/* Hey Emacs use -*- mode: C -*- */
/*
 * Copyright (c) 2015-2016 Cisco and/or its affiliates.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

/* Version of this API definition file. */
option version = "5.0.2";

/*
 * Type definitions used by the messages below. The SPD/SAD entry types
 * (vl_api_ipsec_spd_entry_*_t, vl_api_ipsec_sad_entry_*_t) are not defined
 * in this file; they come from these imports.
 * NOTE(review): vnet/interface_types.api is imported twice; the second
 * import looks redundant.
 */
import "vnet/ipsec/ipsec_types.api";
import "vnet/interface_types.api";
import "vnet/ip/ip_types.api";
import "vnet/interface_types.api";
import "vnet/tunnel/tunnel_types.api";

/** \brief IPsec: Add/delete Security Policy Database
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param is_add - add SPD if non-zero, else delete
    @param spd_id - SPD instance id (control plane allocated)

    Declared autoreply: the reply message is generated, not defined in
    this file.
*/
autoreply define ipsec_spd_add_del
{
  u32 client_index;
  u32 context;
  bool is_add;
  u32 spd_id;
};

/** \brief IPsec: Add/delete SPD from interface

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param is_add - add security mode if non-zero, else delete
    @param sw_if_index - index of the interface
    @param spd_id - SPD instance id to use for lookups

    NOTE(review): sw_if_index and spd_id are chosen by the sender and the
    handler is not part of this file; confirm it rejects unknown
    interfaces and unknown SPD ids. Removing the binding changes which
    policy lookups apply on the interface, so this call deserves the same
    access control as the policy entries themselves.
*/
autoreply define ipsec_interface_add_del_spd
{
  u32 client_index;
  u32 context;

  bool is_add;
  vl_api_interface_index_t sw_if_index;
  u32 spd_id;
};

/** \brief IPsec: Add/delete Security Policy Database entry

    Marked deprecated; ipsec_spd_entry_add_del_v2 carries
    vl_api_ipsec_spd_entry_v2_t instead.

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param is_add - add the SPD entry if non-zero, else delete
    @param entry - Description of the entry to add/delete
*/
define ipsec_spd_entry_add_del
{
  option deprecated;
  u32 client_index;
  u32 context;
  bool is_add;
  vl_api_ipsec_spd_entry_t entry;
};

/** \brief IPsec: Add/delete Security Policy Database entry v2

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param is_add - add the SPD entry if non-zero, else delete
    @param entry - Description of the entry to add/delete

    Answered by ipsec_spd_entry_add_del_v2_reply.
*/
define ipsec_spd_entry_add_del_v2
{
  u32 client_index;
  u32 context;
  bool is_add;
  vl_api_ipsec_spd_entry_v2_t entry;
};

/** \brief IPsec: Reply Add/delete Security Policy Database entry

    Marked deprecated together with its request.

    @param context - sender context, to match reply w/ request
    @param retval - success/fail return code
    @param stat_index - An index for the policy in the stats segment @ /net/ipsec/policy
*/
define ipsec_spd_entry_add_del_reply
{
  option deprecated;
  u32 context;
  i32 retval;
  u32 stat_index;
};

/** \brief IPsec: Reply Add/delete Security Policy Database entry v2

    @param context - sender context, to match reply w/ request
    @param retval - success/fail return code
    @param stat_index - An index for the policy in the stats segment @ /net/ipsec/policy
*/
define ipsec_spd_entry_add_del_v2_reply
{
  u32 context;
  i32 retval;
  u32 stat_index;
};

/** \brief Dump all IPsec SPD IDs
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request

    Answered with ipsec_spds_details messages.
*/
define ipsec_spds_dump {
  u32 client_index;
  u32 context;
};

/** \brief Dump all IPsec SPD IDs response
    @param context - sender context which was passed in the request
    @param spd_id - SPD instance id (control plane allocated)
    @param npolicies - number of policies in SPD
*/
define ipsec_spds_details {
  u32 context;
  u32 spd_id;
  u32 npolicies;
};

/** \brief Dump ipsec policy database data
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param spd_id - SPD instance id
    @param sa_id - SA id, optional, set to ~0 to see all policies in SPD

    Answered with ipsec_spd_details messages.
*/
define ipsec_spd_dump {
  u32 client_index;
  u32 context;
  u32 spd_id;
  u32 sa_id;
};

/** \brief IPsec policy database response
    @param context - sender context which was passed in the request
    @param entry - The SPD entry.

