diff options
| -rw-r--r-- | kud/tests/vIPSec/README.md | 36 | ||||
| -rwxr-xr-x | kud/tests/vIPSec/ipsec | 163 | ||||
| -rwxr-xr-x | kud/tests/vIPSec/pktgen | 77 | ||||
| -rwxr-xr-x | kud/tests/vIPSec/remote_ipsec | 164 | ||||
| -rwxr-xr-x | kud/tests/vIPSec/sink | 48 |
5 files changed, 488 insertions, 0 deletions
diff --git a/kud/tests/vIPSec/README.md b/kud/tests/vIPSec/README.md new file mode 100644 index 00000000..3046db7a --- /dev/null +++ b/kud/tests/vIPSec/README.md @@ -0,0 +1,36 @@ +# vIPSec use case in ONAP +This use case is composed of four virtual functions (VFs) including two +IPSec gateways, a packet generator and a traffic sink, each running in +separate Ubuntu Virtual Machines: + + * [Packet generator][1]: Sends packets to the packet sink through the +tunnel constructed thru IPSec. This includes a script that installs the +packet generator based on packetgen[4]. + * [IPsec gateways][2]: Two IPSec gateways constructed the secure tunnel +for traffic transportation. This includes a script to install and configure +the IPSec gateways thru VPP. + * [Traffic sink][3]: Displays the traffic volume that lands at the sink +VM using the link http://192.168.80.250:667 through your browser +and enable automatic page refresh by clicking the "Off" button. You +can see the traffic volume in the charts. + +This set of scripts aims to construct the vIPSec use case in order to set +up a secure tunnel between peers and improve its performance along with +hardware acceleration technologies such as SRIOV and QAT. + +User can apply the helm chart named 'vipsec' inside the k8s/kud/demo folder +to set up the whole use case. A fully-functional Kubernetes cluster, Virtlet +as well as ovn4nfv-k8s[5] plugin need to be pre-installed for the usage. +*[Place needs improvements] After having the virtual machines ready, please +manually change the MAC address inside the ipsec.conf to enable the routing. +And also start up the packetgen to send packet with src and dst defined in +the templates/values.yaml inside the helm chart. Detail instructions will be +put inside the helm chart. + +If you'd like to test the performance with QAT/SRIOV involved, first get +these hardwares pre-configured. Then change the value of 'qat_enabled' and +'sriov_enabled' inside templates/values.yaml of the helm chart accordingly. +User could observe variance in throughput inside the traffic sink. + +[4] https://pktgen-dpdk.readthedocs.io/en/latest/ +[5] https://github.com/opnfv/ovn4nfv-k8s-plugin diff --git a/kud/tests/vIPSec/ipsec b/kud/tests/vIPSec/ipsec new file mode 100755 index 00000000..4b278574 --- /dev/null +++ b/kud/tests/vIPSec/ipsec @@ -0,0 +1,163 @@ +#!/bin/bash +# COPYRIGHT NOTICE STARTS HERE +# +# Copyright 2019 Intel Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# COPYRIGHT NOTICE ENDS HERE + +# This script prepares the runtime environment +# for running vIPSec shell scripts on Ubuntu 18.04 + +set -o nounset +set -o pipefail +set -o xtrace +set -o errexit + +function setup_dependencies { + apt-get update + apt-get install -y curl gnupg2 pciutils make gcc libnuma-dev python git linux-headers-`uname -r` module-init-tools libssl-dev + echo "deb [trusted=yes] https://packagecloud.io/fdio/release/ubuntu bionic main" >> /etc/apt/sources.list.d/99fd.io.list + curl -L https://packagecloud.io/fdio/master/gpgkey | apt-key add - +} + +function install_vpp { + apt-get update + apt-get install -y vpp vpp-plugin-core vpp-plugin-dpdk +} + +function install_dpdk { + cd /opt + git clone http://dpdk.org/git/dpdk + cd /opt/dpdk + export RTE_TARGET=x86_64-native-linux-gcc/ && export DESTDIR=/opt/dpdk && export RTE_SDK=/opt/dpdk && make install T=x86_64-native-linux-gcc + modprobe uio + insmod x86_64-native-linux-gcc/kmod/igb_uio.ko +} + +function ipsec_settings { +# Create vpp configuration file + cat > /opt/config/vpp.config << EOF + unix { + exec /opt/config/ipsec.conf + nodaemon + cli-listen /run/vpp/cli.sock + log /tmp/vpp.log + } + + cpu { + main-core 0 + corelist-workers 1 + } + + dpdk { + socket-mem 512 + log-level debug + no-tx-checksum-offload + dev default{ + num-tx-desc 512 + num-rx-desc 512 + } + dev interfaceABus + { + workers 0 + } + dev interfaceBBus + { + workers 0 + } + vdev crypto_aesni_mb0 + + no-multi-seg + + #enable_cryptodev + + } +EOF + +# Check if sriov and qat are enabled, bind the pci devices with igb_uio driver + if [ "$sriov_enabled" = true ]; then + export interfaceABus=$(lspci -D -nn | grep -m1 '8086:154c' | cut -d ' ' -f 1) + export interfaceBBus=$(lspci -D -nn | grep -m2 '8086:154c' | cut -d ' ' -f 1 | tail -n1) + else + export interfaceABus=$(ls -la /sys/class/net | grep 'eth1' | cut -d '/' -f 5) + export interfaceBBus=$(ls -la /sys/class/net | grep 'eth3' | cut -d '/' -f 5) + fi + sed -i -e "s/interfaceABus/${interfaceABus}/g" -e "s/interfaceBBus/${interfaceBBus}/g" /opt/config/vpp.config + python /opt/dpdk/usertools/dpdk-devbind.py -b igb_uio $interfaceABus $interfaceBBus + export interfaceA=$(vppctl sh int | awk '$2 == "1"' | cut -d ' ' -f 1) + export interfaceB=$(vppctl sh int | awk '$2 == "2"' | cut -d ' ' -f 1) + + if [ "$qat_enabled" = true ]; then + export qatABus=$(lspci -D -nn | grep -m1 '8086:37c9' | cut -d ' ' -f 1) + export qatBBus=$(lspci -D -nn | grep -m2 '8086:37c9' | cut -d ' ' -f 1 | tail -n1) + python /opt/dpdk/usertools/dpdk-devbind.py -b igb_uio $qatABus $qatBBus + sed -i "/#enable_cryptodev/a\n dev $qatABus\n dev $qatBBus\n" /opt/config/vpp.config + sed -i "/vdev crypto_aesni_mb0/d" /opt/config/vpp.config + fi + +# Create the sample ipsec configuration file + cat > /opt/config/ipsec.conf << EOF + set interface state VirtualFunctionEthernet0/5/0 up + set interface state VirtualFunctionEthernet0/6/0 up + + set interface ip address VirtualFunctionEthernet0/5/0 input_interface_ip/24 + set interface ip address VirtualFunctionEthernet0/6/0 output_interface_ip/24 + + set int promiscuous on VirtualFunctionEthernet0/5/0 + set int promiscuous on VirtualFunctionEthernet0/6/0 + + set ip arp VirtualFunctionEthernet0/6/0 remote_tunnel_ip fa:16:3e:a6:e4:c7 + set ip arp VirtualFunctionEthernet0/5/0 input_interface_ip fa:16:3e:f1:65:dc + + ip route add count 1 packet_dst/32 via route_interface VirtualFunctionEthernet0/6/0 + + ipsec spd add 1 + set interface ipsec spd VirtualFunctionEthernet0/6/0 1 + ipsec sa add 1 spi 1921681003 esp tunnel-src output_interface_ip tunnel-dst remote_tunnel_ip crypto-key 2b7e151628aed2a6abf7158809cf4f3d crypto-alg aes-cbc-128 integ-key 6867666568676665686766656867666568676669 integ-alg sha1-96 + ipsec policy add spd 1 traffic_direction priority 100 action protect sa 1 local-ip-range packet_src-packet_src remote-ip-range packet_dst-packet_dst + ipsec policy add spd 1 traffic_direction priority 90 protocol 50 action bypass local-ip-range packet_src-255.255.255.255 remote-ip-range remote_tunnel_ip-remote_tunnel_ip +EOF + +# Replace all ip and interfaces inside the ipsec configuration file + sed -i -e "s/input_interface_ip/${input_interface_ip}/g" -e "s/output_interface_ip/${output_interface_ip}/g" -e "s/remote_tunnel_ip/${remote_tunnel_ip}/g" -e "s/route_interface/${route_interface}/g" -e "s#VirtualFunctionEthernet0/5/0#${interfaceA}#g" -e "s#VirtualFunctionEthernet0/6/0#${interfaceB}/g" -e "s/packet_src/${packet_src}/g" -e "s/packet_dst/${packet_dst}/g" -e "s/traffic_direction/${traffic_direction}/g" /opt/config/ipsec.conf + vpp -c /opt/config/vpp.config +} + + +mkdir /opt/config +echo "$demo_artifacts_version" > /opt/config/demo_artifacts_version.txt +echo "$dcae_collector_ip" > /opt/config/dcae_collector_ip.txt +echo "$dcae_collector_port" > /opt/config/dcae_collector_port.txt +echo "$ipsec_private_net_gw" > /opt/config/ipsec_private_net_gw_ip.txt +echo "$ipsec_private_net_cidr" > /opt/config/ipsec_private_net_cidr.txt +echo "$ipsec_private_network_name" > /opt/config/ipsec_private_network_name.txt +echo "$packet_src" > /opt/config/packet_source_ip.txt +echo "$packet_dst" > /opt/config/packet_destination_ip.txt +echo "$remote_tunnel_ip" > /opt/config/remote_tunnel.txt +echo "$route_interface" > /opt/config/route_interface.txt +echo "$traffic_direction" > /opt/config/traffic_direction.txt +echo "$vipsecA_private_ip_0" > /opt/config/vipsecA_private_ip0.txt +echo "$vipsecA_private_ip_2" > /opt/config/vipsecA_private_ip2.txt +echo "$protected_clientA_network_name" > /opt/config/protected_clientA_network_name.txt +echo "$protected_clientA_net_gw" > /opt/config/protected_clientA_net_gw.txt +echo "$protected_clientA_net_cidr" > /opt/config/protected_clientA_net_cidr.txt + +echo 'vm.nr_hugepages = 1024' >> /etc/sysctl.conf +sysctl -p + +setup_dependencies +install_vpp +install_dpdk +ipsec_settings diff --git a/kud/tests/vIPSec/pktgen b/kud/tests/vIPSec/pktgen new file mode 100755 index 00000000..14d7e6ca --- /dev/null +++ b/kud/tests/vIPSec/pktgen @@ -0,0 +1,77 @@ +#!/bin/bash + +# COPYRIGHT NOTICE STARTS HERE +# +# Copyright 2019 Intel Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# COPYRIGHT NOTICE ENDS HERE + +# This script prepares the runtime environment +# for running vIPSec shell scripts on Ubuntu18.04 + +set -o nounset +set -o pipefail +set -o xtrace +set -o errexit + + +DPDK_DIR=$PWD/dpdk +Pktgen_Dir=$PWD/pktgen-dpdk + +function setup_dependencies { + sudo apt-get update + git clone http://dpdk.org/git/dpdk + git clone http://dpdk.org/git/apps/pktgen-dpdk + KERNEL_VERSION=$(uname -r) + echo $KERNEL_VERSION + sudo apt-get install -y linux-headers-$KERNEL_VERSION libpcap-dev gcc make libnuma-dev liblua5.3-dev python +} + +function build_dpdk { + export RTE_SDK=$DPDK_DIR + export RTE_TARGET=x86_64-native-linux-gcc + export DESTDIR=$DPDK_DIR + cd $RTE_SDK + make install T=x86_64-native-linux-gcc + echo "DPDK install finished" + modprobe uio + insmod x86_64-native-linux-gcc/kmod/igb_uio.ko + export interface=$(lspci -nn | grep -m1 'Ethernet controller' | cut -d ' ' -f 1) + python ./usertools/dpdk-devbind.py -b igb_uio $interface +} + +function build_pktgen { + cd $Pktgen_Dir + export RTE_SDK=$DPDK_DIR + export RTE_TARGET=x86_64-native-linux-gcc + make +} + +mkdir /opt/config +echo "$demo_artifacts_version" > /opt/config/demo_artifacts_version.txt +echo "$vpg_private_ip_0" > /opt/config/vpg_private_ip0.txt +echo "$ipsec_a_private_ip_0" > /opt/config/ipsec_a_private_ip0.txt +echo "$protected_clientA_network_name" > /opt/config/protected_clientA_network_name.txt +echo "$dcae_collector_ip" > /opt/config/dcae_collector_ip.txt +echo "$dcae_collector_port" > /opt/config/dcae_collector_port.txt +echo "$protected_clientA_net_gw" > /opt/config/protected_clientA_net_gw.txt +echo "$protected_clientA_net_cidr" > /opt/config/protected_clientA_net_cidr.txt + +echo 'vm.nr_hugepages = 1024' >> /etc/sysctl.conf +sysctl -p + +setup_dependencies +build_dpdk +build_pktgen diff --git a/kud/tests/vIPSec/remote_ipsec b/kud/tests/vIPSec/remote_ipsec new file mode 100755 index 00000000..6a676c96 --- /dev/null +++ b/kud/tests/vIPSec/remote_ipsec @@ -0,0 +1,164 @@ +#!