1 /* Hey Emacs use -*- mode: C -*- */
3 * Copyright (c) 2015-2016 Cisco and/or its affiliates.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 option version = "5.0.2";
19 import "vnet/ipsec/ipsec_types.api";
20 import "vnet/interface_types.api";
21 import "vnet/ip/ip_types.api";
22 import "vnet/interface_types.api";
23 import "vnet/tunnel/tunnel_types.api";
25 /** \brief IPsec: Add/delete Security Policy Database
26 @param client_index - opaque cookie to identify the sender
27 @param context - sender context, to match reply w/ request
28 @param is_add - add SPD if non-zero, else delete
29 @param spd_id - SPD instance id (control plane allocated)
32 autoreply define ipsec_spd_add_del
40 /** \brief IPsec: Add/delete SPD from interface
42 @param client_index - opaque cookie to identify the sender
43 @param context - sender context, to match reply w/ request
44 @param is_add - add security mode if non-zero, else delete
45 @param sw_if_index - index of the interface
46 @param spd_id - SPD instance id to use for lookups
50 autoreply define ipsec_interface_add_del_spd
56 vl_api_interface_index_t sw_if_index;
60 /** \brief IPsec: Add/delete Security Policy Database entry
62 @param client_index - opaque cookie to identify the sender
63 @param context - sender context, to match reply w/ request
64 @param is_add - add SPD entry if non-zero, else delete
65 @param entry - Description of the entry to add/del
67 define ipsec_spd_entry_add_del
73 vl_api_ipsec_spd_entry_t entry;
76 /** \brief IPsec: Add/delete Security Policy Database entry v2
78 @param client_index - opaque cookie to identify the sender
79 @param context - sender context, to match reply w/ request
80 @param is_add - add SPD entry if non-zero, else delete
81 @param entry - Description of the entry to add/del
83 define ipsec_spd_entry_add_del_v2
88 vl_api_ipsec_spd_entry_v2_t entry;
91 /** \brief IPsec: Reply Add/delete Security Policy Database entry
93 @param context - sender context, to match reply w/ request
94 @param retval - success/fail return code
95 @param stat_index - An index for the policy in the stats segment @ /net/ipsec/policy
97 define ipsec_spd_entry_add_del_reply
105 /** \brief IPsec: Reply Add/delete Security Policy Database entry v2
107 @param context - sender context, to match reply w/ request
108 @param retval - success/fail return code
109 @param stat_index - An index for the policy in the stats segment @ /net/ipsec/policy
111 define ipsec_spd_entry_add_del_v2_reply
118 /** \brief Dump IPsec all SPD IDs
119 @param client_index - opaque cookie to identify the sender
120 @param context - sender context, to match reply w/ request
122 define ipsec_spds_dump {
127 /** \brief Dump IPsec all SPD IDs response
128 @param client_index - opaque cookie to identify the sender
129 @param spd_id - SPD instance id (control plane allocated)
130 @param npolicies - number of policies in SPD
132 define ipsec_spds_details {
138 /** \brief Dump ipsec policy database data
139 @param client_index - opaque cookie to identify the sender
140 @param context - sender context, to match reply w/ request
141 @param spd_id - SPD instance id
142 @param sa_id - SA id, optional, set to ~0 to see all policies in SPD
144 define ipsec_spd_dump {
151 /** \brief IPsec policy database response
152 @param context - sender context which was passed in the request
153 @param entry - The SPD entry.
