X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fplugins%2Fikev2%2Fikev2.api;h=ff9ed72e88840c919778a1463d554f95c3f5e220;hb=af2cc6425;hp=6c47482ae1299e90889583aa89cdb5b653613265;hpb=7c44d78ef2e7bf0c8714be4184511ed8f23ff239;p=vpp.git diff --git a/src/plugins/ikev2/ikev2.api b/src/plugins/ikev2/ikev2.api index 6c47482ae12..ff9ed72e888 100644 --- a/src/plugins/ikev2/ikev2.api +++ b/src/plugins/ikev2/ikev2.api @@ -1,6 +1,6 @@ /* Hey Emacs use -*- mode: C -*- */ /* - * Copyright (c) 2015-2016 Cisco and/or its affiliates. + * Copyright (c) 2015-2020 Cisco and/or its affiliates. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at: @@ -14,7 +14,11 @@ * limitations under the License. */ -option version = "1.0.0"; +option version = "1.0.1"; + +import "plugins/ikev2/ikev2_types.api"; +import "vnet/ip/ip_types.api"; +import "vnet/interface_types.api"; /** \brief Get the plugin version @param client_index - opaque cookie to identify the sender @@ -38,10 +42,155 @@ define ikev2_plugin_get_version_reply u32 minor; }; -/** \brief IKEv2: Add/delete profile +/** \brief Dump all profiles + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request +*/ +define ikev2_profile_dump +{ + u32 client_index; + u32 context; + option status="in_progress"; +}; + +/** \brief Details about all profiles + @param context - returned sender context, to match reply w/ request + @param profile - profile element with encapsulated attributes +*/ +define ikev2_profile_details +{ + u32 context; + vl_api_ikev2_profile_t profile; + option status="in_progress"; +}; + +/** \brief Dump all SAs @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request +*/ +define ikev2_sa_dump +{ + u32 client_index; + u32 context; + + option status = "in_progress"; +}; + +/** \brief Details about IKE SA + @param context - sender context, to match reply w/ request + @param retval - return code + @param sa - SA data +*/ +define ikev2_sa_details +{ + u32 context; + i32 retval; + + vl_api_ikev2_sa_t sa; + option status = "in_progress"; +}; + +/** \brief Dump child SA of specific SA + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + @param sa_index - index of specific sa +*/ +define ikev2_child_sa_dump +{ + u32 client_index; + u32 context; + + u32 sa_index; + option vat_help = "sa_index "; + option status = "in_progress"; +}; + +/** \brief Child SA details + @param context - sender context, to match reply w/ request + @param retval - return code + @param child_sa - child SA data +*/ +define ikev2_child_sa_details +{ + u32 context; + i32 retval; + + vl_api_ikev2_child_sa_t child_sa; + option status = "in_progress"; +}; + +/** \brief get specific nonce + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + @param is_initiator - specify type initiator|responder of nonce + @param sa_index - index of specific sa +*/ +define ikev2_nonce_get +{ + u32 client_index; + u32 context; + + bool is_initiator; + u32 sa_index; + option vat_help = "initiator|responder sa_index "; + option status = "in_progress"; +}; + +/** \brief reply on specific nonce + @param context - sender context, to match reply w/ request + @param retval - return code + @param data_len - nonce length + @param nonce - nonce data +*/ + +define ikev2_nonce_get_reply +{ + u32 context; + i32 retval; + + u32 data_len; + u8 nonce[data_len]; + option status = "in_progress"; +}; + +/** \brief dump traffic selectors + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + @param is_initiator - specify type initiator|responder of nonce + @param sa_index - index of specific sa + @param child_sa_index - index of specific sa child of specific sa +*/ + +define ikev2_traffic_selector_dump +{ + u32 client_index; + u32 context; + + bool is_initiator; + u32 sa_index; + u32 child_sa_index; + option vat_help = "initiator|responder sa_index child_sa_index "; + option status = "in_progress"; +}; + +/** \brief details on specific traffic selector + @param context - sender context, to match reply w/ request + @param retval - return code + @param ts - traffic selector data +*/ + +define ikev2_traffic_selector_details +{ + u32 context; + i32 retval; + vl_api_ikev2_ts_t ts; + option status = "in_progress"; +}; + +/** \brief IKEv2: Add/delete profile + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request @param name - IKEv2 profile name @param is_add - Add IKEv2 profile if non-zero, else delete */ @@ -50,14 +199,15 @@ autoreply define ikev2_profile_add_del u32 client_index; u32 context; - u8 name[64]; - u8 is_add; + string name[64]; + bool is_add; + option vat_help = "name [del]"; + option status="in_progress"; }; /** \brief IKEv2: Set IKEv2 profile authentication method @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request - @param name - IKEv2 profile name @param auth_method - IKEv2 authentication method (shared-key-mic/rsa-sig) @param is_hex - Authentication data in hex format if non-zero, else string @@ -69,17 +219,18 @@ autoreply define ikev2_profile_set_auth u32 client_index; u32 