Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 1 | import unittest |
| 2 | import socket |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 3 | import copy |
Neale Ranns | 47feb11 | 2019-04-11 15:14:07 +0000 | [diff] [blame] | 4 | |
Neale Ranns | 12989b5 | 2019-09-26 16:20:19 +0000 | [diff] [blame] | 5 | from scapy.layers.ipsec import SecurityAssociation, ESP |
John Lo | 90430b6 | 2020-01-31 23:48:30 -0500 | [diff] [blame] | 6 | from scapy.layers.l2 import Ether, GRE, Dot1Q |
Arthur de Kerhor | ce04e3b | 2022-01-04 15:53:43 +0100 | [diff] [blame] | 7 | from scapy.packet import Raw, bind_layers |
Arthur de Kerhor | 8fce546 | 2023-06-16 09:48:52 +0200 | [diff] [blame] | 8 | from scapy.layers.inet import IP, UDP, ICMP |
| 9 | from scapy.layers.inet6 import IPv6, ICMPv6EchoRequest |
Neale Ranns | 4a58e49 | 2020-12-21 13:19:10 +0000 | [diff] [blame] | 10 | from scapy.contrib.mpls import MPLS |
Dave Wallace | 8800f73 | 2023-08-31 00:47:44 -0400 | [diff] [blame] | 11 | from asfframework import VppTestRunner, tag_fixme_vpp_workers |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 12 | from template_ipsec import ( |
| 13 | TemplateIpsec, |
| 14 | IpsecTun4Tests, |
| 15 | IpsecTun6Tests, |
| 16 | IpsecTun4, |
| 17 | IpsecTun6, |
| 18 | IpsecTcpTests, |
| 19 | mk_scapy_crypt_key, |
| 20 | IpsecTun6HandoffTests, |
| 21 | IpsecTun4HandoffTests, |
| 22 | config_tun_params, |
| 23 | ) |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 24 | from vpp_gre_interface import VppGreInterface |
| 25 | from vpp_ipip_tun_interface import VppIpIpTunInterface |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 26 | from vpp_ip_route import ( |
| 27 | VppIpRoute, |
| 28 | VppRoutePath, |
| 29 | DpoProto, |
| 30 | VppMplsLabel, |
| 31 | VppMplsTable, |
| 32 | VppMplsRoute, |
| 33 | FibPathProto, |
| 34 | ) |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 35 | from vpp_ipsec import VppIpsecSA, VppIpsecTunProtect, VppIpsecInterface |
Neale Ranns | f05e732 | 2019-03-29 20:23:58 +0000 | [diff] [blame] | 36 | from vpp_l2 import VppBridgeDomain, VppBridgeDomainPort |
John Lo | 90430b6 | 2020-01-31 23:48:30 -0500 | [diff] [blame] | 37 | from vpp_sub_interface import L2_VTR_OP, VppDot1QSubint |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 38 | from vpp_teib import VppTeib |
Neale Ranns | f05e732 | 2019-03-29 20:23:58 +0000 | [diff] [blame] | 39 | from util import ppp |
Neale Ranns | 47feb11 | 2019-04-11 15:14:07 +0000 | [diff] [blame] | 40 | from vpp_papi import VppEnum |
Eric Kinzie | 609d579 | 2020-10-13 20:02:11 -0400 | [diff] [blame] | 41 | from vpp_papi_provider import CliFailedCommandError |
Neale Ranns | 5d0136f | 2020-05-12 08:51:02 +0000 | [diff] [blame] | 42 | from vpp_acl import AclRule, VppAcl, VppAclInterface |
Stanislav Zaikin | e5a3ae0 | 2022-04-05 19:23:12 +0200 | [diff] [blame] | 43 | from vpp_policer import PolicerAction, VppPolicer, Dir |
Dmitry Valter | 34fa0ce | 2024-03-11 10:38:46 +0000 | [diff] [blame] | 44 | from config import config |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 45 | |
| 46 | |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 47 | def config_tun_params(p, encryption_type, tun_if, src=None, dst=None): |
Neale Ranns | 12989b5 | 2019-09-26 16:20:19 +0000 | [diff] [blame] | 48 | ip_class_by_addr_type = {socket.AF_INET: IP, socket.AF_INET6: IPv6} |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 49 | esn_en = bool( |
| 50 | p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_USE_ESN) |
| 51 | ) |
Neale Ranns | 12989b5 | 2019-09-26 16:20:19 +0000 | [diff] [blame] | 52 | crypt_key = mk_scapy_crypt_key(p) |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 53 | if tun_if: |
| 54 | p.tun_dst = tun_if.remote_ip |
| 55 | p.tun_src = tun_if.local_ip |
| 56 | else: |
| 57 | p.tun_dst = dst |
| 58 | p.tun_src = src |
| 59 | |
Arthur de Kerhor | ce04e3b | 2022-01-04 15:53:43 +0100 | [diff] [blame] | 60 | if p.nat_header: |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 61 | is_default_port = p.nat_header.dport == 4500 |
Arthur de Kerhor | ce04e3b | 2022-01-04 15:53:43 +0100 | [diff] [blame] | 62 | else: |
| 63 | is_default_port = True |
| 64 | |
| 65 | if is_default_port: |
| 66 | outbound_nat_header = p.nat_header |
| 67 | else: |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 68 | outbound_nat_header = UDP(sport=p.nat_header.dport, dport=p.nat_header.sport) |
Arthur de Kerhor | ce04e3b | 2022-01-04 15:53:43 +0100 | [diff] [blame] | 69 | bind_layers(UDP, ESP, dport=p.nat_header.dport) |
| 70 | |
Neale Ranns | 12989b5 | 2019-09-26 16:20:19 +0000 | [diff] [blame] | 71 | p.scapy_tun_sa = SecurityAssociation( |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 72 | encryption_type, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 73 | spi=p.scapy_tun_spi, |
Neale Ranns | 12989b5 | 2019-09-26 16:20:19 +0000 | [diff] [blame] | 74 | crypt_algo=p.crypt_algo, |
| 75 | crypt_key=crypt_key, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 76 | auth_algo=p.auth_algo, |
| 77 | auth_key=p.auth_key, |
| 78 | tunnel_header=ip_class_by_addr_type[p.addr_type](src=p.tun_dst, dst=p.tun_src), |
Arthur de Kerhor | ce04e3b | 2022-01-04 15:53:43 +0100 | [diff] [blame] | 79 | nat_t_header=outbound_nat_header, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 80 | esn_en=esn_en, |
| 81 | ) |
Neale Ranns | 12989b5 | 2019-09-26 16:20:19 +0000 | [diff] [blame] | 82 | p.vpp_tun_sa = SecurityAssociation( |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 83 | encryption_type, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 84 | spi=p.vpp_tun_spi, |
Neale Ranns | 12989b5 | 2019-09-26 16:20:19 +0000 | [diff] [blame] | 85 | crypt_algo=p.crypt_algo, |
| 86 | crypt_key=crypt_key, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 87 | auth_algo=p.auth_algo, |
| 88 | auth_key=p.auth_key, |
| 89 | tunnel_header=ip_class_by_addr_type[p.addr_type](dst=p.tun_dst, src=p.tun_src), |
Neale Ranns | 12989b5 | 2019-09-26 16:20:19 +0000 | [diff] [blame] | 90 | nat_t_header=p.nat_header, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 91 | esn_en=esn_en, |
| 92 | ) |
Neale Ranns | 12989b5 | 2019-09-26 16:20:19 +0000 | [diff] [blame] | 93 | |
| 94 | |
Neale Ranns | 568acbb | 2019-12-18 05:54:40 +0000 | [diff] [blame] | 95 | def config_tra_params(p, encryption_type, tun_if): |
| 96 | ip_class_by_addr_type = {socket.AF_INET: IP, socket.AF_INET6: IPv6} |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 97 | esn_en = bool( |
| 98 | p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_USE_ESN) |
| 99 | ) |
Neale Ranns | 568acbb | 2019-12-18 05:54:40 +0000 | [diff] [blame] | 100 | crypt_key = mk_scapy_crypt_key(p) |
Neale Ranns | f3a6622 | 2020-01-02 05:04:00 +0000 | [diff] [blame] | 101 | p.tun_dst = tun_if.remote_ip |
| 102 | p.tun_src = tun_if.local_ip |
Arthur de Kerhor | ce04e3b | 2022-01-04 15:53:43 +0100 | [diff] [blame] | 103 | |
| 104 | if p.nat_header: |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 105 | is_default_port = p.nat_header.dport == 4500 |
Arthur de Kerhor | ce04e3b | 2022-01-04 15:53:43 +0100 | [diff] [blame] | 106 | else: |
| 107 | is_default_port = True |
| 108 | |
| 109 | if is_default_port: |
| 110 | outbound_nat_header = p.nat_header |
| 111 | else: |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 112 | outbound_nat_header = UDP(sport=p.nat_header.dport, dport=p.nat_header.sport) |
Arthur de Kerhor | ce04e3b | 2022-01-04 15:53:43 +0100 | [diff] [blame] | 113 | bind_layers(UDP, ESP, dport=p.nat_header.dport) |
| 114 | |
Neale Ranns | 568acbb | 2019-12-18 05:54:40 +0000 | [diff] [blame] | 115 | p.scapy_tun_sa = SecurityAssociation( |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 116 | encryption_type, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 117 | spi=p.scapy_tun_spi, |
Neale Ranns | 568acbb | 2019-12-18 05:54:40 +0000 | [diff] [blame] | 118 | crypt_algo=p.crypt_algo, |
| 119 | crypt_key=crypt_key, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 120 | auth_algo=p.auth_algo, |
| 121 | auth_key=p.auth_key, |
Neale Ranns | abc5660 | 2020-04-01 09:45:23 +0000 | [diff] [blame] | 122 | esn_en=esn_en, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 123 | nat_t_header=outbound_nat_header, |
| 124 | ) |
Neale Ranns | 568acbb | 2019-12-18 05:54:40 +0000 | [diff] [blame] | 125 | p.vpp_tun_sa = SecurityAssociation( |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 126 | encryption_type, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 127 | spi=p.vpp_tun_spi, |
Neale Ranns | 568acbb | 2019-12-18 05:54:40 +0000 | [diff] [blame] | 128 | crypt_algo=p.crypt_algo, |
| 129 | crypt_key=crypt_key, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 130 | auth_algo=p.auth_algo, |
| 131 | auth_key=p.auth_key, |
Neale Ranns | abc5660 | 2020-04-01 09:45:23 +0000 | [diff] [blame] | 132 | esn_en=esn_en, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 133 | nat_t_header=p.nat_header, |
| 134 | ) |
Neale Ranns | 568acbb | 2019-12-18 05:54:40 +0000 | [diff] [blame] | 135 | |
| 136 | |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 137 | class TemplateIpsec4TunProtect(object): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 138 | """IPsec IPv4 Tunnel protect""" |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 139 | |
| 140 | encryption_type = ESP |
| 141 | tun4_encrypt_node_name = "esp4-encrypt-tun" |
Neale Ranns | 8c609af | 2021-02-25 10:05:32 +0000 | [diff] [blame] | 142 | tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 143 | tun4_input_node = "ipsec4-tun-input" |
| 144 | |
| 145 | def config_sa_tra(self, p): |
| 146 | config_tun_params(p, self.encryption_type, p.tun_if) |
| 147 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 148 | p.tun_sa_out = VppIpsecSA( |
| 149 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 150 | p.vpp_tun_sa_id, |
| 151 | p.vpp_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 152 | p.auth_algo_vpp_id, |
| 153 | p.auth_key, |
| 154 | p.crypt_algo_vpp_id, |
| 155 | p.crypt_key, |
| 156 | self.vpp_esp_protocol, |
| 157 | flags=p.flags, |
| 158 | ) |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 159 | p.tun_sa_out.add_vpp_config() |
| 160 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 161 | p.tun_sa_in = VppIpsecSA( |
| 162 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 163 | p.scapy_tun_sa_id, |
| 164 | p.scapy_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 165 | p.auth_algo_vpp_id, |
| 166 | p.auth_key, |
| 167 | p.crypt_algo_vpp_id, |
| 168 | p.crypt_key, |
| 169 | self.vpp_esp_protocol, |
| 170 | flags=p.flags, |
| 171 | ) |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 172 | p.tun_sa_in.add_vpp_config() |
| 173 | |
| 174 | def config_sa_tun(self, p): |
| 175 | config_tun_params(p, self.encryption_type, p.tun_if) |
| 176 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 177 | p.tun_sa_out = VppIpsecSA( |
| 178 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 179 | p.vpp_tun_sa_id, |
| 180 | p.vpp_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 181 | p.auth_algo_vpp_id, |
| 182 | p.auth_key, |
| 183 | p.crypt_algo_vpp_id, |
| 184 | p.crypt_key, |
| 185 | self.vpp_esp_protocol, |
| 186 | self.tun_if.local_addr[p.addr_type], |
| 187 | self.tun_if.remote_addr[p.addr_type], |
| 188 | flags=p.flags, |
| 189 | ) |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 190 | p.tun_sa_out.add_vpp_config() |
| 191 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 192 | p.tun_sa_in = VppIpsecSA( |
| 193 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 194 | p.scapy_tun_sa_id, |
| 195 | p.scapy_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 196 | p.auth_algo_vpp_id, |
| 197 | p.auth_key, |
| 198 | p.crypt_algo_vpp_id, |
| 199 | p.crypt_key, |
| 200 | self.vpp_esp_protocol, |
| 201 | self.tun_if.remote_addr[p.addr_type], |
| 202 | self.tun_if.local_addr[p.addr_type], |
| 203 | flags=p.flags, |
| 204 | ) |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 205 | p.tun_sa_in.add_vpp_config() |
| 206 | |
| 207 | def config_protect(self, p): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 208 | p.tun_protect = VppIpsecTunProtect(self, p.tun_if, p.tun_sa_out, [p.tun_sa_in]) |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 209 | p.tun_protect.add_vpp_config() |
| 210 | |
| 211 | def config_network(self, p): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 212 | if hasattr(p, "tun_dst"): |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 213 | tun_dst = p.tun_dst |
| 214 | else: |
| 215 | tun_dst = self.pg0.remote_ip4 |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 216 | p.tun_if = VppIpIpTunInterface(self, self.pg0, self.pg0.local_ip4, tun_dst) |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 217 | p.tun_if.add_vpp_config() |
| 218 | p.tun_if.admin_up() |
| 219 | p.tun_if.config_ip4() |
| 220 | p.tun_if.config_ip6() |
| 221 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 222 | p.route = VppIpRoute( |
| 223 | self, |
| 224 | p.remote_tun_if_host, |
| 225 | 32, |
| 226 | [VppRoutePath(p.tun_if.remote_ip4, 0xFFFFFFFF)], |
| 227 | ) |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 228 | p.route.add_vpp_config() |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 229 | r = VppIpRoute( |
| 230 | self, |
| 231 | p.remote_tun_if_host6, |
| 232 | 128, |
| 233 | [ |
| 234 | VppRoutePath( |
| 235 | p.tun_if.remote_ip6, 0xFFFFFFFF, proto=DpoProto.DPO_PROTO_IP6 |
| 236 | ) |
| 237 | ], |
| 238 | ) |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 239 | r.add_vpp_config() |
| 240 | |
| 241 | def unconfig_network(self, p): |
| 242 | p.route.remove_vpp_config() |
| 243 | p.tun_if.remove_vpp_config() |
| 244 | |
| 245 | def unconfig_protect(self, p): |
| 246 | p.tun_protect.remove_vpp_config() |
| 247 | |
| 248 | def unconfig_sa(self, p): |
| 249 | p.tun_sa_out.remove_vpp_config() |
| 250 | p.tun_sa_in.remove_vpp_config() |
| 251 | |
| 252 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 253 | class TemplateIpsec4TunIfEsp(TemplateIpsec4TunProtect, TemplateIpsec): |
| 254 | """IPsec tunnel interface tests""" |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 255 | |
| 256 | encryption_type = ESP |
| 257 | |
Paul Vinciguerra | 7f9b7f9 | 2019-03-12 19:23:27 -0700 | [diff] [blame] | 258 | @classmethod |
| 259 | def setUpClass(cls): |
| 260 | super(TemplateIpsec4TunIfEsp, cls).setUpClass() |
| 261 | |
| 262 | @classmethod |
| 263 | def tearDownClass(cls): |
| 264 | super(TemplateIpsec4TunIfEsp, cls).tearDownClass() |
| 265 | |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 266 | def setUp(self): |
Kingwel Xie | 1ba5bc8 | 2019-03-20 07:21:58 -0400 | [diff] [blame] | 267 | super(TemplateIpsec4TunIfEsp, self).setUp() |
Neale Ranns | 8e4a89b | 2019-01-23 08:16:17 -0800 | [diff] [blame] | 268 | |
| 269 | self.tun_if = self.pg0 |
| 270 | |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 271 | p = self.ipv4_params |
Neale Ranns | d7603d9 | 2019-03-28 08:56:10 +0000 | [diff] [blame] | 272 | |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 273 | self.config_network(p) |
| 274 | self.config_sa_tra(p) |
| 275 | self.config_protect(p) |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 276 | |
| 277 | def tearDown(self): |
Kingwel Xie | 1ba5bc8 | 2019-03-20 07:21:58 -0400 | [diff] [blame] | 278 | super(TemplateIpsec4TunIfEsp, self).tearDown() |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 279 | |
| 280 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 281 | class TemplateIpsec4TunIfEspUdp(TemplateIpsec4TunProtect, TemplateIpsec): |
| 282 | """IPsec UDP tunnel interface tests""" |
Neale Ranns | 41afb33 | 2019-07-16 06:19:35 -0700 | [diff] [blame] | 283 | |
| 284 | tun4_encrypt_node_name = "esp4-encrypt-tun" |
Neale Ranns | 8c609af | 2021-02-25 10:05:32 +0000 | [diff] [blame] | 285 | tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] |
Neale Ranns | 41afb33 | 2019-07-16 06:19:35 -0700 | [diff] [blame] | 286 | encryption_type = ESP |
| 287 | |
| 288 | @classmethod |
| 289 | def setUpClass(cls): |
| 290 | super(TemplateIpsec4TunIfEspUdp, cls).setUpClass() |
| 291 | |
| 292 | @classmethod |
| 293 | def tearDownClass(cls): |
| 294 | super(TemplateIpsec4TunIfEspUdp, cls).tearDownClass() |
| 295 | |
Alexander Chernavin | b0d2eda | 2020-03-25 10:56:52 -0400 | [diff] [blame] | 296 | def verify_encrypted(self, p, sa, rxs): |
| 297 | for rx in rxs: |
| 298 | try: |
| 299 | # ensure the UDP ports are correct before we decrypt |
| 300 | # which strips them |
| 301 | self.assertTrue(rx.haslayer(UDP)) |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 302 | self.assert_equal(rx[UDP].sport, p.nat_header.sport) |
Arthur de Kerhor | 4117b24 | 2022-08-31 19:13:03 +0200 | [diff] [blame] | 303 | self.assert_equal(rx[UDP].dport, p.nat_header.dport) |
Alexander Chernavin | b0d2eda | 2020-03-25 10:56:52 -0400 | [diff] [blame] | 304 | |
| 305 | pkt = sa.decrypt(rx[IP]) |
| 306 | if not pkt.haslayer(IP): |
| 307 | pkt = IP(pkt[Raw].load) |
| 308 | |
| 309 | self.assert_packet_checksums_valid(pkt) |
| 310 | self.assert_equal(pkt[IP].dst, "1.1.1.1") |
| 311 | self.assert_equal(pkt[IP].src, self.pg1.remote_ip4) |
| 312 | except (IndexError, AssertionError): |
| 313 | self.logger.debug(ppp("Unexpected packet:", rx)) |
| 314 | try: |
| 315 | self.logger.debug(ppp("Decrypted packet:", pkt)) |
| 316 | except: |
| 317 | pass |
| 318 | raise |
| 319 | |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 320 | def config_sa_tra(self, p): |
| 321 | config_tun_params(p, self.encryption_type, p.tun_if) |
| 322 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 323 | p.tun_sa_out = VppIpsecSA( |
| 324 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 325 | p.vpp_tun_sa_id, |
| 326 | p.vpp_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 327 | p.auth_algo_vpp_id, |
| 328 | p.auth_key, |
| 329 | p.crypt_algo_vpp_id, |
| 330 | p.crypt_key, |
| 331 | self.vpp_esp_protocol, |
| 332 | flags=p.flags, |
| 333 | udp_src=p.nat_header.sport, |
| 334 | udp_dst=p.nat_header.dport, |
| 335 | ) |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 336 | p.tun_sa_out.add_vpp_config() |
| 337 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 338 | p.tun_sa_in = VppIpsecSA( |
| 339 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 340 | p.scapy_tun_sa_id, |
| 341 | p.scapy_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 342 | p.auth_algo_vpp_id, |
| 343 | p.auth_key, |
| 344 | p.crypt_algo_vpp_id, |
| 345 | p.crypt_key, |
| 346 | self.vpp_esp_protocol, |
Arthur de Kerhor | 4117b24 | 2022-08-31 19:13:03 +0200 | [diff] [blame] | 347 | flags=p.flags |
| 348 | | VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_IS_INBOUND, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 349 | udp_src=p.nat_header.sport, |
| 350 | udp_dst=p.nat_header.dport, |
| 351 | ) |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 352 | p.tun_sa_in.add_vpp_config() |
| 353 | |
Neale Ranns | 41afb33 | 2019-07-16 06:19:35 -0700 | [diff] [blame] | 354 | def setUp(self): |
| 355 | super(TemplateIpsec4TunIfEspUdp, self).setUp() |
| 356 | |
Neale Ranns | 41afb33 | 2019-07-16 06:19:35 -0700 | [diff] [blame] | 357 | p = self.ipv4_params |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 358 | p.flags = VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_UDP_ENCAP |
Neale Ranns | 41afb33 | 2019-07-16 06:19:35 -0700 | [diff] [blame] | 359 | p.nat_header = UDP(sport=5454, dport=4500) |
| 360 | |
Alexander Chernavin | b0d2eda | 2020-03-25 10:56:52 -0400 | [diff] [blame] | 361 | self.tun_if = self.pg0 |
Neale Ranns | 41afb33 | 2019-07-16 06:19:35 -0700 | [diff] [blame] | 362 | |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 363 | self.config_network(p) |
| 364 | self.config_sa_tra(p) |
| 365 | self.config_protect(p) |
Neale Ranns | 41afb33 | 2019-07-16 06:19:35 -0700 | [diff] [blame] | 366 | |
| 367 | def tearDown(self): |
| 368 | super(TemplateIpsec4TunIfEspUdp, self).tearDown() |
| 369 | |
| 370 | |
Arthur de Kerhor | 8fce546 | 2023-06-16 09:48:52 +0200 | [diff] [blame] | 371 | class TemplateIpsec4TunTfc: |
| 372 | """IPsec IPv4 tunnel with TFC""" |
| 373 | |
| 374 | def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=54): |
| 375 | pkt = ( |
| 376 | IP(src=src, dst=dst, len=28 + payload_size) |
| 377 | / ICMP() |
| 378 | / Raw(b"X" * payload_size) |
| 379 | / Padding(b"Y" * 100) |
| 380 | ) |
| 381 | return [ |
| 382 | Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / sa.encrypt(pkt) |
| 383 | for i in range(count) |
| 384 | ] |
| 385 | |
| 386 | def verify_decrypted(self, p, rxs): |
| 387 | for rx in rxs: |
| 388 | self.assert_equal(rx[IP].src, p.remote_tun_if_host) |
| 389 | self.assert_equal(rx[IP].dst, self.pg1.remote_ip4) |
| 390 | self.assert_equal(rx[IP].len, len(rx[IP])) |
| 391 | self.assert_packet_checksums_valid(rx) |
| 392 | |
| 393 | |
Kingwel Xie | 1ba5bc8 | 2019-03-20 07:21:58 -0400 | [diff] [blame] | 394 | class TestIpsec4TunIfEsp1(TemplateIpsec4TunIfEsp, IpsecTun4Tests): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 395 | """Ipsec ESP - TUN tests""" |
| 396 | |
Klement Sekera | 6aa58b7 | 2019-05-16 14:34:55 +0200 | [diff] [blame] | 397 | tun4_encrypt_node_name = "esp4-encrypt-tun" |
Neale Ranns | 8c609af | 2021-02-25 10:05:32 +0000 | [diff] [blame] | 398 | tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 399 | |
Neale Ranns | 987aea8 | 2019-03-27 13:40:35 +0000 | [diff] [blame] | 400 | def test_tun_basic64(self): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 401 | """ipsec 6o4 tunnel basic test""" |
Neale Ranns | 12989b5 | 2019-09-26 16:20:19 +0000 | [diff] [blame] | 402 | self.tun4_encrypt_node_name = "esp4-encrypt-tun" |
Klement Sekera | 6aa58b7 | 2019-05-16 14:34:55 +0200 | [diff] [blame] | 403 | |
Neale Ranns | 987aea8 | 2019-03-27 13:40:35 +0000 | [diff] [blame] | 404 | self.verify_tun_64(self.params[socket.AF_INET], count=1) |
| 405 | |
| 406 | def test_tun_burst64(self): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 407 | """ipsec 6o4 tunnel basic test""" |
Neale Ranns | 12989b5 | 2019-09-26 16:20:19 +0000 | [diff] [blame] | 408 | self.tun4_encrypt_node_name = "esp4-encrypt-tun" |
Klement Sekera | 6aa58b7 | 2019-05-16 14:34:55 +0200 | [diff] [blame] | 409 | |
Neale Ranns | 987aea8 | 2019-03-27 13:40:35 +0000 | [diff] [blame] | 410 | self.verify_tun_64(self.params[socket.AF_INET], count=257) |
| 411 | |
Neale Ranns | d7603d9 | 2019-03-28 08:56:10 +0000 | [diff] [blame] | 412 | def test_tun_basic_frag44(self): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 413 | """ipsec 4o4 tunnel frag basic test""" |
Klement Sekera | 6aa58b7 | 2019-05-16 14:34:55 +0200 | [diff] [blame] | 414 | self.tun4_encrypt_node_name = "esp4-encrypt-tun" |
| 415 | |
Neale Ranns | d7603d9 | 2019-03-28 08:56:10 +0000 | [diff] [blame] | 416 | p = self.ipv4_params |
| 417 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 418 | self.vapi.sw_interface_set_mtu(p.tun_if.sw_if_index, [1500, 0, 0, 0]) |
| 419 | self.verify_tun_44( |
| 420 | self.params[socket.AF_INET], count=1, payload_size=1800, n_rx=2 |
| 421 | ) |
| 422 | self.vapi.sw_interface_set_mtu(p.tun_if.sw_if_index, [9000, 0, 0, 0]) |
Neale Ranns | d7603d9 | 2019-03-28 08:56:10 +0000 | [diff] [blame] | 423 | |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 424 | |
Neale Ranns | 41afb33 | 2019-07-16 06:19:35 -0700 | [diff] [blame] | 425 | class TestIpsec4TunIfEspUdp(TemplateIpsec4TunIfEspUdp, IpsecTun4Tests): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 426 | """Ipsec ESP UDP tests""" |
