1 /* Hey Emacs use -*- mode: C -*- */
2 /*
3  * Copyright (c) 2015-2016 Cisco and/or its affiliates.
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at:
7  *
8  * http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 option version = "3.0.0";
18 
19 import "vnet/ip/ip_types.api";
20 import "vnet/interface_types.api";
21 
22 /** \brief IPsec: Add/delete Security Policy Database
23  @param client_index - opaque cookie to identify the sender
24  @param context - sender context, to match reply w/ request
25  @param is_add - add SPD if non-zero, else delete
26  @param spd_id - SPD instance id (control plane allocated)
27 */
28 
29 autoreply define ipsec_spd_add_del
30 {
35 };
36 
37 /** \brief IPsec: Add/delete SPD from interface
38 
39  @param client_index - opaque cookie to identify the sender
40  @param context - sender context, to match reply w/ request
41  @param is_add - add security mode if non-zero, else delete
42  @param sw_if_index - index of the interface
43  @param spd_id - SPD instance id to use for lookups
44 */
45 
46 
47 autoreply define ipsec_interface_add_del_spd
48 {
51 
55 };
56 
57 
59 {
60  /* bypass - no IPsec processing */
62  /* discard - discard packet with ICMP processing */
64  /* resolve - send request to control plane for SA resolving */
66  /* protect - apply IPsec policy using following parameters */
68 };
69 
70 /** \brief IPsec: Security Policy Database entry
71 
72  See RFC 4301, 4.4.1.1 on how to match packet to selectors
73 
74  @param spd_id - SPD instance id (control plane allocated)
75  @param priority - priority of SPD entry (non-unique value). Used to order SPD matching - higher priorities match before lower
76  @param is_outbound - entry applies to outbound traffic if non-zero, otherwise applies to inbound traffic
77  @param remote_address_start - start of remote address range to match
78  @param remote_address_stop - end of remote address range to match
79  @param local_address_start - start of local address range to match
80  @param local_address_stop - end of local address range to match
81  @param protocol - protocol type to match [0 means any] otherwise IANA value
82  @param remote_port_start - start of remote port range to match ...
83  @param remote_port_stop - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
84  @param local_port_start - start of local port range to match ...
85  @param local_port_stop - end of local port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
86  @param policy - action to perform on match
87  @param sa_id - SAD instance id (control plane allocated)
88 */
89 typedef ipsec_spd_entry
90 {
91  u32 spd_id;
94 
96  vl_api_ipsec_spd_action_t policy;
98 
99  // Selector
100  vl_api_address_t remote_address_start;
101  vl_api_address_t remote_address_stop;
102  vl_api_address_t local_address_start;
103  vl_api_address_t local_address_stop;
104 
109 };
110 
111 /** \brief IPsec: Add/delete Security Policy Database entry
112 
113  @param client_index - opaque cookie to identify the sender
114  @param context - sender context, to match reply w/ request
115  @param is_add - add SPD if non-zero, else delete
116  @param entry - Description of the entry to add/del
117 */
118 define ipsec_spd_entry_add_del
119 {
123  vl_api_ipsec_spd_entry_t entry;
124 };
125 
126 /** \brief IPsec: Reply Add/delete Security Policy Database entry
127 
128  @param context - sender context, to match reply w/ request
129  @param retval - success/fail return code
130  @param stat_index - An index for the policy in the stats segment @ /net/ipsec/policy
131 */
132 define ipsec_spd_entry_add_del_reply
133 {
137 };
138 
139 /** \brief Dump IPsec all SPD IDs
140  @param client_index - opaque cookie to identify the sender
141  @param context - sender context, to match reply w/ request
142 */
143 define ipsec_spds_dump {
146 };
147 
148 /** \brief Dump IPsec all SPD IDs response
149  @param client_index - opaque cookie to identify the sender
150  @param spd_id - SPD instance id (control plane allocated)
151  @param npolicies - number of policies in SPD
152 */
153 define ipsec_spds_details {
157 };
158 
159 /** \brief Dump ipsec policy database data
160  @param client_index - opaque cookie to identify the sender
161  @param context - sender context, to match reply w/ request
162  @param spd_id - SPD instance id
163  @param sa_id - SA id, optional, set to ~0 to see all policies in SPD
164 */
165 define ipsec_spd_dump {
170 };
171 
172 /** \brief IPsec policy database response
173  @param context - sender context which was passed in the request
174  @param entry - The SPD entry.
