Revert "ipsec: VPP-1316 calculate IP/TCP/UDP inner checksums"
This reverts commit a98346f664aae148d26a8e158008b773d73db96f.
Change-Id: Iee5b3a5ddff0e8fd3a30fe5973cee24de434fe12
Signed-off-by: Ole Troan <ot@cisco.com>
diff --git a/test/bfd.py b/test/bfd.py
index d99bbf6..452a180 100644
--- a/test/bfd.py
+++ b/test/bfd.py
@@ -35,6 +35,9 @@
reverse_concatenated_path_down: "Reverse Concatenated Path Down",
}
+ def __init__(self, value):
+ NumericConstant.__init__(self, value)
+
class BFDState(NumericConstant):
""" BFD State """
@@ -50,6 +53,9 @@
up: "Up",
}
+ def __init__(self, value):
+ NumericConstant.__init__(self, value)
+
class BFDAuthType(NumericConstant):
""" BFD Authentication Type """
@@ -69,6 +75,9 @@
meticulous_keyed_sha1: "Meticulous Keyed SHA1",
}
+ def __init__(self, value):
+ NumericConstant.__init__(self, value)
+
def bfd_is_auth_used(pkt):
""" is packet authenticated? """
@@ -139,7 +148,6 @@
return self.sprintf("BFD(my_disc=%BFD.my_discriminator%,"
"your_disc=%BFD.your_discriminator%)")
-
# glue the BFD packet class to scapy parser
bind_layers(UDP, BFD, dport=BFD.udp_dport)
@@ -161,7 +169,6 @@
"BFD_VPP_ECHO(disc=%BFD_VPP_ECHO.discriminator%,"
"expire_time_clocks=%BFD_VPP_ECHO.expire_time_clocks%)")
-
# glue the BFD echo packet class to scapy parser
bind_layers(UDP, BFD_vpp_echo, dport=BFD_vpp_echo.udp_dport)
diff --git a/test/discover_tests.py b/test/discover_tests.py
index 99016e2..eea5941 100755
--- a/test/discover_tests.py
+++ b/test/discover_tests.py
@@ -30,7 +30,7 @@
continue
if not issubclass(cls, unittest.TestCase):
continue
- if name == "VppTestCase" or name.startswith("Template"):
+ if name == "VppTestCase":
continue
for method in dir(cls):
if not callable(getattr(cls, method)):
diff --git a/test/framework.py b/test/framework.py
index be8c209..f90197b 100644
--- a/test/framework.py
+++ b/test/framework.py
@@ -25,7 +25,6 @@
from log import RED, GREEN, YELLOW, double_line_delim, single_line_delim, \
getLogger, colorize
from vpp_object import VppObjectRegistry
-from util import ppp
from scapy.layers.inet import IPerror, TCPerror, UDPerror, ICMPerror
from scapy.layers.inet6 import ICMPv6DestUnreach, ICMPv6EchoRequest
from scapy.layers.inet6 import ICMPv6EchoReply
@@ -736,14 +735,11 @@
def assert_packet_checksums_valid(self, packet,
ignore_zero_udp_checksums=True):
- received = packet.__class__(str(packet))
- self.logger.debug(
- ppp("Verifying packet checksums for packet:", received))
udp_layers = ['UDP', 'UDPerror']
checksum_fields = ['cksum', 'chksum']
checksums = []
counter = 0
- temp = received.__class__(str(received))
+ temp = packet.__class__(str(packet))
while True:
layer = temp.getlayer(counter)
if layer:
@@ -758,17 +754,12 @@
else:
break
counter = counter + 1
- if 0 == len(checksums):
- return
temp = temp.__class__(str(temp))
for layer, cf in checksums:
- calc_sum = getattr(temp[layer], cf)
- self.assert_equal(
- getattr(received[layer], cf), calc_sum,
- "packet checksum on layer #%d: %s" % (layer, temp[layer].name))
- self.logger.debug(
- "Checksum field `%s` on `%s` layer has correct value `%s`" %
- (cf, temp[layer].name, calc_sum))
+ self.assert_equal(getattr(packet[layer], cf),
+ getattr(temp[layer], cf),
+ "packet checksum on layer #%d: %s" % (
+ layer, temp[layer].name))
def assert_checksum_valid(self, received_packet, layer,
field_name='chksum',
diff --git a/test/template_ipsec.py b/test/template_ipsec.py
deleted file mode 100644
index 9d95185..0000000
--- a/test/template_ipsec.py
+++ /dev/null
@@ -1,208 +0,0 @@
-import unittest
-
-from scapy.layers.inet import IP, ICMP, TCP
-from scapy.layers.ipsec import SecurityAssociation
-from scapy.layers.l2 import Ether, Raw
-
-from framework import VppTestCase, VppTestRunner
-from util import ppp
-
-
-class TemplateIpsec(VppTestCase):
- """
- TRANSPORT MODE:
-
- ------ encrypt ---
- |tra_if| <-------> |VPP|
- ------ decrypt ---
-
- TUNNEL MODE:
-
- ------ encrypt --- plain ---
- |tun_if| <------- |VPP| <------ |pg1|
- ------ --- ---
-
- ------ decrypt --- plain ---
- |tun_if| -------> |VPP| ------> |pg1|
- ------ --- ---
- """
-
- remote_tun_if_host = '1.1.1.1'
- payload = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
-
- tun_spd_id = 1
- scapy_tun_sa_id = 10
- scapy_tun_spi = 1001
- vpp_tun_sa_id = 20
- vpp_tun_spi = 1000
-
- tra_spd_id = 2
- scapy_tra_sa_id = 30
- scapy_tra_spi = 2001
- vpp_tra_sa_id = 40
- vpp_tra_spi = 2000
-
- vpp_esp_protocol = 1
- vpp_ah_protocol = 0
-
- auth_algo_vpp_id = 2 # internal VPP enum value for SHA1_96
- auth_algo = 'HMAC-SHA1-96' # scapy name
- auth_key = 'C91KUR9GYMm5GfkEvNjX'
-
- crypt_algo_vpp_id = 1 # internal VPP enum value for AES_CBC_128
- crypt_algo = 'AES-CBC' # scapy name
- crypt_key = 'JPjyOWBeVEQiMe7h'
-
- @classmethod
- def setUpClass(cls):
- super(TemplateIpsec, cls).setUpClass()
- cls.create_pg_interfaces(range(3))
- cls.interfaces = list(cls.pg_interfaces)
- for i in cls.interfaces:
- i.admin_up()
- i.config_ip4()
- i.resolve_arp()
-
- def tearDown(self):
- super(TemplateIpsec, self).tearDown()
- if not self.vpp_dead:
- self.vapi.cli("show hardware")
-
- def send_and_expect(self, input, pkts, output, count=1):
- input.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- rx = output.get_capture(count)
- return rx
-
- def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1):
- return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
- sa.encrypt(IP(src=src, dst=dst) / ICMP() / self.payload)
- for i in range(count)]
-
- def gen_pkts(self, sw_intf, src, dst, count=1):
