Gitiles
Code Review Sign In
gerrit.nordix.org / fdio / vpp / b325983a4461dd806e86a31abc47533b09482157 / . / test / test_ipsec_tun_if_esp.py
blob: 28854cefa9964f83b6e11d1e808f50088f5139bb [file] [log] [blame]
Klement Sekera31da2e32018-06-24 22:49:55 +0200[diff] [blame]1import unittest
2import socket
Neale Ranns2ac885c2019-03-20 18:24:43 +0000[diff] [blame]3import copy
Neale Ranns47feb112019-04-11 15:14:07 +0000[diff] [blame]4
Klement Sekera31da2e32018-06-24 22:49:55 +0200[diff] [blame]5from scapy.layers.ipsec import ESP
Neale Rannsf05e7322019-03-29 20:23:58 +0000[diff] [blame]6from scapy.layers.l2 import Ether, Raw, GRE
7from scapy.layers.inet import IP, UDP
Neale Rannsc87b66c2019-02-07 07:26:12 -0800[diff] [blame]8from scapy.layers.inet6 import IPv6
juraj.linkes11057662019-07-08 10:22:55 +0200[diff] [blame]9from framework import VppTestRunner
Kingwel Xie1ba5bc82019-03-20 07:21:58 -0400[diff] [blame]10from template_ipsec import TemplateIpsec, IpsecTun4Tests, IpsecTun6Tests, \
Neale Ranns2ac885c2019-03-20 18:24:43 +0000[diff] [blame]11 IpsecTun4, IpsecTun6, IpsecTcpTests, config_tun_params
Neale Rannsc87b66c2019-02-07 07:26:12 -0800[diff] [blame]12from vpp_ipsec_tun_interface import VppIpsecTunInterface
13from vpp_gre_interface import VppGreInterface
14from vpp_ipip_tun_interface import VppIpIpTunInterface
Kingwel Xie1ba5bc82019-03-20 07:21:58 -0400[diff] [blame]15from vpp_ip_route import VppIpRoute, VppRoutePath, DpoProto
Neale Rannsc87b66c2019-02-07 07:26:12 -0800[diff] [blame]16from vpp_ipsec import VppIpsecSA, VppIpsecTunProtect
Neale Rannsf05e7322019-03-29 20:23:58 +0000[diff] [blame]17from vpp_l2 import VppBridgeDomain, VppBridgeDomainPort
18from util import ppp
Neale Ranns47feb112019-04-11 15:14:07 +0000[diff] [blame]19from vpp_papi import VppEnum
Klement Sekera31da2e32018-06-24 22:49:55 +0200[diff] [blame]20
21
Kingwel Xie1ba5bc82019-03-20 07:21:58 -0400[diff] [blame]22class TemplateIpsec4TunIfEsp(TemplateIpsec):
Klement Sekera31da2e32018-06-24 22:49:55 +0200[diff] [blame]23 """ IPsec tunnel interface tests """
24
25 encryption_type = ESP
26
Paul Vinciguerra7f9b7f92019-03-12 19:23:27 -0700[diff] [blame]27 @classmethod
28 def setUpClass(cls):
29 super(TemplateIpsec4TunIfEsp, cls).setUpClass()
30
31 @classmethod
32 def tearDownClass(cls):
33 super(TemplateIpsec4TunIfEsp, cls).tearDownClass()
34
Klement Sekera31da2e32018-06-24 22:49:55 +0200[diff] [blame]35 def setUp(self):
Kingwel Xie1ba5bc82019-03-20 07:21:58 -0400[diff] [blame]36 super(TemplateIpsec4TunIfEsp, self).setUp()
Neale Ranns8e4a89b2019-01-23 08:16:17 -0800[diff] [blame]37
38 self.tun_if = self.pg0
39
Klement Sekera611864f2018-09-26 11:19:00 +0200[diff] [blame]40 p = self.ipv4_params
Neale Rannsd7603d92019-03-28 08:56:10 +0000[diff] [blame]41
42 p.tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
43 p.scapy_tun_spi, p.crypt_algo_vpp_id,
44 p.crypt_key, p.crypt_key,
45 p.auth_algo_vpp_id, p.auth_key,
46 p.auth_key)
47 p.tun_if.add_vpp_config()
48 p.tun_if.admin_up()
49 p.tun_if.config_ip4()
50 p.tun_if.config_ip6()
Neale Ranns311124e2019-01-24 04:52:25 -0800[diff] [blame]51
Neale Ranns097fa662018-05-01 05:17:55 -0700[diff] [blame]52 r = VppIpRoute(self, p.remote_tun_if_host, 32,
53 [VppRoutePath(p.tun_if.remote_ip4,
54 0xffffffff)])
55 r.add_vpp_config()
56 r = VppIpRoute(self, p.remote_tun_if_host6, 128,
57 [VppRoutePath(p.tun_if.remote_ip6,
58 0xffffffff,
59 proto=DpoProto.DPO_PROTO_IP6)])
60 r.add_vpp_config()
Klement Sekera31da2e32018-06-24 22:49:55 +0200[diff] [blame]61
62 def tearDown(self):
Kingwel Xie1ba5bc82019-03-20 07:21:58 -0400[diff] [blame]63 super(TemplateIpsec4TunIfEsp, self).tearDown()
Klement Sekera31da2e32018-06-24 22:49:55 +0200[diff] [blame]64
65
Neale Ranns41afb332019-07-16 06:19:35 -0700[diff] [blame]66class TemplateIpsec4TunIfEspUdp(TemplateIpsec):
67 """ IPsec UDP tunnel interface tests """
68
69 tun4_encrypt_node_name = "esp4-encrypt-tun"
70 tun4_decrypt_node_name = "esp4-decrypt"
71 encryption_type = ESP
72
73 @classmethod
74 def setUpClass(cls):
75 super(TemplateIpsec4TunIfEspUdp, cls).setUpClass()
76
77 @classmethod
78 def tearDownClass(cls):
79 super(TemplateIpsec4TunIfEspUdp, cls).tearDownClass()
80
81 def setUp(self):
82 super(TemplateIpsec4TunIfEspUdp, self).setUp()
83
84 self.tun_if = self.pg0
85
86 p = self.ipv4_params
87 p.flags = (VppEnum.vl_api_ipsec_sad_flags_t.
