa_out.add_vpp_config()
2366 p.tun_sa_in = VppIpsecSA(
2372 p.crypt_algo_vpp_id,
2374 self.vpp_esp_protocol,
2376 p.tun_sa_in.add_vpp_config()
2378 # in this v6 variant add the teibs first then the protection
2379 p.tun_dst = self.pg0.remote_hosts[ii].ip6
2381 self, p.tun_if, p.tun_if.remote_hosts[ii].ip6, p.tun_dst
2384 p.tun_protect = VppIpsecTunProtect(
2389 nh=p.tun_if.remote_hosts[ii].ip6,
2391 p.tun_protect.add_vpp_config()
2392 config_tra_params(p, self.encryption_type, p.tun_if)
2393 self.multi_params.append(p)
2397 p.remote_tun_if_host,
2399 [VppRoutePath(p.tun_if.remote_hosts[ii].ip6, p.tun_if.sw_if_index)],
2401 p.tun_dst = self.pg0.remote_hosts[ii].ip6
2403 self.logger.info(self.vapi.cli("sh log"))
2404 self.logger.info(self.vapi.cli("sh ipsec protect-hash"))
2405 self.logger.info(self.vapi.cli("sh adj 41"))
2408 p = self.ipv6_params
2409 p.tun_if.unconfig_ip6()
2410 super(TestIpsecMGreIfEspTra6, self).tearDown()
2412 def test_tun_66(self):
2414 for p in self.multi_params:
2415 self.verify_tun_66(p, count=63)
2418 @tag_fixme_vpp_workers
2419 class TestIpsec4TunProtect(TemplateIpsec, TemplateIpsec4TunProtect, IpsecTun4):
2420 """IPsec IPv4 Tunnel protect - transport mode"""
2423 super(TestIpsec4TunProtect, self).setUp()
2425 self.tun_if = self.pg0
2428 super(TestIpsec4TunProtect, self).tearDown()
2430 def test_tun_44(self):
2431 """IPSEC tunnel protect"""
2433 p = self.ipv4_params
2435 self.config_network(p)
2436 self.config_sa_tra(p)
2437 self.config_protect(p)
2439 self.verify_tun_44(p, count=127)
2440 self.assertEqual(p.tun_if.get_rx_stats(), 127)
2441 self.assertEqual(p.tun_if.get_tx_stats(), 127)
2443 self.vapi.cli("clear ipsec sa")
2444 self.verify_tun_64(p, count=127)
2445 self.assertEqual(p.tun_if.get_rx_stats(), 254)
2446 self.assertEqual(p.tun_if.get_tx_stats(), 254)
2448 # rekey - create new SAs and update the tunnel protection
2450 np.crypt_key = b"X" + p.crypt_key[1:]
2451 np.scapy_tun_spi += 100
2452 np.scapy_tun_sa_id += 1
2453 np.vpp_tun_spi += 100
2454 np.vpp_tun_sa_id += 1
2455 np.tun_if.local_spi = p.vpp_tun_spi
2456 np.tun_if.remote_spi = p.scapy_tun_spi
2458 self.config_sa_tra(np)
2459 self.config_protect(np)
2462 self.verify_tun_44(np, count=127)
2463 self.assertEqual(p.tun_if.get_rx_stats(), 381)
2464 self.assertEqual(p.tun_if.get_tx_stats(), 381)
2467 self.unconfig_protect(np)
2468 self.unconfig_sa(np)
2469 self.unconfig_network(p)
2472 @tag_fixme_vpp_workers
2473 class TestIpsec4TunProtectUdp(TemplateIpsec, TemplateIpsec4TunProtect, IpsecTun4):
2474 """IPsec IPv4 Tunnel protect - transport mode"""
2477 super(TestIpsec4TunProtectUdp, self).setUp()
2479 self.tun_if = self.pg0
2481 p = self.ipv4_params
2482 p.flags = VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_UDP_ENCAP
2483 p.nat_header = UDP(sport=4500, dport=4500)
2484 self.config_network(p)
2485 self.config_sa_tra(p)
2486 self.config_protect(p)
2489 p = self.ipv4_params
2490 self.unconfig_protect(p)
2492 self.unconfig_network(p)
2493 super(TestIpsec4TunProtectUdp, self).tearDown()
2495 def verify_encrypted(self, p, sa, rxs):
2496 # ensure encrypted packets are recieved with the default UDP ports
2498 self.assertEqual(rx[UDP].sport, 4500)
2499 self.assertEqual(rx[UDP].dport, 4500)
2500 super(TestIpsec4TunProtectUdp, self).verify_encrypted(p, sa, rxs)
2502 def test_tun_44(self):
2503 """IPSEC UDP tunnel protect"""
2505 p = self.ipv4_params
2507 self.verify_tun_44(p, count=127)
2508 self.assertEqual(p.tun_if.get_rx_stats(), 127)
2509 self.assertEqual(p.tun_if.get_tx_stats(), 127)
2511 def test_keepalive(self):
2512 """IPSEC NAT Keepalive"""
2513 self.verify_keepalive(self.ipv4_params)
2516 @tag_fixme_vpp_workers
2517 class TestIpsec4TunProtectTun(TemplateIpsec, TemplateIpsec4TunProtect, IpsecTun4):
2518 """IPsec IPv4 Tunnel protect - tunnel mode"""
2520 encryption_type = ESP
2521 tun4_encrypt_node_name = "esp4-encrypt-tun"
2522 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
2525 super(TestIpsec4TunProtectTun, self).setUp()
2527 self.tun_if = self.pg0
2530 super(TestIpsec4TunProtectTun, self).tearDown()
2532 def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100):
2534 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
2536 IP(src=sw_intf.remote_ip4, dst=sw_intf.local_ip4)
2537 / IP(src=src, dst=dst)