- return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
- IP(src=src, dst=dst) / ICMP() / self.payload
- for i in range(count)]
-
- def configure_sa_tun(self):
- scapy_tun_sa = SecurityAssociation(self.encryption_type,
- spi=self.vpp_tun_spi,
- crypt_algo=self.crypt_algo,
- crypt_key=self.crypt_key,
- auth_algo=self.auth_algo,
- auth_key=self.auth_key,
- tunnel_header=IP(
- src=self.tun_if.remote_ip4,
- dst=self.tun_if.local_ip4))
- vpp_tun_sa = SecurityAssociation(self.encryption_type,
- spi=self.scapy_tun_spi,
- crypt_algo=self.crypt_algo,
- crypt_key=self.crypt_key,
- auth_algo=self.auth_algo,
- auth_key=self.auth_key,
- tunnel_header=IP(
- dst=self.tun_if.remote_ip4,
- src=self.tun_if.local_ip4))
- return vpp_tun_sa, scapy_tun_sa
-
- def configure_sa_tra(self):
- scapy_tra_sa = SecurityAssociation(self.encryption_type,
- spi=self.vpp_tra_spi,
- crypt_algo=self.crypt_algo,
- crypt_key=self.crypt_key,
- auth_algo=self.auth_algo,
- auth_key=self.auth_key)
- vpp_tra_sa = SecurityAssociation(self.encryption_type,
- spi=self.scapy_tra_spi,
- crypt_algo=self.crypt_algo,
- crypt_key=self.crypt_key,
- auth_algo=self.auth_algo,
- auth_key=self.auth_key)
- return vpp_tra_sa, scapy_tra_sa
-
-
-class IpsecTcpTests(object):
- def test_tcp_checksum(self):
- """ verify checksum correctness for vpp generated packets """
- self.vapi.cli("test http server")
- vpp_tun_sa, scapy_tun_sa = self.configure_sa_tun()
- send = (Ether(src=self.tun_if.remote_mac, dst=self.tun_if.local_mac) /
- scapy_tun_sa.encrypt(IP(src=self.remote_tun_if_host,
- dst=self.tun_if.local_ip4) /
- TCP(flags='S', dport=80)))
- self.logger.debug(ppp("Sending packet:", send))
- recv = self.send_and_expect(self.tun_if, [send], self.tun_if, 1)
- recv = recv[0]
- decrypted = vpp_tun_sa.decrypt(recv[IP])
- self.assert_packet_checksums_valid(decrypted)
-
-
-class IpsecTraTests(object):
- def test_tra_basic(self, count=1):
- """ ipsec v4 transport basic test """
- try:
- vpp_tra_sa, scapy_tra_sa = self.configure_sa_tra()
- send_pkts = self.gen_encrypt_pkts(scapy_tra_sa, self.tra_if,
- src=self.tra_if.remote_ip4,
- dst=self.tra_if.local_ip4,
- count=count)
- recv_pkts = self.send_and_expect(self.tra_if, send_pkts,
- self.tra_if, count=count)
- for p in recv_pkts:
- decrypted = vpp_tra_sa.decrypt(p[IP])
- self.assert_packet_checksums_valid(decrypted)
- finally:
- self.logger.info(self.vapi.ppcli("show error"))
- self.logger.info(self.vapi.ppcli("show ipsec"))
-
- def test_tra_burst(self):
- """ ipsec v4 transport burst test """
- try:
- self.test_tra_basic(count=257)
- finally:
- self.logger.info(self.vapi.ppcli("show error"))
- self.logger.info(self.vapi.ppcli("show ipsec"))
-
-
-class IpsecTunTests(object):
- def test_tun_basic(self, count=1):
- """ ipsec 4o4 tunnel basic test """
- try:
- vpp_tun_sa, scapy_tun_sa = self.configure_sa_tun()
- send_pkts = self.gen_encrypt_pkts(scapy_tun_sa, self.tun_if,
- src=self.remote_tun_if_host,
- dst=self.pg1.remote_ip4,
- count=count)
- recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1,
- count=count)
- for recv_pkt in recv_pkts:
- self.assert_equal(recv_pkt[IP].src, self.remote_tun_if_host)
- self.assert_equal(recv_pkt[IP].dst, self.pg1.remote_ip4)
- self.assert_packet_checksums_valid(recv_pkt)
- send_pkts = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4,
- dst=self.remote_tun_if_host, count=count)
- recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.tun_if,
- count=count)
- for recv_pkt in recv_pkts:
- decrypt_pkt = vpp_tun_sa.decrypt(recv_pkt[IP])
- if not decrypt_pkt.haslayer(IP):
- decrypt_pkt = IP(decrypt_pkt[Raw].load)
- self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip4)
- self.assert_equal(decrypt_pkt.dst, self.remote_tun_if_host)
- self.assert_packet_checksums_valid(decrypt_pkt)
- finally:
- self.logger.info(self.vapi.ppcli("show error"))
- self.logger.info(self.vapi.ppcli("show ipsec"))
-
- def test_tun_burst(self):
- """ ipsec 4o4 tunnel burst test """
- try:
- self.test_tun_basic(count=257)
- finally:
- self.logger.info(self.vapi.ppcli("show error"))
- self.logger.info(self.vapi.ppcli("show ipsec"))
-
-
-if __name__ == '__main__':
- unittest.main(testRunner=VppTestRunner)
diff --git a/test/test_ipsec_ah.py b/test/test_ipsec_ah.py
index 729f871..d173b2e 100644
--- a/test/test_ipsec_ah.py
+++ b/test/test_ipsec_ah.py
@@ -1,14 +1,14 @@
import socket
import unittest
-from scapy.layers.ipsec import AH
+from scapy.layers.inet import IP, ICMP
+from scapy.layers.l2 import Ether, Raw
+from scapy.layers.ipsec import SecurityAssociation, AH
-from framework import VppTestRunner
-from template_ipsec import TemplateIpsec, IpsecTraTests, IpsecTunTests
-from template_ipsec import IpsecTcpTests
+from framework import VppTestCase, VppTestRunner
-class TemplateIpsecAh(TemplateIpsec):
+class TestIpsecAh(VppTestCase):
"""
Basic test for IPSEC using AH transport and Tunnel mode
@@ -41,123 +41,214 @@
Note : IPv6 is not covered
"""
- encryption_type = AH
+ remote_pg0_lb_addr = '1.1.1.1'
+ remote_pg1_lb_addr = '2.2.2.2'
+ payload = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
@classmethod
def setUpClass(cls):
- super(TemplateIpsecAh, cls).setUpClass()
- cls.tun_if = cls.pg0
- cls.tra_if = cls.pg2
- cls.logger.info(cls.vapi.ppcli("show int addr"))
- cls.config_ah_tra()
- cls.logger.info(cls.vapi.ppcli("show ipsec"))
- cls.config_ah_tun()
- cls.logger.info(cls.vapi.ppcli("show ipsec"))
- src4 = socket.inet_pton(socket.AF_INET, cls.remote_tun_if_host)
