1 /* Hey Emacs use -*- mode: C -*- */
3 * Copyright (c) 2015-2016 Cisco and/or its affiliates.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 option version = "5.0.2";
19 import "vnet/ipsec/ipsec_types.api";
20 import "vnet/interface_types.api";
21 import "vnet/ip/ip_types.api";
22 import "vnet/interface_types.api";
23 import "vnet/tunnel/tunnel_types.api";
25 /** \brief IPsec: Add/delete Security Policy Database
26 @param client_index - opaque cookie to identify the sender
27 @param context - sender context, to match reply w/ request
28 @param is_add - add SPD if non-zero, else delete
29 @param spd_id - SPD instance id (control plane allocated)
32 autoreply define ipsec_spd_add_del
40 /** \brief IPsec: Add/delete SPD from interface
42 @param client_index - opaque cookie to identify the sender
43 @param context - sender context, to match reply w/ request
44 @param is_add - add security mode if non-zero, else delete
45 @param sw_if_index - index of the interface
46 @param spd_id - SPD instance id to use for lookups
50 autoreply define ipsec_interface_add_del_spd
56 vl_api_interface_index_t sw_if_index;
60 /** \brief IPsec: Add/delete Security Policy Database entry
62 @param client_index - opaque cookie to identify the sender
63 @param context - sender context, to match reply w/ request
64 @param is_add - add SPD if non-zero, else delete
65 @param entry - Description of the entry to add/delete
67 define ipsec_spd_entry_add_del
73 vl_api_ipsec_spd_entry_t entry;
76 /** \brief IPsec: Add/delete Security Policy Database entry v2
78 @param client_index - opaque cookie to identify the sender
79 @param context - sender context, to match reply w/ request
80 @param is_add - add SPD if non-zero, else delete
81 @param entry - Description of the entry to add/delete
83 define ipsec_spd_entry_add_del_v2
88 vl_api_ipsec_spd_entry_v2_t entry;
91 /** \brief IPsec: Reply Add/delete Security Policy Database entry
93 @param context - sender context, to match reply w/ request
94 @param retval - success/fail return code
95 @param stat_index - An index for the policy in the stats segment @ /net/ipsec/policy
97 define ipsec_spd_entry_add_del_reply
105 /** \brief IPsec: Reply Add/delete Security Policy Database entry v2
107 @param context - sender context, to match reply w/ request
108 @param retval - success/fail return code
109 @param stat_index - An index for the policy in the stats segment @ /net/ipsec/policy
111 define ipsec_spd_entry_add_del_v2_reply
118 /** \brief Dump IPsec all SPD IDs
119 @param client_index - opaque cookie to identify the sender
120 @param context - sender context, to match reply w/ request
122 define ipsec_spds_dump {
127 /** \brief Dump IPsec all SPD IDs response
128 @param client_index - opaque cookie to identify the sender
129 @param spd_id - SPD instance id (control plane allocated)
130 @param npolicies - number of policies in SPD
132 define ipsec_spds_details {
138 /** \brief Dump ipsec policy database data
139 @param client_index - opaque cookie to identify the sender
140 @param context - sender context, to match reply w/ request
141 @param spd_id - SPD instance id
142 @param sa_id - SA id, optional, set to ~0 to see all policies in SPD
144 define ipsec_spd_dump {
151 /** \brief IPsec policy database response
152 @param context - sender context which was passed in the request
153 @param entry - The SPD entry.
