Neale Ranns | 17dcec0 | 2019-01-09 21:22:20 -0800 | [diff] [blame] | 1 | /* Hey Emacs use -*- mode: C -*- */ |
Pavel Kotucek | 9c7ef03 | 2016-12-21 07:46:45 +0100 | [diff] [blame] | 2 | /* |
| 3 | * Copyright (c) 2015-2016 Cisco and/or its affiliates. |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at: |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
Neale Ranns | 17dcec0 | 2019-01-09 21:22:20 -0800 | [diff] [blame] | 17 | option version = "3.0.0"; |
| 18 | |
| 19 | import "vnet/ip/ip_types.api"; |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 20 | import "vnet/interface_types.api"; |
Dave Barach | 0d056e5 | 2017-09-28 15:11:16 -0400 | [diff] [blame] | 21 | |
Pavel Kotucek | 9c7ef03 | 2016-12-21 07:46:45 +0100 | [diff] [blame] | 22 | /** \brief IPsec: Add/delete Security Policy Database |
| 23 | @param client_index - opaque cookie to identify the sender |
| 24 | @param context - sender context, to match reply w/ request |
| 25 | @param is_add - add SPD if non-zero, else delete |
| 26 | @param spd_id - SPD instance id (control plane allocated) |
| 27 | */ |
| 28 | |
Dave Barach | 11b8dbf | 2017-04-24 10:46:54 -0400 | [diff] [blame] | 29 | autoreply define ipsec_spd_add_del |
Pavel Kotucek | 9c7ef03 | 2016-12-21 07:46:45 +0100 | [diff] [blame] | 30 | { |
| 31 | u32 client_index; |
| 32 | u32 context; |
| 33 | u8 is_add; |
| 34 | u32 spd_id; |
| 35 | }; |
| 36 | |
Pavel Kotucek | 9c7ef03 | 2016-12-21 07:46:45 +0100 | [diff] [blame] | 37 | /** \brief IPsec: Add/delete SPD from interface |
| 38 | |
| 39 | @param client_index - opaque cookie to identify the sender |
| 40 | @param context - sender context, to match reply w/ request |
| 41 | @param is_add - add security mode if non-zero, else delete |
| 42 | @param sw_if_index - index of the interface |
| 43 | @param spd_id - SPD instance id to use for lookups |
| 44 | */ |
| 45 | |
| 46 | |
Dave Barach | 11b8dbf | 2017-04-24 10:46:54 -0400 | [diff] [blame] | 47 | autoreply define ipsec_interface_add_del_spd |
Pavel Kotucek | 9c7ef03 | 2016-12-21 07:46:45 +0100 | [diff] [blame] | 48 | { |
| 49 | u32 client_index; |
| 50 | u32 context; |
| 51 | |
| 52 | u8 is_add; |
| 53 | u32 sw_if_index; |
| 54 | u32 spd_id; |
| 55 | }; |
| 56 | |
Neale Ranns | 17dcec0 | 2019-01-09 21:22:20 -0800 | [diff] [blame] | 57 | |
| 58 | enum ipsec_spd_action |
| 59 | { |
| 60 | /* bypass - no IPsec processing */ |
| 61 | IPSEC_API_SPD_ACTION_BYPASS = 0, |
| 62 | /* discard - discard packet with ICMP processing */ |
| 63 | IPSEC_API_SPD_ACTION_DISCARD, |
| 64 | /* resolve - send request to control plane for SA resolving */ |
| 65 | IPSEC_API_SPD_ACTION_RESOLVE, |
| 66 | /* protect - apply IPsec policy using following parameters */ |
| 67 | IPSEC_API_SPD_ACTION_PROTECT, |
| 68 | }; |
| 69 | |
| 70 | /** \brief IPsec: Security Policy Database entry |
Pavel Kotucek | 9c7ef03 | 2016-12-21 07:46:45 +0100 | [diff] [blame] | 71 | |
| 72 | See RFC 4301, 4.4.1.1 on how to match packet to selectors |
| 73 | |
Pavel Kotucek | 9c7ef03 | 2016-12-21 07:46:45 +0100 | [diff] [blame] | 74 | @param spd_id - SPD instance id (control plane allocated) |
| 75 | @param priority - priority of SPD entry (non-unique value). Used to order SPD matching - higher priorities match before lower |
| 76 | @param is_outbound - entry applies to outbound traffic if non-zero, otherwise applies to inbound traffic |
Pavel Kotucek | 9c7ef03 | 2016-12-21 07:46:45 +0100 | [diff] [blame] | 77 | @param remote_address_start - start of remote address range to match |
