1 /* Hey Emacs use -*- mode: C -*- */
3 * Copyright (c) 2015-2016 Cisco and/or its affiliates.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 option version = "5.0.2";
19 import "vnet/ipsec/ipsec_types.api";
20 import "vnet/interface_types.api";
21 import "vnet/ip/ip_types.api";
22 import "vnet/interface_types.api";
23 import "vnet/tunnel/tunnel_types.api";
25 /** \brief IPsec: Add/delete Security Policy Database
26 @param client_index - opaque cookie to identify the sender
27 @param context - sender context, to match reply w/ request
28 @param is_add - add SPD if non-zero, else delete
29 @param spd_id - SPD instance id (control plane allocated)
32 autoreply define ipsec_spd_add_del
40 /** \brief IPsec: Add/delete SPD from interface
42 @param client_index - opaque cookie to identify the sender
43 @param context - sender context, to match reply w/ request
44 @param is_add - add security mode if non-zero, else delete
45 @param sw_if_index - index of the interface
46 @param spd_id - SPD instance id to use for lookups
50 autoreply define ipsec_interface_add_del_spd
56 vl_api_interface_index_t sw_if_index;
60 /** \brief IPsec: Add/delete Security Policy Database entry
62 @param client_index - opaque cookie to identify the sender
63 @param context - sender context, to match reply w/ request
64 @param is_add - add SPD entry if non-zero, else delete
65 @param entry - Description of the entry to add/del
67 define ipsec_spd_entry_add_del
73 vl_api_ipsec_spd_entry_t entry;
76 /** \brief IPsec: Add/delete Security Policy Database entry v2
78 @param client_index - opaque cookie to identify the sender
79 @param context - sender context, to match reply w/ request
80 @param is_add - add SPD entry if non-zero, else delete
81 @param entry - Description of the entry to add/del
83 define ipsec_spd_entry_add_del_v2
88 vl_api_ipsec_spd_entry_v2_t entry;
91 /** \brief IPsec: Reply Add/delete Security Policy Database entry
93 @param context - sender context, to match reply w/ request
94 @param retval - success/fail return code
95 @param stat_index - index for the policy in the stats segment @ /net/ipsec/policy
97 define ipsec_spd_entry_add_del_reply
104 /** \brief IPsec: Reply Add/delete Security Policy Database entry v2
106 @param context - sender context, to match reply w/ request
107 @param retval - success/fail return code
108 @param stat_index - index for the policy in the stats segment @ /net/ipsec/policy
110 define ipsec_spd_entry_add_del_v2_reply
117 /** \brief Dump all IPsec SPD IDs
118 @param client_index - opaque cookie to identify the sender
119 @param context - sender context, to match reply w/ request
121 define ipsec_spds_dump {
126 /** \brief Dump all IPsec SPD IDs response
127 @param client_index - opaque cookie to identify the sender
128 @param spd_id - SPD instance id (control plane allocated)
129 @param npolicies - number of policies in SPD
131 define ipsec_spds_details {
137 /** \brief Dump ipsec policy database data
138 @param client_index - opaque cookie to identify the sender
139 @param context - sender context, to match reply w/ request
140 @param spd_id - SPD instance id
141 @param sa_id - SA id, optional, set to ~0 to see all policies in SPD
143 define ipsec_spd_dump {
150 /** \brief IPsec policy database response
151 @param context - sender context which was passed in the request
152 @param entry - The SPD entry.
153 @param bytes - byte count of packets matching this policy
154 @param packets - count of packets matching this policy
156 define ipsec_spd_details {
158 vl_api_ipsec_spd_entry_t entry;
161 /** \brief IPsec: Add/delete Security Association Database entry
162 @param client_index - opaque cookie to identify the sender
163 @param context - sender context, to match reply w/ request
164 @param entry - Entry to add or delete
166 define ipsec_sad_entry_add_del
172 vl_api_ipsec_sad_entry_t entry;
175 define ipsec_sad_entry_add_del_v2
180 vl_api_ipsec_sad_entry_v2_t entry;
183 define ipsec_sad_entry_add_del_v3
188 vl_api_ipsec_sad_entry_v3_t entry;
190 define ipsec_sad_entry_add
194 vl_api_ipsec_sad_entry_v3_t entry;
196 autoreply define ipsec_sad_entry_del
203 define ipsec_sad_entry_add_del_reply
211 define ipsec_sad_entry_add_del_v2_reply
218 define ipsec_sad_entry_add_del_v3_reply
224 define ipsec_sad_entry_add_reply
231 /** \brief Add or Update Protection for a tunnel with IPSEC
233 Tunnel protection directly associates an SA with all packets
234 ingress and egress on the tunnel. This could also be achieved by
235 assigning an SPD to the tunnel, but that would incur an unnecessary
238 For tunnels the ESP acts on the post-encapsulated packet. So if this
243 where O-IP is the overlay IP address that was routed into the tunnel,
244 the resulting encapsulated packet will be:
245 +---------+------+------+
246 | Payload | O-IP | T-IP |
247 +---------+------+------+
248 where T-IP is the tunnel's src/dst IP addresses.