2538 / UDP(sport=1144, dport=2233)
2539 / Raw(b"X" * payload_size)
2541 for i in range(count)
2544 def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=100):
2546 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
2547 / IP(src=src, dst=dst)
2548 / UDP(sport=1144, dport=2233)
2549 / Raw(b"X" * payload_size)
2550 for i in range(count)
2553 def verify_decrypted(self, p, rxs):
2555 self.assert_equal(rx[IP].dst, self.pg1.remote_ip4)
2556 self.assert_equal(rx[IP].src, p.remote_tun_if_host)
2557 self.assert_packet_checksums_valid(rx)
2559 def verify_encrypted(self, p, sa, rxs):
2562 pkt = sa.decrypt(rx[IP])
2563 if not pkt.haslayer(IP):
2564 pkt = IP(pkt[Raw].load)
2565 self.assert_packet_checksums_valid(pkt)
2566 self.assert_equal(pkt[IP].dst, self.pg0.remote_ip4)
2567 self.assert_equal(pkt[IP].src, self.pg0.local_ip4)
2568 inner = pkt[IP].payload
2569 self.assertEqual(inner[IP][IP].dst, p.remote_tun_if_host)
2571 except (IndexError, AssertionError):
2572 self.logger.debug(ppp("Unexpected packet:", rx))
2574 self.logger.debug(ppp("Decrypted packet:", pkt))
2579 def test_tun_44(self):
2580 """IPSEC tunnel protect"""
2582 p = self.ipv4_params
2584 self.config_network(p)
2585 self.config_sa_tun(p)
2586 self.config_protect(p)
2588 # also add an output features on the tunnel and physical interface
2589 # so we test they still work
2590 r_all = AclRule(True, src_prefix="0.0.0.0/0", dst_prefix="0.0.0.0/0", proto=0)
2591 a = VppAcl(self, [r_all]).add_vpp_config()
2593 VppAclInterface(self, self.pg0.sw_if_index, [a]).add_vpp_config()
2594 VppAclInterface(self, p.tun_if.sw_if_index, [a]).add_vpp_config()
2596 self.verify_tun_44(p, count=127)
2598 self.assertEqual(p.tun_if.get_rx_stats(), 127)
2599 self.assertEqual(p.tun_if.get_tx_stats(), 127)
2601 # rekey - create new SAs and update the tunnel protection
2603 np.crypt_key = b"X" + p.crypt_key[1:]
2604 np.scapy_tun_spi += 100
2605 np.scapy_tun_sa_id += 1
2606 np.vpp_tun_spi += 100
2607 np.vpp_tun_sa_id += 1
2608 np.tun_if.local_spi = p.vpp_tun_spi
2609 np.tun_if.remote_spi = p.scapy_tun_spi
2611 self.config_sa_tun(np)
2612 self.config_protect(np)
2615 self.verify_tun_44(np, count=127)
2616 self.assertEqual(p.tun_if.get_rx_stats(), 254)
2617 self.assertEqual(p.tun_if.get_tx_stats(), 254)
2620 self.unconfig_protect(np)
2621 self.unconfig_sa(np)
2622 self.unconfig_network(p)
2625 class TestIpsec4TunProtectTunDrop(TemplateIpsec, TemplateIpsec4TunProtect, IpsecTun4):
2626 """IPsec IPv4 Tunnel protect - tunnel mode - drop"""
2628 encryption_type = ESP
2629 tun4_encrypt_node_name = "esp4-encrypt-tun"
2630 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
2633 super(TestIpsec4TunProtectTunDrop, self).setUp()
2635 self.tun_if = self.pg0
2638 super(TestIpsec4TunProtectTunDrop, self).tearDown()
2640 def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100):
2642 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
2644 IP(src=sw_intf.remote_ip4, dst="5.5.5.5")
2645 / IP(src=src, dst=dst)
2646 / UDP(sport=1144, dport=2233)
2647 / Raw(b"X" * payload_size)
2649 for i in range(count)
2652 def test_tun_drop_44(self):
2653 """IPSEC tunnel protect bogus tunnel header"""
2655 p = self.ipv4_params
2657 self.config_network(p)
2658 self.config_sa_tun(p)
2659 self.config_protect(p)
2661 tx = self.gen_encrypt_pkts(
2665 src=p.remote_tun_if_host,
2666 dst=self.pg1.remote_ip4,
2669 self.send_and_assert_no_replies(self.tun_if, tx)
2672 self.unconfig_protect(p)
2674 self.unconfig_network(p)
2677 @tag_fixme_vpp_workers
2678 class TestIpsec6TunProtect(TemplateIpsec, TemplateIpsec6TunProtect, IpsecTun6):
2679 """IPsec IPv6 Tunnel protect - transport mode"""
2681 encryption_type = ESP
2682 tun6_encrypt_node_name = "esp6-encrypt-tun"
2683 tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"]
2686 super(TestIpsec6TunProtect, self).setUp()
2688 self.tun_if = self.pg0
2691 super(TestIpsec6TunProtect, self).tearDown()
2693 def test_tun_66(self):
2694 """IPSEC tunnel protect 6o6"""
2696 p = self.ipv6_params
2698 self.config_network(p)
2699 self.config_sa_tra(p)
2700 self.config_protect(p)
2702 self.verify_tun_66(p, count=127)
2703 self.assertEqual(p.tun_if.get_rx_stats(), 127)
2704 self.assertEqual(p.tun_if.get_tx_stats(), 127)
2706 # rekey - create new SAs and update the tunnel protection
