Exemple #1
    def setUp(self):
        """Create the IPv4/IPv6 IPsec parameter sets, then run the parent setUp.

        The IPv4 set is marked with DSCP EF and the IPv6 set with DSCP AF11
        before the base-class fixture runs (presumably the parent setUp reads
        them when it configures the tunnels; confirm against the base class).
        """
        v4_params = IPsecIPv4Params()
        v6_params = IPsecIPv6Params()

        # Use a different code point per address family.
        v4_params.dscp = VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF
        v6_params.dscp = VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_AF11

        self.ipv4_params = v4_params
        self.ipv6_params = v6_params

        super(TestIpsecEspTun2, self).setUp()
Exemple #2
    def setUp(self):
        """Create the IPv4/IPv6 IPsec parameter sets, then run the parent setUp.

        DSCP is given here as raw integers (3 for IPv4, 4 for IPv6) rather than
        as VppEnum members.
        """
        v4_params = IPsecIPv4Params()
        v6_params = IPsecIPv6Params()

        # Distinct raw DSCP values per address family.
        v4_params.dscp = 3
        v6_params.dscp = 4

        self.ipv4_params = v4_params
        self.ipv6_params = v6_params

        super(TestIpsecAhTun2, self).setUp()
Exemple #3
 def setup_params(self):
     """Build both parameter sets and force extended sequence numbers on them.

     ``self.params`` maps each set's ``addr_type`` to the set itself.  The
     flags attribute is overwritten (not OR-ed), so any flags the parameter
     classes set by default are replaced by USE_ESN alone.
     """
     v4_params = IPsecIPv4Params()
     v6_params = IPsecIPv6Params()
     self.ipv4_params = v4_params
     self.ipv6_params = v6_params
     self.params = {p.addr_type: p for p in (v4_params, v6_params)}

     sad_flags = VppEnum.vl_api_ipsec_sad_flags_t
     for param_set in self.params.values():
         param_set.flags = sad_flags.IPSEC_API_SAD_FLAG_USE_ESN
Exemple #4
    def setUp(self):
        """Create the parameter sets with tunnel encap flags, then run setUp.

        The IPv4 set gets ENCAP_COPY_DSCP only; the IPv6 set gets
        ENCAP_COPY_DSCP combined with ENCAP_COPY_ECN.
        """
        self.ipv4_params = IPsecIPv4Params()
        self.ipv6_params = IPsecIPv6Params()

        encap_flags = VppEnum.vl_api_tunnel_encap_decap_flags_t
        copy_dscp = encap_flags.TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_DSCP
        copy_dscp_and_ecn = (
            copy_dscp | encap_flags.TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_ECN)

        self.ipv4_params.tun_flags = copy_dscp
        self.ipv6_params.tun_flags = copy_dscp_and_ecn

        super(TestIpsecAhTun, self).setUp()
    def run_a_test(self, engine, flag, algo):
        """Run the traffic and anti-replay checks for one engine/flag/algo.

        Args:
            engine: crypto engine name, interpolated into the
                ``set crypto handler all <engine>`` CLI command.
            flag: SA flag value OR-ed into each parameter set's flags.
            algo: dict read with the keys 'vpp-integ', 'vpp-crypto',
                'scapy-crypto', 'scapy-integ', 'key' and 'salt'.
        """
        # engine is formatted into the CLI string unescaped; callers are
        # expected to pass a fixed engine name, not external input.
        self.vapi.cli("set crypto handler all %s" % engine)

        # Fresh parameter objects per run, so settings from a previous
        # combination cannot carry over.
        self.ipv4_params = IPsecIPv4Params()
        self.ipv6_params = IPsecIPv6Params()

        self.params = {self.ipv4_params.addr_type:
                       self.ipv4_params,
                       self.ipv6_params.addr_type:
                       self.ipv6_params}

        # Apply the same algorithm, key and salt to both address families.
        # The flag is OR-ed in, keeping whatever flags the params default to.
        for _, p in self.params.items():
            p.auth_algo_vpp_id = algo['vpp-integ']
            p.crypt_algo_vpp_id = algo['vpp-crypto']
            p.crypt_algo = algo['scapy-crypto']
            p.auth_algo = algo['scapy-integ']
            p.crypt_key = algo['key']
            p.salt = algo['salt']
            p.flags = p.flags | flag

        self.reporter.send_keep_alive(self)

        #
        # configure the SPDs, SAs, etc
        #
        self.config_network(self.params.values())

        #
        # run some traffic.
        #  An exhaustive 4o6, 6o4 is not necessary
        #  for each algo
        #
        self.verify_tra_basic6(count=NUM_PKTS)
        self.verify_tra_basic4(count=NUM_PKTS)
        self.verify_tun_66(self.params[socket.AF_INET6],
                           count=NUM_PKTS)
        self.verify_tun_44(self.params[socket.AF_INET],
                           count=NUM_PKTS)