| 78 | @param remote_address_stop - end of remote address range to match |
| 79 | @param local_address_start - start of local address range to match |
| 80 | @param local_address_stop - end of local address range to match |
Neale Ranns | 17dcec0 | 2019-01-09 21:22:20 -0800 | [diff] [blame] | 81 | @param protocol - protocol type to match [0 means any] otherwise IANA value |
Pavel Kotucek | 9c7ef03 | 2016-12-21 07:46:45 +0100 | [diff] [blame] | 82 | @param remote_port_start - start of remote port range to match ... |
| 83 | @param remote_port_stop - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE] |
| 84 | @param local_port_start - start of local port range to match ... |
| 85 | @param local_port_stop - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE] |
Neale Ranns | 17dcec0 | 2019-01-09 21:22:20 -0800 | [diff] [blame] | 86 | @param policy - action to perform on match |
Pavel Kotucek | 9c7ef03 | 2016-12-21 07:46:45 +0100 | [diff] [blame] | 87 | @param sa_id - SAD instance id (control plane allocated) |
Pavel Kotucek | 9c7ef03 | 2016-12-21 07:46:45 +0100 | [diff] [blame] | 88 | */ |
Neale Ranns | 17dcec0 | 2019-01-09 21:22:20 -0800 | [diff] [blame] | 89 | typedef ipsec_spd_entry |
Pavel Kotucek | 9c7ef03 | 2016-12-21 07:46:45 +0100 | [diff] [blame] | 90 | { |
Pavel Kotucek | 9c7ef03 | 2016-12-21 07:46:45 +0100 | [diff] [blame] | 91 | u32 spd_id; |
| 92 | i32 priority; |
| 93 | u8 is_outbound; |
| 94 | |
Neale Ranns | 17dcec0 | 2019-01-09 21:22:20 -0800 | [diff] [blame] | 95 | u32 sa_id; |
| 96 | vl_api_ipsec_spd_action_t policy; |
Pavel Kotucek | 9c7ef03 | 2016-12-21 07:46:45 +0100 | [diff] [blame] | 97 | u8 protocol; |
| 98 | |
Neale Ranns | 17dcec0 | 2019-01-09 21:22:20 -0800 | [diff] [blame] | 99 | // Selector |
Neale Ranns | 17dcec0 | 2019-01-09 21:22:20 -0800 | [diff] [blame] | 100 | vl_api_address_t remote_address_start; |
| 101 | vl_api_address_t remote_address_stop; |
| 102 | vl_api_address_t local_address_start; |
| 103 | vl_api_address_t local_address_stop; |
| 104 | |
Pavel Kotucek | 9c7ef03 | 2016-12-21 07:46:45 +0100 | [diff] [blame] | 105 | u16 remote_port_start; |
| 106 | u16 remote_port_stop; |
| 107 | u16 local_port_start; |
| 108 | u16 local_port_stop; |
Neale Ranns | 17dcec0 | 2019-01-09 21:22:20 -0800 | [diff] [blame] | 109 | }; |
Pavel Kotucek | 9c7ef03 | 2016-12-21 07:46:45 +0100 | [diff] [blame] | 110 | |
Neale Ranns | 17dcec0 | 2019-01-09 21:22:20 -0800 | [diff] [blame] | 111 | /** \brief IPsec: Add/delete Security Policy Database entry |
| 112 | |
| 113 | @param client_index - opaque cookie to identify the sender |
| 114 | @param context - sender context, to match reply w/ request |
| 115 | @param is_add - add SPD if non-zero, else delete |
| 116 | @param entry - Description of the entry to add/dell |
| 117 | */ |
Neale Ranns | a09c1ff | 2019-02-04 01:10:30 -0800 | [diff] [blame] | 118 | define ipsec_spd_entry_add_del |
Neale Ranns | 17dcec0 | 2019-01-09 21:22:20 -0800 | [diff] [blame] | 119 | { |
| 120 | u32 client_index; |
| 121 | u32 context; |
| 122 | u8 is_add; |
| 123 | vl_api_ipsec_spd_entry_t entry; |
| 124 | }; |
| 125 | |
Neale Ranns | a09c1ff | 2019-02-04 01:10:30 -0800 | [diff] [blame] | 126 | /** \brief IPsec: Reply Add/delete Security Policy Database entry |
| 127 | |
| 128 | @param context - sender context, to match reply w/ request |
| 129 | @param retval - success/fail rutrun code |
| 130 | @param stat_index - An index for the policy in the stats segment @ /net/ipec/policy |
