blob: a722ce77bb1b87080a8bd67533302829dd16b259 [file] [log] [blame]
Klement Sekera31da2e32018-06-24 22:49:55 +02001import unittest
2import socket
Neale Ranns2ac885c2019-03-20 18:24:43 +00003import copy
Neale Ranns47feb112019-04-11 15:14:07 +00004
Neale Ranns12989b52019-09-26 16:20:19 +00005from scapy.layers.ipsec import SecurityAssociation, ESP
John Lo90430b62020-01-31 23:48:30 -05006from scapy.layers.l2 import Ether, GRE, Dot1Q
snaramre5d4b8912019-12-13 23:39:35 +00007from scapy.packet import Raw
Neale Rannsf05e7322019-03-29 20:23:58 +00008from scapy.layers.inet import IP, UDP
Neale Rannsc87b66c2019-02-07 07:26:12 -08009from scapy.layers.inet6 import IPv6
juraj.linkes11057662019-07-08 10:22:55 +020010from framework import VppTestRunner
Kingwel Xie1ba5bc82019-03-20 07:21:58 -040011from template_ipsec import TemplateIpsec, IpsecTun4Tests, IpsecTun6Tests, \
Neale Ranns4a56f4e2019-12-23 04:10:25 +000012 IpsecTun4, IpsecTun6, IpsecTcpTests, mk_scapy_crypt_key, \
Neale Rannsf3a66222020-01-02 05:04:00 +000013 IpsecTun6HandoffTests, IpsecTun4HandoffTests, config_tun_params
Neale Rannsc87b66c2019-02-07 07:26:12 -080014from vpp_ipsec_tun_interface import VppIpsecTunInterface
15from vpp_gre_interface import VppGreInterface
16from vpp_ipip_tun_interface import VppIpIpTunInterface
Kingwel Xie1ba5bc82019-03-20 07:21:58 -040017from vpp_ip_route import VppIpRoute, VppRoutePath, DpoProto
Neale Rannsdd4ccf22020-06-30 07:47:14 +000018from vpp_ipsec import VppIpsecSA, VppIpsecTunProtect, VppIpsecInterface
Neale Rannsf05e7322019-03-29 20:23:58 +000019from vpp_l2 import VppBridgeDomain, VppBridgeDomainPort
John Lo90430b62020-01-31 23:48:30 -050020from vpp_sub_interface import L2_VTR_OP, VppDot1QSubint
Neale Ranns28287212019-12-16 00:53:11 +000021from vpp_teib import VppTeib
Neale Rannsf05e7322019-03-29 20:23:58 +000022from util import ppp
Neale Ranns47feb112019-04-11 15:14:07 +000023from vpp_papi import VppEnum
Neale Ranns5d0136f2020-05-12 08:51:02 +000024from vpp_acl import AclRule, VppAcl, VppAclInterface
Klement Sekera31da2e32018-06-24 22:49:55 +020025
26
Neale Rannsdd4ccf22020-06-30 07:47:14 +000027def config_tun_params(p, encryption_type, tun_if, src=None, dst=None):
Neale Ranns12989b52019-09-26 16:20:19 +000028 ip_class_by_addr_type = {socket.AF_INET: IP, socket.AF_INET6: IPv6}
snaramre5d4b8912019-12-13 23:39:35 +000029 esn_en = bool(p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.
30 IPSEC_API_SAD_FLAG_USE_ESN))
Neale Ranns12989b52019-09-26 16:20:19 +000031 crypt_key = mk_scapy_crypt_key(p)
Neale Rannsdd4ccf22020-06-30 07:47:14 +000032 if tun_if:
33 p.tun_dst = tun_if.remote_ip
34 p.tun_src = tun_if.local_ip
35 else:
36 p.tun_dst = dst
37 p.tun_src = src
38
Neale Ranns12989b52019-09-26 16:20:19 +000039 p.scapy_tun_sa = SecurityAssociation(
40 encryption_type, spi=p.vpp_tun_spi,
41 crypt_algo=p.crypt_algo,
42 crypt_key=crypt_key,
43 auth_algo=p.auth_algo, auth_key=p.auth_key,
44 tunnel_header=ip_class_by_addr_type[p.addr_type](
Neale Rannsf3a66222020-01-02 05:04:00 +000045 src=p.tun_dst,
46 dst=p.tun_src),
Neale Ranns12989b52019-09-26 16:20:19 +000047 nat_t_header=p.nat_header,
snaramre5d4b8912019-12-13 23:39:35 +000048 esn_en=esn_en)
Neale Ranns12989b52019-09-26 16:20:19 +000049 p.vpp_tun_sa = SecurityAssociation(
50 encryption_type, spi=p.scapy_tun_spi,
51 crypt_algo=p.crypt_algo,
52 crypt_key=crypt_key,
53 auth_algo=p.auth_algo, auth_key=p.auth_key,
54 tunnel_header=ip_class_by_addr_type[p.addr_type](
Neale Rannsf3a66222020-01-02 05:04:00 +000055 dst=p.tun_dst,
56 src=p.tun_src),
Neale Ranns12989b52019-09-26 16:20:19 +000057 nat_t_header=p.nat_header,
snaramre5d4b8912019-12-13 23:39:35 +000058 esn_en=esn_en)
Neale Ranns12989b52019-09-26 16:20:19 +000059
60
Neale Ranns568acbb2019-12-18 05:54:40 +000061def config_tra_params(p, encryption_type, tun_if):
62 ip_class_by_addr_type = {socket.AF_INET: IP, socket.AF_INET6: IPv6}
63 esn_en = bool(p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.
64 IPSEC_API_SAD_FLAG_USE_ESN))
65 crypt_key = mk_scapy_crypt_key(p)
Neale Rannsf3a66222020-01-02 05:04:00 +000066 p.tun_dst = tun_if.remote_ip
67 p.tun_src = tun_if.local_ip
Neale Ranns568acbb2019-12-18 05:54:40 +000068 p.scapy_tun_sa = SecurityAssociation(
69 encryption_type, spi=p.vpp_tun_spi,
70 crypt_algo=p.crypt_algo,
71 crypt_key=crypt_key,
72 auth_algo=p.auth_algo, auth_key=p.auth_key,
Neale Rannsabc56602020-04-01 09:45:23 +000073 esn_en=esn_en,
74 nat_t_header=p.nat_header)
Neale Ranns568acbb2019-12-18 05:54:40 +000075 p.vpp_tun_sa = SecurityAssociation(
76 encryption_type, spi=p.scapy_tun_spi,
77 crypt_algo=p.crypt_algo,
78 crypt_key=crypt_key,
79 auth_algo=p.auth_algo, auth_key=p.auth_key,
Neale Rannsabc56602020-04-01 09:45:23 +000080 esn_en=esn_en,
81 nat_t_header=p.nat_header)
Neale Ranns568acbb2019-12-18 05:54:40 +000082
83
Kingwel Xie1ba5bc82019-03-20 07:21:58 -040084class TemplateIpsec4TunIfEsp(TemplateIpsec):
Klement Sekera31da2e32018-06-24 22:49:55 +020085 """ IPsec tunnel interface tests """
86
87 encryption_type = ESP
88
Paul Vinciguerra7f9b7f92019-03-12 19:23:27 -070089 @classmethod
90 def setUpClass(cls):
91 super(TemplateIpsec4TunIfEsp, cls).setUpClass()
92
93 @classmethod
94 def tearDownClass(cls):
95 super(TemplateIpsec4TunIfEsp, cls).tearDownClass()
96
Klement Sekera31da2e32018-06-24 22:49:55 +020097 def setUp(self):
Kingwel Xie1ba5bc82019-03-20 07:21:58 -040098 super(TemplateIpsec4TunIfEsp, self).setUp()
Neale Ranns8e4a89b2019-01-23 08:16:17 -080099
100 self.tun_if = self.pg0
101
Klement Sekera611864f2018-09-26 11:19:00 +0200102 p = self.ipv4_params
Neale Rannsd7603d92019-03-28 08:56:10 +0000103
104 p.tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
105 p.scapy_tun_spi, p.crypt_algo_vpp_id,
106 p.crypt_key, p.crypt_key,
107 p.auth_algo_vpp_id, p.auth_key,
108 p.auth_key)
109 p.tun_if.add_vpp_config()
110 p.tun_if.admin_up()
111 p.tun_if.config_ip4()
112 p.tun_if.config_ip6()
Neale Ranns12989b52019-09-26 16:20:19 +0000113 config_tun_params(p, self.encryption_type, p.tun_if)
Neale Ranns311124e2019-01-24 04:52:25 -0800114
Neale Ranns097fa662018-05-01 05:17:55 -0700115 r = VppIpRoute(self, p.remote_tun_if_host, 32,
116 [VppRoutePath(p.tun_if.remote_ip4,
117 0xffffffff)])
118 r.add_vpp_config()
119 r = VppIpRoute(self, p.remote_tun_if_host6, 128,
120 [VppRoutePath(p.tun_if.remote_ip6,
121 0xffffffff,
122 proto=DpoProto.DPO_PROTO_IP6)])
123 r.add_vpp_config()
Klement Sekera31da2e32018-06-24 22:49:55 +0200124
125 def tearDown(self):
Kingwel Xie1ba5bc82019-03-20 07:21:58 -0400126 super(TemplateIpsec4TunIfEsp, self).tearDown()
Klement Sekera31da2e32018-06-24 22:49:55 +0200127
128
Neale Ranns41afb332019-07-16 06:19:35 -0700129class TemplateIpsec4TunIfEspUdp(TemplateIpsec):
130 """ IPsec UDP tunnel interface tests """
131
132 tun4_encrypt_node_name = "esp4-encrypt-tun"
Neale Ranns12989b52019-09-26 16:20:19 +0000133 tun4_decrypt_node_name = "esp4-decrypt-tun"
Neale Ranns41afb332019-07-16 06:19:35 -0700134 encryption_type = ESP
135
136 @classmethod
137 def setUpClass(cls):
138 super(TemplateIpsec4TunIfEspUdp, cls).setUpClass()
139
140 @classmethod
141 def tearDownClass(cls):
142 super(TemplateIpsec4TunIfEspUdp, cls).tearDownClass()
143
Alexander Chernavinb0d2eda2020-03-25 10:56:52 -0400144 def verify_encrypted(self, p, sa, rxs):
145 for rx in rxs:
146 try:
147 # ensure the UDP ports are correct before we decrypt
148 # which strips them
149 self.assertTrue(rx.haslayer(UDP))
150 self.assert_equal(rx[UDP].sport, 4500)
151 self.assert_equal(rx[UDP].dport, 4500)
152
153 pkt = sa.decrypt(rx[IP])
154 if not pkt.haslayer(IP):
155 pkt = IP(pkt[Raw].load)
156
157 self.assert_packet_checksums_valid(pkt)
158 self.assert_equal(pkt[IP].dst, "1.1.1.1")
159 self.assert_equal(pkt[IP].src, self.pg1.remote_ip4)
160 except (IndexError, AssertionError):
161 self.logger.debug(ppp("Unexpected packet:", rx))
162 try:
163 self.logger.debug(ppp("Decrypted packet:", pkt))
164 except:
165 pass
166 raise
167
Neale Ranns41afb332019-07-16 06:19:35 -0700168 def setUp(self):
169 super(TemplateIpsec4TunIfEspUdp, self).setUp()
170
Neale Ranns41afb332019-07-16 06:19:35 -0700171 p = self.ipv4_params
172 p.flags = (VppEnum.vl_api_ipsec_sad_flags_t.
173 IPSEC_API_SAD_FLAG_UDP_ENCAP)
174 p.nat_header = UDP(sport=5454, dport=4500)
175
Alexander Chernavinb0d2eda2020-03-25 10:56:52 -0400176 def config_network(self):
177
178 self.tun_if = self.pg0
179 p = self.ipv4_params
Neale Ranns41afb332019-07-16 06:19:35 -0700180 p.tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
181 p.scapy_tun_spi, p.crypt_algo_vpp_id,
182 p.crypt_key, p.crypt_key,
183 p.auth_algo_vpp_id, p.auth_key,
184 p.auth_key, udp_encap=True)
185 p.tun_if.add_vpp_config()
186 p.tun_if.admin_up()
187 p.tun_if.config_ip4()
188 p.tun_if.config_ip6()
Neale Ranns12989b52019-09-26 16:20:19 +0000189 config_tun_params(p, self.encryption_type, p.tun_if)
Neale Ranns41afb332019-07-16 06:19:35 -0700190
191 r = VppIpRoute(self, p.remote_tun_if_host, 32,
192 [VppRoutePath(p.tun_if.remote_ip4,
193 0xffffffff)])
194 r.add_vpp_config()
195 r = VppIpRoute(self, p.remote_tun_if_host6, 128,
196 [VppRoutePath(p.tun_if.remote_ip6,
197 0xffffffff,
198 proto=DpoProto.DPO_PROTO_IP6)])
199 r.add_vpp_config()
200
201 def tearDown(self):
202 super(TemplateIpsec4TunIfEspUdp, self).tearDown()
203
204
Kingwel Xie1ba5bc82019-03-20 07:21:58 -0400205class TestIpsec4TunIfEsp1(TemplateIpsec4TunIfEsp, IpsecTun4Tests):
Klement Sekera31da2e32018-06-24 22:49:55 +0200206 """ Ipsec ESP - TUN tests """
Klement Sekera6aa58b72019-05-16 14:34:55 +0200207 tun4_encrypt_node_name = "esp4-encrypt-tun"
Neale Ranns12989b52019-09-26 16:20:19 +0000208 tun4_decrypt_node_name = "esp4-decrypt-tun"
Klement Sekera31da2e32018-06-24 22:49:55 +0200209
Neale Ranns987aea82019-03-27 13:40:35 +0000210 def test_tun_basic64(self):
211 """ ipsec 6o4 tunnel basic test """
Neale Ranns12989b52019-09-26 16:20:19 +0000212 self.tun4_encrypt_node_name = "esp4-encrypt-tun"
Klement Sekera6aa58b72019-05-16 14:34:55 +0200213
Neale Ranns987aea82019-03-27 13:40:35 +0000214 self.verify_tun_64(self.params[socket.AF_INET], count=1)
215
216 def test_tun_burst64(self):
217 """ ipsec 6o4 tunnel basic test """
Neale Ranns12989b52019-09-26 16:20:19 +0000218 self.tun4_encrypt_node_name = "esp4-encrypt-tun"
Klement Sekera6aa58b72019-05-16 14:34:55 +0200219
Neale Ranns987aea82019-03-27 13:40:35 +0000220 self.verify_tun_64(self.params[socket.AF_INET], count=257)
221
Neale Rannsd7603d92019-03-28 08:56:10 +0000222 def test_tun_basic_frag44(self):
223 """ ipsec 4o4 tunnel frag basic test """
Klement Sekera6aa58b72019-05-16 14:34:55 +0200224 self.tun4_encrypt_node_name = "esp4-encrypt-tun"
225
Neale Rannsd7603d92019-03-28 08:56:10 +0000226 p = self.ipv4_params
227
228 self.vapi.sw_interface_set_mtu(p.tun_if.sw_if_index,
229 [1500, 0, 0, 0])
230 self.verify_tun_44(self.params[socket.AF_INET],
231 count=1, payload_size=1800, n_rx=2)
232 self.vapi.sw_interface_set_mtu(p.tun_if.sw_if_index,
233 [9000, 0, 0, 0])
234
Klement Sekera31da2e32018-06-24 22:49:55 +0200235
Neale Ranns41afb332019-07-16 06:19:35 -0700236class TestIpsec4TunIfEspUdp(TemplateIpsec4TunIfEspUdp, IpsecTun4Tests):
237 """ Ipsec ESP UDP tests """
238
Neale Ranns12989b52019-09-26 16:20:19 +0000239 tun4_input_node = "ipsec4-tun-input"
Neale Ranns41afb332019-07-16 06:19:35 -0700240
Alexander Chernavinb0d2eda2020-03-25 10:56:52 -0400241 def setUp(self):
242 super(TemplateIpsec4TunIfEspUdp, self).setUp()
243 self.config_network()
244
Neale Ranns41afb332019-07-16 06:19:35 -0700245 def test_keepalive(self):
246 """ IPSEC NAT Keepalive """
247 self.verify_keepalive(self.ipv4_params)
248
249
Alexander Chernavinb0d2eda2020-03-25 10:56:52 -0400250class TestIpsec4TunIfEspUdpGCM(TemplateIpsec4TunIfEspUdp, IpsecTun4Tests):
251 """ Ipsec ESP UDP GCM tests """
252
253 tun4_input_node = "ipsec4-tun-input"
254
255 def setUp(self):
256 super(TemplateIpsec4TunIfEspUdp, self).setUp()
257 p = self.ipv4_params
258 p.auth_algo_vpp_id = (VppEnum.vl_api_ipsec_integ_alg_t.
259 IPSEC_API_INTEG_ALG_NONE)
260 p.crypt_algo_vpp_id = (VppEnum.vl_api_ipsec_crypto_alg_t.
