srv6_end_dt6_l3vpn_test.sh (17615B)
1#!/bin/bash 2# SPDX-License-Identifier: GPL-2.0 3# 4# author: Andrea Mayer <andrea.mayer@uniroma2.it> 5# author: Paolo Lungaroni <paolo.lungaroni@cnit.it> 6 7# This test is designed for evaluating the new SRv6 End.DT6 behavior used for 8# implementing IPv6 L3 VPN use cases. 9# 10# Hereafter a network diagram is shown, where two different tenants (named 100 11# and 200) offer IPv6 L3 VPN services allowing hosts to communicate with each 12# other across an IPv6 network. 13# 14# Only hosts belonging to the same tenant (and to the same VPN) can communicate 15# with each other. Instead, the communication among hosts of different tenants 16# is forbidden. 17# In other words, hosts hs-t100-1 and hs-t100-2 are connected through the IPv6 18# L3 VPN of tenant 100 while hs-t200-3 and hs-t200-4 are connected using the 19# IPv6 L3 VPN of tenant 200. Cross connection between tenant 100 and tenant 200 20# is forbidden and thus, for example, hs-t100-1 cannot reach hs-t200-3 and vice 21# versa. 22# 23# Routers rt-1 and rt-2 implement IPv6 L3 VPN services leveraging the SRv6 24# architecture. The key components for such VPNs are: a) SRv6 Encap behavior, 25# b) SRv6 End.DT6 behavior and c) VRF. 26# 27# To explain how an IPv6 L3 VPN based on SRv6 works, let us briefly consider an 28# example where, within the same domain of tenant 100, the host hs-t100-1 pings 29# the host hs-t100-2. 30# 31# First of all, L2 reachability of the host hs-t100-2 is taken into account by 32# the router rt-1 which acts as a ndp proxy. 33# 34# When the host hs-t100-1 sends an IPv6 packet destined to hs-t100-2, the 35# router rt-1 receives the packet on the internal veth-t100 interface. Such 36# interface is enslaved to the VRF vrf-100 whose associated table contains the 37# SRv6 Encap route for encapsulating any IPv6 packet in a IPv6 plus the Segment 38# Routing Header (SRH) packet. This packet is sent through the (IPv6) core 39# network up to the router rt-2 that receives it on veth0 interface. 40# 41# The rt-2 router uses the 'localsid' routing table to process incoming 42# IPv6+SRH packets which belong to the VPN of the tenant 100. For each of these 43# packets, the SRv6 End.DT6 behavior removes the outer IPv6+SRH headers and 44# performs the lookup on the vrf-100 table using the destination address of 45# the decapsulated IPv6 packet. Afterwards, the packet is sent to the host 46# hs-t100-2 through the veth-t100 interface. 47# 48# The ping response follows the same processing but this time the role of rt-1 49# and rt-2 are swapped. 50# 51# Of course, the IPv6 L3 VPN for tenant 200 works exactly as the IPv6 L3 VPN 52# for tenant 100. In this case, only hosts hs-t200-3 and hs-t200-4 are able to 53# connect with each other. 54# 55# 56# +-------------------+ +-------------------+ 57# | | | | 58# | hs-t100-1 netns | | hs-t100-2 netns | 59# | | | | 60# | +-------------+ | | +-------------+ | 61# | | veth0 | | | | veth0 | | 62# | | cafe::1/64 | | | | cafe::2/64 | | 63# | +-------------+ | | +-------------+ | 64# | . | | . | 65# +-------------------+ +-------------------+ 66# . . 67# . . 68# . . 