1 /*
2  * Copyright (c) 2015-2016 Cisco and/or its affiliates.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at:
6  *
7  * http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 /** \brief IPsec: Add/delete Security Policy Database
17  @param client_index - opaque cookie to identify the sender
18  @param context - sender context, to match reply w/ request
19  @param is_add - add SPD if non-zero, else delete
20  @param spd_id - SPD instance id (control plane allocated)
21 */
22 
23 define ipsec_spd_add_del
24 {
29 };
30 
31 /** \brief Reply for IPsec: Add/delete Security Policy Database
32  @param context - returned sender context, to match reply w/ request
33  @param retval - return code
34 */
35 
36 define ipsec_spd_add_del_reply
37 {
40 };
41 
42 /** \brief IPsec: Add/delete SPD from interface
43 
44  @param client_index - opaque cookie to identify the sender
45  @param context - sender context, to match reply w/ request
46  @param is_add - attach the SPD to the interface if non-zero, else detach it
47  @param sw_if_index - index of the interface
48  @param spd_id - SPD instance id to use for lookups
49 */
50 
51 
52 define ipsec_interface_add_del_spd
53 {
56 
60 };
61 
62 /** \brief Reply for IPsec: Add/delete SPD from interface
63  @param context - returned sender context, to match reply w/ request
64  @param retval - return code
65 */
66 
67 define ipsec_interface_add_del_spd_reply
68 {
71 };
72 
73 /** \brief IPsec: Add/delete Security Policy Database entry
74 
75  See RFC 4301, section 4.4.1.1 on how to match a packet to selectors
76 
77  @param client_index - opaque cookie to identify the sender
78  @param context - sender context, to match reply w/ request
79  @param is_add - add SPD entry if non-zero, else delete
80  @param spd_id - SPD instance id (control plane allocated)
81  @param priority - priority of SPD entry (non-unique value). Used to order SPD matching - higher priorities match before lower
82  @param is_outbound - entry applies to outbound traffic if non-zero, otherwise applies to inbound traffic
83  @param is_ipv6 - remote/local address are IPv6 if non-zero, else IPv4
84  @param remote_address_start - start of remote address range to match
85  @param remote_address_stop - end of remote address range to match
86  @param local_address_start - start of local address range to match
87  @param local_address_stop - end of local address range to match
88  @param protocol - protocol type to match [0 means any]
89  @param remote_port_start - start of remote port range to match (see remote_port_stop for the ANY/OPAQUE encoding)
90  @param remote_port_stop - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
91  @param local_port_start - start of local port range to match (see local_port_stop for the ANY/OPAQUE encoding)
92  @param local_port_stop - end of local port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
93  @param policy - 0 = bypass (no IPsec processing), 1 = discard (discard packet with ICMP processing), 2 = resolve (send request to control plane for SA resolving, and discard without ICMP processing), 3 = protect (apply IPsec policy using following parameters)
94  @param sa_id - SAD instance id (control plane allocated)
95 
96 */
97 
98 define ipsec_spd_add_del_entry
99 {
103 
107 
108  // Selector
111  u8 remote_address_start[16];
112  u8 remote_address_stop[16];
113  u8 local_address_start[16];
114  u8 local_address_stop[16];
115 
117 
122 
123  // Policy
126 };
127 
128 /** \brief Reply for IPsec: Add/delete Security Policy Database entry
129  @param context - returned sender context, to match reply w/ request
130  @param retval - return code
131 */
132 
133 define ipsec_spd_add_del_entry_reply
134 {
137 };
138 
139 /** \brief IPsec: Add/delete Security Association Database entry
140  @param client_index - opaque cookie to identify the sender
141  @param context - sender context, to match reply w/ request
142  @param is_add - add SAD entry if non-zero, else delete
143 
144  @param sad_id - sad id
145 
146  @param spi - security parameter index
147 
148  @param protocol - 0 = AH, 1 = ESP
149 
150  @param crypto_algorithm - 0 = Null, 1 = AES-CBC-128, 2 = AES-CBC-192, 3 = AES-CBC-256, 4 = 3DES-CBC
151  @param crypto_key_length - length of crypto_key in bytes (must not exceed the 128-byte crypto_key buffer)
