* limitations under the License.
*/
+option version = "2.0.0";
+
/** \brief IPsec: Add/delete Security Policy Database
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
@param spd_id - SPD instance id (control plane allocated)
*/
-define ipsec_spd_add_del
+autoreply define ipsec_spd_add_del
{
u32 client_index;
u32 context;
u32 spd_id;
};
-/** \brief Reply for IPsec: Add/delete Security Policy Database entry
- @param context - returned sender context, to match reply w/ request
- @param retval - return code
-*/
-
-define ipsec_spd_add_del_reply
-{
- u32 context;
- i32 retval;
-};
-
/** \brief IPsec: Add/delete SPD from interface
@param client_index - opaque cookie to identify the sender
*/
-define ipsec_interface_add_del_spd
+autoreply define ipsec_interface_add_del_spd
{
u32 client_index;
u32 context;
u32 spd_id;
};
-/** \brief Reply for IPsec: Add/delete SPD from interface
- @param context - returned sender context, to match reply w/ request
- @param retval - return code
-*/
-
-define ipsec_interface_add_del_spd_reply
-{
- u32 context;
- i32 retval;
-};
-
/** \brief IPsec: Add/delete Security Policy Database entry
See RFC 4301, 4.4.1.1 on how to match packet to selectors
*/
-define ipsec_spd_add_del_entry
+autoreply define ipsec_spd_add_del_entry
{
u32 client_index;
u32 context;
u32 sa_id;
};
-/** \brief Reply for IPsec: Add/delete Security Policy Database entry
- @param context - returned sender context, to match reply w/ request
- @param retval - return code
-*/
-
-define ipsec_spd_add_del_entry_reply
-{
- u32 context;
- i32 retval;
-};
-
/** \brief IPsec: Add/delete Security Association Database entry
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
@param is_tunnel_ipv6 - IPsec tunnel mode is IPv6 if non-zero, else IPv4 tunnel only valid if is_tunnel is non-zero
@param tunnel_src_address - IPsec tunnel source address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero
@param tunnel_dst_address - IPsec tunnel destination address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero
+ @param udp_encap - enable UDP encapsulation for NAT traversal
To be added:
Anti-replay
IPsec tunnel address copy mode (to support GDOI)
*/
-define ipsec_sad_add_del_entry
+autoreply define ipsec_sad_add_del_entry
{
u32 client_index;
u32 context;
u8 integrity_key[128];
u8 use_extended_sequence_number;
+ u8 use_anti_replay;
u8 is_tunnel;
u8 is_tunnel_ipv6;
u8 tunnel_src_address[16];
u8 tunnel_dst_address[16];
-};
-
-/** \brief Reply for IPsec: Add/delete Security Association Database entry
- @param context - returned sender context, to match reply w/ request
- @param retval - return code
-*/
-
-define ipsec_sad_add_del_entry_reply
-{
- u32 context;
- i32 retval;
+ u8 udp_encap;
};
/** \brief IPsec: Update Security Association keys
@param integrity_key - integrity keying material
*/
-define ipsec_sa_set_key
+autoreply define ipsec_sa_set_key
{
u32 client_index;
u32 context;
u8 integrity_key[128];
};
-/** \brief Reply for IPsec: Update Security Association keys
- @param context - returned sender context, to match reply w/ request
- @param retval - return code
-*/
-
-define ipsec_sa_set_key_reply
-{
- u32 context;
- i32 retval;
-};
-
/** \brief IKEv2: Add/delete profile
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
@param name - IKEv2 profile name
@param is_add - Add IKEv2 profile if non-zero, else delete
*/
-define ikev2_profile_add_del
+autoreply define ikev2_profile_add_del
{
u32 client_index;
u32 context;
u8 is_add;
};
-/** \brief Reply for IKEv2: Add/delete profile
- @param context - returned sender context, to match reply w/ request