261 IPSEC_API_CRYPTO_ALG_AES_GCM_256)
262 p.crypt_algo = "AES-GCM"
263 p.auth_algo = "NULL"
264 p.crypt_key = b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"
265 p.salt = 0
266 self.config_network()
267
268
Kingwel Xie1ba5bc82019-03-20 07:21:58 -0400269class TestIpsec4TunIfEsp2(TemplateIpsec4TunIfEsp, IpsecTcpTests):
Klement Sekera31da2e32018-06-24 22:49:55 +0200270 """ Ipsec ESP - TCP tests """
271 pass
272
273
Kingwel Xie1ba5bc82019-03-20 07:21:58 -0400274class TemplateIpsec6TunIfEsp(TemplateIpsec):
275 """ IPsec tunnel interface tests """
276
277 encryption_type = ESP
278
279 def setUp(self):
280 super(TemplateIpsec6TunIfEsp, self).setUp()
281
282 self.tun_if = self.pg0
283
284 p = self.ipv6_params
Neale Ranns12989b52019-09-26 16:20:19 +0000285 p.tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
286 p.scapy_tun_spi, p.crypt_algo_vpp_id,
287 p.crypt_key, p.crypt_key,
288 p.auth_algo_vpp_id, p.auth_key,
289 p.auth_key, is_ip6=True)
290 p.tun_if.add_vpp_config()
291 p.tun_if.admin_up()
292 p.tun_if.config_ip6()
293 p.tun_if.config_ip4()
294 config_tun_params(p, self.encryption_type, p.tun_if)
Kingwel Xie1ba5bc82019-03-20 07:21:58 -0400295
Neale Ranns097fa662018-05-01 05:17:55 -0700296 r = VppIpRoute(self, p.remote_tun_if_host, 128,
Neale Ranns12989b52019-09-26 16:20:19 +0000297 [VppRoutePath(p.tun_if.remote_ip6,
Neale Ranns097fa662018-05-01 05:17:55 -0700298 0xffffffff,
299 proto=DpoProto.DPO_PROTO_IP6)])
300 r.add_vpp_config()
301 r = VppIpRoute(self, p.remote_tun_if_host4, 32,
Neale Ranns12989b52019-09-26 16:20:19 +0000302 [VppRoutePath(p.tun_if.remote_ip4,
Neale Ranns097fa662018-05-01 05:17:55 -0700303 0xffffffff)])
304 r.add_vpp_config()
Kingwel Xie1ba5bc82019-03-20 07:21:58 -0400305
306 def tearDown(self):
Kingwel Xie1ba5bc82019-03-20 07:21:58 -0400307 super(TemplateIpsec6TunIfEsp, self).tearDown()
308
309
Neale Ranns4a56f4e2019-12-23 04:10:25 +0000310class TestIpsec6TunIfEsp1(TemplateIpsec6TunIfEsp,
311 IpsecTun6Tests):
Kingwel Xie1ba5bc82019-03-20 07:21:58 -0400312 """ Ipsec ESP - TUN tests """
Klement Sekera6aa58b72019-05-16 14:34:55 +0200313 tun6_encrypt_node_name = "esp6-encrypt-tun"
Neale Ranns12989b52019-09-26 16:20:19 +0000314 tun6_decrypt_node_name = "esp6-decrypt-tun"
Kingwel Xie1ba5bc82019-03-20 07:21:58 -0400315
Neale Ranns987aea82019-03-27 13:40:35 +0000316 def test_tun_basic46(self):
317 """ ipsec 4o6 tunnel basic test """
Neale Ranns12989b52019-09-26 16:20:19 +0000318 self.tun6_encrypt_node_name = "esp6-encrypt-tun"
Neale Ranns987aea82019-03-27 13:40:35 +0000319 self.verify_tun_46(self.params[socket.AF_INET6], count=1)
320
321 def test_tun_burst46(self):
322 """ ipsec 4o6 tunnel burst test """
Neale Ranns12989b52019-09-26 16:20:19 +0000323 self.tun6_encrypt_node_name = "esp6-encrypt-tun"
Neale Ranns987aea82019-03-27 13:40:35 +0000324 self.verify_tun_46(self.params[socket.AF_INET6], count=257)
325
Kingwel Xie1ba5bc82019-03-20 07:21:58 -0400326
Neale Ranns4a56f4e2019-12-23 04:10:25 +0000327class TestIpsec6TunIfEspHandoff(TemplateIpsec6TunIfEsp,
328 IpsecTun6HandoffTests):
329 """ Ipsec ESP 6 Handoff tests """
330 tun6_encrypt_node_name = "esp6-encrypt-tun"
331 tun6_decrypt_node_name = "esp6-decrypt-tun"
332
333
334class TestIpsec4TunIfEspHandoff(TemplateIpsec4TunIfEsp,
335 IpsecTun4HandoffTests):
336 """ Ipsec ESP 4 Handoff tests """
337 tun4_encrypt_node_name = "esp4-encrypt-tun"
338 tun4_decrypt_node_name = "esp4-decrypt-tun"
339
340
Neale Ranns2ac885c2019-03-20 18:24:43 +0000341class TestIpsec4MultiTunIfEsp(TemplateIpsec, IpsecTun4):
342 """ IPsec IPv4 Multi Tunnel interface """
343
344 encryption_type = ESP
Klement Sekera6aa58b72019-05-16 14:34:55 +0200345 tun4_encrypt_node_name = "esp4-encrypt-tun"
Neale Ranns12989b52019-09-26 16:20:19 +0000346 tun4_decrypt_node_name = "esp4-decrypt-tun"
Neale Ranns2ac885c2019-03-20 18:24:43 +0000347
348 def setUp(self):
349 super(TestIpsec4MultiTunIfEsp, self).setUp()
350
351 self.tun_if = self.pg0
352
353 self.multi_params = []
Neale Ranns12989b52019-09-26 16:20:19 +0000354 self.pg0.generate_remote_hosts(10)
355 self.pg0.configure_ipv4_neighbors()
Neale Ranns2ac885c2019-03-20 18:24:43 +0000356
357 for ii in range(10):
358 p = copy.copy(self.ipv4_params)
359
360 p.remote_tun_if_host = "1.1.1.%d" % (ii + 1)
361 p.scapy_tun_sa_id = p.scapy_tun_sa_id + ii
362 p.scapy_tun_spi = p.scapy_tun_spi + ii
363 p.vpp_tun_sa_id = p.vpp_tun_sa_id + ii
364 p.vpp_tun_spi = p.vpp_tun_spi + ii
365
366 p.scapy_tra_sa_id = p.scapy_tra_sa_id + ii
367 p.scapy_tra_spi = p.scapy_tra_spi + ii
368 p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii
369 p.vpp_tra_spi = p.vpp_tra_spi + ii
Neale Ranns02950402019-12-20 00:54:57 +0000370 p.tun_dst = self.pg0.remote_hosts[ii].ip4
Neale Ranns2ac885c2019-03-20 18:24:43 +0000371
Neale Ranns2ac885c2019-03-20 18:24:43 +0000372 p.tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
373 p.scapy_tun_spi,
374 p.crypt_algo_vpp_id,
375 p.crypt_key, p.crypt_key,
376 p.auth_algo_vpp_id, p.auth_key,
Neale Ranns12989b52019-09-26 16:20:19 +0000377 p.auth_key,
Neale Ranns02950402019-12-20 00:54:57 +0000378 dst=p.tun_dst)
Neale Ranns2ac885c2019-03-20 18:24:43 +0000379 p.tun_if.add_vpp_config()
380 p.tun_if.admin_up()
381 p.tun_if.config_ip4()
Neale Ranns12989b52019-09-26 16:20:19 +0000382 config_tun_params(p, self.encryption_type, p.tun_if)
383 self.multi_params.append(p)
Neale Ranns2ac885c2019-03-20 18:24:43 +0000384
385 VppIpRoute(self, p.remote_tun_if_host, 32,
386 [VppRoutePath(p.tun_if.remote_ip4,
387 0xffffffff)]).add_vpp_config()
388
389 def tearDown(self):
Neale Ranns2ac885c2019-03-20 18:24:43 +0000390 super(TestIpsec4MultiTunIfEsp, self).tearDown()
391
392 def test_tun_44(self):
393 """Multiple IPSEC tunnel interfaces """
394 for p in self.multi_params:
395 self.verify_tun_44(p, count=127)
396 c = p.tun_if.get_rx_stats()
397 self.assertEqual(c['packets'], 127)
398 c = p.tun_if.get_tx_stats()
399 self.assertEqual(c['packets'], 127)
400
Neale Ranns02950402019-12-20 00:54:57 +0000401 def test_tun_rr_44(self):
402 """ Round-robin packets acrros multiple interface """
403 tx = []
404 for p in self.multi_params:
Neale Ranns28287212019-12-16 00:53:11 +0000405 tx = tx + self.gen_encrypt_pkts(p, p.scapy_tun_sa, self.tun_if,
Neale Ranns02950402019-12-20 00:54:57 +0000406 src=p.remote_tun_if_host,
407 dst=self.pg1.remote_ip4)
408 rxs = self.send_and_expect(self.tun_if, tx, self.pg1)
409
410 for rx, p in zip(rxs, self.multi_params):
411 self.verify_decrypted(p, [rx])
412
413 tx = []
414 for p in self.multi_params:
415 tx = tx + self.gen_pkts(self.pg1, src=self.pg1.remote_ip4,
416 dst=p.remote_tun_if_host)
417 rxs = self.send_and_expect(self.pg1, tx, self.tun_if)
418
419 for rx, p in zip(rxs, self.multi_params):
420 self.verify_encrypted(p, p.vpp_tun_sa, [rx])
421
Neale Ranns2ac885c2019-03-20 18:24:43 +0000422
Neale Ranns47feb112019-04-11 15:14:07 +0000423class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4):
424 """ IPsec IPv4 Tunnel interface all Algos """
425
426 encryption_type = ESP
Klement Sekera6aa58b72019-05-16 14:34:55 +0200427 tun4_encrypt_node_name = "esp4-encrypt-tun"
Neale Ranns12989b52019-09-26 16:20:19 +0000428 tun4_decrypt_node_name = "esp4-decrypt-tun"
Neale Ranns47feb112019-04-11 15:14:07 +0000429
430 def config_network(self, p):
Neale Ranns47feb112019-04-11 15:14:07 +0000431
432 p.tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
433 p.scapy_tun_spi,
434 p.crypt_algo_vpp_id,
435 p.crypt_key, p.crypt_key,
436 p.auth_algo_vpp_id, p.auth_key,
Neale Ranns80f6fd52019-04-16 02:41:34 +0000437 p.auth_key,
438 salt=p.salt)
Neale Ranns47feb112019-04-11 15:14:07 +0000439 p.tun_if.add_vpp_config()
440 p.tun_if.admin_up()
441 p.tun_if.config_ip4()
Neale Ranns12989b52019-09-26 16:20:19 +0000442 config_tun_params(p, self.encryption_type, p.tun_if)
Neale Ranns47feb112019-04-11 15:14:07 +0000443 self.logger.info(self.vapi.cli("sh ipsec sa 0"))
444 self.logger.info(self.vapi.cli("sh ipsec sa 1"))
445
446 p.route = VppIpRoute(self, p.remote_tun_if_host, 32,
447 [VppRoutePath(p.tun_if.remote_ip4,
448 0xffffffff)])
449 p.route.add_vpp_config()
450
451 def unconfig_network(self, p):
452 p.tun_if.unconfig_ip4()
453 p.tun_if.remove_vpp_config()
454 p.route.remove_vpp_config()
455
456 def setUp(self):
457 super(TestIpsec4TunIfEspAll, self).setUp()
458
459 self.tun_if = self.pg0
460
461 def tearDown(self):
462 super(TestIpsec4TunIfEspAll, self).tearDown()
463
Neale Rannsd6c9e822019-04-17 16:29:00 -0700464 def rekey(self, p):
465 #
466 # change the key and the SPI
467 #
Ole Troan64e978b2019-10-17 21:40:36 +0200468 p.crypt_key = b'X' + p.crypt_key[1:]
Neale Rannsd6c9e822019-04-17 16:29:00 -0700469 p.scapy_tun_spi += 1
470 p.scapy_tun_sa_id += 1
471 p.vpp_tun_spi += 1
472 p.vpp_tun_sa_id += 1
473 p.tun_if.local_spi = p.vpp_tun_spi
474 p.tun_if.remote_spi = p.scapy_tun_spi
475
Neale Ranns12989b52019-09-26 16:20:19 +0000476 config_tun_params(p, self.encryption_type, p.tun_if)
Neale Rannsd6c9e822019-04-17 16:29:00 -0700477
478 p.tun_sa_in = VppIpsecSA(self,
479 p.scapy_tun_sa_id,
480 p.scapy_tun_spi,
481 p.auth_algo_vpp_id,
482 p.auth_key,
483 p.crypt_algo_vpp_id,
484 p.crypt_key,
485 self.vpp_esp_protocol,
Neale Rannsd6c9e822019-04-17 16:29:00 -0700486 flags=p.flags,
487 salt=p.salt)
488 p.tun_sa_out = VppIpsecSA(self,
489 p.vpp_tun_sa_id,
490 p.vpp_tun_spi,
491 p.auth_algo_vpp_id,
492 p.auth_key,
493 p.crypt_algo_vpp_id,
494 p.crypt_key,
495 self.vpp_esp_protocol,
Neale Rannsd6c9e822019-04-17 16:29:00 -0700496 flags=p.flags,
497 salt=p.salt)
498 p.tun_sa_in.add_vpp_config()
499 p.tun_sa_out.add_vpp_config()
500
501 self.vapi.ipsec_tunnel_if_set_sa(sw_if_index=p.tun_if.sw_if_index,
502 sa_id=p.tun_sa_in.id,
503 is_outbound=1)
504 self.vapi.ipsec_tunnel_if_set_sa(sw_if_index=p.tun_if.sw_if_index,
505 sa_id=p.tun_sa_out.id,
506 is_outbound=0)
507 self.logger.info(self.vapi.cli("sh ipsec sa"))
508
Neale Ranns47feb112019-04-11 15:14:07 +0000509 def test_tun_44(self):
510 """IPSEC tunnel all algos """
511
512 # foreach VPP crypto engine
513 engines = ["ia32", "ipsecmb", "openssl"]
514
515 # foreach crypto algorithm
516 algos = [{'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
517 IPSEC_API_CRYPTO_ALG_AES_GCM_128),
518 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
519 IPSEC_API_INTEG_ALG_NONE),
520 'scapy-crypto': "AES-GCM",
521 'scapy-integ': "NULL",
Ole Troan64e978b2019-10-17 21:40:36 +0200522 'key': b"JPjyOWBeVEQiMe7h",
Neale Ranns80f6fd52019-04-16 02:41:34 +0000523 'salt': 3333},
Neale Ranns47feb112019-04-11 15:14:07 +0000524 {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
525 IPSEC_API_CRYPTO_ALG_AES_GCM_192),
526 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
527 IPSEC_API_INTEG_ALG_NONE),
528 'scapy-crypto': "AES-GCM",
529 'scapy-integ': "NULL",
Ole Troan64e978b2019-10-17 21:40:36 +0200530 'key': b"JPjyOWBeVEQiMe7hJPjyOWBe",
Neale Ranns80f6fd52019-04-16 02:41:34 +0000531 'salt': 0},
Neale Ranns47feb112019-04-11 15:14:07 +0000532 {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
533 IPSEC_API_CRYPTO_ALG_AES_GCM_256),
534 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
535 IPSEC_API_INTEG_ALG_NONE),
536 'scapy-crypto': "AES-GCM",
537 'scapy-integ': "NULL",
Ole Troan64e978b2019-10-17 21:40:36 +0200538 'key': b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h",
Neale Ranns80f6fd52019-04-16 02:41:34 +0000539 'salt': 9999},
Neale Ranns47feb112019-04-11 15:14:07 +0000540 {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
541 IPSEC_API_CRYPTO_ALG_AES_CBC_128),
542 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
543 IPSEC_API_INTEG_ALG_SHA1_96),
544 'scapy-crypto': "AES-CBC",
545 'scapy-integ': "HMAC-SHA1-96",
Neale Ranns80f6fd52019-04-16 02:41:34 +0000546 'salt': 0,
Ole Troan64e978b2019-10-17 21:40:36 +0200547 'key': b"JPjyOWBeVEQiMe7h"},
Neale Ranns47feb112019-04-11 15:14:07 +0000548 {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
549 IPSEC_API_CRYPTO_ALG_AES_CBC_192),
550 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
Neale Ranns970187b2020-10-07 13:58:56 +0000551 IPSEC_API_INTEG_ALG_SHA_512_256),
Neale Ranns47feb112019-04-11 15:14:07 +0000552 'scapy-crypto': "AES-CBC",
Neale Ranns970187b2020-10-07 13:58:56 +0000553 'scapy-integ': "SHA2-512-256",
Neale Ranns80f6fd52019-04-16 02:41:34 +0000554 'salt': 0,
Ole Troan64e978b2019-10-17 21:40:36 +0200555 'key': b"JPjyOWBeVEQiMe7hJPjyOWBe"},
Neale Ranns47feb112019-04-11 15:14:07 +0000556 {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
557 IPSEC_API_CRYPTO_ALG_AES_CBC_256),
558 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
Neale Ranns970187b2020-10-07 13:58:56 +0000559 IPSEC_API_INTEG_ALG_SHA_256_128),
Neale Ranns47feb112019-04-11 15:14:07 +0000560 'scapy-crypto': "AES-CBC",
Neale Ranns970187b2020-10-07 13:58:56 +0000561 'scapy-integ': "SHA2-256-128",
Neale Ranns80f6fd52019-04-16 02:41:34 +0000562 'salt': 0,
Ole Troan64e978b2019-10-17 21:40:36 +0200563 'key': b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"},
Neale Ranns2cdcd0c2019-08-27 12:26:14 +0000564 {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
565 IPSEC_API_CRYPTO_ALG_NONE),
566 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
567 IPSEC_API_INTEG_ALG_SHA1_96),
568 'scapy-crypto': "NULL",
569 'scapy-integ': "HMAC-SHA1-96",
570 'salt': 0,
Ole Troan64e978b2019-10-17 21:40:36 +0200571 'key': b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"}]
Neale Ranns47feb112019-04-11 15:14:07 +0000572
573 for engine in engines:
574 self.vapi.cli("set crypto handler all %s" % engine)
575
576 #
577 # loop through each of the algorithms
578 #
579 for algo in algos:
580 # with self.subTest(algo=algo['scapy']):
581
582 p = copy.copy(self.ipv4_params)
583 p.auth_algo_vpp_id = algo['vpp-integ']
584 p.crypt_algo_vpp_id = algo['vpp-crypto']
585 p.crypt_algo = algo['scapy-crypto']
586 p.auth_algo = algo['scapy-integ']
587 p.crypt_key = algo['key']
Neale Ranns80f6fd52019-04-16 02:41:34 +0000588 p.salt = algo['salt']
Neale Ranns47feb112019-04-11 15:14:07 +0000589
590 self.config_network(p)
591
592 self.verify_tun_44(p, count=127)
593 c = p.tun_if.get_rx_stats()
594 self.assertEqual(c['packets'], 127)
595 c = p.tun_if.get_tx_stats()
596 self.assertEqual(c['packets'], 127)
597
Neale Rannsd6c9e822019-04-17 16:29:00 -0700598 #
599 # rekey the tunnel
600 #
601 self.rekey(p)
602 self.verify_tun_44(p, count=127)
603
Neale Ranns47feb112019-04-11 15:14:07 +0000604 self.unconfig_network(p)
Neale Rannsd6c9e822019-04-17 16:29:00 -0700605 p.tun_sa_out.remove_vpp_config()
606 p.tun_sa_in.remove_vpp_config()
Neale Ranns47feb112019-04-11 15:14:07 +0000607
608
Neale Ranns02950402019-12-20 00:54:57 +0000609class TestIpsec4TunIfEspNoAlgo(TemplateIpsec, IpsecTun4):
Neale Ranns4ec36c52020-03-31 09:21:29 -0400610 """ IPsec IPv4 Tunnel interface no Algos """
Neale Ranns02950402019-12-20 00:54:57 +0000611
612 encryption_type = ESP
613 tun4_encrypt_node_name = "esp4-encrypt-tun"
614 tun4_decrypt_node_name = "esp4-decrypt-tun"
615
616 def config_network(self, p):
617
618 p.auth_algo_vpp_id = (VppEnum.vl_api_ipsec_integ_alg_t.
