FD.io VPP
v21.01.1
Vector Packet Processing
Enumerations | |
enum | ipsec_spd_action { IPSEC_API_SPD_ACTION_BYPASS = 0, IPSEC_API_SPD_ACTION_DISCARD, IPSEC_API_SPD_ACTION_RESOLVE, IPSEC_API_SPD_ACTION_PROTECT } |
Variables | |
option | version = "4.0.0" |
import vnet ipsec ipsec_types | api |
typedef | ipsec_spd_entry |
IPsec: Security Policy Database entry.
i32 | priority |
bool | is_outbound |
u32 | sa_id |
vl_api_ipsec_spd_action_t | policy |
u8 | protocol |
vl_api_address_t | remote_address_start |
vl_api_address_t | remote_address_stop |
vl_api_address_t | local_address_start |
vl_api_address_t | local_address_stop |
u16 | remote_port_start |
u16 | remote_port_stop |
u16 | local_port_start |
u16 | local_port_stop |
typedef | ipsec_tunnel_protect |
Add or Update Protection for a tunnel with IPSEC.
vl_api_address_t | nh |
u32 | sa_out |
u8 | n_sa_in |
u32 | sa_in [n_sa_in] |
typedef | ipsec_itf |
vl_api_tunnel_mode_t | mode |
vl_api_interface_index_t | sw_if_index |
enum ipsec_spd_action |
typedef ipsec_itf |
typedef ipsec_spd_entry |
IPsec: Security Policy Database entry.
See RFC 4301, 4.4.1.1 on how to match packet to selectors
spd_id | - SPD instance id (control plane allocated) |
priority | - priority of SPD entry (non-unique value). Used to order SPD matching - higher priorities match before lower |
is_outbound | - entry applies to outbound traffic if non-zero, otherwise applies to inbound traffic |
remote_address_start | - start of remote address range to match |
remote_address_stop | - end of remote address range to match |
local_address_start | - start of local address range to match |
local_address_stop | - end of local address range to match |
protocol | - protocol type to match [0 means any] otherwise IANA value |
remote_port_start | - start of remote port range to match ... |
remote_port_stop | - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE] |
local_port_start | - start of local port range to match ... |
local_port_stop | - end of local port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE] |
policy | - action to perform on match |
sa_id | - SAD instance id (control plane allocated) |
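The selector semantics above (priority ordering, protocol 0 as wildcard, and the ANY versus OPAQUE port-range encodings) are easy to get wrong when building policies from a control plane, so the following stand-alone lookup implements them as an added example. It is not code from the VPP project; the SpdEntry and Packet classes, the sample SPD, and the tie-break on equal priority (first-listed entry wins) are this example's own assumptions.

```python
# Added example, not VPP project code: RFC 4301 4.4.1.1 style SPD matching
# with the ANY/OPAQUE port-range encodings documented for ipsec_spd_entry.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional

# Values of enum ipsec_spd_action.
IPSEC_API_SPD_ACTION_BYPASS = 0
IPSEC_API_SPD_ACTION_DISCARD = 1
IPSEC_API_SPD_ACTION_RESOLVE = 2
IPSEC_API_SPD_ACTION_PROTECT = 3

PORT_ANY = (0, 65535)      # "0 to 65535 means ANY"
PORT_OPAQUE = (65535, 0)   # "65535 to 0 means OPAQUE"


@dataclass
class SpdEntry:
    """Mirrors the ipsec_spd_entry selectors (spd_id omitted: one SPD per lookup)."""
    priority: int
    is_outbound: bool
    policy: int
    sa_id: int
    protocol: int                      # 0 = any, otherwise IANA protocol number
    local_address_start: str
    local_address_stop: str
    remote_address_start: str
    remote_address_stop: str
    local_port_start: int = 0
    local_port_stop: int = 65535
    remote_port_start: int = 0
    remote_port_stop: int = 65535


@dataclass
class Packet:
    """Selector values taken from a packet. Ports are None when no L4 header is
    readable (non-initial fragment, or a protocol without ports)."""
    is_outbound: bool
    protocol: int
    local_addr: str
    remote_addr: str
    local_port: Optional[int] = None
    remote_port: Optional[int] = None


def _addr_in_range(addr: str, start: str, stop: str) -> bool:
    a, s, e = ip_address(addr), ip_address(start), ip_address(stop)
    return a.version == s.version == e.version and s <= a <= e


def _port_matches(port: Optional[int], start: int, stop: int) -> bool:
    if (start, stop) == PORT_ANY:      # ANY: matches with or without an L4 port
        return True
    if (start, stop) == PORT_OPAQUE:   # OPAQUE: matches only when the port is unavailable
        return port is None
    return port is not None and start <= port <= stop


def entry_matches(e: SpdEntry, p: Packet) -> bool:
    return (e.is_outbound == p.is_outbound
            and (e.protocol == 0 or e.protocol == p.protocol)
            and _addr_in_range(p.local_addr, e.local_address_start, e.local_address_stop)
            and _addr_in_range(p.remote_addr, e.remote_address_start, e.remote_address_stop)
            and _port_matches(p.local_port, e.local_port_start, e.local_port_stop)
            and _port_matches(p.remote_port, e.remote_port_start, e.remote_port_stop))


def spd_lookup(entries: List[SpdEntry], p: Packet) -> Optional[SpdEntry]:
    """Highest-priority matching entry (ties: first listed wins), or None.
    What to do with an unmatched packet is left to the caller."""
    best = None
    for e in entries:
        if entry_matches(e, p) and (best is None or e.priority > best.priority):
            best = e
    return best


# Constructed sample SPD: protect TCP/443 to 192.0.2.0/24, discard TCP packets
# whose ports cannot be read (OPAQUE), bypass all other outbound traffic.
SAMPLE_SPD = [
    SpdEntry(100, True, IPSEC_API_SPD_ACTION_PROTECT, 10, 6,
             "10.0.0.0", "10.0.0.255", "192.0.2.0", "192.0.2.255",
             remote_port_start=443, remote_port_stop=443),
    SpdEntry(50, True, IPSEC_API_SPD_ACTION_DISCARD, 0, 6,
             "10.0.0.0", "10.0.0.255", "192.0.2.0", "192.0.2.255",
             remote_port_start=PORT_OPAQUE[0], remote_port_stop=PORT_OPAQUE[1]),
    SpdEntry(10, True, IPSEC_API_SPD_ACTION_BYPASS, 0, 0,
             "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]


def policy_for(p: Packet, entries: List[SpdEntry] = SAMPLE_SPD) -> Optional[int]:
    e = spd_lookup(entries, p)
    return None if e is None else e.policy


if __name__ == "__main__":
    print(policy_for(Packet(True, 6, "10.0.0.5", "192.0.2.7", 51000, 443)))  # 3 PROTECT
    print(policy_for(Packet(True, 6, "10.0.0.5", "192.0.2.7")))              # 1 DISCARD (fragment)
    print(policy_for(Packet(True, 17, "10.0.0.5", "192.0.2.7", 51001, 53)))  # 0 BYPASS
```

The non-initial-fragment case shows why OPAQUE exists: a PROTECT entry keyed on port 443 cannot match a packet whose ports are not present, so without a lower-priority OPAQUE entry such fragments would fall through to whatever catch-all follows.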
typedef ipsec_tunnel_protect |
Add or Update Protection for a tunnel with IPSEC.
Tunnel protection directly associates an SA with all packets ingress and egress on the tunnel. This could also be achieved by assigning an SPD to the tunnel, but that would incur an unnecessary SPD entry lookup.
For tunnels the ESP acts on the post-encapsulated packet. So if this packet:

    +---------+------+
    | Payload | O-IP |
    +---------+------+

where O-IP is the overlay IP address that was routed into the tunnel, the resulting encapsulated packet will be:

    +---------+------+------+
    | Payload | O-IP | T-IP |
    +---------+------+------+

where T-IP is the tunnel's src/dst IP addresses. If the SAs used for protection are in transport mode then the ESP is inserted before T-IP, i.e.:

    +---------+------+-----+------+
    | Payload | O-IP | ESP | T-IP |
    +---------+------+-----+------+

If the SAs used for protection are in tunnel mode then another encapsulation occurs, i.e.:

    +---------+------+------+-----+------+
    | Payload | O-IP | T-IP | ESP | C-IP |
    +---------+------+------+-----+------+

where C-IP are the crypto endpoint IP addresses defined as the tunnel endpoints in the SA. The mode for the inbound and outbound SA must be the same.
client_index | - opaque cookie to identify the sender |
context | - sender context, to match reply w/ request |
sw_if_index | - Tunnel interface to protect |
nh | - The peer/next-hop on the tunnel to which the traffic should be protected. For a P2P interface set this to the all 0s address. |
sa_in | - The ID [set] of inbound SAs |
sa_out | - The ID of outbound SA |
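The constraints stated above (inbound and outbound SAs in the same mode, at least one inbound SA, the all-zeros nh on a P2P interface) are not visible in the typedef itself, so the following added example checks a prospective ipsec_tunnel_protect request against a local SA table before it is sent and reports the header stack the protected packet will carry. This is not VPP project code: the SA table layout, the dict shape of the request, and the validation rules are this example's own assumptions, and the message that carries the typedef and the vpp_papi call shape are noted as assumptions in the usage below.

```python
# Added example, not VPP project code: pre-flight checks for an
# ipsec_tunnel_protect request plus the resulting header layout.
from ipaddress import ip_address
from typing import Dict, List

# Constructed SA attribute table: sa_id -> {"tunnel_mode": bool}. In a real
# deployment this comes from the SAs the control plane created earlier.
SA_TABLE: Dict[int, dict] = {
    20: {"tunnel_mode": False},   # outbound, transport mode
    21: {"tunnel_mode": False},   # inbound, transport mode
    22: {"tunnel_mode": False},   # second inbound SA kept during a rekey
    30: {"tunnel_mode": True},    # inbound, tunnel mode: must not pair with 20
}

ALL_ZEROS_NH = "0.0.0.0"  # "For a P2P interface set this to the all 0s address"


def protected_layout(tunnel_mode: bool) -> List[str]:
    """Headers from inner to outer, as in the description above."""
    if tunnel_mode:
        return ["Payload", "O-IP", "T-IP", "ESP", "C-IP"]
    return ["Payload", "O-IP", "ESP", "T-IP"]


def validate_tunnel_protect(sa_out: int, sa_in: List[int], nh: str,
                            p2p: bool = True,
                            sa_table: Dict[int, dict] = SA_TABLE) -> List[str]:
    """Return a list of problems; empty means the request is consistent."""
    problems = []
    if not sa_in:
        problems.append("at least one inbound SA is required")
    for sa in [sa_out, *sa_in]:
        if sa not in sa_table:
            problems.append(f"unknown SA id {sa}")
    if problems:
        return problems
    out_mode = sa_table[sa_out]["tunnel_mode"]
    for sa in sa_in:
        if sa_table[sa]["tunnel_mode"] != out_mode:
            problems.append(f"inbound SA {sa} mode differs from outbound SA {sa_out}")
    # This example's check for the P2P rule given above; int() of "::" is also 0.
    if p2p and int(ip_address(nh)) != 0:
        problems.append("nh must be the all-zeros address on a P2P interface")
    return problems


def build_tunnel_protect(sw_if_index: int, sa_out: int, sa_in: List[int],
                         nh: str = ALL_ZEROS_NH, p2p: bool = True,
                         sa_table: Dict[int, dict] = SA_TABLE) -> dict:
    """Assemble the ipsec_tunnel_protect fields as a dict (assumed shape)."""
    problems = validate_tunnel_protect(sa_out, sa_in, nh, p2p, sa_table)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "sw_if_index": sw_if_index,
        "nh": nh,
        "sa_out": sa_out,
        "n_sa_in": len(sa_in),
        "sa_in": list(sa_in),
    }


if __name__ == "__main__":
    req = build_tunnel_protect(sw_if_index=5, sa_out=20, sa_in=[21, 22])
    print(req)
    print(protected_layout(SA_TABLE[req["sa_out"]]["tunnel_mode"]))
    print(validate_tunnel_protect(20, [30], ALL_ZEROS_NH))  # mode mismatch reported
```

Under the assumption that the typedef is carried by the ipsec_tunnel_protect_update message, the returned dict would be passed as that message's tunnel argument through vpp_papi; the validation is the part worth keeping regardless, since a transport/tunnel mode mismatch between sa_in and sa_out is exactly the misconfiguration the description warns against.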