Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 1 | import unittest |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 2 | import socket |
Neale Ranns | 80f6fd5 | 2019-04-16 02:41:34 +0000 | [diff] [blame] | 3 | import struct |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 4 | |
Neale Ranns | 53f526b | 2019-02-25 14:32:02 +0000 | [diff] [blame] | 5 | from scapy.layers.inet import IP, ICMP, TCP, UDP |
Damjan Marion | a829b13 | 2019-04-24 23:39:16 +0200 | [diff] [blame] | 6 | from scapy.layers.ipsec import SecurityAssociation, ESP |
snaramre | 5d4b891 | 2019-12-13 23:39:35 +0000 | [diff] [blame] | 7 | from scapy.layers.l2 import Ether |
Paul Vinciguerra | 582eac5 | 2020-04-03 12:18:40 -0400 | [diff] [blame] | 8 | from scapy.packet import raw, Raw |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 9 | from scapy.layers.inet6 import IPv6, ICMPv6EchoRequest, IPv6ExtHdrHopByHop, \ |
| 10 | IPv6ExtHdrFragment, IPv6ExtHdrDestOpt |
| 11 | |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 12 | |
| 13 | from framework import VppTestCase, VppTestRunner |
Neale Ranns | 1404698 | 2019-07-29 14:49:52 +0000 | [diff] [blame] | 14 | from util import ppp, reassemble4, fragment_rfc791, fragment_rfc8200 |
Neale Ranns | 17dcec0 | 2019-01-09 21:22:20 -0800 | [diff] [blame] | 15 | from vpp_papi import VppEnum |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 16 | |
| 17 | |
Paul Vinciguerra | e061dad | 2020-12-04 14:57:51 -0500 | [diff] [blame] | 18 | class IPsecIPv4Params: |
Neale Ranns | 17dcec0 | 2019-01-09 21:22:20 -0800 | [diff] [blame] | 19 | |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 20 | addr_type = socket.AF_INET |
| 21 | addr_any = "0.0.0.0" |
| 22 | addr_bcast = "255.255.255.255" |
| 23 | addr_len = 32 |
| 24 | is_ipv6 = 0 |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 25 | |
Neale Ranns | 17dcec0 | 2019-01-09 21:22:20 -0800 | [diff] [blame] | 26 | def __init__(self): |
| 27 | self.remote_tun_if_host = '1.1.1.1' |
Neale Ranns | 987aea8 | 2019-03-27 13:40:35 +0000 | [diff] [blame] | 28 | self.remote_tun_if_host6 = '1111::1' |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 29 | |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 30 | self.scapy_tun_sa_id = 100 |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 31 | self.scapy_tun_spi = 1000 |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 32 | self.vpp_tun_sa_id = 200 |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 33 | self.vpp_tun_spi = 2000 |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 34 | |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 35 | self.scapy_tra_sa_id = 300 |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 36 | self.scapy_tra_spi = 3000 |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 37 | self.vpp_tra_sa_id = 400 |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 38 | self.vpp_tra_spi = 4000 |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 39 | |
Neale Ranns | c7eaa71 | 2021-02-04 11:09:33 +0000 | [diff] [blame] | 40 | self.outer_hop_limit = 64 |
| 41 | self.inner_hop_limit = 255 |
| 42 | self.outer_flow_label = 0 |
| 43 | self.inner_flow_label = 0x12345 |
| 44 | |
Neale Ranns | 17dcec0 | 2019-01-09 21:22:20 -0800 | [diff] [blame] | 45 | self.auth_algo_vpp_id = (VppEnum.vl_api_ipsec_integ_alg_t. |
| 46 | IPSEC_API_INTEG_ALG_SHA1_96) |
| 47 | self.auth_algo = 'HMAC-SHA1-96' # scapy name |
Ole Troan | 64e978b | 2019-10-17 21:40:36 +0200 | [diff] [blame] | 48 | self.auth_key = b'C91KUR9GYMm5GfkEvNjX' |
Neale Ranns | 17dcec0 | 2019-01-09 21:22:20 -0800 | [diff] [blame] | 49 | |
| 50 | self.crypt_algo_vpp_id = (VppEnum.vl_api_ipsec_crypto_alg_t. |
| 51 | IPSEC_API_CRYPTO_ALG_AES_CBC_128) |
| 52 | self.crypt_algo = 'AES-CBC' # scapy name |
Ole Troan | 64e978b | 2019-10-17 21:40:36 +0200 | [diff] [blame] | 53 | self.crypt_key = b'JPjyOWBeVEQiMe7h' |
Neale Ranns | 80f6fd5 | 2019-04-16 02:41:34 +0000 | [diff] [blame] | 54 | self.salt = 0 |
Neale Ranns | 53f526b | 2019-02-25 14:32:02 +0000 | [diff] [blame] | 55 | self.flags = 0 |
| 56 | self.nat_header = None |
Neale Ranns | 041add7 | 2020-01-02 04:06:10 +0000 | [diff] [blame] | 57 | self.tun_flags = (VppEnum.vl_api_tunnel_encap_decap_flags_t. |
| 58 | TUNNEL_API_ENCAP_DECAP_FLAG_NONE) |
| 59 | self.dscp = 0 |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 60 | |
| 61 | |
Paul Vinciguerra | e061dad | 2020-12-04 14:57:51 -0500 | [diff] [blame] | 62 | class IPsecIPv6Params: |
Neale Ranns | 17dcec0 | 2019-01-09 21:22:20 -0800 | [diff] [blame] | 63 | |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 64 | addr_type = socket.AF_INET6 |
| 65 | addr_any = "0::0" |
| 66 | addr_bcast = "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff" |
| 67 | addr_len = 128 |
| 68 | is_ipv6 = 1 |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 69 | |
Neale Ranns | 17dcec0 | 2019-01-09 21:22:20 -0800 | [diff] [blame] | 70 | def __init__(self): |
| 71 | self.remote_tun_if_host = '1111:1111:1111:1111:1111:1111:1111:1111' |
Neale Ranns | 987aea8 | 2019-03-27 13:40:35 +0000 | [diff] [blame] | 72 | self.remote_tun_if_host4 = '1.1.1.1' |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 73 | |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 74 | self.scapy_tun_sa_id = 500 |
Neale Ranns | 17dcec0 | 2019-01-09 21:22:20 -0800 | [diff] [blame] | 75 | self.scapy_tun_spi = 3001 |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 76 | self.vpp_tun_sa_id = 600 |
Neale Ranns | 17dcec0 | 2019-01-09 21:22:20 -0800 | [diff] [blame] | 77 | self.vpp_tun_spi = 3000 |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 78 | |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 79 | self.scapy_tra_sa_id = 700 |
Neale Ranns | 17dcec0 | 2019-01-09 21:22:20 -0800 | [diff] [blame] | 80 | self.scapy_tra_spi = 4001 |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 81 | self.vpp_tra_sa_id = 800 |
Neale Ranns | 17dcec0 | 2019-01-09 21:22:20 -0800 | [diff] [blame] | 82 | self.vpp_tra_spi = 4000 |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 83 | |
Neale Ranns | c7eaa71 | 2021-02-04 11:09:33 +0000 | [diff] [blame] | 84 | self.outer_hop_limit = 64 |
| 85 | self.inner_hop_limit = 255 |
| 86 | self.outer_flow_label = 0 |
| 87 | self.inner_flow_label = 0x12345 |
| 88 | |
Neale Ranns | 17dcec0 | 2019-01-09 21:22:20 -0800 | [diff] [blame] | 89 | self.auth_algo_vpp_id = (VppEnum.vl_api_ipsec_integ_alg_t. |
Neale Ranns | 1091c4a | 2019-04-08 14:48:23 +0000 | [diff] [blame] | 90 | IPSEC_API_INTEG_ALG_SHA1_96) |
| 91 | self.auth_algo = 'HMAC-SHA1-96' # scapy name |
Ole Troan | 64e978b | 2019-10-17 21:40:36 +0200 | [diff] [blame] | 92 | self.auth_key = b'C91KUR9GYMm5GfkEvNjX' |
Neale Ranns | 17dcec0 | 2019-01-09 21:22:20 -0800 | [diff] [blame] | 93 | |
| 94 | self.crypt_algo_vpp_id = (VppEnum.vl_api_ipsec_crypto_alg_t. |
Neale Ranns | 4f33c80 | 2019-04-10 12:39:10 +0000 | [diff] [blame] | 95 | IPSEC_API_CRYPTO_ALG_AES_CBC_128) |
Neale Ranns | 17dcec0 | 2019-01-09 21:22:20 -0800 | [diff] [blame] | 96 | self.crypt_algo = 'AES-CBC' # scapy name |
Ole Troan | 64e978b | 2019-10-17 21:40:36 +0200 | [diff] [blame] | 97 | self.crypt_key = b'JPjyOWBeVEQiMe7h' |
Neale Ranns | 80f6fd5 | 2019-04-16 02:41:34 +0000 | [diff] [blame] | 98 | self.salt = 0 |
Neale Ranns | 53f526b | 2019-02-25 14:32:02 +0000 | [diff] [blame] | 99 | self.flags = 0 |
| 100 | self.nat_header = None |
Neale Ranns | 041add7 | 2020-01-02 04:06:10 +0000 | [diff] [blame] | 101 | self.tun_flags = (VppEnum.vl_api_tunnel_encap_decap_flags_t. |
| 102 | TUNNEL_API_ENCAP_DECAP_FLAG_NONE) |
| 103 | self.dscp = 0 |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 104 | |
| 105 | |
Neale Ranns | 12989b5 | 2019-09-26 16:20:19 +0000 | [diff] [blame] | 106 | def mk_scapy_crypt_key(p): |
Benoît Ganne | 490b927 | 2021-01-22 18:03:09 +0100 | [diff] [blame] | 107 | if p.crypt_algo in ("AES-GCM", "AES-CTR"): |
Neale Ranns | 6afaae1 | 2019-07-17 15:07:14 +0000 | [diff] [blame] | 108 | return p.crypt_key + struct.pack("!I", p.salt) |
| 109 | else: |
| 110 | return p.crypt_key |
| 111 | |
| 112 | |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 113 | def config_tun_params(p, encryption_type, tun_if): |
| 114 | ip_class_by_addr_type = {socket.AF_INET: IP, socket.AF_INET6: IPv6} |
snaramre | 5d4b891 | 2019-12-13 23:39:35 +0000 | [diff] [blame] | 115 | esn_en = bool(p.flags & (VppEnum.vl_api_ipsec_sad_flags_t. |
| 116 | IPSEC_API_SAD_FLAG_USE_ESN)) |
Neale Ranns | f3a6622 | 2020-01-02 05:04:00 +0000 | [diff] [blame] | 117 | p.tun_dst = tun_if.remote_addr[p.addr_type] |
| 118 | p.tun_src = tun_if.local_addr[p.addr_type] |
Neale Ranns | 12989b5 | 2019-09-26 16:20:19 +0000 | [diff] [blame] | 119 | crypt_key = mk_scapy_crypt_key(p) |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 120 | p.scapy_tun_sa = SecurityAssociation( |
| 121 | encryption_type, spi=p.vpp_tun_spi, |
Neale Ranns | 80f6fd5 | 2019-04-16 02:41:34 +0000 | [diff] [blame] | 122 | crypt_algo=p.crypt_algo, |
| 123 | crypt_key=crypt_key, |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 124 | auth_algo=p.auth_algo, auth_key=p.auth_key, |
| 125 | tunnel_header=ip_class_by_addr_type[p.addr_type]( |
Neale Ranns | f3a6622 | 2020-01-02 05:04:00 +0000 | [diff] [blame] | 126 | src=p.tun_dst, |
| 127 | dst=p.tun_src), |
Neale Ranns | 3833ffd | 2019-03-21 14:34:09 +0000 | [diff] [blame] | 128 | nat_t_header=p.nat_header, |
snaramre | 5d4b891 | 2019-12-13 23:39:35 +0000 | [diff] [blame] | 129 | esn_en=esn_en) |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 130 | p.vpp_tun_sa = SecurityAssociation( |
