1 /* Hey Emacs use -*- mode: C -*- */
3 * Copyright (c) 2015-2016 Cisco and/or its affiliates.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 option version = "5.0.2";
19 import "vnet/ipsec/ipsec_types.api";
20 import "vnet/interface_types.api";
21 import "vnet/ip/ip_types.api";
22 import "vnet/interface_types.api";
23 import "vnet/tunnel/tunnel_types.api";
25 /** \brief IPsec: Add/delete Security Policy Database
26 @param client_index - opaque cookie to identify the sender
27 @param context - sender context, to match reply w/ request
28 @param is_add - add SPD if non-zero, else delete
29 @param spd_id - SPD instance id (control plane allocated)
32 autoreply define ipsec_spd_add_del
40 /** \brief IPsec: Add/delete SPD from interface
42 @param client_index - opaque cookie to identify the sender
43 @param context - sender context, to match reply w/ request
44 @param is_add - add security mode if non-zero, else delete
45 @param sw_if_index - index of the interface
46 @param spd_id - SPD instance id to use for lookups
50 autoreply define ipsec_interface_add_del_spd
56 vl_api_interface_index_t sw_if_index;
60 /** \brief IPsec: Add/delete Security Policy Database entry
62 @param client_index - opaque cookie to identify the sender
63 @param context - sender context, to match reply w/ request
64 @param is_add - add SPD if non-zero, else delete
65 @param entry - Description of the entry to add/delete
67 define ipsec_spd_entry_add_del
73 vl_api_ipsec_spd_entry_t entry;
76 /** \brief IPsec: Add/delete Security Policy Database entry v2
78 @param client_index - opaque cookie to identify the sender
79 @param context - sender context, to match reply w/ request
80 @param is_add - add SPD if non-zero, else delete
81 @param entry - Description of the entry to add/delete
83 define ipsec_spd_entry_add_del_v2
88 vl_api_ipsec_spd_entry_v2_t entry;
91 /** \brief IPsec: Reply Add/delete Security Policy Database entry
93 @param context - sender context, to match reply w/ request
94 @param retval - success/fail return code
95 @param stat_index - An index for the policy in the stats segment @ /net/ipsec/policy
97 define ipsec_spd_entry_add_del_reply
105 /** \brief IPsec: Reply Add/delete Security Policy Database entry v2
107 @param context - sender context, to match reply w/ request
108 @param retval - success/fail return code
109 @param stat_index - An index for the policy in the stats segment @ /net/ipsec/policy
111 define ipsec_spd_entry_add_del_v2_reply
118 /** \brief Dump IPsec all SPD IDs
119 @param client_index - opaque cookie to identify the sender
120 @param context - sender context, to match reply w/ request
122 define ipsec_spds_dump {
127 /** \brief Dump IPsec all SPD IDs response
128 @param client_index - opaque cookie to identify the sender
129 @param spd_id - SPD instance id (control plane allocated)
130 @param npolicies - number of policies in SPD
132 define ipsec_spds_details {
138 /** \brief Dump ipsec policy database data
139 @param client_index - opaque cookie to identify the sender
140 @param context - sender context, to match reply w/ request
141 @param spd_id - SPD instance id
142 @param sa_id - SA id, optional, set to ~0 to see all policies in SPD
144 define ipsec_spd_dump {
151 /** \brief IPsec policy database response
152 @param context - sender context which was passed in the request
153 @param entry - The SPD entry.
154 @param bytes - byte count of packets matching this policy
155 @param packets - count of packets matching this policy
157 define ipsec_spd_details {
159 vl_api_ipsec_spd_entry_t entry;
162 /** \brief IPsec: Add/delete Security Association Database entry
163 @param client_index - opaque cookie to identify the sender
164 @param context - sender context, to match reply w/ request
165 @param entry - Entry to add or delete
167 define ipsec_sad_entry_add_del
173 vl_api_ipsec_sad_entry_t entry;
176 define ipsec_sad_entry_add_del_v2
181 vl_api_ipsec_sad_entry_v2_t entry;
184 define ipsec_sad_entry_add_del_v3
189 vl_api_ipsec_sad_entry_v3_t entry;
191 define ipsec_sad_entry_add
195 vl_api_ipsec_sad_entry_v3_t entry;
197 autoreply define ipsec_sad_entry_del
204 define ipsec_sad_entry_add_del_reply
212 define ipsec_sad_entry_add_del_v2_reply
219 define ipsec_sad_entry_add_del_v3_reply
225 define ipsec_sad_entry_add_reply
232 /** \brief Add or Update Protection for a tunnel with IPSEC
234 Tunnel protection directly associates an SA with all packets
235 ingress and egress on the tunnel. This could also be achieved by
236 assigning an SPD to the tunnel, but that would incur an unnecessary
239 For tunnels the ESP acts on the post-encapsulated packet. So if this
244 where O-IP is the overlay IP address that was routed into the tunnel,
245 the resulting encapsulated packet will be:
246 +---------+------+------+
247 | Payload | O-IP | T-IP |
248 +---------+------+------+
249 where T-IP is the tunnel's src/dst IP addresses.
