import socket
import unittest
from scapy.layers.ipsec import ESP
-from scapy.layers.inet import UDP
+from scapy.layers.inet import IP, ICMP, UDP
+from scapy.layers.inet6 import IPv6
+from scapy.layers.l2 import Ether
+from scapy.packet import Raw
from parameterized import parameterized
from framework import VppTestRunner
addr_bcast = params.addr_bcast
e = VppEnum.vl_api_ipsec_spd_action_t
flags = params.flags
+ tun_flags = params.tun_flags
salt = params.salt
objs = []
self.vpp_esp_protocol,
self.tun_if.local_addr[addr_type],
self.tun_if.remote_addr[addr_type],
+ tun_flags=tun_flags,
+ dscp=params.dscp,
flags=flags,
salt=salt)
params.tun_sa_out = VppIpsecSA(self, vpp_tun_sa_id, vpp_tun_spi,
self.vpp_esp_protocol,
self.tun_if.remote_addr[addr_type],
self.tun_if.local_addr[addr_type],
+ tun_flags=tun_flags,
+ dscp=params.dscp,
flags=flags,
salt=salt)
objs.append(params.tun_sa_in)
self.tun4_encrypt_node_name = old_name
+class TestIpsecEspTun(TemplateIpsecEsp, IpsecTun46Tests):
+ """ Ipsec ESP - TUN encap tests """
+
+ def setUp(self):
+ self.ipv4_params = IPsecIPv4Params()
+ self.ipv6_params = IPsecIPv6Params()
+
+ c = (VppEnum.vl_api_tunnel_encap_decap_flags_t.
+ TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_DSCP)
+ c1 = c | (VppEnum.vl_api_tunnel_encap_decap_flags_t.
+ TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_ECN)
+
+ self.ipv4_params.tun_flags = c
+ self.ipv6_params.tun_flags = c1
+
+ super(TestIpsecEspTun, self).setUp()
+
+ def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=54):
+ # set the DSCP + ECN - flags are set to copy only DSCP
+ return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
+ IP(src=src, dst=dst, tos=5) /
+ UDP(sport=4444, dport=4444) /
+ Raw(b'X' * payload_size)
+ for i in range(count)]
+
+ def gen_pkts6(self, sw_intf, src, dst, count=1, payload_size=54):
+ # set the DSCP + ECN - flags are set to copy both
+ return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
+ IPv6(src=src, dst=dst, tc=5) /
+ UDP(sport=4444, dport=4444) /
+ Raw(b'X' * payload_size)
+ for i in range(count)]
+
+ def verify_encrypted(self, p, sa, rxs):
+ # just check that only the DSCP is copied
+ for rx in rxs:
+ self.assertEqual(rx[IP].tos, 4)
+
+ def verify_encrypted6(self, p, sa, rxs):
+ # just check that the DSCP & ECN are copied
+ for rx in rxs:
+ self.assertEqual(rx[IPv6].tc, 5)
+
+
+class TestIpsecEspTun2(TemplateIpsecEsp, IpsecTun46Tests):
+ """ Ipsec ESP - TUN DSCP tests """
+
+ def setUp(self):
+ self.ipv4_params = IPsecIPv4Params()
+ self.ipv6_params = IPsecIPv6Params()
+
+ self.ipv4_params.dscp = VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF
+ self.ipv6_params.dscp = VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_AF11
+
+ super(TestIpsecEspTun2, self).setUp()
+
+ def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=54):
+ # set the DSCP + ECN - flags are set to copy only DSCP
+ return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
+ IP(src=src, dst=dst) /
+ UDP(sport=4444, dport=4444) /
+ Raw(b'X' * payload_size)
+ for i in range(count)]
+
+ def gen_pkts6(self, sw_intf, src, dst, count=1, payload_size=54):
+ # set the DSCP + ECN - flags are set to copy both
+ return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
+ IPv6(src=src, dst=dst) /
+ UDP(sport=4444, dport=4444) /
+ Raw(b'X' * payload_size)
+ for i in range(count)]
+
+ def verify_encrypted(self, p, sa, rxs):
+ # just check that only the DSCP is copied
+ for rx in rxs:
+ self.assertEqual(rx[IP].tos,
+ VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF << 2)
+
+ def verify_encrypted6(self, p, sa, rxs):
+ # just check that the DSCP & ECN are copied
+ for rx in rxs:
+ self.assertEqual(rx[IPv6].tc,
+ VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_AF11 << 2)
+
+
class TestIpsecEsp2(TemplateIpsecEsp, IpsecTcpTests):
""" Ipsec ESP - TCP tests """
pass
self.run_a_test(self.engine, self.flag, self.algo)
def run_a_test(self, engine, flag, algo, payload_size=None):
+ if engine == "ia32":
+ engine = "native"
self.vapi.cli("set crypto handler all %s" % engine)
self.ipv4_params = IPsecIPv4Params()
self.verify_tra_basic4(count=NUM_PKTS)
self.verify_tun_66(self.params[socket.AF_INET6],
count=NUM_PKTS)
+ #
+ # Use an odd-byte payload size to check for correct padding.
+ #
+ # 49 + 2 == 51 which should pad +1 to 52 for 4 byte alignment, +5
+ # to 56 for 8 byte alignment, and +13 to 64 for 64 byte alignment.
+ # This should catch bugs where the code is incorrectly over-padding
+ # for algorithms that don't require it
+ psz = 49 - len(IP()/ICMP()) if payload_size is None else payload_size
self.verify_tun_44(self.params[socket.AF_INET],
- count=NUM_PKTS)
+ count=NUM_PKTS, payload_size=psz)
LARGE_PKT_SZ = [
1970, # results in 2 chained buffers entering decrypt node
# but leaving as simple buffer due to ICV removal (tra4)
+ 2004, # footer+ICV will be added to 2nd buffer (tun4)
4010, # ICV ends up splitted accross 2 buffers in esp_decrypt
# for transport4; transport6 takes normal path
4020, # same as above but tra4 and tra6 are switched