Plugin examples: SR-ISIS TE with (attempted) MACsec encryption (#3)

Co-authored-by: Jeroen van Bemmel <[email protected]>

Author: jbemmel

routing/sr-isis-te/README.md

@@ -0,0 +1,25 @@
+# L2 example: ePipe service over SR-ISIS with Traffic Engineering and MACsec
+
+See [original use case by Derek Cheung](https://medium.com/r/?url=https%3A%2F%2Fderekcheung.medium.com%2Fsegment-routing-b69f6ea2e3f5)
+
+Netsim-Tools release 1.0.6 introduces support for [custom plugins](https://github.com/ipspace/netsim-tools/blob/master/docs/plugins.md).
+This example illustrates 3 of them:
+* An MPLS-TE plugin to define custom MPLS paths
+* An SDP ePipe plugin to build ePipe services
+* A MACSEC plugin to configure security parameters
+
+All plugins are relatively simple, by design; following the [Unix philosophy](https://en.wikipedia.org/wiki/Unix_philosophy):
+* Make each program do one thing well. To do a new job, build afresh rather than complicate old programs by adding new "features".
+* Expect the output of every program to become the input to another, as yet unknown, program. Don't clutter output with extraneous information. Avoid stringently columnar or binary input formats. Don't insist on interactive input.
+* Design and build software, even operating systems, to be tried early, ideally within weeks. Don't hesitate to throw away the clumsy parts and rebuild them.
+* Use tools in preference to unskilled help to lighten a programming task, even if you have to detour to build the tools and expect to throw some of them out after you've finished using them.
+
+## Modeling extended L2 segments
+This use case is different in that it models an extended L2 service: Host 1 and host 2 are both on the same subnet,
+separated by an MPLS network topology that features a traffic-engineered ePipe service over SR-ISIS.
+
+Netsim-Tools currently assumes 'atomic' links, i.e. different links are assigned different prefixes from a pool.
+This example uses custom manual addressing; including these concepts in Netsim-Tools is FFS.
+
+## MACsec: For Future Study / work in progress
+Note that the MACsec association doesn't currently work in this setup: MACsec is designed for hop-by-hop security, and this multi-hop MPLS scenario requires more thought/knobs.

routing/sr-isis-te/epipe.py

@@ -0,0 +1,19 @@
+from box import Box
+
+def post_transform(topo: Box) -> None:
+  """
+  Processes links with 'epipe' attribute, and resolves to the loopback IP of the peer
+  """
+  print( f"JvB epipe post_transform" )
+
+  # Need to modify node.links, not global topo.links
+  for node in topo.nodes.values():
+   for link in node.links: # topo.links:
+    if 'epipe' in link:
+       peer = topo.nodes[ link.epipe ].loopback.ipv4
+       print( f"JvB: Resolved {link.epipe} to {peer}" )
+       link.epipe_peer = peer
+
+  # Check consistency of models
+  # print( f"POST: nodes={topo.nodes}" )
+  # print( f"POST: links={topo.links}" )

routing/sr-isis-te/macsec.j2

@@ -0,0 +1,24 @@
+{# assumes addressing pools are extended with MACsec parameters #}
+updates:
+{% for l in links if l.type=='lan' and 'macsec' in pools['lan'] %}
+{% set macsec = pools['lan'].macsec %}
+{% set port_id = l.ifname + ('/1' if 'c' in l.ifname else '') %}
+{% set ca_name = "to-%s" | format( l.epipe|default('wherever') ) %}
+- path: configure/macsec/connectivity-association[ca-name={{ ca_name }}]
+  val:
+   admin-state: enable
+   macsec-encrypt: True
+   static-cak:
+    pre-shared-key:
+    - psk-id: 1
+      encryption-type: aes-128-cmac
+      cak: {{ macsec.cak }}
+      cak-name: {{ macsec.cak_name }}
+
+- path: configure/port[port-id={{port_id}}]/ethernet/dot1x/macsec/sub-port[sub-port-id=1]
+  val:
+   admin-state: disable # Disable for now, still missing some way to establish multi-hop MACsec
+   ca-name: "{{ ca_name }}"
+   max-peers: 1
+
+{% endfor %}