- @param retval - return code
-*/
-define ikev2_profile_add_del_reply
-{
- u32 context;
- i32 retval;
-};
-
/** \brief IKEv2: Set IKEv2 profile authentication method
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
@param data_len - Authentication data length
@param data - Authentication data (for rsa-sig cert file path)
*/
-define ikev2_profile_set_auth
+autoreply define ikev2_profile_set_auth
{
u32 client_index;
u32 context;
u8 auth_method;
u8 is_hex;
u32 data_len;
- u8 data[0];
-};
-
-/** \brief Reply for IKEv2: Set IKEv2 profile authentication method
- @param context - returned sender context, to match reply w/ request
- @param retval - return code
-*/
-define ikev2_profile_set_auth_reply
-{
- u32 context;
- i32 retval;
+ u8 data[data_len];
};
/** \brief IKEv2: Set IKEv2 profile local/remote identification
@param data_len - Identification data length
@param data - Identification data
*/
-define ikev2_profile_set_id
+autoreply define ikev2_profile_set_id
{
u32 client_index;
u32 context;
u8 is_local;
u8 id_type;
u32 data_len;
- u8 data[0];
-};
-
-/** \brief Reply for IKEv2:
- @param context - returned sender context, to match reply w/ request
- @param retval - return code
-*/
-define ikev2_profile_set_id_reply
-{
- u32 context;
- i32 retval;
+ u8 data[data_len];
};
/** \brief IKEv2: Set IKEv2 profile traffic selector parameters
@param start_addr - The smallest address included in traffic selector
@param end_addr - The largest address included in traffic selector
*/
-define ikev2_profile_set_ts
+autoreply define ikev2_profile_set_ts
{
u32 client_index;
u32 context;
u32 end_addr;
};
-/** \brief Reply for IKEv2: Set IKEv2 profile traffic selector parameters
- @param context - returned sender context, to match reply w/ request
- @param retval - return code
-*/
-define ikev2_profile_set_ts_reply
-{
- u32 context;
- i32 retval;
-};
-
/** \brief IKEv2: Set IKEv2 local RSA private key
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
@param key_file - Key file absolute path
*/
-define ikev2_set_local_key
+autoreply define ikev2_set_local_key
{
u32 client_index;
u32 context;
u8 key_file[256];
};
-/** \brief Reply for IKEv2: Set IKEv2 local key
- @param context - returned sender context, to match reply w/ request
- @param retval - return code
-*/
-define ikev2_set_local_key_reply
-{
- u32 context;
- i32 retval;
-};
-
/** \brief IKEv2: Set IKEv2 responder interface and IP address
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
@param sw_if_index - interface index
@param address - interface address
*/
-define ikev2_set_responder
+autoreply define ikev2_set_responder
{
u32 client_index;
u32 context;
u8 address[4];
};
-/** \brief Reply for IKEv2: Set IKEv2 responder interface and IP address
- @param context - returned sender context, to match reply w/ request
- @param retval - return code
-*/
-define ikev2_set_responder_reply
-{
- u32 context;
- i32 retval;
-};
-
-
/** \brief IKEv2: Set IKEv2 IKE transforms in SA_INIT proposal (RFC 7296)
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
@param dh_group - Diffie-Hellman group
*/
-define ikev2_set_ike_transforms
+autoreply define ikev2_set_ike_transforms
{
u32 client_index;
u32 context;
u32 dh_group;
};
-/** \brief Reply for IKEv2: Set IKEv2 IKE transforms
- @param context - returned sender context, to match reply w/ request
- @param retval - return code
-*/
-define ikev2_set_ike_transforms_reply
-{
- u32 context;
- i32 retval;
-};
-
/** \brief IKEv2: Set IKEv2 ESP transforms in SA_INIT proposal (RFC 7296)
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
@param dh_group - Diffie-Hellman group
