15 #ifndef __IPSEC_SPD_SA_H__ 16 #define __IPSEC_SPD_SA_H__ 22 #define IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE (64) 24 #define foreach_ipsec_crypto_alg \ 26 _ (1, AES_CBC_128, "aes-cbc-128") \ 27 _ (2, AES_CBC_192, "aes-cbc-192") \ 28 _ (3, AES_CBC_256, "aes-cbc-256") \ 29 _ (4, AES_CTR_128, "aes-ctr-128") \ 30 _ (5, AES_CTR_192, "aes-ctr-192") \ 31 _ (6, AES_CTR_256, "aes-ctr-256") \ 32 _ (7, AES_GCM_128, "aes-gcm-128") \ 33 _ (8, AES_GCM_192, "aes-gcm-192") \ 34 _ (9, AES_GCM_256, "aes-gcm-256") \ 35 _ (10, DES_CBC, "des-cbc") \ 36 _ (11, 3DES_CBC, "3des-cbc") 40 #define _(v, f, s) IPSEC_CRYPTO_ALG_##f = v, 46 #define IPSEC_CRYPTO_ALG_IS_GCM(_alg) \ 47 (((_alg == IPSEC_CRYPTO_ALG_AES_GCM_128) || \ 48 (_alg == IPSEC_CRYPTO_ALG_AES_GCM_192) || \ 49 (_alg == IPSEC_CRYPTO_ALG_AES_GCM_256))) 51 #define foreach_ipsec_integ_alg \ 53 _ (1, MD5_96, "md5-96") \ 54 _ (2, SHA1_96, "sha1-96") \ 55 _ (3, SHA_256_96, "sha-256-96") \ 56 _ (4, SHA_256_128, "sha-256-128") \ 57 _ (5, SHA_384_192, "sha-384-192") \ 58 _ (6, SHA_512_256, "sha-512-256") 62 #define _(v, f, s) IPSEC_INTEG_ALG_##f = v, 74 #define IPSEC_N_PROTOCOLS (IPSEC_PROTOCOL_ESP+1) 76 #define IPSEC_KEY_MAX_LEN 128 91 #define foreach_ipsec_sa_flags \ 93 _ (1, USE_ESN, "esn") \ 94 _ (2, USE_ANTI_REPLAY, "anti-replay") \ 95 _ (4, IS_TUNNEL, "tunnel") \ 96 _ (8, IS_TUNNEL_V6, "tunnel-v6") \ 97 _ (16, UDP_ENCAP, "udp-encap") \ 98 _ (32, IS_GRE, "GRE") \ 99 _ (64, IS_INBOUND, "inboud") \ 100 _ (128, IS_AEAD, "aead") \ 104 #define _(v, f, s) IPSEC_SA_FLAG_##f = v, 109 STATIC_ASSERT (
sizeof (ipsec_sa_flags_t) == 1,
"IPSEC SA flags > 1 byte");
172 ipsec_sa_is_set_##v (const ipsec_sa_t *sa) { \ 173 return (sa->flags & IPSEC_SA_FLAG_##v); \ 179 ipsec_sa_set_##v (ipsec_sa_t *sa) { \ 180 return (sa->flags |= IPSEC_SA_FLAG_##v); \ 195 ipsec_crypto_alg_t crypto_alg,
197 ipsec_integ_alg_t integ_alg,
199 ipsec_sa_flags_t
flags,
202 const ip46_address_t * tunnel_src_addr,
203 const ip46_address_t * tunnel_dst_addr,
207 ipsec_crypto_alg_t crypto_alg);
209 ipsec_integ_alg_t integ_alg);
232 u32 seq, diff, tl, th;
233 if ((sa->
flags & IPSEC_SA_FLAG_USE_ANTI_REPLAY) == 0)
236 seq = clib_net_to_host_u32 (*seqp);
238 if ((sa->
flags & IPSEC_SA_FLAG_USE_ESN) == 0)
301 seq = clib_host_to_net_u32 (*seqp);
306 if (wrap == 0 && seq > sa->
last_seq)
static int ipsec_sa_anti_replay_check(ipsec_sa_t *sa, u32 *seqp)
#define CLIB_CACHE_LINE_ALIGN_MARK(mark)
ip46_address_t tunnel_src_addr
uword unformat_ipsec_integ_alg(unformat_input_t *input, va_list *args)
#define foreach_ipsec_crypto_alg
ipsec_integ_alg_t integ_alg
#define foreach_ipsec_integ_alg
u8 * format_ipsec_integ_alg(u8 *s, va_list *args)
int ipsec_set_sa_key(u32 id, const ipsec_key_t *ck, const ipsec_key_t *ik)
vnet_crypto_op_id_t integ_op_id
static void ipsec_sa_anti_replay_advance(ipsec_sa_t *sa, u32 *seqp)
int ipsec_sa_add(u32 id, u32 spi, ipsec_protocol_t proto, ipsec_crypto_alg_t crypto_alg, const ipsec_key_t *ck, ipsec_integ_alg_t integ_alg, const ipsec_key_t *ik, ipsec_sa_flags_t flags, u32 tx_table_id, u32 salt, const ip46_address_t *tunnel_src_addr, const ip46_address_t *tunnel_dst_addr, u32 *sa_index)
enum walk_rc_t_ walk_rc_t
Walk return code.
walk_rc_t(* ipsec_sa_walk_cb_t)(ipsec_sa_t *sa, void *ctx)
uword unformat_ipsec_key(unformat_input_t *input, va_list *args)
#define foreach_ipsec_sa_flags
u8 * format_ipsec_crypto_alg(u8 *s, va_list *args)
The identity of a DPO is a combination of its type and its instance number/index of objects of that t...
u8 ipsec_is_sa_used(u32 sa_index)
#define IPSEC_N_PROTOCOLS
fib_node_index_t fib_entry_index
#define IPSEC_KEY_MAX_LEN
An node in the FIB graph.
void ipsec_sa_set_crypto_alg(ipsec_sa_t *sa, ipsec_crypto_alg_t crypto_alg)
ip46_address_t tunnel_dst_addr
foreach_ipsec_sa_flags vlib_combined_counter_main_t ipsec_sa_counters
SA packet & bytes counters.
u32 ipsec_get_sa_index_by_sa_id(u32 sa_id)
enum ipsec_sad_flags_t_ ipsec_sa_flags_t
u32 fib_node_index_t
A typedef of a node index.
u8 * format_ipsec_sa(u8 *s, va_list *args)
u8 data[IPSEC_KEY_MAX_LEN]
STATIC_ASSERT_OFFSET_OF(ipsec_sa_t, cacheline1, CLIB_CACHE_LINE_BYTES)
ipsec_protocol_t protocol
void ipsec_sa_walk(ipsec_sa_walk_cb_t cd, void *ctx)
u8 * format_ipsec_key(u8 *s, va_list *args)
void ipsec_sa_set_integ_alg(ipsec_sa_t *sa, ipsec_integ_alg_t integ_alg)
uword unformat_ipsec_crypto_alg(unformat_input_t *input, va_list *args)
void ipsec_mk_key(ipsec_key_t *key, const u8 *data, u8 len)
#define IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE
vnet_crypto_op_id_t crypto_enc_op_id
A collection of combined counters.
ipsec_crypto_alg_t crypto_alg
struct ipsec_key_t_ ipsec_key_t
#define CLIB_CACHE_LINE_BYTES
vnet_crypto_op_id_t crypto_dec_op_id
STATIC_ASSERT(sizeof(ipsec_sa_flags_t)==1, "IPSEC SA flags > 1 byte")