1 /*
2  * Copyright (c) 2015 Cisco and/or its affiliates.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at:
6  *
7  * http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 #ifndef __IPSEC_H__
16 #define __IPSEC_H__
17 
18 #define IPSEC_FLAG_IPSEC_GRE_TUNNEL (1 << 0)
19 
20 #define foreach_ipsec_policy_action \
21  _(0, BYPASS, "bypass") \
22  _(1, DISCARD, "discard") \
23  _(2, RESOLVE, "resolve") \
24  _(3, PROTECT, "protect")
25 
26 typedef enum
27 {
28 #define _(v,f,s) IPSEC_POLICY_ACTION_##f = v,
30 #undef _
33 
34 #if DPDK_CRYPTO==1
35 #define foreach_ipsec_crypto_alg \
36  _(0, NONE, "none") \
37  _(1, AES_CBC_128, "aes-cbc-128") \
38  _(2, AES_CBC_192, "aes-cbc-192") \
39  _(3, AES_CBC_256, "aes-cbc-256") \
40  _(4, AES_GCM_128, "aes-gcm-128")
41 #else
42 #define foreach_ipsec_crypto_alg \
43  _(0, NONE, "none") \
44  _(1, AES_CBC_128, "aes-cbc-128") \
45  _(2, AES_CBC_192, "aes-cbc-192") \
46  _(3, AES_CBC_256, "aes-cbc-256")
47 #endif
48 
49 typedef enum
50 {
51 #define _(v,f,s) IPSEC_CRYPTO_ALG_##f = v,
53 #undef _
56 
57 #if DPDK_CRYPTO==1
58 #define foreach_ipsec_integ_alg \
59  _(0, NONE, "none") \
60  _(1, MD5_96, "md5-96") /* RFC2403 */ \
61  _(2, SHA1_96, "sha1-96") /* RFC2404 */ \
62  _(3, SHA_256_96, "sha-256-96") /* draft-ietf-ipsec-ciph-sha-256-00 */ \
63  _(4, SHA_256_128, "sha-256-128") /* RFC4868 */ \
64  _(5, SHA_384_192, "sha-384-192") /* RFC4868 */ \
65  _(6, SHA_512_256, "sha-512-256") /* RFC4868 */ \
66  _(7, AES_GCM_128, "aes-gcm-128")
67 #else
68 #define foreach_ipsec_integ_alg \
69  _(0, NONE, "none") \
70  _(1, MD5_96, "md5-96") /* RFC2403 */ \
71  _(2, SHA1_96, "sha1-96") /* RFC2404 */ \
72  _(3, SHA_256_96, "sha-256-96") /* draft-ietf-ipsec-ciph-sha-256-00 */ \
73  _(4, SHA_256_128, "sha-256-128") /* RFC4868 */ \
74  _(5, SHA_384_192, "sha-384-192") /* RFC4868 */ \
75  _(6, SHA_512_256, "sha-512-256") /* RFC4868 */
76 #endif
77 
78 typedef enum
79 {
80 #define _(v,f,s) IPSEC_INTEG_ALG_##f = v,
82 #undef _
85 
86 typedef enum
87 {
91 
92 typedef struct
93 {
97 
100  u8 crypto_key[128];
101 
104  u8 integ_key[128];
105 
108 
111  ip46_address_t tunnel_src_addr;
112  ip46_address_t tunnel_dst_addr;
113 
115 
116  /* runtime */
122 } ipsec_sa_t;
123 
124 typedef struct
125 {
126  ip46_address_t start, stop;
128 
129 typedef struct
130 {
131  u16 start, stop;
132 } port_range_t;
133 
134 typedef struct
135 {
144  u8 local_crypto_key[128];
146  u8 remote_crypto_key[128];
149  u8 local_integ_key[128];
151  u8 remote_integ_key[128];
153 
154 typedef struct
155 {
162 
163 typedef enum
164 {
171 
172 typedef struct
173 {
177 
178  // Selector
185 
186  // Policy
190 
191  // Counter
194 
195 typedef struct
196 {
198  /* pool of policies */
200  /* vectors of policy indices */
207 } ipsec_spd_t;
208 
209 typedef struct
210 {
213 
214 typedef struct
215 {
218 
219 typedef struct
220 {
225 
226 typedef struct
227 {
228  /* pool of tunnel instances */
231 
232  /* pool of tunnel interfaces */
235 
237 
239 
240  /* convenience */
243 
244  /* next node indices */
245  u32 feature_next_node_index[32];
246 
247  /* hashes */
252 
253  /* node indexes */
257 
258 } ipsec_main_t;
259 
261 
266 
267 
268 /*
269  * functions
270  */
/**
 * @brief Bind or unbind a security policy database (SPD) to an interface.
 *
 * @param vm          vlib main
 * @param sw_if_index software interface the SPD is applied to
 * @param spd_id      id of an SPD created earlier with ipsec_add_del_spd
 * @param is_add      non-zero to bind, zero to unbind
 * @return presumably 0 on success, non-zero on error; the error codes are
 *         defined in ipsec.c and are not visible from this header.
 */
271 int ipsec_set_interface_spd (vlib_main_t * vm, u32 sw_if_index, u32 spd_id,
272  int is_add);
/**
 * @brief Create (is_add != 0) or delete (is_add == 0) the SPD spd_id.
 *
 * NOTE(review): what happens to the policies and interface bindings of a
 * deleted SPD is decided in ipsec.c -- confirm there before relying on it.
 * @return presumably 0 on success, non-zero on error
 */