routing/sr-isis-te/mpls-te-path.j2

@@ -0,0 +1,41 @@
+{# epipe modeled as a virtual link between r1-r4 #}
+updates:
+{% for l in links if 'te_path_ips' in l %}
+{% set lsp_name = "lsp_" + l.traffic_engineering_path|join('-') + "-TE" %}
+- path: configure/router[router-name=Base]/mpls
+  val:
+   admin-state: enable
+   path:
+   - path-name: "{{ l.traffic_engineering_path|join('-') }}-TE-strict"
+     admin-state: enable
+     hop:
+{%   for ip in l.te_path_ips %}
+     - hop-index: {{ loop.index }}
+       ip-address: "{{ ip|ipaddr('address') }}"
+       type: strict
+{%   endfor %}
+
+   lsp:
+   - lsp-name: "{{ lsp_name }}"
+     admin-state: enable
+     type: p2p-sr-te
+     to: "{{ l.te_path_ips[-1]|ipaddr('address') }}"
+     primary:
+     - path-name: "{{ l.traffic_engineering_path|join('-') }}-TE-strict"
+
+{# Activate the LSP path, disabling the SR-ISIS shortest IGP path #}
+- path: configure/service/sdp[sdp-id={{l.ifindex}}]
+  val:
+   sr-isis: False
+   lsp:
+   - lsp-name: "{{ lsp_name }}"
+
+{% endfor %}
+
+# RSVP must be present along with mpls, even though it is not used here
+- path: configure/router[router-name=Base]/rsvp
+  val: {}
+
+# Remove system interface from MPLS
+delete:
+- configure/router[router-name=Base]/mpls/interface[interface-name=system]

routing/sr-isis-te/mpls-te.py

@@ -0,0 +1,25 @@
+from box import Box
+from netsim import common
+
+def post_transform(topo: Box) -> None:
+  """
+  Processes links with 'traffic-engineering-path' attribute, and resolves
+  the loopback IPs of the peers included in the path
+  """
+  print( f"JvB mpls-te post_transform" )
+
+  # Need to modify node.links, not global topo.links
+  for node in topo.nodes.values():
+   for link in node.links: # topo.links:
+    if 'traffic_engineering_path' in link:
+       te_path_ips = []
+       for node in link.traffic_engineering_path:
+         if node not in topo.nodes:
+             common.error( f"Invalid node in TE-path: {node}", module='mpls-te')
+             continue
+         te_path_ips.append( topo.nodes[ node ].loopback.ipv4 )
+       link.te_path_ips = te_path_ips
+
+  # Check consistency of models
+  # print( f"POST: nodes={topo.nodes}" )
+  # print( f"POST: links={topo.links}" )

routing/sr-isis-te/sdp-epipe.j2

@@ -0,0 +1,36 @@
+{# epipe modeled as a virtual link between r1-r4 #}
+updates:
+{% for l in links if 'epipe_peer' in l %}
+{% set peer=l.epipe_peer|ipaddr('address') %}
+- path: configure/router[router-name=Base]/ldp
+  val:
+   admin-state: enable
+   targeted-session:
+    peer:
+    - ip-address: "{{ peer }}"
+
+- path: configure/service/sdp[sdp-id={{l.ifindex}}]
+  val:
+   admin-state: enable
+   delivery-type: mpls
+   sr-isis: True
+   far-end:
+    ip-address: "{{ peer }}"
+
+# Note: could set md-auto-id service range
+{% set svc_id = 100 + l.ifindex %}
+- path: configure/service/epipe[service-name=to-{{l.epipe}}]
+  val:
+   admin-state: enable
+   customer: "1"
+   service-id: {{ svc_id }}
+   spoke-sdp:
+   - sdp-bind-id: "{{ l.ifindex }}:{{ svc_id }}"
+     admin-state: enable
+     # Could enable BFD here too...
+   sap:
+   - sap-id: "{{ l.ifname }}{{ '/1' if 'c' in l.ifname else '' }}"
+     admin-state: enable
+{% endfor %}
+
+{# FFS: MACsec encryption #}

