“mystarrocks”23f0c452017-12-11 07:11:51 -08001import socket
Klement Sekera28fb03f2018-04-17 11:36:55 +02002import unittest
“mystarrocks”23f0c452017-12-11 07:11:51 -08003
Klement Sekera31da2e32018-06-24 22:49:55 +02004from scapy.layers.ipsec import AH
Neale Ranns041add72020-01-02 04:06:10 +00005from scapy.layers.inet import IP, UDP
6from scapy.layers.inet6 import IPv6
7from scapy.layers.l2 import Ether
8from scapy.packet import Raw
“mystarrocks”23f0c452017-12-11 07:11:51 -08009
Dave Wallace8800f732023-08-31 00:47:44 -040010from asfframework import VppTestRunner
Klement Sekerad9b0c6f2022-04-26 19:02:15 +020011from template_ipsec import (
12 TemplateIpsec,
13 IpsecTra46Tests,
14 IpsecTun46Tests,
15 config_tun_params,
16 config_tra_params,
17 IPsecIPv4Params,
18 IPsecIPv6Params,
19 IpsecTra4,
20 IpsecTun4,
21 IpsecTra6,
22 IpsecTun6,
23 IpsecTun6HandoffTests,
24 IpsecTun4HandoffTests,
25)
Klement Sekera31da2e32018-06-24 22:49:55 +020026from template_ipsec import IpsecTcpTests
Klement Sekerad9b0c6f2022-04-26 19:02:15 +020027from vpp_ipsec import VppIpsecSA, VppIpsecSpd, VppIpsecSpdEntry, VppIpsecSpdItfBinding
Neale Ranns311124e2019-01-24 04:52:25 -080028from vpp_ip_route import VppIpRoute, VppRoutePath
29from vpp_ip import DpoProto
Neale Ranns17dcec02019-01-09 21:22:20 -080030from vpp_papi import VppEnum
Dmitry Valter34fa0ce2024-03-11 10:38:46 +000031from config import config
class ConfigIpsecAH(TemplateIpsec):
    """
    Basic test for IPSEC using AH transport and Tunnel mode

    AH authenticates packets (integrity and origin) and does not encrypt the
    payload. The "encrypt"/"decrypt" labels below follow the VPP graph node
    names used by this class (``ah4-encrypt``, ``ah4-decrypt``, ...).

    TRANSPORT MODE::

         ---   encrypt   ---
        |pg2| <-------> |VPP|
         ---   decrypt   ---

    TUNNEL MODE::

         ---   encrypt   ---   plain   ---
        |pg0| <-------  |VPP| <------ |pg1|
         ---             ---           ---

         ---   decrypt   ---   plain   ---
        |pg0| ------->  |VPP| ------> |pg1|
         ---             ---           ---

    """

    encryption_type = AH
    # Objects installed in VPP, in installation order; unconfig_network()
    # removes them in reverse.
    net_objs = []
    tra4_encrypt_node_name = "ah4-encrypt"
    tra4_decrypt_node_name = ["ah4-decrypt", "ah4-decrypt"]
    tra6_encrypt_node_name = "ah6-encrypt"
    tra6_decrypt_node_name = ["ah6-decrypt", "ah6-decrypt"]
    tun4_encrypt_node_name = "ah4-encrypt"
    tun4_decrypt_node_name = ["ah4-decrypt", "ah4-decrypt"]
    tun6_encrypt_node_name = "ah6-encrypt"
    tun6_decrypt_node_name = ["ah6-decrypt", "ah6-decrypt"]

    @classmethod
    def setUpClass(cls):
        """Delegate class-level setup to the parent template."""
        super().setUpClass()

    @classmethod
    def tearDownClass(cls):
        """Delegate class-level teardown to the parent template."""
        super().tearDownClass()

    def setUp(self):
        """Delegate per-test setup to the parent template."""
        super().setUp()

    def tearDown(self):
        """Delegate per-test teardown to the parent template.

        Does not call unconfig_network(); a subclass or the test itself has
        to do that.
        """
        super().tearDown()

    def config_network(self, params):
        """Install SPDs, interface bindings, SAs, policies and routes in VPP.

        *params* is iterated three times (transport config, tunnel config,
        routes), so it must be re-iterable. Every installed object is
        recorded in ``self.net_objs``.
        """

        def install(obj):
            # Record an object only after VPP has accepted it.
            obj.add_vpp_config()
            self.net_objs.append(obj)

        self.net_objs = []
        self.tun_if = self.pg0
        self.tra_if = self.pg2
        self.logger.info(self.vapi.ppcli("show int addr"))

        # One SPD for transport mode, one for tunnel mode.
        self.tra_spd = VppIpsecSpd(self, self.tra_spd_id)
        install(self.tra_spd)
        self.tun_spd = VppIpsecSpd(self, self.tun_spd_id)
        install(self.tun_spd)

        # Bind each SPD to the interface its traffic uses.
        install(VppIpsecSpdItfBinding(self, self.tra_spd, self.tra_if))
        install(VppIpsecSpdItfBinding(self, self.tun_spd, self.tun_if))

        for p in params:
            self.config_ah_tra(p)
            config_tra_params(p, self.encryption_type)
        for p in params:
            self.config_ah_tun(p)
            config_tun_params(p, self.encryption_type, self.tun_if)
        for p in params:
            if p.is_ipv6:
                proto = DpoProto.DPO_PROTO_IP6
            else:
                proto = DpoProto.DPO_PROTO_IP4
            # Route the remote tunnel host via the tunnel interface's peer.
            # NOTE(review): 0xFFFFFFFF is presumably the "no specific
            # interface" index - confirm against VppRoutePath.
            via_peer = VppRoutePath(
                self.tun_if.remote_addr[p.addr_type], 0xFFFFFFFF, proto=proto
            )
            install(VppIpRoute(self, p.remote_tun_if_host, p.addr_len, [via_peer]))
        self.logger.info(self.vapi.ppcli("show ipsec all"))

    def unconfig_network(self):
        """Remove everything config_network() installed, newest first."""
        for installed in reversed(self.net_objs):
            installed.remove_vpp_config()
        self.net_objs = []

    def config_ah_tun(self, params):
        """Create and install the tunnel-mode AH SAs and SPD entries.

        Stores the SAs and the two catch-all policies on *params*, sets the
        outer hop limit and flow label there, and extends ``self.net_objs``
        with every installed object.
        """
        action = VppEnum.vl_api_ipsec_spd_action_t
        af = params.addr_type
        inner_host = params.remote_tun_if_host
        any_range = (params.addr_any, params.addr_bcast)

        # NOTE(review): presumably read back by the shared tunnel tests when
        # checking the outer header - confirm in template_ipsec.
        params.outer_hop_limit = 253
        params.outer_flow_label = 0x12345

        # Both directions share one set of algorithm/key arguments.
        # NOTE(review): AH has no cipher; the crypt_* values are passed only
        # because VppIpsecSA takes them positionally - presumably unused for
        # AH, confirm in vpp_ipsec.
        sa_args = (
            params.auth_algo_vpp_id,
            params.auth_key,
            params.crypt_algo_vpp_id,
            params.crypt_key,
            self.vpp_ah_protocol,
        )
        # Unlike config_ah_tra(), params.flags is used as given here: the
        # anti-replay flag is not forced on for tunnel SAs.
        sa_kwargs = {
            "tun_flags": params.tun_flags,
            "flags": params.flags,
            "dscp": params.dscp,
        }
        vpp_end = self.tun_if.local_addr[af]
        peer_end = self.tun_if.remote_addr[af]

        # Inbound SA: tunnel endpoints run peer -> VPP.
        params.tun_sa_in = VppIpsecSA(
            self,
            params.scapy_tun_sa_id,
            params.scapy_tun_spi,
            *sa_args,
            peer_end,
            vpp_end,
            **sa_kwargs,
        )
        # Outbound SA: tunnel endpoints run VPP -> peer.
        params.tun_sa_out = VppIpsecSA(
            self,
            params.vpp_tun_sa_id,
            params.vpp_tun_spi,
            *sa_args,
            vpp_end,
            peer_end,
            **sa_kwargs,
        )

        # Catch-all entries for AH packets themselves.
        # NOTE(review): the attribute names look inverted relative to
        # is_outbound (the "in" entry uses the default direction, the "out"
        # entry passes is_outbound=0) - confirm against the users of these
        # attributes before renaming anything.
        params.spd_policy_in_any = VppIpsecSpdEntry(
            self,
            self.tun_spd,
            params.vpp_tun_sa_id,
            *any_range,
            *any_range,
            socket.IPPROTO_AH,
        )
        params.spd_policy_out_any = VppIpsecSpdEntry(
            self,
            self.tun_spd,
            params.vpp_tun_sa_id,
            *any_range,
            *any_range,
            socket.IPPROTO_AH,
            is_outbound=0,
        )

        def protect(sa_id, first_addr, second_addr, priority, **direction):
            # PROTECT entry; each address is passed twice (presumably as the
            # start and stop of a one-address range).
            return VppIpsecSpdEntry(
                self,
                self.tun_spd,
                sa_id,
                first_addr,
                first_addr,
                second_addr,
                second_addr,
                socket.IPPROTO_RAW,
                priority=priority,
                policy=action.IPSEC_API_SPD_ACTION_PROTECT,
                **direction,
            )

        objs = [
            params.tun_sa_in,
            params.tun_sa_out,
            params.spd_policy_out_any,
            params.spd_policy_in_any,
            # Traffic between the remote tunnel host and the host behind pg1.
            protect(
                params.scapy_tun_sa_id,
                inner_host,
                self.pg1.remote_addr[af],
                10,
                is_outbound=0,
            ),
            protect(params.vpp_tun_sa_id, self.pg1.remote_addr[af], inner_host, 10),
            # Traffic between the remote tunnel host and VPP's own pg0 address.
            protect(
                params.scapy_tun_sa_id,
                inner_host,
                self.pg0.local_addr[af],
                20,
                is_outbound=0,
            ),
            protect(params.vpp_tun_sa_id, self.pg0.local_addr[af], inner_host, 20),
        ]

        for entry in objs:
            entry.add_vpp_config()

        # Rebinding (not appending) keeps the class-level default list
        # untouched if config_network() has not run yet.
        self.net_objs = self.net_objs + objs

    def config_ah_tra(self, params):
        """Create and install the transport-mode AH SAs and SPD entries.

        Stores the two SAs on *params* and extends ``self.net_objs`` with
        every installed object.
        """
        action = VppEnum.vl_api_ipsec_spd_action_t
        af = params.addr_type
        any_range = (params.addr_any, params.addr_bcast)

        # Transport-mode SAs always have anti-replay enabled on top of
        # whatever the caller put in params.flags.
        sa_flags = params.flags | (
            VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY
        )
        # NOTE(review): AH has no cipher; the crypt_* values are passed only
        # because VppIpsecSA takes them positionally - presumably unused for
        # AH, confirm in vpp_ipsec.
        sa_args = (
            params.auth_algo_vpp_id,
            params.auth_key,
            params.crypt_algo_vpp_id,
            params.crypt_key,
            self.vpp_ah_protocol,
        )

        params.tra_sa_in = VppIpsecSA(
            self,
            params.scapy_tra_sa_id,
            params.scapy_tra_spi,
            *sa_args,
            flags=sa_flags,
        )
        params.tra_sa_out = VppIpsecSA(
            self,
            params.vpp_tra_sa_id,
            params.vpp_tra_spi,
            *sa_args,
            flags=sa_flags,
        )

        local = self.tra_if.local_addr[af]
        remote = self.tra_if.remote_addr[af]

        objs = [
            params.tra_sa_in,
            params.tra_sa_out,
            # Catch-all entries for AH packets, default direction first and
            # then is_outbound=0.
            VppIpsecSpdEntry(
                self,
                self.tra_spd,
                params.vpp_tra_sa_id,
                *any_range,
                *any_range,
                socket.IPPROTO_AH,
            ),
            VppIpsecSpdEntry(
                self,
                self.tra_spd,
                params.scapy_tra_sa_id,
                *any_range,
                *any_range,
                socket.IPPROTO_AH,
                is_outbound=0,
            ),
            # PROTECT entries between the transport interface's own address
            # and its peer, is_outbound=0 first and then default direction.
            VppIpsecSpdEntry(
                self,
                self.tra_spd,
                params.scapy_tra_sa_id,
                local,
                local,
                remote,
                remote,
                socket.IPPROTO_RAW,
                priority=10,
                policy=action.IPSEC_API_SPD_ACTION_PROTECT,
                is_outbound=0,
            ),
            VppIpsecSpdEntry(
                self,
                self.tra_spd,
                params.vpp_tra_sa_id,
                local,
                local,
                remote,
                remote,
                socket.IPPROTO_RAW,
                policy=action.IPSEC_API_SPD_ACTION_PROTECT,
                priority=10,
            ),
        ]

        for entry in objs:
            entry.add_vpp_config()
        self.net_objs = self.net_objs + objs
class TemplateIpsecAh(ConfigIpsecAH):
    """
    Basic test for IPSEC using AH transport and Tunnel mode

    Unlike ConfigIpsecAH, this template installs the AH configuration in
    setUp() and removes it again in tearDown().

    TRANSPORT MODE::

         ---   encrypt   ---
        |pg2| <-------> |VPP|
         ---   decrypt   ---

    TUNNEL MODE::

         ---   encrypt   ---   plain   ---
        |pg0| <-------  |VPP| <------ |pg1|
         ---             ---           ---

         ---   decrypt   ---   plain   ---
        |pg0| ------->  |VPP| ------> |pg1|
         ---             ---           ---

    """

    @classmethod
    def setUpClass(cls):
        """Delegate class-level setup to ConfigIpsecAH."""
        super().setUpClass()

    @classmethod
    def tearDownClass(cls):
        """Delegate class-level teardown to ConfigIpsecAH."""
        super().tearDownClass()

    def setUp(self):
        """Run the parent setup, then configure VPP for every entry in self.params."""
        super().setUp()
        per_family_params = self.params.values()
        self.config_network(per_family_params)

    def tearDown(self):
        """Remove the AH configuration before the parent teardown runs."""
        self.unconfig_network()
        super().tearDown()
class TestIpsecAh1(TemplateIpsecAh, IpsecTcpTests):
    """Ipsec AH - TCP tests"""

    # No body of its own: the test methods come from IpsecTcpTests and the
    # AH configuration from TemplateIpsecAh.
class TestIpsecAh2(TemplateIpsecAh, IpsecTra46Tests, IpsecTun46Tests):
    """Ipsec AH w/ SHA1"""

    # No body of its own: transport and tunnel tests are inherited.
    # NOTE(review): nothing here selects SHA1 explicitly; presumably it is
    # the default integrity algorithm in the IPsec params - confirm in
    # template_ipsec.
class TestIpsecAhTun(TemplateIpsecAh, IpsecTun46Tests):
    """Ipsec AH - TUN encap tests"""

    def setUp(self):
        """Set the per-family tunnel copy flags, then run the template setup.

        IPv4 copies only DSCP into the outer header; IPv6 copies DSCP and ECN.
        """
        self.ipv4_params = IPsecIPv4Params()
        self.ipv6_params = IPsecIPv6Params()

        encap_flags = VppEnum.vl_api_tunnel_encap_decap_flags_t
        copy_dscp = encap_flags.TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_DSCP
        copy_dscp_ecn = copy_dscp | (
            encap_flags.TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_ECN
        )

        self.ipv4_params.tun_flags = copy_dscp
        self.ipv6_params.tun_flags = copy_dscp_ecn

        super().setUp()

    def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=54):
        """Build *count* IPv4/UDP packets with tos=5 (DSCP 1, ECN 1)."""
        # Both fields are set on the inner packet; the IPv4 flags copy only
        # the DSCP.
        pkts = []
        for _ in range(count):
            pkts.append(
                Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
                / IP(src=src, dst=dst, tos=5)
                / UDP(sport=4444, dport=4444)
                / Raw(b"X" * payload_size)
            )
        return pkts

    def gen_pkts6(self, p, sw_intf, src, dst, count=1, payload_size=54):
        """Build *count* IPv6/UDP packets with tc=5 (DSCP 1, ECN 1)."""
        # Both fields are set on the inner packet; the IPv6 flags copy both.
        pkts = []
        for _ in range(count):
            pkts.append(
                Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
                / IPv6(src=src, dst=dst, tc=5)
                / UDP(sport=4444, dport=4444)
                / Raw(b"X" * payload_size)
            )
        return pkts

    def verify_encrypted(self, p, sa, rxs):
        """Check the outer IPv4 tos is 4: DSCP copied, ECN bits not."""
        for pkt in rxs:
            self.assertEqual(pkt[IP].tos, 4)

    def verify_encrypted6(self, p, sa, rxs):
        """Check the outer IPv6 tc is 5: DSCP and ECN both copied."""
        for pkt in rxs:
            self.assertEqual(pkt[IPv6].tc, 5)
class TestIpsecAhTun2(TemplateIpsecAh, IpsecTun46Tests):
    """Ipsec AH - TUN encap tests"""

    def setUp(self):
        """Give each family a fixed SA DSCP value, then run the template setup."""
        self.ipv4_params = IPsecIPv4Params()
        self.ipv6_params = IPsecIPv6Params()

        # No copy flags here: the outer DSCP is expected to come from these
        # values (see the verify_* methods).
        self.ipv4_params.dscp = 3
        self.ipv6_params.dscp = 4

        super().setUp()

    def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=54):
        """Build *count* IPv4/UDP packets with tos=0."""
        # The inner packet carries no DSCP/ECN, so a non-zero outer value
        # cannot have been copied from it.
        pkts = []
        for _ in range(count):
            pkts.append(
                Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
                / IP(src=src, dst=dst, tos=0)
                / UDP(sport=4444, dport=4444)
                / Raw(b"X" * payload_size)
            )
        return pkts

    def gen_pkts6(self, p, sw_intf, src, dst, count=1, payload_size=54):
        """Build *count* IPv6/UDP packets with tc=0."""
        pkts = []
        for _ in range(count):
            pkts.append(
                Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac)
                / IPv6(src=src, dst=dst, tc=0)
                / UDP(sport=4444, dport=4444)
                / Raw(b"X" * payload_size)
            )
        return pkts

    def verify_encrypted(self, p, sa, rxs):
        """Check the outer IPv4 tos is 0xC, i.e. the configured DSCP 3 << 2."""
        for pkt in rxs:
            self.assertEqual(pkt[IP].tos, 0xC)

    def verify_encrypted6(self, p, sa, rxs):
        """Check the outer IPv6 tc is 0x10, i.e. the configured DSCP 4 << 2."""
        for pkt in rxs:
            self.assertEqual(pkt[IPv6].tc, 0x10)
class TestIpsecAhHandoff(
    TemplateIpsecAh,
    IpsecTun6HandoffTests,
    IpsecTun4HandoffTests,
):
    """Ipsec AH Handoff"""

    # No body of its own: the IPv6 and IPv4 handoff tests are inherited and
    # run against the AH configuration from TemplateIpsecAh.
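@unittest.skipIf(True, "Temporarily skip test until Scapy-2.4.5 patch is available")
class TestIpsecAhAll(ConfigIpsecAH, IpsecTra4, IpsecTra6, IpsecTun4, IpsecTun6):
    """Ipsec AH all Algos"""

    # Built on ConfigIpsecAH rather than TemplateIpsecAh: nothing is
    # configured in setUp() or removed in tearDown(), so the test method
    # below owns the whole configure/verify/unconfigure cycle.

    def setUp(self):
        """Delegate per-test setup to ConfigIpsecAH."""
        super(TestIpsecAhAll, self).setUp()

    def tearDown(self):
        """Delegate per-test teardown to ConfigIpsecAH."""
        super(TestIpsecAhAll, self).tearDown()

    # NOTE(review): the skip condition names the ping plugin although the
    # body below does not reference it directly; presumably an inherited
    # verify helper needs it - confirm.
    @unittest.skipIf(
        "ping" in config.excluded_plugins, "Exclude tests requiring Ping plugin"
    )
    def test_integ_algs(self):
        """All Engines SHA[1_96, 256, 384, 512] w/ & w/o ESN"""
        # for each VPP crypto engine
        engines = ["ia32", "ipsecmb", "openssl"]

        # Each integrity algorithm is named twice: the VPP API enum value and
        # the name Scapy uses for the same algorithm.
        algos = [
            {
                "vpp": VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_SHA1_96,
                "scapy": "HMAC-SHA1-96",
            },
            {
                "vpp": VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_SHA_256_128,
                "scapy": "SHA2-256-128",
            },
            {
                "vpp": VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_SHA_384_192,
                "scapy": "SHA2-384-192",
            },
            {
                "vpp": VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_SHA_512_256,
                "scapy": "SHA2-512-256",
            },
        ]

        # Run every algorithm without and with extended sequence numbers.
        flags = [0, (VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_USE_ESN)]

        #
        # loop through the VPP engines
        #
        for engine in engines:
            # engine comes only from the fixed list above, so the CLI string
            # never contains external input.
            self.vapi.cli("set crypto handler all %s" % engine)
            #
            # loop through each of the algorithms
            #
            for algo in algos:
                # The first failing combination stops the whole test; the
                # combinations are not reported individually.
                for flag in flags:
                    #
                    # set up the config parameters
                    #
                    self.ipv4_params = IPsecIPv4Params()
                    self.ipv6_params = IPsecIPv6Params()

                    self.params = {
                        self.ipv4_params.addr_type: self.ipv4_params,
                        self.ipv6_params.addr_type: self.ipv6_params,
                    }

                    for p in self.params.values():
                        p.auth_algo_vpp_id = algo["vpp"]
                        p.auth_algo = algo["scapy"]
                        p.flags = p.flags | flag

                    try:
                        #
                        # configure the SPDs, SAs, etc
                        #
                        self.config_network(self.params.values())

                        #
                        # run some traffic.
                        # An exhaustive 4o6, 6o4 is not necessary for each algo
                        #
                        self.verify_tra_basic6(count=17)
                        self.verify_tra_basic4(count=17)
                        self.verify_tun_66(self.params[socket.AF_INET6], count=17)
                        self.verify_tun_44(self.params[socket.AF_INET], count=17)
                    finally:
                        #
                        # remove the SPDs, SAs, etc - also after a failure,
                        # because this class's tearDown() does not call
                        # unconfig_network() and the SAs and policies would
                        # otherwise stay installed.
                        #
                        self.unconfig_network()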
if __name__ == "__main__":
    # Executed directly: run the module's tests through VppTestRunner
    # instead of unittest's default runner.
    unittest.main(testRunner=VppTestRunner)