5 from scapy.layers.ipsec import ESP
6 from scapy.layers.l2 import Ether, Raw, GRE
7 from scapy.layers.inet import IP, UDP
8 from scapy.layers.inet6 import IPv6
9 from framework import VppTestRunner
10 from template_ipsec import TemplateIpsec, IpsecTun4Tests, IpsecTun6Tests, \
11 IpsecTun4, IpsecTun6, IpsecTcpTests, config_tun_params
12 from vpp_ipsec_tun_interface import VppIpsecTunInterface
13 from vpp_gre_interface import VppGreInterface
14 from vpp_ipip_tun_interface import VppIpIpTunInterface
15 from vpp_ip_route import VppIpRoute, VppRoutePath, DpoProto
16 from vpp_ipsec import VppIpsecSA, VppIpsecTunProtect
17 from vpp_l2 import VppBridgeDomain, VppBridgeDomainPort
19 from vpp_papi import VppEnum
22 class TemplateIpsec4TunIfEsp(TemplateIpsec):
23 """ IPsec tunnel interface tests """
29 super(TemplateIpsec4TunIfEsp, cls).setUpClass()
32 def tearDownClass(cls):
33 super(TemplateIpsec4TunIfEsp, cls).tearDownClass()
36 super(TemplateIpsec4TunIfEsp, self).setUp()
38 self.tun_if = self.pg0
42 p.tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
43 p.scapy_tun_spi, p.crypt_algo_vpp_id,
44 p.crypt_key, p.crypt_key,
45 p.auth_algo_vpp_id, p.auth_key,
47 p.tun_if.add_vpp_config()
52 r = VppIpRoute(self, p.remote_tun_if_host, 32,
53 [VppRoutePath(p.tun_if.remote_ip4,
56 r = VppIpRoute(self, p.remote_tun_if_host6, 128,
57 [VppRoutePath(p.tun_if.remote_ip6,
59 proto=DpoProto.DPO_PROTO_IP6)])
63 super(TemplateIpsec4TunIfEsp, self).tearDown()
66 class TestIpsec4TunIfEsp1(TemplateIpsec4TunIfEsp, IpsecTun4Tests):
67 """ Ipsec ESP - TUN tests """
68 tun4_encrypt_node_name = "esp4-encrypt-tun"
69 tun4_decrypt_node_name = "esp4-decrypt"
71 def test_tun_basic64(self):
72 """ ipsec 6o4 tunnel basic test """
73 self.tun4_encrypt_node_name = "esp6-encrypt-tun"
75 self.verify_tun_64(self.params[socket.AF_INET], count=1)
77 def test_tun_burst64(self):
78 """ ipsec 6o4 tunnel basic test """
79 self.tun4_encrypt_node_name = "esp6-encrypt-tun"
81 self.verify_tun_64(self.params[socket.AF_INET], count=257)
83 def test_tun_basic_frag44(self):
84 """ ipsec 4o4 tunnel frag basic test """
85 self.tun4_encrypt_node_name = "esp4-encrypt-tun"
89 self.vapi.sw_interface_set_mtu(p.tun_if.sw_if_index,
91 self.verify_tun_44(self.params[socket.AF_INET],
92 count=1, payload_size=1800, n_rx=2)
93 self.vapi.sw_interface_set_mtu(p.tun_if.sw_if_index,
97 class TestIpsec4TunIfEsp2(TemplateIpsec4TunIfEsp, IpsecTcpTests):
98 """ Ipsec ESP - TCP tests """
102 class TemplateIpsec6TunIfEsp(TemplateIpsec):
103 """ IPsec tunnel interface tests """
105 encryption_type = ESP
108 super(TemplateIpsec6TunIfEsp, self).setUp()
110 self.tun_if = self.pg0
113 tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
114 p.scapy_tun_spi, p.crypt_algo_vpp_id,
115 p.crypt_key, p.crypt_key,
116 p.auth_algo_vpp_id, p.auth_key,
117 p.auth_key, is_ip6=True)
118 tun_if.add_vpp_config()
123 r = VppIpRoute(self, p.remote_tun_if_host, 128,
124 [VppRoutePath(tun_if.remote_ip6,
126 proto=DpoProto.DPO_PROTO_IP6)])
128 r = VppIpRoute(self, p.remote_tun_if_host4, 32,
129 [VppRoutePath(tun_if.remote_ip4,
134 super(TemplateIpsec6TunIfEsp, self).tearDown()
137 class TestIpsec6TunIfEsp1(TemplateIpsec6TunIfEsp, IpsecTun6Tests):
138 """ Ipsec ESP - TUN tests """
139 tun6_encrypt_node_name = "esp6-encrypt-tun"
140 tun6_decrypt_node_name = "esp6-decrypt"
142 def test_tun_basic46(self):
