blob: a17e432ac51d7eec62aac76052dd70fbf912071c [file] [log] [blame]
Klement Sekera31da2e32018-06-24 22:49:55 +02001import unittest
2import socket
Neale Ranns2ac885c2019-03-20 18:24:43 +00003import copy
Neale Ranns47feb112019-04-11 15:14:07 +00004
Neale Ranns12989b52019-09-26 16:20:19 +00005from scapy.layers.ipsec import SecurityAssociation, ESP
John Lo90430b62020-01-31 23:48:30 -05006from scapy.layers.l2 import Ether, GRE, Dot1Q
Arthur de Kerhorce04e3b2022-01-04 15:53:43 +01007from scapy.packet import Raw, bind_layers
Arthur de Kerhor8fce5462023-06-16 09:48:52 +02008from scapy.layers.inet import IP, UDP, ICMP
9from scapy.layers.inet6 import IPv6, ICMPv6EchoRequest
Neale Ranns4a58e492020-12-21 13:19:10 +000010from scapy.contrib.mpls import MPLS
Dave Wallace8800f732023-08-31 00:47:44 -040011from asfframework import VppTestRunner, tag_fixme_vpp_workers
Klement Sekerad9b0c6f2022-04-26 19:02:15 +020012from template_ipsec import (
13 TemplateIpsec,
14 IpsecTun4Tests,
15 IpsecTun6Tests,
16 IpsecTun4,
17 IpsecTun6,
18 IpsecTcpTests,
19 mk_scapy_crypt_key,
20 IpsecTun6HandoffTests,
21 IpsecTun4HandoffTests,
22 config_tun_params,
23)
Neale Rannsc87b66c2019-02-07 07:26:12 -080024from vpp_gre_interface import VppGreInterface
25from vpp_ipip_tun_interface import VppIpIpTunInterface
Klement Sekerad9b0c6f2022-04-26 19:02:15 +020026from vpp_ip_route import (
27 VppIpRoute,
28 VppRoutePath,
29 DpoProto,
30 VppMplsLabel,
31 VppMplsTable,
32 VppMplsRoute,
33 FibPathProto,
34)
Neale Rannsdd4ccf22020-06-30 07:47:14 +000035from vpp_ipsec import VppIpsecSA, VppIpsecTunProtect, VppIpsecInterface
Neale Rannsf05e7322019-03-29 20:23:58 +000036from vpp_l2 import VppBridgeDomain, VppBridgeDomainPort
John Lo90430b62020-01-31 23:48:30 -050037from vpp_sub_interface import L2_VTR_OP, VppDot1QSubint
Neale Ranns28287212019-12-16 00:53:11 +000038from vpp_teib import VppTeib
Neale Rannsf05e7322019-03-29 20:23:58 +000039from util import ppp
Neale Ranns47feb112019-04-11 15:14:07 +000040from vpp_papi import VppEnum
Eric Kinzie609d5792020-10-13 20:02:11 -040041from vpp_papi_provider import CliFailedCommandError
Neale Ranns5d0136f2020-05-12 08:51:02 +000042from vpp_acl import AclRule, VppAcl, VppAclInterface
Stanislav Zaikine5a3ae02022-04-05 19:23:12 +020043from vpp_policer import PolicerAction, VppPolicer, Dir
Dmitry Valter34fa0ce2024-03-11 10:38:46 +000044from config import config
Klement Sekera31da2e32018-06-24 22:49:55 +020045
46
Neale Rannsdd4ccf22020-06-30 07:47:14 +000047def config_tun_params(p, encryption_type, tun_if, src=None, dst=None):
Neale Ranns12989b52019-09-26 16:20:19 +000048 ip_class_by_addr_type = {socket.AF_INET: IP, socket.AF_INET6: IPv6}
Klement Sekerad9b0c6f2022-04-26 19:02:15 +020049 esn_en = bool(
50 p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_USE_ESN)
51 )
Neale Ranns12989b52019-09-26 16:20:19 +000052 crypt_key = mk_scapy_crypt_key(p)
Neale Rannsdd4ccf22020-06-30 07:47:14 +000053 if tun_if:
54 p.tun_dst = tun_if.remote_ip
55 p.tun_src = tun_if.local_ip
56 else:
57 p.tun_dst = dst
58 p.tun_src = src
59
Arthur de Kerhorce04e3b2022-01-04 15:53:43 +010060 if p.nat_header:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +020061 is_default_port = p.nat_header.dport == 4500
Arthur de Kerhorce04e3b2022-01-04 15:53:43 +010062 else:
63 is_default_port = True
64
65 if is_default_port:
66 outbound_nat_header = p.nat_header
67 else:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +020068 outbound_nat_header = UDP(sport=p.nat_header.dport, dport=p.nat_header.sport)
Arthur de Kerhorce04e3b2022-01-04 15:53:43 +010069 bind_layers(UDP, ESP, dport=p.nat_header.dport)
70
Neale Ranns12989b52019-09-26 16:20:19 +000071 p.scapy_tun_sa = SecurityAssociation(
Klement Sekerad9b0c6f2022-04-26 19:02:15 +020072 encryption_type,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +010073 spi=p.scapy_tun_spi,
Neale Ranns12989b52019-09-26 16:20:19 +000074 crypt_algo=p.crypt_algo,
75 crypt_key=crypt_key,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +020076 auth_algo=p.auth_algo,
77 auth_key=p.auth_key,
78 tunnel_header=ip_class_by_addr_type[p.addr_type](src=p.tun_dst, dst=p.tun_src),
Arthur de Kerhorce04e3b2022-01-04 15:53:43 +010079 nat_t_header=outbound_nat_header,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +020080 esn_en=esn_en,
81 )
Neale Ranns12989b52019-09-26 16:20:19 +000082 p.vpp_tun_sa = SecurityAssociation(
Klement Sekerad9b0c6f2022-04-26 19:02:15 +020083 encryption_type,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +010084 spi=p.vpp_tun_spi,
Neale Ranns12989b52019-09-26 16:20:19 +000085 crypt_algo=p.crypt_algo,
86 crypt_key=crypt_key,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +020087 auth_algo=p.auth_algo,
88 auth_key=p.auth_key,
89 tunnel_header=ip_class_by_addr_type[p.addr_type](dst=p.tun_dst, src=p.tun_src),
Neale Ranns12989b52019-09-26 16:20:19 +000090 nat_t_header=p.nat_header,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +020091 esn_en=esn_en,
92 )
Neale Ranns12989b52019-09-26 16:20:19 +000093
94
Neale Ranns568acbb2019-12-18 05:54:40 +000095def config_tra_params(p, encryption_type, tun_if):
96 ip_class_by_addr_type = {socket.AF_INET: IP, socket.AF_INET6: IPv6}
Klement Sekerad9b0c6f2022-04-26 19:02:15 +020097 esn_en = bool(
98 p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_USE_ESN)
99 )
Neale Ranns568acbb2019-12-18 05:54:40 +0000100 crypt_key = mk_scapy_crypt_key(p)
Neale Rannsf3a66222020-01-02 05:04:00 +0000101 p.tun_dst = tun_if.remote_ip
102 p.tun_src = tun_if.local_ip
Arthur de Kerhorce04e3b2022-01-04 15:53:43 +0100103
104 if p.nat_header:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200105 is_default_port = p.nat_header.dport == 4500
Arthur de Kerhorce04e3b2022-01-04 15:53:43 +0100106 else:
107 is_default_port = True
108
109 if is_default_port:
110 outbound_nat_header = p.nat_header
111 else:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200112 outbound_nat_header = UDP(sport=p.nat_header.dport, dport=p.nat_header.sport)
Arthur de Kerhorce04e3b2022-01-04 15:53:43 +0100113 bind_layers(UDP, ESP, dport=p.nat_header.dport)
114
Neale Ranns568acbb2019-12-18 05:54:40 +0000115 p.scapy_tun_sa = SecurityAssociation(
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200116 encryption_type,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +0100117 spi=p.scapy_tun_spi,
Neale Ranns568acbb2019-12-18 05:54:40 +0000118 crypt_algo=p.crypt_algo,
119 crypt_key=crypt_key,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200120 auth_algo=p.auth_algo,
121 auth_key=p.auth_key,
Neale Rannsabc56602020-04-01 09:45:23 +0000122 esn_en=esn_en,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200123 nat_t_header=outbound_nat_header,
124 )
Neale Ranns568acbb2019-12-18 05:54:40 +0000125 p.vpp_tun_sa = SecurityAssociation(
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200126 encryption_type,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +0100127 spi=p.vpp_tun_spi,
Neale Ranns568acbb2019-12-18 05:54:40 +0000128 crypt_algo=p.crypt_algo,
129 crypt_key=crypt_key,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200130 auth_algo=p.auth_algo,
131 auth_key=p.auth_key,
Neale Rannsabc56602020-04-01 09:45:23 +0000132 esn_en=esn_en,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200133 nat_t_header=p.nat_header,
134 )
Neale Ranns568acbb2019-12-18 05:54:40 +0000135
136
Neale Rannsa9e27742020-12-23 16:22:28 +0000137class TemplateIpsec4TunProtect(object):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200138 """IPsec IPv4 Tunnel protect"""
Neale Rannsa9e27742020-12-23 16:22:28 +0000139
140 encryption_type = ESP
141 tun4_encrypt_node_name = "esp4-encrypt-tun"
Neale Ranns8c609af2021-02-25 10:05:32 +0000142 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
Neale Rannsa9e27742020-12-23 16:22:28 +0000143 tun4_input_node = "ipsec4-tun-input"
144
145 def config_sa_tra(self, p):
146 config_tun_params(p, self.encryption_type, p.tun_if)
147
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200148 p.tun_sa_out = VppIpsecSA(
149 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +0100150 p.vpp_tun_sa_id,
151 p.vpp_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200152 p.auth_algo_vpp_id,
153 p.auth_key,
154 p.crypt_algo_vpp_id,
155 p.crypt_key,
156 self.vpp_esp_protocol,
157 flags=p.flags,
158 )
Neale Rannsa9e27742020-12-23 16:22:28 +0000159 p.tun_sa_out.add_vpp_config()
160
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200161 p.tun_sa_in = VppIpsecSA(
162 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +0100163 p.scapy_tun_sa_id,
164 p.scapy_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200165 p.auth_algo_vpp_id,
166 p.auth_key,
167 p.crypt_algo_vpp_id,
168 p.crypt_key,
169 self.vpp_esp_protocol,
170 flags=p.flags,
171 )
Neale Rannsa9e27742020-12-23 16:22:28 +0000172 p.tun_sa_in.add_vpp_config()
173
174 def config_sa_tun(self, p):
175 config_tun_params(p, self.encryption_type, p.tun_if)
176
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200177 p.tun_sa_out = VppIpsecSA(
178 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +0100179 p.vpp_tun_sa_id,
180 p.vpp_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200181 p.auth_algo_vpp_id,
182 p.auth_key,
183 p.crypt_algo_vpp_id,
184 p.crypt_key,
185 self.vpp_esp_protocol,
186 self.tun_if.local_addr[p.addr_type],
187 self.tun_if.remote_addr[p.addr_type],
188 flags=p.flags,
189 )
Neale Rannsa9e27742020-12-23 16:22:28 +0000190 p.tun_sa_out.add_vpp_config()
191
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200192 p.tun_sa_in = VppIpsecSA(
193 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +0100194 p.scapy_tun_sa_id,
195 p.scapy_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200196 p.auth_algo_vpp_id,
197 p.auth_key,
198 p.crypt_algo_vpp_id,
199 p.crypt_key,
200 self.vpp_esp_protocol,
201 self.tun_if.remote_addr[p.addr_type],
202 self.tun_if.local_addr[p.addr_type],
203 flags=p.flags,
204 )
Neale Rannsa9e27742020-12-23 16:22:28 +0000205 p.tun_sa_in.add_vpp_config()
206
207 def config_protect(self, p):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200208 p.tun_protect = VppIpsecTunProtect(self, p.tun_if, p.tun_sa_out, [p.tun_sa_in])
Neale Rannsa9e27742020-12-23 16:22:28 +0000209 p.tun_protect.add_vpp_config()
210
211 def config_network(self, p):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200212 if hasattr(p, "tun_dst"):
Neale Rannsa9e27742020-12-23 16:22:28 +0000213 tun_dst = p.tun_dst
214 else:
215 tun_dst = self.pg0.remote_ip4
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200216 p.tun_if = VppIpIpTunInterface(self, self.pg0, self.pg0.local_ip4, tun_dst)
Neale Rannsa9e27742020-12-23 16:22:28 +0000217 p.tun_if.add_vpp_config()
218 p.tun_if.admin_up()
219 p.tun_if.config_ip4()
220 p.tun_if.config_ip6()
221
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200222 p.route = VppIpRoute(
223 self,
224 p.remote_tun_if_host,
225 32,
226 [VppRoutePath(p.tun_if.remote_ip4, 0xFFFFFFFF)],
227 )
Neale Rannsa9e27742020-12-23 16:22:28 +0000228 p.route.add_vpp_config()
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200229 r = VppIpRoute(
230 self,
231 p.remote_tun_if_host6,
232 128,
233 [
234 VppRoutePath(
235 p.tun_if.remote_ip6, 0xFFFFFFFF, proto=DpoProto.DPO_PROTO_IP6
236 )
237 ],
238 )
Neale Rannsa9e27742020-12-23 16:22:28 +0000239 r.add_vpp_config()
240
241 def unconfig_network(self, p):
242 p.route.remove_vpp_config()
243 p.tun_if.remove_vpp_config()
244
245 def unconfig_protect(self, p):
246 p.tun_protect.remove_vpp_config()
247
248 def unconfig_sa(self, p):
249 p.tun_sa_out.remove_vpp_config()
250 p.tun_sa_in.remove_vpp_config()
251
252
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200253class TemplateIpsec4TunIfEsp(TemplateIpsec4TunProtect, TemplateIpsec):
254 """IPsec tunnel interface tests"""
Klement Sekera31da2e32018-06-24 22:49:55 +0200255
256 encryption_type = ESP
257
Paul Vinciguerra7f9b7f92019-03-12 19:23:27 -0700258 @classmethod
259 def setUpClass(cls):
260 super(TemplateIpsec4TunIfEsp, cls).setUpClass()
261
262 @classmethod
263 def tearDownClass(cls):
264 super(TemplateIpsec4TunIfEsp, cls).tearDownClass()
265
Klement Sekera31da2e32018-06-24 22:49:55 +0200266 def setUp(self):
Kingwel Xie1ba5bc82019-03-20 07:21:58 -0400267 super(TemplateIpsec4TunIfEsp, self).setUp()
Neale Ranns8e4a89b2019-01-23 08:16:17 -0800268
269 self.tun_if = self.pg0
270
Klement Sekera611864f2018-09-26 11:19:00 +0200271 p = self.ipv4_params
Neale Rannsd7603d92019-03-28 08:56:10 +0000272
Neale Rannsa9e27742020-12-23 16:22:28 +0000273 self.config_network(p)
274 self.config_sa_tra(p)
275 self.config_protect(p)
Klement Sekera31da2e32018-06-24 22:49:55 +0200276
277 def tearDown(self):
Kingwel Xie1ba5bc82019-03-20 07:21:58 -0400278 super(TemplateIpsec4TunIfEsp, self).tearDown()
Klement Sekera31da2e32018-06-24 22:49:55 +0200279
280
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200281class TemplateIpsec4TunIfEspUdp(TemplateIpsec4TunProtect, TemplateIpsec):
282 """IPsec UDP tunnel interface tests"""
Neale Ranns41afb332019-07-16 06:19:35 -0700283
284 tun4_encrypt_node_name = "esp4-encrypt-tun"
Neale Ranns8c609af2021-02-25 10:05:32 +0000285 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
Neale Ranns41afb332019-07-16 06:19:35 -0700286 encryption_type = ESP
287
288 @classmethod
289 def setUpClass(cls):
290 super(TemplateIpsec4TunIfEspUdp, cls).setUpClass()
291
292 @classmethod
293 def tearDownClass(cls):
294 super(TemplateIpsec4TunIfEspUdp, cls).tearDownClass()
295
Alexander Chernavinb0d2eda2020-03-25 10:56:52 -0400296 def verify_encrypted(self, p, sa, rxs):
297 for rx in rxs:
298 try:
299 # ensure the UDP ports are correct before we decrypt
300 # which strips them
301 self.assertTrue(rx.haslayer(UDP))
Neale Rannsa9e27742020-12-23 16:22:28 +0000302 self.assert_equal(rx[UDP].sport, p.nat_header.sport)
Arthur de Kerhor4117b242022-08-31 19:13:03 +0200303 self.assert_equal(rx[UDP].dport, p.nat_header.dport)
Alexander Chernavinb0d2eda2020-03-25 10:56:52 -0400304
305 pkt = sa.decrypt(rx[IP])
306 if not pkt.haslayer(IP):
307 pkt = IP(pkt[Raw].load)
308
309 self.assert_packet_checksums_valid(pkt)
310 self.assert_equal(pkt[IP].dst, "1.1.1.1")
311 self.assert_equal(pkt[IP].src, self.pg1.remote_ip4)
312 except (IndexError, AssertionError):
313 self.logger.debug(ppp("Unexpected packet:", rx))
314 try:
315 self.logger.debug(ppp("Decrypted packet:", pkt))
316 except:
317 pass
318 raise
319
Neale Rannsa9e27742020-12-23 16:22:28 +0000320 def config_sa_tra(self, p):
321 config_tun_params(p, self.encryption_type, p.tun_if)
322
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200323 p.tun_sa_out = VppIpsecSA(
324 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +0100325 p.vpp_tun_sa_id,
326 p.vpp_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200327 p.auth_algo_vpp_id,
328 p.auth_key,
329 p.crypt_algo_vpp_id,
330 p.crypt_key,
331 self.vpp_esp_protocol,
332 flags=p.flags,
333 udp_src=p.nat_header.sport,
334 udp_dst=p.nat_header.dport,
335 )
Neale Rannsa9e27742020-12-23 16:22:28 +0000336 p.tun_sa_out.add_vpp_config()
337
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200338 p.tun_sa_in = VppIpsecSA(
339 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +0100340 p.scapy_tun_sa_id,
341 p.scapy_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200342 p.auth_algo_vpp_id,
343 p.auth_key,
344 p.crypt_algo_vpp_id,
345 p.crypt_key,
346 self.vpp_esp_protocol,
Arthur de Kerhor4117b242022-08-31 19:13:03 +0200347 flags=p.flags
348 | VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_IS_INBOUND,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200349 udp_src=p.nat_header.sport,
350 udp_dst=p.nat_header.dport,
351 )
Neale Rannsa9e27742020-12-23 16:22:28 +0000352 p.tun_sa_in.add_vpp_config()
353
Neale Ranns41afb332019-07-16 06:19:35 -0700354 def setUp(self):
355 super(TemplateIpsec4TunIfEspUdp, self).setUp()
356
Neale Ranns41afb332019-07-16 06:19:35 -0700357 p = self.ipv4_params
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200358 p.flags = VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_UDP_ENCAP
Neale Ranns41afb332019-07-16 06:19:35 -0700359 p.nat_header = UDP(sport=5454, dport=4500)
360
Alexander Chernavinb0d2eda2020-03-25 10:56:52 -0400361 self.tun_if = self.pg0
Neale Ranns41afb332019-07-16 06:19:35 -0700362
Neale Rannsa9e27742020-12-23 16:22:28 +0000363 self.config_network(p)
364 self.config_sa_tra(p)
365 self.config_protect(p)
Neale Ranns41afb332019-07-16 06:19:35 -0700366
367 def tearDown(self):
368 super(TemplateIpsec4TunIfEspUdp, self).tearDown()
369
370
Arthur de Kerhor8fce5462023-06-16 09:48:52 +0200371class TemplateIpsec4TunTfc:
372 """IPsec IPv4 tunnel with TFC"""
373
374 def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=54):
375 pkt = (
376 IP(src=src, dst=dst, len=28 + payload_size)
377 / ICMP()
378 / Raw(b"X" * payload_size)
379 / Padding(b"Y" * 100)
380 )
381 return [
382 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / sa.encrypt(pkt)
383 for i in range(count)
384 ]
385
386 def verify_decrypted(self, p, rxs):
387 for rx in rxs:
388 self.assert_equal(rx[IP].src, p.remote_tun_if_host)
389 self.assert_equal(rx[IP].dst, self.pg1.remote_ip4)
390 self.assert_equal(rx[IP].len, len(rx[IP]))
391 self.assert_packet_checksums_valid(rx)
392
393
Kingwel Xie1ba5bc82019-03-20 07:21:58 -0400394class TestIpsec4TunIfEsp1(TemplateIpsec4TunIfEsp, IpsecTun4Tests):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200395 """Ipsec ESP - TUN tests"""
396
Klement Sekera6aa58b72019-05-16 14:34:55 +0200397 tun4_encrypt_node_name = "esp4-encrypt-tun"
Neale Ranns8c609af2021-02-25 10:05:32 +0000398 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
Klement Sekera31da2e32018-06-24 22:49:55 +0200399
Neale Ranns987aea82019-03-27 13:40:35 +0000400 def test_tun_basic64(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200401 """ipsec 6o4 tunnel basic test"""
Neale Ranns12989b52019-09-26 16:20:19 +0000402 self.tun4_encrypt_node_name = "esp4-encrypt-tun"
Klement Sekera6aa58b72019-05-16 14:34:55 +0200403
Neale Ranns987aea82019-03-27 13:40:35 +0000404 self.verify_tun_64(self.params[socket.AF_INET], count=1)
405
406 def test_tun_burst64(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200407 """ipsec 6o4 tunnel basic test"""
Neale Ranns12989b52019-09-26 16:20:19 +0000408 self.tun4_encrypt_node_name = "esp4-encrypt-tun"
Klement Sekera6aa58b72019-05-16 14:34:55 +0200409
Neale Ranns987aea82019-03-27 13:40:35 +0000410 self.verify_tun_64(self.params[socket.AF_INET], count=257)
411
Neale Rannsd7603d92019-03-28 08:56:10 +0000412 def test_tun_basic_frag44(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200413 """ipsec 4o4 tunnel frag basic test"""
Klement Sekera6aa58b72019-05-16 14:34:55 +0200414 self.tun4_encrypt_node_name = "esp4-encrypt-tun"
415
Neale Rannsd7603d92019-03-28 08:56:10 +0000416 p = self.ipv4_params
417
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200418 self.vapi.sw_interface_set_mtu(p.tun_if.sw_if_index, [1500, 0, 0, 0])
