IPSec flow and packet generator


Tejas Kasundra
Dec 9, 2017, 8:36:19 AM
to TRex Traffic Generator
Hi Experts,

I have one DUT which supports IPsec and I want to generate high throughput to test its performance.

As I am new to TRex, I do not have any idea whether this is currently supported or not.

The open questions in my mind are as below:

1. Can TRex perform IKEv2 negotiation on its own and generate a Security Association?

2. Is it possible to generate encrypted ESP traffic with specific ciphers, e.g. AES128-SHA2?

3. Is there any TRex documentation available for the same?

Thanks.

hanoh haim
Dec 9, 2017, 11:17:30 AM
to Tejas Kasundra, TRex Traffic Generator
Hi,
I'm more familiar with TLS.
Let me ask a question on IPsec. Let's say you build a valid IPsec packet.
Would sending the same packet at a high rate, or changing a field without running AES on the payload, be a valid option?

Thanks,
Hanoh


Tejas Kasundra
Dec 9, 2017, 10:54:19 PM
to hanoh haim, TRex Traffic Generator
No, I have to use a different cipher key for each source/destination IP to encrypt packets. These encryption keys will be derived from the IKEv2 security association. That way it will be useful.


hanoh haim
Dec 10, 2017, 2:09:50 AM
to Tejas Kasundra, TRex Traffic Generator

Hi, 

Let's say it is possible to do the IKEv2 security negotiation between each src/dst IP pair.

My question is about the IPSec traffic after this negotiation.

Could you generate encrypted packets *off-line* (using AES) and then replay them at a high rate without doing the encryption again (by just changing fields)?

In TLS it is not possible. 


thanks

Hanoh

Tejas Kasundra
Dec 10, 2017, 2:14:14 AM
to hanoh haim, TRex Traffic Generator
Hanoh, thanks for the prompt response.
Yes, we can replay the same packets again, but for sure we have to keep increasing the ESP sequence field in the packets.

Tejas Kasundra
Dec 10, 2017, 2:19:40 AM
to hanoh haim, TRex Traffic Generator
Just to add to my previous message: I need to generate high-rate stateless IPSec traffic. I do not care about the reply from the DUT, as I just want to check throughput processing in my device.

hanoh haim
Dec 10, 2017, 2:32:54 AM
to Tejas Kasundra, TRex Traffic Generator
Hi, 
In that case IPSec does not seem so secure, if by changing one field the DUT can accept that. :-)

Back to your question:

In that case you can do it with a bit of work. There are some examples in the code.

This is the high level of the solution:

1. You are using service mode to get all the packets back to Python

2. Using the scapy/openSSL Python binding you can do the IPsec negotiation for each pair of src/dst -- in the Wireless service plugin there is an example of how we did a DTLS stream using scapy/openSSL

3. After you have the keys, generate IPSec template packets (scapy/openSSL) for each pair and create a stream from it.

4. Create a stream Field Engine program to change the seq number (for all the streams)

5. Disable service mode

6. Start traffic @ high rate

 

It seems a bit complex, but after you read the stateless manual it becomes clearer.

 The Wireless plugin that we have as an example is more complex than this.


thanks
Hanoh
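As an added illustration (not code from the thread or from TRex), the following stdlib-only Python model tests the replay strategies discussed above against a receiver that behaves like a DUT: it verifies the ESP ICV and applies the RFC 4303 anti-replay window. It assumes a constructed SA with NULL encryption and HMAC-SHA-256-128 integrity, so the sequence number written by a Field Engine program is part of the authenticated data.

```python
import hashlib
import hmac

# Constructed demo SA: ESP with NULL encryption + HMAC-SHA-256-128 integrity (the SHA2 half of AES128-SHA2 from the thread).
AUTH_KEY = bytes.fromhex("0f" * 32)   # constructed 256-bit key, not a real one
ICV_LEN = 16                          # HMAC-SHA-256-128 truncates to 128 bits
SPI = 0xDEADBEEF                      # SPI value used in the thread's scapy snippet

def build_esp(seq, payload, next_header=4):
    """ESP packet (RFC 4303): SPI | seq | payload | pad | pad_len | NH | ICV."""
    pad_len = (-(len(payload) + 2)) % 4          # trailer aligned to 4 bytes
    body = payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    protected = SPI.to_bytes(4, "big") + seq.to_bytes(4, "big") + body
    icv = hmac.new(AUTH_KEY, protected, hashlib.sha256).digest()[:ICV_LEN]
    return protected + icv

def icv_ok(pkt):                      # receiver check: ICV covers the header, so seq too
    calc = hmac.new(AUTH_KEY, pkt[:-ICV_LEN], hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(pkt[-ICV_LEN:], calc)

def patch_seq(pkt, seq):              # Field Engine style: rewrite bytes 4..7 only
    return pkt[:4] + seq.to_bytes(4, "big") + pkt[8:]

class AntiReplay:
    """RFC 4303 section 3.4.3 sliding window, as the DUT would apply it per SA."""
    def __init__(self, window=64):
        self.window, self.top, self.bitmap = window, 0, 0
    def accept(self, seq):
        if seq == 0 or seq <= self.top - self.window:
            return False                        # seq 0 is invalid; too old
        if seq > self.top:                      # slide the window forward
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.window) - 1)
            self.top = seq
            return True
        if self.bitmap & (1 << (self.top - seq)):
            return False                        # already seen: replay
        self.bitmap |= 1 << (self.top - seq)
        return True

def dut_accept_count(pkts):           # packets with a valid ICV that pass anti-replay
    ar = AntiReplay()
    return sum(1 for p in pkts if icv_ok(p) and ar.accept(int.from_bytes(p[4:8], "big")))

def compare_strategies(n=5):
    """Accepted-packet counts for three ways of driving n packets at the DUT."""
    payload, seqs = b"x" * 10, range(1, n + 1)
    tmpl = build_esp(1, payload)                # the off-line generated template
    return {"same_packet_repeated": dut_accept_count([tmpl] * n),
            "template_seq_rewrite": dut_accept_count([patch_seq(tmpl, s) for s in seqs]),
            "rebuilt_per_packet": dut_accept_count([build_esp(s, payload) for s in seqs])}
```

Exact replay stops at the anti-replay window and a template whose seq is rewritten after the ICV was computed fails the integrity check, so on an integrity-protected SA the ICV has to be recomputed whenever the sequence number changes; only the last strategy gets all n packets through.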




Tejas Kasundra
Dec 10, 2017, 2:48:33 AM
to hanoh haim, TRex Traffic Generator
Hi Hanoh,

My DUT is a GRE-over-IPSec concentrator for wireless access points (APs), so it will have only one static IP, and I want to simulate wireless access points with different source IPs which will send traffic to this concentrator; it has to process this traffic after decrypting the packets and removing the GRE headers.

Now, just to make things clear, the DUT will accept packets only after key negotiation, so I guess security does make sense in that way. Invalid traffic, or traffic encrypted with the wrong keys, will not be accepted by the DUT.

2. Using the scapy/openSSL Python binding you can do the IPsec negotiation for each pair of src/dst -- in the Wireless service plugin there is an example of how we did a DTLS stream using scapy/openSSL

Can you please let me know where I can find this example, in which directory of the TRex installation?

Thanks for your quick help.





 

hanoh haim
Dec 10, 2017, 3:27:37 AM
to Tejas Kasundra, TRex Traffic Generator

Tejas Kasundra
Dec 10, 2017, 5:51:12 AM
to hanoh haim, TRex Traffic Generator
Hi Hanoh, 

Thanks for all your help.

I am simply trying to use Scapy's SecurityAssociation module, available in /scripts/external_libs/scapy-2.3.1/python3/scapy/layers/ipsec.py, with the script below.

But every time I try to run this script it gives me the error below, although I have already imported scapy into the script.

It will be very helpful to me if you can guide me in the right direction.

File "stl/esp.py", line 6, in <module>
    sa = SecurityAssociation(ESP, spi = 0xdeadbeef, crypt_algo = 'AES-CBC', crypt_key = '0xced36ca65aaaedb2e9a7e73b4aa9039e')
NameError: name 'SecurityAssociation' is not defined

from trex_stl_lib.api import *
from scapy.all import *
# scapy.all in the bundled scapy does not load scapy.layers.ipsec, so SecurityAssociation is undefined here
class STLS1(object):
    def create_stream (self):
        # clear-text inner packet; the SA encrypts the IP layer, so Ether is prepended afterwards
        a = IP(src="16.0.0.1",dst="48.0.0.1")/UDP(dport=12,sport=1025)/(10*'x')
        # AES-CBC expects the key as 16 raw bytes, not as a hex string
        sa = SecurityAssociation(ESP, spi = 0xdeadbeef, crypt_algo = 'AES-CBC', crypt_key = bytes.fromhex('ced36ca65aaaedb2e9a7e73b4aa9039e'))
        # ESP transport mode; no integrity algorithm is configured on this SA
        e = Ether()/sa.encrypt(a)
        return STLStream(
            packet = STLPktBuilder(pkt = e ),
            mode = STLTXCont())
    def get_streams (self, direction = 0, **kwargs):
        # create 1 stream
        return [ self.create_stream() ]

# dynamic load - used for trex console or simulator
def register():
    return STLS1()

hanoh haim
Dec 10, 2017, 9:10:49 AM
to Tejas Kasundra, TRex Traffic Generator
By default we don't add all the modules; see _all_.py:



for _l in ['l2','inet','inet6']:
    log_loading.debug("Loading layer %s" % _l)
    #print "load  ",_l
    _import_star(_l)


Try to load it explicitly, something like this:

from scapy.layers.ipsec import * 

Venumadhav Josyula
Oct 22, 2020, 5:56:38 AM
to TRex Traffic Generator
Hi Hanoch,

Can we generate IPsec traffic using the TRex packet generator?

Thanks,
Regards,
Venu