143 """ ipsec 4o6 tunnel basic test """
144 self.tun6_encrypt_node_name = "esp4-encrypt-tun"
145 self.verify_tun_46(self.params[socket.AF_INET6], count=1)
147 def test_tun_burst46(self):
148 """ ipsec 4o6 tunnel burst test """
149 self.tun6_encrypt_node_name = "esp4-encrypt-tun"
150 self.verify_tun_46(self.params[socket.AF_INET6], count=257)
153 class TestIpsec4MultiTunIfEsp(TemplateIpsec, IpsecTun4):
154 """ IPsec IPv4 Multi Tunnel interface """
156 encryption_type = ESP
157 tun4_encrypt_node_name = "esp4-encrypt-tun"
158 tun4_decrypt_node_name = "esp4-decrypt"
161 super(TestIpsec4MultiTunIfEsp, self).setUp()
163 self.tun_if = self.pg0
165 self.multi_params = []
168 p = copy.copy(self.ipv4_params)
170 p.remote_tun_if_host = "1.1.1.%d" % (ii + 1)
171 p.scapy_tun_sa_id = p.scapy_tun_sa_id + ii
172 p.scapy_tun_spi = p.scapy_tun_spi + ii
173 p.vpp_tun_sa_id = p.vpp_tun_sa_id + ii
174 p.vpp_tun_spi = p.vpp_tun_spi + ii
176 p.scapy_tra_sa_id = p.scapy_tra_sa_id + ii
177 p.scapy_tra_spi = p.scapy_tra_spi + ii
178 p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii
179 p.vpp_tra_spi = p.vpp_tra_spi + ii
181 config_tun_params(p, self.encryption_type, self.tun_if)
182 self.multi_params.append(p)
184 p.tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
187 p.crypt_key, p.crypt_key,
188 p.auth_algo_vpp_id, p.auth_key,
190 p.tun_if.add_vpp_config()
192 p.tun_if.config_ip4()
194 VppIpRoute(self, p.remote_tun_if_host, 32,
195 [VppRoutePath(p.tun_if.remote_ip4,
196 0xffffffff)]).add_vpp_config()
199 super(TestIpsec4MultiTunIfEsp, self).tearDown()
201 def test_tun_44(self):
202 """Multiple IPSEC tunnel interfaces """
203 for p in self.multi_params:
204 self.verify_tun_44(p, count=127)
205 c = p.tun_if.get_rx_stats()
206 self.assertEqual(c['packets'], 127)
207 c = p.tun_if.get_tx_stats()
208 self.assertEqual(c['packets'], 127)
211 class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4):
212 """ IPsec IPv4 Tunnel interface all Algos """
214 encryption_type = ESP
215 tun4_encrypt_node_name = "esp4-encrypt-tun"
216 tun4_decrypt_node_name = "esp4-decrypt"
218 def config_network(self, p):
219 config_tun_params(p, self.encryption_type, self.tun_if)
221 p.tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
224 p.crypt_key, p.crypt_key,
225 p.auth_algo_vpp_id, p.auth_key,
228 p.tun_if.add_vpp_config()
230 p.tun_if.config_ip4()
231 self.logger.info(self.vapi.cli("sh ipsec sa 0"))
232 self.logger.info(self.vapi.cli("sh ipsec sa 1"))
234 p.route = VppIpRoute(self, p.remote_tun_if_host, 32,
235 [VppRoutePath(p.tun_if.remote_ip4,
237 p.route.add_vpp_config()
239 def unconfig_network(self, p):
240 p.tun_if.unconfig_ip4()
241 p.tun_if.remove_vpp_config()
242 p.route.remove_vpp_config()
245 super(TestIpsec4TunIfEspAll, self).setUp()
247 self.tun_if = self.pg0
250 super(TestIpsec4TunIfEspAll, self).tearDown()
254 # change the key and the SPI
256 p.crypt_key = 'X' + p.crypt_key[1:]
258 p.scapy_tun_sa_id += 1
261 p.tun_if.local_spi = p.vpp_tun_spi
262 p.tun_if.remote_spi = p.scapy_tun_spi
264 config_tun_params(p, self.encryption_type, self.tun_if)
266 p.tun_sa_in = VppIpsecSA(self,
273 self.vpp_esp_protocol,
274 self.tun_if.local_addr[p.addr_type],
275 self.tun_if.remote_addr[p.addr_type],
278 p.tun_sa_out = VppIpsecSA(self,
285 self.vpp_esp_protocol,
286 self.tun_if.remote_addr[p.addr_type],