| 131 | encryption_type, spi=p.scapy_tun_spi, |
Neale Ranns | 80f6fd5 | 2019-04-16 02:41:34 +0000 | [diff] [blame] | 132 | crypt_algo=p.crypt_algo, |
| 133 | crypt_key=crypt_key, |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 134 | auth_algo=p.auth_algo, auth_key=p.auth_key, |
| 135 | tunnel_header=ip_class_by_addr_type[p.addr_type]( |
Neale Ranns | f3a6622 | 2020-01-02 05:04:00 +0000 | [diff] [blame] | 136 | dst=p.tun_dst, |
| 137 | src=p.tun_src), |
Neale Ranns | 3833ffd | 2019-03-21 14:34:09 +0000 | [diff] [blame] | 138 | nat_t_header=p.nat_header, |
snaramre | 5d4b891 | 2019-12-13 23:39:35 +0000 | [diff] [blame] | 139 | esn_en=esn_en) |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 140 | |
| 141 | |
| 142 | def config_tra_params(p, encryption_type): |
snaramre | 5d4b891 | 2019-12-13 23:39:35 +0000 | [diff] [blame] | 143 | esn_en = bool(p.flags & (VppEnum.vl_api_ipsec_sad_flags_t. |
| 144 | IPSEC_API_SAD_FLAG_USE_ESN)) |
Neale Ranns | 12989b5 | 2019-09-26 16:20:19 +0000 | [diff] [blame] | 145 | crypt_key = mk_scapy_crypt_key(p) |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 146 | p.scapy_tra_sa = SecurityAssociation( |
| 147 | encryption_type, |
| 148 | spi=p.vpp_tra_spi, |
| 149 | crypt_algo=p.crypt_algo, |
Neale Ranns | 80f6fd5 | 2019-04-16 02:41:34 +0000 | [diff] [blame] | 150 | crypt_key=crypt_key, |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 151 | auth_algo=p.auth_algo, |
| 152 | auth_key=p.auth_key, |
Neale Ranns | 3833ffd | 2019-03-21 14:34:09 +0000 | [diff] [blame] | 153 | nat_t_header=p.nat_header, |
snaramre | 5d4b891 | 2019-12-13 23:39:35 +0000 | [diff] [blame] | 154 | esn_en=esn_en) |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 155 | p.vpp_tra_sa = SecurityAssociation( |
| 156 | encryption_type, |
| 157 | spi=p.scapy_tra_spi, |
| 158 | crypt_algo=p.crypt_algo, |
Neale Ranns | 80f6fd5 | 2019-04-16 02:41:34 +0000 | [diff] [blame] | 159 | crypt_key=crypt_key, |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 160 | auth_algo=p.auth_algo, |
| 161 | auth_key=p.auth_key, |
Neale Ranns | 3833ffd | 2019-03-21 14:34:09 +0000 | [diff] [blame] | 162 | nat_t_header=p.nat_header, |
snaramre | 5d4b891 | 2019-12-13 23:39:35 +0000 | [diff] [blame] | 163 | esn_en=esn_en) |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 164 | |
| 165 | |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 166 | class TemplateIpsec(VppTestCase): |
| 167 | """ |
| 168 | TRANSPORT MODE: |
| 169 | |
| 170 | ------ encrypt --- |
| 171 | |tra_if| <-------> |VPP| |
| 172 | ------ decrypt --- |
| 173 | |
| 174 | TUNNEL MODE: |
| 175 | |
| 176 | ------ encrypt --- plain --- |
| 177 | |tun_if| <------- |VPP| <------ |pg1| |
| 178 | ------ --- --- |
| 179 | |
| 180 | ------ decrypt --- plain --- |
| 181 | |tun_if| -------> |VPP| ------> |pg1| |
| 182 | ------ --- --- |
| 183 | """ |
Neale Ranns | 4f33c80 | 2019-04-10 12:39:10 +0000 | [diff] [blame] | 184 | tun_spd_id = 1 |
| 185 | tra_spd_id = 2 |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 186 | |
Neale Ranns | 8e4a89b | 2019-01-23 08:16:17 -0800 | [diff] [blame] | 187 | def ipsec_select_backend(self): |
Klement Sekera | b4d3053 | 2018-11-08 13:00:02 +0100 | [diff] [blame] | 188 | """ empty method to be overloaded when necessary """ |
| 189 | pass |
| 190 | |
Paul Vinciguerra | 7f9b7f9 | 2019-03-12 19:23:27 -0700 | [diff] [blame] | 191 | @classmethod |
| 192 | def setUpClass(cls): |
| 193 | super(TemplateIpsec, cls).setUpClass() |
| 194 | |
| 195 | @classmethod |
| 196 | def tearDownClass(cls): |
| 197 | super(TemplateIpsec, cls).tearDownClass() |
| 198 | |
Neale Ranns | 3833ffd | 2019-03-21 14:34:09 +0000 | [diff] [blame] | 199 | def setup_params(self): |
Neale Ranns | 041add7 | 2020-01-02 04:06:10 +0000 | [diff] [blame] | 200 | if not hasattr(self, 'ipv4_params'): |
| 201 | self.ipv4_params = IPsecIPv4Params() |
| 202 | if not hasattr(self, 'ipv6_params'): |
| 203 | self.ipv6_params = IPsecIPv6Params() |
Neale Ranns | 8e4a89b | 2019-01-23 08:16:17 -0800 | [diff] [blame] | 204 | self.params = {self.ipv4_params.addr_type: self.ipv4_params, |
| 205 | self.ipv6_params.addr_type: self.ipv6_params} |
| 206 | |
Neale Ranns | 4f33c80 | 2019-04-10 12:39:10 +0000 | [diff] [blame] | 207 | def config_interfaces(self): |
Neale Ranns | 8e4a89b | 2019-01-23 08:16:17 -0800 | [diff] [blame] | 208 | self.create_pg_interfaces(range(3)) |
| 209 | self.interfaces = list(self.pg_interfaces) |
| 210 | for i in self.interfaces: |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 211 | i.admin_up() |
| 212 | i.config_ip4() |
| 213 | i.resolve_arp() |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 214 | i.config_ip6() |
| 215 | i.resolve_ndp() |
Neale Ranns | 4f33c80 | 2019-04-10 12:39:10 +0000 | [diff] [blame] | 216 | |
| 217 | def setUp(self): |
| 218 | super(TemplateIpsec, self).setUp() |
| 219 | |
| 220 | self.setup_params() |
| 221 | |
| 222 | self.vpp_esp_protocol = (VppEnum.vl_api_ipsec_proto_t. |
| 223 | IPSEC_API_PROTO_ESP) |
| 224 | self.vpp_ah_protocol = (VppEnum.vl_api_ipsec_proto_t. |
| 225 | IPSEC_API_PROTO_AH) |
| 226 | |
| 227 | self.config_interfaces() |
Paul Vinciguerra | 90cf21b | 2019-03-13 09:23:05 -0700 | [diff] [blame] | 228 | |
Neale Ranns | 8e4a89b | 2019-01-23 08:16:17 -0800 | [diff] [blame] | 229 | self.ipsec_select_backend() |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 230 | |
Neale Ranns | 4f33c80 | 2019-04-10 12:39:10 +0000 | [diff] [blame] | 231 | def unconfig_interfaces(self): |
Neale Ranns | 8e4a89b | 2019-01-23 08:16:17 -0800 | [diff] [blame] | 232 | for i in self.interfaces: |
| 233 | i.admin_down() |
| 234 | i.unconfig_ip4() |
| 235 | i.unconfig_ip6() |
| 236 | |
Neale Ranns | 4f33c80 | 2019-04-10 12:39:10 +0000 | [diff] [blame] | 237 | def tearDown(self): |
| 238 | super(TemplateIpsec, self).tearDown() |
| 239 | |
| 240 | self.unconfig_interfaces() |
| 241 | |
Paul Vinciguerra | 90cf21b | 2019-03-13 09:23:05 -0700 | [diff] [blame] | 242 | def show_commands_at_teardown(self): |
| 243 | self.logger.info(self.vapi.cli("show hardware")) |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 244 | |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 245 | def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1, |
Neale Ranns | d7603d9 | 2019-03-28 08:56:10 +0000 | [diff] [blame] | 246 | payload_size=54): |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 247 | return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / |
Neale Ranns | d7603d9 | 2019-03-28 08:56:10 +0000 | [diff] [blame] | 248 | sa.encrypt(IP(src=src, dst=dst) / |
Ole Troan | 8b76c23 | 2019-10-21 20:55:13 +0200 | [diff] [blame] | 249 | ICMP() / Raw(b'X' * payload_size)) |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 250 | for i in range(count)] |
| 251 | |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 252 | def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1, |
Neale Ranns | d7603d9 | 2019-03-28 08:56:10 +0000 | [diff] [blame] | 253 | payload_size=54): |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 254 | return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / |
Neale Ranns | c7eaa71 | 2021-02-04 11:09:33 +0000 | [diff] [blame] | 255 | sa.encrypt(IPv6(src=src, dst=dst, |
| 256 | hlim=p.inner_hop_limit, |
| 257 | fl=p.inner_flow_label) / |
Neale Ranns | d7603d9 | 2019-03-28 08:56:10 +0000 | [diff] [blame] | 258 | ICMPv6EchoRequest(id=0, seq=1, |
| 259 | data='X' * payload_size)) |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 260 | for i in range(count)] |
| 261 | |
Neale Ranns | d7603d9 | 2019-03-28 08:56:10 +0000 | [diff] [blame] | 262 | def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=54): |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 263 | return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / |
Ole Troan | 8b76c23 | 2019-10-21 20:55:13 +0200 | [diff] [blame] | 264 | IP(src=src, dst=dst) / ICMP() / Raw(b'X' * payload_size) |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 265 | for i in range(count)] |
| 266 | |
Neale Ranns | c7eaa71 | 2021-02-04 11:09:33 +0000 | [diff] [blame] | 267 | def gen_pkts6(self, p, sw_intf, src, dst, count=1, payload_size=54): |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 268 | return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / |
Neale Ranns | c7eaa71 | 2021-02-04 11:09:33 +0000 | [diff] [blame] | 269 | IPv6(src=src, dst=dst, |
| 270 | hlim=p.inner_hop_limit, fl=p.inner_flow_label) / |
Neale Ranns | d7603d9 | 2019-03-28 08:56:10 +0000 | [diff] [blame] | 271 | ICMPv6EchoRequest(id=0, seq=1, data='X' * payload_size) |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 272 | for i in range(count)] |
| 273 | |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 274 | |
Neale Ranns | 4f33c80 | 2019-04-10 12:39:10 +0000 | [diff] [blame] | 275 | class IpsecTcp(object): |
| 276 | def verify_tcp_checksum(self): |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 277 | self.vapi.cli("test http server") |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 278 | p = self.params[socket.AF_INET] |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 279 | send = (Ether(src=self.tun_if.remote_mac, dst=self.tun_if.local_mac) / |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 280 | p.scapy_tun_sa.encrypt(IP(src=p.remote_tun_if_host, |
| 281 | dst=self.tun_if.local_ip4) / |
