1 /* Hey Emacs use -*- mode: C -*- */
3 * Copyright (c) 2015-2016 Cisco and/or its affiliates.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 option version = "4.0.0";
19 import "vnet/ipsec/ipsec_types.api";
20 import "vnet/interface_types.api";
21 import "vnet/ip/ip_types.api";
22 import "vnet/interface_types.api";
23 import "vnet/tunnel/tunnel_types.api";
25 /** \brief IPsec: Add/delete Security Policy Database
26 @param client_index - opaque cookie to identify the sender
27 @param context - sender context, to match reply w/ request
28 @param is_add - add SPD if non-zero, else delete
29 @param spd_id - SPD instance id (control plane allocated)
32 autoreply define ipsec_spd_add_del
40 /** \brief IPsec: Add/delete SPD from interface
42 @param client_index - opaque cookie to identify the sender
43 @param context - sender context, to match reply w/ request
44 @param is_add - add security mode if non-zero, else delete
45 @param sw_if_index - index of the interface
46 @param spd_id - SPD instance id to use for lookups
50 autoreply define ipsec_interface_add_del_spd
56 vl_api_interface_index_t sw_if_index;
63 /* bypass - no IPsec processing */
64 IPSEC_API_SPD_ACTION_BYPASS = 0,
65 /* discard - discard packet with ICMP processing */
66 IPSEC_API_SPD_ACTION_DISCARD,
67 /* resolve - send request to control plane for SA resolving */
68 IPSEC_API_SPD_ACTION_RESOLVE,
69 /* protect - apply IPsec policy using following parameters */
70 IPSEC_API_SPD_ACTION_PROTECT,
73 /** \brief IPsec: Security Policy Database entry
75 See RFC 4301, 4.4.1.1 on how to match packet to selectors
77 @param spd_id - SPD instance id (control plane allocated)
78 @param priority - priority of SPD entry (non-unique value). Used to order SPD matching - higher priorities match before lower
79 @param is_outbound - entry applies to outbound traffic if non-zero, otherwise applies to inbound traffic
80 @param remote_address_start - start of remote address range to match
81 @param remote_address_stop - end of remote address range to match
82 @param local_address_start - start of local address range to match
83 @param local_address_stop - end of local address range to match
84 @param protocol - protocol type to match [0 means any] otherwise IANA value
85 @param remote_port_start - start of remote port range to match ...
86 @param remote_port_stop - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
87 @param local_port_start - start of local port range to match ...
88 @param local_port_stop - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
89 @param policy - action to perform on match
90 @param sa_id - SAD instance id (control plane allocated)
92 typedef ipsec_spd_entry
99 vl_api_ipsec_spd_action_t policy;
100 /* Which protocol?? */
104 vl_api_address_t remote_address_start;
105 vl_api_address_t remote_address_stop;
106 vl_api_address_t local_address_start;
107 vl_api_address_t local_address_stop;
109 u16 remote_port_start;
110 u16 remote_port_stop;
111 u16 local_port_start;
115 /** \brief IPsec: Add/delete Security Policy Database entry
117 @param client_index - opaque cookie to identify the sender
118 @param context - sender context, to match reply w/ request
119 @param is_add - add SPD if non-zero, else delete
120 @param entry - Description of the entry to add/dell
122 define ipsec_spd_entry_add_del
127 vl_api_ipsec_spd_entry_t entry;
130 /** \brief IPsec: Reply Add/delete Security Policy Database entry
132 @param context - sender context, to match reply w/ request
133 @param retval - success/fail rutrun code
134 @param stat_index - An index for the policy in the stats segment @ /net/ipec/policy
136 define ipsec_spd_entry_add_del_reply
143 /** \brief Dump IPsec all SPD IDs
144 @param client_index - opaque cookie to identify the sender
145 @param context - sender context, to match reply w/ request
147 define ipsec_spds_dump {
152 /** \brief Dump IPsec all SPD IDs response
153 @param client_index - opaque cookie to identify the sender
154 @param spd_id - SPD instance id (control plane allocated)
155 @param npolicies - number of policies in SPD
157 define ipsec_spds_details {
163 /** \brief Dump ipsec policy database data
164 @param client_index - opaque cookie to identify the sender
165 @param context - sender context, to match reply w/ request
166 @param spd_id - SPD instance id
167 @param sa_id - SA id, optional, set to ~0 to see all policies in SPD
169 define ipsec_spd_dump {
176 /** \brief IPsec policy database response
177 @param context - sender context which was passed in the request
178 €param entry - The SPD entry.
