Neale Ranns17dcec02019-01-09 21:22:20 -08001/* Hey Emacs use -*- mode: C -*- */
Pavel Kotucek9c7ef032016-12-21 07:46:45 +01002/*
3 * Copyright (c) 2015-2016 Cisco and/or its affiliates.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Neale Rannsff2e4132021-06-24 14:57:56 +000017option version = "5.0.2";
Neale Ranns17dcec02019-01-09 21:22:20 -080018
Prashant Maheshwaridbf68c92019-11-14 12:42:59 +053019import "vnet/ipsec/ipsec_types.api";
Neale Rannsc87b66c2019-02-07 07:26:12 -080020import "vnet/interface_types.api";
Jakub Grajciar287d5e12020-02-28 08:26:32 +010021import "vnet/ip/ip_types.api";
22import "vnet/interface_types.api";
Neale Rannsdd4ccf22020-06-30 07:47:14 +000023import "vnet/tunnel/tunnel_types.api";
Dave Barach0d056e52017-09-28 15:11:16 -040024
Pavel Kotucek9c7ef032016-12-21 07:46:45 +010025/** \brief IPsec: Add/delete Security Policy Database
26 @param client_index - opaque cookie to identify the sender
27 @param context - sender context, to match reply w/ request
28 @param is_add - add SPD if non-zero, else delete
29 @param spd_id - SPD instance id (control plane allocated)
30*/
31
Dave Barach11b8dbf2017-04-24 10:46:54 -040032autoreply define ipsec_spd_add_del
Pavel Kotucek9c7ef032016-12-21 07:46:45 +010033{
34 u32 client_index;
35 u32 context;
Jakub Grajciar287d5e12020-02-28 08:26:32 +010036 bool is_add;
Pavel Kotucek9c7ef032016-12-21 07:46:45 +010037 u32 spd_id;
38};
39
Pavel Kotucek9c7ef032016-12-21 07:46:45 +010040/** \brief IPsec: Add/delete SPD from interface
41
42 @param client_index - opaque cookie to identify the sender
43 @param context - sender context, to match reply w/ request
44 @param is_add - add security mode if non-zero, else delete
45 @param sw_if_index - index of the interface
46 @param spd_id - SPD instance id to use for lookups
47*/
48
49
Dave Barach11b8dbf2017-04-24 10:46:54 -040050autoreply define ipsec_interface_add_del_spd
Pavel Kotucek9c7ef032016-12-21 07:46:45 +010051{
52 u32 client_index;
53 u32 context;
54
Jakub Grajciar287d5e12020-02-28 08:26:32 +010055 bool is_add;
56 vl_api_interface_index_t sw_if_index;
Pavel Kotucek9c7ef032016-12-21 07:46:45 +010057 u32 spd_id;
58};
59
Neale Ranns17dcec02019-01-09 21:22:20 -080060/** \brief IPsec: Add/delete Security Policy Database entry
61
62 @param client_index - opaque cookie to identify the sender
63 @param context - sender context, to match reply w/ request
64 @param is_add - add SPD if non-zero, else delete
65 @param entry - Description of the entry to add/del
66*/
Neale Rannsa09c1ff2019-02-04 01:10:30 -080067define ipsec_spd_entry_add_del
Neale Ranns17dcec02019-01-09 21:22:20 -080068{
Piotr Bronowski815c6a42022-06-09 09:09:28 +000069 option deprecated;
Neale Ranns17dcec02019-01-09 21:22:20 -080070 u32 client_index;
71 u32 context;
Jakub Grajciar287d5e12020-02-28 08:26:32 +010072 bool is_add;
Neale Ranns17dcec02019-01-09 21:22:20 -080073 vl_api_ipsec_spd_entry_t entry;
74};
75
Piotr Bronowski815c6a42022-06-09 09:09:28 +000076/** \brief IPsec: Add/delete Security Policy Database entry v2
77
78 @param client_index - opaque cookie to identify the sender
79 @param context - sender context, to match reply w/ request
80 @param is_add - add SPD if non-zero, else delete
81 @param entry - Description of the entry to add/del
82*/
83define ipsec_spd_entry_add_del_v2
84{
85 u32 client_index;
86 u32 context;
87 bool is_add;
88 vl_api_ipsec_spd_entry_v2_t entry;
89};
90
Neale Rannsa09c1ff2019-02-04 01:10:30 -080091/** \brief IPsec: Reply Add/delete Security Policy Database entry
92
93 @param context - sender context, to match reply w/ request
94 @param retval - success/fail return code
95 @param stat_index - An index for the policy in the stats segment @ /net/ipsec/policy
96*/
97define ipsec_spd_entry_add_del_reply
