5 from scapy.layers.inet import IP, ICMP, TCP, UDP
6 from scapy.layers.ipsec import SecurityAssociation, ESP
7 from scapy.layers.l2 import Ether, Raw
8 from scapy.layers.inet6 import IPv6, ICMPv6EchoRequest
10 from framework import VppTestCase, VppTestRunner
11 from util import ppp, reassemble4
12 from vpp_papi import VppEnum
15 class IPsecIPv4Params(object):
17 addr_type = socket.AF_INET
19 addr_bcast = "255.255.255.255"
24 self.remote_tun_if_host = '1.1.1.1'
25 self.remote_tun_if_host6 = '1111::1'
27 self.scapy_tun_sa_id = 10
28 self.scapy_tun_spi = 1001
29 self.vpp_tun_sa_id = 20
30 self.vpp_tun_spi = 1000
32 self.scapy_tra_sa_id = 30
33 self.scapy_tra_spi = 2001
34 self.vpp_tra_sa_id = 40
35 self.vpp_tra_spi = 2000
37 self.auth_algo_vpp_id = (VppEnum.vl_api_ipsec_integ_alg_t.
38 IPSEC_API_INTEG_ALG_SHA1_96)
39 self.auth_algo = 'HMAC-SHA1-96' # scapy name
40 self.auth_key = 'C91KUR9GYMm5GfkEvNjX'
42 self.crypt_algo_vpp_id = (VppEnum.vl_api_ipsec_crypto_alg_t.
43 IPSEC_API_CRYPTO_ALG_AES_CBC_128)
44 self.crypt_algo = 'AES-CBC' # scapy name
45 self.crypt_key = 'JPjyOWBeVEQiMe7h'
48 self.nat_header = None
51 class IPsecIPv6Params(object):
53 addr_type = socket.AF_INET6
55 addr_bcast = "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"
60 self.remote_tun_if_host = '1111:1111:1111:1111:1111:1111:1111:1111'
61 self.remote_tun_if_host4 = '1.1.1.1'
63 self.scapy_tun_sa_id = 50
64 self.scapy_tun_spi = 3001
65 self.vpp_tun_sa_id = 60
66 self.vpp_tun_spi = 3000
68 self.scapy_tra_sa_id = 70
69 self.scapy_tra_spi = 4001
70 self.vpp_tra_sa_id = 80
71 self.vpp_tra_spi = 4000
73 self.auth_algo_vpp_id = (VppEnum.vl_api_ipsec_integ_alg_t.
74 IPSEC_API_INTEG_ALG_SHA1_96)
75 self.auth_algo = 'HMAC-SHA1-96' # scapy name
76 self.auth_key = 'C91KUR9GYMm5GfkEvNjX'
78 self.crypt_algo_vpp_id = (VppEnum.vl_api_ipsec_crypto_alg_t.
79 IPSEC_API_CRYPTO_ALG_AES_CBC_128)
80 self.crypt_algo = 'AES-CBC' # scapy name
81 self.crypt_key = 'JPjyOWBeVEQiMe7h'
84 self.nat_header = None
87 def config_tun_params(p, encryption_type, tun_if):
88 ip_class_by_addr_type = {socket.AF_INET: IP, socket.AF_INET6: IPv6}
89 use_esn = bool(p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.
90 IPSEC_API_SAD_FLAG_USE_ESN))
91 if p.crypt_algo == "AES-GCM":
92 crypt_key = p.crypt_key + struct.pack("!I", p.salt)
94 crypt_key = p.crypt_key
95 p.scapy_tun_sa = SecurityAssociation(
96 encryption_type, spi=p.vpp_tun_spi,
97 crypt_algo=p.crypt_algo,
99 auth_algo=p.auth_algo, auth_key=p.auth_key,
100 tunnel_header=ip_class_by_addr_type[p.addr_type](
101 src=tun_if.remote_addr[p.addr_type],
102 dst=tun_if.local_addr[p.addr_type]),
103 nat_t_header=p.nat_header,
105 p.vpp_tun_sa = SecurityAssociation(
106 encryption_type, spi=p.scapy_tun_spi,
107 crypt_algo=p.crypt_algo,
109 auth_algo=p.auth_algo, auth_key=p.auth_key,
110 tunnel_header=ip_class_by_addr_type[p.addr_type](
111 dst=tun_if.remote_addr[p.addr_type],
112 src=tun_if.local_addr[p.addr_type]),
113 nat_t_header=p.nat_header,
117 def config_tra_params(p, encryption_type):
118 use_esn = bool(p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.