287 self.tun_if.local_addr[p.addr_type],
290 p.tun_sa_in.add_vpp_config()
291 p.tun_sa_out.add_vpp_config()
293 self.vapi.ipsec_tunnel_if_set_sa(sw_if_index=p.tun_if.sw_if_index,
294 sa_id=p.tun_sa_in.id,
296 self.vapi.ipsec_tunnel_if_set_sa(sw_if_index=p.tun_if.sw_if_index,
297 sa_id=p.tun_sa_out.id,
299 self.logger.info(self.vapi.cli("sh ipsec sa"))
301 def test_tun_44(self):
302 """IPSEC tunnel all algos """
304 # foreach VPP crypto engine
305 engines = ["ia32", "ipsecmb", "openssl"]
307 # foreach crypto algorithm
308 algos = [{'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
309 IPSEC_API_CRYPTO_ALG_AES_GCM_128),
310 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
311 IPSEC_API_INTEG_ALG_NONE),
312 'scapy-crypto': "AES-GCM",
313 'scapy-integ': "NULL",
314 'key': "JPjyOWBeVEQiMe7h",
316 {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
317 IPSEC_API_CRYPTO_ALG_AES_GCM_192),
318 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
319 IPSEC_API_INTEG_ALG_NONE),
320 'scapy-crypto': "AES-GCM",
321 'scapy-integ': "NULL",
322 'key': "JPjyOWBeVEQiMe7hJPjyOWBe",
324 {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
325 IPSEC_API_CRYPTO_ALG_AES_GCM_256),
326 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
327 IPSEC_API_INTEG_ALG_NONE),
328 'scapy-crypto': "AES-GCM",
329 'scapy-integ': "NULL",
330 'key': "JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h",
332 {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
333 IPSEC_API_CRYPTO_ALG_AES_CBC_128),
334 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
335 IPSEC_API_INTEG_ALG_SHA1_96),
336 'scapy-crypto': "AES-CBC",
337 'scapy-integ': "HMAC-SHA1-96",
339 'key': "JPjyOWBeVEQiMe7h"},
340 {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
341 IPSEC_API_CRYPTO_ALG_AES_CBC_192),
342 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
343 IPSEC_API_INTEG_ALG_SHA1_96),
344 'scapy-crypto': "AES-CBC",
345 'scapy-integ': "HMAC-SHA1-96",
347 'key': "JPjyOWBeVEQiMe7hJPjyOWBe"},
348 {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
349 IPSEC_API_CRYPTO_ALG_AES_CBC_256),
350 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
351 IPSEC_API_INTEG_ALG_SHA1_96),
352 'scapy-crypto': "AES-CBC",
353 'scapy-integ': "HMAC-SHA1-96",
355 'key': "JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"}]
357 for engine in engines:
358 self.vapi.cli("set crypto handler all %s" % engine)
361 # loop through each of the algorithms
364 # with self.subTest(algo=algo['scapy']):
366 p = copy.copy(self.ipv4_params)
367 p.auth_algo_vpp_id = algo['vpp-integ']
368 p.crypt_algo_vpp_id = algo['vpp-crypto']
369 p.crypt_algo = algo['scapy-crypto']
370 p.auth_algo = algo['scapy-integ']
371 p.crypt_key = algo['key']
372 p.salt = algo['salt']
374 self.config_network(p)
376 self.verify_tun_44(p, count=127)
377 c = p.tun_if.get_rx_stats()
378 self.assertEqual(c['packets'], 127)
379 c = p.tun_if.get_tx_stats()
380 self.assertEqual(c['packets'], 127)
386 self.verify_tun_44(p, count=127)
388 self.unconfig_network(p)
389 p.tun_sa_out.remove_vpp_config()
390 p.tun_sa_in.remove_vpp_config()
393 class TestIpsec6MultiTunIfEsp(TemplateIpsec, IpsecTun6):
394 """ IPsec IPv6 Multi Tunnel interface """
396 encryption_type = ESP
397 tun6_encrypt_node_name = "esp6-encrypt-tun"
398 tun6_decrypt_node_name = "esp6-decrypt"
401 super(TestIpsec6MultiTunIfEsp, self).setUp()
