X-Git-Url: https://gerrit.fd.io/r/gitweb?p=csit.git;a=blobdiff_plain;f=resources%2Ftraffic_scripts%2Fipsec.py;fp=resources%2Ftraffic_scripts%2Fipsec.py;h=b853b6c09fde31bbbaa096bc088562c5f72b1d76;hp=1561738c6037a1557a8eff71231561fb16f3053d;hb=a4cad14b7e0b7e94f9e80b1a45cd86b3bc09d0a0;hpb=d5e00a369ffef5edf929ef5b03b7c544021b2e41 diff --git a/resources/traffic_scripts/ipsec.py b/resources/traffic_scripts/ipsec.py index 1561738c60..b853b6c09f 100755 --- a/resources/traffic_scripts/ipsec.py +++ b/resources/traffic_scripts/ipsec.py @@ -1,6 +1,6 @@ #!/usr/bin/env python -# Copyright (c) 2016 Cisco and/or its affiliates. +# Copyright (c) 2019 Cisco and/or its affiliates. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at: @@ -23,9 +23,8 @@ import logging logging.getLogger("scapy.runtime").setLevel(logging.ERROR) from scapy.all import Ether -from scapy.layers.inet import ICMP, IP +from scapy.layers.inet import IP from scapy.layers.inet6 import IPv6, ICMPv6ND_NS -from scapy.layers.inet6 import ICMPv6EchoRequest, ICMPv6EchoReply from scapy.layers.ipsec import SecurityAssociation, ESP from ipaddress import ip_address @@ -33,114 +32,113 @@ from resources.libraries.python.TrafficScriptArg import TrafficScriptArg from resources.libraries.python.PacketVerifier import RxQueue, TxQueue -def check_ipv4(pkt_recv, dst_tun, src_ip, dst_ip, sa_in): - """Check received IPv4 IPsec packet. +def check_ipsec(pkt_recv, ip_layer, dst_tun, src_ip, dst_ip, sa_in): + """Check received IPsec packet. :param pkt_recv: Received packet to verify. + :param ip_layer: Scapy IP layer. :param dst_tun: IPsec tunnel destination address. - :param src_ip: Source address of original IPv4 packet. - :param dst_ip: Destination address of original IPv4 packet. + :param src_ip: Source IP/IPv6 address of original IP/IPv6 packet. + :param dst_ip: Destination IP/IPv6 address of original IP/IPv6 packet. :param sa_in: IPsec SA for packet decryption. :type pkt_recv: scapy.Ether + :type ip_layer: scapy.layers.inet.IP or scapy.layers.inet6.IPv6 :type dst_tun: str :type src_ip: str :type dst_ip: str :type sa_in: scapy.layers.ipsec.SecurityAssociation :raises RuntimeError: If received packet is invalid. """ - if not pkt_recv.haslayer(IP): - raise RuntimeError( - 'Not an IPv4 packet received: {0}'.format(pkt_recv.__repr__())) + if not pkt_recv.haslayer(ip_layer): + raise RuntimeError('Not an {ip} packet received: {pkt}'.format( + ip=ip_layer.name, pkt=pkt_recv.__repr__())) - if pkt_recv['IP'].dst != dst_tun: + if pkt_recv[ip_layer.name].dst != dst_tun: raise RuntimeError( - 'Received packet has invalid destination address: {0} ' - 'should be: {1}'.format(pkt_recv['IP'].dst, dst_tun)) + 'Received packet has invalid destination address: {rec_ip} ' + 'should be: {exp_ip}'.format( + rec_ip=pkt_recv[ip_layer.name].dst, exp_ip=dst_tun)) if not pkt_recv.haslayer(ESP): raise RuntimeError( - 'Not an ESP packet received: {0}'.format(pkt_recv.__repr__())) + 'Not an ESP packet received: {pkt}'.format(pkt=pkt_recv.__repr__())) - ip_pkt = pkt_recv[IP] + ip_pkt = pkt_recv[ip_layer] d_pkt = sa_in.decrypt(ip_pkt) - if d_pkt[IP].dst != dst_ip: + if d_pkt[ip_layer].dst != dst_ip: raise RuntimeError( - 'Decrypted packet has invalid destination address: {0} ' - 'should be: {1}'.format(d_pkt['IP'].dst, dst_ip)) + 'Decrypted packet has invalid destination address: {rec_ip} ' + 'should be: {exp_ip}'.format( + rec_ip=d_pkt[ip_layer].dst, exp_ip=dst_ip)) - if d_pkt[IP].src != src_ip: + if d_pkt[ip_layer].src != src_ip: raise RuntimeError( - 'Decrypted packet has invalid source address: {0} should be: {1}' - .format(d_pkt['IP'].src, src_ip)) + 'Decrypted packet has invalid source address: {rec_ip} should be: ' + '{exp_ip}'.format(rec_ip=d_pkt[ip_layer].src, exp_ip=src_ip)) - if not d_pkt.haslayer(ICMP): + if ip_layer == IP and d_pkt[ip_layer.name].proto != 61: raise RuntimeError( - 'Decrypted packet does not have ICMP layer: {0}'.format( - d_pkt.