def config_sa_tun(self, p):
    """Create and install the tunnel-mode SA pair described by *p*.

    ``config_tun_params`` runs first so that *p* carries the scapy-side SA
    objects that mirror the VPP-side ones created here.  Both VPP SAs use
    the same algorithms, keys, protocol, flags and tunnel endpoints; they
    differ only in the (sa_id, spi) pair: ``p.tun_sa_out`` takes the
    ``scapy_*`` pair, ``p.tun_sa_in`` the ``vpp_*`` pair.  Each SA is
    committed to VPP immediately after construction.

    Args:
        p: IPsec parameter bag.  Reads the ``*_tun_sa_id`` / ``*_tun_spi``
           pairs, the algorithm ids and keys, ``addr_type`` and ``flags``;
           has ``tun_sa_out`` and ``tun_sa_in`` assigned on return.
    """
    config_tun_params(p, self.encryption_type, self.tun_if)

    # NOTE(review): both directions are given the endpoints in the same
    # order (remote, local) — confirm this is intended for the inbound SA.
    ep_a = self.tun_if.remote_addr[p.addr_type]
    ep_b = self.tun_if.local_addr[p.addr_type]

    def new_sa(sa_id, spi):
        return VppIpsecSA(self, sa_id, spi,
                          p.auth_algo_vpp_id, p.auth_key,
                          p.crypt_algo_vpp_id, p.crypt_key,
                          self.vpp_esp_protocol,
                          ep_a, ep_b,
                          flags=p.flags)

    p.tun_sa_out = new_sa(p.scapy_tun_sa_id, p.scapy_tun_spi)
    p.tun_sa_out.add_vpp_config()

    p.tun_sa_in = new_sa(p.vpp_tun_sa_id, p.vpp_tun_spi)
    p.tun_sa_in.add_vpp_config()
def config_sa_tra(self, p):
    """Create and install the transport-mode SA pair described by *p*.

    Mirrors ``config_sa_tun`` but without tunnel endpoints or flags: the
    two SAs share algorithms, keys and protocol and differ only in their
    (sa_id, spi) pair — ``scapy_*`` for ``p.tun_sa_out``, ``vpp_*`` for
    ``p.tun_sa_in``.  ``config_tun_params`` is still run first so the
    scapy-side SAs on *p* match.

    Args:
        p: IPsec parameter bag; ``tun_sa_out`` and ``tun_sa_in`` are
           assigned on return.
    """
    config_tun_params(p, self.encryption_type, self.tun_if)

    shared = (p.auth_algo_vpp_id, p.auth_key,
              p.crypt_algo_vpp_id, p.crypt_key,
              self.vpp_esp_protocol)

    p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
                              *shared)
    p.tun_sa_out.add_vpp_config()

    p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
                             *shared)
    p.tun_sa_in.add_vpp_config()
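def rekey(self, p):
    """Roll *p* over to a new key and SPI pair and rebind the tunnel's SAs.

    The new key differs from the old one only in its first character and
    every SA id / SPI is advanced by one — enough for VPP to see distinct
    SAs, which is all the switch-over test needs.  ``p.tun_if`` is told
    the new SPIs, ``config_tun_params`` regenerates the scapy-side SAs to
    match, and a fresh VPP SA pair is created and attached to the tunnel
    interface with ``ipsec_tunnel_if_set_sa``.

    Attribute naming follows ``config_sa_tun``: ``p.tun_sa_out`` is the SA
    built from the ``scapy_*`` id/SPI (bound as the tunnel's outbound SA)
    and ``p.tun_sa_in`` the one built from the ``vpp_*`` id/SPI (bound
    inbound).  The ids, SPIs, endpoints and the direction each SA is bound
    in are exactly as before; only the two attribute names, which used to
    be the other way round, now agree with ``config_sa_tun``.

    Args:
        p: IPsec parameter bag, mutated in place (``crypt_key``, the
           ``*_tun_sa_id`` / ``*_tun_spi`` pairs, ``tun_if`` SPIs,
           ``tun_sa_out`` and ``tun_sa_in``).
    """
    #
    # change the key and the SPI
    #
    p.crypt_key = 'X' + p.crypt_key[1:]
    p.scapy_tun_spi += 1
    p.scapy_tun_sa_id += 1
    p.vpp_tun_spi += 1
    p.vpp_tun_sa_id += 1
    p.tun_if.local_spi = p.vpp_tun_spi
    p.tun_if.remote_spi = p.scapy_tun_spi

    config_tun_params(p, self.encryption_type, self.tun_if)

    # Outbound SA: scapy id/SPI, endpoints local -> remote.
    p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
                              p.auth_algo_vpp_id, p.auth_key,
                              p.crypt_algo_vpp_id, p.crypt_key,
                              self.vpp_esp_protocol,
                              self.tun_if.local_addr[p.addr_type],
                              self.tun_if.remote_addr[p.addr_type],
                              flags=p.flags, salt=p.salt)
    # Inbound SA: vpp id/SPI, endpoints remote -> local.
    p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
                             p.auth_algo_vpp_id, p.auth_key,
                             p.crypt_algo_vpp_id, p.crypt_key,
                             self.vpp_esp_protocol,
                             self.tun_if.remote_addr[p.addr_type],
                             self.tun_if.local_addr[p.addr_type],
                             flags=p.flags, salt=p.salt)
    p.tun_sa_out.add_vpp_config()
    p.tun_sa_in.add_vpp_config()

    # Swap the tunnel over to the new SAs, outbound first.
    self.vapi.ipsec_tunnel_if_set_sa(sw_if_index=p.tun_if.sw_if_index,
                                     sa_id=p.tun_sa_out.id,
                                     is_outbound=1)
    self.vapi.ipsec_tunnel_if_set_sa(sw_if_index=p.tun_if.sw_if_index,
                                     sa_id=p.tun_sa_in.id,
                                     is_outbound=0)
    self.logger.info(self.vapi.cli("sh ipsec sa"))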
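def rekey(self, p):
    """Roll *p* over to a new key and SPI pair and rebind the tunnel's SAs.

    The new key differs from the old one only in its first character and
    every SA id / SPI is advanced by one — enough for VPP to see distinct
    SAs, which is all the switch-over test needs.  ``p.tun_if`` is told
    the new SPIs, ``config_tun_params`` regenerates the scapy-side SAs to
    match, and a fresh VPP SA pair is created and attached to the tunnel
    interface with ``ipsec_tunnel_if_set_sa``.

    Attribute naming follows ``config_sa_tun``: ``p.tun_sa_out`` is the SA
    built from the ``scapy_*`` id/SPI (bound as the tunnel's outbound SA)
    and ``p.tun_sa_in`` the one built from the ``vpp_*`` id/SPI (bound
    inbound).  The ids, SPIs, endpoints and the direction each SA is bound
    in are exactly as before; only the two attribute names, which used to
    be the other way round, now agree with ``config_sa_tun``.

    Args:
        p: IPsec parameter bag, mutated in place (``crypt_key``, the
           ``*_tun_sa_id`` / ``*_tun_spi`` pairs, ``tun_if`` SPIs,
           ``tun_sa_out`` and ``tun_sa_in``).
    """
    #
    # change the key and the SPI
    #
    p.crypt_key = 'X' + p.crypt_key[1:]
    p.scapy_tun_spi += 1
    p.scapy_tun_sa_id += 1
    p.vpp_tun_spi += 1
    p.vpp_tun_sa_id += 1
    p.tun_if.local_spi = p.vpp_tun_spi
    p.tun_if.remote_spi = p.scapy_tun_spi

    config_tun_params(p, self.encryption_type, self.tun_if)

    # Outbound SA: scapy id/SPI, endpoints local -> remote.
    p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
                              p.auth_algo_vpp_id, p.auth_key,
                              p.crypt_algo_vpp_id, p.crypt_key,
                              self.vpp_esp_protocol,
                              self.tun_if.local_addr[p.addr_type],
                              self.tun_if.remote_addr[p.addr_type],
                              flags=p.flags, salt=p.salt)
    # Inbound SA: vpp id/SPI, endpoints remote -> local.
    p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
                             p.auth_algo_vpp_id, p.auth_key,
                             p.crypt_algo_vpp_id, p.crypt_key,
                             self.vpp_esp_protocol,
                             self.tun_if.remote_addr[p.addr_type],
                             self.tun_if.local_addr[p.addr_type],
                             flags=p.flags, salt=p.salt)
    p.tun_sa_out.add_vpp_config()
    p.tun_sa_in.add_vpp_config()

    # Swap the tunnel over to the new SAs, outbound first.
    self.vapi.ipsec_tunnel_if_set_sa(sw_if_index=p.tun_if.sw_if_index,
                                     sa_id=p.tun_sa_out.id,
                                     is_outbound=1)
    self.vapi.ipsec_tunnel_if_set_sa(sw_if_index=p.tun_if.sw_if_index,
                                     sa_id=p.tun_sa_in.id,
                                     is_outbound=0)
    self.logger.info(self.vapi.cli("sh ipsec sa"))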
def setUp(self):
    """Create ten IPv6 IPsec tunnel interfaces on pg0, one per parameter set.

    Each parameter set is a shallow copy of ``self.ipv6_params`` whose
    eight SA id / SPI attributes are offset by the tunnel index so the
    tunnels get distinct values (assumes the ``scapy_*`` and ``vpp_*``
    bases are at least 10 apart — TODO confirm in the params class);
    ``remote_tun_if_host`` is ``1111::<index+1>``.  The copies are kept in
    ``self.multi_params``.  For each one a ``VppIpsecTunInterface`` is
    created (the same key is passed for both directions), brought up,
    given IPv6, and a /128 route to the remote host is installed through
    it; the route object itself is not kept.
    """
    super(TestIpsec6MultiTunIfEsp, self).setUp()
    self.tun_if = self.pg0
    self.multi_params = []

    # Every one of these is shifted by the tunnel index.
    offset_attrs = ("scapy_tun_sa_id", "scapy_tun_spi",
                    "vpp_tun_sa_id", "vpp_tun_spi",
                    "scapy_tra_sa_id", "scapy_tra_spi",
                    "vpp_tra_sa_id", "vpp_tra_spi")

    for ii in range(10):
        # Shallow copy: the offsets rebind ints on the copy, leaving the
        # template untouched.
        p = copy.copy(self.ipv6_params)
        p.remote_tun_if_host = "1111::%d" % (ii + 1)
        for attr in offset_attrs:
            setattr(p, attr, getattr(p, attr) + ii)

        # Scapy-side SAs are derived from the offset ids/SPIs.
        config_tun_params(p, self.encryption_type, self.tun_if)
        self.multi_params.append(p)

        p.tun_if = VppIpsecTunInterface(self, self.pg0,
                                        p.vpp_tun_spi, p.scapy_tun_spi,
                                        p.crypt_algo_vpp_id,
                                        p.crypt_key, p.crypt_key,
                                        p.auth_algo_vpp_id,
                                        p.auth_key, p.auth_key,
                                        is_ip6=True)
        p.tun_if.add_vpp_config()
        p.tun_if.admin_up()
        p.tun_if.config_ip6()

        route = VppIpRoute(self, p.remote_tun_if_host, 128,
                           [VppRoutePath(p.tun_if.remote_ip6, 0xffffffff,
                                         proto=DpoProto.DPO_PROTO_IP6)],
                           is_ip6=1)
        route.add_vpp_config()
def config_network(self, p):
    """Bring up an IPv4 IPsec tunnel interface for *p* and route to it.

    ``config_tun_params`` first populates the scapy-side SAs on *p*; then a
    ``VppIpsecTunInterface`` is created on pg0 with the same key passed for
    both directions, committed, brought up and given IPv4.  Both tunnel SAs
    are dumped to the log, and a /32 route to ``p.remote_tun_if_host`` via
    the tunnel's remote IPv4 address is installed and stored as
    ``p.route``.

    Args:
        p: IPsec parameter bag; ``tun_if`` and ``route`` are assigned.
    """
    config_tun_params(p, self.encryption_type, self.tun_if)

    tun_if = VppIpsecTunInterface(self, self.pg0,
                                  p.vpp_tun_spi, p.scapy_tun_spi,
                                  p.crypt_algo_vpp_id,
                                  p.crypt_key, p.crypt_key,
                                  p.auth_algo_vpp_id,
                                  p.auth_key, p.auth_key)
    p.tun_if = tun_if
    tun_if.add_vpp_config()
    tun_if.admin_up()
    tun_if.config_ip4()

    # Dump both tunnel SAs to the test log for debugging.
    for cmd in ("sh ipsec sa 0", "sh ipsec sa 1"):
        self.logger.info(self.vapi.cli(cmd))

    p.route = VppIpRoute(self, p.remote_tun_if_host, 32,
                         [VppRoutePath(tun_if.remote_ip4, 0xffffffff)])
    p.route.add_vpp_config()
def config_network(self, params):
    """Build the SPD / interface setup for the AH test class.

    pg0 becomes the tunnel interface and pg2 the transport interface.  One
    SPD is created for each and bound to it; then, for every parameter set
    in *params*, the transport and tunnel AH configuration is applied and
    the scapy-side SAs are generated, and finally a route to each
    ``remote_tun_if_host`` is installed via the tunnel interface's remote
    address (IPv6 or IPv4 DPO per ``p.is_ipv6``).  Every VPP object created
    here is appended to ``self.net_objs`` so it can be torn down later.

    Args:
        params: iterable of IPsec parameter bags.
    """
    self.net_objs = []
    self.tun_if = self.pg0
    self.tra_if = self.pg2
    self.logger.info(self.vapi.ppcli("show int addr"))

    def install(obj):
        # Commit to VPP and remember it for teardown.
        obj.add_vpp_config()
        self.net_objs.append(obj)

    self.tra_spd = VppIpsecSpd(self, self.tra_spd_id)
    install(self.tra_spd)
    self.tun_spd = VppIpsecSpd(self, self.tun_spd_id)
    install(self.tun_spd)

    for spd, itf in ((self.tra_spd, self.tra_if),
                     (self.tun_spd, self.tun_if)):
        install(VppIpsecSpdItfBinding(self, spd, itf))

    for p in params:
        self.config_ah_tra(p)
        config_tra_params(p, self.encryption_type)
    for p in params:
        self.config_ah_tun(p)
        config_tun_params(p, self.encryption_type, self.tun_if)

    for p in params:
        if p.is_ipv6:
            dpo = DpoProto.DPO_PROTO_IP6
        else:
            dpo = DpoProto.DPO_PROTO_IP4
        path = VppRoutePath(self.tun_if.remote_addr[p.addr_type],
                            0xFFFFFFFF, proto=dpo)
        install(VppIpRoute(self, p.remote_tun_if_host, p.addr_len, [path]))

    self.logger.info(self.vapi.ppcli("show ipsec all"))
def config_network(self, p):
    """Bring up an IPv4 IPsec tunnel interface for *p* (with salt) and route to it.

    Same flow as the salt-less variant: ``config_tun_params`` populates the
    scapy-side SAs, a ``VppIpsecTunInterface`` is created on pg0 with the
    same key for both directions and ``p.salt``, committed, brought up and
    given IPv4; both tunnel SAs are logged and a /32 route to
    ``p.remote_tun_if_host`` via the tunnel's remote IPv4 address is
    installed as ``p.route``.

    Args:
        p: IPsec parameter bag; ``tun_if`` and ``route`` are assigned.
    """
    config_tun_params(p, self.encryption_type, self.tun_if)

    p.tun_if = VppIpsecTunInterface(self, self.pg0,
                                    p.vpp_tun_spi, p.scapy_tun_spi,
                                    p.crypt_algo_vpp_id,
                                    p.crypt_key, p.crypt_key,
                                    p.auth_algo_vpp_id,
                                    p.auth_key, p.auth_key,
                                    salt=p.salt)
    for step in (p.tun_if.add_vpp_config,
                 p.tun_if.admin_up,
                 p.tun_if.config_ip4):
        step()

    # Dump both tunnel SAs to the test log for debugging.
    self.logger.info(self.vapi.cli("sh ipsec sa 0"))
    self.logger.info(self.vapi.cli("sh ipsec sa 1"))

    nh = VppRoutePath(p.tun_if.remote_ip4, 0xffffffff)
    p.route = VppIpRoute(self, p.remote_tun_if_host, 32, [nh])
    p.route.add_vpp_config()
def setUp(self):
    """Create ten IPv6 IPsec tunnel interfaces on pg0, one per parameter set.

    Each parameter set is a shallow copy of ``self.ipv6_params`` with its
    SA ids and SPIs shifted by the tunnel index (assumes the ``scapy_*``
    and ``vpp_*`` bases are at least 10 apart — TODO confirm) and
    ``remote_tun_if_host`` set to ``1111::<index+1>``.  Copies are kept in
    ``self.multi_params``; each gets a ``VppIpsecTunInterface`` (same key
    for both directions), brought up with IPv6, plus a /128 route to the
    remote host through it.  The route object is not retained.
    """
    super(TestIpsec6MultiTunIfEsp, self).setUp()
    self.tun_if = self.pg0
    self.multi_params = []

    def derive(index):
        # Copy the template and shift every id/SPI by the tunnel index.
        q = copy.copy(self.ipv6_params)
        q.remote_tun_if_host = "1111::%d" % (index + 1)
        q.scapy_tun_sa_id += index
        q.scapy_tun_spi += index
        q.vpp_tun_sa_id += index
        q.vpp_tun_spi += index
        q.scapy_tra_sa_id += index
        q.scapy_tra_spi += index
        q.vpp_tra_sa_id += index
        q.vpp_tra_spi += index
        return q

    for ii in range(10):
        p = derive(ii)
        config_tun_params(p, self.encryption_type, self.tun_if)
        self.multi_params.append(p)

        tun = VppIpsecTunInterface(self, self.pg0,
                                   p.vpp_tun_spi, p.scapy_tun_spi,
                                   p.crypt_algo_vpp_id,
                                   p.crypt_key, p.crypt_key,
                                   p.auth_algo_vpp_id,
                                   p.auth_key, p.auth_key,
                                   is_ip6=True)
        p.tun_if = tun
        tun.add_vpp_config()
        tun.admin_up()
        tun.config_ip6()

        VppIpRoute(self, p.remote_tun_if_host, 128,
                   [VppRoutePath(tun.remote_ip6, 0xffffffff,
                                 proto=DpoProto.DPO_PROTO_IP6)],
                   is_ip6=1).add_vpp_config()
def setUp(self):
    """Create ten IPv4 IPsec tunnel interfaces on pg0, one per parameter set.

    Each parameter set is a shallow copy of ``self.ipv4_params`` whose
    eight SA id / SPI attributes are offset by the tunnel index so the
    tunnels get distinct values (assumes the ``scapy_*`` and ``vpp_*``
    bases are at least 10 apart — TODO confirm in the params class);
    ``remote_tun_if_host`` is ``1.1.1.<index+1>``.  The copies are kept in
    ``self.multi_params``.  For each one a ``VppIpsecTunInterface`` is
    created (the same key is passed for both directions), brought up,
    given IPv4, and a /32 route to the remote host is installed through
    it; the route object itself is not kept.
    """
    super(TestIpsec4MultiTunIfEsp, self).setUp()
    self.tun_if = self.pg0
    self.multi_params = []

    # Every one of these is shifted by the tunnel index.
    offset_attrs = ("scapy_tun_sa_id", "scapy_tun_spi",
                    "vpp_tun_sa_id", "vpp_tun_spi",
                    "scapy_tra_sa_id", "scapy_tra_spi",
                    "vpp_tra_sa_id", "vpp_tra_spi")

    for ii in range(10):
        # Shallow copy: the offsets rebind ints on the copy, leaving the
        # template untouched.
        p = copy.copy(self.ipv4_params)
        p.remote_tun_if_host = "1.1.1.%d" % (ii + 1)
        for attr in offset_attrs:
            setattr(p, attr, getattr(p, attr) + ii)

        # Scapy-side SAs are derived from the offset ids/SPIs.
        config_tun_params(p, self.encryption_type, self.tun_if)
        self.multi_params.append(p)

        p.tun_if = VppIpsecTunInterface(self, self.pg0,
                                        p.vpp_tun_spi, p.scapy_tun_spi,
                                        p.crypt_algo_vpp_id,
                                        p.crypt_key, p.crypt_key,
                                        p.auth_algo_vpp_id,
                                        p.auth_key, p.auth_key)
        p.tun_if.add_vpp_config()
        p.tun_if.admin_up()
        p.tun_if.config_ip4()

        route = VppIpRoute(self, p.remote_tun_if_host, 32,
                           [VppRoutePath(p.tun_if.remote_ip4, 0xffffffff)])
        route.add_vpp_config()
def setUp(self):
    """Create ten IPv4 IPsec tunnel interfaces on pg0, one per parameter set.

    Each parameter set is a shallow copy of ``self.ipv4_params`` with its
    SA ids and SPIs shifted by the tunnel index (assumes the ``scapy_*``
    and ``vpp_*`` bases are at least 10 apart — TODO confirm) and
    ``remote_tun_if_host`` set to ``1.1.1.<index+1>``.  Copies are kept in
    ``self.multi_params``; each gets a ``VppIpsecTunInterface`` (same key
    for both directions), brought up with IPv4, plus a /32 route to the
    remote host through it.  The route object is not retained.
    """
    super(TestIpsec4MultiTunIfEsp, self).setUp()
    self.tun_if = self.pg0
    self.multi_params = []

    def derive(index):
        # Copy the template and shift every id/SPI by the tunnel index.
        q = copy.copy(self.ipv4_params)
        q.remote_tun_if_host = "1.1.1.%d" % (index + 1)
        q.scapy_tun_sa_id += index
        q.scapy_tun_spi += index
        q.vpp_tun_sa_id += index
        q.vpp_tun_spi += index
        q.scapy_tra_sa_id += index
        q.scapy_tra_spi += index
        q.vpp_tra_sa_id += index
        q.vpp_tra_spi += index
        return q

    for ii in range(10):
        p = derive(ii)
        config_tun_params(p, self.encryption_type, self.tun_if)
        self.multi_params.append(p)

        tun = VppIpsecTunInterface(self, self.pg0,
                                   p.vpp_tun_spi, p.scapy_tun_spi,
                                   p.crypt_algo_vpp_id,
                                   p.crypt_key, p.crypt_key,
                                   p.auth_algo_vpp_id,
                                   p.auth_key, p.auth_key)
        p.tun_if = tun
        tun.add_vpp_config()
        tun.admin_up()
        tun.config_ip4()

        VppIpRoute(self, p.remote_tun_if_host, 32,
                   [VppRoutePath(tun.remote_ip4, 0xffffffff)]).add_vpp_config()
def test_gso_ipsec(self):
    """GSO over an IPsec-protected IPIP tunnel, all four address-family combinations.

    A 65200-byte TCP segment is sent in from pg2 with GSO enabled only on
    the input side and routed into an IPIP tunnel on pg0 that is protected
    by an ESP SA pair.  For each of IPv4/IPv4, IPv4/IPv6, IPv6/IPv4 and
    IPv6/IPv6 (outer/inner) the test expects 45 ESP packets on pg0 (the
    segmented output; the count is presumably the number of MSS-sized
    pieces 65200 bytes split into — not derived here), checks that each
    carries the expected outer addresses and SPI, decrypts it with the
    test-side SA, checks the inner addresses, and confirms that the inner
    payload bytes add up to the 65200 bytes sent.

    Configuration is created and torn down inline.  NOTE(review): the
    ``remove_vpp_config`` calls only run if every assertion passes, so a
    failure mid-test leaves the SAs, tunnel-protect binding, routes and
    tunnel interface in place for tearDown to deal with.
    """
    #
    # Send jumbo frame with gso enabled only on input interface and
    # create IPIP tunnel on VPP pg0.
    #

    #
    # enable ipip4
    #
    self.ipip4.add_vpp_config()
    self.vapi.feature_gso_enable_disable(
        sw_if_index=self.ipip4.sw_if_index, enable_disable=1)

    # Add IPv4 routes via tunnel interface
    self.ip4_via_ip4_tunnel = VppIpRoute(self, "172.16.10.0", 24, [
        VppRoutePath("0.0.0.0", self.ipip4.sw_if_index,
                     proto=FibPathProto.FIB_PATH_NH_PROTO_IP4)
    ])
    self.ip4_via_ip4_tunnel.add_vpp_config()

    # IPSec config: the inbound SA uses the vpp_* id/SPI, the outbound SA
    # the scapy_* id/SPI; both share keys and algorithms from the params.
    self.ipv4_params = IPsecIPv4Params()
    self.encryption_type = ESP
    config_tun_params(self.ipv4_params, self.encryption_type, self.ipip4)
    self.tun_sa_in_v4 = VppIpsecSA(
        self, self.ipv4_params.vpp_tun_sa_id, self.ipv4_params.vpp_tun_spi,
        self.ipv4_params.auth_algo_vpp_id, self.ipv4_params.auth_key,
        self.ipv4_params.crypt_algo_vpp_id, self.ipv4_params.crypt_key,
        VppEnum.vl_api_ipsec_proto_t.IPSEC_API_PROTO_ESP)
    self.tun_sa_in_v4.add_vpp_config()

    self.tun_sa_out_v4 = VppIpsecSA(
        self, self.ipv4_params.scapy_tun_sa_id, self.ipv4_params.scapy_tun_spi,
        self.ipv4_params.auth_algo_vpp_id, self.ipv4_params.auth_key,
        self.ipv4_params.crypt_algo_vpp_id, self.ipv4_params.crypt_key,
        VppEnum.vl_api_ipsec_proto_t.IPSEC_API_PROTO_ESP)
    self.tun_sa_out_v4.add_vpp_config()

    # Bind the SA pair to the tunnel: one outbound SA, a list of inbound.
    self.tun_protect_v4 = VppIpsecTunProtect(self, self.ipip4,
                                             self.tun_sa_out_v4,
                                             [self.tun_sa_in_v4])
    self.tun_protect_v4.add_vpp_config()

    # Set interface up and enable IP on it
    self.ipip4.admin_up()
    self.ipip4.set_unnumbered(self.pg0.sw_if_index)

    #
    # IPv4/IPv4 - IPSEC
    #
    # NOTE(review): the destination MAC is hard-coded; presumably VPP's
    # MAC on pg2 — confirm against the interface setup.
    ipsec44 = (Ether(src=self.pg2.remote_mac, dst="02:fe:60:1e:a2:79") /
               IP(src=self.pg2.remote_ip4, dst="172.16.10.3", flags='DF') /
               TCP(sport=1234, dport=1234) /
               Raw(b'\xa5' * 65200))

    rxs = self.send_and_expect(self.pg2, [ipsec44], self.pg0, 45)
    size = 0
    for rx in rxs:
        self.assertEqual(rx[Ether].src, self.pg0.local_mac)
        self.assertEqual(rx[Ether].dst, self.pg0.remote_mac)
        self.assertEqual(rx[IP].src, self.pg0.local_ip4)
        self.assertEqual(rx[IP].dst, self.pg0.remote_ip4)
        self.assertEqual(rx[IP].proto, 50)  # ESP
        self.assertEqual(rx[ESP].spi, self.ipv4_params.scapy_tun_spi)
        # Decrypt with the test-side SA config_tun_params built, then
        # verify the inner header survived segmentation + encryption.
        inner = self.ipv4_params.vpp_tun_sa.decrypt(rx[IP])
        self.assertEqual(inner[IP].src, self.pg2.remote_ip4)
        self.assertEqual(inner[IP].dst, "172.16.10.3")
        # Payload bytes: total length minus (presumably) the 20-byte IPv4
        # header and 20-byte TCP header.
        size += inner[IP].len - 20 - 20
    self.assertEqual(size, 65200)

    self.ip6_via_ip4_tunnel = VppIpRoute(self, "fd01:10::", 64, [
        VppRoutePath("::", self.ipip4.sw_if_index,
                     proto=FibPathProto.FIB_PATH_NH_PROTO_IP6)
    ])
    self.ip6_via_ip4_tunnel.add_vpp_config()

    #
    # IPv4/IPv6 - IPSEC
    #
    ipsec46 = (Ether(src=self.pg2.remote_mac, dst="02:fe:60:1e:a2:79") /
               IPv6(src=self.pg2.remote_ip6, dst="fd01:10::3") /
               TCP(sport=1234, dport=1234) /
               Raw(b'\xa5' * 65200))

    rxs = self.send_and_expect(self.pg2, [ipsec46], self.pg0, 45)
    size = 0
    for rx in rxs:
        self.assertEqual(rx[Ether].src, self.pg0.local_mac)
        self.assertEqual(rx[Ether].dst, self.pg0.remote_mac)
        self.assertEqual(rx[IP].src, self.pg0.local_ip4)
        self.assertEqual(rx[IP].dst, self.pg0.remote_ip4)
        self.assertEqual(rx[IP].proto, 50)  # ESP
        self.assertEqual(rx[ESP].spi, self.ipv4_params.scapy_tun_spi)
        inner = self.ipv4_params.vpp_tun_sa.decrypt(rx[IP])
        self.assertEqual(inner[IPv6].src, self.pg2.remote_ip6)
        self.assertEqual(inner[IPv6].dst, "fd01:10::3")
        # IPv6 plen already excludes the IPv6 header; subtract the TCP
        # header (presumably 20 bytes, no options).
        size += inner[IPv6].plen - 20
    self.assertEqual(size, 65200)

    # disable IPSec
    self.tun_protect_v4.remove_vpp_config()
    self.tun_sa_in_v4.remove_vpp_config()
    self.tun_sa_out_v4.remove_vpp_config()

    #
    # disable ipip4
    #
    self.vapi.feature_gso_enable_disable(self.ipip4.sw_if_index,
                                         enable_disable=0)
    self.ip4_via_ip4_tunnel.remove_vpp_config()
    self.ip6_via_ip4_tunnel.remove_vpp_config()
    self.ipip4.remove_vpp_config()

    #
    # enable ipip6
    #
    self.ipip6.add_vpp_config()
    self.vapi.feature_gso_enable_disable(self.ipip6.sw_if_index,
                                         enable_disable=1)

    # Set interface up and enable IP on it
    self.ipip6.admin_up()
    self.ipip6.set_unnumbered(self.pg0.sw_if_index)

    # Add IPv4 routes via tunnel interface
    self.ip4_via_ip6_tunnel = VppIpRoute(self, "172.16.10.0", 24, [
        VppRoutePath("0.0.0.0", self.ipip6.sw_if_index,
                     proto=FibPathProto.FIB_PATH_NH_PROTO_IP4)
    ])
    self.ip4_via_ip6_tunnel.add_vpp_config()

    # IPSec config (same shape as the IPv4 tunnel above)
    self.ipv6_params = IPsecIPv6Params()
    self.encryption_type = ESP
    config_tun_params(self.ipv6_params, self.encryption_type, self.ipip6)
    self.tun_sa_in_v6 = VppIpsecSA(
        self, self.ipv6_params.vpp_tun_sa_id, self.ipv6_params.vpp_tun_spi,
        self.ipv6_params.auth_algo_vpp_id, self.ipv6_params.auth_key,
        self.ipv6_params.crypt_algo_vpp_id, self.ipv6_params.crypt_key,
        VppEnum.vl_api_ipsec_proto_t.IPSEC_API_PROTO_ESP)
    self.tun_sa_in_v6.add_vpp_config()

    self.tun_sa_out_v6 = VppIpsecSA(
        self, self.ipv6_params.scapy_tun_sa_id, self.ipv6_params.scapy_tun_spi,
        self.ipv6_params.auth_algo_vpp_id, self.ipv6_params.auth_key,
        self.ipv6_params.crypt_algo_vpp_id, self.ipv6_params.crypt_key,
        VppEnum.vl_api_ipsec_proto_t.IPSEC_API_PROTO_ESP)
    self.tun_sa_out_v6.add_vpp_config()

    self.tun_protect_v6 = VppIpsecTunProtect(self, self.ipip6,
                                             self.tun_sa_out_v6,
                                             [self.tun_sa_in_v6])
    self.tun_protect_v6.add_vpp_config()

    #
    # IPv6/IPv4 - IPSEC
    #
    ipsec64 = (Ether(src=self.pg2.remote_mac, dst="02:fe:60:1e:a2:79") /
               IP(src=self.pg2.remote_ip4, dst="172.16.10.3", flags='DF') /
               TCP(sport=1234, dport=1234) /
               Raw(b'\xa5' * 65200))

    rxs = self.send_and_expect(self.pg2, [ipsec64], self.pg0, 45)
    size = 0
    for rx in rxs:
        self.assertEqual(rx[Ether].src, self.pg0.local_mac)
        self.assertEqual(rx[Ether].dst, self.pg0.remote_mac)
        self.assertEqual(rx[IPv6].src, self.pg0.local_ip6)
        self.assertEqual(rx[IPv6].dst, self.pg0.remote_ip6)
        # Outer IPv6 next-header must be ESP (checked via the name table).
        self.assertEqual(ipv6nh[rx[IPv6].nh], "ESP Header")
        self.assertEqual(rx[ESP].spi, self.ipv6_params.scapy_tun_spi)
        inner = self.ipv6_params.vpp_tun_sa.decrypt(rx[IPv6])
        self.assertEqual(inner[IP].src, self.pg2.remote_ip4)
        self.assertEqual(inner[IP].dst, "172.16.10.3")
        size += inner[IP].len - 20 - 20
    self.assertEqual(size, 65200)

    self.ip6_via_ip6_tunnel = VppIpRoute(self, "fd01:10::", 64, [
        VppRoutePath("::", self.ipip6.sw_if_index,
                     proto=FibPathProto.FIB_PATH_NH_PROTO_IP6)
    ])
    self.ip6_via_ip6_tunnel.add_vpp_config()

    #
    # IPv6/IPv6 - IPSEC
    #
    ipsec66 = (Ether(src=self.pg2.remote_mac, dst="02:fe:60:1e:a2:79") /
               IPv6(src=self.pg2.remote_ip6, dst="fd01:10::3") /
               TCP(sport=1234, dport=1234) /
               Raw(b'\xa5' * 65200))

    rxs = self.send_and_expect(self.pg2, [ipsec66], self.pg0, 45)
    size = 0
    for rx in rxs:
        self.assertEqual(rx[Ether].src, self.pg0.local_mac)
        self.assertEqual(rx[Ether].dst, self.pg0.remote_mac)
        self.assertEqual(rx[IPv6].src, self.pg0.local_ip6)
        self.assertEqual(rx[IPv6].dst, self.pg0.remote_ip6)
        self.assertEqual(ipv6nh[rx[IPv6].nh], "ESP Header")
        self.assertEqual(rx[ESP].spi, self.ipv6_params.scapy_tun_spi)
        inner = self.ipv6_params.vpp_tun_sa.decrypt(rx[IPv6])
        self.assertEqual(inner[IPv6].src, self.pg2.remote_ip6)
        self.assertEqual(inner[IPv6].dst, "fd01:10::3")
        size += inner[IPv6].plen - 20
    self.assertEqual(size, 65200)

    # disable IPSec
    self.tun_protect_v6.remove_vpp_config()
    self.tun_sa_in_v6.remove_vpp_config()
    self.tun_sa_out_v6.remove_vpp_config()

    #
    # disable ipip6
    #
    # NOTE(review): unlike the ipip4 block above, GSO is not explicitly
    # disabled on ipip6 before the interface is removed; the final call
    # disables it on pg0 instead — confirm that is intended.
    self.ip4_via_ip6_tunnel.remove_vpp_config()
    self.ip6_via_ip6_tunnel.remove_vpp_config()
    self.ipip6.remove_vpp_config()

    self.vapi.feature_gso_enable_disable(self.pg0.sw_if_index,
                                         enable_disable=0)