X-Git-Url: https://gerrit.fd.io/r/gitweb?p=csit.git;a=blobdiff_plain;f=GPL%2Ftraffic_scripts%2Fipsec_interface.py;h=e6e90a25988a595265f4720eddd910283118785e;hp=1254388b1322289174c24083064ab3ec761b4d6a;hb=9f7e749f98f1437b90647749501d43b02a2be5eb;hpb=6b40a760505ae11c896deb68f92775cdf04ba965 diff --git a/GPL/traffic_scripts/ipsec_interface.py b/GPL/traffic_scripts/ipsec_interface.py index 1254388b13..e6e90a2598 100644 --- a/GPL/traffic_scripts/ipsec_interface.py +++ b/GPL/traffic_scripts/ipsec_interface.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 -# Copyright (c) 2020 Cisco and/or its affiliates. +# Copyright (c) 2022 Cisco and/or its affiliates. # # SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later # @@ -14,7 +14,8 @@ # # Note: If this file is linked with Scapy, which is GPLv2+, your use of it # must be under GPLv2+. If at any point in the future it is no longer linked -# with Scapy (or other GPLv2+ licensed software), you are free to choose Apache 2. +# with Scapy (or other GPLv2+ licensed software), you are free to choose +# Apache 2. # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, @@ -28,7 +29,7 @@ import sys from ipaddress import ip_address from scapy.layers.inet import IP -from scapy.layers.inet6 import IPv6, ICMPv6ND_NS +from scapy.layers.inet6 import IPv6, ICMPv6ND_NS, ICMPv6MLReport2, ICMPv6ND_RA from scapy.layers.ipsec import SecurityAssociation, ESP from scapy.layers.l2 import Ether from scapy.packet import Raw @@ -76,7 +77,7 @@ def check_ipsec( if not pkt_recv.haslayer(ip_layer): raise RuntimeError( - f"Not an {ip_layer.__name__} packet received: {pkt_recv!r}" + f"Not an {ip_layer.name} packet received: {pkt_recv!r}" ) if pkt_recv[ip_layer].src != src_tun: @@ -96,9 +97,6 @@ def check_ipsec( ip_pkt = pkt_recv[ip_layer] d_pkt = sa_in.decrypt(ip_pkt) - print(u"Decrypted packet:") - d_pkt.show2() - print() if d_pkt[ip_layer].dst != dst_ip: raise RuntimeError( @@ -150,19 +148,19 @@ def check_ip(pkt_recv, ip_layer, src_mac, dst_mac, src_ip, dst_ip): if not pkt_recv.haslayer(ip_layer): raise RuntimeError( - f"Not an {ip_layer.__name__} packet received: {pkt_recv!r}" + f"Not an {ip_layer.name} packet received: {pkt_recv!r}" ) if pkt_recv[ip_layer].dst != dst_ip: raise RuntimeError( f"Received packet has invalid destination address: " - f"{pkt_recv[ip_layer.__name__].dst} should be: {dst_ip}" + f"{pkt_recv[ip_layer.name].dst} should be: {dst_ip}" ) if pkt_recv[ip_layer].src != src_ip: raise RuntimeError( f"Received packet has invalid destination address: " - f"{pkt_recv[ip_layer.