1 /* Hey Emacs use -*- mode: C -*- */
3 * Copyright (c) 2015-2016 Cisco and/or its affiliates.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 option version = "3.0.1";
19 import "vnet/ip/ip_types.api";
20 import "vnet/tunnel/tunnel_types.api";
* @brief Supported cryptographic algorithms
27 IPSEC_API_CRYPTO_ALG_NONE = 0,
28 IPSEC_API_CRYPTO_ALG_AES_CBC_128,
29 IPSEC_API_CRYPTO_ALG_AES_CBC_192,
30 IPSEC_API_CRYPTO_ALG_AES_CBC_256,
31 IPSEC_API_CRYPTO_ALG_AES_CTR_128,
32 IPSEC_API_CRYPTO_ALG_AES_CTR_192,
33 IPSEC_API_CRYPTO_ALG_AES_CTR_256,
34 IPSEC_API_CRYPTO_ALG_AES_GCM_128,
35 IPSEC_API_CRYPTO_ALG_AES_GCM_192,
36 IPSEC_API_CRYPTO_ALG_AES_GCM_256,
37 IPSEC_API_CRYPTO_ALG_DES_CBC,
38 IPSEC_API_CRYPTO_ALG_3DES_CBC,
39 IPSEC_API_CRYPTO_ALG_CHACHA20_POLY1305 [backwards_compatible],
43 * @brief Supported Integrity Algorithms
47 IPSEC_API_INTEG_ALG_NONE = 0,
49 IPSEC_API_INTEG_ALG_MD5_96,
51 IPSEC_API_INTEG_ALG_SHA1_96,
52 /* draft-ietf-ipsec-ciph-sha-256-00 */
53 IPSEC_API_INTEG_ALG_SHA_256_96,
55 IPSEC_API_INTEG_ALG_SHA_256_128,
57 IPSEC_API_INTEG_ALG_SHA_384_192,
59 IPSEC_API_INTEG_ALG_SHA_512_256,
64 IPSEC_API_SAD_FLAG_NONE = 0,
65 /* Enable extended sequence numbers */
66 IPSEC_API_SAD_FLAG_USE_ESN = 0x01,
67 /* Enable Anti-replay */
68 IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY = 0x02,
69 /* IPsec tunnel mode if non-zero, else transport mode */
70 IPSEC_API_SAD_FLAG_IS_TUNNEL = 0x04,
71 /* IPsec tunnel mode is IPv6 if non-zero,
* else IPv4; only valid if is_tunnel is non-zero.
73 * DEPRECATED - the user does not need to set this it is
74 * derived from the tunnel's address types.
76 IPSEC_API_SAD_FLAG_IS_TUNNEL_V6 = 0x08,
77 /* enable UDP encapsulation for NAT traversal */
78 IPSEC_API_SAD_FLAG_UDP_ENCAP = 0x10,
79 /* IPsec SA is for inbound traffic */
80 IPSEC_API_SAD_FLAG_IS_INBOUND = 0x40,
81 /* IPsec SA uses an Async driver */
82 IPSEC_API_SAD_FLAG_ASYNC = 0x80 [backwards_compatible],
87 IPSEC_API_PROTO_ESP = 50,
88 IPSEC_API_PROTO_AH = 51,
93 /* the length of the key */
95 /* The data for the key */
101 /* bypass - no IPsec processing */
102 IPSEC_API_SPD_ACTION_BYPASS = 0,
103 /* discard - discard packet with ICMP processing */
104 IPSEC_API_SPD_ACTION_DISCARD,
105 /* resolve - send request to control plane for SA resolving */
106 IPSEC_API_SPD_ACTION_RESOLVE,
107 /* protect - apply IPsec policy using following parameters */
108 IPSEC_API_SPD_ACTION_PROTECT,
111 /** \brief IPsec: Security Policy Database entry
113 See RFC 4301, 4.4.1.1 on how to match packet to selectors
115 @param spd_id - SPD instance id (control plane allocated)
116 @param priority - priority of SPD entry (non-unique value). Used to order SPD matching - higher priorities match before lower
117 @param is_outbound - entry applies to outbound traffic if non-zero, otherwise applies to inbound traffic
118 @param remote_address_start - start of remote address range to match
119 @param remote_address_stop - end of remote address range to match
120 @param local_address_start - start of local address range to match
121 @param local_address_stop - end of local address range to match
122 @param protocol - protocol type to match [0 means any] otherwise IANA value
123 @param remote_port_start - start of remote port range to match ...
124 @param remote_port_stop - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
125 @param local_port_start - start of local port range to match ...