    NOTE(review): earlier documentation also listed bytes and packets
    parameters (counts for packets matching the policy); this message
    defines no such fields.
*/
define ipsec_spd_details {
  u32 context;
  vl_api_ipsec_spd_entry_t entry;
};

/** \brief IPsec: Add/delete Security Association Database entry

    Marked deprecated; later revisions of this request follow below.

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param is_add - add the entry if set, else delete
    @param entry - Entry to add or delete

    NOTE(review): vl_api_ipsec_sad_entry_t is defined in
    vnet/ipsec/ipsec_types.api, not in this file. If it carries key
    material, access to the API transport has to be restricted
    accordingly.
 */
define ipsec_sad_entry_add_del
{
  option deprecated;

  u32 client_index;
  u32 context;
  bool is_add;
  vl_api_ipsec_sad_entry_t entry;
};

/** \brief IPsec: Add/delete Security Association Database entry v2

    Marked deprecated. Same layout as ipsec_sad_entry_add_del, with the
    entry given as vl_api_ipsec_sad_entry_v2_t.

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param is_add - add the entry if set, else delete
    @param entry - Entry to add or delete
 */
define ipsec_sad_entry_add_del_v2
{
  option deprecated;

  u32 client_index;
  u32 context;
  bool is_add;
  vl_api_ipsec_sad_entry_v2_t entry;
};

/** \brief IPsec: Add/delete Security Association Database entry v3

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param is_add - add the entry if set, else delete
    @param entry - Entry to add or delete (vl_api_ipsec_sad_entry_v3_t)
 */
define ipsec_sad_entry_add_del_v3
{
  u32 client_index;
  u32 context;
  bool is_add;
  vl_api_ipsec_sad_entry_v3_t entry;
};

/** \brief IPsec: Add a Security Association Database entry

    Add-only request (no is_add flag); deletion is a separate message,
    ipsec_sad_entry_del. Answered by ipsec_sad_entry_add_reply.

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param entry - Entry to add (vl_api_ipsec_sad_entry_v3_t)
 */
define ipsec_sad_entry_add
{
  u32 client_index;
  u32 context;
  vl_api_ipsec_sad_entry_v3_t entry;
};

202define ipsec_sad_entry_add_v2
203{
204 u32 client_index;
205 u32 context;
206 vl_api_ipsec_sad_entry_v4_t entry;
207};
208
/** \brief IPsec: Delete a Security Association Database entry

    Declared autoreply: the reply message is generated, not defined in
    this file.

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param id - presumably the id of the SA to delete; confirm against
                the handler
 */
autoreply define ipsec_sad_entry_del
{
  u32 client_index;
  u32 context;
  u32 id;
};

/** \brief An API to bind an SAD entry to a specific worker

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param sa_id - the id of the SA to bind
    @param worker - the index of the worker to which the SA will be bound

    NOTE(review): worker is a sender-supplied u32 and the handler is not
    part of this file; confirm it is range-checked against the configured
    workers before it is used as an index.
 */
autoreply define ipsec_sad_bind
{
  u32 client_index;
  u32 context;
  u32 sa_id;
  u32 worker;
};

/** \brief An API to undo ipsec_sad_bind for an SAD entry

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param sa_id - the id of the SA to unbind
 */
autoreply define ipsec_sad_unbind
{
  u32 client_index;
  u32 context;
  u32 sa_id;
};

/** \brief An API to update the tunnel parameters and the ports associated with an SA

