1 /* Hey Emacs use -*- mode: C -*- */
3 * Copyright (c) 2015-2016 Cisco and/or its affiliates.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 option version = "5.0.2";
19 import "vnet/ipsec/ipsec_types.api";
20 import "vnet/interface_types.api";
21 import "vnet/ip/ip_types.api";
22 import "vnet/interface_types.api";
23 import "vnet/tunnel/tunnel_types.api";
25 /** \brief IPsec: Add/delete Security Policy Database
26 @param client_index - opaque cookie to identify the sender
27 @param context - sender context, to match reply w/ request
28 @param is_add - add SPD if non-zero, else delete
29 @param spd_id - SPD instance id (control plane allocated)
32 autoreply define ipsec_spd_add_del
40 /** \brief IPsec: Add/delete SPD from interface
42 @param client_index - opaque cookie to identify the sender
43 @param context - sender context, to match reply w/ request
44 @param is_add - add security mode if non-zero, else delete
45 @param sw_if_index - index of the interface
46 @param spd_id - SPD instance id to use for lookups
50 autoreply define ipsec_interface_add_del_spd
56 vl_api_interface_index_t sw_if_index;
60 /** \brief IPsec: Add/delete Security Policy Database entry
62 @param client_index - opaque cookie to identify the sender
63 @param context - sender context, to match reply w/ request
64 @param is_add - add SPD if non-zero, else delete
65 @param entry - Description of the entry to add/delete
67 define ipsec_spd_entry_add_del
73 vl_api_ipsec_spd_entry_t entry;
76 /** \brief IPsec: Add/delete Security Policy Database entry v2
78 @param client_index - opaque cookie to identify the sender
79 @param context - sender context, to match reply w/ request
80 @param is_add - add SPD if non-zero, else delete
81 @param entry - Description of the entry to add/delete
83 define ipsec_spd_entry_add_del_v2
88 vl_api_ipsec_spd_entry_v2_t entry;
91 /** \brief IPsec: Reply Add/delete Security Policy Database entry
93 @param context - sender context, to match reply w/ request
94 @param retval - success/fail return code
95 @param stat_index - An index for the policy in the stats segment @ /net/ipsec/policy
97 define ipsec_spd_entry_add_del_reply
105 /** \brief IPsec: Reply Add/delete Security Policy Database entry v2
107 @param context - sender context, to match reply w/ request
108 @param retval - success/fail return code
109 @param stat_index - An index for the policy in the stats segment @ /net/ipsec/policy
111 define ipsec_spd_entry_add_del_v2_reply
118 /** \brief Dump all IPsec SPD IDs
119 @param client_index - opaque cookie to identify the sender
120 @param context - sender context, to match reply w/ request
122 define ipsec_spds_dump {
127 /** \brief Dump all IPsec SPD IDs response
128 @param client_index - opaque cookie to identify the sender
129 @param spd_id - SPD instance id (control plane allocated)
130 @param npolicies - number of policies in SPD
132 define ipsec_spds_details {
138 /** \brief Dump ipsec policy database data
139 @param client_index - opaque cookie to identify the sender
140 @param context - sender context, to match reply w/ request
141 @param spd_id - SPD instance id
142 @param sa_id - SA id, optional, set to ~0 to see all policies in SPD
144 define ipsec_spd_dump {
151 /** \brief IPsec policy database response
152 @param context - sender context which was passed in the request
153 @param entry - The SPD entry.
154 @param bytes - byte count of packets matching this policy
155 @param packets - count of packets matching this policy
157 define ipsec_spd_details {
159 vl_api_ipsec_spd_entry_t entry;
162 /** \brief IPsec: Add/delete Security Association Database entry
163 @param client_index - opaque cookie to identify the sender
164 @param context - sender context, to match reply w/ request
165 @param entry - Entry to add or delete
167 define ipsec_sad_entry_add_del
173 vl_api_ipsec_sad_entry_t entry;
176 define ipsec_sad_entry_add_del_v2
181 vl_api_ipsec_sad_entry_v2_t entry;
184 define ipsec_sad_entry_add_del_v3
189 vl_api_ipsec_sad_entry_v3_t entry;
191 define ipsec_sad_entry_add
195 vl_api_ipsec_sad_entry_v3_t entry;
197 autoreply define ipsec_sad_entry_del
204 /** \brief An API to update the tunnel parameters and the ports associated with an SA
206 Used in the NAT-T case when the NAT data changes
207 @param client_index - opaque cookie to identify the sender
208 @param context - sender context, to match reply w/ request
209 @param sa_id - the id of the SA to update
210 @param is_tun - update the tunnel if non-zero, else update only the ports
211 @param tunnel - the new tunnel parameters for the SA (applied only when is_tun is non-zero)
212 @param udp_src_port - new src port for NAT-T. Used if different from 0xffff
213 @param udp_dst_port - new dst port for NAT-T. Used if different from 0xffff
215 autoreply define ipsec_sad_entry_update
221 vl_api_tunnel_t tunnel;
222 u16 udp_src_port [default=0xffff];
223 u16 udp_dst_port [default=0xffff];
226 define ipsec_sad_entry_add_del_reply
234 define ipsec_sad_entry_add_del_v2_reply
241 define ipsec_sad_entry_add_del_v3_reply
247 define ipsec_sad_entry_add_reply
254 /** \brief Add or Update Protection for a tunnel with IPSEC
256 Tunnel protection directly associates an SA with all packets
257 ingress and egress on the tunnel. This could also be achieved by
258 assigning an SPD to the tunnel, but that would incur an unnecessary
261 For tunnels the ESP acts on the post-encapsulated packet. So if this
266 where O-IP is the overlay IP address that was routed into the tunnel,
267 the resulting encapsulated packet will be:
268 +---------+------+------+
269 | Payload | O-IP | T-IP |
270 +---------+------+------+
271 where T-IP is the tunnel's src/dst IP addresses.
