selftests/net/srv6_end_dt6_l3vpn_test.sh

0001 #!/bin/bash
0002 # SPDX-License-Identifier: GPL-2.0
0003 #
0004 # author: Andrea Mayer <andrea.mayer@uniroma2.it>
0005 # author: Paolo Lungaroni <paolo.lungaroni@cnit.it>
0006
0007 # This test is designed for evaluating the new SRv6 End.DT6 behavior used for
0008 # implementing IPv6 L3 VPN use cases.
0009 #
0010 # Hereafter a network diagram is shown, where two different tenants (named 100
0011 # and 200) offer IPv6 L3 VPN services allowing hosts to communicate with each
0012 # other across an IPv6 network.
0013 #
0014 # Only hosts belonging to the same tenant (and to the same VPN) can communicate
0015 # with each other. Instead, the communication among hosts of different tenants
0016 # is forbidden.
0017 # In other words, hosts hs-t100-1 and hs-t100-2 are connected through the IPv6
0018 # L3 VPN of tenant 100 while hs-t200-3 and hs-t200-4 are connected using the
0019 # IPv6 L3 VPN of tenant 200. Cross connection between tenant 100 and tenant 200
0020 # is forbidden and thus, for example, hs-t100-1 cannot reach hs-t200-3 and vice
0021 # versa.
0022 #
0023 # Routers rt-1 and rt-2 implement IPv6 L3 VPN services leveraging the SRv6
0024 # architecture. The key components for such VPNs are: a) SRv6 Encap behavior,
0025 # b) SRv6 End.DT6 behavior and c) VRF.
0026 #
0027 # To explain how an IPv6 L3 VPN based on SRv6 works, let us briefly consider an
0028 # example where, within the same domain of tenant 100, the host hs-t100-1 pings
0029 # the host hs-t100-2.
0030 #
0031 # First of all, L2 reachability of the host hs-t100-2 is taken into account by
0032 # the router rt-1 which acts as a ndp proxy.
0033 #
0034 # When the host hs-t100-1 sends an IPv6 packet destined to hs-t100-2, the
0035 # router rt-1 receives the packet on the internal veth-t100 interface. Such
0036 # interface is enslaved to the VRF vrf-100 whose associated table contains the
0037 # SRv6 Encap route for encapsulating any IPv6 packet in a IPv6 plus the Segment
0038 # Routing Header (SRH) packet. This packet is sent through the (IPv6) core
0039 # network up to the router rt-2 that receives it on veth0 interface.
0040 #
0041 # The rt-2 router uses the 'localsid' routing table to process incoming
0042 # IPv6+SRH packets which belong to the VPN of the tenant 100. For each of these
0043 # packets, the SRv6 End.DT6 behavior removes the outer IPv6+SRH headers and
0044 # performs the lookup on the vrf-100 table using the destination address of
0045 # the decapsulated IPv6 packet. Afterwards, the packet is sent to the host
0046 # hs-t100-2 through the veth-t100 interface.
0047 #
0048 # The ping response follows the same processing but this time the role of rt-1
0049 # and rt-2 are swapped.
0050 #
0051 # Of course, the IPv6 L3 VPN for tenant 200 works exactly as the IPv6 L3 VPN
0052 # for tenant 100. In this case, only hosts hs-t200-3 and hs-t200-4 are able to
0053 # connect with each other.
0054 #
0055 #
0056 # +-------------------+                                   +-------------------+
0057 # |                   |                                   |                   |
0058 # |  hs-t100-1 netns  |                                   |  hs-t100-2 netns  |
0059 # |                   |                                   |                   |
0060 # |  +-------------+  |                                   |  +-------------+  |
0061 # |  |    veth0    |  |                                   |  |    veth0    |  |
0062 # |  |  cafe::1/64 |  |                                   |  |  cafe::2/64 |  |
0063 # |  +-------------+  |                                   |  +-------------+  |
0064 # |        .          |                                   |         .         |
0065 # +-------------------+                                   +-------------------+
0066 #          .                                                        .
0067 #          .                                                        .
0068 #          .                                                        .