175  @param bytes - byte count of packets matching this policy
176  @param packets - count of packets matching this policy
177 */
178 define ipsec_spd_details {
180  vl_api_ipsec_spd_entry_t entry;
181 };
182 
183 /*
184  * @brief Supported cryptographic algorithms
185  */
187 {
200 };
201 
202 /*
203  * @brief Supported Integrity Algorithms
204  */
206 {
208  /* RFC2403 */
210  /* RFC2404 */
212  /* draft-ietf-ipsec-ciph-sha-256-00 */
214  /* RFC4868 */
216  /* RFC4868 */
218  /* RFC4868 */
220 };
221 
223 {
225  /* Enable extended sequence numbers */
227  /* Enable Anti-replay */
229  /* IPsec tunnel mode if non-zero, else transport mode */
231  /* IPsec tunnel mode is IPv6 if non-zero,
232  * else IPv4 tunnel only valid if is_tunnel is non-zero */
234  /* enable UDP encapsulation for NAT traversal */
236  /* IPsec SA is for inbound traffic */
238 };
239 
241 {
244 };
245 
246 typedef key
247 {
248  /* number of valid bytes in data[]; must not exceed 128, the size of data[] */
249  u8 length;
250  /* the key material; presumably only the first `length` bytes are meaningful */
251  u8 data[128];
252 };
253 
254 /** \brief IPsec: Security Association Database entry
255  @param client_index - opaque cookie to identify the sender
256  @param context - sender context, to match reply w/ request
257  @param is_add - add SAD entry if non-zero, else delete
258  @param sad_id - sad id
259  @param spi - security parameter index
260  @param protocol - 0 = AH, 1 = ESP
261  @param crypto_algorithm - a supported crypto algorithm
262  @param crypto_key - crypto keying material
263  @param integrity_algorithm - one of the supported algorithms
264  @param integrity_key - integrity keying material
265  @param tunnel_src_address - IPsec tunnel source address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero
266  @param tunnel_dst_address - IPsec tunnel destination address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero
267  @param tx_table_id - the FIB id used for encapsulated packets
268  @param salt - for use with counter mode ciphers
269  */
270 typedef ipsec_sad_entry
271 {
272  u32 sad_id;
273 
275 
276  vl_api_ipsec_proto_t protocol;
277 
278  vl_api_ipsec_crypto_alg_t crypto_algorithm;
279  vl_api_key_t crypto_key;
280 
281  vl_api_ipsec_integ_alg_t integrity_algorithm;
282  vl_api_key_t integrity_key;
283 
284  vl_api_ipsec_sad_flags_t flags;
285 
286  vl_api_address_t tunnel_src;
287  vl_api_address_t tunnel_dst;
290 };
291 
292 /** \brief IPsec: Add/delete Security Association Database entry
293  @param client_index - opaque cookie to identify the sender
294  @param context - sender context, to match reply w/ request
295  @param entry - Entry to add or delete
296  */
297 define ipsec_sad_entry_add_del
298 {
302  vl_api_ipsec_sad_entry_t entry;
303 };
304 define ipsec_sad_entry_add_del_reply
305 {
309 };
310 
311 /** \brief Add or Update Protection for a tunnel with IPSEC
312 
313  Tunnel protection directly associates an SA with all packets
314  ingress and egress on the tunnel. This could also be achieved by
315  assigning an SPD to the tunnel, but that would incur an unnecessary
316  SPD entry lookup.
317 
318  For tunnels the ESP acts on the post-encapsulated packet. So if this
319  packet:
320  +---------+------+
321  | Payload | O-IP |
322  +---------+------+
323  where O-IP is the overlay IP address that was routed into the tunnel,
324  the resulting encapsulated packet will be:
325  +---------+------+------+
326  | Payload | O-IP | T-IP |
327  +---------+------+------+
328  where T-IP is the tunnel's src/dst IP addresses.