2708 np.crypt_key = b"X" + p.crypt_key[1:]
2709 np.scapy_tun_spi += 100
2710 np.scapy_tun_sa_id += 1
2711 np.vpp_tun_spi += 100
2712 np.vpp_tun_sa_id += 1
2713 np.tun_if.local_spi = p.vpp_tun_spi
2714 np.tun_if.remote_spi = p.scapy_tun_spi
2716 self.config_sa_tra(np)
2717 self.config_protect(np)
2720 self.verify_tun_66(np, count=127)
2721 self.assertEqual(p.tun_if.get_rx_stats(), 254)
2722 self.assertEqual(p.tun_if.get_tx_stats(), 254)
2724 # bounce the interface state
2725 p.tun_if.admin_down()
2726 self.verify_drop_tun_66(np, count=127)
2727 node = "/err/ipsec6-tun-input/disabled"
2728 self.assertEqual(127, self.statistics.get_err_counter(node))
2730 self.verify_tun_66(np, count=127)
2733 # 1) add two input SAs [old, new]
2734 # 2) swap output SA to [new]
2735 # 3) use only [new] input SA
2737 np3.crypt_key = b"Z" + p.crypt_key[1:]
2738 np3.scapy_tun_spi += 100
2739 np3.scapy_tun_sa_id += 1
2740 np3.vpp_tun_spi += 100
2741 np3.vpp_tun_sa_id += 1
2742 np3.tun_if.local_spi = p.vpp_tun_spi
2743 np3.tun_if.remote_spi = p.scapy_tun_spi
2745 self.config_sa_tra(np3)
2748 p.tun_protect.update_vpp_config(np.tun_sa_out, [np.tun_sa_in, np3.tun_sa_in])
2749 self.verify_tun_66(np, np, count=127)
2750 self.verify_tun_66(np3, np, count=127)
2753 p.tun_protect.update_vpp_config(np3.tun_sa_out, [np.tun_sa_in, np3.tun_sa_in])
2754 self.verify_tun_66(np, np3, count=127)
2755 self.verify_tun_66(np3, np3, count=127)
2758 p.tun_protect.update_vpp_config(np3.tun_sa_out, [np3.tun_sa_in])
2759 self.verify_tun_66(np3, np3, count=127)
2760 self.verify_drop_tun_rx_66(np, count=127)
2762 self.assertEqual(p.tun_if.get_rx_stats(), 127 * 9)
2763 self.assertEqual(p.tun_if.get_tx_stats(), 127 * 8)
2764 self.unconfig_sa(np)
2767 self.unconfig_protect(np3)
2768 self.unconfig_sa(np3)
2769 self.unconfig_network(p)
2771 def test_tun_46(self):
2772 """IPSEC tunnel protect 4o6"""
2774 p = self.ipv6_params
2776 self.config_network(p)
2777 self.config_sa_tra(p)
2778 self.config_protect(p)
2780 self.verify_tun_46(p, count=127)
2781 self.assertEqual(p.tun_if.get_rx_stats(), 127)
2782 self.assertEqual(p.tun_if.get_tx_stats(), 127)
2785 self.unconfig_protect(p)
2787 self.unconfig_network(p)
2790 @tag_fixme_vpp_workers
2791 class TestIpsec6TunProtectTun(TemplateIpsec, TemplateIpsec6TunProtect, IpsecTun6):
2792 """IPsec IPv6 Tunnel protect - tunnel mode"""
2794 encryption_type = ESP
2795 tun6_encrypt_node_name = "esp6-encrypt-tun"
2796 tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"]
2799 super(TestIpsec6TunProtectTun, self).setUp()
2801 self.tun_if = self.pg0
2804 super(TestIpsec6TunProtectTun, self).tearDown()
2806 def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1, payload_size=100):
2808 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
2810 IPv6(src=sw_intf.remote_ip6, dst=sw_intf.local_ip6)
2811 / IPv6(src=src, dst=dst)
2812 / UDP(sport=1166, dport=2233)
2813 / Raw(b"X" * payload_size)
2815 for i in range(count)
2818 def gen_pkts6(self, p, sw_intf, src, dst, count=1, payload_size=100):
2820 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
2821 / IPv6(src=src, dst=dst)
2822 / UDP(sport=1166, dport=2233)
2823 / Raw(b"X" * payload_size)
2824 for i in range(count)
2827 def verify_decrypted6(self, p, rxs):
2829 self.assert_equal(rx[IPv6].dst, self.pg1.remote_ip6)
2830 self.assert_equal(rx[IPv6].src, p.remote_tun_if_host)
2831 self.assert_packet_checksums_valid(rx)
2833 def verify_encrypted6(self, p, sa, rxs):
2836 pkt = sa.decrypt(rx[IPv6])
2837 if not pkt.haslayer(IPv6):
2838 pkt = IPv6(pkt[Raw].load)
2839 self.assert_packet_checksums_valid(pkt)
2840 self.assert_equal(pkt[IPv6].dst, self.pg0.remote_ip6)
2841 self.assert_equal(pkt[IPv6].src, self.pg0.local_ip6)
2842 inner = pkt[IPv6].payload
2843 self.assertEqual(inner[IPv6][IPv6].dst, p.remote_tun_if_host)
2845 except (IndexError, AssertionError):
2846 self.logger.debug(ppp("Unexpected packet:", rx))
2848 self.logger.debug(ppp("Decrypted packet:", pkt))
2853 def test_tun_66(self):
2854 """IPSEC tunnel protect"""
2856 p = self.ipv6_params
2858 self.config_network(p)
2859 self.config_sa_tun(p)
2860 self.config_protect(p)
2862 self.verify_tun_66(p, count=127)
2864 self.assertEqual(p.tun_if.get_rx_stats(), 127)
2865 self.assertEqual(p.tun_if.get_tx_stats(), 127)