        #
        # remove the SPDs, SAs, etc
        #
        self.unconfig_network()

        #
        # reconfigure the network and SA to run the
        # anti replay tests
        # (presumably so the SAs start from fresh sequence-number state;
        # confirm against verify_tra_anti_replay)
        #
        # NOTE(review): nothing here is wrapped in try/finally, so a failed
        # verify step skips unconfig_network() unless tearDown covers it.
        self.config_network(self.params.values())
        self.verify_tra_anti_replay()
        self.unconfig_network()
Exemple #6
    def test_crypto_algs(self):
        """All engines AES-[CBC, GCM]-[128, 192, 256] 3DES-CBC w/ & w/o ESN"""

        # for each VPP crypto engine
        engines = ["ia32", "ipsecmb", "openssl"]

        # for each crypto algorithm
        #
        # Each entry pairs the VPP enum values with the scapy algorithm names
        # for the same cipher/integrity combination, plus a fixed test key
        # and salt. The key strings are static test fixtures; their length
        # (16/24/32 characters) matches the AES-128/192/256 variant named in
        # the entry.
        algos = [{
            # AES-GCM is an AEAD mode, so these entries configure no separate
            # integrity algorithm (INTEG_ALG_NONE on the VPP side, "NULL" on
            # the scapy side).
            'vpp-crypto':
            (VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_GCM_128
             ),
            'vpp-integ':
            (VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_NONE),
            'scapy-crypto':
            "AES-GCM",
            'scapy-integ':
            "NULL",
            'key':
            "JPjyOWBeVEQiMe7h",
            'salt':
            0
        }, {
            'vpp-crypto':
            (VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_GCM_192
             ),
            'vpp-integ':
            (VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_NONE),
            'scapy-crypto':
            "AES-GCM",
            'scapy-integ':
            "NULL",
            'key':
            "JPjyOWBeVEQiMe7h01234567",
            'salt':
            1010
        }, {
            'vpp-crypto':
            (VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_GCM_256
             ),
            'vpp-integ':
            (VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_NONE),
            'scapy-crypto':
            "AES-GCM",
            'scapy-integ':
            "NULL",
            'key':
            "JPjyOWBeVEQiMe7h0123456787654321",
            'salt':
            2020
        }, {
            # The CBC entries (AES and 3DES) are paired with HMAC-SHA1-96 and
            # carry salt 0 (presumably unused for CBC; confirm in the
            # parameter classes).
            'vpp-crypto':
            (VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_CBC_128
             ),
            'vpp-integ':
            (VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_SHA1_96),
            'scapy-crypto':
            "AES-CBC",
            'scapy-integ':
            "HMAC-SHA1-96",
            'salt':
            0,
            'key':
            "JPjyOWBeVEQiMe7h"
        }, {
            'vpp-crypto':
            (VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_CBC_192
             ),
            'vpp-integ':
            (VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_SHA1_96),
            'scapy-crypto':
            "AES-CBC",
            'scapy-integ':
            "HMAC-SHA1-96",
            'salt':
            0,
            'key':
            "JPjyOWBeVEQiMe7hJPjyOWBe"
        }, {
            'vpp-crypto':
            (VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_CBC_256
             ),
            'vpp-integ':
            (VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_SHA1_96),
            'scapy-crypto':
            "AES-CBC",
            'scapy-integ':
            "HMAC-SHA1-96",
            'salt':
            0,
            'key':
            "JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"
        }, {
            # 3DES-CBC with a 24-character key.
            'vpp-crypto':
            (VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_3DES_CBC),
            'vpp-integ':
            (VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_SHA1_96),
            'scapy-crypto':
            "3DES",
            'scapy-integ':
            "HMAC-SHA1-96",
            'salt':
            0,
            'key':
            "JPjyOWBeVEQiMe7h00112233"
        }]

        # with and without ESN (extended sequence numbers)
        flags = [
            0, VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_USE_ESN
        ]

        #
        # loop through the VPP engines
        #
        for engine in engines:
            # Route all crypto operations to this engine before testing.
            self.vapi.cli("set crypto handler all %s" % engine)
            #
            # loop through each of the algorithms
            #
            for algo in algos:
                # NOTE(review): the disabled subTest line below reads
                # algo['scapy'], a key these dicts do not have; it would need
                # 'scapy-crypto' if re-enabled.
                # with self.subTest(algo=algo['scapy']):
                for flag in flags:
                    #
                    # set up the config parameters
                    # (fresh objects per combination so nothing carries over)
                    #
                    self.ipv4_params = IPsecIPv4Params()
                    self.ipv6_params = IPsecIPv6Params()

                    self.params = {
                        self.ipv4_params.addr_type: self.ipv4_params,
                        self.ipv6_params.addr_type: self.ipv6_params
                    }