419 self.verify_tun_44(
420 self.params[socket.AF_INET], count=1, payload_size=1800, n_rx=2
421 )
422 self.vapi.sw_interface_set_mtu(p.tun_if.sw_if_index, [9000, 0, 0, 0])
Neale Rannsd7603d92019-03-28 08:56:10 +0000423
Klement Sekera31da2e32018-06-24 22:49:55 +0200424
Neale Ranns41afb332019-07-16 06:19:35 -0700425class TestIpsec4TunIfEspUdp(TemplateIpsec4TunIfEspUdp, IpsecTun4Tests):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200426 """Ipsec ESP UDP tests"""
Neale Ranns41afb332019-07-16 06:19:35 -0700427
Neale Ranns12989b52019-09-26 16:20:19 +0000428 tun4_input_node = "ipsec4-tun-input"
Neale Ranns41afb332019-07-16 06:19:35 -0700429
Alexander Chernavinb0d2eda2020-03-25 10:56:52 -0400430 def setUp(self):
Neale Rannsa9e27742020-12-23 16:22:28 +0000431 super(TestIpsec4TunIfEspUdp, self).setUp()
Alexander Chernavinb0d2eda2020-03-25 10:56:52 -0400432
Neale Ranns41afb332019-07-16 06:19:35 -0700433 def test_keepalive(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200434 """IPSEC NAT Keepalive"""
Neale Ranns41afb332019-07-16 06:19:35 -0700435 self.verify_keepalive(self.ipv4_params)
436
437
Alexander Chernavinb0d2eda2020-03-25 10:56:52 -0400438class TestIpsec4TunIfEspUdpGCM(TemplateIpsec4TunIfEspUdp, IpsecTun4Tests):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200439 """Ipsec ESP UDP GCM tests"""
Alexander Chernavinb0d2eda2020-03-25 10:56:52 -0400440
441 tun4_input_node = "ipsec4-tun-input"
442
443 def setUp(self):
Neale Rannsa9e27742020-12-23 16:22:28 +0000444 super(TestIpsec4TunIfEspUdpGCM, self).setUp()
Alexander Chernavinb0d2eda2020-03-25 10:56:52 -0400445 p = self.ipv4_params
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200446 p.auth_algo_vpp_id = VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_NONE
447 p.crypt_algo_vpp_id = (
448 VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_GCM_256
449 )
Alexander Chernavinb0d2eda2020-03-25 10:56:52 -0400450 p.crypt_algo = "AES-GCM"
451 p.auth_algo = "NULL"
452 p.crypt_key = b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"
453 p.salt = 0
Alexander Chernavinb0d2eda2020-03-25 10:56:52 -0400454
455
Arthur de Kerhor4117b242022-08-31 19:13:03 +0200456class TestIpsec4TunIfEspUdpUpdate(TemplateIpsec4TunIfEspUdp, IpsecTun4Tests):
457 """Ipsec ESP UDP update tests"""
458
459 tun4_input_node = "ipsec4-tun-input"
460
461 def setUp(self):
462 super(TestIpsec4TunIfEspUdpUpdate, self).setUp()
463 p = self.ipv4_params
464 p.nat_header = UDP(sport=6565, dport=7676)
465 config_tun_params(p, self.encryption_type, p.tun_if)
466 p.tun_sa_in.update_vpp_config(
467 udp_src=p.nat_header.dport, udp_dst=p.nat_header.sport
468 )
469 p.tun_sa_out.update_vpp_config(
470 udp_src=p.nat_header.sport, udp_dst=p.nat_header.dport
471 )
472
473
Kingwel Xie1ba5bc82019-03-20 07:21:58 -0400474class TestIpsec4TunIfEsp2(TemplateIpsec4TunIfEsp, IpsecTcpTests):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200475 """Ipsec ESP - TCP tests"""
476
Klement Sekera31da2e32018-06-24 22:49:55 +0200477 pass
478
479
Neale Rannsa9e27742020-12-23 16:22:28 +0000480class TemplateIpsec6TunProtect(object):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200481 """IPsec IPv6 Tunnel protect"""
Neale Rannsa9e27742020-12-23 16:22:28 +0000482
483 def config_sa_tra(self, p):
484 config_tun_params(p, self.encryption_type, p.tun_if)
485
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200486 p.tun_sa_out = VppIpsecSA(
487 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +0100488 p.vpp_tun_sa_id,
489 p.vpp_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200490 p.auth_algo_vpp_id,
491 p.auth_key,
492 p.crypt_algo_vpp_id,
493 p.crypt_key,
494 self.vpp_esp_protocol,
495 )
Neale Rannsa9e27742020-12-23 16:22:28 +0000496 p.tun_sa_out.add_vpp_config()
497
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200498 p.tun_sa_in = VppIpsecSA(
499 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +0100500 p.scapy_tun_sa_id,
501 p.scapy_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200502 p.auth_algo_vpp_id,
503 p.auth_key,
504 p.crypt_algo_vpp_id,
505 p.crypt_key,
506 self.vpp_esp_protocol,
507 )
Neale Rannsa9e27742020-12-23 16:22:28 +0000508 p.tun_sa_in.add_vpp_config()
509
510 def config_sa_tun(self, p):
511 config_tun_params(p, self.encryption_type, p.tun_if)
512
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200513 p.tun_sa_out = VppIpsecSA(
514 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +0100515 p.vpp_tun_sa_id,
516 p.vpp_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200517 p.auth_algo_vpp_id,
518 p.auth_key,
519 p.crypt_algo_vpp_id,
520 p.crypt_key,
521 self.vpp_esp_protocol,
522 self.tun_if.local_addr[p.addr_type],
523 self.tun_if.remote_addr[p.addr_type],
524 )
Neale Rannsa9e27742020-12-23 16:22:28 +0000525 p.tun_sa_out.add_vpp_config()
526
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200527 p.tun_sa_in = VppIpsecSA(
528 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +0100529 p.scapy_tun_sa_id,
530 p.scapy_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200531 p.auth_algo_vpp_id,
532 p.auth_key,
533 p.crypt_algo_vpp_id,
534 p.crypt_key,
535 self.vpp_esp_protocol,
536 self.tun_if.remote_addr[p.addr_type],
537 self.tun_if.local_addr[p.addr_type],
538 )
Neale Rannsa9e27742020-12-23 16:22:28 +0000539 p.tun_sa_in.add_vpp_config()
540
541 def config_protect(self, p):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200542 p.tun_protect = VppIpsecTunProtect(self, p.tun_if, p.tun_sa_out, [p.tun_sa_in])
Neale Rannsa9e27742020-12-23 16:22:28 +0000543 p.tun_protect.add_vpp_config()
544
545 def config_network(self, p):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200546 if hasattr(p, "tun_dst"):
Neale Rannsa9e27742020-12-23 16:22:28 +0000547 tun_dst = p.tun_dst
548 else:
549 tun_dst = self.pg0.remote_ip6
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200550 p.tun_if = VppIpIpTunInterface(self, self.pg0, self.pg0.local_ip6, tun_dst)
Neale Rannsa9e27742020-12-23 16:22:28 +0000551 p.tun_if.add_vpp_config()
552 p.tun_if.admin_up()
553 p.tun_if.config_ip6()
554 p.tun_if.config_ip4()
555
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200556 p.route = VppIpRoute(
557 self,
558 p.remote_tun_if_host,
559 128,
560 [
561 VppRoutePath(
562 p.tun_if.remote_ip6, 0xFFFFFFFF, proto=DpoProto.DPO_PROTO_IP6
563 )
564 ],
565 )
Neale Rannsa9e27742020-12-23 16:22:28 +0000566 p.route.add_vpp_config()
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200567 r = VppIpRoute(
568 self,
569 p.remote_tun_if_host4,
570 32,
571 [VppRoutePath(p.tun_if.remote_ip4, 0xFFFFFFFF)],
572 )
Neale Rannsa9e27742020-12-23 16:22:28 +0000573 r.add_vpp_config()
574
575 def unconfig_network(self, p):
576 p.route.remove_vpp_config()
577 p.tun_if.remove_vpp_config()
578
579 def unconfig_protect(self, p):
580 p.tun_protect.remove_vpp_config()
581
582 def unconfig_sa(self, p):
583 p.tun_sa_out.remove_vpp_config()
584 p.tun_sa_in.remove_vpp_config()
585
586
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200587class TemplateIpsec6TunIfEsp(TemplateIpsec6TunProtect, TemplateIpsec):
588 """IPsec tunnel interface tests"""
Kingwel Xie1ba5bc82019-03-20 07:21:58 -0400589
590 encryption_type = ESP
591
592 def setUp(self):
593 super(TemplateIpsec6TunIfEsp, self).setUp()
594
595 self.tun_if = self.pg0
596
597 p = self.ipv6_params
Neale Rannsa9e27742020-12-23 16:22:28 +0000598 self.config_network(p)
599 self.config_sa_tra(p)
600 self.config_protect(p)
Kingwel Xie1ba5bc82019-03-20 07:21:58 -0400601
602 def tearDown(self):
Kingwel Xie1ba5bc82019-03-20 07:21:58 -0400603 super(TemplateIpsec6TunIfEsp, self).tearDown()
604
605
Matthew Smith6f1eb482022-08-09 22:19:38 +0000606class TemplateIpsec6TunIfEspUdp(TemplateIpsec6TunProtect, TemplateIpsec):
607 """IPsec6 UDP tunnel interface tests"""
608
609 tun4_encrypt_node_name = "esp6-encrypt-tun"
610 tun4_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"]
611 encryption_type = ESP
612
613 @classmethod
614 def setUpClass(cls):
615 super(TemplateIpsec6TunIfEspUdp, cls).setUpClass()
616
617 @classmethod
618 def tearDownClass(cls):
619 super(TemplateIpsec6TunIfEspUdp, cls).tearDownClass()
620
621 def verify_encrypted(self, p, sa, rxs):
622 for rx in rxs:
623 try:
624 # ensure the UDP ports are correct before we decrypt
625 # which strips them
626 self.assertTrue(rx.haslayer(UDP))
627 self.assert_equal(rx[UDP].sport, p.nat_header.sport)
Arthur de Kerhor4117b242022-08-31 19:13:03 +0200628 self.assert_equal(rx[UDP].dport, p.nat_header.dport)
Matthew Smith6f1eb482022-08-09 22:19:38 +0000629
630 pkt = sa.decrypt(rx[IP])
631 if not pkt.haslayer(IP):
632 pkt = IP(pkt[Raw].load)
633
634 self.assert_packet_checksums_valid(pkt)
635 self.assert_equal(
636 pkt[IP].dst, "1111:1111:1111:1111:1111:1111:1111:1111"
637 )
638 self.assert_equal(pkt[IP].src, self.pg1.remote_ip6)
639 except (IndexError, AssertionError):
640 self.logger.debug(ppp("Unexpected packet:", rx))
641 try:
642 self.logger.debug(ppp("Decrypted packet:", pkt))
643 except:
644 pass
645 raise
646
647 def config_sa_tra(self, p):
648 config_tun_params(p, self.encryption_type, p.tun_if)
649
650 p.tun_sa_out = VppIpsecSA(
651 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +0100652 p.vpp_tun_sa_id,
653 p.vpp_tun_spi,
Matthew Smith6f1eb482022-08-09 22:19:38 +0000654 p.auth_algo_vpp_id,
655 p.auth_key,
656 p.crypt_algo_vpp_id,
657 p.crypt_key,
658 self.vpp_esp_protocol,
659 flags=p.flags,
660 udp_src=p.nat_header.sport,
661 udp_dst=p.nat_header.dport,
662 )
663 p.tun_sa_out.add_vpp_config()
664
665 p.tun_sa_in = VppIpsecSA(
666 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +0100667 p.scapy_tun_sa_id,
668 p.scapy_tun_spi,
Matthew Smith6f1eb482022-08-09 22:19:38 +0000669 p.auth_algo_vpp_id,
670 p.auth_key,
671 p.crypt_algo_vpp_id,
672 p.crypt_key,
673 self.vpp_esp_protocol,
Arthur de Kerhor4117b242022-08-31 19:13:03 +0200674 flags=p.flags
675 | VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_IS_INBOUND,
Matthew Smith6f1eb482022-08-09 22:19:38 +0000676 udp_src=p.nat_header.sport,
677 udp_dst=p.nat_header.dport,
678 )
679 p.tun_sa_in.add_vpp_config()
680
681 def setUp(self):
682 super(TemplateIpsec6TunIfEspUdp, self).setUp()
683
684 p = self.ipv6_params
685 p.flags = VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_UDP_ENCAP
686 p.nat_header = UDP(sport=5454, dport=4500)
687
688 self.tun_if = self.pg0
689
690 self.config_network(p)
691 self.config_sa_tra(p)
692 self.config_protect(p)
693
694 def tearDown(self):
695 super(TemplateIpsec6TunIfEspUdp, self).tearDown()
696
697
Arthur de Kerhor8fce5462023-06-16 09:48:52 +0200698class TemplateIpsec6TunTfc:
699 """IPsec IPv6 tunnel with TFC"""
700
701 def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1, payload_size=54):
702 return [
703 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
704 / sa.encrypt(
705 IPv6(src=src, dst=dst, hlim=p.inner_hop_limit, fl=p.inner_flow_label)
706 / ICMPv6EchoRequest(id=0, seq=1, data="X" * payload_size)
707 / Padding(b"Y" * 100)
708 )
709 for i in range(count)
710 ]
711
712 def verify_decrypted6(self, p, rxs):
713 for rx in rxs:
714 self.assert_equal(rx[IPv6].src, p.remote_tun_if_host)
715 self.assert_equal(rx[IPv6].dst, self.pg1.remote_ip6)
716 self.assert_equal(rx[IPv6].plen, len(rx[IPv6].payload))
717 self.assert_packet_checksums_valid(rx)
718
719
Matthew Smith6f1eb482022-08-09 22:19:38 +0000720class TestIpsec6TunIfEspUdp(TemplateIpsec6TunIfEspUdp, IpsecTun6Tests):
721 """Ipsec ESP 6 UDP tests"""
722
723 tun6_input_node = "ipsec6-tun-input"
724 tun6_encrypt_node_name = "esp6-encrypt-tun"
725 tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"]
726
727 def setUp(self):
728 super(TestIpsec6TunIfEspUdp, self).setUp()
729
730 def test_keepalive(self):
731 """IPSEC6 NAT Keepalive"""
732 self.verify_keepalive(self.ipv6_params)
733
734
735class TestIpsec6TunIfEspUdpGCM(TemplateIpsec6TunIfEspUdp, IpsecTun6Tests):
736 """Ipsec ESP 6 UDP GCM tests"""
737
738 tun6_input_node = "ipsec6-tun-input"
739 tun6_encrypt_node_name = "esp6-encrypt-tun"
740 tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"]
741
742 def setUp(self):
743 super(TestIpsec6TunIfEspUdpGCM, self).setUp()
744 p = self.ipv6_params
745 p.auth_algo_vpp_id = VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_NONE
746 p.crypt_algo_vpp_id = (
747 VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_GCM_256
748 )
749 p.crypt_algo = "AES-GCM"
750 p.auth_algo = "NULL"
751 p.crypt_key = b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"
752 p.salt = 0
753
754
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200755class TestIpsec6TunIfEsp1(TemplateIpsec6TunIfEsp, IpsecTun6Tests):
756 """Ipsec ESP - TUN tests"""
757
Klement Sekera6aa58b72019-05-16 14:34:55 +0200758 tun6_encrypt_node_name = "esp6-encrypt-tun"
Neale Ranns8c609af2021-02-25 10:05:32 +0000759 tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"]
Kingwel Xie1ba5bc82019-03-20 07:21:58 -0400760
Neale Ranns987aea82019-03-27 13:40:35 +0000761 def test_tun_basic46(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200762 """ipsec 4o6 tunnel basic test"""
Neale Ranns12989b52019-09-26 16:20:19 +0000763 self.tun6_encrypt_node_name = "esp6-encrypt-tun"
Neale Ranns987aea82019-03-27 13:40:35 +0000764 self.verify_tun_46(self.params[socket.AF_INET6], count=1)
765
766 def test_tun_burst46(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200767 """ipsec 4o6 tunnel burst test"""
Neale Ranns12989b52019-09-26 16:20:19 +0000768 self.tun6_encrypt_node_name = "esp6-encrypt-tun"
Neale Ranns987aea82019-03-27 13:40:35 +0000769 self.verify_tun_46(self.params[socket.AF_INET6], count=257)
770
Kingwel Xie1ba5bc82019-03-20 07:21:58 -0400771
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200772class TestIpsec6TunIfEspHandoff(TemplateIpsec6TunIfEsp, IpsecTun6HandoffTests):
773 """Ipsec ESP 6 Handoff tests"""
774
Neale Ranns4a56f4e2019-12-23 04:10:25 +0000775 tun6_encrypt_node_name = "esp6-encrypt-tun"
Neale Ranns8c609af2021-02-25 10:05:32 +0000776 tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"]
Neale Ranns4a56f4e2019-12-23 04:10:25 +0000777
Brian Russell7a29a2d2021-02-22 18:42:24 +0000778 def test_tun_handoff_66_police(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200779 """ESP 6o6 tunnel with policer worker hand-off test"""
Brian Russell7a29a2d2021-02-22 18:42:24 +0000780 self.vapi.cli("clear errors")
781 self.vapi.cli("clear ipsec sa")
782
783 N_PKTS = 15
784 p = self.params[socket.AF_INET6]
785
786 action_tx = PolicerAction(
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200787 VppEnum.vl_api_sse2_qos_action_type_t.SSE2_QOS_ACTION_API_TRANSMIT, 0
788 )
789 policer = VppPolicer(
790 self,
791 "pol1",
792 80,
793 0,
794 1000,
795 0,
796 conform_action=action_tx,
797 exceed_action=action_tx,
798 violate_action=action_tx,
799 )
Brian Russell7a29a2d2021-02-22 18:42:24 +0000800 policer.add_vpp_config()
801
802 # Start policing on tun
Stanislav Zaikine5a3ae02022-04-05 19:23:12 +0200803 policer.apply_vpp_config(p.tun_if.sw_if_index, Dir.RX, True)
Brian Russell7a29a2d2021-02-22 18:42:24 +0000804
805 for pol_bind in [1, 0]:
806 policer.bind_vpp_config(pol_bind, True)
807
808 # inject alternately on worker 0 and 1.
809 for worker in [0, 1, 0, 1]:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200810 send_pkts = self.gen_encrypt_pkts6(
811 p,
812 p.scapy_tun_sa,
813 self.tun_if,
814 src=p.remote_tun_if_host,
815 dst=self.pg1.remote_ip6,
816 count=N_PKTS,
817 )
818 recv_pkts = self.send_and_expect(
819 self.tun_if, send_pkts, self.pg1, worker=worker
820 )
Brian Russell7a29a2d2021-02-22 18:42:24 +0000821 self.verify_decrypted6(p, recv_pkts)
822 self.logger.debug(self.vapi.cli("show trace max 100"))
823
824 stats = policer.get_stats()
825 stats0 = policer.get_stats(worker=0)
826 stats1 = policer.get_stats(worker=1)
827
Ole Troan4376ab22021-03-03 10:40:05 +0100828 if pol_bind == 1:
Brian Russell7a29a2d2021-02-22 18:42:24 +0000829 # First pass: Worker 1, should have done all the policing
830 self.assertEqual(stats, stats1)
831
832 # Worker 0, should have handed everything off
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200833 self.assertEqual(stats0["conform_packets"], 0)
834 self.assertEqual(stats0["exceed_packets"], 0)
835 self.assertEqual(stats0["violate_packets"], 0)
Brian Russell7a29a2d2021-02-22 18:42:24 +0000836 else:
837 # Second pass: both workers should have policed equal amounts
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200838 self.assertGreater(stats1["conform_packets"], 0)
839 self.assertEqual(stats1["exceed_packets"], 0)
840 self.assertGreater(stats1["violate_packets"], 0)
Brian Russell7a29a2d2021-02-22 18:42:24 +0000841
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200842 self.assertGreater(stats0["conform_packets"], 0)
843 self.assertEqual(stats0["exceed_packets"], 0)
844 self.assertGreater(stats0["violate_packets"], 0)
Brian Russell7a29a2d2021-02-22 18:42:24 +0000845
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200846 self.assertEqual(
847 stats0["conform_packets"] + stats0["violate_packets"],
848 stats1["conform_packets"] + stats1["violate_packets"],
849 )
Brian Russell7a29a2d2021-02-22 18:42:24 +0000850
Stanislav Zaikine5a3ae02022-04-05 19:23:12 +0200851 policer.apply_vpp_config(p.tun_if.sw_if_index, Dir.RX, False)
Brian Russell7a29a2d2021-02-22 18:42:24 +0000852 policer.remove_vpp_config()
853
Neale Ranns4a56f4e2019-12-23 04:10:25 +0000854
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200855class TestIpsec4TunIfEspHandoff(TemplateIpsec4TunIfEsp, IpsecTun4HandoffTests):
856 """Ipsec ESP 4 Handoff tests"""
857
Neale Ranns4a56f4e2019-12-23 04:10:25 +0000858 tun4_encrypt_node_name = "esp4-encrypt-tun"
Neale Ranns8c609af2021-02-25 10:05:32 +0000859 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
Neale Ranns4a56f4e2019-12-23 04:10:25 +0000860
Brian Russell7a29a2d2021-02-22 18:42:24 +0000861 def test_tun_handoff_44_police(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200862 """ESP 4o4 tunnel with policer worker hand-off test"""
Brian Russell7a29a2d2021-02-22 18:42:24 +0000863 self.vapi.cli("clear errors")
864 self.vapi.cli("clear ipsec sa")
865
866 N_PKTS = 15
867 p = self.params[socket.AF_INET]
868
869 action_tx = PolicerAction(
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200870 VppEnum.vl_api_sse2_qos_action_type_t.SSE2_QOS_ACTION_API_TRANSMIT, 0
871 )
872 policer = VppPolicer(
873 self,
874 "pol1",
875 80,
876 0,
877 1000,
878 0,
879 conform_action=action_tx,
880 exceed_action=action_tx,
881 violate_action=action_tx,
882 )
Brian Russell7a29a2d2021-02-22 18:42:24 +0000883 policer.add_vpp_config()
884
885 # Start policing on tun
Stanislav Zaikine5a3ae02022-04-05 19:23:12 +0200886 policer.apply_vpp_config(p.tun_if.sw_if_index, Dir.RX, True)
Brian Russell7a29a2d2021-02-22 18:42:24 +0000887
888 for pol_bind in [1, 0]:
889 policer.bind_vpp_config(pol_bind, True)
890
891 # inject alternately on worker 0 and 1.
