5 # Part of NetDEF Topology Tests
7 # Copyright (c) 2020 by Volta Networks
9 # Permission to use, copy, modify, and/or distribute this software
10 # for any purpose with or without fee is hereby granted, provided
11 # that the above copyright notice and this permission notice appear
14 # THE SOFTWARE IS PROVIDED "AS IS" AND NETDEF DISCLAIMS ALL WARRANTIES
15 # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
16 # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL NETDEF BE LIABLE FOR
17 # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY
18 # DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
19 # WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
20 # ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
25 test_bgp_auth.py: Test BGP Md5 Authentication
29 | +------| R1 |------+ |
35 | R2 |------------| R3 |
40 setup is 3 routers with 3 links between each each link in a different vrf
41 Default, blue and red respectively
42 Tests check various fiddling with passwords and checking that the peer
43 establishment is as expected and passwords are not leaked across sockets
46 # pylint: disable=C0413
52 from time
import sleep
55 from lib
import common_config
, topotest
56 from lib
.common_config
import (
57 save_initial_config_on_routers
,
58 reset_with_new_configs
,
60 from lib
.topogen
import Topogen
, TopoRouter
, get_topogen
62 pytestmark
= [pytest
.mark
.bgpd
, pytest
.mark
.ospfd
]
64 CWD
= os
.path
.dirname(os
.path
.realpath(__file__
))
72 tgen
.add_link(tgen
.gears
["R1"], tgen
.gears
["R2"])
73 tgen
.add_link(tgen
.gears
["R1"], tgen
.gears
["R3"])
74 tgen
.add_link(tgen
.gears
["R2"], tgen
.gears
["R3"])
75 tgen
.add_link(tgen
.gears
["R1"], tgen
.gears
["R2"])
76 tgen
.add_link(tgen
.gears
["R1"], tgen
.gears
["R3"])
77 tgen
.add_link(tgen
.gears
["R2"], tgen
.gears
["R3"])
78 tgen
.add_link(tgen
.gears
["R1"], tgen
.gears
["R2"])
79 tgen
.add_link(tgen
.gears
["R1"], tgen
.gears
["R3"])
80 tgen
.add_link(tgen
.gears
["R2"], tgen
.gears
["R3"])
83 def setup_module(mod
):
84 "Sets up the pytest environment"
85 # This function initiates the topology build with Topogen...
86 tgen
= Topogen(build_topo
, mod
.__name
__)
87 # ... and here it calls Mininet initialization functions.
95 r1
.cmd_raises("ip link add blue type vrf table 1001")
96 r1
.cmd_raises("ip link set up dev blue")
97 r2
.cmd_raises("ip link add blue type vrf table 1001")
98 r2
.cmd_raises("ip link set up dev blue")
99 r3
.cmd_raises("ip link add blue type vrf table 1001")
100 r3
.cmd_raises("ip link set up dev blue")
102 r1
.cmd_raises("ip link add lo1 type dummy")
103 r1
.cmd_raises("ip link set lo1 master blue")
104 r1
.cmd_raises("ip link set up dev lo1")
105 r2
.cmd_raises("ip link add lo1 type dummy")
106 r2
.cmd_raises("ip link set up dev lo1")
107 r2
.cmd_raises("ip link set lo1 master blue")
108 r3
.cmd_raises("ip link add lo1 type dummy")
109 r3
.cmd_raises("ip link set up dev lo1")
110 r3
.cmd_raises("ip link set lo1 master blue")
112 r1
.cmd_raises("ip link set R1-eth2 master blue")
113 r1
.cmd_raises("ip link set R1-eth3 master blue")
114 r2
.cmd_raises("ip link set R2-eth2 master blue")
115 r2
.cmd_raises("ip link set R2-eth3 master blue")
116 r3
.cmd_raises("ip link set R3-eth2 master blue")
117 r3
.cmd_raises("ip link set R3-eth3 master blue")
119 r1
.cmd_raises("ip link set up dev R1-eth2")
120 r1
.cmd_raises("ip link set up dev R1-eth3")
121 r2
.cmd_raises("ip link set up dev R2-eth2")
