ipsec_sa.h
1 /*
2  * Copyright (c) 2015 Cisco and/or its affiliates.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at:
6  *
7  * http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 #ifndef __IPSEC_SPD_SA_H__
16 #define __IPSEC_SPD_SA_H__
17 
18 #include <vlib/vlib.h>
19 #include <vnet/crypto/crypto.h>
20 #include <vnet/ip/ip.h>
21 #include <vnet/fib/fib_node.h>
22 #include <vnet/tunnel/tunnel.h>
23 
24 #define foreach_ipsec_crypto_alg \
25  _ (0, NONE, "none") \
26  _ (1, AES_CBC_128, "aes-cbc-128") \
27  _ (2, AES_CBC_192, "aes-cbc-192") \
28  _ (3, AES_CBC_256, "aes-cbc-256") \
29  _ (4, AES_CTR_128, "aes-ctr-128") \
30  _ (5, AES_CTR_192, "aes-ctr-192") \
31  _ (6, AES_CTR_256, "aes-ctr-256") \
32  _ (7, AES_GCM_128, "aes-gcm-128") \
33  _ (8, AES_GCM_192, "aes-gcm-192") \
34  _ (9, AES_GCM_256, "aes-gcm-256") \
35  _ (10, DES_CBC, "des-cbc") \
36  _ (11, 3DES_CBC, "3des-cbc")
37 
38 typedef enum
39 {
40 #define _(v, f, s) IPSEC_CRYPTO_ALG_##f = v,
42 #undef _
44 } __clib_packed ipsec_crypto_alg_t;
45 
46 #define IPSEC_CRYPTO_ALG_IS_GCM(_alg) \
47  (((_alg == IPSEC_CRYPTO_ALG_AES_GCM_128) || \
48  (_alg == IPSEC_CRYPTO_ALG_AES_GCM_192) || \
49  (_alg == IPSEC_CRYPTO_ALG_AES_GCM_256)))
50 
51 #define IPSEC_CRYPTO_ALG_IS_CTR(_alg) \
52  (((_alg == IPSEC_CRYPTO_ALG_AES_CTR_128) || \
53  (_alg == IPSEC_CRYPTO_ALG_AES_CTR_192) || \
54  (_alg == IPSEC_CRYPTO_ALG_AES_CTR_256)))
55 
56 #define foreach_ipsec_integ_alg \
57  _ (0, NONE, "none") \
58  _ (1, MD5_96, "md5-96") /* RFC2403 */ \
59  _ (2, SHA1_96, "sha1-96") /* RFC2404 */ \
60  _ (3, SHA_256_96, "sha-256-96") /* draft-ietf-ipsec-ciph-sha-256-00 */ \
61  _ (4, SHA_256_128, "sha-256-128") /* RFC4868 */ \
62  _ (5, SHA_384_192, "sha-384-192") /* RFC4868 */ \
63  _ (6, SHA_512_256, "sha-512-256") /* RFC4868 */
64 
65 typedef enum
66 {
67 #define _(v, f, s) IPSEC_INTEG_ALG_##f = v,
69 #undef _
71 } __clib_packed ipsec_integ_alg_t;
72 
73 typedef enum
74 {
77 } __clib_packed ipsec_protocol_t;
78 
79 #define IPSEC_KEY_MAX_LEN 128
80 typedef struct ipsec_key_t_
81 {
84 } ipsec_key_t;
85 
86 /*
87  * Meaning of the flags below, in order:
88  * USE_ESN: enable extended sequence numbers
89  * USE_ANTI_REPLAY: enable anti-replay
90  * IS_TUNNEL: IPsec tunnel mode if set, else transport mode
91  * IS_TUNNEL_V6: the tunnel is IPv6 if set, else IPv4; only meaningful
92  * when IS_TUNNEL is set
93  * UDP_ENCAP: enable UDP encapsulation for NAT traversal
 */
94 #define foreach_ipsec_sa_flags \
95  _ (0, NONE, "none") \
96  _ (1, USE_ESN, "esn") \
97  _ (2, USE_ANTI_REPLAY, "anti-replay") \
98  _ (4, IS_TUNNEL, "tunnel") \
99  _ (8, IS_TUNNEL_V6, "tunnel-v6") \
100  _ (16, UDP_ENCAP, "udp-encap") \
101  _ (32, IS_PROTECT, "Protect") \
102  _ (64, IS_INBOUND, "inbound") \
103  _ (128, IS_AEAD, "aead") \
104  _ (256, IS_CTR, "ctr") \
105  _ (512, IS_ASYNC, "async")
106 
107 typedef enum ipsec_sad_flags_t_
108 {
109 #define _(v, f, s) IPSEC_SA_FLAG_##f = v,
111 #undef _
