DPDK patches and discussions
 help / color / mirror / Atom feed
From: Fan Zhang <roy.fan.zhang@intel.com>
To: dev@dpdk.org
Cc: akhil.goyal@nxp.com, pablo.de.lara.guarch@intel.com,
	Fan Zhang <roy.fan.zhang@intel.com>
Subject: [dpdk-dev] [PATCH v6 2/2] examples/ipsec-secgw: support header reconstruction
Date: Mon,  1 Jul 2019 13:01:24 +0100	[thread overview]
Message-ID: <20190701120124.70418-3-roy.fan.zhang@intel.com> (raw)
In-Reply-To: <20190701120124.70418-1-roy.fan.zhang@intel.com>

This patch updates the ipsec-secgw application to support
header reconstruction. In addition a series of tests have
been added to prove the implementation's correctness.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
---
 doc/guides/rel_notes/release_19_08.rst             |   6 +
 examples/ipsec-secgw/sa.c                          |   2 +
 examples/ipsec-secgw/test/run_test.sh              |   3 +-
 .../test/tun_null_header_reconstruct.py            | 477 +++++++++++++++++++++
 4 files changed, 487 insertions(+), 1 deletion(-)
 create mode 100755 examples/ipsec-secgw/test/tun_null_header_reconstruct.py

diff --git a/doc/guides/rel_notes/release_19_08.rst b/doc/guides/rel_notes/release_19_08.rst
index 7c0435a43..d949dbcfb 100644
--- a/doc/guides/rel_notes/release_19_08.rst
+++ b/doc/guides/rel_notes/release_19_08.rst
@@ -99,6 +99,12 @@ New Features
   Updated ``librte_telemetry`` to fetch the global metrics from the
   ``librte_metrics`` library.
 
+* **Updated IPSec library Header Reconstruction.**
+
+  Updated the IPSec library with ECN and DSCP field header reconstruction
+  feature followed by RFC4301. The IPSec-secgw sample application is also
+  updated to support this feature by default.
+
 
 Removed Items
 -------------
diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index 7262ccee8..447f9dbb4 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -991,6 +991,8 @@ fill_ipsec_sa_prm(struct rte_ipsec_sa_prm *prm, const struct ipsec_sa *ss,
 	prm->ipsec_xform.mode = (ss->flags == TRANSPORT) ?
 		RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT :
 		RTE_SECURITY_IPSEC_SA_MODE_TUNNEL;
+	prm->ipsec_xform.options.ecn = 1;
+	prm->ipsec_xform.options.copy_dscp = 1;
 
 	if (ss->flags == IP4_TUNNEL) {
 		prm->ipsec_xform.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4;
diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh
index 4969effdb..3f73545c9 100755
--- a/examples/ipsec-secgw/test/run_test.sh
+++ b/examples/ipsec-secgw/test/run_test.sh
@@ -61,7 +61,8 @@ trs_3descbc_sha1_old \
 trs_3descbc_sha1_esn \
 trs_3descbc_sha1_esn_atom"
 
-PKT_TESTS="trs_ipv6opts"
+PKT_TESTS="trs_ipv6opts \
+tun_null_header_reconstruct"
 
 DIR=$(dirname $0)
 
diff --git a/examples/ipsec-secgw/test/tun_null_header_reconstruct.py b/examples/ipsec-secgw/test/tun_null_header_reconstruct.py
new file mode 100755
index 000000000..f2653b351
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_null_header_reconstruct.py
@@ -0,0 +1,477 @@
+#!/usr/bin/env python3
+
+from scapy.all import *
+import unittest
+import pkttest
+
+#{ipv4{ipv4}} test
