Signed-off-by: Robbie King <[email protected]> --- example/ipsec/README | 164 +++++++++++++++++++++++++++++++++++++++++ example/ipsec/run_ah_in.sh | 12 +++ example/ipsec/run_ah_out.sh | 12 +++ example/ipsec/run_both_in.sh | 14 ++++ example/ipsec/run_both_out.sh | 14 ++++ example/ipsec/run_esp_in.sh | 13 +++ example/ipsec/run_esp_out.sh | 13 +++ example/ipsec/run_live.sh | 17 ++++ example/ipsec/run_router.sh | 9 ++ example/ipsec/run_simple.sh | 10 +++ 10 files changed, 278 insertions(+), 0 deletions(-) create mode 100644 example/ipsec/README create mode 100644 example/ipsec/run_ah_in.sh create mode 100644 example/ipsec/run_ah_out.sh create mode 100644 example/ipsec/run_both_in.sh create mode 100644 example/ipsec/run_both_out.sh create mode 100644 example/ipsec/run_esp_in.sh create mode 100644 example/ipsec/run_esp_out.sh create mode 100644 example/ipsec/run_live.sh create mode 100644 example/ipsec/run_router.sh create mode 100644 example/ipsec/run_simple.sh
diff --git a/example/ipsec/README b/example/ipsec/README new file mode 100644 index 0000000..7b9dcc3 --- /dev/null +++ b/example/ipsec/README @@ -0,0 +1,164 @@ +1. Intro + +The IPsec example application "odp_ipsec" functions as a simple L3 IPv4 router +with support IPsec 3DES cipher and HMAC-MD5 authentication in both the transmit +and receive directions. Note that only IPsec "transport" mode is supported. + +2. Prerequisites + + 2.1 SSL development libraries + +Development has been done to this point with the openssl-devel libraries, +the makefile specifically links with "-lcrypto". + +3. Topology + +The following test topology was used for development. Each of the VMs +is running Fedora16. Sanity testing consists of pinging VM2 from VM0 +such that the packets traverse VM1. Packets between VM1 and VM2 are +IPsec AH and ESP encapsulated. + + VM0 VM1 (UUT) VM2 ++------------+ +--------------+ +------------+ +| | (clear) | | (crypto) | | +| | subnet | | subnet | | +| p7p1 |<---------------->| p7p1 p8p1 |<---------------->| p7p1 | +| .2 | 192.168.111.0 | .1 .1 | 192.168.222.0 | .2 | +| | | | | | ++------------+ +--------------+ +------------+ + +4. VM configurations + + 4.1 VM0 configuration + +VM0 has the follwing interface configuration: + + cat /etc/sysconfig/network-scripts/ifcfg-p7p1 + DEVICE=p7p1 + HWADDR=08:00:27:76:B5:E0 + BOOTPROTO=static + IPADDR=192.168.111.2 + NETMASK=255.255.255.0 + ONBOOT=yes + +In addition, static ARP and IPv4 routes must be added on VM0: + + sudo ip route add 192.168.222.0/24 via 192.168.111.1 + sudo ip route add 192.168.222.0/24 via 192.168.111.1 + + 4.2 VM1 configuration + +For the unit under test, IP forwarding and IP tables were disabled. + +VM1 has the follwing interface configurations: + + cat /etc/sysconfig/network-scripts/ifcfg-p7p1 + DEVICE=p7p1 + HWADDR=08:00:27:04:BF:8C + BOOTPROTO=static + IPADDR=192.168.111.1 + NETMASK=255.255.255.0 + ONBOOT=yes + + cat /etc/sysconfig/network-scripts/ifcfg-p8p1 + DEVICE=p8p1 + HWADDR=08:00:27:4C:55:CC + BOOTPROTO=static + IPADDR=192.168.222.1 + NETMASK=255.255.255.0 + ONBOOT=yes + +The application is launched on VM1 with the following command line +using a bash script: + + cat test/ipsec/run_test.sh + #!