249 If the SAs used for protection are in transport mode then the ESP is
250 inserted before T-IP, i.e.:
251 +---------+------+-----+------+
252 | Payload | O-IP | ESP | T-IP |
253 +---------+------+-----+------+
254 If the SAs used for protection are in tunnel mode then another
255 encapsulation occurs, i.e.:
256 +---------+------+------+-----+------+
257 | Payload | O-IP | T-IP | ESP | C-IP |
258 +---------+------+------+-----+------+
259 where C-IP are the crypto endpoint IP addresses defined as the tunnel
261 The mode for the inbound and outbound SA must be the same.
263 @param client_index - opaque cookie to identify the sender
264 @param context - sender context, to match reply w/ request
265 @param sw_if_index - Tunnel interface to protect
266 @param nh - The peer/next-hop on the tunnel to which the traffic
267 should be protected. For a P2P interface set this to the
269 @param sa_in - The ID [set] of inbound SAs
270 @param sa_out - The ID of the outbound SA
272 typedef ipsec_tunnel_protect
274 vl_api_interface_index_t sw_if_index;
281 autoreply define ipsec_tunnel_protect_update
286 vl_api_ipsec_tunnel_protect_t tunnel;
289 autoreply define ipsec_tunnel_protect_del
294 vl_api_interface_index_t sw_if_index;
299 * @brief Dump all tunnel protections
301 define ipsec_tunnel_protect_dump
305 vl_api_interface_index_t sw_if_index;
308 define ipsec_tunnel_protect_details
311 vl_api_ipsec_tunnel_protect_t tun;
314 /** \brief IPsec: Get SPD interfaces
315 @param client_index - opaque cookie to identify the sender
316 @param context - sender context, to match reply w/ request
317 @param spd_index - SPD index
318 @param spd_index_valid - if 1, results are filtered by spd_index;
319 if 0, no filtering is done
321 define ipsec_spd_interface_dump {
328 /** \brief IPsec: SPD interface response
329 @param context - sender context which was passed in the request
330 @param spd_index - SPD index
331 @param sw_if_index - index of the interface
333 define ipsec_spd_interface_details {
336 vl_api_interface_index_t sw_if_index;
341 u32 user_instance [default=0xffffffff];
342 vl_api_tunnel_mode_t mode;
343 vl_api_interface_index_t sw_if_index;
346 /** \brief Create an IPSec interface
348 define ipsec_itf_create {
351 vl_api_ipsec_itf_t itf;
354 /** \brief Create IPsec interface response
355 @param context - sender context, to match reply w/ request
356 @param retval - return status
357 @param sw_if_index - sw_if_index of new interface (for successful add)
359 define ipsec_itf_create_reply
363 vl_api_interface_index_t sw_if_index;
366 autoreply define ipsec_itf_delete
370 vl_api_interface_index_t sw_if_index;
373 define ipsec_itf_dump
377 vl_api_interface_index_t sw_if_index;
380 define ipsec_itf_details
383 vl_api_ipsec_itf_t itf;
386 /** \brief Dump IPsec security association
387 @param client_index - opaque cookie to identify the sender
388 @param context - sender context, to match reply w/ request
389 @param sa_id - optional ID of an SA to dump, if ~0 dump all SAs in SAD
398 define ipsec_sa_v2_dump
404 define ipsec_sa_v3_dump
411 /** \brief IPsec security association database response
412 @param context - sender context which was passed in the request
413 @param entry - The SA details
414 @param sw_if_index - sw_if_index of tunnel interface, policy-based SAs = ~0
415 @param salt - 4 byte salt
416 @param seq - current sequence number for outbound
417 @param seq_hi - high 32 bits of ESN for outbound
418 @param last_seq - highest sequence number received inbound
419 @param last_seq_hi - high 32 bits of highest ESN received inbound
420 @param replay_window - bit map of seq nums received relative to last_seq if using anti-replay
421 @param stat_index - index for the SA in the stats segment @ /net/ipsec/sa
423 define ipsec_sa_details {
426 vl_api_ipsec_sad_entry_t entry;
428 vl_api_interface_index_t sw_if_index;
431 u64 last_seq_inbound;
436 define ipsec_sa_v2_details {
438 vl_api_ipsec_sad_entry_v2_t entry;
440 vl_api_interface_index_t sw_if_index;
443 u64 last_seq_inbound;
448 define ipsec_sa_v3_details {
450 vl_api_ipsec_sad_entry_v3_t entry;
452 vl_api_interface_index_t sw_if_index;
454 u64 last_seq_inbound;
460 /** \brief Dump IPsec backends
461 @param client_index - opaque cookie to identify the sender
462 @param context - sender context, to match reply w/ request
464 define ipsec_backend_dump {
469 /** \brief IPsec backend details
470 @param name - name of the backend
471 @param protocol - IPsec protocol (value from ipsec_protocol_t)
472 @param index - backend index
473 @param active - set to 1 if the backend is active, otherwise 0
475 define ipsec_backend_details {
478 vl_api_ipsec_proto_t protocol;
483 /** \brief Select IPsec backend
484 @param client_index - opaque cookie to identify the sender
485 @param context - sender context, to match reply w/ request
486 @param protocol - IPsec protocol (value from ipsec_protocol_t)
487 @param index - backend index
489 autoreply define ipsec_select_backend {
492 vl_api_ipsec_proto_t protocol;
497 /** \brief IPsec Set Async mode
498 @param client_index - opaque cookie to identify the sender
499 @param context - sender context, to match reply w/ request
500 @param async_enable - ipsec async mode on or off
502 autoreply define ipsec_set_async_mode {
510 * eval: (c-set-style "gnu")