Gitiles
Code Review Sign In
gerrit.nordix.org / fdio / vpp / 8feeaff56fa9a4fbdfc06131f28a1060ffd9645d / . / test / test_ipsec_esp.py
blob: d254ee76762bf4eb50ed5a70e83427e0da1cfa3f [file] [log] [blame]
“mystarrocks”23f0c452017-12-11 07:11:51 -0800[diff] [blame]1import socket
Klement Sekera28fb03f2018-04-17 11:36:55 +0200[diff] [blame]2import unittest
Klement Sekera31da2e32018-06-24 22:49:55 +0200[diff] [blame]3from scapy.layers.ipsec import ESP
Neale Ranns53f526b2019-02-25 14:32:02 +0000[diff] [blame]4from scapy.layers.inet import UDP
“mystarrocks”23f0c452017-12-11 07:11:51 -0800[diff] [blame]5
Klement Sekera31da2e32018-06-24 22:49:55 +0200[diff] [blame]6from framework import VppTestRunner
Neale Ranns53f526b2019-02-25 14:32:02 +0000[diff] [blame]7from template_ipsec import IpsecTra46Tests, IpsecTun46Tests, TemplateIpsec, \
Neale Ranns2ac885c2019-03-20 18:24:43 +0000[diff] [blame]8 IpsecTcpTests, IpsecTun4Tests, IpsecTra4Tests, config_tra_params
Klement Sekerabf613952019-01-29 11:38:08 +0100[diff] [blame]9from vpp_ipsec import VppIpsecSpd, VppIpsecSpdEntry, VppIpsecSA,\
10 VppIpsecSpdItfBinding
Neale Ranns311124e2019-01-24 04:52:25 -0800[diff] [blame]11from vpp_ip_route import VppIpRoute, VppRoutePath
12from vpp_ip import DpoProto
Neale Ranns17dcec02019-01-09 21:22:20 -0800[diff] [blame]13from vpp_papi import VppEnum
“mystarrocks”23f0c452017-12-11 07:11:51 -0800[diff] [blame]14
15
Neale Ranns53f526b2019-02-25 14:32:02 +0000[diff] [blame]16def config_esp_tun(test, params):
17 addr_type = params.addr_type
18 scapy_tun_sa_id = params.scapy_tun_sa_id
19 scapy_tun_spi = params.scapy_tun_spi
20 vpp_tun_sa_id = params.vpp_tun_sa_id
21 vpp_tun_spi = params.vpp_tun_spi
22 auth_algo_vpp_id = params.auth_algo_vpp_id
23 auth_key = params.auth_key
24 crypt_algo_vpp_id = params.crypt_algo_vpp_id
25 crypt_key = params.crypt_key
26 remote_tun_if_host = params.remote_tun_if_host
27 addr_any = params.addr_any
28 addr_bcast = params.addr_bcast
29 e = VppEnum.vl_api_ipsec_spd_action_t
30
31 params.tun_sa_in = VppIpsecSA(test, scapy_tun_sa_id, scapy_tun_spi,
32 auth_algo_vpp_id, auth_key,
33 crypt_algo_vpp_id, crypt_key,
34 test.vpp_esp_protocol,
35 test.tun_if.local_addr[addr_type],
36 test.tun_if.remote_addr[addr_type])
37 params.tun_sa_in.add_vpp_config()
38 params.tun_sa_out = VppIpsecSA(test, vpp_tun_sa_id, vpp_tun_spi,
39 auth_algo_vpp_id, auth_key,
40 crypt_algo_vpp_id, crypt_key,
41 test.vpp_esp_protocol,
42 test.tun_if.remote_addr[addr_type],
43 test.tun_if.local_addr[addr_type])
44 params.tun_sa_out.add_vpp_config()
45
46 params.spd_policy_in_any = VppIpsecSpdEntry(test, test.tun_spd,
47 scapy_tun_sa_id,
48 addr_any, addr_bcast,
49 addr_any, addr_bcast,
50 socket.IPPROTO_ESP)
51 params.spd_policy_in_any.add_vpp_config()
52 params.spd_policy_out_any = VppIpsecSpdEntry(test, test.tun_spd,
53 scapy_tun_sa_id,
54 addr_any, addr_bcast,
55 addr_any, addr_bcast,
56 socket.IPPROTO_ESP,
57 is_outbound=0)
58 params.spd_policy_out_any.add_vpp_config()
59
60 VppIpsecSpdEntry(test, test.tun_spd, vpp_tun_sa_id,
61 remote_tun_if_host, remote_tun_if_host,
62 test.pg1.remote_addr[addr_type],