403 self.tun_if = self.pg0
405 self.multi_params = []
408 p = copy.copy(self.ipv6_params)
410 p.remote_tun_if_host = "1111::%d" % (ii + 1)
411 p.scapy_tun_sa_id = p.scapy_tun_sa_id + ii
412 p.scapy_tun_spi = p.scapy_tun_spi + ii
413 p.vpp_tun_sa_id = p.vpp_tun_sa_id + ii
414 p.vpp_tun_spi = p.vpp_tun_spi + ii
416 p.scapy_tra_sa_id = p.scapy_tra_sa_id + ii
417 p.scapy_tra_spi = p.scapy_tra_spi + ii
418 p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii
419 p.vpp_tra_spi = p.vpp_tra_spi + ii
421 config_tun_params(p, self.encryption_type, self.tun_if)
422 self.multi_params.append(p)
424 p.tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
427 p.crypt_key, p.crypt_key,
428 p.auth_algo_vpp_id, p.auth_key,
429 p.auth_key, is_ip6=True)
430 p.tun_if.add_vpp_config()
432 p.tun_if.config_ip6()
434 r = VppIpRoute(self, p.remote_tun_if_host, 128,
435 [VppRoutePath(p.tun_if.remote_ip6,
437 proto=DpoProto.DPO_PROTO_IP6)])
441 super(TestIpsec6MultiTunIfEsp, self).tearDown()
443 def test_tun_66(self):
444 """Multiple IPSEC tunnel interfaces """
445 for p in self.multi_params:
446 self.verify_tun_66(p, count=127)
447 c = p.tun_if.get_rx_stats()
448 self.assertEqual(c['packets'], 127)
449 c = p.tun_if.get_tx_stats()
450 self.assertEqual(c['packets'], 127)
453 class TestIpsecGreTebIfEsp(TemplateIpsec,
455 """ Ipsec GRE TEB ESP - TUN tests """
456 tun4_encrypt_node_name = "esp4-encrypt-tun"
457 tun4_decrypt_node_name = "esp4-decrypt-tun"
458 encryption_type = ESP
459 omac = "00:11:22:33:44:55"
461 def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1,
463 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
464 sa.encrypt(IP(src=self.pg0.remote_ip4,
465 dst=self.pg0.local_ip4) /
467 Ether(dst=self.omac) /
468 IP(src="1.1.1.1", dst="1.1.1.2") /
469 UDP(sport=1144, dport=2233) /
470 Raw('X' * payload_size))
471 for i in range(count)]
473 def gen_pkts(self, sw_intf, src, dst, count=1,
475 return [Ether(dst=self.omac) /
476 IP(src="1.1.1.1", dst="1.1.1.2") /
477 UDP(sport=1144, dport=2233) /
478 Raw('X' * payload_size)
479 for i in range(count)]
481 def verify_decrypted(self, p, rxs):
483 self.assert_equal(rx[Ether].dst, self.omac)
484 self.assert_equal(rx[IP].dst, "1.1.1.2")
486 def verify_encrypted(self, p, sa, rxs):
489 pkt = sa.decrypt(rx[IP])
490 if not pkt.haslayer(IP):
491 pkt = IP(pkt[Raw].load)
492 self.assert_packet_checksums_valid(pkt)
493 self.assert_equal(pkt[IP].dst, self.pg0.remote_ip4)
494 self.assert_equal(pkt[IP].src, self.pg0.local_ip4)
495 self.assertTrue(pkt.haslayer(GRE))
497 self.assertEqual(e[Ether].dst, self.omac)
498 self.assertEqual(e[IP].dst, "1.1.1.2")
499 except (IndexError, AssertionError):
500 self.logger.debug(ppp("Unexpected packet:", rx))
502 self.logger.debug(ppp("Decrypted packet:", pkt))
508 super(TestIpsecGreTebIfEsp, self).setUp()
510 self.tun_if = self.pg0
514 bd1 = VppBridgeDomain(self, 1)
517 p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
518 p.auth_algo_vpp_id, p.auth_key,
519 p.crypt_algo_vpp_id, p.crypt_key,
520 self.vpp_esp_protocol,
523 p.tun_sa_out.add_vpp_config()
525 p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
526 p.auth_algo_vpp_id, p.auth_key,
527 p.crypt_algo_vpp_id, p.crypt_key,
528 self.vpp_esp_protocol,
531 p.tun_sa_in.add_vpp_config()
533 self.tun = VppGreInterface(self,
536 type=(VppEnum.vl_api_gre_tunnel_type_t.