+SRC_ADDR_IPV4_1 = "192.168.1.1"
+DST_ADDR_IPV4_1 = "192.168.2.1"
+
+#{ipv6{ipv6}} test
+SRC_ADDR_IPV6_1 = "1111:0000:0000:0000:0000:0000:0000:0001"
+DST_ADDR_IPV6_1 = "2222:0000:0000:0000:0000:0000:0000:0001"
+
+#{ipv4{ipv6}} test
+SRC_ADDR_IPV4_2 = "192.168.11.1"
+DST_ADDR_IPV4_2 = "192.168.12.1"
+SRC_ADDR_IPV6_2 = "1111:0000:0000:0000:0000:0000:0001:0001"
+DST_ADDR_IPV6_2 = "2222:0000:0000:0000:0000:0000:0001:0001"
+
+#{ipv6{ipv4}} test
+SRC_ADDR_IPV4_3 = "192.168.21.1"
+DST_ADDR_IPV4_3 = "192.168.22.1"
+SRC_ADDR_IPV6_3 = "1111:0000:0000:0000:0000:0001:0001:0001"
+DST_ADDR_IPV6_3 = "2222:0000:0000:0000:0000:0001:0001:0001"
+
+def config():
+    return """
+#outter-ipv4 inner-ipv4 tunnel mode test
+sp ipv4 out esp protect 5 pri 1 \\
+src {0}/32 \\
+dst {1}/32 \\
+sport 0:65535 dport 0:65535
+
+sp ipv4 in esp protect 6 pri 1 \\
+src {1}/32 \\
+dst {0}/32 \\
+sport 0:65535 dport 0:65535
+
+sa out 5 cipher_algo null auth_algo null mode ipv4-tunnel \\
+src {0} dst {1}
+sa in 6 cipher_algo null auth_algo null mode ipv4-tunnel \\
+src {1} dst {0}
+
+rt ipv4 dst {0}/32 port 1
+rt ipv4 dst {1}/32 port 0
+
+#outter-ipv6 inner-ipv6 tunnel mode test
+sp ipv6 out esp protect 7 pri 1 \\
+src {2}/128 \\
+dst {3}/128 \\
+sport 0:65535 dport 0:65535
+
+sp ipv6 in esp protect 8 pri 1 \\
+src {3}/128 \\
+dst {2}/128 \\
+sport 0:65535 dport 0:65535
+
+sa out 7 cipher_algo null auth_algo null mode ipv6-tunnel \\
+src {2} dst {3}
+sa in 8 cipher_algo null auth_algo null mode ipv6-tunnel \\
+src {3} dst {2}
+
+rt ipv6 dst {2}/128 port 1
+rt ipv6 dst {3}/128 port 0
+
+#outter-ipv4 inner-ipv6 tunnel mode test
+sp ipv6 out esp protect 9 pri 1 \\
+src {4}/128 \\
+dst {5}/128 \\
+sport 0:65535 dport 0:65535
+
+sp ipv6 in esp protect 10 pri 1 \\
+src {5}/128 \\
+dst {4}/128 \\
+sport 0:65535 dport 0:65535
+
+sa out 9 cipher_algo null auth_algo null mode ipv4-tunnel \\
+src {6} dst {7}
+sa in 10 cipher_algo null auth_algo null mode ipv4-tunnel \\
+src {7} dst {6}
+
+rt ipv6 dst {4}/128 port 1
+rt ipv4 dst {7}/32 port 0
+
+#outter-ipv6 inner-ipv4 tunnel mode test
+sp ipv4 out esp protect 11 pri 1 \\
+src {8}/32 \\
+dst {9}/32 \\
+sport 0:65535 dport 0:65535
+
+sp ipv4 in esp protect 12 pri 1 \\
+src {9}/32 \\
+dst {8}/32 \\
+sport 0:65535 dport 0:65535
+
+sa out 11 cipher_algo null auth_algo null mode ipv6-tunnel \\
+src {10} dst {11}
+sa in 12 cipher_algo null auth_algo null mode ipv6-tunnel \\
+src {11} dst {10}
+
+rt ipv4 dst {8}/32 port 1
+rt ipv6 dst {11}/128 port 0
+""".format(SRC_ADDR_IPV4_1, DST_ADDR_IPV4_1,
+           SRC_ADDR_IPV6_1, DST_ADDR_IPV6_1,
+           SRC_ADDR_IPV6_2, DST_ADDR_IPV6_2, SRC_ADDR_IPV4_2, DST_ADDR_IPV4_2,
+           SRC_ADDR_IPV4_3, DST_ADDR_IPV4_3, SRC_ADDR_IPV6_3, DST_ADDR_IPV6_3)
+
+ECN_ECT0    = 0x02
+ECN_ECT1    = 0x01
+ECN_CE      = 0x03
+DSCP_1      = 0x04
+DSCP_3F     = 0xFC
+
+class TestTunnelHeaderReconstruct(unittest.TestCase):
+    def setUp(self):
+        self.px = pkttest.PacketXfer()
+        th = IP(src=DST_ADDR_IPV4_1, dst=SRC_ADDR_IPV4_1)
+        self.sa_ipv4v4 = SecurityAssociation(ESP, spi=6, tunnel_header = th)