                    # Same algorithm, key and salt for both address families;
                    # the ESN flag is OR-ed into the default flags.
                    for _, p in self.params.items():
                        p.auth_algo_vpp_id = algo['vpp-integ']
                        p.crypt_algo_vpp_id = algo['vpp-crypto']
                        p.crypt_algo = algo['scapy-crypto']
                        p.auth_algo = algo['scapy-integ']
                        p.crypt_key = algo['key']
                        p.salt = algo['salt']
                        p.flags = p.flags | flag

                    self.reporter.send_keep_alive(self)

                    #
                    # configure the SPDs, SAs, etc
                    #
                    self.config_network(self.params.values())

                    #
                    # run some traffic.
                    #  An exhaustive 4o6, 6o4 is not necessary
                    #  for each algo
                    #
                    self.verify_tra_basic6(count=NUM_PKTS)
                    self.verify_tra_basic4(count=NUM_PKTS)
                    self.verify_tun_66(self.params[socket.AF_INET6],
                                       count=NUM_PKTS)
                    self.verify_tun_44(self.params[socket.AF_INET],
                                       count=NUM_PKTS)

                    #
                    # remove the SPDs, SAs, etc
                    #
                    self.unconfig_network()

                    #
                    # reconfigure the network and SA to run the
                    # anti replay tests
                    #
                    # NOTE(review): a failure in any verify step skips the
                    # unconfig_network() call for that combination unless
                    # tearDown also cleans up; confirm.
                    self.config_network(self.params.values())
                    self.verify_tra_anti_replay()
                    self.unconfig_network()
Exemple #7
    def test_integ_algs(self):
        """All Engines SHA[1_96, 256, 384, 512] w/ & w/o ESN"""
        # for each VPP crypto engine
        engines = ["ia32", "ipsecmb", "openssl"]

        # Each entry pairs the VPP integrity enum with the scapy name for the
        # same algorithm.
        algos = [{
            'vpp':
            VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_SHA1_96,
            'scapy': "HMAC-SHA1-96"
        }, {
            'vpp':
            VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_SHA_256_128,
            'scapy': "SHA2-256-128"
        }, {
            'vpp':
            VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_SHA_384_192,
            'scapy': "SHA2-384-192"
        }, {
            'vpp':
            VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_SHA_512_256,
            'scapy': "SHA2-512-256"
        }]

        # with and without ESN (extended sequence numbers)
        flags = [
            0, (VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_USE_ESN)
        ]

        #
        # loop through the VPP engines
        #
        for engine in engines:
            self.vapi.cli("set crypto handler all %s" % engine)
            #
            # loop through each of the algorithms
            #
            for algo in algos:
                # with self.subTest(algo=algo['scapy']):
                for flag in flags:
                    #
                    # set up the config parameters
                    #
                    self.ipv4_params = IPsecIPv4Params()
                    self.ipv6_params = IPsecIPv6Params()

                    self.params = {
                        self.ipv4_params.addr_type: self.ipv4_params,
                        self.ipv6_params.addr_type: self.ipv6_params
                    }

                    # Only the integrity algorithm and flags are overridden;
                    # the auth key, cipher and cipher key stay at whatever the
                    # parameter classes default to.
                    for _, p in self.params.items():
                        p.auth_algo_vpp_id = algo['vpp']
                        p.auth_algo = algo['scapy']
                        p.flags = p.flags | flag

                    #
                    # configure the SPDs, SAs, etc
                    #
                    self.config_network(self.params.values())

                    #
                    # run some traffic.
                    #  An exhaustive 4o6, 6o4 is not necessary for each algo
                    #
                    self.verify_tra_basic6(count=17)
                    self.verify_tra_basic4(count=17)
                    self.verify_tun_66(self.params[socket.AF_INET6], count=17)
                    self.verify_tun_44(self.params[socket.AF_INET], count=17)

                    #
                    # remove the SPDs, SAs, etc
                    #
                    # NOTE(review): no anti-replay pass is run in this test,
                    # and a failed verify step skips this cleanup unless
                    # tearDown covers it; confirm.
                    self.unconfig_network()
Exemple #8
    def test_crypto_algs(self):
        """All engines AES-CBC-[128, 192, 256] w/o ESN"""

