ikev2.api

Go to the documentation of this file.

/* Hey Emacs use -*- mode: C -*- */
/*
 * Copyright (c) 2015-2020 Cisco and/or its affiliates.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 
option version = "1.0.1";
 
import "plugins/ikev2/ikev2_types.api";
import "vnet/ip/ip_types.api";
import "vnet/interface_types.api";
 
/** \brief Get the plugin version
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
*/
define ikev2_plugin_get_version
{
  u32 client_index;
  u32 context;
};
 
/** \brief Reply to get the plugin version
    @param context - returned sender context, to match reply w/ request
    @param major - Incremented every time a known breaking behavior change is introduced
    @param minor - Incremented with small changes, may be used to avoid buggy versions
*/
define ikev2_plugin_get_version_reply
{
  u32 context;
  u32 major;
  u32 minor;
};
 
/** \brief Dump all profiles
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
*/
define ikev2_profile_dump
{
  u32 client_index;
  u32 context;
  option status="in_progress";
};
 
/** \brief Details about all profiles
    @param context - returned sender context, to match reply w/ request
    @param profile - profile element with encapsulated attributes
*/
define ikev2_profile_details
{
  u32 context;
  vl_api_ikev2_profile_t profile;
  option status="in_progress";
};
 
/** \brief Dump all SAs
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
*/
define ikev2_sa_dump
{
  u32 client_index;
  u32 context;
 
  option status = "in_progress";
};
 
/** \brief Details about IKE SA
    @param context - sender context, to match reply w/ request
    @param retval - return code
    @param sa - SA data
*/
define ikev2_sa_details
{
  u32 context;
  i32 retval;
 
  vl_api_ikev2_sa_t sa;
  option status = "in_progress";
};
 
/** \brief Dump child SA of specific SA
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param sa_index - index of specific sa
*/
define ikev2_child_sa_dump
{
  u32 client_index;
  u32 context;
 
  u32 sa_index;
  option vat_help = "sa_index <index>";
  option status = "in_progress";
};
 
/** \brief Child SA details
    @param context - sender context, to match reply w/ request
    @param retval - return code
    @param child_sa - child SA data
*/
define ikev2_child_sa_details
{
  u32 context;
  i32 retval;
 
  vl_api_ikev2_child_sa_t child_sa;
  option status = "in_progress";
};
 
/** \brief get specific nonce
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param is_initiator - specify type initiator|responder of nonce
    @param sa_index - index of specific sa
*/
define ikev2_nonce_get
{
  u32 client_index;
  u32 context;
 
  bool is_initiator;
  u32 sa_index;
  option vat_help = "initiator|responder sa_index <index>";
  option status = "in_progress";
};
 
/** \brief reply on specific nonce
    @param context - sender context, to match reply w/ request
    @param retval - return code
    @param data_len - nonce length
    @param nonce - nonce data
*/
 
define ikev2_nonce_get_reply
{
  u32 context;
  i32 retval;
 
  u32 data_len;
  u8 nonce[data_len];
  option status = "in_progress";
};
 
/** \brief dump traffic selectors
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param is_initiator - specify type initiator|responder of nonce
    @param sa_index - index of specific sa
    @param child_sa_index - index of specific sa child of specific sa
*/
 
define ikev2_traffic_selector_dump
{
  u32 client_index;
  u32 context;
 
  bool is_initiator;
  u32 sa_index;
  u32 child_sa_index;
  option vat_help = "initiator|responder sa_index <index> child_sa_index <index>";
  option status = "in_progress";
};
 
/** \brief details on specific traffic selector
    @param context - sender context, to match reply w/ request
    @param retval - return code
    @param ts - traffic selector data
*/
 
define ikev2_traffic_selector_details
{
  u32 context;
  i32 retval;
 
  vl_api_ikev2_ts_t ts;
  option status = "in_progress";
};
 
/** \brief IKEv2: Add/delete profile
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param name - IKEv2 profile name
    @param is_add - Add IKEv2 profile if non-zero, else delete
*/
autoreply define ikev2_profile_add_del
{
  u32 client_index;
  u32 context;
 
  string name[64];
  bool is_add;
  option vat_help = "name <profile_name> [del]";
  option status="in_progress";
};
 