| 131 | */ |
| 132 | define ipsec_spd_entry_add_del_reply |
| 133 | { |
| 134 | u32 context; |
| 135 | i32 retval; |
| 136 | u32 stat_index; |
| 137 | }; |
| 138 | |
Neale Ranns | 17dcec0 | 2019-01-09 21:22:20 -0800 | [diff] [blame] | 139 | /** \brief Dump IPsec all SPD IDs |
| 140 | @param client_index - opaque cookie to identify the sender |
| 141 | @param context - sender context, to match reply w/ request |
| 142 | */ |
| 143 | define ipsec_spds_dump { |
| 144 | u32 client_index; |
| 145 | u32 context; |
| 146 | }; |
| 147 | |
| 148 | /** \brief Dump IPsec all SPD IDs response |
| 149 | @param client_index - opaque cookie to identify the sender |
| 150 | @param spd_id - SPD instance id (control plane allocated) |
| 151 | @param npolicies - number of policies in SPD |
| 152 | */ |
| 153 | define ipsec_spds_details { |
| 154 | u32 context; |
| 155 | u32 spd_id; |
| 156 | u32 npolicies; |
| 157 | }; |
| 158 | |
| 159 | /** \brief Dump ipsec policy database data |
| 160 | @param client_index - opaque cookie to identify the sender |
| 161 | @param context - sender context, to match reply w/ request |
| 162 | @param spd_id - SPD instance id |
| 163 | @param sa_id - SA id, optional, set to ~0 to see all policies in SPD |
| 164 | */ |
| 165 | define ipsec_spd_dump { |
| 166 | u32 client_index; |
| 167 | u32 context; |
| 168 | u32 spd_id; |
| 169 | u32 sa_id; |
| 170 | }; |
| 171 | |
| 172 | /** \brief IPsec policy database response |
| 173 | @param context - sender context which was passed in the request |
| 174 | €param entry - The SPD entry. |
| 175 | @param bytes - byte count of packets matching this policy |
| 176 | @param packets - count of packets matching this policy |
| 177 | */ |
| 178 | define ipsec_spd_details { |
| 179 | u32 context; |
| 180 | vl_api_ipsec_spd_entry_t entry; |
Neale Ranns | 17dcec0 | 2019-01-09 21:22:20 -0800 | [diff] [blame] | 181 | }; |
| 182 | |
| 183 | /* |
| 184 | * @brief Support cryptographic algorithms |
| 185 | */ |
| 186 | enum ipsec_crypto_alg |
| 187 | { |
| 188 | IPSEC_API_CRYPTO_ALG_NONE = 0, |
| 189 | IPSEC_API_CRYPTO_ALG_AES_CBC_128, |
| 190 | IPSEC_API_CRYPTO_ALG_AES_CBC_192, |
| 191 | IPSEC_API_CRYPTO_ALG_AES_CBC_256, |
| 192 | IPSEC_API_CRYPTO_ALG_AES_CTR_128, |
| 193 | IPSEC_API_CRYPTO_ALG_AES_CTR_192, |
| 194 | IPSEC_API_CRYPTO_ALG_AES_CTR_256, |
| 195 | IPSEC_API_CRYPTO_ALG_AES_GCM_128, |
| 196 | IPSEC_API_CRYPTO_ALG_AES_GCM_192, |
| 197 | IPSEC_API_CRYPTO_ALG_AES_GCM_256, |
| 198 | IPSEC_API_CRYPTO_ALG_DES_CBC, |
| 199 | IPSEC_API_CRYPTO_ALG_3DES_CBC, |
| 200 | }; |
| 201 | |
| 202 | /* |
| 203 | * @brief Supported Integrity Algorithms |
| 204 | */ |
| 205 | enum ipsec_integ_alg |
| 206 | { |
| 207 | IPSEC_API_INTEG_ALG_NONE = 0, |
| 208 | /* RFC2403 */ |
| 209 | IPSEC_API_INTEG_ALG_MD5_96, |
| 210 | /* RFC2404 */ |
| 211 | IPSEC_API_INTEG_ALG_SHA1_96, |
| 212 | /* draft-ietf-ipsec-ciph-sha-256-00 */ |
| 213 | IPSEC_API_INTEG_ALG_SHA_256_96, |
| 214 | /* RFC4868 */ |
| 215 | IPSEC_API_INTEG_ALG_SHA_256_128, |
| 216 | /* RFC4868 */ |
| 217 | IPSEC_API_INTEG_ALG_SHA_384_192, |
| 218 | /* RFC4868 */ |
| 219 | IPSEC_API_INTEG_ALG_SHA_512_256, |
| 220 | }; |
| 221 | |
| 222 | enum ipsec_sad_flags |
| 223 | { |
| 224 | IPSEC_API_SAD_FLAG_NONE = 0, |
| 225 | /* Enable extended sequence numbers */ |
Damjan Marion | 1e3aa5e | 2019-03-28 10:58:59 +0100 | [diff] [blame] | 226 | IPSEC_API_SAD_FLAG_USE_ESN = 0x01, |
Neale Ranns | 17dcec0 | 2019-01-09 21:22:20 -0800 | [diff] [blame] | 227 | /* Enable Anti-replay */ |