88 IPSEC_API_SAD_FLAG_UDP_ENCAP)
89 p.nat_header = UDP(sport=5454, dport=4500)
90
91 p.tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
92 p.scapy_tun_spi, p.crypt_algo_vpp_id,
93 p.crypt_key, p.crypt_key,
94 p.auth_algo_vpp_id, p.auth_key,
95 p.auth_key, udp_encap=True)
96 p.tun_if.add_vpp_config()
97 p.tun_if.admin_up()
98 p.tun_if.config_ip4()
99 p.tun_if.config_ip6()
100
101 r = VppIpRoute(self, p.remote_tun_if_host, 32,
102 [VppRoutePath(p.tun_if.remote_ip4,
103 0xffffffff)])
104 r.add_vpp_config()
105 r = VppIpRoute(self, p.remote_tun_if_host6, 128,
106 [VppRoutePath(p.tun_if.remote_ip6,
107 0xffffffff,
108 proto=DpoProto.DPO_PROTO_IP6)])
109 r.add_vpp_config()
110
111 def tearDown(self):
112 super(TemplateIpsec4TunIfEspUdp, self).tearDown()
113
114
Kingwel Xie1ba5bc82019-03-20 07:21:58 -0400[diff] [blame]115class TestIpsec4TunIfEsp1(TemplateIpsec4TunIfEsp, IpsecTun4Tests):
Klement Sekera31da2e32018-06-24 22:49:55 +0200[diff] [blame]116 """ Ipsec ESP - TUN tests """
Klement Sekera6aa58b72019-05-16 14:34:55 +0200[diff] [blame]117 tun4_encrypt_node_name = "esp4-encrypt-tun"
Klement Sekerab4d30532018-11-08 13:00:02 +0100[diff] [blame]118 tun4_decrypt_node_name = "esp4-decrypt"
Klement Sekera31da2e32018-06-24 22:49:55 +0200[diff] [blame]119
Neale Ranns987aea82019-03-27 13:40:35 +0000[diff] [blame]120 def test_tun_basic64(self):
121 """ ipsec 6o4 tunnel basic test """
Klement Sekera6aa58b72019-05-16 14:34:55 +0200[diff] [blame]122 self.tun4_encrypt_node_name = "esp6-encrypt-tun"
123
Neale Ranns987aea82019-03-27 13:40:35 +0000[diff] [blame]124 self.verify_tun_64(self.params[socket.AF_INET], count=1)
125
126 def test_tun_burst64(self):
127 """ ipsec 6o4 tunnel basic test """
Klement Sekera6aa58b72019-05-16 14:34:55 +0200[diff] [blame]128 self.tun4_encrypt_node_name = "esp6-encrypt-tun"
129
Neale Ranns987aea82019-03-27 13:40:35 +0000[diff] [blame]130 self.verify_tun_64(self.params[socket.AF_INET], count=257)
131
Neale Rannsd7603d92019-03-28 08:56:10 +0000[diff] [blame]132 def test_tun_basic_frag44(self):
133 """ ipsec 4o4 tunnel frag basic test """
Klement Sekera6aa58b72019-05-16 14:34:55 +0200[diff] [blame]134 self.tun4_encrypt_node_name = "esp4-encrypt-tun"
135
Neale Rannsd7603d92019-03-28 08:56:10 +0000[diff] [blame]136 p = self.ipv4_params
137
138 self.vapi.sw_interface_set_mtu(p.tun_if.sw_if_index,
139 [1500, 0, 0, 0])
140 self.verify_tun_44(self.params[socket.AF_INET],
141 count=1, payload_size=1800, n_rx=2)
142 self.vapi.sw_interface_set_mtu(p.tun_if.sw_if_index,
143 [9000, 0, 0, 0])
144
Klement Sekera31da2e32018-06-24 22:49:55 +0200[diff] [blame]145
Neale Ranns41afb332019-07-16 06:19:35 -0700[diff] [blame]146class TestIpsec4TunIfEspUdp(TemplateIpsec4TunIfEspUdp, IpsecTun4Tests):
147 """ Ipsec ESP UDP tests """
148
149 tun4_input_node = "ipsec4-if-input"
150
151 def test_keepalive(self):
152 """ IPSEC NAT Keepalive """
153 self.verify_keepalive(self.ipv4_params)
154
155
Kingwel Xie1ba5bc82019-03-20 07:21:58 -0400[diff] [blame]156class TestIpsec4TunIfEsp2(TemplateIpsec4TunIfEsp, IpsecTcpTests):
Klement Sekera31da2e32018-06-24 22:49:55 +0200[diff] [blame]157 """ Ipsec ESP - TCP tests """
158 pass
159
160
Kingwel Xie1ba5bc82019-03-20 07:21:58 -0400[diff] [blame]161class TemplateIpsec6TunIfEsp(TemplateIpsec):
162 """ IPsec tunnel interface tests """
163
164 encryption_type = ESP
165
166 def setUp(self):
167 super(TemplateIpsec6TunIfEsp, self).setUp()
168
169 self.tun_if = self.pg0
170
171 p = self.ipv6_params
172 tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
173 p.scapy_tun_spi, p.crypt_algo_vpp_id,
174 p.crypt_key, p.crypt_key,
175 p.auth_algo_vpp_id, p.auth_key,
176 p.auth_key, is_ip6=True)
177 tun_if.add_vpp_config()
178 tun_if.admin_up()
179 tun_if.config_ip6()
Neale Ranns987aea82019-03-27 13:40:35 +0000[diff] [blame]180 tun_if.config_ip4()
Kingwel Xie1ba5bc82019-03-20 07:21:58 -0400[diff] [blame]181
Neale Ranns097fa662018-05-01 05:17:55 -0700[diff] [blame]182 r = VppIpRoute(self, p.remote_tun_if_host, 128,
183 [VppRoutePath(tun_if.remote_ip6,
184 0xffffffff,
185 proto=DpoProto.DPO_PROTO_IP6)])
186 r.add_vpp_config()
187 r = VppIpRoute(self, p.remote_tun_if_host4, 32,
188 [VppRoutePath(tun_if.remote_ip4,
189 0xffffffff)])
190 r.add_vpp_config()
Kingwel Xie1ba5bc82019-03-20 07:21:58 -0400[diff] [blame]191
192 def tearDown(self):
Kingwel Xie1ba5bc82019-03-20 07:21:58 -0400[diff] [blame]193 super(TemplateIpsec6TunIfEsp, self).tearDown()
194
195
196class TestIpsec6TunIfEsp1(TemplateIpsec6TunIfEsp, IpsecTun6Tests):
197 """ Ipsec ESP - TUN tests """
Klement Sekera6aa58b72019-05-16 14:34:55 +0200[diff] [blame]198 tun6_encrypt_node_name = "esp6-encrypt-tun"
Kingwel Xie1ba5bc82019-03-20 07:21:58 -0400[diff] [blame]199 tun6_decrypt_node_name = "esp6-decrypt"
200
Neale Ranns987aea82019-03-27 13:40:35 +0000[diff] [blame]201 def test_tun_basic46(self):
202 """ ipsec 4o6 tunnel basic test """
Klement Sekera6aa58b72019-05-16 14:34:55 +0200[diff] [blame]203 self.tun6_encrypt_node_name = "esp4-encrypt-tun"
Neale Ranns987aea82019-03-27 13:40:35 +0000[diff] [blame]204 self.verify_tun_46(self.params[socket.AF_INET6], count=1)
205
206 def test_tun_burst46(self):
207 """ ipsec 4o6 tunnel burst test """
Klement Sekera6aa58b72019-05-16 14:34:55 +0200[diff] [blame]208 self.tun6_encrypt_node_name = "esp4-encrypt-tun"
Neale Ranns987aea82019-03-27 13:40:35 +0000[diff] [blame]209 self.verify_tun_46(self.params[socket.AF_INET6], count=257)
210
Kingwel Xie1ba5bc82019-03-20 07:21:58 -0400[diff] [blame]211
Neale Ranns2ac885c2019-03-20 18:24:43 +0000[diff] [blame]212class TestIpsec4MultiTunIfEsp(TemplateIpsec, IpsecTun4):
213 """ IPsec IPv4 Multi Tunnel interface """
214
215 encryption_type = ESP
Klement Sekera6aa58b72019-05-16 14:34:55 +0200[diff] [blame]216 tun4_encrypt_node_name = "esp4-encrypt-tun"
Neale Ranns2ac885c2019-03-20 18:24:43 +0000[diff] [blame]217 tun4_decrypt_node_name = "esp4-decrypt"
218
219 def setUp(self):
220 super(TestIpsec4MultiTunIfEsp, self).setUp()
221
222 self.tun_if = self.pg0
223
224 self.multi_params = []
225
226 for ii in range(10):
227 p = copy.copy(self.ipv4_params)
228
229 p.remote_tun_if_host = "1.1.1.%d" % (ii + 1)
230 p.scapy_tun_sa_id = p.scapy_tun_sa_id + ii
231 p.scapy_tun_spi = p.scapy_tun_spi + ii
232 p.vpp_tun_sa_id = p.vpp_tun_sa_id + ii
233 p.vpp_tun_spi = p.vpp_tun_spi + ii
234
235 p.scapy_tra_sa_id = p.scapy_tra_sa_id + ii
236 p.scapy_tra_spi = p.scapy_tra_spi + ii
237 p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii
238 p.vpp_tra_spi = p.vpp_tra_spi + ii
239
240 config_tun_params(p, self.encryption_type, self.tun_if)
241 self.multi_params.append(p)