/bin/bash + sudo ./odp_ipsec -i p7p1,p8p1 \ + -r 192.168.111.2/32:p7p1:08.00.27.76.B5.E0 \ + -r 192.168.222.2/32:p8p1:08.00.27.F5.8B.DB \ + -p 192.168.111.0/24:192.168.222.0/24:out:both \ + -e 192.168.111.2:192.168.222.2:3des:201:656c8523255ccc23a66c1917aa0cf30991fce83532a4b224 \ + -a 192.168.111.2:192.168.222.2:md5:200:a731649644c5dee92cbd9c2e7e188ee6 \ + -p 192.168.222.0/24:192.168.111.0/24:in:both \ + -e 192.168.222.2:192.168.111.2:3des:301:c966199f24d095f3990a320d749056401e82b26570320292 \ + -a 192.168.222.2:192.168.111.2:md5:300:27f6d123d7077b361662fc6e451f65d8 \ + -c 2 -f 0 -m 0 + + 4.3 VM2 configuration + +VM2 must be setup with an IPsec configuration complementing +the configuration used by the "odp_ipsec" application running +on VM1. The configuration is applied using "setkey" + +VM2 has the following setkey configuration file applied: + + cat /media/sf_SharedVM2/setkey_vm2.txt + #!/sbin/setkey -f + + # Flush the SAD and SPD + flush; + spdflush; + + add 192.168.111.2 192.168.222.2 ah 0x200 -A hmac-md5 + 0xa731649644c5dee92cbd9c2e7e188ee6; + add 192.168.222.2 192.168.111.2 ah 0x300 -A hmac-md5 + 0x27f6d123d7077b361662fc6e451f65d8; + + add 192.168.111.2 192.168.222.2 esp 0x201 -E 3des-cbc + 0x656c8523255ccc23a66c1917aa0cf30991fce83532a4b224; + add 192.168.222.2 192.168.111.2 esp 0x301 -E 3des-cbc + 0xc966199f24d095f3990a320d749056401e82b26570320292; + + spdadd 192.168.111.2 192.168.222.2 any -P in ipsec + esp/transport//require + ah/transport//require; + + spdadd 192.168.222.2 192.168.111.2 any -P out ipsec + esp/transport//require + ah/transport//require; + +VM2 has the follwing interface configuration: + + cat /etc/sysconfig/network-scripts/ifcfg-p7p1 + DEVICE=p7p1 + HWADDR=08:00:27:F5:8B:DB + BOOTPROTO=static + IPADDR=192.168.222.2 + NETMASK=255.255.255.0 + ONBOOT=yes + +In addition, static ARP and IPv4 routes must be added on VM2: + + sudo ip route add 192.168.111.0/24 via 192.168.222.1 + sudo arp -s 192.168.222.1 08:00:27:4c:55:cc + +5. Sanity Test with Real Traffic + +Once all three VMs have been configured and static ARP and route +entries added, VM0 should be able to ping VM2 at the 192.168.222.2 +address. + +At VM0 console issue the ping to VM2's address: + + sudo ping -c 2 -i 0.1 192.168.222.2 + PING 192.168.222.2 (192.168.222.2) 56(84) bytes of data. + 64 bytes from 192.168.222.2: icmp_req=1 ttl=64 time=33.9 ms + 64 bytes from 192.168.222.2: icmp_req=2 ttl=64 time=23.3 ms + +At VM2 console use tcpdump to observe IPsec packets : + + sudo tcpdump -nt -i p7p1 + tcpdump: verbose output suppressed, use -v or -vv for full protocol decode + listening on p7p1, link-type EN10MB (Ethernet), capture size 65535 bytes + + IP 192.168.111.2 > 192.168.222.2: AH(spi=0x00000200,seq=0x6): ESP(spi=0x00000201,seq=0x6), length 88 + IP 192.168.222.2 > 192.168.111.2: AH(spi=0x00000300,seq=0x7a): ESP(spi=0x00000301,seq=0x7a), length 88 + IP 192.168.111.2 > 192.168.222.2: AH(spi=0x00000200,seq=0x7): ESP(spi=0x00000201,seq=0x7), length 88 + IP 192.168.222.2 > 192.168.111.2: AH(spi=0x00000300,seq=0x7b): ESP(spi=0x00000301,seq=0x7b), length 88 + +6. Standalone Loopback Tests + +BASH batch files are now included to run several simple loopback tests that +do not require any packet IO. The scripts create internal "loopback" (not +real Linux loopback interfaces but simply ODP queues) as opposed to packet +interfaces. diff --git a/example/ipsec/run_ah_in.sh b/example/ipsec/run_ah_in.sh new file mode 100644 index 0000000..0dfca9f --- /dev/null +++ b/example/ipsec/run_ah_in.sh @@ -0,0 +1,12 @@ +#!/bin/bash +# +# Test input AH +# - 2 loop interfaces +# - 10 packets +# - Specify API mode on command line +./odp_ipsec -i loop1,loop2 \ +-r 192.168.111.2/32:loop1:08.00.27.76.B5.E0 \ +-p 192.168.222.0/24:192.168.111.0/24:in:ah \ +-a 192.168.222.2:192.168.111.2:md5:300:27f6d123d7077b361662fc6e451f65d8 \ +-s 192.168.222.2:192.168.111.2:loop2:loop1:10:100 \ +-c 2 -f 0 -m $1 diff --git a/example/ipsec/run_ah_out.sh b/example/ipsec/run_ah_out.sh new file mode 100644 index 0000000..995a6cb --- /dev/null +++ b/example/ipsec/run_ah_out.sh @@ -0,0 +1,12 @@ +#!/bin/bash +# +# Test output AH +# - 2 loop interfaces +# - 10 packets +# - Specify API mode on command line + ./odp_ipsec -i loop1,loop2 \ +-r 192.168.222.2/32:loop2:08.00.27.F5.8B.DB \ +-p 192.168.111.0/24:192.168.222.0/24:out:ah \ +-a 192.168.111.2:192.168.222.2:md5:200:a731649644c5dee92cbd9c2e7e188ee6 \ +-s 192.168.111.2:192.168.222.2:loop1:loop2:10:100 \ +-c 2 -f 0 -m $1 diff --git a/example/ipsec/run_both_in.sh b/example/ipsec/run_both_in.sh new file mode 100644 index 0000000..6d24b08 --- /dev/null +++ b/example/ipsec/run_both_in.sh @@ -0,0 +1,14 @@ +#!/bin/bash +# +# Test AH and ESP input +# - 2 loop interfaces +# - 10 packets +# - Specify API mode on command line +./odp_ipsec -i loop1,loop2 \ +-r 192.168.111.2/32:loop1:08.00.27.76.B5.E0 \ +-p 192.168.222.0/24:192.168.111.0/24:in:both \ +-a 192.168.222.2:192.168.111.2:md5:300:27f6d123d7077b361662fc6e451f65d8 \ +-e 192.168.222.2:192.168.111.2:\ +3des:301:c966199f24d095f3990a320d749056401e82b26570320292 \ +-s 192.168.222.2:192.168.111.2:loop2:loop1:10:100 \ +-c 2 -f 0 -m $1 diff --git a/example/ipsec/run_both_out.sh b/example/ipsec/run_both_out.sh new file mode 100644 index 0000000..c02f670 --- /dev/null +++ b/example/ipsec/run_both_out.sh @@ -0,0 +1,14 @@ +#!/bin/bash +# +# Test AH and ESP output +# - 2 loop interfaces +# - 10 packets +# - Specify API mode on command line +./odp_ipsec -i loop1,loop2 \ +-r 192.168.222.2/32:loop2:08.00.27.F5.8B.DB \ +-p 192.168.111.0/24:192.168.222.0/24:out:both \ +-e 192.168.111.2:192.168.222.2:\ +3des:201:656c8523255ccc23a66c1917aa0cf30991fce83532a4b224 \ +-a 192.168.111.2:192.168.222.2:md5:200:a731649644c5dee92cbd9c2e7e188ee6 \ +-s 192.168.111.2:192.168.222.2:loop1:loop2:10:100 \ +-c 2 -f 0 -m $1 diff --git a/example/ipsec/run_esp_in.sh b/example/ipsec/run_esp_in.sh new file mode 100644 index 0000000..8868f8d --- /dev/null +++ b/example/ipsec/run_esp_in.sh @@ -0,0 +1,13 @@ +#!