| 282 | TCP(flags='S', dport=80))) |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 283 | self.logger.debug(ppp("Sending packet:", send)) |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 284 | recv = self.send_and_expect(self.tun_if, [send], self.tun_if) |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 285 | recv = recv[0] |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 286 | decrypted = p.vpp_tun_sa.decrypt(recv[IP]) |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 287 | self.assert_packet_checksums_valid(decrypted) |
| 288 | |
| 289 | |
Neale Ranns | 4f33c80 | 2019-04-10 12:39:10 +0000 | [diff] [blame] | 290 | class IpsecTcpTests(IpsecTcp): |
| 291 | def test_tcp_checksum(self): |
| 292 | """ verify checksum correctness for vpp generated packets """ |
| 293 | self.verify_tcp_checksum() |
| 294 | |
| 295 | |
| 296 | class IpsecTra4(object): |
| 297 | """ verify methods for Transport v4 """ |
Neale Ranns | 6afaae1 | 2019-07-17 15:07:14 +0000 | [diff] [blame] | 298 | def verify_tra_anti_replay(self): |
Neale Ranns | de84727 | 2018-11-28 01:38:34 -0800 | [diff] [blame] | 299 | p = self.params[socket.AF_INET] |
snaramre | 5d4b891 | 2019-12-13 23:39:35 +0000 | [diff] [blame] | 300 | esn_en = p.vpp_tra_sa.esn_en |
Neale Ranns | de84727 | 2018-11-28 01:38:34 -0800 | [diff] [blame] | 301 | |
Neale Ranns | 6afaae1 | 2019-07-17 15:07:14 +0000 | [diff] [blame] | 302 | seq_cycle_node_name = ('/err/%s/sequence number cycled' % |
| 303 | self.tra4_encrypt_node_name) |
| 304 | replay_node_name = ('/err/%s/SA replayed packet' % |
| 305 | self.tra4_decrypt_node_name) |
| 306 | if ESP == self.encryption_type and p.crypt_algo == "AES-GCM": |
| 307 | hash_failed_node_name = ('/err/%s/ESP decryption failed' % |
| 308 | self.tra4_decrypt_node_name) |
| 309 | else: |
| 310 | hash_failed_node_name = ('/err/%s/Integrity check failed' % |
| 311 | self.tra4_decrypt_node_name) |
| 312 | replay_count = self.statistics.get_err_counter(replay_node_name) |
| 313 | hash_failed_count = self.statistics.get_err_counter( |
| 314 | hash_failed_node_name) |
| 315 | seq_cycle_count = self.statistics.get_err_counter(seq_cycle_node_name) |
Neale Ranns | de84727 | 2018-11-28 01:38:34 -0800 | [diff] [blame] | 316 | |
Neale Ranns | 6afaae1 | 2019-07-17 15:07:14 +0000 | [diff] [blame] | 317 | if ESP == self.encryption_type: |
| 318 | undersize_node_name = ('/err/%s/undersized packet' % |
| 319 | self.tra4_decrypt_node_name) |
| 320 | undersize_count = self.statistics.get_err_counter( |
| 321 | undersize_node_name) |
| 322 | |
| 323 | # |
| 324 | # send packets with seq numbers 1->34 |
| 325 | # this means the window size is still in Case B (see RFC4303 |
| 326 | # Appendix A) |
| 327 | # |
| 328 | # for reasons i haven't investigated Scapy won't create a packet with |
| 329 | # seq_num=0 |
| 330 | # |
| 331 | pkts = [(Ether(src=self.tra_if.remote_mac, |
| 332 | dst=self.tra_if.local_mac) / |
| 333 | p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4, |
| 334 | dst=self.tra_if.local_ip4) / |
| 335 | ICMP(), |
| 336 | seq_num=seq)) |
| 337 | for seq in range(1, 34)] |
| 338 | recv_pkts = self.send_and_expect(self.tra_if, pkts, self.tra_if) |
| 339 | |
| 340 | # replayed packets are dropped |
| 341 | self.send_and_assert_no_replies(self.tra_if, pkts) |
| 342 | replay_count += len(pkts) |
| 343 | self.assert_error_counter_equal(replay_node_name, replay_count) |
| 344 | |
| 345 | # |
Neale Ranns | 3b9374f | 2019-08-01 04:45:15 -0700 | [diff] [blame] | 346 | # now send a batch of packets all with the same sequence number |
| 347 | # the first packet in the batch is legitimate, the rest bogus |
| 348 | # |
| 349 | pkts = (Ether(src=self.tra_if.remote_mac, |
| 350 | dst=self.tra_if.local_mac) / |
| 351 | p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4, |
| 352 | dst=self.tra_if.local_ip4) / |
| 353 | ICMP(), |
| 354 | seq_num=35)) |
| 355 | recv_pkts = self.send_and_expect(self.tra_if, pkts * 8, |
| 356 | self.tra_if, n_rx=1) |
| 357 | replay_count += 7 |
| 358 | self.assert_error_counter_equal(replay_node_name, replay_count) |
| 359 | |
| 360 | # |
Neale Ranns | 6afaae1 | 2019-07-17 15:07:14 +0000 | [diff] [blame] | 361 | # now move the window over to 257 (more than one byte) and into Case A |
| 362 | # |
Neale Ranns | de84727 | 2018-11-28 01:38:34 -0800 | [diff] [blame] | 363 | pkt = (Ether(src=self.tra_if.remote_mac, |
| 364 | dst=self.tra_if.local_mac) / |
| 365 | p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4, |
| 366 | dst=self.tra_if.local_ip4) / |
| 367 | ICMP(), |
Neale Ranns | 6afaae1 | 2019-07-17 15:07:14 +0000 | [diff] [blame] | 368 | seq_num=257)) |
Neale Ranns | de84727 | 2018-11-28 01:38:34 -0800 | [diff] [blame] | 369 | recv_pkts = self.send_and_expect(self.tra_if, [pkt], self.tra_if) |
| 370 | |
Neale Ranns | 3833ffd | 2019-03-21 14:34:09 +0000 | [diff] [blame] | 371 | # replayed packets are dropped |
| 372 | self.send_and_assert_no_replies(self.tra_if, pkt * 3) |
Neale Ranns | 6afaae1 | 2019-07-17 15:07:14 +0000 | [diff] [blame] | 373 | replay_count += 3 |
| 374 | self.assert_error_counter_equal(replay_node_name, replay_count) |
Neale Ranns | 3833ffd | 2019-03-21 14:34:09 +0000 | [diff] [blame] | 375 | |
Neale Ranns | de84727 | 2018-11-28 01:38:34 -0800 | [diff] [blame] | 376 | # the window size is 64 packets |
| 377 | # in window are still accepted |
| 378 | pkt = (Ether(src=self.tra_if.remote_mac, |
| 379 | dst=self.tra_if.local_mac) / |
| 380 | p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4, |
| 381 | dst=self.tra_if.local_ip4) / |
| 382 | ICMP(), |
Neale Ranns | 6afaae1 | 2019-07-17 15:07:14 +0000 | [diff] [blame] | 383 | seq_num=200)) |
Neale Ranns | de84727 | 2018-11-28 01:38:34 -0800 | [diff] [blame] | 384 | recv_pkts = self.send_and_expect(self.tra_if, [pkt], self.tra_if) |
| 385 | |
Neale Ranns | de84727 | 2018-11-28 01:38:34 -0800 | [diff] [blame] | 386 | # a packet that does not decrypt does not move the window forward |
| 387 | bogus_sa = SecurityAssociation(self.encryption_type, |
Damjan Marion | a829b13 | 2019-04-24 23:39:16 +0200 | [diff] [blame] | 388 | p.vpp_tra_spi, |
| 389 | crypt_algo=p.crypt_algo, |
Neale Ranns | 12989b5 | 2019-09-26 16:20:19 +0000 | [diff] [blame] | 390 | crypt_key=mk_scapy_crypt_key(p)[::-1], |
Damjan Marion | a829b13 | 2019-04-24 23:39:16 +0200 | [diff] [blame] | 391 | auth_algo=p.auth_algo, |
| 392 | auth_key=p.auth_key[::-1]) |
Neale Ranns | de84727 | 2018-11-28 01:38:34 -0800 | [diff] [blame] | 393 | pkt = (Ether(src=self.tra_if.remote_mac, |
| 394 | dst=self.tra_if.local_mac) / |
| 395 | bogus_sa.encrypt(IP(src=self.tra_if.remote_ip4, |
| 396 | dst=self.tra_if.local_ip4) / |
| 397 | ICMP(), |
| 398 | seq_num=350)) |
| 399 | self.send_and_assert_no_replies(self.tra_if, pkt * 17) |
| 400 | |
Neale Ranns | 6afaae1 | 2019-07-17 15:07:14 +0000 | [diff] [blame] | 401 | hash_failed_count += 17 |
| 402 | self.assert_error_counter_equal(hash_failed_node_name, |
| 403 | hash_failed_count) |
Neale Ranns | de84727 | 2018-11-28 01:38:34 -0800 | [diff] [blame] | 404 | |
Damjan Marion | a829b13 | 2019-04-24 23:39:16 +0200 | [diff] [blame] | 405 | # a malformed 'runt' packet |
| 406 | # created by a mis-constructed SA |
Neale Ranns | 2cdcd0c | 2019-08-27 12:26:14 +0000 | [diff] [blame] | 407 | if (ESP == self.encryption_type and p.crypt_algo != "NULL"): |
Damjan Marion | a829b13 | 2019-04-24 23:39:16 +0200 | [diff] [blame] | 408 | bogus_sa = SecurityAssociation(self.encryption_type, |
| 409 | p.vpp_tra_spi) |
| 410 | pkt = (Ether(src=self.tra_if.remote_mac, |
| 411 | dst=self.tra_if.local_mac) / |
| 412 | bogus_sa.encrypt(IP(src=self.tra_if.remote_ip4, |
| 413 | dst=self.tra_if.local_ip4) / |
| 414 | ICMP(), |
| 415 | seq_num=350)) |
| 416 | self.send_and_assert_no_replies(self.tra_if, pkt * 17) |
| 417 | |
Neale Ranns | 6afaae1 | 2019-07-17 15:07:14 +0000 | [diff] [blame] | 418 | undersize_count += 17 |
| 419 | self.assert_error_counter_equal(undersize_node_name, |
| 420 | undersize_count) |
Damjan Marion | a829b13 | 2019-04-24 23:39:16 +0200 | [diff] [blame] | 421 | |
Neale Ranns | de84727 | 2018-11-28 01:38:34 -0800 | [diff] [blame] | 422 | # which we can determine since this packet is still in the window |
| 423 | pkt = (Ether(src=self.tra_if.remote_mac, |
| 424 | dst=self.tra_if.local_mac) / |
| 425 | p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4, |
| 426 | dst=self.tra_if.local_ip4) / |
| 427 | ICMP(), |
| 428 | seq_num=234)) |
Klement Sekera | 14d7e90 | 2018-12-10 13:46:09 +0100 | [diff] [blame] | 429 | self.send_and_expect(self.tra_if, [pkt], self.tra_if) |
Neale Ranns | de84727 | 2018-11-28 01:38:34 -0800 | [diff] [blame] | 430 | |
Neale Ranns | 6afaae1 | 2019-07-17 15:07:14 +0000 | [diff] [blame] | 431 | # |
Neale Ranns | 3833ffd | 2019-03-21 14:34:09 +0000 | [diff] [blame] | 432 | # out of window are dropped |
Neale Ranns | 6afaae1 | 2019-07-17 15:07:14 +0000 | [diff] [blame] | 433 | # this is Case B. So VPP will consider this to be a high seq num wrap |
| 434 | # and so the decrypt attempt will fail |
| 435 | # |
Neale Ranns | 3833ffd | 2019-03-21 14:34:09 +0000 | [diff] [blame] | 436 | pkt = (Ether(src=self.tra_if.remote_mac, |
| 437 | dst=self.tra_if.local_mac) / |
| 438 | p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4, |
| 439 | dst=self.tra_if.local_ip4) / |
| 440 | ICMP(), |
| 441 | seq_num=17)) |
| 442 | self.send_and_assert_no_replies(self.tra_if, pkt * 17) |
Neale Ranns | 00a4420 | 2019-03-21 16:36:28 +0000 | [diff] [blame] | 443 | |
snaramre | 5d4b891 | 2019-12-13 23:39:35 +0000 | [diff] [blame] | 444 | if esn_en: |
Neale Ranns | 3833ffd | 2019-03-21 14:34:09 +0000 | [diff] [blame] | 445 | # an out of window error with ESN looks like a high sequence |
| 446 | # wrap. but since it isn't then the verify will fail. |
Neale Ranns | 6afaae1 | 2019-07-17 15:07:14 +0000 | [diff] [blame] | 447 | hash_failed_count += 17 |
