Hello,

Foremost we want you to know that we appreciate strongSwan a lot, and we 
congratulate you for this software.
This is very useful and we particularly appreciate your automated test suites.

As part of QoS measurement on Cisco routers, we decided to check on your 
testing environment the behavior of the DSCP field through IPSec hosts 
referring to the appropriate RFCs.
The DSCP values are totally arbitrary in our tests. In order to complete your 
test suites we share our own test scenarios hoping that they may interest you. 
We launched and passed them with strongSwan 4.6.2 and 4.6.3.

There are 7 test scenarios that we introduce to you below. In order to simplify
the explanations we call A and B the concerned hosts and G the gateway between
them.

1°  It is a simple ping between A and B via G.
      No IPSec, no iptables rules.
      It checks that the value of the DSCP field is 0 (by default).

2°  It is a ping between A and B via G.
      No IPSec. Iptables rule for A : the DSCP field of its outbound ICMP packets is 1.
      It checks the ToS field of the ICMP packets between A and B is 4 : bits 7-2
      of the IPv4 header ToS octet represent the DSCP field (RFC 2474) and bits 1-0
      are 0 by default so we have the relation ToS=DSCP*4 with DSCP in decimal form.

3°  It is a ping from A to B through an IPSec tunnel between A and G. Tunnel mode is used.
      Iptables rule for A : the DSCP field of its outbound ICMP packets is 2.
      It checks :
                - the established tunnel ;
                - the ToS field of the ICMP packets is 8 ;
                - the DSCP field of the ESP packets is copied from their inner header :

"IPv4 -- Header Construction for Tunnel Mode

                        <-- How Outer Hdr Relates to Inner Hdr -->
                        Outer Hdr at                 Inner Hdr at
   IPv4                 Encapsulator                 Decapsulator
     Header fields:     --------------------         ------------
       (...)
       TOS              copied from inner hdr (5)    no change " (RFC 2401, paragraph 5.1.2.1).

4°  Two IPSec tunnels are defined between A and G. Two traffic flows (ICMP and
HTTP) are generated between A and B, with 2 different values for the DSCP
field. Tunnel mode is used.
      Iptables rules for A : the DSCP field of its outbound ICMP packets is 3
      and the one of its TCP-based HTTP packets is 1.
      It checks :
                - the established tunnel ;
                - the ToS fields of the packets are the ones imposed previously
                  (the DSCP field of the TCP-based HTTP packets sent by B is 0
                  since B entered no iptables rule) ;
                - the DSCP field of the ESP packets is taken from their inner header.

5°  Same as 4° but here the DSCP field of the ESP packets is forced to 2.

6°  Same as 4° but here B enters an iptables rule too : the DSCP field of its
outbound TCP-based HTTP packets is 1 so that the going and coming TCP-based
HTTP packets between A and B have the same DSCP field value.

7°  Same as 6° but in transport mode.

We want you to know that we also added a little modification in the script 
do-tests.in. This modification concerns only our tests dscp/*. In fact for 
these scenarios, verbose mode is necessary for the command tcpdump to check the 
ToS field. We also restricted the flow to ICMP, ESP, HTTP and we rejected the 
flow towards winnetou, in order to have moderate tcpdump captures.

The tarball of our git tree containing only the directory of our test scenarios 
(named "dscp") and the modified script do-tests.in is attached.

You just have to extract it with the command tar xvjf dscp_tests.tar.bz2, then 
the directory testing/tests/dscp and the script testing/do-tests.in will be 
installed. Finally you can launch the tests as usual.

Andreas, would it be possible for you to integrate our tests in the
mainstream test series ?

Best regards,

Jean-Marc & Stephanie


--
[email protected]
THALES Communications
160 Bd de Valmy, 92704 Colombes
DSC/FR/OPS/SAT/T&A
Tel : +33 (0)1 41 30 22 85
Gsm : +33 (0)6 82 29 98 66
Fax : +33 (0)1 41 30 31 71



Attachment: dscp_tests.tar.bz2
Description: dscp_tests.tar.bz2
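
The ToS=DSCP*4 relation and the "copied from inner hdr" check of scenario 3 can be verified from `tcpdump -v` output as follows. This is an added example, not part of the original message or of the attached test scripts; the capture lines, addresses and function names are constructed for illustration.

```python
import re

# First line tcpdump -v prints per IPv4 packet; the tos value is hexadecimal.
HDR = re.compile(r"IP \(tos (0x[0-9a-f]+),.*?proto (\w+) \((\d+)\)")

# Constructed captures (documentation-range addresses, not real output).
SCENARIO_3 = """\
IP (tos 0x8, ttl 64, id 0, offset 0, flags [DF], proto ESP (50), length 136)
    192.0.2.10 > 192.0.2.1: ESP(spi=0xc0ffee01,seq=0x1), length 116
IP (tos 0x8, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.0.2.10 > 198.51.100.20: ICMP echo request, id 7, seq 1, length 64
"""
# Same capture, but the outer (ESP) header did not inherit the inner ToS.
OUTER_NOT_COPIED = SCENARIO_3.replace("tos 0x8, ttl 64", "tos 0x0, ttl 64")


def tos_to_dscp(tos):
    """DSCP is bits 7-2 of the ToS octet; the two low bits are returned apart."""
    return tos >> 2, tos & 0x3


def parse_capture(text):
    """Return [(protocol name, ToS octet)] for each IPv4 header line."""
    return [(m.group(2), int(m.group(1), 16)) for m in HDR.finditer(text)]


def check_dscp(text, expected):
    """Return the packets whose DSCP differs from expected[protocol name]."""
    bad = []
    for proto, tos in parse_capture(text):
        dscp, _low = tos_to_dscp(tos)  # low bits do not affect the comparison
        if proto in expected and dscp != expected[proto]:
            bad.append((proto, hex(tos), dscp))
    return bad


if __name__ == "__main__":
    want = {"ICMP": 2, "ESP": 2}  # scenario 3: DSCP 2 on inner and outer header
    for name, cap in (("scenario 3", SCENARIO_3),
                      ("outer not copied", OUTER_NOT_COPIED)):
        print(name, check_dscp(cap, want) or "OK")
```

Comparing the decoded DSCP rather than matching the literal `tos 0x8` string keeps the check valid when the two low bits of the octet are set.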
