author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-21 11:54:28 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-21 11:54:28 +0000 |
commit | e6918187568dbd01842d8d1d2c808ce16a894239 (patch) | |
tree | 64f88b554b444a49f656b6c656111a145cbbaa28 /src/spdk/dpdk/examples/ipsec-secgw/test | |
parent | Initial commit. (diff) | |
Adding upstream version 18.2.2.upstream/18.2.2
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/spdk/dpdk/examples/ipsec-secgw/test')
27 files changed, 3409 insertions, 0 deletions
diff --git a/src/spdk/dpdk/examples/ipsec-secgw/test/bypass_defs.sh b/src/spdk/dpdk/examples/ipsec-secgw/test/bypass_defs.sh new file mode 100644 index 000000000..e553635b9 --- /dev/null +++ b/src/spdk/dpdk/examples/ipsec-secgw/test/bypass_defs.sh @@ -0,0 +1,46 @@ +#! /bin/bash +# SPDX-License-Identifier: BSD-3-Clause + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_null0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat <<EOF > ${SGW_CFG_FILE} + +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} + +SGW_CMD_XPRM='-w 300 -l' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm +} diff --git a/src/spdk/dpdk/examples/ipsec-secgw/test/common_defs.sh b/src/spdk/dpdk/examples/ipsec-secgw/test/common_defs.sh new file mode 100644 index 000000000..df680805b --- /dev/null +++ b/src/spdk/dpdk/examples/ipsec-secgw/test/common_defs.sh 
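Review bot: `config_remote_xfrm` runs `ip xfrm policy flush` and `ip xfrm state flush` over ssh on `${REMOTE_HOST}`, which discards every IPsec policy and SA on the DUT, not only the entries this harness would otherwise install, and nothing in this file restores them afterwards. The function deserves a comment making that explicit, e.g. `# NOTE: clears ALL xfrm policies/SAs on REMOTE_HOST, not just test entries; use a dedicated DUT`. The `list` calls that follow are only there to echo the (now empty) tables into the log, which is fine but also worth a one-line comment so nobody reads them as a check.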
@@ -0,0 +1,231 @@ +#! /bin/bash +# SPDX-License-Identifier: BSD-3-Clause + +# check ETH_DEV +if [[ -z "${ETH_DEV}" ]]; then + echo "ETH_DEV is invalid" + exit 127 +fi + +# check that REMOTE_HOST is reachable +ssh ${REMOTE_HOST} echo +st=$? +if [[ $st -ne 0 ]]; then + echo "host ${REMOTE_HOST} is not reachable" + exit $st +fi + +# get ether addr of REMOTE_HOST +REMOTE_MAC=`ssh ${REMOTE_HOST} ip addr show dev ${REMOTE_IFACE}` +st=$? +REMOTE_MAC=`echo ${REMOTE_MAC} | sed -e 's/^.*ether //' -e 's/ brd.*$//'` +if [[ $st -ne 0 || -z "${REMOTE_MAC}" ]]; then + echo "coouldn't retrieve ether addr from ${REMOTE_IFACE}" + exit 127 +fi + +LOCAL_IFACE=dtap0 + +LOCAL_MAC="00:64:74:61:70:30" + +REMOTE_IPV4=192.168.31.14 +LOCAL_IPV4=192.168.31.92 + +REMOTE_IPV6=fd12:3456:789a:0031:0000:0000:0000:0014 +LOCAL_IPV6=fd12:3456:789a:0031:0000:0000:0000:0092 + +DPDK_PATH=${RTE_SDK:-${PWD}} +DPDK_BUILD=${RTE_TARGET:-x86_64-native-linux-gcc} +DPDK_VARS="" + +# by default ipsec-secgw can't deal with multi-segment packets +# make sure our local/remote host wouldn't generate fragmented packets +# if reassmebly option is not enabled +DEF_MTU_LEN=1400 +DEF_PING_LEN=1200 + +# set operation mode based on environment variables values +select_mode() +{ + echo "Test environment configuration:" + # check which mode to be enabled (library/legacy) + if [[ -n "${SGW_MODE}" && "${SGW_MODE}" == "library" ]]; then + DPDK_MODE="-w 300 -l" + echo "[enabled] library mode" + else + DPDK_MODE="" + echo "[enabled] legacy mode" + fi + + # check if esn is demanded + if [[ -n "${SGW_ESN}" && "${SGW_ESN}" == "esn-on" ]]; then + DPDK_VARS="${DPDK_VARS} -e" + XFRM_ESN="flag esn" + echo "[enabled] extended sequence number" + else + XFRM_ESN="" + echo "[disabled] extended sequence number" + fi + + # check if atom is demanded + if [[ -n "${SGW_ATOM}" && "${SGW_ATOM}" == "atom-on" ]]; then + DPDK_VARS="${DPDK_VARS} -a" + echo "[enabled] sequence number atomic behavior" + else + echo "[disabled] sequence number atomic 
behavior" + fi + + # check if inline should be enabled + if [[ -n "${SGW_CRYPTO}" && "${SGW_CRYPTO}" == "inline" ]]; then + CRYPTO_DEV='--vdev="crypto_null0"' + SGW_CFG_XPRM_IN="port_id 0 type inline-crypto-offload" + SGW_CFG_XPRM_OUT="port_id 0 type inline-crypto-offload" + echo "[enabled] inline crypto mode" + else + SGW_CFG_XPRM_IN="" + SGW_CFG_XPRM_OUT="" + echo "[disabled] inline crypto mode" + fi + + # check if fallback should be enabled + if [[ -n "${SGW_CRYPTO_FLBK}" ]] && [[ -n ${SGW_CFG_XPRM_IN} ]] \ + && [[ "${SGW_MODE}" == "library" ]] \ + && [[ "${SGW_CRYPTO_FLBK}" == "cpu-crypto" \ + || "${SGW_CRYPTO_FLBK}" == "lookaside-none" ]]; then + CRYPTO_DEV="" + SGW_CFG_XPRM_IN="${SGW_CFG_XPRM_IN} fallback ${SGW_CRYPTO_FLBK}" + SGW_CFG_XPRM_OUT="" + echo "[enabled] crypto fallback ${SGW_CRYPTO_FLBK} mode" + else + if [[ -n "${SGW_CRYPTO_FLBK}" \ + && "${SGW_CRYPTO}" != "inline" ]]; then + echo "SGW_CRYPTO variable needs to be set to \ +\"inline\" for ${SGW_CRYPTO_FLBK} fallback setting" + exit 127 + elif [[ -n "${SGW_CRYPTO_FLBK}" \ + && "${SGW_MODE}" != "library" ]]; then + echo "SGW_MODE variable needs to be set to \ +\"library\" for ${SGW_CRYPTO_FLBK} fallback setting" + exit 127 + fi + echo "[disabled] crypto fallback mode" + fi + + # select sync/async mode + if [[ -n "${CRYPTO_PRIM_TYPE}" && -n "${DPDK_MODE}" ]]; then + echo "[enabled] crypto primary type - ${CRYPTO_PRIM_TYPE}" + SGW_CFG_XPRM_IN="${SGW_CFG_XPRM_IN} type ${CRYPTO_PRIM_TYPE}" + SGW_CFG_XPRM_OUT="${SGW_CFG_XPRM_OUT} type ${CRYPTO_PRIM_TYPE}" + else + if [[ -n "${CRYPTO_PRIM_TYPE}" \ + && "${SGW_MODE}" != "library" ]]; then + echo "SGW_MODE variable needs to be set to \ +\"library\" for ${CRYPTO_PRIM_TYPE} crypto primary type setting" + exit 127 + fi + fi + + + # make linux to generate fragmented packets + if [[ -n "${SGW_MULTI_SEG}" && -n "${DPDK_MODE}" ]]; then + echo -e "[enabled] multi-segment test is enabled\n" + SGW_CMD_XPRM="--reassemble ${SGW_MULTI_SEG}" + PING_LEN=5000 + MTU_LEN=1500 
+ else + if [[ -z "${SGW_MULTI_SEG}" \ + && "${SGW_CFG_XPRM_IN}" == *fallback* ]]; then + echo "SGW_MULTI_SEG environment variable needs \ +to be set for ${SGW_CRYPTO_FLBK} fallback test" + exit 127 + elif [[ -n "${SGW_MULTI_SEG}" \ + && "${SGW_MODE}" != "library" ]]; then + echo "SGW_MODE variable needs to be set to \ +\"library\" for multiple segment reassemble setting" + exit 127 + fi + + echo -e "[disabled] multi-segment test\n" + PING_LEN=${DEF_PING_LEN} + MTU_LEN=${DEF_MTU_LEN} + fi +} + +# setup mtu on local iface +set_local_mtu() +{ + mtu=$1 + ifconfig ${LOCAL_IFACE} mtu ${mtu} + sysctl -w net.ipv6.conf.${LOCAL_IFACE}.mtu=${mtu} +} + +# configure local host/ifaces +config_local_iface() +{ + ifconfig ${LOCAL_IFACE} ${LOCAL_IPV4}/24 up + ifconfig ${LOCAL_IFACE} + + ip neigh flush dev ${LOCAL_IFACE} + ip neigh add ${REMOTE_IPV4} dev ${LOCAL_IFACE} lladdr ${REMOTE_MAC} + ip neigh show dev ${LOCAL_IFACE} +} + +config6_local_iface() +{ + config_local_iface + + sysctl -w net.ipv6.conf.${LOCAL_IFACE}.disable_ipv6=0 + ip addr add ${LOCAL_IPV6}/64 dev ${LOCAL_IFACE} + + ip -6 neigh add ${REMOTE_IPV6} dev ${LOCAL_IFACE} lladdr ${REMOTE_MAC} + ip neigh show dev ${LOCAL_IFACE} +} + +# configure remote host/iface +config_remote_iface() +{ + ssh ${REMOTE_HOST} ifconfig ${REMOTE_IFACE} down + ssh ${REMOTE_HOST} ifconfig ${REMOTE_IFACE} ${REMOTE_IPV4}/24 up + ssh ${REMOTE_HOST} ifconfig ${REMOTE_IFACE} + + ssh ${REMOTE_HOST} ip neigh flush dev ${REMOTE_IFACE} + + ssh ${REMOTE_HOST} ip neigh add ${LOCAL_IPV4} \ + dev ${REMOTE_IFACE} lladdr ${LOCAL_MAC} + ssh ${REMOTE_HOST} ip neigh show dev ${REMOTE_IFACE} + + ssh ${REMOTE_HOST} iptables --flush +} + +config6_remote_iface() +{ + config_remote_iface + + ssh ${REMOTE_HOST} sysctl -w \ + net.ipv6.conf.${REMOTE_IFACE}.disable_ipv6=0 + ssh ${REMOTE_HOST} ip addr add ${REMOTE_IPV6}/64 dev ${REMOTE_IFACE} + + ssh ${REMOTE_HOST} ip -6 neigh add ${LOCAL_IPV6} \ + dev ${REMOTE_IFACE} lladdr ${LOCAL_MAC} + ssh ${REMOTE_HOST} ip neigh 
show dev ${REMOTE_IFACE} + + ssh ${REMOTE_HOST} ip6tables --flush +} + +# configure remote and local host/iface +config_iface() +{ + config_local_iface + config_remote_iface +} + +config6_iface() +{ + config6_local_iface + config6_remote_iface +} + +# secgw application parameters setup +SGW_PORT_CFG="--vdev=\"net_tap0,mac=fixed\" ${ETH_DEV}" +SGW_WAIT_DEV="${LOCAL_IFACE}" +. ${DIR}/common_defs_secgw.sh diff --git a/src/spdk/dpdk/examples/ipsec-secgw/test/common_defs_secgw.sh b/src/spdk/dpdk/examples/ipsec-secgw/test/common_defs_secgw.sh new file mode 100644 index 000000000..e431c8ee3 --- /dev/null +++ b/src/spdk/dpdk/examples/ipsec-secgw/test/common_defs_secgw.sh 
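Review bot: `config_remote_iface` ends with `ssh ${REMOTE_HOST} iptables --flush` and `config6_remote_iface` with `ssh ${REMOTE_HOST} ip6tables --flush`, which drop the DUT's entire packet-filter ruleset (all chains, all interfaces), and no function in this file ever restores it, so the remote host is left without its host firewall once the run finishes. Either restrict the change to the test interface or save and restore around the run, e.g. `ssh ${REMOTE_HOST} "iptables-save > <backup-file>"` before the flush and a matching `iptables-restore` in a remote teardown step (there is no remote teardown function here today). Separately, the `REMOTE_MAC` probe saves `$?` from the first backtick assignment and then overwrites `REMOTE_MAC` with the sed output, so in practice the `-z` test is what catches a missing address; the message on that path also misspells "couldn't". The enclosing `select_mode` function of this file starts in an earlier part of the hunk.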
@@ -0,0 +1,66 @@ +#!/bin/bash +# SPDX-License-Identifier: BSD-3-Clause + +# check required parameters +SGW_REQ_VARS="SGW_PATH SGW_PORT_CFG SGW_WAIT_DEV" +for reqvar in ${SGW_REQ_VARS} +do + if [[ -z "${!reqvar}" ]]; then + echo "Required parameter ${reqvar} is empty" + exit 127 + fi +done + +# check if SGW_PATH point to an executable +if [[ ! -x ${SGW_PATH} ]]; then + echo "${SGW_PATH} is not executable" + exit 127 +fi + +# setup SGW_LCORE +SGW_LCORE=${SGW_LCORE:-0} + +# setup config and output filenames +SGW_OUT_FILE=./ipsec-secgw.out1 +SGW_CFG_FILE=$(mktemp) + +# setup secgw parameters +SGW_CMD_EAL_PRM="--lcores=${SGW_LCORE} -n 4" +SGW_CMD_CFG="(0,0,${SGW_LCORE}),(1,0,${SGW_LCORE})" +SGW_CMD_PRM="-p 0x3 -u 1 -P --config=\"${SGW_CMD_CFG}\"" + +# start ipsec-secgw +secgw_start() +{ + SGW_EXEC_FILE=$(mktemp) + cat <<EOF > ${SGW_EXEC_FILE} +stdbuf -o0 ${SGW_PATH} ${SGW_CMD_EAL_PRM} ${CRYPTO_DEV} \ +${SGW_PORT_CFG} ${SGW_EAL_XPRM} \ +-- ${SGW_CMD_PRM} ${SGW_CMD_XPRM} -f ${SGW_CFG_FILE} > \ +${SGW_OUT_FILE} 2>&1 & +p=\$! +echo \$p +EOF + + cat ${SGW_EXEC_FILE} + cat ${SGW_CFG_FILE} + SGW_PID=`/bin/bash -x ${SGW_EXEC_FILE}` + + # wait till ipsec-secgw start properly + i=0 + st=1 + while [[ $i -ne 10 && $st -ne 0 ]]; do + sleep 1 + ifconfig ${SGW_WAIT_DEV} + st=$? + let i++ + done +} + +# stop ipsec-secgw and cleanup +secgw_stop() +{ + kill ${SGW_PID} + rm -f ${SGW_EXEC_FILE} + rm -f ${SGW_CFG_FILE} +} diff --git a/src/spdk/dpdk/examples/ipsec-secgw/test/data_rxtx.sh b/src/spdk/dpdk/examples/ipsec-secgw/test/data_rxtx.sh new file mode 100644 index 000000000..05090e344 --- /dev/null +++ b/src/spdk/dpdk/examples/ipsec-secgw/test/data_rxtx.sh 
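Review bot: The readiness loop at the end of `secgw_start` gives up silently: after ten iterations with `ifconfig ${SGW_WAIT_DEV}` still failing, `st` is non-zero but the function returns normally, so callers (linux_test.sh, pkttest.sh) go on to configure interfaces and push traffic at a gateway that never came up, and `SGW_PID` may already refer to a dead process. Add a check after the loop, `if [[ $st -ne 0 ]]; then echo "ipsec-secgw did not start: ${SGW_WAIT_DEV} not present"; return $st; fi`, and have the callers use `secgw_start || exit 1`. Note also that `cat ${SGW_CFG_FILE}` echoes the generated config, which per the `*_defs.sh` files carries the SA `cipher_key`/`auth_key` values, into the test output; with the fixed test vectors that is acceptable, but a comment should state that the log is not safe for real keys.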
@@ -0,0 +1,65 @@ +#! /bin/bash +# SPDX-License-Identifier: BSD-3-Clause + +TCP_PORT=22222 + +ping_test1() +{ + dst=$1 + i=${2:-0} + end=${3:-1200} + + st=0 + while [[ $i -ne $end && $st -eq 0 ]]; + do + ping -c 1 -s ${i} -M dont ${dst} + st=$? + let i++ + done + + if [[ $st -ne 0 ]]; then + echo "ERROR: $0 failed for dst=${dst}, sz=${i}" + fi + return $st; +} + +ping6_test1() +{ + dst=$1 + i=${2:-0} + end=${3:-1200} + + st=0 + while [[ $i -ne $end && $st -eq 0 ]]; + do + ping6 -c 1 -s ${i} -M dont ${dst} + st=$? + let i++ + done + + if [[ $st -ne 0 ]]; then + echo "ERROR: $0 failed for dst=${dst}, sz=${i}" + fi + return $st; +} + +scp_test1() +{ + dst=$1 + + for sz in 1234 23456 345678 4567890 56789102 ; do + x=`basename $0`.${sz} + dd if=/dev/urandom of=${x} bs=${sz} count=1 + scp ${x} [${dst}]:${x} + scp [${dst}]:${x} ${x}.copy1 + diff -u ${x} ${x}.copy1 + st=$? + rm -f ${x} ${x}.copy1 + ssh ${REMOTE_HOST} rm -f ${x} + if [[ $st -ne 0 ]]; then + return $st + fi + done + + return 0; +} diff --git a/src/spdk/dpdk/examples/ipsec-secgw/test/linux_test.sh b/src/spdk/dpdk/examples/ipsec-secgw/test/linux_test.sh new file mode 100644 index 000000000..85dbf7e8a --- /dev/null +++ b/src/spdk/dpdk/examples/ipsec-secgw/test/linux_test.sh 
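Review bot: In `scp_test1` the payload is produced with `dd if=/dev/urandom of=${x} bs=${sz} count=1`, and with `count=1` dd writes whatever a single read() returns; as far as I recall Linux caps one /dev/urandom read well below 56789102 bytes, so the larger cases produce a shorter file than `sz` and are not exercised at the intended size, while the test still passes because `diff` compares the same truncated file against its copy. Use `dd if=/dev/urandom of=${x} bs=${sz} count=1 iflag=fullblock` (or `head -c ${sz} /dev/urandom > ${x}`) to get the full length. The ping loops also print `$0` in their error line, which is the calling script's name rather than the function; `ERROR: ${FUNCNAME[0]} failed for dst=${dst}, sz=${i}` would identify the failing case.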
@@ -0,0 +1,141 @@ +#! /bin/bash +# SPDX-License-Identifier: BSD-3-Clause + +# Usage: /bin/bash linux_test.sh <ip_protocol> <ipsec_mode> +# <ip_protocol> can be set to: +# ipv4-ipv4 - only IPv4 traffic +# ipv4-ipv6 - IPv4 traffic over IPv6 ipsec tunnel (only for tunnel mode) +# ipv6-ipv4 - IPv6 traffic over IPv4 ipsec tunnel (only for tunnel mode) +# ipv6-ipv6 - only IPv6 traffic +# For list of available modes please refer to run_test.sh. +# +# Note that most of them require appropriate crypto PMD/device to be available. +# Also user has to setup properly the following environment variables: +# SGW_PATH - path to the ipsec-secgw binary to test +# REMOTE_HOST - ip/hostname of the DUT +# REMOTE_IFACE - iface name for the test-port on DUT +# ETH_DEV - ethernet device to be used on SUT by DPDK ('-w <pci-id>') +# Also user can optionally setup: +# SGW_LCORE - lcore to run ipsec-secgw on (default value is 0) +# SGW_MODE - run ipsec-secgw in legacy mode or with use of library +# values: legacy/library (legacy on default) +# SGW_ESN - run ipsec-secgw with extended sequence number +# values: esn-on/esn-off (esn-off on default) +# SGW_ATOM - run ipsec-secgw with sequence number atomic behavior +# values: atom-on/atom-off (atom-off on default) +# SGW_CRYPTO - run ipsec-secgw with use of inline crypto +# values: inline (unset on default) +# SGW_CRYPTO_FLBK - run ipsec-secgw with crypto fallback configured +# values: cpu-crypto/lookaside-none (unset on default) +# CRYPTO_PRIM_TYPE - run ipsec-secgw with crypto primary type set +# values: cpu-crypto (unset on default) +# CRYPTO_DEV - crypto device to be used ('-w <pci-id>') +# if none specified appropriate vdevs will be created by the script +# SGW_MULTI_SEG - ipsec-secgw option to enable reassembly support and +# specify size of reassembly table (i.e. SGW_MULTI_SEG=128) +# +# The purpose of the script is to automate ipsec-secgw testing +# using another system running linux as a DUT. 
+# It expects that SUT and DUT are connected through at least 2 NICs. +# One NIC is expected to be managed by linux both machines, +# and will be used as a control path +# Make sure user from SUT can ssh to DUT without entering password. +# Second NIC (test-port) should be reserved for DPDK on SUT, +# and should be managed by linux on DUT. +# The script starts ipsec-secgw with 2 NIC devices: test-port and tap vdev. +# Then configures local tap iface and remote iface and ipsec policies +# in the following way: +# traffic going over test-port in both directions has to be +# protected by ipsec. +# Traffic going over TAP in both directions doesn't have to be protected. +# I.E: +# DUT OS(NIC1)--(ipsec)-->(NIC1)ipsec-secgw(TAP)--(plain)-->(TAP)SUT OS +# SUT OS(TAP)--(plain)-->(TAP)psec-secgw(NIC1)--(ipsec)-->(NIC1)DUT OS +# Then tries to perform some data transfer using the scheme described above. +# + +DIR=`dirname $0` +PROTO=$1 +MODE=$2 + + . ${DIR}/common_defs.sh + +select_mode + + . ${DIR}/${MODE}_defs.sh + +if [[ "${PROTO}" == "ipv4-ipv4" ]] || [[ "${PROTO}" == "ipv6-ipv6" ]]; then + config_secgw +else + config_secgw_mixed +fi + +secgw_start + + . ${DIR}/data_rxtx.sh + +if [[ "${PROTO}" == "ipv4-ipv4" ]]; then + config_iface + config_remote_xfrm_44 + set_local_mtu ${MTU_LEN} + ping_test1 ${REMOTE_IPV4} 0 ${PING_LEN} + + st=$? + if [[ $st -eq 0 ]]; then + set_local_mtu ${DEF_MTU_LEN} + scp_test1 ${REMOTE_IPV4} + st=$? + fi +elif [[ "${PROTO}" == "ipv4-ipv6" ]]; then + if [[ "${MODE}" == trs* ]]; then + echo "Cannot mix protocols in transport mode" + secgw_stop + exit 1 + fi + config6_iface + config_remote_xfrm_46 + set_local_mtu ${MTU_LEN} + ping_test1 ${REMOTE_IPV4} 0 ${PING_LEN} + + st=$? + if [[ $st -eq 0 ]]; then + set_local_mtu ${DEF_MTU_LEN} + scp_test1 ${REMOTE_IPV4} + st=$? 
+ fi +elif [[ "${PROTO}" == "ipv6-ipv4" ]]; then + if [[ "${MODE}" == trs* ]]; then + echo "Cannot mix protocols in transport mode" + secgw_stop + exit 1 + fi + config6_iface + config_remote_xfrm_64 + + set_local_mtu ${MTU_LEN} + ping6_test1 ${REMOTE_IPV6} 0 ${PING_LEN} + st=$? + if [[ $st -eq 0 ]]; then + set_local_mtu ${DEF_MTU_LEN} + scp_test1 ${REMOTE_IPV6} + st=$? + fi +elif [[ "${PROTO}" == "ipv6-ipv6" ]]; then + config6_iface + config_remote_xfrm_66 + set_local_mtu ${MTU_LEN} + ping6_test1 ${REMOTE_IPV6} 0 ${PING_LEN} + + st=$? + if [[ $st -eq 0 ]]; then + set_local_mtu ${DEF_MTU_LEN} + scp_test1 ${REMOTE_IPV6} + st=$? + fi +else + echo "Invalid <proto>" + st=128 +fi + +secgw_stop +exit $st diff --git a/src/spdk/dpdk/examples/ipsec-secgw/test/load_env.sh b/src/spdk/dpdk/examples/ipsec-secgw/test/load_env.sh new file mode 100644 index 000000000..fff9176fb --- /dev/null +++ b/src/spdk/dpdk/examples/ipsec-secgw/test/load_env.sh 
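Review bot: `PROTO` and `MODE` come straight from the command line but are validated only after the gateway is running: `. ${DIR}/${MODE}_defs.sh` sources whatever file the argument names (a missing file leaves `config_secgw` and `config_remote_xfrm_*` undefined, and bash continues past the failed source), and the `Invalid <proto>` branch is reached only after `common_defs.sh` has already reconfigured the DUT and `secgw_start` has launched ipsec-secgw. Check both arguments right after `DIR=` and before anything is sourced, e.g. `[[ -f "${DIR}/${MODE}_defs.sh" ]] || { echo "Invalid <ipsec_mode> ${MODE}"; exit 128; }` together with `case "${PROTO}" in ipv4-ipv4|ipv4-ipv6|ipv6-ipv4|ipv6-ipv6) ;; *) echo "Invalid <proto>"; exit 128;; esac`. The mixed-protocol branches do call `secgw_stop` before exiting, but early validation avoids starting the gateway at all.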
@@ -0,0 +1,121 @@ +#! /bin/bash +# SPDX-License-Identifier: BSD-3-Clause + +DIR=`dirname $0` + +regular=0 +inline_on=0 +fallback_on=0 +legacy_only=0 +fallback_val="lookaside-none" +crypto_prim="" +multi_seg_val="" +while getopts ":iflsrc" opt +do + case $opt in + i) + inline_on=1 + ;; + f) + fallback_on=1 + ;; + l) + legacy_only=1 + ;; + s) + multi_seg_val="SGW_MULTI_SEG=128" + ;; + r) + regular=1 + ;; + c) + crypto_prim="CRYPTO_PRIM_TYPE=cpu-crypto" + fallback_val="cpu-crypto" + ;; + esac +done +shift $((OPTIND -1)) + +PROTO=$1 +MODE=$2 + +# test scenarios to set up for regular test +TEST_MODES_REGULAR="legacy \ +library \ +library_esn \ +library_esn_atom" + +# test scenarios to set up for inline test +TEST_MODES_INLINE="legacy_inline \ +library_inline" + +# test scenarios to set up for fallback test +TEST_MODES_FALLBACK="library_fallback" + +# env variables to export for specific test scenarios +default="SGW_MODE=legacy SGW_ESN=esn-off SGW_ATOM=atom-off SGW_CRYPTO=regular \ +SGW_CRYPTO_FLBK= ${multi_seg_val}" +legacy="${default} CRYPTO_PRIM_TYPE=" +library="${default} SGW_MODE=library ${crypto_prim}" +library_esn="${default} SGW_MODE=library SGW_ESN=esn-on ${crypto_prim}" +library_esn_atom="${default} SGW_MODE=library SGW_ESN=esn-on SGW_ATOM=atom-on \ +${crypto_prim}" +legacy_inline="${default} SGW_CRYPTO=inline CRYPTO_PRIM_TYPE=" +library_inline="${default} SGW_MODE=library SGW_CRYPTO=inline CRYPTO_PRIM_TYPE=" +library_fallback="${default} SGW_MODE=library SGW_CRYPTO=inline \ +SGW_CRYPTO_FLBK=${fallback_val} SGW_MULTI_SEG=128 CRYPTO_PRIM_TYPE=" + +# export needed env variables and run tests +if [[ ${regular} -eq 1 ]]; then + for i in ${TEST_MODES_REGULAR}; do + if [[ ${legacy_only} -eq 1 && "${i}" != *legacy* ]]; then + continue + elif [[ ${legacy_only} -eq 0 && "${i}" == *legacy* ]]; then + continue + fi + for x in ${!i}; do + export ${x} + done + + /bin/bash ${DIR}/linux_test.sh ${PROTO} ${MODE} + st=$? 
+ if [[ ${st} -ne 0 ]]; then + exit ${st} + fi + done +elif [[ ${inline_on} -eq 1 || ${fallback_on} -eq 1 ]]; then + if [[ ${inline_on} -eq 1 ]]; then + for i in ${TEST_MODES_INLINE}; do + if [[ ${legacy_only} -eq 1 && "${i}" != *legacy* ]] + then + continue + elif [[ ${legacy_only} -eq 0 && "${i}" == *legacy* ]] + then + continue + fi + for x in ${!i}; do + export ${x} + done + + /bin/bash ${DIR}/linux_test.sh ${PROTO} ${MODE} + st=$? + if [[ ${st} -ne 0 ]]; then + exit ${st} + fi + done + fi + if [[ ${fallback_on} -eq 1 ]]; then + for i in ${TEST_MODES_FALLBACK}; do + for x in ${!i}; do + export ${x} + done + + /bin/bash ${DIR}/linux_test.sh ${PROTO} ${MODE} + st=$? + if [[ ${st} -ne 0 ]]; then + exit ${st} + fi + done + fi +fi +exit 0 diff --git a/src/spdk/dpdk/examples/ipsec-secgw/test/pkttest.py b/src/spdk/dpdk/examples/ipsec-secgw/test/pkttest.py new file mode 100755 index 000000000..785b2fb88 --- /dev/null +++ b/src/spdk/dpdk/examples/ipsec-secgw/test/pkttest.py 
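Review bot: The `getopts ":iflsrc"` loop at the top of the file has no `?)` arm, so an unknown option is silently ignored and the script proceeds with whatever defaults remain, whereas run_test.sh in the same directory rejects bad options with `Invalid option` and exit 127. Add the same arm here for consistency: `?) echo "Invalid option"; exit 127 ;;`. Also, `for x in ${!i}; do export ${x}; done` exports by word-splitting the scenario string, so none of the values in `default`/`library_*` can ever contain whitespace; a comment stating that constraint next to those definitions would save the next editor a surprise.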
@@ -0,0 +1,128 @@ +#!/usr/bin/env python3 +# SPDX-License-Identifier: BSD-3-Clause + +import fcntl +import pkg_resources +import socket +import struct +import sys +import unittest + + +if sys.version_info < (3, 0): + print("Python3 is required to run this script") + sys.exit(1) + + +try: + from scapy.all import Ether +except ImportError: + print("Scapy module is required") + sys.exit(1) + + +PKTTEST_REQ = [ + "scapy>=2.4.3", +] + + +def assert_requirements(req): + """ + assert requirement is met + req can hold a string or a list of strings + """ + try: + pkg_resources.require(req) + except (pkg_resources.DistributionNotFound, pkg_resources.VersionConflict) as e: + print("Requirement assertion: " + str(e)) + sys.exit(1) + + +TAP_UNPROTECTED = "dtap1" +TAP_PROTECTED = "dtap0" + + +class Interface(object): + ETH_P_ALL = 3 + MAX_PACKET_SIZE = 1280 + IOCTL_GET_INFO = 0x8927 + SOCKET_TIMEOUT = 0.5 + def __init__(self, ifname): + self.name = ifname + + # create and bind socket to specified interface + self.s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(Interface.ETH_P_ALL)) + self.s.settimeout(Interface.SOCKET_TIMEOUT) + self.s.bind((self.name, 0, socket.PACKET_OTHERHOST)) + + # get interface MAC address + info = fcntl.ioctl(self.s.fileno(), Interface.IOCTL_GET_INFO, struct.pack('256s', bytes(ifname[:15], encoding='ascii'))) + self.mac = ':'.join(['%02x' % i for i in info[18:24]]) + + def __del__(self): + self.s.close() + + def send_l3packet(self, pkt, mac): + e = Ether(src=self.mac, dst=mac) + self.send_packet(e/pkt) + + def send_packet(self, pkt): + self.send_bytes(bytes(pkt)) + + def send_bytes(self, bytedata): + self.s.send(bytedata) + + def recv_packet(self): + return Ether(self.recv_bytes()) + + def recv_bytes(self): + return self.s.recv(Interface.MAX_PACKET_SIZE) + + def get_mac(self): + return self.mac + + +class PacketXfer(object): + def __init__(self, protected_iface=TAP_PROTECTED, unprotected_iface=TAP_UNPROTECTED): + self.protected_port = 
Interface(protected_iface) + self.unprotected_port = Interface(unprotected_iface) + + def send_to_protected_port(self, pkt, remote_mac=None): + if remote_mac is None: + remote_mac = self.unprotected_port.get_mac() + self.protected_port.send_l3packet(pkt, remote_mac) + + def send_to_unprotected_port(self, pkt, remote_mac=None): + if remote_mac is None: + remote_mac = self.protected_port.get_mac() + self.unprotected_port.send_l3packet(pkt, remote_mac) + + def xfer_unprotected(self, pkt): + self.send_to_unprotected_port(pkt) + return self.protected_port.recv_packet() + + def xfer_protected(self, pkt): + self.send_to_protected_port(pkt) + return self.unprotected_port.recv_packet() + + +def pkttest(): + if len(sys.argv) == 1: + sys.exit(unittest.main(verbosity=2)) + elif len(sys.argv) == 2: + if sys.argv[1] == "config": + module = __import__('__main__') + try: + print(module.config()) + except AttributeError: + sys.stderr.write("Cannot find \"config()\" in a test") + sys.exit(1) + else: + sys.exit(1) + + +if __name__ == "__main__": + if len(sys.argv) == 2 and sys.argv[1] == "check_reqs": + assert_requirements(PKTTEST_REQ) + else: + print("Usage: " + sys.argv[0] + " check_reqs") diff --git a/src/spdk/dpdk/examples/ipsec-secgw/test/pkttest.sh b/src/spdk/dpdk/examples/ipsec-secgw/test/pkttest.sh new file mode 100755 index 000000000..f19247254 --- /dev/null +++ b/src/spdk/dpdk/examples/ipsec-secgw/test/pkttest.sh 
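Review bot: `Interface.__del__` unconditionally calls `self.s.close()`, but `self.s` is assigned only once `socket.socket(AF_PACKET, SOCK_RAW, ...)` succeeds; when that call fails (it needs CAP_NET_RAW, the likely failure if the root check in pkttest.sh is bypassed) the half-built object is finalised and `__del__` raises `AttributeError` on top of the original `PermissionError`. Initialise `self.s = None` as the first statement of `__init__` and guard the finaliser with `if self.s is not None: self.s.close()`; better still, give `Interface` an explicit `close()` plus `__enter__`/`__exit__` so `PacketXfer` can release both sockets deterministically rather than relying on GC timing. The `pkg_resources` use in `assert_requirements` is the deprecated setuptools API; `importlib.metadata.version` (stdlib since 3.8) would cover the version check without the extra dependency, though that is a follow-up rather than a blocker.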
@@ -0,0 +1,66 @@ +#!/bin/bash +# SPDX-License-Identifier: BSD-3-Clause + +DIR=$(dirname $0) + +if [ $(id -u) -ne 0 ]; then + echo "Run as root" + exit 1 +fi + +# check python requirements +python3 ${DIR}/pkttest.py check_reqs +if [ $? -ne 0 ]; then + echo "Requirements for Python not met, exiting" + exit 1 +fi + +# secgw application parameters setup +CRYPTO_DEV="--vdev=crypto_null0" +SGW_PORT_CFG="--vdev=net_tap0,mac=fixed --vdev=net_tap1,mac=fixed" +SGW_EAL_XPRM="--no-pci" +SGW_CMD_XPRM=-l +SGW_WAIT_DEV="dtap0" +. ${DIR}/common_defs_secgw.sh + +echo "Running tests: $*" +for testcase in $* +do + # check test file presence + testfile="${DIR}/${testcase}.py" + if [ ! -f ${testfile} ]; then + echo "Invalid test ${testcase}" + continue + fi + + # prepare test config + python3 ${testfile} config > ${SGW_CFG_FILE} + if [ $? -ne 0 ]; then + rm -f ${SGW_CFG_FILE} + echo "Cannot get secgw configuration for test ${testcase}" + exit 1 + fi + + # start the application + secgw_start + + # setup interfaces + ifconfig dtap0 up + ifconfig dtap1 up + + # run the test + echo "Running test case: ${testcase}" + python3 ${testfile} + st=$? + + # stop the application + secgw_stop + + # report test result and exit on failure + if [ $st -eq 0 ]; then + echo "Test case ${testcase} succeeded" + else + echo "Test case ${testcase} failed!" + exit $st + fi +done diff --git a/src/spdk/dpdk/examples/ipsec-secgw/test/run_test.sh b/src/spdk/dpdk/examples/ipsec-secgw/test/run_test.sh new file mode 100755 index 000000000..1222308bb --- /dev/null +++ b/src/spdk/dpdk/examples/ipsec-secgw/test/run_test.sh 
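Review bot: An unknown test name only prints `Invalid test ${testcase}` and `continue`s, so a typo in the `PKT_TESTS` list that run_test.sh passes in skips that case and this script still exits 0, which run_test.sh then reports as a passing suite. Record the miss, e.g. `failed=1; continue`, and finish the script with `exit ${failed:-0}` (or simply `exit 1` at that point). There is also no `trap` around `secgw_start`/`secgw_stop`, so an interrupted run leaves ipsec-secgw and the mktemp files from common_defs_secgw.sh behind; a `trap secgw_stop EXIT` after the source line, with `secgw_stop` made safe to call twice, would cover that.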
@@ -0,0 +1,242 @@ +#! /bin/bash +# SPDX-License-Identifier: BSD-3-Clause + +# Usage: /bin/bash run_test.sh [-46miflscph] <ipsec_mode> +# Run all defined linux_test.sh test-cases one by one +# If <ipsec_mode> is specified, run only that test case +# User has to setup properly the following environment variables: +# SGW_PATH - path to the ipsec-secgw binary to test +# REMOTE_HOST - ip/hostname of the DUT +# REMOTE_IFACE - iface name for the test-port on DUT +# ETH_DEV - ethernet device to be used on SUT by DPDK ('-w <pci-id>') +# Also user can optionally setup: +# SGW_LCORE - lcore to run ipsec-secgw on (default value is 0) +# CRYPTO_DEV - crypto device to be used ('-w <pci-id>') +# if none specified appropriate vdevs will be created by the script +# SGW_MULTI_SEG - ipsec-secgw option to enable reassembly support and +# specify size of reassembly table (i.e. SGW_MULTI_SEG=128) +# Refer to linux_test.sh for more information + +# All supported modes to test: +# trs_3descbc_sha1 +# trs_aescbc_sha1 +# trs_aesctr_sha1 +# trs_aesgcm +# tun_3descbc_sha1 +# tun_aescbc_sha1 +# tun_aesctr_sha1 +# tun_aesgcm +# Naming convention: +# 'tun/trs' refer to tunnel/transport mode respectively + +usage() +{ + echo "Usage:" + echo -e "\t$0 -[46miflscph] <ipsec_mode>" + echo -e "\t\t-4 Perform Linux IPv4 network tests" + echo -e "\t\t-6 Perform Linux IPv6 network tests" + echo -e "\t\t-m Add mixed IP protocol tests to IPv4/IPv6 \ +(only with option [-46])" + echo -e "\t\t-i Run inline tests (only with option [-46])" + echo -e "\t\t-f Run fallback tests (only with option [-46])" + echo -e "\t\t-l Run tests in legacy mode" + echo -e "\t\t-s Run all tests with reassembly support \ +(on default only fallback tests use reassembly support)" + echo -e "\t\t-c Run tests with use of cpu-crypto \ +(on default lookaside-none is used)" + echo -e "\t\t-p Perform packet validation tests" + echo -e "\t\t-h Display this help" + echo -e "\t\t<ipsec_mode> Run only specified test case i.e. 
tun_aesgcm" +} + +LINUX_TEST="trs_3descbc_sha1 \ +trs_aescbc_sha1 \ +trs_aesctr_sha1 \ +trs_aesgcm \ +tun_3descbc_sha1 \ +tun_aescbc_sha1 \ +tun_aesctr_sha1 \ +tun_aesgcm" + +LINUX_TEST_INLINE_FALLBACK="trs_aesgcm \ +tun_aesgcm" + +LINUX_TEST_RUN="" + +PKT_TESTS="trs_ipv6opts \ +tun_null_header_reconstruct" + +DIR=$(dirname $0) + +# get input options +run4=0 +run6=0 +runpkt=0 +mixed=0 +inline=0 +fallback=0 +legacy=0 +multi_seg=0 +cpu_crypto=0 +options="" +while getopts ":46miflscph" opt +do + case $opt in + 4) + run4=1 + ;; + 6) + run6=1 + ;; + m) + mixed=1 + ;; + i) + inline=1 + ;; + f) + fallback=1 + ;; + l) + legacy=1 + options="${options} -l" + ;; + s) + multi_seg=1 + options="${options} -s" + ;; + c) + cpu_crypto=1 + options="${options} -c" + ;; + p) + runpkt=1 + ;; + h) + usage + exit 0 + ;; + ?) + echo "Invalid option" + usage + exit 127 + ;; + esac +done + +shift $((OPTIND -1)) +LINUX_TEST_RUN=$* + +# no test suite has been selected +if [[ ${run4} -eq 0 && ${run6} -eq 0 && ${runpkt} -eq 0 ]]; then + usage + exit 127 +fi + +# check parameters +if [[ ${legacy} -eq 1 ]] && [[ ${multi_seg} -eq 1 || ${fallback} -eq 1 \ + || ${cpu_crypto} -eq 1 ]]; then + echo "Fallback/reassembly/cpu-crypto cannot be used with legacy mode" + exit 127 +fi + +if [[ ${cpu_crypto} -eq 1 && ${inline} -eq 1 && ${fallback} -eq 0 ]]; then + echo "cpu-crypto cannot be used with inline mode" + exit 127 +fi + +# perform packet processing validation tests +st=0 +if [ $runpkt -eq 1 ]; then + echo "Performing packet validation tests" + /bin/bash ${DIR}/pkttest.sh ${PKT_TESTS} + st=$? 
+ + echo "pkttests finished with status ${st}" + if [[ ${st} -ne 0 ]]; then + echo "ERROR pkttests FAILED" + exit ${st} + fi +fi + +desc="" + +# set inline/fallback tests if needed +if [[ ${inline} -eq 1 || ${fallback} -eq 1 ]]; then + + # add inline option if needed + if [[ ${inline} -eq 1 ]]; then + options="${options} -i" + desc="inline" + fi + # add fallback option if needed + if [[ ${fallback} -eq 1 ]]; then + options="${options} -f" + if [[ "${desc}" == "inline" ]]; then + desc="${desc} and fallback" + else + desc="fallback" + fi + fi + + # select tests to run + if [[ -z "${LINUX_TEST_RUN}" ]]; then + LINUX_TEST_RUN="${LINUX_TEST_INLINE_FALLBACK}" + fi +else + options="${options} -r" +fi + +# select tests to run +if [[ -z "${LINUX_TEST_RUN}" ]]; then + LINUX_TEST_RUN="${LINUX_TEST}" +fi + +# perform selected tests +if [[ ${run4} -eq 1 || ${run6} -eq 1 ]] ; then + + for i in ${LINUX_TEST_RUN}; do + + echo "starting ${desc} test ${i}" + + st4=0 + st4m=0 + if [[ ${run4} -ne 0 ]]; then + /bin/bash ${DIR}/load_env.sh ${options} ipv4-ipv4 ${i} + st4=$? + echo "${desc} test IPv4 ${i} finished with status \ +${st4}" + if [[ ${mixed} -ne 0 ]] && [[ "${i}" == tun* ]]; then + /bin/bash ${DIR}/load_env.sh ${options} \ + ipv4-ipv6 ${i} + st4m=$? + echo "${desc} test IPv4-IPv6 ${i} finished with\ + status ${st4m}" + fi + fi + + st6=0 + st6m=0 + if [[ ${run6} -ne 0 ]]; then + /bin/bash ${DIR}/load_env.sh ${options} ipv6-ipv6 ${i} + st6=$? + echo "${desc} test IPv6 ${i} finished with status \ +${st6}" + if [[ ${mixed} -ne 0 ]] && [[ "${i}" == tun* ]]; then + /bin/bash ${DIR}/load_env.sh ${options} \ + ipv6-ipv4 ${i} + st6m=$? + echo "${desc} test IPv6-IPv4 ${i} finished with\ + status ${st6m}" + fi + fi + + let "st = st4 + st6 + st4m + st6m" + if [[ $st -ne 0 ]]; then + echo "ERROR ${desc} test ${i} FAILED" + exit $st + fi + done +fi + +echo "All tests have ended successfully" 
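Review bot: The per-test status is computed as `let "st = st4 + st6 + st4m + st6m"` and handed to `exit $st`, but exit codes are truncated modulo 256, so two sub-runs that each fail with 128 sum to 256 and the script exits 0 right after printing `ERROR ... FAILED`; a CI caller keying on the exit status would see success. Replace the arithmetic with an any-failed test, `if [[ $st4 -ne 0 || $st6 -ne 0 || $st4m -ne 0 || $st6m -ne 0 ]]; then echo "ERROR ${desc} test ${i} FAILED"; exit 1; fi`. The closing `echo "All tests have ended successfully"` also lacks an explicit `exit 0`, harmless today but worth adding so the success path is unambiguous.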
diff --git a/src/spdk/dpdk/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh b/src/spdk/dpdk/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh new file mode 100644 index 000000000..a66b0ec1e --- /dev/null +++ b/src/spdk/dpdk/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh 
@@ -0,0 +1,74 @@ +#! /bin/bash +# SPDX-License-Identifier: BSD-3-Clause + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat <<EOF > ${SGW_CFG_FILE} +#SP in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport ${SGW_CFG_XPRM_IN} + +sa in 9 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport ${SGW_CFG_XPRM_IN} + +#SA out rules +sa out 7 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport ${SGW_CFG_XPRM_OUT} + +#SA out rules +sa out 9 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport 
${SGW_CFG_XPRM_OUT} + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/src/spdk/dpdk/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh b/src/spdk/dpdk/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh new file mode 100644 index 000000000..bbee6a1da --- /dev/null +++ b/src/spdk/dpdk/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh 
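Review bot: The 3des-cbc `cipher_key` in the `sa in 7`, `sa in 9` and both `sa out` rules is `de:ad:be:ef` repeated six times, so the three 64-bit DES subkeys K1, K2 and K3 are identical and the SA is effectively single DES rather than triple DES. As far as I recall, the Linux side (the matching `enc "cbc\(des3_ede\)"` states in trs_3descbc_sha1_defs.sh) rejects such keys when weak-key checking is enforced, e.g. on a FIPS-enabled kernel, so the test would then fail for a reason unrelated to DPDK. A 24-byte key with three distinct 8-byte blocks, or at least a comment such as `# test-only key: all three DES subkeys are equal, which kernels with weak-key checking reject`, would avoid the surprise. The same key appears in the config_secgw/config_secgw_mixed hunk of tun_3descbc_sha1_common_defs.sh and in the xfrm hunks of trs_3descbc_sha1_defs.sh and tun_3descbc_sha1_defs.sh.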
@@ -0,0 +1,69 @@ +#! /bin/bash +# SPDX-License-Identifier: BSD-3-Clause + +. ${DIR}/trs_3descbc_sha1_common_defs.sh + +SGW_CMD_XPRM="${DPDK_VARS} ${DPDK_MODE} ${SGW_CMD_XPRM}" + +config_remote_xfrm_44() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 ${XFRM_ESN} \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 ${XFRM_ESN} \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config_remote_xfrm_66() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 ${XFRM_ESN} \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip 
xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode transport replay-window 64 ${XFRM_ESN} \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/src/spdk/dpdk/examples/ipsec-secgw/test/trs_aescbc_sha1_common_defs.sh b/src/spdk/dpdk/examples/ipsec-secgw/test/trs_aescbc_sha1_common_defs.sh new file mode 100644 index 000000000..d92292452 --- /dev/null +++ b/src/spdk/dpdk/examples/ipsec-secgw/test/trs_aescbc_sha1_common_defs.sh 
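Review bot: config_remote_xfrm_44 and config_remote_xfrm_66 open with `ssh ${REMOTE_HOST} ip xfrm policy flush` and `ip xfrm state flush`, which clear every IPsec policy and state on the remote host rather than only the entries this test adds, and `${REMOTE_HOST}` is unquoted and unchecked, so with the variable unset ssh treats `ip` as the hostname. A `: "${REMOTE_HOST:?REMOTE_HOST must be set}"` guard at the top of each function and a header comment such as `# WARNING: flushes the whole SPD/SAD on ${REMOTE_HOST}; use a dedicated test peer` would make the blast radius explicit. The closing `ip xfrm state list` also prints the configured auth/enc keys into the test log, which is acceptable for these fixed test values but worth stating in that comment. The same two functions, with the same pattern, are in trs_aescbc_sha1_defs.sh, trs_aesctr_sha1_defs.sh, trs_aesgcm_defs.sh and tun_3descbc_sha1_defs.sh.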
@@ -0,0 +1,70 @@ +#! /bin/bash +# SPDX-License-Identifier: BSD-3-Clause + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat <<EOF > ${SGW_CFG_FILE} +#SP in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo aes-128-cbc \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport ${SGW_CFG_XPRM_IN} + +sa in 9 cipher_algo aes-128-cbc \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport ${SGW_CFG_XPRM_IN} + +#SA out rules +sa out 7 cipher_algo aes-128-cbc \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport ${SGW_CFG_XPRM_OUT} + +#SA out rules +sa out 9 cipher_algo aes-128-cbc \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport ${SGW_CFG_XPRM_OUT} + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst 
${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/src/spdk/dpdk/examples/ipsec-secgw/test/trs_aescbc_sha1_defs.sh b/src/spdk/dpdk/examples/ipsec-secgw/test/trs_aescbc_sha1_defs.sh new file mode 100644 index 000000000..0665a0bc6 --- /dev/null +++ b/src/spdk/dpdk/examples/ipsec-secgw/test/trs_aescbc_sha1_defs.sh 
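Review bot: config_secgw redirects the heredoc to `${SGW_CFG_FILE}` without checking that the variable is set, so in an incomplete environment `cat <<EOF > ${SGW_CFG_FILE}` fails with bash's "ambiguous redirect", the function carries on, and the following `cat ${SGW_CFG_FILE}` becomes a bare `cat` reading stdin. Writing it as `cat <<EOF > "${SGW_CFG_FILE:?SGW_CFG_FILE must be set}"` fails fast with a clear message. The trailing `cat ${SGW_CFG_FILE}` also echoes the SA key material into the test log; fine for these fixed test keys, but a comment such as `# dump the generated cfg (includes the test-only SA keys) for the log` would make that deliberate. The same config_secgw shape is in trs_3descbc_sha1_common_defs.sh, trs_aesctr_sha1_common_defs.sh, trs_aesgcm_common_defs.sh and tun_3descbc_sha1_common_defs.sh in this commit.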
@@ -0,0 +1,69 @@ +#! /bin/bash +# SPDX-License-Identifier: BSD-3-Clause + +. ${DIR}/trs_aescbc_sha1_common_defs.sh + +SGW_CMD_XPRM="${DPDK_VARS} ${DPDK_MODE} ${SGW_CMD_XPRM}" + +config_remote_xfrm_44() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 ${XFRM_ESN} \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 ${XFRM_ESN} \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config_remote_xfrm_66() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 ${XFRM_ESN} \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode 
transport replay-window 64 ${XFRM_ESN} \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/src/spdk/dpdk/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh b/src/spdk/dpdk/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh new file mode 100644 index 000000000..7d2db073b --- /dev/null +++ b/src/spdk/dpdk/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh 
@@ -0,0 +1,70 @@ +#! /bin/bash +# SPDX-License-Identifier: BSD-3-Clause + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat <<EOF > ${SGW_CFG_FILE} +#SP in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport ${SGW_CFG_XPRM_IN} + +sa in 9 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport ${SGW_CFG_XPRM_IN} + +#SA out rules +sa out 7 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport ${SGW_CFG_XPRM_OUT} + +#SA out rules +sa out 9 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport ${SGW_CFG_XPRM_OUT} + +#Routing rules +rt ipv4 
dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/src/spdk/dpdk/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh b/src/spdk/dpdk/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh new file mode 100644 index 000000000..3390055db --- /dev/null +++ b/src/spdk/dpdk/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh 
@@ -0,0 +1,69 @@ +#! /bin/bash +# SPDX-License-Identifier: BSD-3-Clause + +. ${DIR}/trs_aesctr_sha1_common_defs.sh + +SGW_CMD_XPRM="${DPDK_VARS} ${DPDK_MODE} ${SGW_CMD_XPRM}" + +config_remote_xfrm_44() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 ${XFRM_ESN} \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 ${XFRM_ESN} \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config_remote_xfrm_66() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 ${XFRM_ESN} \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm 
state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode transport replay-window 64 ${XFRM_ESN} \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/src/spdk/dpdk/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh b/src/spdk/dpdk/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh new file mode 100644 index 000000000..47eef4d9b --- /dev/null +++ b/src/spdk/dpdk/examples/ipsec-secgw/test/trs_aesgcm_common_defs.sh 
@@ -0,0 +1,61 @@
+#! /bin/bash
+# SPDX-License-Identifier: BSD-3-Clause
+
+CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_gcm0"'}
+
+#generate cfg file for ipsec-secgw
+config_secgw()
+{
+ cat <<EOF > ${SGW_CFG_FILE}
+#SP in IPv4 rules
+sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP in IPv6 rules
+sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 7 aead_algo aes-128-gcm \
+aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport ${SGW_CFG_XPRM_IN}
+
+sa in 9 aead_algo aes-128-gcm \
+aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport ${SGW_CFG_XPRM_IN}
+
+#SA out rules
+sa out 7 aead_algo aes-128-gcm \
+aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport ${SGW_CFG_XPRM_OUT}
+
+sa out 9 aead_algo aes-128-gcm \
+aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport ${SGW_CFG_XPRM_OUT}
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+ cat ${SGW_CFG_FILE}
+}
diff --git a/src/spdk/dpdk/examples/ipsec-secgw/test/trs_aesgcm_defs.sh b/src/spdk/dpdk/examples/ipsec-secgw/test/trs_aesgcm_defs.sh
new file mode 100644
index 000000000..48c2687d0
--- /dev/null
+++ b/src/spdk/dpdk/examples/ipsec-secgw/test/trs_aesgcm_defs.sh
@@ -0,0 +1,68 @@
+#! /bin/bash
+# SPDX-License-Identifier: BSD-3-Clause
+
+. ${DIR}/trs_aesgcm_common_defs.sh
+
+SGW_CMD_XPRM="${DPDK_VARS} ${DPDK_MODE} ${SGW_CMD_XPRM}"
+
+config_remote_xfrm_44()
+{
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 1
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 2
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode transport replay-window 64 ${XFRM_ESN} \
+aead "rfc4106\(gcm\(aes\)\)" \
+0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode transport replay-window 64 ${XFRM_ESN} \
+aead "rfc4106\(gcm\(aes\)\)" \
+0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128
+
+ ssh ${REMOTE_HOST} ip xfrm policy list
+ ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config_remote_xfrm_66()
+{
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 3
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 4
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode transport replay-window 64 ${XFRM_ESN} \
+aead "rfc4106\(gcm\(aes\)\)" \
+0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode transport replay-window 64 ${XFRM_ESN} \
+aead "rfc4106\(gcm\(aes\)\)" \
+0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128
+
+ ssh ${REMOTE_HOST} ip xfrm policy list
+ ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/src/spdk/dpdk/examples/ipsec-secgw/test/trs_ipv6opts.py b/src/spdk/dpdk/examples/ipsec-secgw/test/trs_ipv6opts.py
new file mode 100755
index 000000000..95011861e
--- /dev/null
+++ b/src/spdk/dpdk/examples/ipsec-secgw/test/trs_ipv6opts.py
@@ -0,0 +1,182 @@ +#!/usr/bin/env python3 +# SPDX-License-Identifier: BSD-3-Clause + +from scapy.all import * +import unittest +import pkttest + + +SRC_ADDR = "1111:0000:0000:0000:0000:0000:0000:0001" +DST_ADDR = "2222:0000:0000:0000:0000:0000:0000:0001" +SRC_NET = "1111:0000:0000:0000:0000:0000:0000:0000/64" +DST_NET = "2222:0000:0000:0000:0000:0000:0000:0000/64" + + +def config(): + return """ +sp ipv6 out esp protect 5 pri 1 \\ +src {0} \\ +dst {1} \\ +sport 0:65535 dport 0:65535 + +sp ipv6 in esp protect 6 pri 1 \\ +src {1} \\ +dst {0} \\ +sport 0:65535 dport 0:65535 + +sa out 5 cipher_algo null auth_algo null mode transport +sa in 6 cipher_algo null auth_algo null mode transport + +rt ipv6 dst {0} port 1 +rt ipv6 dst {1} port 0 +""".format(SRC_NET, DST_NET) + + +class TestTransportWithIPv6Ext(unittest.TestCase): + # There is a bug in the IPsec Scapy implementation + # which causes invalid packet reconstruction after + # successful decryption. This method is a workaround. + @staticmethod + def decrypt(pkt, sa): + esp = pkt[ESP] + + # decrypt dummy packet with no extensions + d = sa.decrypt(IPv6()/esp) + + # fix 'next header' in the preceding header of the original + # packet and remove ESP + pkt[ESP].underlayer.nh = d[IPv6].nh + pkt[ESP].underlayer.remove_payload() + + # combine L3 header with decrypted payload + npkt = pkt/d[IPv6].payload + + # fix length + npkt[IPv6].plen = d[IPv6].plen + len(pkt[IPv6].payload) + + return npkt + + def setUp(self): + self.px = pkttest.PacketXfer() + self.outb_sa = SecurityAssociation(ESP, spi=5) + self.inb_sa = SecurityAssociation(ESP, spi=6) + + def test_outb_ipv6_noopt(self): + pkt = IPv6(src=SRC_ADDR, dst=DST_ADDR) + pkt /= UDP(sport=123,dport=456)/Raw(load="abc") + + # send and check response + resp = self.px.xfer_unprotected(pkt) + self.assertEqual(resp[IPv6].nh, socket.IPPROTO_ESP) + self.assertEqual(resp[ESP].spi, 5) + + # decrypt response, check packet after decryption + d = TestTransportWithIPv6Ext.decrypt(resp[IPv6], 
self.outb_sa) + self.assertEqual(d[IPv6].nh, socket.IPPROTO_UDP) + self.assertEqual(d[UDP].sport, 123) + self.assertEqual(d[UDP].dport, 456) + self.assertEqual(bytes(d[UDP].payload), b'abc') + + def test_outb_ipv6_opt(self): + hoptions = [] + hoptions.append(RouterAlert(value=2)) + hoptions.append(Jumbo(jumboplen=5000)) + hoptions.append(Pad1()) + + doptions = [] + doptions.append(HAO(hoa="1234::4321")) + + pkt = IPv6(src=SRC_ADDR, dst=DST_ADDR) + pkt /= IPv6ExtHdrHopByHop(options=hoptions) + pkt /= IPv6ExtHdrRouting(addresses=["3333::3","4444::4"]) + pkt /= IPv6ExtHdrDestOpt(options=doptions) + pkt /= UDP(sport=123,dport=456)/Raw(load="abc") + + # send and check response + resp = self.px.xfer_unprotected(pkt) + self.assertEqual(resp[IPv6].nh, socket.IPPROTO_HOPOPTS) + + # check extensions + self.assertEqual(resp[IPv6ExtHdrHopByHop].nh, socket.IPPROTO_ROUTING) + self.assertEqual(resp[IPv6ExtHdrRouting].nh, socket.IPPROTO_DSTOPTS) + self.assertEqual(resp[IPv6ExtHdrDestOpt].nh, socket.IPPROTO_ESP) + + # check ESP + self.assertEqual(resp[ESP].spi, 5) + + # decrypt response, check packet after decryption + d = TestTransportWithIPv6Ext.decrypt(resp[IPv6], self.outb_sa) + self.assertEqual(d[IPv6].nh, socket.IPPROTO_HOPOPTS) + self.assertEqual(d[IPv6ExtHdrHopByHop].nh, socket.IPPROTO_ROUTING) + self.assertEqual(d[IPv6ExtHdrRouting].nh, socket.IPPROTO_DSTOPTS) + self.assertEqual(d[IPv6ExtHdrDestOpt].nh, socket.IPPROTO_UDP) + + # check UDP + self.assertEqual(d[UDP].sport, 123) + self.assertEqual(d[UDP].dport, 456) + self.assertEqual(bytes(d[UDP].payload), b'abc') + + def test_inb_ipv6_noopt(self): + # encrypt and send raw UDP packet + pkt = IPv6(src=DST_ADDR, dst=SRC_ADDR) + pkt /= UDP(sport=123,dport=456)/Raw(load="abc") + e = self.inb_sa.encrypt(pkt) + + # send and check response + resp = self.px.xfer_protected(e) + self.assertEqual(resp[IPv6].nh, socket.IPPROTO_UDP) + + # check UDP packet + self.assertEqual(resp[UDP].sport, 123) + self.assertEqual(resp[UDP].dport, 456) + 
self.assertEqual(bytes(resp[UDP].payload), b'abc') + + def test_inb_ipv6_opt(self): + hoptions = [] + hoptions.append(RouterAlert(value=2)) + hoptions.append(Jumbo(jumboplen=5000)) + hoptions.append(Pad1()) + + doptions = [] + doptions.append(HAO(hoa="1234::4321")) + + # prepare packet with options + pkt = IPv6(src=DST_ADDR, dst=SRC_ADDR) + pkt /= IPv6ExtHdrHopByHop(options=hoptions) + pkt /= IPv6ExtHdrRouting(addresses=["3333::3","4444::4"]) + pkt /= IPv6ExtHdrDestOpt(options=doptions) + pkt /= UDP(sport=123,dport=456)/Raw(load="abc") + e = self.inb_sa.encrypt(pkt) + + # self encrypted packet and check response + resp = self.px.xfer_protected(e) + self.assertEqual(resp[IPv6].nh, socket.IPPROTO_HOPOPTS) + self.assertEqual(resp[IPv6ExtHdrHopByHop].nh, socket.IPPROTO_ROUTING) + self.assertEqual(resp[IPv6ExtHdrRouting].nh, socket.IPPROTO_DSTOPTS) + self.assertEqual(resp[IPv6ExtHdrDestOpt].nh, socket.IPPROTO_UDP) + + # check UDP + self.assertEqual(resp[UDP].sport, 123) + self.assertEqual(resp[UDP].dport, 456) + self.assertEqual(bytes(resp[UDP].payload), b'abc') + + def test_inb_ipv6_frag(self): + # prepare ESP payload + pkt = IPv6()/UDP(sport=123,dport=456)/Raw(load="abc") + e = self.inb_sa.encrypt(pkt) + + # craft and send inbound packet + e = IPv6(src=DST_ADDR, dst=SRC_ADDR)/IPv6ExtHdrFragment()/e[IPv6].payload + resp = self.px.xfer_protected(e) + + # check response + self.assertEqual(resp[IPv6].nh, socket.IPPROTO_FRAGMENT) + self.assertEqual(resp[IPv6ExtHdrFragment].nh, socket.IPPROTO_UDP) + + # check UDP + self.assertEqual(resp[UDP].sport, 123) + self.assertEqual(resp[UDP].dport, 456) + self.assertEqual(bytes(resp[UDP].payload), b'abc') + + +pkttest.pkttest() diff --git a/src/spdk/dpdk/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh b/src/spdk/dpdk/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh new file mode 100644 index 000000000..8804139df --- /dev/null +++ b/src/spdk/dpdk/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh 
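Review bot: Every test method uses `socket.IPPROTO_ESP`, `socket.IPPROTO_UDP`, `socket.IPPROTO_HOPOPTS` and friends, but the file never imports `socket`; it only works because `from scapy.all import *` happens to re-export it, so the tests break as soon as scapy stops doing that, and the star import also hides where `IPv6`, `ESP` and `SecurityAssociation` come from. Add an explicit `import socket` next to `import unittest`. The static `decrypt` workaround in TestTransportWithIPv6Ext would also benefit from a docstring stating its contract: it decrypts the ESP payload against a bare `IPv6()` header, strips ESP from the original extension chain, re-attaches the decrypted payload and recomputes `plen` from the decrypted dummy plus the original extension headers.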
@@ -0,0 +1,141 @@ +#! /bin/bash +# SPDX-License-Identifier: BSD-3-Clause + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat <<EOF > ${SGW_CFG_FILE} +#sp in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM_IN} + +sa in 9 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM_IN} + +#SA out rules +sa out 7 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} ${SGW_CFG_XPRM_OUT} + +sa out 9 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ 
+auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} ${SGW_CFG_XPRM_OUT} + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} + +config_secgw_mixed() +{ + cat <<EOF > ${SGW_CFG_FILE} +#sp in IPv4 rules +sp ipv4 in esp protect 6 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 6 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 8 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 8 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 8 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + +sa in 6 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} + +#SA out rules +sa out 8 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key 
de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + +sa out 6 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/src/spdk/dpdk/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh b/src/spdk/dpdk/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh new file mode 100644 index 000000000..7c2d065ab --- /dev/null +++ b/src/spdk/dpdk/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh 
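Review bot: config_secgw_mixed omits the `${SGW_CFG_XPRM_IN}` / `${SGW_CFG_XPRM_OUT}` suffix that config_secgw in the same hunk appends to every `mode ipv4-tunnel` / `mode ipv6-tunnel` line, so whatever extra SA parameters the caller places in those variables are silently not applied to the mixed-family SAs 6 and 8. If that is deliberate, a one-line comment above config_secgw_mixed such as `# SGW_CFG_XPRM_* is intentionally not applied to the mixed-tunnel SAs` would stop someone "fixing" it; otherwise the four `mode ...-tunnel` lines should carry the same suffix as in config_secgw. Either way the two functions should be kept in step, since the SP/rt/neigh sections are otherwise duplicated line for line.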
@@ -0,0 +1,142 @@
+#! /bin/bash
+# SPDX-License-Identifier: BSD-3-Clause
+
+. ${DIR}/tun_3descbc_sha1_common_defs.sh
+
+SGW_CMD_XPRM="${DPDK_VARS} ${DPDK_MODE} ${SGW_CMD_XPRM}"
+
+config_remote_xfrm_44()
+{
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode tunnel replay-window 64 ${XFRM_ESN} \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode tunnel replay-window 64 ${XFRM_ESN} \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+ ssh ${REMOTE_HOST} ip xfrm policy list
+ ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config_remote_xfrm_46()
+{
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 1
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 2
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 6 reqid 1 mode tunnel replay-window 64 ${XFRM_ESN} \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 6 reqid 2 mode tunnel replay-window 64 ${XFRM_ESN} \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}
+
+ ssh ${REMOTE_HOST} ip xfrm policy list
+ ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config_remote_xfrm_64()
+{
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 8 reqid 1 mode tunnel replay-window 64 ${XFRM_ESN} \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 8 reqid 2 mode tunnel replay-window 64 ${XFRM_ESN} \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}
+
+ ssh ${REMOTE_HOST} ip xfrm policy list
+ ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config_remote_xfrm_66()
+{
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 3
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 4
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode tunnel replay-window 64 ${XFRM_ESN} \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode tunnel replay-window 64 ${XFRM_ESN} \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+ ssh ${REMOTE_HOST} ip xfrm policy list
+ ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/src/spdk/dpdk/examples/ipsec-secgw/test/tun_aescbc_sha1_common_defs.sh b/src/spdk/dpdk/examples/ipsec-secgw/test/tun_aescbc_sha1_common_defs.sh
new file mode 100644
index 000000000..9e2276997
--- /dev/null
+++ b/src/spdk/dpdk/examples/ipsec-secgw/test/tun_aescbc_sha1_common_defs.sh
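Review bot: None of the `ssh ${REMOTE_HOST} ip xfrm policy add` / `ip xfrm state add` calls in config_remote_xfrm_44 through config_remote_xfrm_66 check their exit status, so a rejected `add` (for example a key of the wrong length, or a kernel that does not accept the expanded `${XFRM_ESN}`) leaves the remote side half-configured while the function still returns the status of the final `ip xfrm state list`, which is informational only. The cheapest fix is to append `|| return 1` to each `ssh ... add \` command group, e.g. `ssh ${REMOTE_HOST} ip xfrm state add \ ... enc "cbc\(des3_ede\)" 0x... || return 1`, so the caller can abort before running traffic over a missing SA. The `flush` calls can stay unchecked since a missing policy is not an error there. The same pattern is repeated in tun_aescbc_sha1_defs.sh, tun_aesctr_sha1_defs.sh and tun_aesgcm_defs.sh in this commit.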
@@ -0,0 +1,133 @@
+#! /bin/bash
+# SPDX-License-Identifier: BSD-3-Clause
+
+CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'}
+
+#generate cfg file for ipsec-secgw
+config_secgw()
+{
+ cat <<EOF > ${SGW_CFG_FILE}
+#sp in IPv4 rules
+sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 7 cipher_algo aes-128-cbc \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM_IN}
+
+sa in 9 cipher_algo aes-128-cbc \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM_IN}
+
+#SA out rules
+sa out 7 cipher_algo aes-128-cbc \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} ${SGW_CFG_XPRM_OUT}
+
+sa out 9 cipher_algo aes-128-cbc \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} ${SGW_CFG_XPRM_OUT}
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+ cat ${SGW_CFG_FILE}
+}
+
+config_secgw_mixed()
+{
+ cat <<EOF > ${SGW_CFG_FILE}
+#sp in IPv4 rules
+sp ipv4 in esp protect 6 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 6 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 8 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 8 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 8 cipher_algo aes-128-cbc \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}
+
+sa in 6 cipher_algo aes-128-cbc \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}
+
+#SA out rules
+sa out 8 cipher_algo aes-128-cbc \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}
+
+sa out 6 cipher_algo aes-128-cbc \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+ cat ${SGW_CFG_FILE}
+}
diff --git a/src/spdk/dpdk/examples/ipsec-secgw/test/tun_aescbc_sha1_defs.sh b/src/spdk/dpdk/examples/ipsec-secgw/test/tun_aescbc_sha1_defs.sh
new file mode 100644
index 000000000..b95d81458
--- /dev/null
+++ b/src/spdk/dpdk/examples/ipsec-secgw/test/tun_aescbc_sha1_defs.sh
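Review bot: `cat <<EOF > ${SGW_CFG_FILE}` in both config_secgw and config_secgw_mixed has no guard for an unset or empty `SGW_CFG_FILE`; bash then reports an ambiguous redirect, the function carries on, and the closing `cat ${SGW_CFG_FILE}` becomes a bare `cat` that blocks on stdin instead of failing. Opening each function with `: "${SGW_CFG_FILE:?SGW_CFG_FILE must be set}"` turns that into an immediate, explained failure. The `cipher_key`/`auth_key` values are fixed `de:ad:be:ef` test vectors that the closing `cat` also echoes into the test log, so a one-line comment above `#SA in rules` such as `# fixed test-vector keys; this file is only valid for the local test harness` would make their status obvious to anyone copying the config. The same applies to tun_aesctr_sha1_common_defs.sh and tun_aesgcm_common_defs.sh in this commit.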
@@ -0,0 +1,142 @@
+#! /bin/bash
+# SPDX-License-Identifier: BSD-3-Clause
+
+. ${DIR}/tun_aescbc_sha1_common_defs.sh
+
+SGW_CMD_XPRM="${DPDK_VARS} ${DPDK_MODE} ${SGW_CMD_XPRM}"
+
+config_remote_xfrm_44()
+{
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode tunnel replay-window 64 ${XFRM_ESN} \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode tunnel replay-window 64 ${XFRM_ESN} \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef
+
+ ssh ${REMOTE_HOST} ip xfrm policy list
+ ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config_remote_xfrm_46()
+{
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 1
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 2
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 6 reqid 1 mode tunnel replay-window 64 ${XFRM_ESN} \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 6 reqid 2 mode tunnel replay-window 64 ${XFRM_ESN} \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}
+
+ ssh ${REMOTE_HOST} ip xfrm policy list
+ ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config_remote_xfrm_64()
+{
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 8 reqid 1 mode tunnel replay-window 64 ${XFRM_ESN} \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 8 reqid 2 mode tunnel replay-window 64 ${XFRM_ESN} \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}
+
+ ssh ${REMOTE_HOST} ip xfrm policy list
+ ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config_remote_xfrm_66()
+{
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 3
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 4
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode tunnel replay-window 64 ${XFRM_ESN} \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode tunnel replay-window 64 ${XFRM_ESN} \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc aes 0xdeadbeefdeadbeefdeadbeefdeadbeef
+
+ ssh ${REMOTE_HOST} ip xfrm policy list
+ ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/src/spdk/dpdk/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh b/src/spdk/dpdk/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
new file mode 100644
index 000000000..0f0111d84
--- /dev/null
+++ b/src/spdk/dpdk/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
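Review bot: The SPI values hard-coded in these four functions (7 in config_remote_xfrm_44, 6 in _46, 8 in _64, 9 in _66) have to agree with the `sa in`/`sa out` ids that config_secgw (7 and 9) and config_secgw_mixed (6 and 8) generate in the sourced tun_aescbc_sha1_common_defs.sh, and with the tunnel address family each of those `sa` lines uses, but nothing in this file states that coupling. A header comment above `config_remote_xfrm_44()` along the lines of `# SPIs must match the sa ids in tun_aescbc_sha1_common_defs.sh: 7/9 from config_secgw, 6/8 from config_secgw_mixed` would stop the two files drifting apart when one is edited. Likewise the `enc aes` key is 16 bytes and the `auth sha1` key 20 bytes to match aes-128-cbc and sha1-hmac on the DPDK side; a reader changing one file has no hint that the other must follow.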
@@ -0,0 +1,133 @@
+#! /bin/bash
+# SPDX-License-Identifier: BSD-3-Clause
+
+CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'}
+
+#generate cfg file for ipsec-secgw
+config_secgw()
+{
+ cat <<EOF > ${SGW_CFG_FILE}
+#sp in IPv4 rules
+sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 7 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM_IN}
+
+sa in 9 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM_IN}
+
+#SA out rules
+sa out 7 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} ${SGW_CFG_XPRM_OUT}
+
+sa out 9 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} ${SGW_CFG_XPRM_OUT}
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+ cat ${SGW_CFG_FILE}
+}
+
+config_secgw_mixed()
+{
+ cat <<EOF > ${SGW_CFG_FILE}
+#sp in IPv4 rules
+sp ipv4 in esp protect 6 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 6 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 8 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 8 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 8 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}
+
+sa in 6 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}
+
+#SA out rules
+sa out 8 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}
+
+sa out 6 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+ cat ${SGW_CFG_FILE}
+}
diff --git a/src/spdk/dpdk/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh b/src/spdk/dpdk/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
new file mode 100644
index 000000000..fd92f8769
--- /dev/null
+++ b/src/spdk/dpdk/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
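Review bot: Every `cipher_key` for `aes-128-ctr` in config_secgw and config_secgw_mixed is 20 bytes, whereas the sibling tun_aescbc_sha1_common_defs.sh uses 16 bytes for aes-128-cbc, and nothing explains the difference. If, as the matching `rfc3686(ctr(aes))` key in tun_aesctr_sha1_defs.sh suggests, the trailing four bytes are the RFC 3686 nonce rather than key material, a comment above `#SA in rules` such as `# aes-128-ctr cipher_key = 16-byte AES key + 4-byte RFC 3686 nonce, hence 20 bytes` would keep a future reader from "correcting" the length and silently breaking interoperability with the remote xfrm state. Please confirm that reading against the ipsec-secgw config documentation before wording the comment.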
@@ -0,0 +1,142 @@
+#! /bin/bash
+# SPDX-License-Identifier: BSD-3-Clause
+
+. ${DIR}/tun_aesctr_sha1_common_defs.sh
+
+SGW_CMD_XPRM="${DPDK_VARS} ${DPDK_MODE} ${SGW_CMD_XPRM}"
+
+config_remote_xfrm_44()
+{
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode tunnel replay-window 64 ${XFRM_ESN} \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode tunnel replay-window 64 ${XFRM_ESN} \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+ ssh ${REMOTE_HOST} ip xfrm policy list
+ ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config_remote_xfrm_46()
+{
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 1
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 2
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 6 reqid 1 mode tunnel replay-window 64 ${XFRM_ESN} \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 6 reqid 2 mode tunnel replay-window 64 ${XFRM_ESN} \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}
+
+ ssh ${REMOTE_HOST} ip xfrm policy list
+ ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config_remote_xfrm_64()
+{
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 8 reqid 1 mode tunnel replay-window 64 ${XFRM_ESN} \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 8 reqid 2 mode tunnel replay-window 64 ${XFRM_ESN} \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+sel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}
+
+ ssh ${REMOTE_HOST} ip xfrm policy list
+ ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config_remote_xfrm_66()
+{
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 3
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 4
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode tunnel replay-window 64 ${XFRM_ESN} \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode tunnel replay-window 64 ${XFRM_ESN} \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+ ssh ${REMOTE_HOST} ip xfrm policy list
+ ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/src/spdk/dpdk/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh b/src/spdk/dpdk/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh
new file mode 100644
index 000000000..bf4956293
--- /dev/null
+++ b/src/spdk/dpdk/examples/ipsec-secgw/test/tun_aesgcm_common_defs.sh
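Review bot: The `enc "rfc3686\(ctr\(aes\)\)"` argument in every `ip xfrm state add` depends on two rounds of shell parsing that nothing in the file explains: the local double quotes keep the backslashes intact, ssh joins the words into one command string, and the remote login shell turns `\(` back into the literal parentheses `ip xfrm` expects. That works today but breaks silently if someone switches to a single quoted remote command, a different remote shell, or local single quotes, and the resulting `ip` error is not checked. A comment above the first `state add` such as `# backslash-escaped parens survive the local shell; the remote shell unescapes them for ip xfrm` would document the contract. The same construction appears in tun_3descbc_sha1_defs.sh (`cbc\(des3_ede\)`) and tun_aesgcm_defs.sh (`rfc4106\(gcm\(aes\)\)`) in this commit.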
@@ -0,0 +1,117 @@
+#! /bin/bash
+# SPDX-License-Identifier: BSD-3-Clause
+
+CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_gcm0"'}
+
+#generate cfg file for ipsec-secgw
+config_secgw()
+{
+ cat <<EOF > ${SGW_CFG_FILE}
+#sp in IPv4 rules
+sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 7 aead_algo aes-128-gcm \
+aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM_IN}
+
+sa in 9 aead_algo aes-128-gcm \
+aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM_IN}
+
+#SA out rules
+sa out 7 aead_algo aes-128-gcm \
+aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} ${SGW_CFG_XPRM_OUT}
+
+sa out 9 aead_algo aes-128-gcm \
+aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} ${SGW_CFG_XPRM_OUT}
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+ cat ${SGW_CFG_FILE}
+}
+
+config_secgw_mixed()
+{
+ cat <<EOF > ${SGW_CFG_FILE}
+#sp in IPv4 rules
+sp ipv4 in esp protect 6 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 6 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 8 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 8 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 8 aead_algo aes-128-gcm \
+aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM_IN}
+
+sa in 6 aead_algo aes-128-gcm \
+aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM_IN}
+
+#SA out rules
+sa out 8 aead_algo aes-128-gcm \
+aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} ${SGW_CFG_XPRM_OUT}
+
+sa out 6 aead_algo aes-128-gcm \
+aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} ${SGW_CFG_XPRM_OUT}
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+ cat ${SGW_CFG_FILE}
+}
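Review bot: config_secgw_mixed here appends `${SGW_CFG_XPRM_IN}` / `${SGW_CFG_XPRM_OUT}` to each `sa in` / `sa out` line, whereas the config_secgw_mixed functions in tun_aescbc_sha1_common_defs.sh, tun_aesctr_sha1_common_defs.sh and tun_3descbc_sha1_common_defs.sh in the same commit omit both variables from their mixed SA lines while keeping them in config_secgw. Either this file intentionally diverges and deserves a comment saying why, or the other three silently drop whatever extra SA parameters a caller sets through those variables for the mixed-family tests; it is not clear from the diff which is meant. If the omission is an oversight, the three sibling files need the same `${SGW_CFG_XPRM_IN}` / `${SGW_CFG_XPRM_OUT}` suffixes added to their mixed `mode ... src ... dst ...` lines.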
diff --git a/src/spdk/dpdk/examples/ipsec-secgw/test/tun_aesgcm_defs.sh b/src/spdk/dpdk/examples/ipsec-secgw/test/tun_aesgcm_defs.sh
new file mode 100644
index 000000000..2528d02c8
--- /dev/null
+++ b/src/spdk/dpdk/examples/ipsec-secgw/test/tun_aesgcm_defs.sh
@@ -0,0 +1,142 @@
+#! /bin/bash
+# SPDX-License-Identifier: BSD-3-Clause
+
+. ${DIR}/tun_aesgcm_common_defs.sh
+
+SGW_CMD_XPRM="${DPDK_VARS} ${DPDK_MODE} ${SGW_CMD_XPRM}"
+
+config_remote_xfrm_44()
+{
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode tunnel replay-window 64 ${XFRM_ESN} \
+aead "rfc4106\(gcm\(aes\)\)" \
+0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode tunnel replay-window 64 ${XFRM_ESN} \
+aead "rfc4106\(gcm\(aes\)\)" \
+0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128
+
+ ssh ${REMOTE_HOST} ip xfrm policy list
+ ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config_remote_xfrm_46()
+{
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 1
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 2
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 6 reqid 1 mode tunnel replay-window 64 ${XFRM_ESN} \
+aead "rfc4106\(gcm\(aes\)\)" \
+0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 \
+sel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 6 reqid 2 mode tunnel replay-window 64 ${XFRM_ESN} \
+aead "rfc4106\(gcm\(aes\)\)" \
+0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 \
+sel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}
+
+ ssh ${REMOTE_HOST} ip xfrm policy list
+ ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config_remote_xfrm_64()
+{
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 8 reqid 1 mode tunnel replay-window 64 ${XFRM_ESN} \
+aead "rfc4106\(gcm\(aes\)\)" \
+0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 \
+sel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 8 reqid 2 mode tunnel replay-window 64 ${XFRM_ESN} \
+aead "rfc4106\(gcm\(aes\)\)" \
+0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128 \
+sel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}
+
+ ssh ${REMOTE_HOST} ip xfrm policy list
+ ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config_remote_xfrm_66()
+{
+ ssh ${REMOTE_HOST} ip xfrm policy flush
+ ssh ${REMOTE_HOST} ip xfrm state flush
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 3
+
+ ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 4
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode tunnel replay-window 64 ${XFRM_ESN} \
+aead "rfc4106\(gcm\(aes\)\)" \
+0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128
+
+ ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode tunnel replay-window 64 ${XFRM_ESN} \
+aead "rfc4106\(gcm\(aes\)\)" \
+0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 128
+
+ ssh ${REMOTE_HOST} ip xfrm policy list
+ ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/src/spdk/dpdk/examples/ipsec-secgw/test/tun_null_header_reconstruct.py b/src/spdk/dpdk/examples/ipsec-secgw/test/tun_null_header_reconstruct.py
new file mode 100755
index 000000000..d4f42dfc0
--- /dev/null
+++ b/src/spdk/dpdk/examples/ipsec-secgw/test/tun_null_header_reconstruct.py
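Review bot: Each `aead "rfc4106\(gcm\(aes\)\)"` line carries two unexplained values, a 40-hex-digit key and a trailing `128`. In the Linux xfrm interface the rfc4106 key is the 16-byte AES-128 key followed by a 4-byte salt and the final number is the ICV length in bits, which is why the key here is 20 bytes and must byte-for-byte match the 20-byte `aead_key` in tun_aesgcm_common_defs.sh; none of that is visible to a reader of this file. A comment above the first `state add` such as `# rfc4106 key = 16-byte AES-128 key + 4-byte salt; 128 = ICV length in bits; must match aead_key in tun_aesgcm_common_defs.sh` would make the coupling explicit, and the same note applies to the remaining three functions.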
@@ -0,0 +1,479 @@ +#!/usr/bin/env python3 +# SPDX-License-Identifier: BSD-3-Clause +# Copyright(c) 2019 Intel Corporation + +from scapy.all import * +import unittest +import pkttest + +#{ipv4{ipv4}} test +SRC_ADDR_IPV4_1 = "192.168.1.1" +DST_ADDR_IPV4_1 = "192.168.2.1" + +#{ipv6{ipv6}} test +SRC_ADDR_IPV6_1 = "1111:0000:0000:0000:0000:0000:0000:0001" +DST_ADDR_IPV6_1 = "2222:0000:0000:0000:0000:0000:0000:0001" + +#{ipv4{ipv6}} test +SRC_ADDR_IPV4_2 = "192.168.11.1" +DST_ADDR_IPV4_2 = "192.168.12.1" +SRC_ADDR_IPV6_2 = "1111:0000:0000:0000:0000:0000:0001:0001" +DST_ADDR_IPV6_2 = "2222:0000:0000:0000:0000:0000:0001:0001" + +#{ipv6{ipv4}} test +SRC_ADDR_IPV4_3 = "192.168.21.1" +DST_ADDR_IPV4_3 = "192.168.22.1" +SRC_ADDR_IPV6_3 = "1111:0000:0000:0000:0000:0001:0001:0001" +DST_ADDR_IPV6_3 = "2222:0000:0000:0000:0000:0001:0001:0001" + +def config(): + return """ +#outter-ipv4 inner-ipv4 tunnel mode test +sp ipv4 out esp protect 5 pri 1 \\ +src {0}/32 \\ +dst {1}/32 \\ +sport 0:65535 dport 0:65535 + +sp ipv4 in esp protect 6 pri 1 \\ +src {1}/32 \\ +dst {0}/32 \\ +sport 0:65535 dport 0:65535 + +sa out 5 cipher_algo null auth_algo null mode ipv4-tunnel \\ +src {0} dst {1} +sa in 6 cipher_algo null auth_algo null mode ipv4-tunnel \\ +src {1} dst {0} + +rt ipv4 dst {0}/32 port 1 +rt ipv4 dst {1}/32 port 0 + +#outter-ipv6 inner-ipv6 tunnel mode test +sp ipv6 out esp protect 7 pri 1 \\ +src {2}/128 \\ +dst {3}/128 \\ +sport 0:65535 dport 0:65535 + +sp ipv6 in esp protect 8 pri 1 \\ +src {3}/128 \\ +dst {2}/128 \\ +sport 0:65535 dport 0:65535 + +sa out 7 cipher_algo null auth_algo null mode ipv6-tunnel \\ +src {2} dst {3} +sa in 8 cipher_algo null auth_algo null mode ipv6-tunnel \\ +src {3} dst {2} + +rt ipv6 dst {2}/128 port 1 +rt ipv6 dst {3}/128 port 0 + +#outter-ipv4 inner-ipv6 tunnel mode test +sp ipv6 out esp protect 9 pri 1 \\ +src {4}/128 \\ +dst {5}/128 \\ +sport 0:65535 dport 0:65535 + +sp ipv6 in esp protect 10 pri 1 \\ +src {5}/128 \\ +dst {4}/128 \\ +sport 0:65535 
dport 0:65535 + +sa out 9 cipher_algo null auth_algo null mode ipv4-tunnel \\ +src {6} dst {7} +sa in 10 cipher_algo null auth_algo null mode ipv4-tunnel \\ +src {7} dst {6} + +rt ipv6 dst {4}/128 port 1 +rt ipv4 dst {7}/32 port 0 + +#outter-ipv6 inner-ipv4 tunnel mode test +sp ipv4 out esp protect 11 pri 1 \\ +src {8}/32 \\ +dst {9}/32 \\ +sport 0:65535 dport 0:65535 + +sp ipv4 in esp protect 12 pri 1 \\ +src {9}/32 \\ +dst {8}/32 \\ +sport 0:65535 dport 0:65535 + +sa out 11 cipher_algo null auth_algo null mode ipv6-tunnel \\ +src {10} dst {11} +sa in 12 cipher_algo null auth_algo null mode ipv6-tunnel \\ +src {11} dst {10} + +rt ipv4 dst {8}/32 port 1 +rt ipv6 dst {11}/128 port 0 +""".format(SRC_ADDR_IPV4_1, DST_ADDR_IPV4_1, + SRC_ADDR_IPV6_1, DST_ADDR_IPV6_1, + SRC_ADDR_IPV6_2, DST_ADDR_IPV6_2, SRC_ADDR_IPV4_2, DST_ADDR_IPV4_2, + SRC_ADDR_IPV4_3, DST_ADDR_IPV4_3, SRC_ADDR_IPV6_3, DST_ADDR_IPV6_3) + +ECN_ECT0 = 0x02 +ECN_ECT1 = 0x01 +ECN_CE = 0x03 +DSCP_1 = 0x04 +DSCP_3F = 0xFC + +class TestTunnelHeaderReconstruct(unittest.TestCase): + def setUp(self): + self.px = pkttest.PacketXfer() + th = IP(src=DST_ADDR_IPV4_1, dst=SRC_ADDR_IPV4_1) + self.sa_ipv4v4 = SecurityAssociation(ESP, spi=6, tunnel_header = th) + + th = IPv6(src=DST_ADDR_IPV6_1, dst=SRC_ADDR_IPV6_1) + self.sa_ipv6v6 = SecurityAssociation(ESP, spi=8, tunnel_header = th) + + th = IP(src=DST_ADDR_IPV4_2, dst=SRC_ADDR_IPV4_2) + self.sa_ipv4v6 = SecurityAssociation(ESP, spi=10, tunnel_header = th) + + th = IPv6(src=DST_ADDR_IPV6_3, dst=SRC_ADDR_IPV6_3) + self.sa_ipv6v4 = SecurityAssociation(ESP, spi=12, tunnel_header = th) + + def gen_pkt_plain_ipv4(self, src, dst, tos): + pkt = IP(src=src, dst=dst, tos=tos) + pkt /= UDP(sport=123,dport=456)/Raw(load="abc") + return pkt + + def gen_pkt_plain_ipv6(self, src, dst, tc): + pkt = IPv6(src=src, dst=dst, tc=tc) + pkt /= UDP(sport=123,dport=456)/Raw(load="abc") + return pkt + + def gen_pkt_tun_ipv4v4(self, tos_outter, tos_inner): + pkt = 
self.gen_pkt_plain_ipv4(DST_ADDR_IPV4_1, SRC_ADDR_IPV4_1, + tos_inner) + pkt = self.sa_ipv4v4.encrypt(pkt) + self.assertEqual(pkt[IP].proto, socket.IPPROTO_ESP) + self.assertEqual(pkt[ESP].spi, 6) + pkt[IP].tos = tos_outter + return pkt + + def gen_pkt_tun_ipv6v6(self, tc_outter, tc_inner): + pkt = self.gen_pkt_plain_ipv6(DST_ADDR_IPV6_1, SRC_ADDR_IPV6_1, + tc_inner) + pkt = self.sa_ipv6v6.encrypt(pkt) + self.assertEqual(pkt[IPv6].nh, socket.IPPROTO_ESP) + self.assertEqual(pkt[ESP].spi, 8) + pkt[IPv6].tc = tc_outter + return pkt + + def gen_pkt_tun_ipv4v6(self, tos_outter, tc_inner): + pkt = self.gen_pkt_plain_ipv6(DST_ADDR_IPV6_2, SRC_ADDR_IPV6_2, + tc_inner) + pkt = self.sa_ipv4v6.encrypt(pkt) + self.assertEqual(pkt[IP].proto, socket.IPPROTO_ESP) + self.assertEqual(pkt[ESP].spi, 10) + pkt[IP].tos = tos_outter + return pkt + + def gen_pkt_tun_ipv6v4(self, tc_outter, tos_inner): + pkt = self.gen_pkt_plain_ipv4(DST_ADDR_IPV4_3, SRC_ADDR_IPV4_3, + tos_inner) + pkt = self.sa_ipv6v4.encrypt(pkt) + self.assertEqual(pkt[IPv6].nh, socket.IPPROTO_ESP) + self.assertEqual(pkt[ESP].spi, 12) + pkt[IPv6].tc = tc_outter + return pkt + +#RFC4301 5.1.2.1 & 5.1.2.2, outbound packets shall be copied ECN field + def test_outb_ipv4v4_ecn(self): + pkt = self.gen_pkt_plain_ipv4(SRC_ADDR_IPV4_1, DST_ADDR_IPV4_1, + ECN_ECT1) + resp = self.px.xfer_unprotected(pkt) + self.assertEqual(resp[IP].proto, socket.IPPROTO_ESP) + self.assertEqual(resp[ESP].spi, 5) + self.assertEqual(resp[IP].tos, ECN_ECT1) + + pkt = self.gen_pkt_plain_ipv4(SRC_ADDR_IPV4_1, DST_ADDR_IPV4_1, + ECN_ECT0) + resp = self.px.xfer_unprotected(pkt) + self.assertEqual(resp[IP].proto, socket.IPPROTO_ESP) + self.assertEqual(resp[ESP].spi, 5) + self.assertEqual(resp[IP].tos, ECN_ECT0) + + pkt = self.gen_pkt_plain_ipv4(SRC_ADDR_IPV4_1, DST_ADDR_IPV4_1, + ECN_CE) + resp = self.px.xfer_unprotected(pkt) + self.assertEqual(resp[IP].proto, socket.IPPROTO_ESP) + self.assertEqual(resp[ESP].spi, 5) + self.assertEqual(resp[IP].tos, 
ECN_CE) + + def test_outb_ipv6v6_ecn(self): + pkt = self.gen_pkt_plain_ipv6(SRC_ADDR_IPV6_1, DST_ADDR_IPV6_1, + ECN_ECT1) + resp = self.px.xfer_unprotected(pkt) + self.assertEqual(resp[IPv6].nh, socket.IPPROTO_ESP) + self.assertEqual(resp[IPv6].tc, ECN_ECT1) + + pkt = self.gen_pkt_plain_ipv6(SRC_ADDR_IPV6_1, DST_ADDR_IPV6_1, + ECN_ECT0) + resp = self.px.xfer_unprotected(pkt) + self.assertEqual(resp[IPv6].nh, socket.IPPROTO_ESP) + self.assertEqual(resp[ESP].spi, 7) + self.assertEqual(resp[IPv6].tc, ECN_ECT0) + + pkt = self.gen_pkt_plain_ipv6(SRC_ADDR_IPV6_1, DST_ADDR_IPV6_1, + ECN_CE) + resp = self.px.xfer_unprotected(pkt) + self.assertEqual(resp[IPv6].nh, socket.IPPROTO_ESP) + self.assertEqual(resp[ESP].spi, 7) + self.assertEqual(resp[IPv6].tc, ECN_CE) + + def test_outb_ipv4v6_ecn(self): + pkt = self.gen_pkt_plain_ipv6(SRC_ADDR_IPV6_2, DST_ADDR_IPV6_2, + ECN_ECT1) + resp = self.px.xfer_unprotected(pkt) + self.assertEqual(resp[IP].proto, socket.IPPROTO_ESP) + self.assertEqual(resp[IP].tos, ECN_ECT1) + + pkt = self.gen_pkt_plain_ipv6(SRC_ADDR_IPV6_2, DST_ADDR_IPV6_2, + ECN_ECT0) + resp = self.px.xfer_unprotected(pkt) + self.assertEqual(resp[IP].proto, socket.IPPROTO_ESP) + self.assertEqual(resp[IP].tos, ECN_ECT0) + + pkt = self.gen_pkt_plain_ipv6(SRC_ADDR_IPV6_2, DST_ADDR_IPV6_2, + ECN_CE) + resp = self.px.xfer_unprotected(pkt) + self.assertEqual(resp[IP].proto, socket.IPPROTO_ESP) + self.assertEqual(resp[IP].tos, ECN_CE) + + def test_outb_ipv6v4_ecn(self): + pkt = self.gen_pkt_plain_ipv4(SRC_ADDR_IPV4_3, DST_ADDR_IPV4_3, + ECN_ECT1) + resp = self.px.xfer_unprotected(pkt) + self.assertEqual(resp[IPv6].nh, socket.IPPROTO_ESP) + self.assertEqual(resp[IPv6].tc, ECN_ECT1) + + pkt = self.gen_pkt_plain_ipv4(SRC_ADDR_IPV4_3, DST_ADDR_IPV4_3, + ECN_ECT0) + resp = self.px.xfer_unprotected(pkt) + self.assertEqual(resp[IPv6].nh, socket.IPPROTO_ESP) + self.assertEqual(resp[IPv6].tc, ECN_ECT0) + + pkt = self.gen_pkt_plain_ipv4(SRC_ADDR_IPV4_3, DST_ADDR_IPV4_3, + ECN_CE) + resp = 
self.px.xfer_unprotected(pkt) + self.assertEqual(resp[IPv6].nh, socket.IPPROTO_ESP) + self.assertEqual(resp[IPv6].tc, ECN_CE) + +#RFC4301 5.1.2.1 & 5.1.2.2, if outbound packets ECN is CE (0x3), inbound packets +#ECN is overwritten to CE, otherwise no change + +#Outter header not CE, Inner header should be no change + def test_inb_ipv4v4_ecn_inner_no_change(self): + pkt = self.gen_pkt_tun_ipv4v4(ECN_ECT1, ECN_ECT0) + resp = self.px.xfer_protected(pkt) + self.assertEqual(resp[IP].proto, socket.IPPROTO_UDP) + self.assertEqual(resp[IP].tos, ECN_ECT0) + + pkt = self.gen_pkt_tun_ipv4v4(ECN_ECT0, ECN_ECT1) + resp = self.px.xfer_protected(pkt) + self.assertEqual(resp[IP].proto, socket.IPPROTO_UDP) + self.assertEqual(resp[IP].tos, ECN_ECT1) + + pkt = self.gen_pkt_tun_ipv4v4(ECN_ECT1, ECN_CE) + resp = self.px.xfer_protected(pkt) + self.assertEqual(resp[IP].proto, socket.IPPROTO_UDP) + self.assertEqual(resp[IP].tos, ECN_CE) + + def test_inb_ipv6v6_ecn_inner_no_change(self): + pkt = self.gen_pkt_tun_ipv6v6(ECN_ECT1, ECN_ECT0) + resp = self.px.xfer_protected(pkt) + self.assertEqual(resp[IPv6].nh, socket.IPPROTO_UDP) + self.assertEqual(resp[IPv6].tc, ECN_ECT0) + + pkt = self.gen_pkt_tun_ipv6v6(ECN_ECT0, ECN_ECT1) + resp = self.px.xfer_protected(pkt) + self.assertEqual(resp[IPv6].nh, socket.IPPROTO_UDP) + self.assertEqual(resp[IPv6].tc, ECN_ECT1) + + pkt = self.gen_pkt_tun_ipv6v6(ECN_ECT1, ECN_CE) + resp = self.px.xfer_protected(pkt) + self.assertEqual(resp[IPv6].nh, socket.IPPROTO_UDP) + self.assertEqual(resp[IPv6].tc, ECN_CE) + + def test_inb_ipv4v6_ecn_inner_no_change(self): + pkt = self.gen_pkt_tun_ipv4v6(ECN_ECT1, ECN_ECT0) + resp = self.px.xfer_protected(pkt) + self.assertEqual(resp[IPv6].nh, socket.IPPROTO_UDP) + self.assertEqual(resp[IPv6].tc, ECN_ECT0) + + pkt = self.gen_pkt_tun_ipv4v6(ECN_ECT0, ECN_ECT1) + resp = self.px.xfer_protected(pkt) + self.assertEqual(resp[IPv6].nh, socket.IPPROTO_UDP) + self.assertEqual(resp[IPv6].tc, ECN_ECT1) + + pkt = 
self.gen_pkt_tun_ipv4v6(ECN_ECT1, ECN_CE) + resp = self.px.xfer_protected(pkt) + self.assertEqual(resp[IPv6].nh, socket.IPPROTO_UDP) + self.assertEqual(resp[IPv6].tc, ECN_CE) + + def test_inb_ipv6v4_ecn_inner_no_change(self): + pkt = self.gen_pkt_tun_ipv6v4(ECN_ECT1, ECN_ECT0) + resp = self.px.xfer_protected(pkt) + self.assertEqual(resp[IP].proto, socket.IPPROTO_UDP) + self.assertEqual(resp[IP].tos, ECN_ECT0) + + pkt = self.gen_pkt_tun_ipv6v4(ECN_ECT0, ECN_ECT1) + resp = self.px.xfer_protected(pkt) + self.assertEqual(resp[IP].proto, socket.IPPROTO_UDP) + self.assertEqual(resp[IP].tos, ECN_ECT1) + + pkt = self.gen_pkt_tun_ipv6v4(ECN_ECT1, ECN_CE) + resp = self.px.xfer_protected(pkt) + self.assertEqual(resp[IP].proto, socket.IPPROTO_UDP) + self.assertEqual(resp[IP].tos, ECN_CE) + +#Outter header CE, Inner header should be changed to CE + def test_inb_ipv4v4_ecn_inner_change(self): + pkt = self.gen_pkt_tun_ipv4v4(ECN_CE, ECN_ECT0) + resp = self.px.xfer_protected(pkt) + self.assertEqual(resp[IP].proto, socket.IPPROTO_UDP) + self.assertEqual(resp[IP].tos, ECN_CE) + + pkt = self.gen_pkt_tun_ipv4v4(ECN_CE, ECN_ECT1) + resp = self.px.xfer_protected(pkt) + self.assertEqual(resp[IP].proto, socket.IPPROTO_UDP) + self.assertEqual(resp[IP].tos, ECN_CE) + + def test_inb_ipv6v6_ecn_inner_change(self): + pkt = self.gen_pkt_tun_ipv6v6(ECN_CE, ECN_ECT0) + resp = self.px.xfer_protected(pkt) + self.assertEqual(resp[IPv6].nh, socket.IPPROTO_UDP) + self.assertEqual(resp[IPv6].tc, ECN_CE) + + pkt = self.gen_pkt_tun_ipv6v6(ECN_CE, ECN_ECT1) + resp = self.px.xfer_protected(pkt) + self.assertEqual(resp[IPv6].nh, socket.IPPROTO_UDP) + self.assertEqual(resp[IPv6].tc, ECN_CE) + + def test_inb_ipv4v6_ecn_inner_change(self): + pkt = self.gen_pkt_tun_ipv4v6(ECN_CE, ECN_ECT0) + resp = self.px.xfer_protected(pkt) + self.assertEqual(resp[IPv6].nh, socket.IPPROTO_UDP) + self.assertEqual(resp[IPv6].tc, ECN_CE) + + pkt = self.gen_pkt_tun_ipv4v6(ECN_CE, ECN_ECT1) + resp = self.px.xfer_protected(pkt) + 
self.assertEqual(resp[IPv6].nh, socket.IPPROTO_UDP) + self.assertEqual(resp[IPv6].tc, ECN_CE) + + def test_inb_ipv6v4_ecn_inner_change(self): + pkt = self.gen_pkt_tun_ipv6v4(ECN_CE, ECN_ECT0) + resp = self.px.xfer_protected(pkt) + self.assertEqual(resp[IP].proto, socket.IPPROTO_UDP) + self.assertEqual(resp[IP].tos, ECN_CE) + + pkt = self.gen_pkt_tun_ipv6v4(ECN_CE, ECN_ECT1) + resp = self.px.xfer_protected(pkt) + self.assertEqual(resp[IP].proto, socket.IPPROTO_UDP) + self.assertEqual(resp[IP].tos, ECN_CE) + +#RFC4301 5.1.2.1.5 Outer DS field should be copied from Inner DS field + def test_outb_ipv4v4_dscp(self): + pkt = self.gen_pkt_plain_ipv4(SRC_ADDR_IPV4_1, DST_ADDR_IPV4_1, + DSCP_1) + resp = self.px.xfer_unprotected(pkt) + self.assertEqual(resp[IP].proto, socket.IPPROTO_ESP) + self.assertEqual(resp[ESP].spi, 5) + self.assertEqual(resp[IP].tos, DSCP_1) + + pkt = self.gen_pkt_plain_ipv4(SRC_ADDR_IPV4_1, DST_ADDR_IPV4_1, + DSCP_3F) + resp = self.px.xfer_unprotected(pkt) + self.assertEqual(resp[IP].proto, socket.IPPROTO_ESP) + self.assertEqual(resp[ESP].spi, 5) + self.assertEqual(resp[IP].tos, DSCP_3F) + + def test_outb_ipv6v6_dscp(self): + pkt = self.gen_pkt_plain_ipv6(SRC_ADDR_IPV6_1, DST_ADDR_IPV6_1, + DSCP_1) + resp = self.px.xfer_unprotected(pkt) + self.assertEqual(resp[IPv6].nh, socket.IPPROTO_ESP) + self.assertEqual(resp[ESP].spi, 7) + self.assertEqual(resp[IPv6].tc, DSCP_1) + + pkt = self.gen_pkt_plain_ipv6(SRC_ADDR_IPV6_1, DST_ADDR_IPV6_1, + DSCP_3F) + resp = self.px.xfer_unprotected(pkt) + self.assertEqual(resp[IPv6].nh, socket.IPPROTO_ESP) + self.assertEqual(resp[ESP].spi, 7) + self.assertEqual(resp[IPv6].tc, DSCP_3F) + + def test_outb_ipv4v6_dscp(self): + pkt = self.gen_pkt_plain_ipv6(SRC_ADDR_IPV6_2, DST_ADDR_IPV6_2, + DSCP_1) + resp = self.px.xfer_unprotected(pkt) + self.assertEqual(resp[IP].proto, socket.IPPROTO_ESP) + self.assertEqual(resp[ESP].spi, 9) + self.assertEqual(resp[IP].tos, DSCP_1) + + pkt = self.gen_pkt_plain_ipv6(SRC_ADDR_IPV6_2, 
DST_ADDR_IPV6_2, + DSCP_3F) + resp = self.px.xfer_unprotected(pkt) + self.assertEqual(resp[IP].proto, socket.IPPROTO_ESP) + self.assertEqual(resp[ESP].spi, 9) + self.assertEqual(resp[IP].tos, DSCP_3F) + + def test_outb_ipv6v4_dscp(self): + pkt = self.gen_pkt_plain_ipv4(SRC_ADDR_IPV4_3, DST_ADDR_IPV4_3, + DSCP_1) + resp = self.px.xfer_unprotected(pkt) + self.assertEqual(resp[IPv6].nh, socket.IPPROTO_ESP) + self.assertEqual(resp[ESP].spi, 11) + self.assertEqual(resp[IPv6].tc, DSCP_1) + + pkt = self.gen_pkt_plain_ipv4(SRC_ADDR_IPV4_3, DST_ADDR_IPV4_3, + DSCP_3F) + resp = self.px.xfer_unprotected(pkt) + self.assertEqual(resp[IPv6].nh, socket.IPPROTO_ESP) + self.assertEqual(resp[ESP].spi, 11) + self.assertEqual(resp[IPv6].tc, DSCP_3F) + +#RFC4301 5.1.2.1.5 Inner DS field should not be affected by Outer DS field + def test_inb_ipv4v4_dscp(self): + pkt = self.gen_pkt_tun_ipv4v4(DSCP_3F, DSCP_1) + resp = self.px.xfer_protected(pkt) + self.assertEqual(resp[IP].proto, socket.IPPROTO_UDP) + self.assertEqual(resp[IP].tos, DSCP_1) + + pkt = self.gen_pkt_tun_ipv4v4(DSCP_1, DSCP_3F) + resp = self.px.xfer_protected(pkt) + self.assertEqual(resp[IP].proto, socket.IPPROTO_UDP) + self.assertEqual(resp[IP].tos, DSCP_3F) + + def test_inb_ipv6v6_dscp(self): + pkt = self.gen_pkt_tun_ipv6v6(DSCP_3F, DSCP_1) + resp = self.px.xfer_protected(pkt) + self.assertEqual(resp[IPv6].nh, socket.IPPROTO_UDP) + self.assertEqual(resp[IPv6].tc, DSCP_1) + + pkt = self.gen_pkt_tun_ipv6v6(DSCP_1, DSCP_3F) + resp = self.px.xfer_protected(pkt) + self.assertEqual(resp[IPv6].nh, socket.IPPROTO_UDP) + self.assertEqual(resp[IPv6].tc, DSCP_3F) + + def test_inb_ipv4v6_dscp(self): + pkt = self.gen_pkt_tun_ipv4v6(DSCP_3F, DSCP_1) + resp = self.px.xfer_protected(pkt) + self.assertEqual(resp[IPv6].nh, socket.IPPROTO_UDP) + self.assertEqual(resp[IPv6].tc, DSCP_1) + + pkt = self.gen_pkt_tun_ipv4v6(DSCP_1, DSCP_3F) + resp = self.px.xfer_protected(pkt) + self.assertEqual(resp[IPv6].nh, socket.IPPROTO_UDP) + 
self.assertEqual(resp[IPv6].tc, DSCP_3F) + + def test_inb_ipv6v4_dscp(self): + pkt = self.gen_pkt_tun_ipv6v4(DSCP_3F, DSCP_1) + resp = self.px.xfer_protected(pkt) + self.assertEqual(resp[IP].proto, socket.IPPROTO_UDP) + self.assertEqual(resp[IP].tos, DSCP_1) + + pkt = self.gen_pkt_tun_ipv6v4(DSCP_1, DSCP_3F) + resp = self.px.xfer_protected(pkt) + self.assertEqual(resp[IP].proto, socket.IPPROTO_UDP) + self.assertEqual(resp[IP].tos, DSCP_3F) + +pkttest.pkttest() |
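Review bot: `socket` is used on every assertion line (`socket.IPPROTO_ESP`, `socket.IPPROTO_UDP`) but is never imported by this file; it only reaches module scope through `from scapy.all import *`, so the tests break if scapy ever stops re-exporting it — add `import socket` next to `import unittest`. The outbound ECN tests are also inconsistent in what they pin: the first case of `test_outb_ipv6v6_ecn` lacks the `self.assertEqual(resp[ESP].spi, 7)` that its two sibling cases carry, and `test_outb_ipv4v6_ecn` / `test_outb_ipv6v4_ecn` never assert the SPI (9 and 11) although the matching DSCP tests do, so a packet protected under the wrong SA would still pass those cases as long as the ECN bits survive. The spelling `outter` in the comments and in the `tos_outter` / `tc_outter` parameter names should be `outer` to match the RFC 4301 wording the comments cite.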