- cls.vapi.ip_add_del_route(src4, 32, cls.tun_if.remote_ip4n)
+ super(TestIpsecAh, cls).setUpClass()
+ try:
+ cls.create_pg_interfaces(range(3))
+ cls.interfaces = list(cls.pg_interfaces)
+ for i in cls.interfaces:
+ i.admin_up()
+ i.config_ip4()
+ i.resolve_arp()
+ cls.logger.info(cls.vapi.ppcli("show int addr"))
+ cls.config_ah_tra()
+ cls.logger.info(cls.vapi.ppcli("show ipsec"))
+ cls.config_ah_tun()
+ cls.logger.info(cls.vapi.ppcli("show ipsec"))
+ except Exception:
+ super(TestIpsecAh, cls).tearDownClass()
+ raise
@classmethod
def config_ah_tun(cls):
- cls.vapi.ipsec_sad_add_del_entry(cls.scapy_tun_sa_id,
- cls.scapy_tun_spi,
- cls.auth_algo_vpp_id, cls.auth_key,
- cls.crypt_algo_vpp_id,
- cls.crypt_key, cls.vpp_ah_protocol,
- cls.tun_if.local_ip4n,
- cls.tun_if.remote_ip4n)
- cls.vapi.ipsec_sad_add_del_entry(cls.vpp_tun_sa_id,
- cls.vpp_tun_spi,
- cls.auth_algo_vpp_id, cls.auth_key,
- cls.crypt_algo_vpp_id,
- cls.crypt_key, cls.vpp_ah_protocol,
- cls.tun_if.remote_ip4n,
- cls.tun_if.local_ip4n)
- cls.vapi.ipsec_spd_add_del(cls.tun_spd_id)
- cls.vapi.ipsec_interface_add_del_spd(cls.tun_spd_id,
- cls.tun_if.sw_if_index)
+ spd_id = 1
+ remote_sa_id = 10
+ local_sa_id = 20
+ remote_tun_spi = 1001
+ local_tun_spi = 1000
+ src4 = socket.inet_pton(socket.AF_INET, cls.remote_pg0_lb_addr)
+ cls.vapi.ip_add_del_route(src4, 32, cls.pg0.remote_ip4n)
+ dst4 = socket.inet_pton(socket.AF_INET, cls.remote_pg1_lb_addr)
+ cls.vapi.ip_add_del_route(dst4, 32, cls.pg1.remote_ip4n)
+ cls.vapi.ipsec_sad_add_del_entry(remote_sa_id, remote_tun_spi,
+ cls.pg0.local_ip4n,
+ cls.pg0.remote_ip4n,
+ integrity_key_length=20)
+ cls.vapi.ipsec_sad_add_del_entry(local_sa_id, local_tun_spi,
+ cls.pg0.remote_ip4n,
+ cls.pg0.local_ip4n,
+ integrity_key_length=20)
+ cls.vapi.ipsec_spd_add_del(spd_id)
+ cls.vapi.ipsec_interface_add_del_spd(spd_id, cls.pg0.sw_if_index)
l_startaddr = r_startaddr = socket.inet_pton(socket.AF_INET, "0.0.0.0")
l_stopaddr = r_stopaddr = socket.inet_pton(socket.AF_INET,
"255.255.255.255")
- cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.vpp_tun_sa_id,
- l_startaddr, l_stopaddr, r_startaddr,
- r_stopaddr,
+ cls.vapi.ipsec_spd_add_del_entry(spd_id, l_startaddr, l_stopaddr,
+ r_startaddr, r_stopaddr,
protocol=socket.IPPROTO_AH)
- cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.vpp_tun_sa_id,
- l_startaddr, l_stopaddr, r_startaddr,
- r_stopaddr, is_outbound=0,
- protocol=socket.IPPROTO_AH)
+ cls.vapi.ipsec_spd_add_del_entry(spd_id, l_startaddr, l_stopaddr,
+ r_startaddr, r_stopaddr,
+ protocol=socket.IPPROTO_AH,
+ is_outbound=0)
l_startaddr = l_stopaddr = socket.inet_pton(socket.AF_INET,
- cls.remote_tun_if_host)
- r_startaddr = r_stopaddr = cls.pg1.remote_ip4n
- cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.vpp_tun_sa_id,
- l_startaddr, l_stopaddr, r_startaddr,
- r_stopaddr, priority=10, policy=3,
- is_outbound=0)
- cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id,
- r_startaddr, r_stopaddr, l_startaddr,
- l_stopaddr, priority=10, policy=3)
- r_startaddr = r_stopaddr = cls.pg0.local_ip4n
- cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.vpp_tun_sa_id,
- l_startaddr, l_stopaddr, r_startaddr,
- r_stopaddr, priority=20, policy=3,
- is_outbound=0)
- cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id,
- r_startaddr, r_stopaddr, l_startaddr,
- l_stopaddr, priority=20, policy=3)
+ cls.remote_pg0_lb_addr)
+ r_startaddr = r_stopaddr = socket.inet_pton(socket.AF_INET,
+ cls.remote_pg1_lb_addr)
+ cls.vapi.ipsec_spd_add_del_entry(spd_id, l_startaddr, l_stopaddr,
+ r_startaddr, r_stopaddr,
+ priority=10, policy=3,
+ is_outbound=0, sa_id=local_sa_id)
+ cls.vapi.ipsec_spd_add_del_entry(spd_id, r_startaddr, r_stopaddr,
+ l_startaddr, l_stopaddr, priority=10,
+ policy=3, sa_id=remote_sa_id)
@classmethod
def config_ah_tra(cls):
- cls.vapi.ipsec_sad_add_del_entry(cls.scapy_tra_sa_id,
- cls.scapy_tra_spi,
- cls.auth_algo_vpp_id, cls.auth_key,
- cls.crypt_algo_vpp_id,
- cls.crypt_key, cls.vpp_ah_protocol,
- is_tunnel=0)
- cls.vapi.ipsec_sad_add_del_entry(cls.vpp_tra_sa_id,
- cls.vpp_tra_spi,
- cls.auth_algo_vpp_id, cls.auth_key,
- cls.crypt_algo_vpp_id,
- cls.crypt_key, cls.vpp_ah_protocol,
- is_tunnel=0)
- cls.vapi.ipsec_spd_add_del(cls.tra_spd_id)
- cls.vapi.ipsec_interface_add_del_spd(cls.tra_spd_id,
- cls.tra_if.sw_if_index)
+ spd_id = 2
+ remote_sa_id = 30
+ local_sa_id = 40
+ remote_tra_spi = 2001
+ local_tra_spi = 2000
+ cls.vapi.ipsec_sad_add_del_entry(remote_sa_id, remote_tra_spi,
+ integrity_key_length=20, is_tunnel=0)
+ cls.vapi.ipsec_sad_add_del_entry(local_sa_id, local_tra_spi,
+ integrity_key_length=20, is_tunnel=0)
+ cls.vapi.ipsec_spd_add_del(spd_id)
+ cls.vapi.ipsec_interface_add_del_spd(spd_id, cls.pg2.sw_if_index)
l_startaddr = r_startaddr = socket.inet_pton(socket.AF_INET, "0.0.0.0")
l_stopaddr = r_stopaddr = socket.inet_pton(socket.AF_INET,
"255.255.255.255")
- cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.vpp_tra_sa_id,
- l_startaddr, l_stopaddr, r_startaddr,
- r_stopaddr,
+ cls.vapi.ipsec_spd_add_del_entry(spd_id, l_startaddr, l_stopaddr,
+ r_startaddr, r_stopaddr,
protocol=socket.IPPROTO_AH)
- cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.scapy_tra_sa_id,
- l_startaddr, l_stopaddr, r_startaddr,
- r_stopaddr, is_outbound=0,
- protocol=socket.IPPROTO_AH)
- l_startaddr = l_stopaddr = cls.tra_if.local_ip4n
- r_startaddr = r_stopaddr = cls.tra_if.remote_ip4n
- cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.vpp_tra_sa_id,