Neale Ranns | 41afb33 | 2019-07-16 06:19:35 -0700 | [diff] [blame] | 427 | |
Neale Ranns | 12989b5 | 2019-09-26 16:20:19 +0000 | [diff] [blame] | 428 | tun4_input_node = "ipsec4-tun-input" |
Neale Ranns | 41afb33 | 2019-07-16 06:19:35 -0700 | [diff] [blame] | 429 | |
Alexander Chernavin | b0d2eda | 2020-03-25 10:56:52 -0400 | [diff] [blame] | 430 | def setUp(self): |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 431 | super(TestIpsec4TunIfEspUdp, self).setUp() |
Alexander Chernavin | b0d2eda | 2020-03-25 10:56:52 -0400 | [diff] [blame] | 432 | |
Neale Ranns | 41afb33 | 2019-07-16 06:19:35 -0700 | [diff] [blame] | 433 | def test_keepalive(self): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 434 | """IPSEC NAT Keepalive""" |
Neale Ranns | 41afb33 | 2019-07-16 06:19:35 -0700 | [diff] [blame] | 435 | self.verify_keepalive(self.ipv4_params) |
| 436 | |
| 437 | |
Alexander Chernavin | b0d2eda | 2020-03-25 10:56:52 -0400 | [diff] [blame] | 438 | class TestIpsec4TunIfEspUdpGCM(TemplateIpsec4TunIfEspUdp, IpsecTun4Tests): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 439 | """Ipsec ESP UDP GCM tests""" |
Alexander Chernavin | b0d2eda | 2020-03-25 10:56:52 -0400 | [diff] [blame] | 440 | |
| 441 | tun4_input_node = "ipsec4-tun-input" |
| 442 | |
| 443 | def setUp(self): |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 444 | super(TestIpsec4TunIfEspUdpGCM, self).setUp() |
Alexander Chernavin | b0d2eda | 2020-03-25 10:56:52 -0400 | [diff] [blame] | 445 | p = self.ipv4_params |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 446 | p.auth_algo_vpp_id = VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_NONE |
| 447 | p.crypt_algo_vpp_id = ( |
| 448 | VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_GCM_256 |
| 449 | ) |
Alexander Chernavin | b0d2eda | 2020-03-25 10:56:52 -0400 | [diff] [blame] | 450 | p.crypt_algo = "AES-GCM" |
| 451 | p.auth_algo = "NULL" |
| 452 | p.crypt_key = b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h" |
| 453 | p.salt = 0 |
Alexander Chernavin | b0d2eda | 2020-03-25 10:56:52 -0400 | [diff] [blame] | 454 | |
| 455 | |
Arthur de Kerhor | 4117b24 | 2022-08-31 19:13:03 +0200 | [diff] [blame] | 456 | class TestIpsec4TunIfEspUdpUpdate(TemplateIpsec4TunIfEspUdp, IpsecTun4Tests): |
| 457 | """Ipsec ESP UDP update tests""" |
| 458 | |
| 459 | tun4_input_node = "ipsec4-tun-input" |
| 460 | |
| 461 | def setUp(self): |
| 462 | super(TestIpsec4TunIfEspUdpUpdate, self).setUp() |
| 463 | p = self.ipv4_params |
| 464 | p.nat_header = UDP(sport=6565, dport=7676) |
| 465 | config_tun_params(p, self.encryption_type, p.tun_if) |
| 466 | p.tun_sa_in.update_vpp_config( |
| 467 | udp_src=p.nat_header.dport, udp_dst=p.nat_header.sport |
| 468 | ) |
| 469 | p.tun_sa_out.update_vpp_config( |
| 470 | udp_src=p.nat_header.sport, udp_dst=p.nat_header.dport |
| 471 | ) |
| 472 | |
| 473 | |
Kingwel Xie | 1ba5bc8 | 2019-03-20 07:21:58 -0400 | [diff] [blame] | 474 | class TestIpsec4TunIfEsp2(TemplateIpsec4TunIfEsp, IpsecTcpTests): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 475 | """Ipsec ESP - TCP tests""" |
| 476 | |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 477 | pass |
| 478 | |
| 479 | |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 480 | class TemplateIpsec6TunProtect(object): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 481 | """IPsec IPv6 Tunnel protect""" |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 482 | |
| 483 | def config_sa_tra(self, p): |
| 484 | config_tun_params(p, self.encryption_type, p.tun_if) |
| 485 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 486 | p.tun_sa_out = VppIpsecSA( |
| 487 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 488 | p.vpp_tun_sa_id, |
| 489 | p.vpp_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 490 | p.auth_algo_vpp_id, |
| 491 | p.auth_key, |
| 492 | p.crypt_algo_vpp_id, |
| 493 | p.crypt_key, |
| 494 | self.vpp_esp_protocol, |
| 495 | ) |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 496 | p.tun_sa_out.add_vpp_config() |
| 497 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 498 | p.tun_sa_in = VppIpsecSA( |
| 499 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 500 | p.scapy_tun_sa_id, |
| 501 | p.scapy_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 502 | p.auth_algo_vpp_id, |
| 503 | p.auth_key, |
| 504 | p.crypt_algo_vpp_id, |
| 505 | p.crypt_key, |
| 506 | self.vpp_esp_protocol, |
| 507 | ) |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 508 | p.tun_sa_in.add_vpp_config() |
| 509 | |
| 510 | def config_sa_tun(self, p): |
| 511 | config_tun_params(p, self.encryption_type, p.tun_if) |
| 512 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 513 | p.tun_sa_out = VppIpsecSA( |
| 514 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 515 | p.vpp_tun_sa_id, |
| 516 | p.vpp_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 517 | p.auth_algo_vpp_id, |
| 518 | p.auth_key, |
| 519 | p.crypt_algo_vpp_id, |
| 520 | p.crypt_key, |
| 521 | self.vpp_esp_protocol, |
| 522 | self.tun_if.local_addr[p.addr_type], |
| 523 | self.tun_if.remote_addr[p.addr_type], |
| 524 | ) |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 525 | p.tun_sa_out.add_vpp_config() |
| 526 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 527 | p.tun_sa_in = VppIpsecSA( |
| 528 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 529 | p.scapy_tun_sa_id, |
| 530 | p.scapy_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 531 | p.auth_algo_vpp_id, |
| 532 | p.auth_key, |
| 533 | p.crypt_algo_vpp_id, |
| 534 | p.crypt_key, |
| 535 | self.vpp_esp_protocol, |
| 536 | self.tun_if.remote_addr[p.addr_type], |
| 537 | self.tun_if.local_addr[p.addr_type], |
| 538 | ) |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 539 | p.tun_sa_in.add_vpp_config() |
| 540 | |
| 541 | def config_protect(self, p): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 542 | p.tun_protect = VppIpsecTunProtect(self, p.tun_if, p.tun_sa_out, [p.tun_sa_in]) |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 543 | p.tun_protect.add_vpp_config() |
| 544 | |
| 545 | def config_network(self, p): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 546 | if hasattr(p, "tun_dst"): |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 547 | tun_dst = p.tun_dst |
| 548 | else: |
| 549 | tun_dst = self.pg0.remote_ip6 |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 550 | p.tun_if = VppIpIpTunInterface(self, self.pg0, self.pg0.local_ip6, tun_dst) |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 551 | p.tun_if.add_vpp_config() |
| 552 | p.tun_if.admin_up() |
| 553 | p.tun_if.config_ip6() |
| 554 | p.tun_if.config_ip4() |
| 555 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 556 | p.route = VppIpRoute( |
| 557 | self, |
| 558 | p.remote_tun_if_host, |
| 559 | 128, |
| 560 | [ |
| 561 | VppRoutePath( |
| 562 | p.tun_if.remote_ip6, 0xFFFFFFFF, proto=DpoProto.DPO_PROTO_IP6 |
| 563 | ) |
| 564 | ], |
| 565 | ) |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 566 | p.route.add_vpp_config() |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 567 | r = VppIpRoute( |
| 568 | self, |
| 569 | p.remote_tun_if_host4, |
| 570 | 32, |
| 571 | [VppRoutePath(p.tun_if.remote_ip4, 0xFFFFFFFF)], |
| 572 | ) |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 573 | r.add_vpp_config() |
| 574 | |
| 575 | def unconfig_network(self, p): |
| 576 | p.route.remove_vpp_config() |
| 577 | p.tun_if.remove_vpp_config() |
| 578 | |
| 579 | def unconfig_protect(self, p): |
| 580 | p.tun_protect.remove_vpp_config() |
| 581 | |
| 582 | def unconfig_sa(self, p): |
| 583 | p.tun_sa_out.remove_vpp_config() |
| 584 | p.tun_sa_in.remove_vpp_config() |
| 585 | |
| 586 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 587 | class TemplateIpsec6TunIfEsp(TemplateIpsec6TunProtect, TemplateIpsec): |
| 588 | """IPsec tunnel interface tests""" |
Kingwel Xie | 1ba5bc8 | 2019-03-20 07:21:58 -0400 | [diff] [blame] | 589 | |
| 590 | encryption_type = ESP |
| 591 | |
| 592 | def setUp(self): |
| 593 | super(TemplateIpsec6TunIfEsp, self).setUp() |
| 594 | |
| 595 | self.tun_if = self.pg0 |
| 596 | |
| 597 | p = self.ipv6_params |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 598 | self.config_network(p) |
| 599 | self.config_sa_tra(p) |
| 600 | self.config_protect(p) |
Kingwel Xie | 1ba5bc8 | 2019-03-20 07:21:58 -0400 | [diff] [blame] | 601 | |
| 602 | def tearDown(self): |
Kingwel Xie | 1ba5bc8 | 2019-03-20 07:21:58 -0400 | [diff] [blame] | 603 | super(TemplateIpsec6TunIfEsp, self).tearDown() |
| 604 | |
| 605 | |
Matthew Smith | 6f1eb48 | 2022-08-09 22:19:38 +0000 | [diff] [blame] | 606 | class TemplateIpsec6TunIfEspUdp(TemplateIpsec6TunProtect, TemplateIpsec): |
| 607 | """IPsec6 UDP tunnel interface tests""" |
| 608 | |
| 609 | tun4_encrypt_node_name = "esp6-encrypt-tun" |
| 610 | tun4_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"] |
| 611 | encryption_type = ESP |
| 612 | |
| 613 | @classmethod |
| 614 | def setUpClass(cls): |
| 615 | super(TemplateIpsec6TunIfEspUdp, cls).setUpClass() |
| 616 | |
| 617 | @classmethod |
| 618 | def tearDownClass(cls): |
| 619 | super(TemplateIpsec6TunIfEspUdp, cls).tearDownClass() |
| 620 | |
| 621 | def verify_encrypted(self, p, sa, rxs): |
| 622 | for rx in rxs: |
| 623 | try: |
| 624 | # ensure the UDP ports are correct before we decrypt |
| 625 | # which strips them |
| 626 | self.assertTrue(rx.haslayer(UDP)) |
| 627 | self.assert_equal(rx[UDP].sport, p.nat_header.sport) |
Arthur de Kerhor | 4117b24 | 2022-08-31 19:13:03 +0200 | [diff] [blame] | 628 | self.assert_equal(rx[UDP].dport, p.nat_header.dport) |
Matthew Smith | 6f1eb48 | 2022-08-09 22:19:38 +0000 | [diff] [blame] | 629 | |
| 630 | pkt = sa.decrypt(rx[IP]) |
| 631 | if not pkt.haslayer(IP): |
| 632 | pkt = IP(pkt[Raw].load) |
| 633 | |
| 634 | self.assert_packet_checksums_valid(pkt) |
| 635 | self.assert_equal( |
| 636 | pkt[IP].dst, "1111:1111:1111:1111:1111:1111:1111:1111" |
| 637 | ) |
| 638 | self.assert_equal(pkt[IP].src, self.pg1.remote_ip6) |
| 639 | except (IndexError, AssertionError): |
| 640 | self.logger.debug(ppp("Unexpected packet:", rx)) |
| 641 | try: |
| 642 | self.logger.debug(ppp("Decrypted packet:", pkt)) |
| 643 | except: |
| 644 | pass |
| 645 | raise |
| 646 | |
| 647 | def config_sa_tra(self, p): |
| 648 | config_tun_params(p, self.encryption_type, p.tun_if) |
| 649 | |
| 650 | p.tun_sa_out = VppIpsecSA( |
| 651 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 652 | p.vpp_tun_sa_id, |
| 653 | p.vpp_tun_spi, |
Matthew Smith | 6f1eb48 | 2022-08-09 22:19:38 +0000 | [diff] [blame] | 654 | p.auth_algo_vpp_id, |
| 655 | p.auth_key, |
| 656 | p.crypt_algo_vpp_id, |
| 657 | p.crypt_key, |
| 658 | self.vpp_esp_protocol, |
| 659 | flags=p.flags, |
| 660 | udp_src=p.nat_header.sport, |
| 661 | udp_dst=p.nat_header.dport, |
| 662 | ) |
| 663 | p.tun_sa_out.add_vpp_config() |
| 664 | |
| 665 | p.tun_sa_in = VppIpsecSA( |
| 666 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 667 | p.scapy_tun_sa_id, |
| 668 | p.scapy_tun_spi, |
Matthew Smith | 6f1eb48 | 2022-08-09 22:19:38 +0000 | [diff] [blame] | 669 | p.auth_algo_vpp_id, |
| 670 | p.auth_key, |
| 671 | p.crypt_algo_vpp_id, |
| 672 | p.crypt_key, |
| 673 | self.vpp_esp_protocol, |
Arthur de Kerhor | 4117b24 | 2022-08-31 19:13:03 +0200 | [diff] [blame] | 674 | flags=p.flags |
| 675 | | VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_IS_INBOUND, |
Matthew Smith | 6f1eb48 | 2022-08-09 22:19:38 +0000 | [diff] [blame] | 676 | udp_src=p.nat_header.sport, |
| 677 | udp_dst=p.nat_header.dport, |
| 678 | ) |
| 679 | p.tun_sa_in.add_vpp_config() |
| 680 | |
| 681 | def setUp(self): |
| 682 | super(TemplateIpsec6TunIfEspUdp, self).setUp() |
| 683 | |
| 684 | p = self.ipv6_params |
| 685 | p.flags = VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_UDP_ENCAP |
| 686 | p.nat_header = UDP(sport=5454, dport=4500) |
| 687 | |
| 688 | self.tun_if = self.pg0 |
| 689 | |
| 690 | self.config_network(p) |
| 691 | self.config_sa_tra(p) |
| 692 | self.config_protect(p) |
| 693 | |
| 694 | def tearDown(self): |
| 695 | super(TemplateIpsec6TunIfEspUdp, self).tearDown() |
| 696 | |
| 697 | |
Arthur de Kerhor | 8fce546 | 2023-06-16 09:48:52 +0200 | [diff] [blame] | 698 | class TemplateIpsec6TunTfc: |
| 699 | """IPsec IPv6 tunnel with TFC""" |
| 700 | |
| 701 | def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1, payload_size=54): |
| 702 | return [ |
| 703 | Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) |
| 704 | / sa.encrypt( |
| 705 | IPv6(src=src, dst=dst, hlim=p.inner_hop_limit, fl=p.inner_flow_label) |
| 706 | / ICMPv6EchoRequest(id=0, seq=1, data="X" * payload_size) |
| 707 | / Padding(b"Y" * 100) |
| 708 | ) |
| 709 | for i in range(count) |
| 710 | ] |
| 711 | |
| 712 | def verify_decrypted6(self, p, rxs): |
| 713 | for rx in rxs: |
| 714 | self.assert_equal(rx[IPv6].src, p.remote_tun_if_host) |
| 715 | self.assert_equal(rx[IPv6].dst, self.pg1.remote_ip6) |
| 716 | self.assert_equal(rx[IPv6].plen, len(rx[IPv6].payload)) |
| 717 | self.assert_packet_checksums_valid(rx) |
| 718 | |
| 719 | |
Matthew Smith | 6f1eb48 | 2022-08-09 22:19:38 +0000 | [diff] [blame] | 720 | class TestIpsec6TunIfEspUdp(TemplateIpsec6TunIfEspUdp, IpsecTun6Tests): |
| 721 | """Ipsec ESP 6 UDP tests""" |
| 722 | |
| 723 | tun6_input_node = "ipsec6-tun-input" |
| 724 | tun6_encrypt_node_name = "esp6-encrypt-tun" |
| 725 | tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"] |
| 726 | |
| 727 | def setUp(self): |
| 728 | super(TestIpsec6TunIfEspUdp, self).setUp() |
| 729 | |
| 730 | def test_keepalive(self): |
| 731 | """IPSEC6 NAT Keepalive""" |
| 732 | self.verify_keepalive(self.ipv6_params) |
| 733 | |
| 734 | |
| 735 | class TestIpsec6TunIfEspUdpGCM(TemplateIpsec6TunIfEspUdp, IpsecTun6Tests): |
| 736 | """Ipsec ESP 6 UDP GCM tests""" |
| 737 | |
| 738 | tun6_input_node = "ipsec6-tun-input" |
| 739 | tun6_encrypt_node_name = "esp6-encrypt-tun" |
| 740 | tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"] |
| 741 | |
| 742 | def setUp(self): |
| 743 | super(TestIpsec6TunIfEspUdpGCM, self).setUp() |
| 744 | p = self.ipv6_params |
| 745 | p.auth_algo_vpp_id = VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_NONE |
| 746 | p.crypt_algo_vpp_id = ( |
| 747 | VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_GCM_256 |
| 748 | ) |
| 749 | p.crypt_algo = "AES-GCM" |
| 750 | p.auth_algo = "NULL" |
| 751 | p.crypt_key = b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h" |
| 752 | p.salt = 0 |
| 753 | |
| 754 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 755 | class TestIpsec6TunIfEsp1(TemplateIpsec6TunIfEsp, IpsecTun6Tests): |
| 756 | """Ipsec ESP - TUN tests""" |
| 757 | |
Klement Sekera | 6aa58b7 | 2019-05-16 14:34:55 +0200 | [diff] [blame] | 758 | tun6_encrypt_node_name = "esp6-encrypt-tun" |
Neale Ranns | 8c609af | 2021-02-25 10:05:32 +0000 | [diff] [blame] | 759 | tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"] |
Kingwel Xie | 1ba5bc8 | 2019-03-20 07:21:58 -0400 | [diff] [blame] | 760 | |
Neale Ranns | 987aea8 | 2019-03-27 13:40:35 +0000 | [diff] [blame] | 761 | def test_tun_basic46(self): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 762 | """ipsec 4o6 tunnel basic test""" |
Neale Ranns | 12989b5 | 2019-09-26 16:20:19 +0000 | [diff] [blame] | 763 | self.tun6_encrypt_node_name = "esp6-encrypt-tun" |
Neale Ranns | 987aea8 | 2019-03-27 13:40:35 +0000 | [diff] [blame] | 764 | self.verify_tun_46(self.params[socket.AF_INET6], count=1) |
| 765 | |
| 766 | def test_tun_burst46(self): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 767 | """ipsec 4o6 tunnel burst test""" |
Neale Ranns | 12989b5 | 2019-09-26 16:20:19 +0000 | [diff] [blame] | 768 | self.tun6_encrypt_node_name = "esp6-encrypt-tun" |
Neale Ranns | 987aea8 | 2019-03-27 13:40:35 +0000 | [diff] [blame] | 769 | self.verify_tun_46(self.params[socket.AF_INET6], count=257) |
| 770 | |
Kingwel Xie | 1ba5bc8 | 2019-03-20 07:21:58 -0400 | [diff] [blame] | 771 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 772 | class TestIpsec6TunIfEspHandoff(TemplateIpsec6TunIfEsp, IpsecTun6HandoffTests): |
| 773 | """Ipsec ESP 6 Handoff tests""" |
| 774 | |
Neale Ranns | 4a56f4e | 2019-12-23 04:10:25 +0000 | [diff] [blame] | 775 | tun6_encrypt_node_name = "esp6-encrypt-tun" |
Neale Ranns | 8c609af | 2021-02-25 10:05:32 +0000 | [diff] [blame] | 776 | tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"] |
Neale Ranns | 4a56f4e | 2019-12-23 04:10:25 +0000 | [diff] [blame] | 777 | |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 778 | def test_tun_handoff_66_police(self): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 779 | """ESP 6o6 tunnel with policer worker hand-off test""" |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 780 | self.vapi.cli("clear errors") |
| 781 | self.vapi.cli("clear ipsec sa") |
| 782 | |
| 783 | N_PKTS = 15 |
| 784 | p = self.params[socket.AF_INET6] |
| 785 | |
| 786 | action_tx = PolicerAction( |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 787 | VppEnum.vl_api_sse2_qos_action_type_t.SSE2_QOS_ACTION_API_TRANSMIT, 0 |
| 788 | ) |
| 789 | policer = VppPolicer( |
| 790 | self, |
| 791 | "pol1", |
| 792 | 80, |
| 793 | 0, |
| 794 | 1000, |
| 795 | 0, |
| 796 | conform_action=action_tx, |
| 797 | exceed_action=action_tx, |
| 798 | violate_action=action_tx, |
| 799 | ) |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 800 | policer.add_vpp_config() |
| 801 | |
| 802 | # Start policing on tun |
Stanislav Zaikin | e5a3ae0 | 2022-04-05 19:23:12 +0200 | [diff] [blame] | 803 | policer.apply_vpp_config(p.tun_if.sw_if_index, Dir.RX, True) |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 804 | |
| 805 | for pol_bind in [1, 0]: |
| 806 | policer.bind_vpp_config(pol_bind, True) |
| 807 | |
| 808 | # inject alternately on worker 0 and 1. |
| 809 | for worker in [0, 1, 0, 1]: |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 810 | send_pkts = self.gen_encrypt_pkts6( |
| 811 | p, |
| 812 | p.scapy_tun_sa, |
| 813 | self.tun_if, |
| 814 | src=p.remote_tun_if_host, |
| 815 | dst=self.pg1.remote_ip6, |
| 816 | count=N_PKTS, |
| 817 | ) |
| 818 | recv_pkts = self.send_and_expect( |
| 819 | self.tun_if, send_pkts, self.pg1, worker=worker |
| 820 | ) |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 821 | self.verify_decrypted6(p, recv_pkts) |
| 822 | self.logger.debug(self.vapi.cli("show trace max 100")) |
| 823 | |
| 824 | stats = policer.get_stats() |
| 825 | stats0 = policer.get_stats(worker=0) |
| 826 | stats1 = policer.get_stats(worker=1) |
| 827 | |
Ole Troan | 4376ab2 | 2021-03-03 10:40:05 +0100 | [diff] [blame] | 828 | if pol_bind == 1: |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 829 | # First pass: Worker 1, should have done all the policing |
| 830 | self.assertEqual(stats, stats1) |
| 831 | |
| 832 | # Worker 0, should have handed everything off |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 833 | self.assertEqual(stats0["conform_packets"], 0) |
| 834 | self.assertEqual(stats0["exceed_packets"], 0) |
| 835 | self.assertEqual(stats0["violate_packets"], 0) |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 836 | else: |
| 837 | # Second pass: both workers should have policed equal amounts |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 838 | self.assertGreater(stats1["conform_packets"], 0) |
| 839 | self.assertEqual(stats1["exceed_packets"], 0) |
| 840 | self.assertGreater(stats1["violate_packets"], 0) |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 841 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 842 | self.assertGreater(stats0["conform_packets"], 0) |
| 843 | self.assertEqual(stats0["exceed_packets"], 0) |
| 844 | self.assertGreater(stats0["violate_packets"], 0) |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 845 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 846 | self.assertEqual( |
| 847 | stats0["conform_packets"] + stats0["violate_packets"], |
| 848 | stats1["conform_packets"] + stats1["violate_packets"], |
| 849 | ) |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 850 | |
Stanislav Zaikin | e5a3ae0 | 2022-04-05 19:23:12 +0200 | [diff] [blame] | 851 | policer.apply_vpp_config(p.tun_if.sw_if_index, Dir.RX, False) |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 852 | policer.remove_vpp_config() |
| 853 | |
Neale Ranns | 4a56f4e | 2019-12-23 04:10:25 +0000 | [diff] [blame] | 854 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 855 | class TestIpsec4TunIfEspHandoff(TemplateIpsec4TunIfEsp, IpsecTun4HandoffTests): |
| 856 | """Ipsec ESP 4 Handoff tests""" |
| 857 | |
Neale Ranns | 4a56f4e | 2019-12-23 04:10:25 +0000 | [diff] [blame] | 858 | tun4_encrypt_node_name = "esp4-encrypt-tun" |
Neale Ranns | 8c609af | 2021-02-25 10:05:32 +0000 | [diff] [blame] | 859 | tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] |
Neale Ranns | 4a56f4e | 2019-12-23 04:10:25 +0000 | [diff] [blame] | 860 | |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 861 | def test_tun_handoff_44_police(self): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 862 | """ESP 4o4 tunnel with policer worker hand-off test""" |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 863 | self.vapi.cli("clear errors") |
| 864 | self.vapi.cli("clear ipsec sa") |
| 865 | |
| 866 | N_PKTS = 15 |
| 867 | p = self.params[socket.AF_INET] |
| 868 | |
| 869 | action_tx = PolicerAction( |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 870 | VppEnum.vl_api_sse2_qos_action_type_t.SSE2_QOS_ACTION_API_TRANSMIT, 0 |
| 871 | ) |
| 872 | policer = VppPolicer( |
| 873 | self, |
| 874 | "pol1", |
| 875 | 80, |
| 876 | 0, |
| 877 | 1000, |
| 878 | 0, |
| 879 | conform_action=action_tx, |
| 880 | exceed_action=action_tx, |
| 881 | violate_action=action_tx, |
| 882 | ) |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 883 | policer.add_vpp_config() |
| 884 | |
| 885 | # Start policing on tun |
Stanislav Zaikin | e5a3ae0 | 2022-04-05 19:23:12 +0200 | [diff] [blame] | 886 | policer.apply_vpp_config(p.tun_if.sw_if_index, Dir.RX, True) |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 887 | |
| 888 | for pol_bind in [1, 0]: |
| 889 | policer.bind_vpp_config(pol_bind, True) |
| 890 | |
| 891 | # inject alternately on worker 0 and 1. |
| 892 | for worker in [0, 1, 0, 1]: |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 893 | send_pkts = self.gen_encrypt_pkts( |
| 894 | p, |
| 895 | p.scapy_tun_sa, |
| 896 | self.tun_if, |
| 897 | src=p.remote_tun_if_host, |
| 898 | dst=self.pg1.remote_ip4, |
| 899 | count=N_PKTS, |
| 900 | ) |
| 901 | recv_pkts = self.send_and_expect( |
| 902 | self.tun_if, send_pkts, self.pg1, worker=worker |
| 903 | ) |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 904 | self.verify_decrypted(p, recv_pkts) |
| 905 | self.logger.debug(self.vapi.cli("show trace max 100")) |
| 906 | |
| 907 | stats = policer.get_stats() |
| 908 | stats0 = policer.get_stats(worker=0) |
| 909 | stats1 = policer.get_stats(worker=1) |
| 910 | |
Ole Troan | 4376ab2 | 2021-03-03 10:40:05 +0100 | [diff] [blame] | 911 | if pol_bind == 1: |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 912 | # First pass: Worker 1, should have done all the policing |
| 913 | self.assertEqual(stats, stats1) |
| 914 | |