242
243 p.tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
244 p.scapy_tun_spi,
245 p.crypt_algo_vpp_id,
246 p.crypt_key, p.crypt_key,
247 p.auth_algo_vpp_id, p.auth_key,
248 p.auth_key)
249 p.tun_if.add_vpp_config()
250 p.tun_if.admin_up()
251 p.tun_if.config_ip4()
252
253 VppIpRoute(self, p.remote_tun_if_host, 32,
254 [VppRoutePath(p.tun_if.remote_ip4,
255 0xffffffff)]).add_vpp_config()
256
257 def tearDown(self):
Neale Ranns2ac885c2019-03-20 18:24:43 +0000[diff] [blame]258 super(TestIpsec4MultiTunIfEsp, self).tearDown()
259
260 def test_tun_44(self):
261 """Multiple IPSEC tunnel interfaces """
262 for p in self.multi_params:
263 self.verify_tun_44(p, count=127)
264 c = p.tun_if.get_rx_stats()
265 self.assertEqual(c['packets'], 127)
266 c = p.tun_if.get_tx_stats()
267 self.assertEqual(c['packets'], 127)
268
269
Neale Ranns47feb112019-04-11 15:14:07 +0000[diff] [blame]270class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4):
271 """ IPsec IPv4 Tunnel interface all Algos """
272
273 encryption_type = ESP
Klement Sekera6aa58b72019-05-16 14:34:55 +0200[diff] [blame]274 tun4_encrypt_node_name = "esp4-encrypt-tun"
Neale Ranns47feb112019-04-11 15:14:07 +0000[diff] [blame]275 tun4_decrypt_node_name = "esp4-decrypt"
276
277 def config_network(self, p):
278 config_tun_params(p, self.encryption_type, self.tun_if)
279
280 p.tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
281 p.scapy_tun_spi,
282 p.crypt_algo_vpp_id,
283 p.crypt_key, p.crypt_key,
284 p.auth_algo_vpp_id, p.auth_key,
Neale Ranns80f6fd52019-04-16 02:41:34 +0000[diff] [blame]285 p.auth_key,
286 salt=p.salt)
Neale Ranns47feb112019-04-11 15:14:07 +0000[diff] [blame]287 p.tun_if.add_vpp_config()
288 p.tun_if.admin_up()
289 p.tun_if.config_ip4()
290 self.logger.info(self.vapi.cli("sh ipsec sa 0"))
291 self.logger.info(self.vapi.cli("sh ipsec sa 1"))
292
293 p.route = VppIpRoute(self, p.remote_tun_if_host, 32,
294 [VppRoutePath(p.tun_if.remote_ip4,
295 0xffffffff)])
296 p.route.add_vpp_config()
297
298 def unconfig_network(self, p):
299 p.tun_if.unconfig_ip4()
300 p.tun_if.remove_vpp_config()
301 p.route.remove_vpp_config()
302
303 def setUp(self):
304 super(TestIpsec4TunIfEspAll, self).setUp()
305
306 self.tun_if = self.pg0
307
308 def tearDown(self):
309 super(TestIpsec4TunIfEspAll, self).tearDown()
310
Neale Rannsd6c9e822019-04-17 16:29:00 -0700[diff] [blame]311 def rekey(self, p):
312 #
313 # change the key and the SPI
314 #
315 p.crypt_key = 'X' + p.crypt_key[1:]
316 p.scapy_tun_spi += 1
317 p.scapy_tun_sa_id += 1
318 p.vpp_tun_spi += 1
319 p.vpp_tun_sa_id += 1
320 p.tun_if.local_spi = p.vpp_tun_spi
321 p.tun_if.remote_spi = p.scapy_tun_spi
322
323 config_tun_params(p, self.encryption_type, self.tun_if)
324
325 p.tun_sa_in = VppIpsecSA(self,
326 p.scapy_tun_sa_id,
327 p.scapy_tun_spi,
328 p.auth_algo_vpp_id,
329 p.auth_key,
330 p.crypt_algo_vpp_id,
331 p.crypt_key,
332 self.vpp_esp_protocol,
333 self.tun_if.local_addr[p.addr_type],
334 self.tun_if.remote_addr[p.addr_type],
335 flags=p.flags,
336 salt=p.salt)
337 p.tun_sa_out = VppIpsecSA(self,
338 p.vpp_tun_sa_id,
339 p.vpp_tun_spi,
340 p.auth_algo_vpp_id,
341 p.auth_key,
342 p.crypt_algo_vpp_id,
343 p.crypt_key,
344 self.vpp_esp_protocol,
345 self.tun_if.remote_addr[p.addr_type],
346 self.tun_if.local_addr[p.addr_type],
347 flags=p.flags,
348 salt=p.salt)
349 p.tun_sa_in.add_vpp_config()
350 p.tun_sa_out.add_vpp_config()
351
352 self.vapi.ipsec_tunnel_if_set_sa(sw_if_index=p.tun_if.sw_if_index,
353 sa_id=p.tun_sa_in.id,
354 is_outbound=1)
355 self.vapi.ipsec_tunnel_if_set_sa(sw_if_index=p.tun_if.sw_if_index,
356 sa_id=p.tun_sa_out.id,
357 is_outbound=0)
358 self.logger.info(self.vapi.cli("sh ipsec sa"))
359
Neale Ranns47feb112019-04-11 15:14:07 +0000[diff] [blame]360 def test_tun_44(self):
361 """IPSEC tunnel all algos """
362
363 # foreach VPP crypto engine
364 engines = ["ia32", "ipsecmb", "openssl"]
365
366 # foreach crypto algorithm
367 algos = [{'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
368 IPSEC_API_CRYPTO_ALG_AES_GCM_128),
369 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
370 IPSEC_API_INTEG_ALG_NONE),
371 'scapy-crypto': "AES-GCM",
372 'scapy-integ': "NULL",
373 'key': "JPjyOWBeVEQiMe7h",
Neale Ranns80f6fd52019-04-16 02:41:34 +0000[diff] [blame]374 'salt': 3333},
Neale Ranns47feb112019-04-11 15:14:07 +0000[diff] [blame]375 {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
376 IPSEC_API_CRYPTO_ALG_AES_GCM_192),
377 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
378 IPSEC_API_INTEG_ALG_NONE),
379 'scapy-crypto': "AES-GCM",
380 'scapy-integ': "NULL",
381 'key': "JPjyOWBeVEQiMe7hJPjyOWBe",
Neale Ranns80f6fd52019-04-16 02:41:34 +0000[diff] [blame]382 'salt': 0},
Neale Ranns47feb112019-04-11 15:14:07 +0000[diff] [blame]383 {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
384 IPSEC_API_CRYPTO_ALG_AES_GCM_256),
385 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
386 IPSEC_API_INTEG_ALG_NONE),
387 'scapy-crypto': "AES-GCM",
388 'scapy-integ': "NULL",
389 'key': "JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h",
Neale Ranns80f6fd52019-04-16 02:41:34 +0000[diff] [blame]390 'salt': 9999},
Neale Ranns47feb112019-04-11 15:14:07 +0000[diff] [blame]391 {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
392 IPSEC_API_CRYPTO_ALG_AES_CBC_128),
393 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
394 IPSEC_API_INTEG_ALG_SHA1_96),
395 'scapy-crypto': "AES-CBC",
396 'scapy-integ': "HMAC-SHA1-96",
Neale Ranns80f6fd52019-04-16 02:41:34 +0000[diff] [blame]397 'salt': 0,
Neale Ranns47feb112019-04-11 15:14:07 +0000[diff] [blame]398 'key': "JPjyOWBeVEQiMe7h"},
399 {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
400 IPSEC_API_CRYPTO_ALG_AES_CBC_192),
401 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
402 IPSEC_API_INTEG_ALG_SHA1_96),
403 'scapy-crypto': "AES-CBC",
404 'scapy-integ': "HMAC-SHA1-96",
Neale Ranns80f6fd52019-04-16 02:41:34 +0000[diff] [blame]405 'salt': 0,
Neale Ranns47feb112019-04-11 15:14:07 +0000[diff] [blame]406 'key': "JPjyOWBeVEQiMe7hJPjyOWBe"},
407 {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
408 IPSEC_API_CRYPTO_ALG_AES_CBC_256),
409 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
410 IPSEC_API_INTEG_ALG_SHA1_96),
411 'scapy-crypto': "AES-CBC",
412 'scapy-integ': "HMAC-SHA1-96",
Neale Ranns80f6fd52019-04-16 02:41:34 +0000[diff] [blame]413 'salt': 0,
Neale Ranns2cdcd0c2019-08-27 12:26:14 +0000[diff] [blame]414 'key': "JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"},
415 {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