- l_startaddr, l_stopaddr, r_startaddr,
- r_stopaddr, priority=10, policy=3,
+ cls.vapi.ipsec_spd_add_del_entry(spd_id, l_startaddr, l_stopaddr,
+ r_startaddr, r_stopaddr,
+ protocol=socket.IPPROTO_AH,
is_outbound=0)
- cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.scapy_tra_sa_id,
- l_startaddr, l_stopaddr, r_startaddr,
- r_stopaddr, priority=10,
- policy=3)
+ l_startaddr = l_stopaddr = cls.pg2.local_ip4n
+ r_startaddr = r_stopaddr = cls.pg2.remote_ip4n
+ cls.vapi.ipsec_spd_add_del_entry(spd_id, l_startaddr, l_stopaddr,
+ r_startaddr, r_stopaddr,
+ priority=10, policy=3,
+ is_outbound=0, sa_id=local_sa_id)
+ cls.vapi.ipsec_spd_add_del_entry(spd_id, l_startaddr, l_stopaddr,
+ r_startaddr, r_stopaddr, priority=10,
+ policy=3, sa_id=remote_sa_id)
+
+ def configure_scapy_sa_tun(self):
+ remote_tun_sa = SecurityAssociation(AH, spi=0x000003e8,
+ auth_algo='HMAC-SHA1-96',
+ auth_key='C91KUR9GYMm5GfkEvNjX',
+ tunnel_header=IP(
+ src=self.pg0.remote_ip4,
+ dst=self.pg0.local_ip4))
+ local_tun_sa = SecurityAssociation(AH, spi=0x000003e9,
+ auth_algo='HMAC-SHA1-96',
+ auth_key='C91KUR9GYMm5GfkEvNjX',
+ tunnel_header=IP(
+ dst=self.pg0.remote_ip4,
+ src=self.pg0.local_ip4))
+ return local_tun_sa, remote_tun_sa
+
+ def configure_scapy_sa_tra(self):
+ remote_tra_sa = SecurityAssociation(AH, spi=0x000007d0,
+ auth_algo='HMAC-SHA1-96',
+ auth_key='C91KUR9GYMm5GfkEvNjX')
+ local_tra_sa = SecurityAssociation(AH, spi=0x000007d1,
+ auth_algo='HMAC-SHA1-96',
+ auth_key='C91KUR9GYMm5GfkEvNjX')
+ return local_tra_sa, remote_tra_sa
def tearDown(self):
- super(TemplateIpsecAh, self).tearDown()
+ super(TestIpsecAh, self).tearDown()
if not self.vpp_dead:
self.vapi.cli("show hardware")
+ def send_and_expect(self, input, pkts, output, count=1):
+ input.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ rx = output.get_capture(count)
+ return rx
-class TestIpsecAh1(TemplateIpsecAh, IpsecTraTests, IpsecTunTests):
- """ Ipsec AH - TUN & TRA tests """
- pass
+ def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1):
+ return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
+ sa.encrypt(IP(src=src, dst=dst) / ICMP() / self.payload)
+ ] * count
+ def gen_pkts(self, sw_intf, src, dst, count=1):
+ return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
+ IP(src=src, dst=dst) / ICMP() / self.payload
+ ] * count
-class TestIpsecAh2(TemplateIpsecAh, IpsecTcpTests):
- """ Ipsec AH - TCP tests """
- pass
+ def test_ipsec_ah_tra_basic(self, count=1):
+ """ ipsec ah v4 transport basic test """
+ try:
+ local_tra_sa, remote_tra_sa = self.configure_scapy_sa_tra()
+ send_pkts = self.gen_encrypt_pkts(remote_tra_sa, self.pg2,
+ src=self.pg2.remote_ip4,
+ dst=self.pg2.local_ip4,
+ count=count)
+ recv_pkts = self.send_and_expect(self.pg2, send_pkts, self.pg2,
+ count=count)
+ # ESP TRA VPP encryption/decryption verification
+ for Pkts in recv_pkts:
+ Pkts[AH].padding = Pkts[AH].icv[12:]
+ Pkts[AH].icv = Pkts[AH].icv[:12]
+ local_tra_sa.decrypt(Pkts[IP])
+ finally:
+ self.logger.info(self.vapi.ppcli("show error"))
+ self.logger.info(self.vapi.ppcli("show ipsec"))
+
+ def test_ipsec_ah_tra_burst(self):
+ """ ipsec ah v4 transport burst test """
+ try:
+ self.test_ipsec_ah_tra_basic(count=257)
+ finally:
+ self.logger.info(self.vapi.ppcli("show error"))
+ self.logger.info(self.vapi.ppcli("show ipsec"))
+
+ def test_ipsec_ah_tun_basic(self, count=1):
+ """ ipsec ah 4o4 tunnel basic test """
+ try:
+ local_tun_sa, remote_tun_sa = self.configure_scapy_sa_tun()
+ send_pkts = self.gen_encrypt_pkts(remote_tun_sa, self.pg0,
+ src=self.remote_pg0_lb_addr,
+ dst=self.remote_pg1_lb_addr,
+ count=count)
+ recv_pkts = self.send_and_expect(self.pg0, send_pkts, self.pg1,
+ count=count)
+ # ESP TUN VPP decryption verification
+ for recv_pkt in recv_pkts:
+ self.assert_equal(recv_pkt[IP].src, self.remote_pg0_lb_addr)
+ self.assert_equal(recv_pkt[IP].dst, self.remote_pg1_lb_addr)
+ send_pkts = self.gen_pkts(self.pg1, src=self.remote_pg1_lb_addr,
+ dst=self.remote_pg0_lb_addr,
+ count=count)
+ recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.pg0,
+ count=count)
+ # ESP TUN VPP encryption verification
+ for recv_pkt in recv_pkts:
+ decrypt_pkt = local_tun_sa.decrypt(recv_pkt[IP])
+ decrypt_pkt = IP(decrypt_pkt[Raw].load)
+ self.assert_equal(decrypt_pkt.src, self.remote_pg1_lb_addr)
+ self.assert_equal(decrypt_pkt.dst, self.remote_pg0_lb_addr)
+ finally:
+ self.logger.info(self.vapi.ppcli("show error"))
+ self.logger.info(self.vapi.ppcli("show ipsec"))
+
+ def test_ipsec_ah_tun_burst(self):
+ """ ipsec ah 4o4 tunnel burst test """
+ try:
+ self.test_ipsec_ah_tun_basic(count=257)
+ finally:
+ self.logger.info(self.vapi.ppcli("show error"))
+ self.logger.info(self.vapi.ppcli("show ipsec"))
if __name__ == '__main__':
diff --git a/test/test_ipsec_esp.py b/test/test_ipsec_esp.py
index 58d159a..15ce4a9 100644
--- a/test/test_ipsec_esp.py
+++ b/test/test_ipsec_esp.py
@@ -1,13 +1,14 @@
import socket
import unittest
-from scapy.layers.ipsec import ESP
-from framework import VppTestRunner
-from template_ipsec import IpsecTraTests, IpsecTunTests
-from template_ipsec import TemplateIpsec, IpsecTcpTests
+from scapy.layers.inet import IP, ICMP
+from scapy.layers.l2 import Ether
+from scapy.layers.ipsec import SecurityAssociation, ESP
+
+from framework import VppTestCase, VppTestRunner
-class TemplateIpsecEsp(TemplateIpsec):
+class TestIpsecEsp(VppTestCase):
"""
Basic test for ipsec esp sanity - tunnel and transport modes.
