+ :type is_ipv6: bool
+ """
+ err_msg = f"Failed to add entry to Security Policy Database " \
+ f"{spd_id} on host {node[u'host']}"
+ with PapiSocketExecutor(node, is_async=True) as papi_exec:
+ IPsecUtil._vpp_ipsec_add_spd_entry_internal(
+ papi_exec, spd_id, priority, action, inbound, sa_id, proto,
+ laddr_range, raddr_range, lport_range, rport_range, is_ipv6
+ )
+ papi_exec.get_replies(err_msg)
+
+ @staticmethod
+ def vpp_ipsec_add_spd_entries(
+ node, n_entries, spd_id, priority, action, inbound, sa_id=None,
+ proto=None, laddr_range=None, raddr_range=None, lport_range=None,
+ rport_range=None, is_ipv6=False):
+ """Create multiple Security Policy Database entries on the VPP node.
+
+ :param node: VPP node to add SPD entries on.
+ :param n_entries: Number of SPD entries to be added.
+ :param spd_id: SPD ID to add entries on.
+ :param priority: SPD entries priority, higher number = higher priority.
+ :param action: Policy action.
+ :param inbound: If True policy is for inbound traffic, otherwise
+ outbound.
+ :param sa_id: SAD entry ID for action PolicyAction.PROTECT.
+ :param proto: Policy selector next layer protocol number.
+ :param laddr_range: Policy selector local IPv4 or IPv6 address range
+ in format IP/prefix or IP/mask. If no mask is provided,
+ it's considered to be /32.
+ :param raddr_range: Policy selector remote IPv4 or IPv6 address range
+ in format IP/prefix or IP/mask. If no mask is provided,
+ it's considered to be /32.
+ :param lport_range: Policy selector local TCP/UDP port range in format
+ <port_start>-<port_end>.
+ :param rport_range: Policy selector remote TCP/UDP port range in format
+ <port_start>-<port_end>.
+ :param is_ipv6: True in case of IPv6 policy when IPv6 address range is
+ not defined so it will default to address ::/0, otherwise False.
+ :type node: dict
+ :type n_entries: int
+ :type spd_id: int
+ :type priority: IPsecUtil.ObjIncrement
+ :type action: IPsecUtil.PolicyAction
+ :type inbound: bool
+ :type sa_id: IPsecUtil.ObjIncrement
+ :type proto: int
+ :type laddr_range: IPsecUtil.NetworkIncrement
+ :type raddr_range: IPsecUtil.NetworkIncrement
+ :type lport_range: string
+ :type rport_range: string
+ :type is_ipv6: bool
+ """
+ if laddr_range is None:
+ laddr_range = u"::/0" if is_ipv6 else u"0.0.0.0/0"
+ laddr_range = NetworkIncrement(ip_network(laddr_range), 0)
+
+ if raddr_range is None:
+ raddr_range = u"::/0" if is_ipv6 else u"0.0.0.0/0"
+ raddr_range = NetworkIncrement(ip_network(raddr_range), 0)
+
+ lport_range_start = 0
+ lport_range_stop = 65535
+ if lport_range:
+ lport_range_start, lport_range_stop = lport_range.split('-')
+
+ rport_range_start = 0
+ rport_range_stop = 65535
+ if rport_range:
+ rport_range_start, rport_range_stop = rport_range.split('-')
+
+ err_msg = f"Failed to add entry to Security Policy Database " \
+ f"{spd_id} on host {node[u'host']}"
+ with PapiSocketExecutor(node, is_async=True) as papi_exec:
+ for _ in range(n_entries):
+ IPsecUtil._vpp_ipsec_add_spd_entry_internal(
+ papi_exec, spd_id, next(priority), action, inbound,
+ next(sa_id) if sa_id is not None else sa_id,
+ proto, next(laddr_range), next(raddr_range), lport_range,
+ rport_range, is_ipv6
+ )
+ papi_exec.get_replies(err_msg)
+
+ @staticmethod
+ def _ipsec_create_loopback_dut1_papi(nodes, tun_ips, if1_key, if2_key):
+ """Create loopback interface and set IP address on VPP node 1 interface
+ using PAPI.
+
+ :param nodes: VPP nodes to create tunnel interfaces.
+ :param tun_ips: Dictionary with VPP node 1 ipsec tunnel interface
+ IPv4/IPv6 address (ip1) and VPP node 2 ipsec tunnel interface
+ IPv4/IPv6 address (ip2).
+ :param if1_key: VPP node 1 interface key from topology file.
+ :param if2_key: VPP node 2 / TG node (in case of 2-node topology)
+ interface key from topology file.