| 228 | IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY = 0x02, |
| 229 | /* IPsec tunnel mode if non-zero, else transport mode */ |
| 230 | IPSEC_API_SAD_FLAG_IS_TUNNEL = 0x04, |
| 231 | /* IPsec tunnel mode is IPv6 if non-zero, |
| 232 | * else IPv4 tunnel only valid if is_tunnel is non-zero */ |
| 233 | IPSEC_API_SAD_FLAG_IS_TUNNEL_V6 = 0x08, |
| 234 | /* enable UDP encapsulation for NAT traversal */ |
| 235 | IPSEC_API_SAD_FLAG_UDP_ENCAP = 0x10, |
| 236 | }; |
| 237 | |
| 238 | enum ipsec_proto |
| 239 | { |
| 240 | IPSEC_API_PROTO_ESP, |
| 241 | IPSEC_API_PROTO_AH, |
| 242 | }; |
| 243 | |
| 244 | typedef key |
| 245 | { |
| 246 | /* the length of the key */ |
| 247 | u8 length; |
| 248 | /* The data for the key */ |
| 249 | u8 data[128]; |
| 250 | }; |
| 251 | |
| 252 | /** \brief IPsec: Security Association Database entry |
| 253 | @param client_index - opaque cookie to identify the sender |
| 254 | @param context - sender context, to match reply w/ request |
| 255 | @param is_add - add SAD entry if non-zero, else delete |
| 256 | @param sad_id - sad id |
| 257 | @param spi - security parameter index |
| 258 | @param protocol - 0 = AH, 1 = ESP |
| 259 | @param crypto_algorithm - a supported crypto algorithm |
| 260 | @param crypto_key - crypto keying material |
| 261 | @param integrity_algorithm - one of the supported algorithms |
| 262 | @param integrity_key - integrity keying material |
| 263 | @param tunnel_src_address - IPsec tunnel source address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero |
| 264 | @param tunnel_dst_address - IPsec tunnel destination address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero |
Neale Ranns | 8d7c502 | 2019-02-06 01:41:05 -0800 | [diff] [blame] | 265 | @param tx_table_id - the FIB id used for encapsulated packets |
Neale Ranns | 80f6fd5 | 2019-04-16 02:41:34 +0000 | [diff] [blame] | 266 | @param salt - for use with counter mode ciphers |
Neale Ranns | 17dcec0 | 2019-01-09 21:22:20 -0800 | [diff] [blame] | 267 | */ |
| 268 | typedef ipsec_sad_entry |
| 269 | { |
| 270 | u32 sad_id; |
| 271 | |
| 272 | u32 spi; |
| 273 | |
| 274 | vl_api_ipsec_proto_t protocol; |
| 275 | |
| 276 | vl_api_ipsec_crypto_alg_t crypto_algorithm; |
| 277 | vl_api_key_t crypto_key; |
| 278 | |
| 279 | vl_api_ipsec_integ_alg_t integrity_algorithm; |
| 280 | vl_api_key_t integrity_key; |
| 281 | |
| 282 | vl_api_ipsec_sad_flags_t flags; |
| 283 | |
| 284 | vl_api_address_t tunnel_src; |
| 285 | vl_api_address_t tunnel_dst; |
Neale Ranns | 8d7c502 | 2019-02-06 01:41:05 -0800 | [diff] [blame] | 286 | u32 tx_table_id; |
Neale Ranns | 80f6fd5 | 2019-04-16 02:41:34 +0000 | [diff] [blame] | 287 | u32 salt; |
Pavel Kotucek | 9c7ef03 | 2016-12-21 07:46:45 +0100 | [diff] [blame] | 288 | }; |
| 289 | |
Pavel Kotucek | 9c7ef03 | 2016-12-21 07:46:45 +0100 | [diff] [blame] | 290 | /** \brief IPsec: Add/delete Security Association Database entry |
| 291 | @param client_index - opaque cookie to identify the sender |
| 292 | @param context - sender context, to match reply w/ request |
Neale Ranns | 17dcec0 | 2019-01-09 21:22:20 -0800 | [diff] [blame] | 293 | @param entry - Entry to add or delete |
Pavel Kotucek | 9c7ef03 | 2016-12-21 07:46:45 +0100 | [diff] [blame] | 294 | */ |
Neale Ranns | eba31ec | 2019-02-17 18:04:27 +0000 | [diff] [blame] | 295 | define ipsec_sad_entry_add_del |
Pavel Kotucek | 9c7ef03 | 2016-12-21 07:46:45 +0100 | [diff] [blame] | 296 | { |