416 IPSEC_API_CRYPTO_ALG_NONE),
417 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
418 IPSEC_API_INTEG_ALG_SHA1_96),
419 'scapy-crypto': "NULL",
420 'scapy-integ': "HMAC-SHA1-96",
421 'salt': 0,
Neale Ranns47feb112019-04-11 15:14:07 +0000[diff] [blame]422 'key': "JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"}]
423
424 for engine in engines:
425 self.vapi.cli("set crypto handler all %s" % engine)
426
427 #
428 # loop through each of the algorithms
429 #
430 for algo in algos:
431 # with self.subTest(algo=algo['scapy']):
432
433 p = copy.copy(self.ipv4_params)
434 p.auth_algo_vpp_id = algo['vpp-integ']
435 p.crypt_algo_vpp_id = algo['vpp-crypto']
436 p.crypt_algo = algo['scapy-crypto']
437 p.auth_algo = algo['scapy-integ']
438 p.crypt_key = algo['key']
Neale Ranns80f6fd52019-04-16 02:41:34 +0000[diff] [blame]439 p.salt = algo['salt']
Neale Ranns47feb112019-04-11 15:14:07 +0000[diff] [blame]440
441 self.config_network(p)
442
443 self.verify_tun_44(p, count=127)
444 c = p.tun_if.get_rx_stats()
445 self.assertEqual(c['packets'], 127)
446 c = p.tun_if.get_tx_stats()
447 self.assertEqual(c['packets'], 127)
448
Neale Rannsd6c9e822019-04-17 16:29:00 -0700[diff] [blame]449 #
450 # rekey the tunnel
451 #
452 self.rekey(p)
453 self.verify_tun_44(p, count=127)
454
Neale Ranns47feb112019-04-11 15:14:07 +0000[diff] [blame]455 self.unconfig_network(p)
Neale Rannsd6c9e822019-04-17 16:29:00 -0700[diff] [blame]456 p.tun_sa_out.remove_vpp_config()
457 p.tun_sa_in.remove_vpp_config()
Neale Ranns47feb112019-04-11 15:14:07 +0000[diff] [blame]458
459
Neale Ranns2ac885c2019-03-20 18:24:43 +0000[diff] [blame]460class TestIpsec6MultiTunIfEsp(TemplateIpsec, IpsecTun6):
Paul Vinciguerra8feeaff2019-03-27 11:25:48 -0700[diff] [blame]461 """ IPsec IPv6 Multi Tunnel interface """
Neale Ranns2ac885c2019-03-20 18:24:43 +0000[diff] [blame]462
463 encryption_type = ESP
Klement Sekera6aa58b72019-05-16 14:34:55 +0200[diff] [blame]464 tun6_encrypt_node_name = "esp6-encrypt-tun"
Neale Ranns2ac885c2019-03-20 18:24:43 +0000[diff] [blame]465 tun6_decrypt_node_name = "esp6-decrypt"
466
467 def setUp(self):
468 super(TestIpsec6MultiTunIfEsp, self).setUp()
469
470 self.tun_if = self.pg0
471
472 self.multi_params = []
473
474 for ii in range(10):
475 p = copy.copy(self.ipv6_params)
476
477 p.remote_tun_if_host = "1111::%d" % (ii + 1)
478 p.scapy_tun_sa_id = p.scapy_tun_sa_id + ii
479 p.scapy_tun_spi = p.scapy_tun_spi + ii
480 p.vpp_tun_sa_id = p.vpp_tun_sa_id + ii
481 p.vpp_tun_spi = p.vpp_tun_spi + ii
482
483 p.scapy_tra_sa_id = p.scapy_tra_sa_id + ii
484 p.scapy_tra_spi = p.scapy_tra_spi + ii
485 p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii
486 p.vpp_tra_spi = p.vpp_tra_spi + ii
487
488 config_tun_params(p, self.encryption_type, self.tun_if)
489 self.multi_params.append(p)
490
491 p.tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
492 p.scapy_tun_spi,
493 p.crypt_algo_vpp_id,
494 p.crypt_key, p.crypt_key,
495 p.auth_algo_vpp_id, p.auth_key,
496 p.auth_key, is_ip6=True)
497 p.tun_if.add_vpp_config()
498 p.tun_if.admin_up()
499 p.tun_if.config_ip6()
500
Neale Ranns097fa662018-05-01 05:17:55 -0700[diff] [blame]501 r = VppIpRoute(self, p.remote_tun_if_host, 128,
502 [VppRoutePath(p.tun_if.remote_ip6,
503 0xffffffff,
504 proto=DpoProto.DPO_PROTO_IP6)])
505 r.add_vpp_config()
Neale Ranns2ac885c2019-03-20 18:24:43 +0000[diff] [blame]506
507 def tearDown(self):
Neale Ranns2ac885c2019-03-20 18:24:43 +0000[diff] [blame]508 super(TestIpsec6MultiTunIfEsp, self).tearDown()
509
510 def test_tun_66(self):
511 """Multiple IPSEC tunnel interfaces """
512 for p in self.multi_params:
513 self.verify_tun_66(p, count=127)
514 c = p.tun_if.get_rx_stats()
515 self.assertEqual(c['packets'], 127)
516 c = p.tun_if.get_tx_stats()
517 self.assertEqual(c['packets'], 127)
518
519
Neale Rannsc87b66c2019-02-07 07:26:12 -0800[diff] [blame]520class TestIpsecGreTebIfEsp(TemplateIpsec,
521 IpsecTun4Tests):
522 """ Ipsec GRE TEB ESP - TUN tests """
523 tun4_encrypt_node_name = "esp4-encrypt-tun"
524 tun4_decrypt_node_name = "esp4-decrypt-tun"
Neale Rannsf05e7322019-03-29 20:23:58 +0000[diff] [blame]525 encryption_type = ESP
526 omac = "00:11:22:33:44:55"
527
528 def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1,
529 payload_size=100):
530 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
531 sa.encrypt(IP(src=self.pg0.remote_ip4,
532 dst=self.pg0.local_ip4) /
533 GRE() /
534 Ether(dst=self.omac) /
535 IP(src="1.1.1.1", dst="1.1.1.2") /
536 UDP(sport=1144, dport=2233) /
537 Raw('X' * payload_size))
538 for i in range(count)]
539
540 def gen_pkts(self, sw_intf, src, dst, count=1,
541 payload_size=100):
542 return [Ether(dst=self.omac) /
543 IP(src="1.1.1.1", dst="1.1.1.2") /
544 UDP(sport=1144, dport=2233) /
545 Raw('X' * payload_size)
546 for i in range(count)]
547
548 def verify_decrypted(self, p, rxs):
549 for rx in rxs:
550 self.assert_equal(rx[Ether].dst, self.omac)
551 self.assert_equal(rx[IP].dst, "1.1.1.2")
552
553 def verify_encrypted(self, p, sa, rxs):
554 for rx in rxs:
555 try:
556 pkt = sa.decrypt(rx[IP])
557 if not pkt.haslayer(IP):
558 pkt = IP(pkt[Raw].load)
559 self.assert_packet_checksums_valid(pkt)
560 self.assert_equal(pkt[IP].dst, self.pg0.remote_ip4)
561 self.assert_equal(pkt[IP].src, self.pg0.local_ip4)
562 self.assertTrue(pkt.haslayer(GRE))
563 e = pkt[Ether]
564 self.assertEqual(e[Ether].dst, self.omac)
565 self.assertEqual(e[IP].dst, "1.1.1.2")
566 except (IndexError, AssertionError):
567 self.logger.debug(ppp("Unexpected packet:", rx))
568 try:
569 self.logger.debug(ppp("Decrypted packet:", pkt))
570 except:
571 pass
572 raise
573
574 def setUp(self):
Neale Rannsc87b66c2019-02-07 07:26:12 -0800[diff] [blame]575 super(TestIpsecGreTebIfEsp, self).setUp()
Neale Rannsf05e7322019-03-29 20:23:58 +0000[diff] [blame]576
577 self.tun_if = self.pg0
578
579 p = self.ipv4_params
580
581 bd1 = VppBridgeDomain(self, 1)
582 bd1.add_vpp_config()
583
584 p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
585 p.auth_algo_vpp_id, p.auth_key,
586 p.crypt_algo_vpp_id, p.crypt_key,
587 self.vpp_esp_protocol,
588 self.pg0.local_ip4,
589 self.pg0.remote_ip4)
590 p.tun_sa_out.add_vpp_config()
591
592 p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
593 p.auth_algo_vpp_id, p.auth_key,
594 p.crypt_algo_vpp_id, p.crypt_key,
595 self.vpp_esp_protocol,
596 self.pg0.remote_ip4,
597 self.pg0.local_ip4)
598 p.tun_sa_in.add_vpp_config()
599
Neale Rannsc87b66c2019-02-07 07:26:12 -0800[diff] [blame]600 self.tun = VppGreInterface(self,
601 self.pg0.local_ip4,
602 self.pg0.remote_ip4,
603 type=(VppEnum.vl_api_gre_tunnel_type_t.