892 for worker in [0, 1, 0, 1]:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200893 send_pkts = self.gen_encrypt_pkts(
894 p,
895 p.scapy_tun_sa,
896 self.tun_if,
897 src=p.remote_tun_if_host,
898 dst=self.pg1.remote_ip4,
899 count=N_PKTS,
900 )
901 recv_pkts = self.send_and_expect(
902 self.tun_if, send_pkts, self.pg1, worker=worker
903 )
Brian Russell7a29a2d2021-02-22 18:42:24 +0000904 self.verify_decrypted(p, recv_pkts)
905 self.logger.debug(self.vapi.cli("show trace max 100"))
906
907 stats = policer.get_stats()
908 stats0 = policer.get_stats(worker=0)
909 stats1 = policer.get_stats(worker=1)
910
Ole Troan4376ab22021-03-03 10:40:05 +0100911 if pol_bind == 1:
Brian Russell7a29a2d2021-02-22 18:42:24 +0000912 # First pass: Worker 1, should have done all the policing
913 self.assertEqual(stats, stats1)
914
915 # Worker 0, should have handed everything off
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200916 self.assertEqual(stats0["conform_packets"], 0)
917 self.assertEqual(stats0["exceed_packets"], 0)
918 self.assertEqual(stats0["violate_packets"], 0)
Brian Russell7a29a2d2021-02-22 18:42:24 +0000919 else:
920 # Second pass: both workers should have policed equal amounts
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200921 self.assertGreater(stats1["conform_packets"], 0)
922 self.assertEqual(stats1["exceed_packets"], 0)
923 self.assertGreater(stats1["violate_packets"], 0)
Brian Russell7a29a2d2021-02-22 18:42:24 +0000924
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200925 self.assertGreater(stats0["conform_packets"], 0)
926 self.assertEqual(stats0["exceed_packets"], 0)
927 self.assertGreater(stats0["violate_packets"], 0)
Brian Russell7a29a2d2021-02-22 18:42:24 +0000928
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200929 self.assertEqual(
930 stats0["conform_packets"] + stats0["violate_packets"],
931 stats1["conform_packets"] + stats1["violate_packets"],
932 )
Brian Russell7a29a2d2021-02-22 18:42:24 +0000933
Stanislav Zaikine5a3ae02022-04-05 19:23:12 +0200934 policer.apply_vpp_config(p.tun_if.sw_if_index, Dir.RX, False)
Brian Russell7a29a2d2021-02-22 18:42:24 +0000935 policer.remove_vpp_config()
936
Neale Ranns4a56f4e2019-12-23 04:10:25 +0000937
Andrew Yourtchenko8dc0d482021-01-29 13:17:19 +0000938@tag_fixme_vpp_workers
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200939class TestIpsec4MultiTunIfEsp(TemplateIpsec4TunProtect, TemplateIpsec, IpsecTun4):
940 """IPsec IPv4 Multi Tunnel interface"""
Neale Ranns2ac885c2019-03-20 18:24:43 +0000941
942 encryption_type = ESP
Klement Sekera6aa58b72019-05-16 14:34:55 +0200943 tun4_encrypt_node_name = "esp4-encrypt-tun"
Neale Ranns8c609af2021-02-25 10:05:32 +0000944 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
Neale Ranns2ac885c2019-03-20 18:24:43 +0000945
946 def setUp(self):
947 super(TestIpsec4MultiTunIfEsp, self).setUp()
948
949 self.tun_if = self.pg0
950
951 self.multi_params = []
Neale Ranns12989b52019-09-26 16:20:19 +0000952 self.pg0.generate_remote_hosts(10)
953 self.pg0.configure_ipv4_neighbors()
Neale Ranns2ac885c2019-03-20 18:24:43 +0000954
955 for ii in range(10):
956 p = copy.copy(self.ipv4_params)
957
958 p.remote_tun_if_host = "1.1.1.%d" % (ii + 1)
959 p.scapy_tun_sa_id = p.scapy_tun_sa_id + ii
960 p.scapy_tun_spi = p.scapy_tun_spi + ii
961 p.vpp_tun_sa_id = p.vpp_tun_sa_id + ii
962 p.vpp_tun_spi = p.vpp_tun_spi + ii
963
964 p.scapy_tra_sa_id = p.scapy_tra_sa_id + ii
965 p.scapy_tra_spi = p.scapy_tra_spi + ii
966 p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii
967 p.vpp_tra_spi = p.vpp_tra_spi + ii
Neale Ranns02950402019-12-20 00:54:57 +0000968 p.tun_dst = self.pg0.remote_hosts[ii].ip4
Neale Ranns2ac885c2019-03-20 18:24:43 +0000969
Neale Ranns12989b52019-09-26 16:20:19 +0000970 self.multi_params.append(p)
Neale Rannsa9e27742020-12-23 16:22:28 +0000971 self.config_network(p)
972 self.config_sa_tra(p)
973 self.config_protect(p)
Neale Ranns2ac885c2019-03-20 18:24:43 +0000974
975 def tearDown(self):
Neale Ranns2ac885c2019-03-20 18:24:43 +0000976 super(TestIpsec4MultiTunIfEsp, self).tearDown()
977
978 def test_tun_44(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200979 """Multiple IPSEC tunnel interfaces"""
Neale Ranns2ac885c2019-03-20 18:24:43 +0000980 for p in self.multi_params:
981 self.verify_tun_44(p, count=127)
Ole Troane66443c2021-03-18 11:12:01 +0100982 self.assertEqual(p.tun_if.get_rx_stats(), 127)
983 self.assertEqual(p.tun_if.get_tx_stats(), 127)
Neale Ranns2ac885c2019-03-20 18:24:43 +0000984
Neale Ranns02950402019-12-20 00:54:57 +0000985 def test_tun_rr_44(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200986 """Round-robin packets acrros multiple interface"""
Neale Ranns02950402019-12-20 00:54:57 +0000987 tx = []
988 for p in self.multi_params:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200989 tx = tx + self.gen_encrypt_pkts(
990 p,
991 p.scapy_tun_sa,
992 self.tun_if,
993 src=p.remote_tun_if_host,
994 dst=self.pg1.remote_ip4,
995 )
Neale Ranns02950402019-12-20 00:54:57 +0000996 rxs = self.send_and_expect(self.tun_if, tx, self.pg1)
997
998 for rx, p in zip(rxs, self.multi_params):
999 self.verify_decrypted(p, [rx])
1000
1001 tx = []
1002 for p in self.multi_params:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001003 tx = tx + self.gen_pkts(
1004 self.pg1, src=self.pg1.remote_ip4, dst=p.remote_tun_if_host
1005 )
Neale Ranns02950402019-12-20 00:54:57 +00001006 rxs = self.send_and_expect(self.pg1, tx, self.tun_if)
1007
1008 for rx, p in zip(rxs, self.multi_params):
1009 self.verify_encrypted(p, p.vpp_tun_sa, [rx])
1010
Neale Ranns2ac885c2019-03-20 18:24:43 +00001011
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001012class TestIpsec4TunIfEspAll(TemplateIpsec4TunProtect, TemplateIpsec, IpsecTun4):
1013 """IPsec IPv4 Tunnel interface all Algos"""
Neale Ranns47feb112019-04-11 15:14:07 +00001014
1015 encryption_type = ESP
Klement Sekera6aa58b72019-05-16 14:34:55 +02001016 tun4_encrypt_node_name = "esp4-encrypt-tun"
Neale Ranns8c609af2021-02-25 10:05:32 +00001017 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
Neale Ranns47feb112019-04-11 15:14:07 +00001018
Neale Ranns47feb112019-04-11 15:14:07 +00001019 def setUp(self):
1020 super(TestIpsec4TunIfEspAll, self).setUp()
1021
1022 self.tun_if = self.pg0
Neale Rannsa9e27742020-12-23 16:22:28 +00001023 p = self.ipv4_params
1024
1025 self.config_network(p)
1026 self.config_sa_tra(p)
1027 self.config_protect(p)
Neale Ranns47feb112019-04-11 15:14:07 +00001028
1029 def tearDown(self):
Neale Rannsa9e27742020-12-23 16:22:28 +00001030 p = self.ipv4_params
1031 self.unconfig_protect(p)
1032 self.unconfig_network(p)
1033 self.unconfig_sa(p)
1034
Neale Ranns47feb112019-04-11 15:14:07 +00001035 super(TestIpsec4TunIfEspAll, self).tearDown()
1036
Neale Rannsd6c9e822019-04-17 16:29:00 -07001037 def rekey(self, p):
1038 #
1039 # change the key and the SPI
1040 #
Neale Rannsa9e27742020-12-23 16:22:28 +00001041 np = copy.copy(p)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001042 p.crypt_key = b"X" + p.crypt_key[1:]
Neale Rannsd6c9e822019-04-17 16:29:00 -07001043 p.scapy_tun_spi += 1
1044 p.scapy_tun_sa_id += 1
1045 p.vpp_tun_spi += 1
1046 p.vpp_tun_sa_id += 1
1047 p.tun_if.local_spi = p.vpp_tun_spi
1048 p.tun_if.remote_spi = p.scapy_tun_spi
1049
Neale Ranns12989b52019-09-26 16:20:19 +00001050 config_tun_params(p, self.encryption_type, p.tun_if)
Neale Rannsd6c9e822019-04-17 16:29:00 -07001051
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001052 p.tun_sa_out = VppIpsecSA(
1053 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +01001054 p.vpp_tun_sa_id,
1055 p.vpp_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001056 p.auth_algo_vpp_id,
1057 p.auth_key,
1058 p.crypt_algo_vpp_id,
1059 p.crypt_key,
1060 self.vpp_esp_protocol,
1061 flags=p.flags,
1062 salt=p.salt,
1063 )
1064 p.tun_sa_in = VppIpsecSA(
1065 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +01001066 p.scapy_tun_sa_id,
1067 p.scapy_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001068 p.auth_algo_vpp_id,
1069 p.auth_key,
1070 p.crypt_algo_vpp_id,
1071 p.crypt_key,
1072 self.vpp_esp_protocol,
1073 flags=p.flags,
1074 salt=p.salt,
1075 )
Neale Rannsd6c9e822019-04-17 16:29:00 -07001076 p.tun_sa_in.add_vpp_config()
1077 p.tun_sa_out.add_vpp_config()
1078
Neale Rannsa9e27742020-12-23 16:22:28 +00001079 self.config_protect(p)
1080 np.tun_sa_out.remove_vpp_config()
1081 np.tun_sa_in.remove_vpp_config()
Neale Rannsd6c9e822019-04-17 16:29:00 -07001082 self.logger.info(self.vapi.cli("sh ipsec sa"))
1083
Neale Ranns47feb112019-04-11 15:14:07 +00001084 def test_tun_44(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001085 """IPSEC tunnel all algos"""
Neale Ranns47feb112019-04-11 15:14:07 +00001086
1087 # foreach VPP crypto engine
1088 engines = ["ia32", "ipsecmb", "openssl"]
1089
1090 # foreach crypto algorithm
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001091 algos = [
1092 {
1093 "vpp-crypto": (
1094 VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_GCM_128
1095 ),
1096 "vpp-integ": (
1097 VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_NONE
1098 ),
1099 "scapy-crypto": "AES-GCM",
1100 "scapy-integ": "NULL",
1101 "key": b"JPjyOWBeVEQiMe7h",
1102 "salt": 3333,
1103 },
1104 {
1105 "vpp-crypto": (
1106 VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_GCM_192
1107 ),
1108 "vpp-integ": (
1109 VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_NONE
1110 ),
1111 "scapy-crypto": "AES-GCM",
1112 "scapy-integ": "NULL",
1113 "key": b"JPjyOWBeVEQiMe7hJPjyOWBe",
1114 "salt": 0,
1115 },
1116 {
1117 "vpp-crypto": (
1118 VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_GCM_256
1119 ),
1120 "vpp-integ": (
1121 VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_NONE
1122 ),
1123 "scapy-crypto": "AES-GCM",
1124 "scapy-integ": "NULL",
1125 "key": b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h",
1126 "salt": 9999,
1127 },
1128 {
1129 "vpp-crypto": (
1130 VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_CBC_128
1131 ),
1132 "vpp-integ": (
1133 VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_SHA1_96
1134 ),
1135 "scapy-crypto": "AES-CBC",
1136 "scapy-integ": "HMAC-SHA1-96",
1137 "salt": 0,
1138 "key": b"JPjyOWBeVEQiMe7h",
1139 },
1140 {
1141 "vpp-crypto": (
1142 VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_CBC_192
1143 ),
1144 "vpp-integ": (
1145 VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_SHA_512_256
1146 ),
1147 "scapy-crypto": "AES-CBC",
1148 "scapy-integ": "SHA2-512-256",
1149 "salt": 0,
1150 "key": b"JPjyOWBeVEQiMe7hJPjyOWBe",
1151 },
1152 {
1153 "vpp-crypto": (
1154 VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_CBC_256
1155 ),
1156 "vpp-integ": (
1157 VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_SHA_256_128
1158 ),
1159 "scapy-crypto": "AES-CBC",
1160 "scapy-integ": "SHA2-256-128",
1161 "salt": 0,
1162 "key": b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h",
1163 },
1164 {
1165 "vpp-crypto": (
1166 VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_NONE
1167 ),
1168 "vpp-integ": (
1169 VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_SHA1_96
1170 ),
1171 "scapy-crypto": "NULL",
1172 "scapy-integ": "HMAC-SHA1-96",
1173 "salt": 0,
1174 "key": b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h",
1175 },
1176 ]
Neale Ranns47feb112019-04-11 15:14:07 +00001177
1178 for engine in engines:
1179 self.vapi.cli("set crypto handler all %s" % engine)
1180
1181 #
1182 # loop through each of the algorithms
1183 #
1184 for algo in algos:
1185 # with self.subTest(algo=algo['scapy']):
1186
Neale Rannsa9e27742020-12-23 16:22:28 +00001187 p = self.ipv4_params
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001188 p.auth_algo_vpp_id = algo["vpp-integ"]
1189 p.crypt_algo_vpp_id = algo["vpp-crypto"]
1190 p.crypt_algo = algo["scapy-crypto"]
1191 p.auth_algo = algo["scapy-integ"]
1192 p.crypt_key = algo["key"]
1193 p.salt = algo["salt"]
Neale Ranns47feb112019-04-11 15:14:07 +00001194
Neale Rannsd6c9e822019-04-17 16:29:00 -07001195 #
1196 # rekey the tunnel
1197 #
1198 self.rekey(p)
1199 self.verify_tun_44(p, count=127)
1200
Neale Ranns47feb112019-04-11 15:14:07 +00001201
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001202class TestIpsec4TunIfEspNoAlgo(TemplateIpsec4TunProtect, TemplateIpsec, IpsecTun4):
1203 """IPsec IPv4 Tunnel interface no Algos"""
Neale Ranns02950402019-12-20 00:54:57 +00001204
1205 encryption_type = ESP
1206 tun4_encrypt_node_name = "esp4-encrypt-tun"
Neale Ranns8c609af2021-02-25 10:05:32 +00001207 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
Neale Ranns02950402019-12-20 00:54:57 +00001208
Neale Rannsa9e27742020-12-23 16:22:28 +00001209 def setUp(self):
1210 super(TestIpsec4TunIfEspNoAlgo, self).setUp()
Neale Ranns02950402019-12-20 00:54:57 +00001211
Neale Rannsa9e27742020-12-23 16:22:28 +00001212 self.tun_if = self.pg0
1213 p = self.ipv4_params
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001214 p.auth_algo_vpp_id = VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_NONE
1215 p.auth_algo = "NULL"
Neale Ranns02950402019-12-20 00:54:57 +00001216 p.auth_key = []
1217
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001218 p.crypt_algo_vpp_id = (
1219 VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_NONE
1220 )
1221 p.crypt_algo = "NULL"
Neale Ranns02950402019-12-20 00:54:57 +00001222 p.crypt_key = []
1223
Neale Ranns02950402019-12-20 00:54:57 +00001224 def tearDown(self):
1225 super(TestIpsec4TunIfEspNoAlgo, self).tearDown()
1226
1227 def test_tun_44(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001228 """IPSec SA with NULL algos"""
Neale Ranns02950402019-12-20 00:54:57 +00001229 p = self.ipv4_params
1230
1231 self.config_network(p)
Neale Rannsa9e27742020-12-23 16:22:28 +00001232 self.config_sa_tra(p)
1233 self.config_protect(p)
Neale Ranns02950402019-12-20 00:54:57 +00001234
Matthew Smithff719392024-02-12 18:39:21 +00001235 tx = self.gen_pkts(
1236 self.pg1, src=self.pg1.remote_ip4, dst=p.remote_tun_if_host, count=127
1237 )
Neale Ranns02950402019-12-20 00:54:57 +00001238 self.send_and_assert_no_replies(self.pg1, tx)
1239
Neale Rannsa9e27742020-12-23 16:22:28 +00001240 self.unconfig_protect(p)
1241 self.unconfig_sa(p)
Neale Ranns02950402019-12-20 00:54:57 +00001242 self.unconfig_network(p)
1243
Matthew Smithff719392024-02-12 18:39:21 +00001244 def test_tun_44_async(self):
1245 """IPSec SA with NULL algos using async crypto"""
1246 p = self.ipv4_params
1247
1248 self.vapi.ipsec_set_async_mode(async_enable=True)
1249 self.config_network(p)
1250 self.config_sa_tra(p)
1251 self.config_protect(p)
1252
1253 tx = self.gen_pkts(
1254 self.pg1, src=self.pg1.remote_ip4, dst=p.remote_tun_if_host, count=127
1255 )
1256 self.send_and_assert_no_replies(self.pg1, tx)
1257
1258 self.unconfig_protect(p)
1259 self.unconfig_sa(p)
1260 self.unconfig_network(p)
1261
1262 self.vapi.ipsec_set_async_mode(async_enable=False)
1263
Neale Ranns02950402019-12-20 00:54:57 +00001264
Andrew Yourtchenko8dc0d482021-01-29 13:17:19 +00001265@tag_fixme_vpp_workers
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001266class TestIpsec6MultiTunIfEsp(TemplateIpsec6TunProtect, TemplateIpsec, IpsecTun6):
1267 """IPsec IPv6 Multi Tunnel interface"""
Neale Ranns2ac885c2019-03-20 18:24:43 +00001268
1269 encryption_type = ESP
Klement Sekera6aa58b72019-05-16 14:34:55 +02001270 tun6_encrypt_node_name = "esp6-encrypt-tun"
Neale Ranns8c609af2021-02-25 10:05:32 +00001271 tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"]
Neale Ranns2ac885c2019-03-20 18:24:43 +00001272
1273 def setUp(self):
1274 super(TestIpsec6MultiTunIfEsp, self).setUp()
1275
1276 self.tun_if = self.pg0
1277
1278 self.multi_params = []
Neale Ranns12989b52019-09-26 16:20:19 +00001279 self.pg0.generate_remote_hosts(10)
1280 self.pg0.configure_ipv6_neighbors()
Neale Ranns2ac885c2019-03-20 18:24:43 +00001281
1282 for ii in range(10):
1283 p = copy.copy(self.ipv6_params)
1284
1285 p.remote_tun_if_host = "1111::%d" % (ii + 1)
1286 p.scapy_tun_sa_id = p.scapy_tun_sa_id + ii
1287 p.scapy_tun_spi = p.scapy_tun_spi + ii
1288 p.vpp_tun_sa_id = p.vpp_tun_sa_id + ii
1289 p.vpp_tun_spi = p.vpp_tun_spi + ii
1290
1291 p.scapy_tra_sa_id = p.scapy_tra_sa_id + ii
1292 p.scapy_tra_spi = p.scapy_tra_spi + ii
1293 p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii
1294 p.vpp_tra_spi = p.vpp_tra_spi + ii
Neale Rannsa9e27742020-12-23 16:22:28 +00001295 p.tun_dst = self.pg0.remote_hosts[ii].ip6
Neale Ranns2ac885c2019-03-20 18:24:43 +00001296
Neale Ranns12989b52019-09-26 16:20:19 +00001297 self.multi_params.append(p)
Neale Rannsa9e27742020-12-23 16:22:28 +00001298 self.config_network(p)
1299 self.config_sa_tra(p)
1300 self.config_protect(p)
Neale Ranns2ac885c2019-03-20 18:24:43 +00001301
1302 def tearDown(self):
Neale Ranns2ac885c2019-03-20 18:24:43 +00001303 super(TestIpsec6MultiTunIfEsp, self).tearDown()
1304
1305 def test_tun_66(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001306 """Multiple IPSEC tunnel interfaces"""
Neale Ranns2ac885c2019-03-20 18:24:43 +00001307 for p in self.multi_params:
1308 self.verify_tun_66(p, count=127)
Ole Troane66443c2021-03-18 11:12:01 +01001309 self.assertEqual(p.tun_if.get_rx_stats(), 127)
1310 self.assertEqual(p.tun_if.get_tx_stats(), 127)
Neale Ranns2ac885c2019-03-20 18:24:43 +00001311
1312
Dmitry Valter34fa0ce2024-03-11 10:38:46 +00001313@unittest.skipIf(
1314 "gre" in config.excluded_plugins, "Exclude tests depending on GRE plugin"
1315)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001316class TestIpsecGreTebIfEsp(TemplateIpsec, IpsecTun4Tests):
1317 """Ipsec GRE TEB ESP - TUN tests"""
1318
Neale Rannsc87b66c2019-02-07 07:26:12 -08001319 tun4_encrypt_node_name = "esp4-encrypt-tun"
Neale Ranns8c609af2021-02-25 10:05:32 +00001320 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
Neale Rannsf05e7322019-03-29 20:23:58 +00001321 encryption_type = ESP
1322 omac = "00:11:22:33:44:55"
1323
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001324 def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100):
1325 return [
1326 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
1327 / sa.encrypt(
1328 IP(src=self.pg0.remote_ip4, dst=self.pg0.local_ip4)
1329 / GRE()
1330 / Ether(dst=self.omac)
1331 / IP(src="1.1.1.1", dst="1.1.1.2")
1332 / UDP(sport=1144, dport=2233)
1333 / Raw(b"X" * payload_size)
1334 )
1335 for i in range(count)
1336 ]
Neale Rannsf05e7322019-03-29 20:23:58 +00001337
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001338 def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=100):
1339 return [
1340 Ether(dst=self.omac)
1341 / IP(src="1.1.1.1", dst="1.1.1.2")
1342 / UDP(sport=1144, dport=2233)
1343 / Raw(b"X" * payload_size)
1344 for i in range(count)
1345 ]
Neale Rannsf05e7322019-03-29 20:23:58 +00001346
1347 def verify_decrypted(self, p, rxs):
1348 for rx in rxs:
1349 self.assert_equal(rx[Ether].dst, self.omac)
1350 self.assert_equal(rx[IP].dst, "1.1.1.2")
1351
1352 def verify_encrypted(self, p, sa, rxs):
1353 for rx in rxs:
1354 try:
1355 pkt = sa.decrypt(rx[IP])
1356 if not pkt.haslayer(IP):
1357 pkt = IP(pkt[Raw].load)
1358 self.assert_packet_checksums_valid(pkt)
1359 self.assert_equal(pkt[IP].dst, self.pg0.remote_ip4)
1360 self.assert_equal(pkt[IP].src, self.pg0.local_ip4)
1361 self.assertTrue(pkt.haslayer(GRE))
1362 e = pkt[Ether]
1363 self.assertEqual(e[Ether].dst, self.omac)
1364 self.assertEqual(e[IP].dst, "1.1.1.2")
1365 except (IndexError, AssertionError):
1366 self.logger.debug(ppp("Unexpected packet:", rx))
1367 try:
1368 self.logger.debug(ppp("Decrypted packet:", pkt))
1369 except:
1370 pass
1371 raise
1372
1373 def setUp(self):
Neale Rannsc87b66c2019-02-07 07:26:12 -08001374 super(TestIpsecGreTebIfEsp, self).setUp()
Neale Rannsf05e7322019-03-29 20:23:58 +00001375
1376 self.tun_if = self.pg0
1377