/bin/bash + +# COPYRIGHT NOTICE STARTS HERE +# +# Copyright 2019 Intel Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# COPYRIGHT NOTICE ENDS HERE + +# This script prepares the runtime environment +# for running vIPSec shell scripts on Ubuntu18.04 + +set -o nounset +set -o pipefail +set -o xtrace +set -o errexit + +function setup_dependencies { + apt-get update + apt-get install -y curl gnupg2 pciutils make gcc libnuma-dev python git linux-headers-`uname -r` module-init-tools libssl-dev + echo "deb [trusted=yes] https://packagecloud.io/fdio/release/ubuntu bionic main" >> /etc/apt/sources.list.d/99fd.io.list + curl -L https://packagecloud.io/fdio/master/gpgkey | apt-key add - +} + +function install_vpp { + apt-get update + apt-get install -y vpp vpp-plugin-core vpp-plugin-dpdk +} + +function install_dpdk { + cd /opt + git clone http://dpdk.org/git/dpdk + cd /opt/dpdk + export RTE_TARGET=x86_64-native-linux-gcc/ && export DESTDIR=/opt/dpdk && export RTE_SDK=/opt/dpdk && make install T=x86_64-native-linux-gcc + modprobe uio + insmod x86_64-native-linux-gcc/kmod/igb_uio.ko +} + +function ipsec_settings { +# Create vpp configuration file + cat > /opt/config/vpp.config << EOF + unix { + exec /opt/config/ipsec.conf + nodaemon + cli-listen /run/vpp/cli.sock + log /tmp/vpp.log + } + + cpu { + main-core 0 + corelist-workers 1 + } + + dpdk { + socket-mem 512 + log-level debug + no-tx-checksum-offload + dev default{ + num-tx-desc 512 + num-rx-desc 512 + } + dev interfaceABus + { + workers 0 + } + dev interfaceBBus + { + workers 0 + } + vdev crypto_aesni_mb0 + + no-multi-seg + + #enable_cryptodev + + } +EOF + +# Check if sriov and qat are enabled, bind the pci devices with igb_uio driver + if [ "$sriov_enabled" = true ]; then + export interfaceABus=$(lspci -D -nn | grep -m1 '8086:154c' | cut -d ' ' -f 1) + export interfaceBBus=$(lspci -D -nn | grep -m2 '8086:154c' | cut -d ' ' -f 1 | tail -n1) + else + export interfaceABus=$(ls -la /sys/class/net | grep 'eth1' | cut -d '/' -f 5) + export interfaceBBus=$(ls -la /sys/class/net | grep 'eth3' | cut -d '/' -f 5) + fi + sed -i -e "s/interfaceABus/${interfaceABus}/g" -e "s/interfaceBBus/${interfaceBBus}/g" /opt/config/vpp.config + python /opt/dpdk/usertools/dpdk-devbind.py -b igb_uio $interfaceABus $interfaceBBus + export interfaceA=$(vppctl sh int | awk '$2 == "1"' | cut -d ' ' -f 1) + export interfaceB=$(vppctl sh int | awk '$2 == "2"' | cut -d ' ' -f 1) + + if [ "$qat_enabled" = true ]; then + export qatABus=$(lspci -D -nn | grep -m1 '8086:37c9' | cut -d ' ' -f 1) + export qatBBus=$(lspci -D -nn | grep -m2 '8086:37c9' | cut -d ' ' -f 1 | tail -n1) + python /opt/dpdk/usertools/dpdk-devbind.py -b igb_uio $qatABus $qatBBus + sed -i "/#enable_cryptodev/a\n dev $qatABus\n dev $qatBBus\n" /opt/config/vpp.config + sed -i "/vdev crypto_aesni_mb0/d" /opt/config/vpp.config + fi + +# Create ipsec configuration file + cat > /opt/config/ipsec.conf << EOF + set interface state VirtualFunctionEthernet0/5/0 up + set interface state VirtualFunctionEthernet0/6/0 up + + set interface ip address VirtualFunctionEthernet0/5/0 input_interface_ip/24 + set interface ip address VirtualFunctionEthernet0/6/0 output_interface_ip/24 + + set int promiscuous on VirtualFunctionEthernet0/5/0 + set int promiscuous on VirtualFunctionEthernet0/6/0 + + set ip arp VirtualFunctionEthernet0/6/0 remote_tunnel_ip fa:16:3e:a6:e4:c7 + set ip arp VirtualFunctionEthernet0/5/0 routing_ip fa:16:3e:f1:65:dc + + ip route add count 1 packet_dst/32 via route_interface VirtualFunctionEthernet0/6/0 + + ipsec spd add 1 + set interface ipsec spd VirtualFunctionEthernet0/6/0 