Conversation
Summary of ChangesHello @steve-goog, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request refines the Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
Pull Request Functional Test Report for #4837 / 678e1f2Virtual Devices
Hardware Devices
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request provides several useful clarifications to the MACsec test README. It updates the test procedure for bringing down MACsec sessions to be more specific, adds definitions for must-secure and should-secure policies, and refines several configuration details. The changes improve the clarity and accuracy of the test documentation. I have provided a couple of suggestions to improve consistency and readability within the document.
Pull Request Test Coverage Report for Build 20183581242Details
💛 - Coveralls |
| * Use 256 bit cipher GCM-AES-256-XPN and an associated 64 char CAK-CKN pair | ||
| * Set Key server priority: 15 | ||
| * Set Security association key rekey interval: 28800 seconds | ||
| * Set Security association key rekey interval: 30 seconds |
There was a problem hiding this comment.
Do we really want to keep the SAK rekey interval as 30 seconds. Is this value coming from some security requirements ?
There was a problem hiding this comment.
This is strictly for the tests so that the tests can validate rekeying (without requring the test to run for 28800 seconds to rekey)
There was a problem hiding this comment.
I am still trying to understand this. Once configured, 30 seconds will continue to be in the running configuration. So, SAK will continue to generate at that interval and if that is the intention.
There was a problem hiding this comment.
Perhaps to be very clear, we can test two values. One to ensure the re-key occurs in a short timeframe (30sec) and a second value which represents a more realistic production use case (28800sec). In this second scenario, we don't need the test to wait for a re-key in the second scenario but rather simply confirm that the value is accepted by the DUT
There was a problem hiding this comment.
sgtm, adding test for that
| * Define first Policy(1) to cover must-secure scenario, as defined below | ||
| * Define second Policy(2) to cover should-secure scenario, as defined below |
There was a problem hiding this comment.
The leaf for traffic policy isn't present in public openconfig model for Macsec. Can we please get them added.
|
There are still problems with curly braces and json key. try replacing the whole keychain stanza with: "keychains": {
"keychain": [
{
"config": {
"name": "keychain1"
},
"keys": {
"key": [
{
"config": {
"crypto-algorithm": "AES_256_CMAC",
"key-id": "keyid1",
"secret-key": "encrypted-secret-pwd-here"
},
"key-id": "keyid1",
"receive-lifetime": {
"config": {
"end-time": "1765242000",
"start-time": "1736298000"
}
},
"send-lifetime": {
"config": {
"end-time": "1765242000",
"start-time": "1736298000"
}
}
}
]
},
"name": "keychain1"
}
]
}
|
dplore
left a comment
dplore
left a comment
There was a problem hiding this comment.
removing the security-policy field from the JSON will fix this validation error:
E1209 22:52:41.231000 4717 validate_readme_canonicalocspec.go:145] file feature/policy_forwarding/otg_tests/mpls_gre_udp_macsec/README.md: parent container policy (type *oc.Macsec_Mka_Policy): JSON contains unexpected field security-policy
* Add gemini code assist styleguide config * add gemini code assist config * Update styleguide with accessor function comment requirement Added instruction to include a URL link in the accessor function comment for tracking deviations.
* Fix issues in CNTR-2 tests * fix context derivation and typo in log * Fix acl and remove fqdn metadata from test --------- Co-authored-by: Ali Al-Shabibi <alshabibi.ali@gmail.com>
* Add single topology deviation handling for ISIS. * Update ISIS deviation error message * Use SetBatch to configure ISIS single topology deviation. * Make handleSingleTopologyDeviation a private function. * Change Get -> GetOrCreate... --------- Co-authored-by: Suhasini Tiwari <tsuhasini@google.com>
* add atomic test * reformat atomic README * simplify AFT cache logic and remove erroneous fail case during wait * Use test IPs for ISIS routes * Fix import path for gosnappi package * include metadata * update metadata and remove deviation in bgp * verify one next hop for BGP * remove multipath config if deviation set * remove multipath deviation * use common bgp logic to afts_base * use common bgp logic to afts_base * use cfgplugin bgp configuration * configure ALLOW before use * remove unused dutAttrs * Configure ISIS on only one port for proper next-hop count. * Update ATE ISIS Area. * Advertise ISIS routes on both ports * Wait for BGP session-state and ISIS adjacencies on both ports. * Format ISIS system ID for gNMI query. * Add NOKIA metadata. * Only advertise ISIS routes from port1 to ensure single next-hop * Change neighboring ISIS System ID to be unique per port. Also leave a TODO to not spawn a goroutine in aftcache from a returned function. * Create AFT streaming session at beginning of test. To capture all notifications through the config pushes. * change AFT convergence time for delete / stale updates. * update ISIS IP addresses * Move all deviation handling into libraries. * Use cfgplugins.AdvertiseRoutes to advertise BGP routes. * Configure ATE Routes in cfgplugins. * Remove unused variables. Also build CIDR prefixes by hand. * Fix BGP multipath config. * Include port name in ATE Attributes. * fix formatting and comments * Use BGPNeighborsConfig. * Move single topology deviation handling into NewISIS. * Change Get -> GetOrCreate... * move to otg_config_helpers * wait for ISIS before BGP. * fix advertised routes * wait for any ISIS adjacency * update root with single topology in deviation handling. * only configure ISIS on dut Port 1 * advertise ISIS routes over all ports. * wait for single ISIS port. * use returned config * fix cisco KNE * remove vrf change * update metadata * use root instead of batch update for BGP multipath deviation. * move vrf deviation after network instance config * increase gNMI timeout * update cisco metadata * update cisco metadata * revert bgp change * fix set batch * run gofmt * add link-local deviation cisco * revert bgp change * revert bgp change * simplify extra verification * mark configureDUT as helper. * remove duplicate isis deviation --------- Co-authored-by: Suhasini Tiwari <tsuhasini@google.com>