        # for each VPP crypto engine
        engines = ["ia32", "ipsecmb", "openssl"]

        # for each crypto algorithm
        #
        # The key strings are static test fixtures; their length (16/24/32
        # characters) matches the AES-128/192/256 variant in the same entry.
        algos = [{'vpp': VppEnum.vl_api_ipsec_crypto_alg_t.
                  IPSEC_API_CRYPTO_ALG_AES_CBC_128,
                  'scapy': "AES-CBC",
                  'key': "JPjyOWBeVEQiMe7h"},
                 {'vpp': VppEnum.vl_api_ipsec_crypto_alg_t.
                  IPSEC_API_CRYPTO_ALG_AES_CBC_192,
                  'scapy': "AES-CBC",
                  'key': "JPjyOWBeVEQiMe7hJPjyOWBe"},
                 {'vpp': VppEnum.vl_api_ipsec_crypto_alg_t.
                  IPSEC_API_CRYPTO_ALG_AES_CBC_256,
                  'scapy': "AES-CBC",
                  'key': "JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"}]

        # ESN is left out of this matrix: per the original author, a bug found
        # in VPP needs fixing before this flag can be added:
        # (VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_USE_ESN)
        flags = [0]

        #
        # loop through the VPP engines
        #
        for engine in engines:
            # NOTE(review): this says "set crypto engine all", while the other
            # listings on this page use "set crypto handler all"; confirm the
            # command is accepted by the VPP version under test, otherwise
            # every iteration may run on the same engine.
            self.vapi.cli("set crypto engine all %s" % engine)

            #
            # loop through each of the algorithms
            #
            for algo in algos:
                # with self.subTest(algo=algo['scapy']):
                for flag in flags:
                    #
                    # set up the config parameters
                    #
                    self.ipv4_params = IPsecIPv4Params()
                    self.ipv6_params = IPsecIPv6Params()

                    self.params = {self.ipv4_params.addr_type:
                                   self.ipv4_params,
                                   self.ipv6_params.addr_type:
                                   self.ipv6_params}

                    # Only the cipher, its key and the flags are overridden;
                    # integrity settings stay at the parameter defaults.
                    for _, p in self.params.items():
                        p.crypt_algo_vpp_id = algo['vpp']
                        p.crypt_algo = algo['scapy']
                        p.crypt_key = algo['key']
                        p.flags = p.flags | flag

                    #
                    # configure the SPDs, SAs, etc
                    #
                    self.config_network(self.params.values())

                    #
                    # run some traffic.
                    #  An exhaustive 4o6, 6o4 is not necessary
                    #  for each algo
                    #
                    self.verify_tra_basic6(count=17)
                    self.verify_tra_basic4(count=17)
                    self.verify_tun_66(self.params[socket.AF_INET6], 17)
                    self.verify_tun_44(self.params[socket.AF_INET], 17)

                    #
                    # remove the SPDs, SAs, etc
                    #
                    self.unconfig_network()
Exemple #9
    def run_a_test(self, engine, flag, algo, payload_size=None):
        """Run traffic, large-packet and anti-replay checks for one combination.

        Args:
            engine: crypto engine name, interpolated into the
                ``set crypto handler all <engine>`` CLI command.
            flag: SA flag value OR-ed into each parameter set's flags.
            algo: dict read with the keys 'vpp-integ', 'vpp-crypto',
                'scapy-crypto', 'scapy-integ', 'key' and 'salt'.
            payload_size: accepted but not read anywhere in this body.
        """
        # engine is formatted into the CLI string unescaped; callers are
        # expected to pass a fixed engine name, not external input.
        self.vapi.cli("set crypto handler all %s" % engine)

        self.ipv4_params = IPsecIPv4Params()
        self.ipv6_params = IPsecIPv6Params()

        self.params = {
            self.ipv4_params.addr_type: self.ipv4_params,
            self.ipv6_params.addr_type: self.ipv6_params
        }

        # Same algorithm, key and salt for both address families; the flag is
        # OR-ed into the default flags.
        for _, p in self.params.items():
            p.auth_algo_vpp_id = algo['vpp-integ']
            p.crypt_algo_vpp_id = algo['vpp-crypto']
            p.crypt_algo = algo['scapy-crypto']
            p.auth_algo = algo['scapy-integ']
            p.crypt_key = algo['key']
            p.salt = algo['salt']
            p.flags = p.flags | flag

        self.reporter.send_keep_alive(self)

        #
        # configure the SPDs, SAs, etc
        #
        self.config_network(self.params.values())

        #
        # run some traffic.
        #  An exhaustive 4o6, 6o4 is not necessary
        #  for each algo
        #
        self.verify_tra_basic6(count=NUM_PKTS)
        self.verify_tra_basic4(count=NUM_PKTS)
        self.verify_tun_66(self.params[socket.AF_INET6], count=NUM_PKTS)
        self.verify_tun_44(self.params[socket.AF_INET], count=NUM_PKTS)