126 @param local_port_stop - end of local port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
127 @param policy - action to perform on match
128 @param sa_id - SAD instance id (control plane allocated)
130 typedef ipsec_spd_entry
137 vl_api_ipsec_spd_action_t policy;
138 /* Which protocol?? */
142 vl_api_address_t remote_address_start;
143 vl_api_address_t remote_address_stop;
144 vl_api_address_t local_address_start;
145 vl_api_address_t local_address_stop;
147 u16 remote_port_start;
148 u16 remote_port_stop;
149 u16 local_port_start;
153 /** \brief IPsec: Security Policy Database entry v2
155 See RFC 4301, 4.4.1.1 on how to match packet to selectors
157 @param spd_id - SPD instance id (control plane allocated)
158 @param priority - priority of SPD entry (non-unique value). Used to order SPD matching - higher priorities match before lower
159 @param is_outbound - entry applies to outbound traffic if non-zero, otherwise applies to inbound traffic
160 @param remote_address_start - start of remote address range to match
161 @param remote_address_stop - end of remote address range to match
162 @param local_address_start - start of local address range to match
163 @param local_address_stop - end of local address range to match
164 @param protocol - protocol type to match [255 means any] otherwise IANA value
165 @param remote_port_start - start of remote port range to match ...
166 @param remote_port_stop - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
167 @param local_port_start - start of local port range to match ...
168 @param local_port_stop - end of local port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
169 @param policy - action to perform on match
170 @param sa_id - SAD instance id (control plane allocated)
172 typedef ipsec_spd_entry_v2
179 vl_api_ipsec_spd_action_t policy;
183 vl_api_address_t remote_address_start;
184 vl_api_address_t remote_address_stop;
185 vl_api_address_t local_address_start;
186 vl_api_address_t local_address_stop;
188 u16 remote_port_start;
189 u16 remote_port_stop;
190 u16 local_port_start;
195 /** \brief IPsec: Security Association Database entry
196 @param client_index - opaque cookie to identify the sender
197 @param context - sender context, to match reply w/ request
198 @param is_add - add SAD entry if non-zero, else delete
199 @param sad_id - sad id
200 @param spi - security parameter index
201 @param protocol - IPsec protocol (vl_api_ipsec_proto_t): IPSEC_API_PROTO_ESP = 50, IPSEC_API_PROTO_AH = 51
202 @param crypto_algorithm - a supported crypto algorithm
203 @param crypto_key - crypto keying material
204 @param integrity_algorithm - one of the supported algorithms
205 @param integrity_key - integrity keying material
206 @param tunnel_src_address - IPsec tunnel source address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero
207 @param tunnel_dst_address - IPsec tunnel destination address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero
208 @param tx_table_id - the FIB id used for encapsulated packets
209 @param salt - for use with counter mode ciphers
210 @param udp_src_port - If using UDP Encapsulation, use this source port for
211 TX. It is ignored for RX.
212 @param udp_dst_port - If using UDP Encapsulation, use this destination port
213 for TX. Expect traffic on this port for RX.
214 @param tunnel_flags - Flags controlling the copying of encap/decap value
215 @param dscp - Fixed DSCP value for tunnel encap
218 typedef ipsec_sad_entry
224 vl_api_ipsec_proto_t protocol;
226 vl_api_ipsec_crypto_alg_t crypto_algorithm;
227 vl_api_key_t crypto_key;
229 vl_api_ipsec_integ_alg_t integrity_algorithm;
230 vl_api_key_t integrity_key;
232 vl_api_ipsec_sad_flags_t flags;
234 vl_api_address_t tunnel_src;
235 vl_api_address_t tunnel_dst;
238 u16 udp_src_port [default=4500];
239 u16 udp_dst_port [default=4500];
242 typedef ipsec_sad_entry_v2
248 vl_api_ipsec_proto_t protocol;
250 vl_api_ipsec_crypto_alg_t crypto_algorithm;
251 vl_api_key_t crypto_key;
253 vl_api_ipsec_integ_alg_t integrity_algorithm;
254 vl_api_key_t integrity_key;
256 vl_api_ipsec_sad_flags_t flags;
258 vl_api_address_t tunnel_src;
259 vl_api_address_t tunnel_dst;
260 vl_api_tunnel_encap_decap_flags_t tunnel_flags;
261 vl_api_ip_dscp_t dscp;
264 u16 udp_src_port [default=4500];
265 u16 udp_dst_port [default=4500];
268 typedef ipsec_sad_entry_v3
273 vl_api_ipsec_proto_t protocol;
275 vl_api_ipsec_crypto_alg_t crypto_algorithm;
276 vl_api_key_t crypto_key;
278 vl_api_ipsec_integ_alg_t integrity_algorithm;
279 vl_api_key_t integrity_key;
281 vl_api_ipsec_sad_flags_t flags;
283 vl_api_tunnel_t tunnel;
286 u16 udp_src_port [default=4500];
287 u16 udp_dst_port [default=4500];
293 * eval: (c-set-style "gnu")