98{
Vratko Polak520cde42022-11-25 17:10:10 +010099 option deprecated;
Neale Rannsa09c1ff2019-02-04 01:10:30 -0800100 u32 context;
101 i32 retval;
102 u32 stat_index;
103};
104
Piotr Bronowski815c6a42022-06-09 09:09:28 +0000105/** \brief IPsec: Reply Add/delete Security Policy Database entry v2
106
107 @param context - sender context, to match reply w/ request
108 @param retval - success/fail return code
109 @param stat_index - An index for the policy in the stats segment @ /net/ipsec/policy
110*/
111define ipsec_spd_entry_add_del_v2_reply
112{
113 u32 context;
114 i32 retval;
115 u32 stat_index;
116};
117
Neale Ranns17dcec02019-01-09 21:22:20 -0800118/** \brief Dump IPsec all SPD IDs
119 @param client_index - opaque cookie to identify the sender
120 @param context - sender context, to match reply w/ request
121*/
122define ipsec_spds_dump {
123 u32 client_index;
124 u32 context;
125};
126
127/** \brief Dump IPsec all SPD IDs response
128 @param context - sender context which was passed in the request
129 @param spd_id - SPD instance id (control plane allocated)
130 @param npolicies - number of policies in SPD
131*/
132define ipsec_spds_details {
133 u32 context;
134 u32 spd_id;
135 u32 npolicies;
Jakub Grajciar287d5e12020-02-28 08:26:32 +0100136};
Neale Ranns17dcec02019-01-09 21:22:20 -0800137
138/** \brief Dump ipsec policy database data
139 @param client_index - opaque cookie to identify the sender
140 @param context - sender context, to match reply w/ request
141 @param spd_id - SPD instance id
142 @param sa_id - SA id, optional, set to ~0 to see all policies in SPD
143*/
144define ipsec_spd_dump {
145 u32 client_index;
146 u32 context;
147 u32 spd_id;
148 u32 sa_id;
149};
150
151/** \brief IPsec policy database response
152 @param context - sender context which was passed in the request
153 @param entry - The SPD entry.
154 @param bytes - byte count of packets matching this policy
155 @param packets - count of packets matching this policy
156*/
157define ipsec_spd_details {
158 u32 context;
159 vl_api_ipsec_spd_entry_t entry;
Neale Ranns17dcec02019-01-09 21:22:20 -0800160};
161
Pavel Kotucek9c7ef032016-12-21 07:46:45 +0100162/** \brief IPsec: Add/delete Security Association Database entry
163 @param client_index - opaque cookie to identify the sender
164 @param context - sender context, to match reply w/ request
Neale Ranns17dcec02019-01-09 21:22:20 -0800165 @param entry - Entry to add or delete
Pavel Kotucek9c7ef032016-12-21 07:46:45 +0100166 */
Neale Rannseba31ec2019-02-17 18:04:27 +0000167define ipsec_sad_entry_add_del
Pavel Kotucek9c7ef032016-12-21 07:46:45 +0100168{
Neale Ranns9ec846c2021-02-09 14:04:02 +0000169 option deprecated;
Ondrej Fabry63305842023-04-14 10:50:12 +0200170
Pavel Kotucek9c7ef032016-12-21 07:46:45 +0100171 u32 client_index;
172 u32 context;
Jakub Grajciar287d5e12020-02-28 08:26:32 +0100173 bool is_add;
Neale Ranns17dcec02019-01-09 21:22:20 -0800174 vl_api_ipsec_sad_entry_t entry;
Pavel Kotucek9c7ef032016-12-21 07:46:45 +0100175};
Piotr Bronowski815c6a42022-06-09 09:09:28 +0000176
Neale Ranns041add72020-01-02 04:06:10 +0000177define ipsec_sad_entry_add_del_v2
178{
Ondrej Fabry63305842023-04-14 10:50:12 +0200179 option deprecated;
180
Neale Ranns041add72020-01-02 04:06:10 +0000181 u32 client_index;
182 u32 context;
183 bool is_add;
184 vl_api_ipsec_sad_entry_v2_t entry;
185};
Piotr Bronowski815c6a42022-06-09 09:09:28 +0000186
Neale Ranns9ec846c2021-02-09 14:04:02 +0000187define ipsec_sad_entry_add_del_v3
188{
189 u32 client_index;
190 u32 context;
191 bool is_add;
192 vl_api_ipsec_sad_entry_v3_t entry;
193};
/** \brief IPsec: Add a Security Association Database entry
    Carries no is_add flag, unlike the ipsec_sad_entry_add_del* messages.