2867 # rekey - create new SAs and update the tunnel protection
2869 np.crypt_key = b"X" + p.crypt_key[1:]
2870 np.scapy_tun_spi += 100
2871 np.scapy_tun_sa_id += 1
2872 np.vpp_tun_spi += 100
2873 np.vpp_tun_sa_id += 1
2874 np.tun_if.local_spi = p.vpp_tun_spi
2875 np.tun_if.remote_spi = p.scapy_tun_spi
2877 self.config_sa_tun(np)
2878 self.config_protect(np)
2881 self.verify_tun_66(np, count=127)
2882 self.assertEqual(p.tun_if.get_rx_stats(), 254)
2883 self.assertEqual(p.tun_if.get_tx_stats(), 254)
2886 self.unconfig_protect(np)
2887 self.unconfig_sa(np)
2888 self.unconfig_network(p)
2891 class TestIpsec6TunProtectTunDrop(TemplateIpsec, TemplateIpsec6TunProtect, IpsecTun6):
2892 """IPsec IPv6 Tunnel protect - tunnel mode - drop"""
2894 encryption_type = ESP
2895 tun6_encrypt_node_name = "esp6-encrypt-tun"
2896 tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"]
2899 super(TestIpsec6TunProtectTunDrop, self).setUp()
2901 self.tun_if = self.pg0
2904 super(TestIpsec6TunProtectTunDrop, self).tearDown()
2906 def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1, payload_size=100):
2907 # the IP destination of the revelaed packet does not match
2908 # that assigned to the tunnel
2910 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
2912 IPv6(src=sw_intf.remote_ip6, dst="5::5")
2913 / IPv6(src=src, dst=dst)
2914 / UDP(sport=1144, dport=2233)
2915 / Raw(b"X" * payload_size)
2917 for i in range(count)
2920 def test_tun_drop_66(self):
2921 """IPSEC 6 tunnel protect bogus tunnel header"""
2923 p = self.ipv6_params
2925 self.config_network(p)
2926 self.config_sa_tun(p)
2927 self.config_protect(p)
2929 tx = self.gen_encrypt_pkts6(
2933 src=p.remote_tun_if_host,
2934 dst=self.pg1.remote_ip6,
2937 self.send_and_assert_no_replies(self.tun_if, tx)
2939 self.unconfig_protect(p)
2941 self.unconfig_network(p)
2944 class TemplateIpsecItf4(object):
2945 """IPsec Interface IPv4"""
2947 encryption_type = ESP
2948 tun4_encrypt_node_name = "esp4-encrypt-tun"
2949 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
2950 tun4_input_node = "ipsec4-tun-input"
2952 def config_sa_tun(self, p, src, dst):
2953 config_tun_params(p, self.encryption_type, None, src, dst)
2955 p.tun_sa_out = VppIpsecSA(
2961 p.crypt_algo_vpp_id,
2963 self.vpp_esp_protocol,
2968 p.tun_sa_out.add_vpp_config()
2970 p.tun_sa_in = VppIpsecSA(
2976 p.crypt_algo_vpp_id,
2978 self.vpp_esp_protocol,
2982 | VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_IS_INBOUND,
2984 p.tun_sa_in.add_vpp_config()
2986 def config_protect(self, p):
2987 p.tun_protect = VppIpsecTunProtect(self, p.tun_if, p.tun_sa_out, [p.tun_sa_in])
2988 p.tun_protect.add_vpp_config()
2990 def config_network(self, p, instance=0xFFFFFFFF):
2991 p.tun_if = VppIpsecInterface(self, instance=instance)
2993 p.tun_if.add_vpp_config()
2995 p.tun_if.config_ip4()
2996 p.tun_if.config_ip6()
2998 p.route = VppIpRoute(
3000 p.remote_tun_if_host,
3002 [VppRoutePath(p.tun_if.remote_ip4, 0xFFFFFFFF)],
3004 p.route.add_vpp_config()
3007 p.remote_tun_if_host6,
3011 p.tun_if.remote_ip6, 0xFFFFFFFF, proto=DpoProto.DPO_PROTO_IP6
3017 def unconfig_network(self, p):
3018 p.route.remove_vpp_config()
3019 p.tun_if.remove_vpp_config()
3021 def unconfig_protect(self, p):
3022 p.tun_protect.remove_vpp_config()
3024 def unconfig_sa(self, p):
3025 p.tun_sa_out.remove_vpp_config()
3026 p.tun_sa_in.remove_vpp_config()
3029 @tag_fixme_vpp_workers
3030 class TestIpsecItf4(TemplateIpsec, TemplateIpsecItf4, IpsecTun4):
3031 """IPsec Interface IPv4"""
3034 super(TestIpsecItf4, self).setUp()
3036 self.tun_if = self.pg0
3039 super(TestIpsecItf4, self).tearDown()
3041 def test_tun_instance_44(self):
3042 p = self.ipv4_params
3043 self.config_network(p, instance=3)
3045 with self.assertRaises(CliFailedCommandError):
3046 self.vapi.cli("show interface ipsec0")
3048 output = self.vapi.cli("show interface ipsec3")
3049 self.assertTrue("unknown" not in output)
3051 self.unconfig_network(p)
3053 def test_tun_44(self):
3054 """IPSEC interface IPv4"""
3057 p = self.ipv4_params
3059 self.config_network(p)
3061 p, self.encryption_type, None, self.pg0.local_ip4, self.pg0.remote_ip4
3063 self.verify_tun_dropped_44(p, count=n_pkts)
3064 self.config_sa_tun(p, self.pg0.local_ip4, self.pg0.remote_ip4)
3065 self.config_protect(p)