152  @param crypto_key - crypto keying material
153 
154  @param integrity_algorithm - 0 = None, 1 = MD5-96, 2 = SHA1-96, 3 = SHA-256, 4 = SHA-384, 5 = SHA-512
155  @param integrity_key_length - length of integrity_key in bytes (must not exceed the 128-byte integrity_key buffer)
156  @param integrity_key - integrity keying material
157 
158  @param use_extended_sequence_number - use ESN when non-zero
159 
160  @param is_tunnel - IPsec tunnel mode if non-zero, else transport mode
161  @param is_tunnel_ipv6 - IPsec tunnel mode is IPv6 if non-zero, else IPv4. Only valid if is_tunnel is non-zero
162  @param tunnel_src_address - IPsec tunnel source address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero
163  @param tunnel_dst_address - IPsec tunnel destination address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero
164 
165  To be added:
166  Anti-replay
167  IPsec tunnel address copy mode (to support GDOI)
168  */
169 
170 define ipsec_sad_add_del_entry
171 {
175 
177 
179 
181 
184  u8 crypto_key[128];
185 
188  u8 integrity_key[128];
189 
191 
194  u8 tunnel_src_address[16];
195  u8 tunnel_dst_address[16];
196 };
197 
198 /** \brief Reply for IPsec: Add/delete Security Association Database entry
199  @param context - returned sender context, to match reply w/ request
200  @param retval - return code
201 */
202 
203 define ipsec_sad_add_del_entry_reply
204 {
207 };
208 
209 /** \brief IPsec: Update Security Association keys
210  @param client_index - opaque cookie to identify the sender
211  @param context - sender context, to match reply w/ request
212 
213  @param sa_id - sa id
214 
215  @param crypto_key_length - length of crypto_key in bytes (must not exceed the 128-byte crypto_key buffer)
216  @param crypto_key - crypto keying material
217 
218  @param integrity_key_length - length of integrity_key in bytes (must not exceed the 128-byte integrity_key buffer)
219  @param integrity_key - integrity keying material
220 */
221 
222 define ipsec_sa_set_key
223 {
226 
228 
230  u8 crypto_key[128];
231 
233  u8 integrity_key[128];
234 };
235 
236 /** \brief Reply for IPsec: Update Security Association keys
237  @param context - returned sender context, to match reply w/ request
238  @param retval - return code
239 */
240 
241 define ipsec_sa_set_key_reply
242 {
245 };
246 
247 /** \brief IKEv2: Add/delete profile
248  @param client_index - opaque cookie to identify the sender
249  @param context - sender context, to match reply w/ request
250 
251  @param name - IKEv2 profile name
252  @param is_add - Add IKEv2 profile if non-zero, else delete
253 */
254 define ikev2_profile_add_del
255 {
258 
259  u8 name[64];
261 };
262 
263 /** \brief Reply for IKEv2: Add/delete profile
264  @param context - returned sender context, to match reply w/ request
265  @param retval - return code
266 */
267 define ikev2_profile_add_del_reply
268 {
271 };
272 
273 /** \brief IKEv2: Set IKEv2 profile authentication method
274  @param client_index - opaque cookie to identify the sender
275  @param context - sender context, to match reply w/ request
276 
277  @param name - IKEv2 profile name
278  @param auth_method - IKEv2 authentication method (shared-key-mic/rsa-sig)
279  @param is_hex - Authentication data in hex format if non-zero, else string
280  @param data_len - Authentication data length
281  @param data - Authentication data (for rsa-sig, the certificate file path)
282 */
283 define ikev2_profile_set_auth
284 {
287 
288  u8 name[64];
292  u8 data[0];
293 };
294 
295 /** \brief Reply for IKEv2: Set IKEv2 profile authentication method
296  @param context - returned sender context, to match reply w/ request
297  @param retval - return code
298 */
299 define ikev2_profile_set_auth_reply
300 {
303 };
304 
305 /** \brief IKEv2: Set IKEv2 profile local/remote identification
306  @param client_index - opaque cookie to identify the sender
307  @param context - sender context, to match reply w/ request
308 
309  @param name - IKEv2 profile name
310  @param is_local - Identification is local if non-zero, else remote
311  @param id_type - Identification type
312  @param data_len - Identification data length
313  @param data - Identification data
314 */
315 define ikev2_profile_set_id
316 {
319 
320  u8 name[64];
324  u8 data[0];
325 };
326 