+ :type nodes: dict
+ :type tun_ips: dict
+ :type if1_key: str
+ :type if2_key: str
+ """
+ with PapiSocketExecutor(nodes[u"DUT1"]) as papi_exec:
+ # Create loopback interface on DUT1, set it to up state
+ cmd = u"create_loopback_instance"
+ args = dict(
+ mac_address=0,
+ is_specified=False,
+ user_instance=0,
+ )
+ err_msg = f"Failed to create loopback interface " \
+ f"on host {nodes[u'DUT1'][u'host']}"
+ papi_exec.add(cmd, **args)
+ loop_sw_if_idx = papi_exec.get_sw_if_index(err_msg)
+ cmd = u"sw_interface_set_flags"
+ args = dict(
+ sw_if_index=loop_sw_if_idx,
+ flags=InterfaceStatusFlags.IF_STATUS_API_FLAG_ADMIN_UP.value
+ )
+ err_msg = f"Failed to set loopback interface state up " \
+ f"on host {nodes[u'DUT1'][u'host']}"
+ papi_exec.add(cmd, **args).get_reply(err_msg)
+ # Set IP address on VPP node 1 interface
+ cmd = u"sw_interface_add_del_address"
+ args = dict(
+ sw_if_index=InterfaceUtil.get_interface_index(
+ nodes[u"DUT1"], if1_key
+ ),
+ is_add=True,
+ del_all=False,
+ prefix=IPUtil.create_prefix_object(
+ tun_ips[u"ip2"] - 1, 96 if tun_ips[u"ip2"].version == 6
+ else 24
+ )
+ )
+ err_msg = f"Failed to set IP address on interface {if1_key} " \
+ f"on host {nodes[u'DUT1'][u'host']}"
+ papi_exec.add(cmd, **args).get_reply(err_msg)
+ cmd2 = u"ip_neighbor_add_del"
+ args2 = dict(
+ is_add=1,
+ neighbor=dict(
+ sw_if_index=Topology.get_interface_sw_index(
+ nodes[u"DUT1"], if1_key
+ ),
+ flags=1,
+ mac_address=str(
+ Topology.get_interface_mac(nodes[u"DUT2"], if2_key)
+ if u"DUT2" in nodes.keys()
+ else Topology.get_interface_mac(
+ nodes[u"TG"], if2_key
+ )
+ ),
+ ip_address=tun_ips[u"ip2"].compressed
+ )
+ )
+ err_msg = f"Failed to add IP neighbor on interface {if1_key}"
+ papi_exec.add(cmd2, **args2).get_reply(err_msg)
+
+ return loop_sw_if_idx
+
+ @staticmethod
+ def _ipsec_create_tunnel_interfaces_dut1_papi(
+ nodes, tun_ips, if1_key, if2_key, n_tunnels, crypto_alg, integ_alg,
+ raddr_ip2, addr_incr, spi_d, existing_tunnels=0):
+ """Create multiple IPsec tunnel interfaces on DUT1 node using PAPI.
+
+ Generate random keys and return them (so DUT2 or TG can decrypt).
+
+ :param nodes: VPP nodes to create tunnel interfaces.
+ :param tun_ips: Dictionary with VPP node 1 ipsec tunnel interface
+ IPv4/IPv6 address (ip1) and VPP node 2 ipsec tunnel interface
+ IPv4/IPv6 address (ip2).
+ :param if1_key: VPP node 1 interface key from topology file.
+ :param if2_key: VPP node 2 / TG node (in case of 2-node topology)
+ interface key from topology file.
+ :param n_tunnels: Number of tunnel interfaces to be there at the end.
+ :param crypto_alg: The encryption algorithm name.
+ :param integ_alg: The integrity algorithm name.
+ :param raddr_ip2: Policy selector remote IPv4/IPv6 start address for the
+ first tunnel in direction node2->node1.
+ :param spi_d: Dictionary with SPIs for VPP node 1 and VPP node 2.
+ :param addr_incr: IP / IPv6 address incremental step.
+ :param existing_tunnels: Number of tunnel interfaces before creation.
+ Useful mainly for reconf tests. Default 0.
+ :type nodes: dict
+ :type tun_ips: dict
+ :type if1_key: str
+ :type if2_key: str
+ :type n_tunnels: int
+ :type crypto_alg: CryptoAlg
+ :type integ_alg: Optional[IntegAlg]
+ :type raddr_ip2: IPv4Address or IPv6Address
+ :type addr_incr: int
+ :type spi_d: dict
+ :type existing_tunnels: int
+ :returns: Generated ckeys and ikeys.