619 IPSEC_API_INTEG_ALG_NONE)
620 p.auth_algo = 'NULL'
621 p.auth_key = []
622
623 p.crypt_algo_vpp_id = (VppEnum.vl_api_ipsec_crypto_alg_t.
624 IPSEC_API_CRYPTO_ALG_NONE)
625 p.crypt_algo = 'NULL'
626 p.crypt_key = []
627
628 p.tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
629 p.scapy_tun_spi,
630 p.crypt_algo_vpp_id,
631 p.crypt_key, p.crypt_key,
632 p.auth_algo_vpp_id, p.auth_key,
633 p.auth_key,
634 salt=p.salt)
635 p.tun_if.add_vpp_config()
636 p.tun_if.admin_up()
637 p.tun_if.config_ip4()
638 config_tun_params(p, self.encryption_type, p.tun_if)
639 self.logger.info(self.vapi.cli("sh ipsec sa 0"))
640 self.logger.info(self.vapi.cli("sh ipsec sa 1"))
641
642 p.route = VppIpRoute(self, p.remote_tun_if_host, 32,
643 [VppRoutePath(p.tun_if.remote_ip4,
644 0xffffffff)])
645 p.route.add_vpp_config()
646
647 def unconfig_network(self, p):
648 p.tun_if.unconfig_ip4()
649 p.tun_if.remove_vpp_config()
650 p.route.remove_vpp_config()
651
652 def setUp(self):
653 super(TestIpsec4TunIfEspNoAlgo, self).setUp()
654
655 self.tun_if = self.pg0
656
657 def tearDown(self):
658 super(TestIpsec4TunIfEspNoAlgo, self).tearDown()
659
660 def test_tun_44(self):
Neale Ranns4ec36c52020-03-31 09:21:29 -0400661 """ IPSec SA with NULL algos """
Neale Ranns02950402019-12-20 00:54:57 +0000662 p = self.ipv4_params
663
664 self.config_network(p)
665
666 tx = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4,
667 dst=p.remote_tun_if_host)
668 self.send_and_assert_no_replies(self.pg1, tx)
669
670 self.unconfig_network(p)
671
672
Neale Ranns2ac885c2019-03-20 18:24:43 +0000673class TestIpsec6MultiTunIfEsp(TemplateIpsec, IpsecTun6):
Paul Vinciguerra8feeaff2019-03-27 11:25:48 -0700674 """ IPsec IPv6 Multi Tunnel interface """
Neale Ranns2ac885c2019-03-20 18:24:43 +0000675
676 encryption_type = ESP
Klement Sekera6aa58b72019-05-16 14:34:55 +0200677 tun6_encrypt_node_name = "esp6-encrypt-tun"
Neale Ranns12989b52019-09-26 16:20:19 +0000678 tun6_decrypt_node_name = "esp6-decrypt-tun"
Neale Ranns2ac885c2019-03-20 18:24:43 +0000679
680 def setUp(self):
681 super(TestIpsec6MultiTunIfEsp, self).setUp()
682
683 self.tun_if = self.pg0
684
685 self.multi_params = []
Neale Ranns12989b52019-09-26 16:20:19 +0000686 self.pg0.generate_remote_hosts(10)
687 self.pg0.configure_ipv6_neighbors()
Neale Ranns2ac885c2019-03-20 18:24:43 +0000688
689 for ii in range(10):
690 p = copy.copy(self.ipv6_params)
691
692 p.remote_tun_if_host = "1111::%d" % (ii + 1)
693 p.scapy_tun_sa_id = p.scapy_tun_sa_id + ii
694 p.scapy_tun_spi = p.scapy_tun_spi + ii
695 p.vpp_tun_sa_id = p.vpp_tun_sa_id + ii
696 p.vpp_tun_spi = p.vpp_tun_spi + ii
697
698 p.scapy_tra_sa_id = p.scapy_tra_sa_id + ii
699 p.scapy_tra_spi = p.scapy_tra_spi + ii
700 p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii
701 p.vpp_tra_spi = p.vpp_tra_spi + ii
702
Neale Ranns2ac885c2019-03-20 18:24:43 +0000703 p.tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
704 p.scapy_tun_spi,
705 p.crypt_algo_vpp_id,
706 p.crypt_key, p.crypt_key,
707 p.auth_algo_vpp_id, p.auth_key,
Neale Ranns12989b52019-09-26 16:20:19 +0000708 p.auth_key, is_ip6=True,
709 dst=self.pg0.remote_hosts[ii].ip6)
Neale Ranns2ac885c2019-03-20 18:24:43 +0000710 p.tun_if.add_vpp_config()
711 p.tun_if.admin_up()
712 p.tun_if.config_ip6()
Neale Ranns12989b52019-09-26 16:20:19 +0000713 config_tun_params(p, self.encryption_type, p.tun_if)
714 self.multi_params.append(p)
Neale Ranns2ac885c2019-03-20 18:24:43 +0000715
Neale Ranns097fa662018-05-01 05:17:55 -0700716 r = VppIpRoute(self, p.remote_tun_if_host, 128,
717 [VppRoutePath(p.tun_if.remote_ip6,
718 0xffffffff,
719 proto=DpoProto.DPO_PROTO_IP6)])
720 r.add_vpp_config()
Neale Ranns2ac885c2019-03-20 18:24:43 +0000721
722 def tearDown(self):
Neale Ranns2ac885c2019-03-20 18:24:43 +0000723 super(TestIpsec6MultiTunIfEsp, self).tearDown()
724
725 def test_tun_66(self):
726 """Multiple IPSEC tunnel interfaces """
727 for p in self.multi_params:
728 self.verify_tun_66(p, count=127)
729 c = p.tun_if.get_rx_stats()
730 self.assertEqual(c['packets'], 127)
731 c = p.tun_if.get_tx_stats()
732 self.assertEqual(c['packets'], 127)
733
734
Neale Rannsc87b66c2019-02-07 07:26:12 -0800735class TestIpsecGreTebIfEsp(TemplateIpsec,
736 IpsecTun4Tests):
737 """ Ipsec GRE TEB ESP - TUN tests """
738 tun4_encrypt_node_name = "esp4-encrypt-tun"
739 tun4_decrypt_node_name = "esp4-decrypt-tun"
Neale Rannsf05e7322019-03-29 20:23:58 +0000740 encryption_type = ESP
741 omac = "00:11:22:33:44:55"
742
Neale Ranns28287212019-12-16 00:53:11 +0000743 def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1,
Neale Rannsf05e7322019-03-29 20:23:58 +0000744 payload_size=100):
745 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
746 sa.encrypt(IP(src=self.pg0.remote_ip4,
747 dst=self.pg0.local_ip4) /
748 GRE() /
749 Ether(dst=self.omac) /
750 IP(src="1.1.1.1", dst="1.1.1.2") /
751 UDP(sport=1144, dport=2233) /
Ole Troan770a0de2019-11-07 13:52:21 +0100752 Raw(b'X' * payload_size))
Neale Rannsf05e7322019-03-29 20:23:58 +0000753 for i in range(count)]
754
755 def gen_pkts(self, sw_intf, src, dst, count=1,
756 payload_size=100):
757 return [Ether(dst=self.omac) /
758 IP(src="1.1.1.1", dst="1.1.1.2") /
759 UDP(sport=1144, dport=2233) /
Ole Troan770a0de2019-11-07 13:52:21 +0100760 Raw(b'X' * payload_size)
Neale Rannsf05e7322019-03-29 20:23:58 +0000761 for i in range(count)]
762
763 def verify_decrypted(self, p, rxs):
764 for rx in rxs:
765 self.assert_equal(rx[Ether].dst, self.omac)
766 self.assert_equal(rx[IP].dst, "1.1.1.2")
767
768 def verify_encrypted(self, p, sa, rxs):
769 for rx in rxs:
770 try:
771 pkt = sa.decrypt(rx[IP])
772 if not pkt.haslayer(IP):
773 pkt = IP(pkt[Raw].load)
774 self.assert_packet_checksums_valid(pkt)
775 self.assert_equal(pkt[IP].dst, self.pg0.remote_ip4)
776 self.assert_equal(pkt[IP].src, self.pg0.local_ip4)
777 self.assertTrue(pkt.haslayer(GRE))
778 e = pkt[Ether]
779 self.assertEqual(e[Ether].dst, self.omac)
780 self.assertEqual(e[IP].dst, "1.1.1.2")
781 except (IndexError, AssertionError):
782 self.logger.debug(ppp("Unexpected packet:", rx))
783 try:
784 self.logger.debug(ppp("Decrypted packet:", pkt))
785 except:
786 pass
787 raise
788
789 def setUp(self):
Neale Rannsc87b66c2019-02-07 07:26:12 -0800790 super(TestIpsecGreTebIfEsp, self).setUp()
Neale Rannsf05e7322019-03-29 20:23:58 +0000791
792 self.tun_if = self.pg0
793
794 p = self.ipv4_params
795
796 bd1 = VppBridgeDomain(self, 1)
797 bd1.add_vpp_config()
798
799 p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
800 p.auth_algo_vpp_id, p.auth_key,
801 p.crypt_algo_vpp_id, p.crypt_key,
802 self.vpp_esp_protocol,
803 self.pg0.local_ip4,
804 self.pg0.remote_ip4)
805 p.tun_sa_out.add_vpp_config()
806
807 p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
808 p.auth_algo_vpp_id, p.auth_key,
809 p.crypt_algo_vpp_id, p.crypt_key,
810 self.vpp_esp_protocol,
811 self.pg0.remote_ip4,
812 self.pg0.local_ip4)
813 p.tun_sa_in.add_vpp_config()
814
Neale Ranns12989b52019-09-26 16:20:19 +0000815 p.tun_if = VppGreInterface(self,
Neale Rannsc87b66c2019-02-07 07:26:12 -0800816 self.pg0.local_ip4,
817 self.pg0.remote_ip4,
818 type=(VppEnum.vl_api_gre_tunnel_type_t.
819 GRE_API_TUNNEL_TYPE_TEB))
Neale Ranns12989b52019-09-26 16:20:19 +0000820 p.tun_if.add_vpp_config()
Neale Rannsc87b66c2019-02-07 07:26:12 -0800821
822 p.tun_protect = VppIpsecTunProtect(self,
Neale Ranns12989b52019-09-26 16:20:19 +0000823 p.tun_if,
Neale Rannsc87b66c2019-02-07 07:26:12 -0800824 p.tun_sa_out,
825 [p.tun_sa_in])
826
827 p.tun_protect.add_vpp_config()
828
Neale Ranns12989b52019-09-26 16:20:19 +0000829 p.tun_if.admin_up()
830 p.tun_if.config_ip4()
831 config_tun_params(p, self.encryption_type, p.tun_if)
Neale Rannsf05e7322019-03-29 20:23:58 +0000832
Neale Ranns12989b52019-09-26 16:20:19 +0000833 VppBridgeDomainPort(self, bd1, p.tun_if).add_vpp_config()
Neale Rannsf05e7322019-03-29 20:23:58 +0000834 VppBridgeDomainPort(self, bd1, self.pg1).add_vpp_config()
835
Neale Rannsc87b66c2019-02-07 07:26:12 -0800836 self.vapi.cli("clear ipsec sa")
Neale Ranns28287212019-12-16 00:53:11 +0000837 self.vapi.cli("sh adj")
838 self.vapi.cli("sh ipsec tun")
Neale Rannsc87b66c2019-02-07 07:26:12 -0800839
Neale Rannsf05e7322019-03-29 20:23:58 +0000840 def tearDown(self):
Neale Ranns12989b52019-09-26 16:20:19 +0000841 p = self.ipv4_params
842 p.tun_if.unconfig_ip4()
Neale Rannsc87b66c2019-02-07 07:26:12 -0800843 super(TestIpsecGreTebIfEsp, self).tearDown()
Neale Rannsf05e7322019-03-29 20:23:58 +0000844
845
John Lo90430b62020-01-31 23:48:30 -0500846class TestIpsecGreTebVlanIfEsp(TemplateIpsec,
847 IpsecTun4Tests):
848 """ Ipsec GRE TEB ESP - TUN tests """
849 tun4_encrypt_node_name = "esp4-encrypt-tun"
850 tun4_decrypt_node_name = "esp4-decrypt-tun"
851 encryption_type = ESP
852 omac = "00:11:22:33:44:55"
853
Neale Ranns28287212019-12-16 00:53:11 +0000854 def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1,
John Lo90430b62020-01-31 23:48:30 -0500855 payload_size=100):
856 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
857 sa.encrypt(IP(src=self.pg0.remote_ip4,
858 dst=self.pg0.local_ip4) /
859 GRE() /
860 Ether(dst=self.omac) /
861 IP(src="1.1.1.1", dst="1.1.1.2") /
862 UDP(sport=1144, dport=2233) /
863 Raw(b'X' * payload_size))
864 for i in range(count)]
865
866 def gen_pkts(self, sw_intf, src, dst, count=1,
867 payload_size=100):
868 return [Ether(dst=self.omac) /
869 Dot1Q(vlan=11) /
870 IP(src="1.1.1.1", dst="1.1.1.2") /
871 UDP(sport=1144, dport=2233) /
872 Raw(b'X' * payload_size)
873 for i in range(count)]
874
875 def verify_decrypted(self, p, rxs):
876 for rx in rxs:
877 self.assert_equal(rx[Ether].dst, self.omac)
878 self.assert_equal(rx[Dot1Q].vlan, 11)
879 self.assert_equal(rx[IP].dst, "1.1.1.2")
880
881 def verify_encrypted(self, p, sa, rxs):
882 for rx in rxs:
883 try:
884 pkt = sa.decrypt(rx[IP])
885 if not pkt.haslayer(IP):
886 pkt = IP(pkt[Raw].load)
887 self.assert_packet_checksums_valid(pkt)
888 self.assert_equal(pkt[IP].dst, self.pg0.remote_ip4)
889 self.assert_equal(pkt[IP].src, self.pg0.local_ip4)
890 self.assertTrue(pkt.haslayer(GRE))
891 e = pkt[Ether]
892 self.assertEqual(e[Ether].dst, self.omac)
893 self.assertFalse(e.haslayer(Dot1Q))
894 self.assertEqual(e[IP].dst, "1.1.1.2")
895 except (IndexError, AssertionError):
896 self.logger.debug(ppp("Unexpected packet:", rx))
897 try:
898 self.logger.debug(ppp("Decrypted packet:", pkt))
899 except:
900 pass
901 raise
902
903 def setUp(self):
904 super(TestIpsecGreTebVlanIfEsp, self).setUp()
905
906 self.tun_if = self.pg0
907
908 p = self.ipv4_params
909
910 bd1 = VppBridgeDomain(self, 1)
911 bd1.add_vpp_config()
912
913 self.pg1_11 = VppDot1QSubint(self, self.pg1, 11)
914 self.vapi.l2_interface_vlan_tag_rewrite(
915 sw_if_index=self.pg1_11.sw_if_index, vtr_op=L2_VTR_OP.L2_POP_1,
916 push_dot1q=11)
917 self.pg1_11.admin_up()
918
919 p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
920 p.auth_algo_vpp_id, p.auth_key,
921 p.crypt_algo_vpp_id, p.crypt_key,
922 self.vpp_esp_protocol,
923 self.pg0.local_ip4,
924 self.pg0.remote_ip4)
925 p.tun_sa_out.add_vpp_config()
926
927 p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
928 p.auth_algo_vpp_id, p.auth_key,
929 p.crypt_algo_vpp_id, p.crypt_key,
930 self.vpp_esp_protocol,
931 self.pg0.remote_ip4,
932 self.pg0.local_ip4)
933 p.tun_sa_in.add_vpp_config()
934
935 p.tun_if = VppGreInterface(self,
936 self.pg0.local_ip4,
937 self.pg0.remote_ip4,
938 type=(VppEnum.vl_api_gre_tunnel_type_t.