*/
-define ikev2_set_esp_transforms
+autoreply define ikev2_set_esp_transforms
{
u32 client_index;
u32 context;
u32 dh_group;
};
-/** \brief Reply for IKEv2: Set IKEv2 ESP transforms
- @param context - returned sender context, to match reply w/ request
- @param retval - return code
-*/
-define ikev2_set_esp_transforms_reply
-{
- u32 context;
- i32 retval;
-};
-
/** \brief IKEv2: Set Child SA lifetime, limited by time and/or data
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
@param name - IKEv2 profile name
@param lifetime - SA maximum life time in seconds (0 to disable)
- @param lifetime_jitter - Jitter added to prevent simultaneounus rekeying
+ @param lifetime_jitter - Jitter added to prevent simultaneous rekeying
@param handover - Hand over time
@param lifetime_maxdata - SA maximum life time in bytes (0 to disable)
*/
-define ikev2_set_sa_lifetime
+autoreply define ikev2_set_sa_lifetime
{
u32 client_index;
u32 context;
u64 lifetime_maxdata;
};
-/** \brief Reply for IKEv2: Set Child SA lifetime
- @param context - returned sender context, to match reply w/ request
- @param retval - return code
-*/
-define ikev2_set_sa_lifetime_reply
-{
- u32 context;
- i32 retval;
-};
-
/** \brief IKEv2: Initiate the SA_INIT exchange
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
@param name - IKEv2 profile name
*/
-define ikev2_initiate_sa_init
+autoreply define ikev2_initiate_sa_init
{
u32 client_index;
u32 context;
u8 name[64];
};
-/** \brief Reply for IKEv2: Initiate the SA_INIT exchange
- @param context - returned sender context, to match reply w/ request
- @param retval - return code
-*/
-define ikev2_initiate_sa_init_reply
-{
- u32 context;
- i32 retval;
-};
-
/** \brief IKEv2: Initiate the delete IKE SA exchange
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
@param ispi - IKE SA initiator SPI
*/
-define ikev2_initiate_del_ike_sa
+autoreply define ikev2_initiate_del_ike_sa
{
u32 client_index;
u32 context;
u64 ispi;
};
-/** \brief Reply for IKEv2: Initiate the delete IKE SA exchange
- @param context - returned sender context, to match reply w/ request
- @param retval - return code
-*/
-define ikev2_initiate_del_ike_sa_reply
-{
- u32 context;
- i32 retval;
-};
-
/** \brief IKEv2: Initiate the delete Child SA exchange
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
@param ispi - Child SA initiator SPI
*/
-define ikev2_initiate_del_child_sa
+autoreply define ikev2_initiate_del_child_sa
{
u32 client_index;
u32 context;
u32 ispi;
};
-/** \brief Reply for IKEv2: Initiate the delete Child SA exchange
- @param context - returned sender context, to match reply w/ request
- @param retval - return code
-*/
-define ikev2_initiate_del_child_sa_reply
-{
- u32 context;
- i32 retval;
-};
-
/** \brief IKEv2: Initiate the rekey Child SA exchange
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
@param ispi - Child SA initiator SPI
*/
-define ikev2_initiate_rekey_child_sa
+autoreply define ikev2_initiate_rekey_child_sa
{
u32 client_index;
u32 context;
u32 ispi;
};
-/** \brief Reply for IKEv2: Initiate the rekey Child SA exchange
- @param context - returned sender context, to match reply w/ request
- @param retval - return code
+/** \brief Dump IPsec all SPD IDs
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
*/
-define ikev2_initiate_rekey_child_sa_reply
-{
+define ipsec_spds_dump {
+ u32 client_index;
u32 context;
- i32 retval;
};
+/** \brief Dump IPsec all SPD IDs response
+ @param client_index - opaque cookie to identify the sender
+ @param spd_id - SPD instance id (control plane allocated)
+ @param npolicies - number of policies in SPD
