1 /* Hey Emacs use -*- mode: C -*- */
3 * Copyright (c) 2015-2016 Cisco and/or its affiliates.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 option version = "3.0.1";
19 import "vnet/ip/ip_types.api";
20 import "vnet/tunnel/tunnel_types.api";
23 * @brief Supported cryptographic algorithms
27 IPSEC_API_CRYPTO_ALG_NONE = 0,
28 IPSEC_API_CRYPTO_ALG_AES_CBC_128,
29 IPSEC_API_CRYPTO_ALG_AES_CBC_192,
30 IPSEC_API_CRYPTO_ALG_AES_CBC_256,
31 IPSEC_API_CRYPTO_ALG_AES_CTR_128,
32 IPSEC_API_CRYPTO_ALG_AES_CTR_192,
33 IPSEC_API_CRYPTO_ALG_AES_CTR_256,
34 IPSEC_API_CRYPTO_ALG_AES_GCM_128,
35 IPSEC_API_CRYPTO_ALG_AES_GCM_192,
36 IPSEC_API_CRYPTO_ALG_AES_GCM_256,
37 IPSEC_API_CRYPTO_ALG_DES_CBC,
38 IPSEC_API_CRYPTO_ALG_3DES_CBC,
39 IPSEC_API_CRYPTO_ALG_CHACHA20_POLY1305 [backwards_compatible],
40 IPSEC_API_CRYPTO_ALG_AES_NULL_GMAC_128 [backwards_compatible],
41 IPSEC_API_CRYPTO_ALG_AES_NULL_GMAC_192 [backwards_compatible],
42 IPSEC_API_CRYPTO_ALG_AES_NULL_GMAC_256 [backwards_compatible],
46 * @brief Supported Integrity Algorithms
50 IPSEC_API_INTEG_ALG_NONE = 0,
52 IPSEC_API_INTEG_ALG_MD5_96,
54 IPSEC_API_INTEG_ALG_SHA1_96,
55 /* draft-ietf-ipsec-ciph-sha-256-00 */
56 IPSEC_API_INTEG_ALG_SHA_256_96,
58 IPSEC_API_INTEG_ALG_SHA_256_128,
60 IPSEC_API_INTEG_ALG_SHA_384_192,
62 IPSEC_API_INTEG_ALG_SHA_512_256,
67 IPSEC_API_SAD_FLAG_NONE = 0,
68 /* Enable extended sequence numbers */
69 IPSEC_API_SAD_FLAG_USE_ESN = 0x01,
70 /* Enable Anti-replay */
71 IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY = 0x02,
72 /* IPsec tunnel mode if non-zero, else transport mode */
73 IPSEC_API_SAD_FLAG_IS_TUNNEL = 0x04,
74 /* IPsec tunnel mode is IPv6 if non-zero, else IPv4.
75 * Only valid if is_tunnel is non-zero.
76 * DEPRECATED - the user does not need to set this; it is
77 * derived from the tunnel's address types.
79 IPSEC_API_SAD_FLAG_IS_TUNNEL_V6 = 0x08,
80 /* enable UDP encapsulation for NAT traversal */
81 IPSEC_API_SAD_FLAG_UDP_ENCAP = 0x10,
82 /* IPsec SA is for inbound traffic */
83 IPSEC_API_SAD_FLAG_IS_INBOUND = 0x40,
84 /* IPsec SA uses an Async driver */
85 IPSEC_API_SAD_FLAG_ASYNC = 0x80 [backwards_compatible],
90 IPSEC_API_PROTO_ESP = 50,
91 IPSEC_API_PROTO_AH = 51,
96 /* the length of the key */
98 /* The data for the key - secret keying material */
102 enum ipsec_spd_action
104 /* bypass - no IPsec processing */
105 IPSEC_API_SPD_ACTION_BYPASS = 0,
106 /* discard - discard packet with ICMP processing */
107 IPSEC_API_SPD_ACTION_DISCARD,
108 /* resolve - send request to control plane for SA resolving */
109 IPSEC_API_SPD_ACTION_RESOLVE,
110 /* protect - apply IPsec policy using following parameters */
111 IPSEC_API_SPD_ACTION_PROTECT,
114 /** \brief IPsec: Security Policy Database entry
116 See RFC 4301, 4.4.1.1 on how to match packet to selectors
118 @param spd_id - SPD instance id (control plane allocated)
119 @param priority - priority of SPD entry (non-unique value). Used to order SPD matching - higher priorities match before lower
120 @param is_outbound - entry applies to outbound traffic if non-zero, otherwise applies to inbound traffic
121 @param remote_address_start - start of remote address range to match
122 @param remote_address_stop - end of remote address range to match
123 @param local_address_start - start of local address range to match
124 @param local_address_stop - end of local address range to match
125 @param protocol - protocol type to match [0 means any] otherwise IANA value
126 @param remote_port_start - start of remote port range to match ...
127 @param remote_port_stop - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
128 @param local_port_start - start of local port range to match ...
129 @param local_port_stop - end of local port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
130 @param policy - action to perform on match
131 @param sa_id - SAD instance id (control plane allocated)
133 typedef ipsec_spd_entry
140 vl_api_ipsec_spd_action_t policy;
141 /* Which protocol?? */
145 vl_api_address_t remote_address_start;
146 vl_api_address_t remote_address_stop;
147 vl_api_address_t local_address_start;
148 vl_api_address_t local_address_stop;
150 u16 remote_port_start;
151 u16 remote_port_stop;
152 u16 local_port_start;
156 /** \brief IPsec: Security Policy Database entry v2
158 See RFC 4301, 4.4.1.1 on how to match packet to selectors
160 @param spd_id - SPD instance id (control plane allocated)
161 @param priority - priority of SPD entry (non-unique value). Used to order SPD matching - higher priorities match before lower
162 @param is_outbound - entry applies to outbound traffic if non-zero, otherwise applies to inbound traffic
163 @param remote_address_start - start of remote address range to match
164 @param remote_address_stop - end of remote address range to match
165 @param local_address_start - start of local address range to match
166 @param local_address_stop - end of local address range to match
167 @param protocol - protocol type to match [255 means any] otherwise IANA value
168 @param remote_port_start - start of remote port range to match ...