273 int ipsec_add_del_spd (vlib_main_t * vm, u32 spd_id, int is_add);
275  int is_add);
/**
 * @brief Add (is_add != 0) or delete (is_add == 0) a security association.
 *
 * @param new_sa caller-owned SA description.  It embeds the raw key bytes
 *               (crypto_key[128] / integ_key[128], see above) together with
 *               crypto_key_len / integ_key_len.  The callee presumably copies
 *               what it needs into its own pool entry, so the caller still
 *               holds a copy of the key material afterwards and should scrub
 *               it once the call returns.
 * NOTE(review): whether the *_key_len fields are checked against the
 * 128-byte array size before the copy is not visible in this header --
 * confirm in ipsec.c.
 * @return presumably 0 on success, non-zero on error
 */
276 int ipsec_add_del_sa (vlib_main_t * vm, ipsec_sa_t * new_sa, int is_add);
/**
 * @brief Replace the keys of an already installed SA.
 *
 * @param sa_update caller-owned SA carrying the new keys; presumably matched
 *                  to the installed entry by its id.  The same key-handling
 *                  caveats as for ipsec_add_del_sa apply.
 * @return presumably 0 on success, non-zero on error
 */
277 int ipsec_set_sa_key (vlib_main_t * vm, ipsec_sa_t * sa_update);
278 
/*
 * Pretty-printers and parsers for the types declared above.  These appear
 * to follow the usual VPP format/unformat convention: a format_* function
 * appends to the string vector s and returns the (possibly reallocated)
 * vector; an unformat_* function returns non-zero when it consumed input
 * and stores the parsed value through the pointer pulled from args.
 * NOTE(review): the exact argument each one pulls from args is defined in
 * ipsec_format.c / ipsec_if_out.c, not here -- check before calling.
 */
280 u8 *format_ipsec_if_output_trace (u8 * s, va_list * args);
281 u8 *format_ipsec_policy_action (u8 * s, va_list * args);
282 u8 *format_ipsec_crypto_alg (u8 * s, va_list * args);
283 u8 *format_ipsec_integ_alg (u8 * s, va_list * args);
284 u8 *format_ipsec_replay_window (u8 * s, va_list * args);
285 uword unformat_ipsec_policy_action (unformat_input_t * input, va_list * args);
286 uword unformat_ipsec_crypto_alg (unformat_input_t * input, va_list * args);
287 uword unformat_ipsec_integ_alg (unformat_input_t * input, va_list * args);
288 
289 /*u32 ipsec_add_del_tunnel_if (vnet_main_t * vnm, ipsec_add_del_tunnel_args_t * args); */
293  args);
/**
 * @brief Install a key on an IPsec tunnel interface.
 *
 * @param vnm         vnet main
 * @param hw_if_index hardware interface index of the tunnel interface
 * @param type        which key to set; presumably one of the local/remote
 *                    crypto/integ keys held by the tunnel interface struct
 * @param alg         algorithm id the key belongs to
 * @param key         raw key bytes.  NOTE(review): no explicit length is
 *                    passed, so the callee must derive how many bytes to
 *                    read from alg (and type); the caller has to guarantee
 *                    key is at least that long.  Confirm the derivation in
 *                    ipsec_if.c.
 * @return presumably 0 on success, non-zero on error
 */
294 int ipsec_set_interface_key (vnet_main_t * vnm, u32 hw_if_index,
295  ipsec_if_set_key_type_t type, u8 alg, u8 * key);
296 
297 
298 /*
299  * inline functions
300  */
301 
always_inline void
ipsec_alloc_empty_buffers (vlib_main_t * vm, ipsec_main_t * im)
{
  /*
   * Top up the calling thread's cache of empty packet buffers so that at
   * least one frame's worth (VLIB_FRAME_SIZE) is available.  The cache is
   * the per-thread vector im->empty_buffers[thread]; its vector length is
   * the number of usable buffer indices it holds.
   *
   * NOTE(review): the outer im->empty_buffers vector is indexed by the
   * thread's cpu number without a bounds check here; it is presumably sized
   * to the thread count at init time -- confirm in ipsec.c.
   */
  u32 thread = os_get_cpu_number ();
  uword have = vec_len (im->empty_buffers[thread]);