63 test.pg1.remote_addr[addr_type],
64 0,
65 priority=10,
66 policy=e.IPSEC_API_SPD_ACTION_PROTECT,
67 is_outbound=0).add_vpp_config()
68 VppIpsecSpdEntry(test, test.tun_spd, scapy_tun_sa_id,
69 test.pg1.remote_addr[addr_type],
70 test.pg1.remote_addr[addr_type],
71 remote_tun_if_host, remote_tun_if_host,
72 0,
73 policy=e.IPSEC_API_SPD_ACTION_PROTECT,
74 priority=10).add_vpp_config()
75
76 VppIpsecSpdEntry(test, test.tun_spd, vpp_tun_sa_id,
77 remote_tun_if_host, remote_tun_if_host,
78 test.pg0.local_addr[addr_type],
79 test.pg0.local_addr[addr_type],
80 0,
81 priority=20,
82 policy=e.IPSEC_API_SPD_ACTION_PROTECT,
83 is_outbound=0).add_vpp_config()
84 VppIpsecSpdEntry(test, test.tun_spd, scapy_tun_sa_id,
85 test.pg0.local_addr[addr_type],
86 test.pg0.local_addr[addr_type],
87 remote_tun_if_host, remote_tun_if_host,
88 0,
89 policy=e.IPSEC_API_SPD_ACTION_PROTECT,
90 priority=20).add_vpp_config()
91
92
93def config_esp_tra(test, params):
94 addr_type = params.addr_type
95 scapy_tra_sa_id = params.scapy_tra_sa_id
96 scapy_tra_spi = params.scapy_tra_spi
97 vpp_tra_sa_id = params.vpp_tra_sa_id
98 vpp_tra_spi = params.vpp_tra_spi
99 auth_algo_vpp_id = params.auth_algo_vpp_id
100 auth_key = params.auth_key
101 crypt_algo_vpp_id = params.crypt_algo_vpp_id
102 crypt_key = params.crypt_key
103 addr_any = params.addr_any
104 addr_bcast = params.addr_bcast
105 flags = (VppEnum.vl_api_ipsec_sad_flags_t.
106 IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY)
107 e = VppEnum.vl_api_ipsec_spd_action_t
108 flags = params.flags | flags
109
110 params.tra_sa_in = VppIpsecSA(test, scapy_tra_sa_id, scapy_tra_spi,
111 auth_algo_vpp_id, auth_key,
112 crypt_algo_vpp_id, crypt_key,
113 test.vpp_esp_protocol,
114 flags=flags)
115 params.tra_sa_in.add_vpp_config()
116 params.tra_sa_out = VppIpsecSA(test, vpp_tra_sa_id, vpp_tra_spi,
117 auth_algo_vpp_id, auth_key,
118 crypt_algo_vpp_id, crypt_key,
119 test.vpp_esp_protocol,
120 flags=flags)
121 params.tra_sa_out.add_vpp_config()
122
123 VppIpsecSpdEntry(test, test.tra_spd, vpp_tra_sa_id,
124 addr_any, addr_bcast,
125 addr_any, addr_bcast,
126 socket.IPPROTO_ESP).add_vpp_config()
127 VppIpsecSpdEntry(test, test.tra_spd, vpp_tra_sa_id,
128 addr_any, addr_bcast,
129 addr_any, addr_bcast,
130 socket.IPPROTO_ESP,
131 is_outbound=0).add_vpp_config()
132
133 VppIpsecSpdEntry(test, test.tra_spd, vpp_tra_sa_id,
134 test.tra_if.local_addr[addr_type],
135 test.tra_if.local_addr[addr_type],
136 test.tra_if.remote_addr[addr_type],
137 test.tra_if.remote_addr[addr_type],
138 0, priority=10,
139 policy=e.IPSEC_API_SPD_ACTION_PROTECT,
140 is_outbound=0).add_vpp_config()
141 VppIpsecSpdEntry(test, test.tra_spd, scapy_tra_sa_id,
142 test.tra_if.local_addr[addr_type],
143 test.tra_if.local_addr[addr_type],
144 test.tra_if.remote_addr[addr_type],
145 test.tra_if.remote_addr[addr_type],
146 0, policy=e.IPSEC_API_SPD_ACTION_PROTECT,
147 priority=10).add_vpp_config()
148
149
Klement Sekera31da2e32018-06-24 22:49:55 +0200[diff] [blame]150class TemplateIpsecEsp(TemplateIpsec):
“mystarrocks”23f0c452017-12-11 07:11:51 -0800[diff] [blame]151 """
