1 # Copyright (c) 2016 Cisco and/or its affiliates.
2 # Licensed under the Apache License, Version 2.0 (the "License");
3 # you may not use this file except in compliance with the License.
4 # You may obtain a copy of the License at:
6 # http://www.apache.org/licenses/LICENSE-2.0
8 # Unless required by applicable law or agreed to in writing, software
9 # distributed under the License is distributed on an "AS IS" BASIS,
10 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11 # See the License for the specific language governing permissions and
12 # limitations under the License.
15 | Resource | resources/libraries/robot/crypto/ipsec.robot
16 | Library | resources.libraries.python.Trace
17 | Force Tags | 3_NODE_SINGLE_LINK_TOPO | 3_NODE_DOUBLE_LINK_TOPO
18 | ... | VM_ENV | HW_ENV | IPSEC | IPSEC_SW
20 | Test Setup | Set up IPSec SW device functional test | IPv4
22 | Test Teardown | Tear down IPSec SW device functional test
24 | Documentation | *IPv4 IPsec transport mode test suite.*
26 | ... | *[Top] Network topologies:* TG-DUT1 2-node topology with one link\
27 | ... | between nodes.
28 | ... | *[Cfg] DUT configuration:* With enabled SW crytodev on DUT1 create\
29 | ... | loopback interface, configure loopback and physical interface IPv4\
30 | ... | addresses, static ARP record, route and IPsec manual keyed connection\
31 | ... | in transport mode.
32 | ... | *[Ver] TG verification:* ESP packet is sent from TG to DUT1. ESP packet\
33 | ... | is received on TG from DUT1.
34 | ... | *[Ref] Applicable standard specifications:* RFC4303.
37 | ${tg_spi}= | ${1000}
38 | ${dut_spi}= | ${1001}
39 | ${ESP_PROTO}= | ${50}
40 | ${tg_if_ip4}= | 192.168.100.2
41 | ${dut_if_ip4}= | 192.168.100.3
42 | ${tg_lo_ip4}= | 192.168.3.3
43 | ${dut_lo_ip4}= | 192.168.4.4
44 | ${ip4_plen}= | ${24}
47 | TC01: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity
49 | | ... | [Top] TG-DUT1.
50 | | ... | [Ref] RFC4303.
51 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
52 | | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport
54 | | ... | [Ver] Send and receive ESP packet between TG and VPP node.
56 | | [Tags] | EXPECTED_FAILING
58 | | ${encr_alg}= | Crypto Alg AES CBC 128
59 | | ${auth_alg}= | Integ Alg SHA1 96
60 | | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
61 | | When Configure manual keyed connection for IPSec
62 | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
63 | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
64 | | Then Send IPsec Packet and verify ESP encapsulation in received packet
65 | | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
66 | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
67 | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
69 | TC02: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA1-96 integrity
71 | | ... | [Top] TG-DUT1.
72 | | ... | [Ref] RFC4303.
73 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
74 | | ... | algorithm AES-CBC-192 and integrity algorithm SHA1-96 in transport
76 | | ... | [Ver] Send and receive ESP packet between TG and VPP node.
78 | | [Tags] | SKIP_PATCH | EXPECTED_FAILING
80 | | ${encr_alg}= | Crypto Alg AES CBC 192
81 | | ${auth_alg}= | Integ Alg SHA1 96
82 | | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
83 | | When Configure manual keyed connection for IPSec
84 | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
85 | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
86 | | Then Send IPsec Packet and verify ESP encapsulation in received packet
87 | | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
88 | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
89 | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
91 | TC03: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA1-96 integrity
93 | | ... | [Top] TG-DUT1.
94 | | ... | [Ref] RFC4303.
95 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
96 | | ... | algorithm AES-CBC-256 and integrity algorithm SHA1-96 in transport
98 | | ... | [Ver] Send and receive ESP packet between TG and VPP node.
100 | | [Tags] | SKIP_PATCH | EXPECTED_FAILING
102 | | ${encr_alg}= | Crypto Alg AES CBC 256
103 | | ${auth_alg}= | Integ Alg SHA1 96
104 | | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
105 | | When Configure manual keyed connection for IPSec
106 | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
107 | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
108 | | Then Send IPsec Packet and verify ESP encapsulation in received packet
109 | | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
110 | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
111 | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
113 | TC04: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-256-128 integrity
115 | | ... | [Top] TG-DUT1.
116 | | ... | [Ref] RFC4303.
117 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
118 | | ... | algorithm AES-CBC-128 and integrity algorithm SHA-256-128 in transport
120 | | ... | [Ver] Send and receive ESP packet between TG and VPP node.