537 GRE_API_TUNNEL_TYPE_TEB))
538 self.tun.add_vpp_config()
540 p.tun_protect = VppIpsecTunProtect(self,
545 p.tun_protect.add_vpp_config()
548 self.tun.config_ip4()
550 VppBridgeDomainPort(self, bd1, self.tun).add_vpp_config()
551 VppBridgeDomainPort(self, bd1, self.pg1).add_vpp_config()
553 self.vapi.cli("clear ipsec sa")
556 self.tun.unconfig_ip4()
557 super(TestIpsecGreTebIfEsp, self).tearDown()
560 class TestIpsecGreIfEsp(TemplateIpsec,
562 """ Ipsec GRE ESP - TUN tests """
563 tun4_encrypt_node_name = "esp4-encrypt-tun"
564 tun4_decrypt_node_name = "esp4-decrypt-tun"
565 encryption_type = ESP
567 def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1,
569 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
570 sa.encrypt(IP(src=self.pg0.remote_ip4,
571 dst=self.pg0.local_ip4) /
573 IP(src=self.pg1.local_ip4,
574 dst=self.pg1.remote_ip4) /
575 UDP(sport=1144, dport=2233) /
576 Raw('X' * payload_size))
577 for i in range(count)]
579 def gen_pkts(self, sw_intf, src, dst, count=1,
581 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
582 IP(src="1.1.1.1", dst="1.1.1.2") /
583 UDP(sport=1144, dport=2233) /
584 Raw('X' * payload_size)
585 for i in range(count)]
587 def verify_decrypted(self, p, rxs):
589 self.assert_equal(rx[Ether].dst, self.pg1.remote_mac)
590 self.assert_equal(rx[IP].dst, self.pg1.remote_ip4)
592 def verify_encrypted(self, p, sa, rxs):
595 pkt = sa.decrypt(rx[IP])
596 if not pkt.haslayer(IP):
597 pkt = IP(pkt[Raw].load)
598 self.assert_packet_checksums_valid(pkt)
599 self.assert_equal(pkt[IP].dst, self.pg0.remote_ip4)
600 self.assert_equal(pkt[IP].src, self.pg0.local_ip4)
601 self.assertTrue(pkt.haslayer(GRE))
603 self.assertEqual(e[IP].dst, "1.1.1.2")
604 except (IndexError, AssertionError):
605 self.logger.debug(ppp("Unexpected packet:", rx))
607 self.logger.debug(ppp("Decrypted packet:", pkt))
613 super(TestIpsecGreIfEsp, self).setUp()
615 self.tun_if = self.pg0
619 bd1 = VppBridgeDomain(self, 1)
622 p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
623 p.auth_algo_vpp_id, p.auth_key,
624 p.crypt_algo_vpp_id, p.crypt_key,
625 self.vpp_esp_protocol,
628 p.tun_sa_out.add_vpp_config()
630 p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
631 p.auth_algo_vpp_id, p.auth_key,
632 p.crypt_algo_vpp_id, p.crypt_key,
633 self.vpp_esp_protocol,
636 p.tun_sa_in.add_vpp_config()
638 self.tun = VppGreInterface(self,
641 self.tun.add_vpp_config()
643 p.tun_protect = VppIpsecTunProtect(self,
647 p.tun_protect.add_vpp_config()
650 self.tun.config_ip4()
652 VppIpRoute(self, "1.1.1.2", 32,
653 [VppRoutePath(self.tun.remote_ip4,
654 0xffffffff)]).add_vpp_config()
657 self.tun.unconfig_ip4()
658 super(TestIpsecGreIfEsp, self).tearDown()
661 class TemplateIpsec4TunProtect(object):
662 """ IPsec IPv4 Tunnel protect """
664 def config_sa_tra(self, p):
665 config_tun_params(p, self.encryption_type, self.tun_if)
667 p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
668 p.auth_algo_vpp_id, p.auth_key,
669 p.crypt_algo_vpp_id, p.crypt_key,
670 self.vpp_esp_protocol)
671 p.tun_sa_out.add_vpp_config()
673 p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
674 p.auth_algo_vpp_id, p.auth_key,
675 p.crypt_algo_vpp_id, p.crypt_key,
676 self.vpp_esp_protocol)
677 p.tun_sa_in.add_vpp_config()
679 def config_sa_tun(self, p):
680 config_tun_params(p, self.encryption_type, self.tun_if)
682 p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
683 p.auth_algo_vpp_id, p.auth_key,
684 p.crypt_algo_vpp_id, p.crypt_key,
685 self.vpp_esp_protocol,
686 self.tun_if.remote_addr[p.addr_type],
687 self.tun_if.local_addr[p.addr_type])
688 p.tun_sa_out.add_vpp_config()
690 p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
691 p.auth_algo_vpp_id, p.auth_key,
692 p.crypt_algo_vpp_id, p.crypt_key,
693 self.vpp_esp_protocol,
694 self.tun_if.remote_addr[p.addr_type],
695 self.tun_if.local_addr[p.addr_type])
