[strongSwan] [Strongswan test series] new DSCP tests
LACROIX Jean-Marc
jean-marc.lacroix at thalesgroup.com
Tue May 22 19:06:13 CEST 2012
Hello,
Foremost we want you to know that we appreciate strongSwan a lot, and we congratulate you for this software.
This is very useful and we particularly appreciate your automated test suites.
As part of QoS measurement on Cisco routers, we decided to check on your testing environment the behavior of the DSCP field through IPSec hosts referring to the appropriate RFCs.
The DSCP values are totally arbitrary in our tests. In order to complete your test suites we share our own test scenarios hoping that they may interest you. We launched and passed them with strongSwan 4.6.2 and 4.6.3.
There are 7 test scenarios that we introduce you below. In order to simplify the explanations we call A and B the concerned hosts and G the gateway between them.
1° It is a simple ping between A and B via G.
No IPSec, no iptables rules.
It checks that the value of the DSCP field is 0 (by default).
2° It is a ping between A and B via G.
No IPSec. Iptables rule for A: the DSCP field of its outbound ICMP packets is 1.
It checks that the ToS field of the ICMP packets between A and B is 4: bits 7-2 of the IPv4 header ToS octet represent the DSCP field (RFC 2474) and bits 1-0 are 0 by default, so we have the relation ToS=DSCP*4 with DSCP in decimal form.
3° It is a ping from A to B through an IPSec tunnel between A and G. Tunnel mode is used.
Iptables rule for A: the DSCP field of its outbound ICMP packets is 2.
It checks:
- the established tunnel;
- the ToS field of the ICMP packets is 8;
- the DSCP field of the ESP packets is copied from their inner header:
    "IPv4 -- Header Construction for Tunnel Mode
                            <-- How Outer Hdr Relates to Inner Hdr -->
                          Outer Hdr at                 Inner Hdr at
        IPv4              Encapsulator                 Decapsulator
          Header fields:  --------------------         ------------
          (...)
          TOS             copied from inner hdr (5)    no change"
  (RFC 2401, paragraph 5.1.2.1).
4° Two IPSec tunnels are defined between A and G. Two traffics (ICMP and HTTP) are generated between A and B, with 2 different values for the DSCP field. Tunnel mode is used.
Iptables rules for A: the DSCP field of its outbound ICMP packets is 3 and the one of its TCP-based HTTP packets is 1.
It checks:
- the established tunnels;
- the ToS fields of the packets are the ones imposed previously (the DSCP field of the TCP-based HTTP packets sent by B is 0 since B entered no iptables rule);
- the DSCP field of the ESP packets is taken from their inner header.
5° Same as 4° but here the DSCP field of the ESP packets is forced to 2.
6° Same as 4° but here B enters an iptables rule too: the DSCP field of its outbound TCP-based HTTP packets is 1, so that the outgoing and incoming TCP-based HTTP packets between A and B have the same DSCP field value.
7° Same as 6° but in transport mode.
We want you to know that we also added a little modification in the script do-tests.in. This modification concerns only our tests dscp/*. In fact, for these scenarios, verbose mode is necessary for the tcpdump command to check the ToS field. We also restricted the flow to ICMP, ESP and HTTP and we rejected the flow towards winnetou, in order to have moderate tcpdump captures.
The tarball of our git tree containing only the directory of our test scenarios (named "dscp") and the modified script do-tests.in is attached.
You just have to extract it with the command tar xvjf dscp_tests.tar.bz2, then the directory testing/tests/dscp and the script testing/do-tests.in will be installed. Finally you can launch the tests as usual.
Andreas, would it be possible for you to integrate our tests in the mainstream test series?
Best regards,
Jean-Marc & Stephanie
--
Jean-Marc.LACROIX at fr.thalesgroup.com
THALES Communications
160 Bd de Valmy, 92704 Colombes
DSC/FR/OPS/SAT/T&A
Tel : +33 (0)1 41 30 22 85
Gsm : +33 (0)6 82 29 98 66
Fax : +33 (0)1 41 30 31 71
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dscp_tests.tar.bz2
Type: application/octet-stream
Size: 10971 bytes
Desc: dscp_tests.tar.bz2
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120522/d972f1bf/attachment.obj>
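Added example (not part of this message nor of strongSwan's test scripts): a small Python checker that reads the `tos` value from tcpdump verbose-mode header lines and verifies the tunnel-mode relation the scenarios above rely on, i.e. that the DSCP of the ESP packets is copied from the inner header (scenario 3) and that the relation is deliberately broken when the ESP DSCP is forced (scenario 5). The captures are constructed; timestamps, addresses and SPIs are made up.

```python
import re
from typing import List

# Constructed `tcpdump -v` excerpt modelled on scenario 3 above: A marks its
# ICMP packets with DSCP 2 (ToS 0x8) and the ESP packet A -> G carries the
# same ToS because tunnel mode copies it from the inner header. Not a real capture.
SAMPLE_COPIED = """\
12:00:00.000001 IP (tos 0x8, ttl 64, id 1, offset 0, flags [DF], proto ICMP (1), length 84)
    10.1.0.10 > 10.2.0.10: ICMP echo request, id 1, seq 1, length 64
12:00:00.000002 IP (tos 0x8, ttl 64, id 2, offset 0, flags [DF], proto ESP (50), length 136)
    192.168.0.1 > 192.168.0.2: ESP(spi=0xc0000001,seq=0x1), length 116
"""

# Constructed excerpt modelled on scenario 5: ICMP marked DSCP 3 (ToS 0xc) but
# the ESP packets forced to DSCP 2 (ToS 0x8), so the copy relation must NOT hold.
SAMPLE_FORCED = """\
12:00:00.000001 IP (tos 0xc, ttl 64, id 1, offset 0, flags [DF], proto ICMP (1), length 84)
    10.1.0.10 > 10.2.0.10: ICMP echo request, id 1, seq 1, length 64
12:00:00.000002 IP (tos 0x8, ttl 64, id 2, offset 0, flags [DF], proto ESP (50), length 136)
    192.168.0.1 > 192.168.0.2: ESP(spi=0xc0000001,seq=0x1), length 116
"""

# Matches the header line tcpdump prints in verbose mode: "IP (tos 0x8, ..., proto ESP (50), ..."
HEADER_RE = re.compile(r"IP \(tos 0x([0-9a-fA-F]+),.*proto (\w+) \(\d+\)")

def dscp_from_tos(tos: int) -> int:
    """Bits 7-2 of the ToS octet are the DSCP (RFC 2474); bits 1-0 are ECN."""
    return tos >> 2

def expected_tos(dscp: int) -> int:
    """The ToS = DSCP * 4 relation used in the tests (ECN bits left at 0)."""
    return dscp << 2

def parse_tcpdump(text: str) -> List[dict]:
    """One {'proto': 'ICMP'|'ESP'|..., 'tos': int} record per IP header line."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            records.append({"proto": m.group(2), "tos": int(m.group(1), 16)})
    return records

def esp_copies_inner_dscp(records: List[dict], inner_proto: str = "ICMP") -> bool:
    """Tunnel-mode check (RFC 2401 5.1.2.1): every DSCP seen on the ESP packets
    must be one that was seen on the plaintext packets they encapsulate."""
    inner = {dscp_from_tos(r["tos"]) for r in records if r["proto"] == inner_proto}
    outer = {dscp_from_tos(r["tos"]) for r in records if r["proto"] == "ESP"}
    return bool(inner) and bool(outer) and outer <= inner
```

For scenario 4, call `esp_copies_inner_dscp` once per plaintext protocol (ICMP and TCP) on the same capture; an empty capture or a capture with no ESP packets is reported as a failed check rather than a pass.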