FD.io VPP  v21.01.1
Vector Packet Processing
ipsec_tun.h
Go to the documentation of this file.
1 /*
2  * ipsec_tun.h : IPSEC tunnel protection
3  *
4  * Copyright (c) 2015 Cisco and/or its affiliates.
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at:
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  */
17 
18 #include <vnet/ipsec/ipsec.h>
19 
20 #define foreach_ipsec_protect_flags \
21  _(L2, 1, "l2") \
22  _(ENCAPED, 2, "encapped") \
23  _(ITF, 4, "itf") \
24 
25 typedef enum ipsec_protect_flags_t_
26 {
27  IPSEC_PROTECT_NONE = 0,
28 #define _(a,b,c) IPSEC_PROTECT_##a = b,
29  foreach_ipsec_protect_flags
30 #undef _
31 } __clib_packed ipsec_protect_flags_t;
32 
33 extern u8 *format_ipsec_tun_protect_flags (u8 * s, va_list * args);
34 
35 /**
36  * result of a lookup in the protection bihash
37  */
38 typedef struct ipsec_tun_lkup_result_t_
39 {
40  u32 tun_index;
41  u32 sa_index;
42  u32 sw_if_index;
43  ipsec_protect_flags_t flags;
44  u8 __pad[3];
45 } ipsec_tun_lkup_result_t;
46 
47 typedef struct ipsec4_tunnel_kv_t
48 {
49  /*
50  * Key fields: remote ip and spi on incoming packet
51  * all fields in NET byte order
52  */
53  u64 key;
54  ipsec_tun_lkup_result_t value;
55 } __clib_packed ipsec4_tunnel_kv_t;
56 
57 STATIC_ASSERT_SIZEOF (ipsec4_tunnel_kv_t, sizeof (clib_bihash_kv_8_16_t));
58 STATIC_ASSERT_OFFSET_OF (ipsec4_tunnel_kv_t, value,
59  STRUCT_OFFSET_OF (clib_bihash_kv_8_16_t, value));
60 
61 static inline void
62 ipsec4_tunnel_mk_key (ipsec4_tunnel_kv_t * k,
63  const ip4_address_t * ip, u32 spi)
64 {
65  k->key = (((u64) ip->as_u32) << 32 | spi);
66 }
67 
68 static inline void
69 ipsec4_tunnel_extract_key (const ipsec4_tunnel_kv_t * k,
70  ip4_address_t * ip, u32 * spi)
71 {
72  *spi = (u32) k->key;
73  (*ip).as_u32 = k->key >> 32;
74 }
75 
76 typedef struct ipsec6_tunnel_kv_t_
77 {
78  /*
79  * Key fields: remote ip and spi on incoming packet
80  * all fields in NET byte order
81  */
82  struct
83  {
84  ip6_address_t remote_ip;
85  u32 spi;
86  u32 __pad;
87  } key;
88  ipsec_tun_lkup_result_t value;
89 } __clib_packed ipsec6_tunnel_kv_t;
90 
91 STATIC_ASSERT_SIZEOF (ipsec6_tunnel_kv_t, sizeof (clib_bihash_kv_24_16_t));
92 STATIC_ASSERT_OFFSET_OF (ipsec6_tunnel_kv_t, value,
93  STRUCT_OFFSET_OF (clib_bihash_kv_24_16_t, value));
94 
95 extern u8 *format_ipsec4_tunnel_kv (u8 * s, va_list * args);
96 extern u8 *format_ipsec6_tunnel_kv (u8 * s, va_list * args);
97 
98 typedef struct ipsec_ep_t_
99 {
100  ip46_address_t src;
101  ip46_address_t dst;
102 } ipsec_ep_t;
103 
104 #define ITP_MAX_N_SA_IN 4
105 
106 typedef struct ipsec_tun_protect_t_
107 {
108  CLIB_CACHE_LINE_ALIGN_MARK (cacheline0);
109  index_t itp_out_sa;
110 
111  /* not using a vector since we want the memory inline
112  * with this struct */
113  u32 itp_n_sa_in;
114  index_t itp_in_sas[ITP_MAX_N_SA_IN];
115 
116  u32 itp_sw_if_index;
117 
118  ipsec_ep_t itp_crypto;
119 
120  ipsec_protect_flags_t itp_flags;
121  adj_index_t itp_ai;
122 
123  ipsec_ep_t itp_tun;
124 
125  ip_address_t *itp_key;
126 
127 } ipsec_tun_protect_t;
128 
129 #define FOR_EACH_IPSEC_PROTECT_INPUT_SAI(_itp, _sai, body) \
130 { \
131  u32 __ii; \
132  for (__ii = 0; __ii < _itp->itp_n_sa_in; __ii++) { \
133  _sai = itp->itp_in_sas[__ii]; \
134  body; \
135  } \
136 }
137 #define FOR_EACH_IPSEC_PROTECT_INPUT_SA(_itp, _sa, body) \
138 { \
139  u32 __ii; \
