.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0
.. (c) Ericsson AB

======================
VPN test specification
======================

.. toctree::
   :maxdepth: 2

Scope
=====

The VPN test area evaluates the ability of the system under test to support VPN
networking for virtual workloads.  The tests in this test area will evaluate
establishing VPN networks, publishing and communication between endpoints using
BGP and tear down of the networks.

References
==========

This test area evaluates the ability of the system to perform selected actions
defined in the following specifications. Details of specific features evaluated
are described in the test descriptions.

- RFC 4364 - BGP/MPLS IP Virtual Private Networks

  - https://tools.ietf.org/html/rfc4364

- RFC 4659 - BGP-MPLS IP Virtual Private Network

  - https://tools.ietf.org/html/rfc4659

- RFC 2547 - BGP/MPLS VPNs

  - https://tools.ietf.org/html/rfc2547


Definitions and abbreviations
=============================

The following terms and abbreviations are used in conjunction with this test
area:

- BGP - Border gateway protocol
- eRT - Export route target
- IETF - Internet Engineering Task Force
- iRT - Import route target
- NFVi - Network functions virtualization infrastructure
- Tenant - An isolated set of virtualized infrastructures
- VM - Virtual machine
- VPN - Virtual private network
- VLAN - Virtual local area network


System Under Test (SUT)
=======================

The system under test is assumed to be the NFVi and VIM in operation on a
Pharos compliant infrastructure.


Test Area Structure
===================

The test area is structured in four separate tests which are executed
sequentially. The order of the tests is arbitrary as there are no dependencies
across the tests. Specifically, every test performs clean-up operations which
return the system to the same state as before the test.

The test area evaluates the ability of the SUT to establish connectivity
between Virtual Machines using an appropriate route target configuration,
reconfigure the route targets to remove connectivity between the VMs, then
reestablish connectivity by re-association.


Test Descriptions
=================

----------------------------------------------------------------
Test Case 1 - VPN provides connectivity between Neutron subnets
----------------------------------------------------------------

Short name
----------

opnfv.sdnvpn.subnet_connectivity


Use case specification
----------------------

This test evaluates the use case where an NFVi tenant uses a BGPVPN to provide
connectivity between VMs on different Neutron networks and subnets that reside
on different hosts.


Test preconditions
------------------

2 compute nodes are available, denoted Node1 and Node2 in the following.


Basic test flow execution description and pass/fail criteria
------------------------------------------------------------

Methodology for verifying connectivity
''''''''''''''''''''''''''''''''''''''

Connectivity between VMs is tested by sending ICMP ping packets between
selected VMs. The target IPs are passed to the VMs sending pings by means of a
custom user data script. Whether or not a ping was successful is determined by
checking the console output of the source VMs.


Test execution
''''''''''''''

* Create Neutron network N1 and subnet SN1 with IP range 10.10.10.0/24
* Create Neutron network N2 and subnet SN2 with IP range 10.10.11.0/24

* Create VM1 on Node1 with a port in network N1
* Create VM2 on Node1 with a port in network N1
* Create VM3 on Node2 with a port in network N1
* Create VM4 on Node1 with a port in network N2
* Create VM5 on Node2 with a port in network N2

* Create VPN1 with eRT<>iRT
* Create network association between network N1 and VPN1

* VM1 sends ICMP packets to VM2 using ``ping``

* **Test assertion 1:** Ping from VM1 to VM2 succeeds: ``ping`` exits with return code 0

* VM1 sends ICMP packets to VM3 using ``ping``

* **Test assertion 2:** Ping from VM1 to VM3 succeeds: ``ping`` exits with return code 0

* VM1 sends ICMP packets to VM4 using ``ping``

* **Test assertion 3:** Ping from VM1 to VM4 fails: ``ping`` exits with a non-zero return code

* Create network association between network N2 and VPN1

* VM4 sends ICMP packets to VM5 using ``ping``

* **Test assertion 4:** Ping from VM4 to VM5 succeeds: ``ping`` exits with return code 0

* Configure iRT=eRT in VPN1

* VM1 sends ICMP packets to VM4 using ``ping``

* **Test assertion 5:** Ping from VM1 to VM4 succeeds: ``ping`` exits with return code 0

* VM1 sends ICMP packets to VM5 using ``ping``

* **Test assertion 6:** Ping from VM1 to VM5 succeeds: ``ping`` exits with return code 0

* Delete all instances: VM1, VM2, VM3, VM4 and VM5

* Delete all networks and subnets: networks N1 and N2 including subnets SN1 and SN2

* Delete all network associations and VPN1


Pass / fail criteria
''''''''''''''''''''

This test evaluates the capability of the NFVi and VIM to provide routed IP
connectivity between VMs by means of BGP/MPLS VPNs. Specifically, the test
verifies that:

* VMs in the same Neutron subnet have IP connectivity regardless of BGP/MPLS
  VPNs (test assertion 1, 2, 4)

* VMs in different Neutron subnets do not have IP connectivity by default - in
  this case without associating VPNs with the same import and export route
  targets to the Neutron networks (test assertion 3)

* VMs in different Neutron subnets have routed IP connectivity after
  associating both networks with BGP/MPLS VPNs which have been configured with
  the same import and export route targets (test assertion 5, 6). Hence,
  adjusting the ingress and egress route targets enables as well as prohibits
  routing.

In order to pass this test, all test assertions listed in the test execution
above need to pass.


Post conditions
---------------

N/A

------------------------------------------------------------
Test Case 2 - VPNs ensure traffic separation between tenants
------------------------------------------------------------

Short Name
----------

opnfv.sdnvpn.tenant_separation


Use case specification
----------------------

This test evaluates if VPNs provide separation of traffic such that overlapping
IP ranges can be used.


Test preconditions
------------------

2 compute nodes are available, denoted Node1 and Node2 in the following.


Basic test flow execution description and pass/fail criteria
------------------------------------------------------------

Methodology for verifying connectivity
''''''''''''''''''''''''''''''''''''''

Connectivity between VMs is tested by establishing an SSH connection. Moreover,
the command "hostname" is executed at the remote VM in order to retrieve the
hostname of the remote VM. The retrieved hostname is furthermore compared
against an expected value. This is used to verify tenant traffic separation,
i.e., despite overlapping IPs, a connection is made to the correct VM as
determined by means of the hostname of the target VM.



Test execution
''''''''''''''

* Create Neutron network N1
* Create subnet SN1a of network N1 with IP range 10.10.10.0/24
* Create subnet SN1b of network N1 with IP range 10.10.11.0/24

* Create Neutron network N2
* Create subnet SN2a of network N2 with IP range 10.10.10.0/24
* Create subnet SN2b of network N2 with IP range 10.10.11.0/24

* Create VM1 on Node1 with a port in network N1 and IP 10.10.10.11.
* Create VM2 on Node1 with a port in network N1 and IP 10.10.10.12.
* Create VM3 on Node2 with a port in network N1 and IP 10.10.11.13.
* Create VM4 on Node1 with a port in network N2 and IP 10.10.10.12.
* Create VM5 on Node2 with a port in network N2 and IP 10.10.11.13.

* Create VPN1 with iRT=eRT=RT1
* Create network association between network N1 and VPN1

* VM1 attempts to execute the command ``hostname`` on the VM with IP 10.10.10.12 via SSH.

* **Test assertion 1:** VM1 can successfully connect to the VM with IP
  10.10.10.12 via SSH and execute the remote command ``hostname``. The
  retrieved hostname equals the hostname of VM2.

* VM1 attempts to execute the command ``hostname`` on the VM with IP 10.10.11.13 via SSH.

* **Test assertion 2:** VM1 can successfully connect to the VM with IP
  10.10.11.13 via SSH and execute the remote command ``hostname``. The
  retrieved hostname equals the hostname of VM3.

* Create VPN2 with iRT=eRT=RT2
* Create network association between network N2 and VPN2

* VM4 attempts to execute the command ``hostname`` on the VM with IP 10.10.11.13 via SSH.

* **Test assertion 3:** VM4 can successfully connect to the VM with IP
  10.10.11.13 via SSH and execute the remote command ``hostname``. The
  retrieved hostname equals the hostname of VM5.

* VM4 attempts to execute the command ``hostname`` on the VM with IP 10.10.11.11 via SSH.

* **Test assertion 4:** VM4 cannot connect to the VM with IP 10.10.11.11 via SSH.

* Delete all instances: VM1, VM2, VM3, VM4 and VM5

* Delete all networks and subnets: networks N1 and N2 including subnets SN1a, SN1b, SN2a and SN2b

* Delete all network associations, VPN1 and VPN2


Pass / fail criteria
''''''''''''''''''''

This test evaluates the capability of the NFVi and VIM to provide routed IP
connectivity between VMs by means of BGP/MPLS VPNs. Specifically, the test
verifies that:

* VMs in the same Neutron subnet (still) have IP connectivity between each
  other when a BGP/MPLS VPN is associated with the network (test assertion 1).

* VMs in different Neutron subnets have routed IP connectivity between each
  other when BGP/MPLS VPNs with the same import and export route targets are
  associated with both networks (assertion 2).

* VMs in different Neutron networks and BGP/MPLS VPNs with different import and
  export route targets can have overlapping IP ranges. The BGP/MPLS VPNs
  provide traffic separation (assertion 3 and 4).

In order to pass this test, all test assertions listed in the test execution
above need to pass.
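
The route target rule behind assertions 1 to 4, as an added example that is not part of this specification or of the test code it describes: a simplified model (an assumption, not how any SDN controller is implemented) in which two subnets are routed only when both networks are associated with a VPN and each VPN imports a route target the other exports. ``Vpn``, ``Vm``, ``Fabric``, ``answers`` and ``tenant_separation`` are hypothetical names; the probe of 10.10.10.11 and the ``rt2="RT1"`` variant go beyond the listed steps to show what a reused route target does to separation.

```python
# Simplified model (assumption), added for illustration; not the project's code.
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass
class Vpn:
    import_rts: set
    export_rts: set


@dataclass
class Vm:
    name: str
    network: str
    ip: str

    @property
    def subnet(self):
        return ip_network(f"{self.ip}/24", strict=False)  # spec uses /24 only


@dataclass
class Fabric:
    vms: list
    assoc: dict = field(default_factory=dict)  # network name -> associated Vpn

    def routed(self, net_a, net_b):
        """Both networks are associated and each imports what the other exports."""
        a, b = self.assoc.get(net_a), self.assoc.get(net_b)
        if a is None or b is None:
            return False
        return bool(a.import_rts & b.export_rts and b.import_rts & a.export_rts)

    def answers(self, src_name, dst_ip):
        """Names of every VM that would answer dst_ip as seen from src_name."""
        src = next(vm for vm in self.vms if vm.name == src_name)
        hits = []
        for vm in self.vms:
            if vm is src or vm.ip != dst_ip:
                continue
            local = vm.network == src.network and vm.subnet == src.subnet
            if local or self.routed(src.network, vm.network):
                hits.append(vm.name)
        return hits


def tenant_separation(rt2="RT2"):
    """Replay Test Case 2; rt2 is the route target configured on VPN2."""
    f = Fabric([Vm("VM1", "N1", "10.10.10.11"), Vm("VM2", "N1", "10.10.10.12"),
                Vm("VM3", "N1", "10.10.11.13"), Vm("VM4", "N2", "10.10.10.12"),
                Vm("VM5", "N2", "10.10.11.13")])
    f.assoc["N1"] = Vpn({"RT1"}, {"RT1"})
    a1, a2 = f.answers("VM1", "10.10.10.12"), f.answers("VM1", "10.10.11.13")
    f.assoc["N2"] = Vpn({rt2}, {rt2})
    a3, a4 = f.answers("VM4", "10.10.11.13"), f.answers("VM4", "10.10.11.11")
    probe = f.answers("VM4", "10.10.10.11")  # added probe: VM1's address from N2
    return a1, a2, a3, a4, probe


if __name__ == "__main__":
    print("RT1/RT2:", tenant_separation())
    print("VPN2 reuses RT1:", tenant_separation("RT1"))
```

With distinct route targets each address is answered by exactly one VM. When VPN2 reuses RT1, 10.10.11.13 is answered from VM4 by both VM3 and VM5, which is the condition the hostname comparison in assertion 3 is there to catch.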


Post conditions
---------------

N/A

--------------------------------------------------------------------------------
Test Case 3 - VPN provides connectivity between subnets using router association
--------------------------------------------------------------------------------

Short Name
----------

opnfv.sdnvpn.router_association


Use case specification
----------------------

This test evaluates if a VPN provides connectivity between two subnets by
utilizing two different VPN association mechanisms: a router association and a
network association.

Specifically, the test network topology comprises two networks N1 and N2 with
corresponding subnets.  Additionally, network N1 is connected to a router R1.
This test verifies that a VPN V1 provides connectivity between both networks
when applying a router association to router R1 and a network association to
network N2.


Test preconditions
------------------

2 compute nodes are available, denoted Node1 and Node2 in the following.

Basic test flow execution description and pass/fail criteria
------------------------------------------------------------

Methodology for verifying connectivity
''''''''''''''''''''''''''''''''''''''

Connectivity between VMs is tested by sending ICMP ping packets between
selected VMs. The target IPs are passed to the VMs sending pings by means of a
custom user data script. Whether or not a ping was successful is determined by
checking the console output of the source VMs.


Test execution
''''''''''''''

* Create a network N1, a subnet SN1 with IP range 10.10.10.0/24 and a connected router R1
* Create a network N2, a subnet SN2 with IP range 10.10.11.0/24

* Create VM1 on Node1 with a port in network N1
* Create VM2 on Node1 with a port in network N1
* Create VM3 on Node2 with a port in network N1
* Create VM4 on Node1 with a port in network N2
* Create VM5 on Node2 with a port in network N2

* Create VPN1 with eRT<>iRT so that connected subnets should not reach each other

* Create router association between router R1 and VPN1

* VM1 sends ICMP packets to VM2 using ``ping``

* **Test assertion 1:** Ping from VM1 to VM2 succeeds: ``ping`` exits with return code 0

* VM1 sends ICMP packets to VM3 using ``ping``

* **Test assertion 2:** Ping from VM1 to VM3 succeeds: ``ping`` exits with return code 0

* VM1 sends ICMP packets to VM4 using ``ping``

* **Test assertion 3:** Ping from VM1 to VM4 fails: ``ping`` exits with a non-zero return code

* Create network association between network N2 and VPN1

* VM4 sends ICMP packets to VM5 using ``ping``

* **Test assertion 4:** Ping from VM4 to VM5 succeeds: ``ping`` exits with return code 0

* Change VPN1 so that iRT=eRT

* VM1 sends ICMP packets to VM4 using ``ping``

* **Test assertion 5:** Ping from VM1 to VM4 succeeds: ``ping`` exits with return code 0

* VM1 sends ICMP packets to VM5 using ``ping``

* **Test assertion 6:** Ping from VM1 to VM5 succeeds: ``ping`` exits with return code 0

* Delete all instances: VM1, VM2, VM3, VM4 and VM5

* Delete all networks, subnets and routers: networks N1 and N2 including subnets SN1 and SN2, router R1

* Delete all network and router associations and VPN1


Pass / fail criteria
''''''''''''''''''''

This test evaluates the capability of the NFVi and VIM to provide routed IP
connectivity between VMs by means of BGP/MPLS VPNs. Specifically, the test
verifies that:

* VMs in the same Neutron subnet have IP connectivity regardless of the import
  and export route target configuration of BGP/MPLS VPNs (test assertion 1, 2, 4)

* VMs in different Neutron subnets do not have IP connectivity by default - in
  this case without associating VPNs with the same import and export route
  targets to the Neutron networks or connected Neutron routers (test assertion 3).

* VMs in two different Neutron subnets have routed IP connectivity after
  associating the first network and a router connected to the second network
  with BGP/MPLS VPNs which have been configured with the same import and export
  route targets (test assertion 5, 6).  Hence, adjusting the ingress and egress
  route targets enables as well as prohibits routing.

* Network and router associations are equivalent methods for binding Neutron networks
  to VPN.

In order to pass this test, all test assertions listed in the test execution
above need to pass.


Post conditions
---------------

N/A

---------------------------------------------------------------------------------------------------
Test Case 4 - Verify interworking of router and network associations with floating IP functionality
---------------------------------------------------------------------------------------------------

Short Name
----------

opnfv.sdnvpn.router_association_floating_ip


Use case specification
----------------------

This test evaluates if both the router association and network association
mechanisms interwork with floating IP functionality.

Specifically, the test network topology comprises two networks N1 and N2 with
corresponding subnets.  Additionally, network N1 is connected to a router R1.
This test verifies that i) a VPN V1 provides connectivity between both networks
when applying a router association to router R1 and a network association to
network N2 and ii) a VM in network N1 is reachable externally by means of a
floating IP.


Test preconditions
------------------

At least one compute node is available.

Basic test flow execution description and pass/fail criteria
------------------------------------------------------------

Methodology for verifying connectivity
''''''''''''''''''''''''''''''''''''''

Connectivity between VMs is tested by sending ICMP ping packets between
selected VMs. The target IPs are passed to the VMs sending pings by means of a
custom user data script. Whether or not a ping was successful is determined by
checking the console output of the source VMs.


Test execution
''''''''''''''

* Create a network N1, a subnet SN1 with IP range 10.10.10.0/24 and a connected router R1
* Create a network N2 with IP range 10.10.20.0/24

* Create VM1 with a port in network N1
* Create VM2 with a port in network N2

* Create VPN1
* Create a router association between router R1 and VPN1
* Create a network association between network N2 and VPN1


* VM1 sends ICMP packets to VM2 using ``ping``

* **Test assertion 1:** Ping from VM1 to VM2 succeeds: ``ping`` exits with return code 0

* Assign a floating IP to VM1

* The host running the test framework sends ICMP packets to VM1 using ``ping``

* **Test assertion 2:** Ping from the host running the test framework to the
  floating IP of VM1 succeeds: ``ping`` exits with return code 0

* Delete floating IP assigned to VM1

* Delete all instances: VM1, VM2

* Delete all networks, subnets and routers: networks N1 and N2 including subnets SN1 and SN2, router R1

* Delete all network and router associations as well as VPN1


Pass / fail criteria
''''''''''''''''''''

This test evaluates the capability of the NFVi and VIM to provide routed IP
connectivity between VMs by means of BGP/MPLS VPNs. Specifically, the test
verifies that:

* VMs in the same Neutron subnet have IP connectivity regardless of the import
  and export route target configuration of BGP/MPLS VPNs (test assertion 1)

* VMs connected to a network which has been associated with a BGP/MPLS VPN are
  reachable through floating IPs.

In order to pass this test, all test assertions listed in the test execution
above need to pass.


Post conditions
---------------

N/A