option version = "3.0.0";
import "vnet/ip/ip_types.api";
+import "vnet/interface_types.api";
/** \brief IPsec: Add/delete Security Policy Database
@param client_index - opaque cookie to identify the sender
u32 stat_index;
};
-/** \brief IPsec: Update Security Association keys
+/** \brief Add or Update Protection for a tunnel with IPSEC
+
+ Tunnel protection directly associates an SA with all packets
+ ingress and egress on the tunnel. This could also be achieved by
+ assigning an SPD to the tunnel, but that would incur an unnessccary
+ SPD entry lookup.
+
+ For tunnels the ESP acts on the post-encapsulated packet. So if this
+ packet:
+ +---------+------+
+ | Payload | O-IP |
+ +---------+------+
+ where O-IP is the overlay IP addrees that was routed into the tunnel,
+ the resulting encapsulated packet will be:
+ +---------+------+------+
+ | Payload | O-IP | T-IP |
+ +---------+------+------+
+ where T-IP is the tunnel's src.dst IP addresses.
+ If the SAs used for protection are in transport mode then the ESP is
+ inserted before T-IP, i.e.:
+ +---------+------+-----+------+
+ | Payload | O-IP | ESP | T-IP |
+ +---------+------+-----+------+
+ If the SAs used for protection are in tunnel mode then another
+ encapsulation occurs, i.e.:
+ +---------+------+------+-----+------+
+ | Payload | O-IP | T-IP | ESP | C-IP |
+ +---------+------+------+-----+------+
+ where C-IP are the crypto endpoint IP addresses defined as the tunnel
+ endpoints in the SA.
+ The mode for the inbound and outbound SA must be the same.
+
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
+ @param sw_id_index - Tunnel interface to protect
+ @param sa_in - The ID [set] of inbound SAs
+ @param sa_out - The ID of outbound SA
+*/
+typedef ipsec_tunnel_protect
+{
+ vl_api_interface_index_t sw_if_index;
+ u32 sa_out;
+ u8 n_sa_in;
+ u32 sa_in[n_sa_in];
+};
- @param sa_id - sa id
+autoreply define ipsec_tunnel_protect_update
+{
+ u32 client_index;
+ u32 context;
- @param crypto_key - crypto keying material
- @param integrity_key - integrity keying material
-*/
+ vl_api_ipsec_tunnel_protect_t tunnel;
+};
-autoreply define ipsec_sa_set_key
+autoreply define ipsec_tunnel_protect_del
{
u32 client_index;
u32 context;
- u32 sa_id;
+ vl_api_interface_index_t sw_if_index;
+};
- vl_api_key_t crypto_key;
- vl_api_key_t integrity_key;
+/**
+ * @brief Dump all tunnel protections
+ */
+define ipsec_tunnel_protect_dump
+{
+ u32 client_index;
+ u32 context;
+ vl_api_interface_index_t sw_if_index;
+};
+
+define ipsec_tunnel_protect_details
+{
+ u32 context;
+ vl_api_ipsec_tunnel_protect_t tun;
};
/** \brief IPsec: Get SPD interfaces
};
/** \brief Add or delete IPsec tunnel interface
+
+ !!DEPRECATED!!
+ use the tunnel protect APIs instead
+
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
@param is_add - add IPsec tunnel interface if nonzero, else delete
u64 total_data_size;
};
-/** \brief Set key on IPsec interface
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
- @param sw_if_index - index of tunnel interface
- @param key_type - type of key being set
- @param alg - algorithm used with key
- @param key_len - length key in bytes
- @param key - key
-*/
-autoreply define ipsec_tunnel_if_set_key {
- u32 client_index;
- u32 context;
- u32 sw_if_index;
- u8 key_type;
- u8 alg;
- u8 key_len;
- u8 key[128];
-};
-
/** \brief Set new SA on IPsec interface
+
+ !! DEPRECATED !!
+
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
@param sw_if_index - index of tunnel interface