122 | | [Tags] | SKIP_PATCH | EXPECTED_FAILING
124 | | ${encr_alg}= | Crypto Alg AES CBC 128
125 | | ${auth_alg}= | Integ Alg SHA 256 128
126 | | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
127 | | When Configure manual keyed connection for IPSec
128 | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
129 | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
130 | | Then Send IPsec Packet and verify ESP encapsulation in received packet
131 | | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
132 | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
133 | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
135 | TC05: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-256-128 integrity
137 | | ... | [Top] TG-DUT1.
138 | | ... | [Ref] RFC4303.
139 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
140 | | ... | algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in transport
142 | | ... | [Ver] Send and receive ESP packet between TG and VPP node.
144 | | [Tags] | EXPECTED_FAILING
146 | | ${encr_alg}= | Crypto Alg AES CBC 192
147 | | ${auth_alg}= | Integ Alg SHA 256 128
148 | | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
149 | | When Configure manual keyed connection for IPSec
150 | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
151 | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
152 | | Then Send IPsec Packet and verify ESP encapsulation in received packet
153 | | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
154 | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
155 | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
157 | TC06: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-256-128 integrity
159 | | ... | [Top] TG-DUT1.
160 | | ... | [Ref] RFC4303.
161 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
162 | | ... | algorithm AES-CBC-256 and integrity algorithm SHA-256-128 in transport
164 | | ... | [Ver] Send and receive ESP packet between TG and VPP node.
166 | | [Tags] | SKIP_PATCH | EXPECTED_FAILING
168 | | ${encr_alg}= | Crypto Alg AES CBC 256
169 | | ${auth_alg}= | Integ Alg SHA 256 128
170 | | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
171 | | When Configure manual keyed connection for IPSec
172 | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
173 | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
174 | | Then Send IPsec Packet and verify ESP encapsulation in received packet
175 | | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
176 | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
177 | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
179 | TC07: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-384-192 integrity
181 | | ... | [Top] TG-DUT1.
182 | | ... | [Ref] RFC4303.
183 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
184 | | ... | algorithm AES-CBC-128 and integrity algorithm SHA-384-192 in transport
186 | | ... | [Ver] Send and receive ESP packet between TG and VPP node.
188 | | [Tags] | SKIP_PATCH | EXPECTED_FAILING
190 | | ${encr_alg}= | Crypto Alg AES CBC 128
191 | | ${auth_alg}= | Integ Alg SHA 384 192
192 | | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
193 | | When Configure manual keyed connection for IPSec
194 | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
195 | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
196 | | Then Send IPsec Packet and verify ESP encapsulation in received packet
197 | | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
198 | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
199 | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
201 | TC08: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-384-192 integrity
203 | | ... | [Top] TG-DUT1.
204 | | ... | [Ref] RFC4303.
205 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
206 | | ... | algorithm AES-CBC-192 and integrity algorithm SHA-384-192 in transport
208 | | ... | [Ver] Send and receive ESP packet between TG and VPP node.
210 | | [Tags] | SKIP_PATCH | EXPECTED_FAILING
212 | | ${encr_alg}= | Crypto Alg AES CBC 192
213 | | ${auth_alg}= | Integ Alg SHA 384 192
214 | | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
215 | | When Configure manual keyed connection for IPSec
216 | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
217 | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
218 | | Then Send IPsec Packet and verify ESP encapsulation in received packet
219 | | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
220 | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
221 | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
223 | TC09: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-384-192 integrity
225 | | ... | [Top] TG-DUT1.
226 | | ... | [Ref] RFC4303.
227 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
228 | | ... | algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in transport
230 | | ... | [Ver] Send and receive ESP packet between TG and VPP node.
232 | | [Tags] | EXPECTED_FAILING
234 | | ${encr_alg}= | Crypto Alg AES CBC 256
235 | | ${auth_alg}= | Integ Alg SHA 384 192
236 | | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
237 | | When Configure manual keyed connection for IPSec
238 | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
239 | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
240 | | Then Send IPsec Packet and verify ESP encapsulation in received packet
241 | | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
242 | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
243 | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
245 | TC10: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-512-256 integrity
247 | | ... | [Top] TG-DUT1.
248 | | ... | [Ref] RFC4303.
249 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
250 | | ... | algorithm AES-CBC-128 and integrity algorithm SHA-512-256 in transport
252 | | ... | [Ver] Send and receive ESP packet between TG and VPP node.
254 | | [Tags] | SKIP_PATCH | EXPECTED_FAILING
256 | | ${encr_alg}= | Crypto Alg AES CBC 128
257 | | ${auth_alg}= | Integ Alg SHA 512 256
258 | | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
259 | | When Configure manual keyed connection for IPSec
260 | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
261 | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
262 | | Then Send IPsec Packet and verify ESP encapsulation in received packet
263 | | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
264 | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
265 | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
267 | TC11: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-512-256 integrity
269 | | ... | [Top] TG-DUT1.