1378 p = self.ipv4_params
1379
1380 bd1 = VppBridgeDomain(self, 1)
1381 bd1.add_vpp_config()
1382
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001383 p.tun_sa_out = VppIpsecSA(
1384 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +01001385 p.vpp_tun_sa_id,
1386 p.vpp_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001387 p.auth_algo_vpp_id,
1388 p.auth_key,
1389 p.crypt_algo_vpp_id,
1390 p.crypt_key,
1391 self.vpp_esp_protocol,
1392 self.pg0.local_ip4,
1393 self.pg0.remote_ip4,
1394 )
Neale Rannsf05e7322019-03-29 20:23:58 +00001395 p.tun_sa_out.add_vpp_config()
1396
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001397 p.tun_sa_in = VppIpsecSA(
1398 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +01001399 p.scapy_tun_sa_id,
1400 p.scapy_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001401 p.auth_algo_vpp_id,
1402 p.auth_key,
1403 p.crypt_algo_vpp_id,
1404 p.crypt_key,
1405 self.vpp_esp_protocol,
1406 self.pg0.remote_ip4,
1407 self.pg0.local_ip4,
1408 )
Neale Rannsf05e7322019-03-29 20:23:58 +00001409 p.tun_sa_in.add_vpp_config()
1410
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001411 p.tun_if = VppGreInterface(
1412 self,
1413 self.pg0.local_ip4,
1414 self.pg0.remote_ip4,
1415 type=(VppEnum.vl_api_gre_tunnel_type_t.GRE_API_TUNNEL_TYPE_TEB),
1416 )
Neale Ranns12989b52019-09-26 16:20:19 +00001417 p.tun_if.add_vpp_config()
Neale Rannsc87b66c2019-02-07 07:26:12 -08001418
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001419 p.tun_protect = VppIpsecTunProtect(self, p.tun_if, p.tun_sa_out, [p.tun_sa_in])
Neale Rannsc87b66c2019-02-07 07:26:12 -08001420
1421 p.tun_protect.add_vpp_config()
1422
Neale Ranns12989b52019-09-26 16:20:19 +00001423 p.tun_if.admin_up()
1424 p.tun_if.config_ip4()
1425 config_tun_params(p, self.encryption_type, p.tun_if)
Neale Rannsf05e7322019-03-29 20:23:58 +00001426
Neale Ranns12989b52019-09-26 16:20:19 +00001427 VppBridgeDomainPort(self, bd1, p.tun_if).add_vpp_config()
Neale Rannsf05e7322019-03-29 20:23:58 +00001428 VppBridgeDomainPort(self, bd1, self.pg1).add_vpp_config()
1429
Neale Rannsc87b66c2019-02-07 07:26:12 -08001430 self.vapi.cli("clear ipsec sa")
Neale Ranns28287212019-12-16 00:53:11 +00001431 self.vapi.cli("sh adj")
1432 self.vapi.cli("sh ipsec tun")
Neale Rannsc87b66c2019-02-07 07:26:12 -08001433
Neale Rannsf05e7322019-03-29 20:23:58 +00001434 def tearDown(self):
Neale Ranns12989b52019-09-26 16:20:19 +00001435 p = self.ipv4_params
1436 p.tun_if.unconfig_ip4()
Neale Rannsc87b66c2019-02-07 07:26:12 -08001437 super(TestIpsecGreTebIfEsp, self).tearDown()
Neale Rannsf05e7322019-03-29 20:23:58 +00001438
1439
Dmitry Valter34fa0ce2024-03-11 10:38:46 +00001440@unittest.skipIf(
1441 "gre" in config.excluded_plugins, "Exclude tests depending on GRE plugin"
1442)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001443class TestIpsecGreTebVlanIfEsp(TemplateIpsec, IpsecTun4Tests):
1444 """Ipsec GRE TEB ESP - TUN tests"""
1445
John Lo90430b62020-01-31 23:48:30 -05001446 tun4_encrypt_node_name = "esp4-encrypt-tun"
Neale Ranns8c609af2021-02-25 10:05:32 +00001447 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
John Lo90430b62020-01-31 23:48:30 -05001448 encryption_type = ESP
1449 omac = "00:11:22:33:44:55"
1450
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001451 def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100):
1452 return [
1453 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
1454 / sa.encrypt(
1455 IP(src=self.pg0.remote_ip4, dst=self.pg0.local_ip4)
1456 / GRE()
1457 / Ether(dst=self.omac)
1458 / IP(src="1.1.1.1", dst="1.1.1.2")
1459 / UDP(sport=1144, dport=2233)
1460 / Raw(b"X" * payload_size)
1461 )
1462 for i in range(count)
1463 ]
John Lo90430b62020-01-31 23:48:30 -05001464
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001465 def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=100):
1466 return [
1467 Ether(dst=self.omac)
1468 / Dot1Q(vlan=11)
1469 / IP(src="1.1.1.1", dst="1.1.1.2")
1470 / UDP(sport=1144, dport=2233)
1471 / Raw(b"X" * payload_size)
1472 for i in range(count)
1473 ]
John Lo90430b62020-01-31 23:48:30 -05001474
1475 def verify_decrypted(self, p, rxs):
1476 for rx in rxs:
1477 self.assert_equal(rx[Ether].dst, self.omac)
1478 self.assert_equal(rx[Dot1Q].vlan, 11)
1479 self.assert_equal(rx[IP].dst, "1.1.1.2")
1480
1481 def verify_encrypted(self, p, sa, rxs):
1482 for rx in rxs:
1483 try:
1484 pkt = sa.decrypt(rx[IP])
1485 if not pkt.haslayer(IP):
1486 pkt = IP(pkt[Raw].load)
1487 self.assert_packet_checksums_valid(pkt)
1488 self.assert_equal(pkt[IP].dst, self.pg0.remote_ip4)
1489 self.assert_equal(pkt[IP].src, self.pg0.local_ip4)
1490 self.assertTrue(pkt.haslayer(GRE))
1491 e = pkt[Ether]
1492 self.assertEqual(e[Ether].dst, self.omac)
1493 self.assertFalse(e.haslayer(Dot1Q))
1494 self.assertEqual(e[IP].dst, "1.1.1.2")
1495 except (IndexError, AssertionError):
1496 self.logger.debug(ppp("Unexpected packet:", rx))
1497 try:
1498 self.logger.debug(ppp("Decrypted packet:", pkt))
1499 except:
1500 pass
1501 raise
1502
1503 def setUp(self):
1504 super(TestIpsecGreTebVlanIfEsp, self).setUp()
1505
1506 self.tun_if = self.pg0
1507
1508 p = self.ipv4_params
1509
1510 bd1 = VppBridgeDomain(self, 1)
1511 bd1.add_vpp_config()
1512
1513 self.pg1_11 = VppDot1QSubint(self, self.pg1, 11)
1514 self.vapi.l2_interface_vlan_tag_rewrite(
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001515 sw_if_index=self.pg1_11.sw_if_index,
1516 vtr_op=L2_VTR_OP.L2_POP_1,
1517 push_dot1q=11,
1518 )
John Lo90430b62020-01-31 23:48:30 -05001519 self.pg1_11.admin_up()
1520
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001521 p.tun_sa_out = VppIpsecSA(
1522 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +01001523 p.vpp_tun_sa_id,
1524 p.vpp_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001525 p.auth_algo_vpp_id,
1526 p.auth_key,
1527 p.crypt_algo_vpp_id,
1528 p.crypt_key,
1529 self.vpp_esp_protocol,
1530 self.pg0.local_ip4,
1531 self.pg0.remote_ip4,
1532 )
John Lo90430b62020-01-31 23:48:30 -05001533 p.tun_sa_out.add_vpp_config()
1534
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001535 p.tun_sa_in = VppIpsecSA(
1536 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +01001537 p.scapy_tun_sa_id,
1538 p.scapy_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001539 p.auth_algo_vpp_id,
1540 p.auth_key,
1541 p.crypt_algo_vpp_id,
1542 p.crypt_key,
1543 self.vpp_esp_protocol,
1544 self.pg0.remote_ip4,
1545 self.pg0.local_ip4,
1546 )
John Lo90430b62020-01-31 23:48:30 -05001547 p.tun_sa_in.add_vpp_config()
1548
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001549 p.tun_if = VppGreInterface(
1550 self,
1551 self.pg0.local_ip4,
1552 self.pg0.remote_ip4,
1553 type=(VppEnum.vl_api_gre_tunnel_type_t.GRE_API_TUNNEL_TYPE_TEB),
1554 )
John Lo90430b62020-01-31 23:48:30 -05001555 p.tun_if.add_vpp_config()
1556
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001557 p.tun_protect = VppIpsecTunProtect(self, p.tun_if, p.tun_sa_out, [p.tun_sa_in])
John Lo90430b62020-01-31 23:48:30 -05001558
1559 p.tun_protect.add_vpp_config()
1560
1561 p.tun_if.admin_up()
1562 p.tun_if.config_ip4()
1563 config_tun_params(p, self.encryption_type, p.tun_if)
1564
1565 VppBridgeDomainPort(self, bd1, p.tun_if).add_vpp_config()
1566 VppBridgeDomainPort(self, bd1, self.pg1_11).add_vpp_config()
1567
1568 self.vapi.cli("clear ipsec sa")
1569
1570 def tearDown(self):
1571 p = self.ipv4_params
1572 p.tun_if.unconfig_ip4()
1573 super(TestIpsecGreTebVlanIfEsp, self).tearDown()
1574 self.pg1_11.admin_down()
1575 self.pg1_11.remove_vpp_config()
1576
1577
Dmitry Valter34fa0ce2024-03-11 10:38:46 +00001578@unittest.skipIf(
1579 "gre" in config.excluded_plugins, "Exclude tests depending on GRE plugin"
1580)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001581class TestIpsecGreTebIfEspTra(TemplateIpsec, IpsecTun4Tests):
1582 """Ipsec GRE TEB ESP - Tra tests"""
1583
Neale Ranns568acbb2019-12-18 05:54:40 +00001584 tun4_encrypt_node_name = "esp4-encrypt-tun"
Neale Ranns8c609af2021-02-25 10:05:32 +00001585 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
Neale Ranns568acbb2019-12-18 05:54:40 +00001586 encryption_type = ESP
1587 omac = "00:11:22:33:44:55"
1588
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001589 def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100):
1590 return [
1591 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
1592 / sa.encrypt(
1593 IP(src=self.pg0.remote_ip4, dst=self.pg0.local_ip4)
1594 / GRE()
1595 / Ether(dst=self.omac)
1596 / IP(src="1.1.1.1", dst="1.1.1.2")
1597 / UDP(sport=1144, dport=2233)
1598 / Raw(b"X" * payload_size)
1599 )
1600 for i in range(count)
1601 ]
Neale Ranns568acbb2019-12-18 05:54:40 +00001602
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001603 def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=100):
1604 return [
1605 Ether(dst=self.omac)
1606 / IP(src="1.1.1.1", dst="1.1.1.2")
1607 / UDP(sport=1144, dport=2233)
1608 / Raw(b"X" * payload_size)
1609 for i in range(count)
1610 ]
Neale Ranns568acbb2019-12-18 05:54:40 +00001611
1612 def verify_decrypted(self, p, rxs):
1613 for rx in rxs:
1614 self.assert_equal(rx[Ether].dst, self.omac)
1615 self.assert_equal(rx[IP].dst, "1.1.1.2")
1616
1617 def verify_encrypted(self, p, sa, rxs):
1618 for rx in rxs:
1619 try:
1620 pkt = sa.decrypt(rx[IP])
1621 if not pkt.haslayer(IP):
1622 pkt = IP(pkt[Raw].load)
1623 self.assert_packet_checksums_valid(pkt)
1624 self.assert_equal(pkt[IP].dst, self.pg0.remote_ip4)
1625 self.assert_equal(pkt[IP].src, self.pg0.local_ip4)
1626 self.assertTrue(pkt.haslayer(GRE))
1627 e = pkt[Ether]
1628 self.assertEqual(e[Ether].dst, self.omac)
1629 self.assertEqual(e[IP].dst, "1.1.1.2")
1630 except (IndexError, AssertionError):
1631 self.logger.debug(ppp("Unexpected packet:", rx))
1632 try:
1633 self.logger.debug(ppp("Decrypted packet:", pkt))
1634 except:
1635 pass
1636 raise
1637
1638 def setUp(self):
1639 super(TestIpsecGreTebIfEspTra, self).setUp()
1640
1641 self.tun_if = self.pg0
1642
1643 p = self.ipv4_params
1644
1645 bd1 = VppBridgeDomain(self, 1)
1646 bd1.add_vpp_config()
1647
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001648 p.tun_sa_out = VppIpsecSA(
1649 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +01001650 p.vpp_tun_sa_id,
1651 p.vpp_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001652 p.auth_algo_vpp_id,
1653 p.auth_key,
1654 p.crypt_algo_vpp_id,
1655 p.crypt_key,
1656 self.vpp_esp_protocol,
1657 )
Neale Ranns568acbb2019-12-18 05:54:40 +00001658 p.tun_sa_out.add_vpp_config()
1659
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001660 p.tun_sa_in = VppIpsecSA(
1661 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +01001662 p.scapy_tun_sa_id,
1663 p.scapy_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001664 p.auth_algo_vpp_id,
1665 p.auth_key,
1666 p.crypt_algo_vpp_id,
1667 p.crypt_key,
1668 self.vpp_esp_protocol,
1669 )
Neale Ranns568acbb2019-12-18 05:54:40 +00001670 p.tun_sa_in.add_vpp_config()
1671
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001672 p.tun_if = VppGreInterface(
1673 self,
1674 self.pg0.local_ip4,
1675 self.pg0.remote_ip4,
1676 type=(VppEnum.vl_api_gre_tunnel_type_t.GRE_API_TUNNEL_TYPE_TEB),
1677 )
Neale Ranns568acbb2019-12-18 05:54:40 +00001678 p.tun_if.add_vpp_config()
1679
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001680 p.tun_protect = VppIpsecTunProtect(self, p.tun_if, p.tun_sa_out, [p.tun_sa_in])
Neale Ranns568acbb2019-12-18 05:54:40 +00001681
1682 p.tun_protect.add_vpp_config()
1683
1684 p.tun_if.admin_up()
1685 p.tun_if.config_ip4()
1686 config_tra_params(p, self.encryption_type, p.tun_if)
1687
1688 VppBridgeDomainPort(self, bd1, p.tun_if).add_vpp_config()
1689 VppBridgeDomainPort(self, bd1, self.pg1).add_vpp_config()
1690
1691 self.vapi.cli("clear ipsec sa")
1692
1693 def tearDown(self):
1694 p = self.ipv4_params
1695 p.tun_if.unconfig_ip4()
1696 super(TestIpsecGreTebIfEspTra, self).tearDown()
1697
1698
Dmitry Valter34fa0ce2024-03-11 10:38:46 +00001699@unittest.skipIf(
1700 "gre" in config.excluded_plugins, "Exclude tests depending on GRE plugin"
1701)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001702class TestIpsecGreTebUdpIfEspTra(TemplateIpsec, IpsecTun4Tests):
1703 """Ipsec GRE TEB UDP ESP - Tra tests"""
1704
Neale Rannsabc56602020-04-01 09:45:23 +00001705 tun4_encrypt_node_name = "esp4-encrypt-tun"
Neale Ranns8c609af2021-02-25 10:05:32 +00001706 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
Neale Rannsabc56602020-04-01 09:45:23 +00001707 encryption_type = ESP
1708 omac = "00:11:22:33:44:55"
1709
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001710 def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100):
1711 return [
1712 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
1713 / sa.encrypt(
1714 IP(src=self.pg0.remote_ip4, dst=self.pg0.local_ip4)
1715 / GRE()
1716 / Ether(dst=self.omac)
1717 / IP(src="1.1.1.1", dst="1.1.1.2")
1718 / UDP(sport=1144, dport=2233)
1719 / Raw(b"X" * payload_size)
1720 )
1721 for i in range(count)
1722 ]
Neale Rannsabc56602020-04-01 09:45:23 +00001723
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001724 def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=100):
1725 return [
1726 Ether(dst=self.omac)
1727 / IP(src="1.1.1.1", dst="1.1.1.2")
1728 / UDP(sport=1144, dport=2233)
1729 / Raw(b"X" * payload_size)
1730 for i in range(count)
1731 ]
Neale Rannsabc56602020-04-01 09:45:23 +00001732
1733 def verify_decrypted(self, p, rxs):
1734 for rx in rxs:
1735 self.assert_equal(rx[Ether].dst, self.omac)
1736 self.assert_equal(rx[IP].dst, "1.1.1.2")
1737
1738 def verify_encrypted(self, p, sa, rxs):
1739 for rx in rxs:
1740 self.assertTrue(rx.haslayer(UDP))
1741 self.assertEqual(rx[UDP].dport, 4545)
1742 self.assertEqual(rx[UDP].sport, 5454)
1743 try:
1744 pkt = sa.decrypt(rx[IP])
1745 if not pkt.haslayer(IP):
1746 pkt = IP(pkt[Raw].load)
1747 self.assert_packet_checksums_valid(pkt)
1748 self.assert_equal(pkt[IP].dst, self.pg0.remote_ip4)
1749 self.assert_equal(pkt[IP].src, self.pg0.local_ip4)
1750 self.assertTrue(pkt.haslayer(GRE))
1751 e = pkt[Ether]
1752 self.assertEqual(e[Ether].dst, self.omac)
1753 self.assertEqual(e[IP].dst, "1.1.1.2")
1754 except (IndexError, AssertionError):
1755 self.logger.debug(ppp("Unexpected packet:", rx))
1756 try:
1757 self.logger.debug(ppp("Decrypted packet:", pkt))
1758 except:
1759 pass
1760 raise
1761
1762 def setUp(self):
1763 super(TestIpsecGreTebUdpIfEspTra, self).setUp()
1764
1765 self.tun_if = self.pg0
1766
1767 p = self.ipv4_params
1768 p = self.ipv4_params
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001769 p.flags = VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_UDP_ENCAP
Neale Rannsabc56602020-04-01 09:45:23 +00001770 p.nat_header = UDP(sport=5454, dport=4545)
1771
1772 bd1 = VppBridgeDomain(self, 1)
1773 bd1.add_vpp_config()
1774
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001775 p.tun_sa_out = VppIpsecSA(
1776 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +01001777 p.vpp_tun_sa_id,
1778 p.vpp_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001779 p.auth_algo_vpp_id,
1780 p.auth_key,
1781 p.crypt_algo_vpp_id,
1782 p.crypt_key,
1783 self.vpp_esp_protocol,
1784 flags=p.flags,
1785 udp_src=5454,
1786 udp_dst=4545,
1787 )
Neale Rannsabc56602020-04-01 09:45:23 +00001788 p.tun_sa_out.add_vpp_config()
1789
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001790 p.tun_sa_in = VppIpsecSA(
1791 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +01001792 p.scapy_tun_sa_id,
1793 p.scapy_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001794 p.auth_algo_vpp_id,
1795 p.auth_key,
1796 p.crypt_algo_vpp_id,
1797 p.crypt_key,
1798 self.vpp_esp_protocol,
1799 flags=(
1800 p.flags | VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_IS_INBOUND
1801 ),
1802 udp_src=4545,
1803 udp_dst=5454,
1804 )
Neale Rannsabc56602020-04-01 09:45:23 +00001805 p.tun_sa_in.add_vpp_config()
1806
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001807 p.tun_if = VppGreInterface(
1808 self,
1809 self.pg0.local_ip4,
1810 self.pg0.remote_ip4,
1811 type=(VppEnum.vl_api_gre_tunnel_type_t.GRE_API_TUNNEL_TYPE_TEB),
1812 )
Neale Rannsabc56602020-04-01 09:45:23 +00001813 p.tun_if.add_vpp_config()
1814
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001815 p.tun_protect = VppIpsecTunProtect(self, p.tun_if, p.tun_sa_out, [p.tun_sa_in])
Neale Rannsabc56602020-04-01 09:45:23 +00001816
1817 p.tun_protect.add_vpp_config()
1818
1819 p.tun_if.admin_up()
1820 p.tun_if.config_ip4()
1821 config_tra_params(p, self.encryption_type, p.tun_if)
1822
1823 VppBridgeDomainPort(self, bd1, p.tun_if).add_vpp_config()
1824 VppBridgeDomainPort(self, bd1, self.pg1).add_vpp_config()
1825
1826 self.vapi.cli("clear ipsec sa")
1827 self.logger.info(self.vapi.cli("sh ipsec sa 0"))
1828
1829 def tearDown(self):
1830 p = self.ipv4_params
1831 p.tun_if.unconfig_ip4()
1832 super(TestIpsecGreTebUdpIfEspTra, self).tearDown()
1833
1834
Dmitry Valter34fa0ce2024-03-11 10:38:46 +00001835@unittest.skipIf(
1836 "gre" in config.excluded_plugins, "Exclude tests depending on GRE plugin"
1837)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001838class TestIpsecGreIfEsp(TemplateIpsec, IpsecTun4Tests):
1839 """Ipsec GRE ESP - TUN tests"""
1840
Neale Rannsc87b66c2019-02-07 07:26:12 -08001841 tun4_encrypt_node_name = "esp4-encrypt-tun"
Neale Ranns8c609af2021-02-25 10:05:32 +00001842 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
Neale Rannsc87b66c2019-02-07 07:26:12 -08001843 encryption_type = ESP
1844
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001845 def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100):
1846 return [
1847 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
1848 / sa.encrypt(
1849 IP(src=self.pg0.remote_ip4, dst=self.pg0.local_ip4)
1850 / GRE()
1851 / IP(src=self.pg1.local_ip4, dst=self.pg1.remote_ip4)
1852 / UDP(sport=1144, dport=2233)
1853 / Raw(b"X" * payload_size)
1854 )
1855 for i in range(count)
1856 ]
Neale Rannsc87b66c2019-02-07 07:26:12 -08001857
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001858 def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=100):
1859 return [
1860 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
1861 / IP(src="1.1.1.1", dst="1.1.1.2")
1862 / UDP(sport=1144, dport=2233)
1863 / Raw(b"X" * payload_size)
1864 for i in range(count)
1865 ]
Neale Rannsc87b66c2019-02-07 07:26:12 -08001866
1867 def verify_decrypted(self, p, rxs):
1868 for rx in rxs:
1869 self.assert_equal(rx[Ether].dst, self.pg1.remote_mac)
1870 self.assert_equal(rx[IP].dst, self.pg1.remote_ip4)
1871
1872 def verify_encrypted(self, p, sa, rxs):
1873 for rx in rxs:
1874 try:
1875 pkt = sa.decrypt(rx[IP])
1876 if not pkt.haslayer(IP):
1877 pkt = IP(pkt[Raw].load)
1878 self.assert_packet_checksums_valid(pkt)
1879 self.assert_equal(pkt[IP].dst, self.pg0.remote_ip4)
1880 self.assert_equal(pkt[IP].src, self.pg0.local_ip4)
1881 self.assertTrue(pkt.haslayer(GRE))
1882 e = pkt[GRE]
1883 self.assertEqual(e[IP].dst, "1.1.1.2")
1884 except (IndexError, AssertionError):
1885 self.logger.debug(ppp("Unexpected packet:", rx))
1886 try:
1887 self.logger.debug(ppp("Decrypted packet:", pkt))
1888 except:
1889 pass
1890 raise
1891
1892 def setUp(self):
1893 super(TestIpsecGreIfEsp, self).setUp()
1894
1895 self.tun_if = self.pg0
1896
1897 p = self.ipv4_params
1898
1899 bd1 = VppBridgeDomain(self, 1)
1900 bd1.add_vpp_config()
1901
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001902 p.tun_sa_out = VppIpsecSA(
1903 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +01001904 p.vpp_tun_sa_id,
1905 p.vpp_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001906 p.auth_algo_vpp_id,
1907 p.auth_key,
1908 p.crypt_algo_vpp_id,
1909 p.crypt_key,
1910 self.vpp_esp_protocol,
1911 self.pg0.local_ip4,
