FD.io VPP  v18.07.1-19-g511ce25
Vector Packet Processing
ikev2.h
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2015 Cisco and/or its affiliates.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at:
6  *
7  * http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 #ifndef __included_ikev2_h__
16 #define __included_ikev2_h__
17 
18 #include <vnet/vnet.h>
19 #include <vnet/ip/ip.h>
20 
21 #include <vppinfra/error.h>
22 
23 #define IKEV2_NONCE_SIZE 32
24 
25 #define IKEV2_KEY_PAD "Key Pad for IKEv2"
26 
27 typedef u8 v8;
28 
29 /* *INDENT-OFF* */
30 typedef CLIB_PACKED (struct {
31  u64 ispi;
32  u64 rspi;
33  u8 nextpayload;
34  u8 version;
35  u8 exchange;
36  u8 flags;
37  u32 msgid; u32 length; u8 payload[0];
38 }) ike_header_t;
39 /* *INDENT-ON* */
40 
41 /* *INDENT-OFF* */
42 typedef CLIB_PACKED (struct
43  {
44  u8 nextpayload;
45  u8 flags;
46  u16 length;
47  u16 dh_group;
48  u8 reserved[2]; u8 payload[0];}) ike_ke_payload_header_t;
49 /* *INDENT-ON* */
50 
51 /* *INDENT-OFF* */
52 typedef CLIB_PACKED (struct {
53  u8 nextpayload;
54  u8 flags;
55  u16 length; u8 payload[0];
56 }) ike_payload_header_t;
57 /* *INDENT-ON* */
58 
59 /* *INDENT-OFF* */
60 typedef CLIB_PACKED (struct {
61  u8 nextpayload;
62  u8 flags;
63  u16 length;
64  u8 auth_method;
65  u8 reserved[3];
66  u8 payload[0];
67 }) ike_auth_payload_header_t;
68 /* *INDENT-ON* */
69 
70 /* *INDENT-OFF* */
71 typedef CLIB_PACKED (struct {
72  u8 nextpayload;
73  u8 flags;
74  u16 length;
75  u8 id_type;
76  u8 reserved[3]; u8 payload[0];
77 }) ike_id_payload_header_t;
78 /* *INDENT-ON* */
79 
80 #define IKE_VERSION_2 0x20
81 
82 #define IKEV2_EXCHANGE_SA_INIT 34
83 #define IKEV2_EXCHANGE_IKE_AUTH 35
84 #define IKEV2_EXCHANGE_CREATE_CHILD_SA 36
85 #define IKEV2_EXCHANGE_INFORMATIONAL 37
86 
87 #define IKEV2_HDR_FLAG_INITIATOR (1<<3)
88 #define IKEV2_HDR_FLAG_VERSION (1<<4)
89 #define IKEV2_HDR_FLAG_RESPONSE (1<<5)
90 
91 #define IKEV2_PAYLOAD_FLAG_CRITICAL (1<<7)
92 
93 #define IKEV2_PAYLOAD_NONE 0
94 #define IKEV2_PAYLOAD_SA 33
95 #define IKEV2_PAYLOAD_KE 34
96 #define IKEV2_PAYLOAD_IDI 35
97 #define IKEV2_PAYLOAD_IDR 36
98 #define IKEV2_PAYLOAD_AUTH 39
99 #define IKEV2_PAYLOAD_NONCE 40
100 #define IKEV2_PAYLOAD_NOTIFY 41
101 #define IKEV2_PAYLOAD_DELETE 42
102 #define IKEV2_PAYLOAD_VENDOR 43
103 #define IKEV2_PAYLOAD_TSI 44
104 #define IKEV2_PAYLOAD_TSR 45
105 #define IKEV2_PAYLOAD_SK 46
106 
107 typedef enum
108 {
113 
114 #define foreach_ikev2_notify_msg_type \
115  _( 0, NONE) \
116  _( 1, UNSUPPORTED_CRITICAL_PAYLOAD) \
117  _( 4, INVALID_IKE_SPI) \
118  _( 5, INVALID_MAJOR_VERSION) \
119  _( 7, INVALID_SYNTAX) \
120  _( 8, INVALID_MESSAGE_ID) \
121  _( 11, INVALID_SPI) \