+
+        th = IPv6(src=DST_ADDR_IPV6_1, dst=SRC_ADDR_IPV6_1)
+        self.sa_ipv6v6 = SecurityAssociation(ESP, spi=8, tunnel_header = th)
+
+        th = IP(src=DST_ADDR_IPV4_2, dst=SRC_ADDR_IPV4_2)
+        self.sa_ipv4v6 = SecurityAssociation(ESP, spi=10, tunnel_header = th)
+
+        th = IPv6(src=DST_ADDR_IPV6_3, dst=SRC_ADDR_IPV6_3)
+        self.sa_ipv6v4 = SecurityAssociation(ESP, spi=12, tunnel_header = th)
+
+    def gen_pkt_plain_ipv4(self, src, dst, tos):
+        pkt = IP(src=src, dst=dst, tos=tos)
+        pkt /= UDP(sport=123,dport=456)/Raw(load="abc")
+        return pkt
+
+    def gen_pkt_plain_ipv6(self, src, dst, tc):
+        pkt = IPv6(src=src, dst=dst, tc=tc)
+        pkt /= UDP(sport=123,dport=456)/Raw(load="abc")
+        return pkt
+
+    def gen_pkt_tun_ipv4v4(self, tos_outter, tos_inner):
+        pkt = self.gen_pkt_plain_ipv4(DST_ADDR_IPV4_1, SRC_ADDR_IPV4_1,
+                                      tos_inner)
+        pkt = self.sa_ipv4v4.encrypt(pkt)
+        self.assertEqual(pkt[IP].proto, socket.IPPROTO_ESP)
+        self.assertEqual(pkt[ESP].spi, 6)
+        pkt[IP].tos = tos_outter
+        return pkt
+
+    def gen_pkt_tun_ipv6v6(self, tc_outter, tc_inner):
+        pkt = self.gen_pkt_plain_ipv6(DST_ADDR_IPV6_1, SRC_ADDR_IPV6_1,
+                                      tc_inner)
+        pkt = self.sa_ipv6v6.encrypt(pkt)
+        self.assertEqual(pkt[IPv6].nh, socket.IPPROTO_ESP)
+        self.assertEqual(pkt[ESP].spi, 8)
+        pkt[IPv6].tc = tc_outter
+        return pkt
+
+    def gen_pkt_tun_ipv4v6(self, tos_outter, tc_inner):
+        pkt = self.gen_pkt_plain_ipv6(DST_ADDR_IPV6_2, SRC_ADDR_IPV6_2,
+                                      tc_inner)
+        pkt = self.sa_ipv4v6.encrypt(pkt)
+        self.assertEqual(pkt[IP].proto, socket.IPPROTO_ESP)
+        self.assertEqual(pkt[ESP].spi, 10)
+        pkt[IP].tos = tos_outter
+        return pkt
+
+    def gen_pkt_tun_ipv6v4(self, tc_outter, tos_inner):
+        pkt = self.gen_pkt_plain_ipv4(DST_ADDR_IPV4_3, SRC_ADDR_IPV4_3,
+                                      tos_inner)
+        pkt = self.sa_ipv6v4.encrypt(pkt)
+        self.assertEqual(pkt[IPv6].nh, socket.IPPROTO_ESP)
+        self.assertEqual(pkt[ESP].spi, 12)
+        pkt[IPv6].tc = tc_outter
+        return pkt
+
+#RFC4301 5.1.2.1 & 5.1.2.2, outbound packets shall be copied ECN field
+    def test_outb_ipv4v4_ecn(self):
+        pkt = self.gen_pkt_plain_ipv4(SRC_ADDR_IPV4_1, DST_ADDR_IPV4_1,
+                                      ECN_ECT1)
+        resp = self.px.xfer_unprotected(pkt)
+        self.assertEqual(resp[IP].proto, socket.IPPROTO_ESP)
+        self.assertEqual(resp[ESP].spi, 5)
+        self.assertEqual(resp[IP].tos, ECN_ECT1)
+
+        pkt = self.gen_pkt_plain_ipv4(SRC_ADDR_IPV4_1, DST_ADDR_IPV4_1,
+                                      ECN_ECT0)
+        resp = self.px.xfer_unprotected(pkt)
+        self.assertEqual(resp[IP].proto, socket.IPPROTO_ESP)
+        self.assertEqual(resp[ESP].spi, 5)
+        self.assertEqual(resp[IP].tos, ECN_ECT0)
+