329  If the SAs used for protection are in transport mode then the ESP is
330  inserted before T-IP, i.e.:
331  +---------+------+-----+------+
332  | Payload | O-IP | ESP | T-IP |
333  +---------+------+-----+------+
334  If the SAs used for protection are in tunnel mode then another
335  encapsulation occurs, i.e.:
336  +---------+------+------+-----+------+
337  | Payload | O-IP | T-IP | ESP | C-IP |
338  +---------+------+------+-----+------+
339  where C-IP are the crypto endpoint IP addresses defined as the tunnel
340  endpoints in the SA.
341  The mode for the inbound and outbound SA must be the same.
342 
343  @param client_index - opaque cookie to identify the sender
344  @param context - sender context, to match reply w/ request
345  @param sw_if_index - Tunnel interface to protect
346  @param sa_in - The ID [set] of inbound SAs
347  @param sa_out - The ID of outbound SA
348 */
349 typedef ipsec_tunnel_protect
350 {
351  vl_api_interface_index_t sw_if_index;
355 };
356 
357 autoreply define ipsec_tunnel_protect_update
358 {
361 
362  vl_api_ipsec_tunnel_protect_t tunnel;
363 };
364 
365 autoreply define ipsec_tunnel_protect_del
366 {
369 
370  vl_api_interface_index_t sw_if_index;
371 };
372 
373 define ipsec_tunnel_protect_dump
374 {
377  vl_api_interface_index_t sw_if_index;
378 };
379 
380 define ipsec_tunnel_protect_details
381 {
383  vl_api_ipsec_tunnel_protect_t tun;
384 };
385 
386 /** \brief IPsec: Get SPD interfaces
387  @param client_index - opaque cookie to identify the sender
388  @param context - sender context, to match reply w/ request
389  @param spd_index - SPD index
390  @param spd_index_valid - if 1, spd_index is used to filter the
391  returned entries; if 0, no filtering is done
392 */
393 define ipsec_spd_interface_dump {
398 };
399 
400 /** \brief IPsec: SPD interface response
401  @param context - sender context which was passed in the request
402  @param spd_index - SPD index
403  @param sw_if_index - index of the interface
404 */
405 define ipsec_spd_interface_details {
409 };
410 
411 /** \brief Add or delete IPsec tunnel interface
412  @param client_index - opaque cookie to identify the sender
413  @param context - sender context, to match reply w/ request
414  @param is_add - add IPsec tunnel interface if nonzero, else delete
415  @param is_ip6 - tunnel v6 or v4
416  @param esn - enable extended sequence numbers if nonzero, else disable
417  @param anti_replay - enable anti replay check if nonzero, else disable
418  @param local_ip - local IP address
419  @param remote_ip - IP address of remote IPsec peer
420  @param local_spi - SPI of outbound IPsec SA
421  @param remote_spi - SPI of inbound IPsec SA
422  @param crypto_alg - encryption algorithm ID
423  @param local_crypto_key_len - length of local crypto key in bytes (at most 128, the size of local_crypto_key)
424  @param local_crypto_key - crypto key for outbound IPsec SA
425  @param remote_crypto_key_len - length of remote crypto key in bytes (at most 128, the size of remote_crypto_key)
426  @param remote_crypto_key - crypto key for inbound IPsec SA
427  @param integ_alg - integrity algorithm ID
428  @param local_integ_key_len - length of local integrity key in bytes (at most 128, the size of local_integ_key)
429  @param local_integ_key - integrity key for outbound IPsec SA
430  @param remote_integ_key_len - length of remote integrity key in bytes (at most 128, the size of remote_integ_key)
431  @param remote_integ_key - integrity key for inbound IPsec SA
432  @param renumber - intf display name uses a specified instance if != 0
433  @param show_instance - instance to display for intf if renumber is set
434  @param udp_encap - enable UDP encapsulation for NAT traversal
435  @param tx_table_id - the FIB id used after packet encap
436  @param salt - for use with counter mode ciphers
437 */
438 define ipsec_tunnel_if_add_del {
444  vl_api_address_t local_ip;
445  vl_api_address_t remote_ip;