604 GRE_API_TUNNEL_TYPE_TEB))
Neale Rannsf05e7322019-03-29 20:23:58 +0000[diff] [blame]605 self.tun.add_vpp_config()
Neale Rannsc87b66c2019-02-07 07:26:12 -0800[diff] [blame]606
607 p.tun_protect = VppIpsecTunProtect(self,
608 self.tun,
609 p.tun_sa_out,
610 [p.tun_sa_in])
611
612 p.tun_protect.add_vpp_config()
613
Neale Rannsf05e7322019-03-29 20:23:58 +0000[diff] [blame]614 self.tun.admin_up()
615 self.tun.config_ip4()
616
Neale Rannsf05e7322019-03-29 20:23:58 +0000[diff] [blame]617 VppBridgeDomainPort(self, bd1, self.tun).add_vpp_config()
618 VppBridgeDomainPort(self, bd1, self.pg1).add_vpp_config()
619
Neale Rannsc87b66c2019-02-07 07:26:12 -0800[diff] [blame]620 self.vapi.cli("clear ipsec sa")
621
Neale Rannsf05e7322019-03-29 20:23:58 +0000[diff] [blame]622 def tearDown(self):
Neale Rannsf05e7322019-03-29 20:23:58 +0000[diff] [blame]623 self.tun.unconfig_ip4()
Neale Rannsc87b66c2019-02-07 07:26:12 -0800[diff] [blame]624 super(TestIpsecGreTebIfEsp, self).tearDown()
Neale Rannsf05e7322019-03-29 20:23:58 +0000[diff] [blame]625
626
Neale Rannsc87b66c2019-02-07 07:26:12 -0800[diff] [blame]627class TestIpsecGreIfEsp(TemplateIpsec,
628 IpsecTun4Tests):
Neale Rannsf05e7322019-03-29 20:23:58 +0000[diff] [blame]629 """ Ipsec GRE ESP - TUN tests """
Neale Rannsc87b66c2019-02-07 07:26:12 -0800[diff] [blame]630 tun4_encrypt_node_name = "esp4-encrypt-tun"
631 tun4_decrypt_node_name = "esp4-decrypt-tun"
632 encryption_type = ESP
633
634 def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1,
635 payload_size=100):
636 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
637 sa.encrypt(IP(src=self.pg0.remote_ip4,
638 dst=self.pg0.local_ip4) /
639 GRE() /
640 IP(src=self.pg1.local_ip4,
641 dst=self.pg1.remote_ip4) /
642 UDP(sport=1144, dport=2233) /
643 Raw('X' * payload_size))
644 for i in range(count)]
645
646 def gen_pkts(self, sw_intf, src, dst, count=1,
647 payload_size=100):
648 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
649 IP(src="1.1.1.1", dst="1.1.1.2") /
650 UDP(sport=1144, dport=2233) /
651 Raw('X' * payload_size)
652 for i in range(count)]
653
654 def verify_decrypted(self, p, rxs):
655 for rx in rxs:
656 self.assert_equal(rx[Ether].dst, self.pg1.remote_mac)
657 self.assert_equal(rx[IP].dst, self.pg1.remote_ip4)
658
659 def verify_encrypted(self, p, sa, rxs):
660 for rx in rxs:
661 try:
662 pkt = sa.decrypt(rx[IP])
663 if not pkt.haslayer(IP):
664 pkt = IP(pkt[Raw].load)
665 self.assert_packet_checksums_valid(pkt)
666 self.assert_equal(pkt[IP].dst, self.pg0.remote_ip4)
667 self.assert_equal(pkt[IP].src, self.pg0.local_ip4)
668 self.assertTrue(pkt.haslayer(GRE))
669 e = pkt[GRE]
670 self.assertEqual(e[IP].dst, "1.1.1.2")
671 except (IndexError, AssertionError):
672 self.logger.debug(ppp("Unexpected packet:", rx))
673 try:
674 self.logger.debug(ppp("Decrypted packet:", pkt))
675 except:
676 pass
677 raise
678
679 def setUp(self):
680 super(TestIpsecGreIfEsp, self).setUp()
681
682 self.tun_if = self.pg0
683
684 p = self.ipv4_params
685
686 bd1 = VppBridgeDomain(self, 1)
687 bd1.add_vpp_config()
688
689 p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
690 p.auth_algo_vpp_id, p.auth_key,
691 p.crypt_algo_vpp_id, p.crypt_key,
692 self.vpp_esp_protocol,
693 self.pg0.local_ip4,
694 self.pg0.remote_ip4)
695 p.tun_sa_out.add_vpp_config()
696
697 p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
698 p.auth_algo_vpp_id, p.auth_key,
699 p.crypt_algo_vpp_id, p.crypt_key,
700 self.vpp_esp_protocol,
701 self.pg0.remote_ip4,
702 self.pg0.local_ip4)
703 p.tun_sa_in.add_vpp_config()
704
705 self.tun = VppGreInterface(self,
706 self.pg0.local_ip4,
707 self.pg0.remote_ip4)
708 self.tun.add_vpp_config()
709
710 p.tun_protect = VppIpsecTunProtect(self,
711 self.tun,
712 p.tun_sa_out,
713 [p.tun_sa_in])
714 p.tun_protect.add_vpp_config()
715
716 self.tun.admin_up()
717 self.tun.config_ip4()
718
719 VppIpRoute(self, "1.1.1.2", 32,
720 [VppRoutePath(self.tun.remote_ip4,
721 0xffffffff)]).add_vpp_config()
722
723 def tearDown(self):
724 self.tun.unconfig_ip4()
725 super(TestIpsecGreIfEsp, self).tearDown()
726
727
728class TemplateIpsec4TunProtect(object):
729 """ IPsec IPv4 Tunnel protect """
730
Neale Ranns41afb332019-07-16 06:19:35 -0700[diff] [blame]731 encryption_type = ESP
732 tun4_encrypt_node_name = "esp4-encrypt-tun"
733 tun4_decrypt_node_name = "esp4-decrypt-tun"
734 tun4_input_node = "ipsec4-tun-input"
735
Neale Rannsc87b66c2019-02-07 07:26:12 -0800[diff] [blame]736 def config_sa_tra(self, p):
737 config_tun_params(p, self.encryption_type, self.tun_if)
738
739 p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
740 p.auth_algo_vpp_id, p.auth_key,
741 p.crypt_algo_vpp_id, p.crypt_key,
Neale Ranns41afb332019-07-16 06:19:35 -0700[diff] [blame]742 self.vpp_esp_protocol,
743 flags=p.flags)
Neale Rannsc87b66c2019-02-07 07:26:12 -0800[diff] [blame]744 p.tun_sa_out.add_vpp_config()
745