| 448 | self.assert_error_counter_equal(hash_failed_node_name, |
| 449 | hash_failed_count) |
Neale Ranns | 3833ffd | 2019-03-21 14:34:09 +0000 | [diff] [blame] | 450 | |
| 451 | else: |
Neale Ranns | 6afaae1 | 2019-07-17 15:07:14 +0000 | [diff] [blame] | 452 | replay_count += 17 |
| 453 | self.assert_error_counter_equal(replay_node_name, |
| 454 | replay_count) |
Neale Ranns | 3833ffd | 2019-03-21 14:34:09 +0000 | [diff] [blame] | 455 | |
Neale Ranns | 6afaae1 | 2019-07-17 15:07:14 +0000 | [diff] [blame] | 456 | # valid packet moves the window over to 258 |
Neale Ranns | 00a4420 | 2019-03-21 16:36:28 +0000 | [diff] [blame] | 457 | pkt = (Ether(src=self.tra_if.remote_mac, |
| 458 | dst=self.tra_if.local_mac) / |
| 459 | p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4, |
| 460 | dst=self.tra_if.local_ip4) / |
| 461 | ICMP(), |
Neale Ranns | 6afaae1 | 2019-07-17 15:07:14 +0000 | [diff] [blame] | 462 | seq_num=258)) |
Neale Ranns | 3833ffd | 2019-03-21 14:34:09 +0000 | [diff] [blame] | 463 | rx = self.send_and_expect(self.tra_if, [pkt], self.tra_if) |
| 464 | decrypted = p.vpp_tra_sa.decrypt(rx[0][IP]) |
| 465 | |
Neale Ranns | 6afaae1 | 2019-07-17 15:07:14 +0000 | [diff] [blame] | 466 | # |
| 467 | # move VPP's SA TX seq-num to just before the seq-number wrap. |
| 468 | # then fire in a packet that VPP should drop on TX because it |
| 469 | # causes the TX seq number to wrap; unless we're using extened sequence |
| 470 | # numbers. |
| 471 | # |
Neale Ranns | 3833ffd | 2019-03-21 14:34:09 +0000 | [diff] [blame] | 472 | self.vapi.cli("test ipsec sa %d seq 0xffffffff" % p.scapy_tra_sa_id) |
Neale Ranns | 6afaae1 | 2019-07-17 15:07:14 +0000 | [diff] [blame] | 473 | self.logger.info(self.vapi.ppcli("show ipsec sa 0")) |
| 474 | self.logger.info(self.vapi.ppcli("show ipsec sa 1")) |
Neale Ranns | 3833ffd | 2019-03-21 14:34:09 +0000 | [diff] [blame] | 475 | |
Neale Ranns | 6afaae1 | 2019-07-17 15:07:14 +0000 | [diff] [blame] | 476 | pkts = [(Ether(src=self.tra_if.remote_mac, |
| 477 | dst=self.tra_if.local_mac) / |
| 478 | p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4, |
| 479 | dst=self.tra_if.local_ip4) / |
| 480 | ICMP(), |
| 481 | seq_num=seq)) |
| 482 | for seq in range(259, 280)] |
Neale Ranns | 3833ffd | 2019-03-21 14:34:09 +0000 | [diff] [blame] | 483 | |
snaramre | 5d4b891 | 2019-12-13 23:39:35 +0000 | [diff] [blame] | 484 | if esn_en: |
Neale Ranns | 6afaae1 | 2019-07-17 15:07:14 +0000 | [diff] [blame] | 485 | rxs = self.send_and_expect(self.tra_if, pkts, self.tra_if) |
Neale Ranns | 3833ffd | 2019-03-21 14:34:09 +0000 | [diff] [blame] | 486 | |
Neale Ranns | 6afaae1 | 2019-07-17 15:07:14 +0000 | [diff] [blame] | 487 | # |
| 488 | # in order for scapy to decrypt its SA's high order number needs |
| 489 | # to wrap |
| 490 | # |
| 491 | p.vpp_tra_sa.seq_num = 0x100000000 |
| 492 | for rx in rxs: |
| 493 | decrypted = p.vpp_tra_sa.decrypt(rx[0][IP]) |
| 494 | |
| 495 | # |
| 496 | # wrap scapy's TX high sequence number. VPP is in case B, so it |
| 497 | # will consider this a high seq wrap also. |
| 498 | # The low seq num we set it to will place VPP's RX window in Case A |
| 499 | # |
Neale Ranns | 3833ffd | 2019-03-21 14:34:09 +0000 | [diff] [blame] | 500 | p.scapy_tra_sa.seq_num = 0x100000005 |
| 501 | pkt = (Ether(src=self.tra_if.remote_mac, |
| 502 | dst=self.tra_if.local_mac) / |
| 503 | p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4, |
| 504 | dst=self.tra_if.local_ip4) / |
| 505 | ICMP(), |
| 506 | seq_num=0x100000005)) |
| 507 | rx = self.send_and_expect(self.tra_if, [pkt], self.tra_if) |
Neale Ranns | 3833ffd | 2019-03-21 14:34:09 +0000 | [diff] [blame] | 508 | decrypted = p.vpp_tra_sa.decrypt(rx[0][IP]) |
Neale Ranns | 6afaae1 | 2019-07-17 15:07:14 +0000 | [diff] [blame] | 509 | |
| 510 | # |
| 511 | # A packet that has seq num between (2^32-64) and 5 is within |
| 512 | # the window |
| 513 | # |
| 514 | p.scapy_tra_sa.seq_num = 0xfffffffd |
| 515 | pkt = (Ether(src=self.tra_if.remote_mac, |
| 516 | dst=self.tra_if.local_mac) / |
| 517 | p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4, |
| 518 | dst=self.tra_if.local_ip4) / |
| 519 | ICMP(), |
| 520 | seq_num=0xfffffffd)) |
| 521 | rx = self.send_and_expect(self.tra_if, [pkt], self.tra_if) |
| 522 | decrypted = p.vpp_tra_sa.decrypt(rx[0][IP]) |
| 523 | |
| 524 | # |
| 525 | # While in case A we cannot wrap the high sequence number again |
| 526 | # becuase VPP will consider this packet to be one that moves the |
| 527 | # window forward |
| 528 | # |
| 529 | pkt = (Ether(src=self.tra_if.remote_mac, |
| 530 | dst=self.tra_if.local_mac) / |
| 531 | p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4, |
| 532 | dst=self.tra_if.local_ip4) / |
| 533 | ICMP(), |
| 534 | seq_num=0x200000999)) |
| 535 | self.send_and_assert_no_replies(self.tra_if, [pkt], self.tra_if) |
| 536 | |
| 537 | hash_failed_count += 1 |
| 538 | self.assert_error_counter_equal(hash_failed_node_name, |
| 539 | hash_failed_count) |
| 540 | |
| 541 | # |
| 542 | # but if we move the wondow forward to case B, then we can wrap |
| 543 | # again |
| 544 | # |
| 545 | p.scapy_tra_sa.seq_num = 0x100000555 |
| 546 | pkt = (Ether(src=self.tra_if.remote_mac, |
| 547 | dst=self.tra_if.local_mac) / |
| 548 | p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4, |
| 549 | dst=self.tra_if.local_ip4) / |
| 550 | ICMP(), |
| 551 | seq_num=0x100000555)) |
| 552 | rx = self.send_and_expect(self.tra_if, [pkt], self.tra_if) |
| 553 | decrypted = p.vpp_tra_sa.decrypt(rx[0][IP]) |
| 554 | |
| 555 | p.scapy_tra_sa.seq_num = 0x200000444 |
| 556 | pkt = (Ether(src=self.tra_if.remote_mac, |
| 557 | dst=self.tra_if.local_mac) / |
| 558 | p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4, |
| 559 | dst=self.tra_if.local_ip4) / |
| 560 | ICMP(), |
| 561 | seq_num=0x200000444)) |
| 562 | rx = self.send_and_expect(self.tra_if, [pkt], self.tra_if) |
| 563 | decrypted = p.vpp_tra_sa.decrypt(rx[0][IP]) |
| 564 | |
Neale Ranns | 3833ffd | 2019-03-21 14:34:09 +0000 | [diff] [blame] | 565 | else: |
Neale Ranns | 6afaae1 | 2019-07-17 15:07:14 +0000 | [diff] [blame] | 566 | # |
| 567 | # without ESN TX sequence numbers can't wrap and packets are |
| 568 | # dropped from here on out. |
| 569 | # |
| 570 | self.send_and_assert_no_replies(self.tra_if, pkts) |
| 571 | seq_cycle_count += len(pkts) |
| 572 | self.assert_error_counter_equal(seq_cycle_node_name, |
| 573 | seq_cycle_count) |
Neale Ranns | 00a4420 | 2019-03-21 16:36:28 +0000 | [diff] [blame] | 574 | |
Neale Ranns | de84727 | 2018-11-28 01:38:34 -0800 | [diff] [blame] | 575 | # move the security-associations seq number on to the last we used |
Neale Ranns | 00a4420 | 2019-03-21 16:36:28 +0000 | [diff] [blame] | 576 | self.vapi.cli("test ipsec sa %d seq 0x15f" % p.scapy_tra_sa_id) |
Neale Ranns | de84727 | 2018-11-28 01:38:34 -0800 | [diff] [blame] | 577 | p.scapy_tra_sa.seq_num = 351 |
| 578 | p.vpp_tra_sa.seq_num = 351 |
| 579 | |
Filip Tehlar | efcad1a | 2020-02-04 09:36:04 +0000 | [diff] [blame] | 580 | def verify_tra_basic4(self, count=1, payload_size=54): |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 581 | """ ipsec v4 transport basic test """ |
Klement Sekera | 10d066e | 2018-11-13 11:12:57 +0100 | [diff] [blame] | 582 | self.vapi.cli("clear errors") |
Neale Ranns | 6afaae1 | 2019-07-17 15:07:14 +0000 | [diff] [blame] | 583 | self.vapi.cli("clear ipsec sa") |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 584 | try: |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 585 | p = self.params[socket.AF_INET] |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 586 | send_pkts = self.gen_encrypt_pkts(p, p.scapy_tra_sa, self.tra_if, |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 587 | src=self.tra_if.remote_ip4, |
| 588 | dst=self.tra_if.local_ip4, |
Filip Tehlar | efcad1a | 2020-02-04 09:36:04 +0000 | [diff] [blame] | 589 | count=count, |
| 590 | payload_size=payload_size) |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 591 | recv_pkts = self.send_and_expect(self.tra_if, send_pkts, |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 592 | self.tra_if) |
Neale Ranns | de84727 | 2018-11-28 01:38:34 -0800 | [diff] [blame] | 593 | for rx in recv_pkts: |
Neale Ranns | 1b582b8 | 2019-04-18 19:49:13 -0700 | [diff] [blame] | 594 | self.assertEqual(len(rx) - len(Ether()), rx[IP].len) |
| 595 | self.assert_packet_checksums_valid(rx) |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 596 | try: |
Neale Ranns | de84727 | 2018-11-28 01:38:34 -0800 | [diff] [blame] | 597 | decrypted = p.vpp_tra_sa.decrypt(rx[IP]) |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 598 | self.assert_packet_checksums_valid(decrypted) |
| 599 | except: |
Neale Ranns | de84727 | 2018-11-28 01:38:34 -0800 | [diff] [blame] | 600 | self.logger.debug(ppp("Unexpected packet:", rx)) |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 601 | raise |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 602 | finally: |
| 603 | self.logger.info(self.vapi.ppcli("show error")) |
Paul Vinciguerra | 9673e3e | 2019-05-10 20:41:08 -0400 | [diff] [blame] | 604 | self.logger.info(self.vapi.ppcli("show ipsec all")) |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 605 | |
Neale Ranns | eba31ec | 2019-02-17 18:04:27 +0000 | [diff] [blame] | 606 | pkts = p.tra_sa_in.get_stats()['packets'] |
| 607 | self.assertEqual(pkts, count, |
| 608 | "incorrect SA in counts: expected %d != %d" % |
| 609 | (count, pkts)) |
| 610 | pkts = p.tra_sa_out.get_stats()['packets'] |
| 611 | self.assertEqual(pkts, count, |