| 915 | # Worker 0, should have handed everything off |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 916 | self.assertEqual(stats0["conform_packets"], 0) |
| 917 | self.assertEqual(stats0["exceed_packets"], 0) |
| 918 | self.assertEqual(stats0["violate_packets"], 0) |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 919 | else: |
| 920 | # Second pass: both workers should have policed equal amounts |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 921 | self.assertGreater(stats1["conform_packets"], 0) |
| 922 | self.assertEqual(stats1["exceed_packets"], 0) |
| 923 | self.assertGreater(stats1["violate_packets"], 0) |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 924 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 925 | self.assertGreater(stats0["conform_packets"], 0) |
| 926 | self.assertEqual(stats0["exceed_packets"], 0) |
| 927 | self.assertGreater(stats0["violate_packets"], 0) |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 928 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 929 | self.assertEqual( |
| 930 | stats0["conform_packets"] + stats0["violate_packets"], |
| 931 | stats1["conform_packets"] + stats1["violate_packets"], |
| 932 | ) |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 933 | |
Stanislav Zaikin | e5a3ae0 | 2022-04-05 19:23:12 +0200 | [diff] [blame] | 934 | policer.apply_vpp_config(p.tun_if.sw_if_index, Dir.RX, False) |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 935 | policer.remove_vpp_config() |
| 936 | |
Neale Ranns | 4a56f4e | 2019-12-23 04:10:25 +0000 | [diff] [blame] | 937 | |
Andrew Yourtchenko | 8dc0d48 | 2021-01-29 13:17:19 +0000 | [diff] [blame] | 938 | @tag_fixme_vpp_workers |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 939 | class TestIpsec4MultiTunIfEsp(TemplateIpsec4TunProtect, TemplateIpsec, IpsecTun4): |
| 940 | """IPsec IPv4 Multi Tunnel interface""" |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 941 | |
| 942 | encryption_type = ESP |
Klement Sekera | 6aa58b7 | 2019-05-16 14:34:55 +0200 | [diff] [blame] | 943 | tun4_encrypt_node_name = "esp4-encrypt-tun" |
Neale Ranns | 8c609af | 2021-02-25 10:05:32 +0000 | [diff] [blame] | 944 | tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 945 | |
| 946 | def setUp(self): |
| 947 | super(TestIpsec4MultiTunIfEsp, self).setUp() |
| 948 | |
| 949 | self.tun_if = self.pg0 |
| 950 | |
| 951 | self.multi_params = [] |
Neale Ranns | 12989b5 | 2019-09-26 16:20:19 +0000 | [diff] [blame] | 952 | self.pg0.generate_remote_hosts(10) |
| 953 | self.pg0.configure_ipv4_neighbors() |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 954 | |
| 955 | for ii in range(10): |
| 956 | p = copy.copy(self.ipv4_params) |
| 957 | |
| 958 | p.remote_tun_if_host = "1.1.1.%d" % (ii + 1) |
| 959 | p.scapy_tun_sa_id = p.scapy_tun_sa_id + ii |
| 960 | p.scapy_tun_spi = p.scapy_tun_spi + ii |
| 961 | p.vpp_tun_sa_id = p.vpp_tun_sa_id + ii |
| 962 | p.vpp_tun_spi = p.vpp_tun_spi + ii |
| 963 | |
| 964 | p.scapy_tra_sa_id = p.scapy_tra_sa_id + ii |
| 965 | p.scapy_tra_spi = p.scapy_tra_spi + ii |
| 966 | p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii |
| 967 | p.vpp_tra_spi = p.vpp_tra_spi + ii |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 968 | p.tun_dst = self.pg0.remote_hosts[ii].ip4 |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 969 | |
Neale Ranns | 12989b5 | 2019-09-26 16:20:19 +0000 | [diff] [blame] | 970 | self.multi_params.append(p) |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 971 | self.config_network(p) |
| 972 | self.config_sa_tra(p) |
| 973 | self.config_protect(p) |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 974 | |
| 975 | def tearDown(self): |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 976 | super(TestIpsec4MultiTunIfEsp, self).tearDown() |
| 977 | |
| 978 | def test_tun_44(self): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 979 | """Multiple IPSEC tunnel interfaces""" |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 980 | for p in self.multi_params: |
| 981 | self.verify_tun_44(p, count=127) |
Ole Troan | e66443c | 2021-03-18 11:12:01 +0100 | [diff] [blame] | 982 | self.assertEqual(p.tun_if.get_rx_stats(), 127) |
| 983 | self.assertEqual(p.tun_if.get_tx_stats(), 127) |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 984 | |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 985 | def test_tun_rr_44(self): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 986 | """Round-robin packets acrros multiple interface""" |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 987 | tx = [] |
| 988 | for p in self.multi_params: |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 989 | tx = tx + self.gen_encrypt_pkts( |
| 990 | p, |
| 991 | p.scapy_tun_sa, |
| 992 | self.tun_if, |
| 993 | src=p.remote_tun_if_host, |
| 994 | dst=self.pg1.remote_ip4, |
| 995 | ) |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 996 | rxs = self.send_and_expect(self.tun_if, tx, self.pg1) |
| 997 | |
| 998 | for rx, p in zip(rxs, self.multi_params): |
| 999 | self.verify_decrypted(p, [rx]) |
| 1000 | |
| 1001 | tx = [] |
| 1002 | for p in self.multi_params: |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1003 | tx = tx + self.gen_pkts( |
| 1004 | self.pg1, src=self.pg1.remote_ip4, dst=p.remote_tun_if_host |
| 1005 | ) |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 1006 | rxs = self.send_and_expect(self.pg1, tx, self.tun_if) |
| 1007 | |
| 1008 | for rx, p in zip(rxs, self.multi_params): |
| 1009 | self.verify_encrypted(p, p.vpp_tun_sa, [rx]) |
| 1010 | |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 1011 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1012 | class TestIpsec4TunIfEspAll(TemplateIpsec4TunProtect, TemplateIpsec, IpsecTun4): |
| 1013 | """IPsec IPv4 Tunnel interface all Algos""" |
Neale Ranns | 47feb11 | 2019-04-11 15:14:07 +0000 | [diff] [blame] | 1014 | |
| 1015 | encryption_type = ESP |
Klement Sekera | 6aa58b7 | 2019-05-16 14:34:55 +0200 | [diff] [blame] | 1016 | tun4_encrypt_node_name = "esp4-encrypt-tun" |
Neale Ranns | 8c609af | 2021-02-25 10:05:32 +0000 | [diff] [blame] | 1017 | tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] |
Neale Ranns | 47feb11 | 2019-04-11 15:14:07 +0000 | [diff] [blame] | 1018 | |
Neale Ranns | 47feb11 | 2019-04-11 15:14:07 +0000 | [diff] [blame] | 1019 | def setUp(self): |
| 1020 | super(TestIpsec4TunIfEspAll, self).setUp() |
| 1021 | |
| 1022 | self.tun_if = self.pg0 |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 1023 | p = self.ipv4_params |
| 1024 | |
| 1025 | self.config_network(p) |
| 1026 | self.config_sa_tra(p) |
| 1027 | self.config_protect(p) |
Neale Ranns | 47feb11 | 2019-04-11 15:14:07 +0000 | [diff] [blame] | 1028 | |
| 1029 | def tearDown(self): |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 1030 | p = self.ipv4_params |
| 1031 | self.unconfig_protect(p) |
| 1032 | self.unconfig_network(p) |
| 1033 | self.unconfig_sa(p) |
| 1034 | |
Neale Ranns | 47feb11 | 2019-04-11 15:14:07 +0000 | [diff] [blame] | 1035 | super(TestIpsec4TunIfEspAll, self).tearDown() |
| 1036 | |
Neale Ranns | d6c9e82 | 2019-04-17 16:29:00 -0700 | [diff] [blame] | 1037 | def rekey(self, p): |
| 1038 | # |
| 1039 | # change the key and the SPI |
| 1040 | # |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 1041 | np = copy.copy(p) |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1042 | p.crypt_key = b"X" + p.crypt_key[1:] |
Neale Ranns | d6c9e82 | 2019-04-17 16:29:00 -0700 | [diff] [blame] | 1043 | p.scapy_tun_spi += 1 |
| 1044 | p.scapy_tun_sa_id += 1 |
| 1045 | p.vpp_tun_spi += 1 |
| 1046 | p.vpp_tun_sa_id += 1 |
| 1047 | p.tun_if.local_spi = p.vpp_tun_spi |
| 1048 | p.tun_if.remote_spi = p.scapy_tun_spi |
| 1049 | |
Neale Ranns | 12989b5 | 2019-09-26 16:20:19 +0000 | [diff] [blame] | 1050 | config_tun_params(p, self.encryption_type, p.tun_if) |
Neale Ranns | d6c9e82 | 2019-04-17 16:29:00 -0700 | [diff] [blame] | 1051 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1052 | p.tun_sa_out = VppIpsecSA( |
| 1053 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 1054 | p.vpp_tun_sa_id, |
| 1055 | p.vpp_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1056 | p.auth_algo_vpp_id, |
| 1057 | p.auth_key, |
| 1058 | p.crypt_algo_vpp_id, |
| 1059 | p.crypt_key, |
| 1060 | self.vpp_esp_protocol, |
| 1061 | flags=p.flags, |
| 1062 | salt=p.salt, |
| 1063 | ) |
| 1064 | p.tun_sa_in = VppIpsecSA( |
| 1065 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 1066 | p.scapy_tun_sa_id, |
| 1067 | p.scapy_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1068 | p.auth_algo_vpp_id, |
| 1069 | p.auth_key, |
| 1070 | p.crypt_algo_vpp_id, |
| 1071 | p.crypt_key, |
| 1072 | self.vpp_esp_protocol, |
| 1073 | flags=p.flags, |
| 1074 | salt=p.salt, |
| 1075 | ) |
Neale Ranns | d6c9e82 | 2019-04-17 16:29:00 -0700 | [diff] [blame] | 1076 | p.tun_sa_in.add_vpp_config() |
| 1077 | p.tun_sa_out.add_vpp_config() |
| 1078 | |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 1079 | self.config_protect(p) |
| 1080 | np.tun_sa_out.remove_vpp_config() |
| 1081 | np.tun_sa_in.remove_vpp_config() |
Neale Ranns | d6c9e82 | 2019-04-17 16:29:00 -0700 | [diff] [blame] | 1082 | self.logger.info(self.vapi.cli("sh ipsec sa")) |
| 1083 | |
Neale Ranns | 47feb11 | 2019-04-11 15:14:07 +0000 | [diff] [blame] | 1084 | def test_tun_44(self): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1085 | """IPSEC tunnel all algos""" |
Neale Ranns | 47feb11 | 2019-04-11 15:14:07 +0000 | [diff] [blame] | 1086 | |
| 1087 | # foreach VPP crypto engine |
| 1088 | engines = ["ia32", "ipsecmb", "openssl"] |
| 1089 | |
| 1090 | # foreach crypto algorithm |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1091 | algos = [ |
| 1092 | { |
| 1093 | "vpp-crypto": ( |
| 1094 | VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_GCM_128 |
| 1095 | ), |
| 1096 | "vpp-integ": ( |
| 1097 | VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_NONE |
| 1098 | ), |
| 1099 | "scapy-crypto": "AES-GCM", |
| 1100 | "scapy-integ": "NULL", |
| 1101 | "key": b"JPjyOWBeVEQiMe7h", |
| 1102 | "salt": 3333, |
| 1103 | }, |
| 1104 | { |
| 1105 | "vpp-crypto": ( |
| 1106 | VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_GCM_192 |
| 1107 | ), |
| 1108 | "vpp-integ": ( |
| 1109 | VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_NONE |
| 1110 | ), |
| 1111 | "scapy-crypto": "AES-GCM", |
| 1112 | "scapy-integ": "NULL", |
| 1113 | "key": b"JPjyOWBeVEQiMe7hJPjyOWBe", |
| 1114 | "salt": 0, |
| 1115 | }, |
| 1116 | { |
| 1117 | "vpp-crypto": ( |
| 1118 | VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_GCM_256 |
| 1119 | ), |
| 1120 | "vpp-integ": ( |
| 1121 | VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_NONE |
| 1122 | ), |
| 1123 | "scapy-crypto": "AES-GCM", |
| 1124 | "scapy-integ": "NULL", |
| 1125 | "key": b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h", |
| 1126 | "salt": 9999, |
| 1127 | }, |
| 1128 | { |
| 1129 | "vpp-crypto": ( |
| 1130 | VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_CBC_128 |
| 1131 | ), |
| 1132 | "vpp-integ": ( |
| 1133 | VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_SHA1_96 |
| 1134 | ), |
| 1135 | "scapy-crypto": "AES-CBC", |
| 1136 | "scapy-integ": "HMAC-SHA1-96", |
| 1137 | "salt": 0, |
| 1138 | "key": b"JPjyOWBeVEQiMe7h", |
| 1139 | }, |
| 1140 | { |
| 1141 | "vpp-crypto": ( |
| 1142 | VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_CBC_192 |
| 1143 | ), |
| 1144 | "vpp-integ": ( |
| 1145 | VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_SHA_512_256 |
| 1146 | ), |
| 1147 | "scapy-crypto": "AES-CBC", |
| 1148 | "scapy-integ": "SHA2-512-256", |
| 1149 | "salt": 0, |
| 1150 | "key": b"JPjyOWBeVEQiMe7hJPjyOWBe", |
| 1151 | }, |
| 1152 | { |
| 1153 | "vpp-crypto": ( |
| 1154 | VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_CBC_256 |
| 1155 | ), |
| 1156 | "vpp-integ": ( |
| 1157 | VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_SHA_256_128 |
| 1158 | ), |
| 1159 | "scapy-crypto": "AES-CBC", |
| 1160 | "scapy-integ": "SHA2-256-128", |
| 1161 | "salt": 0, |
| 1162 | "key": b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h", |
| 1163 | }, |
| 1164 | { |
| 1165 | "vpp-crypto": ( |
| 1166 | VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_NONE |
| 1167 | ), |
| 1168 | "vpp-integ": ( |
| 1169 | VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_SHA1_96 |
| 1170 | ), |
| 1171 | "scapy-crypto": "NULL", |
| 1172 | "scapy-integ": "HMAC-SHA1-96", |
| 1173 | "salt": 0, |
| 1174 | "key": b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h", |
| 1175 | }, |
| 1176 | ] |
Neale Ranns | 47feb11 | 2019-04-11 15:14:07 +0000 | [diff] [blame] | 1177 | |
| 1178 | for engine in engines: |
| 1179 | self.vapi.cli("set crypto handler all %s" % engine) |
| 1180 | |
| 1181 | # |
| 1182 | # loop through each of the algorithms |
| 1183 | # |
| 1184 | for algo in algos: |
| 1185 | # with self.subTest(algo=algo['scapy']): |
| 1186 | |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 1187 | p = self.ipv4_params |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1188 | p.auth_algo_vpp_id = algo["vpp-integ"] |
| 1189 | p.crypt_algo_vpp_id = algo["vpp-crypto"] |
| 1190 | p.crypt_algo = algo["scapy-crypto"] |
| 1191 | p.auth_algo = algo["scapy-integ"] |
| 1192 | p.crypt_key = algo["key"] |
| 1193 | p.salt = algo["salt"] |
Neale Ranns | 47feb11 | 2019-04-11 15:14:07 +0000 | [diff] [blame] | 1194 | |
Neale Ranns | d6c9e82 | 2019-04-17 16:29:00 -0700 | [diff] [blame] | 1195 | # |
| 1196 | # rekey the tunnel |
| 1197 | # |
| 1198 | self.rekey(p) |
| 1199 | self.verify_tun_44(p, count=127) |
| 1200 | |
Neale Ranns | 47feb11 | 2019-04-11 15:14:07 +0000 | [diff] [blame] | 1201 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1202 | class TestIpsec4TunIfEspNoAlgo(TemplateIpsec4TunProtect, TemplateIpsec, IpsecTun4): |
| 1203 | """IPsec IPv4 Tunnel interface no Algos""" |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 1204 | |
| 1205 | encryption_type = ESP |
| 1206 | tun4_encrypt_node_name = "esp4-encrypt-tun" |
Neale Ranns | 8c609af | 2021-02-25 10:05:32 +0000 | [diff] [blame] | 1207 | tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 1208 | |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 1209 | def setUp(self): |
| 1210 | super(TestIpsec4TunIfEspNoAlgo, self).setUp() |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 1211 | |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 1212 | self.tun_if = self.pg0 |
| 1213 | p = self.ipv4_params |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1214 | p.auth_algo_vpp_id = VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_NONE |
| 1215 | p.auth_algo = "NULL" |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 1216 | p.auth_key = [] |
| 1217 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1218 | p.crypt_algo_vpp_id = ( |
| 1219 | VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_NONE |
| 1220 | ) |
| 1221 | p.crypt_algo = "NULL" |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 1222 | p.crypt_key = [] |
| 1223 | |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 1224 | def tearDown(self): |
| 1225 | super(TestIpsec4TunIfEspNoAlgo, self).tearDown() |
| 1226 | |
| 1227 | def test_tun_44(self): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1228 | """IPSec SA with NULL algos""" |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 1229 | p = self.ipv4_params |
| 1230 | |
| 1231 | self.config_network(p) |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 1232 | self.config_sa_tra(p) |
| 1233 | self.config_protect(p) |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 1234 | |
Matthew Smith | ff71939 | 2024-02-12 18:39:21 +0000 | [diff] [blame] | 1235 | tx = self.gen_pkts( |
| 1236 | self.pg1, src=self.pg1.remote_ip4, dst=p.remote_tun_if_host, count=127 |
| 1237 | ) |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 1238 | self.send_and_assert_no_replies(self.pg1, tx) |
| 1239 | |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 1240 | self.unconfig_protect(p) |
| 1241 | self.unconfig_sa(p) |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 1242 | self.unconfig_network(p) |
| 1243 | |
Matthew Smith | ff71939 | 2024-02-12 18:39:21 +0000 | [diff] [blame] | 1244 | def test_tun_44_async(self): |
| 1245 | """IPSec SA with NULL algos using async crypto""" |
| 1246 | p = self.ipv4_params |
| 1247 | |
| 1248 | self.vapi.ipsec_set_async_mode(async_enable=True) |
| 1249 | self.config_network(p) |
| 1250 | self.config_sa_tra(p) |
| 1251 | self.config_protect(p) |
| 1252 | |
| 1253 | tx = self.gen_pkts( |
| 1254 | self.pg1, src=self.pg1.remote_ip4, dst=p.remote_tun_if_host, count=127 |
| 1255 | ) |
| 1256 | self.send_and_assert_no_replies(self.pg1, tx) |
| 1257 | |
| 1258 | self.unconfig_protect(p) |
| 1259 | self.unconfig_sa(p) |
| 1260 | self.unconfig_network(p) |
| 1261 | |
| 1262 | self.vapi.ipsec_set_async_mode(async_enable=False) |
| 1263 | |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 1264 | |
Andrew Yourtchenko | 8dc0d48 | 2021-01-29 13:17:19 +0000 | [diff] [blame] | 1265 | @tag_fixme_vpp_workers |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1266 | class TestIpsec6MultiTunIfEsp(TemplateIpsec6TunProtect, TemplateIpsec, IpsecTun6): |
| 1267 | """IPsec IPv6 Multi Tunnel interface""" |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 1268 | |
| 1269 | encryption_type = ESP |
Klement Sekera | 6aa58b7 | 2019-05-16 14:34:55 +0200 | [diff] [blame] | 1270 | tun6_encrypt_node_name = "esp6-encrypt-tun" |
Neale Ranns | 8c609af | 2021-02-25 10:05:32 +0000 | [diff] [blame] | 1271 | tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"] |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 1272 | |
| 1273 | def setUp(self): |
| 1274 | super(TestIpsec6MultiTunIfEsp, self).setUp() |
| 1275 | |
| 1276 | self.tun_if = self.pg0 |
| 1277 | |
| 1278 | self.multi_params = [] |
Neale Ranns | 12989b5 | 2019-09-26 16:20:19 +0000 | [diff] [blame] | 1279 | self.pg0.generate_remote_hosts(10) |
| 1280 | self.pg0.configure_ipv6_neighbors() |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 1281 | |
| 1282 | for ii in range(10): |
| 1283 | p = copy.copy(self.ipv6_params) |
| 1284 | |
| 1285 | p.remote_tun_if_host = "1111::%d" % (ii + 1) |
| 1286 | p.scapy_tun_sa_id = p.scapy_tun_sa_id + ii |
| 1287 | p.scapy_tun_spi = p.scapy_tun_spi + ii |
| 1288 | p.vpp_tun_sa_id = p.vpp_tun_sa_id + ii |
| 1289 | p.vpp_tun_spi = p.vpp_tun_spi + ii |
| 1290 | |
| 1291 | p.scapy_tra_sa_id = p.scapy_tra_sa_id + ii |
| 1292 | p.scapy_tra_spi = p.scapy_tra_spi + ii |
| 1293 | p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii |
| 1294 | p.vpp_tra_spi = p.vpp_tra_spi + ii |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 1295 | p.tun_dst = self.pg0.remote_hosts[ii].ip6 |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 1296 | |
Neale Ranns | 12989b5 | 2019-09-26 16:20:19 +0000 | [diff] [blame] | 1297 | self.multi_params.append(p) |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 1298 | self.config_network(p) |
| 1299 | self.config_sa_tra(p) |
| 1300 | self.config_protect(p) |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 1301 | |
| 1302 | def tearDown(self): |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 1303 | super(TestIpsec6MultiTunIfEsp, self).tearDown() |
| 1304 | |
| 1305 | def test_tun_66(self): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1306 | """Multiple IPSEC tunnel interfaces""" |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 1307 | for p in self.multi_params: |
| 1308 | self.verify_tun_66(p, count=127) |
Ole Troan | e66443c | 2021-03-18 11:12:01 +0100 | [diff] [blame] | 1309 | self.assertEqual(p.tun_if.get_rx_stats(), 127) |
| 1310 | self.assertEqual(p.tun_if.get_tx_stats(), 127) |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 1311 | |
| 1312 | |
Dmitry Valter | 34fa0ce | 2024-03-11 10:38:46 +0000 | [diff] [blame] | 1313 | @unittest.skipIf( |
| 1314 | "gre" in config.excluded_plugins, "Exclude tests depending on GRE plugin" |
| 1315 | ) |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1316 | class TestIpsecGreTebIfEsp(TemplateIpsec, IpsecTun4Tests): |
| 1317 | """Ipsec GRE TEB ESP - TUN tests""" |
| 1318 | |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 1319 | tun4_encrypt_node_name = "esp4-encrypt-tun" |
Neale Ranns | 8c609af | 2021-02-25 10:05:32 +0000 | [diff] [blame] | 1320 | tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] |
Neale Ranns | f05e732 | 2019-03-29 20:23:58 +0000 | [diff] [blame] | 1321 | encryption_type = ESP |
| 1322 | omac = "00:11:22:33:44:55" |
| 1323 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1324 | def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100): |
| 1325 | return [ |
| 1326 | Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) |
| 1327 | / sa.encrypt( |
| 1328 | IP(src=self.pg0.remote_ip4, dst=self.pg0.local_ip4) |
| 1329 | / GRE() |
| 1330 | / Ether(dst=self.omac) |
| 1331 | / IP(src="1.1.1.1", dst="1.1.1.2") |
| 1332 | / UDP(sport=1144, dport=2233) |
| 1333 | / Raw(b"X" * payload_size) |
| 1334 | ) |
| 1335 | for i in range(count) |
| 1336 | ] |
Neale Ranns | f05e732 | 2019-03-29 20:23:58 +0000 | [diff] [blame] | 1337 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1338 | def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=100): |
| 1339 | return [ |
| 1340 | Ether(dst=self.omac) |
| 1341 | / IP(src="1.1.1.1", dst="1.1.1.2") |
| 1342 | / UDP(sport=1144, dport=2233) |
| 1343 | / Raw(b"X" * payload_size) |
| 1344 | for i in range(count) |
| 1345 | ] |
Neale Ranns | f05e732 | 2019-03-29 20:23:58 +0000 | [diff] [blame] | 1346 | |
| 1347 | def verify_decrypted(self, p, rxs): |
| 1348 | for rx in rxs: |
| 1349 | self.assert_equal(rx[Ether].dst, self.omac) |
| 1350 | self.assert_equal(rx[IP].dst, "1.1.1.2") |
| 1351 | |
| 1352 | def verify_encrypted(self, p, sa, rxs): |
| 1353 | for rx in rxs: |
| 1354 | try: |
| 1355 | pkt = sa.decrypt(rx[IP]) |
| 1356 | if not pkt.haslayer(IP): |
| 1357 | pkt = IP(pkt[Raw].load) |
| 1358 | self.assert_packet_checksums_valid(pkt) |
| 1359 | self.assert_equal(pkt[IP].dst, self.pg0.remote_ip4) |
| 1360 | self.assert_equal(pkt[IP].src, self.pg0.local_ip4) |
| 1361 | self.assertTrue(pkt.haslayer(GRE)) |
| 1362 | e = pkt[Ether] |
| 1363 | self.assertEqual(e[Ether].dst, self.omac) |
| 1364 | self.assertEqual(e[IP].dst, "1.1.1.2") |
| 1365 | except (IndexError, AssertionError): |
| 1366 | self.logger.debug(ppp("Unexpected packet:", rx)) |
| 1367 | try: |
| 1368 | self.logger.debug(ppp("Decrypted packet:", pkt)) |
| 1369 | except: |
| 1370 | pass |
| 1371 | raise |
| 1372 | |
| 1373 | def setUp(self): |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 1374 | super(TestIpsecGreTebIfEsp, self).setUp() |
Neale Ranns | f05e732 | 2019-03-29 20:23:58 +0000 | [diff] [blame] | 1375 | |
| 1376 | self.tun_if = self.pg0 |
| 1377 | |
| 1378 | p = self.ipv4_params |
| 1379 | |
| 1380 | bd1 = VppBridgeDomain(self, 1) |
| 1381 | bd1.add_vpp_config() |
| 1382 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1383 | p.tun_sa_out = VppIpsecSA( |
| 1384 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 1385 | p.vpp_tun_sa_id, |
| 1386 | p.vpp_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1387 | p.auth_algo_vpp_id, |
| 1388 | p.auth_key, |
| 1389 | p.crypt_algo_vpp_id, |
| 1390 | p.crypt_key, |
| 1391 | self.vpp_esp_protocol, |
| 1392 | self.pg0.local_ip4, |
| 1393 | self.pg0.remote_ip4, |
| 1394 | ) |