__name__].dst} should be: {src_ip}" + f"{pkt_recv[ip_layer.name].dst} should be: {src_ip}" ) if ip_layer == IP and pkt_recv[ip_layer].proto != 61: @@ -213,19 +211,18 @@ def main(): sa_in = SecurityAssociation( ESP, spi=l_spi, crypt_algo=crypto_alg, crypt_key=crypto_key.encode(encoding=u"utf-8"), auth_algo=integ_alg, - auth_key=integ_key.encode(encoding=u"utf-8"), - tunnel_header=tunnel_in + auth_key=integ_key.encode(encoding=u"utf-8"), tunnel_header=tunnel_in ) sa_out = SecurityAssociation( ESP, spi=r_spi, crypt_algo=crypto_alg, crypt_key=crypto_key.encode(encoding=u"utf-8"), auth_algo=integ_alg, - auth_key=integ_key.encode(encoding=u"utf-8"), - tunnel_header=tunnel_out + auth_key=integ_key.encode(encoding=u"utf-8"), tunnel_header=tunnel_out ) sent_packets = list() - tx_pkt_send = (Ether(src=tx_src_mac, dst=tx_dst_mac) / ip_pkt) + tx_pkt_send = ( + Ether(src=tx_src_mac, dst=tx_dst_mac) / ip_pkt) tx_pkt_send /= Raw() size_limit = 78 if ip_layer == IPv6 else 64 if len(tx_pkt_send) < size_limit: @@ -237,46 +234,58 @@ def main(): rx_pkt_recv = rx_rxq.recv(2) if rx_pkt_recv is None: - raise RuntimeError(f"{ip_layer.__name__} packet Rx timeout") + raise RuntimeError(f"{ip_layer.name} packet Rx timeout") if rx_pkt_recv.haslayer(ICMPv6ND_NS): # read another packet in the queue if the current one is ICMPv6ND_NS continue - else: - # otherwise process the current packet - break + if rx_pkt_recv.haslayer(ICMPv6MLReport2): + # read another packet in the queue if the current one is + # ICMPv6MLReport2 + continue + if rx_pkt_recv.haslayer(ICMPv6ND_RA): + # read another packet in the queue if the current one is + # ICMPv6ND_RA + continue + + # otherwise process the current packet + break check_ipsec( rx_pkt_recv, ip_layer, rx_src_mac, rx_dst_mac, src_tun, dst_tun, src_ip, dst_ip, sa_in ) - ip_pkt = ip_layer(src=dst_ip, dst=src_ip, proto=61) if ip_layer == IP \ + rx_ip_pkt = ip_layer(src=dst_ip, dst=src_ip, proto=61) if ip_layer == IP \ else ip_layer(src=dst_ip, dst=src_ip) - ip_pkt /= Raw() - if len(ip_pkt) < (size_limit - 14): - ip_pkt[Raw].load += (b"\0" * (size_limit - 14 - len(ip_pkt))) - e_pkt = sa_out.encrypt(ip_pkt) - rx_pkt_send = (Ether(src=rx_dst_mac, dst=rx_src_mac) / - e_pkt) + rx_ip_pkt /= Raw() + if len(rx_ip_pkt) < (size_limit - 14): + rx_ip_pkt[Raw].load += (b"\0" * (size_limit - 14 - len(rx_ip_pkt))) + rx_pkt_send = ( + Ether(src=rx_dst_mac, dst=rx_src_mac) / sa_out.encrypt(rx_ip_pkt)) rx_txq.send(rx_pkt_send) while True: tx_pkt_recv = tx_rxq.recv(2, ignore=sent_packets) if tx_pkt_recv is None: - raise RuntimeError(f"{ip_layer.__name__} packet Rx timeout") + raise RuntimeError(f"{ip_layer.name} packet Rx timeout") if tx_pkt_recv.haslayer(ICMPv6ND_NS): # read another packet in the queue if the current one is ICMPv6ND_NS continue - else: - # otherwise process the current packet - break + if tx_pkt_recv.haslayer(ICMPv6MLReport2): + # read another packet in the queue if the current one is + # ICMPv6MLReport2 + continue + if tx_pkt_recv.haslayer(ICMPv6ND_RA): + # read another packet in the queue if the current one is + # ICMPv6ND_RA + continue - check_ip(tx_pkt_recv, ip_layer, tx_dst_mac, tx_src_mac, dst_ip, src_ip) + break - sys.exit(0) + check_ip(tx_pkt_recv, ip_layer, tx_dst_mac, tx_src_mac, dst_ip, src_ip) if __name__ == u"__main__":