696 p.tun_sa_in.add_vpp_config()
698 def config_protect(self, p):
699 p.tun_protect = VppIpsecTunProtect(self,
703 p.tun_protect.add_vpp_config()
705 def config_network(self, p):
706 p.tun_if = VppIpIpTunInterface(self, self.pg0,
709 p.tun_if.add_vpp_config()
711 p.tun_if.config_ip4()
713 p.route = VppIpRoute(self, p.remote_tun_if_host, 32,
714 [VppRoutePath(p.tun_if.remote_ip4,
716 p.route.add_vpp_config()
718 def unconfig_network(self, p):
719 p.route.remove_vpp_config()
720 p.tun_if.remove_vpp_config()
722 def unconfig_protect(self, p):
723 p.tun_protect.remove_vpp_config()
725 def unconfig_sa(self, p):
726 p.tun_sa_out.remove_vpp_config()
727 p.tun_sa_in.remove_vpp_config()
730 class TestIpsec4TunProtect(TemplateIpsec,
731 TemplateIpsec4TunProtect,
733 """ IPsec IPv4 Tunnel protect - transport mode"""
735 encryption_type = ESP
736 tun4_encrypt_node_name = "esp4-encrypt-tun"
737 tun4_decrypt_node_name = "esp4-decrypt-tun"
740 super(TestIpsec4TunProtect, self).setUp()
742 self.tun_if = self.pg0
745 super(TestIpsec4TunProtect, self).tearDown()
747 def test_tun_44(self):
748 """IPSEC tunnel protect"""
752 self.config_network(p)
753 self.config_sa_tra(p)
754 self.config_protect(p)
756 self.verify_tun_44(p, count=127)
757 c = p.tun_if.get_rx_stats()
758 self.assertEqual(c['packets'], 127)
759 c = p.tun_if.get_tx_stats()
760 self.assertEqual(c['packets'], 127)
762 # rekey - create new SAs and update the tunnel protection
764 np.crypt_key = 'X' + p.crypt_key[1:]
765 np.scapy_tun_spi += 100
766 np.scapy_tun_sa_id += 1
767 np.vpp_tun_spi += 100
768 np.vpp_tun_sa_id += 1
769 np.tun_if.local_spi = p.vpp_tun_spi
770 np.tun_if.remote_spi = p.scapy_tun_spi
772 self.config_sa_tra(np)
773 self.config_protect(np)
776 self.verify_tun_44(np, count=127)
777 c = p.tun_if.get_rx_stats()
778 self.assertEqual(c['packets'], 254)
779 c = p.tun_if.get_tx_stats()
780 self.assertEqual(c['packets'], 254)
783 self.unconfig_protect(np)
785 self.unconfig_network(p)
788 class TestIpsec4TunProtectTun(TemplateIpsec,
789 TemplateIpsec4TunProtect,
791 """ IPsec IPv4 Tunnel protect - tunnel mode"""
793 encryption_type = ESP
794 tun4_encrypt_node_name = "esp4-encrypt-tun"
795 tun4_decrypt_node_name = "esp4-decrypt-tun"
798 super(TestIpsec4TunProtectTun, self).setUp()
800 self.tun_if = self.pg0
803 super(TestIpsec4TunProtectTun, self).tearDown()
805 def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1,
807 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
808 sa.encrypt(IP(src=sw_intf.remote_ip4,
809 dst=sw_intf.local_ip4) /
810 IP(src=src, dst=dst) /
811 UDP(sport=1144, dport=2233) /
812 Raw('X' * payload_size))
813 for i in range(count)]
815 def gen_pkts(self, sw_intf, src, dst, count=1,
817 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
818 IP(src=src, dst=dst) /
819 UDP(sport=1144, dport=2233) /
820 Raw('X' * payload_size)
821 for i in range(count)]
823 def verify_decrypted(self, p, rxs):
825 self.assert_equal(rx[IP].dst, self.pg1.remote_ip4)
826 self.assert_equal(rx[IP].src, p.remote_tun_if_host)
827 self.assert_packet_checksums_valid(rx)
829 def verify_encrypted(self, p, sa, rxs):
832 pkt = sa.decrypt(rx[IP])
833 if not pkt.haslayer(IP):
834 pkt = IP(pkt[Raw].load)
835 self.assert_packet_checksums_valid(pkt)
836 self.assert_equal(pkt[IP].dst, self.pg0.remote_ip4)
837 self.assert_equal(pkt[IP].src, self.pg0.local_ip4)
838 inner = pkt[IP].payload
839 self.assertEqual(inner[IP][IP].dst, p.remote_tun_if_host)
841 except (IndexError, AssertionError):
842 self.logger.debug(ppp("Unexpected packet:", rx))
844 self.logger.debug(ppp("Decrypted packet:", pkt))
849 def test_tun_44(self):
850 """IPSEC tunnel protect """
854 self.config_network(p)
855 self.config_sa_tun(p)
856 self.config_protect(p)
858 self.verify_tun_44(p, count=127)
860 c = p.tun_if.get_rx_stats()
861 self.assertEqual(c['packets'], 127)