3067 self.verify_tun_44(p, count=n_pkts)
3068 self.assertEqual(p.tun_if.get_rx_stats(), n_pkts)
3069 self.assertEqual(p.tun_if.get_tx_stats(), n_pkts)
3071 p.tun_if.admin_down()
3072 self.verify_tun_dropped_44(p, count=n_pkts)
3074 self.verify_tun_44(p, count=n_pkts)
3076 self.assertEqual(p.tun_if.get_rx_stats(), 3 * n_pkts)
3077 self.assertEqual(p.tun_if.get_tx_stats(), 2 * n_pkts)
3079 # it's a v6 packet when its encrypted
3080 self.tun4_encrypt_node_name = "esp6-encrypt-tun"
3082 self.verify_tun_64(p, count=n_pkts)
3083 self.assertEqual(p.tun_if.get_rx_stats(), 4 * n_pkts)
3084 self.assertEqual(p.tun_if.get_tx_stats(), 3 * n_pkts)
3086 self.tun4_encrypt_node_name = "esp4-encrypt-tun"
3088 # update the SA tunnel
3090 p, self.encryption_type, None, self.pg2.local_ip4, self.pg2.remote_ip4
3092 p.tun_sa_in.update_vpp_config(
3093 is_tun=True, tun_src=self.pg2.remote_ip4, tun_dst=self.pg2.local_ip4
3095 p.tun_sa_out.update_vpp_config(
3096 is_tun=True, tun_src=self.pg2.local_ip4, tun_dst=self.pg2.remote_ip4
3098 self.verify_tun_44(p, count=n_pkts)
3099 self.assertEqual(p.tun_if.get_rx_stats(), 5 * n_pkts)
3100 self.assertEqual(p.tun_if.get_tx_stats(), 4 * n_pkts)
3102 self.vapi.cli("clear interfaces")
3104 # rekey - create new SAs and update the tunnel protection
3106 np.crypt_key = b"X" + p.crypt_key[1:]
3107 np.scapy_tun_spi += 100
3108 np.scapy_tun_sa_id += 1
3109 np.vpp_tun_spi += 100
3110 np.vpp_tun_sa_id += 1
3111 np.tun_if.local_spi = p.vpp_tun_spi
3112 np.tun_if.remote_spi = p.scapy_tun_spi
3114 self.config_sa_tun(np, self.pg0.local_ip4, self.pg0.remote_ip4)
3115 self.config_protect(np)
3118 self.verify_tun_44(np, count=n_pkts)
3119 self.assertEqual(p.tun_if.get_rx_stats(), n_pkts)
3120 self.assertEqual(p.tun_if.get_tx_stats(), n_pkts)
3123 self.unconfig_protect(np)
3124 self.unconfig_sa(np)
3125 self.unconfig_network(p)
3127 def test_tun_44_null(self):
3128 """IPSEC interface IPv4 NULL auth/crypto"""
3131 p = copy.copy(self.ipv4_params)
3133 p.auth_algo_vpp_id = VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_NONE
3134 p.crypt_algo_vpp_id = (
3135 VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_NONE
3137 p.crypt_algo = "NULL"
3138 p.auth_algo = "NULL"
3140 self.config_network(p)
3141 self.config_sa_tun(p, self.pg0.local_ip4, self.pg0.remote_ip4)
3142 self.config_protect(p)
3144 self.logger.info(self.vapi.cli("sh ipsec sa"))
3145 self.verify_tun_44(p, count=n_pkts)
3148 self.unconfig_protect(p)
3150 self.unconfig_network(p)
3152 def test_tun_44_police(self):
3153 """IPSEC interface IPv4 with input policer"""
3155 p = self.ipv4_params
3157 self.config_network(p)
3158 self.config_sa_tun(p, self.pg0.local_ip4, self.pg0.remote_ip4)
3159 self.config_protect(p)
3161 action_tx = PolicerAction(
3162 VppEnum.vl_api_sse2_qos_action_type_t.SSE2_QOS_ACTION_API_TRANSMIT, 0
3164 policer = VppPolicer(
3171 conform_action=action_tx,
3172 exceed_action=action_tx,
3173 violate_action=action_tx,
3175 policer.add_vpp_config()
3177 # Start policing on tun
3178 policer.apply_vpp_config(p.tun_if.sw_if_index, Dir.RX, True)
3180 self.verify_tun_44(p, count=n_pkts)
3181 self.assertEqual(p.tun_if.get_rx_stats(), n_pkts)
3182 self.assertEqual(p.tun_if.get_tx_stats(), n_pkts)
3184 stats = policer.get_stats()
3186 # Single rate, 2 colour policer - expect conform, violate but no exceed
3187 self.assertGreater(stats["conform_packets"], 0)
3188 self.assertEqual(stats["exceed_packets"], 0)
3189 self.assertGreater(stats["violate_packets"], 0)
3191 # Stop policing on tun
3192 policer.apply_vpp_config(p.tun_if.sw_if_index, Dir.RX, False)
3193 self.verify_tun_44(p, count=n_pkts)
3195 # No new policer stats
3196 statsnew = policer.get_stats()
3197 self.assertEqual(stats, statsnew)
3200 policer.remove_vpp_config()
3201 self.unconfig_protect(p)
3203 self.unconfig_network(p)
3206 class TestIpsecItf4MPLS(TemplateIpsec, TemplateIpsecItf4, IpsecTun4):
3207 """IPsec Interface MPLSoIPv4"""
3209 tun4_encrypt_node_name = "esp-mpls-encrypt-tun"
3212 super(TestIpsecItf4MPLS, self).setUp()
3214 self.tun_if = self.pg0
3217 super(TestIpsecItf4MPLS, self).tearDown()
3219 def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100):
3221 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
3223 MPLS(label=44, ttl=3)
3224 / IP(src=src, dst=dst)