+ :rtype: List[bytes], List[bytes]
+ """
+ if not existing_tunnels:
+ loop_sw_if_idx = IPsecUtil._ipsec_create_loopback_dut1_papi(
+ nodes, tun_ips, if1_key, if2_key
+ )
+ else:
+ loop_sw_if_idx = InterfaceUtil.vpp_get_interface_sw_index(
+ nodes[u"DUT1"], u"loop0"
+ )
+ with PapiSocketExecutor(nodes[u"DUT1"], is_async=True) as papi_exec:
+ # Configure IP addresses on loop0 interface
+ cmd = u"sw_interface_add_del_address"
+ args = dict(
+ sw_if_index=loop_sw_if_idx,
+ is_add=True,
+ del_all=False,
+ prefix=None
+ )
+ for i in range(existing_tunnels, n_tunnels):
+ args[u"prefix"] = IPUtil.create_prefix_object(
+ tun_ips[u"ip1"] + i * addr_incr,
+ 128 if tun_ips[u"ip1"].version == 6 else 32
+ )
+ papi_exec.add(
+ cmd, history=bool(not 1 < i < n_tunnels - 2), **args
+ )
+ # Configure IPIP tunnel interfaces
+ cmd = u"ipip_add_tunnel"
+ ipip_tunnel = dict(
+ instance=Constants.BITWISE_NON_ZERO,
+ src=None,
+ dst=None,
+ table_id=0,
+ flags=int(
+ TunnelEncpaDecapFlags.TUNNEL_API_ENCAP_DECAP_FLAG_NONE
+ ),
+ mode=int(TunnelMode.TUNNEL_API_MODE_P2P),
+ dscp=int(IpDscp.IP_API_DSCP_CS0)
+ )
+ args = dict(
+ tunnel=ipip_tunnel
+ )
+ ipip_tunnels = [None] * existing_tunnels
+ for i in range(existing_tunnels, n_tunnels):
+ args[u"tunnel"][u"src"] = IPAddress.create_ip_address_object(
+ tun_ips[u"ip1"] + i * addr_incr
+ )
+ args[u"tunnel"][u"dst"] = IPAddress.create_ip_address_object(
+ tun_ips[u"ip2"]
+ )
+ papi_exec.add(
+ cmd, history=bool(not 1 < i < n_tunnels - 2), **args
+ )
+ err_msg = f"Failed to add IPIP tunnel interfaces on host" \
+ f" {nodes[u'DUT1'][u'host']}"
+ ipip_tunnels.extend(
+ [
+ reply[u"sw_if_index"]
+ for reply in papi_exec.get_replies(err_msg)
+ if u"sw_if_index" in reply
+ ]
+ )
+ # Configure IPSec SAD entries
+ ckeys = [bytes()] * existing_tunnels
+ ikeys = [bytes()] * existing_tunnels
+ cmd = u"ipsec_sad_entry_add"
+ c_key = dict(
+ length=0,
+ data=None
+ )
+ i_key = dict(
+ length=0,
+ data=None
+ )
+ sad_entry = dict(
+ sad_id=None,
+ spi=None,
+ protocol=int(IPsecProto.IPSEC_API_PROTO_ESP),
+ crypto_algorithm=crypto_alg.alg_int_repr,
+ crypto_key=c_key,
+ integrity_algorithm=integ_alg.alg_int_repr if integ_alg else 0,
+ integrity_key=i_key,
+ flags=None,
+ tunnel=dict(
+ src=0,
+ dst=0,
+ table_id=0,
+ encap_decap_flags=int(
+ TunnelEncpaDecapFlags.TUNNEL_API_ENCAP_DECAP_FLAG_NONE
+ ),
+ dscp=int(IpDscp.IP_API_DSCP_CS0),
+ ),
+ salt=0,
+ udp_src_port=IPSEC_UDP_PORT_NONE,
+ udp_dst_port=IPSEC_UDP_PORT_NONE,
+ )
+ args = dict(entry=sad_entry)
+ for i in range(existing_tunnels, n_tunnels):
+ ckeys.append(
+ gen_key(IPsecUtil.get_crypto_alg_key_len(crypto_alg))
+ )
+ ikeys.append(
+ gen_key(IPsecUtil.get_integ_alg_key_len(integ_alg))
+ )
+ # SAD entry for outband / tx path
+ args[u"entry"][u"sad_id"] = i
+ args[u"entry"][u"spi"] = spi_d[u"spi_1"] + i
+
+ args[u"entry"][u"crypto_key"][u"length"] = len(ckeys[i])
+ args[u"entry"][u"crypto_key"][u"data"] = ckeys[i]
+ if integ_alg:
+ args[u"entry"][u"integrity_key"][u"length"] = len(ikeys[i])
+ args[u"entry"][u"integrity_key"][u"data"] = ikeys[i]
+ args[u"entry"][u"flags"] = int(
+ IPsecSadFlags.IPSEC_API_SAD_FLAG_NONE
+ )
+ papi_exec.add(
+ cmd, history=bool(not 1 < i < n_tunnels - 2), **args
+ )
+ # SAD entry for inband / rx path
+ args[u"entry"][u"sad_id"] = 100000 + i
+ args[u"entry"][u"spi"] = spi_d[u"spi_2"] + i
+
+ args[u"entry"][u"crypto_key"][u"length"] = len(ckeys[i])
+ args[u"entry"][u"crypto_key"][u"data"] = ckeys[i]
+ if integ_alg:
+ args[u"entry"][u"integrity_key"][u"length"] = len(ikeys[i])