69# +-----------------------------------+ +-----------------------------------+ 70# | . | | . | 71# | +---------------+ | | +---------------- | 72# | | veth-t100 | | | | veth-t100 | | 73# | | cafe::254/64 | +----------+ | | +----------+ | cafe::254/64 | | 74# | +-------+-------+ | localsid | | | | localsid | +-------+-------- | 75# | | | table | | | | table | | | 76# | +----+----+ +----------+ | | +----------+ +----+----+ | 77# | | vrf-100 | | | | vrf-100 | | 78# | +---------+ +------------+ | | +------------+ +---------+ | 79# | | veth0 | | | | veth0 | | 80# | | fd00::1/64 |.|...|.| fd00::2/64 | | 81# | +---------+ +------------+ | | +------------+ +---------+ | 82# | | vrf-200 | | | | vrf-200 | | 83# | +----+----+ | | +----+----+ | 84# | | | | | | 85# | +-------+-------+ | | +-------+-------- | 86# | | veth-t200 | | | | veth-t200 | | 87# | | cafe::254/64 | | | | cafe::254/64 | | 88# | +---------------+ rt-1 netns | | rt-2 netns +---------------- | 89# | . | | . | 90# +-----------------------------------+ +-----------------------------------+ 91# . . 92# . . 93# . . 94# . . 95# +-------------------+ +-------------------+ 96# | . | | . | 97# | +-------------+ | | +-------------+ | 98# | | veth0 | | | | veth0 | | 99# | | cafe::3/64 | | | | cafe::4/64 | | 100# | +-------------+ | | +-------------+ | 101# | | | | 102# | hs-t200-3 netns | | hs-t200-4 netns | 103# | | | | 104# +-------------------+ +-------------------+ 105# 106# 107# ~~~~~~~~~~~~~~~~~~~~~~~~~ 108# | Network configuration | 109# ~~~~~~~~~~~~~~~~~~~~~~~~~ 110# 111# rt-1: localsid table (table 90) 112# +-------------------------------------------------+ 113# |SID |Action | 114# +-------------------------------------------------+ 115# |fc00:21:100::6006|apply SRv6 End.DT6 vrftable 100| 116# +-------------------------------------------------+ 117# |fc00:21:200::6006|apply SRv6 End.DT6 vrftable 200| 118# +-------------------------------------------------+ 119# 120# rt-1: VRF tenant 100 (table 100) 121# +---------------------------------------------------+ 122# |host |Action | 123# +---------------------------------------------------+ 124# |cafe::2 |apply seg6 encap segs fc00:12:100::6006| 125# +---------------------------------------------------+ 126# |cafe::/64 |forward to dev veth_t100 | 127# +---------------------------------------------------+ 128# 129# rt-1: VRF tenant 200 (table 200) 130# +---------------------------------------------------+ 131# |host |Action | 132# +---------------------------------------------------+ 133# |cafe::4 |apply seg6 encap segs fc00:12:200::6006| 134# +---------------------------------------------------+ 135# |cafe::/64 |forward to dev veth_t200 | 136# +---------------------------------------------------+ 137# 138# 139# rt-2: localsid table (table 90) 140# +-------------------------------------------------+ 141# |SID |Action | 142# +-------------------------------------------------+ 143# |fc00:12:100::6006|apply SRv6 End.DT6 vrftable 100| 144# +-------------------------------------------------+ 145# |fc00:12:200::6006|apply SRv6 End.DT6 vrftable 200| 146# +-------------------------------------------------+ 147# 148# rt-2: VRF tenant 100 (table 100) 149# +---------------------------------------------------+ 150# |host |Action | 151# +---------------------------------------------------+ 152# |cafe::1 |apply seg6 encap segs fc00:21:100::6006| 153# +---------------------------------------------------+ 154# |cafe::/64 |forward to dev veth_t100 | 155# +---------------------------------------------------+ 156# 157# rt-2: VRF tenant 200 (table 200) 158# +---------------------------------------------------+ 159# |host |Action | 160# +---------------------------------------------------+ 161# |cafe::3 |apply seg6 encap segs fc00:21:200::6006| 162# +---------------------------------------------------+ 163# |cafe::/64 |forward to dev veth_t200 | 164# +---------------------------------------------------+ 165# 166 167# Kselftest framework requirement - SKIP code is 4. 168ksft_skip=4 169 170readonly LOCALSID_TABLE_ID=90 171readonly IPv6_RT_NETWORK=fd00 172readonly IPv6_HS_NETWORK=cafe 173readonly VPN_LOCATOR_SERVICE=fc00 174PING_TIMEOUT_SEC=4 175 176ret=0 177 178PAUSE_ON_FAIL=${PAUSE_ON_FAIL:=no} 179 180log_test() 181{ 182 local rc=$1 183 local expected=$2 184 local msg="$3" 185 186 if [ ${rc} -eq ${expected} ]; then 187 nsuccess=$((nsuccess+1)) 188 printf "\n TEST: %-60s [ OK ]\n" "${msg}" 189 else 190 ret=1 191 nfail=$((nfail+1)) 192 printf "\n TEST: %-60s [FAIL]\n" "${msg}" 193 if [ "${PAUSE_ON_FAIL}" = "yes" ]; then 194 echo 195 echo "hit enter to continue, 'q' to quit" 196 read a 197 [ "$a" = "q" ] && exit 1 198 fi 199 fi 200} 201 202print_log_test_results() 203{ 204 if [ "$TESTS" != "none" ]; then 205 printf "\nTests passed: %3d\n" ${nsuccess} 206 printf "Tests failed: %3d\n" ${nfail} 207 fi 208} 209 210log_section() 211{ 212 echo 213 echo "################################################################################" 214 echo "TEST SECTION: $*" 215 echo "################################################################################" 216} 217 218cleanup() 219{ 220 ip link del veth-rt-1 2>/dev/null || true 221 ip link del veth-rt-2 2>/dev/null || true 222 223 # destroy routers rt-* and hosts hs-* 224 for ns in $(ip netns show | grep -E 'rt-*|hs-*'); do 225 ip netns del ${ns} || true 226 done 227} 228 229# Setup the basic networking for the routers 230setup_rt_networking() 231{ 232 local rt=$1 233 local nsname=rt-${rt} 234 235 ip netns add ${nsname} 236 ip link set veth-rt-${rt} netns ${nsname} 237 ip -netns ${nsname} link set veth-rt-${rt} name veth0 238 239 ip netns exec ${nsname} sysctl -wq net.ipv6.conf.all.accept_dad=0 240 ip netns exec ${nsname} sysctl -wq net.ipv6.conf.default.accept_dad=0 241 242 ip -netns ${nsname} addr add ${IPv6_RT_NETWORK}::${rt}/64 dev veth0 nodad 243 ip -netns ${nsname} link set veth0 up 244 ip -netns ${nsname} link set lo up 245 246 ip netns exec ${nsname} sysctl -wq net.ipv6.conf.all.forwarding=1 247} 248 249setup_hs() 250{ 251 local hs=$1 252 local rt=$2 253 local tid=$3 254 local hsname=hs-t${tid}-${hs} 255 local rtname=rt-${rt} 256 local rtveth=veth-t${tid} 257 258 # set the networking for the host 259 ip netns add ${hsname} 260 261 ip netns exec ${hsname} sysctl -wq net.ipv6.conf.all.accept_dad=0 262 ip netns exec ${hsname} sysctl -wq net.ipv6.conf.default.accept_dad=0 263 264 ip -netns ${hsname} link add veth0 type veth peer name ${rtveth} 265 ip -netns ${hsname} link set ${rtveth} netns ${rtname} 266 ip -netns ${hsname} addr add ${IPv6_HS_NETWORK}::${hs}/64 dev veth0 nodad 267 ip -netns ${hsname} link set veth0 up 268 ip -netns ${hsname} link set lo up 269 270 # configure the VRF for the tenant X on the router which is directly 