3225 / UDP(sport=1166, dport=2233)
3226 / Raw(b"X" * payload_size)
3228 for i in range(count)
3231 def verify_encrypted(self, p, sa, rxs):
3234 pkt = sa.decrypt(rx[IP])
3235 if not pkt.haslayer(IP):
3236 pkt = IP(pkt[Raw].load)
3237 self.assert_packet_checksums_valid(pkt)
3238 self.assert_equal(pkt[MPLS].label, 44)
3239 self.assert_equal(pkt[IP].dst, p.remote_tun_if_host)
3240 except (IndexError, AssertionError):
3241 self.logger.debug(ppp("Unexpected packet:", rx))
3243 self.logger.debug(ppp("Decrypted packet:", pkt))
3248 def test_tun_mpls_o_ip4(self):
3249 """IPSEC interface MPLS over IPv4"""
3252 p = self.ipv4_params
3255 tbl = VppMplsTable(self, 0)
3256 tbl.add_vpp_config()
3258 self.config_network(p)
3259 # deag MPLS routes from the tunnel
3261 self, 44, 1, [VppRoutePath(self.pg1.remote_ip4, self.pg1.sw_if_index)]
3266 p.tun_if.remote_ip4, p.tun_if.sw_if_index, labels=[VppMplsLabel(44)]
3270 p.tun_if.enable_mpls()
3272 self.config_sa_tun(p, self.pg0.local_ip4, self.pg0.remote_ip4)
3273 self.config_protect(p)
3275 self.verify_tun_44(p, count=n_pkts)
3278 p.tun_if.disable_mpls()
3279 self.unconfig_protect(p)
3281 self.unconfig_network(p)
3284 class TemplateIpsecItf6(object):
3285 """IPsec Interface IPv6"""
3287 encryption_type = ESP
3288 tun6_encrypt_node_name = "esp6-encrypt-tun"
3289 tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"]
3290 tun6_input_node = "ipsec6-tun-input"
3292 def config_sa_tun(self, p, src, dst):
3293 config_tun_params(p, self.encryption_type, None, src, dst)
3295 if not hasattr(p, "tun_flags"):
3297 if not hasattr(p, "hop_limit"):
3300 p.tun_sa_out = VppIpsecSA(
3306 p.crypt_algo_vpp_id,
3308 self.vpp_esp_protocol,
3312 tun_flags=p.tun_flags,
3313 hop_limit=p.hop_limit,
3315 p.tun_sa_out.add_vpp_config()
3317 p.tun_sa_in = VppIpsecSA(
3323 p.crypt_algo_vpp_id,
3325 self.vpp_esp_protocol,
3330 p.tun_sa_in.add_vpp_config()
3332 def config_protect(self, p):
3333 p.tun_protect = VppIpsecTunProtect(self, p.tun_if, p.tun_sa_out, [p.tun_sa_in])
3334 p.tun_protect.add_vpp_config()
3336 def config_network(self, p):
3337 p.tun_if = VppIpsecInterface(self)
3339 p.tun_if.add_vpp_config()
3341 p.tun_if.config_ip4()
3342 p.tun_if.config_ip6()
3346 p.remote_tun_if_host4,
3348 [VppRoutePath(p.tun_if.remote_ip4, 0xFFFFFFFF)],
3352 p.route = VppIpRoute(
3354 p.remote_tun_if_host,
3358 p.tun_if.remote_ip6, 0xFFFFFFFF, proto=DpoProto.DPO_PROTO_IP6
3362 p.route.add_vpp_config()
3364 def unconfig_network(self, p):
3365 p.route.remove_vpp_config()
3366 p.tun_if.remove_vpp_config()
3368 def unconfig_protect(self, p):
3369 p.tun_protect.remove_vpp_config()
3371 def unconfig_sa(self, p):
3372 p.tun_sa_out.remove_vpp_config()
3373 p.tun_sa_in.remove_vpp_config()
3376 @tag_fixme_vpp_workers
3377 class TestIpsecItf6(TemplateIpsec, TemplateIpsecItf6, IpsecTun6):
3378 """IPsec Interface IPv6"""
3381 super(TestIpsecItf6, self).setUp()
3383 self.tun_if = self.pg0
3386 super(TestIpsecItf6, self).tearDown()
3388 def test_tun_66(self):
3389 """IPSEC interface IPv6"""
3391 tf = VppEnum.vl_api_tunnel_encap_decap_flags_t
3393 p = self.ipv6_params
3394 p.inner_hop_limit = 24
3395 p.outer_hop_limit = 23
3396 p.outer_flow_label = 243224
3397 p.tun_flags = tf.TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_HOP_LIMIT
3399 self.config_network(p)
3401 p, self.encryption_type, None, self.pg0.local_ip6, self.pg0.remote_ip6
3403 self.verify_drop_tun_66(p, count=n_pkts)
3404 self.config_sa_tun(p, self.pg0.local_ip6, self.pg0.remote_ip6)
3405 self.config_protect(p)
3407 self.verify_tun_66(p, count=n_pkts)
3408 self.assertEqual(p.tun_if.get_rx_stats(), n_pkts)
3409 self.assertEqual(p.tun_if.get_tx_stats(), n_pkts)
3411 p.tun_if.admin_down()
3412 self.verify_drop_tun_66(p, count=n_pkts)
3414 self.verify_tun_66(p, count=n_pkts)
3416 self.assertEqual(p.tun_if.get_rx_stats(), 3 * n_pkts)
3417 self.assertEqual(p.tun_if.get_tx_stats(), 2 * n_pkts)
3419 # it's a v4 packet when its encrypted
3420 self.tun6_encrypt_node_name = "esp4-encrypt-tun"
3422 self.verify_tun_46(p, count=n_pkts)
3423 self.assertEqual(p.tun_if.get_rx_stats(), 4 * n_pkts)
3424 self.assertEqual(p.tun_if.get_tx_stats(), 3 * n_pkts)
3426 self.tun6_encrypt_node_name = "esp6-encrypt-tun"
3428 self.vapi.cli("clear interfaces")
