+class IpsecTra4(object):
+ """ verify methods for Transport v4 """
+ def verify_tra_anti_replay(self):
+ p = self.params[socket.AF_INET]
+ esn_en = p.vpp_tra_sa.esn_en
+
+ seq_cycle_node_name = ('/err/%s/sequence number cycled' %
+ self.tra4_encrypt_node_name)
+ replay_node_name = ('/err/%s/SA replayed packet' %
+ self.tra4_decrypt_node_name)
+ if ESP == self.encryption_type and p.crypt_algo == "AES-GCM":
+ hash_failed_node_name = ('/err/%s/ESP decryption failed' %
+ self.tra4_decrypt_node_name)
+ else:
+ hash_failed_node_name = ('/err/%s/Integrity check failed' %
+ self.tra4_decrypt_node_name)
+ replay_count = self.statistics.get_err_counter(replay_node_name)
+ hash_failed_count = self.statistics.get_err_counter(
+ hash_failed_node_name)
+ seq_cycle_count = self.statistics.get_err_counter(seq_cycle_node_name)
+
+ if ESP == self.encryption_type:
+ undersize_node_name = ('/err/%s/undersized packet' %
+ self.tra4_decrypt_node_name)
+ undersize_count = self.statistics.get_err_counter(
+ undersize_node_name)
+
+ #
+ # send packets with seq numbers 1->34
+ # this means the window size is still in Case B (see RFC4303
+ # Appendix A)
+ #
+ # for reasons i haven't investigated Scapy won't create a packet with
+ # seq_num=0
+ #
+ pkts = [(Ether(src=self.tra_if.remote_mac,
+ dst=self.tra_if.local_mac) /
+ p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
+ dst=self.tra_if.local_ip4) /
+ ICMP(),
+ seq_num=seq))
+ for seq in range(1, 34)]
+ recv_pkts = self.send_and_expect(self.tra_if, pkts, self.tra_if)
+
+ # replayed packets are dropped
+ self.send_and_assert_no_replies(self.tra_if, pkts)
+ replay_count += len(pkts)
+ self.assert_error_counter_equal(replay_node_name, replay_count)
+
+ #
+ # now send a batch of packets all with the same sequence number
+ # the first packet in the batch is legitimate, the rest bogus
+ #
+ pkts = (Ether(src=self.tra_if.remote_mac,
+ dst=self.tra_if.local_mac) /
+ p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
+ dst=self.tra_if.local_ip4) /
+ ICMP(),
+ seq_num=35))
+ recv_pkts = self.send_and_expect(self.tra_if, pkts * 8,
+ self.tra_if, n_rx=1)
+ replay_count += 7
+ self.assert_error_counter_equal(replay_node_name, replay_count)
+
+ #
+ # now move the window over to 257 (more than one byte) and into Case A
+ #