450  u8 local_crypto_key[128];
452  u8 remote_crypto_key[128];
455  u8 local_integ_key[128];
457  u8 remote_integ_key[128];
463 };
464 
465 /** \brief Add/delete IPsec tunnel interface response
466  @param context - sender context, to match reply w/ request
467  @param retval - return status
468  @param sw_if_index - sw_if_index of new interface (for successful add)
469 */
470 define ipsec_tunnel_if_add_del_reply {
474 };
475 
476 /** \brief Dump IPsec security association
477  @param client_index - opaque cookie to identify the sender
478  @param context - sender context, to match reply w/ request
479  @param sa_id - optional ID of an SA to dump, if ~0 dump all SAs in SAD
480 */
481 define ipsec_sa_dump {
485 };
486 
487 /** \brief IPsec security association database response
488  @param context - sender context which was passed in the request
489  @param sa_id - SA ID, policy-based SAs >=0, tunnel interface SAs = 0
490  @param sw_if_index - sw_if_index of tunnel interface, policy-based SAs = ~0
491  @param spi - security parameter index
492  @param protocol - IPsec protocol (value from ipsec_protocol_t)
493  @param crypto_alg - crypto algorithm (value from ipsec_crypto_alg_t)
494  @param crypto_key_len - length of crypto_key in bytes
495  @param crypto_key - crypto keying material
496  @param integ_alg - integrity algorithm (value from ipsec_integ_alg_t)
497  @param integ_key_len - length of integ_key in bytes
498  @param integ_key - integrity keying material
499  @param use_esn - using extended sequence numbers when non-zero
500  @param use_anti_replay - using anti-replay window when non-zero
501  @param is_tunnel - IPsec tunnel mode when non-zero, else transport mode
502  @param is_tunnel_ipv6 - If using tunnel mode, endpoints are IPv6
503  @param tunnel_src_addr - Tunnel source address if using tunnel mode
504  @param tunnel_dst_addr - Tunnel destination address if using tunnel mode
505  @param salt - 4 byte salt
506  @param seq - current sequence number for outbound
507  @param seq_hi - high 32 bits of ESN for outbound
508  @param last_seq - highest sequence number received inbound
509  @param last_seq_hi - high 32 bits of highest ESN received inbound
510  @param replay_window - bit map of seq nums received relative to last_seq if using anti-replay
511  @param total_data_size - total bytes sent or received
512  @param udp_encap - 1 if UDP encap enabled, 0 otherwise
513 */
514 define ipsec_sa_details {
516  vl_api_ipsec_sad_entry_t entry;
517 
523 
525 };
526 
527 /** \brief Set new SA on IPsec interface
528  @param client_index - opaque cookie to identify the sender
529  @param context - sender context, to match reply w/ request
530  @param sw_if_index - index of tunnel interface
531  @param sa_id - ID of SA to use
532  @param is_outbound - 1 if outbound (local) SA, 0 if inbound (remote)
533 */
534 autoreply define ipsec_tunnel_if_set_sa {
540 };
541 
542 /** \brief Dump IPsec backends
543  @param client_index - opaque cookie to identify the sender
544  @param context - sender context, to match reply w/ request
545 */
546 define ipsec_backend_dump {
549 };
550 
551 /** \brief IPsec backend details
552  @param name - name of the backend
553  @param protocol - IPsec protocol (value from ipsec_protocol_t)
554  @param index - backend index
555  @param active - set to 1 if the backend is active, otherwise 0
556 */
557 define ipsec_backend_details {
559  u8 name[128];
560  vl_api_ipsec_proto_t protocol;
563 };
564 
565 /** \brief Select IPsec backend
566  @param client_index - opaque cookie to identify the sender
567  @param context - sender context, to match reply w/ request
568  @param protocol - IPsec protocol (value from ipsec_protocol_t)
569  @param index - backend index
570 */
571 autoreply define ipsec_select_backend {
574  vl_api_ipsec_proto_t protocol;
576 };
577 
578 /*
579  * Local Variables:
580  * eval: (c-set-style "gnu")
581  * End:
582  */
583 