@@ -40,121 +41,298 @@
Note : IPv6 is not covered
"""
- encryption_type = ESP
+ remote_pg0_lb_addr = '1.1.1.1'
+ remote_pg1_lb_addr = '2.2.2.2'
@classmethod
def setUpClass(cls):
- super(TemplateIpsecEsp, cls).setUpClass()
- cls.tun_if = cls.pg0
- cls.tra_if = cls.pg2
- cls.logger.info(cls.vapi.ppcli("show int addr"))
- cls.config_esp_tra()
- cls.logger.info(cls.vapi.ppcli("show ipsec"))
- cls.config_esp_tun()
- cls.logger.info(cls.vapi.ppcli("show ipsec"))
- src4 = socket.inet_pton(socket.AF_INET, cls.remote_tun_if_host)
- cls.vapi.ip_add_del_route(src4, 32, cls.tun_if.remote_ip4n)
+ super(TestIpsecEsp, cls).setUpClass()
+ try:
+ cls.create_pg_interfaces(range(3))
+ cls.interfaces = list(cls.pg_interfaces)
+ for i in cls.interfaces:
+ i.admin_up()
+ i.config_ip4()
+ i.resolve_arp()
+ cls.logger.info(cls.vapi.ppcli("show int addr"))
+ cls.configEspTra()
+ cls.logger.info(cls.vapi.ppcli("show ipsec"))
+ cls.configEspTun()
+ cls.logger.info(cls.vapi.ppcli("show ipsec"))
+ except Exception:
+ super(TestIpsecEsp, cls).tearDownClass()
+ raise
@classmethod
- def config_esp_tun(cls):
- cls.vapi.ipsec_sad_add_del_entry(cls.scapy_tun_sa_id,
- cls.scapy_tun_spi,
- cls.auth_algo_vpp_id, cls.auth_key,
- cls.crypt_algo_vpp_id,
- cls.crypt_key, cls.vpp_esp_protocol,
- cls.tun_if.local_ip4n,
- cls.tun_if.remote_ip4n)
- cls.vapi.ipsec_sad_add_del_entry(cls.vpp_tun_sa_id,
- cls.vpp_tun_spi,
- cls.auth_algo_vpp_id, cls.auth_key,
- cls.crypt_algo_vpp_id,
- cls.crypt_key, cls.vpp_esp_protocol,
- cls.tun_if.remote_ip4n,
- cls.tun_if.local_ip4n)
- cls.vapi.ipsec_spd_add_del(cls.tun_spd_id)
- cls.vapi.ipsec_interface_add_del_spd(cls.tun_spd_id,
- cls.tun_if.sw_if_index)
- l_startaddr = r_startaddr = socket.inet_pton(socket.AF_INET,
- "0.0.0.0")
- l_stopaddr = r_stopaddr = socket.inet_pton(socket.AF_INET,
- "255.255.255.255")
- cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id,
- l_startaddr, l_stopaddr, r_startaddr,
- r_stopaddr,
- protocol=socket.IPPROTO_ESP)
- cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id,
- l_startaddr, l_stopaddr, r_startaddr,
- r_stopaddr, is_outbound=0,
- protocol=socket.IPPROTO_ESP)
- l_startaddr = l_stopaddr = socket.inet_pton(socket.AF_INET,
- cls.remote_tun_if_host)
- r_startaddr = r_stopaddr = cls.pg1.remote_ip4n
- cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.vpp_tun_sa_id,
- l_startaddr, l_stopaddr, r_startaddr,
- r_stopaddr, priority=10, policy=3,
- is_outbound=0)
- cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id,
- r_startaddr, r_stopaddr, l_startaddr,
- l_stopaddr, priority=10, policy=3)
- l_startaddr = l_stopaddr = socket.inet_pton(socket.AF_INET,
- cls.remote_tun_if_host)
- r_startaddr = r_stopaddr = cls.pg0.local_ip4n
- cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.vpp_tun_sa_id,
- l_startaddr, l_stopaddr, r_startaddr,
- r_stopaddr, priority=20, policy=3,
- is_outbound=0)
- cls.vapi.ipsec_spd_add_del_entry(cls.tun_spd_id, cls.scapy_tun_sa_id,
- r_startaddr, r_stopaddr, l_startaddr,
- l_stopaddr, priority=20, policy=3)
+ def configEspTun(cls):
+ try:
+ spd_id = 1
+ remote_sa_id = 10
+ local_sa_id = 20
+ remote_tun_spi = 1001
+ local_tun_spi = 1000
+ src4 = socket.inet_pton(socket.AF_INET, cls.remote_pg0_lb_addr)
+ cls.vapi.ip_add_del_route(src4, 32, cls.pg0.remote_ip4n)
+ dst4 = socket.inet_pton(socket.AF_INET, cls.remote_pg1_lb_addr)
+ cls.vapi.ip_add_del_route(dst4, 32, cls.pg1.remote_ip4n)
+ cls.vapi.ipsec_sad_add_del_entry(
+ remote_sa_id,
+ remote_tun_spi,
+ cls.pg0.local_ip4n,
+ cls.pg0.remote_ip4n,
+ integrity_key_length=20,
+ crypto_key_length=16,
+ protocol=1)
+ cls.vapi.ipsec_sad_add_del_entry(
+ local_sa_id,
+ local_tun_spi,
+ cls.pg0.remote_ip4n,
+ cls.pg0.local_ip4n,
+ integrity_key_length=20,
+ crypto_key_length=16,
+ protocol=1)
+ cls.vapi.ipsec_spd_add_del(spd_id)
+ cls.vapi.ipsec_interface_add_del_spd(spd_id, cls.pg0.sw_if_index)
+ l_startaddr = r_startaddr = socket.inet_pton(
+ socket.AF_INET, "0.0.0.0")
+ l_stopaddr = r_stopaddr = socket.inet_pton(
+ socket.AF_INET, "255.255.255.255")
+ cls.vapi.ipsec_spd_add_del_entry(
+ spd_id,
+ l_startaddr,
+ l_stopaddr,
+ r_startaddr,
+ r_stopaddr,
+ protocol=socket.IPPROTO_ESP)
+ cls.vapi.ipsec_spd_add_del_entry(
+ spd_id,
+ l_startaddr,
+ l_stopaddr,
+ r_startaddr,
+ r_stopaddr,
+ protocol=socket.IPPROTO_ESP,
+ is_outbound=0)
+ l_startaddr = l_stopaddr = socket.inet_pton(
+ socket.AF_INET, cls.remote_pg0_lb_addr)
+ r_startaddr = r_stopaddr = socket.inet_pton(
+ socket.AF_INET, cls.remote_pg1_lb_addr)
+ cls.vapi.ipsec_spd_add_del_entry(
+ spd_id,
+ l_startaddr,
+ l_stopaddr,
+ r_startaddr,
+ r_stopaddr,
+ priority=10,
+ policy=3,
+ is_outbound=0,
+ sa_id=local_sa_id)
+ cls.vapi.ipsec_spd_add_del_entry(
+ spd_id,
+ r_startaddr,
+ r_stopaddr,
+ l_startaddr,
+ l_stopaddr,
+ priority=10,
+ policy=3,
+ sa_id=remote_sa_id)
+ except Exception:
+ raise
@classmethod
- def config_esp_tra(cls):
- cls.vapi.ipsec_sad_add_del_entry(cls.scapy_tra_sa_id,
- cls.scapy_tra_spi,
- cls.auth_algo_vpp_id, cls.auth_key,
- cls.crypt_algo_vpp_id,
- cls.crypt_key, cls.vpp_esp_protocol,
- is_tunnel=0)
- cls.vapi.ipsec_sad_add_del_entry(cls.vpp_tra_sa_id,
- cls.vpp_tra_spi,
- cls.auth_algo_vpp_id, cls.auth_key,
- cls.crypt_algo_vpp_id,
- cls.crypt_key, cls.vpp_esp_protocol,
- is_tunnel=0)
- cls.vapi.ipsec_spd_add_del(cls.tra_spd_id)
- cls.vapi.ipsec_interface_add_del_spd(cls.tra_spd_id,
- cls.tra_if.sw_if_index)
- l_startaddr = r_startaddr = socket.inet_pton(socket.AF_INET,
- "0.0.0.0")
- l_stopaddr = r_stopaddr = socket.inet_pton(socket.AF_INET,
- "255.255.255.255")
- cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.vpp_tra_sa_id,
- l_startaddr, l_stopaddr, r_startaddr,
- r_stopaddr,
- protocol=socket.IPPROTO_ESP)
- cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.vpp_tra_sa_id,
- l_startaddr, l_stopaddr, r_startaddr,
- r_stopaddr, is_outbound=0,
- protocol=socket.IPPROTO_ESP)
- l_startaddr = l_stopaddr = cls.tra_if.local_ip4n
- r_startaddr = r_stopaddr = cls.tra_if.remote_ip4n
- cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.vpp_tra_sa_id,
- l_startaddr, l_stopaddr, r_startaddr,
- r_stopaddr, priority=10, policy=3,
- is_outbound=0)
- cls.vapi.ipsec_spd_add_del_entry(cls.tra_spd_id, cls.scapy_tra_sa_id,
- l_startaddr, l_stopaddr, r_startaddr,