272 If the SAs used for protection are in transport mode then the ESP is
273 inserted before T-IP, i.e.:
274 +---------+------+-----+------+
275 | Payload | O-IP | ESP | T-IP |
276 +---------+------+-----+------+
277 If the SAs used for protection are in tunnel mode then another
278 encapsulation occurs, i.e.:
279 +---------+------+------+-----+------+
280 | Payload | O-IP | T-IP | ESP | C-IP |
281 +---------+------+------+-----+------+
282 where C-IP are the crypto endpoint IP addresses defined as the tunnel
284 The mode for the inbound and outbound SA must be the same.
286 @param client_index - opaque cookie to identify the sender
287 @param context - sender context, to match reply w/ request
288 @param sw_if_index - Tunnel interface to protect
289 @param nh - The peer/next-hop on the tunnel to which the traffic
290 should be protected. For a P2P interface set this to the
292 @param sa_in - The ID [set] of inbound SAs
293 @param sa_out - The ID of outbound SA
295 typedef ipsec_tunnel_protect
297 vl_api_interface_index_t sw_if_index;
304 autoreply define ipsec_tunnel_protect_update
309 vl_api_ipsec_tunnel_protect_t tunnel;
312 autoreply define ipsec_tunnel_protect_del
317 vl_api_interface_index_t sw_if_index;
322 * @brief Dump all tunnel protections
324 define ipsec_tunnel_protect_dump
328 vl_api_interface_index_t sw_if_index;
331 define ipsec_tunnel_protect_details
334 vl_api_ipsec_tunnel_protect_t tun;
337 /** \brief IPsec: Get SPD interfaces
338 @param client_index - opaque cookie to identify the sender
339 @param context - sender context, to match reply w/ request
340 @param spd_index - SPD index
341 @param spd_index_valid - if 1, results are filtered by spd_index;
342 if 0, no filtering is done
344 define ipsec_spd_interface_dump {
351 /** \brief IPsec: SPD interface response
352 @param context - sender context which was passed in the request
353 @param spd_index - SPD index
354 @param sw_if_index - index of the interface
356 define ipsec_spd_interface_details {
359 vl_api_interface_index_t sw_if_index;
364 u32 user_instance [default=0xffffffff];
365 vl_api_tunnel_mode_t mode;
366 vl_api_interface_index_t sw_if_index;
369 /** \brief Create an IPSec interface
371 define ipsec_itf_create {
374 vl_api_ipsec_itf_t itf;
377 /** \brief Add IPsec interface response
378 @param context - sender context, to match reply w/ request
379 @param retval - return status
380 @param sw_if_index - sw_if_index of new interface (for successful add)
382 define ipsec_itf_create_reply
386 vl_api_interface_index_t sw_if_index;
389 autoreply define ipsec_itf_delete
393 vl_api_interface_index_t sw_if_index;
396 define ipsec_itf_dump
400 vl_api_interface_index_t sw_if_index;
403 define ipsec_itf_details
406 vl_api_ipsec_itf_t itf;
409 /** \brief Dump IPsec security association
410 @param client_index - opaque cookie to identify the sender
411 @param context - sender context, to match reply w/ request
412 @param sa_id - optional ID of an SA to dump, if ~0 dump all SAs in SAD
421 define ipsec_sa_v2_dump
427 define ipsec_sa_v3_dump
434 /** \brief IPsec security association database response
435 @param context - sender context which was passed in the request
436 @param entry - The SA details
437 @param sw_if_index - sw_if_index of tunnel interface, policy-based SAs = ~0
438 @param salt - 4 byte salt
439 @param seq - current sequence number for outbound
440 @param seq_hi - high 32 bits of ESN for outbound
441 @param last_seq - highest sequence number received inbound
442 @param last_seq_hi - high 32 bits of highest ESN received inbound
443 @param replay_window - bit map of seq nums received relative to last_seq if using anti-replay
444 @param stat_index - index for the SA in the stats segment @ /net/ipsec/sa
446 define ipsec_sa_details {
449 vl_api_ipsec_sad_entry_t entry;
451 vl_api_interface_index_t sw_if_index;
454 u64 last_seq_inbound;
459 define ipsec_sa_v2_details {
461 vl_api_ipsec_sad_entry_v2_t entry;
463 vl_api_interface_index_t sw_if_index;
466 u64 last_seq_inbound;