+        pkt = self.gen_pkt_plain_ipv4(SRC_ADDR_IPV4_1, DST_ADDR_IPV4_1,
+                                      ECN_CE)
+        resp = self.px.xfer_unprotected(pkt)
+        self.assertEqual(resp[IP].proto, socket.IPPROTO_ESP)
+        self.assertEqual(resp[ESP].spi, 5)
+        self.assertEqual(resp[IP].tos, ECN_CE)
+
+    def test_outb_ipv6v6_ecn(self):
+        pkt = self.gen_pkt_plain_ipv6(SRC_ADDR_IPV6_1, DST_ADDR_IPV6_1,
+                                      ECN_ECT1)
+        resp = self.px.xfer_unprotected(pkt)
+        self.assertEqual(resp[IPv6].nh, socket.IPPROTO_ESP)
+        self.assertEqual(resp[IPv6].tc, ECN_ECT1)
+
+        pkt = self.gen_pkt_plain_ipv6(SRC_ADDR_IPV6_1, DST_ADDR_IPV6_1,
+                                      ECN_ECT0)
+        resp = self.px.xfer_unprotected(pkt)
+        self.assertEqual(resp[IPv6].nh, socket.IPPROTO_ESP)
+        self.assertEqual(resp[ESP].spi, 7)
+        self.assertEqual(resp[IPv6].tc, ECN_ECT0)
+
+        pkt = self.gen_pkt_plain_ipv6(SRC_ADDR_IPV6_1, DST_ADDR_IPV6_1,
+                                      ECN_CE)
+        resp = self.px.xfer_unprotected(pkt)
+        self.assertEqual(resp[IPv6].nh, socket.IPPROTO_ESP)
+        self.assertEqual(resp[ESP].spi, 7)
+        self.assertEqual(resp[IPv6].tc, ECN_CE)
+
+    def test_outb_ipv4v6_ecn(self):
+        pkt = self.gen_pkt_plain_ipv6(SRC_ADDR_IPV6_2, DST_ADDR_IPV6_2,
+                                      ECN_ECT1)
+        resp = self.px.xfer_unprotected(pkt)
+        self.assertEqual(resp[IP].proto, socket.IPPROTO_ESP)
+        self.assertEqual(resp[IP].tos, ECN_ECT1)
+
+        pkt = self.gen_pkt_plain_ipv6(SRC_ADDR_IPV6_2, DST_ADDR_IPV6_2,
+                                      ECN_ECT0)
+        resp = self.px.xfer_unprotected(pkt)
+        self.assertEqual(resp[IP].proto, socket.IPPROTO_ESP)
+        self.assertEqual(resp[IP].tos, ECN_ECT0)
+
+        pkt = self.gen_pkt_plain_ipv6(SRC_ADDR_IPV6_2, DST_ADDR_IPV6_2,
+                                      ECN_CE)
+        resp = self.px.xfer_unprotected(pkt)
+        self.assertEqual(resp[IP].proto, socket.IPPROTO_ESP)
+        self.assertEqual(resp[IP].tos, ECN_CE)
+
+    def test_outb_ipv6v4_ecn(self):
+        pkt = self.gen_pkt_plain_ipv4(SRC_ADDR_IPV4_3, DST_ADDR_IPV4_3,
+                                      ECN_ECT1)
+        resp = self.px.xfer_unprotected(pkt)
+        self.assertEqual(resp[IPv6].nh, socket.IPPROTO_ESP)
+        self.assertEqual(resp[IPv6].tc, ECN_ECT1)
+
+        pkt = self.gen_pkt_plain_ipv4(SRC_ADDR_IPV4_3, DST_ADDR_IPV4_3,
+                                      ECN_ECT0)
+        resp = self.px.xfer_unprotected(pkt)
+        self.assertEqual(resp[IPv6].nh, socket.IPPROTO_ESP)
+        self.assertEqual(resp[IPv6].tc, ECN_ECT0)
+
+        pkt = self.gen_pkt_plain_ipv4(SRC_ADDR_IPV4_3, DST_ADDR_IPV4_3,
+                                      ECN_CE)
+        resp = self.px.xfer_unprotected(pkt)
+        self.assertEqual(resp[IPv6].nh, socket.IPPROTO_ESP)
+        self.assertEqual(resp[IPv6].tc, ECN_CE)
+
+#RFC4301 5.1.2.1 & 5.1.2.2, if outbound packets ECN is CE (0x3), inbound packets