939 GRE_API_TUNNEL_TYPE_TEB))
940 p.tun_if.add_vpp_config()
941
942 p.tun_protect = VppIpsecTunProtect(self,
943 p.tun_if,
944 p.tun_sa_out,
945 [p.tun_sa_in])
946
947 p.tun_protect.add_vpp_config()
948
949 p.tun_if.admin_up()
950 p.tun_if.config_ip4()
951 config_tun_params(p, self.encryption_type, p.tun_if)
952
953 VppBridgeDomainPort(self, bd1, p.tun_if).add_vpp_config()
954 VppBridgeDomainPort(self, bd1, self.pg1_11).add_vpp_config()
955
956 self.vapi.cli("clear ipsec sa")
957
958 def tearDown(self):
959 p = self.ipv4_params
960 p.tun_if.unconfig_ip4()
961 super(TestIpsecGreTebVlanIfEsp, self).tearDown()
962 self.pg1_11.admin_down()
963 self.pg1_11.remove_vpp_config()
964
965
Neale Ranns568acbb2019-12-18 05:54:40 +0000966class TestIpsecGreTebIfEspTra(TemplateIpsec,
967 IpsecTun4Tests):
968 """ Ipsec GRE TEB ESP - Tra tests """
969 tun4_encrypt_node_name = "esp4-encrypt-tun"
970 tun4_decrypt_node_name = "esp4-decrypt-tun"
971 encryption_type = ESP
972 omac = "00:11:22:33:44:55"
973
Neale Ranns28287212019-12-16 00:53:11 +0000974 def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1,
Neale Ranns568acbb2019-12-18 05:54:40 +0000975 payload_size=100):
976 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
977 sa.encrypt(IP(src=self.pg0.remote_ip4,
978 dst=self.pg0.local_ip4) /
979 GRE() /
980 Ether(dst=self.omac) /
981 IP(src="1.1.1.1", dst="1.1.1.2") /
982 UDP(sport=1144, dport=2233) /
983 Raw(b'X' * payload_size))
984 for i in range(count)]
985
986 def gen_pkts(self, sw_intf, src, dst, count=1,
987 payload_size=100):
988 return [Ether(dst=self.omac) /
989 IP(src="1.1.1.1", dst="1.1.1.2") /
990 UDP(sport=1144, dport=2233) /
991 Raw(b'X' * payload_size)
992 for i in range(count)]
993
994 def verify_decrypted(self, p, rxs):
995 for rx in rxs:
996 self.assert_equal(rx[Ether].dst, self.omac)
997 self.assert_equal(rx[IP].dst, "1.1.1.2")
998
999 def verify_encrypted(self, p, sa, rxs):
1000 for rx in rxs:
1001 try:
1002 pkt = sa.decrypt(rx[IP])
1003 if not pkt.haslayer(IP):
1004 pkt = IP(pkt[Raw].load)
1005 self.assert_packet_checksums_valid(pkt)
1006 self.assert_equal(pkt[IP].dst, self.pg0.remote_ip4)
1007 self.assert_equal(pkt[IP].src, self.pg0.local_ip4)
1008 self.assertTrue(pkt.haslayer(GRE))
1009 e = pkt[Ether]
1010 self.assertEqual(e[Ether].dst, self.omac)
1011 self.assertEqual(e[IP].dst, "1.1.1.2")
1012 except (IndexError, AssertionError):
1013 self.logger.debug(ppp("Unexpected packet:", rx))
1014 try:
1015 self.logger.debug(ppp("Decrypted packet:", pkt))
1016 except:
1017 pass
1018 raise
1019
1020 def setUp(self):
1021 super(TestIpsecGreTebIfEspTra, self).setUp()
1022
1023 self.tun_if = self.pg0
1024
1025 p = self.ipv4_params
1026
1027 bd1 = VppBridgeDomain(self, 1)
1028 bd1.add_vpp_config()
1029
1030 p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
1031 p.auth_algo_vpp_id, p.auth_key,
1032 p.crypt_algo_vpp_id, p.crypt_key,
1033 self.vpp_esp_protocol)
1034 p.tun_sa_out.add_vpp_config()
1035
1036 p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
1037 p.auth_algo_vpp_id, p.auth_key,
1038 p.crypt_algo_vpp_id, p.crypt_key,
1039 self.vpp_esp_protocol)
1040 p.tun_sa_in.add_vpp_config()
1041
1042 p.tun_if = VppGreInterface(self,
1043 self.pg0.local_ip4,
1044 self.pg0.remote_ip4,
1045 type=(VppEnum.vl_api_gre_tunnel_type_t.
1046 GRE_API_TUNNEL_TYPE_TEB))
1047 p.tun_if.add_vpp_config()
1048
1049 p.tun_protect = VppIpsecTunProtect(self,
1050 p.tun_if,
1051 p.tun_sa_out,
1052 [p.tun_sa_in])
1053
1054 p.tun_protect.add_vpp_config()
1055
1056 p.tun_if.admin_up()
1057 p.tun_if.config_ip4()
1058 config_tra_params(p, self.encryption_type, p.tun_if)
1059
1060 VppBridgeDomainPort(self, bd1, p.tun_if).add_vpp_config()
1061 VppBridgeDomainPort(self, bd1, self.pg1).add_vpp_config()
1062
1063 self.vapi.cli("clear ipsec sa")
1064
1065 def tearDown(self):
1066 p = self.ipv4_params
1067 p.tun_if.unconfig_ip4()
1068 super(TestIpsecGreTebIfEspTra, self).tearDown()
1069
1070
Neale Rannsabc56602020-04-01 09:45:23 +00001071class TestIpsecGreTebUdpIfEspTra(TemplateIpsec,
1072 IpsecTun4Tests):
1073 """ Ipsec GRE TEB UDP ESP - Tra tests """
1074 tun4_encrypt_node_name = "esp4-encrypt-tun"
1075 tun4_decrypt_node_name = "esp4-decrypt-tun"
1076 encryption_type = ESP
1077 omac = "00:11:22:33:44:55"
1078
1079 def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1,
1080 payload_size=100):
1081 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
1082 sa.encrypt(IP(src=self.pg0.remote_ip4,
1083 dst=self.pg0.local_ip4) /
1084 GRE() /
1085 Ether(dst=self.omac) /
1086 IP(src="1.1.1.1", dst="1.1.1.2") /
1087 UDP(sport=1144, dport=2233) /
1088 Raw(b'X' * payload_size))
1089 for i in range(count)]
1090
1091 def gen_pkts(self, sw_intf, src, dst, count=1,
1092 payload_size=100):
1093 return [Ether(dst=self.omac) /
1094 IP(src="1.1.1.1", dst="1.1.1.2") /
1095 UDP(sport=1144, dport=2233) /
1096 Raw(b'X' * payload_size)
1097 for i in range(count)]
1098
1099 def verify_decrypted(self, p, rxs):
1100 for rx in rxs:
1101 self.assert_equal(rx[Ether].dst, self.omac)
1102 self.assert_equal(rx[IP].dst, "1.1.1.2")
1103
1104 def verify_encrypted(self, p, sa, rxs):
1105 for rx in rxs:
1106 self.assertTrue(rx.haslayer(UDP))
1107 self.assertEqual(rx[UDP].dport, 4545)
1108 self.assertEqual(rx[UDP].sport, 5454)
1109 try:
1110 pkt = sa.decrypt(rx[IP])
1111 if not pkt.haslayer(IP):
1112 pkt = IP(pkt[Raw].load)
1113 self.assert_packet_checksums_valid(pkt)
1114 self.assert_equal(pkt[IP].dst, self.pg0.remote_ip4)
1115 self.assert_equal(pkt[IP].src, self.pg0.local_ip4)
1116 self.assertTrue(pkt.haslayer(GRE))
1117 e = pkt[Ether]
1118 self.assertEqual(e[Ether].dst, self.omac)
1119 self.assertEqual(e[IP].dst, "1.1.1.2")
1120 except (IndexError, AssertionError):
1121 self.logger.debug(ppp("Unexpected packet:", rx))
1122 try:
1123 self.logger.debug(ppp("Decrypted packet:", pkt))
1124 except:
1125 pass
1126 raise
1127
1128 def setUp(self):
1129 super(TestIpsecGreTebUdpIfEspTra, self).setUp()
1130
1131 self.tun_if = self.pg0
1132
1133 p = self.ipv4_params
1134 p = self.ipv4_params
1135 p.flags = (VppEnum.vl_api_ipsec_sad_flags_t.
1136 IPSEC_API_SAD_FLAG_UDP_ENCAP)
1137 p.nat_header = UDP(sport=5454, dport=4545)
1138
1139 bd1 = VppBridgeDomain(self, 1)
1140 bd1.add_vpp_config()
1141
1142 p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
1143 p.auth_algo_vpp_id, p.auth_key,
1144 p.crypt_algo_vpp_id, p.crypt_key,
1145 self.vpp_esp_protocol,
1146 flags=p.flags,
1147 udp_src=5454,
1148 udp_dst=4545)
1149 p.tun_sa_out.add_vpp_config()
1150
1151 p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
1152 p.auth_algo_vpp_id, p.auth_key,
1153 p.crypt_algo_vpp_id, p.crypt_key,
1154 self.vpp_esp_protocol,
1155 flags=(p.flags |
1156 VppEnum.vl_api_ipsec_sad_flags_t.
1157 IPSEC_API_SAD_FLAG_IS_INBOUND),
1158 udp_src=5454,
1159 udp_dst=4545)
1160 p.tun_sa_in.add_vpp_config()
1161
1162 p.tun_if = VppGreInterface(self,
1163 self.pg0.local_ip4,
1164 self.pg0.remote_ip4,
1165 type=(VppEnum.vl_api_gre_tunnel_type_t.
1166 GRE_API_TUNNEL_TYPE_TEB))
1167 p.tun_if.add_vpp_config()
1168
1169 p.tun_protect = VppIpsecTunProtect(self,
1170 p.tun_if,
1171 p.tun_sa_out,
1172 [p.tun_sa_in])
1173
1174 p.tun_protect.add_vpp_config()
1175
1176 p.tun_if.admin_up()
1177 p.tun_if.config_ip4()
1178 config_tra_params(p, self.encryption_type, p.tun_if)
1179
1180 VppBridgeDomainPort(self, bd1, p.tun_if).add_vpp_config()
1181 VppBridgeDomainPort(self, bd1, self.pg1).add_vpp_config()
1182
1183 self.vapi.cli("clear ipsec sa")
1184 self.logger.info(self.vapi.cli("sh ipsec sa 0"))
1185
1186 def tearDown(self):
1187 p = self.ipv4_params
1188 p.tun_if.unconfig_ip4()
1189 super(TestIpsecGreTebUdpIfEspTra, self).tearDown()
1190
1191
Neale Rannsc87b66c2019-02-07 07:26:12 -08001192class TestIpsecGreIfEsp(TemplateIpsec,
1193 IpsecTun4Tests):
Neale Rannsf05e7322019-03-29 20:23:58 +00001194 """ Ipsec GRE ESP - TUN tests """
Neale Rannsc87b66c2019-02-07 07:26:12 -08001195 tun4_encrypt_node_name = "esp4-encrypt-tun"
1196 tun4_decrypt_node_name = "esp4-decrypt-tun"
1197 encryption_type = ESP
1198
Neale Ranns28287212019-12-16 00:53:11 +00001199 def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1,
Neale Rannsc87b66c2019-02-07 07:26:12 -08001200 payload_size=100):
1201 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
1202 sa.encrypt(IP(src=self.pg0.remote_ip4,
1203 dst=self.pg0.local_ip4) /
1204 GRE() /
1205 IP(src=self.pg1.local_ip4,
1206 dst=self.pg1.remote_ip4) /
1207 UDP(sport=1144, dport=2233) /
Ole Troan770a0de2019-11-07 13:52:21 +01001208 Raw(b'X' * payload_size))
Neale Rannsc87b66c2019-02-07 07:26:12 -08001209 for i in range(count)]
1210
1211 def gen_pkts(self, sw_intf, src, dst, count=1,
1212 payload_size=100):
1213 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
1214 IP(src="1.1.1.1", dst="1.1.1.2") /
1215 UDP(sport=1144, dport=2233) /
Ole Troan770a0de2019-11-07 13:52:21 +01001216 Raw(b'X' * payload_size)
Neale Rannsc87b66c2019-02-07 07:26:12 -08001217 for i in range(count)]
1218
1219 def verify_decrypted(self, p, rxs):
1220 for rx in rxs:
1221 self.assert_equal(rx[Ether].dst, self.pg1.remote_mac)
1222 self.assert_equal(rx[IP].dst, self.pg1.remote_ip4)
1223
1224 def verify_encrypted(self, p, sa, rxs):
1225 for rx in rxs:
1226 try:
1227 pkt = sa.decrypt(rx[IP])
1228 if not pkt.haslayer(IP):
1229 pkt = IP(pkt[Raw].load)
1230 self.assert_packet_checksums_valid(pkt)
1231 self.assert_equal(pkt[IP].dst, self.pg0.remote_ip4)
1232 self.assert_equal(pkt[IP].src, self.pg0.local_ip4)
1233 self.assertTrue(pkt.haslayer(GRE))
1234 e = pkt[GRE]
1235 self.assertEqual(e[IP].dst, "1.1.1.2")
1236 except (IndexError, AssertionError):
1237 self.logger.debug(ppp("Unexpected packet:", rx))
1238 try:
1239 self.logger.debug(ppp("Decrypted packet:", pkt))
1240 except:
1241 pass
1242 raise
1243
1244 def setUp(self):
1245 super(TestIpsecGreIfEsp, self).setUp()
1246
1247 self.tun_if = self.pg0
1248
1249 p = self.ipv4_params
1250
1251 bd1 = VppBridgeDomain(self, 1)
1252 bd1.add_vpp_config()
1253
1254 p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
1255 p.auth_algo_vpp_id, p.auth_key,
1256 p.crypt_algo_vpp_id, p.crypt_key,
1257 self.vpp_esp_protocol,
1258 self.pg0.local_ip4,
1259 self.pg0.remote_ip4)
1260 p.tun_sa_out.add_vpp_config()
1261
1262 p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
1263 p.auth_algo_vpp_id, p.auth_key,
1264 p.crypt_algo_vpp_id, p.crypt_key,
1265 self.vpp_esp_protocol,
1266 self.pg0.remote_ip4,
1267 self.pg0.local_ip4)
1268 p.tun_sa_in.add_vpp_config()
1269
Neale Ranns12989b52019-09-26 16:20:19 +00001270 p.tun_if = VppGreInterface(self,
Neale Rannsc87b66c2019-02-07 07:26:12 -08001271 self.pg0.local_ip4,
1272 self.pg0.remote_ip4)
Neale Ranns12989b52019-09-26 16:20:19 +00001273 p.tun_if.add_vpp_config()
Neale Rannsc87b66c2019-02-07 07:26:12 -08001274
1275 p.tun_protect = VppIpsecTunProtect(self,
Neale Ranns12989b52019-09-26 16:20:19 +00001276 p.tun_if,
Neale Rannsc87b66c2019-02-07 07:26:12 -08001277 p.tun_sa_out,
1278 [p.tun_sa_in])
1279 p.tun_protect.add_vpp_config()
1280
Neale Ranns12989b52019-09-26 16:20:19 +00001281 p.tun_if.admin_up()
1282 p.tun_if.config_ip4()
1283 config_tun_params(p, self.encryption_type, p.tun_if)
Neale Rannsc87b66c2019-02-07 07:26:12 -08001284
1285 VppIpRoute(self, "1.1.1.2", 32,
Neale Ranns12989b52019-09-26 16:20:19 +00001286 [VppRoutePath(p.tun_if.remote_ip4,
Neale Rannsc87b66c2019-02-07 07:26:12 -08001287 0xffffffff)]).add_vpp_config()
1288
1289 def tearDown(self):
Neale Ranns12989b52019-09-26 16:20:19 +00001290 p = self.ipv4_params
1291 p.tun_if.unconfig_ip4()
Neale Rannsc87b66c2019-02-07 07:26:12 -08001292 super(TestIpsecGreIfEsp, self).tearDown()
1293
1294
Neale Rannsabde62f2019-12-02 22:32:05 +00001295class TestIpsecGreIfEspTra(TemplateIpsec,
1296 IpsecTun4Tests):
1297 """ Ipsec GRE ESP - TRA tests """
1298 tun4_encrypt_node_name = "esp4-encrypt-tun"
1299 tun4_decrypt_node_name = "esp4-decrypt-tun"
1300 encryption_type = ESP
1301
Neale Ranns28287212019-12-16 00:53:11 +00001302 def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1,
Neale Rannsabde62f2019-12-02 22:32:05 +00001303 payload_size=100):
1304 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
1305 sa.encrypt(IP(src=self.pg0.remote_ip4,
1306 dst=self.pg0.local_ip4) /
1307 GRE() /
1308 IP(src=self.pg1.local_ip4,
1309 dst=self.pg1.remote_ip4) /
1310 UDP(sport=1144, dport=2233) /
1311 Raw(b'X' * payload_size))
1312 for i in range(count)]
1313