context; - u8 name[64]; + string name[64]; u8 auth_method; - u8 is_hex; + bool is_hex; u32 data_len; u8 data[data_len]; + option vat_help = "name auth_method (auth_data 0x | auth_data )"; + option status="in_progress"; }; /** \brief IKEv2: Set IKEv2 profile local/remote identification @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request - @param name - IKEv2 profile name @param is_local - Identification is local if non-zero, else remote @param id_type - Identification type @@ -91,43 +242,49 @@ autoreply define ikev2_profile_set_id u32 client_index; u32 context; - u8 name[64]; - u8 is_local; + string name[64]; + bool is_local; u8 id_type; u32 data_len; u8 data[data_len]; + option vat_help = "name id_type (id_data 0x | id_data ) (local|remote)"; + option status="in_progress"; }; -/** \brief IKEv2: Set IKEv2 profile traffic selector parameters +/** \brief IKEv2: Disable NAT traversal @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request + @param name - IKEv2 profile name +*/ +autoreply define ikev2_profile_disable_natt +{ + u32 client_index; + u32 context; + string name[64]; + option status="in_progress"; +}; + +/** \brief IKEv2: Set IKEv2 profile traffic selector parameters + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request @param name - IKEv2 profile name - @param is_local - Traffic selector is local if non-zero, else remote - @param proto - Traffic selector IP protocol (if zero not relevant) - @param start_port - The smallest port number allowed by traffic selector - @param end_port - The largest port number allowed by traffic selector - @param start_addr - The smallest address included in traffic selector - @param end_addr - The largest address included in traffic selector + @param ts - traffic selector data */ autoreply define ikev2_profile_set_ts { u32 client_index; u32 context; - u8 name[64]; - u8 is_local; - u8 proto; - u16 start_port; - u16 end_port; - u32 start_addr; - u32 end_addr; + string name[64]; + vl_api_ikev2_ts_t ts; + option vat_help = "name protocol start_port end_port start_addr end_addr (local|remote)"; + option status="in_progress"; }; /** \brief IKEv2: Set IKEv2 local RSA private key @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request - @param key_file - Key file absolute path */ autoreply define ikev2_set_local_key @@ -135,117 +292,132 @@ autoreply define ikev2_set_local_key u32 client_index; u32 context; - u8 key_file[256]; + string key_file[256]; + option vat_help = "file "; + option status="in_progress"; }; -/** \brief IKEv2: Set IKEv2 responder interface and IP address +/** \brief IKEv2: Set the tunnel interface which will be protected by IKE + If this API is not called, a new tunnel will be created @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request + @param name - IKEv2 profile name + @param sw_if_index - Of an existing tunnel +*/ +autoreply define ikev2_set_tunnel_interface +{ + u32 client_index; + u32 context; + string name[64]; + vl_api_interface_index_t sw_if_index; + option status="in_progress"; +}; + +/** \brief IKEv2: Set IKEv2 responder interface and IP address + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request @param name - IKEv2 profile name - @param sw_if_index - interface index - @param address - interface address + @param responder - responder data */ autoreply define ikev2_set_responder { u32 client_index; u32 context; - u8 name[64]; - u32 sw_if_index; - u8 address[4]; + string name[64]; + vl_api_ikev2_responder_t responder; + option vat_help = " interface address "; + option status="in_progress"; +}; + +autoreply define ikev2_set_responder_hostname +{ + u32 client_index; + u32 context; + + string name[64]; + string hostname[64]; + vl_api_interface_index_t sw_if_index; + option status="in_progress"; }; /** \brief IKEv2: Set IKEv2 IKE transforms in SA_INIT proposal (RFC 7296) @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request - @param name - IKEv2 profile name - @param crypto_alg - encryption algorithm - @param crypto_key_size - encryption key size - @param integ_alg - integrity algorithm - @param dh_group - Diffie-Hellman group - + @param tr - IKE transforms */ autoreply define ikev2_set_ike_transforms { u32 client_index; u32 context; - u8 name[64]; - u32 crypto_alg; - u32 crypto_key_size; - u32 integ_alg; - u32 dh_group; + string name[64]; + vl_api_ikev2_ike_transforms_t tr; + option vat_help = " "; + option status="in_progress"; }; /** \brief IKEv2: Set IKEv2 ESP transforms in SA_INIT proposal (RFC 7296) @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request - @param name - IKEv2 profile name - @param crypto_alg - encryption algorithm - @param crypto_key_size - encryption key size - @param integ_alg - integrity algorithm - @param dh_group - Diffie-Hellman group - + @param tr - ESP transforms */ autoreply define ikev2_set_esp_transforms { u32 client_index; u32 context; - u8 name[64]; - u32 crypto_alg; - u32 crypto_key_size; - u32 integ_alg; - u32 dh_group; + string