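    def vpp_ipsec_add_sad_entries(node,
                                  n_entries,
                                  sad_id,
                                  spi,
                                  crypto_alg,
                                  crypto_key,
                                  integ_alg,
                                  integ_key,
                                  tunnel_src=None,
                                  tunnel_dst=None):
        """Create multiple Security Association Database entries on VPP node.

        The entries are written as a VAT script to a temporary file under /tmp,
        which is handed to VatExecutor.scp_and_execute_script and removed
        afterwards. Because the script contains the raw crypto/integrity keys,
        the file is created with mode 0600 and an unpredictable name, and it is
        removed even if the remote execution raises.

        :param node: VPP node to add SAD entry on.
        :param n_entries: Number of SAD entries to be created.
        :param sad_id: First SAD entry ID. All subsequent SAD entries will have
        id incremented by 1.
        :param spi: Security Parameter Index of first SAD entry. All subsequent
        SAD entries will have spi incremented by 1.
        :param crypto_alg: The encryption algorithm name.
        :param crypto_key: The encryption key string.
        :param integ_alg: The integrity algorithm name.
        :param integ_key: The integrity key string.
        :param tunnel_src: Tunnel header source IPv4 or IPv6 address. If not
        specified ESP transport mode is used.
        :param tunnel_dst: Tunnel header destination IPv4 or IPv6 address. If
        not specified ESP transport mode is used.
        :type node: dict
        :type n_entries: int
        :type sad_id: int
        :type spi: int
        :type crypto_alg: CryptoAlg
        :type crypto_key: str
        :type integ_alg: IntegAlg
        :type integ_key: str
        :type tunnel_src: str
        :type tunnel_dst: str
        :raises OSError: If the temporary script file cannot be created or
        removed.
        """
        import tempfile

        ckey = crypto_key.encode('hex')
        ikey = integ_key.encode('hex')
        # Tunnel mode only when both endpoints are given; otherwise the VAT
        # command has no tunnel_* arguments and VPP uses transport mode.
        tunnel = 'tunnel_src {0} tunnel_dst {1}'.format(tunnel_src, tunnel_dst)\
            if tunnel_src is not None and tunnel_dst is not None else ''
        # AES-GCM is an AEAD mode, so no separate integrity algorithm/key is
        # passed for it.
        integ = 'integ_alg {0} integ_key {1}'.format(integ_alg.alg_name, ikey)\
            if crypto_alg.alg_name != 'aes-gcm-128' else ''

        line_fmt = ('ipsec_sad_add_del_entry esp sad_id {0} spi {1} '
                    'crypto_alg {2} crypto_key {3} {4} {5}\n')

        # mkstemp creates the file 0600 with an unpredictable name, so another
        # local user cannot read the keys or pre-plant a symlink at a fixed
        # /tmp path. The directory stays /tmp because the same path is passed
        # to scp_and_execute_script for the remote side.
        fd, tmp_filename = tempfile.mkstemp(
            prefix='ipsec_sad_{}_'.format(sad_id),
            suffix='_add_del_entry.vat', dir='/tmp')
        try:
            with os.fdopen(fd, 'w') as tmp_file:
                for i in range(n_entries):
                    tmp_file.write(line_fmt.format(
                        sad_id + i, spi + i, crypto_alg.alg_name, ckey, integ,
                        tunnel))
            vat = VatExecutor()
            vat.scp_and_execute_script(tmp_filename, node, 300)
        finally:
            # Always remove the script so key material does not linger on
            # disk after a failed copy or execution.
            os.remove(tmp_filename)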
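    def vpp_ipsec_spd_add_entries(node, n_entries, spd_id, priority, inbound,
                                  sa_id, raddr_ip, raddr_range):
        """Create multiple Security Policy Database entries on the VPP node.

        The entries are written as a VAT script to a temporary file under /tmp,
        which is handed to VatExecutor.scp_and_execute_script and removed
        afterwards. The file is created with mode 0600 and an unpredictable
        name, and it is removed even if the remote execution raises.

        :param node: VPP node to add SPD entries on.
        :param n_entries: Number of SPD entries to be added.
        :param spd_id: SPD ID to add entries on.
        :param priority: SPD entries priority, higher number = higher priority.
        :param inbound: If True policy is for inbound traffic, otherwise
        outbound.
        :param sa_id: SAD entry ID for first entry. Each subsequent entry will
        SAD entry ID incremented by 1.
        :param raddr_ip: Policy selector remote IPv4 start address for the first
        entry. Remote IPv4 end address will be calculated depending on
        raddr_range parameter. Each subsequent entry will have start address
        next after IPv4 end address of previous entry.
        :param raddr_range: Mask specifying range of Policy selector Remote IPv4
        addresses. Valid values are from 1 to 32.
        :type node: dict
        :type n_entries: int
        :type spd_id: int
        :type priority: int
        :type inbound: bool
        :type sa_id: int
        :type raddr_ip: string
        :type raddr_range: int
        :raises ValueError: If raddr_ip is not a valid IP address or a computed
        range end falls outside the IPv4 address space.
        :raises OSError: If the temporary script file cannot be created or
        removed.
        """
        import tempfile

        direction = 'inbound' if inbound else 'outbound'
        # Number of addresses covered by one entry, e.g. /24 -> 256.
        addr_incr = 1 << (32 - raddr_range)
        addr_ip = int(ip_address(unicode(raddr_ip)))
        # Common prefix of every line; only sa_id and the address range vary.
        start_str = 'ipsec_spd_add_del_entry spd_id {0} priority {1} {2} ' \
                    'action protect sa_id'.format(spd_id, priority, direction)
        line_fmt = '{0} {1} raddr_start {2} raddr_stop {3}\n'

        # mkstemp creates the file 0600 with an unpredictable name, so another
        # local user cannot pre-plant a symlink at a fixed /tmp path. The
        # directory stays /tmp because the same path is passed to
        # scp_and_execute_script for the remote side.
        fd, tmp_filename = tempfile.mkstemp(
            prefix='ipsec_spd_{}_'.format(sa_id),
            suffix='_add_del_entry.vat', dir='/tmp')
        try:
            with os.fdopen(fd, 'w') as tmp_file:
                for i in range(n_entries):
                    range_start = addr_ip + addr_incr * i
                    # Last address of this entry's block; the next entry
                    # starts right after it.
                    range_stop = range_start + addr_incr - 1
                    tmp_file.write(line_fmt.format(
                        start_str, sa_id + i, ip_address(range_start),
                        ip_address(range_stop)))
            vat = VatExecutor()
            vat.scp_and_execute_script(tmp_filename, node, 300)
        finally:
            # Always remove the script so a failed copy or execution does not
            # leave it behind on disk.
            os.remove(tmp_filename)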