Neale Ranns | f05e732 | 2019-03-29 20:23:58 +0000 | [diff] [blame] | 1395 | p.tun_sa_out.add_vpp_config() |
| 1396 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1397 | p.tun_sa_in = VppIpsecSA( |
| 1398 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 1399 | p.scapy_tun_sa_id, |
| 1400 | p.scapy_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1401 | p.auth_algo_vpp_id, |
| 1402 | p.auth_key, |
| 1403 | p.crypt_algo_vpp_id, |
| 1404 | p.crypt_key, |
| 1405 | self.vpp_esp_protocol, |
| 1406 | self.pg0.remote_ip4, |
| 1407 | self.pg0.local_ip4, |
| 1408 | ) |
Neale Ranns | f05e732 | 2019-03-29 20:23:58 +0000 | [diff] [blame] | 1409 | p.tun_sa_in.add_vpp_config() |
| 1410 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1411 | p.tun_if = VppGreInterface( |
| 1412 | self, |
| 1413 | self.pg0.local_ip4, |
| 1414 | self.pg0.remote_ip4, |
| 1415 | type=(VppEnum.vl_api_gre_tunnel_type_t.GRE_API_TUNNEL_TYPE_TEB), |
| 1416 | ) |
Neale Ranns | 12989b5 | 2019-09-26 16:20:19 +0000 | [diff] [blame] | 1417 | p.tun_if.add_vpp_config() |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 1418 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1419 | p.tun_protect = VppIpsecTunProtect(self, p.tun_if, p.tun_sa_out, [p.tun_sa_in]) |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 1420 | |
| 1421 | p.tun_protect.add_vpp_config() |
| 1422 | |
Neale Ranns | 12989b5 | 2019-09-26 16:20:19 +0000 | [diff] [blame] | 1423 | p.tun_if.admin_up() |
| 1424 | p.tun_if.config_ip4() |
| 1425 | config_tun_params(p, self.encryption_type, p.tun_if) |
Neale Ranns | f05e732 | 2019-03-29 20:23:58 +0000 | [diff] [blame] | 1426 | |
Neale Ranns | 12989b5 | 2019-09-26 16:20:19 +0000 | [diff] [blame] | 1427 | VppBridgeDomainPort(self, bd1, p.tun_if).add_vpp_config() |
Neale Ranns | f05e732 | 2019-03-29 20:23:58 +0000 | [diff] [blame] | 1428 | VppBridgeDomainPort(self, bd1, self.pg1).add_vpp_config() |
| 1429 | |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 1430 | self.vapi.cli("clear ipsec sa") |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 1431 | self.vapi.cli("sh adj") |
| 1432 | self.vapi.cli("sh ipsec tun") |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 1433 | |
Neale Ranns | f05e732 | 2019-03-29 20:23:58 +0000 | [diff] [blame] | 1434 | def tearDown(self): |
Neale Ranns | 12989b5 | 2019-09-26 16:20:19 +0000 | [diff] [blame] | 1435 | p = self.ipv4_params |
| 1436 | p.tun_if.unconfig_ip4() |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 1437 | super(TestIpsecGreTebIfEsp, self).tearDown() |
Neale Ranns | f05e732 | 2019-03-29 20:23:58 +0000 | [diff] [blame] | 1438 | |
| 1439 | |
Dmitry Valter | 34fa0ce | 2024-03-11 10:38:46 +0000 | [diff] [blame] | 1440 | @unittest.skipIf( |
| 1441 | "gre" in config.excluded_plugins, "Exclude tests depending on GRE plugin" |
| 1442 | ) |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1443 | class TestIpsecGreTebVlanIfEsp(TemplateIpsec, IpsecTun4Tests): |
| 1444 | """Ipsec GRE TEB ESP - TUN tests""" |
| 1445 | |
John Lo | 90430b6 | 2020-01-31 23:48:30 -0500 | [diff] [blame] | 1446 | tun4_encrypt_node_name = "esp4-encrypt-tun" |
Neale Ranns | 8c609af | 2021-02-25 10:05:32 +0000 | [diff] [blame] | 1447 | tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] |
John Lo | 90430b6 | 2020-01-31 23:48:30 -0500 | [diff] [blame] | 1448 | encryption_type = ESP |
| 1449 | omac = "00:11:22:33:44:55" |
| 1450 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1451 | def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100): |
| 1452 | return [ |
| 1453 | Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) |
| 1454 | / sa.encrypt( |
| 1455 | IP(src=self.pg0.remote_ip4, dst=self.pg0.local_ip4) |
| 1456 | / GRE() |
| 1457 | / Ether(dst=self.omac) |
| 1458 | / IP(src="1.1.1.1", dst="1.1.1.2") |
| 1459 | / UDP(sport=1144, dport=2233) |
| 1460 | / Raw(b"X" * payload_size) |
| 1461 | ) |
| 1462 | for i in range(count) |
| 1463 | ] |
John Lo | 90430b6 | 2020-01-31 23:48:30 -0500 | [diff] [blame] | 1464 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1465 | def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=100): |
| 1466 | return [ |
| 1467 | Ether(dst=self.omac) |
| 1468 | / Dot1Q(vlan=11) |
| 1469 | / IP(src="1.1.1.1", dst="1.1.1.2") |
| 1470 | / UDP(sport=1144, dport=2233) |
| 1471 | / Raw(b"X" * payload_size) |
| 1472 | for i in range(count) |
| 1473 | ] |
John Lo | 90430b6 | 2020-01-31 23:48:30 -0500 | [diff] [blame] | 1474 | |
| 1475 | def verify_decrypted(self, p, rxs): |
| 1476 | for rx in rxs: |
| 1477 | self.assert_equal(rx[Ether].dst, self.omac) |
| 1478 | self.assert_equal(rx[Dot1Q].vlan, 11) |
| 1479 | self.assert_equal(rx[IP].dst, "1.1.1.2") |
| 1480 | |
| 1481 | def verify_encrypted(self, p, sa, rxs): |
| 1482 | for rx in rxs: |
| 1483 | try: |
| 1484 | pkt = sa.decrypt(rx[IP]) |
| 1485 | if not pkt.haslayer(IP): |
| 1486 | pkt = IP(pkt[Raw].load) |
| 1487 | self.assert_packet_checksums_valid(pkt) |
| 1488 | self.assert_equal(pkt[IP].dst, self.pg0.remote_ip4) |
| 1489 | self.assert_equal(pkt[IP].src, self.pg0.local_ip4) |
| 1490 | self.assertTrue(pkt.haslayer(GRE)) |
| 1491 | e = pkt[Ether] |
| 1492 | self.assertEqual(e[Ether].dst, self.omac) |
| 1493 | self.assertFalse(e.haslayer(Dot1Q)) |
| 1494 | self.assertEqual(e[IP].dst, "1.1.1.2") |
| 1495 | except (IndexError, AssertionError): |
| 1496 | self.logger.debug(ppp("Unexpected packet:", rx)) |
| 1497 | try: |
| 1498 | self.logger.debug(ppp("Decrypted packet:", pkt)) |
| 1499 | except: |
| 1500 | pass |
| 1501 | raise |
| 1502 | |
| 1503 | def setUp(self): |
| 1504 | super(TestIpsecGreTebVlanIfEsp, self).setUp() |
| 1505 | |
| 1506 | self.tun_if = self.pg0 |
| 1507 | |
| 1508 | p = self.ipv4_params |
| 1509 | |
| 1510 | bd1 = VppBridgeDomain(self, 1) |
| 1511 | bd1.add_vpp_config() |
| 1512 | |
| 1513 | self.pg1_11 = VppDot1QSubint(self, self.pg1, 11) |
| 1514 | self.vapi.l2_interface_vlan_tag_rewrite( |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1515 | sw_if_index=self.pg1_11.sw_if_index, |
| 1516 | vtr_op=L2_VTR_OP.L2_POP_1, |
| 1517 | push_dot1q=11, |
| 1518 | ) |
John Lo | 90430b6 | 2020-01-31 23:48:30 -0500 | [diff] [blame] | 1519 | self.pg1_11.admin_up() |
| 1520 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1521 | p.tun_sa_out = VppIpsecSA( |
| 1522 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 1523 | p.vpp_tun_sa_id, |
| 1524 | p.vpp_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1525 | p.auth_algo_vpp_id, |
| 1526 | p.auth_key, |
| 1527 | p.crypt_algo_vpp_id, |
| 1528 | p.crypt_key, |
| 1529 | self.vpp_esp_protocol, |
| 1530 | self.pg0.local_ip4, |
| 1531 | self.pg0.remote_ip4, |
| 1532 | ) |
John Lo | 90430b6 | 2020-01-31 23:48:30 -0500 | [diff] [blame] | 1533 | p.tun_sa_out.add_vpp_config() |
| 1534 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1535 | p.tun_sa_in = VppIpsecSA( |
| 1536 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 1537 | p.scapy_tun_sa_id, |
| 1538 | p.scapy_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1539 | p.auth_algo_vpp_id, |
| 1540 | p.auth_key, |
| 1541 | p.crypt_algo_vpp_id, |
| 1542 | p.crypt_key, |
| 1543 | self.vpp_esp_protocol, |
| 1544 | self.pg0.remote_ip4, |
| 1545 | self.pg0.local_ip4, |
| 1546 | ) |
John Lo | 90430b6 | 2020-01-31 23:48:30 -0500 | [diff] [blame] | 1547 | p.tun_sa_in.add_vpp_config() |
| 1548 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1549 | p.tun_if = VppGreInterface( |
| 1550 | self, |
| 1551 | self.pg0.local_ip4, |
| 1552 | self.pg0.remote_ip4, |
| 1553 | type=(VppEnum.vl_api_gre_tunnel_type_t.GRE_API_TUNNEL_TYPE_TEB), |
| 1554 | ) |
John Lo | 90430b6 | 2020-01-31 23:48:30 -0500 | [diff] [blame] | 1555 | p.tun_if.add_vpp_config() |
| 1556 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1557 | p.tun_protect = VppIpsecTunProtect(self, p.tun_if, p.tun_sa_out, [p.tun_sa_in]) |
John Lo | 90430b6 | 2020-01-31 23:48:30 -0500 | [diff] [blame] | 1558 | |
| 1559 | p.tun_protect.add_vpp_config() |
| 1560 | |
| 1561 | p.tun_if.admin_up() |
| 1562 | p.tun_if.config_ip4() |
| 1563 | config_tun_params(p, self.encryption_type, p.tun_if) |
| 1564 | |
| 1565 | VppBridgeDomainPort(self, bd1, p.tun_if).add_vpp_config() |
| 1566 | VppBridgeDomainPort(self, bd1, self.pg1_11).add_vpp_config() |
| 1567 | |
| 1568 | self.vapi.cli("clear ipsec sa") |
| 1569 | |
| 1570 | def tearDown(self): |
| 1571 | p = self.ipv4_params |
| 1572 | p.tun_if.unconfig_ip4() |
| 1573 | super(TestIpsecGreTebVlanIfEsp, self).tearDown() |
| 1574 | self.pg1_11.admin_down() |
| 1575 | self.pg1_11.remove_vpp_config() |
| 1576 | |
| 1577 | |
Dmitry Valter | 34fa0ce | 2024-03-11 10:38:46 +0000 | [diff] [blame] | 1578 | @unittest.skipIf( |
| 1579 | "gre" in config.excluded_plugins, "Exclude tests depending on GRE plugin" |
| 1580 | ) |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1581 | class TestIpsecGreTebIfEspTra(TemplateIpsec, IpsecTun4Tests): |
| 1582 | """Ipsec GRE TEB ESP - Tra tests""" |
| 1583 | |
Neale Ranns | 568acbb | 2019-12-18 05:54:40 +0000 | [diff] [blame] | 1584 | tun4_encrypt_node_name = "esp4-encrypt-tun" |
Neale Ranns | 8c609af | 2021-02-25 10:05:32 +0000 | [diff] [blame] | 1585 | tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] |
Neale Ranns | 568acbb | 2019-12-18 05:54:40 +0000 | [diff] [blame] | 1586 | encryption_type = ESP |
| 1587 | omac = "00:11:22:33:44:55" |
| 1588 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1589 | def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100): |
| 1590 | return [ |
| 1591 | Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) |
| 1592 | / sa.encrypt( |
| 1593 | IP(src=self.pg0.remote_ip4, dst=self.pg0.local_ip4) |
| 1594 | / GRE() |
| 1595 | / Ether(dst=self.omac) |
| 1596 | / IP(src="1.1.1.1", dst="1.1.1.2") |
| 1597 | / UDP(sport=1144, dport=2233) |
| 1598 | / Raw(b"X" * payload_size) |
| 1599 | ) |
| 1600 | for i in range(count) |
| 1601 | ] |
Neale Ranns | 568acbb | 2019-12-18 05:54:40 +0000 | [diff] [blame] | 1602 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1603 | def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=100): |
| 1604 | return [ |
| 1605 | Ether(dst=self.omac) |
| 1606 | / IP(src="1.1.1.1", dst="1.1.1.2") |
| 1607 | / UDP(sport=1144, dport=2233) |
| 1608 | / Raw(b"X" * payload_size) |
| 1609 | for i in range(count) |
| 1610 | ] |
Neale Ranns | 568acbb | 2019-12-18 05:54:40 +0000 | [diff] [blame] | 1611 | |
| 1612 | def verify_decrypted(self, p, rxs): |
| 1613 | for rx in rxs: |
| 1614 | self.assert_equal(rx[Ether].dst, self.omac) |
| 1615 | self.assert_equal(rx[IP].dst, "1.1.1.2") |
| 1616 | |
| 1617 | def verify_encrypted(self, p, sa, rxs): |
| 1618 | for rx in rxs: |
| 1619 | try: |
| 1620 | pkt = sa.decrypt(rx[IP]) |
| 1621 | if not pkt.haslayer(IP): |
| 1622 | pkt = IP(pkt[Raw].load) |
| 1623 | self.assert_packet_checksums_valid(pkt) |
| 1624 | self.assert_equal(pkt[IP].dst, self.pg0.remote_ip4) |
| 1625 | self.assert_equal(pkt[IP].src, self.pg0.local_ip4) |
| 1626 | self.assertTrue(pkt.haslayer(GRE)) |
| 1627 | e = pkt[Ether] |
| 1628 | self.assertEqual(e[Ether].dst, self.omac) |
| 1629 | self.assertEqual(e[IP].dst, "1.1.1.2") |
| 1630 | except (IndexError, AssertionError): |
| 1631 | self.logger.debug(ppp("Unexpected packet:", rx)) |
| 1632 | try: |
| 1633 | self.logger.debug(ppp("Decrypted packet:", pkt)) |
| 1634 | except: |
| 1635 | pass |
| 1636 | raise |
| 1637 | |
| 1638 | def setUp(self): |
| 1639 | super(TestIpsecGreTebIfEspTra, self).setUp() |
| 1640 | |
| 1641 | self.tun_if = self.pg0 |
| 1642 | |
| 1643 | p = self.ipv4_params |
| 1644 | |
| 1645 | bd1 = VppBridgeDomain(self, 1) |
| 1646 | bd1.add_vpp_config() |
| 1647 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1648 | p.tun_sa_out = VppIpsecSA( |
| 1649 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 1650 | p.vpp_tun_sa_id, |
| 1651 | p.vpp_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1652 | p.auth_algo_vpp_id, |
| 1653 | p.auth_key, |
| 1654 | p.crypt_algo_vpp_id, |
| 1655 | p.crypt_key, |
| 1656 | self.vpp_esp_protocol, |
| 1657 | ) |
Neale Ranns | 568acbb | 2019-12-18 05:54:40 +0000 | [diff] [blame] | 1658 | p.tun_sa_out.add_vpp_config() |
| 1659 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1660 | p.tun_sa_in = VppIpsecSA( |
| 1661 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 1662 | p.scapy_tun_sa_id, |
| 1663 | p.scapy_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1664 | p.auth_algo_vpp_id, |
| 1665 | p.auth_key, |
| 1666 | p.crypt_algo_vpp_id, |
| 1667 | p.crypt_key, |
| 1668 | self.vpp_esp_protocol, |
| 1669 | ) |
Neale Ranns | 568acbb | 2019-12-18 05:54:40 +0000 | [diff] [blame] | 1670 | p.tun_sa_in.add_vpp_config() |
| 1671 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1672 | p.tun_if = VppGreInterface( |
| 1673 | self, |
| 1674 | self.pg0.local_ip4, |
| 1675 | self.pg0.remote_ip4, |
| 1676 | type=(VppEnum.vl_api_gre_tunnel_type_t.GRE_API_TUNNEL_TYPE_TEB), |
| 1677 | ) |
Neale Ranns | 568acbb | 2019-12-18 05:54:40 +0000 | [diff] [blame] | 1678 | p.tun_if.add_vpp_config() |
| 1679 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1680 | p.tun_protect = VppIpsecTunProtect(self, p.tun_if, p.tun_sa_out, [p.tun_sa_in]) |
Neale Ranns | 568acbb | 2019-12-18 05:54:40 +0000 | [diff] [blame] | 1681 | |
| 1682 | p.tun_protect.add_vpp_config() |
| 1683 | |
| 1684 | p.tun_if.admin_up() |
| 1685 | p.tun_if.config_ip4() |
| 1686 | config_tra_params(p, self.encryption_type, p.tun_if) |
| 1687 | |
| 1688 | VppBridgeDomainPort(self, bd1, p.tun_if).add_vpp_config() |
| 1689 | VppBridgeDomainPort(self, bd1, self.pg1).add_vpp_config() |
| 1690 | |
| 1691 | self.vapi.cli("clear ipsec sa") |
| 1692 | |
| 1693 | def tearDown(self): |
| 1694 | p = self.ipv4_params |
| 1695 | p.tun_if.unconfig_ip4() |
| 1696 | super(TestIpsecGreTebIfEspTra, self).tearDown() |
| 1697 | |
| 1698 | |
Dmitry Valter | 34fa0ce | 2024-03-11 10:38:46 +0000 | [diff] [blame] | 1699 | @unittest.skipIf( |
| 1700 | "gre" in config.excluded_plugins, "Exclude tests depending on GRE plugin" |
| 1701 | ) |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1702 | class TestIpsecGreTebUdpIfEspTra(TemplateIpsec, IpsecTun4Tests): |
| 1703 | """Ipsec GRE TEB UDP ESP - Tra tests""" |
| 1704 | |
Neale Ranns | abc5660 | 2020-04-01 09:45:23 +0000 | [diff] [blame] | 1705 | tun4_encrypt_node_name = "esp4-encrypt-tun" |
Neale Ranns | 8c609af | 2021-02-25 10:05:32 +0000 | [diff] [blame] | 1706 | tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] |
Neale Ranns | abc5660 | 2020-04-01 09:45:23 +0000 | [diff] [blame] | 1707 | encryption_type = ESP |
| 1708 | omac = "00:11:22:33:44:55" |
| 1709 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1710 | def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100): |
| 1711 | return [ |
| 1712 | Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) |
| 1713 | / sa.encrypt( |
| 1714 | IP(src=self.pg0.remote_ip4, dst=self.pg0.local_ip4) |
| 1715 | / GRE() |
| 1716 | / Ether(dst=self.omac) |
| 1717 | / IP(src="1.1.1.1", dst="1.1.1.2") |
| 1718 | / UDP(sport=1144, dport=2233) |
| 1719 | / Raw(b"X" * payload_size) |
| 1720 | ) |
| 1721 | for i in range(count) |
| 1722 | ] |
Neale Ranns | abc5660 | 2020-04-01 09:45:23 +0000 | [diff] [blame] | 1723 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1724 | def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=100): |
| 1725 | return [ |
| 1726 | Ether(dst=self.omac) |
| 1727 | / IP(src="1.1.1.1", dst="1.1.1.2") |
| 1728 | / UDP(sport=1144, dport=2233) |
| 1729 | / Raw(b"X" * payload_size) |
| 1730 | for i in range(count) |
| 1731 | ] |
Neale Ranns | abc5660 | 2020-04-01 09:45:23 +0000 | [diff] [blame] | 1732 | |
| 1733 | def verify_decrypted(self, p, rxs): |
| 1734 | for rx in rxs: |
| 1735 | self.assert_equal(rx[Ether].dst, self.omac) |
| 1736 | self.assert_equal(rx[IP].dst, "1.1.1.2") |
| 1737 | |
| 1738 | def verify_encrypted(self, p, sa, rxs): |
| 1739 | for rx in rxs: |
| 1740 | self.assertTrue(rx.haslayer(UDP)) |
| 1741 | self.assertEqual(rx[UDP].dport, 4545) |
| 1742 | self.assertEqual(rx[UDP].sport, 5454) |
| 1743 | try: |
| 1744 | pkt = sa.decrypt(rx[IP]) |
| 1745 | if not pkt.haslayer(IP): |
| 1746 | pkt = IP(pkt[Raw].load) |
| 1747 | self.assert_packet_checksums_valid(pkt) |
| 1748 | self.assert_equal(pkt[IP].dst, self.pg0.remote_ip4) |
| 1749 | self.assert_equal(pkt[IP].src, self.pg0.local_ip4) |
| 1750 | self.assertTrue(pkt.haslayer(GRE)) |
| 1751 | e = pkt[Ether] |
| 1752 | self.assertEqual(e[Ether].dst, self.omac) |
| 1753 | self.assertEqual(e[IP].dst, "1.1.1.2") |
| 1754 | except (IndexError, AssertionError): |
| 1755 | self.logger.debug(ppp("Unexpected packet:", rx)) |
| 1756 | try: |
| 1757 | self.logger.debug(ppp("Decrypted packet:", pkt)) |
| 1758 | except: |
| 1759 | pass |
| 1760 | raise |
| 1761 | |
| 1762 | def setUp(self): |
| 1763 | super(TestIpsecGreTebUdpIfEspTra, self).setUp() |
| 1764 | |
| 1765 | self.tun_if = self.pg0 |
| 1766 | |
| 1767 | p = self.ipv4_params |
| 1768 | p = self.ipv4_params |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1769 | p.flags = VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_UDP_ENCAP |
Neale Ranns | abc5660 | 2020-04-01 09:45:23 +0000 | [diff] [blame] | 1770 | p.nat_header = UDP(sport=5454, dport=4545) |
| 1771 | |
| 1772 | bd1 = VppBridgeDomain(self, 1) |
| 1773 | bd1.add_vpp_config() |
| 1774 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1775 | p.tun_sa_out = VppIpsecSA( |
| 1776 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 1777 | p.vpp_tun_sa_id, |
| 1778 | p.vpp_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1779 | p.auth_algo_vpp_id, |
| 1780 | p.auth_key, |
| 1781 | p.crypt_algo_vpp_id, |
| 1782 | p.crypt_key, |
| 1783 | self.vpp_esp_protocol, |
| 1784 | flags=p.flags, |
| 1785 | udp_src=5454, |
| 1786 | udp_dst=4545, |
| 1787 | ) |
Neale Ranns | abc5660 | 2020-04-01 09:45:23 +0000 | [diff] [blame] | 1788 | p.tun_sa_out.add_vpp_config() |
| 1789 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1790 | p.tun_sa_in = VppIpsecSA( |
| 1791 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 1792 | p.scapy_tun_sa_id, |
| 1793 | p.scapy_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1794 | p.auth_algo_vpp_id, |
| 1795 | p.auth_key, |
| 1796 | p.crypt_algo_vpp_id, |
| 1797 | p.crypt_key, |
| 1798 | self.vpp_esp_protocol, |
| 1799 | flags=( |
| 1800 | p.flags | VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_IS_INBOUND |
| 1801 | ), |
| 1802 | udp_src=4545, |
| 1803 | udp_dst=5454, |
| 1804 | ) |
Neale Ranns | abc5660 | 2020-04-01 09:45:23 +0000 | [diff] [blame] | 1805 | p.tun_sa_in.add_vpp_config() |
| 1806 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1807 | p.tun_if = VppGreInterface( |
| 1808 | self, |
| 1809 | self.pg0.local_ip4, |
| 1810 | self.pg0.remote_ip4, |
| 1811 | type=(VppEnum.vl_api_gre_tunnel_type_t.GRE_API_TUNNEL_TYPE_TEB), |
| 1812 | ) |
Neale Ranns | abc5660 | 2020-04-01 09:45:23 +0000 | [diff] [blame] | 1813 | p.tun_if.add_vpp_config() |
| 1814 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1815 | p.tun_protect = VppIpsecTunProtect(self, p.tun_if, p.tun_sa_out, [p.tun_sa_in]) |
Neale Ranns | abc5660 | 2020-04-01 09:45:23 +0000 | [diff] [blame] | 1816 | |
| 1817 | p.tun_protect.add_vpp_config() |
| 1818 | |
| 1819 | p.tun_if.admin_up() |
| 1820 | p.tun_if.config_ip4() |
| 1821 | config_tra_params(p, self.encryption_type, p.tun_if) |
| 1822 | |
| 1823 | VppBridgeDomainPort(self, bd1, p.tun_if).add_vpp_config() |
| 1824 | VppBridgeDomainPort(self, bd1, self.pg1).add_vpp_config() |
| 1825 | |
| 1826 | self.vapi.cli("clear ipsec sa") |
| 1827 | self.logger.info(self.vapi.cli("sh ipsec sa 0")) |
| 1828 | |
| 1829 | def tearDown(self): |
| 1830 | p = self.ipv4_params |
| 1831 | p.tun_if.unconfig_ip4() |
| 1832 | super(TestIpsecGreTebUdpIfEspTra, self).tearDown() |
| 1833 | |
| 1834 | |
Dmitry Valter | 34fa0ce | 2024-03-11 10:38:46 +0000 | [diff] [blame] | 1835 | @unittest.skipIf( |
| 1836 | "gre" in config.excluded_plugins, "Exclude tests depending on GRE plugin" |
| 1837 | ) |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1838 | class TestIpsecGreIfEsp(TemplateIpsec, IpsecTun4Tests): |
| 1839 | """Ipsec GRE ESP - TUN tests""" |
| 1840 | |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 1841 | tun4_encrypt_node_name = "esp4-encrypt-tun" |
Neale Ranns | 8c609af | 2021-02-25 10:05:32 +0000 | [diff] [blame] | 1842 | tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 1843 | encryption_type = ESP |
| 1844 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1845 | def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100): |
| 1846 | return [ |
| 1847 | Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) |
| 1848 | / sa.encrypt( |
| 1849 | IP(src=self.pg0.remote_ip4, dst=self.pg0.local_ip4) |
| 1850 | / GRE() |
| 1851 | / IP(src=self.pg1.local_ip4, dst=self.pg1.remote_ip4) |
| 1852 | / UDP(sport=1144, dport=2233) |
| 1853 | / Raw(b"X" * payload_size) |
| 1854 | ) |
| 1855 | for i in range(count) |
| 1856 | ] |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 1857 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1858 | def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=100): |
| 1859 | return [ |
| 1860 | Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) |
| 1861 | / IP(src="1.1.1.1", dst="1.1.1.2") |
| 1862 | / UDP(sport=1144, dport=2233) |
| 1863 | / Raw(b"X" * payload_size) |
| 1864 | for i in range(count) |
| 1865 | ] |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 1866 | |
| 1867 | def verify_decrypted(self, p, rxs): |
| 1868 | for rx in rxs: |
| 1869 | self.assert_equal(rx[Ether].dst, self.pg1.remote_mac) |
| 1870 | self.assert_equal(rx[IP].dst, self.pg1.remote_ip4) |
| 1871 | |
| 1872 | def verify_encrypted(self, p, sa, rxs): |
| 1873 | for rx in rxs: |
| 1874 | try: |
| 1875 | pkt = sa.decrypt(rx[IP]) |
| 1876 | if not pkt.haslayer(IP): |
| 1877 | pkt = IP(pkt[Raw].load) |
| 1878 | self.assert_packet_checksums_valid(pkt) |
| 1879 | self.assert_equal(pkt[IP].dst, self.pg0.remote_ip4) |
| 1880 | self.assert_equal(pkt[IP].src, self.pg0.local_ip4) |
| 1881 | self.assertTrue(pkt.haslayer(GRE)) |
| 1882 | e = pkt[GRE] |
| 1883 | self.assertEqual(e[IP].dst, "1.1.1.2") |
| 1884 | except (IndexError, AssertionError): |
| 1885 | self.logger.debug(ppp("Unexpected packet:", rx)) |
| 1886 | try: |
| 1887 | self.logger.debug(ppp("Decrypted packet:", pkt)) |
| 1888 | except: |
| 1889 | pass |
| 1890 | raise |
| 1891 | |
| 1892 | def setUp(self): |
| 1893 | super(TestIpsecGreIfEsp, self).setUp() |
| 1894 | |
| 1895 | self.tun_if = self.pg0 |
| 1896 | |
| 1897 | p = self.ipv4_params |
| 1898 | |
| 1899 | bd1 = VppBridgeDomain(self, 1) |
| 1900 | bd1.add_vpp_config() |
| 1901 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1902 | p.tun_sa_out = VppIpsecSA( |
| 1903 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 1904 | p.vpp_tun_sa_id, |
| 1905 | p.vpp_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1906 | p.auth_algo_vpp_id, |
| 1907 | p.auth_key, |
| 1908 | p.crypt_algo_vpp_id, |
| 1909 | p.crypt_key, |
| 1910 | self.vpp_esp_protocol, |
| 1911 | self.pg0.local_ip4, |
| 1912 | self.pg0.remote_ip4, |
| 1913 | ) |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 1914 | p.tun_sa_out.add_vpp_config() |
| 1915 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1916 | p.tun_sa_in = VppIpsecSA( |
| 1917 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 1918 | p.scapy_tun_sa_id, |