        # Payload sizes chosen to exercise chained-buffer handling around the
        # ICV in the decrypt path.
        LARGE_PKT_SZ = [
            1970,  # results in 2 chained buffers entering decrypt node
            # but leaving as simple buffer due to ICV removal (tra4)
            4010,  # ICV ends up split across 2 buffers in esp_decrypt
            # for transport4; transport6 takes normal path
            4020,  # same as above but tra4 and tra6 are switched
        ]
        # NOTE(review): the gate reads self.engine, not the engine argument
        # used for the CLI command above; confirm callers keep them equal.
        if self.engine in engines_supporting_chain_bufs:
            for sz in LARGE_PKT_SZ:
                self.verify_tra_basic4(count=NUM_PKTS, payload_size=sz)
                self.verify_tra_basic6(count=NUM_PKTS, payload_size=sz)
                self.verify_tun_66(self.params[socket.AF_INET6],
                                   count=NUM_PKTS,
                                   payload_size=sz)
                self.verify_tun_44(self.params[socket.AF_INET],
                                   count=NUM_PKTS,
                                   payload_size=sz)

        #
        # remove the SPDs, SAs, etc
        #
        self.unconfig_network()

        #
        # reconfigure the network and SA to run the
        # anti replay tests
        # (presumably so the SAs start from fresh sequence-number state;
        # confirm against verify_tra_anti_replay)
        #
        self.config_network(self.params.values())
        self.verify_tra_anti_replay()
        self.unconfig_network()
Exemple #10
    def run_a_test(self, engine, flag, algo, payload_size=None):
        """Run traffic, padding, large-packet and anti-replay checks.

        Args:
            engine: crypto engine name; "ia32" is rewritten to "native" before
                it is interpolated into ``set crypto handler all <engine>``.
            flag: SA flag value OR-ed into each parameter set's flags.
            algo: dict read with the keys 'vpp-integ', 'vpp-crypto',
                'scapy-crypto', 'scapy-integ', 'key' and 'salt'.
            payload_size: payload size for the first IPv4 tunnel check; when
                None, a size giving an odd-length packet is computed instead.
        """
        # Callers may still pass the older "ia32" name.
        if engine == "ia32":
            engine = "native"
        # engine is formatted into the CLI string unescaped; callers are
        # expected to pass a fixed engine name, not external input.
        self.vapi.cli("set crypto handler all %s" % engine)

        self.ipv4_params = IPsecIPv4Params()
        self.ipv6_params = IPsecIPv6Params()

        self.params = {
            self.ipv4_params.addr_type: self.ipv4_params,
            self.ipv6_params.addr_type: self.ipv6_params
        }

        # Same algorithm, key and salt for both address families; the flag is
        # OR-ed into the default flags.
        for _, p in self.params.items():
            p.auth_algo_vpp_id = algo['vpp-integ']
            p.crypt_algo_vpp_id = algo['vpp-crypto']
            p.crypt_algo = algo['scapy-crypto']
            p.auth_algo = algo['scapy-integ']
            p.crypt_key = algo['key']
            p.salt = algo['salt']
            p.flags = p.flags | flag

        self.reporter.send_keep_alive(self)

        #
        # configure the SPDs, SAs, etc
        #
        self.config_network(self.params.values())

        #
        # run some traffic.
        #  An exhaustive 4o6, 6o4 is not necessary
        #  for each algo
        #
        self.verify_tra_basic6(count=NUM_PKTS)
        self.verify_tra_basic4(count=NUM_PKTS)
        self.verify_tun_66(self.params[socket.AF_INET6], count=NUM_PKTS)
        #
        # Use an odd-byte payload size to check for correct padding.
        #
        # 49 + 2 == 51 which should pad +1 to 52 for 4 byte alignment, +5
        # to 56 for 8 byte alignment, and +13 to 64 for 64 byte alignment.
        # This should catch bugs where the code is incorrectly over-padding
        # for algorithms that don't require it
        #
        # (the +2 is presumably the ESP trailer's pad-length and next-header
        # bytes; len(IP() / ICMP()) removes the header bytes so the whole
        # inner packet, not just the payload, comes to 49 bytes)
        psz = 49 - len(IP() / ICMP()) if payload_size is None else payload_size
        self.verify_tun_44(self.params[socket.AF_INET],
                           count=NUM_PKTS,
                           payload_size=psz)

        # Payload sizes chosen to exercise chained-buffer handling around the
        # ESP footer and ICV.
        LARGE_PKT_SZ = [
            1970,  # results in 2 chained buffers entering decrypt node
            # but leaving as simple buffer due to ICV removal (tra4)
            2004,  # footer+ICV will be added to 2nd buffer (tun4)
            4010,  # ICV ends up split across 2 buffers in esp_decrypt
            # for transport4; transport6 takes normal path
            4020,  # same as above but tra4 and tra6 are switched
        ]
        # NOTE(review): the gate reads self.engine, not the local engine that
        # was possibly remapped to "native" above; confirm the two cannot
        # disagree in a way that silently skips these cases.
        if self.engine in engines_supporting_chain_bufs:
            for sz in LARGE_PKT_SZ:
                self.verify_tra_basic4(count=NUM_PKTS, payload_size=sz)
                self.verify_tra_basic6(count=NUM_PKTS, payload_size=sz)
                self.verify_tun_66(self.params[socket.AF_INET6],
                                   count=NUM_PKTS,
                                   payload_size=sz)
                self.verify_tun_44(self.params[socket.AF_INET],
                                   count=NUM_PKTS,
                                   payload_size=sz)