250 If the SAs used for protection are in transport mode then the ESP is
251 inserted before T-IP, i.e.:
252 +---------+------+-----+------+
253 | Payload | O-IP | ESP | T-IP |
254 +---------+------+-----+------+
255 If the SAs used for protection are in tunnel mode then another
256 encapsulation occurs, i.e.:
257 +---------+------+------+-----+------+
258 | Payload | O-IP | T-IP | ESP | C-IP |
259 +---------+------+------+-----+------+
260 where C-IP are the crypto endpoint IP addresses defined as the tunnel
262 The mode for the inbound and outbound SA must be the same.
264 @param client_index - opaque cookie to identify the sender
265 @param context - sender context, to match reply w/ request
266 @param sw_if_index - Tunnel interface to protect
267 @param nh - The peer/next-hop on the tunnel to which the traffic
268 should be protected. For a P2P interface set this to the
270 @param sa_in - The ID [set] of inbound SAs
271 @param sa_out - The ID of outbound SA
273 typedef ipsec_tunnel_protect
275 vl_api_interface_index_t sw_if_index;
282 autoreply define ipsec_tunnel_protect_update
287 vl_api_ipsec_tunnel_protect_t tunnel;
290 autoreply define ipsec_tunnel_protect_del
295 vl_api_interface_index_t sw_if_index;
300 * @brief Dump all tunnel protections
302 define ipsec_tunnel_protect_dump
306 vl_api_interface_index_t sw_if_index;
309 define ipsec_tunnel_protect_details
312 vl_api_ipsec_tunnel_protect_t tun;
315 /** \brief IPsec: Get SPD interfaces
316 @param client_index - opaque cookie to identify the sender
317 @param context - sender context, to match reply w/ request
318 @param spd_index - SPD index
319 @param spd_index_valid - if 1 spd_index is used to filter
320 spd_index's, if 0 no filtering is done
322 define ipsec_spd_interface_dump {
329 /** \brief IPsec: SPD interface response
330 @param context - sender context which was passed in the request
331 @param spd_index - SPD index
332 @param sw_if_index - index of the interface
334 define ipsec_spd_interface_details {
337 vl_api_interface_index_t sw_if_index;
342 u32 user_instance [default=0xffffffff];
343 vl_api_tunnel_mode_t mode;
344 vl_api_interface_index_t sw_if_index;
347 /** \brief Create an IPSec interface
349 define ipsec_itf_create {
352 vl_api_ipsec_itf_t itf;
355 /** \brief Add IPsec interface response
356 @param context - sender context, to match reply w/ request
357 @param retval - return status
358 @param sw_if_index - sw_if_index of new interface (for successful add)
360 define ipsec_itf_create_reply
364 vl_api_interface_index_t sw_if_index;
367 autoreply define ipsec_itf_delete
371 vl_api_interface_index_t sw_if_index;
374 define ipsec_itf_dump
378 vl_api_interface_index_t sw_if_index;
381 define ipsec_itf_details
384 vl_api_ipsec_itf_t itf;
387 /** \brief Dump IPsec security association
388 @param client_index - opaque cookie to identify the sender
389 @param context - sender context, to match reply w/ request
390 @param sa_id - optional ID of an SA to dump, if ~0 dump all SAs in SAD
399 define ipsec_sa_v2_dump
405 define ipsec_sa_v3_dump
412 /** \brief IPsec security association database response
413 @param context - sender context which was passed in the request
414 @param entry - The SA details
415 @param sw_if_index - sw_if_index of tunnel interface, policy-based SAs = ~0
416 @param salt - 4 byte salt
417 @param seq - current sequence number for outbound
418 @param seq_hi - high 32 bits of ESN for outbound
419 @param last_seq - highest sequence number received inbound
420 @param last_seq_hi - high 32 bits of highest ESN received inbound
421 @param replay_window - bit map of seq nums received relative to last_seq if using anti-replay
422 @param stat_index - index for the SA in the stats segment @ /net/ipsec/sa
424 define ipsec_sa_details {
427 vl_api_ipsec_sad_entry_t entry;
429 vl_api_interface_index_t sw_if_index;
432 u64 last_seq_inbound;
437 define ipsec_sa_v2_details {
439 vl_api_ipsec_sad_entry_v2_t entry;
441 vl_api_interface_index_t sw_if_index;
444 u64 last_seq_inbound;