| 297 | u32 client_index; |
| 298 | u32 context; |
| 299 | u8 is_add; |
Neale Ranns | 17dcec0 | 2019-01-09 21:22:20 -0800 | [diff] [blame] | 300 | vl_api_ipsec_sad_entry_t entry; |
Pavel Kotucek | 9c7ef03 | 2016-12-21 07:46:45 +0100 | [diff] [blame] | 301 | }; |
Neale Ranns | eba31ec | 2019-02-17 18:04:27 +0000 | [diff] [blame] | 302 | define ipsec_sad_entry_add_del_reply |
| 303 | { |
| 304 | u32 context; |
| 305 | i32 retval; |
| 306 | u32 stat_index; |
| 307 | }; |
Pavel Kotucek | 9c7ef03 | 2016-12-21 07:46:45 +0100 | [diff] [blame] | 308 | |
Neale Ranns | c87b66c | 2019-02-07 07:26:12 -0800 | [diff] [blame] | 309 | /** \brief Add or Update Protection for a tunnel with IPSEC |
| 310 | |
| 311 | Tunnel protection directly associates an SA with all packets |
| 312 | ingress and egress on the tunnel. This could also be achieved by |
| 313 | assigning an SPD to the tunnel, but that would incur an unnessccary |
| 314 | SPD entry lookup. |
| 315 | |
| 316 | For tunnels the ESP acts on the post-encapsulated packet. So if this |
| 317 | packet: |
| 318 | +---------+------+ |
| 319 | | Payload | O-IP | |
| 320 | +---------+------+ |
| 321 | where O-IP is the overlay IP addrees that was routed into the tunnel, |
| 322 | the resulting encapsulated packet will be: |
| 323 | +---------+------+------+ |
| 324 | | Payload | O-IP | T-IP | |
| 325 | +---------+------+------+ |
| 326 | where T-IP is the tunnel's src.dst IP addresses. |
| 327 | If the SAs used for protection are in transport mode then the ESP is |
| 328 | inserted before T-IP, i.e.: |
| 329 | +---------+------+-----+------+ |
| 330 | | Payload | O-IP | ESP | T-IP | |
| 331 | +---------+------+-----+------+ |
| 332 | If the SAs used for protection are in tunnel mode then another |
| 333 | encapsulation occurs, i.e.: |
| 334 | +---------+------+------+-----+------+ |
| 335 | | Payload | O-IP | T-IP | ESP | C-IP | |
| 336 | +---------+------+------+-----+------+ |
| 337 | where C-IP are the crypto endpoint IP addresses defined as the tunnel |
| 338 | endpoints in the SA. |
| 339 | The mode for the inbound and outbound SA must be the same. |
| 340 | |
| 341 | @param client_index - opaque cookie to identify the sender |
| 342 | @param context - sender context, to match reply w/ request |
| 343 | @param sw_id_index - Tunnel interface to protect |
| 344 | @param sa_in - The ID [set] of inbound SAs |
| 345 | @param sa_out - The ID of outbound SA |
| 346 | */ |
| 347 | typedef ipsec_tunnel_protect |
| 348 | { |
| 349 | vl_api_interface_index_t sw_if_index; |
| 350 | u32 sa_out; |
| 351 | u8 n_sa_in; |
| 352 | u32 sa_in[n_sa_in]; |
| 353 | }; |
| 354 | |
| 355 | autoreply define ipsec_tunnel_protect_update |
| 356 | { |
| 357 | u32 client_index; |
| 358 | u32 context; |
| 359 | |
| 360 | vl_api_ipsec_tunnel_protect_t tunnel; |
| 361 | }; |
| 362 | |
| 363 | autoreply define ipsec_tunnel_protect_del |
| 364 | { |
| 365 | u32 client_index; |
| 366 | u32 context; |
| 367 | |
| 368 | vl_api_interface_index_t sw_if_index; |
| 369 | }; |
| 370 | |
| 371 | define ipsec_tunnel_protect_dump |
| 372 | { |
| 373 | u32 client_index; |
| 374 | u32 context; |
| 375 | vl_api_interface_index_t sw_if_index; |
| 376 | }; |
| 377 | |
| 378 | define ipsec_tunnel_protect_details |
| 379 | { |
| 380 | u32 context; |
| 381 | vl_api_ipsec_tunnel_protect_t tun; |
| 382 | }; |
| 383 | |
Filip Varga | 871bca9 | 2018-11-02 13:51:44 +0100 | [diff] [blame] | 384 | /** \brief IPsec: Get SPD interfaces |
