From b23edf1a86f82e7b9e45b70c55f0119143f97dd5 Mon Sep 17 00:00:00 2001 From: Patrik Hrnciar Date: Wed, 12 Oct 2016 14:01:16 +0200 Subject: [PATCH] CSIT-385 CSIT-386 IPv4/IPv6 IPsec tests - encryption/integrity key update tests Change-Id: Iddbe35e2f421b5048e60663bff2b0bf1968a9782 Signed-off-by: Patrik Hrnciar Signed-off-by: Matej Klotton --- resources/libraries/python/IPsecUtil.py | 24 ++++ resources/libraries/robot/ipsec.robot | 28 +++- resources/templates/vat/ipsec/ipsec_sa_set_key.vat | 1 + tests/func/ipsec/ipsec_transport_mode_ipv4.robot | 122 ++++++++++++++++- tests/func/ipsec/ipsec_transport_mode_ipv6.robot | 122 ++++++++++++++++- tests/func/ipsec/ipsec_tunnel_mode_ipv4.robot | 134 +++++++++++++++++- tests/func/ipsec/ipsec_tunnel_mode_ipv6.robot | 152 +++++++++++++++++++-- 7 files changed, 568 insertions(+), 15 deletions(-) create mode 100644 resources/templates/vat/ipsec/ipsec_sa_set_key.vat diff --git a/resources/libraries/python/IPsecUtil.py b/resources/libraries/python/IPsecUtil.py index e033e04b48..70d44e0936 100644 --- a/resources/libraries/python/IPsecUtil.py +++ b/resources/libraries/python/IPsecUtil.py @@ -240,6 +240,30 @@ class IPsecUtil(object): out[0], err_msg='Add SAD entry failed on {0}'.format(node['host'])) + @staticmethod + def vpp_ipsec_sa_set_key(node, sa_id, crypto_key, integ_key): + """Update Security Association (SA) keys. + + :param node: VPP node to update SA keys. + :param sa_id: SAD entry ID. + :param crypto_key: The encryption key string. + :param integ_key: The integrity key string. + :type node: dict + :type sa_id: int + :type crypto_key: str + :type integ_key: str + """ + ckey = crypto_key.encode('hex') + ikey = integ_key.encode('hex') + + out = VatExecutor.cmd_from_template(node, + "ipsec/ipsec_sa_set_key.vat", + sa_id=sa_id, + ckey=ckey, ikey=ikey) + VatJsonUtil.verify_vat_retval( + out[0], + err_msg='Update SA key failed on {0}'.format(node['host'])) + @staticmethod def vpp_ipsec_add_spd(node, spd_id): """Create Security Policy Database on the VPP node. diff --git a/resources/libraries/robot/ipsec.robot b/resources/libraries/robot/ipsec.robot index d4a2e440e6..92b292ede3 100644 --- a/resources/libraries/robot/ipsec.robot +++ b/resources/libraries/robot/ipsec.robot @@ -146,6 +146,10 @@ | | ... | - l_tunnel - Local tunnel IP address (optional). Type: string | | ... | - r_tunnel - Remote tunnel IP address (optional). Type: string | | ... +| | ... | _NOTE:_ This KW sets following test case variables: +| | ... | - l_sa_id +| | ... | - r_sa_id +| | ... | | ... | *Example:* | | ... | \| ${encr_alg}= \| Crypto Alg AES CBC 128 \| | | ... | \| ${auth_alg}= \| Integ Alg SHA1 96 \| @@ -156,8 +160,8 @@ | | [Arguments] | ${node} | ${interface} | ${crypto_alg} | ${crypto_key} | | ... | ${integ_alg} | ${integ_key} | ${l_spi} | ${r_spi} | ${l_ip} | | ... | ${r_ip} | ${l_tunnel}=${None} | ${r_tunnel}=${None} -| | ${l_sa_id}= | Set Variable | ${10} -| | ${r_sa_id}= | Set Variable | ${20} +| | Set Test Variable | ${l_sa_id} | ${10} +| | Set Test Variable | ${r_sa_id} | ${20} | | ${spd_id}= | Set Variable | ${1} | | ${p_hi}= | Set Variable | ${100} | | ${p_lo}= | Set Variable | ${10} @@ -182,6 +186,26 @@ | | ... | sa_id=${l_sa_id} | laddr_range=${l_ip} | | ... | raddr_range=${r_ip} | inbound=${FALSE} +| VPP Update IPsec SA Keys +| | [Documentation] | Update IPsec SA keys on VPP node. +| | ... +| | ... | *Arguments:* +| | ... | - node - VPP node to update SA keys. Type: dictionary +| | ... | - l_sa_id - Local SA ID. Type: string +| | ... | - r_sa_id - Remote SA ID. Type: string +| | ... | - crypto_key - Encryption key. Type: string +| | ... | - integ_key - Integrity key. Type: string +| | ... +| | ... | *Example:* +| | ... | \| VPP Update IPsec SA Keys \| ${nodes['DUT1']} \ +| | ... | \| 10 \| 20 \| sixteenbytes_key \| twentybytessecretkey \| +| | [Arguments] | ${node} | ${l_sa_id} | ${r_sa_id} | ${crypto_key} +| | ... | ${integ_key} +| | VPP IPsec SA Set Key | ${dut_node} | ${l_sa_id} | ${crypto_key} +| | ... | ${integ_key} +| | VPP IPsec SA Set Key | ${dut_node} | ${r_sa_id} | ${crypto_key} +| | ... | ${integ_key} + | Send and Receive IPsec Packet | | [Documentation] | Send IPsec packet from TG to DUT. Receive IPsec packet\ | | ... | from DUT on TG and verify ESP encapsulation. diff --git a/resources/templates/vat/ipsec/ipsec_sa_set_key.vat b/resources/templates/vat/ipsec/ipsec_sa_set_key.vat new file mode 100644 index 0000000000..96d570ef93 --- /dev/null +++ b/resources/templates/vat/ipsec/ipsec_sa_set_key.vat @@ -0,0 +1 @@ +ipsec_sa_set_key sa_id {sa_id} crypto_key {ckey} integ_key {ikey} \ No newline at end of file diff --git a/tests/func/ipsec/ipsec_transport_mode_ipv4.robot b/tests/func/ipsec/ipsec_transport_mode_ipv4.robot index 7fce8d5390..14ea198bbd 100644 --- a/tests/func/ipsec/ipsec_transport_mode_ipv4.robot +++ b/tests/func/ipsec/ipsec_transport_mode_ipv4.robot @@ -338,10 +338,130 @@ | | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} +| TC16: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node before\ +| | ... | and after SA keys update. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When VPP Update IPsec SA Keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${new_auth_key} +| | ... | ${tg_spi} | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC17: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\ +| | ... | encryption key stored on VPP node from TG to VPP node and expect no\ +| | ... | response to be received on TG before and after SA keys update. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When VPP Update IPsec SA Keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${new_auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC18: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send an ESP packet authenticated by integrity key different\ +| | ... | from integrity key stored on VPP node from TG to VPP node and expect\ +| | ... | no response to be received on TG before and after SA keys update. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When VPP Update IPsec SA Keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC19: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\ +| | ... | by encryption key different from integrity and encryption keys stored\ +| | ... | on VPP node from TG to VPP node and expect no response to be received\ +| | ... | on TG before and after SA keys update. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When VPP Update IPsec SA Keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + *** Keywords *** | Get Second Random String | | [Arguments] | ${req_alg} | ${req_type} | | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg} +| | ${key}= | Set Variable If | '${req_type}' == 'Crypto' | ${encr_key} +| | ... | '${req_type}' == 'Integ' | ${auth_key} | | :FOR | ${index} | IN RANGE | 100 | | | ${req_key}= | Generate Random String | ${req_key_len} -| | | Return From Keyword If | '${req_key}' != '${encr_key}' | ${req_key} +| | | Return From Keyword If | '${req_key}' != '${key}' | ${req_key} diff --git a/tests/func/ipsec/ipsec_transport_mode_ipv6.robot b/tests/func/ipsec/ipsec_transport_mode_ipv6.robot index 2e6b5dd688..1128e4e6c7 100644 --- a/tests/func/ipsec/ipsec_transport_mode_ipv6.robot +++ b/tests/func/ipsec/ipsec_transport_mode_ipv6.robot @@ -338,10 +338,130 @@ | | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} | | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} +| TC16: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node before\ +| | ... | and after SA keys update. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When VPP Update IPsec SA Keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${new_auth_key} +| | ... | ${tg_spi} | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC17: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\ +| | ... | encryption key stored on VPP node from TG to VPP node and expect no\ +| | ... | response to be received on TG before and after SA keys update. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When VPP Update IPsec SA Keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${new_auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC18: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send an ESP packet authenticated by integrity key different\ +| | ... | from integrity key stored on VPP node from TG to VPP node and expect\ +| | ... | no response to be received on TG before and after SA keys update. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When VPP Update IPsec SA Keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + +| TC19: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\ +| | ... | by encryption key different from integrity and encryption keys stored\ +| | ... | on VPP node from TG to VPP node and expect no response to be received\ +| | ... | on TG before and after SA keys update. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When VPP Update IPsec SA Keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip} + *** Keywords *** | Get Second Random String | | [Arguments] | ${req_alg} | ${req_type} | | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg} +| | ${key}= | Set Variable If | '${req_type}' == 'Crypto' | ${encr_key} +| | ... | '${req_type}' == 'Integ' | ${auth_key} | | :FOR | ${index} | IN RANGE | 100 | | | ${req_key}= | Generate Random String | ${req_key_len} -| | | Return From Keyword If | '${req_key}' != '${encr_key}' | ${req_key} +| | | Return From Keyword If | '${req_key}' != '${key}' | ${req_key} diff --git a/tests/func/ipsec/ipsec_tunnel_mode_ipv4.robot b/tests/func/ipsec/ipsec_tunnel_mode_ipv4.robot index 2261ae638a..d59aae6e54 100644 --- a/tests/func/ipsec/ipsec_tunnel_mode_ipv4.robot +++ b/tests/func/ipsec/ipsec_tunnel_mode_ipv4.robot @@ -361,10 +361,142 @@ | | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} | | ... | ${dut_tun_ip} +| TC16: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node before\ +| | ... | and after SA keys update. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When VPP Update IPsec SA Keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${new_auth_key} +| | ... | ${tg_spi} | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC17: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\ +| | ... | encryption key stored on VPP node from TG to VPP node and expect no\ +| | ... | response to be received on TG before and after SA keys update. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When VPP Update IPsec SA Keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${new_auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC18: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send an ESP packet authenticated by integrity key different\ +| | ... | from integrity key stored on VPP node from TG to VPP node and expect\ +| | ... | no response to be received on TG before and after SA keys update. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When VPP Update IPsec SA Keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC19: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\ +| | ... | by encryption key different from integrity and encryption keys stored\ +| | ... | on VPP node from TG to VPP node and expect no response to be received\ +| | ... | on TG before and after SA keys update. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When VPP Update IPsec SA Keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + *** Keywords *** | Get Second Random String | | [Arguments] | ${req_alg} | ${req_type} | | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg} +| | ${key}= | Set Variable If | '${req_type}' == 'Crypto' | ${encr_key} +| | ... | '${req_type}' == 'Integ' | ${auth_key} | | :FOR | ${index} | IN RANGE | 100 | | | ${req_key}= | Generate Random String | ${req_key_len} -| | | Return From Keyword If | '${req_key}' != '${encr_key}' | ${req_key} +| | | Return From Keyword If | '${req_key}' != '${key}' | ${req_key} diff --git a/tests/func/ipsec/ipsec_tunnel_mode_ipv6.robot b/tests/func/ipsec/ipsec_tunnel_mode_ipv6.robot index 48e37832d9..c1c279198a 100644 --- a/tests/func/ipsec/ipsec_tunnel_mode_ipv6.robot +++ b/tests/func/ipsec/ipsec_tunnel_mode_ipv6.robot @@ -110,7 +110,7 @@ | | ... | [Top] TG-DUT1. | | ... | [Ref] RFC4303. | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-256-128 in tunnel +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-256-128 in tunnel\ | | ... | mode. | | ... | [Ver] Send and receive ESP packet between TG and VPP node. | | [Tags] | SKIP_PATCH @@ -131,7 +131,7 @@ | | ... | [Top] TG-DUT1. | | ... | [Ref] RFC4303. | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in tunnel +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in tunnel\ | | ... | mode. | | ... | [Ver] Send and receive ESP packet between TG and VPP node. | | ${encr_alg}= | Crypto Alg AES CBC 192 @@ -151,7 +151,7 @@ | | ... | [Top] TG-DUT1. | | ... | [Ref] RFC4303. | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-256-128 in tunnel +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-256-128 in tunnel\ | | ... | mode. | | ... | [Ver] Send and receive ESP packet between TG and VPP node. | | [Tags] | SKIP_PATCH @@ -172,7 +172,7 @@ | | ... | [Top] TG-DUT1. | | ... | [Ref] RFC4303. | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-384-192 in tunnel +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-384-192 in tunnel\ | | ... | mode. | | ... | [Ver] Send and receive ESP packet between TG and VPP node. | | [Tags] | SKIP_PATCH @@ -193,7 +193,7 @@ | | ... | [Top] TG-DUT1. | | ... | [Ref] RFC4303. | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-384-192 in tunnel +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-384-192 in tunnel\ | | ... | mode. | | ... | [Ver] Send and receive ESP packet between TG and VPP node. | | [Tags] | SKIP_PATCH @@ -214,7 +214,7 @@ | | ... | [Top] TG-DUT1. | | ... | [Ref] RFC4303. | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in