| 612 | "incorrect SA out counts: expected %d != %d" % |
| 613 | (count, pkts)) |
| 614 | |
Klement Sekera | 10d066e | 2018-11-13 11:12:57 +0100 | [diff] [blame] | 615 | self.assert_packet_counter_equal(self.tra4_encrypt_node_name, count) |
| 616 | self.assert_packet_counter_equal(self.tra4_decrypt_node_name, count) |
| 617 | |
Neale Ranns | 4f33c80 | 2019-04-10 12:39:10 +0000 | [diff] [blame] | 618 | |
| 619 | class IpsecTra4Tests(IpsecTra4): |
| 620 | """ UT test methods for Transport v4 """ |
| 621 | def test_tra_anti_replay(self): |
Paul Vinciguerra | 6e20e03 | 2019-12-27 00:19:23 -0500 | [diff] [blame] | 622 | """ ipsec v4 transport anti-replay test """ |
Neale Ranns | 6afaae1 | 2019-07-17 15:07:14 +0000 | [diff] [blame] | 623 | self.verify_tra_anti_replay() |
Neale Ranns | 4f33c80 | 2019-04-10 12:39:10 +0000 | [diff] [blame] | 624 | |
| 625 | def test_tra_basic(self, count=1): |
| 626 | """ ipsec v4 transport basic test """ |
| 627 | self.verify_tra_basic4(count=1) |
| 628 | |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 629 | def test_tra_burst(self): |
| 630 | """ ipsec v4 transport burst test """ |
Neale Ranns | 4f33c80 | 2019-04-10 12:39:10 +0000 | [diff] [blame] | 631 | self.verify_tra_basic4(count=257) |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 632 | |
Neale Ranns | 53f526b | 2019-02-25 14:32:02 +0000 | [diff] [blame] | 633 | |
Neale Ranns | 4f33c80 | 2019-04-10 12:39:10 +0000 | [diff] [blame] | 634 | class IpsecTra6(object): |
| 635 | """ verify methods for Transport v6 """ |
Filip Tehlar | efcad1a | 2020-02-04 09:36:04 +0000 | [diff] [blame] | 636 | def verify_tra_basic6(self, count=1, payload_size=54): |
Klement Sekera | 10d066e | 2018-11-13 11:12:57 +0100 | [diff] [blame] | 637 | self.vapi.cli("clear errors") |
Filip Tehlar | efcad1a | 2020-02-04 09:36:04 +0000 | [diff] [blame] | 638 | self.vapi.cli("clear ipsec sa") |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 639 | try: |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 640 | p = self.params[socket.AF_INET6] |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 641 | send_pkts = self.gen_encrypt_pkts6(p, p.scapy_tra_sa, self.tra_if, |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 642 | src=self.tra_if.remote_ip6, |
| 643 | dst=self.tra_if.local_ip6, |
Filip Tehlar | efcad1a | 2020-02-04 09:36:04 +0000 | [diff] [blame] | 644 | count=count, |
| 645 | payload_size=payload_size) |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 646 | recv_pkts = self.send_and_expect(self.tra_if, send_pkts, |
| 647 | self.tra_if) |
Neale Ranns | de84727 | 2018-11-28 01:38:34 -0800 | [diff] [blame] | 648 | for rx in recv_pkts: |
Neale Ranns | d207fd7 | 2019-04-18 17:18:12 -0700 | [diff] [blame] | 649 | self.assertEqual(len(rx) - len(Ether()) - len(IPv6()), |
| 650 | rx[IPv6].plen) |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 651 | try: |
Neale Ranns | de84727 | 2018-11-28 01:38:34 -0800 | [diff] [blame] | 652 | decrypted = p.vpp_tra_sa.decrypt(rx[IPv6]) |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 653 | self.assert_packet_checksums_valid(decrypted) |
| 654 | except: |
Neale Ranns | de84727 | 2018-11-28 01:38:34 -0800 | [diff] [blame] | 655 | self.logger.debug(ppp("Unexpected packet:", rx)) |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 656 | raise |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 657 | finally: |
| 658 | self.logger.info(self.vapi.ppcli("show error")) |
Paul Vinciguerra | 9673e3e | 2019-05-10 20:41:08 -0400 | [diff] [blame] | 659 | self.logger.info(self.vapi.ppcli("show ipsec all")) |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 660 | |
Neale Ranns | eba31ec | 2019-02-17 18:04:27 +0000 | [diff] [blame] | 661 | pkts = p.tra_sa_in.get_stats()['packets'] |
| 662 | self.assertEqual(pkts, count, |
| 663 | "incorrect SA in counts: expected %d != %d" % |
| 664 | (count, pkts)) |
| 665 | pkts = p.tra_sa_out.get_stats()['packets'] |
| 666 | self.assertEqual(pkts, count, |
| 667 | "incorrect SA out counts: expected %d != %d" % |
| 668 | (count, pkts)) |
Klement Sekera | 10d066e | 2018-11-13 11:12:57 +0100 | [diff] [blame] | 669 | self.assert_packet_counter_equal(self.tra6_encrypt_node_name, count) |
| 670 | self.assert_packet_counter_equal(self.tra6_decrypt_node_name, count) |
| 671 | |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 672 | def gen_encrypt_pkts_ext_hdrs6(self, sa, sw_intf, src, dst, count=1, |
| 673 | payload_size=54): |
| 674 | return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / |
| 675 | sa.encrypt(IPv6(src=src, dst=dst) / |
| 676 | ICMPv6EchoRequest(id=0, seq=1, |
| 677 | data='X' * payload_size)) |
| 678 | for i in range(count)] |
| 679 | |
| 680 | def gen_pkts_ext_hdrs6(self, sw_intf, src, dst, count=1, payload_size=54): |
| 681 | return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / |
| 682 | IPv6(src=src, dst=dst) / |
| 683 | IPv6ExtHdrHopByHop() / |
| 684 | IPv6ExtHdrFragment(id=2, offset=200) / |
| 685 | Raw(b'\xff' * 200) |
| 686 | for i in range(count)] |
| 687 | |
| 688 | def verify_tra_encrypted6(self, p, sa, rxs): |
| 689 | decrypted = [] |
| 690 | for rx in rxs: |
| 691 | self.assert_packet_checksums_valid(rx) |
| 692 | try: |
| 693 | decrypt_pkt = p.vpp_tra_sa.decrypt(rx[IPv6]) |
| 694 | decrypted.append(decrypt_pkt) |
| 695 | self.assert_equal(decrypt_pkt.src, self.tra_if.local_ip6) |
| 696 | self.assert_equal(decrypt_pkt.dst, self.tra_if.remote_ip6) |
| 697 | except: |
| 698 | self.logger.debug(ppp("Unexpected packet:", rx)) |
| 699 | try: |
| 700 | self.logger.debug(ppp("Decrypted packet:", decrypt_pkt)) |
| 701 | except: |
| 702 | pass |
| 703 | raise |
| 704 | return decrypted |
| 705 | |
| 706 | def verify_tra_66_ext_hdrs(self, p): |
| 707 | count = 63 |
| 708 | |
| 709 | # |
| 710 | # check we can decrypt with options |
| 711 | # |
| 712 | tx = self.gen_encrypt_pkts_ext_hdrs6(p.scapy_tra_sa, self.tra_if, |
| 713 | src=self.tra_if.remote_ip6, |
| 714 | dst=self.tra_if.local_ip6, |
| 715 | count=count) |
| 716 | self.send_and_expect(self.tra_if, tx, self.tra_if) |
| 717 | |
| 718 | # |
| 719 | # injecting a packet from ourselves to be routed of box is a hack |
| 720 | # but it matches an outbout policy, alors je ne regrette rien |
| 721 | # |
| 722 | |
| 723 | # one extension before ESP |
| 724 | tx = (Ether(src=self.pg2.remote_mac, dst=self.pg2.local_mac) / |
| 725 | IPv6(src=self.tra_if.local_ip6, |
| 726 | dst=self.tra_if.remote_ip6) / |
| 727 | IPv6ExtHdrFragment(id=2, offset=200) / |
| 728 | Raw(b'\xff' * 200)) |
| 729 | |
| 730 | rxs = self.send_and_expect(self.pg2, [tx], self.tra_if) |
| 731 | dcs = self.verify_tra_encrypted6(p, p.vpp_tra_sa, rxs) |
| 732 | |
| 733 | for dc in dcs: |
| 734 | # for reasons i'm not going to investigate scapy does not |
| 735 | # created the correct headers after decrypt. but reparsing |
| 736 | # the ipv6 packet fixes it |
| 737 | dc = IPv6(raw(dc[IPv6])) |
| 738 | self.assert_equal(dc[IPv6ExtHdrFragment].id, 2) |
| 739 | |
| 740 | # two extensions before ESP |
| 741 | tx = (Ether(src=self.pg2.remote_mac, dst=self.pg2.local_mac) / |
| 742 | IPv6(src=self.tra_if.local_ip6, |
| 743 | dst=self.tra_if.remote_ip6) / |
| 744 | IPv6ExtHdrHopByHop() / |
| 745 | IPv6ExtHdrFragment(id=2, offset=200) / |
| 746 | Raw(b'\xff' * 200)) |
| 747 | |
| 748 | rxs = self.send_and_expect(self.pg2, [tx], self.tra_if) |
| 749 | dcs = self.verify_tra_encrypted6(p, p.vpp_tra_sa, rxs) |
| 750 | |
| 751 | for dc in dcs: |
| 752 | dc = IPv6(raw(dc[IPv6])) |
| 753 | self.assertTrue(dc[IPv6ExtHdrHopByHop]) |
| 754 | self.assert_equal(dc[IPv6ExtHdrFragment].id, 2) |
| 755 | |
| 756 | # two extensions before ESP, one after |
| 757 | tx = (Ether(src=self.pg2.remote_mac, dst=self.pg2.local_mac) / |
| 758 | IPv6(src=self.tra_if.local_ip6, |
| 759 | dst=self.tra_if.remote_ip6) / |
| 760 | IPv6ExtHdrHopByHop() / |
| 761 | IPv6ExtHdrFragment(id=2, offset=200) / |
| 762 | IPv6ExtHdrDestOpt() / |
| 763 | Raw(b'\xff' * 200)) |
| 764 | |
| 765 | rxs = self.send_and_expect(self.pg2, [tx], self.tra_if) |
| 766 | dcs = self.verify_tra_encrypted6(p, p.vpp_tra_sa, rxs) |
| 767 | |
| 768 | for dc in dcs: |
| 769 | dc = IPv6(raw(dc[IPv6])) |
| 770 | self.assertTrue(dc[IPv6ExtHdrDestOpt]) |
| 771 | self.assertTrue(dc[IPv6ExtHdrHopByHop]) |
| 772 | self.assert_equal(dc[IPv6ExtHdrFragment].id, 2) |
| 773 | |
Neale Ranns | 4f33c80 | 2019-04-10 12:39:10 +0000 | [diff] [blame] | 774 | |
| 775 | class IpsecTra6Tests(IpsecTra6): |
| 776 | """ UT test methods for Transport v6 """ |
| 777 | def test_tra_basic6(self): |
| 778 | """ ipsec v6 transport basic test """ |
| 779 | self.verify_tra_basic6(count=1) |
| 780 | |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 781 | def test_tra_burst6(self): |
| 782 | """ ipsec v6 transport burst test """ |
Neale Ranns | 4f33c80 | 2019-04-10 12:39:10 +0000 | [diff] [blame] | 783 | self.verify_tra_basic6(count=257) |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 784 | |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 785 | |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 786 | class IpsecTra6ExtTests(IpsecTra6): |
| 787 | def test_tra_ext_hdrs_66(self): |
| 788 | """ ipsec 6o6 tra extension headers test """ |
| 789 | self.verify_tra_66_ext_hdrs(self.params[socket.AF_INET6]) |
| 790 | |
| 791 | |
Neale Ranns | 53f526b | 2019-02-25 14:32:02 +0000 | [diff] [blame] | 792 | class IpsecTra46Tests(IpsecTra4Tests, IpsecTra6Tests): |
Neale Ranns | 4f33c80 | 2019-04-10 12:39:10 +0000 | [diff] [blame] | 793 | """ UT test methods for Transport v6 and v4""" |
