-/** \brief IPsec: Update Security Association keys
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
-
- @param sa_id - sa id
-
- @param crypto_key - crypto keying material
- @param integrity_key - integrity keying material
-*/
-
-autoreply define ipsec_sa_set_key
-{
- u32 client_index;
- u32 context;
-
- u32 sa_id;
-
- vl_api_key_t crypto_key;
- vl_api_key_t integrity_key;
-};
-
-/** \brief IKEv2: Add/delete profile
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
-
- @param name - IKEv2 profile name
- @param is_add - Add IKEv2 profile if non-zero, else delete
-*/
-autoreply define ikev2_profile_add_del
-{
- u32 client_index;
- u32 context;
-
- u8 name[64];
- u8 is_add;
-};
-
-/** \brief IKEv2: Set IKEv2 profile authentication method
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
-
- @param name - IKEv2 profile name
- @param auth_method - IKEv2 authentication method (shared-key-mic/rsa-sig)
- @param is_hex - Authentication data in hex format if non-zero, else string
- @param data_len - Authentication data length
- @param data - Authentication data (for rsa-sig cert file path)
-*/
-autoreply define ikev2_profile_set_auth
-{
- u32 client_index;
- u32 context;
-
- u8 name[64];
- u8 auth_method;
- u8 is_hex;
- u32 data_len;
- u8 data[data_len];
-};
-
-/** \brief IKEv2: Set IKEv2 profile local/remote identification
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
-
- @param name - IKEv2 profile name
- @param is_local - Identification is local if non-zero, else remote
- @param id_type - Identification type
- @param data_len - Identification data length
- @param data - Identification data
-*/
-autoreply define ikev2_profile_set_id
-{
- u32 client_index;
- u32 context;
-
- u8 name[64];
- u8 is_local;
- u8 id_type;
- u32 data_len;
- u8 data[data_len];
-};
-
-/** \brief IKEv2: Set IKEv2 profile traffic selector parameters
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
-
- @param name - IKEv2 profile name
- @param is_local - Traffic selector is local if non-zero, else remote
- @param proto - Traffic selector IP protocol (if zero not relevant)
- @param start_port - The smallest port number allowed by traffic selector
- @param end_port - The largest port number allowed by traffic selector
- @param start_addr - The smallest address included in traffic selector
- @param end_addr - The largest address included in traffic selector
-*/
-autoreply define ikev2_profile_set_ts
-{
- u32 client_index;
- u32 context;
-
- u8 name[64];
- u8 is_local;
- u8 proto;
- u16 start_port;
- u16 end_port;
- u32 start_addr;
- u32 end_addr;
-};
-
-/** \brief IKEv2: Set IKEv2 local RSA private key
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
-
- @param key_file - Key file absolute path
-*/
-autoreply define ikev2_set_local_key
-{
- u32 client_index;
- u32 context;
-
- u8 key_file[256];
-};
-
-/** \brief IKEv2: Set IKEv2 responder interface and IP address
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
-
- @param name - IKEv2 profile name
- @param sw_if_index - interface index
- @param address - interface address
-*/
-autoreply define ikev2_set_responder
-{
- u32 client_index;
- u32 context;
-
- u8 name[64];
- u32 sw_if_index;
- u8 address[4];
-};
-
-/** \brief IKEv2: Set IKEv2 IKE transforms in SA_INIT proposal (RFC 7296)
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
-
- @param name - IKEv2 profile name
- @param crypto_alg - encryption algorithm
- @param crypto_key_size - encryption key size
- @param integ_alg - integrity algorithm
- @param dh_group - Diffie-Hellman group
-
-*/
-autoreply define ikev2_set_ike_transforms
-{
- u32 client_index;
- u32 context;
-
- u8 name[64];
- u32 crypto_alg;
- u32 crypto_key_size;
- u32 integ_alg;
- u32 dh_group;
-};
-
-/** \brief IKEv2: Set IKEv2 ESP transforms in SA_INIT proposal (RFC 7296)
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
+/** \brief Add or Update Protection for a tunnel with IPSEC
+
+ Tunnel protection directly associates an SA with all packets
+ ingress and egress on the tunnel. This could also be achieved by
+ assigning an SPD to the tunnel, but that would incur an unnessccary
+ SPD entry lookup.
+
+ For tunnels the ESP acts on the post-encapsulated packet. So if this
+ packet:
+ +---------+------+
+ | Payload | O-IP |
+ +---------+------+
+ where O-IP is the overlay IP addrees that was routed into the tunnel,
+ the resulting encapsulated packet will be:
+ +---------+------+------+
+ | Payload | O-IP | T-IP |
+ +---------+------+------+
+ where T-IP is the tunnel's src.dst IP addresses.
+ If the SAs used for protection are in transport mode then the ESP is
+ inserted before T-IP, i.e.:
+ +---------+------+-----+------+
+ | Payload | O-IP | ESP | T-IP |
+ +---------+------+-----+------+
+ If the SAs used for protection are in tunnel mode then another
+ encapsulation occurs, i.e.:
+ +---------+------+------+-----+------+
+ | Payload | O-IP | T-IP | ESP | C-IP |
+ +---------+------+------+-----+------+
+ where C-IP are the crypto endpoint IP addresses defined as the tunnel
+ endpoints in the SA.
+ The mode for the inbound and outbound SA must be the same.