15 #ifndef __IPSEC_SPD_SA_H__ 16 #define __IPSEC_SPD_SA_H__ 23 #define foreach_ipsec_crypto_alg \ 25 _ (1, AES_CBC_128, "aes-cbc-128") \ 26 _ (2, AES_CBC_192, "aes-cbc-192") \ 27 _ (3, AES_CBC_256, "aes-cbc-256") \ 28 _ (4, AES_CTR_128, "aes-ctr-128") \ 29 _ (5, AES_CTR_192, "aes-ctr-192") \ 30 _ (6, AES_CTR_256, "aes-ctr-256") \ 31 _ (7, AES_GCM_128, "aes-gcm-128") \ 32 _ (8, AES_GCM_192, "aes-gcm-192") \ 33 _ (9, AES_GCM_256, "aes-gcm-256") \ 34 _ (10, DES_CBC, "des-cbc") \ 35 _ (11, 3DES_CBC, "3des-cbc") 39 #define _(v, f, s) IPSEC_CRYPTO_ALG_##f = v, 45 #define IPSEC_CRYPTO_ALG_IS_GCM(_alg) \ 46 (((_alg == IPSEC_CRYPTO_ALG_AES_GCM_128) || \ 47 (_alg == IPSEC_CRYPTO_ALG_AES_GCM_192) || \ 48 (_alg == IPSEC_CRYPTO_ALG_AES_GCM_256))) 50 #define foreach_ipsec_integ_alg \ 52 _ (1, MD5_96, "md5-96") \ 53 _ (2, SHA1_96, "sha1-96") \ 54 _ (3, SHA_256_96, "sha-256-96") \ 55 _ (4, SHA_256_128, "sha-256-128") \ 56 _ (5, SHA_384_192, "sha-384-192") \ 57 _ (6, SHA_512_256, "sha-512-256") 61 #define _(v, f, s) IPSEC_INTEG_ALG_##f = v, 73 #define IPSEC_KEY_MAX_LEN 128 88 #define foreach_ipsec_sa_flags \ 90 _ (1, USE_ESN, "esn") \ 91 _ (2, USE_ANTI_REPLAY, "anti-replay") \ 92 _ (4, IS_TUNNEL, "tunnel") \ 93 _ (8, IS_TUNNEL_V6, "tunnel-v6") \ 94 _ (16, UDP_ENCAP, "udp-encap") \ 95 _ (32, IS_PROTECT, "Protect") \ 96 _ (64, IS_INBOUND, "inbound") \ 97 _ (128, IS_AEAD, "aead") \ 101 #define _(v, f, s) IPSEC_SA_FLAG_##f = v, 106 STATIC_ASSERT (
sizeof (ipsec_sa_flags_t) == 1,
"IPSEC SA flags > 1 byte");
214 ipsec_sa_is_set_##v (const ipsec_sa_t *sa) { \ 215 return (sa->flags & IPSEC_SA_FLAG_##v); \ 221 ipsec_sa_set_##v (ipsec_sa_t *sa) { \ 222 return (sa->flags |= IPSEC_SA_FLAG_##v); \ 228 ipsec_sa_unset_##v (ipsec_sa_t *sa) { \ 229 return (sa->flags &= ~IPSEC_SA_FLAG_##v); \ 244 ipsec_crypto_alg_t crypto_alg,
246 ipsec_integ_alg_t integ_alg,
248 ipsec_sa_flags_t flags,
251 const ip46_address_t * tunnel_src_addr,
252 const ip46_address_t * tunnel_dst_addr,
253 u32 * sa_index,
u16 src_port,
u16 dst_port);
260 ipsec_crypto_alg_t crypto_alg);
262 ipsec_integ_alg_t integ_alg);
277 #define IPSEC_UDP_PORT_NONE ((u16)~0) 283 #define IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE (64) 284 #define IPSEC_SA_ANTI_REPLAY_WINDOW_MAX_INDEX (IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE-1) 291 #define IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND(_tl) (_tl - IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE + 1) 302 if ((sa->
flags & IPSEC_SA_FLAG_USE_ANTI_REPLAY) == 0)
305 if (!ipsec_sa_is_set_USE_ESN (sa))
435 if (wrap == 0 && seq > sa->
last_seq)
492 return ((thread_id) ? thread_id
#define CLIB_CACHE_LINE_ALIGN_MARK(mark)
ip46_address_t tunnel_src_addr
uword unformat_ipsec_integ_alg(unformat_input_t *input, va_list *args)
static u32 ipsec_sa_assign_thread(u32 thread_id)
#define foreach_ipsec_crypto_alg
ipsec_integ_alg_t integ_alg
u32 index_t
A Data-Path Object is an object that represents actions that are applied to packets as they are swit...