119 IPSEC_API_SAD_FLAG_USE_ESN))
120 if p.crypt_algo == "AES-GCM":
121 crypt_key = p.crypt_key + struct.pack("!I", p.salt)
123 crypt_key = p.crypt_key
124 p.scapy_tra_sa = SecurityAssociation(
127 crypt_algo=p.crypt_algo,
129 auth_algo=p.auth_algo,
131 nat_t_header=p.nat_header,
133 p.vpp_tra_sa = SecurityAssociation(
136 crypt_algo=p.crypt_algo,
138 auth_algo=p.auth_algo,
140 nat_t_header=p.nat_header,
144 class TemplateIpsec(VppTestCase):
149 |tra_if| <-------> |VPP|
154 ------ encrypt --- plain ---
155 |tun_if| <------- |VPP| <------ |pg1|
158 ------ decrypt --- plain ---
159 |tun_if| -------> |VPP| ------> |pg1|
165 def ipsec_select_backend(self):
166 """ empty method to be overloaded when necessary """
171 super(TemplateIpsec, cls).setUpClass()
174 def tearDownClass(cls):
175 super(TemplateIpsec, cls).tearDownClass()
177 def setup_params(self):
178 self.ipv4_params = IPsecIPv4Params()
179 self.ipv6_params = IPsecIPv6Params()
180 self.params = {self.ipv4_params.addr_type: self.ipv4_params,
181 self.ipv6_params.addr_type: self.ipv6_params}
183 def config_interfaces(self):
184 self.create_pg_interfaces(range(3))
185 self.interfaces = list(self.pg_interfaces)
186 for i in self.interfaces:
194 super(TemplateIpsec, self).setUp()
198 self.vpp_esp_protocol = (VppEnum.vl_api_ipsec_proto_t.
200 self.vpp_ah_protocol = (VppEnum.vl_api_ipsec_proto_t.
203 self.config_interfaces()
205 self.ipsec_select_backend()
207 def unconfig_interfaces(self):
208 for i in self.interfaces:
214 super(TemplateIpsec, self).tearDown()
216 self.unconfig_interfaces()
218 def show_commands_at_teardown(self):
219 self.logger.info(self.vapi.cli("show hardware"))
221 def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1,
223 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
224 sa.encrypt(IP(src=src, dst=dst) /
225 ICMP() / Raw('X' * payload_size))
226 for i in range(count)]
228 def gen_encrypt_pkts6(self, sa, sw_intf, src, dst, count=1,
230 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
231 sa.encrypt(IPv6(src=src, dst=dst) /
232 ICMPv6EchoRequest(id=0, seq=1,
233 data='X' * payload_size))
234 for i in range(count)]
236 def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=54):
237 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
238 IP(src=src, dst=dst) / ICMP() / Raw('X' * payload_size)
239 for i in range(count)]
241 def gen_pkts6(self, sw_intf, src, dst, count=1, payload_size=54):
242 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
243 IPv6(src=src, dst=dst) /
244 ICMPv6EchoRequest(id=0, seq=1, data='X' * payload_size)
245 for i in range(count)]
248 class IpsecTcp(object):
249 def verify_tcp_checksum(self):
250 self.vapi.cli("test http server")
251 p = self.params[socket.AF_INET]
252 config_tun_params(p, self.encryption_type, self.tun_if)
253 send = (Ether(src=self.tun_if.remote_mac, dst=self.tun_if.local_mac) /
254 p.scapy_tun_sa.encrypt(IP(src=p.remote_tun_if_host,
255 dst=self.tun_if.local_ip4) /
256 TCP(flags='S', dport=80)))
257 self.logger.debug(ppp("Sending packet:", send))
258 recv = self.send_and_expect(self.tun_if, [send], self.tun_if)
260 decrypted = p.vpp_tun_sa.decrypt(recv[IP])
261 self.assert_packet_checksums_valid(decrypted)
264 class IpsecTcpTests(IpsecTcp):
265 def test_tcp_checksum(self):
266 """ verify checksum correctness for vpp generated packets """
267 self.verify_tcp_checksum()
270 class IpsecTra4(object):
271 """ verify methods for Transport v4 """
272 def verify_tra_anti_replay(self, count=1):
273 p = self.params[socket.AF_INET]
274 use_esn = p.vpp_tra_sa.use_esn
276 # fire in a packet with seq number 1