270 | | ... | [Ref] RFC4303.
271 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
272 | | ... | algorithm AES-CBC-192 and integrity algorithm SHA-512-256 in transport
274 | | ... | [Ver] Send and receive ESP packet between TG and VPP node.
276 | | [Tags] | SKIP_PATCH | EXPECTED_FAILING
278 | | ${encr_alg}= | Crypto Alg AES CBC 192
279 | | ${auth_alg}= | Integ Alg SHA 512 256
280 | | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
281 | | When Configure manual keyed connection for IPSec
282 | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
283 | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
284 | | Then Send IPsec Packet and verify ESP encapsulation in received packet
285 | | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
286 | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
287 | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
289 | TC12: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-512-256 integrity
291 | | ... | [Top] TG-DUT1.
292 | | ... | [Ref] RFC4303.
293 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
294 | | ... | algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in transport
296 | | ... | [Ver] Send and receive ESP packet between TG and VPP node.
298 | | [Tags] | EXPECTED_FAILING
300 | | ${encr_alg}= | Crypto Alg AES CBC 256
301 | | ${auth_alg}= | Integ Alg SHA 512 256
302 | | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
303 | | When Configure manual keyed connection for IPSec
304 | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
305 | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
306 | | Then Send IPsec Packet and verify ESP encapsulation in received packet
307 | | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
308 | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
309 | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
312 | TC13: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption alogrithms used
314 | | ... | [Top] TG-DUT1.
315 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
316 | | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
318 | | ... | [Ver] Send an ESP packet encrypted by encryption key different from\
319 | | ... | encryption key stored on VPP node from TG to VPP node and expect no\
320 | | ... | response to be received on TG.
321 | | ... | [Ref] RFC4303.
323 | | [Tags] | EXPECTED_FAILING
325 | | ${encr_alg}= | Crypto Alg AES CBC 128
326 | | ${auth_alg}= | Integ Alg SHA1 96
327 | | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
328 | | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
329 | | When Configure manual keyed connection for IPSec
330 | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
331 | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
332 | | Then Run Keyword And Expect Error | ESP packet Rx timeout
333 | | ... | Send IPsec Packet and verify ESP encapsulation in received packet
334 | | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
335 | | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi}
336 | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
338 | TC14: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different integrity alogrithms used
340 | | ... | [Top] TG-DUT1.
341 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
342 | | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
344 | | ... | [Ver] Send an ESP packet authenticated by integrity key different\
345 | | ... | from integrity key stored on VPP node from TG to VPP node and expect\
346 | | ... | no response to be received on TG.
347 | | ... | [Ref] RFC4303.
349 | | ${encr_alg}= | Crypto Alg AES CBC 128
350 | | ${auth_alg}= | Integ Alg SHA1 96
351 | | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
352 | | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
353 | | When Configure manual keyed connection for IPSec
354 | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
355 | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
356 | | Then Run Keyword And Expect Error | ESP packet Rx timeout
357 | | ... | Send IPsec Packet and verify ESP encapsulation in received packet
358 | | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
359 | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
360 | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
362 | TC15: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption and integrity alogrithms used
364 | | ... | [Top] TG-DUT1.
365 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
366 | | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
368 | | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\
369 | | ... | by encryption key different from integrity and encryption keys stored\
370 | | ... | on VPP node from TG to VPP node and expect no response to be received\
372 | | ... | [Ref] RFC4303.
374 | | ${encr_alg}= | Crypto Alg AES CBC 128
375 | | ${auth_alg}= | Integ Alg SHA1 96
376 | | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
377 | | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
378 | | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
379 | | When Configure manual keyed connection for IPSec
380 | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
381 | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
382 | | Then Run Keyword And Expect Error | ESP packet Rx timeout
383 | | ... | Send IPsec Packet and verify ESP encapsulation in received packet
384 | | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
385 | | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
386 | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
388 | TC16: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys
390 | | ... | [Top] TG-DUT1.
391 | | ... | [Ref] RFC4303.
392 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
393 | | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
394 | | ... | mode. Then update SA keys - use new keys.
395 | | ... | [Ver] Send and receive ESP packet between TG and VPP node before\
396 | | ... | and after SA keys update.