154 @param bytes - byte count of packets matching this policy
155 @param packets - count of packets matching this policy
157 define ipsec_spd_details {
159 vl_api_ipsec_spd_entry_t entry;
162 /** \brief IPsec: Add/delete Security Association Database entry
163 @param client_index - opaque cookie to identify the sender
164 @param context - sender context, to match reply w/ request
165 @param entry - Entry to add or delete
167 define ipsec_sad_entry_add_del
174 vl_api_ipsec_sad_entry_t entry;
177 define ipsec_sad_entry_add_del_v2
184 vl_api_ipsec_sad_entry_v2_t entry;
187 define ipsec_sad_entry_add_del_v3
192 vl_api_ipsec_sad_entry_v3_t entry;
194 define ipsec_sad_entry_add
198 vl_api_ipsec_sad_entry_v3_t entry;
200 autoreply define ipsec_sad_entry_del
208 /** \brief An API to bind an SAD entry to a specific worker
210 @param client_index - opaque cookie to identify the sender
211 @param context - sender context, to match reply w/ request
212 @param sa_id - the id of the SA to bind
213 @param worker - the worker's index to which the SA will be bound to
215 autoreply define ipsec_sad_bind
223 autoreply define ipsec_sad_unbind
230 /** \brief An API to update the tunnel parameters and the ports associated with an SA
232 Used in the NAT-T case when the NAT data changes
233 @param client_index - opaque cookie to identify the sender
234 @param context - sender context, to match reply w/ request
235 @param sa_id - the id of the SA to update
236 @param is_tun - update the tunnel if non-zero, else update only the ports
237 @param tunnel - new tunnel parameters for the SA, applied when is_tun is non-zero
238 @param udp_src_port - new src port for NAT-T. Used if different from 0xffff
239 @param udp_dst_port - new dst port for NAT-T. Used if different from 0xffff
241 autoreply define ipsec_sad_entry_update
247 vl_api_tunnel_t tunnel;
248 u16 udp_src_port [default=0xffff];
249 u16 udp_dst_port [default=0xffff];
252 define ipsec_sad_entry_add_del_reply
261 define ipsec_sad_entry_add_del_v2_reply
270 define ipsec_sad_entry_add_del_v3_reply
276 define ipsec_sad_entry_add_reply
283 /** \brief Add or Update Protection for a tunnel with IPSEC
285 Tunnel protection directly associates an SA with all packets
286 ingress and egress on the tunnel. This could also be achieved by
287 assigning an SPD to the tunnel, but that would incur an unnecessary
290 For tunnels the ESP acts on the post-encapsulated packet. So if this
295 where O-IP is the overlay IP addresses that was routed into the tunnel,
296 the resulting encapsulated packet will be:
297 +---------+------+------+
298 | Payload | O-IP | T-IP |
299 +---------+------+------+
300 where T-IP is the tunnel's src/dst IP addresses.
301 If the SAs used for protection are in transport mode then the ESP is
302 inserted before T-IP, i.e.:
303 +---------+------+-----+------+
304 | Payload | O-IP | ESP | T-IP |
305 +---------+------+-----+------+
306 If the SAs used for protection are in tunnel mode then another
307 encapsulation occurs, i.e.:
308 +---------+------+------+-----+------+
309 | Payload | O-IP | T-IP | ESP | C-IP |
310 +---------+------+------+-----+------+
311 where C-IP are the crypto endpoint IP addresses defined as the tunnel
313 The mode for the inbound and outbound SA must be the same.
315 @param client_index - opaque cookie to identify the sender
316 @param context - sender context, to match reply w/ request
317 @param sw_if_index - Tunnel interface to protect
318 @param nh - The peer/next-hop on the tunnel to which the traffic
319 should be protected. For a P2P interface set this to the
321 @param sa_in - The ID [set] of inbound SAs
322 @param sa_out - The ID of outbound SA
324 typedef ipsec_tunnel_protect
326 vl_api_interface_index_t sw_if_index;
333 autoreply define ipsec_tunnel_protect_update
338 vl_api_ipsec_tunnel_protect_t tunnel;
341 autoreply define ipsec_tunnel_protect_del
346 vl_api_interface_index_t sw_if_index;
351 * @brief Dump all tunnel protections
353 define ipsec_tunnel_protect_dump
357 vl_api_interface_index_t sw_if_index;
360 define ipsec_tunnel_protect_details
363 vl_api_ipsec_tunnel_protect_t tun;
366 /** \brief IPsec: Get SPD interfaces
367 @param client_index - opaque cookie to identify the sender
368 @param context - sender context, to match reply w/ request
369 @param spd_index - SPD index
370 @param spd_index_valid - if 1, spd_index is used to filter the
371 returned entries by SPD index; if 0, no filtering is done
373 define ipsec_spd_interface_dump {
380 /** \brief IPsec: SPD interface response
381 @param context - sender context which was passed in the request
382 @param spd_index - SPD index
383 @param sw_if_index - index of the interface
385 define ipsec_spd_interface_details {
388 vl_api_interface_index_t sw_if_index;
393 u32 user_instance [default=0xffffffff];
394 vl_api_tunnel_mode_t mode;
395 vl_api_interface_index_t sw_if_index;
398 /** \brief Create an IPSec interface
400 define ipsec_itf_create {
403 vl_api_ipsec_itf_t itf;
406 /** \brief Add IPsec interface response
407 @param context - sender context, to match reply w/ request
408 @param retval - return status
409 @param sw_if_index - sw_if_index of new interface (for successful add)
411 define ipsec_itf_create_reply
415 vl_api_interface_index_t sw_if_index;
418 autoreply define ipsec_itf_delete
422 vl_api_interface_index_t sw_if_index;
425 define ipsec_itf_dump
429 vl_api_interface_index_t sw_if_index;
432 define ipsec_itf_details
435 vl_api_ipsec_itf_t itf;
438 /** \brief Dump IPsec security association
439 @param client_index - opaque cookie to identify the sender
440 @param context - sender context, to match reply w/ request
441 @param sa_id - optional ID of an SA to dump, if ~0 dump all SAs in SAD
451 define ipsec_sa_v2_dump
459 define ipsec_sa_v3_dump
465 define ipsec_sa_v4_dump
472 /** \brief IPsec security association database response
473 @param context - sender context which was passed in the request
474 @param entry - The SA details
475 @param sw_if_index - sw_if_index of tunnel interface, policy-based SAs = ~0
476 @param salt - 4 byte salt
477 @param seq - current sequence number for outbound
478 @param seq_hi - high 32 bits of ESN for outbound
479 @param last_seq - highest sequence number received inbound
480 @param last_seq_hi - high 32 bits of highest ESN received inbound
481 @param replay_window - bit map of seq nums received relative to last_seq if using anti-replay
482 @param stat_index - index for the SA in the stats segment @ /net/ipsec/sa
484 define ipsec_sa_details {
488 vl_api_ipsec_sad_entry_t entry;
490 vl_api_interface_index_t sw_if_index;
493 u64 last_seq_inbound;
498 define ipsec_sa_v2_details {
502 vl_api_ipsec_sad_entry_v2_t entry;
504 vl_api_interface_index_t sw_if_index;
507 u64 last_seq_inbound;
512 define ipsec_sa_v3_details {
514 vl_api_ipsec_sad_entry_v3_t entry;
516 vl_api_interface_index_t sw_if_index;
518 u64 last_seq_inbound;
523 define ipsec_sa_v4_details {
525 vl_api_ipsec_sad_entry_v3_t entry;
527 vl_api_interface_index_t sw_if_index;