    Used in the NAT-T case when the NAT data changes
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param sad_id - the id of the SA to update
    @param is_tun - update the tunnel if non-zero, else update only the ports
    @param tunnel - the tunnel parameters; presumably only read when
                    is_tun is set, confirm against the handler
    @param udp_src_port - new src port for NAT-T. Used if different from 0xffff
    @param udp_dst_port - new dst port for NAT-T. Used if different from 0xffff

    NOTE(review): this message redirects where an existing SA's traffic
    is sent, so it warrants the same access control as SA creation.
 */
autoreply define ipsec_sad_entry_update
{
  u32 client_index;
  u32 context;
  u32 sad_id;
  bool is_tun;
  vl_api_tunnel_t tunnel;
  u16 udp_src_port [default=0xffff];
  u16 udp_dst_port [default=0xffff];
};

/** \brief IPsec: Reply to ipsec_sad_entry_add_del

    Marked deprecated together with its request.

    @param context - sender context, to match reply w/ request
    @param retval - return code
    @param stat_index - presumably the SA's index in the stats segment
                        (ipsec_sa_details documents /net/ipsec/sa); confirm
 */
define ipsec_sad_entry_add_del_reply
{
  option deprecated;

  u32 context;
  i32 retval;
  u32 stat_index;
};

/** \brief IPsec: Reply to ipsec_sad_entry_add_del_v2

    Marked deprecated together with its request.

    @param context - sender context, to match reply w/ request
    @param retval - return code
    @param stat_index - presumably the SA's index in the stats segment; confirm
 */
define ipsec_sad_entry_add_del_v2_reply
{
  option deprecated;

  u32 context;
  i32 retval;
  u32 stat_index;
};

/** \brief IPsec: Reply to ipsec_sad_entry_add_del_v3

    @param context - sender context, to match reply w/ request
    @param retval - return code
    @param stat_index - presumably the SA's index in the stats segment; confirm
 */
define ipsec_sad_entry_add_del_v3_reply
{
  u32 context;
  i32 retval;
  u32 stat_index;
};

/** \brief IPsec: Reply to ipsec_sad_entry_add

    @param context - sender context, to match reply w/ request
    @param retval - return code
    @param stat_index - presumably the SA's index in the stats segment; confirm
 */
define ipsec_sad_entry_add_reply
{
  u32 context;
  i32 retval;
  u32 stat_index;
};

/** \brief IPsec: Reply to ipsec_sad_entry_add_v2

    @param context - sender context, to match reply w/ request
    @param retval - return code
    @param stat_index - presumably the SA's index in the stats segment; confirm
 */
define ipsec_sad_entry_add_v2_reply
{
  u32 context;
  i32 retval;
  u32 stat_index;
};

/** \brief Add or Update Protection for a tunnel with IPSEC

    Tunnel protection directly associates an SA with all packets
    ingress and egress on the tunnel. This could also be achieved by
    assigning an SPD to the tunnel, but that would incur an unnecessary
    SPD entry lookup.

    For tunnels the ESP acts on the post-encapsulated packet. So if this
    packet:
      +---------+------+
      | Payload | O-IP |
      +---------+------+
    where O-IP is the overlay IP address that was routed into the tunnel,
    the resulting encapsulated packet will be:
      +---------+------+------+
      | Payload | O-IP | T-IP |
      +---------+------+------+
    where T-IP is the tunnel's src.dst IP addresses.
    If the SAs used for protection are in transport mode then the ESP is
    inserted before T-IP, i.e.:
      +---------+------+-----+------+
      | Payload | O-IP | ESP | T-IP |
      +---------+------+-----+------+
    If the SAs used for protection are in tunnel mode then another
    encapsulation occurs, i.e.:
      +---------+------+------+-----+------+
      | Payload | O-IP | T-IP | ESP | C-IP |
      +---------+------+------+-----+------+
    where C-IP are the crypto endpoint IP addresses defined as the tunnel
    endpoints in the SA.
    The mode for the inbound and outbound SA must be the same.

