

      1#!/bin/bash
      2# SPDX-License-Identifier: GPL-2.0
      3#
      4# author: Andrea Mayer <andrea.mayer@uniroma2.it>
      5# author: Paolo Lungaroni <paolo.lungaroni@cnit.it>
      6
      7# This test is designed for evaluating the new SRv6 End.DT6 behavior used for
      8# implementing IPv6 L3 VPN use cases.
      9#
     10# Hereafter a network diagram is shown, where two different tenants (named 100
     11# and 200) offer IPv6 L3 VPN services allowing hosts to communicate with each
     12# other across an IPv6 network.
     13#
     14# Only hosts belonging to the same tenant (and to the same VPN) can communicate
     15# with each other. Instead, the communication among hosts of different tenants
     16# is forbidden.
     17# In other words, hosts hs-t100-1 and hs-t100-2 are connected through the IPv6
     18# L3 VPN of tenant 100 while hs-t200-3 and hs-t200-4 are connected using the
     19# IPv6 L3 VPN of tenant 200. Cross connection between tenant 100 and tenant 200
     20# is forbidden and thus, for example, hs-t100-1 cannot reach hs-t200-3 and vice
     21# versa.
     22#
     23# Routers rt-1 and rt-2 implement IPv6 L3 VPN services leveraging the SRv6
     24# architecture. The key components for such VPNs are: a) SRv6 Encap behavior,
     25# b) SRv6 End.DT6 behavior and c) VRF.
     26#
     27# To explain how an IPv6 L3 VPN based on SRv6 works, let us briefly consider an
     28# example where, within the same domain of tenant 100, the host hs-t100-1 pings
     29# the host hs-t100-2.
     30#
     31# First of all, L2 reachability of the host hs-t100-2 is taken into account by
     32# the router rt-1 which acts as an NDP proxy.
     33#
     34# When the host hs-t100-1 sends an IPv6 packet destined to hs-t100-2, the
     35# router rt-1 receives the packet on the internal veth-t100 interface. Such
     36# interface is enslaved to the VRF vrf-100 whose associated table contains the
     37# SRv6 Encap route for encapsulating any IPv6 packet in an IPv6 plus the Segment
     38# Routing Header (SRH) packet. This packet is sent through the (IPv6) core
     39# network up to the router rt-2 that receives it on veth0 interface.
     40#
     41# The rt-2 router uses the 'localsid' routing table to process incoming
     42# IPv6+SRH packets which belong to the VPN of the tenant 100. For each of these
     43# packets, the SRv6 End.DT6 behavior removes the outer IPv6+SRH headers and
     44# performs the lookup on the vrf-100 table using the destination address of
     45# the decapsulated IPv6 packet. Afterwards, the packet is sent to the host
     46# hs-t100-2 through the veth-t100 interface.
     47#
     48# The ping response follows the same processing but this time the roles of rt-1
     49# and rt-2 are swapped.
     50#
     51# Of course, the IPv6 L3 VPN for tenant 200 works exactly as the IPv6 L3 VPN
     52# for tenant 100. In this case, only hosts hs-t200-3 and hs-t200-4 are able to
     53# connect with each other.
     54#
     55#
     56# +-------------------+                                   +-------------------+
     57# |                   |                                   |                   |
     58# |  hs-t100-1 netns  |                                   |  hs-t100-2 netns  |
     59# |                   |                                   |                   |
     60# |  +-------------+  |                                   |  +-------------+  |
     61# |  |    veth0    |  |                                   |  |    veth0    |  |
     62# |  |  cafe::1/64 |  |                                   |  |  cafe::2/64 |  |
     63# |  +-------------+  |                                   |  +-------------+  |
     64# |        .          |                                   |         .         |
     65# +-------------------+                                   +-------------------+
     66#          .                                                        .
     67#          .                                                        .
     68#          .                                                        .
     69# +-----------------------------------+   +-----------------------------------+
     70# |        .                          |   |                         .         |
     71# | +---------------+                 |   |                 +---------------- |
     72# | |   veth-t100   |                 |   |                 |   veth-t100   | |
     73# | |  cafe::254/64 |    +----------+ |   | +----------+    |  cafe::254/64 | |
     74# | +-------+-------+    | localsid | |   | | localsid |    +-------+-------- |
     75# |         |            |   table  | |   | |   table  |            |         |
     76# |    +----+----+       +----------+ |   | +----------+       +----+----+    |
     77# |    | vrf-100 |                    |   |                    | vrf-100 |    |
     78# |    +---------+     +------------+ |   | +------------+     +---------+    |
     79# |                    |   veth0    | |   | |   veth0    |                    |
     80# |                    | fd00::1/64 |.|...|.| fd00::2/64 |                    |
     81# |    +---------+     +------------+ |   | +------------+     +---------+    |
     82# |    | vrf-200 |                    |   |                    | vrf-200 |    |
     83# |    +----+----+                    |   |                    +----+----+    |
     84# |         |                         |   |                         |         |
     85# | +-------+-------+                 |   |                 +-------+-------- |
     86# | |   veth-t200   |                 |   |                 |   veth-t200   | |
     87# | |  cafe::254/64 |                 |   |                 |  cafe::254/64 | |
     88# | +---------------+      rt-1 netns |   | rt-2 netns      +---------------- |
     89# |        .                          |   |                          .        |
     90# +-----------------------------------+   +-----------------------------------+
     91#          .                                                         .
     92#          .                                                         .
     93#          .                                                         .
     94#          .                                                         .
     95# +-------------------+                                   +-------------------+
     96# |        .          |                                   |          .        |
     97# |  +-------------+  |                                   |  +-------------+  |
     98# |  |    veth0    |  |                                   |  |    veth0    |  |
     99# |  |  cafe::3/64 |  |                                   |  |  cafe::4/64 |  |
    100# |  +-------------+  |                                   |  +-------------+  |
    101# |                   |                                   |                   |
    102# |  hs-t200-3 netns  |                                   |  hs-t200-4 netns  |
    103# |                   |                                   |                   |
    104# +-------------------+                                   +-------------------+
    105#
    106#
    107# ~~~~~~~~~~~~~~~~~~~~~~~~~
    108# | Network configuration |
    109# ~~~~~~~~~~~~~~~~~~~~~~~~~
    110#
    111# rt-1: localsid table (table 90)
    112# +-------------------------------------------------+
    113# |SID              |Action                         |
    114# +-------------------------------------------------+
    115# |fc00:21:100::6006|apply SRv6 End.DT6 vrftable 100|
    116# +-------------------------------------------------+
    117# |fc00:21:200::6006|apply SRv6 End.DT6 vrftable 200|
    118# +-------------------------------------------------+
    119#
    120# rt-1: VRF tenant 100 (table 100)
    121# +---------------------------------------------------+
    122# |host       |Action                                 |
    123# +---------------------------------------------------+
    124# |cafe::2    |apply seg6 encap segs fc00:12:100::6006|
    125# +---------------------------------------------------+
    126# |cafe::/64  |forward to dev veth_t100               |
    127# +---------------------------------------------------+
    128#
    129# rt-1: VRF tenant 200 (table 200)
    130# +---------------------------------------------------+
    131# |host       |Action                                 |
    132# +---------------------------------------------------+
    133# |cafe::4    |apply seg6 encap segs fc00:12:200::6006|
    134# +---------------------------------------------------+
    135# |cafe::/64  |forward to dev veth_t200               |
    136# +---------------------------------------------------+
    137#
    138#
    139# rt-2: localsid table (table 90)
    140# +-------------------------------------------------+
    141# |SID              |Action                         |
    142# +-------------------------------------------------+
    143# |fc00:12:100::6006|apply SRv6 End.DT6 vrftable 100|
    144# +-------------------------------------------------+
    145# |fc00:12:200::6006|apply SRv6 End.DT6 vrftable 200|
    146# +-------------------------------------------------+
    147#
    148# rt-2: VRF tenant 100 (table 100)
    149# +---------------------------------------------------+
    150# |host       |Action                                 |
    151# +---------------------------------------------------+
    152# |cafe::1    |apply seg6 encap segs fc00:21:100::6006|
    153# +---------------------------------------------------+
    154# |cafe::/64  |forward to dev veth_t100               |
    155# +---------------------------------------------------+
    156#
    157# rt-2: VRF tenant 200 (table 200)
    158# +---------------------------------------------------+
    159# |host       |Action                                 |
    160# +---------------------------------------------------+
    161# |cafe::3    |apply seg6 encap segs fc00:21:200::6006|
    162# +---------------------------------------------------+
    163# |cafe::/64  |forward to dev veth_t200               |
    164# +---------------------------------------------------+
    165#
    166
    167# Kselftest framework requirement - SKIP code is 4.
    168ksft_skip=4
    169
    170readonly LOCALSID_TABLE_ID=90
    171readonly IPv6_RT_NETWORK=fd00
    172readonly IPv6_HS_NETWORK=cafe
    173readonly VPN_LOCATOR_SERVICE=fc00
    174PING_TIMEOUT_SEC=4
    175
    176ret=0
    177
    178PAUSE_ON_FAIL=${PAUSE_ON_FAIL:=no}
    179
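# Record one test result and print its "[ OK ]" / "[FAIL]" line.
#   $1 - status actually returned by the check
#   $2 - status the test expects
#   $3 - description printed in the result line
# Updates the global counters nsuccess/nfail and sets ret=1 on failure.
# When PAUSE_ON_FAIL is "yes" a failing test waits for the user, who may
# answer 'q' to abort the whole script.
log_test()
{
	local rc=$1
	local expected=$2
	local msg="$3"
	local answer

	if [ "${rc}" -eq "${expected}" ]; then
		nsuccess=$((nsuccess+1))
		printf "\n    TEST: %-60s  [ OK ]\n" "${msg}"
	else
		ret=1
		nfail=$((nfail+1))
		printf "\n    TEST: %-60s  [FAIL]\n" "${msg}"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue, 'q' to quit"
			# -r keeps a backslash typed by the user literal
			read -r answer
			[ "${answer}" = "q" ] && exit 1
		fi
	fi
}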
    201
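# Print the pass/fail summary. Skipped when the TESTS variable is set to
# "none" (this script itself never sets TESTS).
print_log_test_results()
{
	if [ "${TESTS}" != "none" ]; then
		# quoted and defaulted to 0 so printf always receives a number
		printf "\nTests passed: %3d\n" "${nsuccess:-0}"
		printf "Tests failed: %3d\n"   "${nfail:-0}"
	fi
}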
    209
# Print a banner introducing a group of tests; all arguments form the title.
log_section()
{
	local bar="################################################################################"

	printf '\n%s\nTEST SECTION: %s\n%s\n' "${bar}" "$*" "${bar}"
}
    217
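# Remove the core veth pair and every namespace created by this script.
# Errors are ignored so it can run before setup (stale leftovers) and on
# any exit path.
cleanup()
{
	local ns

	ip link del veth-rt-1 2>/dev/null || true
	ip link del veth-rt-2 2>/dev/null || true

	# destroy routers rt-* and hosts hs-*.
	# The pattern is anchored on "rt-"/"hs-" so that namespaces that merely
	# contain "rt" or "hs" somewhere in their name are left alone; only the
	# first field is used because 'ip netns show' may append an "(id: N)"
	# suffix after the name.
	while IFS= read -r ns; do
		[ -n "${ns}" ] || continue
		ip netns del "${ns}" || true
	done < <(ip netns show | awk '/^(rt|hs)-/ { print $1 }')
}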
    228
# Setup the basic networking for router rt-<N>: create its namespace, move
# veth-rt-<N> into it as veth0 with fd00::<N>/64, disable DAD and enable
# IPv6 forwarding.
#   $1 - router number (1 or 2)
setup_rt_networking()
{
	local rt=$1
	local nsname="rt-${rt}"
	local in_ns=(ip -netns "${nsname}")
	local ns_sysctl=(ip netns exec "${nsname}" sysctl -wq)

	ip netns add "${nsname}"
	ip link set "veth-rt-${rt}" netns "${nsname}"
	"${in_ns[@]}" link set "veth-rt-${rt}" name veth0

	# duplicate address detection off in this namespace
	"${ns_sysctl[@]}" net.ipv6.conf.all.accept_dad=0
	"${ns_sysctl[@]}" net.ipv6.conf.default.accept_dad=0

	"${in_ns[@]}" addr add "${IPv6_RT_NETWORK}::${rt}/64" dev veth0 nodad
	"${in_ns[@]}" link set veth0 up
	"${in_ns[@]}" link set lo up

	"${ns_sysctl[@]}" net.ipv6.conf.all.forwarding=1
}
    248
# Create host hs-t<tid>-<hs>, connect it with a veth pair to router rt-<rt>
# and enslave the router side (veth-t<tid>) to the tenant VRF vrf-<tid>.
#   $1 - host number, $2 - router number, $3 - tenant id
setup_hs()
{
	local hs=$1
	local rt=$2
	local tid=$3
	local hsname="hs-t${tid}-${hs}"
	local rtname="rt-${rt}"
	local rtveth="veth-t${tid}"
	local vrf="vrf-${tid}"

	# host side: namespace, DAD off, veth0 with cafe::<hs>/64
	ip netns add "${hsname}"

	ip netns exec "${hsname}" sysctl -wq net.ipv6.conf.all.accept_dad=0
	ip netns exec "${hsname}" sysctl -wq net.ipv6.conf.default.accept_dad=0

	ip -netns "${hsname}" link add veth0 type veth peer name "${rtveth}"
	ip -netns "${hsname}" link set "${rtveth}" netns "${rtname}"
	ip -netns "${hsname}" addr add "${IPv6_HS_NETWORK}::${hs}/64" dev veth0 nodad
	ip -netns "${hsname}" link set veth0 up
	ip -netns "${hsname}" link set lo up

	# router side: the tenant VRF (its routing table id equals the tenant
	# id) on the access router the host is attached to
	ip -netns "${rtname}" link add "${vrf}" type vrf table "${tid}"
	ip -netns "${rtname}" link set "${vrf}" up

	ip netns exec "${rtname}" sysctl -wq net.ipv6.conf.all.accept_dad=0
	ip netns exec "${rtname}" sysctl -wq net.ipv6.conf.default.accept_dad=0

	# enslave veth-t<tid> to vrf-<tid> and give it the gateway address
	ip -netns "${rtname}" link set "${rtveth}" master "${vrf}"
	ip -netns "${rtname}" addr add "${IPv6_HS_NETWORK}::254/64" dev "${rtveth}" nodad
	ip -netns "${rtname}" link set "${rtveth}" up

	# the router acts as NDP proxy on the tenant interface
	ip netns exec "${rtname}" sysctl -wq "net.ipv6.conf.${rtveth}.proxy_ndp=1"

	ip netns exec "${rtname}" sh -c "echo 1 > /proc/sys/net/vrf/strict_mode"
}
    287
    288setup_vpn_config()
    289{
    290	local hssrc=$1
    291	local rtsrc=$2
    292	local hsdst=$3
    293	local rtdst=$4
    294	local tid=$5
    295
    296	local hssrc_name=hs-t${tid}-${hssrc}
    297	local hsdst_name=hs-t${tid}-${hsdst}
    298	local rtsrc_name=rt-${rtsrc}
    299	local rtdst_name=rt-${rtdst}
    300	local rtveth=veth-t${tid}
    301	local vpn_sid=${VPN_LOCATOR_SERVICE}:${hssrc}${hsdst}:${tid}::6006
    302
    303	ip -netns ${rtsrc_name} -6 neigh add proxy ${IPv6_HS_NETWORK}::${hsdst} dev ${rtveth}
    304
    305	# set the encap route for encapsulating packets which arrive from the
    306	# host hssrc and destined to the access router rtsrc.
    307	ip -netns ${rtsrc_name} -6 route add ${IPv6_HS_NETWORK}::${hsdst}/128 vrf vrf-${tid} \
    308		encap seg6 mode encap segs ${vpn_sid} dev veth0
    309	ip -netns ${rtsrc_name} -6 route add ${vpn_sid}/128 vrf vrf-${tid} \
    310		via fd00::${rtdst} dev veth0
    311
    312	# set the decap route for decapsulating packets which arrive from
    313	# the rtdst router and destined to the hsdst host.
    314	ip -netns ${rtdst_name} -6 route add ${vpn_sid}/128 table ${LOCALSID_TABLE_ID} \
    315		encap seg6local action End.DT6 vrftable ${tid} dev vrf-${tid}
    316
    317	# all sids for VPNs start with a common locator which is fc00::/16.
    318	# Routes for handling the SRv6 End.DT6 behavior instances are grouped
    319	# together in the 'localsid' table.
    320	#
    321	# NOTE: added only once
    322	if [ -z "$(ip -netns ${rtdst_name} -6 rule show | \
    323	    grep "to ${VPN_LOCATOR_SERVICE}::/16 lookup ${LOCALSID_TABLE_ID}")" ]; then
    324		ip -netns ${rtdst_name} -6 rule add \
    325			to ${VPN_LOCATOR_SERVICE}::/16 \
    326			lookup ${LOCALSID_TABLE_ID} prio 999
    327	fi
    328}
    329
# Build the whole topology: the core veth pair, routers rt-1/rt-2, the four
# tenant hosts and both directions of each tenant's SRv6 VPN.
setup()
{
	ip link add veth-rt-1 type veth peer name veth-rt-2
	# the two routers each get one end of the veth pair created above
	setup_rt_networking 1
	setup_rt_networking 2

	# tenant 100: hs-1 behind rt-1, hs-2 behind rt-2
	# tenant 200: hs-3 behind rt-1, hs-4 behind rt-2
	#        host router tenant
	setup_hs 1 1 100
	setup_hs 2 2 100
	setup_hs 3 1 200
	setup_hs 4 2 200

	# one VPN per tenant, configured in both directions
	#                src_host src_router dst_host dst_router tenant
	setup_vpn_config 1 1 2 2 100
	setup_vpn_config 2 2 1 1 100
	setup_vpn_config 3 1 4 2 200
	setup_vpn_config 4 2 3 1 200
}
    359
# Ping router rt-<rtdst> (fd00::<rtdst>) once from router rt-<rtsrc>.
# Returns ping's exit status; all output is discarded.
check_rt_connectivity()
{
	local rtsrc=$1
	local rtdst=$2
	local target="${IPv6_RT_NETWORK}::${rtdst}"

	ip netns exec "rt-${rtsrc}" ping -c 1 -W 1 "${target}" >/dev/null 2>&1
}
    368
# Run the router-to-router ping and log it as a test expecting success.
check_and_log_rt_connectivity()
{
	local rtsrc=$1
	local rtdst=$2
	local rc=0

	check_rt_connectivity "${rtsrc}" "${rtdst}" || rc=$?
	log_test "${rc}" 0 "Routers connectivity: rt-${rtsrc} -> rt-${rtdst}"
}
    377
# Ping cafe::<hsdst> once from host hs-t<tid>-<hssrc>, waiting up to
# PING_TIMEOUT_SEC seconds. Returns ping's exit status; output is discarded.
check_hs_connectivity()
{
	local hssrc=$1
	local hsdst=$2
	local tid=$3
	local srcns="hs-t${tid}-${hssrc}"
	local target="${IPv6_HS_NETWORK}::${hsdst}"

	ip netns exec "${srcns}" ping -c 1 -W "${PING_TIMEOUT_SEC}" \
		"${target}" >/dev/null 2>&1
}
    387
# Run the host-to-host ping inside tenant tid and log it expecting success.
check_and_log_hs_connectivity()
{
	local hssrc=$1
	local hsdst=$2
	local tid=$3
	local rc=0
	local desc="Hosts connectivity: hs-t${tid}-${hssrc} -> hs-t${tid}-${hsdst} (tenant ${tid})"

	check_hs_connectivity "${hssrc}" "${hsdst}" "${tid}" || rc=$?
	log_test "${rc}" 0 "${desc}"
}
    397
# Log an isolation test: a ping from hs-t<tidsrc>-<hssrc> to the address of
# hs-t<tiddst>-<hsdst> must NOT get a reply. Only ping status 1 ("no reply")
# counts as isolation; any other status is logged as FAIL.
check_and_log_hs_isolation()
{
	local hssrc=$1
	local tidsrc=$2
	local hsdst=$3
	local tiddst=$4
	local rc=0
	local desc="Hosts isolation: hs-t${tidsrc}-${hssrc} -X-> hs-t${tiddst}-${hsdst}"

	# the ping is sent from the source tenant's host to cafe::<hsdst>;
	# tiddst only labels the peer in the log line
	check_hs_connectivity "${hssrc}" "${hsdst}" "${tidsrc}" || rc=$?
	log_test "${rc}" 1 "${desc}"
}
    409
    410
# Log the ping from hs-t<tid>-<hssrc> to its gateway, i.e. cafe::254 on the
# router's veth-t<tid> interface (assigned in setup_hs()).
check_and_log_hs2gw_connectivity()
{
	local hssrc=$1
	local tid=$2
	local rc=0

	check_hs_connectivity "${hssrc}" 254 "${tid}" || rc=$?
	log_test "${rc}" 0 "Hosts connectivity: hs-t${tid}-${hssrc} -> gw (tenant ${tid})"
}
    419
# Core-link connectivity between the two routers, in both directions.
router_tests()
{
	local pair

	log_section "IPv6 routers connectivity test"

	for pair in "1 2" "2 1"; do
		# shellcheck disable=SC2086 -- pair is "src dst", split on purpose
		check_and_log_rt_connectivity ${pair}
	done
}
    427
# Every host must reach the cafe::254 gateway of its own tenant.
host2gateway_tests()
{
	local hs

	log_section "IPv6 connectivity test among hosts and gateway"

	# hosts 1 and 2 belong to tenant 100, hosts 3 and 4 to tenant 200
	for hs in 1 2; do
		check_and_log_hs2gw_connectivity "${hs}" 100
	done
	for hs in 3 4; do
		check_and_log_hs2gw_connectivity "${hs}" 200
	done
}
    438
# Hosts of the same tenant must reach each other through the SRv6 VPN,
# in both directions.
host_vpn_tests()
{
	local triple

	log_section "SRv6 VPN connectivity test among hosts in the same tenant"

	# "src dst tenant"
	for triple in "1 2 100" "2 1 100" "3 4 200" "4 3 200"; do
		# shellcheck disable=SC2086 -- triple is split on purpose
		check_and_log_hs_connectivity ${triple}
	done
}
    449
# Hosts of tenant 100 must not reach hosts of tenant 200 and vice versa:
# every cross-tenant pair is pinged in both directions and must fail.
host_vpn_isolation_tests()
{
	local round src_tid src_hosts dst_tid dst_hosts src dst

	log_section "SRv6 VPN isolation test among hosts in different tentants"

	# each round is "src_tenant:src_hosts:dst_tenant:dst_hosts"; the second
	# round exercises the reverse path
	for round in "100:1 2:200:3 4" "200:3 4:100:1 2"; do
		IFS=: read -r src_tid src_hosts dst_tid dst_hosts <<<"${round}"
		# shellcheck disable=SC2086 -- host lists are split on purpose
		for src in ${src_hosts}; do
			for dst in ${dst_hosts}; do
				check_and_log_hs_isolation "${src}" "${src_tid}" "${dst}" "${dst_tid}"
			done
		done
	done
}
    475
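if [ "$(id -u)" -ne 0 ]; then
	echo "SKIP: Need root privileges"
	exit "${ksft_skip}"
fi

if [ ! -x "$(command -v ip)" ]; then
	echo "SKIP: Could not run test without ip tool"
	exit "${ksft_skip}"
fi

modprobe vrf &>/dev/null
if [ ! -e /proc/sys/net/vrf/strict_mode ]; then
	echo "SKIP: vrf sysctl does not exist"
	exit "${ksft_skip}"
fi

# remove leftovers of a previous (possibly interrupted) run
cleanup &>/dev/null

# tear the namespaces down on every exit path (a failing step in setup, an
# interrupt, or the 'q' answer in log_test), not only after a full run; the
# trap does not change the status passed to 'exit' below.
trap 'cleanup &>/dev/null' EXIT

setup

router_tests
host2gateway_tests
host_vpn_tests
host_vpn_isolation_tests

print_log_test_results

exit "${ret}"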