- r_stopaddr, priority=10, policy=3)
+ def configEspTra(cls):
+ try:
+ spd_id = 2
+ remote_sa_id = 30
+ local_sa_id = 40
+ remote_tra_spi = 2001
+ local_tra_spi = 2000
+ cls.vapi.ipsec_sad_add_del_entry(
+ remote_sa_id,
+ remote_tra_spi,
+ integrity_key_length=20,
+ crypto_key_length=16,
+ protocol=1,
+ is_tunnel=0)
+ cls.vapi.ipsec_sad_add_del_entry(
+ local_sa_id,
+ local_tra_spi,
+ integrity_key_length=20,
+ crypto_key_length=16,
+ protocol=1,
+ is_tunnel=0)
+ cls.vapi.ipsec_spd_add_del(spd_id)
+ cls.vapi.ipsec_interface_add_del_spd(spd_id, cls.pg2.sw_if_index)
+ l_startaddr = r_startaddr = socket.inet_pton(
+ socket.AF_INET, "0.0.0.0")
+ l_stopaddr = r_stopaddr = socket.inet_pton(
+ socket.AF_INET, "255.255.255.255")
+ cls.vapi.ipsec_spd_add_del_entry(
+ spd_id,
+ l_startaddr,
+ l_stopaddr,
+ r_startaddr,
+ r_stopaddr,
+ protocol=socket.IPPROTO_ESP)
+ cls.vapi.ipsec_spd_add_del_entry(
+ spd_id,
+ l_startaddr,
+ l_stopaddr,
+ r_startaddr,
+ r_stopaddr,
+ protocol=socket.IPPROTO_ESP,
+ is_outbound=0)
+ l_startaddr = l_stopaddr = cls.pg2.local_ip4n
+ r_startaddr = r_stopaddr = cls.pg2.remote_ip4n
+ cls.vapi.ipsec_spd_add_del_entry(
+ spd_id,
+ l_startaddr,
+ l_stopaddr,
+ r_startaddr,
+ r_stopaddr,
+ priority=10,
+ policy=3,
+ is_outbound=0,
+ sa_id=local_sa_id)
+ cls.vapi.ipsec_spd_add_del_entry(
+ spd_id,
+ l_startaddr,
+ l_stopaddr,
+ r_startaddr,
+ r_stopaddr,
+ priority=10,
+ policy=3,
+ sa_id=remote_sa_id)
+ except Exception:
+ raise
+ def configScapySA(self, is_tun=False):
+ if is_tun:
+ self.remote_tun_sa = SecurityAssociation(
+ ESP,
+ spi=0x000003e8,
+ crypt_algo='AES-CBC',
+ crypt_key='JPjyOWBeVEQiMe7h',
+ auth_algo='HMAC-SHA1-96',
+ auth_key='C91KUR9GYMm5GfkEvNjX',
+ tunnel_header=IP(
+ src=self.pg0.remote_ip4,
+ dst=self.pg0.local_ip4))
+ self.local_tun_sa = SecurityAssociation(
+ ESP,
+ spi=0x000003e9,
+ crypt_algo='AES-CBC',
+ crypt_key='JPjyOWBeVEQiMe7h',
+ auth_algo='HMAC-SHA1-96',
+ auth_key='C91KUR9GYMm5GfkEvNjX',
+ tunnel_header=IP(
+ dst=self.pg0.remote_ip4,
+ src=self.pg0.local_ip4))
+ else:
+ self.remote_tra_sa = SecurityAssociation(
+ ESP,
+ spi=0x000007d0,
+ crypt_algo='AES-CBC',
+ crypt_key='JPjyOWBeVEQiMe7h',
+ auth_algo='HMAC-SHA1-96',
+ auth_key='C91KUR9GYMm5GfkEvNjX')
+ self.local_tra_sa = SecurityAssociation(
+ ESP,
+ spi=0x000007d1,
+ crypt_algo='AES-CBC',
+ crypt_key='JPjyOWBeVEQiMe7h',
+ auth_algo='HMAC-SHA1-96',
+ auth_key='C91KUR9GYMm5GfkEvNjX')
-class TestIpsecEsp1(TemplateIpsecEsp, IpsecTraTests, IpsecTunTests):
- """ Ipsec ESP - TUN & TRA tests """
- pass
+ def tearDown(self):
+ super(TestIpsecEsp, self).tearDown()
+ if not self.vpp_dead:
+ self.vapi.cli("show hardware")
+ def send_and_expect(self, input, pkts, output, count=1):
+ input.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ rx = output.get_capture(count)
+ return rx
-class TestIpsecEsp2(TemplateIpsecEsp, IpsecTcpTests):
- """ Ipsec ESP - TCP tests """
- pass
+ def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1):
+ return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
+ sa.encrypt(IP(src=src, dst=dst) / ICMP() /
+ "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX")
+ ] * count
+
+ def gen_pkts(self, sw_intf, src, dst, count=1):
+ return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
+ IP(src=src, dst=dst) / ICMP() /
+ "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
+ ] * count
+
+ def test_ipsec_esp_tra_basic(self, count=1):
+ """ ipsec esp v4 transport basic test """
+ try:
+ self.configScapySA()
+ send_pkts = self.gen_encrypt_pkts(
+ self.remote_tra_sa,
+ self.pg2,
+ src=self.pg2.remote_ip4,
+ dst=self.pg2.local_ip4,
+ count=count)
+ recv_pkts = self.send_and_expect(
+ self.pg2, send_pkts, self.pg2, count=count)
+ # ESP TRA VPP encryption/decryption verification
+ for Pkts in recv_pkts:
+ self.local_tra_sa.decrypt(Pkts[IP])
+ finally:
+ self.logger.info(self.vapi.ppcli("show error"))
+ self.logger.info(self.vapi.ppcli("show ipsec"))
+
+ def test_ipsec_esp_tra_burst(self):
+ """ ipsec esp v4 transport burst test """
+ try:
+ self.test_ipsec_esp_tra_basic(count=257)
+ finally:
+ self.logger.info(self.vapi.ppcli("show error"))
+ self.logger.info(self.vapi.ppcli("show ipsec"))
+
+ def test_ipsec_esp_tun_basic(self, count=1):
+ """ ipsec esp 4o4 tunnel basic test """
+ try:
+ self.configScapySA(is_tun=True)
+ send_pkts = self.gen_encrypt_pkts(
+ self.remote_tun_sa,
+ self.pg0,
+ src=self.remote_pg0_lb_addr,
+ dst=self.remote_pg1_lb_addr,
+ count=count)
+ recv_pkts = self.send_and_expect(
+ self.pg0, send_pkts, self.pg1, count=count)
+ # ESP TUN VPP decryption verification
+ for recv_pkt in recv_pkts:
+ self.assert_equal(recv_pkt[IP].src, self.remote_pg0_lb_addr)
+ self.assert_equal(recv_pkt[IP].dst, self.remote_pg1_lb_addr)
+ send_pkts = self.gen_pkts(
+ self.pg1,
+ src=self.remote_pg1_lb_addr,
+ dst=self.remote_pg0_lb_addr,
+ count=count)
+ recv_pkts = self.send_and_expect(
+ self.pg1, send_pkts, self.pg0, count=count)
+ # ESP TUN VPP encryption verification
+ for recv_pkt in recv_pkts:
+ decrypt_pkt = self.local_tun_sa.decrypt(recv_pkt[IP])
+ self.assert_equal(decrypt_pkt.src, self.remote_pg1_lb_addr)
+ self.assert_equal(decrypt_pkt.dst, self.remote_pg0_lb_addr)
+ finally:
+ self.logger.info(self.vapi.ppcli("show error"))
+ self.logger.info(self.vapi.ppcli("show ipsec"))
+
+ def test_ipsec_esp_tun_burst(self):
+ """ ipsec esp 4o4 tunnel burst test """
+ try:
+ self.test_ipsec_esp_tun_basic(count=257)
+ finally:
+ self.logger.info(self.vapi.ppcli("show error"))
+ self.logger.info(self.vapi.ppcli("show ipsec"))
if __name__ == '__main__':
diff --git a/test/test_ipsec_nat.py b/test/test_ipsec_nat.py
index 7a5aca6..cebbfc8 100644
--- a/test/test_ipsec_nat.py
+++ b/test/test_ipsec_nat.py
@@ -141,17 +141,17 @@
spd_id = 1
remote_sa_id = 10
local_sa_id = 20
- scapy_tun_spi = 1001
- vpp_tun_spi = 1000
+ remote_tun_spi = 1001
+ local_tun_spi = 1000
client = socket.inet_pton(socket.AF_INET, cls.remote_pg0_client_addr)
cls.vapi.ip_add_del_route(client, 32, cls.pg0.remote_ip4n)
- cls.vapi.ipsec_sad_add_del_entry(remote_sa_id, scapy_tun_spi,
+ cls.vapi.ipsec_sad_add_del_entry(remote_sa_id, remote_tun_spi,
cls.pg1.remote_ip4n,
cls.pg0.remote_ip4n,
integrity_key_length=20,
crypto_key_length=16,
protocol=1, udp_encap=1)