+ args[u"entry"][u"integrity_key"][u"data"] = ikeys[i]
+ args[u"entry"][u"flags"] = int(
+ IPsecSadFlags.IPSEC_API_SAD_FLAG_NONE |
+ IPsecSadFlags.IPSEC_API_SAD_FLAG_IS_INBOUND
+ )
+ papi_exec.add(
+ cmd, history=bool(not 1 < i < n_tunnels - 2), **args
+ )
+ err_msg = f"Failed to add IPsec SAD entries on host" \
+ f" {nodes[u'DUT1'][u'host']}"
+ papi_exec.get_replies(err_msg)
+ # Add protection for tunnels with IPSEC
+ cmd = u"ipsec_tunnel_protect_update"
+ n_hop = dict(
+ address=0,
+ via_label=MPLS_LABEL_INVALID,
+ obj_id=Constants.BITWISE_NON_ZERO
+ )
+ ipsec_tunnel_protect = dict(
+ sw_if_index=None,
+ nh=n_hop,
+ sa_out=None,
+ n_sa_in=1,
+ sa_in=None
+ )
+ args = dict(
+ tunnel=ipsec_tunnel_protect
+ )
+ for i in range(existing_tunnels, n_tunnels):
+ args[u"tunnel"][u"sw_if_index"] = ipip_tunnels[i]
+ args[u"tunnel"][u"sa_out"] = i
+ args[u"tunnel"][u"sa_in"] = [100000 + i]
+ papi_exec.add(
+ cmd, history=bool(not 1 < i < n_tunnels - 2), **args
+ )
+ err_msg = f"Failed to add protection for tunnels with IPSEC " \
+ f"on host {nodes[u'DUT1'][u'host']}"
+ papi_exec.get_replies(err_msg)
+
+ # Configure unnumbered interfaces
+ cmd = u"sw_interface_set_unnumbered"
+ args = dict(
+ is_add=True,
+ sw_if_index=InterfaceUtil.get_interface_index(
+ nodes[u"DUT1"], if1_key
+ ),
+ unnumbered_sw_if_index=0
+ )
+ for i in range(existing_tunnels, n_tunnels):
+ args[u"unnumbered_sw_if_index"] = ipip_tunnels[i]
+ papi_exec.add(
+ cmd, history=bool(not 1 < i < n_tunnels - 2), **args
+ )
+ # Set interfaces up
+ cmd = u"sw_interface_set_flags"
+ args = dict(
+ sw_if_index=0,
+ flags=InterfaceStatusFlags.IF_STATUS_API_FLAG_ADMIN_UP.value
+ )
+ for i in range(existing_tunnels, n_tunnels):
+ args[u"sw_if_index"] = ipip_tunnels[i]
+ papi_exec.add(
+ cmd, history=bool(not 1 < i < n_tunnels - 2), **args
+ )
+ # Configure IP routes
+ cmd = u"ip_route_add_del"
+ args = dict(
+ is_add=1,
+ is_multipath=0,
+ route=None
+ )
+ for i in range(existing_tunnels, n_tunnels):
+ args[u"route"] = IPUtil.compose_vpp_route_structure(
+ nodes[u"DUT1"], (raddr_ip2 + i).compressed,
+ prefix_len=128 if raddr_ip2.version == 6 else 32,
+ interface=ipip_tunnels[i]
+ )
+ papi_exec.add(
+ cmd, history=bool(not 1 < i < n_tunnels - 2), **args
+ )
+ err_msg = f"Failed to add IP routes on host " \
+ f"{nodes[u'DUT1'][u'host']}"
+ papi_exec.get_replies(err_msg)
+
+ return ckeys, ikeys
+
+ @staticmethod
+ def _ipsec_create_tunnel_interfaces_dut2_papi(
+ nodes, tun_ips, if2_key, n_tunnels, crypto_alg, ckeys, integ_alg,
+ ikeys, raddr_ip1, addr_incr, spi_d, existing_tunnels=0):
+ """Create multiple IPsec tunnel interfaces on DUT2 node using PAPI.
+
+ This method accesses keys generated by DUT1 method
+ and does not return anything.
+
+ :param nodes: VPP nodes to create tunnel interfaces.
+ :param tun_ips: Dictionary with VPP node 1 ipsec tunnel interface
+ IPv4/IPv6 address (ip1) and VPP node 2 ipsec tunnel interface
+ IPv4/IPv6 address (ip2).
+ :param if2_key: VPP node 2 / TG node (in case of 2-node topology)
+ interface key from topology file.
+ :param n_tunnels: Number of tunnel interfaces to be there at the end.
+ :param crypto_alg: The encryption algorithm name.
+ :param ckeys: List of encryption keys.
+ :param integ_alg: The integrity algorithm name.
+ :param ikeys: List of integrity keys.
+ :param spi_d: Dictionary with SPIs for VPP node 1 and VPP node 2.
+ :param addr_incr: IP / IPv6 address incremental step.
+ :param existing_tunnels: Number of tunnel interfaces before creation.
+ Useful mainly for reconf tests. Default 0.