122  _( 14, NO_PROPOSAL_CHOSEN) \
123  _( 17, INVALID_KE_PAYLOAD) \
124  _( 24, AUTHENTICATION_FAILED) \
125  _( 34, SINGLE_PAIR_REQUIRED) \
126  _( 35, NO_ADDITIONAL_SAS) \
127  _( 36, INTERNAL_ADDRESS_FAILURE) \
128  _( 37, FAILED_CP_REQUIRED) \
129  _( 38, TS_UNACCEPTABLE) \
130  _( 39, INVALID_SELECTORS) \
131  _( 40, UNACCEPTABLE_ADDRESSES) \
132  _( 41, UNEXPECTED_NAT_DETECTED) \
133  _( 42, USE_ASSIGNED_HoA) \
134  _( 43, TEMPORARY_FAILURE) \
135  _( 44, CHILD_SA_NOT_FOUND) \
136  _( 45, INVALID_GROUP_ID) \
137  _( 46, AUTHORIZATION_FAILED) \
138  _(16384, INITIAL_CONTACT) \
139  _(16385, SET_WINDOW_SIZE) \
140  _(16386, ADDITIONAL_TS_POSSIBLE) \
141  _(16387, IPCOMP_SUPPORTED) \
142  _(16388, NAT_DETECTION_SOURCE_IP) \
143  _(16389, NAT_DETECTION_DESTINATION_IP) \
144  _(16390, COOKIE) \
145  _(16391, USE_TRANSPORT_MODE) \
146  _(16392, HTTP_CERT_LOOKUP_SUPPORTED) \
147  _(16393, REKEY_SA) \
148  _(16394, ESP_TFC_PADDING_NOT_SUPPORTED) \
149  _(16395, NON_FIRST_FRAGMENTS_ALSO) \
150  _(16396, MOBIKE_SUPPORTED) \
151  _(16397, ADDITIONAL_IP4_ADDRESS) \
152  _(16398, ADDITIONAL_IP6_ADDRESS) \
153  _(16399, NO_ADDITIONAL_ADDRESSES) \
154  _(16400, UPDATE_SA_ADDRESSES) \
155  _(16401, COOKIE2) \
156  _(16402, NO_NATS_ALLOWED) \
157  _(16403, AUTH_LIFETIME) \
158  _(16404, MULTIPLE_AUTH_SUPPORTED) \
159  _(16405, ANOTHER_AUTH_FOLLOWS) \
160  _(16406, REDIRECT_SUPPORTED) \
161  _(16407, REDIRECT) \
162  _(16408, REDIRECTED_FROM) \
163  _(16409, TICKET_LT_OPAQUE) \
164  _(16410, TICKET_REQUEST) \
165  _(16411, TICKET_ACK) \
166  _(16412, TICKET_NACK) \
167  _(16413, TICKET_OPAQUE) \
168  _(16414, LINK_ID) \
169  _(16415, USE_WESP_MODE) \
170  _(16416, ROHC_SUPPORTED) \
171  _(16417, EAP_ONLY_AUTHENTICATION) \
172  _(16418, CHILDLESS_IKEV2_SUPPORTED) \
173  _(16419, QUICK_CRASH_DETECTION) \
174  _(16420, IKEV2_MESSAGE_ID_SYNC_SUPPORTED) \
175  _(16421, IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED) \
176  _(16422, IKEV2_MESSAGE_ID_SYNC) \
177  _(16423, IPSEC_REPLAY_COUNTER_SYNC) \
178  _(16424, SECURE_PASSWORD_METHODS) \
179  _(16425, PSK_PERSIST) \
180  _(16426, PSK_CONFIRM) \
181  _(16427, ERX_SUPPORTED) \
182  _(16428, IFOM_CAPABILITY) \
183  _(16429, SENDER_REQUEST_ID) \
184  _(16430, IKEV2_FRAGMENTATION_SUPPORTED) \
185  _(16431, SIGNATURE_HASH_ALGORITHMS)
186 
187 
188 typedef enum
189 {
190 #define _(v,f) IKEV2_NOTIFY_MSG_##f = v,
192 #undef _
194 
195 #define foreach_ikev2_transform_type \
196  _(0, UNDEFINED, "undefinded") \
197  _(1, ENCR, "encr") \
198  _(2, PRF, "prf") \
199  _(3, INTEG, "integ") \
200  _(4, DH, "dh-group") \
201  _(5, ESN, "esn")
202 
203 typedef enum
204 {
205 #define _(v,f,s) IKEV2_TRANSFORM_TYPE_##f = v,
207 #undef _