154 @param bytes - byte count of packets matching this policy
155 @param packets - count of packets matching this policy
157 define ipsec_spd_details {
159 vl_api_ipsec_spd_entry_t entry;
162 /** \brief IPsec: Add/delete Security Association Database entry
163 @param client_index - opaque cookie to identify the sender
164 @param context - sender context, to match reply w/ request
165 @param entry - Entry to add or delete
167 define ipsec_sad_entry_add_del
173 vl_api_ipsec_sad_entry_t entry;
176 define ipsec_sad_entry_add_del_v2
181 vl_api_ipsec_sad_entry_v2_t entry;
184 define ipsec_sad_entry_add_del_v3
189 vl_api_ipsec_sad_entry_v3_t entry;
191 define ipsec_sad_entry_add
195 vl_api_ipsec_sad_entry_v3_t entry;
197 autoreply define ipsec_sad_entry_del
205 /** \brief An API to bind an SAD entry to a specific worker
207 @param client_index - opaque cookie to identify the sender
208 @param context - sender context, to match reply w/ request
209 @param sa_id - the id of the SA to bind
210 @param worker - the worker's index to which the SA will be bound to
212 autoreply define ipsec_sad_bind
220 autoreply define ipsec_sad_unbind
227 /** \brief An API to update the tunnel parameters and the ports associated with an SA
229 Used in the NAT-T case when the NAT data changes
230 @param client_index - opaque cookie to identify the sender
231 @param context - sender context, to match reply w/ request
232 @param sa_id - the id of the SA to update
233 @param is_tun - update the tunnel if non-zero, else update only the ports
234 @param tunnel - the new tunnel parameters, applied when is_tun is non-zero
235 @param udp_src_port - new src port for NAT-T. Used if different from 0xffff
236 @param udp_dst_port - new dst port for NAT-T. Used if different from 0xffff
238 autoreply define ipsec_sad_entry_update
244 vl_api_tunnel_t tunnel;
245 u16 udp_src_port [default=0xffff];
246 u16 udp_dst_port [default=0xffff];
249 define ipsec_sad_entry_add_del_reply
257 define ipsec_sad_entry_add_del_v2_reply
264 define ipsec_sad_entry_add_del_v3_reply
270 define ipsec_sad_entry_add_reply
277 /** \brief Add or Update Protection for a tunnel with IPSEC
279 Tunnel protection directly associates an SA with all packets
280 ingress and egress on the tunnel. This could also be achieved by
281 assigning an SPD to the tunnel, but that would incur an unnecessary
284 For tunnels the ESP acts on the post-encapsulated packet. So if this
289 where O-IP is the overlay IP address that was routed into the tunnel,
290 the resulting encapsulated packet will be:
291 +---------+------+------+
292 | Payload | O-IP | T-IP |
293 +---------+------+------+
294 where T-IP is the tunnel's src/dst IP addresses.
295 If the SAs used for protection are in transport mode then the ESP is
296 inserted before T-IP, i.e.:
297 +---------+------+-----+------+
298 | Payload | O-IP | ESP | T-IP |
299 +---------+------+-----+------+
300 If the SAs used for protection are in tunnel mode then another
301 encapsulation occurs, i.e.:
302 +---------+------+------+-----+------+
303 | Payload | O-IP | T-IP | ESP | C-IP |
304 +---------+------+------+-----+------+
305 where C-IP are the crypto endpoint IP addresses defined as the tunnel
307 The mode for the inbound and outbound SA must be the same.
309 @param client_index - opaque cookie to identify the sender
310 @param context - sender context, to match reply w/ request
311 @param sw_if_index - Tunnel interface to protect
312 @param nh - The peer/next-hop on the tunnel to which the traffic
313 should be protected. For a P2P interface set this to the
315 @param sa_in - The ID [set] of inbound SAs
316 @param sa_out - The ID of outbound SA
318 typedef ipsec_tunnel_protect
320 vl_api_interface_index_t sw_if_index;
327 autoreply define ipsec_tunnel_protect_update
332 vl_api_ipsec_tunnel_protect_t tunnel;
335 autoreply define ipsec_tunnel_protect_del
340 vl_api_interface_index_t sw_if_index;
345 * @brief Dump all tunnel protections
347 define ipsec_tunnel_protect_dump
351 vl_api_interface_index_t sw_if_index;
354 define ipsec_tunnel_protect_details
357 vl_api_ipsec_tunnel_protect_t tun;
360 /** \brief IPsec: Get SPD interfaces
361 @param client_index - opaque cookie to identify the sender
362 @param context - sender context, to match reply w/ request
363 @param spd_index - SPD index
364 @param spd_index_valid - if 1 spd_index is used to filter
365 spd_index's, if 0 no filtering is done
367 define ipsec_spd_interface_dump {
374 /** \brief IPsec: SPD interface response
375 @param context - sender context which was passed in the request
376 @param spd_index - SPD index
377 @param sw_if_index - index of the interface
379 define ipsec_spd_interface_details {
382 vl_api_interface_index_t sw_if_index;
387 u32 user_instance [default=0xffffffff];
388 vl_api_tunnel_mode_t mode;
389 vl_api_interface_index_t sw_if_index;
392 /** \brief Create an IPSec interface
394 define ipsec_itf_create {
397 vl_api_ipsec_itf_t itf;
400 /** \brief Add IPsec interface interface response
401 @param context - sender context, to match reply w/ request
402 @param retval - return status
403 @param sw_if_index - sw_if_index of new interface (for successful add)
405 define ipsec_itf_create_reply
409 vl_api_interface_index_t sw_if_index;
412 autoreply define ipsec_itf_delete
416 vl_api_interface_index_t sw_if_index;
419 define ipsec_itf_dump
423 vl_api_interface_index_t sw_if_index;
426 define ipsec_itf_details
429 vl_api_ipsec_itf_t itf;
432 /** \brief Dump IPsec security association
433 @param client_index - opaque cookie to identify the sender
434 @param context - sender context, to match reply w/ request
435 @param sa_id - optional ID of an SA to dump, if ~0 dump all SAs in SAD
444 define ipsec_sa_v2_dump
450 define ipsec_sa_v3_dump
456 define ipsec_sa_v4_dump
463 /** \brief IPsec security association database response
464 @param context - sender context which was passed in the request
465 @param entry - The SA details
466 @param sw_if_index - sw_if_index of tunnel interface, policy-based SAs = ~0
467 @param salt - 4 byte salt
468 @param seq - current sequence number for outbound
469 @param seq_hi - high 32 bits of ESN for outbound
470 @param last_seq - highest sequence number received inbound
471 @param last_seq_hi - high 32 bits of highest ESN received inbound
472 @param replay_window - bit map of seq nums received relative to last_seq if using anti-replay
473 @param stat_index - index for the SA in the stats segment @ /net/ipsec/sa
475 define ipsec_sa_details {
478 vl_api_ipsec_sad_entry_t entry;
480 vl_api_interface_index_t sw_if_index;
483 u64 last_seq_inbound;
488 define ipsec_sa_v2_details {
490 vl_api_ipsec_sad_entry_v2_t entry;
492 vl_api_interface_index_t sw_if_index;
495 u64 last_seq_inbound;
500 define ipsec_sa_v3_details {
502 vl_api_ipsec_sad_entry_v3_t entry;
504 vl_api_interface_index_t sw_if_index;
506 u64 last_seq_inbound;
511 define ipsec_sa_v4_details {
513 vl_api_ipsec_sad_entry_v3_t entry;
515 vl_api_interface_index_t sw_if_index;
517 u64 last_seq_inbound;