+*/
+define ipsec_spds_details {
+ u32 context;
+ u32 spd_id;
+ u32 npolicies;
+};
+
/** \brief Dump ipsec policy database data
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
@param bytes - byte count of packets matching this policy
@param packets - count of packets matching this policy
*/
-
define ipsec_spd_details {
u32 context;
u32 spd_id;
u64 packets;
};
+/** \brief IPsec: Get SPD interfaces
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+ @param spd_index - SPD index
+ @param spd_index_valid - if 1 spd_index is used to filter
+ spd_index's, if 0 no filtering is done
+*/
+define ipsec_spd_interface_dump {
+ u32 client_index;
+ u32 context;
+ u32 spd_index;
+ u8 spd_index_valid;
+};
+
+/** \brief IPsec: SPD interface response
+ @param context - sender context which was passed in the request
+ @param spd_index - SPD index
+ @param sw_if_index - index of the interface
+*/
+define ipsec_spd_interface_details {
+ u32 context;
+ u32 spd_index;
+ u32 sw_if_index;
+};
+
+/** \brief Add or delete IPsec tunnel interface
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+ @param is_add - add IPsec tunnel interface if nonzero, else delete
+ @param esn - enable extended sequence numbers if nonzero, else disable
+ @param anti_replay - enable anti replay check if nonzero, else disable
+ @param local_ip - local IP address
+ @param remote_ip - IP address of remote IPsec peer
+ @param local_spi - SPI of outbound IPsec SA
+ @param remote_spi - SPI of inbound IPsec SA
+ @param crypto_alg - encryption algorithm ID
+ @param local_crypto_key_len - length of local crypto key in bytes
+ @param local_crypto_key - crypto key for outbound IPsec SA
+ @param remote_crypto_key_len - length of remote crypto key in bytes
+ @param remote_crypto_key - crypto key for inbound IPsec SA
+ @param integ_alg - integrity algorithm ID
+ @param local_integ_key_len - length of local integrity key in bytes
+ @param local_integ_key - integrity key for outbound IPsec SA
+ @param remote_integ_key_len - length of remote integrity key in bytes
+ @param remote_integ_key - integrity key for inbound IPsec SA
+ @param renumber - intf display name uses a specified instance if != 0
+ @param show_instance - instance to display for intf if renumber is set
+ @param udp_encap - enable UDP encapsulation for NAT traversal
+*/
+define ipsec_tunnel_if_add_del {
+ u32 client_index;
+ u32 context;
+ u8 is_add;
+ u8 esn;
+ u8 anti_replay;
+ u8 local_ip[4];
+ u8 remote_ip[4];
+ u32 local_spi;
+ u32 remote_spi;
+ u8 crypto_alg;
+ u8 local_crypto_key_len;
+ u8 local_crypto_key[128];
+ u8 remote_crypto_key_len;
+ u8 remote_crypto_key[128];
+ u8 integ_alg;
+ u8 local_integ_key_len;
+ u8 local_integ_key[128];
+ u8 remote_integ_key_len;
+ u8 remote_integ_key[128];
+ u8 renumber;
+ u32 show_instance;
+ u8 udp_encap;
+};
+
+/** \brief Add/delete IPsec tunnel interface response
+ @param context - sender context, to match reply w/ request
+ @param retval - return status
+ @param sw_if_index - sw_if_index of new interface (for successful add)
+*/
+define ipsec_tunnel_if_add_del_reply {
+ u32 context;
+ i32 retval;
+ u32 sw_if_index;
+};
+
+/** \brief Dump IPsec security association
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+ @param sa_id - optional ID of an SA to dump, if ~0 dump all SAs in SAD
+*/
+define ipsec_sa_dump {
+ u32 client_index;
+ u32 context;
+ u32 sa_id;
+};
+
+/** \brief IPsec security association database response
+ @param context - sender context which was passed in the request
+ @param sa_id - SA ID, policy-based SAs >=0, tunnel interface SAs = 0