3430 # rekey - create new SAs and update the tunnel protection
3432 np.crypt_key = b"X" + p.crypt_key[1:]
3433 np.scapy_tun_spi += 100
3434 np.scapy_tun_sa_id += 1
3435 np.vpp_tun_spi += 100
3436 np.vpp_tun_sa_id += 1
3437 np.tun_if.local_spi = p.vpp_tun_spi
3438 np.tun_if.remote_spi = p.scapy_tun_spi
3439 np.inner_hop_limit = 24
3440 np.outer_hop_limit = 128
3441 np.inner_flow_label = 0xABCDE
3442 np.outer_flow_label = 0xABCDE
3444 np.tun_flags = tf.TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_FLOW_LABEL
3446 self.config_sa_tun(np, self.pg0.local_ip6, self.pg0.remote_ip6)
3447 self.config_protect(np)
3450 self.verify_tun_66(np, count=n_pkts)
3451 self.assertEqual(p.tun_if.get_rx_stats(), n_pkts)
3452 self.assertEqual(p.tun_if.get_tx_stats(), n_pkts)
3455 self.unconfig_protect(np)
3456 self.unconfig_sa(np)
3457 self.unconfig_network(p)
3459 def test_tun_66_police(self):
3460 """IPSEC interface IPv6 with input policer"""
3461 tf = VppEnum.vl_api_tunnel_encap_decap_flags_t
3463 p = self.ipv6_params
3464 p.inner_hop_limit = 24
3465 p.outer_hop_limit = 23
3466 p.outer_flow_label = 243224
3467 p.tun_flags = tf.TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_HOP_LIMIT
3469 self.config_network(p)
3470 self.config_sa_tun(p, self.pg0.local_ip6, self.pg0.remote_ip6)
3471 self.config_protect(p)
3473 action_tx = PolicerAction(
3474 VppEnum.vl_api_sse2_qos_action_type_t.SSE2_QOS_ACTION_API_TRANSMIT, 0
3476 policer = VppPolicer(
3483 conform_action=action_tx,
3484 exceed_action=action_tx,
3485 violate_action=action_tx,
3487 policer.add_vpp_config()
3489 # Start policing on tun
3490 policer.apply_vpp_config(p.tun_if.sw_if_index, Dir.RX, True)
3492 self.verify_tun_66(p, count=n_pkts)
3493 self.assertEqual(p.tun_if.get_rx_stats(), n_pkts)
3494 self.assertEqual(p.tun_if.get_tx_stats(), n_pkts)
3496 stats = policer.get_stats()
3498 # Single rate, 2 colour policer - expect conform, violate but no exceed
3499 self.assertGreater(stats["conform_packets"], 0)
3500 self.assertEqual(stats["exceed_packets"], 0)
3501 self.assertGreater(stats["violate_packets"], 0)
3503 # Stop policing on tun
3504 policer.apply_vpp_config(p.tun_if.sw_if_index, Dir.RX, False)
3505 self.verify_tun_66(p, count=n_pkts)
3507 # No new policer stats
3508 statsnew = policer.get_stats()
3509 self.assertEqual(stats, statsnew)
3512 policer.remove_vpp_config()
3513 self.unconfig_protect(p)
3515 self.unconfig_network(p)
3518 class TestIpsecMIfEsp4(TemplateIpsec, IpsecTun4):
3519 """Ipsec P2MP ESP v4 tests"""
3521 tun4_encrypt_node_name = "esp4-encrypt-tun"
3522 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
3523 encryption_type = ESP
3525 def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100):
3527 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
3529 IP(src=self.pg1.local_ip4, dst=self.pg1.remote_ip4)
3530 / UDP(sport=1144, dport=2233)
3531 / Raw(b"X" * payload_size)
3533 for i in range(count)
3536 def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=100):
3538 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
3539 / IP(src="1.1.1.1", dst=dst)
3540 / UDP(sport=1144, dport=2233)
3541 / Raw(b"X" * payload_size)
3542 for i in range(count)
3545 def verify_decrypted(self, p, rxs):
3547 self.assert_equal(rx[Ether].dst, self.pg1.remote_mac)
3548 self.assert_equal(rx[IP].dst, self.pg1.remote_ip4)
3550 def verify_encrypted(self, p, sa, rxs):
3554 rx[IP].tos, VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF << 2
3556 self.assertEqual(rx[IP].ttl, p.hop_limit)
3557 pkt = sa.decrypt(rx[IP])
3558 if not pkt.haslayer(IP):
3559 pkt = IP(pkt[Raw].load)
3560 self.assert_packet_checksums_valid(pkt)
3562 self.assertEqual(e[IP].dst, p.remote_tun_if_host)
3563 except (IndexError, AssertionError):
3564 self.logger.debug(ppp("Unexpected packet:", rx))
3566 self.logger.debug(ppp("Decrypted packet:", pkt))
3572 super(TestIpsecMIfEsp4, self).setUp()
3575 self.tun_if = self.pg0
3576 p = self.ipv4_params
3577 p.tun_if = VppIpsecInterface(
3578 self, mode=(VppEnum.vl_api_tunnel_mode_t.TUNNEL_API_MODE_MP)
3580 p.tun_if.add_vpp_config()
3582 p.tun_if.config_ip4()
3583 p.tun_if.unconfig_ip4()
3584 p.tun_if.config_ip4()
3585 p.tun_if.generate_remote_hosts(N_NHS)
3586 self.pg0.generate_remote_hosts(N_NHS)
3587 self.pg0.configure_ipv4_neighbors()