    @param sw_if_index - Tunnel interface to protect
    @param nh - The peer/next-hop on the tunnel to which the traffic
                should be protected. For a P2P interface set this to the
                all 0s address.
    @param sa_out - The ID of outbound SA
    @param n_sa_in - number of elements in sa_in
    @param sa_in - The ID [set] of inbound SAs

    This is a typedef, so it has no client_index/context of its own;
    those belong to the messages that embed it.

    NOTE(review): n_sa_in is sender-supplied and sizes the trailing sa_in
    array. The handler is not part of this file; confirm the count is
    checked against the received message length and against any limit on
    inbound SAs before sa_in is walked.
*/
typedef ipsec_tunnel_protect
{
  vl_api_interface_index_t sw_if_index;
  vl_api_address_t nh;
  u32 sa_out;
  u8 n_sa_in;
  u32 sa_in[n_sa_in];
};

/** \brief Add or update the protection on a tunnel

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param tunnel - the protection to apply, see ipsec_tunnel_protect;
                    it ends in a variable-length array
 */
autoreply define ipsec_tunnel_protect_update
{
  u32 client_index;
  u32 context;

  vl_api_ipsec_tunnel_protect_t tunnel;
};

/** \brief Remove the protection from a tunnel

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param sw_if_index - the tunnel interface
    @param nh - the peer/next-hop on the tunnel, as in ipsec_tunnel_protect

    NOTE(review): what happens to traffic on the tunnel once protection
    is removed (dropped or sent unprotected) is not visible from this
    file; confirm before relying on this call in automation.
 */
autoreply define ipsec_tunnel_protect_del
{
  u32 client_index;
  u32 context;

  vl_api_interface_index_t sw_if_index;
  vl_api_address_t nh;
};

/**
 * @brief Dump all tunnel protections
 *
 * @param client_index - opaque cookie to identify the sender
 * @param context - sender context, to match reply w/ request
 * @param sw_if_index - interface selector; presumably ~0 selects all
 *                      interfaces, confirm against the handler
 *
 * Answered with ipsec_tunnel_protect_details messages.
 */
define ipsec_tunnel_protect_dump
{
  u32 client_index;
  u32 context;
  vl_api_interface_index_t sw_if_index;
};

/** \brief Tunnel protection dump response

    @param context - sender context which was passed in the request
    @param tun - one tunnel protection, see ipsec_tunnel_protect
 */
define ipsec_tunnel_protect_details
{
  u32 context;
  vl_api_ipsec_tunnel_protect_t tun;
};

/** \brief IPsec: Get SPD interfaces
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param spd_index - SPD index
    @param spd_index_valid - if 1 spd_index is used to filter
                             spd_index's, if 0 no filtering is done

    Answered with ipsec_spd_interface_details messages.
*/
define ipsec_spd_interface_dump {
  u32 client_index;
  u32 context;
  u32 spd_index;
  u8 spd_index_valid;
};

/** \brief IPsec: SPD interface response
    @param context - sender context which was passed in the request
    @param spd_index - SPD index
    @param sw_if_index - index of the interface
*/
define ipsec_spd_interface_details {
  u32 context;
  u32 spd_index;
  vl_api_interface_index_t sw_if_index;
};

/** \brief Description of an IPsec interface

    @param user_instance - requested instance number; defaults to
                           0xffffffff, presumably meaning "let the data
                           plane choose" (confirm against the handler)
    @param mode - tunnel mode, a vl_api_tunnel_mode_t
    @param sw_if_index - index of the interface
 */
typedef ipsec_itf
{
  u32 user_instance [default=0xffffffff];
  vl_api_tunnel_mode_t mode;
  vl_api_interface_index_t sw_if_index;
};

/** \brief Create an IPSec interface

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param itf - the interface to create, see ipsec_itf

    Answered by ipsec_itf_create_reply.
 */
define ipsec_itf_create {
  u32 client_index;
  u32 context;
  vl_api_ipsec_itf_t itf;
};