| 385 | @param client_index - opaque cookie to identify the sender |
| 386 | @param context - sender context, to match reply w/ request |
| 387 | @param spd_index - SPD index |
| 388 | @param spd_index_valid - if 1 spd_index is used to filter |
| 389 | spd_index's, if 0 no filtering is done |
| 390 | */ |
| 391 | define ipsec_spd_interface_dump { |
| 392 | u32 client_index; |
| 393 | u32 context; |
| 394 | u32 spd_index; |
| 395 | u8 spd_index_valid; |
| 396 | }; |
| 397 | |
| 398 | /** \brief IPsec: SPD interface response |
| 399 | @param context - sender context which was passed in the request |
| 400 | @param spd_index - SPD index |
| 401 | @param sw_if_index - index of the interface |
| 402 | */ |
| 403 | define ipsec_spd_interface_details { |
| 404 | u32 context; |
| 405 | u32 spd_index; |
| 406 | u32 sw_if_index; |
| 407 | }; |
| 408 | |
Matthew Smith | b0972cb | 2017-05-02 16:20:41 -0500 | [diff] [blame] | 409 | /** \brief Add or delete IPsec tunnel interface |
| 410 | @param client_index - opaque cookie to identify the sender |
| 411 | @param context - sender context, to match reply w/ request |
| 412 | @param is_add - add IPsec tunnel interface if nonzero, else delete |
Kingwel Xie | 1ba5bc8 | 2019-03-20 07:21:58 -0400 | [diff] [blame] | 413 | @param is_ip6 - tunnel v6 or v4 |
Matthew Smith | b0972cb | 2017-05-02 16:20:41 -0500 | [diff] [blame] | 414 | @param esn - enable extended sequence numbers if nonzero, else disable |
| 415 | @param anti_replay - enable anti replay check if nonzero, else disable |
| 416 | @param local_ip - local IP address |
| 417 | @param remote_ip - IP address of remote IPsec peer |
| 418 | @param local_spi - SPI of outbound IPsec SA |
| 419 | @param remote_spi - SPI of inbound IPsec SA |
| 420 | @param crypto_alg - encryption algorithm ID |
| 421 | @param local_crypto_key_len - length of local crypto key in bytes |
| 422 | @param local_crypto_key - crypto key for outbound IPsec SA |
| 423 | @param remote_crypto_key_len - length of remote crypto key in bytes |
| 424 | @param remote_crypto_key - crypto key for inbound IPsec SA |
| 425 | @param integ_alg - integrity algorithm ID |
| 426 | @param local_integ_key_len - length of local integrity key in bytes |
| 427 | @param local_integ_key - integrity key for outbound IPsec SA |
| 428 | @param remote_integ_key_len - length of remote integrity key in bytes |
| 429 | @param remote_integ_key - integrity key for inbound IPsec SA |
Matthew Smith | 8e1039a | 2018-04-12 07:32:56 -0500 | [diff] [blame] | 430 | @param renumber - intf display name uses a specified instance if != 0 |
| 431 | @param show_instance - instance to display for intf if renumber is set |
Filip Tehlar | b4a7a7d | 2018-11-30 07:27:27 -0800 | [diff] [blame] | 432 | @param udp_encap - enable UDP encapsulation for NAT traversal |
Pierre Pfister | 4c422f9 | 2018-12-10 11:19:08 +0100 | [diff] [blame] | 433 | @param tx_table_id - the FIB id used after packet encap |
Neale Ranns | 80f6fd5 | 2019-04-16 02:41:34 +0000 | [diff] [blame] | 434 | @param salt - for use with counter mode ciphers |
Matthew Smith | b0972cb | 2017-05-02 16:20:41 -0500 | [diff] [blame] | 435 | */ |
Matthew Smith | e04d09d | 2017-05-14 21:47:18 -0500 | [diff] [blame] | 436 | define ipsec_tunnel_if_add_del { |
Matthew Smith | b0972cb | 2017-05-02 16:20:41 -0500 | [diff] [blame] | 437 | u32 client_index; |
| 438 | u32 context; |
| 439 | u8 is_add; |
| 440 | u8 esn; |
| 441 | u8 anti_replay; |
Kingwel Xie | 1ba5bc8 | 2019-03-20 07:21:58 -0400 | [diff] [blame] | 442 | vl_api_address_t local_ip; |