Neale Ranns02950402019-12-20 00:54:57 +00001314 def gen_encrypt_non_ip_pkts(self, sa, sw_intf, src, dst, count=1,
1315 payload_size=100):
1316 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
1317 sa.encrypt(IP(src=self.pg0.remote_ip4,
1318 dst=self.pg0.local_ip4) /
1319 GRE() /
1320 UDP(sport=1144, dport=2233) /
1321 Raw(b'X' * payload_size))
1322 for i in range(count)]
1323
Neale Rannsabde62f2019-12-02 22:32:05 +00001324 def gen_pkts(self, sw_intf, src, dst, count=1,
1325 payload_size=100):
1326 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
1327 IP(src="1.1.1.1", dst="1.1.1.2") /
1328 UDP(sport=1144, dport=2233) /
1329 Raw(b'X' * payload_size)
1330 for i in range(count)]
1331
1332 def verify_decrypted(self, p, rxs):
1333 for rx in rxs:
1334 self.assert_equal(rx[Ether].dst, self.pg1.remote_mac)
1335 self.assert_equal(rx[IP].dst, self.pg1.remote_ip4)
1336
1337 def verify_encrypted(self, p, sa, rxs):
1338 for rx in rxs:
1339 try:
1340 pkt = sa.decrypt(rx[IP])
1341 if not pkt.haslayer(IP):
1342 pkt = IP(pkt[Raw].load)
1343 self.assert_packet_checksums_valid(pkt)
1344 self.assertTrue(pkt.haslayer(GRE))
1345 e = pkt[GRE]
1346 self.assertEqual(e[IP].dst, "1.1.1.2")
1347 except (IndexError, AssertionError):
1348 self.logger.debug(ppp("Unexpected packet:", rx))
1349 try:
1350 self.logger.debug(ppp("Decrypted packet:", pkt))
1351 except:
1352 pass
1353 raise
1354
1355 def setUp(self):
1356 super(TestIpsecGreIfEspTra, self).setUp()
1357
1358 self.tun_if = self.pg0
1359
1360 p = self.ipv4_params
1361
Neale Rannsabde62f2019-12-02 22:32:05 +00001362 p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
1363 p.auth_algo_vpp_id, p.auth_key,
1364 p.crypt_algo_vpp_id, p.crypt_key,
1365 self.vpp_esp_protocol)
1366 p.tun_sa_out.add_vpp_config()
1367
1368 p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
1369 p.auth_algo_vpp_id, p.auth_key,
1370 p.crypt_algo_vpp_id, p.crypt_key,
1371 self.vpp_esp_protocol)
1372 p.tun_sa_in.add_vpp_config()
1373
1374 p.tun_if = VppGreInterface(self,
1375 self.pg0.local_ip4,
1376 self.pg0.remote_ip4)
1377 p.tun_if.add_vpp_config()
1378
1379 p.tun_protect = VppIpsecTunProtect(self,
1380 p.tun_if,
1381 p.tun_sa_out,
1382 [p.tun_sa_in])
1383 p.tun_protect.add_vpp_config()
1384
1385 p.tun_if.admin_up()
1386 p.tun_if.config_ip4()
Neale Ranns568acbb2019-12-18 05:54:40 +00001387 config_tra_params(p, self.encryption_type, p.tun_if)
Neale Rannsabde62f2019-12-02 22:32:05 +00001388
1389 VppIpRoute(self, "1.1.1.2", 32,
1390 [VppRoutePath(p.tun_if.remote_ip4,
1391 0xffffffff)]).add_vpp_config()
1392
1393 def tearDown(self):
1394 p = self.ipv4_params
1395 p.tun_if.unconfig_ip4()
1396 super(TestIpsecGreIfEspTra, self).tearDown()
1397
Neale Ranns02950402019-12-20 00:54:57 +00001398 def test_gre_non_ip(self):
1399 p = self.ipv4_params
1400 tx = self.gen_encrypt_non_ip_pkts(p.scapy_tun_sa, self.tun_if,
1401 src=p.remote_tun_if_host,
1402 dst=self.pg1.remote_ip6)
1403 self.send_and_assert_no_replies(self.tun_if, tx)
1404 node_name = ('/err/%s/unsupported payload' %
1405 self.tun4_decrypt_node_name)
1406 self.assertEqual(1, self.statistics.get_err_counter(node_name))
1407
1408
1409class TestIpsecGre6IfEspTra(TemplateIpsec,
1410 IpsecTun6Tests):
1411 """ Ipsec GRE ESP - TRA tests """
1412 tun6_encrypt_node_name = "esp6-encrypt-tun"
1413 tun6_decrypt_node_name = "esp6-decrypt-tun"
1414 encryption_type = ESP
1415
Neale Ranns28287212019-12-16 00:53:11 +00001416 def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1,
Neale Ranns02950402019-12-20 00:54:57 +00001417 payload_size=100):
1418 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
1419 sa.encrypt(IPv6(src=self.pg0.remote_ip6,
1420 dst=self.pg0.local_ip6) /
1421 GRE() /
1422 IPv6(src=self.pg1.local_ip6,
1423 dst=self.pg1.remote_ip6) /
1424 UDP(sport=1144, dport=2233) /
1425 Raw(b'X' * payload_size))
1426 for i in range(count)]
1427
1428 def gen_pkts6(self, sw_intf, src, dst, count=1,
1429 payload_size=100):
1430 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
1431 IPv6(src="1::1", dst="1::2") /
1432 UDP(sport=1144, dport=2233) /
1433 Raw(b'X' * payload_size)
1434 for i in range(count)]
1435
1436 def verify_decrypted6(self, p, rxs):
1437 for rx in rxs:
1438 self.assert_equal(rx[Ether].dst, self.pg1.remote_mac)
1439 self.assert_equal(rx[IPv6].dst, self.pg1.remote_ip6)
1440
1441 def verify_encrypted6(self, p, sa, rxs):
1442 for rx in rxs:
1443 try:
1444 pkt = sa.decrypt(rx[IPv6])
1445 if not pkt.haslayer(IPv6):
1446 pkt = IPv6(pkt[Raw].load)
1447 self.assert_packet_checksums_valid(pkt)
1448 self.assertTrue(pkt.haslayer(GRE))
1449 e = pkt[GRE]
1450 self.assertEqual(e[IPv6].dst, "1::2")
1451 except (IndexError, AssertionError):
1452 self.logger.debug(ppp("Unexpected packet:", rx))
1453 try:
1454 self.logger.debug(ppp("Decrypted packet:", pkt))
1455 except:
1456 pass
1457 raise
1458
1459 def setUp(self):
1460 super(TestIpsecGre6IfEspTra, self).setUp()
1461
1462 self.tun_if = self.pg0
1463
1464 p = self.ipv6_params
1465
1466 bd1 = VppBridgeDomain(self, 1)
1467 bd1.add_vpp_config()
1468
1469 p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
1470 p.auth_algo_vpp_id, p.auth_key,
1471 p.crypt_algo_vpp_id, p.crypt_key,
1472 self.vpp_esp_protocol)
1473 p.tun_sa_out.add_vpp_config()
1474
1475 p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
1476 p.auth_algo_vpp_id, p.auth_key,
1477 p.crypt_algo_vpp_id, p.crypt_key,
1478 self.vpp_esp_protocol)
1479 p.tun_sa_in.add_vpp_config()
1480
1481 p.tun_if = VppGreInterface(self,
1482 self.pg0.local_ip6,
1483 self.pg0.remote_ip6)
1484 p.tun_if.add_vpp_config()
1485
1486 p.tun_protect = VppIpsecTunProtect(self,
1487 p.tun_if,
1488 p.tun_sa_out,
1489 [p.tun_sa_in])
1490 p.tun_protect.add_vpp_config()
1491
1492 p.tun_if.admin_up()
1493 p.tun_if.config_ip6()
1494 config_tra_params(p, self.encryption_type, p.tun_if)
1495
1496 r = VppIpRoute(self, "1::2", 128,
1497 [VppRoutePath(p.tun_if.remote_ip6,
1498 0xffffffff,
1499 proto=DpoProto.DPO_PROTO_IP6)])
1500 r.add_vpp_config()
1501
1502 def tearDown(self):
1503 p = self.ipv6_params
1504 p.tun_if.unconfig_ip6()
1505 super(TestIpsecGre6IfEspTra, self).tearDown()
1506
Neale Rannsabde62f2019-12-02 22:32:05 +00001507
Neale Ranns28287212019-12-16 00:53:11 +00001508class TestIpsecMGreIfEspTra4(TemplateIpsec, IpsecTun4):
1509 """ Ipsec mGRE ESP v4 TRA tests """
1510 tun4_encrypt_node_name = "esp4-encrypt-tun"
1511 tun4_decrypt_node_name = "esp4-decrypt-tun"
1512 encryption_type = ESP
1513
1514 def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1,
1515 payload_size=100):
1516 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
1517 sa.encrypt(IP(src=p.tun_dst,
1518 dst=self.pg0.local_ip4) /
1519 GRE() /
1520 IP(src=self.pg1.local_ip4,
1521 dst=self.pg1.remote_ip4) /
1522 UDP(sport=1144, dport=2233) /
1523 Raw(b'X' * payload_size))
1524 for i in range(count)]
1525
1526 def gen_pkts(self, sw_intf, src, dst, count=1,
1527 payload_size=100):
1528 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
1529 IP(src="1.1.1.1", dst=dst) /
1530 UDP(sport=1144, dport=2233) /
1531 Raw(b'X' * payload_size)
1532 for i in range(count)]
1533
1534 def verify_decrypted(self, p, rxs):
1535 for rx in rxs:
1536 self.assert_equal(rx[Ether].dst, self.pg1.remote_mac)
1537 self.assert_equal(rx[IP].dst, self.pg1.remote_ip4)
1538
1539 def verify_encrypted(self, p, sa, rxs):
1540 for rx in rxs:
1541 try:
1542 pkt = sa.decrypt(rx[IP])
1543 if not pkt.haslayer(IP):
1544 pkt = IP(pkt[Raw].load)
1545 self.assert_packet_checksums_valid(pkt)
1546 self.assertTrue(pkt.haslayer(GRE))
1547 e = pkt[GRE]
1548 self.assertEqual(e[IP].dst, p.remote_tun_if_host)
1549 except (IndexError, AssertionError):
1550 self.logger.debug(ppp("Unexpected packet:", rx))
1551 try:
1552 self.logger.debug(ppp("Decrypted packet:", pkt))
1553 except:
1554 pass
1555 raise
1556
1557 def setUp(self):
1558 super(TestIpsecMGreIfEspTra4, self).setUp()
1559
1560 N_NHS = 16
1561 self.tun_if = self.pg0
1562 p = self.ipv4_params
1563 p.tun_if = VppGreInterface(self,
1564 self.pg0.local_ip4,
1565 "0.0.0.0",
1566 mode=(VppEnum.vl_api_tunnel_mode_t.
1567 TUNNEL_API_MODE_MP))
1568 p.tun_if.add_vpp_config()
1569 p.tun_if.admin_up()
1570 p.tun_if.config_ip4()
1571 p.tun_if.generate_remote_hosts(N_NHS)
1572 self.pg0.generate_remote_hosts(N_NHS)
1573 self.pg0.configure_ipv4_neighbors()
1574
1575 # setup some SAs for several next-hops on the interface
1576 self.multi_params = []
1577
Neale Ranns4ec36c52020-03-31 09:21:29 -04001578 for ii in range(1):
Neale Ranns28287212019-12-16 00:53:11 +00001579 p = copy.copy(self.ipv4_params)
1580
1581 p.remote_tun_if_host = "1.1.1.%d" % (ii + 1)
1582 p.scapy_tun_sa_id = p.scapy_tun_sa_id + ii
1583 p.scapy_tun_spi = p.scapy_tun_spi + ii
1584 p.vpp_tun_sa_id = p.vpp_tun_sa_id + ii
1585 p.vpp_tun_spi = p.vpp_tun_spi + ii
1586
1587 p.scapy_tra_sa_id = p.scapy_tra_sa_id + ii
1588 p.scapy_tra_spi = p.scapy_tra_spi + ii
1589 p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii
1590 p.vpp_tra_spi = p.vpp_tra_spi + ii
1591 p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
1592 p.auth_algo_vpp_id, p.auth_key,
1593 p.crypt_algo_vpp_id, p.crypt_key,
1594 self.vpp_esp_protocol)
1595 p.tun_sa_out.add_vpp_config()
1596
1597 p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
1598 p.auth_algo_vpp_id, p.auth_key,
1599 p.crypt_algo_vpp_id, p.crypt_key,
1600 self.vpp_esp_protocol)
1601 p.tun_sa_in.add_vpp_config()
1602
1603 p.tun_protect = VppIpsecTunProtect(
1604 self,
1605 p.tun_if,
1606 p.tun_sa_out,
1607 [p.tun_sa_in],
1608 nh=p.tun_if.remote_hosts[ii].ip4)
1609 p.tun_protect.add_vpp_config()
1610 config_tra_params(p, self.encryption_type, p.tun_if)
1611 self.multi_params.append(p)
1612
1613 VppIpRoute(self, p.remote_tun_if_host, 32,
1614 [VppRoutePath(p.tun_if.remote_hosts[ii].ip4,
1615 p.tun_if.sw_if_index)]).add_vpp_config()
1616
1617 # in this v4 variant add the teibs after the protect
1618 p.teib = VppTeib(self, p.tun_if,
1619 p.tun_if.remote_hosts[ii].ip4,
1620 self.pg0.remote_hosts[ii].ip4).add_vpp_config()
1621 p.tun_dst = self.pg0.remote_hosts[ii].ip4
1622 self.logger.info(self.vapi.cli("sh ipsec protect-hash"))
1623
1624 def tearDown(self):
1625 p = self.ipv4_params
1626 p.tun_if.unconfig_ip4()
1627 super(TestIpsecMGreIfEspTra4, self).tearDown()
1628
1629 def test_tun_44(self):
1630 """mGRE IPSEC 44"""
1631 N_PKTS = 63
1632 for p in self.multi_params:
1633 self.verify_tun_44(p, count=N_PKTS)
1634 p.teib.remove_vpp_config()
1635 self.verify_tun_dropped_44(p, count=N_PKTS)
1636 p.teib.add_vpp_config()
1637 self.verify_tun_44(p, count=N_PKTS)
1638
1639
1640class TestIpsecMGreIfEspTra6(TemplateIpsec, IpsecTun6):
1641 """ Ipsec mGRE ESP v6 TRA tests """
1642 tun6_encrypt_node_name = "esp6-encrypt-tun"
1643 tun6_decrypt_node_name = "esp6-decrypt-tun"
1644 encryption_type = ESP
1645
1646 def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1,
1647 payload_size=100):
1648 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
1649 sa.encrypt(IPv6(src=p.tun_dst,
1650 dst=self.pg0.local_ip6) /
1651 GRE() /
1652 IPv6(src=self.pg1.local_ip6,
1653 dst=self.pg1.remote_ip6) /
1654 UDP(sport=1144, dport=2233) /
1655 Raw(b'X' * payload_size))
1656 for i in range(count)]
1657
1658 def gen_pkts6(self, sw_intf, src, dst, count=1,
1659 payload_size=100):
1660 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
1661 IPv6(src="1::1", dst=dst) /
1662 UDP(sport=1144, dport=2233) /
1663 Raw(b'X' * payload_size)
1664 for i in range(count)]
1665
1666 def verify_decrypted6(self, p, rxs):
1667 for rx in rxs:
1668 self.assert_equal(rx[Ether].dst, self.pg1.remote_mac)
1669 self.assert_equal(rx[IPv6].dst, self.pg1.remote_ip6)
1670
1671 def verify_encrypted6(self, p, sa, rxs):
1672 for rx in rxs:
1673 try:
1674 pkt = sa.decrypt(rx[IPv6])
1675 if not pkt.haslayer(IPv6):
1676 pkt = IPv6(pkt[Raw].load)
1677 self.assert_packet_checksums_valid(pkt)
1678 self.assertTrue(pkt.haslayer(GRE))
1679 e = pkt[GRE]
1680 self.assertEqual(e[IPv6].dst, p.remote_tun_if_host)
1681 except (IndexError, AssertionError):
1682 self.logger.debug(ppp("Unexpected packet:", rx))
1683 try:
1684 self.logger.debug(ppp("Decrypted packet:", pkt))
1685 except:
1686 pass
1687 raise
1688
1689 def setUp(self):
1690 super(TestIpsecMGreIfEspTra6, self).setUp()
1691
1692 self.vapi.cli("set logging class ipsec level debug")
1693
1694 N_NHS = 16
1695 self.tun_if = self.pg0
1696 p = self.ipv6_params
1697 p.tun_if = VppGreInterface(self,
1698 self.pg0.local_ip6,
1699 "::",
1700 mode=(VppEnum.vl_api_tunnel_mode_t.