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param entry - Entry to add (v3 SAD entry type)
 */
Neale Rannsff2e4132021-06-24 14:57:56 +0000194define ipsec_sad_entry_add
195{
196 u32 client_index;
197 u32 context;
198 vl_api_ipsec_sad_entry_v3_t entry;
199};
/** \brief IPsec: Delete a Security Association Database entry
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param id - identifier of the entry to delete; presumably the SA id
                (the value called sa_id elsewhere in this file) - confirm
                against the handler
 */
200autoreply define ipsec_sad_entry_del
201{
202 u32 client_index;
203 u32 context;
204 u32 id;
205};
Neale Ranns9ec846c2021-02-09 14:04:02 +0000206
Maxime Peim1271e3a2023-03-20 14:13:56 +0000207
208/** \brief An API to bind an SAD entry to a specific worker
209
210 @param client_index - opaque cookie to identify the sender
211 @param context - sender context, to match reply w/ request
212 @param sa_id - the id of the SA to bind
213 @param worker - the index of the worker to which the SA will be bound
214 */
215autoreply define ipsec_sad_bind
216{
217 u32 client_index;
218 u32 context;
219 u32 sa_id;
220 u32 worker;
221};
222
/** \brief Counterpart of ipsec_sad_bind; carries only the SA id, no worker
    NOTE(review): presumably removes the worker binding of the SA - confirm
    against the handler.
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param sa_id - the id of the SA to unbind
 */
223autoreply define ipsec_sad_unbind
224{
225 u32 client_index;
226 u32 context;
227 u32 sa_id;
228};
229
Arthur de Kerhor4117b242022-08-31 19:13:03 +0200230/** \brief An API to update the tunnel parameters and the ports associated with an SA
231
232 Used in the NAT-T case when the NAT data changes
233 @param client_index - opaque cookie to identify the sender
234 @param context - sender context, to match reply w/ request
235 @param sad_id - the id of the SA to update
236 @param is_tun - update the tunnel if non-zero, else update only the ports
237 @param tunnel - the new tunnel parameters, used if is_tun is non-zero
238 @param udp_src_port - new src port for NAT-T. Used if different from 0xffff
239 @param udp_dst_port - new dst port for NAT-T. Used if different from 0xffff
240 */
241autoreply define ipsec_sad_entry_update
242{
243 u32 client_index;
244 u32 context;
245 u32 sad_id;
246 bool is_tun;
247 vl_api_tunnel_t tunnel;
248 u16 udp_src_port [default=0xffff];
249 u16 udp_dst_port [default=0xffff];
250};
251
Neale Rannseba31ec2019-02-17 18:04:27 +0000252define ipsec_sad_entry_add_del_reply
253{
Neale Ranns9ec846c2021-02-09 14:04:02 +0000254 option deprecated;
Ondrej Fabry63305842023-04-14 10:50:12 +0200255
Neale Rannseba31ec2019-02-17 18:04:27 +0000256 u32 context;
257 i32 retval;
258 u32 stat_index;
259};
Piotr Bronowski815c6a42022-06-09 09:09:28 +0000260
Neale Ranns041add72020-01-02 04:06:10 +0000261define ipsec_sad_entry_add_del_v2_reply
262{
Ondrej Fabry63305842023-04-14 10:50:12 +0200263 option deprecated;
264
Neale Ranns041add72020-01-02 04:06:10 +0000265 u32 context;
266 i32 retval;
267 u32 stat_index;
268};
Piotr Bronowski815c6a42022-06-09 09:09:28 +0000269
Neale Ranns9ec846c2021-02-09 14:04:02 +0000270define ipsec_sad_entry_add_del_v3_reply
271{
272 u32 context;
273 i32 retval;
274 u32 stat_index;
275};
Neale Rannsff2e4132021-06-24 14:57:56 +0000276define ipsec_sad_entry_add_reply
277{
278 u32 context;
279 i32 retval;
280 u32 stat_index;
281};
Pavel Kotucek9c7ef032016-12-21 07:46:45 +0100282
Neale Rannsc87b66c2019-02-07 07:26:12 -0800283/** \brief Add or Update Protection for a tunnel with IPSEC
