def packet_dst_in(dsts, p):
dsts = isinstance(dsts, list) and dsts or [dsts]
for d in dsts:
d = IPAddress.identify(d)
if d.version() == 4 and p.haslayer(IP) and IPAddress.identify(p.getlayer(IP).dst) == d:
return True
elif d.version() == 6 and p.haslayer(IPv6) and IPAddress.identify(p.getlayer(IPv6).dst) == d:
return True
return False
def packet_src_in(srcs, p):
srcs = isinstance(srcs, list) and srcs or [srcs]
for s in srcs:
s = IPAddress.identify(s)
if s.version() == 4 and p.haslayer(IP) and IPAddress.identify(p.getlayer(IP).src) == s:
return True
elif s.version() == 6 and p.haslayer(IPv6) and IPAddress.identify(p.getlayer(IPv6).src) == s:
return True
return False
def run(self):
# This relies on SEND - Ping it so it sends an NS
self.logger.info(
"Sending an ICMPv6 Echo Request to the UUT, to trigger a Secure Neighbor Solicitation..."
)
self.node(1).send(
IPv6(src=str(self.node(1).link_local_ip()),
dst=str(self.target(1).link_local_ip())) /
ICMPv6EchoRequest(seq=self.next_seq()))
self.logger.info("Checking for a signed CGA packet...")
cga_packets = self.node(1).received(src=self.target(1).link_local_ip(),
dst=self.node(1).link_local_ip(),
type=ICMPv6NDOptCGA,
timeout=120)
assertGreaterThanOrEqualTo(
1, len(cga_packets), "expect to receive one-or-more CGA packets")
self.logger.info("Receive a CGA packet. Verifying it:")
cga_layer = cga_packets[0][ICMPv6NDOptCGA]
self.logger.info("Checking Collision count is in range...")
assertTrue(cga_layer.collision in [0, 1, 2],
"expected Collision Count to be 0, 1 or 2")
iface_identifier = inet_pton(socket.AF_INET6,
IPAddress.identify(
cga_packets[0].src).ip)[8:]
prefix = IPAddress.identify(cga_packets[0].src).network()
# check the CGA subnet prefix(mask) is equal to the subnet prefix
self.logger.info("Checking the Subnet Prefix Mask...")
assertEqual(str(Network(cga_layer.mask)), prefix,
"expected the CGA Prefix to match the Address Prefix")
self.logger.info("Checking Hash One...")
hash1 = self.hash_one(cga_layer)
mask1 = '\x1c\xff\xff\xff\xff\xff\xff\xff' # RFC3972, Section 2
# Hash1 & Mask1 == Interface Identifier & Mask1, last 7 octets should match exactly
assertEqual(self.and_byte_strings(hash1, mask1),
self.and_byte_strings(iface_identifier, mask1),
"expected hash1 to match the interface identifier")
assertEqual(hash1[7:], iface_identifier[7:],
"expected hash1 to match the interface identifier")
self.logger.info("Checking Hash Two...")
hash2 = self.hash_two(cga_layer)
sec = (ord(iface_identifier[0]) >> 5) & 0x07
mask2 = '\xff\xff' * sec + '\x00\x00' * (
7 - sec) # 112bit mask as in RFC 3972, Section 2
# Hash2 & Mask2 == 0x0000000000000000000000000000
assertEqual(self.and_byte_strings(hash2, mask2), '\x00\x00' * 7,
"expected hash2 & mask2 to be zero")
def packet_src_in(srcs, p):
srcs = isinstance(srcs, list) and srcs or [srcs]
for s in srcs:
s = IPAddress.identify(s)
if s.version() == 4 and p.haslayer(IP) and IPAddress.identify(
p.getlayer(IP).src) == s:
return True
elif s.version() == 6 and p.haslayer(
IPv6) and IPAddress.identify(
p.getlayer(IPv6).src) == s:
return True
return False
def packet_dst_in(dsts, p):
dsts = isinstance(dsts, list) and dsts or [dsts]
for d in dsts:
d = IPAddress.identify(d)
if d.version() == 4 and p.haslayer(IP) and IPAddress.identify(
p.getlayer(IP).dst) == d:
return True
elif d.version() == 6 and p.haslayer(
IPv6) and IPAddress.identify(
p.getlayer(IPv6).dst) == d:
return True