+ @param sw_if_index - sw_if_index of tunnel interface, policy-based SAs = ~0
+ @param spi - security parameter index
+ @param protocol - IPsec protocol (value from ipsec_protocol_t)
+ @param crypto_alg - crypto algorithm (value from ipsec_crypto_alg_t)
+ @param crypto_key_len - length of crypto_key in bytes
+ @param crypto_key - crypto keying material
+ @param integ_alg - integrity algorithm (value from ipsec_integ_alg_t)
+ @param integ_key_len - length of integ_key in bytes
+ @param integ_key - integrity keying material
+ @param use_esn - using extended sequence numbers when non-zero
+ @param use_anti_replay - using anti-replay window when non-zero
+ @param is_tunnel - IPsec tunnel mode when non-zero, else transport mode
+ @param is_tunnel_ipv6 - If using tunnel mode, endpoints are IPv6
+ @param tunnel_src_addr - Tunnel source address if using tunnel mode
+ @param tunnel_dst_addr - Tunnel destination address is using tunnel mode
+ @param salt - 4 byte salt
+ @param seq - current sequence number for outbound
+ @param seq_hi - high 32 bits of ESN for outbound
+ @param last_seq - highest sequence number received inbound
+ @param last_seq_hi - high 32 bits of highest ESN received inbound
+ @param replay_window - bit map of seq nums received relative to last_seq if using anti-replay
+ @param total_data_size - total bytes sent or received
+ @param udp_encap - 1 if UDP encap enabled, 0 otherwise
+*/
+define ipsec_sa_details {
+ u32 context;
+ u32 sa_id;
+ u32 sw_if_index;
+
+ u32 spi;
+ u8 protocol;
+
+ u8 crypto_alg;
+ u8 crypto_key_len;
+ u8 crypto_key[128];
+
+ u8 integ_alg;
+ u8 integ_key_len;
+ u8 integ_key[128];
+
+ u8 use_esn;
+ u8 use_anti_replay;
+
+ u8 is_tunnel;
+ u8 is_tunnel_ip6;
+ u8 tunnel_src_addr[16];
+ u8 tunnel_dst_addr[16];
+
+ u32 salt;
+ u64 seq_outbound;
+ u64 last_seq_inbound;
+ u64 replay_window;
+
+ u64 total_data_size;
+ u8 udp_encap;
+};
+
+/** \brief Set key on IPsec interface
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+ @param sw_if_index - index of tunnel interface
+ @param key_type - type of key being set
+ @param alg - algorithm used with key
+ @param key_len - length key in bytes
+ @param key - key
+*/
+autoreply define ipsec_tunnel_if_set_key {
+ u32 client_index;
+ u32 context;
+ u32 sw_if_index;
+ u8 key_type;
+ u8 alg;
+ u8 key_len;
+ u8 key[128];
+};
+
+/** \brief Set new SA on IPsec interface
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+ @param sw_if_index - index of tunnel interface
+ @param sa_id - ID of SA to use
+ @param is_outbound - 1 if outbound (local) SA, 0 if inbound (remote)
+*/
+autoreply define ipsec_tunnel_if_set_sa {
+ u32 client_index;
+ u32 context;
+ u32 sw_if_index;
+ u32 sa_id;
+ u8 is_outbound;
+};
+
+/** \brief Dump IPsec backends
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+*/
+define ipsec_backend_dump {
+ u32 client_index;
+ u32 context;
+};
+
+/** \brief IPsec backend details
+ @param name - name of the backend
+ @param protocol - IPsec protocol (value from ipsec_protocol_t)
+ @param index - backend index
+ @param active - set to 1 if the backend is active, otherwise 0
+*/
+define ipsec_backend_details {
+ u32 context;
+ u8 name[128];
+ u8 protocol;
+ u8 index;
+ u8 active;
+};
+
+/** \brief Select IPsec backend
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+ @param protocol - IPsec protocol (value from ipsec_protocol_t)
+ @param index - backend index
+*/
+autoreply define ipsec_select_backend {
+ u32 client_index;
+ u32 context;
+ u8 protocol;
+ u8 index;
+};
+
/*
* Local Variables:
* eval: (c-set-style "gnu")
* End:
*/
-
\ No newline at end of file
+