ipsec: Use .api declared error counters

[vpp.git] / src / vnet / ipsec / ipsec.api

diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api
index 9b09131..401564b 100644 (file)
--- a/src/vnet/ipsec/ipsec.api
+++ b/src/vnet/ipsec/ipsec.api
@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-option version = "4.0.0";
+option version = "5.0.2";
 
 import "vnet/ipsec/ipsec_types.api";
 import "vnet/interface_types.api";
@@ -57,74 +57,35 @@ autoreply define ipsec_interface_add_del_spd
   u32 spd_id;
 };
 
+/** \brief IPsec: Add/delete Security Policy Database entry
 
-enum ipsec_spd_action
-{
-  /* bypass - no IPsec processing */
-  IPSEC_API_SPD_ACTION_BYPASS = 0,
-  /* discard - discard packet with ICMP processing */
-  IPSEC_API_SPD_ACTION_DISCARD,
-  /* resolve - send request to control plane for SA resolving */
-  IPSEC_API_SPD_ACTION_RESOLVE,
-  /* protect - apply IPsec policy using following parameters */
-  IPSEC_API_SPD_ACTION_PROTECT,
-};
-
-/** \brief IPsec: Security Policy Database entry
-
-    See RFC 4301, 4.4.1.1 on how to match packet to selectors
-
-    @param spd_id - SPD instance id (control plane allocated)
-    @param priority - priority of SPD entry (non-unique value).  Used to order SPD matching - higher priorities match before lower
-    @param is_outbound - entry applies to outbound traffic if non-zero, otherwise applies to inbound traffic
-    @param remote_address_start - start of remote address range to match
-    @param remote_address_stop - end of remote address range to match
-    @param local_address_start - start of local address range to match
-    @param local_address_stop - end of local address range to match
-    @param protocol - protocol type to match [0 means any] otherwise IANA value
-    @param remote_port_start - start of remote port range to match ...
-    @param remote_port_stop - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
-    @param local_port_start - start of local port range to match ...
-    @param local_port_stop - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
-    @param policy - action to perform on match
-    @param sa_id - SAD instance id (control plane allocated)
+    @param client_index - opaque cookie to identify the sender
+    @param context - sender context, to match reply w/ request
+    @param is_add - add SPD if non-zero, else delete
+    @param entry - Description of the entry to add/dell
 */
-typedef ipsec_spd_entry
+define ipsec_spd_entry_add_del
 {
-  u32 spd_id;
-  i32 priority;
-  bool is_outbound;
-
-  u32 sa_id;
-  vl_api_ipsec_spd_action_t policy;
-  /* Which protocol?? */
-  u8 protocol;
-
-  // Selector
-  vl_api_address_t remote_address_start;
-  vl_api_address_t remote_address_stop;
-  vl_api_address_t local_address_start;
-  vl_api_address_t local_address_stop;
-
-  u16 remote_port_start;
-  u16 remote_port_stop;
-  u16 local_port_start;
-  u16 local_port_stop;
+  option deprecated;
+  u32 client_index;
+  u32 context;
+  bool is_add;
+  vl_api_ipsec_spd_entry_t entry;
 };
 
-/** \brief IPsec: Add/delete Security Policy Database entry
+/** \brief IPsec: Add/delete Security Policy Database entry v2
 
     @param client_index - opaque cookie to identify the sender
     @param context - sender context, to match reply w/ request
     @param is_add - add SPD if non-zero, else delete
     @param entry - Description of the entry to add/dell
 */
-define ipsec_spd_entry_add_del
+define ipsec_spd_entry_add_del_v2
 {
   u32 client_index;
   u32 context;
   bool is_add;
-  vl_api_ipsec_spd_entry_t entry;
+  vl_api_ipsec_spd_entry_v2_t entry;
 };
 
 /** \brief IPsec: Reply Add/delete Security Policy Database entry
@@ -140,6 +101,19 @@ define ipsec_spd_entry_add_del_reply
   u32 stat_index;
 };
 
