1 /* Hey Emacs use -*- mode: C -*- */
3 * Copyright (c) 2015-2016 Cisco and/or its affiliates.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 option version = "3.0.1";
19 import "vnet/ip/ip_types.api";
20 import "vnet/tunnel/tunnel_types.api";
23 * @brief Supported cryptographic algorithms. By their definitions, AES_GCM_* and
 *  CHACHA20_POLY1305 are AEAD ciphers (confidentiality plus integrity in one
 *  transform) and AES_NULL_GMAC_* is integrity-only (no confidentiality).
 *  DES_CBC and 3DES_CBC are legacy ciphers kept for interoperability only:
 *  RFC 8221 rates DES as MUST NOT and 3DES as SHOULD NOT. Prefer an AES or
 *  ChaCha20 mode for new SAs.
27 IPSEC_API_CRYPTO_ALG_NONE = 0,
28 IPSEC_API_CRYPTO_ALG_AES_CBC_128,
29 IPSEC_API_CRYPTO_ALG_AES_CBC_192,
30 IPSEC_API_CRYPTO_ALG_AES_CBC_256,
31 IPSEC_API_CRYPTO_ALG_AES_CTR_128,
32 IPSEC_API_CRYPTO_ALG_AES_CTR_192,
33 IPSEC_API_CRYPTO_ALG_AES_CTR_256,
34 IPSEC_API_CRYPTO_ALG_AES_GCM_128,
35 IPSEC_API_CRYPTO_ALG_AES_GCM_192,
36 IPSEC_API_CRYPTO_ALG_AES_GCM_256,
37 IPSEC_API_CRYPTO_ALG_DES_CBC,
38 IPSEC_API_CRYPTO_ALG_3DES_CBC,
39 IPSEC_API_CRYPTO_ALG_CHACHA20_POLY1305 [backwards_compatible],
40 IPSEC_API_CRYPTO_ALG_AES_NULL_GMAC_128 [backwards_compatible],
41 IPSEC_API_CRYPTO_ALG_AES_NULL_GMAC_192 [backwards_compatible],
42 IPSEC_API_CRYPTO_ALG_AES_NULL_GMAC_256 [backwards_compatible],
46 * @brief Supported integrity algorithms. MD5_96 and SHA1_96 are retained
 *  for interoperability only: RFC 8221 rates HMAC-MD5-96 as MUST NOT and
 *  HMAC-SHA1-96 as MUST- (being phased out). Prefer SHA_256_128 or stronger
 *  for new SAs; AEAD ciphers need no separate integrity algorithm.
50 IPSEC_API_INTEG_ALG_NONE = 0,
52 IPSEC_API_INTEG_ALG_MD5_96,
54 IPSEC_API_INTEG_ALG_SHA1_96,
55 /* draft-ietf-ipsec-ciph-sha-256-00: HMAC-SHA-256 truncated to 96 bits.
  * Non-standard; RFC 4868 (SHA_256_128 below) truncates to 128 bits.
  * Keep only for peers that require the 96-bit variant. */
56 IPSEC_API_INTEG_ALG_SHA_256_96,
58 IPSEC_API_INTEG_ALG_SHA_256_128,
60 IPSEC_API_INTEG_ALG_SHA_384_192,
62 IPSEC_API_INTEG_ALG_SHA_512_256,
67 IPSEC_API_SAD_FLAG_NONE = 0,
68 /* Enable 64-bit extended sequence numbers (RFC 4303 ESN). Without ESN the
  * 32-bit sequence number must not wrap, so the SA has to be rekeyed before
  * 2^32 packets have been sent on it. */
69 IPSEC_API_SAD_FLAG_USE_ESN = 0x01,
70 /* Enable anti-replay window checking on received packets. With this off,
  * captured ESP/AH packets can be replayed to the receiver; it should be set
  * on inbound SAs unless the deployment has a specific reason not to. */
71 IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY = 0x02,
72 /* IPsec tunnel mode if non-zero, else transport mode */
73 IPSEC_API_SAD_FLAG_IS_TUNNEL = 0x04,
74 /* IPsec tunnel is IPv6 if non-zero, else IPv4; only meaningful when
 * IPSEC_API_SAD_FLAG_IS_TUNNEL is set.