        #
        # remove the SPDs, SAs, etc
        #
        self.unconfig_network()

        #
        # reconfigure the network and SA to run the
        # anti replay tests
        # (presumably so the SAs start from fresh sequence-number state;
        # confirm against verify_tra_anti_replay)
        #
        self.config_network(self.params.values())
        self.verify_tra_anti_replay()
        self.unconfig_network()
Exemple #11
    def test_gso_ipsec(self):
        """ GSO IPSEC test """
        #
        # Send jumbo frame with gso enabled only on input interface and
        # create IPIP tunnel on VPP pg0.
        #
        # Four cases are run in order: inner IPv4 and inner IPv6 over an
        # ESP-protected IPv4 tunnel (ipip4), then the same two over an
        # ESP-protected IPv6 tunnel (ipip6). In each case a single packet with
        # a 65200-byte TCP payload is sent in on pg2 and 45 ESP packets are
        # expected on pg0.
        #
        # NOTE(review): setup and teardown are inline with no try/finally, so
        # a failed assertion leaves the tunnel, SAs and routes configured
        # unless tearDown removes them; confirm.
        #

        #
        # enable ipip4
        #
        self.ipip4.add_vpp_config()
        self.vapi.feature_gso_enable_disable(
            sw_if_index=self.ipip4.sw_if_index, enable_disable=1)

        # Add IPv4 routes via tunnel interface
        self.ip4_via_ip4_tunnel = VppIpRoute(self, "172.16.10.0", 24, [
            VppRoutePath("0.0.0.0",
                         self.ipip4.sw_if_index,
                         proto=FibPathProto.FIB_PATH_NH_PROTO_IP4)
        ])
        self.ip4_via_ip4_tunnel.add_vpp_config()

        # IPSec config
        # Algorithms and keys are whatever IPsecIPv4Params defaults to; this
        # test does not override them.
        self.ipv4_params = IPsecIPv4Params()
        self.encryption_type = ESP
        config_tun_params(self.ipv4_params, self.encryption_type, self.ipip4)

        # SA created with the VPP-side SA id and SPI.
        self.tun_sa_in_v4 = VppIpsecSA(
            self, self.ipv4_params.vpp_tun_sa_id, self.ipv4_params.vpp_tun_spi,
            self.ipv4_params.auth_algo_vpp_id, self.ipv4_params.auth_key,
            self.ipv4_params.crypt_algo_vpp_id, self.ipv4_params.crypt_key,
            VppEnum.vl_api_ipsec_proto_t.IPSEC_API_PROTO_ESP)
        self.tun_sa_in_v4.add_vpp_config()

        # SA created with the scapy-side SA id and SPI; this is the SPI the
        # received packets are checked against below.
        self.tun_sa_out_v4 = VppIpsecSA(
            self, self.ipv4_params.scapy_tun_sa_id,
            self.ipv4_params.scapy_tun_spi, self.ipv4_params.auth_algo_vpp_id,
            self.ipv4_params.auth_key, self.ipv4_params.crypt_algo_vpp_id,
            self.ipv4_params.crypt_key,
            VppEnum.vl_api_ipsec_proto_t.IPSEC_API_PROTO_ESP)
        self.tun_sa_out_v4.add_vpp_config()

        # Bind the SA pair to the tunnel interface.
        self.tun_protect_v4 = VppIpsecTunProtect(self, self.ipip4,
                                                 self.tun_sa_out_v4,
                                                 [self.tun_sa_in_v4])

        self.tun_protect_v4.add_vpp_config()

        # Set interface up and enable IP on it
        self.ipip4.admin_up()
        self.ipip4.set_unnumbered(self.pg0.sw_if_index)

        #
        # IPv4/IPv4 - IPSEC
        #
        ipsec44 = (Ether(src=self.pg2.remote_mac, dst="02:fe:60:1e:a2:79") /
                   IP(src=self.pg2.remote_ip4, dst="172.16.10.3", flags='DF') /
                   TCP(sport=1234, dport=1234) / Raw(b'\xa5' * 65200))