routing/sr-isis-te/topology.yml

@@ -0,0 +1,109 @@
+#
+# Inspired by https://derekcheung.medium.com/segment-routing-b69f6ea2e3f5
+# this topology demonstrates SR-ISIS between SROS devices,
+# including Loop-Free-Alternative and MPLS-TE use cases
+#
+# The goal: demonstrate the power of networking
+#
+
+provider: clab
+
+module: [ bfd, isis, sr ]
+
+plugin: [ epipe, mpls-te ]
+
+defaults:
+  # custom_link_types: [ epipe ]
+  device: sros
+  devices:
+   sros:
+     # interface_name: 1/1/%d # sr-a4 does not use connectors
+     interface_name: 1/x1/1/c%d # sr-1s use connectors and XIOM
+  providers:
+    clab:
+      devices:
+        srlinux:
+          provider_type: ixr6  # Need IXR for MPLS support
+        sros:
+          provider_type: sr-1s-macsec # Added to vrnetlab to support macsec
+
+isis.traffic_engineering: True
+isis.loop_free_alternate: True
+
+addressing:
+  lan:
+    ipv4: 192.168.1.0/24 # "Must be longer than /24"
+    macsec: # Custom parameters used by macsec plugin, ends up in group_vars
+     cak: "228ef255aa23ff6729ee664acb66e91f"
+     cak_name: "37c9c2c45ddd012aa5bc8ef284aa23ff6729ee2e4acb66e91fe34ba2cd9fe311"
+
+groups:
+  sros:
+    members: [ r1,r4 ]
+    config: [ sdp-epipe.j2, macsec.j2 ]
+  srlinux:
+    members: [ r2,r3 ]
+  hosts:
+    members: [ h1,h2 ]
+
+nodes:
+  # Edge router
+  r1:
+    device: sros
+    license: /Projects/SR_OS_VSR-SIM_license.txt
+    config: [ mpls-te-path.j2 ]
+
+  # Core routers (future SRL), need sros for SR-TE and Adj SIDs
+  r2:
+    device: sros
+    license: /Projects/SR_OS_VSR-SIM_license.txt
+  r3:
+    device: sros
+    license: /Projects/SR_OS_VSR-SIM_license.txt
+
+  r4:
+    device: sros
+    license: /Projects/SR_OS_VSR-SIM_license.txt
+
+  # Hosts connected via L2 ePipe
+  h1:
+    device: linux
+    module: []
+  h2:
+    device: linux
+    module: []
+
+links:
+# Core links
+- r1-r2
+- r1-r3
+- r2-r3
+- r2-r4
+- r3-r4
+
+- type: lan
+  # role: lan cannot use this, assigns different prefixes from pool
+  prefix: 192.168.1.0/24
+  r1:
+    ipv4: False
+    epipe: r4
+    traffic_engineering_path: [ r3, r2, r4 ]
+  h1:
+    ipv4: 1 # Relative IP addressing offset into prefix
+
+- type: lan
+  # role: lan
+  prefix: 192.168.1.0/24
+  r4:
+    ipv4: False
+    epipe: r1
+  h2:
+    ipv4: 2
+
+# Could model ePipe service as a special type of 'link', but custom types not allowed
+# Also, this does not make the association with the port on which h1/h2 are connected
+# - type: epipe
+#   r1:
+#     ipv4: 10.0.0.1/32 # TODO get from loopback.ipv4
+#   r4:
+#     ipv4: 10.0.0.4/32 # TODO get from loopback

routing/sr-mpls-bgp-srlinux/topology.yml

@@ -16,6 +16,14 @@ defaults:
         srlinux:
           provider_type: ixr6 # SR-MPLS only supported on 7250 IXR platform
 
+addressing:
+  unnumbered:
+    unnumbered: True
+  # p2p:
+  #   ipv6: 2001:db8:1234::/48 # Links need ipv6 in order to form ISIS adjacencies
+  # loopback:
+  #   ipv6: 2001:db8:cafe::/48
+
 # SR Global Block label range
 sr.srgb_range_start: 500000
 sr.srgb_range_size: 1000
@@ -66,7 +74,11 @@ links:
 - e1-c1
 - e1-c2
 - e2-c1
-- e2-c2
+
+- e2:
+  c2:
+  # unnumbered: True
+  role: unnumbered
 
 # External links
 - x1-e1

topology/LAN/topology.yml

@@ -0,0 +1,30 @@
+# Test multi-node links
+#
+provider: clab
+
+defaults:
+  device: srlinux
+
+nodes:
+- r1
+- r2
+- r3
+
+links:
+
+# P2P link
+- r1-r2
+
+# LAN link
+- [ r1, r2, r3 ]
+
+# Named P2P link
+- r1:
+  r2:
+  name: P2P link
+
+# Named LAN link
+- r1:
+  r2:
+  r3:
+  name: LAN link