1912 self.pg0.remote_ip4,
1913 )
Neale Rannsc87b66c2019-02-07 07:26:12 -08001914 p.tun_sa_out.add_vpp_config()
1915
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001916 p.tun_sa_in = VppIpsecSA(
1917 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +01001918 p.scapy_tun_sa_id,
1919 p.scapy_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001920 p.auth_algo_vpp_id,
1921 p.auth_key,
1922 p.crypt_algo_vpp_id,
1923 p.crypt_key,
1924 self.vpp_esp_protocol,
1925 self.pg0.remote_ip4,
1926 self.pg0.local_ip4,
1927 )
Neale Rannsc87b66c2019-02-07 07:26:12 -08001928 p.tun_sa_in.add_vpp_config()
1929
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001930 p.tun_if = VppGreInterface(self, self.pg0.local_ip4, self.pg0.remote_ip4)
Neale Ranns12989b52019-09-26 16:20:19 +00001931 p.tun_if.add_vpp_config()
Neale Rannsc87b66c2019-02-07 07:26:12 -08001932
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001933 p.tun_protect = VppIpsecTunProtect(self, p.tun_if, p.tun_sa_out, [p.tun_sa_in])
Neale Rannsc87b66c2019-02-07 07:26:12 -08001934 p.tun_protect.add_vpp_config()
1935
Neale Ranns12989b52019-09-26 16:20:19 +00001936 p.tun_if.admin_up()
1937 p.tun_if.config_ip4()
1938 config_tun_params(p, self.encryption_type, p.tun_if)
Neale Rannsc87b66c2019-02-07 07:26:12 -08001939
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001940 VppIpRoute(
1941 self, "1.1.1.2", 32, [VppRoutePath(p.tun_if.remote_ip4, 0xFFFFFFFF)]
1942 ).add_vpp_config()
Neale Rannsc87b66c2019-02-07 07:26:12 -08001943
1944 def tearDown(self):
Neale Ranns12989b52019-09-26 16:20:19 +00001945 p = self.ipv4_params
1946 p.tun_if.unconfig_ip4()
Neale Rannsc87b66c2019-02-07 07:26:12 -08001947 super(TestIpsecGreIfEsp, self).tearDown()
1948
1949
Dmitry Valter34fa0ce2024-03-11 10:38:46 +00001950@unittest.skipIf(
1951 "gre" in config.excluded_plugins, "Exclude tests depending on GRE plugin"
1952)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001953class TestIpsecGreIfEspTra(TemplateIpsec, IpsecTun4Tests):
1954 """Ipsec GRE ESP - TRA tests"""
1955
Neale Rannsabde62f2019-12-02 22:32:05 +00001956 tun4_encrypt_node_name = "esp4-encrypt-tun"
Neale Ranns8c609af2021-02-25 10:05:32 +00001957 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
Neale Rannsabde62f2019-12-02 22:32:05 +00001958 encryption_type = ESP
1959
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001960 def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100):
1961 return [
1962 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
1963 / sa.encrypt(
1964 IP(src=self.pg0.remote_ip4, dst=self.pg0.local_ip4)
1965 / GRE()
1966 / IP(src=self.pg1.local_ip4, dst=self.pg1.remote_ip4)
1967 / UDP(sport=1144, dport=2233)
1968 / Raw(b"X" * payload_size)
1969 )
1970 for i in range(count)
1971 ]
Neale Rannsabde62f2019-12-02 22:32:05 +00001972
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001973 def gen_encrypt_non_ip_pkts(self, sa, sw_intf, src, dst, count=1, payload_size=100):
1974 return [
1975 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
1976 / sa.encrypt(
1977 IP(src=self.pg0.remote_ip4, dst=self.pg0.local_ip4)
1978 / GRE()
1979 / UDP(sport=1144, dport=2233)
1980 / Raw(b"X" * payload_size)
1981 )
1982 for i in range(count)
1983 ]
Neale Ranns02950402019-12-20 00:54:57 +00001984
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02001985 def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=100):
1986 return [
1987 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
1988 / IP(src="1.1.1.1", dst="1.1.1.2")
1989 / UDP(sport=1144, dport=2233)
1990 / Raw(b"X" * payload_size)
1991 for i in range(count)
1992 ]
Neale Rannsabde62f2019-12-02 22:32:05 +00001993
1994 def verify_decrypted(self, p, rxs):
1995 for rx in rxs:
1996 self.assert_equal(rx[Ether].dst, self.pg1.remote_mac)
1997 self.assert_equal(rx[IP].dst, self.pg1.remote_ip4)
1998
1999 def verify_encrypted(self, p, sa, rxs):
2000 for rx in rxs:
2001 try:
2002 pkt = sa.decrypt(rx[IP])
2003 if not pkt.haslayer(IP):
2004 pkt = IP(pkt[Raw].load)
2005 self.assert_packet_checksums_valid(pkt)
2006 self.assertTrue(pkt.haslayer(GRE))
2007 e = pkt[GRE]
2008 self.assertEqual(e[IP].dst, "1.1.1.2")
2009 except (IndexError, AssertionError):
2010 self.logger.debug(ppp("Unexpected packet:", rx))
2011 try:
2012 self.logger.debug(ppp("Decrypted packet:", pkt))
2013 except:
2014 pass
2015 raise
2016
2017 def setUp(self):
2018 super(TestIpsecGreIfEspTra, self).setUp()
2019
2020 self.tun_if = self.pg0
2021
2022 p = self.ipv4_params
2023
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002024 p.tun_sa_out = VppIpsecSA(
2025 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +01002026 p.vpp_tun_sa_id,
2027 p.vpp_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002028 p.auth_algo_vpp_id,
2029 p.auth_key,
2030 p.crypt_algo_vpp_id,
2031 p.crypt_key,
2032 self.vpp_esp_protocol,
2033 )
Neale Rannsabde62f2019-12-02 22:32:05 +00002034 p.tun_sa_out.add_vpp_config()
2035
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002036 p.tun_sa_in = VppIpsecSA(
2037 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +01002038 p.scapy_tun_sa_id,
2039 p.scapy_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002040 p.auth_algo_vpp_id,
2041 p.auth_key,
2042 p.crypt_algo_vpp_id,
2043 p.crypt_key,
2044 self.vpp_esp_protocol,
2045 )
Neale Rannsabde62f2019-12-02 22:32:05 +00002046 p.tun_sa_in.add_vpp_config()
2047
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002048 p.tun_if = VppGreInterface(self, self.pg0.local_ip4, self.pg0.remote_ip4)
Neale Rannsabde62f2019-12-02 22:32:05 +00002049 p.tun_if.add_vpp_config()
2050
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002051 p.tun_protect = VppIpsecTunProtect(self, p.tun_if, p.tun_sa_out, [p.tun_sa_in])
Neale Rannsabde62f2019-12-02 22:32:05 +00002052 p.tun_protect.add_vpp_config()
2053
2054 p.tun_if.admin_up()
2055 p.tun_if.config_ip4()
Neale Ranns568acbb2019-12-18 05:54:40 +00002056 config_tra_params(p, self.encryption_type, p.tun_if)
Neale Rannsabde62f2019-12-02 22:32:05 +00002057
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002058 VppIpRoute(
2059 self, "1.1.1.2", 32, [VppRoutePath(p.tun_if.remote_ip4, 0xFFFFFFFF)]
2060 ).add_vpp_config()
Neale Rannsabde62f2019-12-02 22:32:05 +00002061
2062 def tearDown(self):
2063 p = self.ipv4_params
2064 p.tun_if.unconfig_ip4()
2065 super(TestIpsecGreIfEspTra, self).tearDown()
2066
Neale Ranns02950402019-12-20 00:54:57 +00002067 def test_gre_non_ip(self):
2068 p = self.ipv4_params
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002069 tx = self.gen_encrypt_non_ip_pkts(
2070 p.scapy_tun_sa,
2071 self.tun_if,
2072 src=p.remote_tun_if_host,
2073 dst=self.pg1.remote_ip6,
2074 )
Neale Ranns02950402019-12-20 00:54:57 +00002075 self.send_and_assert_no_replies(self.tun_if, tx)
Neale Ranns93688d72022-08-09 03:34:51 +00002076 node_name = "/err/%s/unsup_payload" % self.tun4_decrypt_node_name[0]
Neale Ranns02950402019-12-20 00:54:57 +00002077 self.assertEqual(1, self.statistics.get_err_counter(node_name))
Arthur de Kerhorad95b062022-11-16 19:12:05 +01002078 err = p.tun_sa_in.get_err("unsup_payload")
2079 self.assertEqual(err, 1)
Neale Ranns02950402019-12-20 00:54:57 +00002080
2081
Dmitry Valter34fa0ce2024-03-11 10:38:46 +00002082@unittest.skipIf(
2083 "gre" in config.excluded_plugins, "Exclude tests depending on GRE plugin"
2084)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002085class TestIpsecGre6IfEspTra(TemplateIpsec, IpsecTun6Tests):
2086 """Ipsec GRE ESP - TRA tests"""
2087
Neale Ranns02950402019-12-20 00:54:57 +00002088 tun6_encrypt_node_name = "esp6-encrypt-tun"
Neale Ranns8c609af2021-02-25 10:05:32 +00002089 tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"]
Neale Ranns02950402019-12-20 00:54:57 +00002090 encryption_type = ESP
2091
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002092 def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1, payload_size=100):
2093 return [
2094 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
2095 / sa.encrypt(
2096 IPv6(src=self.pg0.remote_ip6, dst=self.pg0.local_ip6)
2097 / GRE()
2098 / IPv6(src=self.pg1.local_ip6, dst=self.pg1.remote_ip6)
2099 / UDP(sport=1144, dport=2233)
2100 / Raw(b"X" * payload_size)
2101 )
2102 for i in range(count)
2103 ]
Neale Ranns02950402019-12-20 00:54:57 +00002104
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002105 def gen_pkts6(self, p, sw_intf, src, dst, count=1, payload_size=100):
2106 return [
2107 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
2108 / IPv6(src="1::1", dst="1::2")
2109 / UDP(sport=1144, dport=2233)
2110 / Raw(b"X" * payload_size)
2111 for i in range(count)
2112 ]
Neale Ranns02950402019-12-20 00:54:57 +00002113
2114 def verify_decrypted6(self, p, rxs):
2115 for rx in rxs:
2116 self.assert_equal(rx[Ether].dst, self.pg1.remote_mac)
2117 self.assert_equal(rx[IPv6].dst, self.pg1.remote_ip6)
2118
2119 def verify_encrypted6(self, p, sa, rxs):
2120 for rx in rxs:
2121 try:
2122 pkt = sa.decrypt(rx[IPv6])
2123 if not pkt.haslayer(IPv6):
2124 pkt = IPv6(pkt[Raw].load)
2125 self.assert_packet_checksums_valid(pkt)
2126 self.assertTrue(pkt.haslayer(GRE))
2127 e = pkt[GRE]
2128 self.assertEqual(e[IPv6].dst, "1::2")
2129 except (IndexError, AssertionError):
2130 self.logger.debug(ppp("Unexpected packet:", rx))
2131 try:
2132 self.logger.debug(ppp("Decrypted packet:", pkt))
2133 except:
2134 pass
2135 raise
2136
2137 def setUp(self):
2138 super(TestIpsecGre6IfEspTra, self).setUp()
2139
2140 self.tun_if = self.pg0
2141
2142 p = self.ipv6_params
2143
2144 bd1 = VppBridgeDomain(self, 1)
2145 bd1.add_vpp_config()
2146
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002147 p.tun_sa_out = VppIpsecSA(
2148 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +01002149 p.vpp_tun_sa_id,
2150 p.vpp_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002151 p.auth_algo_vpp_id,
2152 p.auth_key,
2153 p.crypt_algo_vpp_id,
2154 p.crypt_key,
2155 self.vpp_esp_protocol,
2156 )
Neale Ranns02950402019-12-20 00:54:57 +00002157 p.tun_sa_out.add_vpp_config()
2158
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002159 p.tun_sa_in = VppIpsecSA(
2160 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +01002161 p.scapy_tun_sa_id,
2162 p.scapy_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002163 p.auth_algo_vpp_id,
2164 p.auth_key,
2165 p.crypt_algo_vpp_id,
2166 p.crypt_key,
2167 self.vpp_esp_protocol,
2168 )
Neale Ranns02950402019-12-20 00:54:57 +00002169 p.tun_sa_in.add_vpp_config()
2170
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002171 p.tun_if = VppGreInterface(self, self.pg0.local_ip6, self.pg0.remote_ip6)
Neale Ranns02950402019-12-20 00:54:57 +00002172 p.tun_if.add_vpp_config()
2173
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002174 p.tun_protect = VppIpsecTunProtect(self, p.tun_if, p.tun_sa_out, [p.tun_sa_in])
Neale Ranns02950402019-12-20 00:54:57 +00002175 p.tun_protect.add_vpp_config()
2176
2177 p.tun_if.admin_up()
2178 p.tun_if.config_ip6()
2179 config_tra_params(p, self.encryption_type, p.tun_if)
2180
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002181 r = VppIpRoute(
2182 self,
2183 "1::2",
2184 128,
2185 [
2186 VppRoutePath(
2187 p.tun_if.remote_ip6, 0xFFFFFFFF, proto=DpoProto.DPO_PROTO_IP6
2188 )
2189 ],
2190 )
Neale Ranns02950402019-12-20 00:54:57 +00002191 r.add_vpp_config()
2192
2193 def tearDown(self):
2194 p = self.ipv6_params
2195 p.tun_if.unconfig_ip6()
2196 super(TestIpsecGre6IfEspTra, self).tearDown()
2197
Neale Rannsabde62f2019-12-02 22:32:05 +00002198
Dmitry Valter34fa0ce2024-03-11 10:38:46 +00002199@unittest.skipIf(
2200 "gre" in config.excluded_plugins, "Exclude tests depending on GRE plugin"
2201)
Neale Ranns28287212019-12-16 00:53:11 +00002202class TestIpsecMGreIfEspTra4(TemplateIpsec, IpsecTun4):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002203 """Ipsec mGRE ESP v4 TRA tests"""
2204
Neale Ranns28287212019-12-16 00:53:11 +00002205 tun4_encrypt_node_name = "esp4-encrypt-tun"
Neale Ranns8c609af2021-02-25 10:05:32 +00002206 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
Neale Ranns28287212019-12-16 00:53:11 +00002207 encryption_type = ESP
2208
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002209 def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100):
2210 return [
2211 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
2212 / sa.encrypt(
2213 IP(src=p.tun_dst, dst=self.pg0.local_ip4)
2214 / GRE()
2215 / IP(src=self.pg1.local_ip4, dst=self.pg1.remote_ip4)
2216 / UDP(sport=1144, dport=2233)
2217 / Raw(b"X" * payload_size)
2218 )
2219 for i in range(count)
2220 ]
Neale Ranns28287212019-12-16 00:53:11 +00002221
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002222 def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=100):
2223 return [
2224 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
2225 / IP(src="1.1.1.1", dst=dst)
2226 / UDP(sport=1144, dport=2233)
2227 / Raw(b"X" * payload_size)
2228 for i in range(count)
2229 ]
Neale Ranns28287212019-12-16 00:53:11 +00002230
2231 def verify_decrypted(self, p, rxs):
2232 for rx in rxs:
2233 self.assert_equal(rx[Ether].dst, self.pg1.remote_mac)
2234 self.assert_equal(rx[IP].dst, self.pg1.remote_ip4)
2235
2236 def verify_encrypted(self, p, sa, rxs):
2237 for rx in rxs:
2238 try:
2239 pkt = sa.decrypt(rx[IP])
2240 if not pkt.haslayer(IP):
2241 pkt = IP(pkt[Raw].load)
2242 self.assert_packet_checksums_valid(pkt)
2243 self.assertTrue(pkt.haslayer(GRE))
2244 e = pkt[GRE]
2245 self.assertEqual(e[IP].dst, p.remote_tun_if_host)
2246 except (IndexError, AssertionError):
2247 self.logger.debug(ppp("Unexpected packet:", rx))
2248 try:
2249 self.logger.debug(ppp("Decrypted packet:", pkt))
2250 except:
2251 pass
2252 raise
2253
2254 def setUp(self):
2255 super(TestIpsecMGreIfEspTra4, self).setUp()
2256
2257 N_NHS = 16
2258 self.tun_if = self.pg0
2259 p = self.ipv4_params
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002260 p.tun_if = VppGreInterface(
2261 self,
2262 self.pg0.local_ip4,
2263 "0.0.0.0",
2264 mode=(VppEnum.vl_api_tunnel_mode_t.TUNNEL_API_MODE_MP),
2265 )
Neale Ranns28287212019-12-16 00:53:11 +00002266 p.tun_if.add_vpp_config()
2267 p.tun_if.admin_up()
2268 p.tun_if.config_ip4()
2269 p.tun_if.generate_remote_hosts(N_NHS)
2270 self.pg0.generate_remote_hosts(N_NHS)
2271 self.pg0.configure_ipv4_neighbors()
2272
2273 # setup some SAs for several next-hops on the interface
2274 self.multi_params = []
2275
Neale Ranns6ba4e412020-10-19 09:59:41 +00002276 for ii in range(N_NHS):
Neale Ranns28287212019-12-16 00:53:11 +00002277 p = copy.copy(self.ipv4_params)
2278
2279 p.remote_tun_if_host = "1.1.1.%d" % (ii + 1)
2280 p.scapy_tun_sa_id = p.scapy_tun_sa_id + ii
2281 p.scapy_tun_spi = p.scapy_tun_spi + ii
2282 p.vpp_tun_sa_id = p.vpp_tun_sa_id + ii
2283 p.vpp_tun_spi = p.vpp_tun_spi + ii
2284
2285 p.scapy_tra_sa_id = p.scapy_tra_sa_id + ii
2286 p.scapy_tra_spi = p.scapy_tra_spi + ii
2287 p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii
2288 p.vpp_tra_spi = p.vpp_tra_spi + ii
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002289 p.tun_sa_out = VppIpsecSA(
2290 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +01002291 p.vpp_tun_sa_id,
2292 p.vpp_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002293 p.auth_algo_vpp_id,
2294 p.auth_key,
2295 p.crypt_algo_vpp_id,
2296 p.crypt_key,
2297 self.vpp_esp_protocol,
2298 )
Neale Ranns28287212019-12-16 00:53:11 +00002299 p.tun_sa_out.add_vpp_config()
2300
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002301 p.tun_sa_in = VppIpsecSA(
2302 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +01002303 p.scapy_tun_sa_id,
2304 p.scapy_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002305 p.auth_algo_vpp_id,
2306 p.auth_key,
2307 p.crypt_algo_vpp_id,
2308 p.crypt_key,
2309 self.vpp_esp_protocol,
2310 )
Neale Ranns28287212019-12-16 00:53:11 +00002311 p.tun_sa_in.add_vpp_config()
2312
2313 p.tun_protect = VppIpsecTunProtect(
2314 self,
2315 p.tun_if,
2316 p.tun_sa_out,
2317 [p.tun_sa_in],
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002318 nh=p.tun_if.remote_hosts[ii].ip4,
2319 )
Neale Ranns28287212019-12-16 00:53:11 +00002320 p.tun_protect.add_vpp_config()
2321 config_tra_params(p, self.encryption_type, p.tun_if)
2322 self.multi_params.append(p)
2323
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002324 VppIpRoute(
2325 self,
2326 p.remote_tun_if_host,
2327 32,
2328 [VppRoutePath(p.tun_if.remote_hosts[ii].ip4, p.tun_if.sw_if_index)],
2329 ).add_vpp_config()
Neale Ranns28287212019-12-16 00:53:11 +00002330
2331 # in this v4 variant add the teibs after the protect
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002332 p.teib = VppTeib(
2333 self,
2334 p.tun_if,
2335 p.tun_if.remote_hosts[ii].ip4,
2336 self.pg0.remote_hosts[ii].ip4,
2337 ).add_vpp_config()
Neale Ranns28287212019-12-16 00:53:11 +00002338 p.tun_dst = self.pg0.remote_hosts[ii].ip4
2339 self.logger.info(self.vapi.cli("sh ipsec protect-hash"))
2340
2341 def tearDown(self):
2342 p = self.ipv4_params
2343 p.tun_if.unconfig_ip4()
2344 super(TestIpsecMGreIfEspTra4, self).tearDown()
2345
2346 def test_tun_44(self):
2347 """mGRE IPSEC 44"""
2348 N_PKTS = 63
2349 for p in self.multi_params:
2350 self.verify_tun_44(p, count=N_PKTS)
2351 p.teib.remove_vpp_config()
2352 self.verify_tun_dropped_44(p, count=N_PKTS)
2353 p.teib.add_vpp_config()
2354 self.verify_tun_44(p, count=N_PKTS)
2355
2356
Dmitry Valter34fa0ce2024-03-11 10:38:46 +00002357@unittest.skipIf(
2358 "gre" in config.excluded_plugins, "Exclude tests depending on GRE plugin"
2359)
Neale Ranns28287212019-12-16 00:53:11 +00002360class TestIpsecMGreIfEspTra6(TemplateIpsec, IpsecTun6):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002361 """Ipsec mGRE ESP v6 TRA tests"""
2362
Neale Ranns28287212019-12-16 00:53:11 +00002363 tun6_encrypt_node_name = "esp6-encrypt-tun"
Neale Ranns8c609af2021-02-25 10:05:32 +00002364 tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"]
Neale Ranns28287212019-12-16 00:53:11 +00002365 encryption_type = ESP
2366
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002367 def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1, payload_size=100):
2368 return [
2369 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
2370 / sa.encrypt(
2371 IPv6(src=p.tun_dst, dst=self.pg0.local_ip6)
2372 / GRE()
2373 / IPv6(src=self.pg1.local_ip6, dst=self.pg1.remote_ip6)
2374 / UDP(sport=1144, dport=2233)
2375 / Raw(b"X" * payload_size)
2376 )
2377 for i in range(count)
2378 ]
Neale Ranns28287212019-12-16 00:53:11 +00002379
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002380 def gen_pkts6(self, p, sw_intf, src, dst, count=1, payload_size=100):
2381 return [
2382 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
2383 / IPv6(src="1::1", dst=dst)
2384 / UDP(sport=1144, dport=2233)
2385 / Raw(b"X" * payload_size)
2386 for i in range(count)
2387 ]
Neale Ranns28287212019-12-16 00:53:11 +00002388
2389 def verify_decrypted6(self, p, rxs):
2390 for rx in rxs:
2391 self.assert_equal(rx[Ether].dst, self.pg1.remote_mac)
2392 self.assert_equal(rx[IPv6].dst, self.pg1.remote_ip6)
2393
2394 def verify_encrypted6(self, p, sa, rxs):
2395 for rx in rxs:
2396 try:
2397 pkt = sa.decrypt(rx[IPv6])
2398 if not pkt.haslayer(IPv6):
2399 pkt = IPv6(pkt[Raw].load)
2400 self.assert_packet_checksums_valid(pkt)
2401 self.assertTrue(pkt.haslayer(GRE))
2402 e = pkt[GRE]
2403 self.assertEqual(e[IPv6].dst, p.remote_tun_if_host)
2404 except (IndexError, AssertionError):
2405 self.logger.debug(ppp("Unexpected packet:", rx))
2406 try:
2407 self.logger.debug(ppp("Decrypted packet:", pkt))
2408 except:
2409 pass
2410 raise
2411
2412 def setUp(self):
2413 super(TestIpsecMGreIfEspTra6, self).setUp()
2414
2415 self.vapi.cli("set logging class ipsec level debug")
2416
2417 N_NHS = 16
2418 self.tun_if = self.pg0
2419 p = self.ipv6_params