746 p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
747 p.auth_algo_vpp_id, p.auth_key,
748 p.crypt_algo_vpp_id, p.crypt_key,
Neale Ranns41afb332019-07-16 06:19:35 -0700[diff] [blame]749 self.vpp_esp_protocol,
750 flags=p.flags)
Neale Rannsc87b66c2019-02-07 07:26:12 -0800[diff] [blame]751 p.tun_sa_in.add_vpp_config()
752
753 def config_sa_tun(self, p):
754 config_tun_params(p, self.encryption_type, self.tun_if)
755
756 p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
757 p.auth_algo_vpp_id, p.auth_key,
758 p.crypt_algo_vpp_id, p.crypt_key,
759 self.vpp_esp_protocol,
760 self.tun_if.remote_addr[p.addr_type],
Neale Ranns41afb332019-07-16 06:19:35 -0700[diff] [blame]761 self.tun_if.local_addr[p.addr_type],
762 flags=p.flags)
Neale Rannsc87b66c2019-02-07 07:26:12 -0800[diff] [blame]763 p.tun_sa_out.add_vpp_config()
764
765 p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
766 p.auth_algo_vpp_id, p.auth_key,
767 p.crypt_algo_vpp_id, p.crypt_key,
768 self.vpp_esp_protocol,
769 self.tun_if.remote_addr[p.addr_type],
Neale Ranns41afb332019-07-16 06:19:35 -0700[diff] [blame]770 self.tun_if.local_addr[p.addr_type],
771 flags=p.flags)
Neale Rannsc87b66c2019-02-07 07:26:12 -0800[diff] [blame]772 p.tun_sa_in.add_vpp_config()
773
774 def config_protect(self, p):
775 p.tun_protect = VppIpsecTunProtect(self,
776 p.tun_if,
777 p.tun_sa_out,
778 [p.tun_sa_in])
779 p.tun_protect.add_vpp_config()
780
781 def config_network(self, p):
782 p.tun_if = VppIpIpTunInterface(self, self.pg0,
783 self.pg0.local_ip4,
784 self.pg0.remote_ip4)
785 p.tun_if.add_vpp_config()
786 p.tun_if.admin_up()
787 p.tun_if.config_ip4()
Neale Rannsb3259832019-09-27 13:32:02 +0000[diff] [blame^]788 p.tun_if.config_ip6()
Neale Rannsc87b66c2019-02-07 07:26:12 -0800[diff] [blame]789
790 p.route = VppIpRoute(self, p.remote_tun_if_host, 32,
791 [VppRoutePath(p.tun_if.remote_ip4,
792 0xffffffff)])
793 p.route.add_vpp_config()
Neale Rannsb3259832019-09-27 13:32:02 +0000[diff] [blame^]794 r = VppIpRoute(self, p.remote_tun_if_host6, 128,
795 [VppRoutePath(p.tun_if.remote_ip6,
796 0xffffffff,
797 proto=DpoProto.DPO_PROTO_IP6)])
798 r.add_vpp_config()
Neale Rannsc87b66c2019-02-07 07:26:12 -0800[diff] [blame]799
800 def unconfig_network(self, p):
801 p.route.remove_vpp_config()
802 p.tun_if.remove_vpp_config()
803
804 def unconfig_protect(self, p):
805 p.tun_protect.remove_vpp_config()
806
807 def unconfig_sa(self, p):
808 p.tun_sa_out.remove_vpp_config()
809 p.tun_sa_in.remove_vpp_config()
810
811
812class TestIpsec4TunProtect(TemplateIpsec,
813 TemplateIpsec4TunProtect,
814 IpsecTun4):
815 """ IPsec IPv4 Tunnel protect - transport mode"""
816
Neale Rannsc87b66c2019-02-07 07:26:12 -0800[diff] [blame]817 def setUp(self):
818 super(TestIpsec4TunProtect, self).setUp()
819
820 self.tun_if = self.pg0
821
822 def tearDown(self):
823 super(TestIpsec4TunProtect, self).tearDown()
824
825 def test_tun_44(self):
826 """IPSEC tunnel protect"""
827
828 p = self.ipv4_params
829
830 self.config_network(p)
831 self.config_sa_tra(p)
832 self.config_protect(p)
833
834 self.verify_tun_44(p, count=127)
835 c = p.tun_if.get_rx_stats()
836 self.assertEqual(c['packets'], 127)
837 c = p.tun_if.get_tx_stats()
838 self.assertEqual(c['packets'], 127)
839
Neale Rannsb3259832019-09-27 13:32:02 +0000[diff] [blame^]840 self.vapi.cli("clear ipsec sa")
841 self.verify_tun_64(p, count=127)
842 c = p.tun_if.get_rx_stats()
843 self.assertEqual(c['packets'], 254)
844 c = p.tun_if.get_tx_stats()
845 self.assertEqual(c['packets'], 254)
846
Neale Rannsc87b66c2019-02-07 07:26:12 -0800[diff] [blame]847 # rekey - create new SAs and update the tunnel protection
848 np = copy.copy(p)
849 np.crypt_key = 'X' + p.crypt_key[1:]
850 np.scapy_tun_spi += 100
851 np.scapy_tun_sa_id += 1
852 np.vpp_tun_spi += 100
853 np.vpp_tun_sa_id += 1
854 np.tun_if.local_spi = p.vpp_tun_spi
855 np.tun_if.remote_spi = p.scapy_tun_spi
856
857 self.config_sa_tra(np)
858 self.config_protect(np)
859 self.unconfig_sa(p)
860
861 self.verify_tun_44(np, count=127)
862 c = p.tun_if.get_rx_stats()
Neale Rannsb3259832019-09-27 13:32:02 +0000[diff] [blame^]863 self.assertEqual(c['packets'], 381)
Neale Rannsc87b66c2019-02-07 07:26:12 -0800[diff] [blame]864 c = p.tun_if.get_tx_stats()
Neale Rannsb3259832019-09-27 13:32:02 +0000[diff] [blame^]865 self.assertEqual(c['packets'], 381)
Neale Rannsc87b66c2019-02-07 07:26:12 -0800[diff] [blame]866
867 # teardown
868 self.unconfig_protect(np)
869 self.unconfig_sa(np)
870 self.unconfig_network(p)
871
872
Neale Ranns41afb332019-07-16 06:19:35 -0700[diff] [blame]873class TestIpsec4TunProtectUdp(TemplateIpsec,
874 TemplateIpsec4TunProtect,
875 IpsecTun4):
876 """ IPsec IPv4 Tunnel protect - transport mode"""
877
878 def setUp(self):
879 super(TestIpsec4TunProtectUdp, self).setUp()
880
881 self.tun_if = self.pg0
882
883 p = self.ipv4_params
884 p.flags = (VppEnum.vl_api_ipsec_sad_flags_t.