862 c = p.tun_if.get_tx_stats()
863 self.assertEqual(c['packets'], 127)
865 # rekey - create new SAs and update the tunnel protection
867 np.crypt_key = 'X' + p.crypt_key[1:]
868 np.scapy_tun_spi += 100
869 np.scapy_tun_sa_id += 1
870 np.vpp_tun_spi += 100
871 np.vpp_tun_sa_id += 1
872 np.tun_if.local_spi = p.vpp_tun_spi
873 np.tun_if.remote_spi = p.scapy_tun_spi
875 self.config_sa_tun(np)
876 self.config_protect(np)
879 self.verify_tun_44(np, count=127)
880 c = p.tun_if.get_rx_stats()
881 self.assertEqual(c['packets'], 254)
882 c = p.tun_if.get_tx_stats()
883 self.assertEqual(c['packets'], 254)
886 self.unconfig_protect(np)
888 self.unconfig_network(p)
891 class TemplateIpsec6TunProtect(object):
892 """ IPsec IPv6 Tunnel protect """
894 def config_sa_tra(self, p):
895 config_tun_params(p, self.encryption_type, self.tun_if)
897 p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
898 p.auth_algo_vpp_id, p.auth_key,
899 p.crypt_algo_vpp_id, p.crypt_key,
900 self.vpp_esp_protocol)
901 p.tun_sa_out.add_vpp_config()
903 p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
904 p.auth_algo_vpp_id, p.auth_key,
905 p.crypt_algo_vpp_id, p.crypt_key,
906 self.vpp_esp_protocol)
907 p.tun_sa_in.add_vpp_config()
909 def config_sa_tun(self, p):
910 config_tun_params(p, self.encryption_type, self.tun_if)
912 p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
913 p.auth_algo_vpp_id, p.auth_key,
914 p.crypt_algo_vpp_id, p.crypt_key,
915 self.vpp_esp_protocol,
916 self.tun_if.remote_addr[p.addr_type],
917 self.tun_if.local_addr[p.addr_type])
918 p.tun_sa_out.add_vpp_config()
920 p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
921 p.auth_algo_vpp_id, p.auth_key,
922 p.crypt_algo_vpp_id, p.crypt_key,
923 self.vpp_esp_protocol,
924 self.tun_if.remote_addr[p.addr_type],
925 self.tun_if.local_addr[p.addr_type])
926 p.tun_sa_in.add_vpp_config()
928 def config_protect(self, p):
929 p.tun_protect = VppIpsecTunProtect(self,
933 p.tun_protect.add_vpp_config()
935 def config_network(self, p):
936 p.tun_if = VppIpIpTunInterface(self, self.pg0,
939 p.tun_if.add_vpp_config()
941 p.tun_if.config_ip6()
943 p.route = VppIpRoute(self, p.remote_tun_if_host, 128,
944 [VppRoutePath(p.tun_if.remote_ip6,
946 proto=DpoProto.DPO_PROTO_IP6)])
947 p.route.add_vpp_config()
949 def unconfig_network(self, p):
950 p.route.remove_vpp_config()
951 p.tun_if.remove_vpp_config()
953 def unconfig_protect(self, p):
954 p.tun_protect.remove_vpp_config()
956 def unconfig_sa(self, p):
957 p.tun_sa_out.remove_vpp_config()
958 p.tun_sa_in.remove_vpp_config()
961 class TestIpsec6TunProtect(TemplateIpsec,
962 TemplateIpsec6TunProtect,
964 """ IPsec IPv6 Tunnel protect - transport mode"""
966 encryption_type = ESP
967 tun6_encrypt_node_name = "esp6-encrypt-tun"
968 tun6_decrypt_node_name = "esp6-decrypt-tun"
971 super(TestIpsec6TunProtect, self).setUp()
973 self.tun_if = self.pg0
976 super(TestIpsec6TunProtect, self).tearDown()
978 def test_tun_66(self):
979 """IPSEC tunnel protect"""
983 self.config_network(p)
984 self.config_sa_tra(p)
985 self.config_protect(p)
987 self.verify_tun_66(p, count=127)
988 c = p.tun_if.get_rx_stats()
989 self.assertEqual(c['packets'], 127)
990 c = p.tun_if.get_tx_stats()
991 self.assertEqual(c['packets'], 127)
993 # rekey - create new SAs and update the tunnel protection
995 np.crypt_key = 'X' + p.crypt_key[1:]
996 np.scapy_tun_spi += 100
997 np.scapy_tun_sa_id += 1
998 np.vpp_tun_spi += 100
999 np.vpp_tun_sa_id += 1
1000 np.tun_if.local_spi = p.vpp_tun_spi
1001 np.tun_if.remote_spi = p.scapy_tun_spi
1003 self.config_sa_tra(np)
1004 self.config_protect(np)
1007 self.verify_tun_66(np, count=127)
1008 c = p.tun_if.get_rx_stats()
1009 self.assertEqual(c['packets'], 254)
1010 c = p.tun_if.get_tx_stats()
1011 self.assertEqual(c['packets'], 254)
1014 # 1) add two input SAs [old, new]
1015 # 2) swap output SA to [new]