152 Basic test for ipsec esp sanity - tunnel and transport modes.
153
154 Below 4 cases are covered as part of this test
155 1) ipsec esp v4 transport basic test - IPv4 Transport mode
Paul Vinciguerra8feeaff2019-03-27 11:25:48 -0700[diff] [blame^]156 scenario using HMAC-SHA1-96 integrity algo
“mystarrocks”23f0c452017-12-11 07:11:51 -0800[diff] [blame]157 2) ipsec esp v4 transport burst test
158 Above test for 257 pkts
159 3) ipsec esp 4o4 tunnel basic test - IPv4 Tunnel mode
Paul Vinciguerra8feeaff2019-03-27 11:25:48 -0700[diff] [blame^]160 scenario using HMAC-SHA1-96 integrity algo
“mystarrocks”23f0c452017-12-11 07:11:51 -0800[diff] [blame]161 4) ipsec esp 4o4 tunnel burst test
162 Above test for 257 pkts
163
164 TRANSPORT MODE:
165
166 --- encrypt ---
167 |pg2| <-------> |VPP|
168 --- decrypt ---
169
170 TUNNEL MODE:
171
172 --- encrypt --- plain ---
Klement Sekera4b089f22018-04-17 18:04:57 +0200[diff] [blame]173 |pg0| <------- |VPP| <------ |pg1|
“mystarrocks”23f0c452017-12-11 07:11:51 -0800[diff] [blame]174 --- --- ---
175
176 --- decrypt --- plain ---
Klement Sekera4b089f22018-04-17 18:04:57 +0200[diff] [blame]177 |pg0| -------> |VPP| ------> |pg1|
“mystarrocks”23f0c452017-12-11 07:11:51 -0800[diff] [blame]178 --- --- ---
“mystarrocks”23f0c452017-12-11 07:11:51 -0800[diff] [blame]179 """
180
Neale Ranns8e4a89b2019-01-23 08:16:17 -0800[diff] [blame]181 def setUp(self):
182 super(TemplateIpsecEsp, self).setUp()
183 self.encryption_type = ESP
184 self.tun_if = self.pg0
185 self.tra_if = self.pg2
186 self.logger.info(self.vapi.ppcli("show int addr"))
Neale Ranns311124e2019-01-24 04:52:25 -0800[diff] [blame]187
188 self.tra_spd = VppIpsecSpd(self, self.tra_spd_id)
189 self.tra_spd.add_vpp_config()
190 VppIpsecSpdItfBinding(self, self.tra_spd,
191 self.tra_if).add_vpp_config()
192
Neale Ranns8e4a89b2019-01-23 08:16:17 -0800[diff] [blame]193 for _, p in self.params.items():
Neale Ranns2ac885c2019-03-20 18:24:43 +0000[diff] [blame]194 config_esp_tra(self, p)
195 config_tra_params(p, self.encryption_type)
Neale Ranns8e4a89b2019-01-23 08:16:17 -0800[diff] [blame]196 self.logger.info(self.vapi.ppcli("show ipsec"))
Neale Ranns311124e2019-01-24 04:52:25 -0800[diff] [blame]197
198 self.tun_spd = VppIpsecSpd(self, self.tun_spd_id)
199 self.tun_spd.add_vpp_config()
200 VppIpsecSpdItfBinding(self, self.tun_spd,
201 self.tun_if).add_vpp_config()
202
Neale Ranns8e4a89b2019-01-23 08:16:17 -0800[diff] [blame]203 for _, p in self.params.items():
Neale Ranns2ac885c2019-03-20 18:24:43 +0000[diff] [blame]204 config_esp_tun(self, p)
Neale Ranns8e4a89b2019-01-23 08:16:17 -0800[diff] [blame]205 self.logger.info(self.vapi.ppcli("show ipsec"))
Neale Ranns311124e2019-01-24 04:52:25 -0800[diff] [blame]206
Neale Ranns8e4a89b2019-01-23 08:16:17 -0800[diff] [blame]207 for _, p in self.params.items():
Neale Ranns311124e2019-01-24 04:52:25 -0800[diff] [blame]208 d = DpoProto.DPO_PROTO_IP6 if p.is_ipv6 else DpoProto.DPO_PROTO_IP4
209 VppIpRoute(self, p.remote_tun_if_host, p.addr_len,
210 [VppRoutePath(self.tun_if.remote_addr[p.addr_type],
211 0xffffffff,
212 proto=d)],
213 is_ip6=p.is_ipv6).add_vpp_config()
Klement Sekera611864f2018-09-26 11:19:00 +0200[diff] [blame]214
Neale Ranns8e4a89b2019-01-23 08:16:17 -0800[diff] [blame]215 def tearDown(self):