1701 TUNNEL_API_MODE_MP))
1702 p.tun_if.add_vpp_config()
1703 p.tun_if.admin_up()
1704 p.tun_if.config_ip6()
1705 p.tun_if.generate_remote_hosts(N_NHS)
1706 self.pg0.generate_remote_hosts(N_NHS)
1707 self.pg0.configure_ipv6_neighbors()
1708
1709 # setup some SAs for several next-hops on the interface
1710 self.multi_params = []
1711
1712 for ii in range(N_NHS):
1713 p = copy.copy(self.ipv6_params)
1714
1715 p.remote_tun_if_host = "1::%d" % (ii + 1)
1716 p.scapy_tun_sa_id = p.scapy_tun_sa_id + ii
1717 p.scapy_tun_spi = p.scapy_tun_spi + ii
1718 p.vpp_tun_sa_id = p.vpp_tun_sa_id + ii
1719 p.vpp_tun_spi = p.vpp_tun_spi + ii
1720
1721 p.scapy_tra_sa_id = p.scapy_tra_sa_id + ii
1722 p.scapy_tra_spi = p.scapy_tra_spi + ii
1723 p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii
1724 p.vpp_tra_spi = p.vpp_tra_spi + ii
1725 p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
1726 p.auth_algo_vpp_id, p.auth_key,
1727 p.crypt_algo_vpp_id, p.crypt_key,
1728 self.vpp_esp_protocol)
1729 p.tun_sa_out.add_vpp_config()
1730
1731 p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
1732 p.auth_algo_vpp_id, p.auth_key,
1733 p.crypt_algo_vpp_id, p.crypt_key,
1734 self.vpp_esp_protocol)
1735 p.tun_sa_in.add_vpp_config()
1736
1737 # in this v6 variant add the teibs first then the protection
1738 p.tun_dst = self.pg0.remote_hosts[ii].ip6
1739 VppTeib(self, p.tun_if,
1740 p.tun_if.remote_hosts[ii].ip6,
1741 p.tun_dst).add_vpp_config()
1742
1743 p.tun_protect = VppIpsecTunProtect(
1744 self,
1745 p.tun_if,
1746 p.tun_sa_out,
1747 [p.tun_sa_in],
1748 nh=p.tun_if.remote_hosts[ii].ip6)
1749 p.tun_protect.add_vpp_config()
1750 config_tra_params(p, self.encryption_type, p.tun_if)
1751 self.multi_params.append(p)
1752
1753 VppIpRoute(self, p.remote_tun_if_host, 128,
1754 [VppRoutePath(p.tun_if.remote_hosts[ii].ip6,
1755 p.tun_if.sw_if_index)]).add_vpp_config()
1756 p.tun_dst = self.pg0.remote_hosts[ii].ip6
1757
1758 self.logger.info(self.vapi.cli("sh log"))
1759 self.logger.info(self.vapi.cli("sh ipsec protect-hash"))
1760 self.logger.info(self.vapi.cli("sh adj 41"))
1761
1762 def tearDown(self):
1763 p = self.ipv6_params
1764 p.tun_if.unconfig_ip6()
1765 super(TestIpsecMGreIfEspTra6, self).tearDown()
1766
1767 def test_tun_66(self):
1768 """mGRE IPSec 66"""
1769 for p in self.multi_params:
1770 self.verify_tun_66(p, count=63)
1771
1772
Neale Rannsc87b66c2019-02-07 07:26:12 -08001773class TemplateIpsec4TunProtect(object):
1774 """ IPsec IPv4 Tunnel protect """
1775
Neale Ranns41afb332019-07-16 06:19:35 -07001776 encryption_type = ESP
1777 tun4_encrypt_node_name = "esp4-encrypt-tun"
1778 tun4_decrypt_node_name = "esp4-decrypt-tun"
1779 tun4_input_node = "ipsec4-tun-input"
1780
Neale Rannsc87b66c2019-02-07 07:26:12 -08001781 def config_sa_tra(self, p):
Neale Ranns12989b52019-09-26 16:20:19 +00001782 config_tun_params(p, self.encryption_type, p.tun_if)
Neale Rannsc87b66c2019-02-07 07:26:12 -08001783
1784 p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
1785 p.auth_algo_vpp_id, p.auth_key,
1786 p.crypt_algo_vpp_id, p.crypt_key,
Neale Ranns41afb332019-07-16 06:19:35 -07001787 self.vpp_esp_protocol,
1788 flags=p.flags)
Neale Rannsc87b66c2019-02-07 07:26:12 -08001789 p.tun_sa_out.add_vpp_config()
1790
1791 p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
1792 p.auth_algo_vpp_id, p.auth_key,
1793 p.crypt_algo_vpp_id, p.crypt_key,
Neale Ranns41afb332019-07-16 06:19:35 -07001794 self.vpp_esp_protocol,
1795 flags=p.flags)
Neale Rannsc87b66c2019-02-07 07:26:12 -08001796 p.tun_sa_in.add_vpp_config()
1797
1798 def config_sa_tun(self, p):
Neale Ranns12989b52019-09-26 16:20:19 +00001799 config_tun_params(p, self.encryption_type, p.tun_if)
Neale Rannsc87b66c2019-02-07 07:26:12 -08001800
1801 p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
1802 p.auth_algo_vpp_id, p.auth_key,
1803 p.crypt_algo_vpp_id, p.crypt_key,
1804 self.vpp_esp_protocol,
Neale Ranns41afb332019-07-16 06:19:35 -07001805 self.tun_if.local_addr[p.addr_type],
Neale Rannsf3a66222020-01-02 05:04:00 +00001806 self.tun_if.remote_addr[p.addr_type],
Neale Ranns41afb332019-07-16 06:19:35 -07001807 flags=p.flags)
Neale Rannsc87b66c2019-02-07 07:26:12 -08001808 p.tun_sa_out.add_vpp_config()
1809
1810 p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
1811 p.auth_algo_vpp_id, p.auth_key,
1812 p.crypt_algo_vpp_id, p.crypt_key,
1813 self.vpp_esp_protocol,
1814 self.tun_if.remote_addr[p.addr_type],
Neale Ranns41afb332019-07-16 06:19:35 -07001815 self.tun_if.local_addr[p.addr_type],
1816 flags=p.flags)
Neale Rannsc87b66c2019-02-07 07:26:12 -08001817 p.tun_sa_in.add_vpp_config()
1818
1819 def config_protect(self, p):
1820 p.tun_protect = VppIpsecTunProtect(self,
1821 p.tun_if,
1822 p.tun_sa_out,
1823 [p.tun_sa_in])
1824 p.tun_protect.add_vpp_config()
1825
1826 def config_network(self, p):
1827 p.tun_if = VppIpIpTunInterface(self, self.pg0,
1828 self.pg0.local_ip4,
1829 self.pg0.remote_ip4)
1830 p.tun_if.add_vpp_config()
1831 p.tun_if.admin_up()
1832 p.tun_if.config_ip4()
Neale Rannsb3259832019-09-27 13:32:02 +00001833 p.tun_if.config_ip6()
Neale Rannsc87b66c2019-02-07 07:26:12 -08001834
1835 p.route = VppIpRoute(self, p.remote_tun_if_host, 32,
1836 [VppRoutePath(p.tun_if.remote_ip4,
1837 0xffffffff)])
1838 p.route.add_vpp_config()
Neale Rannsb3259832019-09-27 13:32:02 +00001839 r = VppIpRoute(self, p.remote_tun_if_host6, 128,
1840 [VppRoutePath(p.tun_if.remote_ip6,
1841 0xffffffff,
1842 proto=DpoProto.DPO_PROTO_IP6)])
1843 r.add_vpp_config()
Neale Rannsc87b66c2019-02-07 07:26:12 -08001844
1845 def unconfig_network(self, p):
1846 p.route.remove_vpp_config()
1847 p.tun_if.remove_vpp_config()
1848
1849 def unconfig_protect(self, p):
1850 p.tun_protect.remove_vpp_config()
1851
1852 def unconfig_sa(self, p):
1853 p.tun_sa_out.remove_vpp_config()
1854 p.tun_sa_in.remove_vpp_config()
1855
1856
1857class TestIpsec4TunProtect(TemplateIpsec,
1858 TemplateIpsec4TunProtect,
1859 IpsecTun4):
1860 """ IPsec IPv4 Tunnel protect - transport mode"""
1861
Neale Rannsc87b66c2019-02-07 07:26:12 -08001862 def setUp(self):
1863 super(TestIpsec4TunProtect, self).setUp()
1864
1865 self.tun_if = self.pg0
1866
1867 def tearDown(self):
1868 super(TestIpsec4TunProtect, self).tearDown()
1869
1870 def test_tun_44(self):
1871 """IPSEC tunnel protect"""
1872
1873 p = self.ipv4_params
1874
1875 self.config_network(p)
1876 self.config_sa_tra(p)
1877 self.config_protect(p)
1878
1879 self.verify_tun_44(p, count=127)
1880 c = p.tun_if.get_rx_stats()
1881 self.assertEqual(c['packets'], 127)
1882 c = p.tun_if.get_tx_stats()
1883 self.assertEqual(c['packets'], 127)
1884
Neale Rannsb3259832019-09-27 13:32:02 +00001885 self.vapi.cli("clear ipsec sa")
1886 self.verify_tun_64(p, count=127)
1887 c = p.tun_if.get_rx_stats()
1888 self.assertEqual(c['packets'], 254)
1889 c = p.tun_if.get_tx_stats()
1890 self.assertEqual(c['packets'], 254)
1891
Neale Rannsc87b66c2019-02-07 07:26:12 -08001892 # rekey - create new SAs and update the tunnel protection
1893 np = copy.copy(p)
Ole Troan64e978b2019-10-17 21:40:36 +02001894 np.crypt_key = b'X' + p.crypt_key[1:]
Neale Rannsc87b66c2019-02-07 07:26:12 -08001895 np.scapy_tun_spi += 100
1896 np.scapy_tun_sa_id += 1
1897 np.vpp_tun_spi += 100
1898 np.vpp_tun_sa_id += 1
1899 np.tun_if.local_spi = p.vpp_tun_spi
1900 np.tun_if.remote_spi = p.scapy_tun_spi
1901
1902 self.config_sa_tra(np)
1903 self.config_protect(np)
1904 self.unconfig_sa(p)
1905
1906 self.verify_tun_44(np, count=127)
1907 c = p.tun_if.get_rx_stats()
Neale Rannsb3259832019-09-27 13:32:02 +00001908 self.assertEqual(c['packets'], 381)
Neale Rannsc87b66c2019-02-07 07:26:12 -08001909 c = p.tun_if.get_tx_stats()
Neale Rannsb3259832019-09-27 13:32:02 +00001910 self.assertEqual(c['packets'], 381)
Neale Rannsc87b66c2019-02-07 07:26:12 -08001911
1912 # teardown
1913 self.unconfig_protect(np)
1914 self.unconfig_sa(np)
1915 self.unconfig_network(p)
1916
1917
Neale Ranns41afb332019-07-16 06:19:35 -07001918class TestIpsec4TunProtectUdp(TemplateIpsec,
1919 TemplateIpsec4TunProtect,
1920 IpsecTun4):
1921 """ IPsec IPv4 Tunnel protect - transport mode"""
1922
1923 def setUp(self):
1924 super(TestIpsec4TunProtectUdp, self).setUp()
1925
1926 self.tun_if = self.pg0
1927
1928 p = self.ipv4_params
1929 p.flags = (VppEnum.vl_api_ipsec_sad_flags_t.