140  for (__ii = 0; __ii < _itp->itp_n_sa_in; __ii++) { \
141  _sa = ipsec_sa_get(itp->itp_in_sas[__ii]); \
142  body; \
143  } \
144 }
145 
146 extern int ipsec_tun_protect_update_one (u32 sw_if_index,
147  const ip_address_t * nh,
148  u32 sa_out, u32 sa_in);
149 extern int ipsec_tun_protect_update (u32 sw_if_index,
150  const ip_address_t * nh,
151  u32 sa_out, u32 * sa_ins);
152 extern int ipsec_tun_protect_update_in (u32 sw_if_index,
153  const ip_address_t * nh, u32 sa_in);
154 extern int ipsec_tun_protect_update_out (u32 sw_if_index,
155  const ip_address_t * nh, u32 sa_out);
156 
157 extern int ipsec_tun_protect_del (u32 sw_if_index, const ip_address_t * nh);
158 
159 typedef walk_rc_t (*ipsec_tun_protect_walk_cb_t) (index_t itpi, void *arg);
160 extern void ipsec_tun_protect_walk (ipsec_tun_protect_walk_cb_t fn,
161  void *cttx);
162 extern void ipsec_tun_protect_walk_itf (u32 sw_if_index,
163  ipsec_tun_protect_walk_cb_t fn,
164  void *cttx);
165 
166 extern u8 *format_ipsec_tun_protect (u8 * s, va_list * args);
167 extern u8 *format_ipsec_tun_protect_index (u8 * s, va_list * args);
168 
169 extern void ipsec_tun_register_nodes (ip_address_family_t af);
170 extern void ipsec_tun_unregister_nodes (ip_address_family_t af);
171 
172 extern void ipsec_tun_table_init (ip_address_family_t af,
173  uword table_size, u32 n_buckets);
174 
175 // FIXME
176 extern vlib_node_registration_t ipsec4_tun_input_node;
177 extern vlib_node_registration_t ipsec6_tun_input_node;
178 
179 /*
180  * DP API
181  */
182 extern ipsec_tun_protect_t *ipsec_tun_protect_pool;
183 
184 always_inline ipsec_tun_protect_t *
185 ipsec_tun_protect_get (u32 index)
186 {
187  return (pool_elt_at_index (ipsec_tun_protect_pool, index));
188 }
189 
190 extern index_t *ipsec_tun_protect_sa_by_adj_index;
191 always_inline index_t
192 ipsec_tun_protect_get_sa_out (adj_index_t ai)
193 {
194  ASSERT (vec_len (ipsec_tun_protect_sa_by_adj_index) > ai);
195  ASSERT (INDEX_INVALID != ipsec_tun_protect_sa_by_adj_index[ai]);
196 
197  return (ipsec_tun_protect_sa_by_adj_index[ai]);
198 }
199 
200 /*
201  * fd.io coding-style-patch-verification: ON
202  *
203  * Local Variables:
204  * eval: (c-set-style "gnu")
205  * End:
206  */
ipsec_tun_protect_walk_cb_t
walk_rc_t(* ipsec_tun_protect_walk_cb_t)(index_t itpi, void *arg)
Definition: ipsec_tun.h:159
ipsec_tun_lkup_result_t
struct ipsec_tun_lkup_result_t_ ipsec_tun_lkup_result_t
result of a lookup in the protection bihash
CLIB_CACHE_LINE_ALIGN_MARK
#define CLIB_CACHE_LINE_ALIGN_MARK(mark)
Definition: cache.h:60
ipsec4_tunnel_kv_t::key
u64 key
Definition: ipsec_tun.h:53
ipsec6_tun_input_node
vlib_node_registration_t ipsec6_tun_input_node
(constructor) VLIB_REGISTER_NODE (ipsec6_tun_input_node)
Definition: ipsec_tun_in.c:396
ipsec_tun_protect_del
int ipsec_tun_protect_del(u32 sw_if_index, const ip_address_t *nh)
Definition: ipsec_tun.c:804
ipsec6_tunnel_kv_t_::spi
u32 spi
Definition: ipsec_tun.h:85
nh
vl_api_fib_path_nh_t nh
Definition: fib_types.api:126
u64
unsigned long u64
Definition: types.h:89
ipsec_tun_protect_t
struct ipsec_tun_protect_t_ ipsec_tun_protect_t
ipsec_tun_protect_update_one
int ipsec_tun_protect_update_one(u32 sw_if_index, const ip_address_t *nh, u32 sa_out, u32 sa_in)
Definition: ipsec_tun.c:533
index_t
u32 index_t
A Data-Path Object is an object that represents actions that are applied to packets are they are swit...