169 @param remote_port_stop - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
170 @param local_port_start - start of local port range to match ...
171 @param local_port_stop - end of local port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
172 @param policy - action to perform on match
173 @param sa_id - SAD instance id (control plane allocated)
175 typedef ipsec_spd_entry_v2
182 vl_api_ipsec_spd_action_t policy;
186 vl_api_address_t remote_address_start;
187 vl_api_address_t remote_address_stop;
188 vl_api_address_t local_address_start;
189 vl_api_address_t local_address_stop;
191 u16 remote_port_start;
192 u16 remote_port_stop;
193 u16 local_port_start;
198 /** \brief IPsec: Security Association Database entry
199 @param sad_id - sad id
200 @param spi - security parameter index
201 @param protocol - IPsec protocol, an ipsec_proto value (IPSEC_API_PROTO_ESP = 50, IPSEC_API_PROTO_AH = 51)
202 @param crypto_algorithm - a supported crypto algorithm
203 @param crypto_key - crypto keying material
204 @param integrity_algorithm - one of the supported algorithms
205 @param integrity_key - integrity keying material
206 @param flags - SA flags (see ipsec_sad_flags above)
207 @param tunnel_src_address - IPsec tunnel source address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero
208 @param tunnel_dst_address - IPsec tunnel destination address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero
209 @param tx_table_id - the FIB id used for encapsulated packets
210 @param salt - for use with counter mode ciphers
211 @param udp_src_port - If using UDP Encapsulation, use this source port for
212 TX. It is ignored for RX.
213 @param udp_dst_port - If using UDP Encapsulation, use this destination port
214 for TX. Expect traffic on this port for RX.
215 @param tunnel_flags - Flags controlling the copying of encap/decap values
216 @param dscp - Fixed DSCP value for tunnel encap
219 typedef ipsec_sad_entry
225 vl_api_ipsec_proto_t protocol;
227 vl_api_ipsec_crypto_alg_t crypto_algorithm;
228 vl_api_key_t crypto_key;
230 vl_api_ipsec_integ_alg_t integrity_algorithm;
231 vl_api_key_t integrity_key;
233 vl_api_ipsec_sad_flags_t flags;
235 vl_api_address_t tunnel_src;
236 vl_api_address_t tunnel_dst;
239 u16 udp_src_port [default=4500];
240 u16 udp_dst_port [default=4500];
243 typedef ipsec_sad_entry_v2
249 vl_api_ipsec_proto_t protocol;
251 vl_api_ipsec_crypto_alg_t crypto_algorithm;
252 vl_api_key_t crypto_key;
254 vl_api_ipsec_integ_alg_t integrity_algorithm;
255 vl_api_key_t integrity_key;
257 vl_api_ipsec_sad_flags_t flags;
259 vl_api_address_t tunnel_src;
260 vl_api_address_t tunnel_dst;
261 vl_api_tunnel_encap_decap_flags_t tunnel_flags;
262 vl_api_ip_dscp_t dscp;
265 u16 udp_src_port [default=4500];
266 u16 udp_dst_port [default=4500];
269 typedef ipsec_sad_entry_v3
274 vl_api_ipsec_proto_t protocol;
276 vl_api_ipsec_crypto_alg_t crypto_algorithm;
277 vl_api_key_t crypto_key;
279 vl_api_ipsec_integ_alg_t integrity_algorithm;
280 vl_api_key_t integrity_key;
282 vl_api_ipsec_sad_flags_t flags;
284 vl_api_tunnel_t tunnel;
287 u16 udp_src_port [default=4500];
288 u16 udp_dst_port [default=4500];
291 /** \brief IPsec: Security Association Database entry
292 @param sad_id - sad id
293 @param spi - security parameter index
294 @param protocol - IPsec protocol, an ipsec_proto value (IPSEC_API_PROTO_ESP = 50, IPSEC_API_PROTO_AH = 51)
295 @param crypto_algorithm - a supported crypto algorithm
296 @param crypto_key - crypto keying material
297 @param integrity_algorithm - one of the supported algorithms
298 @param integrity_key - integrity keying material
299 @param flags - SA flags (see ipsec_sad_flags above)
300 @param tunnel - tunnel description (see vnet/tunnel/tunnel_types.api)
301 @param salt - for use with counter mode ciphers
302 @param udp_src_port - If using UDP Encapsulation, use this source port for
303 TX. It is ignored for RX.
304 @param udp_dst_port - If using UDP Encapsulation, use this destination port
305 for TX. Expect traffic on this port for RX.
306 @param anti_replay_window_size - AR window size to use. The supplied value is rounded up to the nearest power of 2.
308 typedef ipsec_sad_entry_v4
313 vl_api_ipsec_proto_t protocol;
315 vl_api_ipsec_crypto_alg_t crypto_algorithm;
316 vl_api_key_t crypto_key;
318 vl_api_ipsec_integ_alg_t integrity_algorithm;
319 vl_api_key_t integrity_key;
321 vl_api_ipsec_sad_flags_t flags;
323 vl_api_tunnel_t tunnel;
326 u16 udp_src_port [default=4500];
327 u16 udp_dst_port [default=4500];
329 u32 anti_replay_window_size [default=64];
334 * eval: (c-set-style "gnu")