471 define ipsec_sa_v3_details {
473 vl_api_ipsec_sad_entry_v3_t entry;
475 vl_api_interface_index_t sw_if_index;
477 u64 last_seq_inbound;
483 /** \brief Dump IPsec backends
484 @param client_index - opaque cookie to identify the sender
485 @param context - sender context, to match reply w/ request
487 define ipsec_backend_dump {
492 /** \brief IPsec backend details
493 @param name - name of the backend
494 @param protocol - IPsec protocol (value from ipsec_protocol_t)
495 @param index - backend index
496 @param active - set to 1 if the backend is active, otherwise 0
498 define ipsec_backend_details {
501 vl_api_ipsec_proto_t protocol;
506 /** \brief Select IPsec backend
507 @param client_index - opaque cookie to identify the sender
508 @param context - sender context, to match reply w/ request
509 @param protocol - IPsec protocol (value from ipsec_protocol_t)
510 @param index - backend index
512 autoreply define ipsec_select_backend {
515 vl_api_ipsec_proto_t protocol;
520 /** \brief IPsec Set Async mode
521 @param client_index - opaque cookie to identify the sender
522 @param context - sender context, to match reply w/ request
523 @param async_enable - ipsec async mode on or off
525 autoreply define ipsec_set_async_mode {
531 counters esp_decrypt {
536 description "ESP pkts received";
542 description "ESP-POST pkts received";
548 description "hand-off";
554 description "ESP decryption failed";
560 description "integrity check failed";
562 crypto_engine_error {
566 description "crypto engine error (packet dropped)";
572 description "SA replayed packet";
578 description "undersized packet";
584 description "no buffers (packet dropped)";
590 description "buffer with oversized header (dropped)";
596 description "no enough buffer tail space (dropped)";
602 description "no tunnel protocol";
608 description "unsupported payload";
612 counters esp_encrypt {
617 description "ESP pkts received";
623 description "ESP-post pkts received";
629 description "Hand-off";
635 description "sequence number cycled (packet dropped)";
637 crypto_engine_error {
641 description "crypto engine error (packet dropped)";
647 description "crypto queue full (packet dropped)";
653 description "no buffers (packet dropped)";
659 description "no protecting SA (packet dropped)";
665 description "no Encrypting SA (packet dropped)";
669 counters ah_encrypt {
674 description "AH pkts received";
676 crypto_engine_error {
680 description "crypto engine error (packet dropped)";
686 description "sequence number cycled (packet dropped)";
690 counters ah_decrypt {
695 description "AH pkts received";
701 description "AH decryption failed";
707 description "Integrity check failed";
713 description "not enough buffer tail space (dropped)";
719 description "IP fragments drop";
725 description "SA replayed packet";
734 description "good packets received";
740 description "ipsec packets received on disabled interface";
746 description "no matching tunnel";
752 description "SPI-tunnel mismatch";
758 description "NAT Keepalive";
764 description "Too Short";
775 "/err/esp4-encrypt" "esp_encrypt";
776 "/err/esp4-encrypt-post" "esp_encrypt";
777 "/err/esp4-encrypt-tun" "esp_encrypt";
778 "/err/esp4-encrypt-tun-post" "esp_encrypt";
779 "/err/esp6-encrypt" "esp_encrypt";
780 "/err/esp6-encrypt-post" "esp_encrypt";
781 "/err/esp6-encrypt-tun" "esp_encrypt";
782 "/err/esp6-encrypt-tun-post" "esp_encrypt";
783 "/err/esp-mpls-encrypt-tun" "esp_encrypt";
784 "/err/esp-mpls-encrypt-tun-post" "esp_encrypt";
785 "/err/esp4-decrypt" "esp_decrypt";
786 "/err/esp4-decrypt-post" "esp_decrypt";
787 "/err/esp4-decrypt-tun" "esp_decrypt";
788 "/err/esp4-decrypt-tun-post" "esp_decrypt";
789 "/err/esp6-decrypt" "esp_decrypt";
790 "/err/esp6-decrypt-post" "esp_decrypt";
791 "/err/esp6-decrypt-tun" "esp_decrypt";
792 "/err/esp6-decrypt-tun-post" "esp_decrypt";
793 "/err/ah4-encrypt" "ah_encrypt";
794 "/err/ah6-encrypt" "ah_encrypt";
795 "/err/ipsec4-tun-input" "ipsec_tun";
796 "/err/ipsec6-tun-input" "ipsec_tun";
801 * eval: (c-set-style "gnu")