+#ECN is overwritten to CE, otherwise no change
+
+#Outter header not CE, Inner header should be no change
+    def test_inb_ipv4v4_ecn_inner_no_change(self):
+        pkt = self.gen_pkt_tun_ipv4v4(ECN_ECT1, ECN_ECT0)
+        resp = self.px.xfer_protected(pkt)
+        self.assertEqual(resp[IP].proto, socket.IPPROTO_UDP)
+        self.assertEqual(resp[IP].tos, ECN_ECT0)
+
+        pkt = self.gen_pkt_tun_ipv4v4(ECN_ECT0, ECN_ECT1)
+        resp = self.px.xfer_protected(pkt)
+        self.assertEqual(resp[IP].proto, socket.IPPROTO_UDP)
+        self.assertEqual(resp[IP].tos, ECN_ECT1)
+
+        pkt = self.gen_pkt_tun_ipv4v4(ECN_ECT1, ECN_CE)
+        resp = self.px.xfer_protected(pkt)
+        self.assertEqual(resp[IP].proto, socket.IPPROTO_UDP)
+        self.assertEqual(resp[IP].tos, ECN_CE)
+
+    def test_inb_ipv6v6_ecn_inner_no_change(self):
+        pkt = self.gen_pkt_tun_ipv6v6(ECN_ECT1, ECN_ECT0)
+        resp = self.px.xfer_protected(pkt)
+        self.assertEqual(resp[IPv6].nh, socket.IPPROTO_UDP)
+        self.assertEqual(resp[IPv6].tc, ECN_ECT0)
+
+        pkt = self.gen_pkt_tun_ipv6v6(ECN_ECT0, ECN_ECT1)
+        resp = self.px.xfer_protected(pkt)
+        self.assertEqual(resp[IPv6].nh, socket.IPPROTO_UDP)
+        self.assertEqual(resp[IPv6].tc, ECN_ECT1)
+
+        pkt = self.gen_pkt_tun_ipv6v6(ECN_ECT1, ECN_CE)
+        resp = self.px.xfer_protected(pkt)
+        self.assertEqual(resp[IPv6].nh, socket.IPPROTO_UDP)
+        self.assertEqual(resp[IPv6].tc, ECN_CE)
+
+    def test_inb_ipv4v6_ecn_inner_no_change(self):
+        pkt = self.gen_pkt_tun_ipv4v6(ECN_ECT1, ECN_ECT0)
+        resp = self.px.xfer_protected(pkt)
+        self.assertEqual(resp[IPv6].nh, socket.IPPROTO_UDP)
+        self.assertEqual(resp[IPv6].tc, ECN_ECT0)
+
+        pkt = self.gen_pkt_tun_ipv4v6(ECN_ECT0, ECN_ECT1)
+        resp = self.px.xfer_protected(pkt)
+        self.assertEqual(resp[IPv6].nh, socket.IPPROTO_UDP)
+        self.assertEqual(resp[IPv6].tc, ECN_ECT1)
+
+        pkt = self.gen_pkt_tun_ipv4v6(ECN_ECT1, ECN_CE)
+        resp = self.px.xfer_protected(pkt)
+        self.assertEqual(resp[IPv6].nh, socket.IPPROTO_UDP)
+        self.assertEqual(resp[IPv6].tc, ECN_CE)
+
+    def test_inb_ipv6v4_ecn_inner_no_change(self):
+        pkt = self.gen_pkt_tun_ipv6v4(ECN_ECT1, ECN_ECT0)
+        resp = self.px.xfer_protected(pkt)
+        self.assertEqual(resp[IP].proto, socket.IPPROTO_UDP)
+        self.assertEqual(resp[IP].tos, ECN_ECT0)
+
+        pkt = self.gen_pkt_tun_ipv6v4(ECN_ECT0, ECN_ECT1)
+        resp = self.px.xfer_protected(pkt)
+        self.assertEqual(resp[IP].proto, socket.IPPROTO_UDP)
+        self.assertEqual(resp[IP].tos, ECN_ECT1)
+
+        pkt = self.gen_pkt_tun_ipv6v4(ECN_ECT1, ECN_CE)
+        resp = self.px.xfer_protected(pkt)
+        self.assertEqual(resp[IP].proto, socket.IPPROTO_UDP)
+        self.assertEqual(resp[IP].tos, ECN_CE)
+
+#Outter header CE, Inner header should be changed to CE
+    def test_inb_ipv4v4_ecn_inner_change(self):
+        pkt = self.gen_pkt_tun_ipv4v4(ECN_CE, ECN_ECT0)