210 
211 
212 #define foreach_ikev2_transform_encr_type \
213  _(1 , DES_IV64, "des-iv64") \
214  _(2 , DES, "des") \
215  _(3 , 3DES, "3des") \
216  _(4 , RC5, "rc5") \
217  _(5 , IDEA, "idea") \
218  _(6 , CAST, "cast") \
219  _(7 , BLOWFISH, "blowfish") \
220  _(8 , 3IDEA, "3idea") \
221  _(9 , DES_IV32, "des-iv32") \
222  _(11, NULL, "null") \
223  _(12, AES_CBC, "aes-cbc") \
224  _(13, AES_CTR, "aes-ctr")
225 
226 typedef enum
227 {
228 #define _(v,f,str) IKEV2_TRANSFORM_ENCR_TYPE_##f = v,
230 #undef _
232 
233 #define foreach_ikev2_transform_prf_type \
234  _(1, PRF_HMAC_MD5, "hmac-md5") \
235  _(2, PRF_HMAC_SHA1, "hmac-sha1") \
236  _(3, PRF_MAC_TIGER, "mac-tiger") \
237  _(4, PRF_AES128_XCBC, "aes128-xcbc") \
238  _(5, PRF_HMAC_SHA2_256, "hmac-sha2-256") \
239  _(6, PRF_HMAC_SHA2_384, "hmac-sha2-384") \
240  _(7, PRF_HMAC_SHA2_512, "hmac-sha2-512") \
241  _(8, PRF_AES128_CMAC, "aes128-cmac")
242 
243 typedef enum
244 {
245 #define _(v,f,str) IKEV2_TRANSFORM_PRF_TYPE_##f = v,
247 #undef _
249 
250 #define foreach_ikev2_transform_integ_type \
251  _(0, NONE, "none") \
252  _(1, AUTH_HMAC_MD5_96, "md5-96") \
253  _(2, AUTH_HMAC_SHA1_96, "sha1-96") \
254  _(3, AUTH_DES_MAC, "des-mac") \
255  _(4, AUTH_KPDK_MD5, "kpdk-md5") \
256  _(5, AUTH_AES_XCBC_96, "aes-xcbc-96") \
257  _(6, AUTH_HMAC_MD5_128, "md5-128") \
258  _(7, AUTH_HMAC_SHA1_160, "sha1-160") \
259  _(8, AUTH_AES_CMAC_96, "cmac-96") \
260  _(9, AUTH_AES_128_GMAC, "aes-128-gmac") \
261  _(10, AUTH_AES_192_GMAC, "aes-192-gmac") \
262  _(11, AUTH_AES_256_GMAC, "aes-256-gmac") \
263  _(12, AUTH_HMAC_SHA2_256_128, "hmac-sha2-256-128") \
264  _(13, AUTH_HMAC_SHA2_384_192, "hmac-sha2-384-192") \
265  _(14, AUTH_HMAC_SHA2_512_256, "hmac-sha2-512-256")
266 
267 typedef enum
268 {
269 #define _(v,f, str) IKEV2_TRANSFORM_INTEG_TYPE_##f = v,
271 #undef _
273 
274 #if defined(OPENSSL_NO_CISCO_FECDH)
275 #define foreach_ikev2_transform_dh_type \
276  _(0, NONE, "none") \
277  _(1, MODP_768, "modp-768") \
278  _(2, MODP_1024, "modp-1024") \
279  _(5, MODP_1536, "modp-1536") \
280  _(14, MODP_2048, "modp-2048") \
281  _(15, MODP_3072, "modp-3072") \
282  _(16, MODP_4096, "modp-4096") \
283  _(17, MODP_6144, "modp-6144") \
284  _(18, MODP_8192, "modp-8192") \
285  _(19, ECP_256, "ecp-256") \
286  _(20, ECP_384, "ecp-384") \
287  _(21, ECP_521, "ecp-521") \
288  _(22, MODP_1024_160, "modp-1024-160") \
289  _(23, MODP_2048_224, "modp-2048-224") \
290  _(24, MODP_2048_256, "modp-2048-256") \
291  _(25, ECP_192, "ecp-192") \
292  _(26, ECP_224, "ecp-224") \
293  _(27, BRAINPOOL_224, "brainpool-224") \
294  _(28, BRAINPOOL_256, "brainpool-256") \
295  _(29, BRAINPOOL_384, "brainpool-384") \
296  _(30, BRAINPOOL_512, "brainpool-512")