277 pkt = (Ether(src=self.tra_if.remote_mac,
278 dst=self.tra_if.local_mac) /
279 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
280 dst=self.tra_if.local_ip4) /
283 recv_pkts = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
285 # now move the window over to 235
286 pkt = (Ether(src=self.tra_if.remote_mac,
287 dst=self.tra_if.local_mac) /
288 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
289 dst=self.tra_if.local_ip4) /
292 recv_pkts = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
294 # replayed packets are dropped
295 self.send_and_assert_no_replies(self.tra_if, pkt * 3)
296 self.assert_error_counter_equal(
297 '/err/%s/SA replayed packet' % self.tra4_decrypt_node_name, 3)
299 # the window size is 64 packets
300 # in window are still accepted
301 pkt = (Ether(src=self.tra_if.remote_mac,
302 dst=self.tra_if.local_mac) /
303 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
304 dst=self.tra_if.local_ip4) /
307 recv_pkts = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
309 # a packet that does not decrypt does not move the window forward
310 bogus_sa = SecurityAssociation(self.encryption_type,
312 crypt_algo=p.crypt_algo,
313 crypt_key=p.crypt_key[::-1],
314 auth_algo=p.auth_algo,
315 auth_key=p.auth_key[::-1])
316 pkt = (Ether(src=self.tra_if.remote_mac,
317 dst=self.tra_if.local_mac) /
318 bogus_sa.encrypt(IP(src=self.tra_if.remote_ip4,
319 dst=self.tra_if.local_ip4) /
322 self.send_and_assert_no_replies(self.tra_if, pkt * 17)
324 self.assert_error_counter_equal(
325 '/err/%s/Integrity check failed' % self.tra4_decrypt_node_name, 17)
327 # a malformed 'runt' packet
328 # created by a mis-constructed SA
329 if (ESP == self.encryption_type):
330 bogus_sa = SecurityAssociation(self.encryption_type,
332 pkt = (Ether(src=self.tra_if.remote_mac,
333 dst=self.tra_if.local_mac) /
334 bogus_sa.encrypt(IP(src=self.tra_if.remote_ip4,
335 dst=self.tra_if.local_ip4) /
338 self.send_and_assert_no_replies(self.tra_if, pkt * 17)
340 self.assert_error_counter_equal(
341 '/err/%s/undersized packet' % self.tra4_decrypt_node_name, 17)
343 # which we can determine since this packet is still in the window
344 pkt = (Ether(src=self.tra_if.remote_mac,
345 dst=self.tra_if.local_mac) /
346 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
347 dst=self.tra_if.local_ip4) /
350 self.send_and_expect(self.tra_if, [pkt], self.tra_if)
352 # out of window are dropped
353 pkt = (Ether(src=self.tra_if.remote_mac,
354 dst=self.tra_if.local_mac) /
355 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
356 dst=self.tra_if.local_ip4) /
359 self.send_and_assert_no_replies(self.tra_if, pkt * 17)
362 # an out of window error with ESN looks like a high sequence
363 # wrap. but since it isn't then the verify will fail.
364 self.assert_error_counter_equal(
365 '/err/%s/Integrity check failed' %
366 self.tra4_decrypt_node_name, 34)
369 self.assert_error_counter_equal(
370 '/err/%s/SA replayed packet' %
371 self.tra4_decrypt_node_name, 20)
373 # valid packet moves the window over to 236
374 pkt = (Ether(src=self.tra_if.remote_mac,
375 dst=self.tra_if.local_mac) /
376 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
377 dst=self.tra_if.local_ip4) /
380 rx = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
381 decrypted = p.vpp_tra_sa.decrypt(rx[0][IP])
383 # move VPP's SA to just before the seq-number wrap
384 self.vapi.cli("test ipsec sa %d seq 0xffffffff" % p.scapy_tra_sa_id)
386 # then fire in a packet that VPP should drop because it causes the
387 # seq number to wrap unless we're using extended.