+        resp = self.px.xfer_protected(pkt)
+        self.assertEqual(resp[IP].proto, socket.IPPROTO_UDP)
+        self.assertEqual(resp[IP].tos, ECN_CE)
+
+        pkt = self.gen_pkt_tun_ipv4v4(ECN_CE, ECN_ECT1)
+        resp = self.px.xfer_protected(pkt)
+        self.assertEqual(resp[IP].proto, socket.IPPROTO_UDP)
+        self.assertEqual(resp[IP].tos, ECN_CE)
+
+    def test_inb_ipv6v6_ecn_inner_change(self):
+        pkt = self.gen_pkt_tun_ipv6v6(ECN_CE, ECN_ECT0)
+        resp = self.px.xfer_protected(pkt)
+        self.assertEqual(resp[IPv6].nh, socket.IPPROTO_UDP)
+        self.assertEqual(resp[IPv6].tc, ECN_CE)
+
+        pkt = self.gen_pkt_tun_ipv6v6(ECN_CE, ECN_ECT1)
+        resp = self.px.xfer_protected(pkt)
+        self.assertEqual(resp[IPv6].nh, socket.IPPROTO_UDP)
+        self.assertEqual(resp[IPv6].tc, ECN_CE)
+
+    def test_inb_ipv4v6_ecn_inner_change(self):
+        pkt = self.gen_pkt_tun_ipv4v6(ECN_CE, ECN_ECT0)
+        resp = self.px.xfer_protected(pkt)
+        self.assertEqual(resp[IPv6].nh, socket.IPPROTO_UDP)
+        self.assertEqual(resp[IPv6].tc, ECN_CE)
+
+        pkt = self.gen_pkt_tun_ipv4v6(ECN_CE, ECN_ECT1)
+        resp = self.px.xfer_protected(pkt)
+        self.assertEqual(resp[IPv6].nh, socket.IPPROTO_UDP)
+        self.assertEqual(resp[IPv6].tc, ECN_CE)
+
+    def test_inb_ipv6v4_ecn_inner_change(self):
+        pkt = self.gen_pkt_tun_ipv6v4(ECN_CE, ECN_ECT0)
+        resp = self.px.xfer_protected(pkt)
+        self.assertEqual(resp[IP].proto, socket.IPPROTO_UDP)
+        self.assertEqual(resp[IP].tos, ECN_CE)
+
+        pkt = self.gen_pkt_tun_ipv6v4(ECN_CE, ECN_ECT1)
+        resp = self.px.xfer_protected(pkt)
+        self.assertEqual(resp[IP].proto, socket.IPPROTO_UDP)
+        self.assertEqual(resp[IP].tos, ECN_CE)
+
+#RFC4301 5.1.2.1.5 Outer DS field should be copied from Inner DS field
+    def test_outb_ipv4v4_dscp(self):
+        pkt = self.gen_pkt_plain_ipv4(SRC_ADDR_IPV4_1, DST_ADDR_IPV4_1,
+                                      DSCP_1)
+        resp = self.px.xfer_unprotected(pkt)
+        self.assertEqual(resp[IP].proto, socket.IPPROTO_ESP)
+        self.assertEqual(resp[ESP].spi, 5)
+        self.assertEqual(resp[IP].tos, DSCP_1)
+
+        pkt = self.gen_pkt_plain_ipv4(SRC_ADDR_IPV4_1, DST_ADDR_IPV4_1,
+                                      DSCP_3F)
+        resp = self.px.xfer_unprotected(pkt)
+        self.assertEqual(resp[IP].proto, socket.IPPROTO_ESP)
+        self.assertEqual(resp[ESP].spi, 5)
+        self.assertEqual(resp[IP].tos, DSCP_3F)
+
+    def test_outb_ipv6v6_dscp(self):
+        pkt = self.gen_pkt_plain_ipv6(SRC_ADDR_IPV6_1, DST_ADDR_IPV6_1,
+                                      DSCP_1)
+        resp = self.px.xfer_unprotected(pkt)
+        self.assertEqual(resp[IPv6].nh, socket.IPPROTO_ESP)
+        self.assertEqual(resp[ESP].spi, 7)
+        self.assertEqual(resp[IPv6].tc, DSCP_1)
+
+        pkt = self.gen_pkt_plain_ipv6(SRC_ADDR_IPV6_1, DST_ADDR_IPV6_1,
+                                      DSCP_3F)
+        resp = self.px.xfer_unprotected(pkt)