284
285 Tunnel protection directly associates an SA with all packets
286 ingress and egress on the tunnel. This could also be achieved by
287 assigning an SPD to the tunnel, but that would incur an unnecessary
288 SPD entry lookup.
289
290 For tunnels the ESP acts on the post-encapsulated packet. So if this
291 packet:
292 +---------+------+
293 | Payload | O-IP |
294 +---------+------+
295 where O-IP is the overlay IP address that was routed into the tunnel,
296 the resulting encapsulated packet will be:
297 +---------+------+------+
298 | Payload | O-IP | T-IP |
299 +---------+------+------+
300 where T-IP is the tunnel's src.dst IP addresses.
301 If the SAs used for protection are in transport mode then the ESP is
302 inserted before T-IP, i.e.:
303 +---------+------+-----+------+
304 | Payload | O-IP | ESP | T-IP |
305 +---------+------+-----+------+
306 If the SAs used for protection are in tunnel mode then another
307 encapsulation occurs, i.e.:
308 +---------+------+------+-----+------+
309 | Payload | O-IP | T-IP | ESP | C-IP |
310 +---------+------+------+-----+------+
311 where C-IP are the crypto endpoint IP addresses defined as the tunnel
312 endpoints in the SA.
313 The mode for the inbound and outbound SA must be the same.
314
315 @param client_index - opaque cookie to identify the sender
316 @param context - sender context, to match reply w/ request
317 @param sw_if_index - Tunnel interface to protect
Neale Ranns28287212019-12-16 00:53:11 +0000318 @param nh - The peer/next-hop on the tunnel to which the traffic
319 should be protected. For a P2P interface set this to the
320 all 0s address.
Neale Rannsc87b66c2019-02-07 07:26:12 -0800321 @param sa_in - The ID [set] of inbound SAs
322 @param sa_out - The ID of outbound SA
323*/
324typedef ipsec_tunnel_protect
325{
326 vl_api_interface_index_t sw_if_index;
Neale Ranns28287212019-12-16 00:53:11 +0000327 vl_api_address_t nh;
Neale Rannsc87b66c2019-02-07 07:26:12 -0800328 u32 sa_out;
329 u8 n_sa_in;
330 u32 sa_in[n_sa_in];
331};
332
333autoreply define ipsec_tunnel_protect_update
334{
335 u32 client_index;
336 u32 context;
337
338 vl_api_ipsec_tunnel_protect_t tunnel;
339};
340
/** \brief Delete the protection for a tunnel
    The protection is identified by the same (sw_if_index, nh) pair that
    the ipsec_tunnel_protect type carries.
    NOTE(review): this file does not state how traffic on the tunnel is
    handled once protection is removed (dropped or forwarded unprotected);
    confirm in the handler before relying on either behaviour.
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param sw_if_index - Tunnel interface whose protection is removed
    @param nh - The peer/next-hop on the tunnel
 */
341autoreply define ipsec_tunnel_protect_del
342{
343 u32 client_index;
344 u32 context;
345
346 vl_api_interface_index_t sw_if_index;
Neale Ranns28287212019-12-16 00:53:11 +0000347 vl_api_address_t nh;
Neale Rannsc87b66c2019-02-07 07:26:12 -0800348};
349
Neale Ranns12989b52019-09-26 16:20:19 +0000350/**
351 * @brief Dump all tunnel protections
352 */
Neale Rannsc87b66c2019-02-07 07:26:12 -0800353define ipsec_tunnel_protect_dump
354{
355 u32 client_index;
356 u32 context;
357 vl_api_interface_index_t sw_if_index;
358};
359
360define ipsec_tunnel_protect_details
361{
362 u32 context;
363 vl_api_ipsec_tunnel_protect_t tun;
364};
365
Filip Varga871bca92018-11-02 13:51:44 +0100366/** \brief IPsec: Get SPD interfaces
367 @param client_index - opaque cookie to identify the sender
368 @param context - sender context, to match reply w/ request
369 @param spd_index - SPD index
370 @param spd_index_valid - if 1 spd_index is used to filter
371 spd_index's, if 0 no filtering is done
372*/
373define ipsec_spd_interface_dump {
374 u32 client_index;
375 u32 context;
376 u32 spd_index;
377 u8 spd_index_valid;
378};