0069 # +-----------------------------------+   +-----------------------------------+
0070 # |        .                          |   |                         .         |
0071 # | +---------------+                 |   |                 +---------------- |
0072 # | |   veth-t100   |                 |   |                 |   veth-t100   | |
0073 # | |  cafe::254/64 |    +----------+ |   | +----------+    |  cafe::254/64 | |
0074 # | +-------+-------+    | localsid | |   | | localsid |    +-------+-------- |
0075 # |         |            |   table  | |   | |   table  |            |         |
0076 # |    +----+----+       +----------+ |   | +----------+       +----+----+    |
0077 # |    | vrf-100 |                    |   |                    | vrf-100 |    |
0078 # |    +---------+     +------------+ |   | +------------+     +---------+    |
0079 # |                    |   veth0    | |   | |   veth0    |                    |
0080 # |                    | fd00::1/64 |.|...|.| fd00::2/64 |                    |
0081 # |    +---------+     +------------+ |   | +------------+     +---------+    |
0082 # |    | vrf-200 |                    |   |                    | vrf-200 |    |
0083 # |    +----+----+                    |   |                    +----+----+    |
0084 # |         |                         |   |                         |         |
0085 # | +-------+-------+                 |   |                 +-------+-------- |
0086 # | |   veth-t200   |                 |   |                 |   veth-t200   | |
0087 # | |  cafe::254/64 |                 |   |                 |  cafe::254/64 | |
0088 # | +---------------+      rt-1 netns |   | rt-2 netns      +---------------- |
0089 # |        .                          |   |                          .        |
0090 # +-----------------------------------+   +-----------------------------------+
0091 #          .                                                         .
0092 #          .                                                         .
0093 #          .                                                         .
0094 #          .                                                         .
0095 # +-------------------+                                   +-------------------+
0096 # |        .          |                                   |          .        |
0097 # |  +-------------+  |                                   |  +-------------+  |
0098 # |  |    veth0    |  |                                   |  |    veth0    |  |
0099 # |  |  cafe::3/64 |  |                                   |  |  cafe::4/64 |  |
0100 # |  +-------------+  |                                   |  +-------------+  |
0101 # |                   |                                   |                   |
0102 # |  hs-t200-3 netns  |                                   |  hs-t200-4 netns  |
0103 # |                   |                                   |                   |
0104 # +-------------------+                                   +-------------------+
0105 #
0106 #
0107 # ~~~~~~~~~~~~~~~~~~~~~~~~~
0108 # | Network configuration |
0109 # ~~~~~~~~~~~~~~~~~~~~~~~~~
0110 #
0111 # rt-1: localsid table (table 90)
0112 # +-------------------------------------------------+
0113 # |SID              |Action                         |
0114 # +-------------------------------------------------+
0115 # |fc00:21:100::6006|apply SRv6 End.DT6 vrftable 100|
0116 # +-------------------------------------------------+
0117 # |fc00:21:200::6006|apply SRv6 End.DT6 vrftable 200|
0118 # +-------------------------------------------------+
0119 #
0120 # rt-1: VRF tenant 100 (table 100)
0121 # +---------------------------------------------------+
0122 # |host       |Action                                 |
0123 # +---------------------------------------------------+
0124 # |cafe::2    |apply seg6 encap segs fc00:12:100::6006|
0125 # +---------------------------------------------------+
0126 # |cafe::/64  |forward to dev veth_t100               |
0127 # +---------------------------------------------------+
0128 #
0129 # rt-1: VRF tenant 200 (table 200)
0130 # +---------------------------------------------------+
0131 # |host       |Action                                 |
0132 # +---------------------------------------------------+
0133 # |cafe::4    |apply seg6 encap segs fc00:12:200::6006|
0134 # +---------------------------------------------------+
0135 # |cafe::/64  |forward to dev veth_t200               |
0136 # +---------------------------------------------------+
0137 #
0138 #
0139 # rt-2: localsid table (table 90)
0140 # +-------------------------------------------------+
0141 # |SID              |Action                         |
0142 # +-------------------------------------------------+
0143 # |fc00:12:100::6006|apply SRv6 End.DT6 vrftable 100|
0144 # +-------------------------------------------------+
0145 # |fc00:12:200::6006|apply SRv6 End.DT6 vrftable 200|
0146 # +-------------------------------------------------+
0147 #
0148 # rt-2: VRF tenant 100 (table 100)
0149 # +---------------------------------------------------+
0150 # |host       |Action                                 |
0151 # +---------------------------------------------------+
0152 # |cafe::1    |apply seg6 encap segs fc00:21:100::6006|
0153 # +---------------------------------------------------+
0154 # |cafe::/64  |forward to dev veth_t100               |
0155 # +---------------------------------------------------+
0156 #
0157 # rt-2: VRF tenant 200 (table 200)
0158 # +---------------------------------------------------+
0159 # |host       |Action                                 |
0160 # +---------------------------------------------------+
0161 # |cafe::3    |apply seg6 encap segs fc00:21:200::6006|
0162 # +---------------------------------------------------+
0163 # |cafe::/64  |forward to dev veth_t200               |
0164 # +---------------------------------------------------+
0165 #
0166
0167 # Kselftest framework requirement - SKIP code is 4.