388 pkt = (Ether(src=self.tra_if.remote_mac,
389 dst=self.tra_if.local_mac) /
390 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
391 dst=self.tra_if.local_ip4) /
396 rx = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
397 # in order to decrpyt the high order number needs to wrap
398 p.vpp_tra_sa.seq_num = 0x100000000
399 decrypted = p.vpp_tra_sa.decrypt(rx[0][IP])
401 # send packets with high bits set
402 p.scapy_tra_sa.seq_num = 0x100000005
403 pkt = (Ether(src=self.tra_if.remote_mac,
404 dst=self.tra_if.local_mac) /
405 p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
406 dst=self.tra_if.local_ip4) /
408 seq_num=0x100000005))
409 rx = self.send_and_expect(self.tra_if, [pkt], self.tra_if)
410 # in order to decrpyt the high order number needs to wrap
411 decrypted = p.vpp_tra_sa.decrypt(rx[0][IP])
413 self.send_and_assert_no_replies(self.tra_if, [pkt])
414 self.assert_error_counter_equal(
415 '/err/%s/sequence number cycled' %
416 self.tra4_encrypt_node_name, 1)
418 # move the security-associations seq number on to the last we used
419 self.vapi.cli("test ipsec sa %d seq 0x15f" % p.scapy_tra_sa_id)
420 p.scapy_tra_sa.seq_num = 351
421 p.vpp_tra_sa.seq_num = 351
423 def verify_tra_basic4(self, count=1):
424 """ ipsec v4 transport basic test """
425 self.vapi.cli("clear errors")
427 p = self.params[socket.AF_INET]
428 send_pkts = self.gen_encrypt_pkts(p.scapy_tra_sa, self.tra_if,
429 src=self.tra_if.remote_ip4,
430 dst=self.tra_if.local_ip4,
432 recv_pkts = self.send_and_expect(self.tra_if, send_pkts,
435 self.assertEqual(len(rx) - len(Ether()), rx[IP].len)
436 self.assert_packet_checksums_valid(rx)
438 decrypted = p.vpp_tra_sa.decrypt(rx[IP])
439 self.assert_packet_checksums_valid(decrypted)
441 self.logger.debug(ppp("Unexpected packet:", rx))
444 self.logger.info(self.vapi.ppcli("show error"))
445 self.logger.info(self.vapi.ppcli("show ipsec all"))
447 pkts = p.tra_sa_in.get_stats()['packets']
448 self.assertEqual(pkts, count,
449 "incorrect SA in counts: expected %d != %d" %
451 pkts = p.tra_sa_out.get_stats()['packets']
452 self.assertEqual(pkts, count,
453 "incorrect SA out counts: expected %d != %d" %
456 self.assert_packet_counter_equal(self.tra4_encrypt_node_name, count)
457 self.assert_packet_counter_equal(self.tra4_decrypt_node_name, count)
460 class IpsecTra4Tests(IpsecTra4):
461 """ UT test methods for Transport v4 """
462 def test_tra_anti_replay(self):
463 """ ipsec v4 transport anti-reply test """
464 self.verify_tra_anti_replay(count=1)
466 def test_tra_basic(self, count=1):
467 """ ipsec v4 transport basic test """
468 self.verify_tra_basic4(count=1)
470 def test_tra_burst(self):
471 """ ipsec v4 transport burst test """
472 self.verify_tra_basic4(count=257)
475 class IpsecTra6(object):
476 """ verify methods for Transport v6 """
477 def verify_tra_basic6(self, count=1):
478 self.vapi.cli("clear errors")
480 p = self.params[socket.AF_INET6]
481 send_pkts = self.gen_encrypt_pkts6(p.scapy_tra_sa, self.tra_if,
482 src=self.tra_if.remote_ip6,
483 dst=self.tra_if.local_ip6,
485 recv_pkts = self.send_and_expect(self.tra_if, send_pkts,
488 self.assertEqual(len(rx) - len(Ether()) - len(IPv6()),
491 decrypted = p.vpp_tra_sa.decrypt(rx[IPv6])
492 self.assert_packet_checksums_valid(decrypted)
494 self.logger.debug(ppp("Unexpected packet:", rx))
497 self.logger.info(self.vapi.ppcli("show error"))
498 self.logger.info(self.vapi.ppcli("show ipsec all"))