| 443 | vl_api_address_t remote_ip; |
Matthew Smith | b0972cb | 2017-05-02 16:20:41 -0500 | [diff] [blame] | 444 | u32 local_spi; |
| 445 | u32 remote_spi; |
| 446 | u8 crypto_alg; |
| 447 | u8 local_crypto_key_len; |
| 448 | u8 local_crypto_key[128]; |
| 449 | u8 remote_crypto_key_len; |
| 450 | u8 remote_crypto_key[128]; |
| 451 | u8 integ_alg; |
| 452 | u8 local_integ_key_len; |
| 453 | u8 local_integ_key[128]; |
| 454 | u8 remote_integ_key_len; |
| 455 | u8 remote_integ_key[128]; |
Matthew Smith | 8e1039a | 2018-04-12 07:32:56 -0500 | [diff] [blame] | 456 | u8 renumber; |
| 457 | u32 show_instance; |
Filip Tehlar | b4a7a7d | 2018-11-30 07:27:27 -0800 | [diff] [blame] | 458 | u8 udp_encap; |
Pierre Pfister | 4c422f9 | 2018-12-10 11:19:08 +0100 | [diff] [blame] | 459 | u32 tx_table_id; |
Neale Ranns | 80f6fd5 | 2019-04-16 02:41:34 +0000 | [diff] [blame] | 460 | u32 salt; |
Matthew Smith | b0972cb | 2017-05-02 16:20:41 -0500 | [diff] [blame] | 461 | }; |
| 462 | |
Matthew Smith | e04d09d | 2017-05-14 21:47:18 -0500 | [diff] [blame] | 463 | /** \brief Add/delete IPsec tunnel interface response |
| 464 | @param context - sender context, to match reply w/ request |
| 465 | @param retval - return status |
| 466 | @param sw_if_index - sw_if_index of new interface (for successful add) |
| 467 | */ |
| 468 | define ipsec_tunnel_if_add_del_reply { |
| 469 | u32 context; |
| 470 | i32 retval; |
| 471 | u32 sw_if_index; |
| 472 | }; |
| 473 | |
Matthew Smith | 2802953 | 2017-09-26 13:33:44 -0500 | [diff] [blame] | 474 | /** \brief Dump IPsec security association |
| 475 | @param client_index - opaque cookie to identify the sender |
| 476 | @param context - sender context, to match reply w/ request |
| 477 | @param sa_id - optional ID of an SA to dump, if ~0 dump all SAs in SAD |
| 478 | */ |
| 479 | define ipsec_sa_dump { |
| 480 | u32 client_index; |
| 481 | u32 context; |
| 482 | u32 sa_id; |
| 483 | }; |
| 484 | |
| 485 | /** \brief IPsec security association database response |
| 486 | @param context - sender context which was passed in the request |
| 487 | @param sa_id - SA ID, policy-based SAs >=0, tunnel interface SAs = 0 |
| 488 | @param sw_if_index - sw_if_index of tunnel interface, policy-based SAs = ~0 |
| 489 | @param spi - security parameter index |
| 490 | @param protocol - IPsec protocol (value from ipsec_protocol_t) |
| 491 | @param crypto_alg - crypto algorithm (value from ipsec_crypto_alg_t) |
| 492 | @param crypto_key_len - length of crypto_key in bytes |
| 493 | @param crypto_key - crypto keying material |
| 494 | @param integ_alg - integrity algorithm (value from ipsec_integ_alg_t) |
| 495 | @param integ_key_len - length of integ_key in bytes |
| 496 | @param integ_key - integrity keying material |
| 497 | @param use_esn - using extended sequence numbers when non-zero |
| 498 | @param use_anti_replay - using anti-replay window when non-zero |
| 499 | @param is_tunnel - IPsec tunnel mode when non-zero, else transport mode |
| 500 | @param is_tunnel_ipv6 - If using tunnel mode, endpoints are IPv6 |
| 501 | @param tunnel_src_addr - Tunnel source address if using tunnel mode |
| 502 | @param tunnel_dst_addr - Tunnel destination address is using tunnel mode |
| 503 | @param salt - 4 byte salt |
| 504 | @param seq - current sequence number for outbound |
| 505 | @param seq_hi - high 32 bits of ESN for outbound |
| 506 | @param last_seq - highest sequence number received inbound |