/** \brief Add IPsec interface response
    @param context - sender context, to match reply w/ request
    @param retval - return status
    @param sw_if_index - sw_if_index of new interface (for successful add)
*/
define ipsec_itf_create_reply
{
  u32 context;
  i32 retval;
  vl_api_interface_index_t sw_if_index;
};

/** \brief Delete an IPsec interface

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param sw_if_index - index of the interface to delete
 */
autoreply define ipsec_itf_delete
{
  u32 client_index;
  u32 context;
  vl_api_interface_index_t sw_if_index;
};

/** \brief Dump IPsec interfaces

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param sw_if_index - interface selector; presumably ~0 selects all
                         interfaces, confirm against the handler

    Answered with ipsec_itf_details messages.
 */
define ipsec_itf_dump
{
  u32 client_index;
  u32 context;
  vl_api_interface_index_t sw_if_index;
};

/** \brief IPsec interface dump response

    @param context - sender context which was passed in the request
    @param itf - one IPsec interface, see ipsec_itf
 */
define ipsec_itf_details
{
  u32 context;
  vl_api_ipsec_itf_t itf;
};

/** \brief Dump IPsec security association

    Marked deprecated; later revisions follow below.

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param sa_id - optional ID of an SA to dump, if ~0 dump all SAs in SAD
*/
define ipsec_sa_dump
{
  option deprecated;

  u32 client_index;
  u32 context;
  u32 sa_id;
};
/** \brief Dump IPsec security association, v2 (marked deprecated)

    Same request fields as ipsec_sa_dump.
*/
define ipsec_sa_v2_dump
{
  option deprecated;

  u32 client_index;
  u32 context;
  u32 sa_id;
};
/** \brief Dump IPsec security association, v3

    Same request fields as ipsec_sa_dump.
*/
define ipsec_sa_v3_dump
{
  u32 client_index;
  u32 context;
  u32 sa_id;
};
/** \brief Dump IPsec security association, v4

    Same request fields as ipsec_sa_dump.
*/
define ipsec_sa_v4_dump
{
  u32 client_index;
  u32 context;
  u32 sa_id;
};
/** \brief Dump IPsec security association, v5

    Same request fields as ipsec_sa_dump.
*/
define ipsec_sa_v5_dump
{
  u32 client_index;
  u32 context;
  u32 sa_id;
};

/** \brief IPsec security association database response

    Marked deprecated. The v3 and later details messages below no longer
    carry the salt field.

    @param context - sender context which was passed in the request
    @param entry - The SA details
    @param sw_if_index - sw_if_index of tunnel interface, policy-based SAs = ~0
    @param salt - 4 byte salt
    @param seq_outbound - current sequence number for outbound
    @param last_seq_inbound - highest sequence number received inbound
    @param replay_window - bit map of seq nums received relative to
                           last_seq_inbound if using anti-replay
    @param stat_index - index for the SA in the stats segment @ /net/ipsec/sa

    NOTE(review): earlier documentation listed seq/seq_hi and
    last_seq/last_seq_hi as separate parameters; in this message each
    pair is a single u64 field.
    NOTE(review): vl_api_ipsec_sad_entry_t comes from
    vnet/ipsec/ipsec_types.api (not shown here). If that type has key
    fields, confirm what the dump handler places in them before exposing
    this API to less-trusted clients.
*/
define ipsec_sa_details {
  option deprecated;

  u32 context;
  vl_api_ipsec_sad_entry_t entry;

  vl_api_interface_index_t sw_if_index;
  u32 salt;
  u64 seq_outbound;
  u64 last_seq_inbound;
  u64 replay_window;

  u32 stat_index;
};
/** \brief IPsec security association database response, v2

    Marked deprecated. Same fields as ipsec_sa_details, with the entry
    given as vl_api_ipsec_sad_entry_v2_t.
*/
define ipsec_sa_v2_details {
  option deprecated;

  u32 context;
  vl_api_ipsec_sad_entry_v2_t entry;

  vl_api_interface_index_t sw_if_index;
  u32 salt;
  u64 seq_outbound;
  u64 last_seq_inbound;
  u64 replay_window;

  u32 stat_index;
};
/** \brief IPsec security association database response, v3

    Entry is a vl_api_ipsec_sad_entry_v3_t; compared with
    ipsec_sa_v2_details there is no salt field.