+ :type nodes: dict
+ :type tun_ips: dict
+ :type if2_key: str
+ :type n_tunnels: int
+ :type crypto_alg: CryptoAlg
+ :type ckeys: Sequence[bytes]
+ :type integ_alg: Optional[IntegAlg]
+ :type ikeys: Sequence[bytes]
+ :type addr_incr: int
+ :type spi_d: dict
+ :type existing_tunnels: int
+ """
+ with PapiSocketExecutor(nodes[u"DUT2"], is_async=True) as papi_exec:
+ if not existing_tunnels:
+ # Set IP address on VPP node 2 interface
+ cmd = u"sw_interface_add_del_address"
+ args = dict(
+ sw_if_index=InterfaceUtil.get_interface_index(
+ nodes[u"DUT2"], if2_key
+ ),
+ is_add=True,
+ del_all=False,
+ prefix=IPUtil.create_prefix_object(
+ tun_ips[u"ip2"], 96 if tun_ips[u"ip2"].version == 6
+ else 24
+ )
+ )
+ err_msg = f"Failed to set IP address on interface {if2_key} " \
+ f"on host {nodes[u'DUT2'][u'host']}"
+ papi_exec.add(cmd, **args).get_replies(err_msg)
+ # Configure IPIP tunnel interfaces
+ cmd = u"ipip_add_tunnel"
+ ipip_tunnel = dict(
+ instance=Constants.BITWISE_NON_ZERO,
+ src=None,
+ dst=None,
+ table_id=0,
+ flags=int(
+ TunnelEncpaDecapFlags.TUNNEL_API_ENCAP_DECAP_FLAG_NONE
+ ),
+ mode=int(TunnelMode.TUNNEL_API_MODE_P2P),
+ dscp=int(IpDscp.IP_API_DSCP_CS0)
+ )
+ args = dict(
+ tunnel=ipip_tunnel
+ )
+ ipip_tunnels = [None] * existing_tunnels
+ for i in range(existing_tunnels, n_tunnels):
+ args[u"tunnel"][u"src"] = IPAddress.create_ip_address_object(
+ tun_ips[u"ip2"]
+ )
+ args[u"tunnel"][u"dst"] = IPAddress.create_ip_address_object(
+ tun_ips[u"ip1"] + i * addr_incr
+ )
+ papi_exec.add(
+ cmd, history=bool(not 1 < i < n_tunnels - 2), **args
+ )
+ err_msg = f"Failed to add IPIP tunnel interfaces on host" \
+ f" {nodes[u'DUT2'][u'host']}"
+ ipip_tunnels.extend(
+ [
+ reply[u"sw_if_index"]
+ for reply in papi_exec.get_replies(err_msg)
+ if u"sw_if_index" in reply
+ ]
+ )
+ # Configure IPSec SAD entries
+ cmd = u"ipsec_sad_entry_add"
+ c_key = dict(
+ length=0,
+ data=None
+ )
+ i_key = dict(
+ length=0,
+ data=None
+ )
+ sad_entry = dict(
+ sad_id=None,
+ spi=None,
+ protocol=int(IPsecProto.IPSEC_API_PROTO_ESP),
+ crypto_algorithm=crypto_alg.alg_int_repr,
+ crypto_key=c_key,
+ integrity_algorithm=integ_alg.alg_int_repr if integ_alg else 0,
+ integrity_key=i_key,
+ flags=None,
+ tunnel=dict(
+ src=0,
+ dst=0,
+ table_id=0,
+ encap_decap_flags=int(
+ TunnelEncpaDecapFlags.TUNNEL_API_ENCAP_DECAP_FLAG_NONE
+ ),
+ dscp=int(IpDscp.IP_API_DSCP_CS0),
+ ),
+ salt=0,
+ udp_src_port=IPSEC_UDP_PORT_NONE,
+ udp_dst_port=IPSEC_UDP_PORT_NONE,
+ )
+ args = dict(entry=sad_entry)
+ for i in range(existing_tunnels, n_tunnels):
+ ckeys.append(
+ gen_key(IPsecUtil.get_crypto_alg_key_len(crypto_alg))
+ )
+ ikeys.append(
+ gen_key(IPsecUtil.get_integ_alg_key_len(integ_alg))
+ )
+ # SAD entry for outband / tx path
+ args[u"entry"][u"sad_id"] = 100000 + i
+ args[u"entry"][u"spi"] = spi_d[u"spi_2"] + i
+
+ args[u"entry"][u"crypto_key"][u"length"] = len(ckeys[i])
+ args[u"entry"][u"crypto_key"][u"data"] = ckeys[i]
+ if integ_alg:
+ args[u"entry"][u"integrity_key"][u"length"] = len(ikeys[i])
+ args[u"entry"][u"integrity_key"][u"data"] = ikeys[i]
+ args[u"entry"][u"flags"] = int(
+ IPsecSadFlags.IPSEC_API_SAD_FLAG_NONE
+ )
+ papi_exec.add(
+ cmd, history=bool(not 1 < i < n_tunnels - 2), **args
+ )
+ # SAD entry for inband / rx path
+ args[u"entry"][u"sad_id"] = i
+ args[u"entry"][u"spi"] = spi_d[u"spi_1"] + i
+
+ args[u"entry"][u"crypto_key"][u"length"] = len(ckeys[i])
+ args[u"entry"][u"crypto_key"][u"data"] = ckeys[i]
+ if integ_alg:
+ args[u"entry"][u"integrity_key"][u"length"] = len(ikeys[i])
+ args[u"entry"][u"integrity_key"][u"data"] = ikeys[i]
+ args[u"entry"][u"flags"] = int(
+ IPsecSadFlags.IPSEC_API_SAD_FLAG_NONE |
+ IPsecSadFlags.IPSEC_API_SAD_FLAG_IS_INBOUND
+ )
+ papi_exec.add(
+ cmd, history=bool(not 1 < i < n_tunnels - 2), **args
+ )
+ err_msg = f"Failed to add IPsec SAD entries on host" \
+ f" {nodes[u'DUT2'][u'host']}"
+ papi_exec.get_replies(err_msg)
+ # Add protection for tunnels with IPSEC
