FD.io VPP
v20.01-48-g3e0dafb74
Vector Packet Processing
Data Structures

struct vl_api_ipsec_spd_add_del_t - IPsec: Add/delete Security Policy Database.
struct vl_api_ipsec_interface_add_del_spd_t - IPsec: Add/delete SPD from interface.
struct vl_api_ipsec_spd_entry_add_del_t - IPsec: Add/delete Security Policy Database entry.
struct vl_api_ipsec_spd_entry_add_del_reply_t - IPsec: Reply to Add/delete Security Policy Database entry.
struct vl_api_ipsec_spds_dump_t - Dump all IPsec SPD IDs.
struct vl_api_ipsec_spds_details_t - Dump all IPsec SPD IDs response.
struct vl_api_ipsec_spd_dump_t - Dump IPsec policy database data.
struct vl_api_ipsec_spd_details_t - IPsec policy database response.
struct vl_api_ipsec_sad_entry_add_del_t - IPsec: Add/delete Security Association Database entry.
struct vl_api_ipsec_sad_entry_add_del_reply_t
struct vl_api_ipsec_tunnel_protect_update_t
struct vl_api_ipsec_tunnel_protect_del_t
struct vl_api_ipsec_tunnel_protect_dump_t - Dump all tunnel protections.
struct vl_api_ipsec_tunnel_protect_details_t
struct vl_api_ipsec_spd_interface_dump_t - IPsec: Get SPD interfaces.
struct vl_api_ipsec_spd_interface_details_t - IPsec: SPD interface response.
struct vl_api_ipsec_tunnel_if_add_del_t - Add or delete IPsec tunnel interface.
struct vl_api_ipsec_tunnel_if_add_del_reply_t - Add/delete IPsec tunnel interface response.
struct vl_api_ipsec_sa_dump_t - Dump IPsec security association.
struct vl_api_ipsec_sa_details_t - IPsec security association database response.
struct vl_api_ipsec_tunnel_if_set_sa_t - Set new SA on IPsec interface.
struct vl_api_ipsec_backend_dump_t - Dump IPsec backends.
struct vl_api_ipsec_backend_details_t - IPsec backend details.
struct vl_api_ipsec_select_backend_t - Select IPsec backend.
Enumerations

enum ipsec_spd_action { IPSEC_API_SPD_ACTION_BYPASS = 0, IPSEC_API_SPD_ACTION_DISCARD, IPSEC_API_SPD_ACTION_RESOLVE, IPSEC_API_SPD_ACTION_PROTECT }

Variables

option version = "3.0.0"
import "vnet/ipsec/ipsec_types.api"

typedef ipsec_spd_entry - IPsec: Security Policy Database entry.
    i32 priority
    u8 is_outbound
    u32 sa_id
    vl_api_ipsec_spd_action_t policy
    u8 protocol
    vl_api_address_t remote_address_start
    vl_api_address_t remote_address_stop
    vl_api_address_t local_address_start
    vl_api_address_t local_address_stop
    u16 remote_port_start
    u16 remote_port_stop
    u16 local_port_start
    u16 local_port_stop

typedef ipsec_tunnel_protect - Add or update protection for a tunnel with IPsec.
    u32 sa_out
    u8 n_sa_in
    u32 sa_in[n_sa_in]
enum ipsec_spd_action

typedef ipsec_spd_entry

IPsec: Security Policy Database entry.
See RFC 4301, section 4.4.1.1 on how to match a packet to selectors.

spd_id - SPD instance id (control plane allocated)
priority - priority of the SPD entry (non-unique value). Used to order SPD matching: higher priorities match before lower ones
is_outbound - entry applies to outbound traffic if non-zero, otherwise it applies to inbound traffic
remote_address_start - start of remote address range to match
remote_address_stop - end of remote address range to match
local_address_start - start of local address range to match
local_address_stop - end of local address range to match
protocol - protocol type to match [0 means any], otherwise the IANA value
remote_port_start - start of remote port range to match ...
remote_port_stop - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
local_port_start - start of local port range to match ...
local_port_stop - end of local port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
policy - action to perform on match
sa_id - SAD instance id (control plane allocated)
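The selector semantics described above (priority order, protocol 0 as a wildcard, the ANY and OPAQUE port ranges, local versus remote side chosen by direction), as an added Python simulation of an SPD lookup that is not VPP's own code. Two assumptions not stated on this page come from RFC 4301: OPAQUE only matches packets whose port is unavailable, and traffic matching no entry is discarded; the sample SPD is constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = (0, 65535)     # port range 0..65535 means ANY port
OPAQUE = (65535, 0)  # port range 65535..0 means OPAQUE (port not available)

@dataclass
class SpdEntry:
    priority: int             # higher priorities are matched first (non-unique)
    is_outbound: bool
    policy: str               # BYPASS, DISCARD, RESOLVE or PROTECT
    sa_id: int                # SAD id used when policy is PROTECT
    protocol: int             # 0 means any, otherwise the IANA protocol number
    remote: Tuple[str, str]   # remote_address_start, remote_address_stop
    local: Tuple[str, str]    # local_address_start, local_address_stop
    remote_port: Tuple[int, int] = ANY
    local_port: Tuple[int, int] = ANY

def port_matches(rng: Tuple[int, int], port: Optional[int]) -> bool:
    # Assumed RFC 4301 reading: ANY matches all; OPAQUE only port-less packets (e.g. fragments)
    if rng == ANY:
        return True
    if rng == OPAQUE:
        return port is None
    return port is not None and rng[0] <= port <= rng[1]

def addr_matches(rng: Tuple[str, str], addr: str) -> bool:
    return ipaddress.ip_address(rng[0]) <= ipaddress.ip_address(addr) <= ipaddress.ip_address(rng[1])

def spd_lookup(entries, is_outbound, protocol, src, dst, sport=None, dport=None):
    """(policy, sa_id) of the best match; ("DISCARD", None) if no entry matches."""
    # "local" is this host's side: source for outbound, destination for inbound
    local, lport = (src, sport) if is_outbound else (dst, dport)
    remote, rport = (dst, dport) if is_outbound else (src, sport)
    for e in sorted(entries, key=lambda e: e.priority, reverse=True):
        if (e.is_outbound == is_outbound and e.protocol in (0, protocol)
                and addr_matches(e.local, local) and addr_matches(e.remote, remote)
                and port_matches(e.local_port, lport) and port_matches(e.remote_port, rport)):
            return e.policy, e.sa_id
    return "DISCARD", None   # RFC 4301: traffic matching no policy is discarded

# Constructed sample SPD for outbound 10.0.0.0/24 -> 192.168.1.0/24 traffic:
# bypass IKE (UDP/500), drop port-less fragments, protect everything else.
NET_R, NET_L = ("192.168.1.0", "192.168.1.255"), ("10.0.0.0", "10.0.0.255")
SPD = [
    SpdEntry(100, True, "PROTECT", 10, 0, NET_R, NET_L),
    SpdEntry(200, True, "BYPASS", 0, 17, NET_R, NET_L, (500, 500), (500, 500)),
    SpdEntry(150, True, "DISCARD", 0, 0, NET_R, NET_L, OPAQUE, OPAQUE),
]
```

Note that the priority-150 DISCARD entry never catches normal traffic: its OPAQUE ranges only match packets whose ports cannot be read, so a TCP flow falls through to the priority-100 PROTECT entry.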
typedef ipsec_tunnel_protect

Add or update protection for a tunnel with IPsec.
Tunnel protection directly associates an SA with all packets ingressing and egressing the tunnel. This could also be achieved by assigning an SPD to the tunnel, but that would incur an unnecessary SPD entry lookup.

For tunnels the ESP acts on the post-encapsulated packet. So if this packet:

    +---------+------+
    | Payload | O-IP |
    +---------+------+

where O-IP is the overlay IP address that was routed into the tunnel, the resulting encapsulated packet will be:

    +---------+------+------+
    | Payload | O-IP | T-IP |
    +---------+------+------+

where T-IP is the tunnel's src/dst IP addresses. If the SAs used for protection are in transport mode then the ESP is inserted before T-IP, i.e.:

    +---------+------+-----+------+
    | Payload | O-IP | ESP | T-IP |
    +---------+------+-----+------+

If the SAs used for protection are in tunnel mode then another encapsulation occurs, i.e.:

    +---------+------+------+-----+------+
    | Payload | O-IP | T-IP | ESP | C-IP |
    +---------+------+------+-----+------+

where C-IP are the crypto endpoint IP addresses defined as the tunnel endpoints in the SA. The mode for the inbound and outbound SA must be the same.

client_index - opaque cookie to identify the sender
context - sender context, to match reply with request
sw_id_index - Tunnel interface to protect
sa_in - The ID [set] of inbound SAs
sa_out - The ID of the outbound SA