/** \brief IKEv2: Set IKEv2 profile authentication method
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param name - IKEv2 profile name
    @param auth_method - IKEv2 authentication method (shared-key-mic/rsa-sig)
    @param is_hex - Authentication data in hex format if non-zero, else string
    @param data_len - Authentication data length
    @param data - Authentication data (for rsa-sig cert file path)
*/
autoreply define ikev2_profile_set_auth
{
  u32 client_index;
  u32 context;
 
  string name[64];
  u8 auth_method;
  bool is_hex;
  u32 data_len;
  u8 data[data_len];
  option vat_help = "name <profile_name> auth_method <method> (auth_data 0x<data> | auth_data <data>)";
  option status="in_progress";
};
 
/** \brief IKEv2: Set IKEv2 profile local/remote identification
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param name - IKEv2 profile name
    @param is_local - Identification is local if non-zero, else remote
    @param id_type - Identification type
    @param data_len - Identification data length
    @param data - Identification data
*/
autoreply define ikev2_profile_set_id
{
  u32 client_index;
  u32 context;
 
  string name[64];
  bool is_local;
  u8 id_type;
  u32 data_len;
  u8 data[data_len];
  option vat_help = "name <profile_name> id_type <type> (id_data 0x<data> | id_data <data>) (local|remote)";
  option status="in_progress";
};
 
/** \brief IKEv2: Disable NAT traversal
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param name - IKEv2 profile name
*/
autoreply define ikev2_profile_disable_natt
{
  u32 client_index;
  u32 context;
 
  string name[64];
  option status="in_progress";
};
 
/** \brief IKEv2: Set IKEv2 profile traffic selector parameters
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param name - IKEv2 profile name
    @param ts - traffic selector data
*/
autoreply define ikev2_profile_set_ts
{
  u32 client_index;
  u32 context;
 
  string name[64];
  vl_api_ikev2_ts_t ts;
  option vat_help = "name <profile_name> protocol <proto> start_port <port> end_port <port> start_addr <ip> end_addr <ip> (local|remote)";
  option status="in_progress";
};
 
/** \brief IKEv2: Set IKEv2 local RSA private key
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param key_file - Key file absolute path
*/
autoreply define ikev2_set_local_key
{
  u32 client_index;
  u32 context;
 
  string key_file[256];
  option vat_help = "file <absolute_file_path>";
  option status="in_progress";
};
 
/** \brief IKEv2: Set the tunnel interface which will be protected by IKE
    If this API is not called, a new tunnel will be created
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param name - IKEv2 profile name
    @param sw_if_index - Of an existing tunnel
*/
autoreply define ikev2_set_tunnel_interface
{
  u32 client_index;
  u32 context;
  string name[64];
 
  vl_api_interface_index_t sw_if_index;
  option status="in_progress";
};
 
/** \brief IKEv2: Set IKEv2 responder interface and IP address
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param name - IKEv2 profile name
    @param responder - responder data
*/
autoreply define ikev2_set_responder
{
  u32 client_index;
  u32 context;
 
  string name[64];
  vl_api_ikev2_responder_t responder;
  option vat_help = "<profile_name> interface <interface> address <addr>";
  option status="in_progress";
};
 
autoreply define ikev2_set_responder_hostname
{
  u32 client_index;
  u32 context;
 
  string name[64];
  string hostname[64];
  vl_api_interface_index_t sw_if_index;
  option status="in_progress";
};
 
/** \brief IKEv2: Set IKEv2 IKE transforms in SA_INIT proposal (RFC 7296)
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param name - IKEv2 profile name
    @param tr - IKE transforms
*/
autoreply define ikev2_set_ike_transforms
{
  u32 client_index;
  u32 context;
 
  string name[64];
  vl_api_ikev2_ike_transforms_t tr;
  option vat_help = "<profile_name> <crypto alg> <key size> <integrity alg> <DH group>";
  option status="in_progress";
};
 
/** \brief IKEv2: Set IKEv2 ESP transforms in SA_INIT proposal (RFC 7296)
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param name - IKEv2 profile name
    @param tr - ESP transforms
*/
autoreply define ikev2_set_esp_transforms
{
  u32 client_index;
  u32 context;
 
  string name[64];
  vl_api_ikev2_esp_transforms_t tr;
  option vat_help = "<profile_name> <crypto alg> <key size> <integrity alg>";
  option status="in_progress";
};
 