1016 # 3) use only [new] input SA
1018 np3.crypt_key = 'Z' + p.crypt_key[1:]
1019 np3.scapy_tun_spi += 100
1020 np3.scapy_tun_sa_id += 1
1021 np3.vpp_tun_spi += 100
1022 np3.vpp_tun_sa_id += 1
1023 np3.tun_if.local_spi = p.vpp_tun_spi
1024 np3.tun_if.remote_spi = p.scapy_tun_spi
1026 self.config_sa_tra(np3)
1029 p.tun_protect.update_vpp_config(np.tun_sa_out,
1030 [np.tun_sa_in, np3.tun_sa_in])
1031 self.verify_tun_66(np, np, count=127)
1032 self.verify_tun_66(np3, np, count=127)
1035 p.tun_protect.update_vpp_config(np3.tun_sa_out,
1036 [np.tun_sa_in, np3.tun_sa_in])
1037 self.verify_tun_66(np, np3, count=127)
1038 self.verify_tun_66(np3, np3, count=127)
1041 p.tun_protect.update_vpp_config(np3.tun_sa_out,
1043 self.verify_tun_66(np3, np3, count=127)
1044 self.verify_drop_tun_66(np, count=127)
1046 c = p.tun_if.get_rx_stats()
1047 self.assertEqual(c['packets'], 127*7)
1048 c = p.tun_if.get_tx_stats()
1049 self.assertEqual(c['packets'], 127*7)
1050 self.unconfig_sa(np)
1053 self.unconfig_protect(np3)
1054 self.unconfig_sa(np3)
1055 self.unconfig_network(p)
1058 class TestIpsec6TunProtectTun(TemplateIpsec,
1059 TemplateIpsec6TunProtect,
1061 """ IPsec IPv6 Tunnel protect - tunnel mode"""
1063 encryption_type = ESP
1064 tun6_encrypt_node_name = "esp6-encrypt-tun"
1065 tun6_decrypt_node_name = "esp6-decrypt-tun"
1068 super(TestIpsec6TunProtectTun, self).setUp()
1070 self.tun_if = self.pg0
1073 super(TestIpsec6TunProtectTun, self).tearDown()
1075 def gen_encrypt_pkts6(self, sa, sw_intf, src, dst, count=1,
1077 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
1078 sa.encrypt(IPv6(src=sw_intf.remote_ip6,
1079 dst=sw_intf.local_ip6) /
1080 IPv6(src=src, dst=dst) /
1081 UDP(sport=1166, dport=2233) /
1082 Raw('X' * payload_size))
1083 for i in range(count)]
1085 def gen_pkts6(self, sw_intf, src, dst, count=1,
1087 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
1088 IPv6(src=src, dst=dst) /
1089 UDP(sport=1166, dport=2233) /
1090 Raw('X' * payload_size)
1091 for i in range(count)]
1093 def verify_decrypted6(self, p, rxs):
1095 self.assert_equal(rx[IPv6].dst, self.pg1.remote_ip6)
1096 self.assert_equal(rx[IPv6].src, p.remote_tun_if_host)
1097 self.assert_packet_checksums_valid(rx)
1099 def verify_encrypted6(self, p, sa, rxs):
1102 pkt = sa.decrypt(rx[IPv6])
1103 if not pkt.haslayer(IPv6):
1104 pkt = IPv6(pkt[Raw].load)
1105 self.assert_packet_checksums_valid(pkt)
1106 self.assert_equal(pkt[IPv6].dst, self.pg0.remote_ip6)
1107 self.assert_equal(pkt[IPv6].src, self.pg0.local_ip6)
1108 inner = pkt[IPv6].payload
1109 self.assertEqual(inner[IPv6][IPv6].dst, p.remote_tun_if_host)
1111 except (IndexError, AssertionError):
1112 self.logger.debug(ppp("Unexpected packet:", rx))
1114 self.logger.debug(ppp("Decrypted packet:", pkt))
1119 def test_tun_66(self):
1120 """IPSEC tunnel protect """
1122 p = self.ipv6_params
1124 self.config_network(p)
1125 self.config_sa_tun(p)
1126 self.config_protect(p)
1128 self.verify_tun_66(p, count=127)
1130 c = p.tun_if.get_rx_stats()
1131 self.assertEqual(c['packets'], 127)
1132 c = p.tun_if.get_tx_stats()
1133 self.assertEqual(c['packets'], 127)
1135 # rekey - create new SAs and update the tunnel protection
1137 np.crypt_key = 'X' + p.crypt_key[1:]
1138 np.scapy_tun_spi += 100
1139 np.scapy_tun_sa_id += 1
1140 np.vpp_tun_spi += 100
1141 np.vpp_tun_sa_id += 1
1142 np.tun_if.local_spi = p.vpp_tun_spi
1143 np.tun_if.remote_spi = p.scapy_tun_spi
1145 self.config_sa_tun(np)
1146 self.config_protect(np)
1149 self.verify_tun_66(np, count=127)
1150 c = p.tun_if.get_rx_stats()
1151 self.assertEqual(c['packets'], 254)
1152 c = p.tun_if.get_tx_stats()
1153 self.assertEqual(c['packets'], 254)
1156 self.unconfig_protect(np)
1157 self.unconfig_sa(np)
1158 self.unconfig_network(p)
1161 if __name__ == '__main__':
1162 unittest.main(testRunner=VppTestRunner)
Code Review / vpp.git / blob