Definition: dpo.h:41
STATIC_ASSERT_SIZEOF
STATIC_ASSERT_SIZEOF(ipsec4_tunnel_kv_t, sizeof(clib_bihash_kv_8_16_t))
STRUCT_OFFSET_OF
#define STRUCT_OFFSET_OF(t, f)
Definition: clib.h:70
ipsec_tun_protect_t_::itp_n_sa_in
u32 itp_n_sa_in
Definition: ipsec_tun.h:113
u8
unsigned char u8
Definition: types.h:56
walk_rc_t
enum walk_rc_t_ walk_rc_t
Walk return code.
foreach_ipsec_protect_flags
#define foreach_ipsec_protect_flags
Definition: ipsec_tun.h:20
ipsec_ep_t_::src
ip46_address_t src
Definition: ipsec_tun.h:100
format_ipsec_tun_protect_index
u8 * format_ipsec_tun_protect_index(u8 *s, va_list *args)
Definition: ipsec_format.c:346
ipsec_protect_flags_t_
ipsec_protect_flags_t_
Definition: ipsec_tun.h:25
ipsec_tun_protect_t_::itp_tun
ipsec_ep_t itp_tun
Definition: ipsec_tun.h:123
ipsec4_tunnel_mk_key
static void ipsec4_tunnel_mk_key(ipsec4_tunnel_kv_t *k, const ip4_address_t *ip, u32 spi)
Definition: ipsec_tun.h:62
u32
unsigned int u32
Definition: types.h:88
ipsec_tun_protect_t_::itp_ai
adj_index_t itp_ai
Definition: ipsec_tun.h:121
sa_in
u32 sa_in[n_sa_in]
Definition: ipsec.api:266
ipsec_tun_protect_update_out
int ipsec_tun_protect_update_out(u32 sw_if_index, const ip_address_t *nh, u32 sa_out)
Definition: ipsec_tun.c:546
ipsec4_tun_input_node
vlib_node_registration_t ipsec4_tun_input_node
(constructor) VLIB_REGISTER_NODE (ipsec4_tun_input_node)
Definition: ipsec_tun_in.c:373
sa_out
u32 sa_out
Definition: ipsec.api:264
ip4_address_t
Definition: ip4_packet.h:50
pool_elt_at_index
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
Definition: pool.h:546
clib_bihash_kv_24_16_t
Definition: bihash_24_16.h:40
ipsec_tun_protect_get_sa_out
static index_t ipsec_tun_protect_get_sa_out(adj_index_t ai)
Definition: ipsec_tun.h:192
IPSEC_PROTECT_NONE
Definition: ipsec_tun.h:27
ipsec6_tunnel_kv_t
struct ipsec6_tunnel_kv_t_ ipsec6_tunnel_kv_t
ipsec_tun_protect_t_
Definition: ipsec_tun.h:106
ipsec4_tunnel_kv_t::value
ipsec_tun_lkup_result_t value
Definition: ipsec_tun.h:54
ipsec_tun_protect_update_in
int ipsec_tun_protect_update_in(u32 sw_if_index, const ip_address_t *nh, u32 sa_in)
Definition: ipsec_tun.c:595
always_inline
#define always_inline
Definition: ipsec.h:28
ipsec_tun_unregister_nodes
void ipsec_tun_unregister_nodes(ip_address_family_t af)
Definition: ipsec_tun.c:115
ipsec_tun_lkup_result_t_::sw_if_index
u32 sw_if_index
Definition: ipsec_tun.h:42
ipsec_tun_table_init
void ipsec_tun_table_init(ip_address_family_t af, uword table_size, u32 n_buckets)
Definition: ipsec_tun.c:976
ip_address
Definition: ip_types.h:79
ipsec_tun_protect_t_::itp_sw_if_index
u32 itp_sw_if_index
Definition: ipsec_tun.h:116
format_ipsec_tun_protect
u8 * format_ipsec_tun_protect(u8 *s, va_list *args)
Definition: ipsec_format.c:376
ipsec6_tunnel_kv_t_::value
ipsec_tun_lkup_result_t value
Definition: ipsec_tun.h:88
ipsec_tun_lkup_result_t_::tun_index
u32 tun_index
Definition: ipsec_tun.h:40
ipsec_tun_lkup_result_t_::flags
ipsec_protect_flags_t flags
Definition: ipsec_tun.h:43
ipsec6_tunnel_kv_t_::remote_ip
ip6_address_t remote_ip
Definition: ipsec_tun.h:84
clib_bihash_kv_8_16_t
8 octet key, 8 octet key value pair
Definition: bihash_8_16.h:41
spi
u32 spi
Definition: flow_types.api:140
ipsec6_tunnel_kv_t_
Definition: ipsec_tun.h:76
adj_index_t
u32 adj_index_t
An index for adjacencies.