tunnel +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in tunnel\ | | ... | mode. | | ... | [Ver] Send and receive ESP packet between TG and VPP node. | | ${encr_alg}= | Crypto Alg AES CBC 256 @@ -234,7 +234,7 @@ | | ... | [Top] TG-DUT1. | | ... | [Ref] RFC4303. | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-512-256 in tunnel +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-512-256 in tunnel\ | | ... | mode. | | ... | [Ver] Send and receive ESP packet between TG and VPP node. | | [Tags] | SKIP_PATCH @@ -255,7 +255,7 @@ | | ... | [Top] TG-DUT1. | | ... | [Ref] RFC4303. | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-512-256 in tunnel +| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-512-256 in tunnel\ | | ... | mode. | | ... | [Ver] Send and receive ESP packet between TG and VPP node. | | [Tags] | SKIP_PATCH @@ -276,7 +276,7 @@ | | ... | [Top] TG-DUT1. | | ... | [Ref] RFC4303. | | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ -| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in tunnel +| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in tunnel\ | | ... | mode. | | ... | [Ver] Send and receive ESP packet between TG and VPP node. | | ${encr_alg}= | Crypto Alg AES CBC 256 @@ -362,10 +362,142 @@ | | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} | | ... | ${dut_tun_ip} +| TC16: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send and receive ESP packet between TG and VPP node before\ +| | ... | and after SA keys update. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When VPP Update IPsec SA Keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${new_auth_key} +| | ... | ${tg_spi} | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC17: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\ +| | ... | encryption key stored on VPP node from TG to VPP node and expect no\ +| | ... | response to be received on TG before and after SA keys update. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When VPP Update IPsec SA Keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${new_auth_key} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC18: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send an ESP packet authenticated by integrity key different\ +| | ... | from integrity key stored on VPP node from TG to VPP node and expect\ +| | ... | no response to be received on TG before and after SA keys update. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When VPP Update IPsec SA Keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + +| TC19: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used +| | [Documentation] +| | ... | [Top] TG-DUT1. +| | ... | [Ref] RFC4303. +| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\ +| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\ +| | ... | mode. Then update SA keys - use new keys. +| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\ +| | ... | by encryption key different from integrity and encryption keys stored\ +| | ... | on VPP node from TG to VPP node and expect no response to be received\ +| | ... | on TG before and after SA keys update. +| | ${encr_alg}= | Crypto Alg AES CBC 128 +| | ${auth_alg}= | Integ Alg SHA1 96 +| | Given IPsec Generate Keys | ${encr_alg} | ${auth_alg} +| | When VPP Setup IPsec Manual Keyed Connection +| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg} +| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip} +| | ... | ${dut_tun_ip} | ${tg_tun_ip} +| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto +| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} +| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto +| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ +| | When VPP Update IPsec SA Keys | ${dut_node} | ${l_sa_id} | ${r_sa_id} +| | ... | ${new_encr_key} | ${new_auth_key} +| | Then Run Keyword And Expect Error | ESP packet Rx timeout +| | ... | Send And Receive IPsec Packet | ${tg_node} | ${tg_if} | ${dut_if_mac} +| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi} +| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip} +| | ... | ${dut_tun_ip} + *** Keywords *** | Get Second Random String | | [Arguments] | ${req_alg} | ${req_type} | | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg} +| | ${key}= | Set Variable If | '${req_type}' == 'Crypto' | ${encr_key} +| | ... | '${req_type}' == 'Integ' | ${auth_key} | | :FOR | ${index} | IN RANGE | 100 | | | ${req_key}= | Generate Random String | ${req_key_len} -| | | Return From Keyword If | '${req_key}' != '${encr_key}' | ${req_key} +| | | Return From Keyword If | '${req_key}' != '${key}' | ${req_key} -- 2.16.6