    @param context - sender context which was passed in the request
    @param entry - The SA details
    @param sw_if_index - sw_if_index of tunnel interface
    @param seq_outbound - current sequence number for outbound
    @param last_seq_inbound - highest sequence number received inbound
    @param replay_window - bit map of seq nums received relative to
                           last_seq_inbound if using anti-replay
    @param stat_index - index for the SA in the stats segment
*/
define ipsec_sa_v3_details {
  u32 context;
  vl_api_ipsec_sad_entry_v3_t entry;

  vl_api_interface_index_t sw_if_index;
  u64 seq_outbound;
  u64 last_seq_inbound;
  u64 replay_window;

  u32 stat_index;
};
/** \brief IPsec security association database response, v4

    Same as ipsec_sa_v3_details plus thread_index.

    @param thread_index - presumably the thread the SA is bound to (see
                          ipsec_sad_bind); confirm against the handler
*/
define ipsec_sa_v4_details {
  u32 context;
  vl_api_ipsec_sad_entry_v3_t entry;

  vl_api_interface_index_t sw_if_index;
  u64 seq_outbound;
  u64 last_seq_inbound;
  u64 replay_window;
  u32 thread_index;
  u32 stat_index;
};
/** \brief IPsec security association database response, v5

    Same fields as ipsec_sa_v4_details, with the entry given as
    vl_api_ipsec_sad_entry_v4_t.
*/
define ipsec_sa_v5_details {
  u32 context;
  vl_api_ipsec_sad_entry_v4_t entry;

  vl_api_interface_index_t sw_if_index;
  u64 seq_outbound;
  u64 last_seq_inbound;
  u64 replay_window;
  u32 thread_index;
  u32 stat_index;
};

/** \brief Dump IPsec backends
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request

    Answered with ipsec_backend_details messages.
*/
define ipsec_backend_dump {
  u32 client_index;
  u32 context;
};

/** \brief IPsec backend details
    @param context - sender context which was passed in the request
    @param name - name of the backend (fixed 128-byte string field)
    @param protocol - IPsec protocol (value from ipsec_protocol_t)
    @param index - backend index
    @param active - set to 1 if the backend is active, otherwise 0
*/
define ipsec_backend_details {
  u32 context;
  string name[128];
  vl_api_ipsec_proto_t protocol;
  u8 index;
  bool active;
};

/** \brief Select IPsec backend
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param protocol - IPsec protocol (value from ipsec_protocol_t)
    @param index - backend index

    NOTE(review): index is sender-supplied and the handler is not part
    of this file; confirm it is checked against the backends reported by
    ipsec_backend_dump. Switching the backend changes which crypto
    implementation handles the protocol, so treat this as a privileged
    operation.
*/
autoreply define ipsec_select_backend {
  u32 client_index;
  u32 context;
  vl_api_ipsec_proto_t protocol;
  u8 index;
};


/** \brief IPsec Set Async mode
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param async_enable - ipsec async mode on or off
*/
autoreply define ipsec_set_async_mode {
  u32 client_index;
  u32 context;
  bool async_enable;
};