112 } __clib_packed ipsec_sa_flags_t;
113 
114 STATIC_ASSERT (sizeof (ipsec_sa_flags_t) == 2, "IPSEC SA flags != 2 byte");
115 
116 typedef struct
117 {
118  CLIB_CACHE_LINE_ALIGN_MARK (cacheline0);
119 
120  /* flags */
122 
126 
127  u8 __pad1[3];
128 
130 
138 
141 
142  /* Union data shared by sync and async ops, updated when mode is
143  * changed. */
144  union
145  {
146  struct
147  {
151  };
152 
153  struct
154  {
158  };
159 
161  };
162 
163  CLIB_CACHE_LINE_ALIGN_MARK (cacheline1);
164 
166  union
167  {
170  };
172 
173  /* Salt used in CTR modes (incl. GCM) - stored in network byte order */
175 
176  ipsec_protocol_t protocol;
178  u8 __pad[2];
179 
180  /* data accessed by dataplane code should be above this comment */
181  CLIB_CACHE_LINE_ALIGN_MARK (cacheline2);
182 
183  /* Elements with u64 size multiples */
184  union
185  {
186  struct
187  {
188  vnet_crypto_op_id_t crypto_enc_op_id:16;
189  vnet_crypto_op_id_t crypto_dec_op_id:16;
190  vnet_crypto_op_id_t integ_op_id:16;
191  };
193  } sync_op_data;
194 
195  union
196  {
197  struct
198  {
199  vnet_crypto_async_op_id_t crypto_async_enc_op_id:16;
200  vnet_crypto_async_op_id_t crypto_async_dec_op_id:16;
201  vnet_crypto_key_index_t linked_key_index;
202  };
203  u64 data;
204  } async_op_data;
205 
207 
209 
210  /* elements with u32 size */
215 
216  /* else u8 packed */
217  ipsec_crypto_alg_t crypto_alg;
218  ipsec_integ_alg_t integ_alg;
219 
222 } ipsec_sa_t;
223 
226 
227 /**
228  * Pool of IPSec SAs
229  */
230 extern ipsec_sa_t *ipsec_sa_pool;
231 
232 /*
233  * Ensure that the IPsec data does not overlap with the IP data in
234  * the buffer meta data
235  */
237  STRUCT_OFFSET_OF (vnet_buffer_opaque_t, ip.save_protocol),
238  "IPSec data is overlapping with IP data");
239 
240 #define _(a,v,s) \
241  always_inline int \
242  ipsec_sa_is_set_##v (const ipsec_sa_t *sa) { \
243  return (sa->flags & IPSEC_SA_FLAG_##v); \
244  }
246 #undef _
247 #define _(a,v,s) \
248  always_inline int \
249  ipsec_sa_set_##v (ipsec_sa_t *sa) { \
250  return (sa->flags |= IPSEC_SA_FLAG_##v); \
251  }
253 #undef _
254 #define _(a,v,s) \
255  always_inline int \
256  ipsec_sa_unset_##v (ipsec_sa_t *sa) { \
257  return (sa->flags &= ~IPSEC_SA_FLAG_##v); \
258  }
260 #undef _
261 /**
262  * @brief
263  * SA packet & bytes counters
264  */
266 
267 extern void ipsec_mk_key (ipsec_key_t * key, const u8 * data, u8 len);
268 
269 extern int
270 ipsec_sa_add_and_lock (u32 id, u32 spi, ipsec_protocol_t proto,
271  ipsec_crypto_alg_t crypto_alg, const ipsec_key_t *ck,
272  ipsec_integ_alg_t integ_alg, const ipsec_key_t *ik,
274  u16 dst_port, const tunnel_t *tun, u32 *sa_out_index);
276 extern int ipsec_sa_unlock_id (u32 id);
277 extern void ipsec_sa_unlock (index_t sai);
278 extern void ipsec_sa_lock (index_t sai);
279 extern void ipsec_sa_clear (index_t sai);
280 extern void ipsec_sa_set_crypto_alg (ipsec_sa_t * sa,
281  ipsec_crypto_alg_t crypto_alg);
282 extern void ipsec_sa_set_integ_alg (ipsec_sa_t * sa,