327 /** \brief Reply for IKEv2: Set IKEv2 profile local/remote identification
328  @param context - returned sender context, to match reply w/ request
329  @param retval - return code
330 */
331 define ikev2_profile_set_id_reply
332 {
335 };
336 
337 /** \brief IKEv2: Set IKEv2 profile traffic selector parameters
338  @param client_index - opaque cookie to identify the sender
339  @param context - sender context, to match reply w/ request
340 
341  @param name - IKEv2 profile name
342  @param is_local - Traffic selector is local if non-zero, else remote
343  @param proto - Traffic selector IP protocol (if zero not relevant)
344  @param start_port - The smallest port number allowed by traffic selector
345  @param end_port - The largest port number allowed by traffic selector
346  @param start_addr - The smallest address included in traffic selector
347  @param end_addr - The largest address included in traffic selector
348 */
349 define ikev2_profile_set_ts
350 {
353 
354  u8 name[64];
361 };
362 
363 /** \brief Reply for IKEv2: Set IKEv2 profile traffic selector parameters
364  @param context - returned sender context, to match reply w/ request
365  @param retval - return code
366 */
367 define ikev2_profile_set_ts_reply
368 {
371 };
372 
373 /** \brief IKEv2: Set IKEv2 local RSA private key
374  @param client_index - opaque cookie to identify the sender
375  @param context - sender context, to match reply w/ request
376 
377  @param key_file - Key file absolute path
378 */
380 {
383 
384  u8 key_file[256];
385 };
386 
387 /** \brief Reply for IKEv2: Set IKEv2 local RSA private key
388  @param context - returned sender context, to match reply w/ request
389  @param retval - return code
390 */
391 define ikev2_set_local_key_reply
392 {
395 };
396 
397 /** \brief IKEv2: Set IKEv2 responder interface and IP address
398  @param client_index - opaque cookie to identify the sender
399  @param context - sender context, to match reply w/ request
400 
401  @param name - IKEv2 profile name
402  @param sw_if_index - interface index
403  @param address - interface address
404 */
405 define ikev2_set_responder
406 {
409 
410  u8 name[64];
412  u8 address[4];
413 };
414 
415 /** \brief Reply for IKEv2: Set IKEv2 responder interface and IP address
416  @param context - returned sender context, to match reply w/ request
417  @param retval - return code
418 */
419 define ikev2_set_responder_reply
420 {
423 };
424 
425 
426 /** \brief IKEv2: Set IKEv2 IKE transforms in SA_INIT proposal (RFC 7296)
427  @param client_index - opaque cookie to identify the sender
428  @param context - sender context, to match reply w/ request
429 
430  @param name - IKEv2 profile name
431  @param crypto_alg - encryption algorithm
432  @param crypto_key_size - encryption key size
433  @param integ_alg - integrity algorithm
434  @param dh_group - Diffie-Hellman group
435 
436 */
437 define ikev2_set_ike_transforms
438 {
441 
442  u8 name[64];
447 };
448 
449 /** \brief Reply for IKEv2: Set IKEv2 IKE transforms
450  @param context - returned sender context, to match reply w/ request
451  @param retval - return code
452 */
453 define ikev2_set_ike_transforms_reply
454 {
457 };
458 
459 /** \brief IKEv2: Set IKEv2 ESP transforms in SA_INIT proposal (RFC 7296)
460  @param client_index - opaque cookie to identify the sender
461  @param context - sender context, to match reply w/ request
462 
463  @param name - IKEv2 profile name
464  @param crypto_alg - encryption algorithm
465  @param crypto_key_size - encryption key size
466  @param integ_alg - integrity algorithm
467  @param dh_group - Diffie-Hellman group
468 
469 */
470 define ikev2_set_esp_transforms
471 {
474 
475  u8 name[64];
480 };
481 
482 /** \brief Reply for IKEv2: Set IKEv2 ESP transforms
483  @param context - returned sender context, to match reply w/ request
484  @param retval - return code
485 */
486 define ikev2_set_esp_transforms_reply
487 {
490 };
491 
492 /** \brief IKEv2: Set Child SA lifetime, limited by time and/or data
493  @param client_index - opaque cookie to identify the sender
494  @param context - sender context, to match reply w/ request
495 
496  @param name - IKEv2 profile name
497  @param lifetime - SA maximum life time in seconds (0 to disable)
498  @param lifetime_jitter - Jitter added to prevent simultaneous rekeying
499  @param handover - Hand over time
