FD.io VPP  v20.05.1-6-gf53edbc3b
Vector Packet Processing
ipsec.api File Reference

Data Structures

struct  vl_api_ipsec_spd_add_del_t
 IPsec: Add/delete Security Policy Database.
 
struct  vl_api_ipsec_interface_add_del_spd_t
 IPsec: Add/delete SPD from interface.
 
struct  vl_api_ipsec_spd_entry_add_del_t
 IPsec: Add/delete Security Policy Database entry.
 
struct  vl_api_ipsec_spd_entry_add_del_reply_t
 IPsec: Reply to Add/delete Security Policy Database entry.
 
struct  vl_api_ipsec_spds_dump_t
 Dump all IPsec SPD IDs.
 
struct  vl_api_ipsec_spds_details_t
 Dump all IPsec SPD IDs response.
 
struct  vl_api_ipsec_spd_dump_t
 Dump IPsec policy database data.
 
struct  vl_api_ipsec_spd_details_t
 IPsec policy database response.
 
struct  vl_api_ipsec_sad_entry_add_del_t
 IPsec: Add/delete Security Association Database entry.
 
struct  vl_api_ipsec_sad_entry_add_del_reply_t
 
struct  vl_api_ipsec_tunnel_protect_update_t
 
struct  vl_api_ipsec_tunnel_protect_del_t
 
struct  vl_api_ipsec_tunnel_protect_dump_t
 Dump all tunnel protections.
 
struct  vl_api_ipsec_tunnel_protect_details_t
 
struct  vl_api_ipsec_spd_interface_dump_t
 IPsec: Get SPD interfaces.
 
struct  vl_api_ipsec_spd_interface_details_t
 IPsec: SPD interface response.
 
struct  vl_api_ipsec_tunnel_if_add_del_t
 Add or delete IPsec tunnel interface.
 
struct  vl_api_ipsec_tunnel_if_add_del_reply_t
 Add/delete IPsec tunnel interface response.
 
struct  vl_api_ipsec_sa_dump_t
 Dump IPsec security association.
 
struct  vl_api_ipsec_sa_details_t
 IPsec security association database response.
 
struct  vl_api_ipsec_tunnel_if_set_sa_t
 Set new SA on IPsec interface.
 
struct  vl_api_ipsec_backend_dump_t
 Dump IPsec backends.
 
struct  vl_api_ipsec_backend_details_t
 IPsec backend details.
 
struct  vl_api_ipsec_select_backend_t
 Select IPsec backend.
 

Enumerations

enum  ipsec_spd_action { IPSEC_API_SPD_ACTION_BYPASS = 0, IPSEC_API_SPD_ACTION_DISCARD, IPSEC_API_SPD_ACTION_RESOLVE, IPSEC_API_SPD_ACTION_PROTECT }
 

Variables

option version = "3.0.2"
 
import "vnet/ipsec/ipsec_types.api"
 
typedef ipsec_spd_entry
 IPsec: Security Policy Database entry.
 
i32 priority
 
bool is_outbound
 
u32 sa_id
 
vl_api_ipsec_spd_action_t policy
 
u8 protocol
 
vl_api_address_t remote_address_start
 
vl_api_address_t remote_address_stop
 
vl_api_address_t local_address_start
 
vl_api_address_t local_address_stop
 
u16 remote_port_start
 
u16 remote_port_stop
 
u16 local_port_start
 
u16 local_port_stop
 
typedef ipsec_tunnel_protect
 Add or Update Protection for a tunnel with IPsec.
 
vl_api_address_t nh
 
u32 sa_out
 
u8 n_sa_in
 
u32 sa_in [n_sa_in]
 

Enumeration Type Documentation

◆ ipsec_spd_action

Enumerator
IPSEC_API_SPD_ACTION_BYPASS 
IPSEC_API_SPD_ACTION_DISCARD 
IPSEC_API_SPD_ACTION_RESOLVE 
IPSEC_API_SPD_ACTION_PROTECT 

Definition at line 60 of file ipsec.api.

Variable Documentation

◆ api

import "vnet/interface_types.api"

Definition at line 19 of file ipsec.api.

◆ ipsec_spd_entry

typedef ipsec_spd_entry
Initial value:
{
u32 spd_id

IPsec: Security Policy Database entry.

See RFC 4301, section 4.4.1.1 on how to match a packet to selectors.

Template Parameters
spd_id - SPD instance id (control plane allocated)
priority - priority of SPD entry (non-unique value). Used to order SPD matching: higher priorities match before lower
is_outbound - entry applies to outbound traffic if non-zero, otherwise applies to inbound traffic
remote_address_start - start of remote address range to match
remote_address_stop - end of remote address range to match
local_address_start - start of local address range to match
local_address_stop - end of local address range to match
protocol - protocol type to match [0 means any] otherwise IANA value
remote_port_start - start of remote port range to match ...
remote_port_stop - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
local_port_start - start of local port range to match ...
local_port_stop - end of local port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
policy - action to perform on match
sa_id - SAD instance id (control plane allocated)

Definition at line 92 of file ipsec.api.
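As an added example (not VPP's own code), this shows how the selector semantics documented above apply when a packet is matched against a set of ipsec_spd_entry records: the ANY and OPAQUE port encodings, protocol 0 as a wildcard, inclusive address ranges and priority ordering. The sample SPD, the packet dict shape and the default-discard fallback for an unmatched packet are constructed for the illustration.

```python
import ipaddress
# Policy actions, numbered as in the ipsec_spd_action enum on this page.
BYPASS, DISCARD, RESOLVE, PROTECT = 0, 1, 2, 3
ip = ipaddress.ip_address

def port_matches(start, stop, port):
    """Port selector encoding from the page: [0, 65535] is ANY, [65535, 0] is OPAQUE.
    OPAQUE matches only when no port is available (port is None), e.g. a
    non-initial fragment or a protocol that carries no ports."""
    if (start, stop) == (0, 65535):
        return True
    if (start, stop) == (65535, 0):
        return port is None
    return port is not None and start <= port <= stop

def entry_matches(e, pkt):
    """Evaluate one ipsec_spd_entry (dict keyed by the typedef's field names)
    against a packet's direction, protocol (0 in the entry means any), addresses and ports."""
    if e["is_outbound"] != pkt["outbound"] or e["protocol"] not in (0, pkt["protocol"]):
        return False
    return (ip(e["remote_address_start"]) <= ip(pkt["remote"]) <= ip(e["remote_address_stop"])
            and ip(e["local_address_start"]) <= ip(pkt["local"]) <= ip(e["local_address_stop"])
            and port_matches(e["remote_port_start"], e["remote_port_stop"], pkt["remote_port"])
            and port_matches(e["local_port_start"], e["local_port_stop"], pkt["local_port"]))

def spd_lookup(entries, pkt):
    """Higher-priority entries are tried first and the first match decides;
    no match falls back to DISCARD (an assumption here, after RFC 4301's default-deny)."""
    for e in sorted(entries, key=lambda e: e["priority"], reverse=True):
        if entry_matches(e, pkt):
            return e["policy"], e["sa_id"]
    return DISCARD, 0

def entry(priority, outbound, remote, local, protocol, rports, lports, policy, sa_id=0):
    """Constructed helper building an ipsec_spd_entry-shaped dict (spd_id fixed to 1)."""
    return dict(spd_id=1, priority=priority, is_outbound=outbound, protocol=protocol,
                remote_address_start=remote[0], remote_address_stop=remote[1],
                local_address_start=local[0], local_address_stop=local[1],
                remote_port_start=rports[0], remote_port_stop=rports[1],
                local_port_start=lports[0], local_port_stop=lports[1], policy=policy, sa_id=sa_id)

# Constructed sample SPD for host 192.0.2.1 talking to 10.1.0.0/24: protect TCP with SA 10,
# bypass IKE (UDP/500), and discard anything whose ports are not visible (OPAQUE selector).
PEER, ME = ("10.1.0.0", "10.1.0.255"), ("192.0.2.1", "192.0.2.1")
SPD = [
    entry(100, True, PEER, ME, 6, (0, 65535), (0, 65535), PROTECT, sa_id=10),
    entry(200, True, PEER, ME, 17, (500, 500), (500, 500), BYPASS),
    entry(300, True, PEER, ME, 0, (65535, 0), (65535, 0), DISCARD),
]
```

Note that the OPAQUE entry sits at the highest priority yet never catches a packet whose ports are visible, so ordinary TCP still reaches the PROTECT entry; only port-less packets (non-initial fragments) hit it.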

◆ ipsec_tunnel_protect

typedef ipsec_tunnel_protect
Initial value:
{
vl_api_interface_index_t sw_if_index

Add or Update Protection for a tunnel with IPsec.

Tunnel protection directly associates an SA with all packets ingress and egress on the tunnel. This could also be achieved by assigning an SPD to the tunnel, but that would incur an unnecessary SPD entry lookup.

For tunnels the ESP acts on the post-encapsulated packet. So if this packet:

 +---------+------+
 | Payload | O-IP |
 +---------+------+

where O-IP is the overlay IP address that was routed into the tunnel, the resulting encapsulated packet will be:

 +---------+------+------+
 | Payload | O-IP | T-IP |
 +---------+------+------+

where T-IP is the tunnel's src/dst IP addresses. If the SAs used for protection are in transport mode then the ESP is inserted before T-IP, i.e.:

 +---------+------+-----+------+
 | Payload | O-IP | ESP | T-IP |
 +---------+------+-----+------+

If the SAs used for protection are in tunnel mode then another encapsulation occurs, i.e.:

 +---------+------+------+-----+------+
 | Payload | O-IP | T-IP | ESP | C-IP |
 +---------+------+------+-----+------+

where C-IP are the crypto endpoint IP addresses defined as the tunnel endpoints in the SA. The mode for the inbound and outbound SA must be the same.

Template Parameters
client_index - opaque cookie to identify the sender
context - sender context, to match reply w/ request
sw_if_index - Tunnel interface to protect
nh - The peer/next-hop on the tunnel to which the traffic should be protected. For a P2P interface set this to the all 0s address.
sa_in - The ID [set] of inbound SAs
sa_out - The ID of outbound SA

Definition at line 247 of file ipsec.api.

◆ is_outbound

bool is_outbound

Definition at line 95 of file ipsec.api.

◆ local_address_start

vl_api_address_t local_address_start

Definition at line 105 of file ipsec.api.

◆ local_address_stop

vl_api_address_t local_address_stop

Definition at line 106 of file ipsec.api.

◆ local_port_start

u16 local_port_start

Definition at line 110 of file ipsec.api.

◆ local_port_stop

u16 local_port_stop

Definition at line 111 of file ipsec.api.

◆ n_sa_in

u8 n_sa_in

Definition at line 251 of file ipsec.api.

◆ nh

vl_api_address_t nh

Definition at line 249 of file ipsec.api.

◆ policy

vl_api_ipsec_spd_action_t policy

Definition at line 98 of file ipsec.api.

◆ priority

i32 priority

Definition at line 94 of file ipsec.api.

◆ protocol

u8 protocol

Definition at line 100 of file ipsec.api.

◆ remote_address_start

vl_api_address_t remote_address_start

Definition at line 103 of file ipsec.api.

◆ remote_address_stop

vl_api_address_t remote_address_stop

Definition at line 104 of file ipsec.api.

◆ remote_port_start

u16 remote_port_start

Definition at line 108 of file ipsec.api.

◆ remote_port_stop

u16 remote_port_stop

Definition at line 109 of file ipsec.api.

◆ sa_id

u32 sa_id

Definition at line 97 of file ipsec.api.

◆ sa_in

u32 sa_in[n_sa_in]

Definition at line 252 of file ipsec.api.

◆ sa_out

u32 sa_out

Definition at line 250 of file ipsec.api.

◆ version

option version = "3.0.2"

Definition at line 17 of file ipsec.api.