179 @param bytes - byte count of packets matching this policy
180 @param packets - count of packets matching this policy
182 define ipsec_spd_details {
184 vl_api_ipsec_spd_entry_t entry;
187 /** \brief IPsec: Add/delete Security Association Database entry
188 @param client_index - opaque cookie to identify the sender
189 @param context - sender context, to match reply w/ request
190 @param entry - Entry to add or delete
192 define ipsec_sad_entry_add_del
197 vl_api_ipsec_sad_entry_t entry;
199 define ipsec_sad_entry_add_del_reply
206 /** \brief Add or Update Protection for a tunnel with IPSEC
208 Tunnel protection directly associates an SA with all packets
209 ingress and egress on the tunnel. This could also be achieved by
210 assigning an SPD to the tunnel, but that would incur an unnessccary
213 For tunnels the ESP acts on the post-encapsulated packet. So if this
218 where O-IP is the overlay IP addrees that was routed into the tunnel,
219 the resulting encapsulated packet will be:
220 +---------+------+------+
221 | Payload | O-IP | T-IP |
222 +---------+------+------+
223 where T-IP is the tunnel's src.dst IP addresses.
224 If the SAs used for protection are in transport mode then the ESP is
225 inserted before T-IP, i.e.:
226 +---------+------+-----+------+
227 | Payload | O-IP | ESP | T-IP |
228 +---------+------+-----+------+
229 If the SAs used for protection are in tunnel mode then another
230 encapsulation occurs, i.e.:
231 +---------+------+------+-----+------+
232 | Payload | O-IP | T-IP | ESP | C-IP |
233 +---------+------+------+-----+------+
234 where C-IP are the crypto endpoint IP addresses defined as the tunnel
236 The mode for the inbound and outbound SA must be the same.
238 @param client_index - opaque cookie to identify the sender
239 @param context - sender context, to match reply w/ request
240 @param sw_id_index - Tunnel interface to protect
241 @param nh - The peer/next-hop on the tunnel to which the traffic
242 should be protected. For a P2P interface set this to the
244 @param sa_in - The ID [set] of inbound SAs
245 @param sa_out - The ID of outbound SA
247 typedef ipsec_tunnel_protect
249 vl_api_interface_index_t sw_if_index;
256 autoreply define ipsec_tunnel_protect_update
261 vl_api_ipsec_tunnel_protect_t tunnel;
264 autoreply define ipsec_tunnel_protect_del
269 vl_api_interface_index_t sw_if_index;
274 * @brief Dump all tunnel protections
276 define ipsec_tunnel_protect_dump
280 vl_api_interface_index_t sw_if_index;
283 define ipsec_tunnel_protect_details
286 vl_api_ipsec_tunnel_protect_t tun;
289 /** \brief IPsec: Get SPD interfaces
290 @param client_index - opaque cookie to identify the sender
291 @param context - sender context, to match reply w/ request
292 @param spd_index - SPD index
293 @param spd_index_valid - if 1 spd_index is used to filter
294 spd_index's, if 0 no filtering is done
296 define ipsec_spd_interface_dump {
303 /** \brief IPsec: SPD interface response
304 @param context - sender context which was passed in the request
305 @param spd_index - SPD index
306 @param sw_if_index - index of the interface
308 define ipsec_spd_interface_details {
311 vl_api_interface_index_t sw_if_index;
314 /** \brief Add or delete IPsec tunnel interface
317 use the tunnel protect APIs instead
319 @param client_index - opaque cookie to identify the sender
320 @param context - sender context, to match reply w/ request
321 @param is_add - add IPsec tunnel interface if nonzero, else delete
322 @param is_ip6 - tunnel v6 or v4
323 @param esn - enable extended sequence numbers if nonzero, else disable
324 @param anti_replay - enable anti replay check if nonzero, else disable
325 @param local_ip - local IP address
326 @param remote_ip - IP address of remote IPsec peer
327 @param local_spi - SPI of outbound IPsec SA
328 @param remote_spi - SPI of inbound IPsec SA
329 @param crypto_alg - encryption algorithm ID
330 @param local_crypto_key_len - length of local crypto key in bytes
331 @param local_crypto_key - crypto key for outbound IPsec SA
332 @param remote_crypto_key_len - length of remote crypto key in bytes
333 @param remote_crypto_key - crypto key for inbound IPsec SA
334 @param integ_alg - integrity algorithm ID
335 @param local_integ_key_len - length of local integrity key in bytes
336 @param local_integ_key - integrity key for outbound IPsec SA
337 @param remote_integ_key_len - length of remote integrity key in bytes
338 @param remote_integ_key - integrity key for inbound IPsec SA
339 @param renumber - intf display name uses a specified instance if != 0
340 @param show_instance - instance to display for intf if renumber is set
341 @param udp_encap - enable UDP encapsulation for NAT traversal
342 @param tx_table_id - the FIB id used after packet encap
343 @param salt - for use with counter mode ciphers