| 1919 | p.scapy_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1920 | p.auth_algo_vpp_id, |
| 1921 | p.auth_key, |
| 1922 | p.crypt_algo_vpp_id, |
| 1923 | p.crypt_key, |
| 1924 | self.vpp_esp_protocol, |
| 1925 | self.pg0.remote_ip4, |
| 1926 | self.pg0.local_ip4, |
| 1927 | ) |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 1928 | p.tun_sa_in.add_vpp_config() |
| 1929 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1930 | p.tun_if = VppGreInterface(self, self.pg0.local_ip4, self.pg0.remote_ip4) |
Neale Ranns | 12989b5 | 2019-09-26 16:20:19 +0000 | [diff] [blame] | 1931 | p.tun_if.add_vpp_config() |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 1932 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1933 | p.tun_protect = VppIpsecTunProtect(self, p.tun_if, p.tun_sa_out, [p.tun_sa_in]) |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 1934 | p.tun_protect.add_vpp_config() |
| 1935 | |
Neale Ranns | 12989b5 | 2019-09-26 16:20:19 +0000 | [diff] [blame] | 1936 | p.tun_if.admin_up() |
| 1937 | p.tun_if.config_ip4() |
| 1938 | config_tun_params(p, self.encryption_type, p.tun_if) |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 1939 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1940 | VppIpRoute( |
| 1941 | self, "1.1.1.2", 32, [VppRoutePath(p.tun_if.remote_ip4, 0xFFFFFFFF)] |
| 1942 | ).add_vpp_config() |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 1943 | |
| 1944 | def tearDown(self): |
Neale Ranns | 12989b5 | 2019-09-26 16:20:19 +0000 | [diff] [blame] | 1945 | p = self.ipv4_params |
| 1946 | p.tun_if.unconfig_ip4() |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 1947 | super(TestIpsecGreIfEsp, self).tearDown() |
| 1948 | |
| 1949 | |
Dmitry Valter | 34fa0ce | 2024-03-11 10:38:46 +0000 | [diff] [blame] | 1950 | @unittest.skipIf( |
| 1951 | "gre" in config.excluded_plugins, "Exclude tests depending on GRE plugin" |
| 1952 | ) |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1953 | class TestIpsecGreIfEspTra(TemplateIpsec, IpsecTun4Tests): |
| 1954 | """Ipsec GRE ESP - TRA tests""" |
| 1955 | |
Neale Ranns | abde62f | 2019-12-02 22:32:05 +0000 | [diff] [blame] | 1956 | tun4_encrypt_node_name = "esp4-encrypt-tun" |
Neale Ranns | 8c609af | 2021-02-25 10:05:32 +0000 | [diff] [blame] | 1957 | tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] |
Neale Ranns | abde62f | 2019-12-02 22:32:05 +0000 | [diff] [blame] | 1958 | encryption_type = ESP |
| 1959 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1960 | def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100): |
| 1961 | return [ |
| 1962 | Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) |
| 1963 | / sa.encrypt( |
| 1964 | IP(src=self.pg0.remote_ip4, dst=self.pg0.local_ip4) |
| 1965 | / GRE() |
| 1966 | / IP(src=self.pg1.local_ip4, dst=self.pg1.remote_ip4) |
| 1967 | / UDP(sport=1144, dport=2233) |
| 1968 | / Raw(b"X" * payload_size) |
| 1969 | ) |
| 1970 | for i in range(count) |
| 1971 | ] |
Neale Ranns | abde62f | 2019-12-02 22:32:05 +0000 | [diff] [blame] | 1972 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1973 | def gen_encrypt_non_ip_pkts(self, sa, sw_intf, src, dst, count=1, payload_size=100): |
| 1974 | return [ |
| 1975 | Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) |
| 1976 | / sa.encrypt( |
| 1977 | IP(src=self.pg0.remote_ip4, dst=self.pg0.local_ip4) |
| 1978 | / GRE() |
| 1979 | / UDP(sport=1144, dport=2233) |
| 1980 | / Raw(b"X" * payload_size) |
| 1981 | ) |
| 1982 | for i in range(count) |
| 1983 | ] |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 1984 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 1985 | def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=100): |
| 1986 | return [ |
| 1987 | Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) |
| 1988 | / IP(src="1.1.1.1", dst="1.1.1.2") |
| 1989 | / UDP(sport=1144, dport=2233) |
| 1990 | / Raw(b"X" * payload_size) |
| 1991 | for i in range(count) |
| 1992 | ] |
Neale Ranns | abde62f | 2019-12-02 22:32:05 +0000 | [diff] [blame] | 1993 | |
| 1994 | def verify_decrypted(self, p, rxs): |
| 1995 | for rx in rxs: |
| 1996 | self.assert_equal(rx[Ether].dst, self.pg1.remote_mac) |
| 1997 | self.assert_equal(rx[IP].dst, self.pg1.remote_ip4) |
| 1998 | |
| 1999 | def verify_encrypted(self, p, sa, rxs): |
| 2000 | for rx in rxs: |
| 2001 | try: |
| 2002 | pkt = sa.decrypt(rx[IP]) |
| 2003 | if not pkt.haslayer(IP): |
| 2004 | pkt = IP(pkt[Raw].load) |
| 2005 | self.assert_packet_checksums_valid(pkt) |
| 2006 | self.assertTrue(pkt.haslayer(GRE)) |
| 2007 | e = pkt[GRE] |
| 2008 | self.assertEqual(e[IP].dst, "1.1.1.2") |
| 2009 | except (IndexError, AssertionError): |
| 2010 | self.logger.debug(ppp("Unexpected packet:", rx)) |
| 2011 | try: |
| 2012 | self.logger.debug(ppp("Decrypted packet:", pkt)) |
| 2013 | except: |
| 2014 | pass |
| 2015 | raise |
| 2016 | |
| 2017 | def setUp(self): |
| 2018 | super(TestIpsecGreIfEspTra, self).setUp() |
| 2019 | |
| 2020 | self.tun_if = self.pg0 |
| 2021 | |
| 2022 | p = self.ipv4_params |
| 2023 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2024 | p.tun_sa_out = VppIpsecSA( |
| 2025 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 2026 | p.vpp_tun_sa_id, |
| 2027 | p.vpp_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2028 | p.auth_algo_vpp_id, |
| 2029 | p.auth_key, |
| 2030 | p.crypt_algo_vpp_id, |
| 2031 | p.crypt_key, |
| 2032 | self.vpp_esp_protocol, |
| 2033 | ) |
Neale Ranns | abde62f | 2019-12-02 22:32:05 +0000 | [diff] [blame] | 2034 | p.tun_sa_out.add_vpp_config() |
| 2035 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2036 | p.tun_sa_in = VppIpsecSA( |
| 2037 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 2038 | p.scapy_tun_sa_id, |
| 2039 | p.scapy_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2040 | p.auth_algo_vpp_id, |
| 2041 | p.auth_key, |
| 2042 | p.crypt_algo_vpp_id, |
| 2043 | p.crypt_key, |
| 2044 | self.vpp_esp_protocol, |
| 2045 | ) |
Neale Ranns | abde62f | 2019-12-02 22:32:05 +0000 | [diff] [blame] | 2046 | p.tun_sa_in.add_vpp_config() |
| 2047 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2048 | p.tun_if = VppGreInterface(self, self.pg0.local_ip4, self.pg0.remote_ip4) |
Neale Ranns | abde62f | 2019-12-02 22:32:05 +0000 | [diff] [blame] | 2049 | p.tun_if.add_vpp_config() |
| 2050 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2051 | p.tun_protect = VppIpsecTunProtect(self, p.tun_if, p.tun_sa_out, [p.tun_sa_in]) |
Neale Ranns | abde62f | 2019-12-02 22:32:05 +0000 | [diff] [blame] | 2052 | p.tun_protect.add_vpp_config() |
| 2053 | |
| 2054 | p.tun_if.admin_up() |
| 2055 | p.tun_if.config_ip4() |
Neale Ranns | 568acbb | 2019-12-18 05:54:40 +0000 | [diff] [blame] | 2056 | config_tra_params(p, self.encryption_type, p.tun_if) |
Neale Ranns | abde62f | 2019-12-02 22:32:05 +0000 | [diff] [blame] | 2057 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2058 | VppIpRoute( |
| 2059 | self, "1.1.1.2", 32, [VppRoutePath(p.tun_if.remote_ip4, 0xFFFFFFFF)] |
| 2060 | ).add_vpp_config() |
Neale Ranns | abde62f | 2019-12-02 22:32:05 +0000 | [diff] [blame] | 2061 | |
| 2062 | def tearDown(self): |
| 2063 | p = self.ipv4_params |
| 2064 | p.tun_if.unconfig_ip4() |
| 2065 | super(TestIpsecGreIfEspTra, self).tearDown() |
| 2066 | |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 2067 | def test_gre_non_ip(self): |
| 2068 | p = self.ipv4_params |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2069 | tx = self.gen_encrypt_non_ip_pkts( |
| 2070 | p.scapy_tun_sa, |
| 2071 | self.tun_if, |
| 2072 | src=p.remote_tun_if_host, |
| 2073 | dst=self.pg1.remote_ip6, |
| 2074 | ) |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 2075 | self.send_and_assert_no_replies(self.tun_if, tx) |
Neale Ranns | 93688d7 | 2022-08-09 03:34:51 +0000 | [diff] [blame] | 2076 | node_name = "/err/%s/unsup_payload" % self.tun4_decrypt_node_name[0] |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 2077 | self.assertEqual(1, self.statistics.get_err_counter(node_name)) |
Arthur de Kerhor | ad95b06 | 2022-11-16 19:12:05 +0100 | [diff] [blame] | 2078 | err = p.tun_sa_in.get_err("unsup_payload") |
| 2079 | self.assertEqual(err, 1) |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 2080 | |
| 2081 | |
Dmitry Valter | 34fa0ce | 2024-03-11 10:38:46 +0000 | [diff] [blame] | 2082 | @unittest.skipIf( |
| 2083 | "gre" in config.excluded_plugins, "Exclude tests depending on GRE plugin" |
| 2084 | ) |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2085 | class TestIpsecGre6IfEspTra(TemplateIpsec, IpsecTun6Tests): |
| 2086 | """Ipsec GRE ESP - TRA tests""" |
| 2087 | |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 2088 | tun6_encrypt_node_name = "esp6-encrypt-tun" |
Neale Ranns | 8c609af | 2021-02-25 10:05:32 +0000 | [diff] [blame] | 2089 | tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"] |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 2090 | encryption_type = ESP |
| 2091 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2092 | def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1, payload_size=100): |
| 2093 | return [ |
| 2094 | Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) |
| 2095 | / sa.encrypt( |
| 2096 | IPv6(src=self.pg0.remote_ip6, dst=self.pg0.local_ip6) |
| 2097 | / GRE() |
| 2098 | / IPv6(src=self.pg1.local_ip6, dst=self.pg1.remote_ip6) |
| 2099 | / UDP(sport=1144, dport=2233) |
| 2100 | / Raw(b"X" * payload_size) |
| 2101 | ) |
| 2102 | for i in range(count) |
| 2103 | ] |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 2104 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2105 | def gen_pkts6(self, p, sw_intf, src, dst, count=1, payload_size=100): |
| 2106 | return [ |
| 2107 | Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) |
| 2108 | / IPv6(src="1::1", dst="1::2") |
| 2109 | / UDP(sport=1144, dport=2233) |
| 2110 | / Raw(b"X" * payload_size) |
| 2111 | for i in range(count) |
| 2112 | ] |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 2113 | |
| 2114 | def verify_decrypted6(self, p, rxs): |
| 2115 | for rx in rxs: |
| 2116 | self.assert_equal(rx[Ether].dst, self.pg1.remote_mac) |
| 2117 | self.assert_equal(rx[IPv6].dst, self.pg1.remote_ip6) |
| 2118 | |
| 2119 | def verify_encrypted6(self, p, sa, rxs): |
| 2120 | for rx in rxs: |
| 2121 | try: |
| 2122 | pkt = sa.decrypt(rx[IPv6]) |
| 2123 | if not pkt.haslayer(IPv6): |
| 2124 | pkt = IPv6(pkt[Raw].load) |
| 2125 | self.assert_packet_checksums_valid(pkt) |
| 2126 | self.assertTrue(pkt.haslayer(GRE)) |
| 2127 | e = pkt[GRE] |
| 2128 | self.assertEqual(e[IPv6].dst, "1::2") |
| 2129 | except (IndexError, AssertionError): |
| 2130 | self.logger.debug(ppp("Unexpected packet:", rx)) |
| 2131 | try: |
| 2132 | self.logger.debug(ppp("Decrypted packet:", pkt)) |
| 2133 | except: |
| 2134 | pass |
| 2135 | raise |
| 2136 | |
| 2137 | def setUp(self): |
| 2138 | super(TestIpsecGre6IfEspTra, self).setUp() |
| 2139 | |
| 2140 | self.tun_if = self.pg0 |
| 2141 | |
| 2142 | p = self.ipv6_params |
| 2143 | |
| 2144 | bd1 = VppBridgeDomain(self, 1) |
| 2145 | bd1.add_vpp_config() |
| 2146 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2147 | p.tun_sa_out = VppIpsecSA( |
| 2148 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 2149 | p.vpp_tun_sa_id, |
| 2150 | p.vpp_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2151 | p.auth_algo_vpp_id, |
| 2152 | p.auth_key, |
| 2153 | p.crypt_algo_vpp_id, |
| 2154 | p.crypt_key, |
| 2155 | self.vpp_esp_protocol, |
| 2156 | ) |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 2157 | p.tun_sa_out.add_vpp_config() |
| 2158 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2159 | p.tun_sa_in = VppIpsecSA( |
| 2160 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 2161 | p.scapy_tun_sa_id, |
| 2162 | p.scapy_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2163 | p.auth_algo_vpp_id, |
| 2164 | p.auth_key, |
| 2165 | p.crypt_algo_vpp_id, |
| 2166 | p.crypt_key, |
| 2167 | self.vpp_esp_protocol, |
| 2168 | ) |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 2169 | p.tun_sa_in.add_vpp_config() |
| 2170 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2171 | p.tun_if = VppGreInterface(self, self.pg0.local_ip6, self.pg0.remote_ip6) |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 2172 | p.tun_if.add_vpp_config() |
| 2173 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2174 | p.tun_protect = VppIpsecTunProtect(self, p.tun_if, p.tun_sa_out, [p.tun_sa_in]) |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 2175 | p.tun_protect.add_vpp_config() |
| 2176 | |
| 2177 | p.tun_if.admin_up() |
| 2178 | p.tun_if.config_ip6() |
| 2179 | config_tra_params(p, self.encryption_type, p.tun_if) |
| 2180 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2181 | r = VppIpRoute( |
| 2182 | self, |
| 2183 | "1::2", |
| 2184 | 128, |
| 2185 | [ |
| 2186 | VppRoutePath( |
| 2187 | p.tun_if.remote_ip6, 0xFFFFFFFF, proto=DpoProto.DPO_PROTO_IP6 |
| 2188 | ) |
| 2189 | ], |
| 2190 | ) |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 2191 | r.add_vpp_config() |
| 2192 | |
| 2193 | def tearDown(self): |
| 2194 | p = self.ipv6_params |
| 2195 | p.tun_if.unconfig_ip6() |
| 2196 | super(TestIpsecGre6IfEspTra, self).tearDown() |
| 2197 | |
Neale Ranns | abde62f | 2019-12-02 22:32:05 +0000 | [diff] [blame] | 2198 | |
Dmitry Valter | 34fa0ce | 2024-03-11 10:38:46 +0000 | [diff] [blame] | 2199 | @unittest.skipIf( |
| 2200 | "gre" in config.excluded_plugins, "Exclude tests depending on GRE plugin" |
| 2201 | ) |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 2202 | class TestIpsecMGreIfEspTra4(TemplateIpsec, IpsecTun4): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2203 | """Ipsec mGRE ESP v4 TRA tests""" |
| 2204 | |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 2205 | tun4_encrypt_node_name = "esp4-encrypt-tun" |
Neale Ranns | 8c609af | 2021-02-25 10:05:32 +0000 | [diff] [blame] | 2206 | tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 2207 | encryption_type = ESP |
| 2208 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2209 | def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100): |
| 2210 | return [ |
| 2211 | Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) |
| 2212 | / sa.encrypt( |
| 2213 | IP(src=p.tun_dst, dst=self.pg0.local_ip4) |
| 2214 | / GRE() |
| 2215 | / IP(src=self.pg1.local_ip4, dst=self.pg1.remote_ip4) |
| 2216 | / UDP(sport=1144, dport=2233) |
| 2217 | / Raw(b"X" * payload_size) |
| 2218 | ) |
| 2219 | for i in range(count) |
| 2220 | ] |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 2221 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2222 | def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=100): |
| 2223 | return [ |
| 2224 | Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) |
| 2225 | / IP(src="1.1.1.1", dst=dst) |
| 2226 | / UDP(sport=1144, dport=2233) |
| 2227 | / Raw(b"X" * payload_size) |
| 2228 | for i in range(count) |
| 2229 | ] |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 2230 | |
| 2231 | def verify_decrypted(self, p, rxs): |
| 2232 | for rx in rxs: |
| 2233 | self.assert_equal(rx[Ether].dst, self.pg1.remote_mac) |
| 2234 | self.assert_equal(rx[IP].dst, self.pg1.remote_ip4) |
| 2235 | |
| 2236 | def verify_encrypted(self, p, sa, rxs): |
| 2237 | for rx in rxs: |
| 2238 | try: |
| 2239 | pkt = sa.decrypt(rx[IP]) |
| 2240 | if not pkt.haslayer(IP): |
| 2241 | pkt = IP(pkt[Raw].load) |
| 2242 | self.assert_packet_checksums_valid(pkt) |
| 2243 | self.assertTrue(pkt.haslayer(GRE)) |
| 2244 | e = pkt[GRE] |
| 2245 | self.assertEqual(e[IP].dst, p.remote_tun_if_host) |
| 2246 | except (IndexError, AssertionError): |
| 2247 | self.logger.debug(ppp("Unexpected packet:", rx)) |
| 2248 | try: |
| 2249 | self.logger.debug(ppp("Decrypted packet:", pkt)) |
| 2250 | except: |
| 2251 | pass |
| 2252 | raise |
| 2253 | |
| 2254 | def setUp(self): |
| 2255 | super(TestIpsecMGreIfEspTra4, self).setUp() |
| 2256 | |
| 2257 | N_NHS = 16 |
| 2258 | self.tun_if = self.pg0 |
| 2259 | p = self.ipv4_params |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2260 | p.tun_if = VppGreInterface( |
| 2261 | self, |
| 2262 | self.pg0.local_ip4, |
| 2263 | "0.0.0.0", |
| 2264 | mode=(VppEnum.vl_api_tunnel_mode_t.TUNNEL_API_MODE_MP), |
| 2265 | ) |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 2266 | p.tun_if.add_vpp_config() |
| 2267 | p.tun_if.admin_up() |
| 2268 | p.tun_if.config_ip4() |
| 2269 | p.tun_if.generate_remote_hosts(N_NHS) |
| 2270 | self.pg0.generate_remote_hosts(N_NHS) |
| 2271 | self.pg0.configure_ipv4_neighbors() |
| 2272 | |
| 2273 | # setup some SAs for several next-hops on the interface |
| 2274 | self.multi_params = [] |
| 2275 | |
Neale Ranns | 6ba4e41 | 2020-10-19 09:59:41 +0000 | [diff] [blame] | 2276 | for ii in range(N_NHS): |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 2277 | p = copy.copy(self.ipv4_params) |
| 2278 | |
| 2279 | p.remote_tun_if_host = "1.1.1.%d" % (ii + 1) |
| 2280 | p.scapy_tun_sa_id = p.scapy_tun_sa_id + ii |
| 2281 | p.scapy_tun_spi = p.scapy_tun_spi + ii |
| 2282 | p.vpp_tun_sa_id = p.vpp_tun_sa_id + ii |
| 2283 | p.vpp_tun_spi = p.vpp_tun_spi + ii |
| 2284 | |
| 2285 | p.scapy_tra_sa_id = p.scapy_tra_sa_id + ii |
| 2286 | p.scapy_tra_spi = p.scapy_tra_spi + ii |
| 2287 | p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii |
| 2288 | p.vpp_tra_spi = p.vpp_tra_spi + ii |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2289 | p.tun_sa_out = VppIpsecSA( |
| 2290 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 2291 | p.vpp_tun_sa_id, |
| 2292 | p.vpp_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2293 | p.auth_algo_vpp_id, |
| 2294 | p.auth_key, |
| 2295 | p.crypt_algo_vpp_id, |
| 2296 | p.crypt_key, |
| 2297 | self.vpp_esp_protocol, |
| 2298 | ) |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 2299 | p.tun_sa_out.add_vpp_config() |
| 2300 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2301 | p.tun_sa_in = VppIpsecSA( |
| 2302 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 2303 | p.scapy_tun_sa_id, |
| 2304 | p.scapy_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2305 | p.auth_algo_vpp_id, |
| 2306 | p.auth_key, |
| 2307 | p.crypt_algo_vpp_id, |
| 2308 | p.crypt_key, |
| 2309 | self.vpp_esp_protocol, |
| 2310 | ) |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 2311 | p.tun_sa_in.add_vpp_config() |
| 2312 | |
| 2313 | p.tun_protect = VppIpsecTunProtect( |
| 2314 | self, |
| 2315 | p.tun_if, |
| 2316 | p.tun_sa_out, |
| 2317 | [p.tun_sa_in], |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2318 | nh=p.tun_if.remote_hosts[ii].ip4, |
| 2319 | ) |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 2320 | p.tun_protect.add_vpp_config() |
| 2321 | config_tra_params(p, self.encryption_type, p.tun_if) |
| 2322 | self.multi_params.append(p) |
| 2323 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2324 | VppIpRoute( |
| 2325 | self, |
| 2326 | p.remote_tun_if_host, |
| 2327 | 32, |
| 2328 | [VppRoutePath(p.tun_if.remote_hosts[ii].ip4, p.tun_if.sw_if_index)], |
| 2329 | ).add_vpp_config() |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 2330 | |
| 2331 | # in this v4 variant add the teibs after the protect |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2332 | p.teib = VppTeib( |
| 2333 | self, |
| 2334 | p.tun_if, |
| 2335 | p.tun_if.remote_hosts[ii].ip4, |
| 2336 | self.pg0.remote_hosts[ii].ip4, |
| 2337 | ).add_vpp_config() |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 2338 | p.tun_dst = self.pg0.remote_hosts[ii].ip4 |
| 2339 | self.logger.info(self.vapi.cli("sh ipsec protect-hash")) |
| 2340 | |
| 2341 | def tearDown(self): |
| 2342 | p = self.ipv4_params |
| 2343 | p.tun_if.unconfig_ip4() |
| 2344 | super(TestIpsecMGreIfEspTra4, self).tearDown() |
| 2345 | |
| 2346 | def test_tun_44(self): |
| 2347 | """mGRE IPSEC 44""" |
| 2348 | N_PKTS = 63 |
| 2349 | for p in self.multi_params: |
| 2350 | self.verify_tun_44(p, count=N_PKTS) |
| 2351 | p.teib.remove_vpp_config() |
| 2352 | self.verify_tun_dropped_44(p, count=N_PKTS) |
| 2353 | p.teib.add_vpp_config() |
| 2354 | self.verify_tun_44(p, count=N_PKTS) |
| 2355 | |
| 2356 | |
Dmitry Valter | 34fa0ce | 2024-03-11 10:38:46 +0000 | [diff] [blame] | 2357 | @unittest.skipIf( |
| 2358 | "gre" in config.excluded_plugins, "Exclude tests depending on GRE plugin" |
| 2359 | ) |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 2360 | class TestIpsecMGreIfEspTra6(TemplateIpsec, IpsecTun6): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2361 | """Ipsec mGRE ESP v6 TRA tests""" |
| 2362 | |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 2363 | tun6_encrypt_node_name = "esp6-encrypt-tun" |
Neale Ranns | 8c609af | 2021-02-25 10:05:32 +0000 | [diff] [blame] | 2364 | tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"] |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 2365 | encryption_type = ESP |
| 2366 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2367 | def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1, payload_size=100): |
| 2368 | return [ |
| 2369 | Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) |
| 2370 | / sa.encrypt( |
| 2371 | IPv6(src=p.tun_dst, dst=self.pg0.local_ip6) |
| 2372 | / GRE() |
| 2373 | / IPv6(src=self.pg1.local_ip6, dst=self.pg1.remote_ip6) |
| 2374 | / UDP(sport=1144, dport=2233) |
| 2375 | / Raw(b"X" * payload_size) |
| 2376 | ) |
| 2377 | for i in range(count) |
| 2378 | ] |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 2379 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2380 | def gen_pkts6(self, p, sw_intf, src, dst, count=1, payload_size=100): |
| 2381 | return [ |
| 2382 | Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) |
| 2383 | / IPv6(src="1::1", dst=dst) |
| 2384 | / UDP(sport=1144, dport=2233) |
| 2385 | / Raw(b"X" * payload_size) |
| 2386 | for i in range(count) |
| 2387 | ] |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 2388 | |
| 2389 | def verify_decrypted6(self, p, rxs): |
| 2390 | for rx in rxs: |
| 2391 | self.assert_equal(rx[Ether].dst, self.pg1.remote_mac) |
| 2392 | self.assert_equal(rx[IPv6].dst, self.pg1.remote_ip6) |
| 2393 | |
| 2394 | def verify_encrypted6(self, p, sa, rxs): |
| 2395 | for rx in rxs: |
| 2396 | try: |
| 2397 | pkt = sa.decrypt(rx[IPv6]) |
| 2398 | if not pkt.haslayer(IPv6): |
| 2399 | pkt = IPv6(pkt[Raw].load) |
| 2400 | self.assert_packet_checksums_valid(pkt) |
| 2401 | self.assertTrue(pkt.haslayer(GRE)) |
| 2402 | e = pkt[GRE] |
| 2403 | self.assertEqual(e[IPv6].dst, p.remote_tun_if_host) |
| 2404 | except (IndexError, AssertionError): |
| 2405 | self.logger.debug(ppp("Unexpected packet:", rx)) |
| 2406 | try: |
| 2407 | self.logger.debug(ppp("Decrypted packet:", pkt)) |
| 2408 | except: |
| 2409 | pass |
| 2410 | raise |
| 2411 | |
| 2412 | def setUp(self): |
| 2413 | super(TestIpsecMGreIfEspTra6, self).setUp() |
| 2414 | |
| 2415 | self.vapi.cli("set logging class ipsec level debug") |
| 2416 | |
| 2417 | N_NHS = 16 |
| 2418 | self.tun_if = self.pg0 |
| 2419 | p = self.ipv6_params |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2420 | p.tun_if = VppGreInterface( |
| 2421 | self, |
| 2422 | self.pg0.local_ip6, |
| 2423 | "::", |
| 2424 | mode=(VppEnum.vl_api_tunnel_mode_t.TUNNEL_API_MODE_MP), |
| 2425 | ) |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 2426 | p.tun_if.add_vpp_config() |
| 2427 | p.tun_if.admin_up() |
| 2428 | p.tun_if.config_ip6() |