283  ipsec_integ_alg_t integ_alg);
284 
285 typedef walk_rc_t (*ipsec_sa_walk_cb_t) (ipsec_sa_t * sa, void *ctx);
286 extern void ipsec_sa_walk (ipsec_sa_walk_cb_t cd, void *ctx);
287 
288 extern u8 *format_ipsec_replay_window (u8 *s, va_list *args);
289 extern u8 *format_ipsec_crypto_alg (u8 * s, va_list * args);
290 extern u8 *format_ipsec_integ_alg (u8 * s, va_list * args);
291 extern u8 *format_ipsec_sa (u8 * s, va_list * args);
292 extern u8 *format_ipsec_key (u8 * s, va_list * args);
294  va_list * args);
296  va_list * args);
297 extern uword unformat_ipsec_key (unformat_input_t * input, va_list * args);
298 
299 #define IPSEC_UDP_PORT_NONE ((u16)~0)
300 
301 /*
302  * Anti Replay definitions
303  */
304 
305 #define IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE (64)
306 #define IPSEC_SA_ANTI_REPLAY_WINDOW_MAX_INDEX (IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE-1)
307 
308 /*
309  * Sequence numbers less than the lower bound are outside of the window.
310  * From RFC4303 Appendix A:
311  * Bl = Tl - W + 1
312  */
313 #define IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND(_tl) (_tl - IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE + 1)
314 
315 /*
316  * Anti replay check.
317  * inputs need to be in host byte order.
318  */
319 always_inline int
321 {
322  u32 diff, tl, th;
323 
324  if ((sa->flags & IPSEC_SA_FLAG_USE_ANTI_REPLAY) == 0)
325  return 0;
326 
327  if (!ipsec_sa_is_set_USE_ESN (sa))
328  {
329  if (PREDICT_TRUE (seq > sa->last_seq))
330  return 0;
331 
332  diff = sa->last_seq - seq;
333 
335  return (sa->replay_window & (1ULL << diff)) ? 1 : 0;
336  else
337  return 1;
338 
339  return 0;
340  }
341 
342  tl = sa->last_seq;
343  th = sa->last_seq_hi;
344  diff = tl - seq;
345 
347  {
348  /*
349  * the last sequence number VPP recieved is more than one
350  * window size greater than zero.
351  * Case A from RFC4303 Appendix A.
352  */
354  {
355  /*
356  * the received sequence number is lower than the lower bound
357  * of the window, this could mean either a replay packet or that
358  * the high sequence number has wrapped. if it decrypts corrently
359  * then it's the latter.
360  */
361  sa->seq_hi = th + 1;
362  return 0;
363  }
364  else
365  {
366  /*
367  * the recieved sequence number greater than the low
368  * end of the window.
369  */
370  sa->seq_hi = th;
371  if (seq <= tl)
372  /*
373  * The recieved seq number is within bounds of the window
374  * check if it's a duplicate
375  */
376  return (sa->replay_window & (1ULL << diff)) ? 1 : 0;
377  else
378  /*
379  * The received sequence number is greater than the window
380  * upper bound. this packet will move the window along, assuming
381  * it decrypts correctly.
382  */
383  return 0;
384  }
385  }
386  else
387  {
388  /*
389  * the last sequence number VPP recieved is within one window
390  * size of zero, i.e. 0 < TL < WINDOW_SIZE, the lower bound is thus a
391  * large sequence number.