524 /** \brief Dump IPsec backends
525 @param client_index - opaque cookie to identify the sender
526 @param context - sender context, to match reply w/ request
528 define ipsec_backend_dump {
533 /** \brief IPsec backend details
534 @param name - name of the backend
535 @param protocol - IPsec protocol (value from ipsec_protocol_t)
536 @param index - backend index
537 @param active - set to 1 if the backend is active, otherwise 0
539 define ipsec_backend_details {
542 vl_api_ipsec_proto_t protocol;
547 /** \brief Select IPsec backend
548 @param client_index - opaque cookie to identify the sender
549 @param context - sender context, to match reply w/ request
550 @param protocol - IPsec protocol (value from ipsec_protocol_t)
551 @param index - backend index
553 autoreply define ipsec_select_backend {
556 vl_api_ipsec_proto_t protocol;
561 /** \brief IPsec Set Async mode
562 @param client_index - opaque cookie to identify the sender
563 @param context - sender context, to match reply w/ request
564 @param async_enable - ipsec async mode on or off
566 autoreply define ipsec_set_async_mode {
572 counters esp_decrypt {
577 description "ESP pkts received";
583 description "ESP-POST pkts received";
589 description "hand-off";
595 description "ESP decryption failed";
601 description "integrity check failed";
603 crypto_engine_error {
607 description "crypto engine error (packet dropped)";
613 description "SA replayed packet";
619 description "undersized packet";
625 description "no buffers (packet dropped)";
631 description "buffer with oversized header (dropped)";
637 description "no enough buffer tail space (dropped)";
643 description "no tunnel protocol";
649 description "unsupported payload";
655 description "no available frame (packet dropped)";
659 counters esp_encrypt {
664 description "ESP pkts received";
670 description "ESP-post pkts received";
676 description "Hand-off";
682 description "sequence number cycled (packet dropped)";
684 crypto_engine_error {
688 description "crypto engine error (packet dropped)";
694 description "crypto queue full (packet dropped)";
700 description "no buffers (packet dropped)";
706 description "no protecting SA (packet dropped)";
712 description "no Encrypting SA (packet dropped)";
718 description "no available frame (packet dropped)";
722 counters ah_encrypt {
727 description "AH pkts received";
729 crypto_engine_error {
733 description "crypto engine error (packet dropped)";
739 description "sequence number cycled (packet dropped)";
743 counters ah_decrypt {
748 description "AH pkts received";
754 description "AH decryption failed";
760 description "Integrity check failed";
766 description "not enough buffer tail space (dropped)";
772 description "IP fragments drop";
778 description "SA replayed packet";
787 description "good packets received";
793 description "ipsec packets received on disabled interface";
799 description "no matching tunnel";
805 description "SPI-tunnel mismatch";
811 description "NAT Keepalive";
817 description "Too Short";
828 "/err/esp4-encrypt" "esp_encrypt";
829 "/err/esp4-encrypt-post" "esp_encrypt";
830 "/err/esp4-encrypt-tun" "esp_encrypt";
831 "/err/esp4-encrypt-tun-post" "esp_encrypt";
832 "/err/esp6-encrypt" "esp_encrypt";
833 "/err/esp6-encrypt-post" "esp_encrypt";
834 "/err/esp6-encrypt-tun" "esp_encrypt";
835 "/err/esp6-encrypt-tun-post" "esp_encrypt";
836 "/err/esp-mpls-encrypt-tun" "esp_encrypt";
837 "/err/esp-mpls-encrypt-tun-post" "esp_encrypt";
838 "/err/esp4-decrypt" "esp_decrypt";
839 "/err/esp4-decrypt-post" "esp_decrypt";
840 "/err/esp4-decrypt-tun" "esp_decrypt";
841 "/err/esp4-decrypt-tun-post" "esp_decrypt";
842 "/err/esp6-decrypt" "esp_decrypt";
843 "/err/esp6-decrypt-post" "esp_decrypt";
844 "/err/esp6-decrypt-tun" "esp_decrypt";
845 "/err/esp6-decrypt-tun-post" "esp_decrypt";
846 "/err/ah4-encrypt" "ah_encrypt";
847 "/err/ah6-encrypt" "ah_encrypt";
848 "/err/ipsec4-tun-input" "ipsec_tun";
849 "/err/ipsec6-tun-input" "ipsec_tun";
854 * eval: (c-set-style "gnu")