 * DEPRECATED - the user does not need to set this; it is derived from
 * the tunnel's address types.
79 IPSEC_API_SAD_FLAG_IS_TUNNEL_V6 = 0x08,
80 /* enable UDP encapsulation for NAT traversal */
81 IPSEC_API_SAD_FLAG_UDP_ENCAP = 0x10,
82 /* IPsec SA is for inbound traffic */
83 IPSEC_API_SAD_FLAG_IS_INBOUND = 0x40,
84 /* IPsec SA uses an Async driver */
85 IPSEC_API_SAD_FLAG_ASYNC = 0x80 [backwards_compatible],
90 IPSEC_API_PROTO_ESP = 50,
91 IPSEC_API_PROTO_AH = 51,
96 /* the length of the key */
98 /* The data for the key */
102 enum ipsec_spd_action
104 /* bypass - no IPsec processing */
105 IPSEC_API_SPD_ACTION_BYPASS = 0,
106 /* discard - discard packet with ICMP processing */
107 IPSEC_API_SPD_ACTION_DISCARD,
108 /* resolve - send request to control plane for SA resolving */
109 IPSEC_API_SPD_ACTION_RESOLVE,
110 /* protect - apply IPsec policy using following parameters */
111 IPSEC_API_SPD_ACTION_PROTECT,
114 /** \brief IPsec: Security Policy Database entry
116 See RFC 4301, 4.4.1.1 on how to match packet to selectors
118 @param spd_id - SPD instance id (control plane allocated)
119 @param priority - priority of SPD entry (non-unique value). Used to order SPD matching - higher priorities match before lower
120 @param is_outbound - entry applies to outbound traffic if non-zero, otherwise applies to inbound traffic
121 @param remote_address_start - start of remote address range to match
122 @param remote_address_stop - end of remote address range to match
123 @param local_address_start - start of local address range to match
124 @param local_address_stop - end of local address range to match
125 @param protocol - protocol type to match [0 means any] otherwise IANA value
126 @param remote_port_start - start of remote port range to match ...
127 @param remote_port_stop - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
128 @param local_port_start - start of local port range to match ...
129 @param local_port_stop - end of local port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
130 @param policy - action to perform on match
131 @param sa_id - SAD instance id (control plane allocated)
133 typedef ipsec_spd_entry
140 vl_api_ipsec_spd_action_t policy;
141 /* IP protocol selector (IANA protocol number); 0 matches any protocol */
145 vl_api_address_t remote_address_start;
146 vl_api_address_t remote_address_stop;
147 vl_api_address_t local_address_start;
148 vl_api_address_t local_address_stop;
150 u16 remote_port_start;
151 u16 remote_port_stop;
152 u16 local_port_start;
156 /** \brief IPsec: Security Policy Database entry v2
158 See RFC 4301, 4.4.1.1 on how to match packet to selectors
160 @param spd_id - SPD instance id (control plane allocated)
161 @param priority - priority of SPD entry (non-unique value). Used to order SPD matching - higher priorities match before lower
162 @param is_outbound - entry applies to outbound traffic if non-zero, otherwise applies to inbound traffic
163 @param remote_address_start - start of remote address range to match
164 @param remote_address_stop - end of remote address range to match
165 @param local_address_start - start of local address range to match
166 @param local_address_stop - end of local address range to match
167 @param protocol - protocol type to match [255 means any] otherwise IANA value. Note this differs from ipsec_spd_entry, where 0 is the wildcard; a v2 entry with protocol 0 matches only IPv6 hop-by-hop (protocol 0), not any protocol
168 @param remote_port_start - start of remote port range to match ...
169 @param remote_port_stop - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
170 @param local_port_start - start of local port range to match ...