+/** \brief IPsec: Reply Add/delete Security Policy Database entry v2
+
+    @param context - sender context, to match reply w/ request
+    @param retval - success/fail rutrun code
+    @param stat_index - An index for the policy in the stats segment @ /net/ipec/policy
+*/
+define ipsec_spd_entry_add_del_v2_reply
+{
+  u32 context;
+  i32 retval;
+  u32 stat_index;
+};
+
 /** \brief Dump IPsec all SPD IDs
     @param client_index - opaque cookie to identify the sender
     @param context - sender context, to match reply w/ request
@@ -191,11 +165,13 @@ define ipsec_spd_details {
  */
 define ipsec_sad_entry_add_del
 {
+  option deprecated;
   u32 client_index;
   u32 context;
   bool is_add;
   vl_api_ipsec_sad_entry_t entry;
 };
+
 define ipsec_sad_entry_add_del_v2
 {
   u32 client_index;
@@ -203,12 +179,35 @@ define ipsec_sad_entry_add_del_v2
   bool is_add;
   vl_api_ipsec_sad_entry_v2_t entry;
 };
+
+define ipsec_sad_entry_add_del_v3
+{
+  u32 client_index;
+  u32 context;
+  bool is_add;
+  vl_api_ipsec_sad_entry_v3_t entry;
+};
+define ipsec_sad_entry_add
+{
+  u32 client_index;
+  u32 context;
+  vl_api_ipsec_sad_entry_v3_t entry;
+};
+autoreply define ipsec_sad_entry_del
+{
+  u32 client_index;
+  u32 context;
+  u32 id;
+};
+
 define ipsec_sad_entry_add_del_reply
 {
+  option deprecated;
   u32 context;
   i32 retval;
   u32 stat_index;
 };
+
 define ipsec_sad_entry_add_del_v2_reply
 {
   u32 context;
@@ -216,6 +215,19 @@ define ipsec_sad_entry_add_del_v2_reply
   u32 stat_index;
 };
 
+define ipsec_sad_entry_add_del_v3_reply
+{
+  u32 context;
+  i32 retval;
+  u32 stat_index;
+};
+define ipsec_sad_entry_add_reply
+{
+  u32 context;
+  i32 retval;
+  u32 stat_index;
+};
+
 /** \brief Add or Update Protection for a tunnel with IPSEC
 
     Tunnel protection directly associates an SA with all packets
@@ -324,77 +336,6 @@ define ipsec_spd_interface_details {
     vl_api_interface_index_t sw_if_index;
 };
 
-/** \brief Add or delete IPsec tunnel interface
-
-    !!DEPRECATED!!
-         use the tunnel protect APIs instead
-
-    @param client_index - opaque cookie to identify the sender
-    @param context - sender context, to match reply w/ request
-    @param is_add - add IPsec tunnel interface if nonzero, else delete
-    @param is_ip6 - tunnel v6 or v4
-    @param esn - enable extended sequence numbers if nonzero, else disable
-    @param anti_replay - enable anti replay check if nonzero, else disable
-    @param local_ip - local IP address
-    @param remote_ip - IP address of remote IPsec peer
-    @param local_spi - SPI of outbound IPsec SA
-    @param remote_spi - SPI of inbound IPsec SA
-    @param crypto_alg - encryption algorithm ID
-    @param local_crypto_key_len - length of local crypto key in bytes
-    @param local_crypto_key - crypto key for outbound IPsec SA
-    @param remote_crypto_key_len - length of remote crypto key in bytes
-    @param remote_crypto_key - crypto key for inbound IPsec SA
-    @param integ_alg - integrity algorithm ID
-    @param local_integ_key_len - length of local integrity key in bytes
-    @param local_integ_key - integrity key for outbound IPsec SA
-    @param remote_integ_key_len - length of remote integrity key in bytes
-    @param remote_integ_key - integrity key for inbound IPsec SA
-    @param renumber - intf display name uses a specified instance if != 0
-    @param show_instance - instance to display for intf if renumber is set
-    @param udp_encap - enable UDP encapsulation for NAT traversal
-    @param tx_table_id - the FIB id used after packet encap
-    @param salt - for use with counter mode ciphers
-*/
-define ipsec_tunnel_if_add_del {
-  option deprecated;
-  u32 client_index;
-  u32 context;
-  bool is_add;
-  bool esn;
-  bool anti_replay;
-  vl_api_address_t local_ip;
-  vl_api_address_t remote_ip;
-  u32 local_spi;
-  u32 remote_spi;
-  u8 crypto_alg;
-  u8 local_crypto_key_len;
-  u8 local_crypto_key[128];
-  u8 remote_crypto_key_len;
-  u8 remote_crypto_key[128];
-  u8 integ_alg;
-  u8 local_integ_key_len;
-  u8 local_integ_key[128];
-  u8 remote_integ_key_len;
-  u8 remote_integ_key[128];
-  bool renumber;
-  u32 show_instance;
-  bool udp_encap;
-  u32 tx_table_id;
-  u32 salt;
-};
-
-/** \brief Add/delete IPsec tunnel interface response
-    @param context - sender context, to match reply w/ request
-    @param retval - return status
-    @param sw_if_index - sw_if_index of new interface (for successful add)
-*/
-define ipsec_tunnel_if_add_del_reply {
-  option deprecated;
-  u32 context;
-  i32 retval;
-  vl_api_interface_index_t sw_if_index;
-};
-
 typedef ipsec_itf
 {
   u32 user_instance [default=0xffffffff];
@@ -449,6 +390,7 @@ define ipsec_itf_details
 */
 define ipsec_sa_dump
 {
+  option deprecated;
   u32 client_index;
   u32 context;
   u32 sa_id;
@@ -459,6 +401,12 @@ define ipsec_sa_v2_dump
   u32 context;
   u32 sa_id;
 };
+define ipsec_sa_v3_dump
+{
+  u32 client_index;
+  u32 context;
+  u32 sa_id;
+};
 