379
380/** \brief IPsec: SPD interface response
381 @param context - sender context which was passed in the request
382 @param spd_index - SPD index
383 @param sw_if_index - index of the interface
384*/
385define ipsec_spd_interface_details {
386 u32 context;
387 u32 spd_index;
Jakub Grajciar287d5e12020-02-28 08:26:32 +0100388 vl_api_interface_index_t sw_if_index;
Filip Varga871bca92018-11-02 13:51:44 +0100389};
390
Neale Rannsdd4ccf22020-06-30 07:47:14 +0000391typedef ipsec_itf
392{
393 u32 user_instance [default=0xffffffff];
394 vl_api_tunnel_mode_t mode;
395 vl_api_interface_index_t sw_if_index;
396};
397
398/** \brief Create an IPSec interface
399 */
400define ipsec_itf_create {
401 u32 client_index;
402 u32 context;
403 vl_api_ipsec_itf_t itf;
404};
405
406/** \brief Add IPsec interface response
407 @param context - sender context, to match reply w/ request
408 @param retval - return status
409 @param sw_if_index - sw_if_index of new interface (for successful add)
410*/
411define ipsec_itf_create_reply
412{
413 u32 context;
414 i32 retval;
415 vl_api_interface_index_t sw_if_index;
416};
417
418autoreply define ipsec_itf_delete
419{
420 u32 client_index;
421 u32 context;
422 vl_api_interface_index_t sw_if_index;
423};
424
425define ipsec_itf_dump
426{
427 u32 client_index;
428 u32 context;
429 vl_api_interface_index_t sw_if_index;
430};
431
432define ipsec_itf_details
433{
434 u32 context;
435 vl_api_ipsec_itf_t itf;
436};
437
Matthew Smith28029532017-09-26 13:33:44 -0500438/** \brief Dump IPsec security association
439 @param client_index - opaque cookie to identify the sender
440 @param context - sender context, to match reply w/ request
441 @param sa_id - optional ID of an SA to dump, if ~0 dump all SAs in SAD
442*/
Neale Rannsdd4ccf22020-06-30 07:47:14 +0000443define ipsec_sa_dump
444{
Neale Ranns9ec846c2021-02-09 14:04:02 +0000445 option deprecated;
Ondrej Fabry63305842023-04-14 10:50:12 +0200446
Matthew Smith28029532017-09-26 13:33:44 -0500447 u32 client_index;
448 u32 context;
449 u32 sa_id;
450};
Neale Ranns041add72020-01-02 04:06:10 +0000451define ipsec_sa_v2_dump
452{
Ondrej Fabry63305842023-04-14 10:50:12 +0200453 option deprecated;
454
Neale Ranns041add72020-01-02 04:06:10 +0000455 u32 client_index;
456 u32 context;
457 u32 sa_id;
458};
Neale Ranns9ec846c2021-02-09 14:04:02 +0000459define ipsec_sa_v3_dump
460{
461 u32 client_index;
462 u32 context;
463 u32 sa_id;
464};
Maxime Peim1271e3a2023-03-20 14:13:56 +0000465define ipsec_sa_v4_dump
466{
467 u32 client_index;
468 u32 context;
469 u32 sa_id;
470};
Matthew Smith28029532017-09-26 13:33:44 -0500471
472/** \brief IPsec security association database response
473 @param context - sender context which was passed in the request
Neale Ranns041add72020-01-02 04:06:10 +0000474 @param entry - The SA details
Matthew Smith28029532017-09-26 13:33:44 -0500475 @param sw_if_index - sw_if_index of tunnel interface, policy-based SAs = ~0
Jakub Grajciar287d5e12020-02-28 08:26:32 +0100476 @param salt - 4 byte salt
Matthew Smith28029532017-09-26 13:33:44 -0500477 @param seq - current sequence number for outbound
Jakub Grajciar287d5e12020-02-28 08:26:32 +0100478 @param seq_hi - high 32 bits of ESN for outbound
Matthew Smith28029532017-09-26 13:33:44 -0500479 @param last_seq - highest sequence number received inbound
480 @param last_seq_hi - high 32 bits of highest ESN received inbound
481 @param replay_window - bit map of seq nums received relative to last_seq if using anti-replay
Matthew Smith48d32b42020-04-02 07:45:49 -0500482 @param stat_index - index for the SA in the stats segment @ /net/ipsec/sa
Matthew Smith28029532017-09-26 13:33:44 -0500483*/
484define ipsec_sa_details {
Neale Ranns9ec846c2021-02-09 14:04:02 +0000485 option deprecated;
Ondrej Fabry63305842023-04-14 10:50:12 +0200486