171 @param local_port_stop - end of local port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
172 @param policy - action to perform on match
173 @param sa_id - SAD instance id (control plane allocated)
175 typedef ipsec_spd_entry_v2
182 vl_api_ipsec_spd_action_t policy;
186 vl_api_address_t remote_address_start;
187 vl_api_address_t remote_address_stop;
188 vl_api_address_t local_address_start;
189 vl_api_address_t local_address_stop;
191 u16 remote_port_start;
192 u16 remote_port_stop;
193 u16 local_port_start;
198 /** \brief IPsec: Security Association Database entry
199 @param client_index - opaque cookie to identify the sender
200 @param context - sender context, to match reply w/ request
201 @param is_add - add SAD entry if non-zero, else delete
202 @param sad_id - sad id
203 @param spi - security parameter index
204 @param protocol - vl_api_ipsec_proto_t: IPSEC_API_PROTO_ESP (50) or IPSEC_API_PROTO_AH (51), i.e. the IANA IP protocol number, not a 0/1 index
205 @param crypto_algorithm - a supported crypto algorithm
206 @param crypto_key - crypto keying material
207 @param integrity_algorithm - one of the supported algorithms
208 @param integrity_key - integrity keying material
209 @param tunnel_src - IPsec tunnel source address; the vl_api_address_t carries the address family (IPv4 or IPv6). Only valid if IPSEC_API_SAD_FLAG_IS_TUNNEL is set in flags
210 @param tunnel_dst - IPsec tunnel destination address; the vl_api_address_t carries the address family (IPv4 or IPv6). Only valid if IPSEC_API_SAD_FLAG_IS_TUNNEL is set in flags
211 @param tx_table_id - the FIB id used for encapsulated packets
212 @param salt - nonce salt for counter-mode and AEAD ciphers (AES_CTR_*, AES_GCM_*, CHACHA20_POLY1305, AES_NULL_GMAC_*). It forms part of the per-packet nonce and is treated as keying material (RFC 3686 / RFC 4106 derive it from the key exchange), so it must not be reused across keys
213 @param udp_src_port - If using UDP Encapsulation, use this source port for
214 TX. It is ignored for RX.
215 @param udp_dst_port - If using UDP Encapsulation, use this destination port
216 for TX. Expect traffic on this port for RX.
217 @param tunnel_flags - Flags controlling the copying of encap/decap value
218 @param dscp - Fixed DSCP value for tunnel encap
221 typedef ipsec_sad_entry
227 vl_api_ipsec_proto_t protocol;
229 vl_api_ipsec_crypto_alg_t crypto_algorithm;
230 vl_api_key_t crypto_key;
232 vl_api_ipsec_integ_alg_t integrity_algorithm;
233 vl_api_key_t integrity_key;
235 vl_api_ipsec_sad_flags_t flags;
237 vl_api_address_t tunnel_src;
238 vl_api_address_t tunnel_dst;
241 u16 udp_src_port [default=4500];
242 u16 udp_dst_port [default=4500];
245 typedef ipsec_sad_entry_v2
251 vl_api_ipsec_proto_t protocol;
253 vl_api_ipsec_crypto_alg_t crypto_algorithm;
254 vl_api_key_t crypto_key;
256 vl_api_ipsec_integ_alg_t integrity_algorithm;
257 vl_api_key_t integrity_key;
259 vl_api_ipsec_sad_flags_t flags;
261 vl_api_address_t tunnel_src;
262 vl_api_address_t tunnel_dst;
263 vl_api_tunnel_encap_decap_flags_t tunnel_flags;
264 vl_api_ip_dscp_t dscp;
267 u16 udp_src_port [default=4500];
268 u16 udp_dst_port [default=4500];
271 typedef ipsec_sad_entry_v3
276 vl_api_ipsec_proto_t protocol;
278 vl_api_ipsec_crypto_alg_t crypto_algorithm;
279 vl_api_key_t crypto_key;
281 vl_api_ipsec_integ_alg_t integrity_algorithm;
282 vl_api_key_t integrity_key;
284 vl_api_ipsec_sad_flags_t flags;
286 vl_api_tunnel_t tunnel;
289 u16 udp_src_port [default=4500];
290 u16 udp_dst_port [default=4500];
296 * eval: (c-set-style "gnu")