- cls.vapi.ipsec_sad_add_del_entry(local_sa_id, vpp_tun_spi,
+ cls.vapi.ipsec_sad_add_del_entry(local_sa_id, local_tun_spi,
cls.pg0.remote_ip4n,
cls.pg1.remote_ip4n,
integrity_key_length=20,
diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py
deleted file mode 100644
index c260f03..0000000
--- a/test/test_ipsec_tun_if_esp.py
+++ /dev/null
@@ -1,52 +0,0 @@
-import unittest
-import socket
-from scapy.layers.ipsec import ESP
-from framework import VppTestRunner
-from template_ipsec import TemplateIpsec, IpsecTunTests, IpsecTcpTests
-from vpp_ipsec_tun_interface import VppIpsecTunInterface
-
-
-class TemplateIpsecTunIfEsp(TemplateIpsec):
- """ IPsec tunnel interface tests """
-
- encryption_type = ESP
-
- @classmethod
- def setUpClass(cls):
- super(TemplateIpsecTunIfEsp, cls).setUpClass()
- cls.tun_if = cls.pg0
-
- def setUp(self):
- self.ipsec_tun_if = VppIpsecTunInterface(self, self.pg0,
- self.vpp_tun_spi,
- self.scapy_tun_spi,
- self.crypt_algo_vpp_id,
- self.crypt_key,
- self.crypt_key,
- self.auth_algo_vpp_id,
- self.auth_key,
- self.auth_key)
- self.ipsec_tun_if.add_vpp_config()
- self.ipsec_tun_if.admin_up()
- self.ipsec_tun_if.config_ip4()
- src4 = socket.inet_pton(socket.AF_INET, self.remote_tun_if_host)
- self.vapi.ip_add_del_route(src4, 32, self.ipsec_tun_if.remote_ip4n)
-
- def tearDown(self):
- if not self.vpp_dead:
- self.vapi.cli("show hardware")
- super(TemplateIpsecTunIfEsp, self).tearDown()
-
-
-class TestIpsecTunIfEsp1(TemplateIpsecTunIfEsp, IpsecTunTests):
- """ Ipsec ESP - TUN tests """
- pass
-
-
-class TestIpsecTunIfEsp2(TemplateIpsecTunIfEsp, IpsecTcpTests):
- """ Ipsec ESP - TCP tests """
- pass
-
-
-if __name__ == '__main__':
- unittest.main(testRunner=VppTestRunner)
diff --git a/test/vpp_interface.py b/test/vpp_interface.py
index e14a31e..194a0c4 100644
--- a/test/vpp_interface.py
+++ b/test/vpp_interface.py
@@ -2,6 +2,7 @@
import socket
from util import Host, mk_ll_addr
+from vpp_neighbor import VppNeighbor
class VppInterface(object):
@@ -170,9 +171,6 @@
self._hosts_by_ip4 = {}
self._hosts_by_ip6 = {}
- def set_sw_if_index(self, sw_if_index):
- self._sw_if_index = sw_if_index
-
self.generate_remote_hosts()
self._local_ip4 = "172.16.%u.1" % self.sw_if_index
diff --git a/test/vpp_ipsec_tun_interface.py b/test/vpp_ipsec_tun_interface.py
deleted file mode 100644
index bd63541..0000000
--- a/test/vpp_ipsec_tun_interface.py
+++ /dev/null
@@ -1,43 +0,0 @@
-from vpp_tunnel_interface import VppTunnelInterface
-
-
-class VppIpsecTunInterface(VppTunnelInterface):
- """
- VPP IPsec Tunnel interface
- """
-
- def __init__(self, test, parent_if, local_spi,
- remote_spi, crypto_alg, local_crypto_key, remote_crypto_key,
- integ_alg, local_integ_key, remote_integ_key):
- super(VppIpsecTunInterface, self).__init__(test, parent_if)
- self.local_spi = local_spi
- self.remote_spi = remote_spi
- self.crypto_alg = crypto_alg
- self.local_crypto_key = local_crypto_key
- self.remote_crypto_key = remote_crypto_key
- self.integ_alg = integ_alg
- self.local_integ_key = local_integ_key
- self.remote_integ_key = remote_integ_key
-
- def add_vpp_config(self):
- r = self.test.vapi.ipsec_tunnel_if_add_del(
- self.parent_if.local_ip4n, self.parent_if.remote_ip4n,
- self.remote_spi, self.local_spi, self.crypto_alg,
- self.local_crypto_key, self.remote_crypto_key, self.integ_alg,
- self.local_integ_key, self.remote_integ_key)
- self.set_sw_if_index(r.sw_if_index)
- self.generate_remote_hosts()
- self.test.registry.register(self, self.test.logger)
-
- def remove_vpp_config(self):
- self.test.vapi.ipsec_tunnel_if_add_del(
- self.parent_if.local_ip4n, self.parent_if.remote_ip4n,
- self.remote_spi, self.local_spi, self.crypto_alg,
- self.local_crypto_key, self.remote_crypto_key, self.integ_alg,
- self.local_integ_key, self.remote_integ_key, is_add=0)
-
- def __str__(self):
- return self.object_id()
-
- def object_id(self):
- return "ipsec-tun-if-%d" % self._sw_if_index
diff --git a/test/vpp_papi_provider.py b/test/vpp_papi_provider.py
index 32c8eeb..3130ad0 100644
--- a/test/vpp_papi_provider.py
+++ b/test/vpp_papi_provider.py
@@ -3163,28 +3163,53 @@
def ipsec_sad_add_del_entry(self,
sad_id,
spi,
- integrity_algorithm,
- integrity_key,
- crypto_algorithm,
- crypto_key,
- protocol,
tunnel_src_address='',
tunnel_dst_address='',
- is_tunnel=1,
+ protocol=0,
+ integrity_algorithm=2,
+ integrity_key_length=0,
+ integrity_key='C91KUR9GYMm5GfkEvNjX',
+ crypto_algorithm=1,
+ crypto_key_length=0,
+ crypto_key='JPjyOWBeVEQiMe7h',
is_add=1,
+ is_tunnel=1,
udp_encap=0):
""" IPSEC SA add/del
- :param sad_id: security association ID
- :param spi: security param index of the SA in decimal
- :param integrity_algorithm:
- :param integrity_key:
- :param crypto_algorithm:
- :param crypto_key:
- :param protocol: AH(0) or ESP(1) protocol
- :param tunnel_src_address: tunnel mode outer src address
- :param tunnel_dst_address: tunnel mode outer dst address
- :param is_add:
- :param is_tunnel:
+ Sample CLI : 'ipsec sa add 10 spi 1001 esp \
+ crypto-key 4a506a794f574265564551694d653768 \
+ crypto-alg aes-cbc-128 \
+ integ-key 4339314b55523947594d6d3547666b45764e6a58 \
+ integ-alg sha1-96 tunnel-src 192.168.100.3 \
+ tunnel-dst 192.168.100.2'
+ Sample CLI : 'ipsec sa add 20 spi 2001 \
+ integ-key 4339314b55523947594d6d3547666b45764e6a58 \
+ integ-alg sha1-96'
+
+ :param sad_id - Security Association ID to be \
+ created or deleted. mandatory
+ :param spi - security param index of the SA in decimal. mandatory
+ :param tunnel_src_address - incase of tunnel mode outer src address .\
+ mandatory for tunnel mode
+ :param tunnel_dst_address - incase of transport mode \
+ outer dst address. mandatory for tunnel mode
+ :param protocol - AH(0) or ESP(1) protocol (Default 0 - AH). optional
+ :param integrity_algorithm - value range 1-6 Default(2 - SHA1_96).\
+ optional **
+ :param integrity_key - value in string \
+ (Default C91KUR9GYMm5GfkEvNjX).optional
+ :param integrity_key_length - length of the key string in bytes\
+ (Default 0 - integrity disabled). optional
+ :param crypto_algorithm - value range 1-11 Default \
+ (1- AES_CBC_128).optional **
+ :param crypto_key - value in string(Default JPjyOWBeVEQiMe7h).optional
+ :param crypto_key_length - length of the key string in bytes\
+ (Default 0 - crypto disabled). optional
