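def vpp_ipsec_add_sad_entries(node, n_entries, sad_id, spi, crypto_alg, crypto_key, integ_alg, integ_key, tunnel_src=None, tunnel_dst=None):
    """Create multiple Security Association Database entries on VPP node.

    The entries are rendered as a VAT script into a local temporary file,
    which is copied to the node and executed there. Because the script holds
    the hex-encoded crypto and integrity keys, the file is created with
    ``tempfile.mkstemp`` (unpredictable name, owner-only permissions) instead
    of a fixed, predictable path under ``/tmp``, and the local copy is removed
    even if the remote execution raises. Clean-up of the copy placed on the
    node is left to ``VatExecutor``.

    :param node: VPP node to add SAD entry on.
    :param n_entries: Number of SAD entries to be created. Zero or a
        negative value creates no entries.
    :param sad_id: First SAD entry ID. All subsequent SAD entries will have
        id incremented by 1.
    :param spi: Security Parameter Index of first SAD entry. All subsequent
        SAD entries will have spi incremented by 1.
    :param crypto_alg: The encryption algorithm name.
    :param crypto_key: The encryption key string.
    :param integ_alg: The integrity algorithm name.
    :param integ_key: The integrity key string.
    :param tunnel_src: Tunnel header source IPv4 or IPv6 address. If not
        specified ESP transport mode is used.
    :param tunnel_dst: Tunnel header destination IPv4 or IPv6 address. If not
        specified ESP transport mode is used.
    :type node: dict
    :type n_entries: int
    :type sad_id: int
    :type spi: int
    :type crypto_alg: CryptoAlg
    :type crypto_key: str
    :type integ_alg: IntegAlg
    :type integ_key: str
    :type tunnel_src: str
    :type tunnel_dst: str
    """
    import tempfile

    # Python 2 str.encode('hex'); VAT expects the keys as hex digits.
    ckey = crypto_key.encode('hex')
    ikey = integ_key.encode('hex')
    # Tunnel mode needs both endpoints; with either missing fall back to
    # transport mode by emitting no tunnel clause at all.
    tunnel = 'tunnel_src {0} tunnel_dst {1}'.format(tunnel_src, tunnel_dst)\
        if tunnel_src is not None and tunnel_dst is not None else ''
    # aes-gcm-128 is configured without a separate integrity algorithm (the
    # cipher authenticates the payload itself), so the integ clause is dropped.
    integ = 'integ_alg {0} integ_key {1}'.format(integ_alg.alg_name, ikey)\
        if crypto_alg.alg_name != 'aes-gcm-128' else ''

    # mkstemp returns an already-open descriptor with mode 0600, so another
    # local user cannot pre-create or read the file holding the keys.
    fd, tmp_filename = tempfile.mkstemp(
        prefix='ipsec_sad_{0}_'.format(sad_id), suffix='_add_del_entry.vat')
    try:
        with os.fdopen(fd, 'w') as tmp_file:
            for i in range(n_entries):
                buf_str = 'ipsec_sad_add_del_entry esp sad_id {0} spi {1} ' \
                          'crypto_alg {2} crypto_key {3} {4} {5}\n'.format(
                              sad_id + i, spi + i, crypto_alg.alg_name, ckey,
                              integ, tunnel)
                tmp_file.write(buf_str)
        vat = VatExecutor()
        vat.scp_and_execute_script(tmp_filename, node, 300)
    finally:
        # Never leave key material behind on the local host, even on failure.
        os.remove(tmp_filename)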
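def vpp_ipsec_spd_add_entries(node, n_entries, spd_id, priority, inbound, sa_id, raddr_ip, raddr_range):
    """Create multiple Security Policy Database entries on the VPP node.

    The entries are rendered as a VAT script into a local temporary file,
    which is copied to the node and executed. The file is created with
    ``tempfile.mkstemp`` (unpredictable name, owner-only permissions) rather
    than a fixed path under ``/tmp``, and the local copy is removed even if
    the remote execution raises.

    :param node: VPP node to add SPD entries on.
    :param n_entries: Number of SPD entries to be added. Zero or a negative
        value creates no entries.
    :param spd_id: SPD ID to add entries on.
    :param priority: SPD entries priority, higher number = higher priority.
    :param inbound: If True policy is for inbound traffic, otherwise outbound.
    :param sa_id: SAD entry ID for first entry. Each subsequent entry will
        SAD entry ID incremented by 1.
    :param raddr_ip: Policy selector remote IPv4 start address for the first
        entry. Remote IPv4 end address will be calculated depending on
        raddr_range parameter. Each subsequent entry will have start address
        next after IPv4 end address of previous entry.
    :param raddr_range: Mask specifying range of Policy selector Remote IPv4
        addresses. Valid values are from 1 to 32.
    :type node: dict
    :type n_entries: int
    :type spd_id: int
    :type priority: int
    :type inbound: bool
    :type sa_id: int
    :type raddr_ip: string
    :type raddr_range: int
    :raises ValueError: If raddr_range is outside 1..32, or if the requested
        number of entries would run past the end of the IPv4 address space.
    """
    import tempfile

    if not 1 <= raddr_range <= 32:
        raise ValueError(
            'raddr_range must be between 1 and 32, got {0}'.format(raddr_range))

    direction = 'inbound' if inbound else 'outbound'
    # Each entry covers one /raddr_range block, i.e. this many addresses.
    addr_incr = 1 << (32 - raddr_range)
    addr_ip = int(ip_address(unicode(raddr_ip)))
    # ip_address() silently returns an IPv6 address for integers above
    # 2**32 - 1, which would produce a bogus selector; reject that up front.
    last_addr = addr_ip + addr_incr * n_entries - 1
    if last_addr > 0xFFFFFFFF:
        raise ValueError(
            '{0} entries of /{1} starting at {2} exceed the IPv4 address '
            'space'.format(n_entries, raddr_range, raddr_ip))

    start_str = 'ipsec_spd_add_del_entry spd_id {0} priority {1} {2} ' \
                'action protect sa_id'.format(spd_id, priority, direction)

    # mkstemp returns an already-open descriptor with mode 0600, so another
    # local user cannot pre-create (e.g. symlink) the script file.
    fd, tmp_filename = tempfile.mkstemp(
        prefix='ipsec_spd_{0}_'.format(sa_id), suffix='_add_del_entry.vat')
    try:
        with os.fdopen(fd, 'w') as tmp_file:
            for i in range(n_entries):
                r_ip_s = ip_address(addr_ip + addr_incr * i)
                r_ip_e = ip_address(addr_ip + addr_incr * (i + 1) - 1)
                buf_str = '{0} {1} raddr_start {2} raddr_stop {3}\n'.format(
                    start_str, sa_id + i, r_ip_s, r_ip_e)
                tmp_file.write(buf_str)
        vat = VatExecutor()
        vat.scp_and_execute_script(tmp_filename, node, 300)
    finally:
        # Remove the local script even when the remote execution failed.
        os.remove(tmp_filename)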