| 2429 | p.tun_if.generate_remote_hosts(N_NHS) |
| 2430 | self.pg0.generate_remote_hosts(N_NHS) |
| 2431 | self.pg0.configure_ipv6_neighbors() |
| 2432 | |
| 2433 | # setup some SAs for several next-hops on the interface |
| 2434 | self.multi_params = [] |
| 2435 | |
| 2436 | for ii in range(N_NHS): |
| 2437 | p = copy.copy(self.ipv6_params) |
| 2438 | |
| 2439 | p.remote_tun_if_host = "1::%d" % (ii + 1) |
| 2440 | p.scapy_tun_sa_id = p.scapy_tun_sa_id + ii |
| 2441 | p.scapy_tun_spi = p.scapy_tun_spi + ii |
| 2442 | p.vpp_tun_sa_id = p.vpp_tun_sa_id + ii |
| 2443 | p.vpp_tun_spi = p.vpp_tun_spi + ii |
| 2444 | |
| 2445 | p.scapy_tra_sa_id = p.scapy_tra_sa_id + ii |
| 2446 | p.scapy_tra_spi = p.scapy_tra_spi + ii |
| 2447 | p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii |
| 2448 | p.vpp_tra_spi = p.vpp_tra_spi + ii |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2449 | p.tun_sa_out = VppIpsecSA( |
| 2450 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 2451 | p.vpp_tun_sa_id, |
| 2452 | p.vpp_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2453 | p.auth_algo_vpp_id, |
| 2454 | p.auth_key, |
| 2455 | p.crypt_algo_vpp_id, |
| 2456 | p.crypt_key, |
| 2457 | self.vpp_esp_protocol, |
| 2458 | ) |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 2459 | p.tun_sa_out.add_vpp_config() |
| 2460 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2461 | p.tun_sa_in = VppIpsecSA( |
| 2462 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 2463 | p.scapy_tun_sa_id, |
| 2464 | p.scapy_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2465 | p.auth_algo_vpp_id, |
| 2466 | p.auth_key, |
| 2467 | p.crypt_algo_vpp_id, |
| 2468 | p.crypt_key, |
| 2469 | self.vpp_esp_protocol, |
| 2470 | ) |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 2471 | p.tun_sa_in.add_vpp_config() |
| 2472 | |
| 2473 | # in this v6 variant add the teibs first then the protection |
| 2474 | p.tun_dst = self.pg0.remote_hosts[ii].ip6 |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2475 | VppTeib( |
| 2476 | self, p.tun_if, p.tun_if.remote_hosts[ii].ip6, p.tun_dst |
| 2477 | ).add_vpp_config() |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 2478 | |
| 2479 | p.tun_protect = VppIpsecTunProtect( |
| 2480 | self, |
| 2481 | p.tun_if, |
| 2482 | p.tun_sa_out, |
| 2483 | [p.tun_sa_in], |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2484 | nh=p.tun_if.remote_hosts[ii].ip6, |
| 2485 | ) |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 2486 | p.tun_protect.add_vpp_config() |
| 2487 | config_tra_params(p, self.encryption_type, p.tun_if) |
| 2488 | self.multi_params.append(p) |
| 2489 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2490 | VppIpRoute( |
| 2491 | self, |
| 2492 | p.remote_tun_if_host, |
| 2493 | 128, |
| 2494 | [VppRoutePath(p.tun_if.remote_hosts[ii].ip6, p.tun_if.sw_if_index)], |
| 2495 | ).add_vpp_config() |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 2496 | p.tun_dst = self.pg0.remote_hosts[ii].ip6 |
| 2497 | |
| 2498 | self.logger.info(self.vapi.cli("sh log")) |
| 2499 | self.logger.info(self.vapi.cli("sh ipsec protect-hash")) |
| 2500 | self.logger.info(self.vapi.cli("sh adj 41")) |
| 2501 | |
| 2502 | def tearDown(self): |
| 2503 | p = self.ipv6_params |
| 2504 | p.tun_if.unconfig_ip6() |
| 2505 | super(TestIpsecMGreIfEspTra6, self).tearDown() |
| 2506 | |
| 2507 | def test_tun_66(self): |
| 2508 | """mGRE IPSec 66""" |
| 2509 | for p in self.multi_params: |
| 2510 | self.verify_tun_66(p, count=63) |
| 2511 | |
| 2512 | |
Andrew Yourtchenko | 8dc0d48 | 2021-01-29 13:17:19 +0000 | [diff] [blame] | 2513 | @tag_fixme_vpp_workers |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2514 | class TestIpsec4TunProtect(TemplateIpsec, TemplateIpsec4TunProtect, IpsecTun4): |
| 2515 | """IPsec IPv4 Tunnel protect - transport mode""" |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2516 | |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2517 | def setUp(self): |
| 2518 | super(TestIpsec4TunProtect, self).setUp() |
| 2519 | |
| 2520 | self.tun_if = self.pg0 |
| 2521 | |
| 2522 | def tearDown(self): |
| 2523 | super(TestIpsec4TunProtect, self).tearDown() |
| 2524 | |
| 2525 | def test_tun_44(self): |
| 2526 | """IPSEC tunnel protect""" |
| 2527 | |
| 2528 | p = self.ipv4_params |
| 2529 | |
| 2530 | self.config_network(p) |
| 2531 | self.config_sa_tra(p) |
| 2532 | self.config_protect(p) |
| 2533 | |
| 2534 | self.verify_tun_44(p, count=127) |
Ole Troan | e66443c | 2021-03-18 11:12:01 +0100 | [diff] [blame] | 2535 | self.assertEqual(p.tun_if.get_rx_stats(), 127) |
| 2536 | self.assertEqual(p.tun_if.get_tx_stats(), 127) |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2537 | |
Neale Ranns | b325983 | 2019-09-27 13:32:02 +0000 | [diff] [blame] | 2538 | self.vapi.cli("clear ipsec sa") |
| 2539 | self.verify_tun_64(p, count=127) |
Ole Troan | e66443c | 2021-03-18 11:12:01 +0100 | [diff] [blame] | 2540 | self.assertEqual(p.tun_if.get_rx_stats(), 254) |
| 2541 | self.assertEqual(p.tun_if.get_tx_stats(), 254) |
Neale Ranns | b325983 | 2019-09-27 13:32:02 +0000 | [diff] [blame] | 2542 | |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2543 | # rekey - create new SAs and update the tunnel protection |
| 2544 | np = copy.copy(p) |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2545 | np.crypt_key = b"X" + p.crypt_key[1:] |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2546 | np.scapy_tun_spi += 100 |
| 2547 | np.scapy_tun_sa_id += 1 |
| 2548 | np.vpp_tun_spi += 100 |
| 2549 | np.vpp_tun_sa_id += 1 |
| 2550 | np.tun_if.local_spi = p.vpp_tun_spi |
| 2551 | np.tun_if.remote_spi = p.scapy_tun_spi |
| 2552 | |
| 2553 | self.config_sa_tra(np) |
| 2554 | self.config_protect(np) |
| 2555 | self.unconfig_sa(p) |
| 2556 | |
| 2557 | self.verify_tun_44(np, count=127) |
Ole Troan | e66443c | 2021-03-18 11:12:01 +0100 | [diff] [blame] | 2558 | self.assertEqual(p.tun_if.get_rx_stats(), 381) |
| 2559 | self.assertEqual(p.tun_if.get_tx_stats(), 381) |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2560 | |
| 2561 | # teardown |
| 2562 | self.unconfig_protect(np) |
| 2563 | self.unconfig_sa(np) |
| 2564 | self.unconfig_network(p) |
| 2565 | |
| 2566 | |
Andrew Yourtchenko | 8dc0d48 | 2021-01-29 13:17:19 +0000 | [diff] [blame] | 2567 | @tag_fixme_vpp_workers |
Arthur de Kerhor | 8fce546 | 2023-06-16 09:48:52 +0200 | [diff] [blame] | 2568 | class TestIpsec4TunProtectTfc(TemplateIpsec4TunTfc, TestIpsec4TunProtect): |
| 2569 | """IPsec IPv4 Tunnel protect with TFC - transport mode""" |
| 2570 | |
| 2571 | |
| 2572 | @tag_fixme_vpp_workers |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2573 | class TestIpsec4TunProtectUdp(TemplateIpsec, TemplateIpsec4TunProtect, IpsecTun4): |
Arthur de Kerhor | 8fce546 | 2023-06-16 09:48:52 +0200 | [diff] [blame] | 2574 | """IPsec IPv4 UDP Tunnel protect - transport mode""" |
Neale Ranns | 41afb33 | 2019-07-16 06:19:35 -0700 | [diff] [blame] | 2575 | |
| 2576 | def setUp(self): |
| 2577 | super(TestIpsec4TunProtectUdp, self).setUp() |
| 2578 | |
| 2579 | self.tun_if = self.pg0 |
| 2580 | |
| 2581 | p = self.ipv4_params |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2582 | p.flags = VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_UDP_ENCAP |
Neale Ranns | abc5660 | 2020-04-01 09:45:23 +0000 | [diff] [blame] | 2583 | p.nat_header = UDP(sport=4500, dport=4500) |
Neale Ranns | 41afb33 | 2019-07-16 06:19:35 -0700 | [diff] [blame] | 2584 | self.config_network(p) |
| 2585 | self.config_sa_tra(p) |
| 2586 | self.config_protect(p) |
| 2587 | |
| 2588 | def tearDown(self): |
| 2589 | p = self.ipv4_params |
| 2590 | self.unconfig_protect(p) |
| 2591 | self.unconfig_sa(p) |
| 2592 | self.unconfig_network(p) |
| 2593 | super(TestIpsec4TunProtectUdp, self).tearDown() |
| 2594 | |
Neale Ranns | abc5660 | 2020-04-01 09:45:23 +0000 | [diff] [blame] | 2595 | def verify_encrypted(self, p, sa, rxs): |
| 2596 | # ensure encrypted packets are recieved with the default UDP ports |
| 2597 | for rx in rxs: |
| 2598 | self.assertEqual(rx[UDP].sport, 4500) |
| 2599 | self.assertEqual(rx[UDP].dport, 4500) |
| 2600 | super(TestIpsec4TunProtectUdp, self).verify_encrypted(p, sa, rxs) |
| 2601 | |
Neale Ranns | 41afb33 | 2019-07-16 06:19:35 -0700 | [diff] [blame] | 2602 | def test_tun_44(self): |
| 2603 | """IPSEC UDP tunnel protect""" |
| 2604 | |
| 2605 | p = self.ipv4_params |
| 2606 | |
| 2607 | self.verify_tun_44(p, count=127) |
Ole Troan | e66443c | 2021-03-18 11:12:01 +0100 | [diff] [blame] | 2608 | self.assertEqual(p.tun_if.get_rx_stats(), 127) |
| 2609 | self.assertEqual(p.tun_if.get_tx_stats(), 127) |
Neale Ranns | 41afb33 | 2019-07-16 06:19:35 -0700 | [diff] [blame] | 2610 | |
| 2611 | def test_keepalive(self): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2612 | """IPSEC NAT Keepalive""" |
Neale Ranns | 41afb33 | 2019-07-16 06:19:35 -0700 | [diff] [blame] | 2613 | self.verify_keepalive(self.ipv4_params) |
| 2614 | |
| 2615 | |
Andrew Yourtchenko | 8dc0d48 | 2021-01-29 13:17:19 +0000 | [diff] [blame] | 2616 | @tag_fixme_vpp_workers |
Arthur de Kerhor | 8fce546 | 2023-06-16 09:48:52 +0200 | [diff] [blame] | 2617 | class TestIpsec4TunProtectUdpTfc(TemplateIpsec4TunTfc, TestIpsec4TunProtectUdp): |
| 2618 | """IPsec IPv4 UDP Tunnel protect with TFC - transport mode""" |
| 2619 | |
| 2620 | |
| 2621 | @tag_fixme_vpp_workers |
Dmitry Valter | 34fa0ce | 2024-03-11 10:38:46 +0000 | [diff] [blame] | 2622 | @unittest.skipIf( |
| 2623 | "acl" in config.excluded_plugins, "Exclude tests depending on ACL plugin" |
| 2624 | ) |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2625 | class TestIpsec4TunProtectTun(TemplateIpsec, TemplateIpsec4TunProtect, IpsecTun4): |
| 2626 | """IPsec IPv4 Tunnel protect - tunnel mode""" |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2627 | |
| 2628 | encryption_type = ESP |
| 2629 | tun4_encrypt_node_name = "esp4-encrypt-tun" |
Neale Ranns | 8c609af | 2021-02-25 10:05:32 +0000 | [diff] [blame] | 2630 | tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2631 | |
| 2632 | def setUp(self): |
| 2633 | super(TestIpsec4TunProtectTun, self).setUp() |
| 2634 | |
| 2635 | self.tun_if = self.pg0 |
| 2636 | |
| 2637 | def tearDown(self): |
| 2638 | super(TestIpsec4TunProtectTun, self).tearDown() |
| 2639 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2640 | def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100): |
| 2641 | return [ |
| 2642 | Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) |
| 2643 | / sa.encrypt( |
| 2644 | IP(src=sw_intf.remote_ip4, dst=sw_intf.local_ip4) |
| 2645 | / IP(src=src, dst=dst) |
| 2646 | / UDP(sport=1144, dport=2233) |
| 2647 | / Raw(b"X" * payload_size) |
| 2648 | ) |
| 2649 | for i in range(count) |
| 2650 | ] |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2651 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2652 | def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=100): |
| 2653 | return [ |
| 2654 | Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) |
| 2655 | / IP(src=src, dst=dst) |
| 2656 | / UDP(sport=1144, dport=2233) |
| 2657 | / Raw(b"X" * payload_size) |
| 2658 | for i in range(count) |
| 2659 | ] |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2660 | |
| 2661 | def verify_decrypted(self, p, rxs): |
| 2662 | for rx in rxs: |
| 2663 | self.assert_equal(rx[IP].dst, self.pg1.remote_ip4) |
| 2664 | self.assert_equal(rx[IP].src, p.remote_tun_if_host) |
| 2665 | self.assert_packet_checksums_valid(rx) |
| 2666 | |
| 2667 | def verify_encrypted(self, p, sa, rxs): |
| 2668 | for rx in rxs: |
| 2669 | try: |
| 2670 | pkt = sa.decrypt(rx[IP]) |
| 2671 | if not pkt.haslayer(IP): |
| 2672 | pkt = IP(pkt[Raw].load) |
| 2673 | self.assert_packet_checksums_valid(pkt) |
| 2674 | self.assert_equal(pkt[IP].dst, self.pg0.remote_ip4) |
| 2675 | self.assert_equal(pkt[IP].src, self.pg0.local_ip4) |
| 2676 | inner = pkt[IP].payload |
| 2677 | self.assertEqual(inner[IP][IP].dst, p.remote_tun_if_host) |
| 2678 | |
| 2679 | except (IndexError, AssertionError): |
| 2680 | self.logger.debug(ppp("Unexpected packet:", rx)) |
| 2681 | try: |
| 2682 | self.logger.debug(ppp("Decrypted packet:", pkt)) |
| 2683 | except: |
| 2684 | pass |
| 2685 | raise |
| 2686 | |
| 2687 | def test_tun_44(self): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2688 | """IPSEC tunnel protect""" |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2689 | |
| 2690 | p = self.ipv4_params |
| 2691 | |
| 2692 | self.config_network(p) |
| 2693 | self.config_sa_tun(p) |
| 2694 | self.config_protect(p) |
| 2695 | |
Neale Ranns | 5d0136f | 2020-05-12 08:51:02 +0000 | [diff] [blame] | 2696 | # also add an output features on the tunnel and physical interface |
| 2697 | # so we test they still work |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2698 | r_all = AclRule(True, src_prefix="0.0.0.0/0", dst_prefix="0.0.0.0/0", proto=0) |
Neale Ranns | 5d0136f | 2020-05-12 08:51:02 +0000 | [diff] [blame] | 2699 | a = VppAcl(self, [r_all]).add_vpp_config() |
| 2700 | |
| 2701 | VppAclInterface(self, self.pg0.sw_if_index, [a]).add_vpp_config() |
| 2702 | VppAclInterface(self, p.tun_if.sw_if_index, [a]).add_vpp_config() |
| 2703 | |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2704 | self.verify_tun_44(p, count=127) |
| 2705 | |
Ole Troan | e66443c | 2021-03-18 11:12:01 +0100 | [diff] [blame] | 2706 | self.assertEqual(p.tun_if.get_rx_stats(), 127) |
| 2707 | self.assertEqual(p.tun_if.get_tx_stats(), 127) |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2708 | |
| 2709 | # rekey - create new SAs and update the tunnel protection |
| 2710 | np = copy.copy(p) |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2711 | np.crypt_key = b"X" + p.crypt_key[1:] |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2712 | np.scapy_tun_spi += 100 |
| 2713 | np.scapy_tun_sa_id += 1 |
| 2714 | np.vpp_tun_spi += 100 |
| 2715 | np.vpp_tun_sa_id += 1 |
| 2716 | np.tun_if.local_spi = p.vpp_tun_spi |
| 2717 | np.tun_if.remote_spi = p.scapy_tun_spi |
| 2718 | |
| 2719 | self.config_sa_tun(np) |
| 2720 | self.config_protect(np) |
| 2721 | self.unconfig_sa(p) |
| 2722 | |
| 2723 | self.verify_tun_44(np, count=127) |
Ole Troan | e66443c | 2021-03-18 11:12:01 +0100 | [diff] [blame] | 2724 | self.assertEqual(p.tun_if.get_rx_stats(), 254) |
| 2725 | self.assertEqual(p.tun_if.get_tx_stats(), 254) |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2726 | |
| 2727 | # teardown |
| 2728 | self.unconfig_protect(np) |
| 2729 | self.unconfig_sa(np) |
| 2730 | self.unconfig_network(p) |
| 2731 | |
| 2732 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2733 | class TestIpsec4TunProtectTunDrop(TemplateIpsec, TemplateIpsec4TunProtect, IpsecTun4): |
| 2734 | """IPsec IPv4 Tunnel protect - tunnel mode - drop""" |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 2735 | |
| 2736 | encryption_type = ESP |
| 2737 | tun4_encrypt_node_name = "esp4-encrypt-tun" |
Neale Ranns | 8c609af | 2021-02-25 10:05:32 +0000 | [diff] [blame] | 2738 | tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 2739 | |
| 2740 | def setUp(self): |
| 2741 | super(TestIpsec4TunProtectTunDrop, self).setUp() |
| 2742 | |
| 2743 | self.tun_if = self.pg0 |
| 2744 | |
| 2745 | def tearDown(self): |
| 2746 | super(TestIpsec4TunProtectTunDrop, self).tearDown() |
| 2747 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2748 | def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100): |
| 2749 | return [ |
| 2750 | Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) |
| 2751 | / sa.encrypt( |
| 2752 | IP(src=sw_intf.remote_ip4, dst="5.5.5.5") |
| 2753 | / IP(src=src, dst=dst) |
| 2754 | / UDP(sport=1144, dport=2233) |
| 2755 | / Raw(b"X" * payload_size) |
| 2756 | ) |
| 2757 | for i in range(count) |
| 2758 | ] |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 2759 | |
| 2760 | def test_tun_drop_44(self): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2761 | """IPSEC tunnel protect bogus tunnel header""" |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 2762 | |
| 2763 | p = self.ipv4_params |
| 2764 | |
| 2765 | self.config_network(p) |
| 2766 | self.config_sa_tun(p) |
| 2767 | self.config_protect(p) |
| 2768 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2769 | tx = self.gen_encrypt_pkts( |
| 2770 | p, |
| 2771 | p.scapy_tun_sa, |
| 2772 | self.tun_if, |
| 2773 | src=p.remote_tun_if_host, |
| 2774 | dst=self.pg1.remote_ip4, |
| 2775 | count=63, |
| 2776 | ) |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 2777 | self.send_and_assert_no_replies(self.tun_if, tx) |
| 2778 | |
| 2779 | # teardown |
| 2780 | self.unconfig_protect(p) |
| 2781 | self.unconfig_sa(p) |
| 2782 | self.unconfig_network(p) |
| 2783 | |
| 2784 | |
Andrew Yourtchenko | 8dc0d48 | 2021-01-29 13:17:19 +0000 | [diff] [blame] | 2785 | @tag_fixme_vpp_workers |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2786 | class TestIpsec6TunProtect(TemplateIpsec, TemplateIpsec6TunProtect, IpsecTun6): |
| 2787 | """IPsec IPv6 Tunnel protect - transport mode""" |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2788 | |
| 2789 | encryption_type = ESP |
| 2790 | tun6_encrypt_node_name = "esp6-encrypt-tun" |
Neale Ranns | 8c609af | 2021-02-25 10:05:32 +0000 | [diff] [blame] | 2791 | tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"] |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2792 | |
| 2793 | def setUp(self): |
| 2794 | super(TestIpsec6TunProtect, self).setUp() |
| 2795 | |
| 2796 | self.tun_if = self.pg0 |
| 2797 | |
| 2798 | def tearDown(self): |
| 2799 | super(TestIpsec6TunProtect, self).tearDown() |
| 2800 | |
| 2801 | def test_tun_66(self): |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 2802 | """IPSEC tunnel protect 6o6""" |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2803 | |
| 2804 | p = self.ipv6_params |
| 2805 | |
| 2806 | self.config_network(p) |
| 2807 | self.config_sa_tra(p) |
| 2808 | self.config_protect(p) |
| 2809 | |
| 2810 | self.verify_tun_66(p, count=127) |
Ole Troan | e66443c | 2021-03-18 11:12:01 +0100 | [diff] [blame] | 2811 | self.assertEqual(p.tun_if.get_rx_stats(), 127) |
| 2812 | self.assertEqual(p.tun_if.get_tx_stats(), 127) |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2813 | |
| 2814 | # rekey - create new SAs and update the tunnel protection |
| 2815 | np = copy.copy(p) |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2816 | np.crypt_key = b"X" + p.crypt_key[1:] |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2817 | np.scapy_tun_spi += 100 |
| 2818 | np.scapy_tun_sa_id += 1 |
| 2819 | np.vpp_tun_spi += 100 |
| 2820 | np.vpp_tun_sa_id += 1 |
| 2821 | np.tun_if.local_spi = p.vpp_tun_spi |
| 2822 | np.tun_if.remote_spi = p.scapy_tun_spi |
| 2823 | |
| 2824 | self.config_sa_tra(np) |
| 2825 | self.config_protect(np) |
| 2826 | self.unconfig_sa(p) |
| 2827 | |
| 2828 | self.verify_tun_66(np, count=127) |
Ole Troan | e66443c | 2021-03-18 11:12:01 +0100 | [diff] [blame] | 2829 | self.assertEqual(p.tun_if.get_rx_stats(), 254) |
| 2830 | self.assertEqual(p.tun_if.get_tx_stats(), 254) |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2831 | |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 2832 | # bounce the interface state |
| 2833 | p.tun_if.admin_down() |
| 2834 | self.verify_drop_tun_66(np, count=127) |
Neale Ranns | 93688d7 | 2022-08-09 03:34:51 +0000 | [diff] [blame] | 2835 | node = "/err/ipsec6-tun-input/disabled" |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 2836 | self.assertEqual(127, self.statistics.get_err_counter(node)) |
| 2837 | p.tun_if.admin_up() |
| 2838 | self.verify_tun_66(np, count=127) |
| 2839 | |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2840 | # 3 phase rekey |
| 2841 | # 1) add two input SAs [old, new] |
| 2842 | # 2) swap output SA to [new] |
| 2843 | # 3) use only [new] input SA |
| 2844 | np3 = copy.copy(np) |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2845 | np3.crypt_key = b"Z" + p.crypt_key[1:] |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2846 | np3.scapy_tun_spi += 100 |
| 2847 | np3.scapy_tun_sa_id += 1 |
| 2848 | np3.vpp_tun_spi += 100 |
| 2849 | np3.vpp_tun_sa_id += 1 |
| 2850 | np3.tun_if.local_spi = p.vpp_tun_spi |
| 2851 | np3.tun_if.remote_spi = p.scapy_tun_spi |
| 2852 | |
| 2853 | self.config_sa_tra(np3) |
| 2854 | |
| 2855 | # step 1; |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2856 | p.tun_protect.update_vpp_config(np.tun_sa_out, [np.tun_sa_in, np3.tun_sa_in]) |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2857 | self.verify_tun_66(np, np, count=127) |
| 2858 | self.verify_tun_66(np3, np, count=127) |
| 2859 | |
| 2860 | # step 2; |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2861 | p.tun_protect.update_vpp_config(np3.tun_sa_out, [np.tun_sa_in, np3.tun_sa_in]) |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2862 | self.verify_tun_66(np, np3, count=127) |
| 2863 | self.verify_tun_66(np3, np3, count=127) |
| 2864 | |
| 2865 | # step 1; |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2866 | p.tun_protect.update_vpp_config(np3.tun_sa_out, [np3.tun_sa_in]) |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2867 | self.verify_tun_66(np3, np3, count=127) |
Neale Ranns | 49378f2 | 2022-01-10 10:38:43 +0000 | [diff] [blame] | 2868 | self.verify_drop_tun_rx_66(np, count=127) |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2869 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2870 | self.assertEqual(p.tun_if.get_rx_stats(), 127 * 9) |
| 2871 | self.assertEqual(p.tun_if.get_tx_stats(), 127 * 8) |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2872 | self.unconfig_sa(np) |
| 2873 | |
| 2874 | # teardown |
| 2875 | self.unconfig_protect(np3) |
| 2876 | self.unconfig_sa(np3) |
| 2877 | self.unconfig_network(p) |
| 2878 | |
Neale Ranns | b325983 | 2019-09-27 13:32:02 +0000 | [diff] [blame] | 2879 | def test_tun_46(self): |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 2880 | """IPSEC tunnel protect 4o6""" |
Neale Ranns | b325983 | 2019-09-27 13:32:02 +0000 | [diff] [blame] | 2881 | |
| 2882 | p = self.ipv6_params |
| 2883 | |
| 2884 | self.config_network(p) |
| 2885 | self.config_sa_tra(p) |
| 2886 | self.config_protect(p) |
| 2887 | |
| 2888 | self.verify_tun_46(p, count=127) |
Ole Troan | e66443c | 2021-03-18 11:12:01 +0100 | [diff] [blame] | 2889 | self.assertEqual(p.tun_if.get_rx_stats(), 127) |
| 2890 | self.assertEqual(p.tun_if.get_tx_stats(), 127) |
Neale Ranns | b325983 | 2019-09-27 13:32:02 +0000 | [diff] [blame] | 2891 | |
| 2892 | # teardown |
| 2893 | self.unconfig_protect(p) |
| 2894 | self.unconfig_sa(p) |
| 2895 | self.unconfig_network(p) |
| 2896 | |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2897 | |
Andrew Yourtchenko | 8dc0d48 | 2021-01-29 13:17:19 +0000 | [diff] [blame] | 2898 | @tag_fixme_vpp_workers |
Arthur de Kerhor | 8fce546 | 2023-06-16 09:48:52 +0200 | [diff] [blame] | 2899 | class TestIpsec6TunProtectTfc(TemplateIpsec6TunTfc, TestIpsec6TunProtect): |
| 2900 | """IPsec IPv6 Tunnel protect with TFC - transport mode""" |
| 2901 | |
| 2902 | |
| 2903 | @tag_fixme_vpp_workers |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2904 | class TestIpsec6TunProtectTun(TemplateIpsec, TemplateIpsec6TunProtect, IpsecTun6): |
| 2905 | """IPsec IPv6 Tunnel protect - tunnel mode""" |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2906 | |
| 2907 | encryption_type = ESP |
| 2908 | tun6_encrypt_node_name = "esp6-encrypt-tun" |