1930 IPSEC_API_SAD_FLAG_UDP_ENCAP)
Neale Rannsabc56602020-04-01 09:45:23 +00001931 p.nat_header = UDP(sport=4500, dport=4500)
Neale Ranns41afb332019-07-16 06:19:35 -07001932 self.config_network(p)
1933 self.config_sa_tra(p)
1934 self.config_protect(p)
1935
1936 def tearDown(self):
1937 p = self.ipv4_params
1938 self.unconfig_protect(p)
1939 self.unconfig_sa(p)
1940 self.unconfig_network(p)
1941 super(TestIpsec4TunProtectUdp, self).tearDown()
1942
Neale Rannsabc56602020-04-01 09:45:23 +00001943 def verify_encrypted(self, p, sa, rxs):
1944 # ensure encrypted packets are recieved with the default UDP ports
1945 for rx in rxs:
1946 self.assertEqual(rx[UDP].sport, 4500)
1947 self.assertEqual(rx[UDP].dport, 4500)
1948 super(TestIpsec4TunProtectUdp, self).verify_encrypted(p, sa, rxs)
1949
Neale Ranns41afb332019-07-16 06:19:35 -07001950 def test_tun_44(self):
1951 """IPSEC UDP tunnel protect"""
1952
1953 p = self.ipv4_params
1954
1955 self.verify_tun_44(p, count=127)
1956 c = p.tun_if.get_rx_stats()
1957 self.assertEqual(c['packets'], 127)
1958 c = p.tun_if.get_tx_stats()
1959 self.assertEqual(c['packets'], 127)
1960
1961 def test_keepalive(self):
1962 """ IPSEC NAT Keepalive """
1963 self.verify_keepalive(self.ipv4_params)
1964
1965
Neale Rannsc87b66c2019-02-07 07:26:12 -08001966class TestIpsec4TunProtectTun(TemplateIpsec,
1967 TemplateIpsec4TunProtect,
1968 IpsecTun4):
1969 """ IPsec IPv4 Tunnel protect - tunnel mode"""
1970
1971 encryption_type = ESP
1972 tun4_encrypt_node_name = "esp4-encrypt-tun"
1973 tun4_decrypt_node_name = "esp4-decrypt-tun"
1974
1975 def setUp(self):
1976 super(TestIpsec4TunProtectTun, self).setUp()
1977
1978 self.tun_if = self.pg0
1979
1980 def tearDown(self):
1981 super(TestIpsec4TunProtectTun, self).tearDown()
1982
Neale Ranns28287212019-12-16 00:53:11 +00001983 def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1,
Neale Rannsc87b66c2019-02-07 07:26:12 -08001984 payload_size=100):
1985 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
1986 sa.encrypt(IP(src=sw_intf.remote_ip4,
1987 dst=sw_intf.local_ip4) /
1988 IP(src=src, dst=dst) /
1989 UDP(sport=1144, dport=2233) /
Ole Troan770a0de2019-11-07 13:52:21 +01001990 Raw(b'X' * payload_size))
Neale Rannsc87b66c2019-02-07 07:26:12 -08001991 for i in range(count)]
1992
1993 def gen_pkts(self, sw_intf, src, dst, count=1,
1994 payload_size=100):
1995 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
1996 IP(src=src, dst=dst) /
1997 UDP(sport=1144, dport=2233) /
Ole Troan770a0de2019-11-07 13:52:21 +01001998 Raw(b'X' * payload_size)
Neale Rannsc87b66c2019-02-07 07:26:12 -08001999 for i in range(count)]
2000
2001 def verify_decrypted(self, p, rxs):
2002 for rx in rxs:
2003 self.assert_equal(rx[IP].dst, self.pg1.remote_ip4)
2004 self.assert_equal(rx[IP].src, p.remote_tun_if_host)
2005 self.assert_packet_checksums_valid(rx)
2006
2007 def verify_encrypted(self, p, sa, rxs):
2008 for rx in rxs:
2009 try:
2010 pkt = sa.decrypt(rx[IP])
2011 if not pkt.haslayer(IP):
2012 pkt = IP(pkt[Raw].load)
2013 self.assert_packet_checksums_valid(pkt)
2014 self.assert_equal(pkt[IP].dst, self.pg0.remote_ip4)
2015 self.assert_equal(pkt[IP].src, self.pg0.local_ip4)
2016 inner = pkt[IP].payload
2017 self.assertEqual(inner[IP][IP].dst, p.remote_tun_if_host)
2018
2019 except (IndexError, AssertionError):
2020 self.logger.debug(ppp("Unexpected packet:", rx))
2021 try:
2022 self.logger.debug(ppp("Decrypted packet:", pkt))
2023 except:
2024 pass
2025 raise
2026
2027 def test_tun_44(self):
2028 """IPSEC tunnel protect """
2029
2030 p = self.ipv4_params
2031
2032 self.config_network(p)
2033 self.config_sa_tun(p)
2034 self.config_protect(p)
2035
Neale Ranns5d0136f2020-05-12 08:51:02 +00002036 # also add an output features on the tunnel and physical interface
2037 # so we test they still work
2038 r_all = AclRule(True,
2039 src_prefix="0.0.0.0/0",
2040 dst_prefix="0.0.0.0/0",
2041 proto=0)
2042 a = VppAcl(self, [r_all]).add_vpp_config()
2043
2044 VppAclInterface(self, self.pg0.sw_if_index, [a]).add_vpp_config()
2045 VppAclInterface(self, p.tun_if.sw_if_index, [a]).add_vpp_config()
2046
Neale Rannsc87b66c2019-02-07 07:26:12 -08002047 self.verify_tun_44(p, count=127)
2048
2049 c = p.tun_if.get_rx_stats()
2050 self.assertEqual(c['packets'], 127)
2051 c = p.tun_if.get_tx_stats()
2052 self.assertEqual(c['packets'], 127)
2053
2054 # rekey - create new SAs and update the tunnel protection
2055 np = copy.copy(p)
Ole Troan64e978b2019-10-17 21:40:36 +02002056 np.crypt_key = b'X' + p.crypt_key[1:]
Neale Rannsc87b66c2019-02-07 07:26:12 -08002057 np.scapy_tun_spi += 100
2058 np.scapy_tun_sa_id += 1
2059 np.vpp_tun_spi += 100
2060 np.vpp_tun_sa_id += 1
2061 np.tun_if.local_spi = p.vpp_tun_spi
2062 np.tun_if.remote_spi = p.scapy_tun_spi
2063
2064 self.config_sa_tun(np)
2065 self.config_protect(np)
2066 self.unconfig_sa(p)
2067
2068 self.verify_tun_44(np, count=127)
2069 c = p.tun_if.get_rx_stats()
2070 self.assertEqual(c['packets'], 254)
2071 c = p.tun_if.get_tx_stats()
2072 self.assertEqual(c['packets'], 254)
2073
2074 # teardown
2075 self.unconfig_protect(np)
2076 self.unconfig_sa(np)
2077 self.unconfig_network(p)
2078
2079
Neale Ranns02950402019-12-20 00:54:57 +00002080class TestIpsec4TunProtectTunDrop(TemplateIpsec,
2081 TemplateIpsec4TunProtect,
2082 IpsecTun4):
2083 """ IPsec IPv4 Tunnel protect - tunnel mode - drop"""
2084
2085 encryption_type = ESP
2086 tun4_encrypt_node_name = "esp4-encrypt-tun"
2087 tun4_decrypt_node_name = "esp4-decrypt-tun"
2088
2089 def setUp(self):
2090 super(TestIpsec4TunProtectTunDrop, self).setUp()
2091
2092 self.tun_if = self.pg0
2093
2094 def tearDown(self):
2095 super(TestIpsec4TunProtectTunDrop, self).tearDown()
2096
Neale Ranns28287212019-12-16 00:53:11 +00002097 def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1,
Neale Ranns02950402019-12-20 00:54:57 +00002098 payload_size=100):
2099 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
2100 sa.encrypt(IP(src=sw_intf.remote_ip4,
2101 dst="5.5.5.5") /
2102 IP(src=src, dst=dst) /
2103 UDP(sport=1144, dport=2233) /
2104 Raw(b'X' * payload_size))
2105 for i in range(count)]
2106
2107 def test_tun_drop_44(self):
2108 """IPSEC tunnel protect bogus tunnel header """
2109
2110 p = self.ipv4_params
2111
2112 self.config_network(p)
2113 self.config_sa_tun(p)
2114 self.config_protect(p)
2115
Neale Ranns28287212019-12-16 00:53:11 +00002116 tx = self.gen_encrypt_pkts(p, p.scapy_tun_sa, self.tun_if,
Neale Ranns02950402019-12-20 00:54:57 +00002117 src=p.remote_tun_if_host,
2118 dst=self.pg1.remote_ip4,
2119 count=63)
2120 self.send_and_assert_no_replies(self.tun_if, tx)
2121
2122 # teardown
2123 self.unconfig_protect(p)
2124 self.unconfig_sa(p)
2125 self.unconfig_network(p)
2126
2127
Neale Rannsc87b66c2019-02-07 07:26:12 -08002128class TemplateIpsec6TunProtect(object):
2129 """ IPsec IPv6 Tunnel protect """
2130
2131 def config_sa_tra(self, p):
Neale Ranns12989b52019-09-26 16:20:19 +00002132 config_tun_params(p, self.encryption_type, p.tun_if)
Neale Rannsc87b66c2019-02-07 07:26:12 -08002133
2134 p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
2135 p.auth_algo_vpp_id, p.auth_key,
2136 p.crypt_algo_vpp_id, p.crypt_key,
2137 self.vpp_esp_protocol)
2138 p.tun_sa_out.add_vpp_config()
2139
2140 p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
2141 p.auth_algo_vpp_id, p.auth_key,
2142 p.crypt_algo_vpp_id, p.crypt_key,
2143 self.vpp_esp_protocol)
2144 p.tun_sa_in.add_vpp_config()
2145
2146 def config_sa_tun(self, p):
Neale Ranns12989b52019-09-26 16:20:19 +00002147 config_tun_params(p, self.encryption_type, p.tun_if)
Neale Rannsc87b66c2019-02-07 07:26:12 -08002148
2149 p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
2150 p.auth_algo_vpp_id, p.auth_key,
2151 p.crypt_algo_vpp_id, p.crypt_key,
2152 self.vpp_esp_protocol,
Neale Rannsf3a66222020-01-02 05:04:00 +00002153 self.tun_if.local_addr[p.addr_type],
2154 self.tun_if.remote_addr[p.addr_type])
Neale Rannsc87b66c2019-02-07 07:26:12 -08002155 p.tun_sa_out.add_vpp_config()
2156
2157 p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
2158 p.auth_algo_vpp_id, p.auth_key,
2159 p.crypt_algo_vpp_id, p.crypt_key,
2160 self.vpp_esp_protocol,
2161 self.tun_if.remote_addr[p.addr_type],
2162 self.tun_if.local_addr[p.addr_type])
2163 p.tun_sa_in.add_vpp_config()
2164
2165 def config_protect(self, p):
2166 p.tun_protect = VppIpsecTunProtect(self,
2167 p.tun_if,
2168 p.tun_sa_out,
2169 [p.tun_sa_in])
2170 p.tun_protect.add_vpp_config()
2171
2172 def config_network(self, p):
2173 p.tun_if = VppIpIpTunInterface(self, self.pg0,
2174 self.pg0.local_ip6,
2175 self.pg0.remote_ip6)
2176 p.tun_if.add_vpp_config()
2177 p.tun_if.admin_up()
2178 p.tun_if.config_ip6()
Neale Rannsb3259832019-09-27 13:32:02 +00002179 p.tun_if.config_ip4()
Neale Rannsc87b66c2019-02-07 07:26:12 -08002180
2181 p.route = VppIpRoute(self, p.remote_tun_if_host, 128,
2182 [VppRoutePath(p.tun_if.remote_ip6,
2183 0xffffffff,
Florin Corasb54a5992019-06-18 10:57:26 -07002184 proto=DpoProto.DPO_PROTO_IP6)])
Neale Rannsc87b66c2019-02-07 07:26:12 -08002185 p.route.add_vpp_config()
Neale Rannsb3259832019-09-27 13:32:02 +00002186 r = VppIpRoute(self, p.remote_tun_if_host4, 32,
2187 [VppRoutePath(p.tun_if.remote_ip4,
2188 0xffffffff)])
2189 r.add_vpp_config()
Neale Rannsc87b66c2019-02-07 07:26:12 -08002190
2191 def unconfig_network(self, p):
2192 p.route.remove_vpp_config()
2193 p.tun_if.remove_vpp_config()
2194
2195 def unconfig_protect(self, p):
2196 p.tun_protect.remove_vpp_config()
2197
2198 def unconfig_sa(self, p):
2199 p.tun_sa_out.remove_vpp_config()
2200 p.tun_sa_in.remove_vpp_config()
2201
2202
2203class TestIpsec6TunProtect(TemplateIpsec,
2204 TemplateIpsec6TunProtect,
2205 IpsecTun6):
2206 """ IPsec IPv6 Tunnel protect - transport mode"""
2207
2208 encryption_type = ESP
2209 tun6_encrypt_node_name = "esp6-encrypt-tun"
2210 tun6_decrypt_node_name = "esp6-decrypt-tun"
2211
2212 def setUp(self):
2213 super(TestIpsec6TunProtect, self).setUp()
2214
2215 self.tun_if = self.pg0
2216
2217 def tearDown(self):
2218 super(TestIpsec6TunProtect, self).tearDown()
2219
2220 def test_tun_66(self):
Neale Ranns02950402019-12-20 00:54:57 +00002221 """IPSEC tunnel protect 6o6"""
Neale Rannsc87b66c2019-02-07 07:26:12 -08002222
2223 p = self.ipv6_params
2224
2225 self.config_network(p)
2226 self.config_sa_tra(p)
2227 self.config_protect(p)
2228
2229 self.verify_tun_66(p, count=127)
2230 c = p.tun_if.get_rx_stats()
2231 self.assertEqual(c['packets'], 127)
2232 c = p.tun_if.get_tx_stats()
2233 self.assertEqual(c['packets'], 127)
2234
2235 # rekey - create new SAs and update the tunnel protection
2236 np = copy.copy(p)
Ole Troan64e978b2019-10-17 21:40:36 +02002237 np.crypt_key = b'X' + p.crypt_key[1:]
Neale Rannsc87b66c2019-02-07 07:26:12 -08002238 np.scapy_tun_spi += 100
2239 np.scapy_tun_sa_id += 1
2240 np.vpp_tun_spi += 100
2241 np.vpp_tun_sa_id += 1
2242 np.tun_if.local_spi = p.vpp_tun_spi
2243 np.tun_if.remote_spi = p.scapy_tun_spi
2244
2245 self.config_sa_tra(np)
2246 self.config_protect(np)
2247 self.unconfig_sa(p)
2248
2249 self.verify_tun_66(np, count=127)
2250 c = p.tun_if.get_rx_stats()
2251 self.assertEqual(c['packets'], 254)
2252 c = p.tun_if.get_tx_stats()
2253 self.assertEqual(c['packets'], 254)
2254
Neale Ranns02950402019-12-20 00:54:57 +00002255 # bounce the interface state
2256 p.tun_if.admin_down()
2257 self.verify_drop_tun_66(np, count=127)
2258 node = ('/err/ipsec6-tun-input/%s' %
2259 'ipsec packets received on disabled interface')
2260 self.assertEqual(127, self.statistics.get_err_counter(node))
2261 p.tun_if.admin_up()
2262 self.verify_tun_66(np, count=127)
2263
Neale Rannsc87b66c2019-02-07 07:26:12 -08002264 # 3 phase rekey
2265 # 1) add two input SAs [old, new]
2266 # 2) swap output SA to [new]
2267 # 3) use only [new] input SA
2268 np3 = copy.copy(np)
Ole Troan64e978b2019-10-17 21:40:36 +02002269 np3.crypt_key = b'Z' + p.crypt_key[1:]
Neale Rannsc87b66c2019-02-07 07:26:12 -08002270 np3.scapy_tun_spi += 100
2271 np3.scapy_tun_sa_id += 1
2272 np3.vpp_tun_spi += 100
2273 np3.vpp_tun_sa_id += 1
2274 np3.tun_if.local_spi = p.vpp_tun_spi
2275 np3.tun_if.remote_spi = p.scapy_tun_spi
2276
2277 self.config_sa_tra(np3)
2278
2279 # step 1;
2280 p.tun_protect.update_vpp_config(np.tun_sa_out,
2281 [np.tun_sa_in, np3.tun_sa_in])
2282 self.verify_tun_66(np, np, count=127)
2283 self.verify_tun_66(np3, np, count=127)
2284
2285 # step 2;
2286 p.tun_protect.update_vpp_config(np3.tun_sa_out,
2287 [np.tun_sa_in, np3.tun_sa_in])
2288 self.verify_tun_66(np, np3, count=127)
2289 self.verify_tun_66(np3, np3, count=127)
2290
2291 # step 1;
2292 p.tun_protect.update_vpp_config(np3.tun_sa_out,
2293 [np3.tun_sa_in])
2294 self.verify_tun_66(np3, np3, count=127)
2295 self.verify_drop_tun_66(np, count=127)
2296
2297 c = p.tun_if.get_rx_stats()
Neale Ranns02950402019-12-20 00:54:57 +00002298 self.assertEqual(c['packets'], 127*9)
Neale Rannsc87b66c2019-02-07 07:26:12 -08002299 c = p.tun_if.get_tx_stats()
Neale Ranns02950402019-12-20 00:54:57 +00002300 self.assertEqual(c['packets'], 127*8)
Neale Rannsc87b66c2019-02-07 07:26:12 -08002301 self.unconfig_sa(np)
2302
2303 # teardown
2304 self.unconfig_protect(np3)
2305 self.unconfig_sa(np3)
2306 self.unconfig_network(p)
2307
Neale Rannsb3259832019-09-27 13:32:02 +00002308 def test_tun_46(self):
Neale Ranns02950402019-12-20 00:54:57 +00002309 """IPSEC tunnel protect 4o6"""
Neale Rannsb3259832019-09-27 13:32:02 +00002310
2311 p = self.ipv6_params
2312
2313 self.config_network(p)
2314 self.config_sa_tra(p)
2315 self.config_protect(p)
2316
2317 self.verify_tun_46(p, count=127)
2318 c = p.tun_if.get_rx_stats()
2319 self.assertEqual(c['packets'], 127)
2320 c = p.tun_if.get_tx_stats()
2321 self.assertEqual(c['packets'], 127)
2322
2323 # teardown
2324 self.unconfig_protect(p)
2325 self.unconfig_sa(p)
2326 self.unconfig_network(p)
2327
Neale Rannsc87b66c2019-02-07 07:26:12 -08002328
2329class TestIpsec6TunProtectTun(TemplateIpsec,
2330 TemplateIpsec6TunProtect,
2331 IpsecTun6):