297 #else
298 #define foreach_ikev2_transform_dh_type \
299  _(0, NONE, "none") \
300  _(1, MODP_768, "modp-768") \
301  _(2, MODP_1024, "modp-1024") \
302  _(5, MODP_1536, "modp-1536") \
303  _(14, MODP_2048, "modp-2048") \
304  _(15, MODP_3072, "modp-3072") \
305  _(16, MODP_4096, "modp-4096") \
306  _(17, MODP_6144, "modp-6144") \
307  _(18, MODP_8192, "modp-8192") \
308  _(19, ECP_256, "ecp-256") \
309  _(20, ECP_384, "ecp-384") \
310  _(21, ECP_521, "ecp-521") \
311  _(22, MODP_1024_160, "modp-1024-160") \
312  _(23, MODP_2048_224, "modp-2048-224") \
313  _(24, MODP_2048_256, "modp-2048-256") \
314  _(25, ECP_192, "ecp-192")
315 #endif
316 
317 typedef enum
318 {
319 #define _(v,f, str) IKEV2_TRANSFORM_DH_TYPE_##f = v,
321 #undef _
323 
324 #define foreach_ikev2_transform_esn_type \
325  _(0, NO_ESN, "no") \
326  _(1, ESN, "yes")
327 
328 typedef enum
329 {
330 #define _(v,f,str) IKEV2_TRANSFORM_ESN_TYPE_##f = v,
332 #undef _
334 
335 #define foreach_ikev2_auth_method \
336  _( 1, RSA_SIG, "rsa-sig") \
337  _( 2, SHARED_KEY_MIC, "shared-key-mic")
338 
339 typedef enum
340 {
341 #define _(v,f,s) IKEV2_AUTH_METHOD_##f = v,
343 #undef _
345 
346 #define foreach_ikev2_id_type \
347  _( 1, ID_IPV4_ADDR, "ip4-addr") \
348  _( 2, ID_FQDN, "fqdn") \
349  _( 3, ID_RFC822_ADDR, "rfc822") \
350  _( 5, ID_IPV6_ADDR, "ip6-addr") \
351  _( 9, ID_DER_ASN1_DN, "der-asn1-dn") \
352  _(10, ID_DER_ASN1_GN, "der-asn1-gn") \
353  _(11, ID_KEY_ID, "key-id")
354 
355 typedef enum
356 {
357 #define _(v,f,s) IKEV2_ID_TYPE_##f = v,
359 #undef _
361 
364 clib_error_t *ikev2_add_del_profile (vlib_main_t * vm, u8 * name, int is_add);
366  u8 auth_method, u8 * data,
367  u8 data_hex_format);
369  u8 id_type, u8 * data, int is_local);
371  u8 protocol_id, u16 start_port,
372  u16 end_port, ip4_address_t start_addr,
373  ip4_address_t end_addr, int is_local);
375  u32 sw_if_index,
376  ip4_address_t ip4);
378  ikev2_transform_encr_type_t
379  crypto_alg,
380  ikev2_transform_integ_type_t
381  integ_alg,
382  ikev2_transform_dh_type_t
383  dh_type, u32 crypto_key_size);
385  ikev2_transform_encr_type_t
386  crypto_alg,
387  ikev2_transform_integ_type_t
388  integ_alg,
389  ikev2_transform_dh_type_t
390  dh_type, u32 crypto_key_size);
392  u64 lifetime, u32 jitter,
393  u32 handover, u64 maxdata);
398 
399 /* ikev2_format.c */
400 u8 *format_ikev2_auth_method (u8 * s, va_list * args);
401 u8 *format_ikev2_id_type (u8 * s, va_list * args);
402 u8 *format_ikev2_transform_type (u8 * s, va_list * args);
403 u8 *format_ikev2_notify_msg_type (u8 * s, va_list * args);
404 u8 *format_ikev2_transform_encr_type (u8 * s, va_list * args);
405 u8 *format_ikev2_transform_prf_type (u8 * s, va_list * args);