+ cmd = u"ipsec_tunnel_protect_update"
+ n_hop = dict(
+ address=0,
+ via_label=MPLS_LABEL_INVALID,
+ obj_id=Constants.BITWISE_NON_ZERO
+ )
+ ipsec_tunnel_protect = dict(
+ sw_if_index=None,
+ nh=n_hop,
+ sa_out=None,
+ n_sa_in=1,
+ sa_in=None
+ )
+ args = dict(
+ tunnel=ipsec_tunnel_protect
+ )
+ for i in range(existing_tunnels, n_tunnels):
+ args[u"tunnel"][u"sw_if_index"] = ipip_tunnels[i]
+ args[u"tunnel"][u"sa_out"] = 100000 + i
+ args[u"tunnel"][u"sa_in"] = [i]
+ papi_exec.add(
+ cmd, history=bool(not 1 < i < n_tunnels - 2), **args
+ )
+ err_msg = f"Failed to add protection for tunnels with IPSEC " \
+ f"on host {nodes[u'DUT2'][u'host']}"
+ papi_exec.get_replies(err_msg)
+
+ if not existing_tunnels:
+ # Configure IP route
+ cmd = u"ip_route_add_del"
+ route = IPUtil.compose_vpp_route_structure(
+ nodes[u"DUT2"], tun_ips[u"ip1"].compressed,
+ prefix_len=32 if tun_ips[u"ip1"].version == 6 else 8,
+ interface=if2_key,
+ gateway=(tun_ips[u"ip2"] - 1).compressed
+ )
+ args = dict(
+ is_add=1,
+ is_multipath=0,
+ route=route
+ )
+ papi_exec.add(cmd, **args)
+ # Configure unnumbered interfaces
+ cmd = u"sw_interface_set_unnumbered"
+ args = dict(
+ is_add=True,
+ sw_if_index=InterfaceUtil.get_interface_index(
+ nodes[u"DUT2"], if2_key
+ ),
+ unnumbered_sw_if_index=0
+ )
+ for i in range(existing_tunnels, n_tunnels):
+ args[u"unnumbered_sw_if_index"] = ipip_tunnels[i]
+ papi_exec.add(
+ cmd, history=bool(not 1 < i < n_tunnels - 2), **args
+ )
+ # Set interfaces up
+ cmd = u"sw_interface_set_flags"
+ args = dict(
+ sw_if_index=0,
+ flags=InterfaceStatusFlags.IF_STATUS_API_FLAG_ADMIN_UP.value
+ )
+ for i in range(existing_tunnels, n_tunnels):
+ args[u"sw_if_index"] = ipip_tunnels[i]
+ papi_exec.add(
+ cmd, history=bool(not 1 < i < n_tunnels - 2), **args
+ )
+ # Configure IP routes
+ cmd = u"ip_route_add_del"
+ args = dict(
+ is_add=1,
+ is_multipath=0,
+ route=None
+ )
+ for i in range(existing_tunnels, n_tunnels):
+ args[u"route"] = IPUtil.compose_vpp_route_structure(
+ nodes[u"DUT1"], (raddr_ip1 + i).compressed,
+ prefix_len=128 if raddr_ip1.version == 6 else 32,
+ interface=ipip_tunnels[i]
+ )
+ papi_exec.add(
+ cmd, history=bool(not 1 < i < n_tunnels - 2), **args
+ )
+ err_msg = f"Failed to add IP routes " \
+ f"on host {nodes[u'DUT2'][u'host']}"
+ papi_exec.get_replies(err_msg)
+
+ @staticmethod
+ def vpp_ipsec_create_tunnel_interfaces(
+ nodes, tun_if1_ip_addr, tun_if2_ip_addr, if1_key, if2_key,
+ n_tunnels, crypto_alg, integ_alg, raddr_ip1, raddr_ip2, raddr_range,
+ existing_tunnels=0, return_keys=False):
+ """Create multiple IPsec tunnel interfaces between two VPP nodes.
+
+ Some deployments (e.g. devicetest) need to know the generated keys.
+ But other deployments (e.g. scale perf test) would get spammed
+ if we returned keys every time.
+
+ :param nodes: VPP nodes to create tunnel interfaces.
+ :param tun_if1_ip_addr: VPP node 1 ipsec tunnel interface IPv4/IPv6
+ address.
+ :param tun_if2_ip_addr: VPP node 2 ipsec tunnel interface IPv4/IPv6
+ address.
+ :param if1_key: VPP node 1 interface key from topology file.
+ :param if2_key: VPP node 2 / TG node (in case of 2-node topology)
+ interface key from topology file.
+ :param n_tunnels: Number of tunnel interfaces to be there at the end.
+ :param crypto_alg: The encryption algorithm name.
+ :param integ_alg: The integrity algorithm name.
+ :param raddr_ip1: Policy selector remote IPv4/IPv6 start address for the
+ first tunnel in direction node1->node2.
+ :param raddr_ip2: Policy selector remote IPv4/IPv6 start address for the
+ first tunnel in direction node2->node1.
+ :param raddr_range: Mask specifying range of Policy selector Remote
+ IPv4/IPv6 addresses. Valid values are from 1 to 32 in case of IPv4
+ and to 128 in case of IPv6.
+ :param existing_tunnels: Number of tunnel interfaces before creation.
+ Useful mainly for reconf tests. Default 0.
+ :param return_keys: Whether generated keys should be returned.