+        self.assertEqual(resp[IPv6].nh, socket.IPPROTO_ESP)
+        self.assertEqual(resp[ESP].spi, 7)
+        self.assertEqual(resp[IPv6].tc, DSCP_3F)
+
+    def test_outb_ipv4v6_dscp(self):
+        pkt = self.gen_pkt_plain_ipv6(SRC_ADDR_IPV6_2, DST_ADDR_IPV6_2,
+                                      DSCP_1)
+        resp = self.px.xfer_unprotected(pkt)
+        self.assertEqual(resp[IP].proto, socket.IPPROTO_ESP)
+        self.assertEqual(resp[ESP].spi, 9)
+        self.assertEqual(resp[IP].tos, DSCP_1)
+
+        pkt = self.gen_pkt_plain_ipv6(SRC_ADDR_IPV6_2, DST_ADDR_IPV6_2,
+                                      DSCP_3F)
+        resp = self.px.xfer_unprotected(pkt)
+        self.assertEqual(resp[IP].proto, socket.IPPROTO_ESP)
+        self.assertEqual(resp[ESP].spi, 9)
+        self.assertEqual(resp[IP].tos, DSCP_3F)
+
+    def test_outb_ipv6v4_dscp(self):
+        pkt = self.gen_pkt_plain_ipv4(SRC_ADDR_IPV4_3, DST_ADDR_IPV4_3,
+                                      DSCP_1)
+        resp = self.px.xfer_unprotected(pkt)
+        self.assertEqual(resp[IPv6].nh, socket.IPPROTO_ESP)
+        self.assertEqual(resp[ESP].spi, 11)
+        self.assertEqual(resp[IPv6].tc, DSCP_1)
+
+        pkt = self.gen_pkt_plain_ipv4(SRC_ADDR_IPV4_3, DST_ADDR_IPV4_3,
+                                      DSCP_3F)
+        resp = self.px.xfer_unprotected(pkt)
+        self.assertEqual(resp[IPv6].nh, socket.IPPROTO_ESP)
+        self.assertEqual(resp[ESP].spi, 11)
+        self.assertEqual(resp[IPv6].tc, DSCP_3F)
+
+#RFC4301 5.1.2.1.5 Inner DS field should not be affected by Outer DS field
+    def test_inb_ipv4v4_dscp(self):
+        pkt = self.gen_pkt_tun_ipv4v4(DSCP_3F, DSCP_1)
+        resp = self.px.xfer_protected(pkt)
+        self.assertEqual(resp[IP].proto, socket.IPPROTO_UDP)
+        self.assertEqual(resp[IP].tos, DSCP_1)
+
+        pkt = self.gen_pkt_tun_ipv4v4(DSCP_1, DSCP_3F)
+        resp = self.px.xfer_protected(pkt)
+        self.assertEqual(resp[IP].proto, socket.IPPROTO_UDP)
+        self.assertEqual(resp[IP].tos, DSCP_3F)
+
+    def test_inb_ipv6v6_dscp(self):
+        pkt = self.gen_pkt_tun_ipv6v6(DSCP_3F, DSCP_1)
+        resp = self.px.xfer_protected(pkt)
+        self.assertEqual(resp[IPv6].nh, socket.IPPROTO_UDP)
+        self.assertEqual(resp[IPv6].tc, DSCP_1)
+
+        pkt = self.gen_pkt_tun_ipv6v6(DSCP_1, DSCP_3F)
+        resp = self.px.xfer_protected(pkt)
+        self.assertEqual(resp[IPv6].nh, socket.IPPROTO_UDP)
+        self.assertEqual(resp[IPv6].tc, DSCP_3F)
+
+    def test_inb_ipv4v6_dscp(self):
+        pkt = self.gen_pkt_tun_ipv4v6(DSCP_3F, DSCP_1)
+        resp = self.px.xfer_protected(pkt)
+        self.assertEqual(resp[IPv6].nh, socket.IPPROTO_UDP)
+        self.assertEqual(resp[IPv6].tc, DSCP_1)
+
+        pkt = self.gen_pkt_tun_ipv4v6(DSCP_1, DSCP_3F)
+        resp = self.px.xfer_protected(pkt)
+        self.assertEqual(resp[IPv6].nh, socket.IPPROTO_UDP)
+        self.assertEqual(resp[IPv6].tc, DSCP_3F)
+
+    def test_inb_ipv6v4_dscp(self):
+        pkt = self.gen_pkt_tun_ipv6v4(DSCP_3F, DSCP_1)
