1 /* Hey Emacs use -*- mode: C -*- */
3 * Copyright (c) 2015-2016 Cisco and/or its affiliates.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 option version = "5.0.2";
19 import "vnet/ipsec/ipsec_types.api";
20 import "vnet/interface_types.api";
21 import "vnet/ip/ip_types.api";
22 import "vnet/interface_types.api";
23 import "vnet/tunnel/tunnel_types.api";
25 /** \brief IPsec: Add/delete Security Policy Database
26 @param client_index - opaque cookie to identify the sender
27 @param context - sender context, to match reply w/ request
28 @param is_add - add SPD if non-zero, else delete
29 @param spd_id - SPD instance id (control plane allocated)
32 autoreply define ipsec_spd_add_del
40 /** \brief IPsec: Add/delete SPD from interface
42 @param client_index - opaque cookie to identify the sender
43 @param context - sender context, to match reply w/ request
44 @param is_add - add security mode if non-zero, else delete
45 @param sw_if_index - index of the interface
46 @param spd_id - SPD instance id to use for lookups
50 autoreply define ipsec_interface_add_del_spd
56 vl_api_interface_index_t sw_if_index;
60 /** \brief IPsec: Add/delete Security Policy Database entry
62 @param client_index - opaque cookie to identify the sender
63 @param context - sender context, to match reply w/ request
64 @param is_add - add SPD if non-zero, else delete
65 @param entry - Description of the entry to add/del
67 define ipsec_spd_entry_add_del
73 vl_api_ipsec_spd_entry_t entry;
76 /** \brief IPsec: Add/delete Security Policy Database entry v2
78 @param client_index - opaque cookie to identify the sender
79 @param context - sender context, to match reply w/ request
80 @param is_add - add SPD if non-zero, else delete
81 @param entry - Description of the entry to add/del
83 define ipsec_spd_entry_add_del_v2
88 vl_api_ipsec_spd_entry_v2_t entry;
91 /** \brief IPsec: Reply Add/delete Security Policy Database entry
93 @param context - sender context, to match reply w/ request
94 @param retval - success/fail return code
95 @param stat_index - An index for the policy in the stats segment @ /net/ipsec/policy
97 define ipsec_spd_entry_add_del_reply
105 /** \brief IPsec: Reply Add/delete Security Policy Database entry v2
107 @param context - sender context, to match reply w/ request
108 @param retval - success/fail return code
109 @param stat_index - An index for the policy in the stats segment @ /net/ipsec/policy
111 define ipsec_spd_entry_add_del_v2_reply
118 /** \brief Dump all IPsec SPD IDs
119 @param client_index - opaque cookie to identify the sender
120 @param context - sender context, to match reply w/ request
122 define ipsec_spds_dump {
127 /** \brief Dump all IPsec SPD IDs response
128 @param client_index - opaque cookie to identify the sender
129 @param spd_id - SPD instance id (control plane allocated)
130 @param npolicies - number of policies in SPD
132 define ipsec_spds_details {
138 /** \brief Dump ipsec policy database data
139 @param client_index - opaque cookie to identify the sender
140 @param context - sender context, to match reply w/ request
141 @param spd_id - SPD instance id
142 @param sa_id - SA id, optional, set to ~0 to see all policies in SPD
144 define ipsec_spd_dump {
151 /** \brief IPsec policy database response
152 @param context - sender context which was passed in the request
153 @param entry - The SPD entry.