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002420 p.tun_if = VppGreInterface(
2421 self,
2422 self.pg0.local_ip6,
2423 "::",
2424 mode=(VppEnum.vl_api_tunnel_mode_t.TUNNEL_API_MODE_MP),
2425 )
Neale Ranns28287212019-12-16 00:53:11 +00002426 p.tun_if.add_vpp_config()
2427 p.tun_if.admin_up()
2428 p.tun_if.config_ip6()
2429 p.tun_if.generate_remote_hosts(N_NHS)
2430 self.pg0.generate_remote_hosts(N_NHS)
2431 self.pg0.configure_ipv6_neighbors()
2432
2433 # setup some SAs for several next-hops on the interface
2434 self.multi_params = []
2435
2436 for ii in range(N_NHS):
2437 p = copy.copy(self.ipv6_params)
2438
2439 p.remote_tun_if_host = "1::%d" % (ii + 1)
2440 p.scapy_tun_sa_id = p.scapy_tun_sa_id + ii
2441 p.scapy_tun_spi = p.scapy_tun_spi + ii
2442 p.vpp_tun_sa_id = p.vpp_tun_sa_id + ii
2443 p.vpp_tun_spi = p.vpp_tun_spi + ii
2444
2445 p.scapy_tra_sa_id = p.scapy_tra_sa_id + ii
2446 p.scapy_tra_spi = p.scapy_tra_spi + ii
2447 p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii
2448 p.vpp_tra_spi = p.vpp_tra_spi + ii
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002449 p.tun_sa_out = VppIpsecSA(
2450 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +01002451 p.vpp_tun_sa_id,
2452 p.vpp_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002453 p.auth_algo_vpp_id,
2454 p.auth_key,
2455 p.crypt_algo_vpp_id,
2456 p.crypt_key,
2457 self.vpp_esp_protocol,
2458 )
Neale Ranns28287212019-12-16 00:53:11 +00002459 p.tun_sa_out.add_vpp_config()
2460
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002461 p.tun_sa_in = VppIpsecSA(
2462 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +01002463 p.scapy_tun_sa_id,
2464 p.scapy_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002465 p.auth_algo_vpp_id,
2466 p.auth_key,
2467 p.crypt_algo_vpp_id,
2468 p.crypt_key,
2469 self.vpp_esp_protocol,
2470 )
Neale Ranns28287212019-12-16 00:53:11 +00002471 p.tun_sa_in.add_vpp_config()
2472
2473 # in this v6 variant add the teibs first then the protection
2474 p.tun_dst = self.pg0.remote_hosts[ii].ip6
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002475 VppTeib(
2476 self, p.tun_if, p.tun_if.remote_hosts[ii].ip6, p.tun_dst
2477 ).add_vpp_config()
Neale Ranns28287212019-12-16 00:53:11 +00002478
2479 p.tun_protect = VppIpsecTunProtect(
2480 self,
2481 p.tun_if,
2482 p.tun_sa_out,
2483 [p.tun_sa_in],
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002484 nh=p.tun_if.remote_hosts[ii].ip6,
2485 )
Neale Ranns28287212019-12-16 00:53:11 +00002486 p.tun_protect.add_vpp_config()
2487 config_tra_params(p, self.encryption_type, p.tun_if)
2488 self.multi_params.append(p)
2489
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002490 VppIpRoute(
2491 self,
2492 p.remote_tun_if_host,
2493 128,
2494 [VppRoutePath(p.tun_if.remote_hosts[ii].ip6, p.tun_if.sw_if_index)],
2495 ).add_vpp_config()
Neale Ranns28287212019-12-16 00:53:11 +00002496 p.tun_dst = self.pg0.remote_hosts[ii].ip6
2497
2498 self.logger.info(self.vapi.cli("sh log"))
2499 self.logger.info(self.vapi.cli("sh ipsec protect-hash"))
2500 self.logger.info(self.vapi.cli("sh adj 41"))
2501
2502 def tearDown(self):
2503 p = self.ipv6_params
2504 p.tun_if.unconfig_ip6()
2505 super(TestIpsecMGreIfEspTra6, self).tearDown()
2506
2507 def test_tun_66(self):
2508 """mGRE IPSec 66"""
2509 for p in self.multi_params:
2510 self.verify_tun_66(p, count=63)
2511
2512
Andrew Yourtchenko8dc0d482021-01-29 13:17:19 +00002513@tag_fixme_vpp_workers
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002514class TestIpsec4TunProtect(TemplateIpsec, TemplateIpsec4TunProtect, IpsecTun4):
2515 """IPsec IPv4 Tunnel protect - transport mode"""
Neale Rannsc87b66c2019-02-07 07:26:12 -08002516
Neale Rannsc87b66c2019-02-07 07:26:12 -08002517 def setUp(self):
2518 super(TestIpsec4TunProtect, self).setUp()
2519
2520 self.tun_if = self.pg0
2521
2522 def tearDown(self):
2523 super(TestIpsec4TunProtect, self).tearDown()
2524
2525 def test_tun_44(self):
2526 """IPSEC tunnel protect"""
2527
2528 p = self.ipv4_params
2529
2530 self.config_network(p)
2531 self.config_sa_tra(p)
2532 self.config_protect(p)
2533
2534 self.verify_tun_44(p, count=127)
Ole Troane66443c2021-03-18 11:12:01 +01002535 self.assertEqual(p.tun_if.get_rx_stats(), 127)
2536 self.assertEqual(p.tun_if.get_tx_stats(), 127)
Neale Rannsc87b66c2019-02-07 07:26:12 -08002537
Neale Rannsb3259832019-09-27 13:32:02 +00002538 self.vapi.cli("clear ipsec sa")
2539 self.verify_tun_64(p, count=127)
Ole Troane66443c2021-03-18 11:12:01 +01002540 self.assertEqual(p.tun_if.get_rx_stats(), 254)
2541 self.assertEqual(p.tun_if.get_tx_stats(), 254)
Neale Rannsb3259832019-09-27 13:32:02 +00002542
Neale Rannsc87b66c2019-02-07 07:26:12 -08002543 # rekey - create new SAs and update the tunnel protection
2544 np = copy.copy(p)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002545 np.crypt_key = b"X" + p.crypt_key[1:]
Neale Rannsc87b66c2019-02-07 07:26:12 -08002546 np.scapy_tun_spi += 100
2547 np.scapy_tun_sa_id += 1
2548 np.vpp_tun_spi += 100
2549 np.vpp_tun_sa_id += 1
2550 np.tun_if.local_spi = p.vpp_tun_spi
2551 np.tun_if.remote_spi = p.scapy_tun_spi
2552
2553 self.config_sa_tra(np)
2554 self.config_protect(np)
2555 self.unconfig_sa(p)
2556
2557 self.verify_tun_44(np, count=127)
Ole Troane66443c2021-03-18 11:12:01 +01002558 self.assertEqual(p.tun_if.get_rx_stats(), 381)
2559 self.assertEqual(p.tun_if.get_tx_stats(), 381)
Neale Rannsc87b66c2019-02-07 07:26:12 -08002560
2561 # teardown
2562 self.unconfig_protect(np)
2563 self.unconfig_sa(np)
2564 self.unconfig_network(p)
2565
2566
Andrew Yourtchenko8dc0d482021-01-29 13:17:19 +00002567@tag_fixme_vpp_workers
Arthur de Kerhor8fce5462023-06-16 09:48:52 +02002568class TestIpsec4TunProtectTfc(TemplateIpsec4TunTfc, TestIpsec4TunProtect):
2569 """IPsec IPv4 Tunnel protect with TFC - transport mode"""
2570
2571
2572@tag_fixme_vpp_workers
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002573class TestIpsec4TunProtectUdp(TemplateIpsec, TemplateIpsec4TunProtect, IpsecTun4):
Arthur de Kerhor8fce5462023-06-16 09:48:52 +02002574 """IPsec IPv4 UDP Tunnel protect - transport mode"""
Neale Ranns41afb332019-07-16 06:19:35 -07002575
2576 def setUp(self):
2577 super(TestIpsec4TunProtectUdp, self).setUp()
2578
2579 self.tun_if = self.pg0
2580
2581 p = self.ipv4_params
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002582 p.flags = VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_UDP_ENCAP
Neale Rannsabc56602020-04-01 09:45:23 +00002583 p.nat_header = UDP(sport=4500, dport=4500)
Neale Ranns41afb332019-07-16 06:19:35 -07002584 self.config_network(p)
2585 self.config_sa_tra(p)
2586 self.config_protect(p)
2587
2588 def tearDown(self):
2589 p = self.ipv4_params
2590 self.unconfig_protect(p)
2591 self.unconfig_sa(p)
2592 self.unconfig_network(p)
2593 super(TestIpsec4TunProtectUdp, self).tearDown()
2594
Neale Rannsabc56602020-04-01 09:45:23 +00002595 def verify_encrypted(self, p, sa, rxs):
2596 # ensure encrypted packets are recieved with the default UDP ports
2597 for rx in rxs:
2598 self.assertEqual(rx[UDP].sport, 4500)
2599 self.assertEqual(rx[UDP].dport, 4500)
2600 super(TestIpsec4TunProtectUdp, self).verify_encrypted(p, sa, rxs)
2601
Neale Ranns41afb332019-07-16 06:19:35 -07002602 def test_tun_44(self):
2603 """IPSEC UDP tunnel protect"""
2604
2605 p = self.ipv4_params
2606
2607 self.verify_tun_44(p, count=127)
Ole Troane66443c2021-03-18 11:12:01 +01002608 self.assertEqual(p.tun_if.get_rx_stats(), 127)
2609 self.assertEqual(p.tun_if.get_tx_stats(), 127)
Neale Ranns41afb332019-07-16 06:19:35 -07002610
2611 def test_keepalive(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002612 """IPSEC NAT Keepalive"""
Neale Ranns41afb332019-07-16 06:19:35 -07002613 self.verify_keepalive(self.ipv4_params)
2614
2615
Andrew Yourtchenko8dc0d482021-01-29 13:17:19 +00002616@tag_fixme_vpp_workers
Arthur de Kerhor8fce5462023-06-16 09:48:52 +02002617class TestIpsec4TunProtectUdpTfc(TemplateIpsec4TunTfc, TestIpsec4TunProtectUdp):
2618 """IPsec IPv4 UDP Tunnel protect with TFC - transport mode"""
2619
2620
2621@tag_fixme_vpp_workers
Dmitry Valter34fa0ce2024-03-11 10:38:46 +00002622@unittest.skipIf(
2623 "acl" in config.excluded_plugins, "Exclude tests depending on ACL plugin"
2624)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002625class TestIpsec4TunProtectTun(TemplateIpsec, TemplateIpsec4TunProtect, IpsecTun4):
2626 """IPsec IPv4 Tunnel protect - tunnel mode"""
Neale Rannsc87b66c2019-02-07 07:26:12 -08002627
2628 encryption_type = ESP
2629 tun4_encrypt_node_name = "esp4-encrypt-tun"
Neale Ranns8c609af2021-02-25 10:05:32 +00002630 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
Neale Rannsc87b66c2019-02-07 07:26:12 -08002631
2632 def setUp(self):
2633 super(TestIpsec4TunProtectTun, self).setUp()
2634
2635 self.tun_if = self.pg0
2636
2637 def tearDown(self):
2638 super(TestIpsec4TunProtectTun, self).tearDown()
2639
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002640 def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100):
2641 return [
2642 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
2643 / sa.encrypt(
2644 IP(src=sw_intf.remote_ip4, dst=sw_intf.local_ip4)
2645 / IP(src=src, dst=dst)
2646 / UDP(sport=1144, dport=2233)
2647 / Raw(b"X" * payload_size)
2648 )
2649 for i in range(count)
2650 ]
Neale Rannsc87b66c2019-02-07 07:26:12 -08002651
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002652 def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=100):
2653 return [
2654 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
2655 / IP(src=src, dst=dst)
2656 / UDP(sport=1144, dport=2233)
2657 / Raw(b"X" * payload_size)
2658 for i in range(count)
2659 ]
Neale Rannsc87b66c2019-02-07 07:26:12 -08002660
2661 def verify_decrypted(self, p, rxs):
2662 for rx in rxs:
2663 self.assert_equal(rx[IP].dst, self.pg1.remote_ip4)
2664 self.assert_equal(rx[IP].src, p.remote_tun_if_host)
2665 self.assert_packet_checksums_valid(rx)
2666
2667 def verify_encrypted(self, p, sa, rxs):
2668 for rx in rxs:
2669 try:
2670 pkt = sa.decrypt(rx[IP])
2671 if not pkt.haslayer(IP):
2672 pkt = IP(pkt[Raw].load)
2673 self.assert_packet_checksums_valid(pkt)
2674 self.assert_equal(pkt[IP].dst, self.pg0.remote_ip4)
2675 self.assert_equal(pkt[IP].src, self.pg0.local_ip4)
2676 inner = pkt[IP].payload
2677 self.assertEqual(inner[IP][IP].dst, p.remote_tun_if_host)
2678
2679 except (IndexError, AssertionError):
2680 self.logger.debug(ppp("Unexpected packet:", rx))
2681 try:
2682 self.logger.debug(ppp("Decrypted packet:", pkt))
2683 except:
2684 pass
2685 raise
2686
2687 def test_tun_44(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002688 """IPSEC tunnel protect"""
Neale Rannsc87b66c2019-02-07 07:26:12 -08002689
2690 p = self.ipv4_params
2691
2692 self.config_network(p)
2693 self.config_sa_tun(p)
2694 self.config_protect(p)
2695
Neale Ranns5d0136f2020-05-12 08:51:02 +00002696 # also add an output features on the tunnel and physical interface
2697 # so we test they still work
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002698 r_all = AclRule(True, src_prefix="0.0.0.0/0", dst_prefix="0.0.0.0/0", proto=0)
Neale Ranns5d0136f2020-05-12 08:51:02 +00002699 a = VppAcl(self, [r_all]).add_vpp_config()
2700
2701 VppAclInterface(self, self.pg0.sw_if_index, [a]).add_vpp_config()
2702 VppAclInterface(self, p.tun_if.sw_if_index, [a]).add_vpp_config()
2703
Neale Rannsc87b66c2019-02-07 07:26:12 -08002704 self.verify_tun_44(p, count=127)
2705
Ole Troane66443c2021-03-18 11:12:01 +01002706 self.assertEqual(p.tun_if.get_rx_stats(), 127)
2707 self.assertEqual(p.tun_if.get_tx_stats(), 127)
Neale Rannsc87b66c2019-02-07 07:26:12 -08002708
2709 # rekey - create new SAs and update the tunnel protection
2710 np = copy.copy(p)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002711 np.crypt_key = b"X" + p.crypt_key[1:]
Neale Rannsc87b66c2019-02-07 07:26:12 -08002712 np.scapy_tun_spi += 100
2713 np.scapy_tun_sa_id += 1
2714 np.vpp_tun_spi += 100
2715 np.vpp_tun_sa_id += 1
2716 np.tun_if.local_spi = p.vpp_tun_spi
2717 np.tun_if.remote_spi = p.scapy_tun_spi
2718
2719 self.config_sa_tun(np)
2720 self.config_protect(np)
2721 self.unconfig_sa(p)
2722
2723 self.verify_tun_44(np, count=127)
Ole Troane66443c2021-03-18 11:12:01 +01002724 self.assertEqual(p.tun_if.get_rx_stats(), 254)
2725 self.assertEqual(p.tun_if.get_tx_stats(), 254)
Neale Rannsc87b66c2019-02-07 07:26:12 -08002726
2727 # teardown
2728 self.unconfig_protect(np)
2729 self.unconfig_sa(np)
2730 self.unconfig_network(p)
2731
2732
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002733class TestIpsec4TunProtectTunDrop(TemplateIpsec, TemplateIpsec4TunProtect, IpsecTun4):
2734 """IPsec IPv4 Tunnel protect - tunnel mode - drop"""
Neale Ranns02950402019-12-20 00:54:57 +00002735
2736 encryption_type = ESP
2737 tun4_encrypt_node_name = "esp4-encrypt-tun"
Neale Ranns8c609af2021-02-25 10:05:32 +00002738 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
Neale Ranns02950402019-12-20 00:54:57 +00002739
2740 def setUp(self):
2741 super(TestIpsec4TunProtectTunDrop, self).setUp()
2742
2743 self.tun_if = self.pg0
2744
2745 def tearDown(self):
2746 super(TestIpsec4TunProtectTunDrop, self).tearDown()
2747
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002748 def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100):
2749 return [
2750 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
2751 / sa.encrypt(
2752 IP(src=sw_intf.remote_ip4, dst="5.5.5.5")
2753 / IP(src=src, dst=dst)
2754 / UDP(sport=1144, dport=2233)
2755 / Raw(b"X" * payload_size)
2756 )
2757 for i in range(count)
2758 ]
Neale Ranns02950402019-12-20 00:54:57 +00002759
2760 def test_tun_drop_44(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002761 """IPSEC tunnel protect bogus tunnel header"""
Neale Ranns02950402019-12-20 00:54:57 +00002762
2763 p = self.ipv4_params
2764
2765 self.config_network(p)
2766 self.config_sa_tun(p)
2767 self.config_protect(p)
2768
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002769 tx = self.gen_encrypt_pkts(
2770 p,
2771 p.scapy_tun_sa,
2772 self.tun_if,
2773 src=p.remote_tun_if_host,
2774 dst=self.pg1.remote_ip4,
2775 count=63,
2776 )
Neale Ranns02950402019-12-20 00:54:57 +00002777 self.send_and_assert_no_replies(self.tun_if, tx)
2778
2779 # teardown
2780 self.unconfig_protect(p)
2781 self.unconfig_sa(p)
2782 self.unconfig_network(p)
2783
2784
Andrew Yourtchenko8dc0d482021-01-29 13:17:19 +00002785@tag_fixme_vpp_workers
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002786class TestIpsec6TunProtect(TemplateIpsec, TemplateIpsec6TunProtect, IpsecTun6):
2787 """IPsec IPv6 Tunnel protect - transport mode"""
Neale Rannsc87b66c2019-02-07 07:26:12 -08002788
2789 encryption_type = ESP
2790 tun6_encrypt_node_name = "esp6-encrypt-tun"
Neale Ranns8c609af2021-02-25 10:05:32 +00002791 tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"]
Neale Rannsc87b66c2019-02-07 07:26:12 -08002792
2793 def setUp(self):
2794 super(TestIpsec6TunProtect, self).setUp()
2795
2796 self.tun_if = self.pg0
2797
2798 def tearDown(self):
2799 super(TestIpsec6TunProtect, self).tearDown()
2800
2801 def test_tun_66(self):
Neale Ranns02950402019-12-20 00:54:57 +00002802 """IPSEC tunnel protect 6o6"""
Neale Rannsc87b66c2019-02-07 07:26:12 -08002803
2804 p = self.ipv6_params
2805
2806 self.config_network(p)
2807 self.config_sa_tra(p)
2808 self.config_protect(p)
2809
2810 self.verify_tun_66(p, count=127)
Ole Troane66443c2021-03-18 11:12:01 +01002811 self.assertEqual(p.tun_if.get_rx_stats(), 127)
2812 self.assertEqual(p.tun_if.get_tx_stats(), 127)
Neale Rannsc87b66c2019-02-07 07:26:12 -08002813
2814 # rekey - create new SAs and update the tunnel protection
2815 np = copy.copy(p)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002816 np.crypt_key = b"X" + p.crypt_key[1:]
Neale Rannsc87b66c2019-02-07 07:26:12 -08002817 np.scapy_tun_spi += 100
2818 np.scapy_tun_sa_id += 1
2819 np.vpp_tun_spi += 100
2820 np.vpp_tun_sa_id += 1
2821 np.tun_if.local_spi = p.vpp_tun_spi
2822 np.tun_if.remote_spi = p.scapy_tun_spi
2823
2824 self.config_sa_tra(np)
2825 self.config_protect(np)
2826 self.unconfig_sa(p)
2827
2828 self.verify_tun_66(np, count=127)
Ole Troane66443c2021-03-18 11:12:01 +01002829 self.assertEqual(p.tun_if.get_rx_stats(), 254)
2830 self.assertEqual(p.tun_if.get_tx_stats(), 254)
Neale Rannsc87b66c2019-02-07 07:26:12 -08002831
Neale Ranns02950402019-12-20 00:54:57 +00002832 # bounce the interface state
2833 p.tun_if.admin_down()
2834 self.verify_drop_tun_66(np, count=127)
Neale Ranns93688d72022-08-09 03:34:51 +00002835 node = "/err/ipsec6-tun-input/disabled"
Neale Ranns02950402019-12-20 00:54:57 +00002836 self.assertEqual(127, self.statistics.get_err_counter(node))
2837 p.tun_if.admin_up()
2838 self.verify_tun_66(np, count=127)
2839
Neale Rannsc87b66c2019-02-07 07:26:12 -08002840 # 3 phase rekey
2841 # 1) add two input SAs [old, new]
2842 # 2) swap output SA to [new]
2843 # 3) use only [new] input SA
2844 np3 = copy.copy(np)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002845 np3.crypt_key = b"Z" + p.crypt_key[1:]
Neale Rannsc87b66c2019-02-07 07:26:12 -08002846 np3.scapy_tun_spi += 100
2847 np3.scapy_tun_sa_id += 1
2848 np3.vpp_tun_spi += 100
2849 np3.vpp_tun_sa_id += 1
2850 np3.tun_if.local_spi = p.vpp_tun_spi
2851 np3.tun_if.remote_spi = p.scapy_tun_spi
2852
2853 self.config_sa_tra(np3)
2854
2855 # step 1;
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002856 p.tun_protect.update_vpp_config(np.tun_sa_out, [np.tun_sa_in, np3.tun_sa_in])
Neale Rannsc87b66c2019-02-07 07:26:12 -08002857 self.verify_tun_66(np, np, count=127)
2858 self.verify_tun_66(np3, np, count=127)
2859
2860 # step 2;
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002861 p.tun_protect.update_vpp_config(np3.tun_sa_out, [np.tun_sa_in, np3.tun_sa_in])
Neale Rannsc87b66c2019-02-07 07:26:12 -08002862 self.verify_tun_66(np, np3, count=127)
2863 self.verify_tun_66(np3, np3, count=127)
2864
2865 # step 1;
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002866 p.tun_protect.update_vpp_config(np3.tun_sa_out, [np3.tun_sa_in])
Neale Rannsc87b66c2019-02-07 07:26:12 -08002867 self.verify_tun_66(np3, np3, count=127)
Neale Ranns49378f22022-01-10 10:38:43 +00002868 self.verify_drop_tun_rx_66(np, count=127)
Neale Rannsc87b66c2019-02-07 07:26:12 -08002869
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002870 self.assertEqual(p.tun_if.get_rx_stats(), 127 * 9)
2871 self.assertEqual(p.tun_if.get_tx_stats(), 127 * 8)
Neale Rannsc87b66c2019-02-07 07:26:12 -08002872 self.unconfig_sa(np)
2873
2874 # teardown
2875 self.unconfig_protect(np3)
2876 self.unconfig_sa(np3)
2877 self.unconfig_network(p)
2878
Neale Rannsb3259832019-09-27 13:32:02 +00002879 def test_tun_46(self):
Neale Ranns02950402019-12-20 00:54:57 +00002880 """IPSEC tunnel protect 4o6"""
Neale Rannsb3259832019-09-27 13:32:02 +00002881
2882 p = self.ipv6_params
2883
2884 self.config_network(p)
2885 self.config_sa_tra(p)
2886 self.config_protect(p)
2887
2888 self.verify_tun_46(p, count=127)
Ole Troane66443c2021-03-18 11:12:01 +01002889 self.assertEqual(p.tun_if.get_rx_stats(), 127)
2890 self.assertEqual(p.tun_if.get_tx_stats(), 127)
Neale Rannsb3259832019-09-27 13:32:02 +00002891
2892 # teardown
2893 self.unconfig_protect(p)
2894 self.unconfig_sa(p)
2895 self.unconfig_network(p)
2896
Neale Rannsc87b66c2019-02-07 07:26:12 -08002897
Andrew Yourtchenko8dc0d482021-01-29 13:17:19 +00002898@tag_fixme_vpp_workers
Arthur de Kerhor8fce5462023-06-16 09:48:52 +02002899class TestIpsec6TunProtectTfc(TemplateIpsec6TunTfc, TestIpsec6TunProtect):
2900 """IPsec IPv6 Tunnel protect with TFC - transport mode"""
2901
2902
2903@tag_fixme_vpp_workers
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002904class TestIpsec6TunProtectTun(TemplateIpsec, TemplateIpsec6TunProtect, IpsecTun6):
2905 """IPsec IPv6 Tunnel protect - tunnel mode"""