Definition: adj_types.h:30
ipsec_ep_t_
Definition: ipsec_tun.h:98
ITP_MAX_N_SA_IN
#define ITP_MAX_N_SA_IN
Definition: ipsec_tun.h:104
ipsec_tun_protect_pool
ipsec_tun_protect_t * ipsec_tun_protect_pool
Pool of tunnel protection objects.
Definition: ipsec_tun.c:43
ipsec_ep_t_::dst
ip46_address_t dst
Definition: ipsec_tun.h:101
STATIC_ASSERT_OFFSET_OF
STATIC_ASSERT_OFFSET_OF(ipsec4_tunnel_kv_t, value, STRUCT_OFFSET_OF(clib_bihash_kv_8_16_t, value))
value
u8 value
Definition: qos.api:54
ASSERT
#define ASSERT(truth)
Definition: error_bootstrap.h:69
ipsec_tun_protect_get
static ipsec_tun_protect_t * ipsec_tun_protect_get(u32 index)
Definition: ipsec_tun.h:185
ipsec_tun_lkup_result_t_
result of a lookup in the protection bihash
Definition: ipsec_tun.h:38
ipsec_ep_t
struct ipsec_ep_t_ ipsec_ep_t
ipsec_tun_protect_walk
void ipsec_tun_protect_walk(ipsec_tun_protect_walk_cb_t fn, void *cttx)
Definition: ipsec_tun.c:836
ipsec_tun_register_nodes
void ipsec_tun_register_nodes(ip_address_family_t af)
Definition: ipsec_tun.c:98
ip_address_family_t
enum ip_address_family_t_ ip_address_family_t
key
typedef key
Definition: ipsec_types.api:86
vlib_node_registration_t
struct _vlib_node_registration vlib_node_registration_t
ipsec_tun_protect_walk_itf
void ipsec_tun_protect_walk_itf(u32 sw_if_index, ipsec_tun_protect_walk_cb_t fn, void *cttx)
Definition: ipsec_tun.c:849
ip
vl_api_address_t ip
Definition: l2.api:501
ipsec_tun_protect_t_::itp_crypto
ipsec_ep_t itp_crypto
Definition: ipsec_tun.h:118
vec_len
#define vec_len(v)
Number of elements in vector (rvalue-only, NULL tolerant)
Definition: vec_bootstrap.h:142
ipsec_tun_lkup_result_t_::sa_index
u32 sa_index
Definition: ipsec_tun.h:41
INDEX_INVALID
#define INDEX_INVALID
Invalid index - used when no index is known blazoned capitals INVALID speak volumes where ~0 does not...
Definition: dpo.h:47
uword
u64 uword
Definition: types.h:112
ipsec4_tunnel_kv_t
Definition: ipsec_tun.h:47
format_ipsec4_tunnel_kv
u8 * format_ipsec4_tunnel_kv(u8 *s, va_list *args)
Definition: ipsec_format.c:402
ipsec_tun_protect_t_::itp_flags
ipsec_protect_flags_t itp_flags
Definition: ipsec_tun.h:120
index
u32 index
Definition: flow_types.api:221
format_ipsec_tun_protect_flags
u8 * format_ipsec_tun_protect_flags(u8 *s, va_list *args)
Definition: ipsec_format.c:360
format_ipsec6_tunnel_kv
u8 * format_ipsec6_tunnel_kv(u8 *s, va_list *args)
Definition: ipsec_format.c:420
ipsec_tun_protect_t_::itp_key
ip_address_t * itp_key
Definition: ipsec_tun.h:125
ip4_address_t::as_u32
u32 as_u32
Definition: ip4_packet.h:57
ipsec_tun_protect_sa_by_adj_index
index_t * ipsec_tun_protect_sa_by_adj_index
Adj index to TX SA mapping.
Definition: ipsec_tun.c:53
ipsec4_tunnel_extract_key
static void ipsec4_tunnel_extract_key(const ipsec4_tunnel_kv_t *k, ip4_address_t *ip, u32 *spi)
Definition: ipsec_tun.h:69
ipsec_protect_flags_t
enum ipsec_protect_flags_t_ ipsec_protect_flags_t
ipsec4_tunnel_kv_t
struct ipsec4_tunnel_kv_t ipsec4_tunnel_kv_t
ipsec_tun_protect_t_::itp_out_sa
index_t itp_out_sa
Definition: ipsec_tun.h:109
ipsec_tun_protect_update
int ipsec_tun_protect_update(u32 sw_if_index, const ip_address_t *nh, u32 sa_out, u32 *sa_ins)
Definition: ipsec_tun.c:654