Matthew Smith28029532017-09-26 13:33:44 -0500487 u32 context;
Neale Ranns8d7c5022019-02-06 01:41:05 -0800488 vl_api_ipsec_sad_entry_t entry;
489
Jakub Grajciar287d5e12020-02-28 08:26:32 +0100490 vl_api_interface_index_t sw_if_index;
Matthew Smith28029532017-09-26 13:33:44 -0500491 u32 salt;
492 u64 seq_outbound;
493 u64 last_seq_inbound;
494 u64 replay_window;
495
Matthew Smith48d32b42020-04-02 07:45:49 -0500496 u32 stat_index;
Matthew Smith28029532017-09-26 13:33:44 -0500497};
Neale Ranns041add72020-01-02 04:06:10 +0000498define ipsec_sa_v2_details {
Ondrej Fabry63305842023-04-14 10:50:12 +0200499 option deprecated;
500
Neale Ranns041add72020-01-02 04:06:10 +0000501 u32 context;
502 vl_api_ipsec_sad_entry_v2_t entry;
503
504 vl_api_interface_index_t sw_if_index;
505 u32 salt;
506 u64 seq_outbound;
507 u64 last_seq_inbound;
508 u64 replay_window;
509
510 u32 stat_index;
511};
Neale Ranns9ec846c2021-02-09 14:04:02 +0000512define ipsec_sa_v3_details {
513 u32 context;
514 vl_api_ipsec_sad_entry_v3_t entry;
515
516 vl_api_interface_index_t sw_if_index;
517 u64 seq_outbound;
518 u64 last_seq_inbound;
519 u64 replay_window;
520
521 u32 stat_index;
522};
/** \brief IPsec security association database response, v4
    Carries the v3 SAD entry type plus a thread_index field.
    NOTE(review): entry is the full SAD entry type from ipsec_types.api; if
    that type includes key material, dump replies expose it to any client
    of the API - confirm, and restrict access to the API accordingly.
    @param context - sender context which was passed in the request
    @param entry - The SA details
    @param sw_if_index - sw_if_index of tunnel interface (presumably ~0 for
                         policy-based SAs, as for ipsec_sa_details - confirm)
    @param seq_outbound - presumably the current outbound sequence number
    @param last_seq_inbound - presumably the highest sequence number
                              received inbound
    @param replay_window - presumably the anti-replay bit map relative to
                           last_seq_inbound - confirm
    @param thread_index - presumably the worker thread the SA is bound to
                          (see ipsec_sad_bind) - confirm
    @param stat_index - index for the SA in the stats segment
 */
Maxime Peim1271e3a2023-03-20 14:13:56 +0000523define ipsec_sa_v4_details {
524 u32 context;
525 vl_api_ipsec_sad_entry_v3_t entry;
526
527 vl_api_interface_index_t sw_if_index;
528 u64 seq_outbound;
529 u64 last_seq_inbound;
530 u64 replay_window;
531
532 u32 thread_index;
533 u32 stat_index;
534};
Matthew Smith28029532017-09-26 13:33:44 -0500535
Klement Sekerab4d30532018-11-08 13:00:02 +0100536/** \brief Dump IPsec backends
537 @param client_index - opaque cookie to identify the sender
538 @param context - sender context, to match reply w/ request
539*/
540define ipsec_backend_dump {
541 u32 client_index;
542 u32 context;
543};
544
545/** \brief IPsec backend details
546 @param name - name of the backend
547 @param protocol - IPsec protocol (value from ipsec_protocol_t)
548 @param index - backend index
549 @param active - set to 1 if the backend is active, otherwise 0
550*/
551define ipsec_backend_details {
552 u32 context;
Jakub Grajciar287d5e12020-02-28 08:26:32 +0100553 string name[128];
Neale Ranns17dcec02019-01-09 21:22:20 -0800554 vl_api_ipsec_proto_t protocol;
Klement Sekerab4d30532018-11-08 13:00:02 +0100555 u8 index;
Jakub Grajciar287d5e12020-02-28 08:26:32 +0100556 bool active;
Klement Sekerab4d30532018-11-08 13:00:02 +0100557};
558
559/** \brief Select IPsec backend
560 @param client_index - opaque cookie to identify the sender
561 @param context - sender context, to match reply w/ request
562 @param protocol - IPsec protocol (value from ipsec_protocol_t)
563 @param index - backend index
564*/
565autoreply define ipsec_select_backend {