Neale Ranns | 8c609af | 2021-02-25 10:05:32 +0000 | [diff] [blame] | 2909 | tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"] |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2910 | |
| 2911 | def setUp(self): |
| 2912 | super(TestIpsec6TunProtectTun, self).setUp() |
| 2913 | |
| 2914 | self.tun_if = self.pg0 |
| 2915 | |
| 2916 | def tearDown(self): |
| 2917 | super(TestIpsec6TunProtectTun, self).tearDown() |
| 2918 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2919 | def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1, payload_size=100): |
| 2920 | return [ |
| 2921 | Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) |
| 2922 | / sa.encrypt( |
| 2923 | IPv6(src=sw_intf.remote_ip6, dst=sw_intf.local_ip6) |
| 2924 | / IPv6(src=src, dst=dst) |
| 2925 | / UDP(sport=1166, dport=2233) |
| 2926 | / Raw(b"X" * payload_size) |
| 2927 | ) |
| 2928 | for i in range(count) |
| 2929 | ] |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2930 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2931 | def gen_pkts6(self, p, sw_intf, src, dst, count=1, payload_size=100): |
| 2932 | return [ |
| 2933 | Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) |
| 2934 | / IPv6(src=src, dst=dst) |
| 2935 | / UDP(sport=1166, dport=2233) |
| 2936 | / Raw(b"X" * payload_size) |
| 2937 | for i in range(count) |
| 2938 | ] |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2939 | |
| 2940 | def verify_decrypted6(self, p, rxs): |
| 2941 | for rx in rxs: |
| 2942 | self.assert_equal(rx[IPv6].dst, self.pg1.remote_ip6) |
| 2943 | self.assert_equal(rx[IPv6].src, p.remote_tun_if_host) |
| 2944 | self.assert_packet_checksums_valid(rx) |
| 2945 | |
| 2946 | def verify_encrypted6(self, p, sa, rxs): |
| 2947 | for rx in rxs: |
| 2948 | try: |
| 2949 | pkt = sa.decrypt(rx[IPv6]) |
| 2950 | if not pkt.haslayer(IPv6): |
| 2951 | pkt = IPv6(pkt[Raw].load) |
| 2952 | self.assert_packet_checksums_valid(pkt) |
| 2953 | self.assert_equal(pkt[IPv6].dst, self.pg0.remote_ip6) |
| 2954 | self.assert_equal(pkt[IPv6].src, self.pg0.local_ip6) |
| 2955 | inner = pkt[IPv6].payload |
| 2956 | self.assertEqual(inner[IPv6][IPv6].dst, p.remote_tun_if_host) |
| 2957 | |
| 2958 | except (IndexError, AssertionError): |
| 2959 | self.logger.debug(ppp("Unexpected packet:", rx)) |
| 2960 | try: |
| 2961 | self.logger.debug(ppp("Decrypted packet:", pkt)) |
| 2962 | except: |
| 2963 | pass |
| 2964 | raise |
| 2965 | |
| 2966 | def test_tun_66(self): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2967 | """IPSEC tunnel protect""" |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2968 | |
| 2969 | p = self.ipv6_params |
| 2970 | |
| 2971 | self.config_network(p) |
| 2972 | self.config_sa_tun(p) |
| 2973 | self.config_protect(p) |
| 2974 | |
| 2975 | self.verify_tun_66(p, count=127) |
| 2976 | |
Ole Troan | e66443c | 2021-03-18 11:12:01 +0100 | [diff] [blame] | 2977 | self.assertEqual(p.tun_if.get_rx_stats(), 127) |
| 2978 | self.assertEqual(p.tun_if.get_tx_stats(), 127) |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2979 | |
| 2980 | # rekey - create new SAs and update the tunnel protection |
| 2981 | np = copy.copy(p) |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 2982 | np.crypt_key = b"X" + p.crypt_key[1:] |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2983 | np.scapy_tun_spi += 100 |
| 2984 | np.scapy_tun_sa_id += 1 |
| 2985 | np.vpp_tun_spi += 100 |
| 2986 | np.vpp_tun_sa_id += 1 |
| 2987 | np.tun_if.local_spi = p.vpp_tun_spi |
| 2988 | np.tun_if.remote_spi = p.scapy_tun_spi |
| 2989 | |
| 2990 | self.config_sa_tun(np) |
| 2991 | self.config_protect(np) |
| 2992 | self.unconfig_sa(p) |
| 2993 | |
| 2994 | self.verify_tun_66(np, count=127) |
Ole Troan | e66443c | 2021-03-18 11:12:01 +0100 | [diff] [blame] | 2995 | self.assertEqual(p.tun_if.get_rx_stats(), 254) |
| 2996 | self.assertEqual(p.tun_if.get_tx_stats(), 254) |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 2997 | |
| 2998 | # teardown |
| 2999 | self.unconfig_protect(np) |
| 3000 | self.unconfig_sa(np) |
| 3001 | self.unconfig_network(p) |
| 3002 | |
Neale Ranns | f05e732 | 2019-03-29 20:23:58 +0000 | [diff] [blame] | 3003 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3004 | class TestIpsec6TunProtectTunDrop(TemplateIpsec, TemplateIpsec6TunProtect, IpsecTun6): |
| 3005 | """IPsec IPv6 Tunnel protect - tunnel mode - drop""" |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 3006 | |
| 3007 | encryption_type = ESP |
| 3008 | tun6_encrypt_node_name = "esp6-encrypt-tun" |
Neale Ranns | 8c609af | 2021-02-25 10:05:32 +0000 | [diff] [blame] | 3009 | tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"] |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 3010 | |
| 3011 | def setUp(self): |
| 3012 | super(TestIpsec6TunProtectTunDrop, self).setUp() |
| 3013 | |
| 3014 | self.tun_if = self.pg0 |
| 3015 | |
| 3016 | def tearDown(self): |
| 3017 | super(TestIpsec6TunProtectTunDrop, self).tearDown() |
| 3018 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3019 | def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1, payload_size=100): |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 3020 | # the IP destination of the revelaed packet does not match |
| 3021 | # that assigned to the tunnel |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3022 | return [ |
| 3023 | Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) |
| 3024 | / sa.encrypt( |
| 3025 | IPv6(src=sw_intf.remote_ip6, dst="5::5") |
| 3026 | / IPv6(src=src, dst=dst) |
| 3027 | / UDP(sport=1144, dport=2233) |
| 3028 | / Raw(b"X" * payload_size) |
| 3029 | ) |
| 3030 | for i in range(count) |
| 3031 | ] |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 3032 | |
| 3033 | def test_tun_drop_66(self): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3034 | """IPSEC 6 tunnel protect bogus tunnel header""" |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 3035 | |
| 3036 | p = self.ipv6_params |
| 3037 | |
| 3038 | self.config_network(p) |
| 3039 | self.config_sa_tun(p) |
| 3040 | self.config_protect(p) |
| 3041 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3042 | tx = self.gen_encrypt_pkts6( |
| 3043 | p, |
| 3044 | p.scapy_tun_sa, |
| 3045 | self.tun_if, |
| 3046 | src=p.remote_tun_if_host, |
| 3047 | dst=self.pg1.remote_ip6, |
| 3048 | count=63, |
| 3049 | ) |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 3050 | self.send_and_assert_no_replies(self.tun_if, tx) |
| 3051 | |
| 3052 | self.unconfig_protect(p) |
| 3053 | self.unconfig_sa(p) |
| 3054 | self.unconfig_network(p) |
| 3055 | |
| 3056 | |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3057 | class TemplateIpsecItf4(object): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3058 | """IPsec Interface IPv4""" |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3059 | |
| 3060 | encryption_type = ESP |
| 3061 | tun4_encrypt_node_name = "esp4-encrypt-tun" |
Neale Ranns | 8c609af | 2021-02-25 10:05:32 +0000 | [diff] [blame] | 3062 | tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3063 | tun4_input_node = "ipsec4-tun-input" |
| 3064 | |
| 3065 | def config_sa_tun(self, p, src, dst): |
| 3066 | config_tun_params(p, self.encryption_type, None, src, dst) |
| 3067 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3068 | p.tun_sa_out = VppIpsecSA( |
| 3069 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 3070 | p.vpp_tun_sa_id, |
| 3071 | p.vpp_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3072 | p.auth_algo_vpp_id, |
| 3073 | p.auth_key, |
| 3074 | p.crypt_algo_vpp_id, |
| 3075 | p.crypt_key, |
| 3076 | self.vpp_esp_protocol, |
| 3077 | src, |
| 3078 | dst, |
| 3079 | flags=p.flags, |
| 3080 | ) |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3081 | p.tun_sa_out.add_vpp_config() |
| 3082 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3083 | p.tun_sa_in = VppIpsecSA( |
| 3084 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 3085 | p.scapy_tun_sa_id, |
| 3086 | p.scapy_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3087 | p.auth_algo_vpp_id, |
| 3088 | p.auth_key, |
| 3089 | p.crypt_algo_vpp_id, |
| 3090 | p.crypt_key, |
| 3091 | self.vpp_esp_protocol, |
| 3092 | dst, |
| 3093 | src, |
Arthur de Kerhor | 4117b24 | 2022-08-31 19:13:03 +0200 | [diff] [blame] | 3094 | flags=p.flags |
| 3095 | | VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_IS_INBOUND, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3096 | ) |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3097 | p.tun_sa_in.add_vpp_config() |
| 3098 | |
| 3099 | def config_protect(self, p): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3100 | p.tun_protect = VppIpsecTunProtect(self, p.tun_if, p.tun_sa_out, [p.tun_sa_in]) |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3101 | p.tun_protect.add_vpp_config() |
| 3102 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3103 | def config_network(self, p, instance=0xFFFFFFFF): |
Eric Kinzie | 609d579 | 2020-10-13 20:02:11 -0400 | [diff] [blame] | 3104 | p.tun_if = VppIpsecInterface(self, instance=instance) |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3105 | |
| 3106 | p.tun_if.add_vpp_config() |
| 3107 | p.tun_if.admin_up() |
| 3108 | p.tun_if.config_ip4() |
| 3109 | p.tun_if.config_ip6() |
| 3110 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3111 | p.route = VppIpRoute( |
| 3112 | self, |
| 3113 | p.remote_tun_if_host, |
| 3114 | 32, |
| 3115 | [VppRoutePath(p.tun_if.remote_ip4, 0xFFFFFFFF)], |
| 3116 | ) |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3117 | p.route.add_vpp_config() |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3118 | r = VppIpRoute( |
| 3119 | self, |
| 3120 | p.remote_tun_if_host6, |
| 3121 | 128, |
| 3122 | [ |
| 3123 | VppRoutePath( |
| 3124 | p.tun_if.remote_ip6, 0xFFFFFFFF, proto=DpoProto.DPO_PROTO_IP6 |
| 3125 | ) |
| 3126 | ], |
| 3127 | ) |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3128 | r.add_vpp_config() |
| 3129 | |
| 3130 | def unconfig_network(self, p): |
| 3131 | p.route.remove_vpp_config() |
| 3132 | p.tun_if.remove_vpp_config() |
| 3133 | |
| 3134 | def unconfig_protect(self, p): |
| 3135 | p.tun_protect.remove_vpp_config() |
| 3136 | |
| 3137 | def unconfig_sa(self, p): |
| 3138 | p.tun_sa_out.remove_vpp_config() |
| 3139 | p.tun_sa_in.remove_vpp_config() |
| 3140 | |
| 3141 | |
Andrew Yourtchenko | 8dc0d48 | 2021-01-29 13:17:19 +0000 | [diff] [blame] | 3142 | @tag_fixme_vpp_workers |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3143 | class TestIpsecItf4(TemplateIpsec, TemplateIpsecItf4, IpsecTun4): |
| 3144 | """IPsec Interface IPv4""" |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3145 | |
| 3146 | def setUp(self): |
| 3147 | super(TestIpsecItf4, self).setUp() |
| 3148 | |
| 3149 | self.tun_if = self.pg0 |
| 3150 | |
| 3151 | def tearDown(self): |
| 3152 | super(TestIpsecItf4, self).tearDown() |
| 3153 | |
Eric Kinzie | 609d579 | 2020-10-13 20:02:11 -0400 | [diff] [blame] | 3154 | def test_tun_instance_44(self): |
| 3155 | p = self.ipv4_params |
| 3156 | self.config_network(p, instance=3) |
| 3157 | |
| 3158 | with self.assertRaises(CliFailedCommandError): |
| 3159 | self.vapi.cli("show interface ipsec0") |
| 3160 | |
| 3161 | output = self.vapi.cli("show interface ipsec3") |
| 3162 | self.assertTrue("unknown" not in output) |
| 3163 | |
| 3164 | self.unconfig_network(p) |
| 3165 | |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3166 | def test_tun_44(self): |
| 3167 | """IPSEC interface IPv4""" |
| 3168 | |
| 3169 | n_pkts = 127 |
| 3170 | p = self.ipv4_params |
| 3171 | |
| 3172 | self.config_network(p) |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3173 | config_tun_params( |
| 3174 | p, self.encryption_type, None, self.pg0.local_ip4, self.pg0.remote_ip4 |
| 3175 | ) |
Neale Ranns | 49378f2 | 2022-01-10 10:38:43 +0000 | [diff] [blame] | 3176 | self.verify_tun_dropped_44(p, count=n_pkts) |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3177 | self.config_sa_tun(p, self.pg0.local_ip4, self.pg0.remote_ip4) |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3178 | self.config_protect(p) |
| 3179 | |
| 3180 | self.verify_tun_44(p, count=n_pkts) |
Ole Troan | e66443c | 2021-03-18 11:12:01 +0100 | [diff] [blame] | 3181 | self.assertEqual(p.tun_if.get_rx_stats(), n_pkts) |
| 3182 | self.assertEqual(p.tun_if.get_tx_stats(), n_pkts) |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3183 | |
| 3184 | p.tun_if.admin_down() |
| 3185 | self.verify_tun_dropped_44(p, count=n_pkts) |
| 3186 | p.tun_if.admin_up() |
| 3187 | self.verify_tun_44(p, count=n_pkts) |
| 3188 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3189 | self.assertEqual(p.tun_if.get_rx_stats(), 3 * n_pkts) |
| 3190 | self.assertEqual(p.tun_if.get_tx_stats(), 2 * n_pkts) |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3191 | |
| 3192 | # it's a v6 packet when its encrypted |
| 3193 | self.tun4_encrypt_node_name = "esp6-encrypt-tun" |
| 3194 | |
| 3195 | self.verify_tun_64(p, count=n_pkts) |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3196 | self.assertEqual(p.tun_if.get_rx_stats(), 4 * n_pkts) |
| 3197 | self.assertEqual(p.tun_if.get_tx_stats(), 3 * n_pkts) |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3198 | |
| 3199 | self.tun4_encrypt_node_name = "esp4-encrypt-tun" |
| 3200 | |
Arthur de Kerhor | 4117b24 | 2022-08-31 19:13:03 +0200 | [diff] [blame] | 3201 | # update the SA tunnel |
| 3202 | config_tun_params( |
| 3203 | p, self.encryption_type, None, self.pg2.local_ip4, self.pg2.remote_ip4 |
| 3204 | ) |
| 3205 | p.tun_sa_in.update_vpp_config( |
| 3206 | is_tun=True, tun_src=self.pg2.remote_ip4, tun_dst=self.pg2.local_ip4 |
| 3207 | ) |
| 3208 | p.tun_sa_out.update_vpp_config( |
| 3209 | is_tun=True, tun_src=self.pg2.local_ip4, tun_dst=self.pg2.remote_ip4 |
| 3210 | ) |
| 3211 | self.verify_tun_44(p, count=n_pkts) |
| 3212 | self.assertEqual(p.tun_if.get_rx_stats(), 5 * n_pkts) |
| 3213 | self.assertEqual(p.tun_if.get_tx_stats(), 4 * n_pkts) |
| 3214 | |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3215 | self.vapi.cli("clear interfaces") |
| 3216 | |
| 3217 | # rekey - create new SAs and update the tunnel protection |
| 3218 | np = copy.copy(p) |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3219 | np.crypt_key = b"X" + p.crypt_key[1:] |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3220 | np.scapy_tun_spi += 100 |
| 3221 | np.scapy_tun_sa_id += 1 |
| 3222 | np.vpp_tun_spi += 100 |
| 3223 | np.vpp_tun_sa_id += 1 |
| 3224 | np.tun_if.local_spi = p.vpp_tun_spi |
| 3225 | np.tun_if.remote_spi = p.scapy_tun_spi |
| 3226 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3227 | self.config_sa_tun(np, self.pg0.local_ip4, self.pg0.remote_ip4) |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3228 | self.config_protect(np) |
| 3229 | self.unconfig_sa(p) |
| 3230 | |
| 3231 | self.verify_tun_44(np, count=n_pkts) |
Ole Troan | e66443c | 2021-03-18 11:12:01 +0100 | [diff] [blame] | 3232 | self.assertEqual(p.tun_if.get_rx_stats(), n_pkts) |
| 3233 | self.assertEqual(p.tun_if.get_tx_stats(), n_pkts) |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3234 | |
| 3235 | # teardown |
| 3236 | self.unconfig_protect(np) |
| 3237 | self.unconfig_sa(np) |
| 3238 | self.unconfig_network(p) |
| 3239 | |
Neale Ranns | 970187b | 2020-10-07 13:58:56 +0000 | [diff] [blame] | 3240 | def test_tun_44_null(self): |
| 3241 | """IPSEC interface IPv4 NULL auth/crypto""" |
| 3242 | |
| 3243 | n_pkts = 127 |
| 3244 | p = copy.copy(self.ipv4_params) |
| 3245 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3246 | p.auth_algo_vpp_id = VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_NONE |
| 3247 | p.crypt_algo_vpp_id = ( |
| 3248 | VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_NONE |
| 3249 | ) |
Neale Ranns | 970187b | 2020-10-07 13:58:56 +0000 | [diff] [blame] | 3250 | p.crypt_algo = "NULL" |
| 3251 | p.auth_algo = "NULL" |
| 3252 | |
| 3253 | self.config_network(p) |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3254 | self.config_sa_tun(p, self.pg0.local_ip4, self.pg0.remote_ip4) |
Neale Ranns | 970187b | 2020-10-07 13:58:56 +0000 | [diff] [blame] | 3255 | self.config_protect(p) |
| 3256 | |
Neale Ranns | 49378f2 | 2022-01-10 10:38:43 +0000 | [diff] [blame] | 3257 | self.logger.info(self.vapi.cli("sh ipsec sa")) |
Neale Ranns | 970187b | 2020-10-07 13:58:56 +0000 | [diff] [blame] | 3258 | self.verify_tun_44(p, count=n_pkts) |
| 3259 | |
Eric Kinzie | 609d579 | 2020-10-13 20:02:11 -0400 | [diff] [blame] | 3260 | # teardown |
| 3261 | self.unconfig_protect(p) |
| 3262 | self.unconfig_sa(p) |
| 3263 | self.unconfig_network(p) |
| 3264 | |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 3265 | def test_tun_44_police(self): |
| 3266 | """IPSEC interface IPv4 with input policer""" |
| 3267 | n_pkts = 127 |
| 3268 | p = self.ipv4_params |
| 3269 | |
| 3270 | self.config_network(p) |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3271 | self.config_sa_tun(p, self.pg0.local_ip4, self.pg0.remote_ip4) |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 3272 | self.config_protect(p) |
| 3273 | |
| 3274 | action_tx = PolicerAction( |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3275 | VppEnum.vl_api_sse2_qos_action_type_t.SSE2_QOS_ACTION_API_TRANSMIT, 0 |
| 3276 | ) |
| 3277 | policer = VppPolicer( |
| 3278 | self, |
| 3279 | "pol1", |
| 3280 | 80, |
| 3281 | 0, |
| 3282 | 1000, |
| 3283 | 0, |
| 3284 | conform_action=action_tx, |
| 3285 | exceed_action=action_tx, |
| 3286 | violate_action=action_tx, |
| 3287 | ) |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 3288 | policer.add_vpp_config() |
| 3289 | |
| 3290 | # Start policing on tun |
Stanislav Zaikin | e5a3ae0 | 2022-04-05 19:23:12 +0200 | [diff] [blame] | 3291 | policer.apply_vpp_config(p.tun_if.sw_if_index, Dir.RX, True) |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 3292 | |
| 3293 | self.verify_tun_44(p, count=n_pkts) |
Ole Troan | e66443c | 2021-03-18 11:12:01 +0100 | [diff] [blame] | 3294 | self.assertEqual(p.tun_if.get_rx_stats(), n_pkts) |
| 3295 | self.assertEqual(p.tun_if.get_tx_stats(), n_pkts) |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 3296 | |
| 3297 | stats = policer.get_stats() |
| 3298 | |
| 3299 | # Single rate, 2 colour policer - expect conform, violate but no exceed |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3300 | self.assertGreater(stats["conform_packets"], 0) |
| 3301 | self.assertEqual(stats["exceed_packets"], 0) |
| 3302 | self.assertGreater(stats["violate_packets"], 0) |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 3303 | |
| 3304 | # Stop policing on tun |
Stanislav Zaikin | e5a3ae0 | 2022-04-05 19:23:12 +0200 | [diff] [blame] | 3305 | policer.apply_vpp_config(p.tun_if.sw_if_index, Dir.RX, False) |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 3306 | self.verify_tun_44(p, count=n_pkts) |
| 3307 | |
| 3308 | # No new policer stats |
| 3309 | statsnew = policer.get_stats() |
| 3310 | self.assertEqual(stats, statsnew) |
| 3311 | |
| 3312 | # teardown |
| 3313 | policer.remove_vpp_config() |
| 3314 | self.unconfig_protect(p) |
| 3315 | self.unconfig_sa(p) |
| 3316 | self.unconfig_network(p) |
| 3317 | |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3318 | |
Arthur de Kerhor | 8fce546 | 2023-06-16 09:48:52 +0200 | [diff] [blame] | 3319 | @tag_fixme_vpp_workers |
| 3320 | class TestIpsecItf4Tfc(TemplateIpsec4TunTfc, TestIpsecItf4): |
| 3321 | """IPsec Interface IPv4 with TFC""" |
| 3322 | |
| 3323 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3324 | class TestIpsecItf4MPLS(TemplateIpsec, TemplateIpsecItf4, IpsecTun4): |
| 3325 | """IPsec Interface MPLSoIPv4""" |
Neale Ranns | 4a58e49 | 2020-12-21 13:19:10 +0000 | [diff] [blame] | 3326 | |
| 3327 | tun4_encrypt_node_name = "esp-mpls-encrypt-tun" |
| 3328 | |
| 3329 | def setUp(self): |
| 3330 | super(TestIpsecItf4MPLS, self).setUp() |
| 3331 | |
| 3332 | self.tun_if = self.pg0 |
| 3333 | |
| 3334 | def tearDown(self): |
| 3335 | super(TestIpsecItf4MPLS, self).tearDown() |
| 3336 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3337 | def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100): |
| 3338 | return [ |
| 3339 | Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) |
| 3340 | / sa.encrypt( |
| 3341 | MPLS(label=44, ttl=3) |
| 3342 | / IP(src=src, dst=dst) |
| 3343 | / UDP(sport=1166, dport=2233) |
| 3344 | / Raw(b"X" * payload_size) |
| 3345 | ) |
| 3346 | for i in range(count) |
| 3347 | ] |
Neale Ranns | 4a58e49 | 2020-12-21 13:19:10 +0000 | [diff] [blame] | 3348 | |
| 3349 | def verify_encrypted(self, p, sa, rxs): |
| 3350 | for rx in rxs: |
| 3351 | try: |
| 3352 | pkt = sa.decrypt(rx[IP]) |
| 3353 | if not pkt.haslayer(IP): |
| 3354 | pkt = IP(pkt[Raw].load) |
| 3355 | self.assert_packet_checksums_valid(pkt) |
| 3356 | self.assert_equal(pkt[MPLS].label, 44) |
| 3357 | self.assert_equal(pkt[IP].dst, p.remote_tun_if_host) |
| 3358 | except (IndexError, AssertionError): |
| 3359 | self.logger.debug(ppp("Unexpected packet:", rx)) |
| 3360 | try: |
| 3361 | self.logger.debug(ppp("Decrypted packet:", pkt)) |
| 3362 | except: |
| 3363 | pass |
| 3364 | raise |
| 3365 | |
| 3366 | def test_tun_mpls_o_ip4(self): |
| 3367 | """IPSEC interface MPLS over IPv4""" |
| 3368 | |
| 3369 | n_pkts = 127 |
| 3370 | p = self.ipv4_params |
| 3371 | f = FibPathProto |
| 3372 | |
| 3373 | tbl = VppMplsTable(self, 0) |
| 3374 | tbl.add_vpp_config() |
| 3375 | |
| 3376 | self.config_network(p) |
| 3377 | # deag MPLS routes from the tunnel |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3378 | r4 = VppMplsRoute( |
| 3379 | self, 44, 1, [VppRoutePath(self.pg1.remote_ip4, self.pg1.sw_if_index)] |
| 3380 | ).add_vpp_config() |
| 3381 | p.route.modify( |
| 3382 | [ |
| 3383 | VppRoutePath( |
| 3384 | p.tun_if.remote_ip4, p.tun_if.sw_if_index, labels=[VppMplsLabel(44)] |
| 3385 | ) |
| 3386 | ] |
| 3387 | ) |
Neale Ranns | 4a58e49 | 2020-12-21 13:19:10 +0000 | [diff] [blame] | 3388 | p.tun_if.enable_mpls() |
| 3389 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3390 | self.config_sa_tun(p, self.pg0.local_ip4, self.pg0.remote_ip4) |
Neale Ranns | 4a58e49 | 2020-12-21 13:19:10 +0000 | [diff] [blame] | 3391 | self.config_protect(p) |
| 3392 | |
| 3393 | self.verify_tun_44(p, count=n_pkts) |
| 3394 | |
| 3395 | # cleanup |
| 3396 | p.tun_if.disable_mpls() |
| 3397 | self.unconfig_protect(p) |
| 3398 | self.unconfig_sa(p) |
| 3399 | self.unconfig_network(p) |
| 3400 | |
| 3401 | |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3402 | class TemplateIpsecItf6(object): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3403 | """IPsec Interface IPv6""" |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3404 | |
| 3405 | encryption_type = ESP |
| 3406 | tun6_encrypt_node_name = "esp6-encrypt-tun" |
Neale Ranns | 8c609af | 2021-02-25 10:05:32 +0000 | [diff] [blame] | 3407 | tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"] |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3408 | tun6_input_node = "ipsec6-tun-input" |
| 3409 | |
| 3410 | def config_sa_tun(self, p, src, dst): |
| 3411 | config_tun_params(p, self.encryption_type, None, src, dst) |
| 3412 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3413 | if not hasattr(p, "tun_flags"): |
Neale Ranns | 9ec846c | 2021-02-09 14:04:02 +0000 | [diff] [blame] | 3414 | p.tun_flags = None |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3415 | if not hasattr(p, "hop_limit"): |