2332 """ IPsec IPv6 Tunnel protect - tunnel mode"""
2333
2334 encryption_type = ESP
2335 tun6_encrypt_node_name = "esp6-encrypt-tun"
2336 tun6_decrypt_node_name = "esp6-decrypt-tun"
2337
2338 def setUp(self):
2339 super(TestIpsec6TunProtectTun, self).setUp()
2340
2341 self.tun_if = self.pg0
2342
2343 def tearDown(self):
2344 super(TestIpsec6TunProtectTun, self).tearDown()
2345
Neale Ranns28287212019-12-16 00:53:11 +00002346 def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1,
Neale Rannsc87b66c2019-02-07 07:26:12 -08002347 payload_size=100):
2348 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
2349 sa.encrypt(IPv6(src=sw_intf.remote_ip6,
2350 dst=sw_intf.local_ip6) /
2351 IPv6(src=src, dst=dst) /
2352 UDP(sport=1166, dport=2233) /
Ole Troan770a0de2019-11-07 13:52:21 +01002353 Raw(b'X' * payload_size))
Neale Rannsc87b66c2019-02-07 07:26:12 -08002354 for i in range(count)]
2355
2356 def gen_pkts6(self, sw_intf, src, dst, count=1,
2357 payload_size=100):
2358 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
2359 IPv6(src=src, dst=dst) /
2360 UDP(sport=1166, dport=2233) /
Ole Troan770a0de2019-11-07 13:52:21 +01002361 Raw(b'X' * payload_size)
Neale Rannsc87b66c2019-02-07 07:26:12 -08002362 for i in range(count)]
2363
2364 def verify_decrypted6(self, p, rxs):
2365 for rx in rxs:
2366 self.assert_equal(rx[IPv6].dst, self.pg1.remote_ip6)
2367 self.assert_equal(rx[IPv6].src, p.remote_tun_if_host)
2368 self.assert_packet_checksums_valid(rx)
2369
2370 def verify_encrypted6(self, p, sa, rxs):
2371 for rx in rxs:
2372 try:
2373 pkt = sa.decrypt(rx[IPv6])
2374 if not pkt.haslayer(IPv6):
2375 pkt = IPv6(pkt[Raw].load)
2376 self.assert_packet_checksums_valid(pkt)
2377 self.assert_equal(pkt[IPv6].dst, self.pg0.remote_ip6)
2378 self.assert_equal(pkt[IPv6].src, self.pg0.local_ip6)
2379 inner = pkt[IPv6].payload
2380 self.assertEqual(inner[IPv6][IPv6].dst, p.remote_tun_if_host)
2381
2382 except (IndexError, AssertionError):
2383 self.logger.debug(ppp("Unexpected packet:", rx))
2384 try:
2385 self.logger.debug(ppp("Decrypted packet:", pkt))
2386 except:
2387 pass
2388 raise
2389
2390 def test_tun_66(self):
2391 """IPSEC tunnel protect """
2392
2393 p = self.ipv6_params
2394
2395 self.config_network(p)
2396 self.config_sa_tun(p)
2397 self.config_protect(p)
2398
2399 self.verify_tun_66(p, count=127)
2400
2401 c = p.tun_if.get_rx_stats()
2402 self.assertEqual(c['packets'], 127)
2403 c = p.tun_if.get_tx_stats()
2404 self.assertEqual(c['packets'], 127)
2405
2406 # rekey - create new SAs and update the tunnel protection
2407 np = copy.copy(p)
Ole Troan64e978b2019-10-17 21:40:36 +02002408 np.crypt_key = b'X' + p.crypt_key[1:]
Neale Rannsc87b66c2019-02-07 07:26:12 -08002409 np.scapy_tun_spi += 100
2410 np.scapy_tun_sa_id += 1
2411 np.vpp_tun_spi += 100
2412 np.vpp_tun_sa_id += 1
2413 np.tun_if.local_spi = p.vpp_tun_spi
2414 np.tun_if.remote_spi = p.scapy_tun_spi
2415
2416 self.config_sa_tun(np)
2417 self.config_protect(np)
2418 self.unconfig_sa(p)
2419
2420 self.verify_tun_66(np, count=127)
2421 c = p.tun_if.get_rx_stats()
2422 self.assertEqual(c['packets'], 254)
2423 c = p.tun_if.get_tx_stats()
2424 self.assertEqual(c['packets'], 254)
2425
2426 # teardown
2427 self.unconfig_protect(np)
2428 self.unconfig_sa(np)
2429 self.unconfig_network(p)
2430
Neale Rannsf05e7322019-03-29 20:23:58 +00002431
Neale Ranns02950402019-12-20 00:54:57 +00002432class TestIpsec6TunProtectTunDrop(TemplateIpsec,
2433 TemplateIpsec6TunProtect,
2434 IpsecTun6):
2435 """ IPsec IPv6 Tunnel protect - tunnel mode - drop"""
2436
2437 encryption_type = ESP
2438 tun6_encrypt_node_name = "esp6-encrypt-tun"
2439 tun6_decrypt_node_name = "esp6-decrypt-tun"
2440
2441 def setUp(self):
2442 super(TestIpsec6TunProtectTunDrop, self).setUp()
2443
2444 self.tun_if = self.pg0
2445
2446 def tearDown(self):
2447 super(TestIpsec6TunProtectTunDrop, self).tearDown()
2448
Neale Ranns28287212019-12-16 00:53:11 +00002449 def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1,
Neale Ranns02950402019-12-20 00:54:57 +00002450 payload_size=100):
2451 # the IP destination of the revelaed packet does not match
2452 # that assigned to the tunnel
2453 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
2454 sa.encrypt(IPv6(src=sw_intf.remote_ip6,
2455 dst="5::5") /
2456 IPv6(src=src, dst=dst) /
2457 UDP(sport=1144, dport=2233) /
2458 Raw(b'X' * payload_size))
2459 for i in range(count)]
2460
2461 def test_tun_drop_66(self):
2462 """IPSEC 6 tunnel protect bogus tunnel header """
2463
2464 p = self.ipv6_params
2465
2466 self.config_network(p)
2467 self.config_sa_tun(p)
2468 self.config_protect(p)
2469
Neale Ranns28287212019-12-16 00:53:11 +00002470 tx = self.gen_encrypt_pkts6(p, p.scapy_tun_sa, self.tun_if,
Neale Ranns02950402019-12-20 00:54:57 +00002471 src=p.remote_tun_if_host,
2472 dst=self.pg1.remote_ip6,
2473 count=63)
2474 self.send_and_assert_no_replies(self.tun_if, tx)
2475
2476 self.unconfig_protect(p)
2477 self.unconfig_sa(p)
2478 self.unconfig_network(p)
2479
2480
Neale Rannsdd4ccf22020-06-30 07:47:14 +00002481class TemplateIpsecItf4(object):
2482 """ IPsec Interface IPv4 """
2483
2484 encryption_type = ESP
2485 tun4_encrypt_node_name = "esp4-encrypt-tun"
2486 tun4_decrypt_node_name = "esp4-decrypt-tun"
2487 tun4_input_node = "ipsec4-tun-input"
2488
2489 def config_sa_tun(self, p, src, dst):
2490 config_tun_params(p, self.encryption_type, None, src, dst)
2491
2492 p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
2493 p.auth_algo_vpp_id, p.auth_key,
2494 p.crypt_algo_vpp_id, p.crypt_key,
2495 self.vpp_esp_protocol,
2496 src, dst,
2497 flags=p.flags)
2498 p.tun_sa_out.add_vpp_config()
2499
2500 p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
2501 p.auth_algo_vpp_id, p.auth_key,
2502 p.crypt_algo_vpp_id, p.crypt_key,
2503 self.vpp_esp_protocol,
2504 dst, src,
2505 flags=p.flags)
2506 p.tun_sa_in.add_vpp_config()
2507
2508 def config_protect(self, p):
2509 p.tun_protect = VppIpsecTunProtect(self,
2510 p.tun_if,
2511 p.tun_sa_out,
2512 [p.tun_sa_in])
2513 p.tun_protect.add_vpp_config()
2514
2515 def config_network(self, p):
2516 p.tun_if = VppIpsecInterface(self)
2517
2518 p.tun_if.add_vpp_config()
2519 p.tun_if.admin_up()
2520 p.tun_if.config_ip4()
2521 p.tun_if.config_ip6()
2522
2523 p.route = VppIpRoute(self, p.remote_tun_if_host, 32,
2524 [VppRoutePath(p.tun_if.remote_ip4,
2525 0xffffffff)])
2526 p.route.add_vpp_config()
2527 r = VppIpRoute(self, p.remote_tun_if_host6, 128,
2528 [VppRoutePath(p.tun_if.remote_ip6,
2529 0xffffffff,
2530 proto=DpoProto.DPO_PROTO_IP6)])
2531 r.add_vpp_config()
2532
2533 def unconfig_network(self, p):
2534 p.route.remove_vpp_config()
2535 p.tun_if.remove_vpp_config()
2536
2537 def unconfig_protect(self, p):
2538 p.tun_protect.remove_vpp_config()
2539
2540 def unconfig_sa(self, p):
2541 p.tun_sa_out.remove_vpp_config()
2542 p.tun_sa_in.remove_vpp_config()
2543
2544
2545class TestIpsecItf4(TemplateIpsec,
2546 TemplateIpsecItf4,
2547 IpsecTun4):
2548 """ IPsec Interface IPv4 """
2549
2550 def setUp(self):
2551 super(TestIpsecItf4, self).setUp()
2552
2553 self.tun_if = self.pg0
2554
2555 def tearDown(self):
2556 super(TestIpsecItf4, self).tearDown()
2557
2558 def test_tun_44(self):
2559 """IPSEC interface IPv4"""
2560
2561 n_pkts = 127
2562 p = self.ipv4_params
2563
2564 self.config_network(p)
2565 self.config_sa_tun(p,
2566 self.pg0.local_ip4,
2567 self.pg0.remote_ip4)
2568 self.config_protect(p)
2569
2570 self.verify_tun_44(p, count=n_pkts)
2571 c = p.tun_if.get_rx_stats()
2572 self.assertEqual(c['packets'], n_pkts)
2573 c = p.tun_if.get_tx_stats()
2574 self.assertEqual(c['packets'], n_pkts)
2575
2576 p.tun_if.admin_down()
2577 self.verify_tun_dropped_44(p, count=n_pkts)
2578 p.tun_if.admin_up()
2579 self.verify_tun_44(p, count=n_pkts)
2580
2581 c = p.tun_if.get_rx_stats()
2582 self.assertEqual(c['packets'], 3*n_pkts)
2583 c = p.tun_if.get_tx_stats()
2584 self.assertEqual(c['packets'], 2*n_pkts)
2585
2586 # it's a v6 packet when its encrypted
2587 self.tun4_encrypt_node_name = "esp6-encrypt-tun"
2588
2589 self.verify_tun_64(p, count=n_pkts)
2590 c = p.tun_if.get_rx_stats()
2591 self.assertEqual(c['packets'], 4*n_pkts)
2592 c = p.tun_if.get_tx_stats()
2593 self.assertEqual(c['packets'], 3*n_pkts)
2594
2595 self.tun4_encrypt_node_name = "esp4-encrypt-tun"
2596
2597 self.vapi.cli("clear interfaces")
2598
2599 # rekey - create new SAs and update the tunnel protection
2600 np = copy.copy(p)
2601 np.crypt_key = b'X' + p.crypt_key[1:]
2602 np.scapy_tun_spi += 100
2603 np.scapy_tun_sa_id += 1
2604 np.vpp_tun_spi += 100
2605 np.vpp_tun_sa_id += 1
2606 np.tun_if.local_spi = p.vpp_tun_spi
2607 np.tun_if.remote_spi = p.scapy_tun_spi
2608
2609 self.config_sa_tun(np,
2610 self.pg0.local_ip4,
2611 self.pg0.remote_ip4)
2612 self.config_protect(np)
2613 self.unconfig_sa(p)
2614
2615 self.verify_tun_44(np, count=n_pkts)
2616 c = p.tun_if.get_rx_stats()
2617 self.assertEqual(c['packets'], n_pkts)
2618 c = p.tun_if.get_tx_stats()
2619 self.assertEqual(c['packets'], n_pkts)
2620
2621 # teardown
2622 self.unconfig_protect(np)
2623 self.unconfig_sa(np)
2624 self.unconfig_network(p)
2625
Neale Ranns970187b2020-10-07 13:58:56 +00002626 def test_tun_44_null(self):
2627 """IPSEC interface IPv4 NULL auth/crypto"""
2628
2629 n_pkts = 127
2630 p = copy.copy(self.ipv4_params)
2631
2632 p.auth_algo_vpp_id = (VppEnum.vl_api_ipsec_integ_alg_t.
2633 IPSEC_API_INTEG_ALG_NONE)
2634 p.crypt_algo_vpp_id = (VppEnum.vl_api_ipsec_crypto_alg_t.
2635 IPSEC_API_CRYPTO_ALG_NONE)
2636 p.crypt_algo = "NULL"
2637 p.auth_algo = "NULL"
2638
2639 self.config_network(p)
2640 self.config_sa_tun(p,
2641 self.pg0.local_ip4,
2642 self.pg0.remote_ip4)
2643 self.config_protect(p)
2644
2645 self.verify_tun_44(p, count=n_pkts)
2646
Neale Rannsdd4ccf22020-06-30 07:47:14 +00002647
2648class TemplateIpsecItf6(object):
2649 """ IPsec Interface IPv6 """
2650
2651 encryption_type = ESP
2652 tun6_encrypt_node_name = "esp6-encrypt-tun"
2653 tun6_decrypt_node_name = "esp6-decrypt-tun"
2654 tun6_input_node = "ipsec6-tun-input"
2655
2656 def config_sa_tun(self, p, src, dst):
2657 config_tun_params(p, self.encryption_type, None, src, dst)
2658
2659 p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
2660 p.auth_algo_vpp_id, p.auth_key,
2661 p.crypt_algo_vpp_id, p.crypt_key,
2662 self.vpp_esp_protocol,
2663 src, dst,
2664 flags=p.flags)
2665 p.tun_sa_out.add_vpp_config()
2666
2667 p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
2668 p.auth_algo_vpp_id, p.auth_key,
2669 p.crypt_algo_vpp_id, p.crypt_key,
2670 self.vpp_esp_protocol,
2671 dst, src,
2672 flags=p.flags)
2673 p.tun_sa_in.add_vpp_config()
2674
2675 def config_protect(self, p):
2676 p.tun_protect = VppIpsecTunProtect(self,
2677 p.tun_if,
2678 p.tun_sa_out,
2679 [p.tun_sa_in])
2680 p.tun_protect.add_vpp_config()
2681
2682 def config_network(self, p):
2683 p.tun_if = VppIpsecInterface(self)
2684
2685 p.tun_if.add_vpp_config()
2686 p.tun_if.admin_up()
2687 p.tun_if.config_ip4()
2688 p.tun_if.config_ip6()
2689
2690 r = VppIpRoute(self, p.remote_tun_if_host4, 32,
2691 [VppRoutePath(p.tun_if.remote_ip4,
2692 0xffffffff)])
2693 r.add_vpp_config()
2694
2695 p.route = VppIpRoute(self, p.remote_tun_if_host, 128,
2696 [VppRoutePath(p.tun_if.remote_ip6,
2697 0xffffffff,
2698 proto=DpoProto.DPO_PROTO_IP6)])
2699 p.route.add_vpp_config()
2700
2701 def unconfig_network(self, p):
2702 p.route.remove_vpp_config()
2703 p.tun_if.remove_vpp_config()
2704
2705 def unconfig_protect(self, p):
2706 p.tun_protect.remove_vpp_config()
2707
2708 def unconfig_sa(self, p):
2709 p.tun_sa_out.remove_vpp_config()
2710 p.tun_sa_in.remove_vpp_config()
2711
2712
2713class TestIpsecItf6(TemplateIpsec,
2714 TemplateIpsecItf6,
2715 IpsecTun6):
2716 """ IPsec Interface IPv6 """
2717
2718 def setUp(self):
2719 super(TestIpsecItf6, self).setUp()
2720
2721 self.tun_if = self.pg0
2722
2723 def tearDown(self):
2724 super(TestIpsecItf6, self).tearDown()
2725
2726 def test_tun_44(self):
2727 """IPSEC interface IPv6"""
2728
2729 n_pkts = 127
2730 p = self.ipv6_params
2731
2732 self.config_network(p)
2733 self.config_sa_tun(p,
2734 self.pg0.local_ip6,
2735 self.pg0.remote_ip6)
2736 self.config_protect(p)
2737
2738 self.verify_tun_66(p, count=n_pkts)
2739 c = p.tun_if.get_rx_stats()
2740 self.assertEqual(c['packets'], n_pkts)
2741 c = p.tun_if.get_tx_stats()
2742 self.assertEqual(c['packets'], n_pkts)
2743
2744 p.tun_if.admin_down()
2745 self.verify_drop_tun_66(p, count=n_pkts)
2746 p.tun_if.admin_up()
2747 self.verify_tun_66(p, count=n_pkts)
2748
2749 c = p.tun_if.get_rx_stats()
2750 self.assertEqual(c['packets'], 3*n_pkts)
2751 c = p.tun_if.get_tx_stats()
2752 self.assertEqual(c['packets'], 2*n_pkts)
2753
2754 # it's a v4 packet when its encrypted
2755 self.tun6_encrypt_node_name = "esp4-encrypt-tun"
2756
2757 self.verify_tun_46(p, count=n_pkts)
2758 c = p.tun_if.get_rx_stats()
2759 self.assertEqual(c['packets'], 4*n_pkts)
2760 c = p.tun_if.get_tx_stats()
2761 self.assertEqual(c['packets'], 3*n_pkts)
2762
2763 self.tun6_encrypt_node_name = "esp6-encrypt-tun"
2764
2765 self.vapi.cli("clear interfaces")
2766
2767 # rekey - create new SAs and update the tunnel protection
2768 np = copy.copy(p)
2769 np.crypt_key = b'X' + p.crypt_key[1:]
2770 np.scapy_tun_spi += 100
2771 np.scapy_tun_sa_id += 1
2772 np.vpp_tun_spi += 100
2773 np.vpp_tun_sa_id += 1
2774 np.tun_if.local_spi = p.vpp_tun_spi
2775 np.tun_if.remote_spi = p.scapy_tun_spi
2776
2777 self.config_sa_tun(np,
2778 self.pg0.local_ip6,
2779 self.pg0.remote_ip6)
2780 self.config_protect(np)
2781 self.unconfig_sa(p)
2782
2783 self.verify_tun_66(np, count=n_pkts)
2784 c = p.tun_if.get_rx_stats()
2785 self.assertEqual(c['packets'], n_pkts)
2786 c = p.tun_if.get_tx_stats()
2787 self.assertEqual(c['packets'], n_pkts)
2788
2789 # teardown
2790 self.unconfig_protect(np)
2791 self.unconfig_sa(np)
2792 self.unconfig_network(p)
2793
2794
Klement Sekera31da2e32018-06-24 22:49:55 +02002795if __name__ == '__main__':
2796 unittest.main(testRunner=VppTestRunner)