3589 r_all = AclRule(True, src_prefix="0.0.0.0/0", dst_prefix="0.0.0.0/0", proto=0)
3590 a = VppAcl(self, [r_all]).add_vpp_config()
3592 VppAclInterface(self, self.pg0.sw_if_index, [a]).add_vpp_config()
3593 VppAclInterface(self, p.tun_if.sw_if_index, [a]).add_vpp_config()
3595 # setup some SAs for several next-hops on the interface
3596 self.multi_params = []
3598 for ii in range(N_NHS):
3599 p = copy.copy(self.ipv4_params)
3601 p.remote_tun_if_host = "1.1.1.%d" % (ii + 1)
3602 p.scapy_tun_sa_id = p.scapy_tun_sa_id + ii
3603 p.scapy_tun_spi = p.scapy_tun_spi + ii
3604 p.vpp_tun_sa_id = p.vpp_tun_sa_id + ii
3605 p.vpp_tun_spi = p.vpp_tun_spi + ii
3607 p.scapy_tra_sa_id = p.scapy_tra_sa_id + ii
3608 p.scapy_tra_spi = p.scapy_tra_spi + ii
3609 p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii
3610 p.vpp_tra_spi = p.vpp_tra_spi + ii
3611 p.hop_limit = ii + 10
3612 p.tun_sa_out = VppIpsecSA(
3618 p.crypt_algo_vpp_id,
3620 self.vpp_esp_protocol,
3622 self.pg0.remote_hosts[ii].ip4,
3623 dscp=VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF,
3624 hop_limit=p.hop_limit,
3626 p.tun_sa_out.add_vpp_config()
3628 p.tun_sa_in = VppIpsecSA(
3634 p.crypt_algo_vpp_id,
3636 self.vpp_esp_protocol,
3637 self.pg0.remote_hosts[ii].ip4,
3639 dscp=VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF,
3640 hop_limit=p.hop_limit,
3642 p.tun_sa_in.add_vpp_config()
3644 p.tun_protect = VppIpsecTunProtect(
3649 nh=p.tun_if.remote_hosts[ii].ip4,
3651 p.tun_protect.add_vpp_config()
3654 self.encryption_type,
3657 self.pg0.remote_hosts[ii].ip4,
3659 self.multi_params.append(p)
3661 p.via_tun_route = VppIpRoute(
3663 p.remote_tun_if_host,
3665 [VppRoutePath(p.tun_if.remote_hosts[ii].ip4, p.tun_if.sw_if_index)],
3668 p.tun_dst = self.pg0.remote_hosts[ii].ip4
3671 p = self.ipv4_params
3672 p.tun_if.unconfig_ip4()
3673 super(TestIpsecMIfEsp4, self).tearDown()
3675 def test_tun_44(self):
3678 for p in self.multi_params:
3679 self.verify_tun_44(p, count=N_PKTS)
3681 # remove one tunnel protect, the rest should still work
3682 self.multi_params[0].tun_protect.remove_vpp_config()
3683 self.verify_tun_dropped_44(self.multi_params[0], count=N_PKTS)
3684 self.multi_params[0].via_tun_route.remove_vpp_config()
3685 self.verify_tun_dropped_44(self.multi_params[0], count=N_PKTS)
3687 for p in self.multi_params[1:]:
3688 self.verify_tun_44(p, count=N_PKTS)
3690 self.multi_params[0].tun_protect.add_vpp_config()
3691 self.multi_params[0].via_tun_route.add_vpp_config()
3693 for p in self.multi_params:
3694 self.verify_tun_44(p, count=N_PKTS)
3697 class TestIpsecItf6MPLS(TemplateIpsec, TemplateIpsecItf6, IpsecTun6):
3698 """IPsec Interface MPLSoIPv6"""
3700 tun6_encrypt_node_name = "esp-mpls-encrypt-tun"
3703 super(TestIpsecItf6MPLS, self).setUp()
3705 self.tun_if = self.pg0
3708 super(TestIpsecItf6MPLS, self).tearDown()
3710 def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1, payload_size=100):
3712 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
3714 MPLS(label=66, ttl=3)
3715 / IPv6(src=src, dst=dst)
3716 / UDP(sport=1166, dport=2233)
3717 / Raw(b"X" * payload_size)
3719 for i in range(count)
3722 def verify_encrypted6(self, p, sa, rxs):
3725 pkt = sa.decrypt(rx[IPv6])
3726 if not pkt.haslayer(IPv6):
3727 pkt = IP(pkt[Raw].load)
3728 self.assert_packet_checksums_valid(pkt)
3729 self.assert_equal(pkt[MPLS].label, 66)
3730 self.assert_equal(pkt[IPv6].dst, p.remote_tun_if_host)
3731 except (IndexError, AssertionError):
3732 self.logger.debug(ppp("Unexpected packet:", rx))
3734 self.logger.debug(ppp("Decrypted packet:", pkt))
3739 def test_tun_mpls_o_ip6(self):
3740 """IPSEC interface MPLS over IPv6"""
3743 p = self.ipv6_params
3746 tbl = VppMplsTable(self, 0)
3747 tbl.add_vpp_config()
3749 self.config_network(p)
3750 # deag MPLS routes from the tunnel
3755 [VppRoutePath(self.pg1.remote_ip6, self.pg1.sw_if_index)],
3756 eos_proto=f.FIB_PATH_NH_PROTO_IP6,
3761 p.tun_if.remote_ip6, p.tun_if.sw_if_index, labels=[VppMplsLabel(66)]
3765 p.tun_if.enable_mpls()
3767 self.config_sa_tun(p, self.pg0.local_ip6, self.pg0.remote_ip6)
3768 self.config_protect(p)
3770 self.verify_tun_66(p, count=n_pkts)
3773 p.tun_if.disable_mpls()
3774 self.unconfig_protect(p)
3776 self.unconfig_network(p)
3779 if __name__ == "__main__":
3780 unittest.main(testRunner=VppTestRunner)