 /** \brief IPsec security association database response
     @param context - sender context which was passed in the request
@@ -473,6 +421,7 @@ define ipsec_sa_v2_dump
     @param stat_index - index for the SA in the stats segment @ /net/ipsec/sa
 */
 define ipsec_sa_details {
+  option deprecated;
   u32 context;
   vl_api_ipsec_sad_entry_t entry;
 
@@ -496,24 +445,16 @@ define ipsec_sa_v2_details {
 
   u32 stat_index;
 };
-
-/** \brief Set new SA on IPsec interface
-
-    !! DEPRECATED !!
-
-    @param client_index - opaque cookie to identify the sender
-    @param context - sender context, to match reply w/ request
-    @param sw_if_index - index of tunnel interface
-    @param sa_id - ID of SA to use
-    @param is_outbound - 1 if outbound (local) SA, 0 if inbound (remote)
-*/
-autoreply define ipsec_tunnel_if_set_sa {
-  option deprecated;
-  u32 client_index;
+define ipsec_sa_v3_details {
   u32 context;
+  vl_api_ipsec_sad_entry_v3_t entry;
+
   vl_api_interface_index_t sw_if_index;
-  u32 sa_id;
-  u8 is_outbound;
+  u64 seq_outbound;
+  u64 last_seq_inbound;
+  u64 replay_window;
+
+  u32 stat_index;
 };
 
 /** \brief Dump IPsec backends
@@ -564,6 +505,274 @@ autoreply define ipsec_set_async_mode {
   bool async_enable;
 };
 