#define foreach_ipsec_integ_alg
u8 * format_ipsec_integ_alg(u8 *s, va_list *args)
int ipsec_sa_unlock_id(u32 id)
vnet_crypto_op_id_t integ_op_id
void ipsec_sa_unlock(index_t sai)
vnet_crypto_key_index_t linked_key_index
enum walk_rc_t_ walk_rc_t
Walk return code.
vnet_crypto_key_index_t crypto_key_index
walk_rc_t(* ipsec_sa_walk_cb_t)(ipsec_sa_t *sa, void *ctx)
uword unformat_ipsec_key(unformat_input_t *input, va_list *args)
int ipsec_sa_add_and_lock(u32 id, u32 spi, ipsec_protocol_t proto, ipsec_crypto_alg_t crypto_alg, const ipsec_key_t *ck, ipsec_integ_alg_t integ_alg, const ipsec_key_t *ik, ipsec_sa_flags_t flags, u32 tx_table_id, u32 salt, const ip46_address_t *tunnel_src_addr, const ip46_address_t *tunnel_dst_addr, u32 *sa_index, u16 src_port, u16 dst_port)
#define foreach_ipsec_sa_flags
u8 * format_ipsec_crypto_alg(u8 *s, va_list *args)
The identity of a DPO is a combination of its type and its instance number/index of objects of that t...
static void ipsec_sa_anti_replay_advance(ipsec_sa_t *sa, u32 seq)
fib_node_index_t fib_entry_index
#define IPSEC_KEY_MAX_LEN
vnet_crypto_async_op_id_t crypto_async_dec_op_id
A node in the FIB graph.
void ipsec_sa_set_crypto_alg(ipsec_sa_t *sa, ipsec_crypto_alg_t crypto_alg)
ip46_address_t tunnel_dst_addr
void ipsec_sa_lock(index_t sai)
foreach_ipsec_sa_flags vlib_combined_counter_main_t ipsec_sa_counters
SA packet & bytes counters.
enum ipsec_sad_flags_t_ ipsec_sa_flags_t
u32 fib_node_index_t
A typedef of a node index.
static u64 unix_time_now_nsec(void)
u8 * format_ipsec_sa(u8 *s, va_list *args)
#define IPSEC_SA_ANTI_REPLAY_WINDOW_MAX_INDEX
u8 data[IPSEC_KEY_MAX_LEN]
STATIC_ASSERT_OFFSET_OF(ipsec_sa_t, cacheline1, CLIB_CACHE_LINE_BYTES)
u32 vnet_crypto_key_index_t
static int ipsec_sa_anti_replay_check(ipsec_sa_t *sa, u32 seq)
ipsec_protocol_t protocol
vnet_crypto_async_op_id_t
vnet_crypto_key_index_t integ_key_index
vnet_crypto_alg_t integ_calg
void ipsec_sa_walk(ipsec_sa_walk_cb_t cd, void *ctx)
u8 * format_ipsec_key(u8 *s, va_list *args)
vnet_crypto_alg_t crypto_calg
void ipsec_sa_set_integ_alg(ipsec_sa_t *sa, ipsec_integ_alg_t integ_alg)
uword unformat_ipsec_crypto_alg(unformat_input_t *input, va_list *args)
#define IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND(_tl)
void ipsec_mk_key(ipsec_key_t *key, const u8 *data, u8 len)
#define IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE
index_t ipsec_sa_find_and_lock(u32 id)
vnet_crypto_op_id_t crypto_enc_op_id
A collection of combined counters.
ipsec_crypto_alg_t crypto_alg
vnet_crypto_async_op_id_t crypto_async_enc_op_id
static u32 vlib_num_workers()
struct ipsec_key_t_ ipsec_key_t
#define CLIB_CACHE_LINE_BYTES
void ipsec_sa_clear(index_t sai)
vnet_crypto_op_id_t crypto_dec_op_id
STATIC_ASSERT(sizeof(ipsec_sa_flags_t)==1, "IPSEC SA flags > 1 byte")