122 r2
.cmd_raises("ip link set up dev R2-eth3")
123 r3
.cmd_raises("ip link set up dev R3-eth2")
124 r3
.cmd_raises("ip link set up dev R3-eth3")
127 r1
.cmd_raises("ip link add red type vrf table 1002")
128 r1
.cmd_raises("ip link set up dev red")
129 r2
.cmd_raises("ip link add red type vrf table 1002")
130 r2
.cmd_raises("ip link set up dev red")
131 r3
.cmd_raises("ip link add red type vrf table 1002")
132 r3
.cmd_raises("ip link set up dev red")
134 r1
.cmd_raises("ip link add lo2 type dummy")
135 r1
.cmd_raises("ip link set lo2 master red")
136 r1
.cmd_raises("ip link set up dev lo2")
137 r2
.cmd_raises("ip link add lo2 type dummy")
138 r2
.cmd_raises("ip link set up dev lo2")
139 r2
.cmd_raises("ip link set lo2 master red")
140 r3
.cmd_raises("ip link add lo2 type dummy")
141 r3
.cmd_raises("ip link set up dev lo2")
142 r3
.cmd_raises("ip link set lo2 master red")
144 r1
.cmd_raises("ip link set R1-eth4 master red")
145 r1
.cmd_raises("ip link set R1-eth5 master red")
146 r2
.cmd_raises("ip link set R2-eth4 master red")
147 r2
.cmd_raises("ip link set R2-eth5 master red")
148 r3
.cmd_raises("ip link set R3-eth4 master red")
149 r3
.cmd_raises("ip link set R3-eth5 master red")
151 r1
.cmd_raises("ip link set up dev R1-eth4")
152 r1
.cmd_raises("ip link set up dev R1-eth5")
153 r2
.cmd_raises("ip link set up dev R2-eth4")
154 r2
.cmd_raises("ip link set up dev R2-eth5")
155 r3
.cmd_raises("ip link set up dev R3-eth4")
156 r3
.cmd_raises("ip link set up dev R3-eth5")
158 r1
.cmd_raises("sysctl -w net.ipv4.tcp_l3mdev_accept=1")
159 r2
.cmd_raises("sysctl -w net.ipv4.tcp_l3mdev_accept=1")
160 r3
.cmd_raises("sysctl -w net.ipv4.tcp_l3mdev_accept=1")
162 # This is a sample of configuration loading.
163 router_list
= tgen
.routers()
165 # For all registered routers, load the zebra configuration file
166 for rname
, router
in router_list
.items():
167 router
.load_config(TopoRouter
.RD_ZEBRA
, "zebra.conf")
168 router
.load_config(TopoRouter
.RD_OSPF
)
169 router
.load_config(TopoRouter
.RD_BGP
)
171 # After copying the configurations, this function loads configured daemons.
174 # Save the initial router config. reset_config_on_routers will return to this config.
175 save_initial_config_on_routers(tgen
)
178 def teardown_module(mod
):
179 "Teardown the pytest environment"
182 # This function tears down the whole topology.
190 vrf_str
= "vrf {}".format(vrf
)
195 def peer_name(rtr
, prefix
, vrf
):
196 "generate VRF string for CLI"
204 return "TWO_GROUP" + vrf_str
206 return "THREE_GROUP" + vrf_str
215 "print failure disagnostics"
218 router_list
= tgen
.routers()
219 for rname
, router
in router_list
.items():
221 print(router
.vtysh_cmd("show run"))
222 print(router
.vtysh_cmd("show ip route {}".format(vrf_str(vrf
))))
223 print(router
.vtysh_cmd("show bgp {} neighbor".format(vrf_str(vrf
))))
226 @common_config.retry(retry_timeout
=190)
227 def _check_neigh_state(router
, peer
, state
, vrf
=""):
228 "check BGP neighbor state on a router"
230 neigh_output
= router
.vtysh_cmd(
231 "show bgp {} neighbors {} json".format(vrf_str(vrf
), peer
)
234 peer_state
= "Unknown"
235 neigh_output_json
= json
.loads(neigh_output
)
236 if peer
in neigh_output_json
:
237 peer_state
= neigh_output_json
[peer
]["bgpState"]
238 if peer_state
== state
:
240 return "{} peer with {} expected state {} got {} ".format(
241 router
.name
, peer
, state
, peer_state
245 def check_neigh_state(router
, peer
, state