+ :type nodes: dict
+ :type tun_if1_ip_addr: str
+ :type tun_if2_ip_addr: str
+ :type if1_key: str
+ :type if2_key: str
+ :type n_tunnels: int
+ :type crypto_alg: CryptoAlg
+ :type integ_alg: Optonal[IntegAlg]
+ :type raddr_ip1: string
+ :type raddr_ip2: string
+ :type raddr_range: int
+ :type existing_tunnels: int
+ :type return_keys: bool
+ :returns: Ckeys, ikeys, spi_1, spi_2.
+ :rtype: Optional[List[bytes], List[bytes], int, int]
+ """
+ n_tunnels = int(n_tunnels)
+ existing_tunnels = int(existing_tunnels)
+ spi_d = dict(
+ spi_1=100000,
+ spi_2=200000
+ )
+ tun_ips = dict(
+ ip1=ip_address(tun_if1_ip_addr),
+ ip2=ip_address(tun_if2_ip_addr)
+ )
+ raddr_ip1 = ip_address(raddr_ip1)
+ raddr_ip2 = ip_address(raddr_ip2)
+ addr_incr = 1 << (128 - raddr_range) if tun_ips[u"ip1"].version == 6 \
+ else 1 << (32 - raddr_range)
+
+ ckeys, ikeys = IPsecUtil._ipsec_create_tunnel_interfaces_dut1_papi(
+ nodes, tun_ips, if1_key, if2_key, n_tunnels, crypto_alg,
+ integ_alg, raddr_ip2, addr_incr, spi_d, existing_tunnels
+ )
+ if u"DUT2" in nodes.keys():
+ IPsecUtil._ipsec_create_tunnel_interfaces_dut2_papi(
+ nodes, tun_ips, if2_key, n_tunnels, crypto_alg, ckeys,
+ integ_alg, ikeys, raddr_ip1, addr_incr, spi_d,
+ existing_tunnels
+ )
+
+ if return_keys:
+ return ckeys, ikeys, spi_d[u"spi_1"], spi_d[u"spi_2"]
+ return None
+
+ @staticmethod
+ def _create_ipsec_script_files(dut, instances):
+ """Create script files for configuring IPsec in containers
+
+ :param dut: DUT node on which to create the script files
+ :param instances: number of containers on DUT node
+ :type dut: string
+ :type instances: int
+ """
+ scripts = []
+ for cnf in range(0, instances):
+ script_filename = (
+ f"/tmp/ipsec_create_tunnel_cnf_{dut}_{cnf + 1}.config"
+ )
+ scripts.append(open(script_filename, 'w'))
+ return scripts
+
+ @staticmethod
+ def _close_and_copy_ipsec_script_files(
+ dut, nodes, instances, scripts):
+ """Close created scripts and copy them to containers
+
+ :param dut: DUT node on which to create the script files
+ :param nodes: VPP nodes
+ :param instances: number of containers on DUT node
+ :param scripts: dictionary holding the script files
+ :type dut: string
+ :type nodes: dict
+ :type instances: int
+ :type scripts: dict
+ """
+ for cnf in range(0, instances):
+ scripts[cnf].close()
+ script_filename = (
+ f"/tmp/ipsec_create_tunnel_cnf_{dut}_{cnf + 1}.config"
+ )
+ scp_node(nodes[dut], script_filename, script_filename)
+
+
+ @staticmethod
+ def vpp_ipsec_create_tunnel_interfaces_in_containers(
+ nodes, if1_ip_addr, if2_ip_addr, n_tunnels, crypto_alg, integ_alg,
+ raddr_ip1, raddr_ip2, raddr_range, n_instances):
+ """Create multiple IPsec tunnel interfaces between two VPP nodes.
+
+ :param nodes: VPP nodes to create tunnel interfaces.
+ :param if1_ip_addr: VPP node 1 interface IP4 address.
+ :param if2_ip_addr: VPP node 2 interface IP4 address.
+ :param n_tunnels: Number of tunnell interfaces to create.
+ :param crypto_alg: The encryption algorithm name.
+ :param integ_alg: The integrity algorithm name.
+ :param raddr_ip1: Policy selector remote IPv4 start address for the
+ first tunnel in direction node1->node2.
+ :param raddr_ip2: Policy selector remote IPv4 start address for the
+ first tunnel in direction node2->node1.
+ :param raddr_range: Mask specifying range of Policy selector Remote
+ IPv4 addresses. Valid values are from 1 to 32.
+ :param n_instances: Number of containers.