449 define ipsec_sa_v3_details {
451 vl_api_ipsec_sad_entry_v3_t entry;
453 vl_api_interface_index_t sw_if_index;
455 u64 last_seq_inbound;
461 /** \brief Dump IPsec backends
462 @param client_index - opaque cookie to identify the sender
463 @param context - sender context, to match reply w/ request
465 define ipsec_backend_dump {
470 /** \brief IPsec backend details
471 @param name - name of the backend
472 @param protocol - IPsec protocol (value from ipsec_protocol_t)
473 @param index - backend index
474 @param active - set to 1 if the backend is active, otherwise 0
476 define ipsec_backend_details {
479 vl_api_ipsec_proto_t protocol;
484 /** \brief Select IPsec backend
485 @param client_index - opaque cookie to identify the sender
486 @param context - sender context, to match reply w/ request
487 @param protocol - IPsec protocol (value from ipsec_protocol_t)
488 @param index - backend index
490 autoreply define ipsec_select_backend {
493 vl_api_ipsec_proto_t protocol;
498 /** \brief IPsec Set Async mode
499 @param client_index - opaque cookie to identify the sender
500 @param context - sender context, to match reply w/ request
501 @param async_enable - ipsec async mode on or off
503 autoreply define ipsec_set_async_mode {
509 counters esp_decrypt {
514 description "ESP pkts received";
520 description "ESP-POST pkts received";
526 description "hand-off";
532 description "ESP decryption failed";
538 description "integrity check failed";
540 crypto_engine_error {
544 description "crypto engine error (packet dropped)";
550 description "SA replayed packet";
556 description "undersized packet";
562 description "no buffers (packet dropped)";
568 description "buffer with oversized header (dropped)";
574 description "no enough buffer tail space (dropped)";
580 description "no tunnel protocol";
586 description "unsupported payload";
590 counters esp_encrypt {
595 description "ESP pkts received";
601 description "ESP-post pkts received";
607 description "Hand-off";
613 description "sequence number cycled (packet dropped)";
615 crypto_engine_error {
619 description "crypto engine error (packet dropped)";
625 description "crypto queue full (packet dropped)";
631 description "no buffers (packet dropped)";
637 description "no protecting SA (packet dropped)";
643 description "no Encrypting SA (packet dropped)";
647 counters ah_encrypt {
652 description "AH pkts received";
654 crypto_engine_error {
658 description "crypto engine error (packet dropped)";
664 description "sequence number cycled (packet dropped)";
668 counters ah_decrypt {
673 description "AH pkts received";
679 description "AH decryption failed";
685 description "Integrity check failed";
691 description "not enough buffer tail space (dropped)";
697 description "IP fragments drop";
703 description "SA replayed packet";
712 description "good packets received";
718 description "ipsec packets received on disabled interface";
724 description "no matching tunnel";
730 description "SPI-tunnel mismatch";
736 description "NAT Keepalive";
742 description "Too Short";
753 "/err/esp4-encrypt" "esp_encrypt";
754 "/err/esp4-encrypt-post" "esp_encrypt";
755 "/err/esp4-encrypt-tun" "esp_encrypt";
756 "/err/esp4-encrypt-tun-post" "esp_encrypt";
757 "/err/esp6-encrypt" "esp_encrypt";
758 "/err/esp6-encrypt-post" "esp_encrypt";
759 "/err/esp6-encrypt-tun" "esp_encrypt";
760 "/err/esp6-encrypt-tun-post" "esp_encrypt";
761 "/err/esp-mpls-encrypt-tun" "esp_encrypt";
762 "/err/esp-mpls-encrypt-tun-post" "esp_encrypt";
763 "/err/esp4-decrypt" "esp_decrypt";
764 "/err/esp4-decrypt-post" "esp_decrypt";
765 "/err/esp4-decrypt-tun" "esp_decrypt";
766 "/err/esp4-decrypt-tun-post" "esp_decrypt";
767 "/err/esp6-decrypt" "esp_decrypt";
768 "/err/esp6-decrypt-post" "esp_decrypt";
769 "/err/esp6-decrypt-tun" "esp_decrypt";
770 "/err/esp6-decrypt-tun-post" "esp_decrypt";
771 "/err/ah4-encrypt" "ah_encrypt";
772 "/err/ah6-encrypt" "ah_encrypt";
773 "/err/ipsec4-tun-input" "ipsec_tun";
774 "/err/ipsec6-tun-input" "ipsec_tun";
779 * eval: (c-set-style "gnu")