500 pkts = p.tra_sa_in.get_stats()['packets']
501 self.assertEqual(pkts, count,
502 "incorrect SA in counts: expected %d != %d" %
504 pkts = p.tra_sa_out.get_stats()['packets']
505 self.assertEqual(pkts, count,
506 "incorrect SA out counts: expected %d != %d" %
508 self.assert_packet_counter_equal(self.tra6_encrypt_node_name, count)
509 self.assert_packet_counter_equal(self.tra6_decrypt_node_name, count)
512 class IpsecTra6Tests(IpsecTra6):
513 """ UT test methods for Transport v6 """
514 def test_tra_basic6(self):
515 """ ipsec v6 transport basic test """
516 self.verify_tra_basic6(count=1)
518 def test_tra_burst6(self):
519 """ ipsec v6 transport burst test """
520 self.verify_tra_basic6(count=257)
523 class IpsecTra46Tests(IpsecTra4Tests, IpsecTra6Tests):
524 """ UT test methods for Transport v6 and v4"""
528 class IpsecTun4(object):
529 """ verify methods for Tunnel v4 """
530 def verify_counters4(self, p, count, n_frags=None):
533 if (hasattr(p, "spd_policy_in_any")):
534 pkts = p.spd_policy_in_any.get_stats()['packets']
535 self.assertEqual(pkts, count,
536 "incorrect SPD any policy: expected %d != %d" %
539 if (hasattr(p, "tun_sa_in")):
540 pkts = p.tun_sa_in.get_stats()['packets']
541 self.assertEqual(pkts, count,
542 "incorrect SA in counts: expected %d != %d" %
544 pkts = p.tun_sa_out.get_stats()['packets']
545 self.assertEqual(pkts, count,
546 "incorrect SA out counts: expected %d != %d" %
549 self.assert_packet_counter_equal(self.tun4_encrypt_node_name, n_frags)
550 self.assert_packet_counter_equal(self.tun4_decrypt_node_name, count)
552 def verify_decrypted(self, p, rxs):
554 self.assert_equal(rx[IP].src, p.remote_tun_if_host)
555 self.assert_equal(rx[IP].dst, self.pg1.remote_ip4)
556 self.assert_packet_checksums_valid(rx)
558 def verify_encrypted(self, p, sa, rxs):
562 self.assertEqual(rx[UDP].dport, 4500)
563 self.assert_packet_checksums_valid(rx)
564 self.assertEqual(len(rx) - len(Ether()), rx[IP].len)
566 decrypt_pkt = p.vpp_tun_sa.decrypt(rx[IP])
567 if not decrypt_pkt.haslayer(IP):
568 decrypt_pkt = IP(decrypt_pkt[Raw].load)
569 decrypt_pkts.append(decrypt_pkt)
570 self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip4)
571 self.assert_equal(decrypt_pkt.dst, p.remote_tun_if_host)
573 self.logger.debug(ppp("Unexpected packet:", rx))
575 self.logger.debug(ppp("Decrypted packet:", decrypt_pkt))
579 pkts = reassemble4(decrypt_pkts)
581 self.assert_packet_checksums_valid(pkt)
583 def verify_tun_44(self, p, count=1, payload_size=64, n_rx=None):
584 self.vapi.cli("clear errors")
588 config_tun_params(p, self.encryption_type, self.tun_if)
589 send_pkts = self.gen_encrypt_pkts(p.scapy_tun_sa, self.tun_if,
590 src=p.remote_tun_if_host,
591 dst=self.pg1.remote_ip4,
593 recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1)
594 self.verify_decrypted(p, recv_pkts)
596 send_pkts = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4,
597 dst=p.remote_tun_if_host, count=count,
598 payload_size=payload_size)
599 recv_pkts = self.send_and_expect(self.pg1, send_pkts,
601 self.verify_encrypted(p, p.vpp_tun_sa, recv_pkts)
604 self.logger.info(self.vapi.ppcli("show error"))
605 self.logger.info(self.vapi.ppcli("show ipsec all"))
607 self.verify_counters4(p, count, n_rx)
609 def verify_tun_64(self, p, count=1):
610 self.vapi.cli("clear errors")
612 config_tun_params(p, self.encryption_type, self.tun_if)