Neale Ranns | 53f526b | 2019-02-25 14:32:02 +0000 | [diff] [blame] | 794 | pass |
| 795 | |
| 796 | |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 797 | class IpsecTun4(object): |
Neale Ranns | 4f33c80 | 2019-04-10 12:39:10 +0000 | [diff] [blame] | 798 | """ verify methods for Tunnel v4 """ |
Neale Ranns | 4a56f4e | 2019-12-23 04:10:25 +0000 | [diff] [blame] | 799 | def verify_counters4(self, p, count, n_frags=None, worker=None): |
Klement Sekera | 6aa58b7 | 2019-05-16 14:34:55 +0200 | [diff] [blame] | 800 | if not n_frags: |
| 801 | n_frags = count |
Neale Ranns | 987aea8 | 2019-03-27 13:40:35 +0000 | [diff] [blame] | 802 | if (hasattr(p, "spd_policy_in_any")): |
Neale Ranns | 4a56f4e | 2019-12-23 04:10:25 +0000 | [diff] [blame] | 803 | pkts = p.spd_policy_in_any.get_stats(worker)['packets'] |
Neale Ranns | 987aea8 | 2019-03-27 13:40:35 +0000 | [diff] [blame] | 804 | self.assertEqual(pkts, count, |
| 805 | "incorrect SPD any policy: expected %d != %d" % |
| 806 | (count, pkts)) |
| 807 | |
| 808 | if (hasattr(p, "tun_sa_in")): |
Neale Ranns | 4a56f4e | 2019-12-23 04:10:25 +0000 | [diff] [blame] | 809 | pkts = p.tun_sa_in.get_stats(worker)['packets'] |
Neale Ranns | 987aea8 | 2019-03-27 13:40:35 +0000 | [diff] [blame] | 810 | self.assertEqual(pkts, count, |
| 811 | "incorrect SA in counts: expected %d != %d" % |
| 812 | (count, pkts)) |
Neale Ranns | 4a56f4e | 2019-12-23 04:10:25 +0000 | [diff] [blame] | 813 | pkts = p.tun_sa_out.get_stats(worker)['packets'] |
Neale Ranns | a9e2774 | 2020-12-23 16:22:28 +0000 | [diff] [blame] | 814 | self.assertEqual(pkts, n_frags, |
Neale Ranns | 987aea8 | 2019-03-27 13:40:35 +0000 | [diff] [blame] | 815 | "incorrect SA out counts: expected %d != %d" % |
| 816 | (count, pkts)) |
| 817 | |
Klement Sekera | 6aa58b7 | 2019-05-16 14:34:55 +0200 | [diff] [blame] | 818 | self.assert_packet_counter_equal(self.tun4_encrypt_node_name, n_frags) |
Neale Ranns | 987aea8 | 2019-03-27 13:40:35 +0000 | [diff] [blame] | 819 | self.assert_packet_counter_equal(self.tun4_decrypt_node_name, count) |
| 820 | |
Neale Ranns | f05e732 | 2019-03-29 20:23:58 +0000 | [diff] [blame] | 821 | def verify_decrypted(self, p, rxs): |
| 822 | for rx in rxs: |
| 823 | self.assert_equal(rx[IP].src, p.remote_tun_if_host) |
| 824 | self.assert_equal(rx[IP].dst, self.pg1.remote_ip4) |
| 825 | self.assert_packet_checksums_valid(rx) |
| 826 | |
Christian Hopps | fb7e7ed | 2019-11-03 07:02:15 -0500 | [diff] [blame] | 827 | def verify_esp_padding(self, sa, esp_payload, decrypt_pkt): |
| 828 | align = sa.crypt_algo.block_size |
| 829 | if align < 4: |
| 830 | align = 4 |
| 831 | exp_len = (len(decrypt_pkt) + 2 + (align - 1)) & ~(align - 1) |
| 832 | exp_len += sa.crypt_algo.iv_size |
| 833 | exp_len += sa.crypt_algo.icv_size or sa.auth_algo.icv_size |
| 834 | self.assertEqual(exp_len, len(esp_payload)) |
| 835 | |
Neale Ranns | f05e732 | 2019-03-29 20:23:58 +0000 | [diff] [blame] | 836 | def verify_encrypted(self, p, sa, rxs): |
| 837 | decrypt_pkts = [] |
| 838 | for rx in rxs: |
Neale Ranns | 41afb33 | 2019-07-16 06:19:35 -0700 | [diff] [blame] | 839 | if p.nat_header: |
| 840 | self.assertEqual(rx[UDP].dport, 4500) |
Neale Ranns | 1b582b8 | 2019-04-18 19:49:13 -0700 | [diff] [blame] | 841 | self.assert_packet_checksums_valid(rx) |
| 842 | self.assertEqual(len(rx) - len(Ether()), rx[IP].len) |
Neale Ranns | f05e732 | 2019-03-29 20:23:58 +0000 | [diff] [blame] | 843 | try: |
Christian Hopps | fb7e7ed | 2019-11-03 07:02:15 -0500 | [diff] [blame] | 844 | rx_ip = rx[IP] |
| 845 | decrypt_pkt = p.vpp_tun_sa.decrypt(rx_ip) |
Neale Ranns | f05e732 | 2019-03-29 20:23:58 +0000 | [diff] [blame] | 846 | if not decrypt_pkt.haslayer(IP): |
| 847 | decrypt_pkt = IP(decrypt_pkt[Raw].load) |
Christian Hopps | fb7e7ed | 2019-11-03 07:02:15 -0500 | [diff] [blame] | 848 | if rx_ip.proto == socket.IPPROTO_ESP: |
| 849 | self.verify_esp_padding(sa, rx_ip[ESP].data, decrypt_pkt) |
Neale Ranns | f05e732 | 2019-03-29 20:23:58 +0000 | [diff] [blame] | 850 | decrypt_pkts.append(decrypt_pkt) |
| 851 | self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip4) |
| 852 | self.assert_equal(decrypt_pkt.dst, p.remote_tun_if_host) |
| 853 | except: |
| 854 | self.logger.debug(ppp("Unexpected packet:", rx)) |
| 855 | try: |
| 856 | self.logger.debug(ppp("Decrypted packet:", decrypt_pkt)) |
| 857 | except: |
| 858 | pass |
| 859 | raise |
| 860 | pkts = reassemble4(decrypt_pkts) |
| 861 | for pkt in pkts: |
| 862 | self.assert_packet_checksums_valid(pkt) |
| 863 | |
Neale Ranns | d7603d9 | 2019-03-28 08:56:10 +0000 | [diff] [blame] | 864 | def verify_tun_44(self, p, count=1, payload_size=64, n_rx=None): |
Klement Sekera | 10d066e | 2018-11-13 11:12:57 +0100 | [diff] [blame] | 865 | self.vapi.cli("clear errors") |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 866 | self.vapi.cli("clear ipsec counters") |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 867 | self.vapi.cli("clear ipsec sa") |
Neale Ranns | d7603d9 | 2019-03-28 08:56:10 +0000 | [diff] [blame] | 868 | if not n_rx: |
| 869 | n_rx = count |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 870 | try: |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 871 | send_pkts = self.gen_encrypt_pkts(p, p.scapy_tun_sa, self.tun_if, |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 872 | src=p.remote_tun_if_host, |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 873 | dst=self.pg1.remote_ip4, |
Filip Tehlar | efcad1a | 2020-02-04 09:36:04 +0000 | [diff] [blame] | 874 | count=count, |
| 875 | payload_size=payload_size) |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 876 | recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1) |
Neale Ranns | f05e732 | 2019-03-29 20:23:58 +0000 | [diff] [blame] | 877 | self.verify_decrypted(p, recv_pkts) |
| 878 | |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 879 | send_pkts = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4, |
Neale Ranns | d7603d9 | 2019-03-28 08:56:10 +0000 | [diff] [blame] | 880 | dst=p.remote_tun_if_host, count=count, |
| 881 | payload_size=payload_size) |
| 882 | recv_pkts = self.send_and_expect(self.pg1, send_pkts, |
| 883 | self.tun_if, n_rx) |
Neale Ranns | f05e732 | 2019-03-29 20:23:58 +0000 | [diff] [blame] | 884 | self.verify_encrypted(p, p.vpp_tun_sa, recv_pkts) |
| 885 | |
Neale Ranns | f3a6622 | 2020-01-02 05:04:00 +0000 | [diff] [blame] | 886 | for rx in recv_pkts: |
| 887 | self.assertEqual(rx[IP].src, p.tun_src) |
| 888 | self.assertEqual(rx[IP].dst, p.tun_dst) |
| 889 | |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 890 | finally: |
| 891 | self.logger.info(self.vapi.ppcli("show error")) |
Paul Vinciguerra | 9673e3e | 2019-05-10 20:41:08 -0400 | [diff] [blame] | 892 | self.logger.info(self.vapi.ppcli("show ipsec all")) |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 893 | |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 894 | self.logger.info(self.vapi.ppcli("show ipsec sa 0")) |
| 895 | self.logger.info(self.vapi.ppcli("show ipsec sa 4")) |
Klement Sekera | 6aa58b7 | 2019-05-16 14:34:55 +0200 | [diff] [blame] | 896 | self.verify_counters4(p, count, n_rx) |
Neale Ranns | eba31ec | 2019-02-17 18:04:27 +0000 | [diff] [blame] | 897 | |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 898 | def verify_tun_dropped_44(self, p, count=1, payload_size=64, n_rx=None): |
| 899 | self.vapi.cli("clear errors") |
| 900 | if not n_rx: |
| 901 | n_rx = count |
| 902 | try: |
| 903 | send_pkts = self.gen_encrypt_pkts(p, p.scapy_tun_sa, self.tun_if, |
| 904 | src=p.remote_tun_if_host, |
| 905 | dst=self.pg1.remote_ip4, |
| 906 | count=count) |
| 907 | self.send_and_assert_no_replies(self.tun_if, send_pkts) |
| 908 | |
| 909 | send_pkts = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4, |
| 910 | dst=p.remote_tun_if_host, count=count, |
| 911 | payload_size=payload_size) |
| 912 | self.send_and_assert_no_replies(self.pg1, send_pkts) |
| 913 | |
| 914 | finally: |
| 915 | self.logger.info(self.vapi.ppcli("show error")) |
| 916 | self.logger.info(self.vapi.ppcli("show ipsec all")) |
| 917 | |
Neale Ranns | 1404698 | 2019-07-29 14:49:52 +0000 | [diff] [blame] | 918 | def verify_tun_reass_44(self, p): |
| 919 | self.vapi.cli("clear errors") |
| 920 | self.vapi.ip_reassembly_enable_disable( |
| 921 | sw_if_index=self.tun_if.sw_if_index, enable_ip4=True) |
| 922 | |
| 923 | try: |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 924 | send_pkts = self.gen_encrypt_pkts(p, p.scapy_tun_sa, self.tun_if, |
Neale Ranns | 1404698 | 2019-07-29 14:49:52 +0000 | [diff] [blame] | 925 | src=p.remote_tun_if_host, |
| 926 | dst=self.pg1.remote_ip4, |
| 927 | payload_size=1900, |
| 928 | count=1) |
| 929 | send_pkts = fragment_rfc791(send_pkts[0], 1400) |
| 930 | recv_pkts = self.send_and_expect(self.tun_if, send_pkts, |
| 931 | self.pg1, n_rx=1) |
| 932 | self.verify_decrypted(p, recv_pkts) |
| 933 | |
| 934 | send_pkts = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4, |
| 935 | dst=p.remote_tun_if_host, count=1) |
| 936 | recv_pkts = self.send_and_expect(self.pg1, send_pkts, |
| 937 | self.tun_if) |
| 938 | self.verify_encrypted(p, p.vpp_tun_sa, recv_pkts) |
| 939 | |
| 940 | finally: |
| 941 | self.logger.info(self.vapi.ppcli("show error")) |
| 942 | self.logger.info(self.vapi.ppcli("show ipsec all")) |
| 943 | |
| 944 | self.verify_counters4(p, 1, 1) |
| 945 | self.vapi.ip_reassembly_enable_disable( |
| 946 | sw_if_index=self.tun_if.sw_if_index, enable_ip4=False) |
| 947 | |
Neale Ranns | 987aea8 | 2019-03-27 13:40:35 +0000 | [diff] [blame] | 948 | def verify_tun_64(self, p, count=1): |