1 + ipsec sa add 1 spi 1921681004 esp tunnel-src local_tunnel_ip tunnel-dst remote_tunnel_ip crypto-key 2b7e151628aed2a6abf7158809cf4f3d crypto-alg aes-cbc-128 integ-key 6867666568676665686766656867666568676669 integ-alg sha1-96 + ipsec policy add spd 1 traffic_direction priority 100 action protect sa 1 local-ip-range packet_src-packet_src remote-ip-range packet_dst-packet_dst + ipsec policy add spd 1 traffic_direction priority 90 protocol 50 action bypass local-ip-range packet_src-255.255.255.255 remote-ip-range remote_tunnel_ip-remote_tunnel_ip +EOF + +# Replace the actual ip and interfaces into the ipsec configuration + sed -i -e "s/input_interface_ip/${input_interface_ip}/g" -e "s/output_interface_ip/${output_interface_ip}/g" -e "s/routing_ip/${vsn_private_ip_0}/g" -e "s#VirtualFunctionEthernet0/5/0#${interfaceA}#g" -e "s#VirtualFunctionEthernet0/6/0#${interfaceB}#g" -e "s/local_tunnel_ip/${local_tunnel_ip}/g" -e "s/remote_tunnel_ip/${remote_tunnel_ip}/g" -e "s/route_interface/${route_interface}/g" -e "s/packet_src/${packet_src}/g" -e "s/packet_dst/${packet_dst}/g" -e "s/traffic_direction/${traffic_direction}/g" /opt/config/ipsec.conf + vpp -c /opt/config/vpp.config +} + + +mkdir /opt/config +echo "$demo_artifacts_version" > /opt/config/demo_artifacts_version.txt +echo "$dcae_collector_ip" > /opt/config/dcae_collector_ip.txt +echo "$dcae_collector_port" > /opt/config/dcae_collector_port.txt +echo "$ipsec_private_net_gw" > /opt/config/ipsec_private_net_gw_ip.txt +echo "$ipsec_private_net_cidr" > /opt/config/ipsec_private_net_cidr.txt +echo "$ipsec_private_network_name" > /opt/config/ipsec_private_network_name.txt +echo "$packet_src" > /opt/config/packet_source_ip.txt +echo "$packet_dst" > /opt/config/packet_destination_ip.txt +echo "$remote_tunnel_ip" > /opt/config/remote_tunnel.txt +echo "$route_interface" > /opt/config/route_interface.txt +echo "$traffic_direction" > /opt/config/traffic_direction.txt +echo "$vipsecB_private_ip_0" > /opt/config/vipsecB_private_ip0.txt +echo "$vipsecB_private_ip_2" > /opt/config/vipsecB_private_ip2.txt +echo "$protected_clientB_network_name" > /opt/config/protected_clientB_network_name.txt +echo "$protected_clientB_net_gw" > /opt/config/protected_clientB_net_gw.txt +echo "$protected_clientB_net_cidr" > /opt/config/protected_clientB_net_cidr.txt + +echo 'vm.nr_hugepages = 1024' >> /etc/sysctl.conf +sysctl -p + +setup_dependencies +install_vpp +install_dpdk +ipsec_settings diff --git a/kud/tests/vIPSec/sink b/kud/tests/vIPSec/sink new file mode 100755 index 00000000..c180d43c --- /dev/null +++ b/kud/tests/vIPSec/sink @@ -0,0 +1,48 @@ +#!/bin/bash + +# COPYRIGHT NOTICE STARTS HERE +# +# Copyright 2019 Intel Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# COPYRIGHT NOTICE ENDS HERE + +# This script prepares the runtime environment +# for running vIPSec shell scripts on Ubuntu 18.04 + +set -o nounset +set -o pipefail +set -o xtrace +set -o errexit + +function setup_dependencies { + apt-get update + apt install -y wget darkstat net-tools unzip + + # Configure and run Darkstat + sed -i "s/START_DARKSTAT=.*/START_DARKSTAT=yes/g;s/INTERFACE=.*/INTERFACE=\"-i eth1\"/g" /etc/darkstat/init.cfg + + systemctl restart darkstat +} + +mkdir -p /opt/config/ +echo "$protected_net_cidr" > /opt/config/protected_net_cidr.txt +echo "$vfw_private_ip_0" > /opt/config/fw_ipaddr.txt +echo "$vsn_private_ip_0" > /opt/config/sink_ipaddr.txt +echo "$demo_artifacts_version" > /opt/config/demo_artifacts_version.txt +echo "$protected_net_gw" > /opt/config/protected_net_gw.txt +echo "$protected_private_net_cidr" > /opt/config/unprotected_net.txt + +setup_dependencies + |