0168 ksft_skip=4
0169
0170 readonly LOCALSID_TABLE_ID=90
0171 readonly IPv6_RT_NETWORK=fd00
0172 readonly IPv6_HS_NETWORK=cafe
0173 readonly VPN_LOCATOR_SERVICE=fc00
0174 PING_TIMEOUT_SEC=4
0175
0176 ret=0
0177
0178 PAUSE_ON_FAIL=${PAUSE_ON_FAIL:=no}
0179
0180 log_test()
0181 {
0182         local rc=$1
0183         local expected=$2
0184         local msg="$3"
0185
0186         if [ ${rc} -eq ${expected} ]; then
0187                 nsuccess=$((nsuccess+1))
0188                 printf "\n    TEST: %-60s  [ OK ]\n" "${msg}"
0189         else
0190                 ret=1
0191                 nfail=$((nfail+1))
0192                 printf "\n    TEST: %-60s  [FAIL]\n" "${msg}"
0193                 if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
0194                         echo
0195                         echo "hit enter to continue, 'q' to quit"
0196                         read a
0197                         [ "$a" = "q" ] && exit 1
0198                 fi
0199         fi
0200 }
0201
0202 print_log_test_results()
0203 {
0204         if [ "$TESTS" != "none" ]; then
0205                 printf "\nTests passed: %3d\n" ${nsuccess}
0206                 printf "Tests failed: %3d\n"   ${nfail}
0207         fi
0208 }
0209
0210 log_section()
0211 {
0212         echo
0213         echo "################################################################################"
0214         echo "TEST SECTION: $*"
0215         echo "################################################################################"
0216 }
0217
0218 cleanup()
0219 {
0220         ip link del veth-rt-1 2>/dev/null || true
0221         ip link del veth-rt-2 2>/dev/null || true
0222
0223         # destroy routers rt-* and hosts hs-*
0224         for ns in $(ip netns show | grep -E 'rt-*|hs-*'); do
0225                 ip netns del ${ns} || true
0226         done
0227 }
0228
0229 # Setup the basic networking for the routers
0230 setup_rt_networking()
0231 {
0232         local rt=$1
0233         local nsname=rt-${rt}
0234
0235         ip netns add ${nsname}
0236         ip link set veth-rt-${rt} netns ${nsname}
0237         ip -netns ${nsname} link set veth-rt-${rt} name veth0
0238
0239         ip netns exec ${nsname} sysctl -wq net.ipv6.conf.all.accept_dad=0
0240         ip netns exec ${nsname} sysctl -wq net.ipv6.conf.default.accept_dad=0
0241
0242         ip -netns ${nsname} addr add ${IPv6_RT_NETWORK}::${rt}/64 dev veth0 nodad
0243         ip -netns ${nsname} link set veth0 up
0244         ip -netns ${nsname} link set lo up
0245
0246         ip netns exec ${nsname} sysctl -wq net.ipv6.conf.all.forwarding=1
0247 }
0248
0249 setup_hs()
0250 {
0251         local hs=$1
0252         local rt=$2
0253         local tid=$3
0254         local hsname=hs-t${tid}-${hs}
0255         local rtname=rt-${rt}
0256         local rtveth=veth-t${tid}
0257
0258         # set the networking for the host
0259         ip netns add ${hsname}
0260
0261         ip netns exec ${hsname} sysctl -wq net.ipv6.conf.all.accept_dad=0
0262         ip netns exec ${hsname} sysctl -wq net.ipv6.conf.default.accept_dad=0
0263
0264         ip -netns ${hsname} link add veth0 type veth peer name ${rtveth}
0265         ip -netns ${hsname} link set ${rtveth} netns ${rtname}
0266         ip -netns ${hsname} addr add ${IPv6_HS_NETWORK}::${hs}/64 dev veth0 nodad
0267         ip -netns ${hsname} link set veth0 up
0268         ip -netns ${hsname} link set lo up
0269
0270         # configure the VRF for the tenant X on the router which is directly
0271         # connected to the source host.