345 define ipsec_tunnel_if_add_del {
346 option deprecated="20.09";
352 vl_api_address_t local_ip;
353 vl_api_address_t remote_ip;
357 u8 local_crypto_key_len;
358 u8 local_crypto_key[128];
359 u8 remote_crypto_key_len;
360 u8 remote_crypto_key[128];
362 u8 local_integ_key_len;
363 u8 local_integ_key[128];
364 u8 remote_integ_key_len;
365 u8 remote_integ_key[128];
373 /** \brief Add/delete IPsec tunnel interface response
374 @param context - sender context, to match reply w/ request
375 @param retval - return status
376 @param sw_if_index - sw_if_index of new interface (for successful add)
378 define ipsec_tunnel_if_add_del_reply {
381 vl_api_interface_index_t sw_if_index;
386 u32 user_instance [default=0xffffffff];
387 vl_api_tunnel_mode_t mode;
388 vl_api_interface_index_t sw_if_index;
391 /** \brief Create an IPSec interface
393 define ipsec_itf_create {
396 vl_api_ipsec_itf_t itf;
399 /** \brief Add IPsec interface interface response
400 @param context - sender context, to match reply w/ request
401 @param retval - return status
402 @param sw_if_index - sw_if_index of new interface (for successful add)
404 define ipsec_itf_create_reply
408 vl_api_interface_index_t sw_if_index;
411 autoreply define ipsec_itf_delete
415 vl_api_interface_index_t sw_if_index;
418 define ipsec_itf_dump
422 vl_api_interface_index_t sw_if_index;
425 define ipsec_itf_details
428 vl_api_ipsec_itf_t itf;
431 /** \brief Dump IPsec security association
432 @param client_index - opaque cookie to identify the sender
433 @param context - sender context, to match reply w/ request
434 @param sa_id - optional ID of an SA to dump, if ~0 dump all SAs in SAD
443 /** \brief IPsec security association database response
444 @param context - sender context which was passed in the request
445 @param sa_id - SA ID, policy-based SAs >=0, tunnel interface SAs = 0
446 @param sw_if_index - sw_if_index of tunnel interface, policy-based SAs = ~0
447 @param spi - security parameter index
448 @param protocol - IPsec protocol (value from ipsec_protocol_t)
449 @param crypto_alg - crypto algorithm (value from ipsec_crypto_alg_t)
450 @param crypto_key_len - length of crypto_key in bytes
451 @param crypto_key - crypto keying material
452 @param integ_alg - integrity algorithm (value from ipsec_integ_alg_t)
453 @param integ_key_len - length of integ_key in bytes
454 @param integ_key - integrity keying material
455 @param use_esn - using extended sequence numbers when non-zero
456 @param use_anti_replay - using anti-replay window when non-zero
457 @param is_tunnel - IPsec tunnel mode when non-zero, else transport mode
458 @param is_tunnel_ipv6 - If using tunnel mode, endpoints are IPv6
459 @param tunnel_src_addr - Tunnel source address if using tunnel mode
460 @param tunnel_dst_addr - Tunnel destination address is using tunnel mode
461 @param salt - 4 byte salt
462 @param seq - current sequence number for outbound
463 @param seq_hi - high 32 bits of ESN for outbound
464 @param last_seq - highest sequence number received inbound
465 @param last_seq_hi - high 32 bits of highest ESN received inbound
466 @param replay_window - bit map of seq nums received relative to last_seq if using anti-replay
467 @param stat_index - index for the SA in the stats segment @ /net/ipsec/sa
468 @param udp_encap - 1 if UDP encap enabled, 0 otherwise
470 define ipsec_sa_details {
472 vl_api_ipsec_sad_entry_t entry;
474 vl_api_interface_index_t sw_if_index;
477 u64 last_seq_inbound;
483 /** \brief Set new SA on IPsec interface
487 @param client_index - opaque cookie to identify the sender
488 @param context - sender context, to match reply w/ request
489 @param sw_if_index - index of tunnel interface
490 @param sa_id - ID of SA to use
491 @param is_outbound - 1 if outbound (local) SA, 0 if inbound (remote)
493 autoreply define ipsec_tunnel_if_set_sa {
494 option deprecated="20.09";
497 vl_api_interface_index_t sw_if_index;
502 /** \brief Dump IPsec backends
503 @param client_index - opaque cookie to identify the sender
504 @param context - sender context, to match reply w/ request
506 define ipsec_backend_dump {
511 /** \brief IPsec backend details
512 @param name - name of the backend
513 @param protocol - IPsec protocol (value from ipsec_protocol_t)
514 @param index - backend index
515 @param active - set to 1 if the backend is active, otherwise 0
517 define ipsec_backend_details {
520 vl_api_ipsec_proto_t protocol;
525 /** \brief Select IPsec backend
526 @param client_index - opaque cookie to identify the sender
527 @param context - sender context, to match reply w/ request
528 @param protocol - IPsec protocol (value from ipsec_protocol_t)
529 @param index - backend index
531 autoreply define ipsec_select_backend {
534 vl_api_ipsec_proto_t protocol;
540 * eval: (c-set-style "gnu")