271 # connected to the source host. 272 ip -netns ${rtname} link add vrf-${tid} type vrf table ${tid} 273 ip -netns ${rtname} link set vrf-${tid} up 274 275 ip netns exec ${rtname} sysctl -wq net.ipv6.conf.all.accept_dad=0 276 ip netns exec ${rtname} sysctl -wq net.ipv6.conf.default.accept_dad=0 277 278 # enslave the veth-tX interface to the vrf-X in the access router 279 ip -netns ${rtname} link set ${rtveth} master vrf-${tid} 280 ip -netns ${rtname} addr add ${IPv6_HS_NETWORK}::254/64 dev ${rtveth} nodad 281 ip -netns ${rtname} link set ${rtveth} up 282 283 ip netns exec ${rtname} sysctl -wq net.ipv6.conf.${rtveth}.proxy_ndp=1 284 285 ip netns exec ${rtname} sh -c "echo 1 > /proc/sys/net/vrf/strict_mode" 286} 287 288setup_vpn_config() 289{ 290 local hssrc=$1 291 local rtsrc=$2 292 local hsdst=$3 293 local rtdst=$4 294 local tid=$5 295 296 local hssrc_name=hs-t${tid}-${hssrc} 297 local hsdst_name=hs-t${tid}-${hsdst} 298 local rtsrc_name=rt-${rtsrc} 299 local rtdst_name=rt-${rtdst} 300 local rtveth=veth-t${tid} 301 local vpn_sid=${VPN_LOCATOR_SERVICE}:${hssrc}${hsdst}:${tid}::6006 302 303 ip -netns ${rtsrc_name} -6 neigh add proxy ${IPv6_HS_NETWORK}::${hsdst} dev ${rtveth} 304 305 # set the encap route for encapsulating packets which arrive from the 306 # host hssrc and destined to the access router rtsrc. 307 ip -netns ${rtsrc_name} -6 route add ${IPv6_HS_NETWORK}::${hsdst}/128 vrf vrf-${tid} \ 308 encap seg6 mode encap segs ${vpn_sid} dev veth0 309 ip -netns ${rtsrc_name} -6 route add ${vpn_sid}/128 vrf vrf-${tid} \ 310 via fd00::${rtdst} dev veth0 311 312 # set the decap route for decapsulating packets which arrive from 313 # the rtdst router and destined to the hsdst host. 314 ip -netns ${rtdst_name} -6 route add ${vpn_sid}/128 table ${LOCALSID_TABLE_ID} \ 315 encap seg6local action End.DT6 vrftable ${tid} dev vrf-${tid} 316 317 # all sids for VPNs start with a common locator which is fc00::/16. 318 # Routes for handling the SRv6 End.DT6 behavior instances are grouped 319 # together in the 'localsid' table. 320 # 321 # NOTE: added only once 322 if [ -z "$(ip -netns ${rtdst_name} -6 rule show | \ 323 grep "to ${VPN_LOCATOR_SERVICE}::/16 lookup ${LOCALSID_TABLE_ID}")" ]; then 324 ip -netns ${rtdst_name} -6 rule add \ 325 to ${VPN_LOCATOR_SERVICE}::/16 \ 326 lookup ${LOCALSID_TABLE_ID} prio 999 327 fi 328} 329 330setup() 331{ 332 ip link add veth-rt-1 type veth peer name veth-rt-2 333 # setup the networking for router rt-1 and router rt-2 334 setup_rt_networking 1 335 setup_rt_networking 2 336 337 # setup two hosts for the tenant 100. 338 # - host hs-1 is directly connected to the router rt-1; 339 # - host hs-2 is directly connected to the router rt-2. 340 setup_hs 1 1 100 #args: host router tenant 341 setup_hs 2 2 100 342 343 # setup two hosts for the tenant 200 344 # - host hs-3 is directly connected to the router rt-1; 345 # - host hs-4 is directly connected to the router rt-2. 346 setup_hs 3 1 200 347 setup_hs 4 2 200 348 349 # setup the IPv6 L3 VPN which connects the host hs-t100-1 and host 350 # hs-t100-2 within the same tenant 100. 351 setup_vpn_config 1 1 2 2 100 #args: src_host src_router dst_host dst_router tenant 352 setup_vpn_config 2 2 1 1 100 353 354 # setup the IPv6 L3 VPN which connects the host hs-t200-3 and host 355 # hs-t200-4 within the same tenant 200. 