/*
 * Counter set for the ESP decrypt nodes; the paths block at the end of
 * this file attaches it to the /err/esp*-decrypt* paths.
 *
 * For monitoring: decryption_failed, integ_error and replay count packets
 * rejected by the cryptographic and anti-replay checks, while no_buffers,
 * no_tail_space and no_avail_frame describe resource conditions. A rise in
 * the first group on an otherwise healthy SA is worth alerting on.
 *
 * NOTE(review): this set names its post counter rx_post_pkts, whereas
 * esp_encrypt uses post_rx_pkts; the no_tail_space description reads
 * "no enough" where ah_decrypt has "not enough".
 */
counters esp_decrypt {
  rx_pkts {
    severity info;
    type counter64;
    units "packets";
    description "ESP pkts received";
  };
  rx_post_pkts {
    severity info;
    type counter64;
    units "packets";
    description "ESP-POST pkts received";
  };
  handoff {
    severity info;
    type counter64;
    units "packets";
    description "hand-off";
  };
  decryption_failed {
    severity error;
    type counter64;
    units "packets";
    description "ESP decryption failed";
  };
  integ_error {
    severity error;
    type counter64;
    units "packets";
    description "integrity check failed";
  };
  crypto_engine_error {
    severity error;
    type counter64;
    units "packets";
    description "crypto engine error (packet dropped)";
  };
  replay {
    severity error;
    type counter64;
    units "packets";
    description "SA replayed packet";
  };
  runt {
    severity error;
    type counter64;
    units "packets";
    description "undersized packet";
  };
  no_buffers {
    severity error;
    type counter64;
    units "packets";
    description "no buffers (packet dropped)";
  };
  oversized_header {
    severity error;
    type counter64;
    units "packets";
    description "buffer with oversized header (dropped)";
  };
  no_tail_space {
    severity error;
    type counter64;
    units "packets";
    description "no enough buffer tail space (dropped)";
  };
  tun_no_proto {
    severity error;
    type counter64;
    units "packets";
    description "no tunnel protocol";
  };
  unsup_payload {
    severity error;
    type counter64;
    units "packets";
    description "unsupported payload";
  };
  no_avail_frame {
    severity error;
    type counter64;
    units "packets";
    description "no available frame (packet dropped)";
  };
};

/*
 * Counter set for the ESP encrypt nodes; the paths block at the end of
 * this file attaches it to the /err/esp*-encrypt* paths.
 *
 * For monitoring: no_protection and no_encryption count packets dropped
 * because no SA was available to protect them, and seq_cycled counts
 * packets dropped because the sequence number cycled, which points at
 * an SA that needs rekeying.
 */
counters esp_encrypt {
  rx_pkts {
    severity info;
    type counter64;
    units "packets";
    description "ESP pkts received";
  };
  post_rx_pkts {
    severity info;
    type counter64;
    units "packets";
    description "ESP-post pkts received";
  };
  handoff {
    severity info;
    type counter64;
    units "packets";
    description "Hand-off";
  };
  seq_cycled {
    severity error;
    type counter64;
    units "packets";
    description "sequence number cycled (packet dropped)";
  };
  crypto_engine_error {
    severity error;
    type counter64;
    units "packets";
    description "crypto engine error (packet dropped)";
  };
  crypto_queue_full {
    severity error;
    type counter64;
    units "packets";
    description "crypto queue full (packet dropped)";
  };
  no_buffers {
    severity error;
    type counter64;
    units "packets";
    description "no buffers (packet dropped)";
  };
  no_protection {
    severity error;
    type counter64;
    units "packets";
    description "no protecting SA (packet dropped)";
  };
  no_encryption {
    severity error;
    type counter64;
    units "packets";
    description "no Encrypting SA (packet dropped)";
  };
  no_avail_frame {
    severity error;
    type counter64;
    units "packets";
    description "no available frame (packet dropped)";
  };
};

/*
 * Counter set for the AH encrypt nodes; the paths block at the end of
 * this file attaches it to /err/ah4-encrypt and /err/ah6-encrypt.
 */
counters ah_encrypt {
  rx_pkts {
    severity info;
    type counter64;
    units "packets";
    description "AH pkts received";
  };
  crypto_engine_error {
    severity error;
    type counter64;
    units "packets";
    description "crypto engine error (packet dropped)";
  };
  seq_cycled {
    severity error;
    type counter64;
    units "packets";
    description "sequence number cycled (packet dropped)";
  };
};