  if (PREDICT_FALSE (have < VLIB_FRAME_SIZE))
    {
      uword got;

      /* First use on this thread: vec_len () tolerates a NULL vector, so
         have == 0 here and the vector is created with room for two frames.
         Later calls never set the length past 2 * VLIB_FRAME_SIZE, so the
         capacity reserved here should cover every write below. */
      if (im->empty_buffers[thread] == 0)
	vec_alloc (im->empty_buffers[thread], 2 * VLIB_FRAME_SIZE);

      /* Fill the unused tail of the vector.  The length is set to the count
         vlib_buffer_alloc () reports back, not to the count requested; if
         that can be short (buffer exhaustion), callers must re-check
         vec_len () rather than assume a full frame is present. */
      got = vlib_buffer_alloc (vm, im->empty_buffers[thread] + have,
			       2 * VLIB_FRAME_SIZE - have);
      _vec_len (im->empty_buffers[thread]) = have + got;
    }
}
322 
static_always_inline u32
get_next_output_feature_node_index (vlib_buffer_t * b,
				    vlib_node_runtime_t * nr)
{
  /*
   * Resolve the absolute graph-node index of the next output feature for
   * buffer b.  vnet_feature_next () picks the next position on the feature
   * arc of the buffer's TX interface and reports it as a next-node slot of
   * nr's node; that slot is then mapped through the node's next_nodes table.
   */
  u32 sw_if_index = vnet_buffer (b)->sw_if_index[VLIB_TX];
  vlib_node_t *node = vlib_get_node (vlib_get_main (), nr->node_index);
  u32 next_slot;

  vnet_feature_next (sw_if_index, &next_slot, b);

  /* NOTE(review): next_slot indexes node->next_nodes without a range
     check; this relies on vnet_feature_next () only ever producing slots
     registered for this node -- confirm in feature.h. */
  return node->next_nodes[next_slot];
}
335 
336 #endif /* __IPSEC_H__ */
337 
338 /*
339  * fd.io coding-style-patch-verification: ON
340  *
341  * Local Variables:
342  * eval: (c-set-style "gnu")
343  * End:
344  */