Neale Ranns | 9ec846c | 2021-02-09 14:04:02 +0000 | [diff] [blame] | 3416 | p.hop_limit = 255 |
| 3417 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3418 | p.tun_sa_out = VppIpsecSA( |
| 3419 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 3420 | p.vpp_tun_sa_id, |
| 3421 | p.vpp_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3422 | p.auth_algo_vpp_id, |
| 3423 | p.auth_key, |
| 3424 | p.crypt_algo_vpp_id, |
| 3425 | p.crypt_key, |
| 3426 | self.vpp_esp_protocol, |
| 3427 | src, |
| 3428 | dst, |
| 3429 | flags=p.flags, |
| 3430 | tun_flags=p.tun_flags, |
| 3431 | hop_limit=p.hop_limit, |
| 3432 | ) |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3433 | p.tun_sa_out.add_vpp_config() |
| 3434 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3435 | p.tun_sa_in = VppIpsecSA( |
| 3436 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 3437 | p.scapy_tun_sa_id, |
| 3438 | p.scapy_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3439 | p.auth_algo_vpp_id, |
| 3440 | p.auth_key, |
| 3441 | p.crypt_algo_vpp_id, |
| 3442 | p.crypt_key, |
| 3443 | self.vpp_esp_protocol, |
| 3444 | dst, |
| 3445 | src, |
| 3446 | flags=p.flags, |
| 3447 | ) |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3448 | p.tun_sa_in.add_vpp_config() |
| 3449 | |
| 3450 | def config_protect(self, p): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3451 | p.tun_protect = VppIpsecTunProtect(self, p.tun_if, p.tun_sa_out, [p.tun_sa_in]) |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3452 | p.tun_protect.add_vpp_config() |
| 3453 | |
| 3454 | def config_network(self, p): |
| 3455 | p.tun_if = VppIpsecInterface(self) |
| 3456 | |
| 3457 | p.tun_if.add_vpp_config() |
| 3458 | p.tun_if.admin_up() |
| 3459 | p.tun_if.config_ip4() |
| 3460 | p.tun_if.config_ip6() |
| 3461 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3462 | r = VppIpRoute( |
| 3463 | self, |
| 3464 | p.remote_tun_if_host4, |
| 3465 | 32, |
| 3466 | [VppRoutePath(p.tun_if.remote_ip4, 0xFFFFFFFF)], |
| 3467 | ) |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3468 | r.add_vpp_config() |
| 3469 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3470 | p.route = VppIpRoute( |
| 3471 | self, |
| 3472 | p.remote_tun_if_host, |
| 3473 | 128, |
| 3474 | [ |
| 3475 | VppRoutePath( |
| 3476 | p.tun_if.remote_ip6, 0xFFFFFFFF, proto=DpoProto.DPO_PROTO_IP6 |
| 3477 | ) |
| 3478 | ], |
| 3479 | ) |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3480 | p.route.add_vpp_config() |
| 3481 | |
| 3482 | def unconfig_network(self, p): |
| 3483 | p.route.remove_vpp_config() |
| 3484 | p.tun_if.remove_vpp_config() |
| 3485 | |
| 3486 | def unconfig_protect(self, p): |
| 3487 | p.tun_protect.remove_vpp_config() |
| 3488 | |
| 3489 | def unconfig_sa(self, p): |
| 3490 | p.tun_sa_out.remove_vpp_config() |
| 3491 | p.tun_sa_in.remove_vpp_config() |
| 3492 | |
| 3493 | |
Andrew Yourtchenko | 8dc0d48 | 2021-01-29 13:17:19 +0000 | [diff] [blame] | 3494 | @tag_fixme_vpp_workers |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3495 | class TestIpsecItf6(TemplateIpsec, TemplateIpsecItf6, IpsecTun6): |
| 3496 | """IPsec Interface IPv6""" |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3497 | |
| 3498 | def setUp(self): |
| 3499 | super(TestIpsecItf6, self).setUp() |
| 3500 | |
| 3501 | self.tun_if = self.pg0 |
| 3502 | |
| 3503 | def tearDown(self): |
| 3504 | super(TestIpsecItf6, self).tearDown() |
| 3505 | |
Neale Ranns | 49378f2 | 2022-01-10 10:38:43 +0000 | [diff] [blame] | 3506 | def test_tun_66(self): |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3507 | """IPSEC interface IPv6""" |
| 3508 | |
Neale Ranns | 9ec846c | 2021-02-09 14:04:02 +0000 | [diff] [blame] | 3509 | tf = VppEnum.vl_api_tunnel_encap_decap_flags_t |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3510 | n_pkts = 127 |
| 3511 | p = self.ipv6_params |
Neale Ranns | 9ec846c | 2021-02-09 14:04:02 +0000 | [diff] [blame] | 3512 | p.inner_hop_limit = 24 |
| 3513 | p.outer_hop_limit = 23 |
| 3514 | p.outer_flow_label = 243224 |
| 3515 | p.tun_flags = tf.TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_HOP_LIMIT |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3516 | |
| 3517 | self.config_network(p) |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3518 | config_tun_params( |
| 3519 | p, self.encryption_type, None, self.pg0.local_ip6, self.pg0.remote_ip6 |
| 3520 | ) |
Neale Ranns | 49378f2 | 2022-01-10 10:38:43 +0000 | [diff] [blame] | 3521 | self.verify_drop_tun_66(p, count=n_pkts) |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3522 | self.config_sa_tun(p, self.pg0.local_ip6, self.pg0.remote_ip6) |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3523 | self.config_protect(p) |
| 3524 | |
| 3525 | self.verify_tun_66(p, count=n_pkts) |
Ole Troan | e66443c | 2021-03-18 11:12:01 +0100 | [diff] [blame] | 3526 | self.assertEqual(p.tun_if.get_rx_stats(), n_pkts) |
| 3527 | self.assertEqual(p.tun_if.get_tx_stats(), n_pkts) |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3528 | |
| 3529 | p.tun_if.admin_down() |
| 3530 | self.verify_drop_tun_66(p, count=n_pkts) |
| 3531 | p.tun_if.admin_up() |
| 3532 | self.verify_tun_66(p, count=n_pkts) |
| 3533 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3534 | self.assertEqual(p.tun_if.get_rx_stats(), 3 * n_pkts) |
| 3535 | self.assertEqual(p.tun_if.get_tx_stats(), 2 * n_pkts) |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3536 | |
| 3537 | # it's a v4 packet when its encrypted |
| 3538 | self.tun6_encrypt_node_name = "esp4-encrypt-tun" |
| 3539 | |
| 3540 | self.verify_tun_46(p, count=n_pkts) |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3541 | self.assertEqual(p.tun_if.get_rx_stats(), 4 * n_pkts) |
| 3542 | self.assertEqual(p.tun_if.get_tx_stats(), 3 * n_pkts) |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3543 | |
| 3544 | self.tun6_encrypt_node_name = "esp6-encrypt-tun" |
| 3545 | |
| 3546 | self.vapi.cli("clear interfaces") |
| 3547 | |
| 3548 | # rekey - create new SAs and update the tunnel protection |
| 3549 | np = copy.copy(p) |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3550 | np.crypt_key = b"X" + p.crypt_key[1:] |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3551 | np.scapy_tun_spi += 100 |
| 3552 | np.scapy_tun_sa_id += 1 |
| 3553 | np.vpp_tun_spi += 100 |
| 3554 | np.vpp_tun_sa_id += 1 |
| 3555 | np.tun_if.local_spi = p.vpp_tun_spi |
| 3556 | np.tun_if.remote_spi = p.scapy_tun_spi |
Neale Ranns | 9ec846c | 2021-02-09 14:04:02 +0000 | [diff] [blame] | 3557 | np.inner_hop_limit = 24 |
| 3558 | np.outer_hop_limit = 128 |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3559 | np.inner_flow_label = 0xABCDE |
| 3560 | np.outer_flow_label = 0xABCDE |
Neale Ranns | 9ec846c | 2021-02-09 14:04:02 +0000 | [diff] [blame] | 3561 | np.hop_limit = 128 |
| 3562 | np.tun_flags = tf.TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_FLOW_LABEL |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3563 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3564 | self.config_sa_tun(np, self.pg0.local_ip6, self.pg0.remote_ip6) |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3565 | self.config_protect(np) |
| 3566 | self.unconfig_sa(p) |
| 3567 | |
| 3568 | self.verify_tun_66(np, count=n_pkts) |
Ole Troan | e66443c | 2021-03-18 11:12:01 +0100 | [diff] [blame] | 3569 | self.assertEqual(p.tun_if.get_rx_stats(), n_pkts) |
| 3570 | self.assertEqual(p.tun_if.get_tx_stats(), n_pkts) |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3571 | |
| 3572 | # teardown |
| 3573 | self.unconfig_protect(np) |
| 3574 | self.unconfig_sa(np) |
| 3575 | self.unconfig_network(p) |
| 3576 | |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 3577 | def test_tun_66_police(self): |
| 3578 | """IPSEC interface IPv6 with input policer""" |
| 3579 | tf = VppEnum.vl_api_tunnel_encap_decap_flags_t |
| 3580 | n_pkts = 127 |
| 3581 | p = self.ipv6_params |
| 3582 | p.inner_hop_limit = 24 |
| 3583 | p.outer_hop_limit = 23 |
| 3584 | p.outer_flow_label = 243224 |
| 3585 | p.tun_flags = tf.TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_HOP_LIMIT |
| 3586 | |
| 3587 | self.config_network(p) |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3588 | self.config_sa_tun(p, self.pg0.local_ip6, self.pg0.remote_ip6) |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 3589 | self.config_protect(p) |
| 3590 | |
| 3591 | action_tx = PolicerAction( |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3592 | VppEnum.vl_api_sse2_qos_action_type_t.SSE2_QOS_ACTION_API_TRANSMIT, 0 |
| 3593 | ) |
| 3594 | policer = VppPolicer( |
| 3595 | self, |
| 3596 | "pol1", |
| 3597 | 80, |
| 3598 | 0, |
| 3599 | 1000, |
| 3600 | 0, |
| 3601 | conform_action=action_tx, |
| 3602 | exceed_action=action_tx, |
| 3603 | violate_action=action_tx, |
| 3604 | ) |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 3605 | policer.add_vpp_config() |
| 3606 | |
| 3607 | # Start policing on tun |
Stanislav Zaikin | e5a3ae0 | 2022-04-05 19:23:12 +0200 | [diff] [blame] | 3608 | policer.apply_vpp_config(p.tun_if.sw_if_index, Dir.RX, True) |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 3609 | |
| 3610 | self.verify_tun_66(p, count=n_pkts) |
Ole Troan | e66443c | 2021-03-18 11:12:01 +0100 | [diff] [blame] | 3611 | self.assertEqual(p.tun_if.get_rx_stats(), n_pkts) |
| 3612 | self.assertEqual(p.tun_if.get_tx_stats(), n_pkts) |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 3613 | |
| 3614 | stats = policer.get_stats() |
| 3615 | |
| 3616 | # Single rate, 2 colour policer - expect conform, violate but no exceed |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3617 | self.assertGreater(stats["conform_packets"], 0) |
| 3618 | self.assertEqual(stats["exceed_packets"], 0) |
| 3619 | self.assertGreater(stats["violate_packets"], 0) |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 3620 | |
| 3621 | # Stop policing on tun |
Stanislav Zaikin | e5a3ae0 | 2022-04-05 19:23:12 +0200 | [diff] [blame] | 3622 | policer.apply_vpp_config(p.tun_if.sw_if_index, Dir.RX, False) |
Brian Russell | 7a29a2d | 2021-02-22 18:42:24 +0000 | [diff] [blame] | 3623 | self.verify_tun_66(p, count=n_pkts) |
| 3624 | |
| 3625 | # No new policer stats |
| 3626 | statsnew = policer.get_stats() |
| 3627 | self.assertEqual(stats, statsnew) |
| 3628 | |
| 3629 | # teardown |
| 3630 | policer.remove_vpp_config() |
| 3631 | self.unconfig_protect(p) |
| 3632 | self.unconfig_sa(p) |
| 3633 | self.unconfig_network(p) |
| 3634 | |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 3635 | |
Arthur de Kerhor | 8fce546 | 2023-06-16 09:48:52 +0200 | [diff] [blame] | 3636 | @tag_fixme_vpp_workers |
| 3637 | class TestIpsecItf6Tfc(TemplateIpsec6TunTfc, TestIpsecItf6): |
| 3638 | """IPsec Interface IPv6 with TFC""" |
| 3639 | |
| 3640 | |
Dmitry Valter | 34fa0ce | 2024-03-11 10:38:46 +0000 | [diff] [blame] | 3641 | @unittest.skipIf( |
| 3642 | "acl" in config.excluded_plugins, "Exclude tests depending on ACL plugin" |
| 3643 | ) |
Neale Ranns | 6ba4e41 | 2020-10-19 09:59:41 +0000 | [diff] [blame] | 3644 | class TestIpsecMIfEsp4(TemplateIpsec, IpsecTun4): |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3645 | """Ipsec P2MP ESP v4 tests""" |
| 3646 | |
Neale Ranns | 6ba4e41 | 2020-10-19 09:59:41 +0000 | [diff] [blame] | 3647 | tun4_encrypt_node_name = "esp4-encrypt-tun" |
Neale Ranns | 8c609af | 2021-02-25 10:05:32 +0000 | [diff] [blame] | 3648 | tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] |
Neale Ranns | 6ba4e41 | 2020-10-19 09:59:41 +0000 | [diff] [blame] | 3649 | encryption_type = ESP |
| 3650 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3651 | def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, payload_size=100): |
| 3652 | return [ |
| 3653 | Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) |
| 3654 | / sa.encrypt( |
| 3655 | IP(src=self.pg1.local_ip4, dst=self.pg1.remote_ip4) |
| 3656 | / UDP(sport=1144, dport=2233) |
| 3657 | / Raw(b"X" * payload_size) |
| 3658 | ) |
| 3659 | for i in range(count) |
| 3660 | ] |
Neale Ranns | 6ba4e41 | 2020-10-19 09:59:41 +0000 | [diff] [blame] | 3661 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3662 | def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=100): |
| 3663 | return [ |
| 3664 | Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) |
| 3665 | / IP(src="1.1.1.1", dst=dst) |
| 3666 | / UDP(sport=1144, dport=2233) |
| 3667 | / Raw(b"X" * payload_size) |
| 3668 | for i in range(count) |
| 3669 | ] |
Neale Ranns | 6ba4e41 | 2020-10-19 09:59:41 +0000 | [diff] [blame] | 3670 | |
| 3671 | def verify_decrypted(self, p, rxs): |
| 3672 | for rx in rxs: |
| 3673 | self.assert_equal(rx[Ether].dst, self.pg1.remote_mac) |
| 3674 | self.assert_equal(rx[IP].dst, self.pg1.remote_ip4) |
| 3675 | |
| 3676 | def verify_encrypted(self, p, sa, rxs): |
| 3677 | for rx in rxs: |
| 3678 | try: |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3679 | self.assertEqual( |
| 3680 | rx[IP].tos, VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF << 2 |
| 3681 | ) |
Neale Ranns | 9ec846c | 2021-02-09 14:04:02 +0000 | [diff] [blame] | 3682 | self.assertEqual(rx[IP].ttl, p.hop_limit) |
Neale Ranns | 6ba4e41 | 2020-10-19 09:59:41 +0000 | [diff] [blame] | 3683 | pkt = sa.decrypt(rx[IP]) |
| 3684 | if not pkt.haslayer(IP): |
| 3685 | pkt = IP(pkt[Raw].load) |
| 3686 | self.assert_packet_checksums_valid(pkt) |
| 3687 | e = pkt[IP] |
| 3688 | self.assertEqual(e[IP].dst, p.remote_tun_if_host) |
| 3689 | except (IndexError, AssertionError): |
| 3690 | self.logger.debug(ppp("Unexpected packet:", rx)) |
| 3691 | try: |
| 3692 | self.logger.debug(ppp("Decrypted packet:", pkt)) |
| 3693 | except: |
| 3694 | pass |
| 3695 | raise |
| 3696 | |
| 3697 | def setUp(self): |
| 3698 | super(TestIpsecMIfEsp4, self).setUp() |
| 3699 | |
| 3700 | N_NHS = 16 |
| 3701 | self.tun_if = self.pg0 |
| 3702 | p = self.ipv4_params |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3703 | p.tun_if = VppIpsecInterface( |
| 3704 | self, mode=(VppEnum.vl_api_tunnel_mode_t.TUNNEL_API_MODE_MP) |
| 3705 | ) |
Neale Ranns | 6ba4e41 | 2020-10-19 09:59:41 +0000 | [diff] [blame] | 3706 | p.tun_if.add_vpp_config() |
| 3707 | p.tun_if.admin_up() |
| 3708 | p.tun_if.config_ip4() |
Neale Ranns | cfe949d | 2020-11-25 19:35:38 +0000 | [diff] [blame] | 3709 | p.tun_if.unconfig_ip4() |
| 3710 | p.tun_if.config_ip4() |
Neale Ranns | 6ba4e41 | 2020-10-19 09:59:41 +0000 | [diff] [blame] | 3711 | p.tun_if.generate_remote_hosts(N_NHS) |
| 3712 | self.pg0.generate_remote_hosts(N_NHS) |
| 3713 | self.pg0.configure_ipv4_neighbors() |
| 3714 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3715 | r_all = AclRule(True, src_prefix="0.0.0.0/0", dst_prefix="0.0.0.0/0", proto=0) |
Neale Ranns | 6fdcc3d | 2021-10-08 07:30:47 +0000 | [diff] [blame] | 3716 | a = VppAcl(self, [r_all]).add_vpp_config() |
| 3717 | |
| 3718 | VppAclInterface(self, self.pg0.sw_if_index, [a]).add_vpp_config() |
| 3719 | VppAclInterface(self, p.tun_if.sw_if_index, [a]).add_vpp_config() |
| 3720 | |
Neale Ranns | 6ba4e41 | 2020-10-19 09:59:41 +0000 | [diff] [blame] | 3721 | # setup some SAs for several next-hops on the interface |
| 3722 | self.multi_params = [] |
| 3723 | |
| 3724 | for ii in range(N_NHS): |
| 3725 | p = copy.copy(self.ipv4_params) |
| 3726 | |
| 3727 | p.remote_tun_if_host = "1.1.1.%d" % (ii + 1) |
| 3728 | p.scapy_tun_sa_id = p.scapy_tun_sa_id + ii |
| 3729 | p.scapy_tun_spi = p.scapy_tun_spi + ii |
| 3730 | p.vpp_tun_sa_id = p.vpp_tun_sa_id + ii |
| 3731 | p.vpp_tun_spi = p.vpp_tun_spi + ii |
| 3732 | |
| 3733 | p.scapy_tra_sa_id = p.scapy_tra_sa_id + ii |
| 3734 | p.scapy_tra_spi = p.scapy_tra_spi + ii |
| 3735 | p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii |
| 3736 | p.vpp_tra_spi = p.vpp_tra_spi + ii |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3737 | p.hop_limit = ii + 10 |
Neale Ranns | 041add7 | 2020-01-02 04:06:10 +0000 | [diff] [blame] | 3738 | p.tun_sa_out = VppIpsecSA( |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3739 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 3740 | p.vpp_tun_sa_id, |
| 3741 | p.vpp_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3742 | p.auth_algo_vpp_id, |
| 3743 | p.auth_key, |
| 3744 | p.crypt_algo_vpp_id, |
| 3745 | p.crypt_key, |
Neale Ranns | 041add7 | 2020-01-02 04:06:10 +0000 | [diff] [blame] | 3746 | self.vpp_esp_protocol, |
| 3747 | self.pg0.local_ip4, |
| 3748 | self.pg0.remote_hosts[ii].ip4, |
Neale Ranns | 9ec846c | 2021-02-09 14:04:02 +0000 | [diff] [blame] | 3749 | dscp=VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3750 | hop_limit=p.hop_limit, |
| 3751 | ) |
Neale Ranns | 6ba4e41 | 2020-10-19 09:59:41 +0000 | [diff] [blame] | 3752 | p.tun_sa_out.add_vpp_config() |
| 3753 | |
Neale Ranns | 041add7 | 2020-01-02 04:06:10 +0000 | [diff] [blame] | 3754 | p.tun_sa_in = VppIpsecSA( |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3755 | self, |
Arthur de Kerhor | 0df06b6 | 2022-11-16 18:45:24 +0100 | [diff] [blame] | 3756 | p.scapy_tun_sa_id, |
| 3757 | p.scapy_tun_spi, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3758 | p.auth_algo_vpp_id, |
| 3759 | p.auth_key, |
| 3760 | p.crypt_algo_vpp_id, |
| 3761 | p.crypt_key, |
Neale Ranns | 041add7 | 2020-01-02 04:06:10 +0000 | [diff] [blame] | 3762 | self.vpp_esp_protocol, |
| 3763 | self.pg0.remote_hosts[ii].ip4, |
| 3764 | self.pg0.local_ip4, |
Neale Ranns | 9ec846c | 2021-02-09 14:04:02 +0000 | [diff] [blame] | 3765 | dscp=VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF, |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3766 | hop_limit=p.hop_limit, |
| 3767 | ) |
Neale Ranns | 6ba4e41 | 2020-10-19 09:59:41 +0000 | [diff] [blame] | 3768 | p.tun_sa_in.add_vpp_config() |
| 3769 | |
| 3770 | p.tun_protect = VppIpsecTunProtect( |
| 3771 | self, |
| 3772 | p.tun_if, |
| 3773 | p.tun_sa_out, |
| 3774 | [p.tun_sa_in], |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3775 | nh=p.tun_if.remote_hosts[ii].ip4, |
| 3776 | ) |
Neale Ranns | 6ba4e41 | 2020-10-19 09:59:41 +0000 | [diff] [blame] | 3777 | p.tun_protect.add_vpp_config() |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3778 | config_tun_params( |
| 3779 | p, |
| 3780 | self.encryption_type, |
| 3781 | None, |
| 3782 | self.pg0.local_ip4, |
| 3783 | self.pg0.remote_hosts[ii].ip4, |
| 3784 | ) |
Neale Ranns | 6ba4e41 | 2020-10-19 09:59:41 +0000 | [diff] [blame] | 3785 | self.multi_params.append(p) |
| 3786 | |
Neale Ranns | 6fdcc3d | 2021-10-08 07:30:47 +0000 | [diff] [blame] | 3787 | p.via_tun_route = VppIpRoute( |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3788 | self, |
| 3789 | p.remote_tun_if_host, |
| 3790 | 32, |
| 3791 | [VppRoutePath(p.tun_if.remote_hosts[ii].ip4, p.tun_if.sw_if_index)], |
| 3792 | ).add_vpp_config() |
Neale Ranns | 6ba4e41 | 2020-10-19 09:59:41 +0000 | [diff] [blame] | 3793 | |
| 3794 | p.tun_dst = self.pg0.remote_hosts[ii].ip4 |
| 3795 | |
| 3796 | def tearDown(self): |
| 3797 | p = self.ipv4_params |
| 3798 | p.tun_if.unconfig_ip4() |
| 3799 | super(TestIpsecMIfEsp4, self).tearDown() |
| 3800 | |
| 3801 | def test_tun_44(self): |
| 3802 | """P2MP IPSEC 44""" |
| 3803 | N_PKTS = 63 |
| 3804 | for p in self.multi_params: |
| 3805 | self.verify_tun_44(p, count=N_PKTS) |
| 3806 | |
Neale Ranns | 6fdcc3d | 2021-10-08 07:30:47 +0000 | [diff] [blame] | 3807 | # remove one tunnel protect, the rest should still work |
| 3808 | self.multi_params[0].tun_protect.remove_vpp_config() |
| 3809 | self.verify_tun_dropped_44(self.multi_params[0], count=N_PKTS) |
| 3810 | self.multi_params[0].via_tun_route.remove_vpp_config() |
| 3811 | self.verify_tun_dropped_44(self.multi_params[0], count=N_PKTS) |
| 3812 | |
| 3813 | for p in self.multi_params[1:]: |
| 3814 | self.verify_tun_44(p, count=N_PKTS) |
| 3815 | |
| 3816 | self.multi_params[0].tun_protect.add_vpp_config() |
| 3817 | self.multi_params[0].via_tun_route.add_vpp_config() |
| 3818 | |
| 3819 | for p in self.multi_params: |
| 3820 | self.verify_tun_44(p, count=N_PKTS) |
| 3821 | |
Neale Ranns | 6ba4e41 | 2020-10-19 09:59:41 +0000 | [diff] [blame] | 3822 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3823 | class TestIpsecItf6MPLS(TemplateIpsec, TemplateIpsecItf6, IpsecTun6): |
| 3824 | """IPsec Interface MPLSoIPv6""" |
Neale Ranns | 4a58e49 | 2020-12-21 13:19:10 +0000 | [diff] [blame] | 3825 | |
| 3826 | tun6_encrypt_node_name = "esp-mpls-encrypt-tun" |
| 3827 | |
| 3828 | def setUp(self): |
| 3829 | super(TestIpsecItf6MPLS, self).setUp() |
| 3830 | |
| 3831 | self.tun_if = self.pg0 |
| 3832 | |
| 3833 | def tearDown(self): |
| 3834 | super(TestIpsecItf6MPLS, self).tearDown() |
| 3835 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3836 | def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1, payload_size=100): |
| 3837 | return [ |
| 3838 | Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) |
| 3839 | / sa.encrypt( |
| 3840 | MPLS(label=66, ttl=3) |
| 3841 | / IPv6(src=src, dst=dst) |
| 3842 | / UDP(sport=1166, dport=2233) |
| 3843 | / Raw(b"X" * payload_size) |
| 3844 | ) |
| 3845 | for i in range(count) |
| 3846 | ] |
Neale Ranns | 4a58e49 | 2020-12-21 13:19:10 +0000 | [diff] [blame] | 3847 | |
| 3848 | def verify_encrypted6(self, p, sa, rxs): |
| 3849 | for rx in rxs: |
| 3850 | try: |
| 3851 | pkt = sa.decrypt(rx[IPv6]) |
| 3852 | if not pkt.haslayer(IPv6): |
| 3853 | pkt = IP(pkt[Raw].load) |
| 3854 | self.assert_packet_checksums_valid(pkt) |
| 3855 | self.assert_equal(pkt[MPLS].label, 66) |
| 3856 | self.assert_equal(pkt[IPv6].dst, p.remote_tun_if_host) |
| 3857 | except (IndexError, AssertionError): |
| 3858 | self.logger.debug(ppp("Unexpected packet:", rx)) |
| 3859 | try: |
| 3860 | self.logger.debug(ppp("Decrypted packet:", pkt)) |
| 3861 | except: |
| 3862 | pass |
| 3863 | raise |
| 3864 | |
| 3865 | def test_tun_mpls_o_ip6(self): |
| 3866 | """IPSEC interface MPLS over IPv6""" |
| 3867 | |
| 3868 | n_pkts = 127 |
| 3869 | p = self.ipv6_params |
| 3870 | f = FibPathProto |
| 3871 | |
| 3872 | tbl = VppMplsTable(self, 0) |
| 3873 | tbl.add_vpp_config() |
| 3874 | |
| 3875 | self.config_network(p) |
| 3876 | # deag MPLS routes from the tunnel |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3877 | r6 = VppMplsRoute( |
| 3878 | self, |
| 3879 | 66, |
| 3880 | 1, |
| 3881 | [VppRoutePath(self.pg1.remote_ip6, self.pg1.sw_if_index)], |
| 3882 | eos_proto=f.FIB_PATH_NH_PROTO_IP6, |
| 3883 | ).add_vpp_config() |
| 3884 | p.route.modify( |
| 3885 | [ |
| 3886 | VppRoutePath( |
| 3887 | p.tun_if.remote_ip6, p.tun_if.sw_if_index, labels=[VppMplsLabel(66)] |
| 3888 | ) |
| 3889 | ] |
| 3890 | ) |
Neale Ranns | 4a58e49 | 2020-12-21 13:19:10 +0000 | [diff] [blame] | 3891 | p.tun_if.enable_mpls() |
| 3892 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3893 | self.config_sa_tun(p, self.pg0.local_ip6, self.pg0.remote_ip6) |
Neale Ranns | 4a58e49 | 2020-12-21 13:19:10 +0000 | [diff] [blame] | 3894 | self.config_protect(p) |
| 3895 | |
| 3896 | self.verify_tun_66(p, count=n_pkts) |
| 3897 | |
| 3898 | # cleanup |
| 3899 | p.tun_if.disable_mpls() |
| 3900 | self.unconfig_protect(p) |
| 3901 | self.unconfig_sa(p) |
| 3902 | self.unconfig_network(p) |
| 3903 | |
| 3904 | |
Klement Sekera | d9b0c6f | 2022-04-26 19:02:15 +0200 | [diff] [blame] | 3905 | if __name__ == "__main__": |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 3906 | unittest.main(testRunner=VppTestRunner) |