406 u8 *format_ikev2_transform_integ_type (u8 * s, va_list * args);
407 u8 *format_ikev2_transform_dh_type (u8 * s, va_list * args);
408 u8 *format_ikev2_transform_esn_type (u8 * s, va_list * args);
409 u8 *format_ikev2_sa_transform (u8 * s, va_list * args);
410 
411 uword unformat_ikev2_auth_method (unformat_input_t * input, va_list * args);
412 uword unformat_ikev2_id_type (unformat_input_t * input, va_list * args);
414  va_list * args);
416  va_list * args);
418  va_list * args);
420  va_list * args);
422  va_list * args);
424  va_list * args);
425 
426 #endif /* __included_ikev2_h__ */
427 
428 
429 /*
430  * fd.io coding-style-patch-verification: ON
431  *
432  * Local Variables:
433  * eval: (c-set-style "gnu")
434  * End:
435  */
clib_error_t * ikev2_set_profile_id(vlib_main_t *vm, u8 *name, u8 id_type, u8 *data, int is_local)
Definition: ikev2.c:2729
clib_error_t * ikev2_initiate_delete_child_sa(vlib_main_t *vm, u32 ispi)
Definition: ikev2.c:3085
ikev2_transform_integ_type_t
Definition: ikev2.h:267
#define foreach_ikev2_transform_esn_type
Definition: ikev2.h:324
uword unformat_ikev2_transform_encr_type(unformat_input_t *input, va_list *args)
ikev2_auth_method_t
Definition: ikev2.h:339
u8 * format_ikev2_auth_method(u8 *s, va_list *args)
unsigned long u64
Definition: types.h:89
clib_error_t * ikev2_set_profile_ts(vlib_main_t *vm, u8 *name, u8 protocol_id, u16 start_port, u16 end_port, ip4_address_t start_addr, ip4_address_t end_addr, int is_local)
Definition: ikev2.c:2768
u8 v8
Definition: ikev2.h:27
clib_error_t * ikev2_set_profile_esp_transforms(vlib_main_t *vm, u8 *name, ikev2_transform_encr_type_t crypto_alg, ikev2_transform_integ_type_t integ_alg, ikev2_transform_dh_type_t dh_type, u32 crypto_key_size)
Definition: ikev2.c:2853
u8 * format_ikev2_sa_transform(u8 *s, va_list *args)
Definition: ikev2_format.c:25
clib_error_t * ikev2_initiate_rekey_child_sa(vlib_main_t *vm, u32 ispi)
Definition: ikev2.c:3235
uword unformat_ikev2_id_type(unformat_input_t *input, va_list *args)
uword unformat_ikev2_transform_prf_type(unformat_input_t *input, va_list *args)
#define foreach_ikev2_transform_integ_type
Definition: ikev2.h:250
clib_error_t * ikev2_add_del_profile(vlib_main_t *vm, u8 *name, int is_add)
Definition: ikev2.c:2666
unsigned char u8
Definition: types.h:56
ikev2_transform_dh_type_t
Definition: ikev2.h:317
uword unformat_ikev2_transform_dh_type(unformat_input_t *input, va_list *args)
clib_error_t * ikev2_set_profile_sa_lifetime(vlib_main_t *vm, u8 *name, u64 lifetime, u32 jitter, u32 handover, u64 maxdata)
Definition: ikev2.c:2878
clib_error_t * ikev2_initiate_sa_init(vlib_main_t *vm, u8 *name)
Definition: ikev2.c:2901