613 send_pkts = self.gen_encrypt_pkts6(p.scapy_tun_sa, self.tun_if,
614 src=p.remote_tun_if_host6,
615 dst=self.pg1.remote_ip6,
617 recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1)
618 for recv_pkt in recv_pkts:
619 self.assert_equal(recv_pkt[IPv6].src, p.remote_tun_if_host6)
620 self.assert_equal(recv_pkt[IPv6].dst, self.pg1.remote_ip6)
621 self.assert_packet_checksums_valid(recv_pkt)
622 send_pkts = self.gen_pkts6(self.pg1, src=self.pg1.remote_ip6,
623 dst=p.remote_tun_if_host6, count=count)
624 recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.tun_if)
625 for recv_pkt in recv_pkts:
627 decrypt_pkt = p.vpp_tun_sa.decrypt(recv_pkt[IP])
628 if not decrypt_pkt.haslayer(IPv6):
629 decrypt_pkt = IPv6(decrypt_pkt[Raw].load)
630 self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip6)
631 self.assert_equal(decrypt_pkt.dst, p.remote_tun_if_host6)
632 self.assert_packet_checksums_valid(decrypt_pkt)
634 self.logger.error(ppp("Unexpected packet:", recv_pkt))
637 ppp("Decrypted packet:", decrypt_pkt))
642 self.logger.info(self.vapi.ppcli("show error"))
643 self.logger.info(self.vapi.ppcli("show ipsec all"))
645 self.verify_counters4(p, count)
647 def verify_keepalive(self, p):
648 pkt = (Ether(src=self.tun_if.remote_mac, dst=self.tun_if.local_mac) /
649 IP(src=p.remote_tun_if_host, dst=self.tun_if.local_ip4) /
650 UDP(sport=333, dport=4500) /
652 self.send_and_assert_no_replies(self.tun_if, pkt*31)
653 self.assert_error_counter_equal(
654 '/err/%s/NAT Keepalive' % self.tun4_input_node, 31)
656 pkt = (Ether(src=self.tun_if.remote_mac, dst=self.tun_if.local_mac) /
657 IP(src=p.remote_tun_if_host, dst=self.tun_if.local_ip4) /
658 UDP(sport=333, dport=4500) /
660 self.send_and_assert_no_replies(self.tun_if, pkt*31)
661 self.assert_error_counter_equal(
662 '/err/%s/Too Short' % self.tun4_input_node, 31)
665 class IpsecTun4Tests(IpsecTun4):
666 """ UT test methods for Tunnel v4 """
667 def test_tun_basic44(self):
668 """ ipsec 4o4 tunnel basic test """
669 self.verify_tun_44(self.params[socket.AF_INET], count=1)
671 def test_tun_burst44(self):
672 """ ipsec 4o4 tunnel burst test """
673 self.verify_tun_44(self.params[socket.AF_INET], count=257)
676 class IpsecTun6(object):
677 """ verify methods for Tunnel v6 """
678 def verify_counters6(self, p_in, p_out, count):
679 if (hasattr(p_in, "tun_sa_in")):
680 pkts = p_in.tun_sa_in.get_stats()['packets']
681 self.assertEqual(pkts, count,
682 "incorrect SA in counts: expected %d != %d" %
684 if (hasattr(p_out, "tun_sa_out")):
685 pkts = p_out.tun_sa_out.get_stats()['packets']
686 self.assertEqual(pkts, count,
687 "incorrect SA out counts: expected %d != %d" %
689 self.assert_packet_counter_equal(self.tun6_encrypt_node_name, count)
690 self.assert_packet_counter_equal(self.tun6_decrypt_node_name, count)
692 def verify_decrypted6(self, p, rxs):
694 self.assert_equal(rx[IPv6].src, p.remote_tun_if_host)
695 self.assert_equal(rx[IPv6].dst, self.pg1.remote_ip6)
696 self.assert_packet_checksums_valid(rx)
698 def verify_encrypted6(self, p, sa, rxs):
700 self.assert_packet_checksums_valid(rx)
701 self.assertEqual(len(rx) - len(Ether()) - len(IPv6()),
704 decrypt_pkt = p.vpp_tun_sa.decrypt(rx[IPv6])
705 if not decrypt_pkt.haslayer(IPv6):
706 decrypt_pkt = IPv6(decrypt_pkt[Raw].load)
707 self.assert_packet_checksums_valid(decrypt_pkt)
708 self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip6)
