- Question regarding configuration for IPv6 stateful testing. Running version 2.27 using Mellanox Connect-X4 100Gps NICs
- Ran stateful tests against a firewall with IPv4 very successfully. The trex_cfg.yaml file contains:
- port_limit: 2
version: 2
interfaces: ['03:00.0', '03:00.1']
port_info:
- ip: 131.247.125.10
default_gw: 131.247.125.11
- ip: 131.247.126.10
default_gw: 131.247.126.11
platform:
master_thread_id: 0
latency_thread_id: 1
dual_if:
- socket: 0
threads: [2,4,6,8,10,12,14,16,18]
And using the stock cap2/sfr_agg_tcp14_udp11_http200msec_new_high_new_nir_profile_ipg_mix.yaml file with only the client and server addresses modified to:
| clients_start : "16.0.0.1" | |
| clients_end : "16.14.255.255" | |
| servers_start : "48.0.0.1" | |
| servers_end : "48.14.255.255" |
The cli used for the tests was:
# ./t-rex-64 -f cap2/sfr_agg_tcp14_udp11_http200msec_new_high_new_nir_profile_ipg_mix.yaml -m 55 -d 600 -e -c 9
For the tests involved IPv6, modified the cap2/sfr_agg_tcp14_udp11_http200msec_new_high_new_nir_profile_ipg_mix.yaml with these additional lines:
src_ipv6 : [0x2607,0xfe50,0x0000,0xf802,0x0000,0x0000]
dst_ipv6 : [0x2607,0xfe50,0x0000,0xf803,0x0000,0x0000]
And the cli used was:
# ./t-rex-64 -f cap2/sfr_agg_tcp14_udp11_http200msec_new_high_new_nir_profile_ipg_mix.yaml -m 55 -d 600 -e -c 9 --ipv6
set up the firewall DUT with static routes and NDP entries for the IPv6 prefixes so that traffic would be properly forwarded (which it is based on captures I've done of the traffic). Under v4 the '-e' flag made sure that the traffic sourced from NIC0 was from the client IP range and the traffic sourced from NIC1 was from the server range (so the firewall was happy with outside and inside addresses it saw).
But, for the v6 testing, the source v6 addresses are keeping the 16.0.0.0/12 IPv4 encoded addresses coming from NIC0 as you can see below, but showing a mix of v6 prefixes coming from that NIC instead of just the 2607:fe50:0:f802::/64 prefix. Have configured as the source (this is a capture of packets transmitted by NIC0):
62 0.205888089 2607:fe50:0:f802::1003:557a -> 2607:fe50:0:f803::3003:557a TCP 78 1025 > 443 [ACK] Seq=1 Ack=1 Win=32768 Len=0
63 0.205898872 2607:fe50:0:f803::1003:55b5 -> 2607:fe50:0:f802::3003:55b5 TCP 1538 [TCP segment of a reassembled PDU]
<-------Logs - Removed------------->
69 0.205926516 2607:fe50:0:f803::1008:55b1 -> 2607:fe50:0:f802::3008:55b1 TCP 1538 [TCP Previous segment not captured] [TCP segment of a reassem
Seems like the -e flag isn't using the src_ipv6 prefix for NIC0 for source addresses and flipping that to the dst_ipv6 prefix as the source addresses for NIC1 like it does for IPv4 testing.
Did you test without -e CLI. Are your profile include UDP one packet. -e should not be use anymore given our Stateless support.
Can you test it with out cap2/simple_http.yaml
Tried the original cap2/sfr_agg_tcp14_udp11_http200msec_new_high_new_nir_profile_ipg_mix.yaml config without the '-e' option and still saw the mixing of source prefixes coming from NIC0:
753 0.038209464 2607:fe50:0:f802::1006:32d3 -> 2607:fe50:0:f803::3006:32d3 UDP 76 Source port: 1032 Destination port: 10000 [ILLEGAL CHECKSUM (0)]
754 0.038220503 2607:fe50:0:f803::3006:232e -> 2607:fe50:0:f802::1006:232e TCP 98 1494 > 1039 [PSH, ACK] Seq=1 Ack=1 Win=32768 Len=20
Also seeing a mix of client (:1006:) and server (:3006:) IPv4 encoded hosts but that doesn't really matter since it's the host portion. The /64 prefix is the bigger issue since the firewall being tested sees the server-addressed prefix as a spoofed packet when coming from the client side of the firewall.
Couldn't find a cap2/simple_http.yaml, but did find http_simple.yaml and tried that one (with the addition of these lines):
src_ipv6 : [0x2607,0xfe50,0x0000,0xf802,0x0000,0x0000]
dst_ipv6 : [0x2607,0xfe50,0x0000,0xf803,0x0000,0x0000]
Using this CLI I'm still seeing mixed source prefixes:
# ./t-rex-64 -f cap2/http_simple.yaml -m 55 -d 600 --ipv6 -c 9
763 2.826488587 2607:fe50:0:f803::3000:aaa9 -> 2607:fe50:0:f802::1000:ab TCP 1538 [TCP segment of a reassembled PDU]
764 2.826489107 2607:fe50:0:f802::1000:1f -> 2607:fe50:0:f803::3000:1c74 TCP 74 1024 > 80 [ACK] Seq=250 Ack=17521 Win=32768 Len=0
So, still seeing the mixed prefixes as well as the mixed host addresses without the -e option.
As mentioned using a yaml file with UDP flows. So modified cap2/imix_fast_1g_100k_flows.yaml to include the v6 addresses and ran it with ./t-rex-64 -f cap2/imix_fast_1g_100k_flows.yaml -m 55 -d 600 --ipv6 -c 9. That seemed to work just fine:
49 6.381512150 2607:fe50:0:f802::100b:d04d -> 2607:fe50:0:f803::300b:d04d UDP 1534 Source port: 1024 Destination port: 2001 [ILLEGAL CHECKSUM (0)]
Both the prefix and the IPv4 encoded host portions were correct. So is there a way to make this work for the TCP flows
# ./t-rex-64 -v
Version : v2.27
DPDK version : DPDK 17.02.0-rc3
User : hhaim
Date : Jun 18 2017 , 10:54:07
Uuid : 37c1c20c-53fb-11e7-8930-0006f62b3e88
Git SHA : 7d0fb503142103a36968206bf9727e55144bef9c
This bug was fixed in v2.24 see here
Looking into the fix,
Could you do test
Try cap2/http_simple_ipv6.yaml and change default ipv6 src/dst in the file to your need.
This file is used in our unit-test so it must work
The captures weren't correct. Had left over source-interface statement in the monitor configuration which caused to see both sides of the traffic instead of just the traffic sourced from NIC0. Removing the '-e' from the cli was indeed the complete fix.
With that removed, NIC0 is sourcing only the 2607:fe50:0:f802 prefix and NIC1 is sourcing only the :f803 prefix. It of course works with the prefixes in the stock cap2/http_simple_ipv6.yaml file as well.
Just for information our forum
https://groups.google.com/forum/m/#!forum/trex-tgn
Is more active with much more registered users, so you will probably get answer faster there.
We are using the devNet mainly for jive blogs
Comments
0 comments
Please sign in to leave a comment.