return False
def __forward_to_if1(self, packet_or_frame, iface):
if any(
map(
lambda n: (packet_or_frame.haslayer(
IP) or packet_or_frame.haslayer(IPv6)) and str(
IPAddress.identify(packet_or_frame.dst)) in n,
self.__forwards_to_1)):
self.__forward_from_to(0, 1, packet_or_frame)
def append(self, ip):
if not isinstance(ip, IPAddress):
ip = IPAddress.identify(ip)
if not str(ip) in self:
if ip.version() == 4:
self.__v4_ips.append(ip)
elif ip.version() == 6 and not ip.is_tunnel() and not ip.is_v4_mapped():
self.__v6_ips.append(ip)
elif ip.version() == 6 and ip.is_tunnel():
self.__v6_tunnel_ips.append(ip)
elif ip.version() == 6 and ip.is_v4_mapped():
self.__v4_mapped_ips.append(ip)
def append(self, ip):
if not isinstance(ip, IPAddress):
ip = IPAddress.identify(ip)
if not str(ip) in self:
if ip.version() == 4:
self.__v4_ips.append(ip)
elif ip.version(
) == 6 and not ip.is_tunnel() and not ip.is_v4_mapped():
self.__v6_ips.append(ip)
elif ip.version() == 6 and ip.is_tunnel():
self.__v6_tunnel_ips.append(ip)
elif ip.version() == 6 and ip.is_v4_mapped():
self.__v4_mapped_ips.append(ip)
def run(self):
# This relies on SEND - Ping it so it sends an NS
self.logger.info("Sending an ICMPv6 Echo Request to the UUT, to trigger a Secure Neighbor Solicitation...")
self.node(1).send(
IPv6(src=str(self.node(1).link_local_ip()), dst=str(self.target(1).link_local_ip()))/
ICMPv6EchoRequest(seq=self.next_seq()))
self.logger.info("Checking for a signed CGA packet...")
cga_packets = self.node(1).received(src=self.target(1).link_local_ip(), dst=self.node(1).link_local_ip(), type=ICMPv6NDOptCGA, timeout=120)
assertGreaterThanOrEqualTo(1, len(cga_packets), "expect to receive one-or-more CGA packets")
self.logger.info("Receive a CGA packet. Verifying it:")
cga_layer = cga_packets[0][ICMPv6NDOptCGA]
self.logger.info("Checking Collision count is in range...")
assertTrue(cga_layer.collision in [0,1,2], "expected Collision Count to be 0, 1 or 2")
iface_identifier = inet_pton(socket.AF_INET6, IPAddress.identify(cga_packets[0].src).ip)[8:]
prefix = IPAddress.identify(cga_packets[0].src).network()
# check the CGA subnet prefix(mask) is equal to the subnet prefix
self.logger.info("Checking the Subnet Prefix Mask...")
assertEqual(str(Network(cga_layer.mask)), prefix, "expected the CGA Prefix to match the Address Prefix")
self.logger.info("Checking Hash One...")
hash1 = self.hash_one(cga_layer)
mask1 = '\x1c\xff\xff\xff\xff\xff\xff\xff' # RFC3972, Section 2
# Hash1 & Mask1 == Interface Identifier & Mask1, last 7 octets should match exactly
assertEqual(self.and_byte_strings(hash1, mask1), self.and_byte_strings(iface_identifier, mask1), "expected hash1 to match the interface identifier")
assertEqual(hash1[7:], iface_identifier[7:], "expected hash1 to match the interface identifier")
self.logger.info("Checking Hash Two...")
hash2 = self.hash_two(cga_layer)
sec = (ord(iface_identifier[0]) >> 5) & 0x07
mask2 = '\xff\xff'*sec + '\x00\x00'*(7-sec) # 112bit mask as in RFC 3972, Section 2
# Hash2 & Mask2 == 0x0000000000000000000000000000
assertEqual(self.and_byte_strings(hash2, mask2), '\x00\x00'*7, "expected hash2 & mask2 to be zero")
def __forward_to_if1(self, packet_or_frame, iface):
if any(map(lambda n: (packet_or_frame.haslayer(IP) or packet_or_frame.haslayer(IPv6)) and str(IPAddress.identify(packet_or_frame.dst)) in n, self.__forwards_to_1)):
self.__forward_from_to(0, 1, packet_or_frame)