529 u64 last_seq_inbound;
536 /** \brief Dump IPsec backends
537 @param client_index - opaque cookie to identify the sender
538 @param context - sender context, to match reply w/ request
540 define ipsec_backend_dump {
545 /** \brief IPsec backend details
546 @param name - name of the backend
547 @param protocol - IPsec protocol (value from ipsec_protocol_t)
548 @param index - backend index
549 @param active - set to 1 if the backend is active, otherwise 0
551 define ipsec_backend_details {
554 vl_api_ipsec_proto_t protocol;
559 /** \brief Select IPsec backend
560 @param client_index - opaque cookie to identify the sender
561 @param context - sender context, to match reply w/ request
562 @param protocol - IPsec protocol (value from ipsec_protocol_t)
563 @param index - backend index
565 autoreply define ipsec_select_backend {
568 vl_api_ipsec_proto_t protocol;
573 /** \brief IPsec Set Async mode
574 @param client_index - opaque cookie to identify the sender
575 @param context - sender context, to match reply w/ request
576 @param async_enable - ipsec async mode on or off
578 autoreply define ipsec_set_async_mode {
584 counters esp_decrypt {
589 description "ESP pkts received";
595 description "ESP-POST pkts received";
601 description "hand-off";
607 description "ESP decryption failed";
613 description "integrity check failed";
615 crypto_engine_error {
619 description "crypto engine error (packet dropped)";
625 description "SA replayed packet";
631 description "undersized packet";
637 description "no buffers (packet dropped)";
643 description "buffer with oversized header (dropped)";
649 description "no enough buffer tail space (dropped)";
655 description "no tunnel protocol";
661 description "unsupported payload";
667 description "no available frame (packet dropped)";
671 counters esp_encrypt {
676 description "ESP pkts received";
682 description "ESP-post pkts received";
688 description "Hand-off";
694 description "sequence number cycled (packet dropped)";
696 crypto_engine_error {
700 description "crypto engine error (packet dropped)";
706 description "crypto queue full (packet dropped)";
712 description "no buffers (packet dropped)";
718 description "no protecting SA (packet dropped)";
724 description "no Encrypting SA (packet dropped)";
730 description "no available frame (packet dropped)";
734 counters ah_encrypt {
739 description "AH pkts received";
741 crypto_engine_error {
745 description "crypto engine error (packet dropped)";
751 description "sequence number cycled (packet dropped)";
755 counters ah_decrypt {
760 description "AH pkts received";
766 description "AH decryption failed";
772 description "Integrity check failed";
778 description "not enough buffer tail space (dropped)";
784 description "IP fragments drop";
790 description "SA replayed packet";
799 description "good packets received";
805 description "ipsec packets received on disabled interface";
811 description "no matching tunnel";
817 description "SPI-tunnel mismatch";
823 description "NAT Keepalive";
829 description "Too Short";
840 "/err/esp4-encrypt" "esp_encrypt";
841 "/err/esp4-encrypt-post" "esp_encrypt";
842 "/err/esp4-encrypt-tun" "esp_encrypt";
843 "/err/esp4-encrypt-tun-post" "esp_encrypt";
844 "/err/esp6-encrypt" "esp_encrypt";
845 "/err/esp6-encrypt-post" "esp_encrypt";
846 "/err/esp6-encrypt-tun" "esp_encrypt";
847 "/err/esp6-encrypt-tun-post" "esp_encrypt";
848 "/err/esp-mpls-encrypt-tun" "esp_encrypt";
849 "/err/esp-mpls-encrypt-tun-post" "esp_encrypt";
850 "/err/esp4-decrypt" "esp_decrypt";
851 "/err/esp4-decrypt-post" "esp_decrypt";
852 "/err/esp4-decrypt-tun" "esp_decrypt";
853 "/err/esp4-decrypt-tun-post" "esp_decrypt";
854 "/err/esp6-decrypt" "esp_decrypt";
855 "/err/esp6-decrypt-post" "esp_decrypt";
856 "/err/esp6-decrypt-tun" "esp_decrypt";
857 "/err/esp6-decrypt-tun-post" "esp_decrypt";
858 "/err/ah4-encrypt" "ah_encrypt";
859 "/err/ah6-encrypt" "ah_encrypt";
860 "/err/ipsec4-tun-input" "ipsec_tun";
861 "/err/ipsec6-tun-input" "ipsec_tun";
866 * eval: (c-set-style "gnu")