+ :param is_add - add(1) or del(0) ipsec SA entry(Default 1 - add) .\
+ optional
+ :param is_tunnel - tunnel mode (1) or transport mode(0) \
+ (Default 1 - tunnel). optional
+ :returns: reply from the API
:** reference /vpp/src/vnet/ipsec/ipsec.h file for enum values of
crypto and ipsec algorithms
"""
@@ -3196,11 +3221,10 @@
'tunnel_dst_address': tunnel_dst_address,
'protocol': protocol,
'integrity_algorithm': integrity_algorithm,
- 'integrity_key_length': len(integrity_key),
+ 'integrity_key_length': integrity_key_length,
'integrity_key': integrity_key,
'crypto_algorithm': crypto_algorithm,
- 'crypto_key_length': len(crypto_key) if crypto_key is not None
- else 0,
+ 'crypto_key_length': crypto_key_length,
'crypto_key': crypto_key,
'is_add': is_add,
'is_tunnel': is_tunnel,
@@ -3208,7 +3232,6 @@
def ipsec_spd_add_del_entry(self,
spd_id,
- sa_id,
local_address_start,
local_address_stop,
remote_address_start,
@@ -3218,6 +3241,7 @@
remote_port_start=0,
remote_port_stop=65535,
protocol=0,
+ sa_id=10,
policy=0,
priority=100,
is_outbound=1,
@@ -3225,28 +3249,35 @@
is_ip_any=0):
""" IPSEC policy SPD add/del -
Wrapper to configure ipsec SPD policy entries in VPP
- :param spd_id: SPD ID for the policy
- :param local_address_start: local-ip-range start address
- :param local_address_stop : local-ip-range stop address
- :param remote_address_start: remote-ip-range start address
- :param remote_address_stop : remote-ip-range stop address
- :param local_port_start: (Default value = 0)
- :param local_port_stop: (Default value = 65535)
- :param remote_port_start: (Default value = 0)
- :param remote_port_stop: (Default value = 65535)
- :param protocol: Any(0), AH(51) & ESP(50) protocol (Default value = 0)
- :param sa_id: Security Association ID for mapping it to SPD
- :param policy: bypass(0), discard(1), resolve(2) or protect(3) action
- (Default value = 0)
- :param priority: value for the spd action (Default value = 100)
- :param is_outbound: flag for inbound(0) or outbound(1)
- (Default value = 1)
- :param is_add: (Default value = 1)
+ Sample CLI : 'ipsec policy add spd 1 inbound priority 10 action \
+ protect sa 20 local-ip-range 192.168.4.4 - 192.168.4.4 \
+ remote-ip-range 192.168.3.3 - 192.168.3.3'
+
+ :param spd_id - SPD ID for the policy . mandatory
+ :param local_address_start - local-ip-range start address . mandatory
+ :param local_address_stop - local-ip-range stop address . mandatory
+ :param remote_address_start - remote-ip-range start address . mandatory
+ :param remote_address_stop - remote-ip-range stop address . mandatory
+ :param local_port_start - (Default 0) . optional
+ :param local_port_stop - (Default 65535). optional
+ :param remote_port_start - (Default 0). optional
+ :param remote_port_stop - (Default 65535). optional
+ :param protocol - Any(0), AH(51) & ESP(50) protocol (Default 0 - Any).
+ optional
+ :param sa_id - Security Association ID for mapping it to SPD
+ (default 10). optional
+ :param policy - bypass(0), discard(1), resolve(2) or protect(3)action
+ (Default 0 - bypass). optional
+ :param priotity - value for the spd action (Default 100). optional
+ :param is_outbound - flag for inbound(0) or outbound(1)
+ (Default 1 - outbound). optional
+ :param is_add flag - for addition(1) or deletion(0) of the spd
+ (Default 1 - addtion). optional
+ :returns: reply from the API
"""
return self.api(
self.papi.ipsec_spd_add_del_entry,
{'spd_id': spd_id,
- 'sa_id': sa_id,
'local_address_start': local_address_start,
'local_address_stop': local_address_stop,
'remote_address_start': remote_address_start,
@@ -3260,30 +3291,9 @@
'policy': policy,
'priority': priority,
'is_outbound': is_outbound,
+ 'sa_id': sa_id,
'is_ip_any': is_ip_any})
- def ipsec_tunnel_if_add_del(self, local_ip, remote_ip, local_spi,
- remote_spi, crypto_alg, local_crypto_key,
- remote_crypto_key, integ_alg, local_integ_key,
- remote_integ_key, is_add=1, esn=0,
- anti_replay=1, renumber=0, show_instance=0):
- return self.api(
- self.papi.ipsec_tunnel_if_add_del,
- {'local_ip': local_ip, 'remote_ip': remote_ip,
- 'local_spi': local_spi, 'remote_spi': remote_spi,
- 'crypto_alg': crypto_alg,
- 'local_crypto_key_len': len(local_crypto_key),
- 'local_crypto_key': local_crypto_key,
- 'remote_crypto_key_len': len(remote_crypto_key),
- 'remote_crypto_key': remote_crypto_key, 'integ_alg': integ_alg,
- 'local_integ_key_len': len(local_integ_key),
- 'local_integ_key': local_integ_key,
- 'remote_integ_key_len': len(remote_integ_key),
- 'remote_integ_key': remote_integ_key, 'is_add': is_add,
- 'esn': esn, 'anti_replay': anti_replay, 'renumber': renumber,
- 'show_instance': show_instance
- })
-
def app_namespace_add(self,
namespace_id,
ip4_fib_id=0,
diff --git a/test/vpp_pg_interface.py b/test/vpp_pg_interface.py
index 1300f1f..81e9714 100644
--- a/test/vpp_pg_interface.py
+++ b/test/vpp_pg_interface.py
@@ -84,10 +84,10 @@
def __init__(self, test, pg_index):
""" Create VPP packet-generator interface """
- super(VppPGInterface, self).__init__(test)
-
r = test.vapi.pg_create_interface(pg_index)
- self.set_sw_if_index(r.sw_if_index)
+ self._sw_if_index = r.sw_if_index
+
+ super(VppPGInterface, self).__init__(test)
self._in_history_counter = 0
self._out_history_counter = 0
diff --git a/test/vpp_tunnel_interface.py b/test/vpp_tunnel_interface.py
deleted file mode 100644
index c74f585..0000000
--- a/test/vpp_tunnel_interface.py
+++ /dev/null
@@ -1,32 +0,0 @@
-from abc import abstractmethod, ABCMeta
-from vpp_pg_interface import is_ipv6_misc
-from vpp_interface import VppInterface
-
-
-class VppTunnelInterface(VppInterface):
- """ VPP tunnel interface abstration """
- __metaclass__ = ABCMeta
-
- @abstractmethod
- def __init__(self, test, parent_if):
- super(VppTunnelInterface, self).__init__(test)
- self.parent_if = parent_if
-
- @property
- def local_mac(self):
- return self.parent_if.local_mac
-
- @property
- def remote_mac(self):
- return self.parent_if.remote_mac
-
- def enable_capture(self):
- return self.parent_if.enable_capture()
-
- def add_stream(self, pkts):
- return self.parent_if.add_stream(pkts)
-
- def get_capture(self, expected_count=None, remark=None, timeout=1,
- filter_out_fn=is_ipv6_misc):
- return self.parent_if.get_capture(expected_count, remark, timeout,
- filter_out_fn)