name[64]; + vl_api_ikev2_esp_transforms_t tr; + option vat_help = " "; + option status="in_progress"; }; /** \brief IKEv2: Set Child SA lifetime, limited by time and/or data @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request - @param name - IKEv2 profile name @param lifetime - SA maximum life time in seconds (0 to disable) @param lifetime_jitter - Jitter added to prevent simultaneous rekeying @param handover - Hand over time @param lifetime_maxdata - SA maximum life time in bytes (0 to disable) - */ autoreply define ikev2_set_sa_lifetime { u32 client_index; u32 context; - u8 name[64]; + string name[64]; u64 lifetime; u32 lifetime_jitter; u32 handover; u64 lifetime_maxdata; + option vat_help = " "; + option status="in_progress"; }; /** \brief IKEv2: Initiate the SA_INIT exchange @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request - @param name - IKEv2 profile name - */ autoreply define ikev2_initiate_sa_init { u32 client_index; u32 context; - u8 name[64]; + string name[64]; + option vat_help = ""; + option status="in_progress"; }; /** \brief IKEv2: Initiate the delete IKE SA exchange @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request - @param ispi - IKE SA initiator SPI - */ autoreply define ikev2_initiate_del_ike_sa { @@ -253,14 +425,14 @@ autoreply define ikev2_initiate_del_ike_sa u32 context; u64 ispi; + option vat_help = ""; + option status="in_progress"; }; /** \brief IKEv2: Initiate the delete Child SA exchange @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request - @param ispi - Child SA initiator SPI - */ autoreply define ikev2_initiate_del_child_sa { @@ -268,14 +440,14 @@ autoreply define ikev2_initiate_del_child_sa u32 context; u32 ispi; + option vat_help = ""; + option status="in_progress"; }; /** \brief IKEv2: Initiate the rekey Child SA exchange @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request - @param ispi - Child SA initiator SPI - */ autoreply define ikev2_initiate_rekey_child_sa { @@ -283,6 +455,142 @@ autoreply define ikev2_initiate_rekey_child_sa u32 context; u32 ispi; + option vat_help = ""; + option status="in_progress"; +}; + +/** \brief IKEv2: Set UDP encapsulation + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + @param name - IKEv2 profile name +*/ +autoreply define ikev2_profile_set_udp_encap +{ + u32 client_index; + u32 context; + + string name[64]; + option status="in_progress"; +}; + +/** \brief IKEv2: Set/unset custom ipsec-over-udp port + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + @param is_set - whether set or unset custom port + @param port - port number + @param name - IKEv2 profile name +*/ +autoreply define ikev2_profile_set_ipsec_udp_port +{ + u32 client_index; + u32 context; + + u8 is_set; + u16 port; + string name[64]; + option status="in_progress"; +}; + +/** \brief IKEv2: Set liveness parameters + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + @param period - how often is liveness check performed + @param max_retries - max retries for liveness check +*/ +autoreply define ikev2_profile_set_liveness +{ + u32 client_index; + u32 context; + + u32 period; + u32 max_retries; + option status="in_progress"; +}; + +counters ikev2 { + processed { + severity info; + type counter64; + units "packets"; + description "packets processed"; + }; + ike_sa_init_retransmit { + severity info; + type counter64; + units "packets"; + description "IKE SA INIT retransmit"; + }; + ike_sa_init_ignore { + severity error; + type counter64; + units "packets"; + description "IKE_SA_INIT ignore (IKE SA already auth)"; + }; + ike_req_retransmit { + severity error; + type counter64; + units "packets"; + description "IKE request retransmit"; + }; + ike_req_ignore { + severity error; + type counter64; + units "packets"; + description "IKE request ignore (old msgid)"; + }; + not_ikev2 { + severity error; + type counter64; + units "packets"; + description "Non IKEv2 packets received"; + }; + bad_length { + severity error; + type counter64; + units "packets"; + description "Bad packet length"; + }; + malformed_packet { + severity error; + type counter64; + units "packets"; + description "Malformed packet"; + }; + no_buff_space { + severity error; + type counter64; + units "packets"; + description "No buffer space"; + }; + keepalive { + severity info; + type counter64; + units "packets"; + description "IKE keepalive messages received"; + }; + rekey_req { + severity info; + type counter64; + units "packets"; + description "IKE rekey requests received"; + }; + init_sa_req { + severity info; + type counter64; + units "packets"; + description "IKE EXCHANGE SA requests received"; + }; + ike_auth_req { + severity info; + type counter64; + units "packets"; + description "IKE AUTH SA requests received"; + }; +}; +paths { + "/err/ikev2-ip4" "ike"; + "/err/ikev2-ip6" "ike"; + "/err/ikev2-ip4-natt" "ike"; }; /* @@ -290,4 +598,3 @@ autoreply define ikev2_initiate_rekey_child_sa * eval: (c-set-style "gnu") * End: */ -