/bin/bash +# +# Test input ESP +# - 2 loop interfaces +# - 10 packets +# - Specify API mode on command line +./odp_ipsec -i loop1,loop2 \ +-r 192.168.111.2/32:loop1:08.00.27.76.B5.E0 \ +-p 192.168.222.0/24:192.168.111.0/24:in:esp \ +-e 192.168.222.2:192.168.111.2:\ +3des:301:c966199f24d095f3990a320d749056401e82b26570320292 \ +-s 192.168.222.2:192.168.111.2:loop2:loop1:10:100 \ +-c 2 -f 0 -m $1 diff --git a/example/ipsec/run_esp_out.sh b/example/ipsec/run_esp_out.sh new file mode 100644 index 0000000..5359fdd --- /dev/null +++ b/example/ipsec/run_esp_out.sh @@ -0,0 +1,13 @@ +#!/bin/bash +# +# Test output ESP +# - 2 loop interfaces +# - 10 packets +# - Specify API mode on command line +./odp_ipsec -i loop1,loop2 \ +-r 192.168.222.2/32:loop2:08.00.27.F5.8B.DB \ +-p 192.168.111.0/24:192.168.222.0/24:out:esp \ +-e 192.168.111.2:192.168.222.2:\ +3des:201:656c8523255ccc23a66c1917aa0cf30991fce83532a4b224 \ +-s 192.168.111.2:192.168.222.2:loop1:loop2:10:100 \ +-c 2 -f 0 -m $1 diff --git a/example/ipsec/run_live.sh b/example/ipsec/run_live.sh new file mode 100644 index 0000000..5d72a1a --- /dev/null +++ b/example/ipsec/run_live.sh @@ -0,0 +1,17 @@ +#!/bin/bash +# +# Live router test +# - 2 interfaces interfaces +# - Specify API mode on command line +sudo ./odp_ipsec -i p7p1,p8p1 \ +-r 192.168.111.2/32:p7p1:08.00.27.76.B5.E0 \ +-r 192.168.222.2/32:p8p1:08.00.27.F5.8B.DB \ +-p 192.168.111.0/24:192.168.222.0/24:out:both \ +-e 192.168.111.2:192.168.222.2:\ +3des:201:656c8523255ccc23a66c1917aa0cf30991fce83532a4b224 \ +-a 192.168.111.2:192.168.222.2:md5:200:a731649644c5dee92cbd9c2e7e188ee6 \ +-p 192.168.222.0/24:192.168.111.0/24:in:both \ +-e 192.168.222.2:192.168.111.2:\ +3des:301:c966199f24d095f3990a320d749056401e82b26570320292 \ +-a 192.168.222.2:192.168.111.2:md5:300:27f6d123d7077b361662fc6e451f65d8 \ +-c 2 -f 0 -t 3 -m $1 diff --git a/example/ipsec/run_router.sh b/example/ipsec/run_router.sh new file mode 100644 index 0000000..6aac5d2 --- /dev/null +++ b/example/ipsec/run_router.sh @@ -0,0 +1,9 @@ +#!/bin/bash +# +# Live router test +# - 2 interfaces interfaces +# - Specify API mode on command line +sudo ./odp_ipsec -i p7p1,p8p1 \ +-r 192.168.111.2/32:p7p1:08.00.27.76.B5.E0 \ +-r 192.168.222.2/32:p8p1:08.00.27.F5.8B.DB \ +-c 1 -f 0 -t 3 -m $1 diff --git a/example/ipsec/run_simple.sh b/example/ipsec/run_simple.sh new file mode 100644 index 0000000..9b10b65 --- /dev/null +++ b/example/ipsec/run_simple.sh @@ -0,0 +1,10 @@ +#!/bin/bash +# +# Simple router test +# - 2 loop interfaces +# - 10 packets +# - Specify API mode on command line +./odp_ipsec -i loop1,loop2 \ +-r 192.168.222.2/32:loop2:08.00.27.F5.8B.DB \ +-s 192.168.111.2:192.168.222.2:loop1:loop2:10:100 \ +-c 2 -f 0 -m $1 -- 1.7.7.6 _______________________________________________ lng-odp mailing list [email protected] http://lists.linaro.org/mailman/listinfo/lng-odp
