from scapy.layers.ipsec import SecurityAssociation, ESP
from scapy.layers.l2 import Ether, GRE, Dot1Q
from scapy.packet import Raw, bind_layers
-from scapy.layers.inet import IP, UDP
-from scapy.layers.inet6 import IPv6
+from scapy.layers.inet import IP, UDP, ICMP
+from scapy.layers.inet6 import IPv6, ICMPv6EchoRequest
from scapy.contrib.mpls import MPLS
-from framework import tag_fixme_vpp_workers
-from framework import VppTestRunner
+from asfframework import VppTestRunner, tag_fixme_vpp_workers
from template_ipsec import (
TemplateIpsec,
IpsecTun4Tests,
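Review bot: `Padding` is not imported by the `scapy.packet` line in this hunk, which still brings in only `Raw` and `bind_layers`, yet the TFC generators added later in this change call `Padding(b"Y" * 100)` in both `gen_encrypt_pkts` and `gen_encrypt_pkts6`. Unless the name is imported on a line outside the visible hunks, the TFC tests stop with a NameError while building packets and never reach the decrypt path they are meant to cover. The import would become `from scapy.packet import Raw, bind_layers, Padding`.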
super(TemplateIpsec4TunIfEspUdp, self).tearDown()
+class TemplateIpsec4TunTfc:
+ """IPsec IPv4 tunnel with TFC"""
+
+ def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=54):
+ pkt = (
+ IP(src=src, dst=dst, len=28 + payload_size)
+ / ICMP()
+ / Raw(b"X" * payload_size)
+ / Padding(b"Y" * 100)
+ )
+ return [
+ Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / sa.encrypt(pkt)
+ for i in range(count)
+ ]
+
+ def verify_decrypted(self, p, rxs):
+ for rx in rxs:
+ self.assert_equal(rx[IP].src, p.remote_tun_if_host)
+ self.assert_equal(rx[IP].dst, self.pg1.remote_ip4)
+ self.assert_equal(rx[IP].len, len(rx[IP]))
+ self.assert_packet_checksums_valid(rx)
+
+
class TestIpsec4TunIfEsp1(TemplateIpsec4TunIfEsp, IpsecTun4Tests):
"""Ipsec ESP - TUN tests"""
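Review bot: `gen_encrypt_pkts` in `TemplateIpsec4TunTfc` carries two unexplained constants, `len=28 + payload_size` and `Padding(b"Y" * 100)`, and nothing says that the bytes after the declared IP length are the TFC padding under test. A comment such as `# IP.len covers the IPv4 header, ICMP header and payload only; the 100 trailing bytes lie outside it and stand in for TFC padding` would make that explicit. `verify_decrypted` deserves a line noting that `rx[IP].len == len(rx[IP])` is the check that the padding was removed after decryption. The class docstring could also say that the mixin has to precede the concrete test class in the bases so that its two methods take precedence.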
super(TemplateIpsec6TunIfEspUdp, self).tearDown()
+class TemplateIpsec6TunTfc:
+ """IPsec IPv6 tunnel with TFC"""
+
+ def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1, payload_size=54):
+ return [
+ Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
+ / sa.encrypt(
+ IPv6(src=src, dst=dst, hlim=p.inner_hop_limit, fl=p.inner_flow_label)
+ / ICMPv6EchoRequest(id=0, seq=1, data="X" * payload_size)
+ / Padding(b"Y" * 100)
+ )
+ for i in range(count)
+ ]
+
+ def verify_decrypted6(self, p, rxs):
+ for rx in rxs:
+ self.assert_equal(rx[IPv6].src, p.remote_tun_if_host)
+ self.assert_equal(rx[IPv6].dst, self.pg1.remote_ip6)
+ self.assert_equal(rx[IPv6].plen, len(rx[IPv6].payload))
+ self.assert_packet_checksums_valid(rx)
+
+
class TestIpsec6TunIfEspUdp(TemplateIpsec6TunIfEspUdp, IpsecTun6Tests):
"""Ipsec ESP 6 UDP tests"""
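Review bot: `gen_encrypt_pkts6` leaves `plen` for scapy to compute while the IPv4 generator pins `len=` explicitly, so whether the 100 `Padding` bytes fall outside the declared payload length depends on how scapy builds the packet. Presumably scapy leaves `Padding` out of the computed length, which is what the `plen` check in `verify_decrypted6` relies on; a comment saying so, or an explicit `plen=`, would keep the two generators parallel. The echo data is also a `str` (`data="X" * payload_size`) where the IPv4 side uses bytes; `data=b"X" * payload_size` would match.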
self.config_sa_tra(p)
self.config_protect(p)
- tx = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4, dst=p.remote_tun_if_host)
+ tx = self.gen_pkts(
+ self.pg1, src=self.pg1.remote_ip4, dst=p.remote_tun_if_host, count=127
+ )
+ self.send_and_assert_no_replies(self.pg1, tx)
+
+ self.unconfig_protect(p)
+ self.unconfig_sa(p)
+ self.unconfig_network(p)
+
+ def test_tun_44_async(self):
+ """IPSec SA with NULL algos using async crypto"""
+ p = self.ipv4_params
+
+ self.vapi.ipsec_set_async_mode(async_enable=True)
+ self.config_network(p)
+ self.config_sa_tra(p)
+ self.config_protect(p)
+
+ tx = self.gen_pkts(
+ self.pg1, src=self.pg1.remote_ip4, dst=p.remote_tun_if_host, count=127
+ )
self.send_and_assert_no_replies(self.pg1, tx)
self.unconfig_protect(p)
self.unconfig_sa(p)
self.unconfig_network(p)
+ self.vapi.ipsec_set_async_mode(async_enable=False)
+
@tag_fixme_vpp_workers
class TestIpsec6MultiTunIfEsp(TemplateIpsec6TunProtect, TemplateIpsec, IpsecTun6):
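Review bot: Async crypto mode is switched back off only on the last line of `test_tun_44_async`, so a failed assertion or API error earlier in the test leaves `async_enable=True` set for whatever tests run afterwards against the same VPP instance. Registering the reset right after enabling it, for example `self.addCleanup(self.vapi.ipsec_set_async_mode, async_enable=False)` (assuming the test case derives from `unittest.TestCase`), or wrapping the body in `try`/`finally`, keeps the mode change scoped to this test. The test that precedes it starts above the hunk, so its name is not visible here. Its `count=127` is repeated in the new test and could share a named constant.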
self.send_and_assert_no_replies(self.tun_if, tx)
node_name = "/err/%s/unsup_payload" % self.tun4_decrypt_node_name[0]
self.assertEqual(1, self.statistics.get_err_counter(node_name))
+ err = p.tun_sa_in.get_err("unsup_payload")
+ self.assertEqual(err, 1)
class TestIpsecGre6IfEspTra(TemplateIpsec, IpsecTun6Tests):
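Review bot: The two adjacent counter checks use opposite argument orders, `assertEqual(1, ...)` for the node counter and `assertEqual(err, 1)` for the new counter read from `p.tun_sa_in`. Keeping one order, e.g. `self.assertEqual(1, p.tun_sa_in.get_err("unsup_payload"))`, also drops the single-use `err` local. The enclosing test method starts above the hunk.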
self.unconfig_network(p)
+@tag_fixme_vpp_workers
+class TestIpsec4TunProtectTfc(TemplateIpsec4TunTfc, TestIpsec4TunProtect):
+ """IPsec IPv4 Tunnel protect with TFC - transport mode"""
+
+
@tag_fixme_vpp_workers
class TestIpsec4TunProtectUdp(TemplateIpsec, TemplateIpsec4TunProtect, IpsecTun4):
- """IPsec IPv4 Tunnel protect - transport mode"""
+ """IPsec IPv4 UDP Tunnel protect - transport mode"""
def setUp(self):
super(TestIpsec4TunProtectUdp, self).setUp()
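Review bot: `TestIpsec4TunProtectTfc` inherits from the concrete `TestIpsec4TunProtect`, so every test method of that class runs a second time with the TFC generator, and the mixin's `gen_encrypt_pkts`/`verify_decrypted` silently replace whatever versions the base class defines. The same pattern is used for `TestIpsec4TunProtectUdpTfc`, `TestIpsec6TunProtectTfc`, `TestIpsecItf4Tfc` and `TestIpsecItf6Tfc` in the later hunks. If any of those base classes has its own `verify_decrypted` with extra checks, the TFC variant loses them; the visible lines do not show whether that is the case. The docstring could state the intent, e.g. `"""IPsec IPv4 Tunnel protect with TFC - transport mode (re-runs TestIpsec4TunProtect with padded inner packets)"""`.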
self.verify_keepalive(self.ipv4_params)
+@tag_fixme_vpp_workers
+class TestIpsec4TunProtectUdpTfc(TemplateIpsec4TunTfc, TestIpsec4TunProtectUdp):
+ """IPsec IPv4 UDP Tunnel protect with TFC - transport mode"""
+
+
@tag_fixme_vpp_workers
class TestIpsec4TunProtectTun(TemplateIpsec, TemplateIpsec4TunProtect, IpsecTun4):
"""IPsec IPv4 Tunnel protect - tunnel mode"""
self.unconfig_network(p)
+@tag_fixme_vpp_workers
+class TestIpsec6TunProtectTfc(TemplateIpsec6TunTfc, TestIpsec6TunProtect):
+ """IPsec IPv6 Tunnel protect with TFC - transport mode"""
+
+
@tag_fixme_vpp_workers
class TestIpsec6TunProtectTun(TemplateIpsec, TemplateIpsec6TunProtect, IpsecTun6):
"""IPsec IPv6 Tunnel protect - tunnel mode"""
self.unconfig_network(p)
+@tag_fixme_vpp_workers
+class TestIpsecItf4Tfc(TemplateIpsec4TunTfc, TestIpsecItf4):
+ """IPsec Interface IPv4 with TFC"""
+
+
class TestIpsecItf4MPLS(TemplateIpsec, TemplateIpsecItf4, IpsecTun4):
"""IPsec Interface MPLSoIPv4"""
self.unconfig_network(p)
+@tag_fixme_vpp_workers
+class TestIpsecItf6Tfc(TemplateIpsec6TunTfc, TestIpsecItf6):
+ """IPsec Interface IPv6 with TFC"""
+
+
class TestIpsecMIfEsp4(TemplateIpsec, IpsecTun4):
"""Ipsec P2MP ESP v4 tests"""