709 self.assert_equal(decrypt_pkt.dst, p.remote_tun_if_host)
711 self.logger.debug(ppp("Unexpected packet:", rx))
713 self.logger.debug(ppp("Decrypted packet:", decrypt_pkt))
718 def verify_drop_tun_66(self, p_in, count=1, payload_size=64):
719 self.vapi.cli("clear errors")
720 self.vapi.cli("clear ipsec sa")
722 config_tun_params(p_in, self.encryption_type, self.tun_if)
723 send_pkts = self.gen_encrypt_pkts6(p_in.scapy_tun_sa, self.tun_if,
724 src=p_in.remote_tun_if_host,
725 dst=self.pg1.remote_ip6,
727 self.send_and_assert_no_replies(self.tun_if, send_pkts)
728 self.logger.info(self.vapi.cli("sh punt stats"))
730 def verify_tun_66(self, p_in, p_out=None, count=1, payload_size=64):
731 self.vapi.cli("clear errors")
732 self.vapi.cli("clear ipsec sa")
736 config_tun_params(p_in, self.encryption_type, self.tun_if)
737 config_tun_params(p_out, self.encryption_type, self.tun_if)
738 send_pkts = self.gen_encrypt_pkts6(p_in.scapy_tun_sa, self.tun_if,
739 src=p_in.remote_tun_if_host,
740 dst=self.pg1.remote_ip6,
742 recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1)
743 self.verify_decrypted6(p_in, recv_pkts)
745 send_pkts = self.gen_pkts6(self.pg1, src=self.pg1.remote_ip6,
746 dst=p_out.remote_tun_if_host,
748 payload_size=payload_size)
749 recv_pkts = self.send_and_expect(self.pg1, send_pkts,
751 self.verify_encrypted6(p_out, p_out.vpp_tun_sa, recv_pkts)
754 self.logger.info(self.vapi.ppcli("show error"))
755 self.logger.info(self.vapi.ppcli("show ipsec all"))
756 self.verify_counters6(p_in, p_out, count)
758 def verify_tun_46(self, p, count=1):
759 """ ipsec 4o6 tunnel basic test """
760 self.vapi.cli("clear errors")
762 config_tun_params(p, self.encryption_type, self.tun_if)
763 send_pkts = self.gen_encrypt_pkts(p.scapy_tun_sa, self.tun_if,
764 src=p.remote_tun_if_host4,
765 dst=self.pg1.remote_ip4,
767 recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1)
768 for recv_pkt in recv_pkts:
769 self.assert_equal(recv_pkt[IP].src, p.remote_tun_if_host4)
770 self.assert_equal(recv_pkt[IP].dst, self.pg1.remote_ip4)
771 self.assert_packet_checksums_valid(recv_pkt)
772 send_pkts = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4,
773 dst=p.remote_tun_if_host4,
775 recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.tun_if)
776 for recv_pkt in recv_pkts:
778 decrypt_pkt = p.vpp_tun_sa.decrypt(recv_pkt[IPv6])
779 if not decrypt_pkt.haslayer(IP):
780 decrypt_pkt = IP(decrypt_pkt[Raw].load)
781 self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip4)
782 self.assert_equal(decrypt_pkt.dst, p.remote_tun_if_host4)
783 self.assert_packet_checksums_valid(decrypt_pkt)
785 self.logger.debug(ppp("Unexpected packet:", recv_pkt))
787 self.logger.debug(ppp("Decrypted packet:",
793 self.logger.info(self.vapi.ppcli("show error"))
794 self.logger.info(self.vapi.ppcli("show ipsec all"))
795 self.verify_counters6(p, p, count)
798 class IpsecTun6Tests(IpsecTun6):
799 """ UT test methods for Tunnel v6 """
801 def test_tun_basic66(self):
802 """ ipsec 6o6 tunnel basic test """
803 self.verify_tun_66(self.params[socket.AF_INET6], count=1)
805 def test_tun_burst66(self):
806 """ ipsec 6o6 tunnel burst test """
807 self.verify_tun_66(self.params[socket.AF_INET6], count=257)
810 class IpsecTun46Tests(IpsecTun4Tests, IpsecTun6Tests):
811 """ UT test methods for Tunnel v6 & v4 """
815 if __name__ == '__main__':
816 unittest.main(testRunner=VppTestRunner)
Code Review / vpp.git / blob