885 IPSEC_API_SAD_FLAG_UDP_ENCAP)
886 p.nat_header = UDP(sport=5454, dport=4500)
887 self.config_network(p)
888 self.config_sa_tra(p)
889 self.config_protect(p)
890
891 def tearDown(self):
892 p = self.ipv4_params
893 self.unconfig_protect(p)
894 self.unconfig_sa(p)
895 self.unconfig_network(p)
896 super(TestIpsec4TunProtectUdp, self).tearDown()
897
898 def test_tun_44(self):
899 """IPSEC UDP tunnel protect"""
900
901 p = self.ipv4_params
902
903 self.verify_tun_44(p, count=127)
904 c = p.tun_if.get_rx_stats()
905 self.assertEqual(c['packets'], 127)
906 c = p.tun_if.get_tx_stats()
907 self.assertEqual(c['packets'], 127)
908
909 def test_keepalive(self):
910 """ IPSEC NAT Keepalive """
911 self.verify_keepalive(self.ipv4_params)
912
913
Neale Rannsc87b66c2019-02-07 07:26:12 -0800[diff] [blame]914class TestIpsec4TunProtectTun(TemplateIpsec,
915 TemplateIpsec4TunProtect,
916 IpsecTun4):
917 """ IPsec IPv4 Tunnel protect - tunnel mode"""
918
919 encryption_type = ESP
920 tun4_encrypt_node_name = "esp4-encrypt-tun"
921 tun4_decrypt_node_name = "esp4-decrypt-tun"
922
923 def setUp(self):
924 super(TestIpsec4TunProtectTun, self).setUp()
925
926 self.tun_if = self.pg0
927
928 def tearDown(self):
929 super(TestIpsec4TunProtectTun, self).tearDown()
930
931 def gen_encrypt_pkts(self, sa, sw_intf, src, dst, count=1,
932 payload_size=100):
933 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
934 sa.encrypt(IP(src=sw_intf.remote_ip4,
935 dst=sw_intf.local_ip4) /
936 IP(src=src, dst=dst) /
937 UDP(sport=1144, dport=2233) /
938 Raw('X' * payload_size))
939 for i in range(count)]
940
941 def gen_pkts(self, sw_intf, src, dst, count=1,
942 payload_size=100):
943 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
944 IP(src=src, dst=dst) /
945 UDP(sport=1144, dport=2233) /
946 Raw('X' * payload_size)
947 for i in range(count)]
948
949 def verify_decrypted(self, p, rxs):
950 for rx in rxs:
951 self.assert_equal(rx[IP].dst, self.pg1.remote_ip4)
952 self.assert_equal(rx[IP].src, p.remote_tun_if_host)
953 self.assert_packet_checksums_valid(rx)
954
955 def verify_encrypted(self, p, sa, rxs):
956 for rx in rxs:
957 try:
958 pkt = sa.decrypt(rx[IP])
959 if not pkt.haslayer(IP):
960 pkt = IP(pkt[Raw].load)
961 self.assert_packet_checksums_valid(pkt)
962 self.assert_equal(pkt[IP].dst, self.pg0.remote_ip4)
963 self.assert_equal(pkt[IP].src, self.pg0.local_ip4)
964 inner = pkt[IP].payload
965 self.assertEqual(inner[IP][IP].dst, p.remote_tun_if_host)
966
967 except (IndexError, AssertionError):
968 self.logger.debug(ppp("Unexpected packet:", rx))
969 try:
970 self.logger.debug(ppp("Decrypted packet:", pkt))
971 except:
972 pass
973 raise
974
975 def test_tun_44(self):
976 """IPSEC tunnel protect """
977
978 p = self.ipv4_params
979
980 self.config_network(p)
981 self.config_sa_tun(p)
982 self.config_protect(p)
983
984 self.verify_tun_44(p, count=127)
985
986 c = p.tun_if.get_rx_stats()
987 self.assertEqual(c['packets'], 127)
988 c = p.tun_if.get_tx_stats()
989 self.assertEqual(c['packets'], 127)
990
991 # rekey - create new SAs and update the tunnel protection
992 np = copy.copy(p)
993 np.crypt_key = 'X' + p.crypt_key[1:]
994 np.scapy_tun_spi += 100
995 np.scapy_tun_sa_id += 1
996 np.vpp_tun_spi += 100
997 np.vpp_tun_sa_id += 1
998 np.tun_if.local_spi = p.vpp_tun_spi
999 np.tun_if.remote_spi = p.scapy_tun_spi
1000
1001 self.config_sa_tun(np)
1002 self.config_protect(np)
1003 self.unconfig_sa(p)
1004
1005 self.verify_tun_44(np, count=127)
1006 c = p.tun_if.get_rx_stats()
1007 self.assertEqual(c['packets'], 254)
1008 c = p.tun_if.get_tx_stats()
1009 self.assertEqual(c['packets'], 254)
1010
1011 # teardown
1012 self.unconfig_protect(np)
1013 self.unconfig_sa(np)
1014 self.unconfig_network(p)
1015
1016
1017class TemplateIpsec6TunProtect(object):
1018 """ IPsec IPv6 Tunnel protect """
1019
1020 def config_sa_tra(self, p):
1021 config_tun_params(p, self.encryption_type, self.tun_if)
1022
1023 p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
1024 p.auth_algo_vpp_id, p.auth_key,
1025 p.crypt_algo_vpp_id, p.crypt_key,
1026 self.vpp_esp_protocol)
1027 p.tun_sa_out.add_vpp_config()
1028
1029 p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
1030 p.auth_algo_vpp_id, p.auth_key,
1031 p.crypt_algo_vpp_id, p.crypt_key,
1032 self.vpp_esp_protocol)
1033 p.tun_sa_in.add_vpp_config()
1034
1035 def config_sa_tun(self, p):
1036 config_tun_params(p, self.encryption_type, self.tun_if)
1037
1038 p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
1039 p.auth_algo_vpp_id, p.auth_key,
1040 p.crypt_algo_vpp_id, p.crypt_key,
1041 self.vpp_esp_protocol,
1042 self.tun_if.remote_addr[p.addr_type],
1043 self.tun_if.local_addr[p.addr_type])
1044 p.tun_sa_out.add_vpp_config()
1045
1046 p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
1047 p.auth_algo_vpp_id, p.auth_key,
1048 p.crypt_algo_vpp_id, p.crypt_key,
1049 self.vpp_esp_protocol,
1050 self.tun_if.remote_addr[p.addr_type],
1051 self.tun_if.local_addr[p.addr_type])
1052 p.tun_sa_in.add_vpp_config()
1053
1054 def config_protect(self, p):
1055 p.tun_protect = VppIpsecTunProtect(self,
1056 p.tun_if,
1057 p.tun_sa_out,
1058 [p.tun_sa_in])
1059 p.tun_protect.add_vpp_config()
1060
1061 def config_network(self, p):
1062 p.tun_if = VppIpIpTunInterface(self, self.pg0,
1063 self.pg0.local_ip6,
1064 self.pg0.remote_ip6)
1065 p.tun_if.add_vpp_config()
1066 p.tun_if.admin_up()
1067 p.tun_if.config_ip6()
Neale Rannsb3259832019-09-27 13:32:02 +0000[diff] [blame^]1068 p.tun_if.config_ip4()
Neale Rannsc87b66c2019-02-07 07:26:12 -0800[diff] [blame]1069
1070 p.route = VppIpRoute(self, p.remote_tun_if_host, 128,
1071 [VppRoutePath(p.tun_if.remote_ip6,
1072 0xffffffff,
Florin Corasb54a5992019-06-18 10:57:26 -0700[diff] [blame]1073 proto=DpoProto.DPO_PROTO_IP6)])
Neale Rannsc87b66c2019-02-07 07:26:12 -0800[diff] [blame]1074 p.route.add_vpp_config()
Neale Rannsb3259832019-09-27 13:32:02 +0000[diff] [blame^]1075 r = VppIpRoute(self, p.remote_tun_if_host4, 32,
1076 [VppRoutePath(p.tun_if.remote_ip4,
1077 0xffffffff)])
1078 r.add_vpp_config()
Neale Rannsc87b66c2019-02-07 07:26:12 -0800[diff] [blame]1079
1080 def unconfig_network(self, p):
1081 p.route.remove_vpp_config()
1082 p.tun_if.remove_vpp_config()
1083
1084 def unconfig_protect(self, p):
1085 p.tun_protect.remove_vpp_config()
1086
1087 def unconfig_sa(self, p):
1088 p.tun_sa_out.remove_vpp_config()
1089 p.tun_sa_in.remove_vpp_config()
1090
1091
1092class TestIpsec6TunProtect(TemplateIpsec,
1093 TemplateIpsec6TunProtect,
1094 IpsecTun6):