| 949 | self.vapi.cli("clear errors") |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 950 | self.vapi.cli("clear ipsec sa") |
Neale Ranns | 987aea8 | 2019-03-27 13:40:35 +0000 | [diff] [blame] | 951 | try: |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 952 | send_pkts = self.gen_encrypt_pkts6(p, p.scapy_tun_sa, self.tun_if, |
Neale Ranns | 987aea8 | 2019-03-27 13:40:35 +0000 | [diff] [blame] | 953 | src=p.remote_tun_if_host6, |
| 954 | dst=self.pg1.remote_ip6, |
| 955 | count=count) |
| 956 | recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1) |
| 957 | for recv_pkt in recv_pkts: |
| 958 | self.assert_equal(recv_pkt[IPv6].src, p.remote_tun_if_host6) |
| 959 | self.assert_equal(recv_pkt[IPv6].dst, self.pg1.remote_ip6) |
| 960 | self.assert_packet_checksums_valid(recv_pkt) |
Neale Ranns | c7eaa71 | 2021-02-04 11:09:33 +0000 | [diff] [blame] | 961 | send_pkts = self.gen_pkts6(p, self.pg1, src=self.pg1.remote_ip6, |
Neale Ranns | 987aea8 | 2019-03-27 13:40:35 +0000 | [diff] [blame] | 962 | dst=p.remote_tun_if_host6, count=count) |
| 963 | recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.tun_if) |
| 964 | for recv_pkt in recv_pkts: |
| 965 | try: |
| 966 | decrypt_pkt = p.vpp_tun_sa.decrypt(recv_pkt[IP]) |
| 967 | if not decrypt_pkt.haslayer(IPv6): |
| 968 | decrypt_pkt = IPv6(decrypt_pkt[Raw].load) |
| 969 | self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip6) |
| 970 | self.assert_equal(decrypt_pkt.dst, p.remote_tun_if_host6) |
| 971 | self.assert_packet_checksums_valid(decrypt_pkt) |
| 972 | except: |
| 973 | self.logger.error(ppp("Unexpected packet:", recv_pkt)) |
| 974 | try: |
| 975 | self.logger.debug( |
| 976 | ppp("Decrypted packet:", decrypt_pkt)) |
| 977 | except: |
| 978 | pass |
| 979 | raise |
| 980 | finally: |
| 981 | self.logger.info(self.vapi.ppcli("show error")) |
Paul Vinciguerra | 9673e3e | 2019-05-10 20:41:08 -0400 | [diff] [blame] | 982 | self.logger.info(self.vapi.ppcli("show ipsec all")) |
Neale Ranns | eba31ec | 2019-02-17 18:04:27 +0000 | [diff] [blame] | 983 | |
Klement Sekera | 6aa58b7 | 2019-05-16 14:34:55 +0200 | [diff] [blame] | 984 | self.verify_counters4(p, count) |
Klement Sekera | 10d066e | 2018-11-13 11:12:57 +0100 | [diff] [blame] | 985 | |
Neale Ranns | 41afb33 | 2019-07-16 06:19:35 -0700 | [diff] [blame] | 986 | def verify_keepalive(self, p): |
| 987 | pkt = (Ether(src=self.tun_if.remote_mac, dst=self.tun_if.local_mac) / |
| 988 | IP(src=p.remote_tun_if_host, dst=self.tun_if.local_ip4) / |
| 989 | UDP(sport=333, dport=4500) / |
Ole Troan | 8b76c23 | 2019-10-21 20:55:13 +0200 | [diff] [blame] | 990 | Raw(b'\xff')) |
Neale Ranns | 41afb33 | 2019-07-16 06:19:35 -0700 | [diff] [blame] | 991 | self.send_and_assert_no_replies(self.tun_if, pkt*31) |
| 992 | self.assert_error_counter_equal( |
| 993 | '/err/%s/NAT Keepalive' % self.tun4_input_node, 31) |
| 994 | |
| 995 | pkt = (Ether(src=self.tun_if.remote_mac, dst=self.tun_if.local_mac) / |
| 996 | IP(src=p.remote_tun_if_host, dst=self.tun_if.local_ip4) / |
| 997 | UDP(sport=333, dport=4500) / |
Ole Troan | 8b76c23 | 2019-10-21 20:55:13 +0200 | [diff] [blame] | 998 | Raw(b'\xfe')) |
Neale Ranns | 41afb33 | 2019-07-16 06:19:35 -0700 | [diff] [blame] | 999 | self.send_and_assert_no_replies(self.tun_if, pkt*31) |
| 1000 | self.assert_error_counter_equal( |
| 1001 | '/err/%s/Too Short' % self.tun4_input_node, 31) |
| 1002 | |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 1003 | |
| 1004 | class IpsecTun4Tests(IpsecTun4): |
Neale Ranns | 4f33c80 | 2019-04-10 12:39:10 +0000 | [diff] [blame] | 1005 | """ UT test methods for Tunnel v4 """ |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 1006 | def test_tun_basic44(self): |
| 1007 | """ ipsec 4o4 tunnel basic test """ |
| 1008 | self.verify_tun_44(self.params[socket.AF_INET], count=1) |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 1009 | self.tun_if.admin_down() |
| 1010 | self.tun_if.resolve_arp() |
| 1011 | self.tun_if.admin_up() |
| 1012 | self.verify_tun_44(self.params[socket.AF_INET], count=1) |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 1013 | |
Neale Ranns | 1404698 | 2019-07-29 14:49:52 +0000 | [diff] [blame] | 1014 | def test_tun_reass_basic44(self): |
| 1015 | """ ipsec 4o4 tunnel basic reassembly test """ |
| 1016 | self.verify_tun_reass_44(self.params[socket.AF_INET]) |
| 1017 | |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 1018 | def test_tun_burst44(self): |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 1019 | """ ipsec 4o4 tunnel burst test """ |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 1020 | self.verify_tun_44(self.params[socket.AF_INET], count=127) |
| 1021 | |
| 1022 | |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 1023 | class IpsecTun6(object): |
Neale Ranns | 4f33c80 | 2019-04-10 12:39:10 +0000 | [diff] [blame] | 1024 | """ verify methods for Tunnel v6 """ |
Neale Ranns | 4a56f4e | 2019-12-23 04:10:25 +0000 | [diff] [blame] | 1025 | def verify_counters6(self, p_in, p_out, count, worker=None): |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 1026 | if (hasattr(p_in, "tun_sa_in")): |
Neale Ranns | 4a56f4e | 2019-12-23 04:10:25 +0000 | [diff] [blame] | 1027 | pkts = p_in.tun_sa_in.get_stats(worker)['packets'] |
Neale Ranns | 987aea8 | 2019-03-27 13:40:35 +0000 | [diff] [blame] | 1028 | self.assertEqual(pkts, count, |
| 1029 | "incorrect SA in counts: expected %d != %d" % |
| 1030 | (count, pkts)) |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 1031 | if (hasattr(p_out, "tun_sa_out")): |
Neale Ranns | 4a56f4e | 2019-12-23 04:10:25 +0000 | [diff] [blame] | 1032 | pkts = p_out.tun_sa_out.get_stats(worker)['packets'] |
Neale Ranns | 987aea8 | 2019-03-27 13:40:35 +0000 | [diff] [blame] | 1033 | self.assertEqual(pkts, count, |
| 1034 | "incorrect SA out counts: expected %d != %d" % |
| 1035 | (count, pkts)) |
| 1036 | self.assert_packet_counter_equal(self.tun6_encrypt_node_name, count) |
| 1037 | self.assert_packet_counter_equal(self.tun6_decrypt_node_name, count) |
| 1038 | |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 1039 | def verify_decrypted6(self, p, rxs): |
| 1040 | for rx in rxs: |
| 1041 | self.assert_equal(rx[IPv6].src, p.remote_tun_if_host) |
| 1042 | self.assert_equal(rx[IPv6].dst, self.pg1.remote_ip6) |
| 1043 | self.assert_packet_checksums_valid(rx) |
| 1044 | |
| 1045 | def verify_encrypted6(self, p, sa, rxs): |
| 1046 | for rx in rxs: |
| 1047 | self.assert_packet_checksums_valid(rx) |
| 1048 | self.assertEqual(len(rx) - len(Ether()) - len(IPv6()), |
| 1049 | rx[IPv6].plen) |
Neale Ranns | c7eaa71 | 2021-02-04 11:09:33 +0000 | [diff] [blame] | 1050 | self.assert_equal(rx[IPv6].hlim, p.outer_hop_limit) |
| 1051 | if p.outer_flow_label: |
| 1052 | self.assert_equal(rx[IPv6].fl, p.outer_flow_label) |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 1053 | try: |
| 1054 | decrypt_pkt = p.vpp_tun_sa.decrypt(rx[IPv6]) |
| 1055 | if not decrypt_pkt.haslayer(IPv6): |
| 1056 | decrypt_pkt = IPv6(decrypt_pkt[Raw].load) |
| 1057 | self.assert_packet_checksums_valid(decrypt_pkt) |
| 1058 | self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip6) |
| 1059 | self.assert_equal(decrypt_pkt.dst, p.remote_tun_if_host) |
Neale Ranns | c7eaa71 | 2021-02-04 11:09:33 +0000 | [diff] [blame] | 1060 | self.assert_equal(decrypt_pkt.hlim, p.inner_hop_limit - 1) |
| 1061 | self.assert_equal(decrypt_pkt.fl, p.inner_flow_label) |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 1062 | except: |
| 1063 | self.logger.debug(ppp("Unexpected packet:", rx)) |
| 1064 | try: |
| 1065 | self.logger.debug(ppp("Decrypted packet:", decrypt_pkt)) |
| 1066 | except: |
| 1067 | pass |
| 1068 | raise |
| 1069 | |
| 1070 | def verify_drop_tun_66(self, p_in, count=1, payload_size=64): |
Klement Sekera | 10d066e | 2018-11-13 11:12:57 +0100 | [diff] [blame] | 1071 | self.vapi.cli("clear errors") |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 1072 | self.vapi.cli("clear ipsec sa") |
| 1073 | |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 1074 | send_pkts = self.gen_encrypt_pkts6(p_in, p_in.scapy_tun_sa, |
| 1075 | self.tun_if, |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 1076 | src=p_in.remote_tun_if_host, |
| 1077 | dst=self.pg1.remote_ip6, |
| 1078 | count=count) |
| 1079 | self.send_and_assert_no_replies(self.tun_if, send_pkts) |
| 1080 | self.logger.info(self.vapi.cli("sh punt stats")) |
| 1081 | |
| 1082 | def verify_tun_66(self, p_in, p_out=None, count=1, payload_size=64): |
| 1083 | self.vapi.cli("clear errors") |
| 1084 | self.vapi.cli("clear ipsec sa") |
| 1085 | if not p_out: |
| 1086 | p_out = p_in |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 1087 | try: |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 1088 | send_pkts = self.gen_encrypt_pkts6(p_in, p_in.scapy_tun_sa, |
| 1089 | self.tun_if, |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 1090 | src=p_in.remote_tun_if_host, |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 1091 | dst=self.pg1.remote_ip6, |
Filip Tehlar | efcad1a | 2020-02-04 09:36:04 +0000 | [diff] [blame] | 1092 | count=count, |
| 1093 | payload_size=payload_size) |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 1094 | recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1) |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 1095 | self.verify_decrypted6(p_in, recv_pkts) |
| 1096 | |
Neale Ranns | c7eaa71 | 2021-02-04 11:09:33 +0000 | [diff] [blame] | 1097 | send_pkts = self.gen_pkts6(p_in, self.pg1, src=self.pg1.remote_ip6, |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 1098 | dst=p_out.remote_tun_if_host, |