Neale Rannsc87b66c2019-02-07 07:26:12 -08002906
2907 encryption_type = ESP
2908 tun6_encrypt_node_name = "esp6-encrypt-tun"
Neale Ranns8c609af2021-02-25 10:05:32 +00002909 tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"]
Neale Rannsc87b66c2019-02-07 07:26:12 -08002910
2911 def setUp(self):
2912 super(TestIpsec6TunProtectTun, self).setUp()
2913
2914 self.tun_if = self.pg0
2915
2916 def tearDown(self):
2917 super(TestIpsec6TunProtectTun, self).tearDown()
2918
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002919 def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1, payload_size=100):
2920 return [
2921 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
2922 / sa.encrypt(
2923 IPv6(src=sw_intf.remote_ip6, dst=sw_intf.local_ip6)
2924 / IPv6(src=src, dst=dst)
2925 / UDP(sport=1166, dport=2233)
2926 / Raw(b"X" * payload_size)
2927 )
2928 for i in range(count)
2929 ]
Neale Rannsc87b66c2019-02-07 07:26:12 -08002930
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002931 def gen_pkts6(self, p, sw_intf, src, dst, count=1, payload_size=100):
2932 return [
2933 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
2934 / IPv6(src=src, dst=dst)
2935 / UDP(sport=1166, dport=2233)
2936 / Raw(b"X" * payload_size)
2937 for i in range(count)
2938 ]
Neale Rannsc87b66c2019-02-07 07:26:12 -08002939
2940 def verify_decrypted6(self, p, rxs):
2941 for rx in rxs:
2942 self.assert_equal(rx[IPv6].dst, self.pg1.remote_ip6)
2943 self.assert_equal(rx[IPv6].src, p.remote_tun_if_host)
2944 self.assert_packet_checksums_valid(rx)
2945
2946 def verify_encrypted6(self, p, sa, rxs):
2947 for rx in rxs:
2948 try:
2949 pkt = sa.decrypt(rx[IPv6])
2950 if not pkt.haslayer(IPv6):
2951 pkt = IPv6(pkt[Raw].load)
2952 self.assert_packet_checksums_valid(pkt)
2953 self.assert_equal(pkt[IPv6].dst, self.pg0.remote_ip6)
2954 self.assert_equal(pkt[IPv6].src, self.pg0.local_ip6)
2955 inner = pkt[IPv6].payload
2956 self.assertEqual(inner[IPv6][IPv6].dst, p.remote_tun_if_host)
2957
2958 except (IndexError, AssertionError):
2959 self.logger.debug(ppp("Unexpected packet:", rx))
2960 try:
2961 self.logger.debug(ppp("Decrypted packet:", pkt))
2962 except:
2963 pass
2964 raise
2965
2966 def test_tun_66(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002967 """IPSEC tunnel protect"""
Neale Rannsc87b66c2019-02-07 07:26:12 -08002968
2969 p = self.ipv6_params
2970
2971 self.config_network(p)
2972 self.config_sa_tun(p)
2973 self.config_protect(p)
2974
2975 self.verify_tun_66(p, count=127)
2976
Ole Troane66443c2021-03-18 11:12:01 +01002977 self.assertEqual(p.tun_if.get_rx_stats(), 127)
2978 self.assertEqual(p.tun_if.get_tx_stats(), 127)
Neale Rannsc87b66c2019-02-07 07:26:12 -08002979
2980 # rekey - create new SAs and update the tunnel protection
2981 np = copy.copy(p)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02002982 np.crypt_key = b"X" + p.crypt_key[1:]
Neale Rannsc87b66c2019-02-07 07:26:12 -08002983 np.scapy_tun_spi += 100
2984 np.scapy_tun_sa_id += 1
2985 np.vpp_tun_spi += 100
2986 np.vpp_tun_sa_id += 1
2987 np.tun_if.local_spi = p.vpp_tun_spi
2988 np.tun_if.remote_spi = p.scapy_tun_spi
2989
2990 self.config_sa_tun(np)
2991 self.config_protect(np)
2992 self.unconfig_sa(p)
2993
2994 self.verify_tun_66(np, count=127)
Ole Troane66443c2021-03-18 11:12:01 +01002995 self.assertEqual(p.tun_if.get_rx_stats(), 254)
2996 self.assertEqual(p.tun_if.get_tx_stats(), 254)
Neale Rannsc87b66c2019-02-07 07:26:12 -08002997
2998 # teardown
2999 self.unconfig_protect(np)
3000 self.unconfig_sa(np)
3001 self.unconfig_network(p)
3002
Neale Rannsf05e7322019-03-29 20:23:58 +00003003
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003004class TestIpsec6TunProtectTunDrop(TemplateIpsec, TemplateIpsec6TunProtect, IpsecTun6):
3005 """IPsec IPv6 Tunnel protect - tunnel mode - drop"""
Neale Ranns02950402019-12-20 00:54:57 +00003006
3007 encryption_type = ESP
3008 tun6_encrypt_node_name = "esp6-encrypt-tun"
Neale Ranns8c609af2021-02-25 10:05:32 +00003009 tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"]
Neale Ranns02950402019-12-20 00:54:57 +00003010
3011 def setUp(self):
3012 super(TestIpsec6TunProtectTunDrop, self).setUp()
3013
3014 self.tun_if = self.pg0
3015
3016 def tearDown(self):
3017 super(TestIpsec6TunProtectTunDrop, self).tearDown()
3018
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003019 def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1, payload_size=100):
Neale Ranns02950402019-12-20 00:54:57 +00003020 # the IP destination of the revelaed packet does not match
3021 # that assigned to the tunnel
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003022 return [
3023 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
3024 / sa.encrypt(
3025 IPv6(src=sw_intf.remote_ip6, dst="5::5")
3026 / IPv6(src=src, dst=dst)
3027 / UDP(sport=1144, dport=2233)
3028 / Raw(b"X" * payload_size)
3029 )
3030 for i in range(count)
3031 ]
Neale Ranns02950402019-12-20 00:54:57 +00003032
3033 def test_tun_drop_66(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003034 """IPSEC 6 tunnel protect bogus tunnel header"""
Neale Ranns02950402019-12-20 00:54:57 +00003035
3036 p = self.ipv6_params
3037
3038 self.config_network(p)
3039 self.config_sa_tun(p)
3040 self.config_protect(p)
3041
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003042 tx = self.gen_encrypt_pkts6(
3043 p,
3044 p.scapy_tun_sa,
3045 self.tun_if,
3046 src=p.remote_tun_if_host,
3047 dst=self.pg1.remote_ip6,
3048 count=63,
3049 )
Neale Ranns02950402019-12-20 00:54:57 +00003050 self.send_and_assert_no_replies(self.tun_if, tx)
3051
3052 self.unconfig_protect(p)
3053 self.unconfig_sa(p)
3054 self.unconfig_network(p)
3055
3056
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003057class TemplateIpsecItf4(object):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003058 """IPsec Interface IPv4"""
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003059
3060 encryption_type = ESP
3061 tun4_encrypt_node_name = "esp4-encrypt-tun"
Neale Ranns8c609af2021-02-25 10:05:32 +00003062 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003063 tun4_input_node = "ipsec4-tun-input"
3064
3065 def config_sa_tun(self, p, src, dst):
3066 config_tun_params(p, self.encryption_type, None, src, dst)
3067
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003068 p.tun_sa_out = VppIpsecSA(
3069 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +01003070 p.vpp_tun_sa_id,
3071 p.vpp_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003072 p.auth_algo_vpp_id,
3073 p.auth_key,
3074 p.crypt_algo_vpp_id,
3075 p.crypt_key,
3076 self.vpp_esp_protocol,
3077 src,
3078 dst,
3079 flags=p.flags,
3080 )
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003081 p.tun_sa_out.add_vpp_config()
3082
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003083 p.tun_sa_in = VppIpsecSA(
3084 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +01003085 p.scapy_tun_sa_id,
3086 p.scapy_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003087 p.auth_algo_vpp_id,
3088 p.auth_key,
3089 p.crypt_algo_vpp_id,
3090 p.crypt_key,
3091 self.vpp_esp_protocol,
3092 dst,
3093 src,
Arthur de Kerhor4117b242022-08-31 19:13:03 +02003094 flags=p.flags
3095 | VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_IS_INBOUND,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003096 )
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003097 p.tun_sa_in.add_vpp_config()
3098
3099 def config_protect(self, p):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003100 p.tun_protect = VppIpsecTunProtect(self, p.tun_if, p.tun_sa_out, [p.tun_sa_in])
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003101 p.tun_protect.add_vpp_config()
3102
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003103 def config_network(self, p, instance=0xFFFFFFFF):
Eric Kinzie609d5792020-10-13 20:02:11 -04003104 p.tun_if = VppIpsecInterface(self, instance=instance)
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003105
3106 p.tun_if.add_vpp_config()
3107 p.tun_if.admin_up()
3108 p.tun_if.config_ip4()
3109 p.tun_if.config_ip6()
3110
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003111 p.route = VppIpRoute(
3112 self,
3113 p.remote_tun_if_host,
3114 32,
3115 [VppRoutePath(p.tun_if.remote_ip4, 0xFFFFFFFF)],
3116 )
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003117 p.route.add_vpp_config()
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003118 r = VppIpRoute(
3119 self,
3120 p.remote_tun_if_host6,
3121 128,
3122 [
3123 VppRoutePath(
3124 p.tun_if.remote_ip6, 0xFFFFFFFF, proto=DpoProto.DPO_PROTO_IP6
3125 )
3126 ],
3127 )
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003128 r.add_vpp_config()
3129
3130 def unconfig_network(self, p):
3131 p.route.remove_vpp_config()
3132 p.tun_if.remove_vpp_config()
3133
3134 def unconfig_protect(self, p):
3135 p.tun_protect.remove_vpp_config()
3136
3137 def unconfig_sa(self, p):
3138 p.tun_sa_out.remove_vpp_config()
3139 p.tun_sa_in.remove_vpp_config()
3140
3141
Andrew Yourtchenko8dc0d482021-01-29 13:17:19 +00003142@tag_fixme_vpp_workers
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003143class TestIpsecItf4(TemplateIpsec, TemplateIpsecItf4, IpsecTun4):
3144 """IPsec Interface IPv4"""
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003145
3146 def setUp(self):
3147 super(TestIpsecItf4, self).setUp()
3148
3149 self.tun_if = self.pg0
3150
3151 def tearDown(self):
3152 super(TestIpsecItf4, self).tearDown()
3153
Eric Kinzie609d5792020-10-13 20:02:11 -04003154 def test_tun_instance_44(self):
3155 p = self.ipv4_params
3156 self.config_network(p, instance=3)
3157
3158 with self.assertRaises(CliFailedCommandError):
3159 self.vapi.cli("show interface ipsec0")
3160
3161 output = self.vapi.cli("show interface ipsec3")
3162 self.assertTrue("unknown" not in output)
3163
3164 self.unconfig_network(p)
3165
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003166 def test_tun_44(self):
3167 """IPSEC interface IPv4"""
3168
3169 n_pkts = 127
3170 p = self.ipv4_params
3171
3172 self.config_network(p)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003173 config_tun_params(
3174 p, self.encryption_type, None, self.pg0.local_ip4, self.pg0.remote_ip4
3175 )
Neale Ranns49378f22022-01-10 10:38:43 +00003176 self.verify_tun_dropped_44(p, count=n_pkts)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003177 self.config_sa_tun(p, self.pg0.local_ip4, self.pg0.remote_ip4)
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003178 self.config_protect(p)
3179
3180 self.verify_tun_44(p, count=n_pkts)
Ole Troane66443c2021-03-18 11:12:01 +01003181 self.assertEqual(p.tun_if.get_rx_stats(), n_pkts)
3182 self.assertEqual(p.tun_if.get_tx_stats(), n_pkts)
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003183
3184 p.tun_if.admin_down()
3185 self.verify_tun_dropped_44(p, count=n_pkts)
3186 p.tun_if.admin_up()
3187 self.verify_tun_44(p, count=n_pkts)
3188
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003189 self.assertEqual(p.tun_if.get_rx_stats(), 3 * n_pkts)
3190 self.assertEqual(p.tun_if.get_tx_stats(), 2 * n_pkts)
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003191
3192 # it's a v6 packet when its encrypted
3193 self.tun4_encrypt_node_name = "esp6-encrypt-tun"
3194
3195 self.verify_tun_64(p, count=n_pkts)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003196 self.assertEqual(p.tun_if.get_rx_stats(), 4 * n_pkts)
3197 self.assertEqual(p.tun_if.get_tx_stats(), 3 * n_pkts)
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003198
3199 self.tun4_encrypt_node_name = "esp4-encrypt-tun"
3200
Arthur de Kerhor4117b242022-08-31 19:13:03 +02003201 # update the SA tunnel
3202 config_tun_params(
3203 p, self.encryption_type, None, self.pg2.local_ip4, self.pg2.remote_ip4
3204 )
3205 p.tun_sa_in.update_vpp_config(
3206 is_tun=True, tun_src=self.pg2.remote_ip4, tun_dst=self.pg2.local_ip4
3207 )
3208 p.tun_sa_out.update_vpp_config(
3209 is_tun=True, tun_src=self.pg2.local_ip4, tun_dst=self.pg2.remote_ip4
3210 )
3211 self.verify_tun_44(p, count=n_pkts)
3212 self.assertEqual(p.tun_if.get_rx_stats(), 5 * n_pkts)
3213 self.assertEqual(p.tun_if.get_tx_stats(), 4 * n_pkts)
3214
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003215 self.vapi.cli("clear interfaces")
3216
3217 # rekey - create new SAs and update the tunnel protection
3218 np = copy.copy(p)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003219 np.crypt_key = b"X" + p.crypt_key[1:]
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003220 np.scapy_tun_spi += 100
3221 np.scapy_tun_sa_id += 1
3222 np.vpp_tun_spi += 100
3223 np.vpp_tun_sa_id += 1
3224 np.tun_if.local_spi = p.vpp_tun_spi
3225 np.tun_if.remote_spi = p.scapy_tun_spi
3226
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003227 self.config_sa_tun(np, self.pg0.local_ip4, self.pg0.remote_ip4)
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003228 self.config_protect(np)
3229 self.unconfig_sa(p)
3230
3231 self.verify_tun_44(np, count=n_pkts)
Ole Troane66443c2021-03-18 11:12:01 +01003232 self.assertEqual(p.tun_if.get_rx_stats(), n_pkts)
3233 self.assertEqual(p.tun_if.get_tx_stats(), n_pkts)
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003234
3235 # teardown
3236 self.unconfig_protect(np)
3237 self.unconfig_sa(np)
3238 self.unconfig_network(p)
3239
Neale Ranns970187b2020-10-07 13:58:56 +00003240 def test_tun_44_null(self):
3241 """IPSEC interface IPv4 NULL auth/crypto"""
3242
3243 n_pkts = 127
3244 p = copy.copy(self.ipv4_params)
3245
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003246 p.auth_algo_vpp_id = VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_NONE
3247 p.crypt_algo_vpp_id = (
3248 VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_NONE
3249 )
Neale Ranns970187b2020-10-07 13:58:56 +00003250 p.crypt_algo = "NULL"
3251 p.auth_algo = "NULL"
3252
3253 self.config_network(p)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003254 self.config_sa_tun(p, self.pg0.local_ip4, self.pg0.remote_ip4)
Neale Ranns970187b2020-10-07 13:58:56 +00003255 self.config_protect(p)
3256
Neale Ranns49378f22022-01-10 10:38:43 +00003257 self.logger.info(self.vapi.cli("sh ipsec sa"))
Neale Ranns970187b2020-10-07 13:58:56 +00003258 self.verify_tun_44(p, count=n_pkts)
3259
Eric Kinzie609d5792020-10-13 20:02:11 -04003260 # teardown
3261 self.unconfig_protect(p)
3262 self.unconfig_sa(p)
3263 self.unconfig_network(p)
3264
Brian Russell7a29a2d2021-02-22 18:42:24 +00003265 def test_tun_44_police(self):
3266 """IPSEC interface IPv4 with input policer"""
3267 n_pkts = 127
3268 p = self.ipv4_params
3269
3270 self.config_network(p)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003271 self.config_sa_tun(p, self.pg0.local_ip4, self.pg0.remote_ip4)
Brian Russell7a29a2d2021-02-22 18:42:24 +00003272 self.config_protect(p)
3273
3274 action_tx = PolicerAction(
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003275 VppEnum.vl_api_sse2_qos_action_type_t.SSE2_QOS_ACTION_API_TRANSMIT, 0
3276 )
3277 policer = VppPolicer(
3278 self,
3279 "pol1",
3280 80,
3281 0,
3282 1000,
3283 0,
3284 conform_action=action_tx,
3285 exceed_action=action_tx,
3286 violate_action=action_tx,
3287 )
Brian Russell7a29a2d2021-02-22 18:42:24 +00003288 policer.add_vpp_config()
3289
3290 # Start policing on tun
Stanislav Zaikine5a3ae02022-04-05 19:23:12 +02003291 policer.apply_vpp_config(p.tun_if.sw_if_index, Dir.RX, True)
Brian Russell7a29a2d2021-02-22 18:42:24 +00003292
3293 self.verify_tun_44(p, count=n_pkts)
Ole Troane66443c2021-03-18 11:12:01 +01003294 self.assertEqual(p.tun_if.get_rx_stats(), n_pkts)
3295 self.assertEqual(p.tun_if.get_tx_stats(), n_pkts)
Brian Russell7a29a2d2021-02-22 18:42:24 +00003296
3297 stats = policer.get_stats()
3298
3299 # Single rate, 2 colour policer - expect conform, violate but no exceed
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003300 self.assertGreater(stats["conform_packets"], 0)
3301 self.assertEqual(stats["exceed_packets"], 0)
3302 self.assertGreater(stats["violate_packets"], 0)
Brian Russell7a29a2d2021-02-22 18:42:24 +00003303
3304 # Stop policing on tun
Stanislav Zaikine5a3ae02022-04-05 19:23:12 +02003305 policer.apply_vpp_config(p.tun_if.sw_if_index, Dir.RX, False)
Brian Russell7a29a2d2021-02-22 18:42:24 +00003306 self.verify_tun_44(p, count=n_pkts)
3307
3308 # No new policer stats
3309 statsnew = policer.get_stats()
3310 self.assertEqual(stats, statsnew)
3311
3312 # teardown
3313 policer.remove_vpp_config()
3314 self.unconfig_protect(p)
3315 self.unconfig_sa(p)
3316 self.unconfig_network(p)
3317
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003318
Arthur de Kerhor8fce5462023-06-16 09:48:52 +02003319@tag_fixme_vpp_workers
3320class TestIpsecItf4Tfc(TemplateIpsec4TunTfc, TestIpsecItf4):
3321 """IPsec Interface IPv4 with TFC"""
3322
3323
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003324class TestIpsecItf4MPLS(TemplateIpsec, TemplateIpsecItf4, IpsecTun4):
3325 """IPsec Interface MPLSoIPv4"""
Neale Ranns4a58e492020-12-21 13:19:10 +00003326
3327 tun4_encrypt_node_name = "esp-mpls-encrypt-tun"
3328
3329 def setUp(self):
3330 super(TestIpsecItf4MPLS, self).setUp()
3331
3332 self.tun_if = self.pg0
3333
3334 def tearDown(self):
3335 super(TestIpsecItf4MPLS, self).tearDown()
3336
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003337 def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100):
3338 return [
3339 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
3340 / sa.encrypt(
3341 MPLS(label=44, ttl=3)
3342 / IP(src=src, dst=dst)
3343 / UDP(sport=1166, dport=2233)
3344 / Raw(b"X" * payload_size)
3345 )
3346 for i in range(count)
3347 ]
Neale Ranns4a58e492020-12-21 13:19:10 +00003348
3349 def verify_encrypted(self, p, sa, rxs):
3350 for rx in rxs:
3351 try:
3352 pkt = sa.decrypt(rx[IP])
3353 if not pkt.haslayer(IP):
3354 pkt = IP(pkt[Raw].load)
3355 self.assert_packet_checksums_valid(pkt)
3356 self.assert_equal(pkt[MPLS].label, 44)
3357 self.assert_equal(pkt[IP].dst, p.remote_tun_if_host)
3358 except (IndexError, AssertionError):
3359 self.logger.debug(ppp("Unexpected packet:", rx))
3360 try:
3361 self.logger.debug(ppp("Decrypted packet:", pkt))
3362 except:
3363 pass
3364 raise
3365
3366 def test_tun_mpls_o_ip4(self):
3367 """IPSEC interface MPLS over IPv4"""
3368
3369 n_pkts = 127
3370 p = self.ipv4_params
3371 f = FibPathProto
3372
3373 tbl = VppMplsTable(self, 0)
3374 tbl.add_vpp_config()
3375
3376 self.config_network(p)
3377 # deag MPLS routes from the tunnel
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003378 r4 = VppMplsRoute(
3379 self, 44, 1, [VppRoutePath(self.pg1.remote_ip4, self.pg1.sw_if_index)]
3380 ).add_vpp_config()
3381 p.route.modify(
3382 [
3383 VppRoutePath(
3384 p.tun_if.remote_ip4, p.tun_if.sw_if_index, labels=[VppMplsLabel(44)]
3385 )
3386 ]
3387 )
Neale Ranns4a58e492020-12-21 13:19:10 +00003388 p.tun_if.enable_mpls()
3389
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003390 self.config_sa_tun(p, self.pg0.local_ip4, self.pg0.remote_ip4)
Neale Ranns4a58e492020-12-21 13:19:10 +00003391 self.config_protect(p)
3392
3393 self.verify_tun_44(p, count=n_pkts)
3394
3395 # cleanup
3396 p.tun_if.disable_mpls()
3397 self.unconfig_protect(p)
3398 self.unconfig_sa(p)
3399 self.unconfig_network(p)
3400
3401
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003402class TemplateIpsecItf6(object):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003403 """IPsec Interface IPv6"""
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003404
3405 encryption_type = ESP
3406 tun6_encrypt_node_name = "esp6-encrypt-tun"
Neale Ranns8c609af2021-02-25 10:05:32 +00003407 tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"]
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003408 tun6_input_node = "ipsec6-tun-input"
3409
3410 def config_sa_tun(self, p, src, dst):