154 @param bytes - byte count of packets matching this policy
155 @param packets - count of packets matching this policy
157 define ipsec_spd_details {
159 vl_api_ipsec_spd_entry_t entry;
162 /** \brief IPsec: Add/delete Security Association Database entry
163 @param client_index - opaque cookie to identify the sender
164 @param context - sender context, to match reply w/ request
165 @param entry - Entry to add or delete
167 define ipsec_sad_entry_add_del
174 vl_api_ipsec_sad_entry_t entry;
177 define ipsec_sad_entry_add_del_v2
184 vl_api_ipsec_sad_entry_v2_t entry;
187 define ipsec_sad_entry_add_del_v3
192 vl_api_ipsec_sad_entry_v3_t entry;
195 define ipsec_sad_entry_add
199 vl_api_ipsec_sad_entry_v3_t entry;
202 define ipsec_sad_entry_add_v2
206 vl_api_ipsec_sad_entry_v4_t entry;
209 autoreply define ipsec_sad_entry_del
217 /** \brief An API to bind an SAD entry to a specific worker
219 @param client_index - opaque cookie to identify the sender
220 @param context - sender context, to match reply w/ request
221 @param sa_id - the id of the SA to bind
222 @param worker - the worker's index to which the SA will be bound to
224 autoreply define ipsec_sad_bind
232 autoreply define ipsec_sad_unbind
239 /** \brief An API to update the tunnel parameters and the ports associated with an SA
241 Used in the NAT-T case when the NAT data changes
242 @param client_index - opaque cookie to identify the sender
243 @param context - sender context, to match reply w/ request
244 @param sa_id - the id of the SA to update
245 @param is_tun - update the tunnel if non-zero, else update only the ports
246 @param tunnel - the new tunnel parameters to apply to the SA (used when is_tun is non-zero)
247 @param udp_src_port - new src port for NAT-T. Used if different from 0xffff
248 @param udp_dst_port - new dst port for NAT-T. Used if different from 0xffff
250 autoreply define ipsec_sad_entry_update
256 vl_api_tunnel_t tunnel;
257 u16 udp_src_port [default=0xffff];
258 u16 udp_dst_port [default=0xffff];
261 define ipsec_sad_entry_add_del_reply
270 define ipsec_sad_entry_add_del_v2_reply
279 define ipsec_sad_entry_add_del_v3_reply
286 define ipsec_sad_entry_add_reply
293 define ipsec_sad_entry_add_v2_reply
300 /** \brief Add or Update Protection for a tunnel with IPSEC
302 Tunnel protection directly associates an SA with all packets
303 ingress and egress on the tunnel. This could also be achieved by
304 assigning an SPD to the tunnel, but that would incur an unnecessary
307 For tunnels the ESP acts on the post-encapsulated packet. So if this
312 where O-IP is the overlay IP address that was routed into the tunnel,
313 the resulting encapsulated packet will be:
314 +---------+------+------+
315 | Payload | O-IP | T-IP |
316 +---------+------+------+
317 where T-IP is the tunnel's src/dst IP addresses.
318 If the SAs used for protection are in transport mode then the ESP is
319 inserted before T-IP, i.e.:
320 +---------+------+-----+------+
321 | Payload | O-IP | ESP | T-IP |
322 +---------+------+-----+------+
323 If the SAs used for protection are in tunnel mode then another
324 encapsulation occurs, i.e.:
325 +---------+------+------+-----+------+
326 | Payload | O-IP | T-IP | ESP | C-IP |
327 +---------+------+------+-----+------+
328 where C-IP are the crypto endpoint IP addresses defined as the tunnel
330 The mode for the inbound and outbound SA must be the same.
332 @param client_index - opaque cookie to identify the sender
333 @param context - sender context, to match reply w/ request
334 @param sw_if_index - Tunnel interface to protect
335 @param nh - The peer/next-hop on the tunnel to which the traffic
336 should be protected. For a P2P interface set this to the
338 @param sa_in - The ID [set] of inbound SAs
339 @param sa_out - The ID of outbound SA
341 typedef ipsec_tunnel_protect
343 vl_api_interface_index_t sw_if_index;
350 autoreply define ipsec_tunnel_protect_update
355 vl_api_ipsec_tunnel_protect_t tunnel;
358 autoreply define ipsec_tunnel_protect_del
363 vl_api_interface_index_t sw_if_index;
368 * @brief Dump all tunnel protections
370 define ipsec_tunnel_protect_dump
374 vl_api_interface_index_t sw_if_index;
377 define ipsec_tunnel_protect_details
380 vl_api_ipsec_tunnel_protect_t tun;
383 /** \brief IPsec: Get SPD interfaces
384 @param client_index - opaque cookie to identify the sender
385 @param context - sender context, to match reply w/ request
386 @param spd_index - SPD index
387 @param spd_index_valid - if 1 spd_index is used to filter
388 spd_index's, if 0 no filtering is done
390 define ipsec_spd_interface_dump {
397 /** \brief IPsec: SPD interface response
398 @param context - sender context which was passed in the request
399 @param spd_index - SPD index
400 @param sw_if_index - index of the interface
402 define ipsec_spd_interface_details {
405 vl_api_interface_index_t sw_if_index;
410 u32 user_instance [default=0xffffffff];
411 vl_api_tunnel_mode_t mode;
412 vl_api_interface_index_t sw_if_index;
415 /** \brief Create an IPSec interface
417 define ipsec_itf_create {
420 vl_api_ipsec_itf_t itf;
423 /** \brief Add IPsec interface interface response
424 @param context - sender context, to match reply w/ request
425 @param retval - return status
426 @param sw_if_index - sw_if_index of new interface (for successful add)
428 define ipsec_itf_create_reply
432 vl_api_interface_index_t sw_if_index;
435 autoreply define ipsec_itf_delete
439 vl_api_interface_index_t sw_if_index;
442 define ipsec_itf_dump
446 vl_api_interface_index_t sw_if_index;
449 define ipsec_itf_details
452 vl_api_ipsec_itf_t itf;
455 /** \brief Dump IPsec security association
456 @param client_index - opaque cookie to identify the sender
457 @param context - sender context, to match reply w/ request
458 @param sa_id - optional ID of an SA to dump, if ~0 dump all SAs in SAD
468 define ipsec_sa_v2_dump
476 define ipsec_sa_v3_dump
482 define ipsec_sa_v4_dump
488 define ipsec_sa_v5_dump
495 /** \brief IPsec security association database response
496 @param context - sender context which was passed in the request
497 @param entry - The SA details
498 @param sw_if_index - sw_if_index of tunnel interface, policy-based SAs = ~0
499 @param salt - 4 byte salt
500 @param seq - current sequence number for outbound
501 @param seq_hi - high 32 bits of ESN for outbound
502 @param last_seq - highest sequence number received inbound
503 @param last_seq_hi - high 32 bits of highest ESN received inbound
504 @param replay_window - bitmap of sequence numbers received relative to last_seq if using anti-replay
505 @param stat_index - index for the SA in the stats segment @ /net/ipsec/sa
507 define ipsec_sa_details {
511 vl_api_ipsec_sad_entry_t entry;
513 vl_api_interface_index_t sw_if_index;
516 u64 last_seq_inbound;
521 define ipsec_sa_v2_details {
525 vl_api_ipsec_sad_entry_v2_t entry;
527 vl_api_interface_index_t sw_if_index;
530 u64 last_seq_inbound;
535 define ipsec_sa_v3_details {
537 vl_api_ipsec_sad_entry_v3_t entry;
539 vl_api_interface_index_t sw_if_index;
541 u64 last_seq_inbound;
546 define ipsec_sa_v4_details {
548 vl_api_ipsec_sad_entry_v3_t entry;
550 vl_api_interface_index_t sw_if_index;
552 u64 last_seq_inbound;
557 define ipsec_sa_v5_details {