| 1099 | count=count, |
| 1100 | payload_size=payload_size) |
Neale Ranns | 4a56f4e | 2019-12-23 04:10:25 +0000 | [diff] [blame] | 1101 | recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.tun_if) |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 1102 | self.verify_encrypted6(p_out, p_out.vpp_tun_sa, recv_pkts) |
| 1103 | |
Neale Ranns | f3a6622 | 2020-01-02 05:04:00 +0000 | [diff] [blame] | 1104 | for rx in recv_pkts: |
| 1105 | self.assertEqual(rx[IPv6].src, p_out.tun_src) |
| 1106 | self.assertEqual(rx[IPv6].dst, p_out.tun_dst) |
| 1107 | |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 1108 | finally: |
| 1109 | self.logger.info(self.vapi.ppcli("show error")) |
Paul Vinciguerra | 9673e3e | 2019-05-10 20:41:08 -0400 | [diff] [blame] | 1110 | self.logger.info(self.vapi.ppcli("show ipsec all")) |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 1111 | self.verify_counters6(p_in, p_out, count) |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 1112 | |
Neale Ranns | 1404698 | 2019-07-29 14:49:52 +0000 | [diff] [blame] | 1113 | def verify_tun_reass_66(self, p): |
| 1114 | self.vapi.cli("clear errors") |
| 1115 | self.vapi.ip_reassembly_enable_disable( |
| 1116 | sw_if_index=self.tun_if.sw_if_index, enable_ip6=True) |
| 1117 | |
| 1118 | try: |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 1119 | send_pkts = self.gen_encrypt_pkts6(p, p.scapy_tun_sa, self.tun_if, |
Neale Ranns | 1404698 | 2019-07-29 14:49:52 +0000 | [diff] [blame] | 1120 | src=p.remote_tun_if_host, |
| 1121 | dst=self.pg1.remote_ip6, |
| 1122 | count=1, |
Neale Ranns | 0295040 | 2019-12-20 00:54:57 +0000 | [diff] [blame] | 1123 | payload_size=1850) |
Neale Ranns | 1404698 | 2019-07-29 14:49:52 +0000 | [diff] [blame] | 1124 | send_pkts = fragment_rfc8200(send_pkts[0], 1, 1400, self.logger) |
| 1125 | recv_pkts = self.send_and_expect(self.tun_if, send_pkts, |
| 1126 | self.pg1, n_rx=1) |
| 1127 | self.verify_decrypted6(p, recv_pkts) |
| 1128 | |
Neale Ranns | c7eaa71 | 2021-02-04 11:09:33 +0000 | [diff] [blame] | 1129 | send_pkts = self.gen_pkts6(p, self.pg1, src=self.pg1.remote_ip6, |
Neale Ranns | 1404698 | 2019-07-29 14:49:52 +0000 | [diff] [blame] | 1130 | dst=p.remote_tun_if_host, |
| 1131 | count=1, |
| 1132 | payload_size=64) |
| 1133 | recv_pkts = self.send_and_expect(self.pg1, send_pkts, |
| 1134 | self.tun_if) |
| 1135 | self.verify_encrypted6(p, p.vpp_tun_sa, recv_pkts) |
| 1136 | finally: |
| 1137 | self.logger.info(self.vapi.ppcli("show error")) |
| 1138 | self.logger.info(self.vapi.ppcli("show ipsec all")) |
| 1139 | self.verify_counters6(p, p, 1) |
| 1140 | self.vapi.ip_reassembly_enable_disable( |
| 1141 | sw_if_index=self.tun_if.sw_if_index, enable_ip6=False) |
| 1142 | |
Neale Ranns | 987aea8 | 2019-03-27 13:40:35 +0000 | [diff] [blame] | 1143 | def verify_tun_46(self, p, count=1): |
| 1144 | """ ipsec 4o6 tunnel basic test """ |
| 1145 | self.vapi.cli("clear errors") |
Neale Ranns | dd4ccf2 | 2020-06-30 07:47:14 +0000 | [diff] [blame] | 1146 | self.vapi.cli("clear ipsec sa") |
Neale Ranns | 987aea8 | 2019-03-27 13:40:35 +0000 | [diff] [blame] | 1147 | try: |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 1148 | send_pkts = self.gen_encrypt_pkts(p, p.scapy_tun_sa, self.tun_if, |
Neale Ranns | 987aea8 | 2019-03-27 13:40:35 +0000 | [diff] [blame] | 1149 | src=p.remote_tun_if_host4, |
| 1150 | dst=self.pg1.remote_ip4, |
| 1151 | count=count) |
| 1152 | recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1) |
| 1153 | for recv_pkt in recv_pkts: |
| 1154 | self.assert_equal(recv_pkt[IP].src, p.remote_tun_if_host4) |
| 1155 | self.assert_equal(recv_pkt[IP].dst, self.pg1.remote_ip4) |
| 1156 | self.assert_packet_checksums_valid(recv_pkt) |
| 1157 | send_pkts = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4, |
| 1158 | dst=p.remote_tun_if_host4, |
| 1159 | count=count) |
| 1160 | recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.tun_if) |
| 1161 | for recv_pkt in recv_pkts: |
| 1162 | try: |
| 1163 | decrypt_pkt = p.vpp_tun_sa.decrypt(recv_pkt[IPv6]) |
| 1164 | if not decrypt_pkt.haslayer(IP): |
| 1165 | decrypt_pkt = IP(decrypt_pkt[Raw].load) |
| 1166 | self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip4) |
| 1167 | self.assert_equal(decrypt_pkt.dst, p.remote_tun_if_host4) |
| 1168 | self.assert_packet_checksums_valid(decrypt_pkt) |
| 1169 | except: |
| 1170 | self.logger.debug(ppp("Unexpected packet:", recv_pkt)) |
| 1171 | try: |
| 1172 | self.logger.debug(ppp("Decrypted packet:", |
| 1173 | decrypt_pkt)) |
| 1174 | except: |
| 1175 | pass |
| 1176 | raise |
| 1177 | finally: |
| 1178 | self.logger.info(self.vapi.ppcli("show error")) |
Paul Vinciguerra | 9673e3e | 2019-05-10 20:41:08 -0400 | [diff] [blame] | 1179 | self.logger.info(self.vapi.ppcli("show ipsec all")) |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 1180 | self.verify_counters6(p, p, count) |
Klement Sekera | 10d066e | 2018-11-13 11:12:57 +0100 | [diff] [blame] | 1181 | |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 1182 | |
| 1183 | class IpsecTun6Tests(IpsecTun6): |
Neale Ranns | 4f33c80 | 2019-04-10 12:39:10 +0000 | [diff] [blame] | 1184 | """ UT test methods for Tunnel v6 """ |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 1185 | |
| 1186 | def test_tun_basic66(self): |
| 1187 | """ ipsec 6o6 tunnel basic test """ |
| 1188 | self.verify_tun_66(self.params[socket.AF_INET6], count=1) |
| 1189 | |
Neale Ranns | 1404698 | 2019-07-29 14:49:52 +0000 | [diff] [blame] | 1190 | def test_tun_reass_basic66(self): |
| 1191 | """ ipsec 6o6 tunnel basic reassembly test """ |
| 1192 | self.verify_tun_reass_66(self.params[socket.AF_INET6]) |
| 1193 | |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 1194 | def test_tun_burst66(self): |
| 1195 | """ ipsec 6o6 tunnel burst test """ |
Neale Ranns | 2ac885c | 2019-03-20 18:24:43 +0000 | [diff] [blame] | 1196 | self.verify_tun_66(self.params[socket.AF_INET6], count=257) |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 1197 | |
| 1198 | |
Neale Ranns | 4a56f4e | 2019-12-23 04:10:25 +0000 | [diff] [blame] | 1199 | class IpsecTun6HandoffTests(IpsecTun6): |
| 1200 | """ UT test methods for Tunnel v6 with multiple workers """ |
| 1201 | worker_config = "workers 2" |
| 1202 | |
| 1203 | def test_tun_handoff_66(self): |
| 1204 | """ ipsec 6o6 tunnel worker hand-off test """ |
| 1205 | N_PKTS = 15 |
| 1206 | p = self.params[socket.AF_INET6] |
| 1207 | |
| 1208 | # inject alternately on worker 0 and 1. all counts on the SA |
| 1209 | # should be against worker 0 |
| 1210 | for worker in [0, 1, 0, 1]: |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 1211 | send_pkts = self.gen_encrypt_pkts6(p, p.scapy_tun_sa, self.tun_if, |
Neale Ranns | 4a56f4e | 2019-12-23 04:10:25 +0000 | [diff] [blame] | 1212 | src=p.remote_tun_if_host, |
| 1213 | dst=self.pg1.remote_ip6, |
| 1214 | count=N_PKTS) |
| 1215 | recv_pkts = self.send_and_expect(self.tun_if, send_pkts, |
| 1216 | self.pg1, worker=worker) |
| 1217 | self.verify_decrypted6(p, recv_pkts) |
| 1218 | |
Neale Ranns | c7eaa71 | 2021-02-04 11:09:33 +0000 | [diff] [blame] | 1219 | send_pkts = self.gen_pkts6(p, self.pg1, src=self.pg1.remote_ip6, |
Neale Ranns | 4a56f4e | 2019-12-23 04:10:25 +0000 | [diff] [blame] | 1220 | dst=p.remote_tun_if_host, |
| 1221 | count=N_PKTS) |
| 1222 | recv_pkts = self.send_and_expect(self.pg1, send_pkts, |
| 1223 | self.tun_if, worker=worker) |
| 1224 | self.verify_encrypted6(p, p.vpp_tun_sa, recv_pkts) |
| 1225 | |
| 1226 | # all counts against the first worker that was used |
| 1227 | self.verify_counters6(p, p, 4*N_PKTS, worker=0) |
| 1228 | |
| 1229 | |
| 1230 | class IpsecTun4HandoffTests(IpsecTun4): |
| 1231 | """ UT test methods for Tunnel v4 with multiple workers """ |
| 1232 | worker_config = "workers 2" |
| 1233 | |
| 1234 | def test_tun_handooff_44(self): |
| 1235 | """ ipsec 4o4 tunnel worker hand-off test """ |
| 1236 | N_PKTS = 15 |
| 1237 | p = self.params[socket.AF_INET] |
| 1238 | |
| 1239 | # inject alternately on worker 0 and 1. all counts on the SA |
| 1240 | # should be against worker 0 |
| 1241 | for worker in [0, 1, 0, 1]: |
Neale Ranns | 2828721 | 2019-12-16 00:53:11 +0000 | [diff] [blame] | 1242 | send_pkts = self.gen_encrypt_pkts(p, p.scapy_tun_sa, self.tun_if, |
Neale Ranns | 4a56f4e | 2019-12-23 04:10:25 +0000 | [diff] [blame] | 1243 | src=p.remote_tun_if_host, |
| 1244 | dst=self.pg1.remote_ip4, |
| 1245 | count=N_PKTS) |
| 1246 | recv_pkts = self.send_and_expect(self.tun_if, send_pkts, |
| 1247 | self.pg1, worker=worker) |
| 1248 | self.verify_decrypted(p, recv_pkts) |
| 1249 | |
| 1250 | send_pkts = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4, |
| 1251 | dst=p.remote_tun_if_host, |
| 1252 | count=N_PKTS) |
| 1253 | recv_pkts = self.send_and_expect(self.pg1, send_pkts, |
| 1254 | self.tun_if, worker=worker) |
| 1255 | self.verify_encrypted(p, p.vpp_tun_sa, recv_pkts) |
| 1256 | |
| 1257 | # all counts against the first worker that was used |
| 1258 | self.verify_counters4(p, 4*N_PKTS, worker=0) |
| 1259 | |
| 1260 | |
Neale Ranns | 53f526b | 2019-02-25 14:32:02 +0000 | [diff] [blame] | 1261 | class IpsecTun46Tests(IpsecTun4Tests, IpsecTun6Tests): |
Neale Ranns | 4f33c80 | 2019-04-10 12:39:10 +0000 | [diff] [blame] | 1262 | """ UT test methods for Tunnel v6 & v4 """ |
Klement Sekera | 611864f | 2018-09-26 11:19:00 +0200 | [diff] [blame] | 1263 | pass |
| 1264 | |
Klement Sekera | 31da2e3 | 2018-06-24 22:49:55 +0200 | [diff] [blame] | 1265 | |
| 1266 | if __name__ == '__main__': |
| 1267 | unittest.main(testRunner=VppTestRunner) |