392  * Note that the check below uses unsiged integer arthimetic, so the
393  * RHS will be a larger number.
394  * Case B from RFC4303 Appendix A.
395  */
397  {
398  /*
399  * the sequence number is less than the lower bound.
400  */
401  if (seq <= tl)
402  {
403  /*
404  * the packet is within the window upper bound.
405  * check for duplicates.
406  */
407  sa->seq_hi = th;
408  return (sa->replay_window & (1ULL << diff)) ? 1 : 0;
409  }
410  else
411  {
412  /*
413  * the packet is less the window lower bound or greater than
414  * the higher bound, depending on how you look at it...
415  * We're assuming, given that the last sequence number received,
416  * TL < WINDOW_SIZE, that a largeer seq num is more likely to be
417  * a packet that moves the window forward, than a packet that has
418  * wrapped the high sequence again. If it were the latter then
419  * we've lost close to 2^32 packets.
420  */
421  sa->seq_hi = th;
422  return 0;
423  }
424  }
425  else
426  {
427  /*
428  * the packet seq number is between the lower bound (a large nubmer)
429  * and MAX_SEQ_NUM. This is in the window since the window upper bound
430  * tl > 0.
431  * However, since TL is the other side of 0 to the received
432  * packet, the SA has moved on to a higher sequence number.
433  */
434  sa->seq_hi = th - 1;
435  return (sa->replay_window & (1ULL << diff)) ? 1 : 0;
436  }
437  }
438 
439  return 0;
440 }
441 
442 /*
443  * Anti replay window advance
444  * inputs need to be in host byte order.
445  */
446 always_inline void
448 {
449  u32 pos;
450  if (PREDICT_TRUE (sa->flags & IPSEC_SA_FLAG_USE_ANTI_REPLAY) == 0)
451  return;
452 
453  if (PREDICT_TRUE (sa->flags & IPSEC_SA_FLAG_USE_ESN))
454  {
455  int wrap = sa->seq_hi - sa->last_seq_hi;
456 
457  if (wrap == 0 && seq > sa->last_seq)
458  {
459  pos = seq - sa->last_seq;
461  sa->replay_window = ((sa->replay_window) << pos) | 1;
462  else
463  sa->replay_window = 1;
464  sa->last_seq = seq;
465  }
466  else if (wrap > 0)
467  {
468  pos = ~seq + sa->last_seq + 1;
470  sa->replay_window = ((sa->replay_window) << pos) | 1;
471  else
472  sa->replay_window = 1;
473  sa->last_seq = seq;
474  sa->last_seq_hi = sa->seq_hi;
475  }
476  else if (wrap < 0)
477  {
478  pos = ~seq + sa->last_seq + 1;
479  sa->replay_window |= (1ULL << pos);
480  }
481  else
482  {
483  pos = sa->last_seq - seq;
484  sa->replay_window |= (1ULL << pos);
485  }
486  }
487  else
488  {
489  if (seq > sa->last_seq)
490  {
491  pos = seq - sa->last_seq;
493  sa->replay_window = ((sa->replay_window) << pos) | 1;
494  else
495  sa->replay_window = 1;
496  sa->last_seq = seq;
497  }
498  else
499  {
500  pos = sa->last_seq - seq;
501  sa->replay_window |= (1ULL << pos);
502  }
503  }
504 }
505 
506 
507 /*
508  * Makes choice for thread_id should be assigned.
509  * if input ~0, gets random worker_id based on unix_time_now_nsec
510 */
513 {
514  return ((thread_id) ? thread_id
515  : (unix_time_now_nsec () % vlib_num_workers ()) + 1);
516 }
517 
519 ipsec_sa_get (u32 sa_index)
520 {
521  return (pool_elt_at_index (ipsec_sa_pool, sa_index));
522 }
523 
524 #endif /* __IPSEC_SPD_SA_H__ */
525 
526 /*
527  * fd.io coding-style-patch-verification: ON
528  *
529  * Local Variables:
530  * eval: (c-set-style "gnu")
531  * End:
532  */