/*
 * Counter set for AH decrypt. integ_error and replay count packets that
 * failed the integrity check or were flagged as replayed; both are the
 * AH counterparts of the esp_decrypt counters of the same name.
 *
 * NOTE(review): no entry in the paths block at the end of this file
 * refers to ah_decrypt; confirm whether the AH decrypt nodes are meant
 * to be listed there.
 */
counters ah_decrypt {
  rx_pkts {
    severity info;
    type counter64;
    units "packets";
    description "AH pkts received";
  };
  decryption_failed {
    severity error;
    type counter64;
    units "packets";
    description "AH decryption failed";
  };
  integ_error {
    severity error;
    type counter64;
    units "packets";
    description "Integrity check failed";
  };
  no_tail_space {
    severity error;
    type counter64;
    units "packets";
    description "not enough buffer tail space (dropped)";
  };
  drop_fragments {
    severity error;
    type counter64;
    units "packets";
    description "IP fragments drop";
  };
  replay {
    severity error;
    type counter64;
    units "packets";
    description "SA replayed packet";
  };
};

/*
 * Counter set for the IPsec tunnel input nodes; the paths block at the
 * end of this file attaches it to /err/ipsec4-tun-input and
 * /err/ipsec6-tun-input.
 *
 * For monitoring: no_tunnel and tunnel_mismatch count received packets
 * that did not match a configured tunnel or whose SPI did not match the
 * tunnel. nat_keepalive and spi_0 are informational.
 */
counters ipsec_tun {
  rx {
    severity info;
    type counter64;
    units "packets";
    description "good packets received";
  };
  disabled {
    severity error;
    type counter64;
    units "packets";
    description "ipsec packets received on disabled interface";
  };
  no_tunnel {
    severity error;
    type counter64;
    units "packets";
    description "no matching tunnel";
  };
  tunnel_mismatch {
    severity error;
    type counter64;
    units "packets";
    description "SPI-tunnel mismatch";
  };
  nat_keepalive {
    severity info;
    type counter64;
    units "packets";
    description "NAT Keepalive";
  };
  too_short {
    severity error;
    type counter64;
    units "packets";
    description "Too Short";
  };
  spi_0 {
    severity info;
    type counter64;
    units "packets";
    description "SPI 0";
  };
};

/*
 * Associates each /err/<node> path with one of the counter sets declared
 * above. Several nodes share a set: every ESP encrypt variant uses
 * esp_encrypt and every ESP decrypt variant uses esp_decrypt.
 *
 * NOTE(review): ah_decrypt is declared above but is not referenced by any
 * path here; confirm whether that is intentional.
 */
paths {
  "/err/esp4-encrypt" "esp_encrypt";
  "/err/esp4-encrypt-post" "esp_encrypt";
  "/err/esp4-encrypt-tun" "esp_encrypt";
  "/err/esp4-encrypt-tun-post" "esp_encrypt";
  "/err/esp6-encrypt" "esp_encrypt";
  "/err/esp6-encrypt-post" "esp_encrypt";
  "/err/esp6-encrypt-tun" "esp_encrypt";
  "/err/esp6-encrypt-tun-post" "esp_encrypt";
  "/err/esp-mpls-encrypt-tun" "esp_encrypt";
  "/err/esp-mpls-encrypt-tun-post" "esp_encrypt";
  "/err/esp4-decrypt" "esp_decrypt";
  "/err/esp4-decrypt-post" "esp_decrypt";
  "/err/esp4-decrypt-tun" "esp_decrypt";
  "/err/esp4-decrypt-tun-post" "esp_decrypt";
  "/err/esp6-decrypt" "esp_decrypt";
  "/err/esp6-decrypt-post" "esp_decrypt";
  "/err/esp6-decrypt-tun" "esp_decrypt";
  "/err/esp6-decrypt-tun-post" "esp_decrypt";
  "/err/ah4-encrypt" "ah_encrypt";
  "/err/ah6-encrypt" "ah_encrypt";
  "/err/ipsec4-tun-input" "ipsec_tun";
  "/err/ipsec6-tun-input" "ipsec_tun";
};

/*
 * Local Variables:
 * eval: (c-set-style "gnu")
 * End:
 */