0272         ip -netns ${rtname} link add vrf-${tid} type vrf table ${tid}
0273         ip -netns ${rtname} link set vrf-${tid} up
0274
0275         ip netns exec ${rtname} sysctl -wq net.ipv6.conf.all.accept_dad=0
0276         ip netns exec ${rtname} sysctl -wq net.ipv6.conf.default.accept_dad=0
0277
0278         # enslave the veth-tX interface to the vrf-X in the access router
0279         ip -netns ${rtname} link set ${rtveth} master vrf-${tid}
0280         ip -netns ${rtname} addr add ${IPv6_HS_NETWORK}::254/64 dev ${rtveth} nodad
0281         ip -netns ${rtname} link set ${rtveth} up
0282
0283         ip netns exec ${rtname} sysctl -wq net.ipv6.conf.${rtveth}.proxy_ndp=1
0284
0285         ip netns exec ${rtname} sh -c "echo 1 > /proc/sys/net/vrf/strict_mode"
0286 }
0287
0288 setup_vpn_config()
0289 {
0290         local hssrc=$1
0291         local rtsrc=$2
0292         local hsdst=$3
0293         local rtdst=$4
0294         local tid=$5
0295
0296         local hssrc_name=hs-t${tid}-${hssrc}
0297         local hsdst_name=hs-t${tid}-${hsdst}
0298         local rtsrc_name=rt-${rtsrc}
0299         local rtdst_name=rt-${rtdst}
0300         local rtveth=veth-t${tid}
0301         local vpn_sid=${VPN_LOCATOR_SERVICE}:${hssrc}${hsdst}:${tid}::6006
0302
0303         ip -netns ${rtsrc_name} -6 neigh add proxy ${IPv6_HS_NETWORK}::${hsdst} dev ${rtveth}
0304
0305         # set the encap route for encapsulating packets which arrive from the
0306         # host hssrc and destined to the access router rtsrc.
0307         ip -netns ${rtsrc_name} -6 route add ${IPv6_HS_NETWORK}::${hsdst}/128 vrf vrf-${tid} \
0308                 encap seg6 mode encap segs ${vpn_sid} dev veth0
0309         ip -netns ${rtsrc_name} -6 route add ${vpn_sid}/128 vrf vrf-${tid} \
0310                 via fd00::${rtdst} dev veth0
0311
0312         # set the decap route for decapsulating packets which arrive from
0313         # the rtdst router and destined to the hsdst host.
0314         ip -netns ${rtdst_name} -6 route add ${vpn_sid}/128 table ${LOCALSID_TABLE_ID} \
0315                 encap seg6local action End.DT6 vrftable ${tid} dev vrf-${tid}
0316
0317         # all sids for VPNs start with a common locator which is fc00::/16.
0318         # Routes for handling the SRv6 End.DT6 behavior instances are grouped
0319         # together in the 'localsid' table.
0320         #
0321         # NOTE: added only once
0322         if [ -z "$(ip -netns ${rtdst_name} -6 rule show | \
0323             grep "to ${VPN_LOCATOR_SERVICE}::/16 lookup ${LOCALSID_TABLE_ID}")" ]; then
0324                 ip -netns ${rtdst_name} -6 rule add \
0325                         to ${VPN_LOCATOR_SERVICE}::/16 \
0326                         lookup ${LOCALSID_TABLE_ID} prio 999
0327         fi
0328 }
0329
0330 setup()
0331 {
0332         ip link add veth-rt-1 type veth peer name veth-rt-2
0333         # setup the networking for router rt-1 and router rt-2
0334         setup_rt_networking 1
0335         setup_rt_networking 2
0336
0337         # setup two hosts for the tenant 100.
0338         #  - host hs-1 is directly connected to the router rt-1;
0339         #  - host hs-2 is directly connected to the router rt-2.
0340         setup_hs 1 1 100  #args: host router tenant
0341         setup_hs 2 2 100
0342
0343         # setup two hosts for the tenant 200
0344         #  - host hs-3 is directly connected to the router rt-1;
0345         #  - host hs-4 is directly connected to the router rt-2.
0346         setup_hs 3 1 200
0347         setup_hs 4 2 200
0348
0349         # setup the IPv6 L3 VPN which connects the host hs-t100-1 and host
0350         # hs-t100-2 within the same tenant 100.
0351         setup_vpn_config 1 1 2 2 100  #args: src_host src_router dst_host dst_router tenant
0352         setup_vpn_config 2 2 1 1 100
0353
0354         # setup the IPv6 L3 VPN which connects the host hs-t200-3 and host
0355         # hs-t200-4 within the same tenant 200.