        rxs = self.send_and_expect(self.pg2, [ipsec44], self.pg0, 45)
        size = 0
        for rx in rxs:
            # Outer headers: pg0 addressing, ESP protocol, expected SPI.
            self.assertEqual(rx[Ether].src, self.pg0.local_mac)
            self.assertEqual(rx[Ether].dst, self.pg0.remote_mac)
            self.assertEqual(rx[IP].src, self.pg0.local_ip4)
            self.assertEqual(rx[IP].dst, self.pg0.remote_ip4)
            self.assertEqual(rx[IP].proto, 50)  # ESP
            self.assertEqual(rx[ESP].spi, self.ipv4_params.scapy_tun_spi)
            # Decrypt with the scapy-side SA (presumably created by
            # config_tun_params; confirm) and check the inner addresses.
            inner = self.ipv4_params.vpp_tun_sa.decrypt(rx[IP])
            self.assertEqual(inner[IP].src, self.pg2.remote_ip4)
            self.assertEqual(inner[IP].dst, "172.16.10.3")
            # IPv4 total length minus a 20-byte IP header and a 20-byte TCP
            # header (assumes no options in either).
            size += inner[IP].len - 20 - 20
        # Every payload byte must be accounted for across the segments.
        self.assertEqual(size, 65200)

        self.ip6_via_ip4_tunnel = VppIpRoute(self, "fd01:10::", 64, [
            VppRoutePath("::",
                         self.ipip4.sw_if_index,
                         proto=FibPathProto.FIB_PATH_NH_PROTO_IP6)
        ])
        self.ip6_via_ip4_tunnel.add_vpp_config()
        #
        # IPv4/IPv6 - IPSEC
        # (inner IPv6 packet carried over the IPv4 tunnel)
        #
        ipsec46 = (Ether(src=self.pg2.remote_mac, dst="02:fe:60:1e:a2:79") /
                   IPv6(src=self.pg2.remote_ip6, dst="fd01:10::3") /
                   TCP(sport=1234, dport=1234) / Raw(b'\xa5' * 65200))

        rxs = self.send_and_expect(self.pg2, [ipsec46], self.pg0, 45)
        size = 0
        for rx in rxs:
            self.assertEqual(rx[Ether].src, self.pg0.local_mac)
            self.assertEqual(rx[Ether].dst, self.pg0.remote_mac)
            self.assertEqual(rx[IP].src, self.pg0.local_ip4)
            self.assertEqual(rx[IP].dst, self.pg0.remote_ip4)
            self.assertEqual(rx[IP].proto, 50)  # ESP
            self.assertEqual(rx[ESP].spi, self.ipv4_params.scapy_tun_spi)
            inner = self.ipv4_params.vpp_tun_sa.decrypt(rx[IP])
            self.assertEqual(inner[IPv6].src, self.pg2.remote_ip6)
            self.assertEqual(inner[IPv6].dst, "fd01:10::3")
            # IPv6 plen excludes the IPv6 header, so only the 20-byte TCP
            # header is subtracted.
            size += inner[IPv6].plen - 20
        self.assertEqual(size, 65200)

        # disable IPSec
        self.tun_protect_v4.remove_vpp_config()
        self.tun_sa_in_v4.remove_vpp_config()
        self.tun_sa_out_v4.remove_vpp_config()

        #
        # disable ipip4
        #
        self.vapi.feature_gso_enable_disable(self.ipip4.sw_if_index,
                                             enable_disable=0)
        self.ip4_via_ip4_tunnel.remove_vpp_config()
        self.ip6_via_ip4_tunnel.remove_vpp_config()
        self.ipip4.remove_vpp_config()

        #
        # enable ipip6
        #
        self.ipip6.add_vpp_config()
        self.vapi.feature_gso_enable_disable(self.ipip6.sw_if_index,
                                             enable_disable=1)

        # Set interface up and enable IP on it
        self.ipip6.admin_up()
        self.ipip6.set_unnumbered(self.pg0.sw_if_index)

        # Add IPv4 routes via tunnel interface
        self.ip4_via_ip6_tunnel = VppIpRoute(self, "172.16.10.0", 24, [
            VppRoutePath("0.0.0.0",
                         self.ipip6.sw_if_index,
                         proto=FibPathProto.FIB_PATH_NH_PROTO_IP4)
        ])
        self.ip4_via_ip6_tunnel.add_vpp_config()

        # IPSec config
        # Same pattern as the IPv4 tunnel above, using the IPsecIPv6Params
        # defaults.
        self.ipv6_params = IPsecIPv6Params()
        self.encryption_type = ESP
        config_tun_params(self.ipv6_params, self.encryption_type, self.ipip6)
        self.tun_sa_in_v6 = VppIpsecSA(
            self, self.ipv6_params.vpp_tun_sa_id, self.ipv6_params.vpp_tun_spi,
            self.ipv6_params.auth_algo_vpp_id, self.ipv6_params.auth_key,
            self.ipv6_params.crypt_algo_vpp_id, self.ipv6_params.crypt_key,
            VppEnum.vl_api_ipsec_proto_t.IPSEC_API_PROTO_ESP)
        self.tun_sa_in_v6.add_vpp_config()