566 u32 client_index;
567 u32 context;
Neale Ranns17dcec02019-01-09 21:22:20 -0800568 vl_api_ipsec_proto_t protocol;
Klement Sekerab4d30532018-11-08 13:00:02 +0100569 u8 index;
570};
571
Yulong Pei2e84d662020-08-14 18:21:08 +0800572
573/** \brief IPsec Set Async mode
574 @param client_index - opaque cookie to identify the sender
575 @param context - sender context, to match reply w/ request
576 @param async_enable - ipsec async mode on or off
577*/
578autoreply define ipsec_set_async_mode {
579 u32 client_index;
580 u32 context;
581 bool async_enable;
582};
583
Neale Ranns93688d72022-08-09 03:34:51 +0000584counters esp_decrypt {
585 rx_pkts {
586 severity info;
587 type counter64;
588 units "packets";
589 description "ESP pkts received";
590 };
591 rx_post_pkts {
592 severity info;
593 type counter64;
594 units "packets";
595 description "ESP-POST pkts received";
596 };
597 handoff {
598 severity info;
599 type counter64;
600 units "packets";
601 description "hand-off";
602 };
603 decryption_failed {
604 severity error;
605 type counter64;
606 units "packets";
607 description "ESP decryption failed";
608 };
609 integ_error {
610 severity error;
611 type counter64;
612 units "packets";
613 description "integrity check failed";
614 };
615 crypto_engine_error {
616 severity error;
617 type counter64;
618 units "packets";
619 description "crypto engine error (packet dropped)";
620 };
621 replay {
622 severity error;
623 type counter64;
624 units "packets";
625 description "SA replayed packet";
626 };
627 runt {
628 severity error;
629 type counter64;
630 units "packets";
631 description "undersized packet";
632 };
633 no_buffers {
634 severity error;
635 type counter64;
636 units "packets";
637 description "no buffers (packet dropped)";
638 };
639 oversized_header {
640 severity error;
641 type counter64;
642 units "packets";
643 description "buffer with oversized header (dropped)";
644 };
645 no_tail_space {
646 severity error;
647 type counter64;
648 units "packets";
649 description "no enough buffer tail space (dropped)";
650 };
651 tun_no_proto {
652 severity error;
653 type counter64;
654 units "packets";
655 description "no tunnel protocol";
656 };
657 unsup_payload {
658 severity error;
659 type counter64;
660 units "packets";
661 description "unsupported payload";
662 };
gaoginskxf441b5d2021-06-07 12:07:01 +0100663 no_avail_frame {
664 severity error;
665 type counter64;
666 units "packets";
667 description "no available frame (packet dropped)";
668 };
Neale Ranns93688d72022-08-09 03:34:51 +0000669};
670
671counters esp_encrypt {
672 rx_pkts {
673 severity info;
674 type counter64;
675 units "packets";
676 description "ESP pkts received";
677 };
678 post_rx_pkts {
679 severity info;
680 type counter64;
681 units "packets";
682 description "ESP-post pkts received";
683 };
684 handoff {
685 severity info;
686 type counter64;
687 units "packets";
688 description "Hand-off";
689 };
690 seq_cycled {
691 severity error;
692 type counter64;
693 units "packets";
694 description "sequence number cycled (packet dropped)";
695 };
696 crypto_engine_error {
697 severity error;
698 type counter64;
699 units "packets";
700 description "crypto engine error (packet dropped)";
701 };
702 crypto_queue_full {
703 severity error;
704 type counter64;
705 units "packets";
706 description "crypto queue full (packet dropped)";
707 };
708 no_buffers {
709 severity error;
710 type counter64;
711 units "packets";
712 description "no buffers (packet dropped)";
713 };
714 no_protection {
715 severity error;
716 type counter64;
717 units "packets";
718 description "no protecting SA (packet dropped)";
719 };
720 no_encryption {
721 severity error;
722 type counter64;
723 units "packets";
724 description "no Encrypting SA (packet dropped)";
725 };
gaoginskxf441b5d2021-06-07 12:07:01 +0100726 no_avail_frame {