0356         setup_vpn_config 3 1 4 2 200
0357         setup_vpn_config 4 2 3 1 200
0358 }
0359
0360 check_rt_connectivity()
0361 {
0362         local rtsrc=$1
0363         local rtdst=$2
0364
0365         ip netns exec rt-${rtsrc} ping -c 1 -W 1 ${IPv6_RT_NETWORK}::${rtdst} \
0366                 >/dev/null 2>&1
0367 }
0368
0369 check_and_log_rt_connectivity()
0370 {
0371         local rtsrc=$1
0372         local rtdst=$2
0373
0374         check_rt_connectivity ${rtsrc} ${rtdst}
0375         log_test $? 0 "Routers connectivity: rt-${rtsrc} -> rt-${rtdst}"
0376 }
0377
0378 check_hs_connectivity()
0379 {
0380         local hssrc=$1
0381         local hsdst=$2
0382         local tid=$3
0383
0384         ip netns exec hs-t${tid}-${hssrc} ping -c 1 -W ${PING_TIMEOUT_SEC} \
0385                 ${IPv6_HS_NETWORK}::${hsdst} >/dev/null 2>&1
0386 }
0387
0388 check_and_log_hs_connectivity()
0389 {
0390         local hssrc=$1
0391         local hsdst=$2
0392         local tid=$3
0393
0394         check_hs_connectivity ${hssrc} ${hsdst} ${tid}
0395         log_test $? 0 "Hosts connectivity: hs-t${tid}-${hssrc} -> hs-t${tid}-${hsdst} (tenant ${tid})"
0396 }
0397
0398 check_and_log_hs_isolation()
0399 {
0400         local hssrc=$1
0401         local tidsrc=$2
0402         local hsdst=$3
0403         local tiddst=$4
0404
0405         check_hs_connectivity ${hssrc} ${hsdst} ${tidsrc}
0406         # NOTE: ping should fail
0407         log_test $? 1 "Hosts isolation: hs-t${tidsrc}-${hssrc} -X-> hs-t${tiddst}-${hsdst}"
0408 }
0409
0410
0411 check_and_log_hs2gw_connectivity()
0412 {
0413         local hssrc=$1
0414         local tid=$2
0415
0416         check_hs_connectivity ${hssrc} 254 ${tid}
0417         log_test $? 0 "Hosts connectivity: hs-t${tid}-${hssrc} -> gw (tenant ${tid})"
0418 }
0419
0420 router_tests()
0421 {
0422         log_section "IPv6 routers connectivity test"
0423
0424         check_and_log_rt_connectivity 1 2
0425         check_and_log_rt_connectivity 2 1
0426 }
0427
0428 host2gateway_tests()
0429 {
0430         log_section "IPv6 connectivity test among hosts and gateway"
0431
0432         check_and_log_hs2gw_connectivity 1 100
0433         check_and_log_hs2gw_connectivity 2 100
0434
0435         check_and_log_hs2gw_connectivity 3 200
0436         check_and_log_hs2gw_connectivity 4 200
0437 }
0438
0439 host_vpn_tests()
0440 {
0441         log_section "SRv6 VPN connectivity test among hosts in the same tenant"
0442
0443         check_and_log_hs_connectivity 1 2 100
0444         check_and_log_hs_connectivity 2 1 100
0445
0446         check_and_log_hs_connectivity 3 4 200
0447         check_and_log_hs_connectivity 4 3 200
0448 }
0449
0450 host_vpn_isolation_tests()
0451 {
0452         local i
0453         local j
0454         local k
0455         local tmp
0456         local l1="1 2"
0457         local l2="3 4"
0458         local t1=100
0459         local t2=200
0460
0461         log_section "SRv6 VPN isolation test among hosts in different tentants"
0462
0463         for k in 0 1; do
0464                 for i in ${l1}; do
0465                         for j in ${l2}; do
0466                                 check_and_log_hs_isolation ${i} ${t1} ${j} ${t2}
0467                         done
0468                 done
0469
0470                 # let us test the reverse path
0471                 tmp="${l1}"; l1="${l2}"; l2="${tmp}"
0472                 tmp=${t1}; t1=${t2}; t2=${tmp}
0473         done
0474 }
0475
0476 if [ "$(id -u)" -ne 0 ];then
0477         echo "SKIP: Need root privileges"
0478         exit $ksft_skip
0479 fi
0480
0481 if [ ! -x "$(command -v ip)" ]; then
0482         echo "SKIP: Could not run test without ip tool"
0483         exit $ksft_skip
0484 fi
0485
0486 modprobe vrf &>/dev/null
0487 if [ ! -e /proc/sys/net/vrf/strict_mode ]; then
0488         echo "SKIP: vrf sysctl does not exist"
0489         exit $ksft_skip
0490 fi
0491
0492 cleanup &>/dev/null
0493
0494 setup
0495
0496 router_tests
0497 host2gateway_tests
0498 host_vpn_tests
0499 host_vpn_isolation_tests
0500
0501 print_log_test_results
0502
0503 cleanup &>/dev/null
0504
0505 exit ${ret}