        self.tun_sa_out_v6 = VppIpsecSA(
            self, self.ipv6_params.scapy_tun_sa_id,
            self.ipv6_params.scapy_tun_spi, self.ipv6_params.auth_algo_vpp_id,
            self.ipv6_params.auth_key, self.ipv6_params.crypt_algo_vpp_id,
            self.ipv6_params.crypt_key,
            VppEnum.vl_api_ipsec_proto_t.IPSEC_API_PROTO_ESP)
        self.tun_sa_out_v6.add_vpp_config()

        self.tun_protect_v6 = VppIpsecTunProtect(self, self.ipip6,
                                                 self.tun_sa_out_v6,
                                                 [self.tun_sa_in_v6])

        self.tun_protect_v6.add_vpp_config()

        #
        # IPv6/IPv4 - IPSEC
        # (inner IPv4 packet carried over the IPv6 tunnel)
        #
        ipsec64 = (Ether(src=self.pg2.remote_mac, dst="02:fe:60:1e:a2:79") /
                   IP(src=self.pg2.remote_ip4, dst="172.16.10.3", flags='DF') /
                   TCP(sport=1234, dport=1234) / Raw(b'\xa5' * 65200))

        rxs = self.send_and_expect(self.pg2, [ipsec64], self.pg0, 45)
        size = 0
        for rx in rxs:
            self.assertEqual(rx[Ether].src, self.pg0.local_mac)
            self.assertEqual(rx[Ether].dst, self.pg0.remote_mac)
            self.assertEqual(rx[IPv6].src, self.pg0.local_ip6)
            self.assertEqual(rx[IPv6].dst, self.pg0.remote_ip6)
            # The outer IPv6 next-header must name ESP.
            self.assertEqual(ipv6nh[rx[IPv6].nh], "ESP Header")
            self.assertEqual(rx[ESP].spi, self.ipv6_params.scapy_tun_spi)
            inner = self.ipv6_params.vpp_tun_sa.decrypt(rx[IPv6])
            self.assertEqual(inner[IP].src, self.pg2.remote_ip4)
            self.assertEqual(inner[IP].dst, "172.16.10.3")
            # IPv4 total length minus 20-byte IP and 20-byte TCP headers.
            size += inner[IP].len - 20 - 20
        self.assertEqual(size, 65200)

        self.ip6_via_ip6_tunnel = VppIpRoute(self, "fd01:10::", 64, [
            VppRoutePath("::",
                         self.ipip6.sw_if_index,
                         proto=FibPathProto.FIB_PATH_NH_PROTO_IP6)
        ])
        self.ip6_via_ip6_tunnel.add_vpp_config()

        #
        # IPv6/IPv6 - IPSEC
        #
        ipsec66 = (Ether(src=self.pg2.remote_mac, dst="02:fe:60:1e:a2:79") /
                   IPv6(src=self.pg2.remote_ip6, dst="fd01:10::3") /
                   TCP(sport=1234, dport=1234) / Raw(b'\xa5' * 65200))

        rxs = self.send_and_expect(self.pg2, [ipsec66], self.pg0, 45)
        size = 0
        for rx in rxs:
            self.assertEqual(rx[Ether].src, self.pg0.local_mac)
            self.assertEqual(rx[Ether].dst, self.pg0.remote_mac)
            self.assertEqual(rx[IPv6].src, self.pg0.local_ip6)
            self.assertEqual(rx[IPv6].dst, self.pg0.remote_ip6)
            self.assertEqual(ipv6nh[rx[IPv6].nh], "ESP Header")
            self.assertEqual(rx[ESP].spi, self.ipv6_params.scapy_tun_spi)
            inner = self.ipv6_params.vpp_tun_sa.decrypt(rx[IPv6])
            self.assertEqual(inner[IPv6].src, self.pg2.remote_ip6)
            self.assertEqual(inner[IPv6].dst, "fd01:10::3")
            # IPv6 plen minus the 20-byte TCP header.
            size += inner[IPv6].plen - 20
        self.assertEqual(size, 65200)

        # disable IPSec
        self.tun_protect_v6.remove_vpp_config()
        self.tun_sa_in_v6.remove_vpp_config()
        self.tun_sa_out_v6.remove_vpp_config()

        #
        # disable ipip6
        #
        self.ip4_via_ip6_tunnel.remove_vpp_config()
        self.ip6_via_ip6_tunnel.remove_vpp_config()
        self.ipip6.remove_vpp_config()

        # NOTE(review): GSO was enabled on ipip6 above but is disabled here on
        # pg0, and no matching enable on pg0 is visible in this method;
        # presumably pg0 is enabled elsewhere (e.g. setUp); confirm.
        self.vapi.feature_gso_enable_disable(self.pg0.sw_if_index,
                                             enable_disable=0)