559 vl_api_ipsec_sad_entry_v4_t entry;
561 vl_api_interface_index_t sw_if_index;
563 u64 last_seq_inbound;
569 /** \brief Dump IPsec backends
570 @param client_index - opaque cookie to identify the sender
571 @param context - sender context, to match reply w/ request
573 define ipsec_backend_dump {
578 /** \brief IPsec backend details
579 @param name - name of the backend
580 @param protocol - IPsec protocol (value from ipsec_protocol_t)
581 @param index - backend index
582 @param active - set to 1 if the backend is active, otherwise 0
584 define ipsec_backend_details {
587 vl_api_ipsec_proto_t protocol;
592 /** \brief Select IPsec backend
593 @param client_index - opaque cookie to identify the sender
594 @param context - sender context, to match reply w/ request
595 @param protocol - IPsec protocol (value from ipsec_protocol_t)
596 @param index - backend index
598 autoreply define ipsec_select_backend {
601 vl_api_ipsec_proto_t protocol;
606 /** \brief IPsec Set Async mode
607 @param client_index - opaque cookie to identify the sender
608 @param context - sender context, to match reply w/ request
609 @param async_enable - ipsec async mode on or off
611 autoreply define ipsec_set_async_mode {
617 counters esp_decrypt {
622 description "ESP pkts received";
628 description "ESP-POST pkts received";
634 description "hand-off";
640 description "ESP decryption failed";
646 description "integrity check failed";
648 crypto_engine_error {
652 description "crypto engine error (packet dropped)";
658 description "SA replayed packet";
664 description "undersized packet";
670 description "no buffers (packet dropped)";
676 description "buffer with oversized header (dropped)";
682 description "no enough buffer tail space (dropped)";
688 description "no tunnel protocol";
694 description "unsupported payload";
700 description "no available frame (packet dropped)";
704 counters esp_encrypt {
709 description "ESP pkts received";
715 description "ESP-post pkts received";
721 description "Hand-off";
727 description "sequence number cycled (packet dropped)";
729 crypto_engine_error {
733 description "crypto engine error (packet dropped)";
739 description "crypto queue full (packet dropped)";
745 description "no buffers (packet dropped)";
751 description "no protecting SA (packet dropped)";
757 description "no Encrypting SA (packet dropped)";
763 description "no available frame (packet dropped)";
767 counters ah_encrypt {
772 description "AH pkts received";
774 crypto_engine_error {
778 description "crypto engine error (packet dropped)";
784 description "sequence number cycled (packet dropped)";
788 counters ah_decrypt {
793 description "AH pkts received";
799 description "AH decryption failed";
805 description "Integrity check failed";
811 description "not enough buffer tail space (dropped)";
817 description "IP fragments drop";
823 description "SA replayed packet";
832 description "good packets received";
838 description "ipsec packets received on disabled interface";
844 description "no matching tunnel";
850 description "SPI-tunnel mismatch";
856 description "NAT Keepalive";
862 description "Too Short";
873 "/err/esp4-encrypt" "esp_encrypt";
874 "/err/esp4-encrypt-post" "esp_encrypt";
875 "/err/esp4-encrypt-tun" "esp_encrypt";
876 "/err/esp4-encrypt-tun-post" "esp_encrypt";
877 "/err/esp6-encrypt" "esp_encrypt";
878 "/err/esp6-encrypt-post" "esp_encrypt";
879 "/err/esp6-encrypt-tun" "esp_encrypt";
880 "/err/esp6-encrypt-tun-post" "esp_encrypt";
881 "/err/esp-mpls-encrypt-tun" "esp_encrypt";
882 "/err/esp-mpls-encrypt-tun-post" "esp_encrypt";
883 "/err/esp4-decrypt" "esp_decrypt";
884 "/err/esp4-decrypt-post" "esp_decrypt";
885 "/err/esp4-decrypt-tun" "esp_decrypt";
886 "/err/esp4-decrypt-tun-post" "esp_decrypt";
887 "/err/esp6-decrypt" "esp_decrypt";
888 "/err/esp6-decrypt-post" "esp_decrypt";
889 "/err/esp6-decrypt-tun" "esp_decrypt";
890 "/err/esp6-decrypt-tun-post" "esp_decrypt";
891 "/err/ah4-encrypt" "ah_encrypt";
892 "/err/ah6-encrypt" "ah_encrypt";
893 "/err/ipsec4-tun-input" "ipsec_tun";
894 "/err/ipsec6-tun-input" "ipsec_tun";
899 * eval: (c-set-style "gnu")