398 | | [Tags] | EXPECTED_FAILING
400 | | ${encr_alg}= | Crypto Alg AES CBC 128
401 | | ${auth_alg}= | Integ Alg SHA1 96
402 | | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
403 | | When Configure manual keyed connection for IPSec
404 | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
405 | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
406 | | Then Send IPsec Packet and verify ESP encapsulation in received packet
407 | | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
408 | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
409 | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
410 | | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
411 | | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
412 | | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
413 | | ... | ${new_encr_key} | ${new_auth_key}
414 | | Then Send IPsec Packet and verify ESP encapsulation in received packet
415 | | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
416 | | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${new_auth_key}
417 | | ... | ${tg_spi} | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
419 | TC17: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used
421 | | ... | [Top] TG-DUT1.
422 | | ... | [Ref] RFC4303.
423 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
424 | | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
425 | | ... | mode. Then update SA keys - use new keys.
426 | | ... | [Ver] Send an ESP packet encrypted by encryption key different from\
427 | | ... | encryption key stored on VPP node from TG to VPP node and expect no\
428 | | ... | response to be received on TG before and after SA keys update.
430 | | [Tags] | EXPECTED_FAILING
432 | | ${encr_alg}= | Crypto Alg AES CBC 128
433 | | ${auth_alg}= | Integ Alg SHA1 96
434 | | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
435 | | When Configure manual keyed connection for IPSec
436 | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
437 | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
438 | | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
439 | | Then Run Keyword And Expect Error | ESP packet Rx timeout
440 | | ... | Send IPsec Packet and verify ESP encapsulation in received packet
441 | | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
442 | | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi}
443 | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
444 | | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
445 | | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
446 | | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
447 | | ... | ${new_encr_key} | ${new_auth_key}
448 | | Then Run Keyword And Expect Error | ESP packet Rx timeout
449 | | ... | Send IPsec Packet and verify ESP encapsulation in received packet
450 | | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
451 | | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${new_auth_key} | ${tg_spi}
452 | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
454 | TC18: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used
456 | | ... | [Top] TG-DUT1.
457 | | ... | [Ref] RFC4303.
458 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
459 | | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
460 | | ... | mode. Then update SA keys - use new keys.
461 | | ... | [Ver] Send an ESP packet authenticated by integrity key different\
462 | | ... | from integrity key stored on VPP node from TG to VPP node and expect\
463 | | ... | no response to be received on TG before and after SA keys update.
465 | | [Tags] | EXPECTED_FAILING
467 | | ${encr_alg}= | Crypto Alg AES CBC 128
468 | | ${auth_alg}= | Integ Alg SHA1 96
469 | | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
470 | | When Configure manual keyed connection for IPSec
471 | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
472 | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
473 | | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
474 | | Then Run Keyword And Expect Error | ESP packet Rx timeout
475 | | ... | Send IPsec Packet and verify ESP encapsulation in received packet
476 | | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
477 | | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
478 | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
479 | | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
480 | | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
481 | | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
482 | | ... | ${new_encr_key} | ${new_auth_key}
483 | | Then Run Keyword And Expect Error | ESP packet Rx timeout
484 | | ... | Send IPsec Packet and verify ESP encapsulation in received packet
485 | | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
486 | | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
487 | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
489 | TC19: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used
491 | | ... | [Top] TG-DUT1.
492 | | ... | [Ref] RFC4303.
493 | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
494 | | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
495 | | ... | mode. Then update SA keys - use new keys.
496 | | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\
497 | | ... | by encryption key different from integrity and encryption keys stored\
498 | | ... | on VPP node from TG to VPP node and expect no response to be received\
499 | | ... | on TG before and after SA keys update.
501 | | [Tags] | EXPECTED_FAILING
503 | | ${encr_alg}= | Crypto Alg AES CBC 128
504 | | ${auth_alg}= | Integ Alg SHA1 96
505 | | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
506 | | When Configure manual keyed connection for IPSec
507 | | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
508 | | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
509 | | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
510 | | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
511 | | Then Run Keyword And Expect Error | ESP packet Rx timeout
512 | | ... | Send IPsec Packet and verify ESP encapsulation in received packet
513 | | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
514 | | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
515 | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
516 | | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
517 | | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
518 | | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
519 | | ... | ${new_encr_key} | ${new_auth_key}
520 | | Then Run Keyword And Expect Error | ESP packet Rx timeout
521 | | ... | Send IPsec Packet and verify ESP encapsulation in received packet
522 | | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
523 | | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
524 | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
527 | Get Second Random String
528 | | [Arguments] | ${req_alg} | ${req_type}
530 | | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg}
531 | | ${key}= | Set Variable If | '${req_type}' == 'Crypto' | ${encr_key}
532 | | ... | '${req_type}' == 'Integ' | ${auth_key}
533 | | :FOR | ${index} | IN RANGE | 100
534 | | | ${req_key}= | Generate Random String | ${req_key_len}
535 | | | Return From Keyword If | '${req_key}' != '${key}' | ${req_key}