1095 """ IPsec IPv6 Tunnel protect - transport mode"""
1096
1097 encryption_type = ESP
1098 tun6_encrypt_node_name = "esp6-encrypt-tun"
1099 tun6_decrypt_node_name = "esp6-decrypt-tun"
1100
1101 def setUp(self):
1102 super(TestIpsec6TunProtect, self).setUp()
1103
1104 self.tun_if = self.pg0
1105
1106 def tearDown(self):
1107 super(TestIpsec6TunProtect, self).tearDown()
1108
1109 def test_tun_66(self):
1110 """IPSEC tunnel protect"""
1111
1112 p = self.ipv6_params
1113
1114 self.config_network(p)
1115 self.config_sa_tra(p)
1116 self.config_protect(p)
1117
1118 self.verify_tun_66(p, count=127)
1119 c = p.tun_if.get_rx_stats()
1120 self.assertEqual(c['packets'], 127)
1121 c = p.tun_if.get_tx_stats()
1122 self.assertEqual(c['packets'], 127)
1123
1124 # rekey - create new SAs and update the tunnel protection
1125 np = copy.copy(p)
1126 np.crypt_key = 'X' + p.crypt_key[1:]
1127 np.scapy_tun_spi += 100
1128 np.scapy_tun_sa_id += 1
1129 np.vpp_tun_spi += 100
1130 np.vpp_tun_sa_id += 1
1131 np.tun_if.local_spi = p.vpp_tun_spi
1132 np.tun_if.remote_spi = p.scapy_tun_spi
1133
1134 self.config_sa_tra(np)
1135 self.config_protect(np)
1136 self.unconfig_sa(p)
1137
1138 self.verify_tun_66(np, count=127)
1139 c = p.tun_if.get_rx_stats()
1140 self.assertEqual(c['packets'], 254)
1141 c = p.tun_if.get_tx_stats()
1142 self.assertEqual(c['packets'], 254)
1143
1144 # 3 phase rekey
1145 # 1) add two input SAs [old, new]
1146 # 2) swap output SA to [new]
1147 # 3) use only [new] input SA
1148 np3 = copy.copy(np)
1149 np3.crypt_key = 'Z' + p.crypt_key[1:]
1150 np3.scapy_tun_spi += 100
1151 np3.scapy_tun_sa_id += 1
1152 np3.vpp_tun_spi += 100
1153 np3.vpp_tun_sa_id += 1
1154 np3.tun_if.local_spi = p.vpp_tun_spi
1155 np3.tun_if.remote_spi = p.scapy_tun_spi
1156
1157 self.config_sa_tra(np3)
1158
1159 # step 1;
1160 p.tun_protect.update_vpp_config(np.tun_sa_out,
1161 [np.tun_sa_in, np3.tun_sa_in])
1162 self.verify_tun_66(np, np, count=127)
1163 self.verify_tun_66(np3, np, count=127)
1164
1165 # step 2;
1166 p.tun_protect.update_vpp_config(np3.tun_sa_out,
1167 [np.tun_sa_in, np3.tun_sa_in])
1168 self.verify_tun_66(np, np3, count=127)
1169 self.verify_tun_66(np3, np3, count=127)
1170
1171 # step 1;
1172 p.tun_protect.update_vpp_config(np3.tun_sa_out,
1173 [np3.tun_sa_in])
1174 self.verify_tun_66(np3, np3, count=127)
1175 self.verify_drop_tun_66(np, count=127)
1176
1177 c = p.tun_if.get_rx_stats()
1178 self.assertEqual(c['packets'], 127*7)
1179 c = p.tun_if.get_tx_stats()
1180 self.assertEqual(c['packets'], 127*7)
1181 self.unconfig_sa(np)
1182
1183 # teardown
1184 self.unconfig_protect(np3)
1185 self.unconfig_sa(np3)
1186 self.unconfig_network(p)
1187
Neale Rannsb3259832019-09-27 13:32:02 +0000[diff] [blame^]1188 def test_tun_46(self):
1189 """IPSEC tunnel protect"""
1190
1191 p = self.ipv6_params
1192
1193 self.config_network(p)
1194 self.config_sa_tra(p)
1195 self.config_protect(p)
1196
1197 self.verify_tun_46(p, count=127)
1198 c = p.tun_if.get_rx_stats()
1199 self.assertEqual(c['packets'], 127)
1200 c = p.tun_if.get_tx_stats()
1201 self.assertEqual(c['packets'], 127)
1202
1203 # teardown
1204 self.unconfig_protect(p)
1205 self.unconfig_sa(p)
1206 self.unconfig_network(p)
1207
Neale Rannsc87b66c2019-02-07 07:26:12 -0800[diff] [blame]1208
1209class TestIpsec6TunProtectTun(TemplateIpsec,
1210 TemplateIpsec6TunProtect,
1211 IpsecTun6):
1212 """ IPsec IPv6 Tunnel protect - tunnel mode"""
1213
1214 encryption_type = ESP
1215 tun6_encrypt_node_name = "esp6-encrypt-tun"
1216 tun6_decrypt_node_name = "esp6-decrypt-tun"
1217
1218 def setUp(self):
1219 super(TestIpsec6TunProtectTun, self).setUp()
1220
1221 self.tun_if = self.pg0
1222
1223 def tearDown(self):
1224 super(TestIpsec6TunProtectTun, self).tearDown()
1225
1226 def gen_encrypt_pkts6(self, sa, sw_intf, src, dst, count=1,
1227 payload_size=100):
1228 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
1229 sa.encrypt(IPv6(src=sw_intf.remote_ip6,
1230 dst=sw_intf.local_ip6) /
1231 IPv6(src=src, dst=dst) /
1232 UDP(sport=1166, dport=2233) /
1233 Raw('X' * payload_size))
1234 for i in range(count)]
1235
1236 def gen_pkts6(self, sw_intf, src, dst, count=1,
1237 payload_size=100):
1238 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
1239 IPv6(src=src, dst=dst) /
1240 UDP(sport=1166, dport=2233) /
1241 Raw('X' * payload_size)
1242 for i in range(count)]
1243
1244 def verify_decrypted6(self, p, rxs):
1245 for rx in rxs:
1246 self.assert_equal(rx[IPv6].dst, self.pg1.remote_ip6)
1247 self.assert_equal(rx[IPv6].src, p.remote_tun_if_host)
1248 self.assert_packet_checksums_valid(rx)
1249
1250 def verify_encrypted6(self, p, sa, rxs):
1251 for rx in rxs:
1252 try:
1253 pkt = sa.decrypt(rx[IPv6])
1254 if not pkt.haslayer(IPv6):
1255 pkt = IPv6(pkt[Raw].load)
1256 self.assert_packet_checksums_valid(pkt)
1257 self.assert_equal(pkt[IPv6].dst, self.pg0.remote_ip6)
1258 self.assert_equal(pkt[IPv6].src, self.pg0.local_ip6)
1259 inner = pkt[IPv6].payload
1260 self.assertEqual(inner[IPv6][IPv6].dst, p.remote_tun_if_host)
1261
1262 except (IndexError, AssertionError):
1263 self.logger.debug(ppp("Unexpected packet:", rx))
1264 try:
1265 self.logger.debug(ppp("Decrypted packet:", pkt))
1266 except:
1267 pass
1268 raise
1269
1270 def test_tun_66(self):
1271 """IPSEC tunnel protect """
1272
1273 p = self.ipv6_params
1274
1275 self.config_network(p)
1276 self.config_sa_tun(p)
1277 self.config_protect(p)
1278
1279 self.verify_tun_66(p, count=127)
1280
1281 c = p.tun_if.get_rx_stats()
1282 self.assertEqual(c['packets'], 127)
1283 c = p.tun_if.get_tx_stats()
1284 self.assertEqual(c['packets'], 127)
1285
1286 # rekey - create new SAs and update the tunnel protection
1287 np = copy.copy(p)
1288 np.crypt_key = 'X' + p.crypt_key[1:]
1289 np.scapy_tun_spi += 100
1290 np.scapy_tun_sa_id += 1
1291 np.vpp_tun_spi += 100
1292 np.vpp_tun_sa_id += 1
1293 np.tun_if.local_spi = p.vpp_tun_spi
1294 np.tun_if.remote_spi = p.scapy_tun_spi
1295
1296 self.config_sa_tun(np)
1297 self.config_protect(np)
1298 self.unconfig_sa(p)
1299
1300 self.verify_tun_66(np, count=127)
1301 c = p.tun_if.get_rx_stats()
1302 self.assertEqual(c['packets'], 254)
1303 c = p.tun_if.get_tx_stats()
1304 self.assertEqual(c['packets'], 254)
1305
1306 # teardown
1307 self.unconfig_protect(np)
1308 self.unconfig_sa(np)
1309 self.unconfig_network(p)
1310
Neale Rannsf05e7322019-03-29 20:23:58 +0000[diff] [blame]1311
Klement Sekera31da2e32018-06-24 22:49:55 +0200[diff] [blame]1312if __name__ == '__main__':
1313 unittest.main(testRunner=VppTestRunner)