500  @param lifetime_maxdata - SA maximum life time in bytes (0 to disable)
501 
502 */
503 define ikev2_set_sa_lifetime
504 {
507 
508  u8 name[64];
513 };
514 
515 /** \brief Reply for IKEv2: Set Child SA lifetime
516  @param context - returned sender context, to match reply w/ request
517  @param retval - return code
518 */
519 define ikev2_set_sa_lifetime_reply
520 {
523 };
524 
525 /** \brief IKEv2: Initiate the SA_INIT exchange
526  @param client_index - opaque cookie to identify the sender
527  @param context - sender context, to match reply w/ request
528 
529  @param name - IKEv2 profile name
530 
531 */
533 {
536 
537  u8 name[64];
538 };
539 
540 /** \brief Reply for IKEv2: Initiate the SA_INIT exchange
541  @param context - returned sender context, to match reply w/ request
542  @param retval - return code
543 */
544 define ikev2_initiate_sa_init_reply
545 {
548 };
549 
550 /** \brief IKEv2: Initiate the delete IKE SA exchange
551  @param client_index - opaque cookie to identify the sender
552  @param context - sender context, to match reply w/ request
553 
554  @param ispi - IKE SA initiator SPI
555 
556 */
557 define ikev2_initiate_del_ike_sa
558 {
561 
563 };
564 
565 /** \brief Reply for IKEv2: Initiate the delete IKE SA exchange
566  @param context - returned sender context, to match reply w/ request
567  @param retval - return code
568 */
569 define ikev2_initiate_del_ike_sa_reply
570 {
573 };
574 
575 /** \brief IKEv2: Initiate the delete Child SA exchange
576  @param client_index - opaque cookie to identify the sender
577  @param context - sender context, to match reply w/ request
578 
579  @param ispi - Child SA initiator SPI
580 
581 */
582 define ikev2_initiate_del_child_sa
583 {
586 
588 };
589 
590 /** \brief Reply for IKEv2: Initiate the delete Child SA exchange
591  @param context - returned sender context, to match reply w/ request
592  @param retval - return code
593 */
594 define ikev2_initiate_del_child_sa_reply
595 {
598 };
599 
600 /** \brief IKEv2: Initiate the rekey Child SA exchange
601  @param client_index - opaque cookie to identify the sender
602  @param context - sender context, to match reply w/ request
603 
604  @param ispi - Child SA initiator SPI
605 
606 */
608 {
611 
613 };
614 
615 /** \brief Reply for IKEv2: Initiate the rekey Child SA exchange
616  @param context - returned sender context, to match reply w/ request
617  @param retval - return code
618 */
619 define ikev2_initiate_rekey_child_sa_reply
620 {
623 };
624 
625 /** \brief Dump ipsec policy database data
626  @param client_index - opaque cookie to identify the sender
627  @param context - sender context, to match reply w/ request
628  @param spd_id - SPD instance id
629  @param sa_id - SA id, optional, set to ~0 to see all policies in SPD
630 */
631 define ipsec_spd_dump {
636 };
637 
638 /** \brief IPsec policy database response
639  @param context - sender context which was passed in the request
640  @param spd_id - SPD instance id
641  @param priority - numeric value to control policy evaluation order
642  @param is_outbound - [1|0] to indicate if direction is [out|in]bound
643  @param is_ipv6 - [1|0] to indicate if address family is ipv[6|4]
644  @param local_start_addr - first address in local traffic selector range
645  @param local_stop_addr - last address in local traffic selector range
646  @param local_start_port - first port in local traffic selector range
647  @param local_stop_port - last port in local traffic selector range
648  @param remote_start_addr - first address in remote traffic selector range
649  @param remote_stop_addr - last address in remote traffic selector range
650  @param remote_start_port - first port in remote traffic selector range
651  @param remote_stop_port - last port in remote traffic selector range
652  @param protocol - traffic selector protocol
653  @param policy - policy action
654  @param sa_id - SA id
655  @param bytes - byte count of packets matching this policy
656  @param packets - count of packets matching this policy
657 */
658 
659 define ipsec_spd_details {
665  u8 local_start_addr[16];
666  u8 local_stop_addr[16];
669  u8 remote_start_addr[16];
670  u8 remote_stop_addr[16];
678 };
679 
680 /*
681  * Local Variables:
682  * eval: (c-set-style "gnu")
683  * End:
684  */
685 