+counters esp_decrypt {
+  rx_pkts {
+    severity info;
+    type counter64;
+    units "packets";
+    description "ESP pkts received";
+  };
+  rx_post_pkts {
+    severity info;
+    type counter64;
+    units "packets";
+    description "ESP-POST pkts received";
+  };
+  handoff {
+    severity info;
+    type counter64;
+    units "packets";
+    description "hand-off";
+  };
+  decryption_failed {
+    severity error;
+    type counter64;
+    units "packets";
+    description "ESP decryption failed";
+  };
+  integ_error {
+    severity error;
+    type counter64;
+    units "packets";
+    description "integrity check failed";
+  };
+  crypto_engine_error {
+    severity error;
+    type counter64;
+    units "packets";
+    description "crypto engine error (packet dropped)";
+  };
+  replay {
+    severity error;
+    type counter64;
+    units "packets";
+    description "SA replayed packet";
+  };
+  runt {
+    severity error;
+    type counter64;
+    units "packets";
+    description "undersized packet";
+  };
+  no_buffers {
+    severity error;
+    type counter64;
+    units "packets";
+    description "no buffers (packet dropped)";
+  };
+  oversized_header {
+    severity error;
+    type counter64;
+    units "packets";
+    description "buffer with oversized header (dropped)";
+  };
+  no_tail_space {
+    severity error;
+    type counter64;
+    units "packets";
+    description "no enough buffer tail space (dropped)";
+  };
+  tun_no_proto {
+    severity error;
+    type counter64;
+    units "packets";
+    description "no tunnel protocol";
+  };
+  unsup_payload {
+    severity error;
+    type counter64;
+    units "packets";
+    description "unsupported payload";
+  };
+};
+
+counters esp_encrypt {
+  rx_pkts {
+    severity info;
+    type counter64;
+    units "packets";
+    description "ESP pkts received";
+  };
+  post_rx_pkts {
+    severity info;
+    type counter64;
+    units "packets";
+    description "ESP-post pkts received";
+  };
+  handoff {
+    severity info;
+    type counter64;
+    units "packets";
+    description "Hand-off";
+  };
+  seq_cycled {
+    severity error;
+    type counter64;
+    units "packets";
+    description "sequence number cycled (packet dropped)";
+  };
+  crypto_engine_error {
+    severity error;
+    type counter64;
+    units "packets";
+    description "crypto engine error (packet dropped)";
+  };
+  crypto_queue_full {
+    severity error;
+    type counter64;
+    units "packets";
+    description "crypto queue full (packet dropped)";
+  };
+  no_buffers {
+    severity error;
+    type counter64;
+    units "packets";
+    description "no buffers (packet dropped)";
+  };
+  no_protection {
+    severity error;
+    type counter64;
+    units "packets";
+    description "no protecting SA (packet dropped)";
+  };
+  no_encryption {
+    severity error;
+    type counter64;
+    units "packets";
+    description "no Encrypting SA (packet dropped)";
+  };
+};
+
+counters ah_encrypt {
+  rx_pkts {
+    severity info;
+    type counter64;
+    units "packets";
+    description "AH pkts received";
+  };
+  crypto_engine_error {
+    severity error;
+    type counter64;
+    units "packets";
+    description "crypto engine error (packet dropped)";
+  };
+  seq_cycled {
+    severity error;
+    type counter64;
+    units "packets";
+    description "sequence number cycled (packet dropped)";
+  };
+};
+
+counters ah_decrypt {
+  rx_pkts {
+    severity info;
+    type counter64;
+    units "packets";
+    description "AH pkts received";
+  };
+  decryption_failed {
+    severity error;
+    type counter64;
+    units "packets";
+    description "AH decryption failed";
+  };
+  integ_error {
+    severity error;
+    type counter64;
+    units "packets";
+    description "Integrity check failed";
+  };
+  no_tail_space {
+    severity error;
+    type counter64;
+    units "packets";
+    description "not enough buffer tail space (dropped)";
+  };
+  drop_fragments {
+    severity error;
+    type counter64;
+    units "packets";
+    description "IP fragments drop";
+  };
+  replay {
+    severity error;
+    type counter64;
+    units "packets";
+    description "SA replayed packet";
+  };
+};
+
+counters ipsec_tun {
+  rx {
+    severity info;
+    type counter64;
+    units "packets";
+    description "good packets received";
+  };
+  disabled {
+    severity error;
+    type counter64;
+    units "packets";
+    description "ipsec packets received on disabled interface";
+  };
+  no_tunnel {
+    severity error;
+    type counter64;
+    units "packets";
+    description "no matching tunnel";
+  };
+  tunnel_mismatch {
+    severity error;
+    type counter64;
+    units "packets";
+    description "SPI-tunnel mismatch";
+  };
+  nat_keepalive {
+    severity info;
+    type counter64;
+    units "packets";
+    description "NAT Keepalive";
+  };
+  too_short {
+    severity error;
+    type counter64;
+    units "packets";
+    description "Too Short";
+  };
+  spi_0 {
+    severity info;
+    type counter64;
+    units "packets";
+    description "SPI 0";
+  };
+};
+
+paths {
+  "/err/esp4-encrypt" "esp_encrypt";
+  "/err/esp4-encrypt-post" "esp_encrypt";
+  "/err/esp4-encrypt-tun" "esp_encrypt";
+  "/err/esp4-encrypt-tun-post" "esp_encrypt";
+  "/err/esp6-encrypt" "esp_encrypt";
+  "/err/esp6-encrypt-post" "esp_encrypt";
+  "/err/esp6-encrypt-tun" "esp_encrypt";
+  "/err/esp6-encrypt-tun-post" "esp_encrypt";
+  "/err/esp-mpls-encrypt-tun" "esp_encrypt";
+  "/err/esp-mpls-encrypt-tun-post" "esp_encrypt";
+  "/err/esp4-decrypt" "esp_decrypt";
+  "/err/esp4-decrypt-post" "esp_decrypt";
+  "/err/esp4-decrypt-tun" "esp_decrypt";
+  "/err/esp4-decrypt-tun-post" "esp_decrypt";
+  "/err/esp6-decrypt" "esp_decrypt";
+  "/err/esp6-decrypt-post" "esp_decrypt";
+  "/err/esp6-decrypt-tun" "esp_decrypt";
+  "/err/esp6-decrypt-tun-post" "esp_decrypt";
+  "/err/ah4-encrypt" "ah_encrypt";
+  "/err/ah6-encrypt" "ah_encrypt";
+  "/err/ipsec4-tun-input" "ipsec_tun";
+  "/err/ipsec6-tun-input" "ipsec_tun";
+};
+
 /*
  * Local Variables:
  * eval: (c-set-style "gnu")