| 507 | @param last_seq_hi - high 32 bits of highest ESN received inbound |
| 508 | @param replay_window - bit map of seq nums received relative to last_seq if using anti-replay |
| 509 | @param total_data_size - total bytes sent or received |
Klement Sekera | 4b089f2 | 2018-04-17 18:04:57 +0200 | [diff] [blame] | 510 | @param udp_encap - 1 if UDP encap enabled, 0 otherwise |
Matthew Smith | 2802953 | 2017-09-26 13:33:44 -0500 | [diff] [blame] | 511 | */ |
| 512 | define ipsec_sa_details { |
| 513 | u32 context; |
Neale Ranns | 8d7c502 | 2019-02-06 01:41:05 -0800 | [diff] [blame] | 514 | vl_api_ipsec_sad_entry_t entry; |
| 515 | |
Matthew Smith | 2802953 | 2017-09-26 13:33:44 -0500 | [diff] [blame] | 516 | u32 sw_if_index; |
Matthew Smith | 2802953 | 2017-09-26 13:33:44 -0500 | [diff] [blame] | 517 | u32 salt; |
| 518 | u64 seq_outbound; |
| 519 | u64 last_seq_inbound; |
| 520 | u64 replay_window; |
| 521 | |
| 522 | u64 total_data_size; |
| 523 | }; |
| 524 | |
Matthew Smith | ca514fd | 2017-10-12 12:06:59 -0500 | [diff] [blame] | 525 | /** \brief Set new SA on IPsec interface |
| 526 | @param client_index - opaque cookie to identify the sender |
| 527 | @param context - sender context, to match reply w/ request |
| 528 | @param sw_if_index - index of tunnel interface |
| 529 | @param sa_id - ID of SA to use |
| 530 | @param is_outbound - 1 if outbound (local) SA, 0 if inbound (remote) |
| 531 | */ |
| 532 | autoreply define ipsec_tunnel_if_set_sa { |
| 533 | u32 client_index; |
| 534 | u32 context; |
| 535 | u32 sw_if_index; |
| 536 | u32 sa_id; |
| 537 | u8 is_outbound; |
| 538 | }; |
| 539 | |
Klement Sekera | b4d3053 | 2018-11-08 13:00:02 +0100 | [diff] [blame] | 540 | /** \brief Dump IPsec backends |
| 541 | @param client_index - opaque cookie to identify the sender |
| 542 | @param context - sender context, to match reply w/ request |
| 543 | */ |
| 544 | define ipsec_backend_dump { |
| 545 | u32 client_index; |
| 546 | u32 context; |
| 547 | }; |
| 548 | |
| 549 | /** \brief IPsec backend details |
| 550 | @param name - name of the backend |
| 551 | @param protocol - IPsec protocol (value from ipsec_protocol_t) |
| 552 | @param index - backend index |
| 553 | @param active - set to 1 if the backend is active, otherwise 0 |
| 554 | */ |
| 555 | define ipsec_backend_details { |
| 556 | u32 context; |
| 557 | u8 name[128]; |
Neale Ranns | 17dcec0 | 2019-01-09 21:22:20 -0800 | [diff] [blame] | 558 | vl_api_ipsec_proto_t protocol; |
Klement Sekera | b4d3053 | 2018-11-08 13:00:02 +0100 | [diff] [blame] | 559 | u8 index; |
| 560 | u8 active; |
| 561 | }; |
| 562 | |
| 563 | /** \brief Select IPsec backend |
| 564 | @param client_index - opaque cookie to identify the sender |
| 565 | @param context - sender context, to match reply w/ request |
| 566 | @param protocol - IPsec protocol (value from ipsec_protocol_t) |
| 567 | @param index - backend index |
| 568 | */ |
| 569 | autoreply define ipsec_select_backend { |
| 570 | u32 client_index; |
| 571 | u32 context; |
Neale Ranns | 17dcec0 | 2019-01-09 21:22:20 -0800 | [diff] [blame] | 572 | vl_api_ipsec_proto_t protocol; |
Klement Sekera | b4d3053 | 2018-11-08 13:00:02 +0100 | [diff] [blame] | 573 | u8 index; |
| 574 | }; |
| 575 | |
Pavel Kotucek | 9c7ef03 | 2016-12-21 07:46:45 +0100 | [diff] [blame] | 576 | /* |
| 577 | * Local Variables: |
| 578 | * eval: (c-set-style "gnu") |
| 579 | * End: |
| 580 | */ |
Dave Barach | 11b8dbf | 2017-04-24 10:46:54 -0400 | [diff] [blame] | 581 | |