+        resp = self.px.xfer_protected(pkt)
+        self.assertEqual(resp[IP].proto, socket.IPPROTO_UDP)
+        self.assertEqual(resp[IP].tos, DSCP_1)
+
+        pkt = self.gen_pkt_tun_ipv6v4(DSCP_1, DSCP_3F)
+        resp = self.px.xfer_protected(pkt)
+        self.assertEqual(resp[IP].proto, socket.IPPROTO_UDP)
+        self.assertEqual(resp[IP].tos, DSCP_3F)
+
+pkttest.pkttest()
-- 
2.14.5


  parent reply	other threads:[~2019-07-01 12:07 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-05-17 16:03 [dpdk-dev] [PATCH v1] lib/ipsec: add support for header construction Marko Kovacevic
2019-05-19 16:26 ` Ananyev, Konstantin
2019-06-20 12:27   ` Akhil Goyal
2019-06-25 13:43 ` [dpdk-dev] [PATCH v2 0/2] ipsec: ECN and DSCP header reconstruction Fan Zhang
2019-06-25 13:43   ` [dpdk-dev] [PATCH v2 1/2] lib/ipsec: add support for header construction Fan Zhang
2019-06-25 13:43   ` [dpdk-dev] [PATCH v2 2/2] examples/ipsec-secgw: support header reconstruction Fan Zhang
2019-06-26 15:05   ` [dpdk-dev] [PATCH v3 0/2] ipsec: ECN and DSCP " Fan Zhang
2019-06-26 15:05     ` [dpdk-dev] [PATCH v3 1/2] lib/ipsec: add support for header construction Fan Zhang
2019-06-26 22:15       ` Ananyev, Konstantin
2019-06-26 15:05     ` [dpdk-dev] [PATCH v3 2/2] examples/ipsec-secgw: support header reconstruction Fan Zhang
2019-06-28 12:39     ` [dpdk-dev] [PATCH v4 0/2] ipsec: ECN and DSCP " Fan Zhang
2019-06-28 12:39       ` [dpdk-dev] [PATCH v4 1/2] lib/ipsec: add support for header construction Fan Zhang
2019-06-28 12:39       ` [dpdk-dev] [PATCH v4 2/2] examples/ipsec-secgw: support header reconstruction Fan Zhang
2019-06-28 13:22       ` [dpdk-dev] [PATCH v5 0/2] ipsec: ECN and DSCP " Fan Zhang
2019-06-28 13:22         ` [dpdk-dev] [PATCH v5 1/2] lib/ipsec: add support for header construction Fan Zhang
2019-07-01 10:40           ` Ananyev, Konstantin
2019-06-28 13:22         ` [dpdk-dev] [PATCH v5 2/2] examples/ipsec-secgw: support header reconstruction Fan Zhang
2019-07-01 10:41           ` Ananyev, Konstantin
2019-07-01 12:01     ` [dpdk-dev] [PATCH v6 0/2] ipsec: ECN and DSCP " Fan Zhang
2019-07-01 12:01       ` [dpdk-dev] [PATCH v6 1/2] lib/ipsec: add support for header construction Fan Zhang
2019-07-01 13:11         ` Olivier Matz
2019-07-01 12:01       ` Fan Zhang [this message]
2019-07-03 10:11       ` [dpdk-dev] [PATCH v6 0/2] ipsec: ECN and DSCP header reconstruction Akhil Goyal
2019-07-04 10:42       ` [dpdk-dev] [PATCH v7 " Fan Zhang
2019-07-04 10:42         ` [dpdk-dev] [PATCH v7 1/2] lib/ipsec: add support for header construction Fan Zhang
2019-07-04 10:42         ` [dpdk-dev] [PATCH v7 2/2] examples/ipsec-secgw: support header reconstruction Fan Zhang
2019-07-05 10:12         ` [dpdk-dev] [PATCH v7 0/2] ipsec: ECN and DSCP " Akhil Goyal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190701120124.70418-3-roy.fan.zhang@intel.com \
    --to=roy.fan.zhang@intel.com \
    --cc=akhil.goyal@nxp.com \
    --cc=dev@dpdk.org \
    --cc=pablo.de.lara.guarch@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).