Neale Ranns8e4a89b2019-01-23 08:16:17 -0800[diff] [blame]216 super(TemplateIpsecEsp, self).tearDown()
217 if not self.vpp_dead:
218 self.vapi.cli("show hardware")
219
Klement Sekera611864f2018-09-26 11:19:00 +0200[diff] [blame]220
Neale Ranns53f526b2019-02-25 14:32:02 +0000[diff] [blame]221class TestIpsecEsp1(TemplateIpsecEsp, IpsecTra46Tests, IpsecTun46Tests):
Klement Sekera31da2e32018-06-24 22:49:55 +0200[diff] [blame]222 """ Ipsec ESP - TUN & TRA tests """
Klement Sekerab4d30532018-11-08 13:00:02 +0100[diff] [blame]223 tra4_encrypt_node_name = "esp4-encrypt"
224 tra4_decrypt_node_name = "esp4-decrypt"
225 tra6_encrypt_node_name = "esp6-encrypt"
226 tra6_decrypt_node_name = "esp6-decrypt"
227 tun4_encrypt_node_name = "esp4-encrypt"
228 tun4_decrypt_node_name = "esp4-decrypt"
229 tun6_encrypt_node_name = "esp6-encrypt"
230 tun6_decrypt_node_name = "esp6-decrypt"
“mystarrocks”23f0c452017-12-11 07:11:51 -0800[diff] [blame]231
“mystarrocks”23f0c452017-12-11 07:11:51 -0800[diff] [blame]232
Klement Sekera31da2e32018-06-24 22:49:55 +0200[diff] [blame]233class TestIpsecEsp2(TemplateIpsecEsp, IpsecTcpTests):
234 """ Ipsec ESP - TCP tests """
235 pass
“mystarrocks”23f0c452017-12-11 07:11:51 -0800[diff] [blame]236
237
Neale Ranns53f526b2019-02-25 14:32:02 +0000[diff] [blame]238class TemplateIpsecEspUdp(TemplateIpsec):
239 """
240 UDP encapped ESP
241 """
Neale Ranns53f526b2019-02-25 14:32:02 +0000[diff] [blame]242 def setUp(self):
243 super(TemplateIpsecEspUdp, self).setUp()
244 self.encryption_type = ESP
245 self.tun_if = self.pg0
246 self.tra_if = self.pg2
247 self.logger.info(self.vapi.ppcli("show int addr"))
248
249 p = self.ipv4_params
250 p.flags = (VppEnum.vl_api_ipsec_sad_flags_t.
251 IPSEC_API_SAD_FLAG_UDP_ENCAP)
252 p.nat_header = UDP(sport=5454, dport=4500)
253
254 self.tra_spd = VppIpsecSpd(self, self.tra_spd_id)
255 self.tra_spd.add_vpp_config()
256 VppIpsecSpdItfBinding(self, self.tra_spd,
257 self.tra_if).add_vpp_config()
258
Neale Ranns2ac885c2019-03-20 18:24:43 +0000[diff] [blame]259 config_esp_tra(self, p)
260 config_tra_params(p, self.encryption_type)
Neale Ranns53f526b2019-02-25 14:32:02 +0000[diff] [blame]261
262 self.tun_spd = VppIpsecSpd(self, self.tun_spd_id)
263 self.tun_spd.add_vpp_config()
264 VppIpsecSpdItfBinding(self, self.tun_spd,
265 self.tun_if).add_vpp_config()
266
Neale Ranns2ac885c2019-03-20 18:24:43 +0000[diff] [blame]267 config_esp_tun(self, p)
Neale Ranns53f526b2019-02-25 14:32:02 +0000[diff] [blame]268 self.logger.info(self.vapi.ppcli("show ipsec"))
269
270 d = DpoProto.DPO_PROTO_IP4
271 VppIpRoute(self, p.remote_tun_if_host, p.addr_len,
272 [VppRoutePath(self.tun_if.remote_addr[p.addr_type],
273 0xffffffff,
274 proto=d)]).add_vpp_config()
275
276 def tearDown(self):
277 super(TemplateIpsecEspUdp, self).tearDown()
278 if not self.vpp_dead:
279 self.vapi.cli("show hardware")
280
281
282class TestIpsecEspUdp(TemplateIpsecEspUdp, IpsecTra4Tests, IpsecTun4Tests):
283 """ Ipsec NAT-T ESP UDP tests """
284 tra4_encrypt_node_name = "esp4-encrypt"
285 tra4_decrypt_node_name = "esp4-decrypt"
286 tun4_encrypt_node_name = "esp4-encrypt"
287 tun4_decrypt_node_name = "esp4-decrypt"
288 pass
289
290
“mystarrocks”23f0c452017-12-11 07:11:51 -0800[diff] [blame]291if __name__ == '__main__':
292 unittest.main(testRunner=VppTestRunner)