* Added deviation to Nokia: isis_mpls_unsupported * RT-5.6 Use loopback mode TERMINAL ref:PR1155 * . * . * Update interface_loopback_aggregate_test.go * Update interface_loopback_aggregate_test.go * Add README: Feature: <Telemetry: Firewall High Availability> * . * . * . * Apply suggestions from code review Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * Delete feature/gnmi/tests/telemetry_high_availability_test/metadata.textproto * Rename metadata.proto to metadata.textproto * Update metadata.textproto * Update README.md * Update README.md --------- Co-authored-by: Swetha-haridasula <haridasula@google.com> Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> Co-authored-by: Avnish Singh <singhavnish@google.com>
* Fix sshfs volume source path * Correct default image name in options --------- Co-authored-by: Ali Al-Shabibi <alshabibi.ali@gmail.com>
* Update metadata.textproto * Update breakout_test.go * Update breakout_base_test.go * Update breakout_test.go * Update breakout_test.go * gofmt
* implement carrier-transitions fnt * fix CI checks * add canonical oc spec * update README and use SAMPLE mode
* The isis scale multi adj test * Test folder rename * change of libraries from google to github * some changes * Small change * Update feature/isis/otg_tests/isis_scale_multi_adjacency_test/README.MD Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * Update feature/isis/otg_tests/isis_scale_multi_adjacency_test/README.MD Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * Update feature/isis/otg_tests/isis_scale_multi_adjacency_test/README.MD Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * Update feature/isis/otg_tests/isis_scale_multi_adjacency_test/README.MD Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * Update feature/isis/otg_tests/isis_scale_multi_adjacency_test/README.MD Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * Update feature/isis/otg_tests/isis_scale_multi_adjacency_test/README.MD Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * small change * remove source mac address * add ether header to the flow * Rollback the changes done in interface.go * Change of the wait timer of the admin state to 60 sec * minor change in the readme * read me change * readme change --------- Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
* add aft reboot test * add metadata to reboot test. * remove unused functions --------- Co-authored-by: Avnish Singh <singhavnish@google.com>
* Add disk space cleanup step in workflow Added a step to free disk space tailored for Go/JS builds in the GitHub Actions workflow. * Fix action reference in GitHub workflow * cleanup space for go test and go static_analysis Added disk space cleanup steps to test and static analysis jobs. * Update disk space management in GitHub Actions Replaced the disk space cleanup action with custom commands to free additional disk space. * Refactor Go setup in GitHub Actions workflow Removed duplicate setup steps for Go in build and test jobs. * Reorganize Go setup in GitHub Actions workflow * Check if cache directory exists before moving Add check for existence before moving cache directory. * Refactor cache handling in Go workflow Removed conditional cache move and added a separate step to move cache in the GitHub Actions workflow. * Refactor Go setup and cache management in workflow Reorganized steps in the GitHub Actions workflow to set up Go after freeing disk space and added a step to move cache.
…mand (#4854) * internal/cfgplugin/qos.go - issue with Arista configs using runCliCommand fixed using much simpler way * Addressing comments * fixing the ci/cd error * fixed comments
| * Set MACsec confidentiality offset: 0 | ||
| * Set Replay Protection Window size: 64 | ||
| * Set ICV enabled:True | ||
| * Set Replay Protection Window (out-of-sequence protection) size: 64 |
There was a problem hiding this comment.
Do we need to change it?
There was a problem hiding this comment.
In the offiline discussion, it was mentioned that the macsec peers are directly connected and there is no possibility of reordering.
There was a problem hiding this comment.
In the normal case, yes - we don't actually expect reordering. But we don't control the link (the far end does) and we are recommending to the far-end that they use 64, so if we don't also use 64 that may be unexpected by that end. (64 allows a tiny bit of reordering, but also works when there is no reordering at all...)
dplore
changed the title
| * Traffic equally load-balanced across bundle interfaces in both directions | ||
| * Header fields are as expected in both directions | ||
| * Traffic is dropped (100 percent) when the must-secure MACSec sessions are down by disabling MACsec on ATE ports | ||
| * Traffic is dropped (100 percent) when the must-secure MACSec sessions are down by changing a key on one side to a mismatch & forcing renegotiation on ATE ports |
There was a problem hiding this comment.
This comment doesn't take care of a scenario where due to connection issues - MKA session goes down. I think the comment should be generic to say that if there are no successful MKA session on the port, then all the traffic will be dropped.
| * Traffic equally load-balanced across bundle interfaces in both directions | ||
| * Header fields are as expected in both directions | ||
| * Traffic is not dropped when the should-secure MACSec sessions are down by disabling MACsec on ATE ports | ||
| * Traffic is not dropped when the should-secure MACSec sessions are down by changing a key on one side to a mismatch & forcing renegotiation on ATE ports |
There was a problem hiding this comment.
Unencrypted traffic is allowed when all the MKA sessions are down.
| "mka": { | ||
| "config": { | ||
| "key-chain": "keychain1", | ||
| "mka-policy": "must_secure" |
There was a problem hiding this comment.
It will be good if we can include mka policy definition as well here.
There was a problem hiding this comment.
This is policy name references the policy later in the JSON:
|
This PR was closed due to a code rebase with commits whose CLA checks failed. Please see #4926 for a new PR which continues this work. |
20 participants
MACsec updates for DUT to clarify test setup