[doc]: Macsec test plan #4885
..... injected link | ||
***** protected link | ||
VM<->DUT up link | ||
PTF<->DUT down link |
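Review bot: the legend lists the "injected" and "protected" links separately but never says how they relate; the data-plane steps later expect MACsec-encapsulated packets on the PTF injected port, so state here that the injected link is where PTF observes the protected VM<->DUT up link, otherwise a reader cannot tell why plaintext sent from PTF should show up encrypted there.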
This is specific to T0 topology. In case of T2 the downlink can go to another VM. Is there a plan to cover testing that part, where unprotected traffic goes from the T1 node to T2 and T2 sends encrypted traffic to T3?
I have a test case that sends unprotected traffic from PTF, and the DUT will forward the packets to VM0 (MACsec-enabled VM). Does this case cover what you mentioned?
I believe that most of the time T2 is a larger-scale topo than the current testbed topology (T0). We are truly working on building that larger topology, which will be a hybrid mode (vSONiC mixed with cEOS) for lesser resource consumption.
docs/testplan/MACsec-test-plan.md
| :-------------: | :-------------: | :------------: | :----------: | | ||
| | | enable | true | | ||
| cipher_suite | GCM-AES-128 | cipher_suite | GCM-AES-128 | | ||
| cipher_suite | GCM-AES-256 | cipher_suite | GCM-AES-256 | |
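Review bot: the cipher_suite rows cover only GCM-AES-128 and GCM-AES-256, while the test run attached to the linked test-case PR parametrizes GCM-AES-XPN-128 and GCM-AES-XPN-256 as well; add those two rows so the plan and the tests agree. The column names for this table are not in the shown context, so make sure they identify which side is the configured profile attribute and which is the expected value.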
Need an update for XPN cipher suite in this table.
Thanks for your suggestion, added it.
- Verify macsec packet flow where the Ingress and Egress ports are on different Linecards. | ||
- TODO add expected behavior | ||
|
||
### Testcase : Scale tests |
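Review bot: "- TODO add expected behavior" leaves the cross-linecard case without a pass/fail criterion; before merge, state what the test observes, reusing the criteria from the data-plane steps (the target receives the expected packet, and the frame on the protected link is MACsec-encapsulated), so the case is not merged as a placeholder.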
Can a power consumption test be added when macsec is enabled?
I'm not familiar with the power consumption test; how can we test it? Is it possible to monitor this index?
|
||
#### Macsec enabled on all interfaces and the DUT is rebooted | ||
|
||
- Check the macsec docker comes up and macsec sessions are established. |
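Review bot: "Check the macsec docker comes up and macsec sessions are established" has no time bound; give the reboot case an explicit wait/timeout for the docker and for session establishment so a hung DUT fails the test instead of blocking the run, and check that the MACsec configuration itself survived the reboot before asserting on sessions, since a lost config would surface as a session failure with a misleading cause.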
Any test coverage for counters and stats?
Yes, I needed it. I added a section for testing counters and stats and will fill it in later.
|
||
3. Send a set of above packet on the down link of DUT | ||
4. The target VM should receive at least one expected above packet | ||
5. In the injected port of PTF, we should get at least one expected packet encapsulated by MACsec |
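Review bot: step 5 only asserts that at least one MACsec-encapsulated packet is seen on the injected port; it does not assert that the original packet is absent in the clear. Add a negative check that no frame carrying the injected payload appears unencapsulated on the protected link, otherwise a DUT that forwards plaintext alongside its MACsec traffic would still pass. Also, "a set of above packet" in step 3 should read "a set of the above packets".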
Can SA counters be used to verify the encrypted packet?
I think it's not easy to use them directly to verify the encrypted packet, because there is a lot of other traffic (BGP, LLDP, etc.) on the wire, so I don't know what the exact SA counters should be.
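The check discussed in this thread can be made concrete without depending on SA counters: classify the frames captured on the PTF injected port and fail if the injected payload ever appears unencapsulated. This is an added example, not code from the test plan or from sonic-mgmt; the frames, MAC addresses, SCI and payload marker below are all constructed for the example.

```python
import struct

ETHERTYPE_MACSEC = 0x88E5   # IEEE 802.1AE SecTAG EtherType
TCI_SC = 0x20               # TCI bit: SCI present in the SecTAG
TCI_E = 0x08                # TCI bit: E, payload encrypted
TCI_C = 0x04                # TCI bit: C, text changed (E and C together mean confidentiality)

def parse_sectag(frame):
    """Return (an, pn, sci_hex, encrypted) for a MACsec frame, else None.
    SecTAG after the 14-byte Ethernet header: TCI/AN (1), SL (1), PN (4), SCI (8, only if SC set)."""
    if len(frame) < 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_MACSEC:
        return None
    tci_an, _sl, pn = struct.unpack("!BBI", frame[14:20])
    sci = None
    if tci_an & TCI_SC:
        if len(frame) < 28:
            return None                     # truncated SecTAG, treat as not MACsec
        sci = frame[20:28].hex()
    encrypted = bool(tci_an & TCI_E) and bool(tci_an & TCI_C)
    return tci_an & 0x03, pn, sci, encrypted

def classify_frames(frames, payload_marker):
    """Count MACsec frames, encrypted ones, plaintext leaks of the marker, and unrelated traffic."""
    counts = {"macsec": 0, "encrypted": 0, "leaked": 0, "other": 0}
    for frame in frames:
        tag = parse_sectag(frame)
        if tag is not None:
            counts["macsec"] += 1
            counts["encrypted"] += tag[3]
        elif payload_marker in frame:       # injected payload visible in the clear
            counts["leaked"] += 1
        else:                               # BGP, LLDP and other traffic sharing the wire
            counts["other"] += 1
    return counts

def link_is_protected(frames, payload_marker):
    """Step 5 criterion plus the negative check: encrypted MACsec seen, no plaintext copy."""
    c = classify_frames(frames, payload_marker)
    return c["encrypted"] > 0 and c["leaked"] == 0

# Constructed sample capture (made-up MACs, SCI and payload; the ciphertext is filler bytes)
DST, SRC = bytes.fromhex("525400a4faf1"), bytes.fromhex("52540085d75c")
MARKER = b"MACSEC-TEST-PAYLOAD"
PLAIN = DST + SRC + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19 + MARKER
SECTAG = bytes([TCI_SC | TCI_E | TCI_C, 0x00]) + struct.pack("!I", 3) + SRC + b"\x00\x01"
PROTECTED = DST + SRC + struct.pack("!H", ETHERTYPE_MACSEC) + SECTAG + bytes(range(40))
LLDP = bytes.fromhex("0180c200000e") + SRC + struct.pack("!H", 0x88CC) + b"\x02\x07\x04" + SRC
GOOD_CAPTURE = [PROTECTED, LLDP, PROTECTED]     # what a protected link should look like
BAD_CAPTURE = GOOD_CAPTURE + [PLAIN]             # plaintext leaked alongside MACsec frames
```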
docs/testplan/MACsec-test-plan.md
|
||
- Check MKA session | ||
|
||
1. Get the MKA session by `ip macsec show` |
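Review bot: `ip macsec show` prints the kernel's MACsec device flags, cipher suite and the installed TX/RX SCs and SAs, not the MKA session itself; state which output fields the step takes as proof of an established session (protect on, the expected cipher suite, and an active SA under both the TXSC and the peer's RXSC), and note that this check applies only to the Linux/virtual-switch MACsec path.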
ip macsec show works only for Linux-based macsec. It would be good to mention the macsec show SONiC CLI for hardware-based macsec.
Thanks for this suggestion, rephrased it.
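For the Linux/virtual-switch path, the `ip macsec show` step can be turned into a concrete assertion by parsing the output and checking that protection is on, the expected cipher suite is in use, and an active TX SA and an active RX SA for a peer SC exist. This is an added example, not code from the test plan or sonic-mgmt; it assumes the line layout printed by iproute2's `ip macsec show` as reproduced in the constructed sample below, and the device name, SCIs and key ids are made up.

```python
import re

# Constructed sample of `ip macsec show` output (assumed iproute2 line layout; values made up)
SAMPLE_OUTPUT = """\
11: macsec0: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 52540085d75c0001 on SA 0
        0: PN 3, state on, key 00000000000000000000000000000000
    RXSC: 525400a4faf10001, state on
        0: PN 1, state on, key 00000000000000000000000000000000
"""

DEV_RE = re.compile(r"^\d+: (?P<dev>\S+): (?P<flags>.+)$")          # device header with on/off flags
CIPHER_RE = re.compile(r"^\s+cipher suite: (?P<suite>[\w-]+)")
TXSC_RE = re.compile(r"^\s+TXSC: (?P<sci>[0-9a-f]{16})")
RXSC_RE = re.compile(r"^\s+RXSC: (?P<sci>[0-9a-f]{16}), state (?P<state>\w+)")
SA_RE = re.compile(r"^\s+(?P<an>[0-3]): PN (?P<pn>\d+), state (?P<state>\w+)")  # SA under a TXSC/RXSC

def parse_ip_macsec_show(text):
    """Return {device: {protect, cipher, tx_sas: [(an, pn, on)], rx_scs: {sci: {state, sas}}}}."""
    devices, cur, section = {}, None, None
    for line in text.splitlines():
        if m := DEV_RE.match(line):
            flags = m.group("flags").split()        # "protect on validate strict ..." -> pairs
            cur = devices[m.group("dev")] = {"protect": flags[flags.index("protect") + 1] == "on",
                                             "cipher": None, "tx_sas": [], "rx_scs": {}}
            section = None
        elif cur is None:
            continue                                # ignore anything before the first device
        elif m := CIPHER_RE.match(line):
            cur["cipher"] = m.group("suite")
        elif m := TXSC_RE.match(line):
            section = ("tx", m.group("sci"))
        elif m := RXSC_RE.match(line):
            section = ("rx", m.group("sci"))
            cur["rx_scs"][section[1]] = {"state": m.group("state") == "on", "sas": []}
        elif (m := SA_RE.match(line)) and section:
            sa = (int(m.group("an")), int(m.group("pn")), m.group("state") == "on")
            (cur["tx_sas"] if section[0] == "tx" else cur["rx_scs"][section[1]]["sas"]).append(sa)
    return devices

def session_established(devices, dev, expected_cipher):
    """Pass criterion: protect on, expected suite, an active TX SA and an RX SC with an active SA."""
    d = devices.get(dev)
    if d is None or not d["protect"] or d["cipher"] != expected_cipher:
        return False
    tx_ok = any(on for _an, _pn, on in d["tx_sas"])
    rx_ok = any(sc["state"] and any(on for _an, _pn, on in sc["sas"]) for sc in d["rx_scs"].values())
    return tx_ok and rx_ok
```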
|
||
#### Link flap on an interface with macsec configured | ||
|
||
- MKA session can be recovered from the link flap if the port comes back up in < 6 secs (MKA lietime) |
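Review bot: "MKA lietime" is a typo for "MKA lifetime". Make the expectation two-sided as well: within 6 s the existing session is expected to survive, and beyond 6 s the peer is expected to time out and the session to be re-established once the link is back up; both outcomes need a pass criterion, and both the local and the remote interface should be flapped.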
Test for both local and remote interface down/up.
- Configure macsec on the member interface of a Portchannel which is already in oper UP state. There is only one member interface. | ||
- Expect the portchannel to remain oper UP if the mka session establishment happens within 3*30sec, assuming LACP is in slow mode. | ||
- Expect the portchannel to go down if time taken for mka session establishment is > 3*30sec. | ||
- Portchannel interface goes oper UP after the MKA session is established |
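Review bot: the second and fourth bullets read as contradictory: if the portchannel remains oper UP when the MKA session comes up within 3*30 s, "goes oper UP after the MKA session is established" can only describe the > 3*30 s case, so say so explicitly. The 3*30 s figure is the LACP slow-rate timeout; with fast rate it is 3*1 s, so record the LACP rate as a test parameter rather than a fixed assumption.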
Add a case where the portchannel member is removed from the portchannel, and the IP address is added/removed. Add the interface back to the portchannel with macsec enabled. Check the behaviour.
Summary:
Fixes # (issue)

Need the PR: sonic-net/sonic-buildimage#8554

- [ ] Bug fix
- [ ] Testbed and Framework(new/improvement)
- [x] Test case(new/improvement)

This PR includes the basic tests, control plane and data plane, for MACsec.

- Control plane
  1. Check that the control plane process, wpa_supplicant, is running
  2. Check the related entries in APP_DB
  3. For the virtual switch, check the MKA session by iproute2
- Data plane
  1. Check the traffic from down link to up link
  2. Check the traffic from a neighbor device to others

Build testbed of SONiC neighbor devices

Please refer to this document https://github.com/Azure/sonic-mgmt/blob/master/docs/testbed/README.testbed.VsSetup.md to set up your environment.
The neighbor devices should be SONiC with the **latest image** and the vm_type should choose `vsonic`

```
./testbed-cli.sh -m veos_vtb -n 4 -k vsonic start-vms server_1 password.txt
./testbed-cli.sh -t vtestbed.csv -m veos_vtb -k vsonic add-topo vms-kvm-t0 password.txt
./testbed-cli.sh -t vtestbed.csv -m veos_vtb deploy-mg vms-kvm-t0 veos_vtb password.txt
```

Verify health

```
./run_tests.sh -u -n vms-kvm-t0 -d vlab-01 -c test_nbr_health.py -f vtestbed.csv -i veos_vtb -e "--neighbor_type=sonic --skip_sanity --disable_loganalyzer"
```

Run MACsec Test

```
./run_tests.sh -u -n vms-kvm-t0 -d vlab-01 -c macsec/test_macsec.py -f vtestbed.csv -i veos_vtb -e "--neighbor_type=sonic --skip_sanity --disable_loganalyzer"
```

You should get

```
=== Running tests in groups ===
/usr/local/lib/python2.7/dist-packages/ansible/parsing/vault/__init__.py:44: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
  from cryptography.exceptions import InvalidSignature
============================================================================================= test session starts ==============================================================================================
platform linux2 -- Python 2.7.17, pytest-4.6.5, py-1.11.0, pluggy-0.13.1 -- /usr/bin/python
cachedir: .pytest_cache
metadata: {'Python': '2.7.17', 'Platform': 'Linux-5.4.0-37-generic-x86_64-with-Ubuntu-18.04-bionic', 'Packages': {'py': '1.11.0', 'pytest': '4.6.5', 'pluggy': '0.13.1'}, 'Plugins': {u'repeat': u'0.9.1', u'ordering': u'0.6', u'ansible': u'2.2.2', u'xdist': u'1.28.0', u'allure-pytest': u'2.8.22', u'html': u'1.22.1', u'forked': u'1.3.0', u'metadata': u'1.11.0'}}
ansible: 2.8.12
rootdir: /data/sonic-mgmt_sonic_vm_topology/tests, inifile: pytest.ini
plugins: forked-1.3.0, xdist-1.28.0, repeat-0.9.1, metadata-1.11.0, html-1.22.1, allure-pytest-2.8.22, ordering-0.6, ansible-2.2.2
collecting ... ['conf-name', 'group-name', 'topo', 'ptf_image_name', 'ptf', 'ptf_ip', 'ptf_ipv6', 'server', 'vm_base', 'dut', 'inv_name', 'auto_recover', 'comment']
Finished testbed info generating.
/usr/local/lib/python2.7/dist-packages/ansible/parsing/vault/__init__.py:44: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
  from cryptography.exceptions import InvalidSignature
collecting 0 items ['conf-name', 'group-name', 'topo', 'ptf_image_name', 'ptf', 'ptf_ip', 'ptf_ipv6', 'server', 'vm_base', 'dut', 'inv_name', 'auto_recover', 'comment']
Finished testbed info generating.
collected 40 items
macsec/test_macsec.py::TestControlPlane::test_wpa_supplicant_processes[GCM-AES-128-security-true] PASSED [ 2%]
macsec/test_macsec.py::TestControlPlane::test_appl_db[security-GCM-AES-128-true] PASSED [ 5%]
macsec/test_macsec.py::TestControlPlane::test_mka_session[security-GCM-AES-128-true] PASSED [ 7%]
macsec/test_macsec.py::TestDataPlane::test_server_to_neighbor[GCM-AES-128-security-true] PASSED [ 10%]
macsec/test_macsec.py::TestDataPlane::test_neighbor_to_neighbor[GCM-AES-128-security-true] PASSED [ 12%]
macsec/test_macsec.py::TestControlPlane::test_wpa_supplicant_processes[GCM-AES-128-security-false] PASSED [ 15%]
macsec/test_macsec.py::TestControlPlane::test_appl_db[security-GCM-AES-128-false] PASSED [ 17%]
macsec/test_macsec.py::TestControlPlane::test_mka_session[security-GCM-AES-128-false] PASSED [ 20%]
macsec/test_macsec.py::TestDataPlane::test_server_to_neighbor[GCM-AES-128-security-false] PASSED [ 22%]
macsec/test_macsec.py::TestDataPlane::test_neighbor_to_neighbor[GCM-AES-128-security-false] PASSED [ 25%]
macsec/test_macsec.py::TestControlPlane::test_wpa_supplicant_processes[GCM-AES-256-security-false] PASSED [ 27%]
macsec/test_macsec.py::TestControlPlane::test_appl_db[security-GCM-AES-256-false] PASSED [ 30%]
macsec/test_macsec.py::TestControlPlane::test_mka_session[security-GCM-AES-256-false] PASSED [ 32%]
macsec/test_macsec.py::TestDataPlane::test_server_to_neighbor[GCM-AES-256-security-false] PASSED [ 35%]
macsec/test_macsec.py::TestDataPlane::test_neighbor_to_neighbor[GCM-AES-256-security-false] PASSED [ 37%]
macsec/test_macsec.py::TestControlPlane::test_wpa_supplicant_processes[GCM-AES-256-security-true] PASSED [ 40%]
macsec/test_macsec.py::TestControlPlane::test_appl_db[security-GCM-AES-256-true] PASSED [ 42%]
macsec/test_macsec.py::TestControlPlane::test_mka_session[security-GCM-AES-256-true] PASSED [ 45%]
macsec/test_macsec.py::TestDataPlane::test_server_to_neighbor[GCM-AES-256-security-true] PASSED [ 47%]
macsec/test_macsec.py::TestDataPlane::test_neighbor_to_neighbor[GCM-AES-256-security-true] PASSED [ 50%]
macsec/test_macsec.py::TestControlPlane::test_wpa_supplicant_processes[GCM-AES-XPN-128-security-false] PASSED [ 52%]
macsec/test_macsec.py::TestControlPlane::test_appl_db[security-GCM-AES-XPN-128-false] PASSED [ 55%]
macsec/test_macsec.py::TestControlPlane::test_mka_session[security-GCM-AES-XPN-128-false] PASSED [ 57%]
macsec/test_macsec.py::TestDataPlane::test_server_to_neighbor[GCM-AES-XPN-128-security-false] PASSED [ 60%]
macsec/test_macsec.py::TestDataPlane::test_neighbor_to_neighbor[GCM-AES-XPN-128-security-false] PASSED [ 62%]
macsec/test_macsec.py::TestControlPlane::test_wpa_supplicant_processes[GCM-AES-XPN-128-security-true] PASSED [ 65%]
macsec/test_macsec.py::TestControlPlane::test_appl_db[security-GCM-AES-XPN-128-true] PASSED [ 67%]
macsec/test_macsec.py::TestControlPlane::test_mka_session[security-GCM-AES-XPN-128-true] PASSED [ 70%]
macsec/test_macsec.py::TestDataPlane::test_server_to_neighbor[GCM-AES-XPN-128-security-true] PASSED [ 72%]
macsec/test_macsec.py::TestDataPlane::test_neighbor_to_neighbor[GCM-AES-XPN-128-security-true] PASSED [ 75%]
macsec/test_macsec.py::TestControlPlane::test_wpa_supplicant_processes[GCM-AES-XPN-256-security-false] PASSED [ 77%]
macsec/test_macsec.py::TestControlPlane::test_appl_db[security-GCM-AES-XPN-256-false] PASSED [ 80%]
macsec/test_macsec.py::TestControlPlane::test_mka_session[security-GCM-AES-XPN-256-false] PASSED [ 82%]
macsec/test_macsec.py::TestDataPlane::test_server_to_neighbor[GCM-AES-XPN-256-security-false] PASSED [ 85%]
macsec/test_macsec.py::TestDataPlane::test_neighbor_to_neighbor[GCM-AES-XPN-256-security-false] PASSED [ 87%]
macsec/test_macsec.py::TestControlPlane::test_wpa_supplicant_processes[GCM-AES-XPN-256-security-true] PASSED [ 90%]
macsec/test_macsec.py::TestControlPlane::test_appl_db[security-GCM-AES-XPN-256-true] PASSED [ 92%]
macsec/test_macsec.py::TestControlPlane::test_mka_session[security-GCM-AES-XPN-256-true] PASSED [ 95%]
macsec/test_macsec.py::TestDataPlane::test_server_to_neighbor[GCM-AES-XPN-256-security-true] PASSED [ 97%]
macsec/test_macsec.py::TestDataPlane::test_neighbor_to_neighbor[GCM-AES-XPN-256-security-true] PASSED [100%]
```

Tested in Virtual Switch and Arista 7280 T0 #4885
Description of PR
What is the motivation for this PR?
This is a doc for MACsec test plan