unsigned int u32
Definition: types.h:88
ikev2_notify_msg_type_t
Definition: ikev2.h:188
#define foreach_ikev2_transform_type
Definition: ikev2.h:195
u8 * format_ikev2_transform_prf_type(u8 *s, va_list *args)
struct _unformat_input_t unformat_input_t
unsigned short u16
Definition: types.h:57
ikev2_protocol_id_t
Definition: ikev2.h:107
u32 flags
Definition: vhost_user.h:110
u8 * format_ikev2_notify_msg_type(u8 *s, va_list *args)
typedef CLIB_PACKED(struct{u64 ispi;u64 rspi;u8 nextpayload;u8 version;u8 exchange;u8 flags;u32 msgid;u32 length;u8 payload[0];}) ike_header_t
vlib_main_t * vm
Definition: buffer.c:294
ikev2_transform_encr_type_t
Definition: ikev2.h:226
#define foreach_ikev2_transform_prf_type
Definition: ikev2.h:233
u8 * format_ikev2_transform_encr_type(u8 *s, va_list *args)
clib_error_t * ikev2_set_local_key(vlib_main_t *vm, u8 *file)
Definition: ikev2.c:2654
u8 * format_ikev2_transform_type(u8 *s, va_list *args)
ikev2_id_type_t
Definition: ikev2.h:355
ikev2_transform_esn_type_t
Definition: ikev2.h:328
option version
Definition: memclnt.api:17
uword unformat_ikev2_transform_integ_type(unformat_input_t *input, va_list *args)
clib_error_t * ikev2_init(vlib_main_t *vm)
Definition: ikev2.c:3275
u8 * format_ikev2_transform_dh_type(u8 *s, va_list *args)
u8 * format_ikev2_transform_integ_type(u8 *s, va_list *args)
clib_error_t * ikev2_set_profile_ike_transforms(vlib_main_t *vm, u8 *name, ikev2_transform_encr_type_t crypto_alg, ikev2_transform_integ_type_t integ_alg, ikev2_transform_dh_type_t dh_type, u32 crypto_key_size)
Definition: ikev2.c:2828
#define foreach_ikev2_id_type
Definition: ikev2.h:346
clib_error_t * ikev2_set_profile_auth(vlib_main_t *vm, u8 *name, u8 auth_method, u8 *data, u8 data_hex_format)
Definition: ikev2.c:2697
#define foreach_ikev2_transform_encr_type
Definition: ikev2.h:212
u64 uword
Definition: types.h:112
u8 * format_ikev2_transform_esn_type(u8 *s, va_list *args)
uword unformat_ikev2_auth_method(unformat_input_t *input, va_list *args)
ikev2_transform_prf_type_t
Definition: ikev2.h:243
uword unformat_ikev2_transform_type(unformat_input_t *input, va_list *args)
clib_error_t * ikev2_set_profile_responder(vlib_main_t *vm, u8 *name, u32 sw_if_index, ip4_address_t ip4)
Definition: ikev2.c:2807
ikev2_transform_type_t
Definition: ikev2.h:203
#define foreach_ikev2_notify_msg_type
Definition: ikev2.h:114
#define foreach_ikev2_transform_dh_type
Definition: ikev2.h:298
uword unformat_ikev2_transform_esn_type(unformat_input_t *input, va_list *args)
u8 * format_ikev2_id_type(u8 *s, va_list *args)
#define foreach_ikev2_auth_method
Definition: ikev2.h:335
clib_error_t * ikev2_initiate_delete_ike_sa(vlib_main_t *vm, u64 ispi)
Definition: ikev2.c:3125