/** \brief IKEv2: Set Child SA lifetime, limited by time and/or data
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param name - IKEv2 profile name
    @param lifetime - SA maximum life time in seconds (0 to disable)
    @param lifetime_jitter - Jitter added to prevent simultaneous rekeying
    @param handover - Hand over time
    @param lifetime_maxdata - SA maximum life time in bytes (0 to disable)
*/
autoreply define ikev2_set_sa_lifetime
{
  u32 client_index;
  u32 context;
 
  string name[64];
  u64 lifetime;
  u32 lifetime_jitter;
  u32 handover;
  u64 lifetime_maxdata;
  option vat_help = "<profile_name> <seconds> <jitter> <handover> <max bytes>";
  option status="in_progress";
};
 
/** \brief IKEv2: Initiate the SA_INIT exchange
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param name - IKEv2 profile name
*/
autoreply define ikev2_initiate_sa_init
{
  u32 client_index;
  u32 context;
 
  string name[64];
  option vat_help = "<profile_name>";
  option status="in_progress";
};
 
/** \brief IKEv2: Initiate the delete IKE SA exchange
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param ispi - IKE SA initiator SPI
*/
autoreply define ikev2_initiate_del_ike_sa
{
  u32 client_index;
  u32 context;
 
  u64 ispi;
  option vat_help = "<ispi>";
  option status="in_progress";
};
 
/** \brief IKEv2: Initiate the delete Child SA exchange
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param ispi - Child SA initiator SPI
*/
autoreply define ikev2_initiate_del_child_sa
{
  u32 client_index;
  u32 context;
 
  u32 ispi;
  option vat_help = "<ispi>";
  option status="in_progress";
};
 
/** \brief IKEv2: Initiate the rekey Child SA exchange
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param ispi - Child SA initiator SPI
*/
autoreply define ikev2_initiate_rekey_child_sa
{
  u32 client_index;
  u32 context;
 
  u32 ispi;
  option vat_help = "<ispi>";
  option status="in_progress";
};
 
/** \brief IKEv2: Set UDP encapsulation
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param name - IKEv2 profile name
*/
autoreply define ikev2_profile_set_udp_encap
{
  u32 client_index;
  u32 context;
 
  string name[64];
  option status="in_progress";
};
 
/** \brief IKEv2: Set/unset custom ipsec-over-udp port
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param is_set - whether set or unset custom port
    @param port - port number
    @param name - IKEv2 profile name
*/
autoreply define ikev2_profile_set_ipsec_udp_port
{
  u32 client_index;
  u32 context;
 
  u8 is_set;
  u16 port;
  string name[64];
  option status="in_progress";
};
 
/** \brief IKEv2: Set liveness parameters
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param period - how often is liveness check performed
    @param max_retries - max retries for liveness check
*/
autoreply define ikev2_profile_set_liveness
{
  u32 client_index;
  u32 context;
 
  u32 period;
  u32 max_retries;
  option status="in_progress";
};
 
counters ikev2 {
  processed {
    severity info;
    type counter64;
    units "packets";
    description "packets processed";
  };
  ike_sa_init_retransmit {
    severity info;
    type counter64;
    units "packets";
    description "IKE SA INIT retransmit";
  };
  ike_sa_init_ignore {
    severity error;
    type counter64;
    units "packets";
    description "IKE_SA_INIT ignore (IKE SA already auth)";
  };
  ike_req_retransmit {
    severity error;
    type counter64;
    units "packets";
    description "IKE request retransmit";
  };
  ike_req_ignore {
    severity error;
    type counter64;
    units "packets";
    description "IKE request ignore (old msgid)";
  };
  not_ikev2 {
    severity error;
    type counter64;
    units "packets";
    description "Non IKEv2 packets received";
  };
  bad_length {
    severity error;
    type counter64;
    units "packets";
    description "Bad packet length";
  };
  malformed_packet {
    severity error;
    type counter64;
    units "packets";
    description "Malformed packet";
  };
  no_buff_space {
    severity error;
    type counter64;
    units "packets";
    description "No buffer space";
  };
  keepalive {
    severity info;
    type counter64;
    units "packets";
    description "IKE keepalive messages received";
  };
  rekey_req {
    severity info;
    type counter64;
    units "packets";
    description "IKE rekey requests received";
  };
  init_sa_req {
    severity info;
    type counter64;
    units "packets";
    description "IKE EXCHANGE SA requests received";
  };
  ike_auth_req {
    severity info;
    type counter64;
    units "packets";
    description "IKE AUTH SA requests received";
  };
};
paths {
  "/err/ikev2-ip4" "ike";
  "/err/ikev2-ip6" "ike";
  "/err/ikev2-ip4-natt" "ike";
};
 
/*
 * Local Variables:
 * eval: (c-set-style "gnu")
 * End:
 */