+ :type nodes: dict
+ :type if1_ip_addr: str
+ :type if2_ip_addr: str
+ :type n_tunnels: int
+ :type crypto_alg: CryptoAlg
+ :type integ_alg: Optional[IntegAlg]
+ :type raddr_ip1: string
+ :type raddr_ip2: string
+ :type raddr_range: int
+ :type n_instances: int
+ """
+ spi_1 = 100000
+ spi_2 = 200000
+ addr_incr = 1 << (32 - raddr_range)
+
+ dut1_scripts = IPsecUtil._create_ipsec_script_files(
+ u"DUT1", n_instances
+ )
+ dut2_scripts = IPsecUtil._create_ipsec_script_files(
+ u"DUT2", n_instances
+ )
+
+ for cnf in range(0, n_instances):
+ dut1_scripts[cnf].write(
+ u"create loopback interface\n"
+ u"set interface state loop0 up\n\n"
+ )
+ dut2_scripts[cnf].write(
+ f"ip route add {if1_ip_addr}/8 via "
+ f"{ip_address(if2_ip_addr) + cnf + 100} memif1/{cnf + 1}\n\n"
+ )
+
+ for tnl in range(0, n_tunnels):
+ cnf = tnl % n_instances
+ ckey = getattr(
+ gen_key(IPsecUtil.get_crypto_alg_key_len(crypto_alg)), u"hex"
+ )
+ integ = u""
+ ikey = getattr(
+ gen_key(IPsecUtil.get_integ_alg_key_len(integ_alg)), u"hex"
+ )
+ if integ_alg:
+ integ = (
+ f"integ-alg {integ_alg.alg_name} "
+ f"local-integ-key {ikey} "
+ f"remote-integ-key {ikey} "
+ )
+ # Configure tunnel end point(s) on left side
+ dut1_scripts[cnf].write(
+ u"set interface ip address loop0 "
+ f"{ip_address(if1_ip_addr) + tnl * addr_incr}/32\n"
+ f"create ipsec tunnel "
+ f"local-ip {ip_address(if1_ip_addr) + tnl * addr_incr} "
+ f"local-spi {spi_1 + tnl} "
+ f"remote-ip {ip_address(if2_ip_addr) + cnf} "
+ f"remote-spi {spi_2 + tnl} "
+ f"crypto-alg {crypto_alg.alg_name} "
+ f"local-crypto-key {ckey} "
+ f"remote-crypto-key {ckey} "
+ f"instance {tnl // n_instances} "
+ f"salt 0x0 "
+ f"{integ} \n"
+ f"set interface unnumbered ipip{tnl // n_instances} use loop0\n"
+ f"set interface state ipip{tnl // n_instances} up\n"
+ f"ip route add {ip_address(raddr_ip2)+tnl}/32 "
+ f"via ipip{tnl // n_instances}\n\n"
+ )
+ # Configure tunnel end point(s) on right side
+ dut2_scripts[cnf].write(
+ f"set ip neighbor memif1/{cnf + 1} "
+ f"{ip_address(if1_ip_addr) + tnl * addr_incr} "
+ f"02:02:00:00:{17:02X}:{cnf:02X} static\n"
+ f"create ipsec tunnel local-ip {ip_address(if2_ip_addr) + cnf} "
+ f"local-spi {spi_2 + tnl} "
+ f"remote-ip {ip_address(if1_ip_addr) + tnl * addr_incr} "
+ f"remote-spi {spi_1 + tnl} "
+ f"crypto-alg {crypto_alg.alg_name} "
+ f"local-crypto-key {ckey} "
+ f"remote-crypto-key {ckey} "
+ f"instance {tnl // n_instances} "
+ f"salt 0x0 "
+ f"{integ}\n"
+ f"set interface unnumbered ipip{tnl // n_instances} "
+ f"use memif1/{cnf + 1}\n"
+ f"set interface state ipip{tnl // n_instances} up\n"
+ f"ip route add {ip_address(raddr_ip1) + tnl}/32 "
+ f"via ipip{tnl // n_instances}\n\n"
+ )
+
+ IPsecUtil._close_and_copy_ipsec_script_files(
+ u"DUT1", nodes, n_instances, dut1_scripts)
+ IPsecUtil._close_and_copy_ipsec_script_files(
+ u"DUT2", nodes, n_instances, dut2_scripts)
+
+ @staticmethod
+ def vpp_ipsec_add_multiple_tunnels(
+ nodes, interface1, interface2, n_tunnels, crypto_alg, integ_alg,
+ tunnel_ip1, tunnel_ip2, raddr_ip1, raddr_ip2, raddr_range,
+ tunnel_addr_incr=True):
+ """Create multiple IPsec tunnels between two VPP nodes.
+
+ :param nodes: VPP nodes to create tunnels.
+ :param interface1: Interface name or sw_if_index on node 1.
+ :param interface2: Interface name or sw_if_index on node 2.
+ :param n_tunnels: Number of tunnels to create.
+ :param crypto_alg: The encryption algorithm name.
+ :param integ_alg: The integrity algorithm name.
+ :param tunnel_ip1: Tunnel node1 IPv4 address.
+ :param tunnel_ip2: Tunnel node2 IPv4 address.
+ :param raddr_ip1: Policy selector remote IPv4 start address for the
+ first tunnel in direction node1->node2.
+ :param raddr_ip2: Policy selector remote IPv4 start address for the
+ first tunnel in direction node2->node1.
+ :param raddr_range: Mask specifying range of Policy selector Remote
+ IPv4 addresses. Valid values are from 1 to 32.
+ :param tunnel_addr_incr: Enable or disable tunnel IP address
+ incremental step.
+ :type nodes: dict
+ :type interface1: str or int
+ :type interface2: str or int
+ :type n_tunnels: int
+ :type crypto_alg: CryptoAlg
+ :type integ_alg: Optional[IntegAlg]
+ :type tunnel_ip1: str
+ :type tunnel_ip2: str
+ :type raddr_ip1: string
+ :type raddr_ip2: string
+ :type raddr_range: int
+ :type tunnel_addr_incr: bool