727 severity error;
728 type counter64;
729 units "packets";
730 description "no available frame (packet dropped)";
731 };
Neale Ranns93688d72022-08-09 03:34:51 +0000732};
733
734counters ah_encrypt {
735 rx_pkts {
736 severity info;
737 type counter64;
738 units "packets";
739 description "AH pkts received";
740 };
741 crypto_engine_error {
742 severity error;
743 type counter64;
744 units "packets";
745 description "crypto engine error (packet dropped)";
746 };
747 seq_cycled {
748 severity error;
749 type counter64;
750 units "packets";
751 description "sequence number cycled (packet dropped)";
752 };
753};
754
755counters ah_decrypt {
756 rx_pkts {
757 severity info;
758 type counter64;
759 units "packets";
760 description "AH pkts received";
761 };
762 decryption_failed {
763 severity error;
764 type counter64;
765 units "packets";
766 description "AH decryption failed";
767 };
768 integ_error {
769 severity error;
770 type counter64;
771 units "packets";
772 description "Integrity check failed";
773 };
774 no_tail_space {
775 severity error;
776 type counter64;
777 units "packets";
778 description "not enough buffer tail space (dropped)";
779 };
780 drop_fragments {
781 severity error;
782 type counter64;
783 units "packets";
784 description "IP fragments drop";
785 };
786 replay {
787 severity error;
788 type counter64;
789 units "packets";
790 description "SA replayed packet";
791 };
792};
793
794counters ipsec_tun {
795 rx {
796 severity info;
797 type counter64;
798 units "packets";
799 description "good packets received";
800 };
801 disabled {
802 severity error;
803 type counter64;
804 units "packets";
805 description "ipsec packets received on disabled interface";
806 };
807 no_tunnel {
808 severity error;
809 type counter64;
810 units "packets";
811 description "no matching tunnel";
812 };
813 tunnel_mismatch {
814 severity error;
815 type counter64;
816 units "packets";
817 description "SPI-tunnel mismatch";
818 };
819 nat_keepalive {
820 severity info;
821 type counter64;
822 units "packets";
823 description "NAT Keepalive";
824 };
825 too_short {
826 severity error;
827 type counter64;
828 units "packets";
829 description "Too Short";
830 };
831 spi_0 {
832 severity info;
833 type counter64;
834 units "packets";
835 description "SPI 0";
836 };
837};
838
/*
 * Pairs each "/err/..." stat path with one of the counter sets defined in
 * this file (esp_encrypt, esp_decrypt, ah_encrypt, ipsec_tun).
 * NOTE(review): the ah_decrypt counter set is defined in this file but no
 * path below refers to it (only ah_encrypt is mapped for AH), so its
 * integrity-failure and replay counters may not be published this way -
 * confirm whether the omission is intentional.
 */
839paths {
840 "/err/esp4-encrypt" "esp_encrypt";
841 "/err/esp4-encrypt-post" "esp_encrypt";
842 "/err/esp4-encrypt-tun" "esp_encrypt";
843 "/err/esp4-encrypt-tun-post" "esp_encrypt";
844 "/err/esp6-encrypt" "esp_encrypt";
845 "/err/esp6-encrypt-post" "esp_encrypt";
846 "/err/esp6-encrypt-tun" "esp_encrypt";
847 "/err/esp6-encrypt-tun-post" "esp_encrypt";
848 "/err/esp-mpls-encrypt-tun" "esp_encrypt";
849 "/err/esp-mpls-encrypt-tun-post" "esp_encrypt";
850 "/err/esp4-decrypt" "esp_decrypt";
851 "/err/esp4-decrypt-post" "esp_decrypt";
852 "/err/esp4-decrypt-tun" "esp_decrypt";
853 "/err/esp4-decrypt-tun-post" "esp_decrypt";
854 "/err/esp6-decrypt" "esp_decrypt";
855 "/err/esp6-decrypt-post" "esp_decrypt";
856 "/err/esp6-decrypt-tun" "esp_decrypt";
857 "/err/esp6-decrypt-tun-post" "esp_decrypt";
858 "/err/ah4-encrypt" "ah_encrypt";
859 "/err/ah6-encrypt" "ah_encrypt";
860 "/err/ipsec4-tun-input" "ipsec_tun";
861 "/err/ipsec6-tun-input" "ipsec_tun";
862};
863
Pavel Kotucek9c7ef032016-12-21 07:46:45 +0100864/*
865 * Local Variables:
866 * eval: (c-set-style "gnu")
867 * End:
868 */