* [dts] [PATCH V1] add inline_ipsec test plan
From: Peng Yuan @ 2017-12-29 9:48 UTC
To: dts; +Cc: Peng Yuan

Signed-off-by: Peng Yuan <yuan.peng@intel.com>
---
 test_plans/inline_ipsec_test_plan.rst | 355 ++++++++++++++++++++++++++++++++++
 1 file changed, 355 insertions(+)
 create mode 100644 test_plans/inline_ipsec_test_plan.rst

diff --git a/test_plans/inline_ipsec_test_plan.rst b/test_plans/inline_ipsec_test_plan.rst
new file mode 100644
index 0000000..bc10111
--- /dev/null
+++ b/test_plans/inline_ipsec_test_plan.rst
@@ -0,0 +1,355 @@ +.. Copyright (c) <2017>, Intel Corporation + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + - Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + - Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in + the documentation and/or other materials provided with the + distribution. + + - Neither the name of Intel Corporation nor the names of its + contributors may be used to endorse or promote products derived + from this software without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPR ESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. + +====================== +Inline IPsec Test Plan +====================== +This test plan describe the method of validation inline hardware acceleration +of symmetric crypto processing of IPsec flows on Intel® 82599 10 GbE +Controller (IXGBE) within the cryptodev framework. 
+ +***Limitation: +AES-GCM 128 ESP Tunnel/Transport mode and Authentication only mode are +supported.*** + +Ref links: +https://tools.ietf.org/html/rfc4301 + +https://tools.ietf.org/html/rfc4302 + +https://tools.ietf.org/html/rfc4303 + +http://dpdk.org/doc/guides/sample_app_ug/ipsec_secgw.html + +Abbr: +ESP: Encapsulating Security Payload:: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ---- + | Security Parameters Index (SPI) | ^Int. + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Cov- + | Sequence Number | |ered + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ---- + | Payload Data* (variable) | | ^ + ~ ~ | | + | | |Conf. + + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Cov- + | | Padding (0-255 bytes) | |ered* + +-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + | | Pad Length | Next Header | v v + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ------ + | Integrity Check Value-ICV (variable) | + ~ ~ + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + +SPI: Security Parameters Index + +The SPI is an arbitrary 32-bit value that is used by a receiver to identify +the SA to which an incoming packet is bound. + +Sequence Number: + +This unsigned 32-bit field contains a counter value that increases by +one for each packet sent + +AES: Advanced Encryption Standard + +GCM: Galois Counter Mode + +Prerequisites +============= +2 * 10Gb Ethernet ports of the DUT are directly connected in full-duplex to +different ports of the peer traffic generator. + +Bind two ports to vfio-pci. 
+modprobe vfio-pci + + +Test Case: Inline cfg parsing +============================= +Create inline ipsec configuration file like below:: + + #SP IPv4 rules + sp ipv4 out esp protect 1005 pri 1 dst 192.168.105.0/24 sport 0:65535 dport 0:65535 + + #SA rules + sa out 1005 aead_algo aes-128-gcm aead_key 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ + mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \ + port_id 1 \ + type inline-crypto-offload \ + + sa in 5 aead_algo aes-128-gcm aead_key 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ + mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \ + port_id 1 \ + type inline-crypto-offload \ + + #Routing rules + rt ipv4 dst 172.16.2.5/32 port 1 + rt ipv4 dst 192.168.105.10/32 port 0 + +Starting ipsec-secgw sample and make sure SP/SA/RT rules loaded successfully. + +Check ipsec-secgw can detect invalid cipher algo. + +Check ipsec-secgw can detect invalid auth algo. + +Check ipsec-secgw can detect invalid key format. + + +Test Case: IPSec Encryption +================================= +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected mode:: + + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u + 0x2 --config="(0,0,20),(1,0,21)" -f ./enc.cfg + +Use scapy to listen on unprotected port +sudo python ./scapy_receive.py -i ens802f1 + +Send burst(32) normal packets with dst ip (192.168.105.0) to protected port. + sudo python ./scapy_send.py -i ens802f0 -s 32 -c 1 -e 0 + +Check burst esp packets received from unprotected port. +tcpdump -Xvvvi ens802f1 + +[root@dpdk98 scripts]# tcpdump -Xvvvi ens802f1 +tcpdump: listening on ens802f1, link-type EN10MB (Ethernet), capture size 262144 bytes +06:10:25.674233 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto ESP (50), length 108) + 172.16.1.5 > 172.16.2.5: ESP(spi=0x000003ed,seq=0x9), length 88 + 0x0000: 4500 006c 0000 0000 4032 1f36 ac10 0105 E..l....@2.6.... 
+ 0x0010: ac10 0205 0000 03ed 0000 0009 0000 0000 ................ + 0x0020: 0000 0009 4468 a4af 5853 7545 b21d 977c ....Dh..XSuE...| + 0x0030: b911 7ec6 74a0 3349 b986 02d2 a322 d050 ..~.t.3I.....".P + 0x0040: 8a0d 4ffc ef4d 6246 86fe 26f0 9377 84b5 ..O..MbF..&..w.. + 0x0050: 8b06 c7e0 05d3 1ac5 1a30 1a93 8660 4292 .........0...`B. + 0x0060: 999a c84d 49ed ff95 89a1 6917 ...MI.....i. + + +Check esp packets' format is correct. + +See decrypted packets on scapy output +[root@dpdk98 scripts]# sudo python ./scapy_receive.py -i ens802f1 +###[ IP ]### + version = 4 + ihl = 5 + tos = 0x0 + len = 52 + id = 1 + flags = + frag = 0 + ttl = 63 + proto = ip + chksum = 0x2764 + src = 192.168.105.10 + dst = 192.168.105.10 + \options \ +###[ Raw ]### + load = '|->test-test-test-test-test-t<-|' + + +Test Case: IPSec Encryption with Jumboframe +============================================== +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected mode:: + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u + 0x2 --config="(0,0,20),(1,0,21)" -f ./enc.cfg + +Use scapy to listen on unprotected port + +Default frame size is 1518, send burst(1000) packets with dst ip (192.168.105.0) to protected port. + +Check burst esp packets received from unprotected port. + +Check esp packets' format is correct. + +See decrypted packets on scapy output + +Send burst(8192) jumbo packets with dst ip (192.168.105.0) to protected port. + +Check burst esp packets can't be received from unprotected port. + +Set jumbo frames size as 9000, start it with port 1 assigned to unprotected mode:: + + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u + 0x2 -j 9000 --config="(0,0,20),(1,0,21)" -f ./enc.cfg + +Use scapy to listen on unprotected port + +Send burst(8192) jumbo packets with dst ip (192.168.105.0) to protected port. 
+ +Check burst jumbo packets received from unprotected port. + +Check esp packets' format is correct. + +See decrypted packets on scapy output + +Send burst(9000) jumbo packets with dst ip (192.168.105.0) to protected port. + +Check burst jumbo packets can't be received from unprotected port. + + +Test Case: IPSec Encryption with RSS +================================== +Create configuration file with multiple SP/SA/RT rules for different ip address. + +Start ipsec-secgw with two queues enabled on each port and port 1 assigned to unprotected mode:: + + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u + 0x2 --config="(0,0,20),(0,1,20),(1,0,21),(1,1,21)" -f ./enc_rss.cfg + +Use scapy to listen on unprotected port +sudo python ./scapy_receive_enc_rss.py -i ens802f1 + +Send burst(32) packets with different dst ip to protected port. +sudo python ./scapy_send_enc_rss.py -i ens802f0 -s 32 -c 1 -e 0 + +Check burst esp packets received from queue 0 and queue 1 on unprotected port. +tcpdump -Xvvvi ens802f1 + +Check esp packets' format is correct. + +See decrypted packets on scapy output + + +Test Case: IPSec Decryption +================================= +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected mode:: + + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u + 0x2 --config="(0,0,20),(1,0,21)" -f ./dec.cfg + +Send two burst(32) esp packets to unprotected port. +sudo python ./scapy_send.py -i ens802f1 -s 32 -c 1 -e 1 + +First one will produce an error "IPSEC_ESP: failed crypto op" in the IPsec application, +but it will setup the SA. Second one will decrypt and send back the decrypted packet. 
+ +Check burst packets which have been decapsulated received from protected port +tcpdump -Xvvvi ens802f0 + +Test Case: IPSec Decryption with wrong key +=============================================== +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected mode:: + + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u + 0x2 --config="(0,0,20),(1,0,21)" -f ./dec.cfg + +Change dec.cfg key is not same with send packet encrypted key + +Send one burst(32) esp packets to unprotected port. + +IPsec application will produce an error "IPSEC_ESP: failed crypto op" , +but it will setup the SA. + +Send one burst(32) esp packets to unprotected port. + +Check burst packets which have been decapsulated can't be received from protected port, +IPsec application will produce error "IPSEC_ESP: failed crypto op". + + +Test Case: IPSec Decryption with Jumboframe +================================================= +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected mode:: + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u + 0x2 --config="(0,0,20),(1,0,21)" -f ./dec.cfg +Default frame size is 1518, Send two burst(1000) esp packets to unprotected port. + +First one will produce an error "IPSEC_ESP: failed crypto op" in the IPsec application, +but it will setup the SA. Second one will decrypt and send back the decrypted packet. + +Check burst(1000) packets which have been decapsulated received from protected port. + +Send burst(8192) esp packets to unprotected port. + +Check burst(8192) packets which have been decapsulated can't be received from protected port. 
+ +Set jumbo frames size as 9000, start it with port 1 assigned to unprotected mode:: + + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u + 0x2 -j 9000 --config="(0,0,20),(1,0,21)" -f ./dec.cfg + +Send two burst(8192) esp packets to unprotected port. + +First one will produce an error "IPSEC_ESP: failed crypto op" in the IPsec application, +but it will setup the SA. Second one will decrypt and send back the decrypted packet. + +Check burst(8192) packets which have been decapsulated received from protected port. + +Send burst(9000) esp packets to unprotected port. + +Check burst(9000) packets which have been decapsulated can't be received from protected port. + + +Test Case: IPSec Decryption with RSS +=========================================== +Create configuration file with multiple SA rule for different ip address. + +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected mode:: + + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u + 0x2 -config="(0,0,20),(0,1,20),(1,0,21),(1,1,21)" -f ./dec_rss.cfg + +Send two burst(32) esp packets with different ip to unprotected port. + +First one will produce an error "IPSEC_ESP: failed crypto op" in the IPsec application, +but it will setup the SA. Second one will decrypt and send back the decrypted packet. + +Check burst(32) packets which have been decapsulated received from queue 0 and +1 on protected port. 
+ + +Test Case: IPSec Encryption/Decryption simultaneously +===================================================== +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected mode:: + + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 + --vdev "crypto_null" --log-level 8 --socket-mem 1024,1 + -- -p 0xf -P -u 0x2 --config="(0,0,20),(1,0,21)" -f ./enc_dec.cfg + +Send normal and esp packets to protected and unprotected ports simultaneously. + +Note when testing inbound IPSec, first one will produce an error "IPSEC_ESP: +invalid padding" in the IPsec application, but it will setup the SA. Second +one will decrypt and send back the decrypted packet. + +Check esp and normal packets received from unprotected and protected ports. -- 1.9.3 ^ permalink raw reply [flat|nested] 6+ messages in thread
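Review bot: In "Test Case: IPSec Decryption with wrong key" the steps start ipsec-secgw with -f ./dec.cfg and only afterwards say to change the key in dec.cfg, so as written the application is already running with the matching key; the key change (or a separate config file) should come before the start command. The pass criterion there also needs tightening: the other decryption cases in this plan expect "IPSEC_ESP: failed crypto op" on the first burst while the SA is set up, so that message alone cannot show that the mismatched key was rejected, and the deciding check is that no decapsulated packet reaches the protected port after the second burst. Two smaller points: the "IPSec Decryption with RSS" command passes -config= with a single dash where every other command uses --config=, and the simultaneous case names the first-burst error as "IPSEC_ESP: invalid padding" while the other inbound cases say "failed crypto op"; please state which message is expected.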
* [dts] [PATCH V1] add test suite inline_ipsec
From: Peng Yuan @ 2017-12-29 9:48 UTC
To: dts; +Cc: Peng Yuan

Signed-off-by: Peng Yuan <yuan.peng@intel.com>
---
 tests/TestSuite_inline_ipsec.py | 405 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 405 insertions(+)
 create mode 100644 tests/TestSuite_inline_ipsec.py

diff --git a/tests/TestSuite_inline_ipsec.py b/tests/TestSuite_inline_ipsec.py
new file mode 100644
index 0000000..ba90caf
--- /dev/null
+++ b/tests/TestSuite_inline_ipsec.py
@@ -0,0 +1,405 @@ +# BSD LICENSE +# +# Copyright(c) 2010-2017 Intel Corporation. All rights reserved. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# * Neither the name of Intel Corporation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +""" +DPDK Test suite. +Test inline_ipsec. +""" + +import utils +import string +import time +import re +import threading +from test_case import TestCase +import getopt +from scapy.all import * + +ETHER_STANDARD_MTU = 1518 +ETHER_JUMBO_FRAME_MTU = 9000 + + +class TestInlineIpsec(TestCase): + + def set_up_all(self): + """ + Run at the start of each test suite. 
+ """ + self.verify(self.nic in ["niantic"], "%s NIC not support" % self.nic) + self.dut_ports = self.dut.get_ports(self.nic) + self.verify(len(self.dut_ports) >= 2, "Insufficient ports") + cores = self.dut.get_core_list("1S/4C/1T") + self.coremask = utils.create_mask(cores) + + # get test port info + self.rxport = self.tester.get_local_port(1) + self.txport = self.tester.get_local_port(0) + self.rxItf = self.tester.get_interface(self.rxport) + self.txItf = self.tester.get_interface(self.txport) + # get dut port pci + self.portpci_0 = self.dut.get_port_pci(self.dut_ports[0]) + self.portpci_1 = self.dut.get_port_pci(self.dut_ports[1]) + + # enable tester mtu + self.rxnetobj = self.tester.ports_info[self.rxport]['port'] + self.rxnetobj.enable_jumbo(framesize=ETHER_JUMBO_FRAME_MTU + 100) + self.txnetobj = self.tester.ports_info[self.txport]['port'] + self.txnetobj.enable_jumbo(framesize=ETHER_JUMBO_FRAME_MTU + 100) + + self.path = "./examples/ipsec-secgw/build/ipsec-secgw" + # add print code in IPSEC app + sedcmd = r"""sed -i -e '/process_pkts(qconf, pkts, nb_rx, portid);/i\\printf("[debug]receive %hhu packet in rxqueueid=%hhu\\n",nb_rx, queueid);' examples/ipsec-secgw/ipsec-secgw.c""" + self.dut.send_expect(sedcmd, "#", 60) + + # build sample app + out = self.dut.build_dpdk_apps("./examples/ipsec-secgw") + self.verify("Error" not in out, "compilation error 1") + self.verify("No such file" not in out, "compilation error 2") + + self.cfg_prepare() + + def set_up(self): + """ + Run before each test case. 
+ """ + pass + + def cfg_prepare(self): + """ + write the inline_ipsec configuration file + """ + enc = """ +#SP IPv4 rules +sp ipv4 out esp protect 1005 pri 1 dst 192.168.105.0/24 sport 0:65535 dport 0:65535 + +#SA rules +sa out 1005 aead_algo aes-128-gcm aead_key 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ +mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \ +port_id 1 \ +type inline-crypto-offload \ + +#Routing rules +rt ipv4 dst 172.16.2.5/32 port 1 +""" + dec = """ +#SA rules +sa in 5 aead_algo aes-128-gcm aead_key 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ +mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \ +port_id 1 \ +type inline-crypto-offload \ + +#Routing rules +rt ipv4 dst 192.168.105.10/32 port 0 +""" + enc_rss = """ +#SP IPv4 rules +sp ipv4 out esp protect 1002 pri 1 dst 192.168.102.0/24 sport 0:65535 dport 0:65535 + +sa out 1002 aead_algo aes-128-gcm aead_key 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ +mode ipv4-tunnel src 172.16.31.35 dst 172.16.32.35 \ +port_id 1 \ +type inline-crypto-offload \ + +#Routing rules +rt ipv4 dst 172.16.32.35/32 port 1 +""" + dec_rss = """ +#SA rules +sa in 3 aead_algo aes-128-gcm aead_key 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ +mode ipv4-tunnel src 172.16.21.25 dst 172.16.22.25 \ +port_id 1 \ +type inline-crypto-offload \ + +#Routing rules +rt ipv4 dst 192.168.105.10/32 port 0 +""" + dec_wrong_key = """ +#SA rules +sa in 5 aead_algo aes-128-gcm aead_key 2f:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ +mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \ +port_id 1 \ +type inline-crypto-offload \ + +#Routing rules +rt ipv4 dst 192.168.105.10/32 port 0 +""" + enc_dec = """ +#SP IPv4 rules +sp ipv4 out esp protect 1005 pri 1 dst 192.168.105.0/24 sport 0:65535 dport 0:65535 + +#SA rules +sa out 1005 aead_algo aes-128-gcm aead_key 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ +mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \ 
+port_id 1 \ +type inline-crypto-offload \ + +sa in 5 aead_algo aes-128-gcm aead_key 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ +mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \ +port_id 1 \ +type inline-crypto-offload \ + +#Routing rules +rt ipv4 dst 172.16.2.5/32 port 1 +rt ipv4 dst 192.168.105.10/32 port 0 +""" + self.set_cfg('enc.cfg', enc) + self.set_cfg('dec.cfg', dec) + self.set_cfg('enc_rss.cfg', enc_rss) + self.set_cfg('dec_rss.cfg', dec_rss) + self.set_cfg('enc_dec.cfg', enc_dec) + self.set_cfg('dec_wrong_key.cfg', dec_wrong_key) + + def set_cfg(self, filename, cfg): + """ + open file and write cfg, scp it to dut /root/dpdk/ + """ + with open(filename, 'w') as f: + f.write(cfg) + self.dut.session.copy_file_to(filename, '/root/dpdk/') + + def send_encryption_package(self, intface, paysize=64, do_encrypt=False, send_spi=5, count=1, mydst='192.168.105.10', sa_src='172.16.1.5', sa_dst='172.16.2.5'): + """ + make a package and send + """ + test = 'test-' * 2000 + payload = test[0:int(paysize)] + sa_gcm = SecurityAssociation(ESP, spi=send_spi, + crypt_algo='AES-GCM', + crypt_key='\x2b\x7e\x15\x16\x28\xae\xd2\xa6\xab\xf7\x15\x88\x09\xcf\x4f\x3d\xde\xad\xbe\xef', + auth_algo='NULL', auth_key=None, + tunnel_header=IP(src=sa_src, dst=sa_dst)) + sa_gcm.crypt_algo.icv_size = 16 + + p = IP(src='192.168.105.10', dst=mydst) + p /= "|->" + p /= payload + p /= "<-|" + p = IP(str(p)) + + if do_encrypt == True: + print "send encrypt package" + e = sa_gcm.encrypt(p) + else: + print "send normal package" + e = p + + eth_e = Ether() / e + eth_e.src = "52:54:00:21:68:1c" + eth_e.dst = "52:54:00:16:f6:b0" + session_send = self.tester.create_session( + name='send_encryption_package') + sendp(eth_e, iface=intface, count=count) + self.tester.destroy_session(session_send) + + return payload + + def Ipsec_Encryption(self, config, file_name, txItf, rxItf, paysize=32, jumboframe=1518, do_encrypt=False, verify=True, send_spi=5, receive_spi=1005, count=1, 
mydst='192.168.105.10', sa_src='172.16.1.5', sa_dst='172.16.2.5'): + """ + verify Ipsec receive package + """ + cmd = self.path + " -l 20,21 -w %s -w %s --vdev 'crypto_null' --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u 0x2 -j %s --config='%s' -f %s" % ( + self.portpci_0, self.portpci_1, jumboframe, config, file_name) + self.dut.send_expect(cmd, "IPSEC", 60) + + session_receive = self.tester.create_session( + name='receive_encryption_package') + sa_gcm = r"sa_gcm=SecurityAssociation(ESP,spi=%s,crypt_algo='AES-GCM',crypt_key='\x2b\x7e\x15\x16\x28\xae\xd2\xa6\xab\xf7\x15\x88\x09\xcf\x4f\x3d\xde\xad\xbe\xef',auth_algo='NULL',auth_key=None,tunnel_header=IP(src='172.16.1.5',dst='172.16.2.5'))" % receive_spi + + session_receive.send_expect("scapy", "Welcome to Scapy", 10) + session_receive.send_expect( + "pkts=sniff(iface='%s',count=1,timeout=10)" % rxItf, "", 30) + send_package = self.send_encryption_package( + txItf, paysize, do_encrypt, send_spi, count, mydst, sa_src, sa_dst) + + time.sleep(10) + out = session_receive.send_expect("pkts", "", 30) + if do_encrypt: + out = session_receive.send_expect("pkts[0]['IP'] ", ">>>", 10) + else: + session_receive.send_expect(sa_gcm, ">>>", 10) + session_receive.send_expect( + "results=sa_gcm.decrypt(pkts[0]['IP'])", ">>>", 10) + out = session_receive.send_expect("results", ">>>", 10) + + if verify: + self.verify(send_package in out, + "Unreceived package or get other package") + else: + self.verify(send_package not in out, + "The function is not in effect") + session_receive.send_expect("quit()", "#", 10) + self.tester.destroy_session(session_receive) + + def test_Ipsec_Encryption(self): + """ + test Ipsec Encryption + """ + config = '(0,0,21),(1,0,21)' + paysize = random.randint(1, ETHER_STANDARD_MTU) + self.Ipsec_Encryption(config, '/root/dpdk/enc.cfg', + self.txItf, self.rxItf, paysize) + + def test_Ipsec_Encryption_Jumboframe(self): + """ + test Ipsec Encryption Jumboframe + """ + config = '(0,0,21),(1,0,21)' + paysize = 
random.randint(ETHER_STANDARD_MTU, ETHER_JUMBO_FRAME_MTU) + self.Ipsec_Encryption(config, '/root/dpdk/enc.cfg', + self.txItf, self.rxItf, paysize, ETHER_JUMBO_FRAME_MTU) + + def test_Ipsec_Encryption_Rss(self): + """ + test Ipsec Encryption Rss + """ + config = '(0,0,20),(0,1,20),(1,0,21),(1,1,21)' + self.Ipsec_Encryption(config, '/root/dpdk/enc_rss.cfg', self.txItf, + self.rxItf, send_spi=2, receive_spi=1002, mydst='192.168.102.10') + out = self.dut.get_session_output() + verifycode = "receive 1 packet in rxqueueid=1" + self.verify(verifycode in out, "rxqueueid error") + + def test_IPSec_Decryption(self): + """ + test IPSec Decryption + """ + config = '(0,0,21),(1,0,21)' + paysize = random.randint(1, ETHER_STANDARD_MTU) + self.Ipsec_Encryption(config, '/root/dpdk/dec.cfg', self.rxItf, + self.txItf, paysize, do_encrypt=True, count=2) + + def test_IPSec_Decryption_Jumboframe(self): + """ + test IPSec Decryption Jumboframe + """ + config = '(0,0,21),(1,0,21)' + paysize = random.randint(ETHER_STANDARD_MTU, ETHER_JUMBO_FRAME_MTU) + self.Ipsec_Encryption(config, '/root/dpdk/dec.cfg', self.rxItf, + self.txItf, paysize, ETHER_JUMBO_FRAME_MTU, do_encrypt=True, count=2) + + def test_Ipsec_Decryption_Rss(self): + """ + test Ipsec Decryption Rss + """ + config = '(0,0,20),(0,1,20),(1,0,21),(1,1,21)' + self.Ipsec_Encryption(config, '/root/dpdk/dec_rss.cfg', self.rxItf, self.txItf, do_encrypt=True, + send_spi=3, receive_spi=1003, count=2, sa_src='172.16.21.25', sa_dst='172.16.22.25') + out = self.dut.get_session_output() + verifycode = "receive 1 packet in rxqueueid=1" + self.verify(verifycode in out, "rxqueueid error") + + def test_Ipsec_Decryption_wrongkey(self): + """ + test Ipsec Decryption wrongkey + """ + config = '(0,0,21),(1,0,21)' + paysize = random.randint(1, ETHER_STANDARD_MTU) + self.Ipsec_Encryption(config, '/root/dpdk/dec_wrong_key.cfg', self.rxItf, + self.txItf, paysize, do_encrypt=True, verify=False, count=2) + out = self.dut.get_session_output() + verifycode = 
"IPSEC_ESP: failed crypto op" + self.verify(verifycode in out, "Ipsec Decryption wrongkey failed") + + def test_Ipsec_Encryption_Decryption(self): + """ + test Ipsec Encryption Decryption + """ + cmd = self.path + " -l 20,21 -w %s -w %s --vdev 'crypto_null' --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u 0x2 -j %s --config='%s' -f %s" % ( + self.portpci_0, self.portpci_1, '1518', '(0,0,21),(1,0,21)', '/root/dpdk/enc_dec.cfg') + self.dut.send_expect(cmd, "IPSEC", 60) + session_receive = self.tester.create_session( + name='receive_encryption_package') + sa_gcm = r"sa_gcm=SecurityAssociation(ESP, spi=1005,crypt_algo='AES-GCM',crypt_key='\x2b\x7e\x15\x16\x28\xae\xd2\xa6\xab\xf7\x15\x88\x09\xcf\x4f\x3d\xde\xad\xbe\xef',auth_algo='NULL', auth_key=None,tunnel_header=IP(src='172.16.1.5', dst='172.16.2.5'))" + + session_receive.send_expect("scapy", "Welcome to Scapy", 60) + session_receive.send_expect(sa_gcm, ">>>", 60) + session_receive.send_expect( + "pkts=sniff(iface='%s',count=3)" % self.rxItf, "", 60) + session_receive2 = self.tester.create_session( + name='receive_encryption_package2') + + session_receive2.send_expect("scapy", "Welcome to Scapy", 60) + session_receive2.send_expect(sa_gcm, ">>>", 60) + session_receive2.send_expect( + "pkts=sniff(iface='%s',count=2)" % self.txItf, "", 60) + + payload = "test for Ipsec Encryption Decryption simultaneously" + sa_gcm = SecurityAssociation(ESP, spi=5, + crypt_algo='AES-GCM', + crypt_key='\x2b\x7e\x15\x16\x28\xae\xd2\xa6\xab\xf7\x15\x88\x09\xcf\x4f\x3d\xde\xad\xbe\xef', + auth_algo='NULL', auth_key=None, + tunnel_header=IP(src='172.16.1.5', dst='172.16.2.5')) + sa_gcm.crypt_algo.icv_size = 16 + + p = IP(src='192.168.105.10', dst='192.168.105.10') + p /= "|->" + p /= payload + p /= "<-|" + p = IP(str(p)) + + e1 = sa_gcm.encrypt(p) + e2 = p + + eth_e1 = Ether() / e1 + eth_e1.src = "52:54:00:21:68:1c" + eth_e1.dst = "52:54:00:16:f6:b0" + eth_e2 = Ether() / e2 + eth_e2.src = "52:54:00:21:68:1c" + eth_e2.dst = 
"52:54:00:16:f6:b0" + + t1 = threading.Thread(target=sendp(eth_e1, iface=self.rxItf, count=2)) + t1.start() + t2 = threading.Thread(target=sendp(eth_e2, iface=self.txItf, count=1)) + t2.start() + session_receive.send_expect("^C", ">>>", 60) + session_receive2.send_expect("^C", ">>>", 60) + session_receive.send_expect( + "results=sa_gcm.decrypt(pkts[2]['IP'])", ">>>", 60) + out = session_receive.send_expect("results", ">>>", 60) + self.verify(payload in out, "Get a error package") + out = session_receive2.send_expect("pkts[1]", ">>>", 60) + self.verify(payload in out, "Get a error package") + + def tear_down(self): + """ + Run after each test case. + """ + self.tester.send_expect("^C", "#", 5) + self.dut.kill_all() + time.sleep(2) + + def tear_down_all(self): + """ + Run after each test suite. + """ + self.rxnetobj.enable_jumbo(framesize=ETHER_STANDARD_MTU) + self.txnetobj.enable_jumbo(framesize=ETHER_STANDARD_MTU) -- 1.9.3 ^ permalink raw reply [flat|nested] 6+ messages in thread
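Review bot: In test_Ipsec_Encryption_Decryption, threading.Thread(target=sendp(eth_e1, iface=self.rxItf, count=2)) calls sendp while the Thread object is being built and passes its return value as target, so both sends run one after the other on the calling thread and the "simultaneously" case is never exercised; pass the callable instead (target=sendp, args=(eth_e1,), kwargs={'iface': self.rxItf, 'count': 2}) and join both threads before interrupting the sniffers. In test_Ipsec_Decryption_wrongkey the assertion that "IPSEC_ESP: failed crypto op" is in the DUT output cannot distinguish a rejected key from normal SA setup, because the test plan expects that same message on the first burst of the matching-key cases and count=2 is sent here as well; the meaningful check is the send_package not in out branch, and that one inspects only pkts[0] from a sniff with count=1. The sed command in set_up_all edits examples/ipsec-secgw/ipsec-secgw.c in place and tear_down_all never reverts it, so each run of the suite inserts another printf. The payload size comes from random.randint(1, ETHER_STANDARD_MTU), which makes failures hard to reproduce and relies on random arriving through from scapy.all import *; a fixed set of boundary sizes would be easier to debug.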
* Re: [dts] [PATCH V1] add test suite inline_ipsec
From: Xu, GangX @ 2017-12-29 9:55 UTC
To: Peng, Yuan, dts; +Cc: Peng, Yuan

Please Ignore this file

-----Original Message-----
From: dts [mailto:dts-bounces@dpdk.org] On Behalf Of Peng Yuan
Sent: Friday, December 29, 2017 5:48 PM
To: dts@dpdk.org
Cc: Peng, Yuan <yuan.peng@intel.com>
Subject: [dts] [PATCH V1] add test suite inline_ipsec

Signed-off-by: Peng Yuan <yuan.peng@intel.com>
---
 tests/TestSuite_inline_ipsec.py | 405 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 405 insertions(+)
 create mode 100644 tests/TestSuite_inline_ipsec.py

diff --git a/tests/TestSuite_inline_ipsec.py b/tests/TestSuite_inline_ipsec.py
new file mode 100644
index 0000000..ba90caf
--- /dev/null
+++ b/tests/TestSuite_inline_ipsec.py
@@ -0,0 +1,405 @@ +# BSD LICENSE +# +# Copyright(c) 2010-2017 Intel Corporation. All rights reserved. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without # +modification, are permitted provided that the following conditions # +are met: +# +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# * Neither the name of Intel Corporation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS # +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT # +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR # +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT # +OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT # +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, # +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY # +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT # +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE # +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +""" +DPDK Test suite. +Test inline_ipsec. +""" + +import utils +import string +import time +import re +import threading +from test_case import TestCase +import getopt +from scapy.all import * + +ETHER_STANDARD_MTU = 1518 +ETHER_JUMBO_FRAME_MTU = 9000 + + +class TestInlineIpsec(TestCase): + + def set_up_all(self): + """ + Run at the start of each test suite. 
+ """ + self.verify(self.nic in ["niantic"], "%s NIC not support" % self.nic) + self.dut_ports = self.dut.get_ports(self.nic) + self.verify(len(self.dut_ports) >= 2, "Insufficient ports") + cores = self.dut.get_core_list("1S/4C/1T") + self.coremask = utils.create_mask(cores) + + # get test port info + self.rxport = self.tester.get_local_port(1) + self.txport = self.tester.get_local_port(0) + self.rxItf = self.tester.get_interface(self.rxport) + self.txItf = self.tester.get_interface(self.txport) + # get dut port pci + self.portpci_0 = self.dut.get_port_pci(self.dut_ports[0]) + self.portpci_1 = self.dut.get_port_pci(self.dut_ports[1]) + + # enable tester mtu + self.rxnetobj = self.tester.ports_info[self.rxport]['port'] + self.rxnetobj.enable_jumbo(framesize=ETHER_JUMBO_FRAME_MTU + 100) + self.txnetobj = self.tester.ports_info[self.txport]['port'] + self.txnetobj.enable_jumbo(framesize=ETHER_JUMBO_FRAME_MTU + + 100) + + self.path = "./examples/ipsec-secgw/build/ipsec-secgw" + # add print code in IPSEC app + sedcmd = r"""sed -i -e '/process_pkts(qconf, pkts, nb_rx, portid);/i\\printf("[debug]receive %hhu packet in rxqueueid=%hhu\\n",nb_rx, queueid);' examples/ipsec-secgw/ipsec-secgw.c""" + self.dut.send_expect(sedcmd, "#", 60) + + # build sample app + out = self.dut.build_dpdk_apps("./examples/ipsec-secgw") + self.verify("Error" not in out, "compilation error 1") + self.verify("No such file" not in out, "compilation error 2") + + self.cfg_prepare() + + def set_up(self): + """ + Run before each test case. 
+ """ + pass + + def cfg_prepare(self): + """ + write the inline_ipsec configuration file + """ + enc = """ +#SP IPv4 rules +sp ipv4 out esp protect 1005 pri 1 dst 192.168.105.0/24 sport 0:65535 +dport 0:65535 + +#SA rules +sa out 1005 aead_algo aes-128-gcm aead_key +2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ mode +ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \ port_id 1 \ type +inline-crypto-offload \ + +#Routing rules +rt ipv4 dst 172.16.2.5/32 port 1 +""" + dec = """ +#SA rules +sa in 5 aead_algo aes-128-gcm aead_key +2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ mode +ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \ port_id 1 \ type +inline-crypto-offload \ + +#Routing rules +rt ipv4 dst 192.168.105.10/32 port 0 +""" + enc_rss = """ +#SP IPv4 rules +sp ipv4 out esp protect 1002 pri 1 dst 192.168.102.0/24 sport 0:65535 +dport 0:65535 + +sa out 1002 aead_algo aes-128-gcm aead_key +2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ mode +ipv4-tunnel src 172.16.31.35 dst 172.16.32.35 \ port_id 1 \ type +inline-crypto-offload \ + +#Routing rules +rt ipv4 dst 172.16.32.35/32 port 1 +""" + dec_rss = """ +#SA rules +sa in 3 aead_algo aes-128-gcm aead_key +2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ mode +ipv4-tunnel src 172.16.21.25 dst 172.16.22.25 \ port_id 1 \ type +inline-crypto-offload \ + +#Routing rules +rt ipv4 dst 192.168.105.10/32 port 0 +""" + dec_wrong_key = """ +#SA rules +sa in 5 aead_algo aes-128-gcm aead_key +2f:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ mode +ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \ port_id 1 \ type +inline-crypto-offload \ + +#Routing rules +rt ipv4 dst 192.168.105.10/32 port 0 +""" + enc_dec = """ +#SP IPv4 rules +sp ipv4 out esp protect 1005 pri 1 dst 192.168.105.0/24 sport 0:65535 +dport 0:65535 + +#SA rules +sa out 1005 aead_algo aes-128-gcm aead_key +2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ mode +ipv4-tunnel src 172.16.1.5 dst 
172.16.2.5 \ port_id 1 \ type +inline-crypto-offload \ + +sa in 5 aead_algo aes-128-gcm aead_key +2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ mode +ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \ port_id 1 \ type +inline-crypto-offload \ + +#Routing rules +rt ipv4 dst 172.16.2.5/32 port 1 +rt ipv4 dst 192.168.105.10/32 port 0 +""" + self.set_cfg('enc.cfg', enc) + self.set_cfg('dec.cfg', dec) + self.set_cfg('enc_rss.cfg', enc_rss) + self.set_cfg('dec_rss.cfg', dec_rss) + self.set_cfg('enc_dec.cfg', enc_dec) + self.set_cfg('dec_wrong_key.cfg', dec_wrong_key) + + def set_cfg(self, filename, cfg): + """ + open file and write cfg, scp it to dut /root/dpdk/ + """ + with open(filename, 'w') as f: + f.write(cfg) + self.dut.session.copy_file_to(filename, '/root/dpdk/') + + def send_encryption_package(self, intface, paysize=64, do_encrypt=False, send_spi=5, count=1, mydst='192.168.105.10', sa_src='172.16.1.5', sa_dst='172.16.2.5'): + """ + make a package and send + """ + test = 'test-' * 2000 + payload = test[0:int(paysize)] + sa_gcm = SecurityAssociation(ESP, spi=send_spi, + crypt_algo='AES-GCM', + crypt_key='\x2b\x7e\x15\x16\x28\xae\xd2\xa6\xab\xf7\x15\x88\x09\xcf\x4f\x3d\xde\xad\xbe\xef', + auth_algo='NULL', auth_key=None, + tunnel_header=IP(src=sa_src, dst=sa_dst)) + sa_gcm.crypt_algo.icv_size = 16 + + p = IP(src='192.168.105.10', dst=mydst) + p /= "|->" + p /= payload + p /= "<-|" + p = IP(str(p)) + + if do_encrypt == True: + print "send encrypt package" + e = sa_gcm.encrypt(p) + else: + print "send normal package" + e = p + + eth_e = Ether() / e + eth_e.src = "52:54:00:21:68:1c" + eth_e.dst = "52:54:00:16:f6:b0" + session_send = self.tester.create_session( + name='send_encryption_package') + sendp(eth_e, iface=intface, count=count) + self.tester.destroy_session(session_send) + + return payload + + def Ipsec_Encryption(self, config, file_name, txItf, rxItf, paysize=32, jumboframe=1518, do_encrypt=False, verify=True, send_spi=5, receive_spi=1005, count=1, 
mydst='192.168.105.10', sa_src='172.16.1.5', sa_dst='172.16.2.5'): + """ + verify Ipsec receive package + """ + cmd = self.path + " -l 20,21 -w %s -w %s --vdev 'crypto_null' --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u 0x2 -j %s --config='%s' -f %s" % ( + self.portpci_0, self.portpci_1, jumboframe, config, file_name) + self.dut.send_expect(cmd, "IPSEC", 60) + + session_receive = self.tester.create_session( + name='receive_encryption_package') + sa_gcm = + r"sa_gcm=SecurityAssociation(ESP,spi=%s,crypt_algo='AES-GCM',crypt_key + ='\x2b\x7e\x15\x16\x28\xae\xd2\xa6\xab\xf7\x15\x88\x09\xcf\x4f\x3d\xde + \xad\xbe\xef',auth_algo='NULL',auth_key=None,tunnel_header=IP(src='172 + .16.1.5',dst='172.16.2.5'))" % receive_spi + + session_receive.send_expect("scapy", "Welcome to Scapy", 10) + session_receive.send_expect( + "pkts=sniff(iface='%s',count=1,timeout=10)" % rxItf, "", 30) + send_package = self.send_encryption_package( + txItf, paysize, do_encrypt, send_spi, count, mydst, sa_src, + sa_dst) + + time.sleep(10) + out = session_receive.send_expect("pkts", "", 30) + if do_encrypt: + out = session_receive.send_expect("pkts[0]['IP'] ", ">>>", 10) + else: + session_receive.send_expect(sa_gcm, ">>>", 10) + session_receive.send_expect( + "results=sa_gcm.decrypt(pkts[0]['IP'])", ">>>", 10) + out = session_receive.send_expect("results", ">>>", 10) + + if verify: + self.verify(send_package in out, + "Unreceived package or get other package") + else: + self.verify(send_package not in out, + "The function is not in effect") + session_receive.send_expect("quit()", "#", 10) + self.tester.destroy_session(session_receive) + + def test_Ipsec_Encryption(self): + """ + test Ipsec Encryption + """ + config = '(0,0,21),(1,0,21)' + paysize = random.randint(1, ETHER_STANDARD_MTU) + self.Ipsec_Encryption(config, '/root/dpdk/enc.cfg', + self.txItf, self.rxItf, paysize) + + def test_Ipsec_Encryption_Jumboframe(self): + """ + test Ipsec Encryption Jumboframe + """ + config = '(0,0,21),(1,0,21)' 
+ paysize = random.randint(ETHER_STANDARD_MTU, ETHER_JUMBO_FRAME_MTU) + self.Ipsec_Encryption(config, '/root/dpdk/enc.cfg', + self.txItf, self.rxItf, paysize, + ETHER_JUMBO_FRAME_MTU) + + def test_Ipsec_Encryption_Rss(self): + """ + test Ipsec Encryption Rss + """ + config = '(0,0,20),(0,1,20),(1,0,21),(1,1,21)' + self.Ipsec_Encryption(config, '/root/dpdk/enc_rss.cfg', self.txItf, + self.rxItf, send_spi=2, receive_spi=1002, mydst='192.168.102.10') + out = self.dut.get_session_output() + verifycode = "receive 1 packet in rxqueueid=1" + self.verify(verifycode in out, "rxqueueid error") + + def test_IPSec_Decryption(self): + """ + test IPSec Decryption + """ + config = '(0,0,21),(1,0,21)' + paysize = random.randint(1, ETHER_STANDARD_MTU) + self.Ipsec_Encryption(config, '/root/dpdk/dec.cfg', self.rxItf, + self.txItf, paysize, do_encrypt=True, + count=2) + + def test_IPSec_Decryption_Jumboframe(self): + """ + test IPSec Decryption Jumboframe + """ + config = '(0,0,21),(1,0,21)' + paysize = random.randint(ETHER_STANDARD_MTU, ETHER_JUMBO_FRAME_MTU) + self.Ipsec_Encryption(config, '/root/dpdk/dec.cfg', self.rxItf, + self.txItf, paysize, + ETHER_JUMBO_FRAME_MTU, do_encrypt=True, count=2) + + def test_Ipsec_Decryption_Rss(self): + """ + test Ipsec Decryption Rss + """ + config = '(0,0,20),(0,1,20),(1,0,21),(1,1,21)' + self.Ipsec_Encryption(config, '/root/dpdk/dec_rss.cfg', self.rxItf, self.txItf, do_encrypt=True, + send_spi=3, receive_spi=1003, count=2, sa_src='172.16.21.25', sa_dst='172.16.22.25') + out = self.dut.get_session_output() + verifycode = "receive 1 packet in rxqueueid=1" + self.verify(verifycode in out, "rxqueueid error") + + def test_Ipsec_Decryption_wrongkey(self): + """ + test Ipsec Decryption wrongkey + """ + config = '(0,0,21),(1,0,21)' + paysize = random.randint(1, ETHER_STANDARD_MTU) + self.Ipsec_Encryption(config, '/root/dpdk/dec_wrong_key.cfg', self.rxItf, + self.txItf, paysize, do_encrypt=True, verify=False, count=2) + out = 
self.dut.get_session_output() + verifycode = "IPSEC_ESP: failed crypto op" + self.verify(verifycode in out, "Ipsec Decryption wrongkey + failed") + + def test_Ipsec_Encryption_Decryption(self): + """ + test Ipsec Encryption Decryption + """ + cmd = self.path + " -l 20,21 -w %s -w %s --vdev 'crypto_null' --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u 0x2 -j %s --config='%s' -f %s" % ( + self.portpci_0, self.portpci_1, '1518', '(0,0,21),(1,0,21)', '/root/dpdk/enc_dec.cfg') + self.dut.send_expect(cmd, "IPSEC", 60) + session_receive = self.tester.create_session( + name='receive_encryption_package') + sa_gcm = r"sa_gcm=SecurityAssociation(ESP, spi=1005,crypt_algo='AES-GCM',crypt_key='\x2b\x7e\x15\x16\x28\xae\xd2\xa6\xab\xf7\x15\x88\x09\xcf\x4f\x3d\xde\xad\xbe\xef',auth_algo='NULL', auth_key=None,tunnel_header=IP(src='172.16.1.5', dst='172.16.2.5'))" + + session_receive.send_expect("scapy", "Welcome to Scapy", 60) + session_receive.send_expect(sa_gcm, ">>>", 60) + session_receive.send_expect( + "pkts=sniff(iface='%s',count=3)" % self.rxItf, "", 60) + session_receive2 = self.tester.create_session( + name='receive_encryption_package2') + + session_receive2.send_expect("scapy", "Welcome to Scapy", 60) + session_receive2.send_expect(sa_gcm, ">>>", 60) + session_receive2.send_expect( + "pkts=sniff(iface='%s',count=2)" % self.txItf, "", 60) + + payload = "test for Ipsec Encryption Decryption simultaneously" + sa_gcm = SecurityAssociation(ESP, spi=5, + crypt_algo='AES-GCM', + crypt_key='\x2b\x7e\x15\x16\x28\xae\xd2\xa6\xab\xf7\x15\x88\x09\xcf\x4f\x3d\xde\xad\xbe\xef', + auth_algo='NULL', auth_key=None, + tunnel_header=IP(src='172.16.1.5', dst='172.16.2.5')) + sa_gcm.crypt_algo.icv_size = 16 + + p = IP(src='192.168.105.10', dst='192.168.105.10') + p /= "|->" + p /= payload + p /= "<-|" + p = IP(str(p)) + + e1 = sa_gcm.encrypt(p) + e2 = p + + eth_e1 = Ether() / e1 + eth_e1.src = "52:54:00:21:68:1c" + eth_e1.dst = "52:54:00:16:f6:b0" + eth_e2 = Ether() / e2 + eth_e2.src = 
"52:54:00:21:68:1c" + eth_e2.dst = "52:54:00:16:f6:b0" + + t1 = threading.Thread(target=sendp(eth_e1, iface=self.rxItf, count=2)) + t1.start() + t2 = threading.Thread(target=sendp(eth_e2, iface=self.txItf, count=1)) + t2.start() + session_receive.send_expect("^C", ">>>", 60) + session_receive2.send_expect("^C", ">>>", 60) + session_receive.send_expect( + "results=sa_gcm.decrypt(pkts[2]['IP'])", ">>>", 60) + out = session_receive.send_expect("results", ">>>", 60) + self.verify(payload in out, "Get a error package") + out = session_receive2.send_expect("pkts[1]", ">>>", 60) + self.verify(payload in out, "Get a error package") + + def tear_down(self): + """ + Run after each test case. + """ + self.tester.send_expect("^C", "#", 5) + self.dut.kill_all() + time.sleep(2) + + def tear_down_all(self): + """ + Run after each test suite. + """ + self.rxnetobj.enable_jumbo(framesize=ETHER_STANDARD_MTU) + self.txnetobj.enable_jumbo(framesize=ETHER_STANDARD_MTU) -- 1.9.3 ^ permalink raw reply [flat|nested] 6+ messages in thread
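Review bot: In test_Ipsec_Encryption_Decryption, `threading.Thread(target=sendp(eth_e1, iface=self.rxItf, count=2))` calls sendp() at once in the calling thread and passes its return value to Thread instead of the function, so the two sends run one after the other and the case does not send to the protected and unprotected ports simultaneously. Pass the callable and its arguments separately, for example `threading.Thread(target=sendp, args=(eth_e1,), kwargs={'iface': self.rxItf, 'count': 2})`, and join both threads before sending ^C to the two sniffing sessions. Separately, set_up_all inserts a printf into examples/ipsec-secgw/ipsec-secgw.c with `sed -i` and tear_down_all only resets the jumbo frame size, so every further run of the suite on the same tree inserts another copy of the line; restore the source file in tear_down_all or make the insertion conditional. Smaller points: `random` is used by the test cases but never imported by name, while `string`, `re` and `getopt` are imported and unused; `self.coremask` is computed in set_up_all but the command lines hard-code `-l 20,21`; and the receive-side `sa_gcm` string in Ipsec_Encryption hard-codes the tunnel addresses 172.16.1.5 and 172.16.2.5 even though the method accepts `sa_src` and `sa_dst`.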
* Re: [dts] [PATCH V1] add inline_ipsec test plan 2017-12-29 9:48 [dts] [PATCH V1] add inline_ipsec test plan Peng Yuan 2017-12-29 9:48 ` [dts] [PATCH V1] add test suite inline_ipsec Peng Yuan @ 2017-12-29 9:55 ` Xu, GangX 1 sibling, 0 replies; 6+ messages in thread From: Xu, GangX @ 2017-12-29 9:55 UTC (permalink / raw) To: Peng, Yuan, dts; +Cc: Peng, Yuan Please Ignore this file -----Original Message----- From: dts [mailto:dts-bounces@dpdk.org] On Behalf Of Peng Yuan Sent: Friday, December 29, 2017 5:48 PM To: dts@dpdk.org Cc: Peng, Yuan <yuan.peng@intel.com> Subject: [dts] [PATCH V1] add inline_ipsec test plan Signed-off-by: Peng Yuan <yuan.peng@intel.com> --- test_plans/inline_ipsec_test_plan.rst | 355 ++++++++++++++++++++++++++++++++++ 1 file changed, 355 insertions(+) create mode 100644 test_plans/inline_ipsec_test_plan.rst diff --git a/test_plans/inline_ipsec_test_plan.rst b/test_plans/inline_ipsec_test_plan.rst new file mode 100644 index 0000000..bc10111 --- /dev/null +++ b/test_plans/inline_ipsec_test_plan.rst 
@@ -0,0 +1,355 @@ +.. Copyright (c) <2017>, Intel Corporation + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + - Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + - Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in + the documentation and/or other materials provided with the + distribution. + + - Neither the name of Intel Corporation nor the names of its + contributors may be used to endorse or promote products derived + from this software without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPR ESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. + +====================== +Inline IPsec Test Plan +====================== +This test plan describe the method of validation inline hardware +acceleration of symmetric crypto processing of IPsec flows on Intel® +82599 10 GbE Controller (IXGBE) within the cryptodev framework. 
+ +***Limitation: +AES-GCM 128 ESP Tunnel/Transport mode and Authentication only mode are +supported.*** + +Ref links: +https://tools.ietf.org/html/rfc4301 + +https://tools.ietf.org/html/rfc4302 + +https://tools.ietf.org/html/rfc4303 + +http://dpdk.org/doc/guides/sample_app_ug/ipsec_secgw.html + +Abbr: +ESP: Encapsulating Security Payload:: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ---- + | Security Parameters Index (SPI) | ^Int. + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Cov- + | Sequence Number | |ered + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ---- + | Payload Data* (variable) | | ^ + ~ ~ | | + | | |Conf. + + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Cov- + | | Padding (0-255 bytes) | |ered* + +-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + | | Pad Length | Next Header | v v + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ------ + | Integrity Check Value-ICV (variable) | + ~ ~ + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + +SPI: Security Parameters Index + +The SPI is an arbitrary 32-bit value that is used by a receiver to +identify the SA to which an incoming packet is bound. + +Sequence Number: + +This unsigned 32-bit field contains a counter value that increases by +one for each packet sent + +AES: Advanced Encryption Standard + +GCM: Galois Counter Mode + +Prerequisites +============= +2 * 10Gb Ethernet ports of the DUT are directly connected in +full-duplex to different ports of the peer traffic generator. + +Bind two ports to vfio-pci. 
+modprobe vfio-pci + + +Test Case: Inline cfg parsing +============================= +Create inline ipsec configuration file like below:: + + #SP IPv4 rules + sp ipv4 out esp protect 1005 pri 1 dst 192.168.105.0/24 sport 0:65535 +dport 0:65535 + + #SA rules + sa out 1005 aead_algo aes-128-gcm aead_key 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ + mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \ + port_id 1 \ + type inline-crypto-offload \ + + sa in 5 aead_algo aes-128-gcm aead_key 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ + mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \ + port_id 1 \ + type inline-crypto-offload \ + + #Routing rules + rt ipv4 dst 172.16.2.5/32 port 1 + rt ipv4 dst 192.168.105.10/32 port 0 + +Starting ipsec-secgw sample and make sure SP/SA/RT rules loaded successfully. + +Check ipsec-secgw can detect invalid cipher algo. + +Check ipsec-secgw can detect invalid auth algo. + +Check ipsec-secgw can detect invalid key format. + + +Test Case: IPSec Encryption +================================= +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected mode:: + + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u + 0x2 --config="(0,0,20),(1,0,21)" -f ./enc.cfg + +Use scapy to listen on unprotected port sudo python ./scapy_receive.py +-i ens802f1 + +Send burst(32) normal packets with dst ip (192.168.105.0) to protected port. + sudo python ./scapy_send.py -i ens802f0 -s 32 -c 1 -e 0 + +Check burst esp packets received from unprotected port. +tcpdump -Xvvvi ens802f1 + +[root@dpdk98 scripts]# tcpdump -Xvvvi ens802f1 +tcpdump: listening on ens802f1, link-type EN10MB (Ethernet), capture +size 262144 bytes +06:10:25.674233 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto ESP (50), length 108) + 172.16.1.5 > 172.16.2.5: ESP(spi=0x000003ed,seq=0x9), length 88 + 0x0000: 4500 006c 0000 0000 4032 1f36 ac10 0105 E..l....@2.6.... 
+ 0x0010: ac10 0205 0000 03ed 0000 0009 0000 0000 ................ + 0x0020: 0000 0009 4468 a4af 5853 7545 b21d 977c ....Dh..XSuE...| + 0x0030: b911 7ec6 74a0 3349 b986 02d2 a322 d050 ..~.t.3I.....".P + 0x0040: 8a0d 4ffc ef4d 6246 86fe 26f0 9377 84b5 ..O..MbF..&..w.. + 0x0050: 8b06 c7e0 05d3 1ac5 1a30 1a93 8660 4292 .........0...`B. + 0x0060: 999a c84d 49ed ff95 89a1 6917 ...MI.....i. + + +Check esp packets' format is correct. + +See decrypted packets on scapy output +[root@dpdk98 scripts]# sudo python ./scapy_receive.py -i ens802f1 ###[ +IP ]### + version = 4 + ihl = 5 + tos = 0x0 + len = 52 + id = 1 + flags = + frag = 0 + ttl = 63 + proto = ip + chksum = 0x2764 + src = 192.168.105.10 + dst = 192.168.105.10 + \options \ +###[ Raw ]### + load = '|->test-test-test-test-test-t<-|' + + +Test Case: IPSec Encryption with Jumboframe +============================================== +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected mode:: + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u + 0x2 --config="(0,0,20),(1,0,21)" -f ./enc.cfg + +Use scapy to listen on unprotected port + +Default frame size is 1518, send burst(1000) packets with dst ip (192.168.105.0) to protected port. + +Check burst esp packets received from unprotected port. + +Check esp packets' format is correct. + +See decrypted packets on scapy output + +Send burst(8192) jumbo packets with dst ip (192.168.105.0) to protected port. + +Check burst esp packets can't be received from unprotected port. + +Set jumbo frames size as 9000, start it with port 1 assigned to unprotected mode:: + + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u + 0x2 -j 9000 --config="(0,0,20),(1,0,21)" -f ./enc.cfg + +Use scapy to listen on unprotected port + +Send burst(8192) jumbo packets with dst ip (192.168.105.0) to protected port. 
+ +Check burst jumbo packets received from unprotected port. + +Check esp packets' format is correct. + +See decrypted packets on scapy output + +Send burst(9000) jumbo packets with dst ip (192.168.105.0) to protected port. + +Check burst jumbo packets can't be received from unprotected port. + + +Test Case: IPSec Encryption with RSS +================================== +Create configuration file with multiple SP/SA/RT rules for different ip address. + +Start ipsec-secgw with two queues enabled on each port and port 1 assigned to unprotected mode:: + + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u + 0x2 --config="(0,0,20),(0,1,20),(1,0,21),(1,1,21)" -f ./enc_rss.cfg + +Use scapy to listen on unprotected port sudo python +./scapy_receive_enc_rss.py -i ens802f1 + +Send burst(32) packets with different dst ip to protected port. +sudo python ./scapy_send_enc_rss.py -i ens802f0 -s 32 -c 1 -e 0 + +Check burst esp packets received from queue 0 and queue 1 on unprotected port. +tcpdump -Xvvvi ens802f1 + +Check esp packets' format is correct. + +See decrypted packets on scapy output + + +Test Case: IPSec Decryption +================================= +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected mode:: + + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u + 0x2 --config="(0,0,20),(1,0,21)" -f ./dec.cfg + +Send two burst(32) esp packets to unprotected port. +sudo python ./scapy_send.py -i ens802f1 -s 32 -c 1 -e 1 + +First one will produce an error "IPSEC_ESP: failed crypto op" in the +IPsec application, but it will setup the SA. Second one will decrypt and send back the decrypted packet. 
+ +Check burst packets which have been decapsulated received from +protected port tcpdump -Xvvvi ens802f0 + +Test Case: IPSec Decryption with wrong key +=============================================== +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected mode:: + + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u + 0x2 --config="(0,0,20),(1,0,21)" -f ./dec.cfg + +Change dec.cfg key is not same with send packet encrypted key + +Send one burst(32) esp packets to unprotected port. + +IPsec application will produce an error "IPSEC_ESP: failed crypto op" , +but it will setup the SA. + +Send one burst(32) esp packets to unprotected port. + +Check burst packets which have been decapsulated can't be received from +protected port, IPsec application will produce error "IPSEC_ESP: failed crypto op". + + +Test Case: IPSec Decryption with Jumboframe +================================================= +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected mode:: + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u + 0x2 --config="(0,0,20),(1,0,21)" -f ./dec.cfg Default frame size is +1518, Send two burst(1000) esp packets to unprotected port. + +First one will produce an error "IPSEC_ESP: failed crypto op" in the +IPsec application, but it will setup the SA. Second one will decrypt and send back the decrypted packet. + +Check burst(1000) packets which have been decapsulated received from protected port. + +Send burst(8192) esp packets to unprotected port. + +Check burst(8192) packets which have been decapsulated can't be received from protected port. 
+ +Set jumbo frames size as 9000, start it with port 1 assigned to unprotected mode:: + + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u + 0x2 -j 9000 --config="(0,0,20),(1,0,21)" -f ./dec.cfg + +Send two burst(8192) esp packets to unprotected port. + +First one will produce an error "IPSEC_ESP: failed crypto op" in the +IPsec application, but it will setup the SA. Second one will decrypt and send back the decrypted packet. + +Check burst(8192) packets which have been decapsulated received from protected port. + +Send burst(9000) esp packets to unprotected port. + +Check burst(9000) packets which have been decapsulated can't be received from protected port. + + +Test Case: IPSec Decryption with RSS +=========================================== +Create configuration file with multiple SA rule for different ip address. + +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected mode:: + + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u + 0x2 -config="(0,0,20),(0,1,20),(1,0,21),(1,1,21)" -f ./dec_rss.cfg + +Send two burst(32) esp packets with different ip to unprotected port. + +First one will produce an error "IPSEC_ESP: failed crypto op" in the +IPsec application, but it will setup the SA. Second one will decrypt and send back the decrypted packet. + +Check burst(32) packets which have been decapsulated received from +queue 0 and +1 on protected port. 
+ + +Test Case: IPSec Encryption/Decryption simultaneously +===================================================== +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected mode:: + + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 + --vdev "crypto_null" --log-level 8 --socket-mem 1024,1 + -- -p 0xf -P -u 0x2 --config="(0,0,20),(1,0,21)" -f +./enc_dec.cfg + +Send normal and esp packets to protected and unprotected ports simultaneously. + +Note when testing inbound IPSec, first one will produce an error "IPSEC_ESP: +invalid padding" in the IPsec application, but it will setup the SA. +Second one will decrypt and send back the decrypted packet. + +Check esp and normal packets received from unprotected and protected ports. -- 1.9.3 ^ permalink raw reply [flat|nested] 6+ messages in thread
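Review bot: The start command under "Test Case: IPSec Decryption with RSS" passes `-config="(0,0,20),(0,1,20),(1,0,21),(1,1,21)"` with a single dash, while every other command in the plan uses `--config=`; correct the option so the documented command can be run as written. In "IPSec Encryption with Jumboframe" and "IPSec Decryption with Jumboframe" the first `unprotected mode::` paragraph is followed directly by the indented command with no blank line, unlike the other test cases, so reStructuredText will not parse the command as a literal block; add the blank line. The simultaneous case says the first inbound packet produces "IPSEC_ESP: invalid padding" whereas the decryption cases all say "IPSEC_ESP: failed crypto op"; state which message is expected, or explain why it differs here. "Test Case: Inline cfg parsing" lists checks for an invalid cipher algo, auth algo and key format but gives neither the invalid configuration lines nor the expected application output, so the steps cannot be verified as written.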
* [dts] [PATCH V1] add inline_ipsec test plan @ 2017-12-29 10:00 xu,gang 2017-12-29 10:00 ` [dts] [PATCH V1] add test suite inline_ipsec xu,gang 0 siblings, 1 reply; 6+ messages in thread From: xu,gang @ 2017-12-29 10:00 UTC (permalink / raw) To: dts; +Cc: xu,gang [-- Warning: decoded text below may be mangled, UTF-8 assumed --] [-- Attachment #1: Type: text/plain; charset=a, Size: 14622 bytes --] Signed-off-by: xu,gang <gangx.xu@intel.com> --- test_plans/inline_ipsec_test_plan.rst | 355 ++++++++++++++++++++++++++++++++++ 1 file changed, 355 insertions(+) create mode 100644 test_plans/inline_ipsec_test_plan.rst diff --git a/test_plans/inline_ipsec_test_plan.rst b/test_plans/inline_ipsec_test_plan.rst new file mode 100644 index 0000000..bc10111 --- /dev/null +++ b/test_plans/inline_ipsec_test_plan.rst 
@@ -0,0 +1,355 @@ +.. Copyright (c) <2017>, Intel Corporation + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + - Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + - Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in + the documentation and/or other materials provided with the + distribution. + + - Neither the name of Intel Corporation nor the names of its + contributors may be used to endorse or promote products derived + from this software without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPR ESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. + +====================== +Inline IPsec Test Plan +====================== +This test plan describe the method of validation inline hardware acceleration +of symmetric crypto processing of IPsec flows on Intel® 82599 10 GbE +Controller (IXGBE) within the cryptodev framework. 
+ +***Limitation: +AES-GCM 128 ESP Tunnel/Transport mode and Authentication only mode are +supported.*** + +Ref links: +https://tools.ietf.org/html/rfc4301 + +https://tools.ietf.org/html/rfc4302 + +https://tools.ietf.org/html/rfc4303 + +http://dpdk.org/doc/guides/sample_app_ug/ipsec_secgw.html + +Abbr: +ESP: Encapsulating Security Payload:: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ---- + | Security Parameters Index (SPI) | ^Int. + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Cov- + | Sequence Number | |ered + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ---- + | Payload Data* (variable) | | ^ + ~ ~ | | + | | |Conf. + + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Cov- + | | Padding (0-255 bytes) | |ered* + +-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + | | Pad Length | Next Header | v v + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ------ + | Integrity Check Value-ICV (variable) | + ~ ~ + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + +SPI: Security Parameters Index + +The SPI is an arbitrary 32-bit value that is used by a receiver to identify +the SA to which an incoming packet is bound. + +Sequence Number: + +This unsigned 32-bit field contains a counter value that increases by +one for each packet sent + +AES: Advanced Encryption Standard + +GCM: Galois Counter Mode + +Prerequisites +============= +2 * 10Gb Ethernet ports of the DUT are directly connected in full-duplex to +different ports of the peer traffic generator. + +Bind two ports to vfio-pci. 
+modprobe vfio-pci + + +Test Case: Inline cfg parsing +============================= +Create inline ipsec configuration file like below:: + + #SP IPv4 rules + sp ipv4 out esp protect 1005 pri 1 dst 192.168.105.0/24 sport 0:65535 dport 0:65535 + + #SA rules + sa out 1005 aead_algo aes-128-gcm aead_key 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ + mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \ + port_id 1 \ + type inline-crypto-offload \ + + sa in 5 aead_algo aes-128-gcm aead_key 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ + mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \ + port_id 1 \ + type inline-crypto-offload \ + + #Routing rules + rt ipv4 dst 172.16.2.5/32 port 1 + rt ipv4 dst 192.168.105.10/32 port 0 + +Starting ipsec-secgw sample and make sure SP/SA/RT rules loaded successfully. + +Check ipsec-secgw can detect invalid cipher algo. + +Check ipsec-secgw can detect invalid auth algo. + +Check ipsec-secgw can detect invalid key format. + + +Test Case: IPSec Encryption +================================= +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected mode:: + + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u + 0x2 --config="(0,0,20),(1,0,21)" -f ./enc.cfg + +Use scapy to listen on unprotected port +sudo python ./scapy_receive.py -i ens802f1 + +Send burst(32) normal packets with dst ip (192.168.105.0) to protected port. + sudo python ./scapy_send.py -i ens802f0 -s 32 -c 1 -e 0 + +Check burst esp packets received from unprotected port. +tcpdump -Xvvvi ens802f1 + +[root@dpdk98 scripts]# tcpdump -Xvvvi ens802f1 +tcpdump: listening on ens802f1, link-type EN10MB (Ethernet), capture size 262144 bytes +06:10:25.674233 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto ESP (50), length 108) + 172.16.1.5 > 172.16.2.5: ESP(spi=0x000003ed,seq=0x9), length 88 + 0x0000: 4500 006c 0000 0000 4032 1f36 ac10 0105 E..l....@2.6.... 
+ 0x0010: ac10 0205 0000 03ed 0000 0009 0000 0000 ................ + 0x0020: 0000 0009 4468 a4af 5853 7545 b21d 977c ....Dh..XSuE...| + 0x0030: b911 7ec6 74a0 3349 b986 02d2 a322 d050 ..~.t.3I.....".P + 0x0040: 8a0d 4ffc ef4d 6246 86fe 26f0 9377 84b5 ..O..MbF..&..w.. + 0x0050: 8b06 c7e0 05d3 1ac5 1a30 1a93 8660 4292 .........0...`B. + 0x0060: 999a c84d 49ed ff95 89a1 6917 ...MI.....i. + + +Check esp packets' format is correct. + +See decrypted packets on scapy output +[root@dpdk98 scripts]# sudo python ./scapy_receive.py -i ens802f1 +###[ IP ]### + version = 4 + ihl = 5 + tos = 0x0 + len = 52 + id = 1 + flags = + frag = 0 + ttl = 63 + proto = ip + chksum = 0x2764 + src = 192.168.105.10 + dst = 192.168.105.10 + \options \ +###[ Raw ]### + load = '|->test-test-test-test-test-t<-|' + + +Test Case: IPSec Encryption with Jumboframe +============================================== +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected mode:: + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u + 0x2 --config="(0,0,20),(1,0,21)" -f ./enc.cfg + +Use scapy to listen on unprotected port + +Default frame size is 1518, send burst(1000) packets with dst ip (192.168.105.0) to protected port. + +Check burst esp packets received from unprotected port. + +Check esp packets' format is correct. + +See decrypted packets on scapy output + +Send burst(8192) jumbo packets with dst ip (192.168.105.0) to protected port. + +Check burst esp packets can't be received from unprotected port. + +Set jumbo frames size as 9000, start it with port 1 assigned to unprotected mode:: + + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u + 0x2 -j 9000 --config="(0,0,20),(1,0,21)" -f ./enc.cfg + +Use scapy to listen on unprotected port + +Send burst(8192) jumbo packets with dst ip (192.168.105.0) to protected port. 
+ +Check burst jumbo packets received from unprotected port. + +Check esp packets' format is correct. + +See decrypted packets on scapy output + +Send burst(9000) jumbo packets with dst ip (192.168.105.0) to protected port. + +Check burst jumbo packets can't be received from unprotected port. + + +Test Case: IPSec Encryption with RSS +================================== +Create configuration file with multiple SP/SA/RT rules for different ip address. + +Start ipsec-secgw with two queues enabled on each port and port 1 assigned to unprotected mode:: + + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u + 0x2 --config="(0,0,20),(0,1,20),(1,0,21),(1,1,21)" -f ./enc_rss.cfg + +Use scapy to listen on unprotected port +sudo python ./scapy_receive_enc_rss.py -i ens802f1 + +Send burst(32) packets with different dst ip to protected port. +sudo python ./scapy_send_enc_rss.py -i ens802f0 -s 32 -c 1 -e 0 + +Check burst esp packets received from queue 0 and queue 1 on unprotected port. +tcpdump -Xvvvi ens802f1 + +Check esp packets' format is correct. + +See decrypted packets on scapy output + + +Test Case: IPSec Decryption +================================= +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected mode:: + + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u + 0x2 --config="(0,0,20),(1,0,21)" -f ./dec.cfg + +Send two burst(32) esp packets to unprotected port. +sudo python ./scapy_send.py -i ens802f1 -s 32 -c 1 -e 1 + +First one will produce an error "IPSEC_ESP: failed crypto op" in the IPsec application, +but it will setup the SA. Second one will decrypt and send back the decrypted packet. 
+ +Check burst packets which have been decapsulated received from protected port +tcpdump -Xvvvi ens802f0 + +Test Case: IPSec Decryption with wrong key +=============================================== +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected mode:: + + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u + 0x2 --config="(0,0,20),(1,0,21)" -f ./dec.cfg + +Change dec.cfg key is not same with send packet encrypted key + +Send one burst(32) esp packets to unprotected port. + +IPsec application will produce an error "IPSEC_ESP: failed crypto op" , +but it will setup the SA. + +Send one burst(32) esp packets to unprotected port. + +Check burst packets which have been decapsulated can't be received from protected port, +IPsec application will produce error "IPSEC_ESP: failed crypto op". + + +Test Case: IPSec Decryption with Jumboframe +================================================= +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected mode:: + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u + 0x2 --config="(0,0,20),(1,0,21)" -f ./dec.cfg +Default frame size is 1518, Send two burst(1000) esp packets to unprotected port. + +First one will produce an error "IPSEC_ESP: failed crypto op" in the IPsec application, +but it will setup the SA. Second one will decrypt and send back the decrypted packet. + +Check burst(1000) packets which have been decapsulated received from protected port. + +Send burst(8192) esp packets to unprotected port. + +Check burst(8192) packets which have been decapsulated can't be received from protected port. 
+ +Set jumbo frames size as 9000, start it with port 1 assigned to unprotected mode:: + + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u + 0x2 -j 9000 --config="(0,0,20),(1,0,21)" -f ./dec.cfg + +Send two burst(8192) esp packets to unprotected port. + +First one will produce an error "IPSEC_ESP: failed crypto op" in the IPsec application, +but it will setup the SA. Second one will decrypt and send back the decrypted packet. + +Check burst(8192) packets which have been decapsulated received from protected port. + +Send burst(9000) esp packets to unprotected port. + +Check burst(9000) packets which have been decapsulated can't be received from protected port. + + +Test Case: IPSec Decryption with RSS +=========================================== +Create configuration file with multiple SA rule for different ip address. + +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected mode:: + + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 --vdev + "crypto_null" --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u + 0x2 -config="(0,0,20),(0,1,20),(1,0,21),(1,1,21)" -f ./dec_rss.cfg + +Send two burst(32) esp packets with different ip to unprotected port. + +First one will produce an error "IPSEC_ESP: failed crypto op" in the IPsec application, +but it will setup the SA. Second one will decrypt and send back the decrypted packet. + +Check burst(32) packets which have been decapsulated received from queue 0 and +1 on protected port. 
+ + +Test Case: IPSec Encryption/Decryption simultaneously +===================================================== +Start ipsec-secgw with two 82599 ports and assign port 1 to unprotected mode:: + + sudo ./build/ipsec-secgw -l 20,21 -w 83:00.0 -w 83:00.1 + --vdev "crypto_null" --log-level 8 --socket-mem 1024,1 + -- -p 0xf -P -u 0x2 --config="(0,0,20),(1,0,21)" -f ./enc_dec.cfg + +Send normal and esp packets to protected and unprotected ports simultaneously. + +Note when testing inbound IPSec, first one will produce an error "IPSEC_ESP: +invalid padding" in the IPsec application, but it will setup the SA. Second +one will decrypt and send back the decrypted packet. + +Check esp and normal packets received from unprotected and protected ports. -- 1.9.3 ^ permalink raw reply [flat|nested] 6+ messages in thread
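Review bot: In "Test Case: IPSec Decryption with wrong key" the step "Change dec.cfg key is not same with send packet encrypted key" is listed after ipsec-secgw has already been started with -f ./dec.cfg, so as written the application is running with the rules it loaded at start, including the original key. Move the key change before the start step, or start the application with a separate cfg file that carries the wrong key. The message "IPSEC_ESP: failed crypto op" cannot serve as the distinguishing result in this case, because "Test Case: IPSec Decryption" expects the same message for the first burst with the correct key; the pass criterion should rest on no decapsulated packet reaching the protected port after the second burst. Two smaller points: the command in "Test Case: IPSec Decryption with RSS" has -config= with a single dash where every other case uses --config=, and the simultaneous case names the first-packet error as "IPSEC_ESP: invalid padding" while the decryption cases name "IPSEC_ESP: failed crypto op", so the plan should state which message is expected. "Test Case: Inline cfg parsing" lists checks for an invalid cipher algo, auth algo and key format without giving the cfg line to change or the expected output, although the sample SA rules only use aead_algo.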
* [dts] [PATCH V1] add test suite inline_ipsec 2017-12-29 10:00 xu,gang @ 2017-12-29 10:00 ` xu,gang 2018-01-02 8:16 ` Liu, Yong 0 siblings, 1 reply; 6+ messages in thread From: xu,gang @ 2017-12-29 10:00 UTC (permalink / raw) To: dts; +Cc: xu,gang Signed-off-by: xu,gang <gangx.xu@intel.com> --- tests/TestSuite_inline_ipsec.py | 405 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 405 insertions(+) create mode 100644 tests/TestSuite_inline_ipsec.py diff --git a/tests/TestSuite_inline_ipsec.py b/tests/TestSuite_inline_ipsec.py new file mode 100644 index 0000000..ba90caf --- /dev/null +++ b/tests/TestSuite_inline_ipsec.py 
@@ -0,0 +1,405 @@ +# BSD LICENSE +# +# Copyright(c) 2010-2017 Intel Corporation. All rights reserved. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# * Neither the name of Intel Corporation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +""" +DPDK Test suite. +Test inline_ipsec. +""" + +import utils +import string +import time +import re +import threading +from test_case import TestCase +import getopt +from scapy.all import * + +ETHER_STANDARD_MTU = 1518 +ETHER_JUMBO_FRAME_MTU = 9000 + + +class TestInlineIpsec(TestCase): + + def set_up_all(self): + """ + Run at the start of each test suite. 
+ """ + self.verify(self.nic in ["niantic"], "%s NIC not support" % self.nic) + self.dut_ports = self.dut.get_ports(self.nic) + self.verify(len(self.dut_ports) >= 2, "Insufficient ports") + cores = self.dut.get_core_list("1S/4C/1T") + self.coremask = utils.create_mask(cores) + + # get test port info + self.rxport = self.tester.get_local_port(1) + self.txport = self.tester.get_local_port(0) + self.rxItf = self.tester.get_interface(self.rxport) + self.txItf = self.tester.get_interface(self.txport) + # get dut port pci + self.portpci_0 = self.dut.get_port_pci(self.dut_ports[0]) + self.portpci_1 = self.dut.get_port_pci(self.dut_ports[1]) + + # enable tester mtu + self.rxnetobj = self.tester.ports_info[self.rxport]['port'] + self.rxnetobj.enable_jumbo(framesize=ETHER_JUMBO_FRAME_MTU + 100) + self.txnetobj = self.tester.ports_info[self.txport]['port'] + self.txnetobj.enable_jumbo(framesize=ETHER_JUMBO_FRAME_MTU + 100) + + self.path = "./examples/ipsec-secgw/build/ipsec-secgw" + # add print code in IPSEC app + sedcmd = r"""sed -i -e '/process_pkts(qconf, pkts, nb_rx, portid);/i\\printf("[debug]receive %hhu packet in rxqueueid=%hhu\\n",nb_rx, queueid);' examples/ipsec-secgw/ipsec-secgw.c""" + self.dut.send_expect(sedcmd, "#", 60) + + # build sample app + out = self.dut.build_dpdk_apps("./examples/ipsec-secgw") + self.verify("Error" not in out, "compilation error 1") + self.verify("No such file" not in out, "compilation error 2") + + self.cfg_prepare() + + def set_up(self): + """ + Run before each test case. 
+ """ + pass + + def cfg_prepare(self): + """ + write the inline_ipsec configuration file + """ + enc = """ +#SP IPv4 rules +sp ipv4 out esp protect 1005 pri 1 dst 192.168.105.0/24 sport 0:65535 dport 0:65535 + +#SA rules +sa out 1005 aead_algo aes-128-gcm aead_key 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ +mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \ +port_id 1 \ +type inline-crypto-offload \ + +#Routing rules +rt ipv4 dst 172.16.2.5/32 port 1 +""" + dec = """ +#SA rules +sa in 5 aead_algo aes-128-gcm aead_key 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ +mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \ +port_id 1 \ +type inline-crypto-offload \ + +#Routing rules +rt ipv4 dst 192.168.105.10/32 port 0 +""" + enc_rss = """ +#SP IPv4 rules +sp ipv4 out esp protect 1002 pri 1 dst 192.168.102.0/24 sport 0:65535 dport 0:65535 + +sa out 1002 aead_algo aes-128-gcm aead_key 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ +mode ipv4-tunnel src 172.16.31.35 dst 172.16.32.35 \ +port_id 1 \ +type inline-crypto-offload \ + +#Routing rules +rt ipv4 dst 172.16.32.35/32 port 1 +""" + dec_rss = """ +#SA rules +sa in 3 aead_algo aes-128-gcm aead_key 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ +mode ipv4-tunnel src 172.16.21.25 dst 172.16.22.25 \ +port_id 1 \ +type inline-crypto-offload \ + +#Routing rules +rt ipv4 dst 192.168.105.10/32 port 0 +""" + dec_wrong_key = """ +#SA rules +sa in 5 aead_algo aes-128-gcm aead_key 2f:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ +mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \ +port_id 1 \ +type inline-crypto-offload \ + +#Routing rules +rt ipv4 dst 192.168.105.10/32 port 0 +""" + enc_dec = """ +#SP IPv4 rules +sp ipv4 out esp protect 1005 pri 1 dst 192.168.105.0/24 sport 0:65535 dport 0:65535 + +#SA rules +sa out 1005 aead_algo aes-128-gcm aead_key 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ +mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \ 
+port_id 1 \ +type inline-crypto-offload \ + +sa in 5 aead_algo aes-128-gcm aead_key 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ +mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \ +port_id 1 \ +type inline-crypto-offload \ + +#Routing rules +rt ipv4 dst 172.16.2.5/32 port 1 +rt ipv4 dst 192.168.105.10/32 port 0 +""" + self.set_cfg('enc.cfg', enc) + self.set_cfg('dec.cfg', dec) + self.set_cfg('enc_rss.cfg', enc_rss) + self.set_cfg('dec_rss.cfg', dec_rss) + self.set_cfg('enc_dec.cfg', enc_dec) + self.set_cfg('dec_wrong_key.cfg', dec_wrong_key) + + def set_cfg(self, filename, cfg): + """ + open file and write cfg, scp it to dut /root/dpdk/ + """ + with open(filename, 'w') as f: + f.write(cfg) + self.dut.session.copy_file_to(filename, '/root/dpdk/') + + def send_encryption_package(self, intface, paysize=64, do_encrypt=False, send_spi=5, count=1, mydst='192.168.105.10', sa_src='172.16.1.5', sa_dst='172.16.2.5'): + """ + make a package and send + """ + test = 'test-' * 2000 + payload = test[0:int(paysize)] + sa_gcm = SecurityAssociation(ESP, spi=send_spi, + crypt_algo='AES-GCM', + crypt_key='\x2b\x7e\x15\x16\x28\xae\xd2\xa6\xab\xf7\x15\x88\x09\xcf\x4f\x3d\xde\xad\xbe\xef', + auth_algo='NULL', auth_key=None, + tunnel_header=IP(src=sa_src, dst=sa_dst)) + sa_gcm.crypt_algo.icv_size = 16 + + p = IP(src='192.168.105.10', dst=mydst) + p /= "|->" + p /= payload + p /= "<-|" + p = IP(str(p)) + + if do_encrypt == True: + print "send encrypt package" + e = sa_gcm.encrypt(p) + else: + print "send normal package" + e = p + + eth_e = Ether() / e + eth_e.src = "52:54:00:21:68:1c" + eth_e.dst = "52:54:00:16:f6:b0" + session_send = self.tester.create_session( + name='send_encryption_package') + sendp(eth_e, iface=intface, count=count) + self.tester.destroy_session(session_send) + + return payload + + def Ipsec_Encryption(self, config, file_name, txItf, rxItf, paysize=32, jumboframe=1518, do_encrypt=False, verify=True, send_spi=5, receive_spi=1005, count=1, 
mydst='192.168.105.10', sa_src='172.16.1.5', sa_dst='172.16.2.5'): + """ + verify Ipsec receive package + """ + cmd = self.path + " -l 20,21 -w %s -w %s --vdev 'crypto_null' --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u 0x2 -j %s --config='%s' -f %s" % ( + self.portpci_0, self.portpci_1, jumboframe, config, file_name) + self.dut.send_expect(cmd, "IPSEC", 60) + + session_receive = self.tester.create_session( + name='receive_encryption_package') + sa_gcm = r"sa_gcm=SecurityAssociation(ESP,spi=%s,crypt_algo='AES-GCM',crypt_key='\x2b\x7e\x15\x16\x28\xae\xd2\xa6\xab\xf7\x15\x88\x09\xcf\x4f\x3d\xde\xad\xbe\xef',auth_algo='NULL',auth_key=None,tunnel_header=IP(src='172.16.1.5',dst='172.16.2.5'))" % receive_spi + + session_receive.send_expect("scapy", "Welcome to Scapy", 10) + session_receive.send_expect( + "pkts=sniff(iface='%s',count=1,timeout=10)" % rxItf, "", 30) + send_package = self.send_encryption_package( + txItf, paysize, do_encrypt, send_spi, count, mydst, sa_src, sa_dst) + + time.sleep(10) + out = session_receive.send_expect("pkts", "", 30) + if do_encrypt: + out = session_receive.send_expect("pkts[0]['IP'] ", ">>>", 10) + else: + session_receive.send_expect(sa_gcm, ">>>", 10) + session_receive.send_expect( + "results=sa_gcm.decrypt(pkts[0]['IP'])", ">>>", 10) + out = session_receive.send_expect("results", ">>>", 10) + + if verify: + self.verify(send_package in out, + "Unreceived package or get other package") + else: + self.verify(send_package not in out, + "The function is not in effect") + session_receive.send_expect("quit()", "#", 10) + self.tester.destroy_session(session_receive) + + def test_Ipsec_Encryption(self): + """ + test Ipsec Encryption + """ + config = '(0,0,21),(1,0,21)' + paysize = random.randint(1, ETHER_STANDARD_MTU) + self.Ipsec_Encryption(config, '/root/dpdk/enc.cfg', + self.txItf, self.rxItf, paysize) + + def test_Ipsec_Encryption_Jumboframe(self): + """ + test Ipsec Encryption Jumboframe + """ + config = '(0,0,21),(1,0,21)' + paysize = 
random.randint(ETHER_STANDARD_MTU, ETHER_JUMBO_FRAME_MTU) + self.Ipsec_Encryption(config, '/root/dpdk/enc.cfg', + self.txItf, self.rxItf, paysize, ETHER_JUMBO_FRAME_MTU) + + def test_Ipsec_Encryption_Rss(self): + """ + test Ipsec Encryption Rss + """ + config = '(0,0,20),(0,1,20),(1,0,21),(1,1,21)' + self.Ipsec_Encryption(config, '/root/dpdk/enc_rss.cfg', self.txItf, + self.rxItf, send_spi=2, receive_spi=1002, mydst='192.168.102.10') + out = self.dut.get_session_output() + verifycode = "receive 1 packet in rxqueueid=1" + self.verify(verifycode in out, "rxqueueid error") + + def test_IPSec_Decryption(self): + """ + test IPSec Decryption + """ + config = '(0,0,21),(1,0,21)' + paysize = random.randint(1, ETHER_STANDARD_MTU) + self.Ipsec_Encryption(config, '/root/dpdk/dec.cfg', self.rxItf, + self.txItf, paysize, do_encrypt=True, count=2) + + def test_IPSec_Decryption_Jumboframe(self): + """ + test IPSec Decryption Jumboframe + """ + config = '(0,0,21),(1,0,21)' + paysize = random.randint(ETHER_STANDARD_MTU, ETHER_JUMBO_FRAME_MTU) + self.Ipsec_Encryption(config, '/root/dpdk/dec.cfg', self.rxItf, + self.txItf, paysize, ETHER_JUMBO_FRAME_MTU, do_encrypt=True, count=2) + + def test_Ipsec_Decryption_Rss(self): + """ + test Ipsec Decryption Rss + """ + config = '(0,0,20),(0,1,20),(1,0,21),(1,1,21)' + self.Ipsec_Encryption(config, '/root/dpdk/dec_rss.cfg', self.rxItf, self.txItf, do_encrypt=True, + send_spi=3, receive_spi=1003, count=2, sa_src='172.16.21.25', sa_dst='172.16.22.25') + out = self.dut.get_session_output() + verifycode = "receive 1 packet in rxqueueid=1" + self.verify(verifycode in out, "rxqueueid error") + + def test_Ipsec_Decryption_wrongkey(self): + """ + test Ipsec Decryption wrongkey + """ + config = '(0,0,21),(1,0,21)' + paysize = random.randint(1, ETHER_STANDARD_MTU) + self.Ipsec_Encryption(config, '/root/dpdk/dec_wrong_key.cfg', self.rxItf, + self.txItf, paysize, do_encrypt=True, verify=False, count=2) + out = self.dut.get_session_output() + verifycode = 
"IPSEC_ESP: failed crypto op" + self.verify(verifycode in out, "Ipsec Decryption wrongkey failed") + + def test_Ipsec_Encryption_Decryption(self): + """ + test Ipsec Encryption Decryption + """ + cmd = self.path + " -l 20,21 -w %s -w %s --vdev 'crypto_null' --log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u 0x2 -j %s --config='%s' -f %s" % ( + self.portpci_0, self.portpci_1, '1518', '(0,0,21),(1,0,21)', '/root/dpdk/enc_dec.cfg') + self.dut.send_expect(cmd, "IPSEC", 60) + session_receive = self.tester.create_session( + name='receive_encryption_package') + sa_gcm = r"sa_gcm=SecurityAssociation(ESP, spi=1005,crypt_algo='AES-GCM',crypt_key='\x2b\x7e\x15\x16\x28\xae\xd2\xa6\xab\xf7\x15\x88\x09\xcf\x4f\x3d\xde\xad\xbe\xef',auth_algo='NULL', auth_key=None,tunnel_header=IP(src='172.16.1.5', dst='172.16.2.5'))" + + session_receive.send_expect("scapy", "Welcome to Scapy", 60) + session_receive.send_expect(sa_gcm, ">>>", 60) + session_receive.send_expect( + "pkts=sniff(iface='%s',count=3)" % self.rxItf, "", 60) + session_receive2 = self.tester.create_session( + name='receive_encryption_package2') + + session_receive2.send_expect("scapy", "Welcome to Scapy", 60) + session_receive2.send_expect(sa_gcm, ">>>", 60) + session_receive2.send_expect( + "pkts=sniff(iface='%s',count=2)" % self.txItf, "", 60) + + payload = "test for Ipsec Encryption Decryption simultaneously" + sa_gcm = SecurityAssociation(ESP, spi=5, + crypt_algo='AES-GCM', + crypt_key='\x2b\x7e\x15\x16\x28\xae\xd2\xa6\xab\xf7\x15\x88\x09\xcf\x4f\x3d\xde\xad\xbe\xef', + auth_algo='NULL', auth_key=None, + tunnel_header=IP(src='172.16.1.5', dst='172.16.2.5')) + sa_gcm.crypt_algo.icv_size = 16 + + p = IP(src='192.168.105.10', dst='192.168.105.10') + p /= "|->" + p /= payload + p /= "<-|" + p = IP(str(p)) + + e1 = sa_gcm.encrypt(p) + e2 = p + + eth_e1 = Ether() / e1 + eth_e1.src = "52:54:00:21:68:1c" + eth_e1.dst = "52:54:00:16:f6:b0" + eth_e2 = Ether() / e2 + eth_e2.src = "52:54:00:21:68:1c" + eth_e2.dst = 
"52:54:00:16:f6:b0" + + t1 = threading.Thread(target=sendp(eth_e1, iface=self.rxItf, count=2)) + t1.start() + t2 = threading.Thread(target=sendp(eth_e2, iface=self.txItf, count=1)) + t2.start() + session_receive.send_expect("^C", ">>>", 60) + session_receive2.send_expect("^C", ">>>", 60) + session_receive.send_expect( + "results=sa_gcm.decrypt(pkts[2]['IP'])", ">>>", 60) + out = session_receive.send_expect("results", ">>>", 60) + self.verify(payload in out, "Get a error package") + out = session_receive2.send_expect("pkts[1]", ">>>", 60) + self.verify(payload in out, "Get a error package") + + def tear_down(self): + """ + Run after each test case. + """ + self.tester.send_expect("^C", "#", 5) + self.dut.kill_all() + time.sleep(2) + + def tear_down_all(self): + """ + Run after each test suite. + """ + self.rxnetobj.enable_jumbo(framesize=ETHER_STANDARD_MTU) + self.txnetobj.enable_jumbo(framesize=ETHER_STANDARD_MTU) -- 1.9.3 ^ permalink raw reply [flat|nested] 6+ messages in thread
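Review bot: In test_Ipsec_Encryption_Decryption, threading.Thread(target=sendp(eth_e1, iface=self.rxItf, count=2)) calls sendp() in the main thread and hands its return value to Thread as target, so the ESP and plain packets go out one after the other and the threads started afterwards do no sending, which is not the simultaneous traffic the test is named for. Pass the callable and its arguments separately, for example target=sendp, args=(eth_e1,), kwargs={'iface': self.rxItf, 'count': 2}, and join() both threads before reading the captures. In test_Ipsec_Decryption_wrongkey, checking that "IPSEC_ESP: failed crypto op" is in the DUT output does not separate the wrong-key case from the normal one, since the test plan expects the same message for the first of the two packets with the correct key; the check should at least require the message for both packets sent (count=2) in addition to send_package not in out. The sed -i call in set_up_all inserts the printf before process_pkts(qconf, pkts, nb_rx, portid); on every run and tear_down_all does not revert it, so a second run of the suite on the same tree adds the line again; guard the insertion or restore ipsec-secgw.c in tear_down_all.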
* Re: [dts] [PATCH V1] add test suite inline_ipsec 2017-12-29 10:00 ` [dts] [PATCH V1] add test suite inline_ipsec xu,gang @ 2018-01-02 8:16 ` Liu, Yong 0 siblings, 0 replies; 6+ messages in thread From: Liu, Yong @ 2018-01-02 8:16 UTC (permalink / raw) To: Xu, GangX, dts; +Cc: Xu, GangX Gang, some comments are inline. Thanks, Marvin > -----Original Message----- > From: dts [mailto:dts-bounces@dpdk.org] On Behalf Of xu,gang > Sent: Friday, December 29, 2017 6:01 PM > To: dts@dpdk.org > Cc: Xu, GangX <gangx.xu@intel.com> > Subject: [dts] [PATCH V1] add test suite inline_ipsec > > Signed-off-by: xu,gang <gangx.xu@intel.com> > --- > tests/TestSuite_inline_ipsec.py | 405 > ++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 405 insertions(+) > create mode 100644 tests/TestSuite_inline_ipsec.py > > diff --git a/tests/TestSuite_inline_ipsec.py > b/tests/TestSuite_inline_ipsec.py > new file mode 100644 > index 0000000..ba90caf > --- /dev/null > +++ b/tests/TestSuite_inline_ipsec.py 
> @@ -0,0 +1,405 @@ > +# BSD LICENSE > +# > +# Copyright(c) 2010-2017 Intel Corporation. All rights reserved. > +# All rights reserved. > +# > +# Redistribution and use in source and binary forms, with or without > +# modification, are permitted provided that the following conditions > +# are met: > +# > +# * Redistributions of source code must retain the above copyright > +# notice, this list of conditions and the following disclaimer. > +# * Redistributions in binary form must reproduce the above copyright > +# notice, this list of conditions and the following disclaimer in > +# the documentation and/or other materials provided with the > +# distribution. > +# * Neither the name of Intel Corporation nor the names of its > +# contributors may be used to endorse or promote products derived > +# from this software without specific prior written permission. > +# > +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > +# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > +# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > + > + > +""" > +DPDK Test suite. > +Test inline_ipsec. 
> +""" > + > +import utils > +import string > +import time > +import re > +import threading > +from test_case import TestCase > +import getopt > +from scapy.all import * > + > +ETHER_STANDARD_MTU = 1518 > +ETHER_JUMBO_FRAME_MTU = 9000 > + > + > +class TestInlineIpsec(TestCase): > + > + def set_up_all(self): > + """ > + Run at the start of each test suite. > + """ > + self.verify(self.nic in ["niantic"], "%s NIC not support" % > self.nic) > + self.dut_ports = self.dut.get_ports(self.nic) > + self.verify(len(self.dut_ports) >= 2, "Insufficient ports") > + cores = self.dut.get_core_list("1S/4C/1T") > + self.coremask = utils.create_mask(cores) > + > + # get test port info > + self.rxport = self.tester.get_local_port(1) > + self.txport = self.tester.get_local_port(0) > + self.rxItf = self.tester.get_interface(self.rxport) > + self.txItf = self.tester.get_interface(self.txport) > + # get dut port pci > + self.portpci_0 = self.dut.get_port_pci(self.dut_ports[0]) > + self.portpci_1 = self.dut.get_port_pci(self.dut_ports[1]) > + > + # enable tester mtu > + self.rxnetobj = self.tester.ports_info[self.rxport]['port'] > + self.rxnetobj.enable_jumbo(framesize=ETHER_JUMBO_FRAME_MTU + 100) > + self.txnetobj = self.tester.ports_info[self.txport]['port'] > + self.txnetobj.enable_jumbo(framesize=ETHER_JUMBO_FRAME_MTU + 100) > + > + self.path = "./examples/ipsec-secgw/build/ipsec-secgw" > + # add print code in IPSEC app > + sedcmd = r"""sed -i -e '/process_pkts(qconf, pkts, nb_rx, > portid);/i\\printf("[debug]receive %hhu packet in rxqueueid=%hhu\\n",nb_rx, > queueid);' examples/ipsec-secgw/ipsec-secgw.c""" > + self.dut.send_expect(sedcmd, "#", 60) > + > + # build sample app > + out = self.dut.build_dpdk_apps("./examples/ipsec-secgw") > + self.verify("Error" not in out, "compilation error 1") > + self.verify("No such file" not in out, "compilation error 2") > + > + self.cfg_prepare() > + > + def set_up(self): > + """ > + Run before each test case. 
> + """ > + pass > + > + def cfg_prepare(self): > + """ > + write the inline_ipsec configuration file > + """ > + enc = """ > +#SP IPv4 rules > +sp ipv4 out esp protect 1005 pri 1 dst 192.168.105.0/24 sport 0:65535 > dport 0:65535 > + > +#SA rules > +sa out 1005 aead_algo aes-128-gcm aead_key > 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ > +mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \ > +port_id 1 \ > +type inline-crypto-offload \ > + > +#Routing rules > +rt ipv4 dst 172.16.2.5/32 port 1 > +""" You can use parentheses which is more readable for multiple lines string. eg: enc = ("#SP IPv4 rules" "sp ipv4 out esp protect 1005 pri 1 dst 192.168.105.0/24 sport 0:65535 dport 0:65535" "#SA rules" "sa out 1005 aead_algo aes-128-gcm aead_key 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 port_id 1 type inline-crypto-offload" ) > + dec = """ > +#SA rules > +sa in 5 aead_algo aes-128-gcm aead_key > 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ > +mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \ > +port_id 1 \ > +type inline-crypto-offload \ > + > +#Routing rules > +rt ipv4 dst 192.168.105.10/32 port 0 > +""" > + enc_rss = """ > +#SP IPv4 rules > +sp ipv4 out esp protect 1002 pri 1 dst 192.168.102.0/24 sport 0:65535 > dport 0:65535 > + > +sa out 1002 aead_algo aes-128-gcm aead_key > 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ > +mode ipv4-tunnel src 172.16.31.35 dst 172.16.32.35 \ > +port_id 1 \ > +type inline-crypto-offload \ > + > +#Routing rules > +rt ipv4 dst 172.16.32.35/32 port 1 > +""" > + dec_rss = """ > +#SA rules > +sa in 3 aead_algo aes-128-gcm aead_key > 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ > +mode ipv4-tunnel src 172.16.21.25 dst 172.16.22.25 \ > +port_id 1 \ > +type inline-crypto-offload \ > + > +#Routing rules > +rt ipv4 dst 192.168.105.10/32 port 0 > +""" > + dec_wrong_key = """ > +#SA rules > +sa in 5 aead_algo 
aes-128-gcm aead_key > 2f:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ > +mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \ > +port_id 1 \ > +type inline-crypto-offload \ > + > +#Routing rules > +rt ipv4 dst 192.168.105.10/32 port 0 > +""" > + enc_dec = """ > +#SP IPv4 rules > +sp ipv4 out esp protect 1005 pri 1 dst 192.168.105.0/24 sport 0:65535 > dport 0:65535 > + > +#SA rules > +sa out 1005 aead_algo aes-128-gcm aead_key > 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ > +mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \ > +port_id 1 \ > +type inline-crypto-offload \ > + > +sa in 5 aead_algo aes-128-gcm aead_key > 2b:7e:15:16:28:ae:d2:a6:ab:f7:15:88:09:cf:4f:3d:de:ad:be:ef \ > +mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \ > +port_id 1 \ > +type inline-crypto-offload \ > + > +#Routing rules > +rt ipv4 dst 172.16.2.5/32 port 1 > +rt ipv4 dst 192.168.105.10/32 port 0 > +""" > + self.set_cfg('enc.cfg', enc) > + self.set_cfg('dec.cfg', dec) > + self.set_cfg('enc_rss.cfg', enc_rss) > + self.set_cfg('dec_rss.cfg', dec_rss) > + self.set_cfg('enc_dec.cfg', enc_dec) > + self.set_cfg('dec_wrong_key.cfg', dec_wrong_key) > + > + def set_cfg(self, filename, cfg): > + """ > + open file and write cfg, scp it to dut /root/dpdk/ > + """ > + with open(filename, 'w') as f: > + f.write(cfg) > + self.dut.session.copy_file_to(filename, '/root/dpdk/') > + > + def send_encryption_package(self, intface, paysize=64, > do_encrypt=False, send_spi=5, count=1, mydst='192.168.105.10', > sa_src='172.16.1.5', sa_dst='172.16.2.5'): > + """ Please either use abbreviation "intf" or full word "interface". "mydst" should be "inner_dst" or "data_dst". 
> + make a package and send > + """ > + test = 'test-' * 2000 > + payload = test[0:int(paysize)] > + sa_gcm = SecurityAssociation(ESP, spi=send_spi, > + crypt_algo='AES-GCM', > + > crypt_key='\x2b\x7e\x15\x16\x28\xae\xd2\xa6\xab\xf7\x15\x88\x09\xcf\x4f\x3 > d\xde\xad\xbe\xef', > + auth_algo='NULL', auth_key=None, > + tunnel_header=IP(src=sa_src, > dst=sa_dst)) > + sa_gcm.crypt_algo.icv_size = 16 > + > + p = IP(src='192.168.105.10', dst=mydst) > + p /= "|->" > + p /= payload > + p /= "<-|" > + p = IP(str(p)) Why add "|->" and "<-|" in the payload? > + > + if do_encrypt == True: > + print "send encrypt package" > + e = sa_gcm.encrypt(p) > + else: > + print "send normal package" > + e = p > + > + eth_e = Ether() / e > + eth_e.src = "52:54:00:21:68:1c" > + eth_e.dst = "52:54:00:16:f6:b0" Please remove hard-coded mac, should be tester and DUT port's mac address. > + session_send = self.tester.create_session( > + name='send_encryption_package') > + sendp(eth_e, iface=intface, count=count) > + self.tester.destroy_session(session_send) > + > + return payload > + > + def Ipsec_Encryption(self, config, file_name, txItf, rxItf, > paysize=32, jumboframe=1518, do_encrypt=False, verify=True, send_spi=5, > receive_spi=1005, count=1, mydst='192.168.105.10', sa_src='172.16.1.5', > sa_dst='172.16.2.5'): > + """ > + verify Ipsec receive package > + """ > + cmd = self.path + " -l 20,21 -w %s -w %s --vdev 'crypto_null' -- > log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u 0x2 -j %s --config='%s' - > f %s" % ( > + self.portpci_0, self.portpci_1, jumboframe, config, file_name) > + self.dut.send_expect(cmd, "IPSEC", 60) > + > + session_receive = self.tester.create_session( > + name='receive_encryption_package') > + sa_gcm = r"sa_gcm=SecurityAssociation(ESP,spi=%s,crypt_algo='AES- > GCM',crypt_key='\x2b\x7e\x15\x16\x28\xae\xd2\xa6\xab\xf7\x15\x88\x09\xcf\x > 4f\x3d\xde\xad\xbe\xef',auth_algo='NULL',auth_key=None,tunnel_header=IP(sr > c='172.16.1.5',dst='172.16.2.5'))" % receive_spi > + > + 
session_receive.send_expect("scapy", "Welcome to Scapy", 10) Should wait for ">>>" which is commonly used in scapy related command. > + session_receive.send_expect( > + "pkts=sniff(iface='%s',count=1,timeout=10)" % rxItf, "", 30) > + send_package = self.send_encryption_package( > + txItf, paysize, do_encrypt, send_spi, count, mydst, sa_src, > sa_dst) > + > + time.sleep(10) > + out = session_receive.send_expect("pkts", "", 30) > + if do_encrypt: > + out = session_receive.send_expect("pkts[0]['IP'] ", ">>>", 10) > + else: > + session_receive.send_expect(sa_gcm, ">>>", 10) > + session_receive.send_expect( > + "results=sa_gcm.decrypt(pkts[0]['IP'])", ">>>", 10) > + out = session_receive.send_expect("results", ">>>", 10) > + > + if verify: > + self.verify(send_package in out, > + "Unreceived package or get other package") > + else: > + self.verify(send_package not in out, > + "The function is not in effect") > + session_receive.send_expect("quit()", "#", 10) > + self.tester.destroy_session(session_receive) > + > + def test_Ipsec_Encryption(self): > + """ > + test Ipsec Encryption > + """ > + config = '(0,0,21),(1,0,21)' > + paysize = random.randint(1, ETHER_STANDARD_MTU) > + self.Ipsec_Encryption(config, '/root/dpdk/enc.cfg', > + self.txItf, self.rxItf, paysize) > + > + def test_Ipsec_Encryption_Jumboframe(self): > + """ > + test Ipsec Encryption Jumboframe > + """ > + config = '(0,0,21),(1,0,21)' > + paysize = random.randint(ETHER_STANDARD_MTU, > ETHER_JUMBO_FRAME_MTU) > + self.Ipsec_Encryption(config, '/root/dpdk/enc.cfg', > + self.txItf, self.rxItf, paysize, > ETHER_JUMBO_FRAME_MTU) > + > + def test_Ipsec_Encryption_Rss(self): > + """ > + test Ipsec Encryption Rss > + """ > + config = '(0,0,20),(0,1,20),(1,0,21),(1,1,21)' > + self.Ipsec_Encryption(config, '/root/dpdk/enc_rss.cfg', > self.txItf, > + self.rxItf, send_spi=2, receive_spi=1002, > mydst='192.168.102.10') > + out = self.dut.get_session_output() > + verifycode = "receive 1 packet in rxqueueid=1" > + 
self.verify(verifycode in out, "rxqueueid error") > + > + def test_IPSec_Decryption(self): > + """ > + test IPSec Decryption > + """ > + config = '(0,0,21),(1,0,21)' > + paysize = random.randint(1, ETHER_STANDARD_MTU) > + self.Ipsec_Encryption(config, '/root/dpdk/dec.cfg', self.rxItf, > + self.txItf, paysize, do_encrypt=True, > count=2) > + > + def test_IPSec_Decryption_Jumboframe(self): > + """ > + test IPSec Decryption Jumboframe > + """ > + config = '(0,0,21),(1,0,21)' > + paysize = random.randint(ETHER_STANDARD_MTU, > ETHER_JUMBO_FRAME_MTU) > + self.Ipsec_Encryption(config, '/root/dpdk/dec.cfg', self.rxItf, > + self.txItf, paysize, ETHER_JUMBO_FRAME_MTU, > do_encrypt=True, count=2) > + > + def test_Ipsec_Decryption_Rss(self): > + """ > + test Ipsec Decryption Rss > + """ > + config = '(0,0,20),(0,1,20),(1,0,21),(1,1,21)' > + self.Ipsec_Encryption(config, '/root/dpdk/dec_rss.cfg', > self.rxItf, self.txItf, do_encrypt=True, > + send_spi=3, receive_spi=1003, count=2, > sa_src='172.16.21.25', sa_dst='172.16.22.25') > + out = self.dut.get_session_output() > + verifycode = "receive 1 packet in rxqueueid=1" > + self.verify(verifycode in out, "rxqueueid error") > + > + def test_Ipsec_Decryption_wrongkey(self): > + """ > + test Ipsec Decryption wrongkey > + """ > + config = '(0,0,21),(1,0,21)' > + paysize = random.randint(1, ETHER_STANDARD_MTU) > + self.Ipsec_Encryption(config, '/root/dpdk/dec_wrong_key.cfg', > self.rxItf, > + self.txItf, paysize, do_encrypt=True, > verify=False, count=2) > + out = self.dut.get_session_output() > + verifycode = "IPSEC_ESP: failed crypto op" > + self.verify(verifycode in out, "Ipsec Decryption wrongkey failed") > + > + def test_Ipsec_Encryption_Decryption(self): > + """ > + test Ipsec Encryption Decryption > + """ > + cmd = self.path + " -l 20,21 -w %s -w %s --vdev 'crypto_null' -- > log-level 8 --socket-mem 1024,1 -- -p 0xf -P -u 0x2 -j %s --config='%s' - > f %s" % ( > + self.portpci_0, self.portpci_1, '1518', '(0,0,21),(1,0,21)', > 
'/root/dpdk/enc_dec.cfg') > + self.dut.send_expect(cmd, "IPSEC", 60) > + session_receive = self.tester.create_session( > + name='receive_encryption_package') > + sa_gcm = r"sa_gcm=SecurityAssociation(ESP, > spi=1005,crypt_algo='AES- > GCM',crypt_key='\x2b\x7e\x15\x16\x28\xae\xd2\xa6\xab\xf7\x15\x88\x09\xcf\x > 4f\x3d\xde\xad\xbe\xef',auth_algo='NULL', > auth_key=None,tunnel_header=IP(src='172.16.1.5', dst='172.16.2.5'))" > + > + session_receive.send_expect("scapy", "Welcome to Scapy", 60) > + session_receive.send_expect(sa_gcm, ">>>", 60) > + session_receive.send_expect( > + "pkts=sniff(iface='%s',count=3)" % self.rxItf, "", 60) > + session_receive2 = self.tester.create_session( > + name='receive_encryption_package2') > + > + session_receive2.send_expect("scapy", "Welcome to Scapy", 60) > + session_receive2.send_expect(sa_gcm, ">>>", 60) > + session_receive2.send_expect( > + "pkts=sniff(iface='%s',count=2)" % self.txItf, "", 60) > + > + payload = "test for Ipsec Encryption Decryption simultaneously" > + sa_gcm = SecurityAssociation(ESP, spi=5, > + crypt_algo='AES-GCM', > + > crypt_key='\x2b\x7e\x15\x16\x28\xae\xd2\xa6\xab\xf7\x15\x88\x09\xcf\x4f\x3 > d\xde\xad\xbe\xef', > + auth_algo='NULL', auth_key=None, > + tunnel_header=IP(src='172.16.1.5', > dst='172.16.2.5')) > + sa_gcm.crypt_algo.icv_size = 16 > + > + p = IP(src='192.168.105.10', dst='192.168.105.10') > + p /= "|->" > + p /= payload > + p /= "<-|" > + p = IP(str(p)) > + > + e1 = sa_gcm.encrypt(p) > + e2 = p > + > + eth_e1 = Ether() / e1 > + eth_e1.src = "52:54:00:21:68:1c" > + eth_e1.dst = "52:54:00:16:f6:b0" > + eth_e2 = Ether() / e2 > + eth_e2.src = "52:54:00:21:68:1c" > + eth_e2.dst = "52:54:00:16:f6:b0" > + > + t1 = threading.Thread(target=sendp(eth_e1, iface=self.rxItf, > count=2)) > + t1.start() > + t2 = threading.Thread(target=sendp(eth_e2, iface=self.txItf, > count=1)) > + t2.start() We'd like to enable threading support in the framework rather than the suite. 
If there is no special need for threading module, please remove it. > + session_receive.send_expect("^C", ">>>", 60) > + session_receive2.send_expect("^C", ">>>", 60) > + session_receive.send_expect( > + "results=sa_gcm.decrypt(pkts[2]['IP'])", ">>>", 60) > + out = session_receive.send_expect("results", ">>>", 60) > + self.verify(payload in out, "Get a error package") Please clear the error reason, not just an announcement. > + out = session_receive2.send_expect("pkts[1]", ">>>", 60) > + self.verify(payload in out, "Get a error package") > + > + def tear_down(self): > + """ > + Run after each test case. > + """ > + self.tester.send_expect("^C", "#", 5) > + self.dut.kill_all() > + time.sleep(2) > + > + def tear_down_all(self): > + """ > + Run after each test suite. > + """ > + self.rxnetobj.enable_jumbo(framesize=ETHER_STANDARD_MTU) > + self.txnetobj.enable_jumbo(framesize=ETHER_STANDARD_MTU) > -- > 1.9.3 ^ permalink raw reply [flat|nested] 6+ messages in thread
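Review bot: in test_Ipsec_Encryption_Decryption, `threading.Thread(target=sendp(eth_e1, iface=self.rxItf, count=2))` calls sendp() right there in the main thread and passes its return value to Thread as the target, so the two sends run one after the other and the started threads do no work; neither thread is joined before `^C` is sent to the sniffing sessions. If the encrypt and decrypt directions really have to be exercised at the same time, pass the callable and its arguments separately (`target=sendp, args=(eth_e1,), kwargs={'iface': self.rxItf, 'count': 2}`) and join both threads before reading `pkts`; otherwise call sendp() directly and drop the threading module, since that is how the code already behaves.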
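Review bot: in Ipsec_Encryption, the `verify=False` branch (`self.verify(send_package not in out, ...)`) also passes when the sniffer captured nothing or captured an unrelated frame, because `sniff(iface='%s',count=1,timeout=10)` has no filter and stops at the first packet on the interface. For test_Ipsec_Decryption_wrongkey this means the only real assertion is the "IPSEC_ESP: failed crypto op" string in the DUT output, and for the positive cases a stray frame on rxItf can make `send_package in out` fail for reasons unrelated to IPsec. Please give sniff() a filter for the expected ESP or inner IP traffic, and in the negative case assert explicitly that no matching packet was forwarded rather than relying on the payload being absent from whatever `pkts[0]` happens to be.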
end of thread, other threads:[~2018-01-02 8:16 UTC | newest]

Thread overview: 6+ messages
2017-12-29 9:48 [dts] [PATCH V1] add inline_ipsec test plan Peng Yuan
2017-12-29 9:48 ` [dts] [PATCH V1] add test suite inline_ipsec Peng Yuan
2017-12-29 9:55 ` Xu, GangX
2017-12-29 9:55 ` [dts] [PATCH V1] add inline_ipsec test plan Xu, GangX
2017-12-29 10:00 xu,gang
2017-12-29 10:00 ` [dts] [PATCH V1] add test suite inline_ipsec xu,gang
2018-01-02 8:16 ` Liu, Yong