__repr__())) + 'Decrypted packet has invalid IP protocol: {rec_proto} ' + 'should be: 61'.format(rec_proto=d_pkt[ip_layer.name].proto)) -def check_ipv6(pkt_recv, dst_tun, src_ip, dst_ip, sa_in): - """Check received IPv6 IPsec packet. +def check_ip(pkt_recv, ip_layer, src_ip, dst_ip): + """Check received IP/IPv6 packet. :param pkt_recv: Received packet to verify. - :param dst_tun: IPsec tunnel destination address. - :param src_ip: Source address of original IPv6 packet. - :param dst_ip: Destination address of original IPv6 packet. - :param sa_in: IPsec SA for packet decryption. + :param ip_layer: Scapy IP layer. + :param src_ip: Source IP/IPv6 address. + :param dst_ip: Destination IP/IPv6 address. :type pkt_recv: scapy.Ether - :type dst_tun: str + :type ip_layer: scapy.layers.inet.IP or scapy.layers.inet6.IPv6 :type src_ip: str :type dst_ip: str - :type sa_in: scapy.layers.ipsec.SecurityAssociation :raises RuntimeError: If received packet is invalid. """ - if not pkt_recv.haslayer(IPv6): - raise RuntimeError( - 'Not an IPv6 packet received: {0}'.format(pkt_recv.__repr__())) - - if pkt_recv[IPv6].dst != dst_tun: - raise RuntimeError( - 'Received packet has invalid destination address: {0} ' - 'should be: {1}'.format(pkt_recv['IPv6'].dst, dst_tun)) + if not pkt_recv.haslayer(ip_layer): + raise RuntimeError('Not an {ip} packet received: {pkt}'.format( + ip=ip_layer.name, pkt=pkt_recv.__repr__())) - if not pkt_recv.haslayer(ESP): - raise RuntimeError( - 'Not an ESP packet received: {0}'.format(pkt_recv.__repr__())) - - ip_pkt = pkt_recv[IPv6] - d_pkt = sa_in.decrypt(ip_pkt) - - if d_pkt[IPv6].dst != dst_ip: + if pkt_recv[ip_layer.name].dst != dst_ip: raise RuntimeError( - 'Decrypted packet has invalid destination address {0}: ' - 'should be: {1}'.format(d_pkt['IPv6'].dst, dst_ip)) + 'Received packet has invalid destination address: {rec_ip} ' + 'should be: {exp_ip}'.format( + rec_ip=pkt_recv[ip_layer.name].dst, exp_ip=dst_ip)) - if d_pkt[IPv6].src != src_ip: + if pkt_recv[ip_layer.name].src != src_ip: raise RuntimeError( - 'Decrypted packet has invalid source address: {0} should be: {1}' - .format(d_pkt['IPv6'].src, src_ip)) + 'Received packet has invalid destination address: {rec_ip} ' + 'should be: {exp_ip}'.format( + rec_ip=pkt_recv[ip_layer.name].dst, exp_ip=src_ip)) - if not d_pkt.haslayer(ICMPv6EchoReply): + if ip_layer == IP and pkt_recv[ip_layer.name].proto != 61: raise RuntimeError( - 'Decrypted packet does not have ICMP layer: {0}'.format( - d_pkt.__repr__())) + 'Received packet has invalid IP protocol: {rec_proto} ' + 'should be: 61'.format(rec_proto=pkt_recv[ip_layer.name].proto)) # pylint: disable=too-many-locals # pylint: disable=too-many-statements def main(): """Send and receive IPsec packet.""" - args = TrafficScriptArg(['src_mac', 'dst_mac', 'src_ip', 'dst_ip', - 'crypto_alg', 'crypto_key', 'integ_alg', - 'integ_key', 'l_spi', 'r_spi'], - ['src_tun', 'dst_tun']) - - rxq = RxQueue(args.get_arg('rx_if')) - txq = TxQueue(args.get_arg('tx_if')) - src_mac = args.get_arg('src_mac') - dst_mac = args.get_arg('dst_mac') + args = TrafficScriptArg( + ['tx_src_mac', 'tx_dst_mac', 'rx_src_mac', 'rx_dst_mac', 'src_ip', + 'dst_ip','crypto_alg', 'crypto_key', 'integ_alg', 'integ_key', + 'l_spi', 'r_spi'], + ['src_tun', 'dst_tun'] + ) + + tx_txq = TxQueue(args.get_arg('tx_if')) + tx_rxq = RxQueue(args.get_arg('tx_if')) + rx_txq = TxQueue(args.get_arg('rx_if')) + rx_rxq = RxQueue(args.get_arg('rx_if')) + + tx_src_mac = args.get_arg('tx_src_mac') + tx_dst_mac = args.get_arg('tx_dst_mac') + rx_src_mac = args.get_arg('rx_src_mac') + rx_dst_mac = args.get_arg('rx_dst_mac') src_ip = args.get_arg('src_ip') dst_ip = args.get_arg('dst_ip') crypto_alg = args.get_arg('crypto_alg') @@ -152,23 +150,18 @@ def main(): src_tun = args.get_arg('src_tun') dst_tun = args.get_arg('dst_tun') - is_ipv4 = True - if 6 == ip_address(unicode(src_ip)).version: - is_ipv4 = False + if ip_address(unicode(src_ip)).version == 6: + ip_layer = IPv6 + else: + ip_layer = IP - tunnel_out = None - tunnel_in = None + tunnel_out = ip_layer(src=src_tun, dst=dst_tun) if src_tun and dst_tun \ + else None + tunnel_in = ip_layer(src=dst_tun, dst=src_tun) if src_tun and dst_tun \ + else None - if src_tun and dst_tun: - if is_ipv4: - tunnel_out = IP(src=src_tun, dst=dst_tun) - tunnel_in = IP(src=dst_tun, dst=src_tun) - else: - tunnel_out = IPv6(src=src_tun, dst=dst_tun) - tunnel_in = IPv6(src=dst_tun, dst=src_tun) - else: + if not (src_tun and dst_tun): src_tun = src_ip - dst_tun = dst_ip sa_in = SecurityAssociation(ESP, spi=r_spi, crypt_algo=crypto_alg, crypt_key=crypto_key, auth_algo=integ_alg, @@ -178,41 +171,55 @@ def main(): crypt_key=crypto_key, auth_algo=integ_alg, auth_key=integ_key, tunnel_header=tunnel_out) - sent_packets = [] - - if is_ipv4: - ip_pkt = (IP(src=src_ip, dst=dst_ip) / - ICMP()) - ip_pkt = IP(str(ip_pkt)) - else: - ip_pkt = (IPv6(src=src_ip, dst=dst_ip) / - ICMPv6EchoRequest()) - ip_pkt = IPv6(str(ip_pkt)) + ip_pkt = ip_layer(src=src_ip, dst=dst_ip, proto=61) if ip_layer == IP \ + else ip_layer(src=src_ip, dst=dst_ip) + ip_pkt = ip_layer(str(ip_pkt)) e_pkt = sa_out.encrypt(ip_pkt) - pkt_send = (Ether(src=src_mac, dst=dst_mac) / - e_pkt) + tx_pkt_send = (Ether(src=tx_src_mac, dst=tx_dst_mac) / + e_pkt) + + sent_packets = list() + sent_packets.append(tx_pkt_send) + tx_txq.send(tx_pkt_send) + + while True: + rx_pkt_recv = rx_rxq.recv(2) + + if rx_pkt_recv is None: + raise RuntimeError( + '{ip} packet Rx timeout'.format(ip=ip_layer.name)) + + if rx_pkt_recv.haslayer(ICMPv6ND_NS): + # read another packet in the queue if the current one is ICMPv6ND_NS + continue + else: + # otherwise process the current packet + break + + check_ip(rx_pkt_recv, ip_layer, src_ip, dst_ip) - sent_packets.append(pkt_send) - txq.send(pkt_send) + rx_ip_pkt = ip_layer(src=dst_ip, dst=src_ip, proto=61) if ip_layer == IP \ + else ip_layer(src=dst_ip, dst=src_ip) + rx_pkt_send = (Ether(src=rx_dst_mac, dst=rx_src_mac) / + rx_ip_pkt) + + rx_txq.send(rx_pkt_send) while True: - pkt_recv = rxq.recv(2, sent_packets) + tx_pkt_recv = tx_rxq.recv(2, sent_packets) - if pkt_recv is None: + if tx_pkt_recv is None: raise RuntimeError('ESP packet Rx timeout') - if pkt_recv.haslayer(ICMPv6ND_NS): + if rx_pkt_recv.haslayer(ICMPv6ND_NS): # read another packet in the queue if the current one is ICMPv6ND_NS continue else: # otherwise process the current packet break - if is_ipv4: - check_ipv4(pkt_recv, src_tun, dst_ip, src_ip, sa_in) - else: - check_ipv6(pkt_recv, src_tun, dst_ip, src_ip, sa_in) + check_ipsec(tx_pkt_recv, ip_layer, src_tun, dst_ip, src_ip, sa_in) sys.exit(0)