, vrf
=""):
246 "check BGP neighbor state on a router"
248 assertmsg
= _check_neigh_state(router
, peer
, state
, vrf
)
249 assert assertmsg
is True, assertmsg
252 def check_all_peers_established(vrf
=""):
253 "standard check for extablished peers per vrf"
256 r1
= tgen
.gears
["R1"]
257 r2
= tgen
.gears
["R2"]
258 r3
= tgen
.gears
["R3"]
259 # do r1 last as he might be the dynamic one
260 check_neigh_state(r2
, "1.1.1.1", "Established", vrf
)
261 check_neigh_state(r2
, "3.3.3.3", "Established", vrf
)
262 check_neigh_state(r3
, "1.1.1.1", "Established", vrf
)
263 check_neigh_state(r3
, "2.2.2.2", "Established", vrf
)
264 check_neigh_state(r1
, "2.2.2.2", "Established", vrf
)
265 check_neigh_state(r1
, "3.3.3.3", "Established", vrf
)
268 def check_vrf_peer_remove_passwords(vrf
="", prefix
="no"):
269 "selectively remove passwords checking state"
272 r1
= tgen
.gears
["R1"]
273 r2
= tgen
.gears
["R2"]
274 r3
= tgen
.gears
["R3"]
276 check_all_peers_established(vrf
)
279 "conf t\nrouter bgp 65001 {}\nno neighbor {} password".format(
280 vrf_str(vrf
), peer_name("R2", prefix
, vrf
)
284 check_neigh_state(r2
, "1.1.1.1", "Connect", vrf
)
285 check_neigh_state(r2
, "3.3.3.3", "Established", vrf
)
286 check_neigh_state(r3
, "1.1.1.1", "Established", vrf
)
287 check_neigh_state(r3
, "2.2.2.2", "Established", vrf
)
288 # don't check dynamic downed peers - they are removed
290 check_neigh_state(r1
, "2.2.2.2", "Connect", vrf
)
291 check_neigh_state(r1
, "3.3.3.3", "Established", vrf
)
294 "conf t\nrouter bgp 65002 {}\nno neighbor 1.1.1.1 password".format(vrf_str(vrf
))
296 check_all_peers_established(vrf
)
299 "conf t\nrouter bgp 65001 {}\nno neighbor {} password".format(
300 vrf_str(vrf
), peer_name("R3", prefix
, vrf
)
303 check_neigh_state(r2
, "1.1.1.1", "Established", vrf
)
304 check_neigh_state(r2
, "3.3.3.3", "Established", vrf
)
305 check_neigh_state(r3
, "1.1.1.1", "Connect", vrf
)
306 check_neigh_state(r3
, "2.2.2.2", "Established", vrf
)
307 check_neigh_state(r1
, "2.2.2.2", "Established", vrf
)
308 # don't check dynamic downed peers - they are removed
310 check_neigh_state(r1
, "3.3.3.3", "Connect", vrf
)
313 "conf t\nrouter bgp 65003 {}\nno neighbor 1.1.1.1 password".format(vrf_str(vrf
))
315 check_all_peers_established(vrf
)
318 "conf t\nrouter bgp 65002 {}\nno neighbor 3.3.3.3 password".format(vrf_str(vrf
))
320 check_neigh_state(r2
, "1.1.1.1", "Established", vrf
)
321 check_neigh_state(r2
, "3.3.3.3", "Connect", vrf
)
322 check_neigh_state(r3
, "1.1.1.1", "Established", vrf
)
323 check_neigh_state(r3
, "2.2.2.2", "Connect", vrf
)
324 check_neigh_state(r1
, "2.2.2.2", "Established", vrf
)
325 check_neigh_state(r1
, "3.3.3.3", "Established", vrf
)
328 "conf t\nrouter bgp 65003 {}\nno neighbor 2.2.2.2 password".format(vrf_str(vrf
))
330 check_all_peers_established(vrf
)
333 def check_vrf_peer_change_passwords(vrf
="", prefix
="no"):
334 "selectively change passwords checking state"
337 r1
= tgen
.gears
["R1"]
338 r2
= tgen
.gears
["R2"]
339 r3
= tgen
.gears
["R3"]
340 check_all_peers_established(vrf
)
343 "conf t\nrouter bgp 65001 {}\nneighbor {} password change1".format(
344 vrf_str(vrf
), peer_name("R2", prefix
, vrf
)
347 check_neigh_state(r2
, "1.1.1.1", "Connect", vrf
)
348 check_neigh_state(r2
, "3.3.3.3", "Established", vrf
)
349 check_neigh_state(r3
, "1.1.1.1", "Established", vrf
)
350 check_neigh_state(r3
, "2.2.2.2", "Established", vrf
)
351 # don't check dynamic downed peers - they are removed