356 setup_vpn_config 3 1 4 2 200 357 setup_vpn_config 4 2 3 1 200 358} 359 360check_rt_connectivity() 361{ 362 local rtsrc=$1 363 local rtdst=$2 364 365 ip netns exec rt-${rtsrc} ping -c 1 -W 1 ${IPv6_RT_NETWORK}::${rtdst} \ 366 >/dev/null 2>&1 367} 368 369check_and_log_rt_connectivity() 370{ 371 local rtsrc=$1 372 local rtdst=$2 373 374 check_rt_connectivity ${rtsrc} ${rtdst} 375 log_test $? 0 "Routers connectivity: rt-${rtsrc} -> rt-${rtdst}" 376} 377 378check_hs_connectivity() 379{ 380 local hssrc=$1 381 local hsdst=$2 382 local tid=$3 383 384 ip netns exec hs-t${tid}-${hssrc} ping -c 1 -W ${PING_TIMEOUT_SEC} \ 385 ${IPv6_HS_NETWORK}::${hsdst} >/dev/null 2>&1 386} 387 388check_and_log_hs_connectivity() 389{ 390 local hssrc=$1 391 local hsdst=$2 392 local tid=$3 393 394 check_hs_connectivity ${hssrc} ${hsdst} ${tid} 395 log_test $? 0 "Hosts connectivity: hs-t${tid}-${hssrc} -> hs-t${tid}-${hsdst} (tenant ${tid})" 396} 397 398check_and_log_hs_isolation() 399{ 400 local hssrc=$1 401 local tidsrc=$2 402 local hsdst=$3 403 local tiddst=$4 404 405 check_hs_connectivity ${hssrc} ${hsdst} ${tidsrc} 406 # NOTE: ping should fail 407 log_test $? 1 "Hosts isolation: hs-t${tidsrc}-${hssrc} -X-> hs-t${tiddst}-${hsdst}" 408} 409 410 411check_and_log_hs2gw_connectivity() 412{ 413 local hssrc=$1 414 local tid=$2 415 416 check_hs_connectivity ${hssrc} 254 ${tid} 417 log_test $? 0 "Hosts connectivity: hs-t${tid}-${hssrc} -> gw (tenant ${tid})" 418} 419 420router_tests() 421{ 422 log_section "IPv6 routers connectivity test" 423 424 check_and_log_rt_connectivity 1 2 425 check_and_log_rt_connectivity 2 1 426} 427 428host2gateway_tests() 429{ 430 log_section "IPv6 connectivity test among hosts and gateway" 431 432 check_and_log_hs2gw_connectivity 1 100 433 check_and_log_hs2gw_connectivity 2 100 434 435 check_and_log_hs2gw_connectivity 3 200 436 check_and_log_hs2gw_connectivity 4 200 437} 438 439host_vpn_tests() 440{ 441 log_section "SRv6 VPN connectivity test among hosts in the same tenant" 442 443 check_and_log_hs_connectivity 1 2 100 444 check_and_log_hs_connectivity 2 1 100 445 446 check_and_log_hs_connectivity 3 4 200 447 check_and_log_hs_connectivity 4 3 200 448} 449 450host_vpn_isolation_tests() 451{ 452 local i 453 local j 454 local k 455 local tmp 456 local l1="1 2" 457 local l2="3 4" 458 local t1=100 459 local t2=200 460 461 log_section "SRv6 VPN isolation test among hosts in different tentants" 462 463 for k in 0 1; do 464 for i in ${l1}; do 465 for j in ${l2}; do 466 check_and_log_hs_isolation ${i} ${t1} ${j} ${t2} 467 done 468 done 469 470 # let us test the reverse path 471 tmp="${l1}"; l1="${l2}"; l2="${tmp}" 472 tmp=${t1}; t1=${t2}; t2=${tmp} 473 done 474} 475 476if [ "$(id -u)" -ne 0 ];then 477 echo "SKIP: Need root privileges" 478 exit $ksft_skip 479fi 480 481if [ ! -x "$(command -v ip)" ]; then 482 echo "SKIP: Could not run test without ip tool" 483 exit $ksft_skip 484fi 485 486modprobe vrf &>/dev/null 487if [ ! -e /proc/sys/net/vrf/strict_mode ]; then 488 echo "SKIP: vrf sysctl does not exist" 489 exit $ksft_skip 490fi 491 492cleanup &>/dev/null 493 494setup 495 496router_tests 497host2gateway_tests 498host_vpn_tests 499host_vpn_isolation_tests 500 501print_log_test_results 502 503cleanup &>/dev/null 504 505exit ${ret}