db/d7c/ipsec__types_8api_source.html

/* Hey Emacs use -*- mode: C -*- */

/*

 * Copyright (c) 2015-2016 Cisco and/or its affiliates.

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at:

 *

 *     http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */


option version = "3.0.1";


import "vnet/ip/ip_types.api";

import "vnet/tunnel/tunnel_types.api";


/*

 * @brief Support cryptographic algorithms

 */

enum ipsec_crypto_alg

{

  IPSEC_API_CRYPTO_ALG_NONE = 0,

  IPSEC_API_CRYPTO_ALG_AES_CBC_128,

  IPSEC_API_CRYPTO_ALG_AES_CBC_192,

  IPSEC_API_CRYPTO_ALG_AES_CBC_256,

  IPSEC_API_CRYPTO_ALG_AES_CTR_128,

  IPSEC_API_CRYPTO_ALG_AES_CTR_192,

  IPSEC_API_CRYPTO_ALG_AES_CTR_256,

  IPSEC_API_CRYPTO_ALG_AES_GCM_128,

  IPSEC_API_CRYPTO_ALG_AES_GCM_192,

  IPSEC_API_CRYPTO_ALG_AES_GCM_256,

  IPSEC_API_CRYPTO_ALG_DES_CBC,

  IPSEC_API_CRYPTO_ALG_3DES_CBC,

};


/*

 * @brief Supported Integrity Algorithms

 */

enum ipsec_integ_alg

{

  IPSEC_API_INTEG_ALG_NONE = 0,

  /* RFC2403 */

  IPSEC_API_INTEG_ALG_MD5_96,

  /* RFC2404 */

  IPSEC_API_INTEG_ALG_SHA1_96,

  /* draft-ietf-ipsec-ciph-sha-256-00 */

  IPSEC_API_INTEG_ALG_SHA_256_96,

  /* RFC4868 */

  IPSEC_API_INTEG_ALG_SHA_256_128,

  /* RFC4868 */

  IPSEC_API_INTEG_ALG_SHA_384_192,

  /* RFC4868 */

  IPSEC_API_INTEG_ALG_SHA_512_256,

};


enum ipsec_sad_flags

{

  IPSEC_API_SAD_FLAG_NONE = 0,

  /* Enable extended sequence numbers */

  IPSEC_API_SAD_FLAG_USE_ESN = 0x01,

  /* Enable Anti-replay */

  IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY = 0x02,

  /* IPsec tunnel mode if non-zero, else transport mode */

  IPSEC_API_SAD_FLAG_IS_TUNNEL = 0x04,

  /* IPsec tunnel mode is IPv6 if non-zero,

   *  else IPv4 tunnel only valid if is_tunnel is non-zero

   *  DEPRECATED - the user does not need to set this it is

   *               derived from the tunnel's address types.

   */

  IPSEC_API_SAD_FLAG_IS_TUNNEL_V6 = 0x08,

  /* enable UDP encapsulation for NAT traversal */

  IPSEC_API_SAD_FLAG_UDP_ENCAP = 0x10,

  /* IPsec SA is for inbound traffic */

  IPSEC_API_SAD_FLAG_IS_INBOUND = 0x40,

  /* IPsec SA uses an Async driver */

  IPSEC_API_SAD_FLAG_ASYNC = 0x80 [backwards_compatible],

};


enum ipsec_proto

{

  IPSEC_API_PROTO_ESP = 50,

  IPSEC_API_PROTO_AH = 51,

};


typedef key

{

  /* the length of the key */

  u8 length;

  /* The data for the key */

  u8 data[128];

};


/** \brief IPsec: Security Association Database entry

    @param client_index - opaque cookie to identify the sender

    @param context - sender context, to match reply w/ request

    @param is_add - add SAD entry if non-zero, else delete

    @param sad_id - sad id

    @param spi - security parameter index

    @param protocol - 0 = AH, 1 = ESP

    @param crypto_algorithm - a supported crypto algorithm

    @param crypto_key - crypto keying material

    @param integrity_algorithm - one of the supported algorithms

    @param integrity_key - integrity keying material

    @param tunnel_src_address - IPsec tunnel source address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero

    @param tunnel_dst_address - IPsec tunnel destination address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero

    @param tx_table_id - the FIB id used for encapsulated packets

    @param salt - for use with counter mode ciphers

    @param udp_src_port - If using UDP Encapsulation, use this source port for

                          TX. It is ignored for RX.

    @param udp_dst_port - If using UDP Encapsulation, use this destination port

                          for TX. Expect traffic on this port for RX.

    @param tunnel_flags - Flags controlling the copying of encap/decap value

    @param dscp - Fixed DSCP vaule for tunnel encap

 */

typedef ipsec_sad_entry

{

  u32 sad_id;


  u32 spi;


  vl_api_ipsec_proto_t protocol;


  vl_api_ipsec_crypto_alg_t crypto_algorithm;

  vl_api_key_t crypto_key;


  vl_api_ipsec_integ_alg_t integrity_algorithm;

  vl_api_key_t integrity_key;


  vl_api_ipsec_sad_flags_t flags;


  vl_api_address_t tunnel_src;

  vl_api_address_t tunnel_dst;

  u32 tx_table_id;

  u32 salt;

  u16 udp_src_port [default=4500];

  u16 udp_dst_port [default=4500];

};


typedef ipsec_sad_entry_v2

{

  u32 sad_id;


  u32 spi;


  vl_api_ipsec_proto_t protocol;


  vl_api_ipsec_crypto_alg_t crypto_algorithm;

  vl_api_key_t crypto_key;


  vl_api_ipsec_integ_alg_t integrity_algorithm;

  vl_api_key_t integrity_key;


  vl_api_ipsec_sad_flags_t flags;


  vl_api_address_t tunnel_src;

  vl_api_address_t tunnel_dst;

  vl_api_tunnel_encap_decap_flags_t tunnel_flags;

  vl_api_ip_dscp_t dscp;

  u32 tx_table_id;

  u32 salt;

  u16 udp_src_port [default=4500];

  u16 udp_dst_port [default=4500];

};


typedef ipsec_sad_entry_v3

{

  u32 sad_id;

  u32 spi;


  vl_api_ipsec_proto_t protocol;


  vl_api_ipsec_crypto_alg_t crypto_algorithm;

  vl_api_key_t crypto_key;


  vl_api_ipsec_integ_alg_t integrity_algorithm;

  vl_api_key_t integrity_key;


  vl_api_ipsec_sad_flags_t flags;


  vl_api_tunnel_t tunnel;


  u32 salt;

  u16 udp_src_port [default=4500];

  u16 udp_dst_port [default=4500];

};


/*

 * Local Variables:

 * eval: (c-set-style "gnu")

 * End:

 */