1 /* Hey Emacs use -*- mode: C -*- */
3 * Copyright (c) 2015-2016 Cisco and/or its affiliates.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 option version = "3.0.1";
19 import "vnet/ip/ip_types.api";
20 import "vnet/tunnel/tunnel_types.api";
23 * @brief Supported cryptographic algorithms
27 IPSEC_API_CRYPTO_ALG_NONE = 0,
28 IPSEC_API_CRYPTO_ALG_AES_CBC_128,
29 IPSEC_API_CRYPTO_ALG_AES_CBC_192,
30 IPSEC_API_CRYPTO_ALG_AES_CBC_256,
31 IPSEC_API_CRYPTO_ALG_AES_CTR_128,
32 IPSEC_API_CRYPTO_ALG_AES_CTR_192,
33 IPSEC_API_CRYPTO_ALG_AES_CTR_256,
34 IPSEC_API_CRYPTO_ALG_AES_GCM_128,
35 IPSEC_API_CRYPTO_ALG_AES_GCM_192,
36 IPSEC_API_CRYPTO_ALG_AES_GCM_256,
37 IPSEC_API_CRYPTO_ALG_DES_CBC,
38 IPSEC_API_CRYPTO_ALG_3DES_CBC,
42 * @brief Supported Integrity Algorithms
46 IPSEC_API_INTEG_ALG_NONE = 0,
48 IPSEC_API_INTEG_ALG_MD5_96,
50 IPSEC_API_INTEG_ALG_SHA1_96,
51 /* draft-ietf-ipsec-ciph-sha-256-00 */
52 IPSEC_API_INTEG_ALG_SHA_256_96,
54 IPSEC_API_INTEG_ALG_SHA_256_128,
56 IPSEC_API_INTEG_ALG_SHA_384_192,
58 IPSEC_API_INTEG_ALG_SHA_512_256,
63 IPSEC_API_SAD_FLAG_NONE = 0,
64 /* Enable extended sequence numbers */
65 IPSEC_API_SAD_FLAG_USE_ESN = 0x01,
66 /* Enable Anti-replay */
67 IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY = 0x02,
68 /* IPsec tunnel mode if non-zero, else transport mode */
69 IPSEC_API_SAD_FLAG_IS_TUNNEL = 0x04,
70 /* IPsec tunnel is IPv6 if non-zero, else IPv4;
71 * only valid if IPSEC_API_SAD_FLAG_IS_TUNNEL is set.
72 * DEPRECATED - the user does not need to set this; it is
73 * derived from the tunnel's address types.
75 IPSEC_API_SAD_FLAG_IS_TUNNEL_V6 = 0x08,
76 /* enable UDP encapsulation for NAT traversal */
77 IPSEC_API_SAD_FLAG_UDP_ENCAP = 0x10,
78 /* IPsec SA is for inbound traffic */
79 IPSEC_API_SAD_FLAG_IS_INBOUND = 0x40,
80 /* IPsec SA uses an Async driver */
81 IPSEC_API_SAD_FLAG_ASYNC = 0x80 [backwards_compatible],
86 IPSEC_API_PROTO_ESP = 50,
87 IPSEC_API_PROTO_AH = 51,
92 /* the length of the key */
94 /* The data for the key */
98 /** \brief IPsec: Security Association Database entry
99 @param client_index - opaque cookie to identify the sender
100 @param context - sender context, to match reply w/ request
101 @param is_add - add SAD entry if non-zero, else delete
102 @param sad_id - sad id
103 @param spi - security parameter index
104 @param protocol - IPSEC_API_PROTO_ESP or IPSEC_API_PROTO_AH (a vl_api_ipsec_proto_t value)
105 @param crypto_algorithm - a supported crypto algorithm
106 @param crypto_key - crypto keying material
107 @param integrity_algorithm - one of the supported algorithms
108 @param integrity_key - integrity keying material
109 @param tunnel_src_address - IPsec tunnel source address (IPv4 or IPv6, given by the address type). Only valid if IPSEC_API_SAD_FLAG_IS_TUNNEL is set
110 @param tunnel_dst_address - IPsec tunnel destination address (IPv4 or IPv6, given by the address type). Only valid if IPSEC_API_SAD_FLAG_IS_TUNNEL is set
111 @param tx_table_id - the FIB id used for encapsulated packets
112 @param salt - for use with counter mode ciphers
113 @param udp_src_port - If using UDP Encapsulation, use this source port for
114 TX. It is ignored for RX.
115 @param udp_dst_port - If using UDP Encapsulation, use this destination port
116 for TX. Expect traffic on this port for RX.
117 @param tunnel_flags - Flags controlling the copying of encap/decap values
118 @param dscp - Fixed DSCP value for tunnel encap
120 typedef ipsec_sad_entry
126 vl_api_ipsec_proto_t protocol;
128 vl_api_ipsec_crypto_alg_t crypto_algorithm;
129 vl_api_key_t crypto_key;
131 vl_api_ipsec_integ_alg_t integrity_algorithm;
132 vl_api_key_t integrity_key;
134 vl_api_ipsec_sad_flags_t flags;
136 vl_api_address_t tunnel_src;
137 vl_api_address_t tunnel_dst;
140 u16 udp_src_port [default=4500];
141 u16 udp_dst_port [default=4500];
144 typedef ipsec_sad_entry_v2
150 vl_api_ipsec_proto_t protocol;
152 vl_api_ipsec_crypto_alg_t crypto_algorithm;
153 vl_api_key_t crypto_key;
155 vl_api_ipsec_integ_alg_t integrity_algorithm;
156 vl_api_key_t integrity_key;
158 vl_api_ipsec_sad_flags_t flags;
160 vl_api_address_t tunnel_src;
161 vl_api_address_t tunnel_dst;
162 vl_api_tunnel_encap_decap_flags_t tunnel_flags;
163 vl_api_ip_dscp_t dscp;
166 u16 udp_src_port [default=4500];
167 u16 udp_dst_port [default=4500];
170 typedef ipsec_sad_entry_v3
175 vl_api_ipsec_proto_t protocol;
177 vl_api_ipsec_crypto_alg_t crypto_algorithm;
178 vl_api_key_t crypto_key;
180 vl_api_ipsec_integ_alg_t integrity_algorithm;
181 vl_api_key_t integrity_key;
183 vl_api_ipsec_sad_flags_t flags;
185 vl_api_tunnel_t tunnel;
188 u16 udp_src_port [default=4500];
189 u16 udp_dst_port [default=4500];
195 * eval: (c-set-style "gnu")