353 check_neigh_state(r1
, "2.2.2.2", "Connect", vrf
)
354 check_neigh_state(r1
, "3.3.3.3", "Established", vrf
)
357 "conf t\nrouter bgp 65002 {}\nneighbor 1.1.1.1 password change1".format(
361 check_all_peers_established(vrf
)
364 "conf t\nrouter bgp 65001 {}\nneighbor {} password change2".format(
365 vrf_str(vrf
), peer_name("R3", prefix
, vrf
)
368 check_neigh_state(r2
, "1.1.1.1", "Established", vrf
)
369 check_neigh_state(r2
, "3.3.3.3", "Established", vrf
)
370 check_neigh_state(r3
, "1.1.1.1", "Connect", vrf
)
371 check_neigh_state(r3
, "2.2.2.2", "Established", vrf
)
372 check_neigh_state(r1
, "2.2.2.2", "Established", vrf
)
373 # don't check dynamic downed peers - they are removed
375 check_neigh_state(r1
, "3.3.3.3", "Connect", vrf
)
378 "conf t\nrouter bgp 65003 {}\nneighbor 1.1.1.1 password change2".format(
382 check_all_peers_established(vrf
)
385 "conf t\nrouter bgp 65002 {}\nneighbor 3.3.3.3 password change3".format(
389 check_neigh_state(r2
, "1.1.1.1", "Established", vrf
)
390 check_neigh_state(r2
, "3.3.3.3", "Connect", vrf
)
391 check_neigh_state(r3
, "1.1.1.1", "Established", vrf
)
392 check_neigh_state(r3
, "2.2.2.2", "Connect", vrf
)
393 check_neigh_state(r1
, "2.2.2.2", "Established", vrf
)
394 check_neigh_state(r1
, "3.3.3.3", "Established", vrf
)
397 "conf t\nrouter bgp 65003 {}\nneighbor 2.2.2.2 password change3".format(
401 check_all_peers_established(vrf
)
404 def test_vrf_prefix_peer_established(tgen
):
405 "default vrf 3 peers same password with VRF prefix config"
407 # only supported in kernel > 5.3
408 if topotest
.version_cmp(platform
.release(), "5.3") < 0:
411 reset_with_new_configs(tgen
, "bgpd_vrf_prefix.conf", "ospfd_vrf.conf")
412 check_all_peers_established("blue")
415 def test_vrf_prefix_peer_remove_passwords(tgen
):
416 "selectively remove passwords checking state with VRF prefix config"
418 # only supported in kernel > 5.3
419 if topotest
.version_cmp(platform
.release(), "5.3") < 0:
422 reset_with_new_configs(tgen
, "bgpd_vrf_prefix.conf", "ospfd_vrf.conf")
423 check_vrf_peer_remove_passwords(vrf
="blue", prefix
="yes")
426 def test_vrf_prefix_peer_change_passwords(tgen
):
427 "selectively change passwords checking state with VRF prefix config"
429 # only supported in kernel > 5.3
430 if topotest
.version_cmp(platform
.release(), "5.3") < 0:
433 reset_with_new_configs(tgen
, "bgpd_vrf_prefix.conf", "ospfd_vrf.conf")
434 check_vrf_peer_change_passwords(vrf
="blue", prefix
="yes")
437 def test_multiple_vrf_peer_established(tgen
):
438 "default vrf 3 peers same password with multiple VRFs"
440 reset_with_new_configs(tgen
, "bgpd_multi_vrf.conf", "ospfd_multi_vrf.conf")
441 check_all_peers_established("blue")
442 check_all_peers_established("red")
445 def test_multiple_vrf_peer_remove_passwords(tgen
):
446 "selectively remove passwords checking state with multiple VRFs"
448 reset_with_new_configs(tgen
, "bgpd_multi_vrf.conf", "ospfd_multi_vrf.conf")
449 check_vrf_peer_remove_passwords("blue")
450 check_all_peers_established("red")
451 check_vrf_peer_remove_passwords("red")
452 check_all_peers_established("blue")
455 def test_memory_leak(tgen
):
456 "Run the memory leak test and report results."
457 if not tgen
.is_memleak_enabled():
458 pytest
.skip("Memory leak test/report is disabled")
460 tgen
.report_memory_leaks()
463 if __name__
== "__main__":
464 args
= ["-s"] + sys
.argv
[1:]
465 sys
.exit(pytest
.main(args
))