3411 config_tun_params(p, self.encryption_type, None, src, dst)
3412
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003413 if not hasattr(p, "tun_flags"):
Neale Ranns9ec846c2021-02-09 14:04:02 +00003414 p.tun_flags = None
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003415 if not hasattr(p, "hop_limit"):
Neale Ranns9ec846c2021-02-09 14:04:02 +00003416 p.hop_limit = 255
3417
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003418 p.tun_sa_out = VppIpsecSA(
3419 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +01003420 p.vpp_tun_sa_id,
3421 p.vpp_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003422 p.auth_algo_vpp_id,
3423 p.auth_key,
3424 p.crypt_algo_vpp_id,
3425 p.crypt_key,
3426 self.vpp_esp_protocol,
3427 src,
3428 dst,
3429 flags=p.flags,
3430 tun_flags=p.tun_flags,
3431 hop_limit=p.hop_limit,
3432 )
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003433 p.tun_sa_out.add_vpp_config()
3434
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003435 p.tun_sa_in = VppIpsecSA(
3436 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +01003437 p.scapy_tun_sa_id,
3438 p.scapy_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003439 p.auth_algo_vpp_id,
3440 p.auth_key,
3441 p.crypt_algo_vpp_id,
3442 p.crypt_key,
3443 self.vpp_esp_protocol,
3444 dst,
3445 src,
3446 flags=p.flags,
3447 )
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003448 p.tun_sa_in.add_vpp_config()
3449
3450 def config_protect(self, p):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003451 p.tun_protect = VppIpsecTunProtect(self, p.tun_if, p.tun_sa_out, [p.tun_sa_in])
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003452 p.tun_protect.add_vpp_config()
3453
3454 def config_network(self, p):
3455 p.tun_if = VppIpsecInterface(self)
3456
3457 p.tun_if.add_vpp_config()
3458 p.tun_if.admin_up()
3459 p.tun_if.config_ip4()
3460 p.tun_if.config_ip6()
3461
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003462 r = VppIpRoute(
3463 self,
3464 p.remote_tun_if_host4,
3465 32,
3466 [VppRoutePath(p.tun_if.remote_ip4, 0xFFFFFFFF)],
3467 )
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003468 r.add_vpp_config()
3469
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003470 p.route = VppIpRoute(
3471 self,
3472 p.remote_tun_if_host,
3473 128,
3474 [
3475 VppRoutePath(
3476 p.tun_if.remote_ip6, 0xFFFFFFFF, proto=DpoProto.DPO_PROTO_IP6
3477 )
3478 ],
3479 )
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003480 p.route.add_vpp_config()
3481
3482 def unconfig_network(self, p):
3483 p.route.remove_vpp_config()
3484 p.tun_if.remove_vpp_config()
3485
3486 def unconfig_protect(self, p):
3487 p.tun_protect.remove_vpp_config()
3488
3489 def unconfig_sa(self, p):
3490 p.tun_sa_out.remove_vpp_config()
3491 p.tun_sa_in.remove_vpp_config()
3492
3493
Andrew Yourtchenko8dc0d482021-01-29 13:17:19 +00003494@tag_fixme_vpp_workers
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003495class TestIpsecItf6(TemplateIpsec, TemplateIpsecItf6, IpsecTun6):
3496 """IPsec Interface IPv6"""
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003497
3498 def setUp(self):
3499 super(TestIpsecItf6, self).setUp()
3500
3501 self.tun_if = self.pg0
3502
3503 def tearDown(self):
3504 super(TestIpsecItf6, self).tearDown()
3505
Neale Ranns49378f22022-01-10 10:38:43 +00003506 def test_tun_66(self):
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003507 """IPSEC interface IPv6"""
3508
Neale Ranns9ec846c2021-02-09 14:04:02 +00003509 tf = VppEnum.vl_api_tunnel_encap_decap_flags_t
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003510 n_pkts = 127
3511 p = self.ipv6_params
Neale Ranns9ec846c2021-02-09 14:04:02 +00003512 p.inner_hop_limit = 24
3513 p.outer_hop_limit = 23
3514 p.outer_flow_label = 243224
3515 p.tun_flags = tf.TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_HOP_LIMIT
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003516
3517 self.config_network(p)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003518 config_tun_params(
3519 p, self.encryption_type, None, self.pg0.local_ip6, self.pg0.remote_ip6
3520 )
Neale Ranns49378f22022-01-10 10:38:43 +00003521 self.verify_drop_tun_66(p, count=n_pkts)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003522 self.config_sa_tun(p, self.pg0.local_ip6, self.pg0.remote_ip6)
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003523 self.config_protect(p)
3524
3525 self.verify_tun_66(p, count=n_pkts)
Ole Troane66443c2021-03-18 11:12:01 +01003526 self.assertEqual(p.tun_if.get_rx_stats(), n_pkts)
3527 self.assertEqual(p.tun_if.get_tx_stats(), n_pkts)
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003528
3529 p.tun_if.admin_down()
3530 self.verify_drop_tun_66(p, count=n_pkts)
3531 p.tun_if.admin_up()
3532 self.verify_tun_66(p, count=n_pkts)
3533
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003534 self.assertEqual(p.tun_if.get_rx_stats(), 3 * n_pkts)
3535 self.assertEqual(p.tun_if.get_tx_stats(), 2 * n_pkts)
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003536
3537 # it's a v4 packet when its encrypted
3538 self.tun6_encrypt_node_name = "esp4-encrypt-tun"
3539
3540 self.verify_tun_46(p, count=n_pkts)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003541 self.assertEqual(p.tun_if.get_rx_stats(), 4 * n_pkts)
3542 self.assertEqual(p.tun_if.get_tx_stats(), 3 * n_pkts)
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003543
3544 self.tun6_encrypt_node_name = "esp6-encrypt-tun"
3545
3546 self.vapi.cli("clear interfaces")
3547
3548 # rekey - create new SAs and update the tunnel protection
3549 np = copy.copy(p)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003550 np.crypt_key = b"X" + p.crypt_key[1:]
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003551 np.scapy_tun_spi += 100
3552 np.scapy_tun_sa_id += 1
3553 np.vpp_tun_spi += 100
3554 np.vpp_tun_sa_id += 1
3555 np.tun_if.local_spi = p.vpp_tun_spi
3556 np.tun_if.remote_spi = p.scapy_tun_spi
Neale Ranns9ec846c2021-02-09 14:04:02 +00003557 np.inner_hop_limit = 24
3558 np.outer_hop_limit = 128
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003559 np.inner_flow_label = 0xABCDE
3560 np.outer_flow_label = 0xABCDE
Neale Ranns9ec846c2021-02-09 14:04:02 +00003561 np.hop_limit = 128
3562 np.tun_flags = tf.TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_FLOW_LABEL
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003563
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003564 self.config_sa_tun(np, self.pg0.local_ip6, self.pg0.remote_ip6)
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003565 self.config_protect(np)
3566 self.unconfig_sa(p)
3567
3568 self.verify_tun_66(np, count=n_pkts)
Ole Troane66443c2021-03-18 11:12:01 +01003569 self.assertEqual(p.tun_if.get_rx_stats(), n_pkts)
3570 self.assertEqual(p.tun_if.get_tx_stats(), n_pkts)
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003571
3572 # teardown
3573 self.unconfig_protect(np)
3574 self.unconfig_sa(np)
3575 self.unconfig_network(p)
3576
Brian Russell7a29a2d2021-02-22 18:42:24 +00003577 def test_tun_66_police(self):
3578 """IPSEC interface IPv6 with input policer"""
3579 tf = VppEnum.vl_api_tunnel_encap_decap_flags_t
3580 n_pkts = 127
3581 p = self.ipv6_params
3582 p.inner_hop_limit = 24
3583 p.outer_hop_limit = 23
3584 p.outer_flow_label = 243224
3585 p.tun_flags = tf.TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_HOP_LIMIT
3586
3587 self.config_network(p)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003588 self.config_sa_tun(p, self.pg0.local_ip6, self.pg0.remote_ip6)
Brian Russell7a29a2d2021-02-22 18:42:24 +00003589 self.config_protect(p)
3590
3591 action_tx = PolicerAction(
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003592 VppEnum.vl_api_sse2_qos_action_type_t.SSE2_QOS_ACTION_API_TRANSMIT, 0
3593 )
3594 policer = VppPolicer(
3595 self,
3596 "pol1",
3597 80,
3598 0,
3599 1000,
3600 0,
3601 conform_action=action_tx,
3602 exceed_action=action_tx,
3603 violate_action=action_tx,
3604 )
Brian Russell7a29a2d2021-02-22 18:42:24 +00003605 policer.add_vpp_config()
3606
3607 # Start policing on tun
Stanislav Zaikine5a3ae02022-04-05 19:23:12 +02003608 policer.apply_vpp_config(p.tun_if.sw_if_index, Dir.RX, True)
Brian Russell7a29a2d2021-02-22 18:42:24 +00003609
3610 self.verify_tun_66(p, count=n_pkts)
Ole Troane66443c2021-03-18 11:12:01 +01003611 self.assertEqual(p.tun_if.get_rx_stats(), n_pkts)
3612 self.assertEqual(p.tun_if.get_tx_stats(), n_pkts)
Brian Russell7a29a2d2021-02-22 18:42:24 +00003613
3614 stats = policer.get_stats()
3615
3616 # Single rate, 2 colour policer - expect conform, violate but no exceed
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003617 self.assertGreater(stats["conform_packets"], 0)
3618 self.assertEqual(stats["exceed_packets"], 0)
3619 self.assertGreater(stats["violate_packets"], 0)
Brian Russell7a29a2d2021-02-22 18:42:24 +00003620
3621 # Stop policing on tun
Stanislav Zaikine5a3ae02022-04-05 19:23:12 +02003622 policer.apply_vpp_config(p.tun_if.sw_if_index, Dir.RX, False)
Brian Russell7a29a2d2021-02-22 18:42:24 +00003623 self.verify_tun_66(p, count=n_pkts)
3624
3625 # No new policer stats
3626 statsnew = policer.get_stats()
3627 self.assertEqual(stats, statsnew)
3628
3629 # teardown
3630 policer.remove_vpp_config()
3631 self.unconfig_protect(p)
3632 self.unconfig_sa(p)
3633 self.unconfig_network(p)
3634
Neale Rannsdd4ccf22020-06-30 07:47:14 +00003635
Arthur de Kerhor8fce5462023-06-16 09:48:52 +02003636@tag_fixme_vpp_workers
3637class TestIpsecItf6Tfc(TemplateIpsec6TunTfc, TestIpsecItf6):
3638 """IPsec Interface IPv6 with TFC"""
3639
3640
Dmitry Valter34fa0ce2024-03-11 10:38:46 +00003641@unittest.skipIf(
3642 "acl" in config.excluded_plugins, "Exclude tests depending on ACL plugin"
3643)
Neale Ranns6ba4e412020-10-19 09:59:41 +00003644class TestIpsecMIfEsp4(TemplateIpsec, IpsecTun4):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003645 """Ipsec P2MP ESP v4 tests"""
3646
Neale Ranns6ba4e412020-10-19 09:59:41 +00003647 tun4_encrypt_node_name = "esp4-encrypt-tun"
Neale Ranns8c609af2021-02-25 10:05:32 +00003648 tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
Neale Ranns6ba4e412020-10-19 09:59:41 +00003649 encryption_type = ESP
3650
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003651 def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100):
3652 return [
3653 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
3654 / sa.encrypt(
3655 IP(src=self.pg1.local_ip4, dst=self.pg1.remote_ip4)
3656 / UDP(sport=1144, dport=2233)
3657 / Raw(b"X" * payload_size)
3658 )
3659 for i in range(count)
3660 ]
Neale Ranns6ba4e412020-10-19 09:59:41 +00003661
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003662 def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=100):
3663 return [
3664 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
3665 / IP(src="1.1.1.1", dst=dst)
3666 / UDP(sport=1144, dport=2233)
3667 / Raw(b"X" * payload_size)
3668 for i in range(count)
3669 ]
Neale Ranns6ba4e412020-10-19 09:59:41 +00003670
3671 def verify_decrypted(self, p, rxs):
3672 for rx in rxs:
3673 self.assert_equal(rx[Ether].dst, self.pg1.remote_mac)
3674 self.assert_equal(rx[IP].dst, self.pg1.remote_ip4)
3675
3676 def verify_encrypted(self, p, sa, rxs):
3677 for rx in rxs:
3678 try:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003679 self.assertEqual(
3680 rx[IP].tos, VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF << 2
3681 )
Neale Ranns9ec846c2021-02-09 14:04:02 +00003682 self.assertEqual(rx[IP].ttl, p.hop_limit)
Neale Ranns6ba4e412020-10-19 09:59:41 +00003683 pkt = sa.decrypt(rx[IP])
3684 if not pkt.haslayer(IP):
3685 pkt = IP(pkt[Raw].load)
3686 self.assert_packet_checksums_valid(pkt)
3687 e = pkt[IP]
3688 self.assertEqual(e[IP].dst, p.remote_tun_if_host)
3689 except (IndexError, AssertionError):
3690 self.logger.debug(ppp("Unexpected packet:", rx))
3691 try:
3692 self.logger.debug(ppp("Decrypted packet:", pkt))
3693 except:
3694 pass
3695 raise
3696
3697 def setUp(self):
3698 super(TestIpsecMIfEsp4, self).setUp()
3699
3700 N_NHS = 16
3701 self.tun_if = self.pg0
3702 p = self.ipv4_params
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003703 p.tun_if = VppIpsecInterface(
3704 self, mode=(VppEnum.vl_api_tunnel_mode_t.TUNNEL_API_MODE_MP)
3705 )
Neale Ranns6ba4e412020-10-19 09:59:41 +00003706 p.tun_if.add_vpp_config()
3707 p.tun_if.admin_up()
3708 p.tun_if.config_ip4()
Neale Rannscfe949d2020-11-25 19:35:38 +00003709 p.tun_if.unconfig_ip4()
3710 p.tun_if.config_ip4()
Neale Ranns6ba4e412020-10-19 09:59:41 +00003711 p.tun_if.generate_remote_hosts(N_NHS)
3712 self.pg0.generate_remote_hosts(N_NHS)
3713 self.pg0.configure_ipv4_neighbors()
3714
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003715 r_all = AclRule(True, src_prefix="0.0.0.0/0", dst_prefix="0.0.0.0/0", proto=0)
Neale Ranns6fdcc3d2021-10-08 07:30:47 +00003716 a = VppAcl(self, [r_all]).add_vpp_config()
3717
3718 VppAclInterface(self, self.pg0.sw_if_index, [a]).add_vpp_config()
3719 VppAclInterface(self, p.tun_if.sw_if_index, [a]).add_vpp_config()
3720
Neale Ranns6ba4e412020-10-19 09:59:41 +00003721 # setup some SAs for several next-hops on the interface
3722 self.multi_params = []
3723
3724 for ii in range(N_NHS):
3725 p = copy.copy(self.ipv4_params)
3726
3727 p.remote_tun_if_host = "1.1.1.%d" % (ii + 1)
3728 p.scapy_tun_sa_id = p.scapy_tun_sa_id + ii
3729 p.scapy_tun_spi = p.scapy_tun_spi + ii
3730 p.vpp_tun_sa_id = p.vpp_tun_sa_id + ii
3731 p.vpp_tun_spi = p.vpp_tun_spi + ii
3732
3733 p.scapy_tra_sa_id = p.scapy_tra_sa_id + ii
3734 p.scapy_tra_spi = p.scapy_tra_spi + ii
3735 p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii
3736 p.vpp_tra_spi = p.vpp_tra_spi + ii
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003737 p.hop_limit = ii + 10
Neale Ranns041add72020-01-02 04:06:10 +00003738 p.tun_sa_out = VppIpsecSA(
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003739 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +01003740 p.vpp_tun_sa_id,
3741 p.vpp_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003742 p.auth_algo_vpp_id,
3743 p.auth_key,
3744 p.crypt_algo_vpp_id,
3745 p.crypt_key,
Neale Ranns041add72020-01-02 04:06:10 +00003746 self.vpp_esp_protocol,
3747 self.pg0.local_ip4,
3748 self.pg0.remote_hosts[ii].ip4,
Neale Ranns9ec846c2021-02-09 14:04:02 +00003749 dscp=VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003750 hop_limit=p.hop_limit,
3751 )
Neale Ranns6ba4e412020-10-19 09:59:41 +00003752 p.tun_sa_out.add_vpp_config()
3753
Neale Ranns041add72020-01-02 04:06:10 +00003754 p.tun_sa_in = VppIpsecSA(
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003755 self,
Arthur de Kerhor0df06b62022-11-16 18:45:24 +01003756 p.scapy_tun_sa_id,
3757 p.scapy_tun_spi,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003758 p.auth_algo_vpp_id,
3759 p.auth_key,
3760 p.crypt_algo_vpp_id,
3761 p.crypt_key,
Neale Ranns041add72020-01-02 04:06:10 +00003762 self.vpp_esp_protocol,
3763 self.pg0.remote_hosts[ii].ip4,
3764 self.pg0.local_ip4,
Neale Ranns9ec846c2021-02-09 14:04:02 +00003765 dscp=VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003766 hop_limit=p.hop_limit,
3767 )
Neale Ranns6ba4e412020-10-19 09:59:41 +00003768 p.tun_sa_in.add_vpp_config()
3769
3770 p.tun_protect = VppIpsecTunProtect(
3771 self,
3772 p.tun_if,
3773 p.tun_sa_out,
3774 [p.tun_sa_in],
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003775 nh=p.tun_if.remote_hosts[ii].ip4,
3776 )
Neale Ranns6ba4e412020-10-19 09:59:41 +00003777 p.tun_protect.add_vpp_config()
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003778 config_tun_params(
3779 p,
3780 self.encryption_type,
3781 None,
3782 self.pg0.local_ip4,
3783 self.pg0.remote_hosts[ii].ip4,
3784 )
Neale Ranns6ba4e412020-10-19 09:59:41 +00003785 self.multi_params.append(p)
3786
Neale Ranns6fdcc3d2021-10-08 07:30:47 +00003787 p.via_tun_route = VppIpRoute(
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003788 self,
3789 p.remote_tun_if_host,
3790 32,
3791 [VppRoutePath(p.tun_if.remote_hosts[ii].ip4, p.tun_if.sw_if_index)],
3792 ).add_vpp_config()
Neale Ranns6ba4e412020-10-19 09:59:41 +00003793
3794 p.tun_dst = self.pg0.remote_hosts[ii].ip4
3795
3796 def tearDown(self):
3797 p = self.ipv4_params
3798 p.tun_if.unconfig_ip4()
3799 super(TestIpsecMIfEsp4, self).tearDown()
3800
3801 def test_tun_44(self):
3802 """P2MP IPSEC 44"""
3803 N_PKTS = 63
3804 for p in self.multi_params:
3805 self.verify_tun_44(p, count=N_PKTS)
3806
Neale Ranns6fdcc3d2021-10-08 07:30:47 +00003807 # remove one tunnel protect, the rest should still work
3808 self.multi_params[0].tun_protect.remove_vpp_config()
3809 self.verify_tun_dropped_44(self.multi_params[0], count=N_PKTS)
3810 self.multi_params[0].via_tun_route.remove_vpp_config()
3811 self.verify_tun_dropped_44(self.multi_params[0], count=N_PKTS)
3812
3813 for p in self.multi_params[1:]:
3814 self.verify_tun_44(p, count=N_PKTS)
3815
3816 self.multi_params[0].tun_protect.add_vpp_config()
3817 self.multi_params[0].via_tun_route.add_vpp_config()
3818
3819 for p in self.multi_params:
3820 self.verify_tun_44(p, count=N_PKTS)
3821
Neale Ranns6ba4e412020-10-19 09:59:41 +00003822
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003823class TestIpsecItf6MPLS(TemplateIpsec, TemplateIpsecItf6, IpsecTun6):
3824 """IPsec Interface MPLSoIPv6"""
Neale Ranns4a58e492020-12-21 13:19:10 +00003825
3826 tun6_encrypt_node_name = "esp-mpls-encrypt-tun"
3827
3828 def setUp(self):
3829 super(TestIpsecItf6MPLS, self).setUp()
3830
3831 self.tun_if = self.pg0
3832
3833 def tearDown(self):
3834 super(TestIpsecItf6MPLS, self).tearDown()
3835
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003836 def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1, payload_size=100):
3837 return [
3838 Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
3839 / sa.encrypt(
3840 MPLS(label=66, ttl=3)
3841 / IPv6(src=src, dst=dst)
3842 / UDP(sport=1166, dport=2233)
3843 / Raw(b"X" * payload_size)
3844 )
3845 for i in range(count)
3846 ]
Neale Ranns4a58e492020-12-21 13:19:10 +00003847
3848 def verify_encrypted6(self, p, sa, rxs):
3849 for rx in rxs:
3850 try:
3851 pkt = sa.decrypt(rx[IPv6])
3852 if not pkt.haslayer(IPv6):
3853 pkt = IP(pkt[Raw].load)
3854 self.assert_packet_checksums_valid(pkt)
3855 self.assert_equal(pkt[MPLS].label, 66)
3856 self.assert_equal(pkt[IPv6].dst, p.remote_tun_if_host)
3857 except (IndexError, AssertionError):
3858 self.logger.debug(ppp("Unexpected packet:", rx))
3859 try:
3860 self.logger.debug(ppp("Decrypted packet:", pkt))
3861 except:
3862 pass
3863 raise
3864
3865 def test_tun_mpls_o_ip6(self):
3866 """IPSEC interface MPLS over IPv6"""
3867
3868 n_pkts = 127
3869 p = self.ipv6_params
3870 f = FibPathProto
3871
3872 tbl = VppMplsTable(self, 0)
3873 tbl.add_vpp_config()
3874
3875 self.config_network(p)
3876 # deag MPLS routes from the tunnel
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003877 r6 = VppMplsRoute(
3878 self,
3879 66,
3880 1,
3881 [VppRoutePath(self.pg1.remote_ip6, self.pg1.sw_if_index)],
3882 eos_proto=f.FIB_PATH_NH_PROTO_IP6,
3883 ).add_vpp_config()
3884 p.route.modify(
3885 [
3886 VppRoutePath(
3887 p.tun_if.remote_ip6, p.tun_if.sw_if_index, labels=[VppMplsLabel(66)]
3888 )
3889 ]
3890 )
Neale Ranns4a58e492020-12-21 13:19:10 +00003891 p.tun_if.enable_mpls()
3892
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003893 self.config_sa_tun(p, self.pg0.local_ip6, self.pg0.remote_ip6)
Neale Ranns4a58e492020-12-21 13:19:10 +00003894 self.config_protect(p)
3895
3896 self.verify_tun_66(p, count=n_pkts)
3897
3898 # cleanup
3899 p.tun_if.disable_mpls()
3900 self.unconfig_protect(p)
3901 self.unconfig_sa(p)
3902 self.unconfig_network(p)
3903
3904
Klement Sekerad9b0c6f2022-04-26 19:02:15 +02003905if __name__ == "__main__":
Klement Sekera31da2e32018-06-24 22:49:55 +02003906 unittest.main(testRunner=VppTestRunner)