X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Fipsec%2Fipsec.api;h=610f2325ebcc83d8f8b53f8b7bbd178f1344cc47;hb=b4a7a7dcf;hp=f3b5993700b2c0aa147826404a6d9034a98abcb4;hpb=b0972cbb35550619483b90004a00566f9641f983;p=vpp.git

diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api
index f3b5993700b..610f2325ebc 100644
--- a/src/vnet/ipsec/ipsec.api
+++ b/src/vnet/ipsec/ipsec.api
@@ -13,6 +13,8 @@
  * limitations under the License.
  */
 
+option version = "2.0.0";
+
 /** \brief IPsec: Add/delete Security Policy Database
     @param client_index - opaque cookie to identify the sender
     @param context - sender context, to match reply w/ request
@@ -128,6 +130,7 @@ autoreply define ipsec_spd_add_del_entry
     @param is_tunnel_ipv6 - IPsec tunnel mode is IPv6 if non-zero, else IPv4 tunnel only valid if is_tunnel is non-zero
     @param tunnel_src_address - IPsec tunnel source address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero
     @param tunnel_dst_address - IPsec tunnel destination address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero
+    @param udp_encap - enable UDP encapsulation for NAT traversal
 
     To be added:
      Anti-replay
@@ -155,11 +158,13 @@ autoreply define ipsec_sad_add_del_entry
   u8 integrity_key[128];
 
   u8 use_extended_sequence_number;
+  u8 use_anti_replay;
 
   u8 is_tunnel;
   u8 is_tunnel_ipv6;
   u8 tunnel_src_address[16];
   u8 tunnel_dst_address[16];
+  u8 udp_encap;
 };
 
 /** \brief IPsec: Update Security Association keys
@@ -224,7 +229,7 @@ autoreply define ikev2_profile_set_auth
   u8 auth_method;
   u8 is_hex;
   u32 data_len;
-  u8 data[0];
+  u8 data[data_len];
 };
 
 /** \brief IKEv2: Set IKEv2 profile local/remote identification
@@ -246,7 +251,7 @@ autoreply define ikev2_profile_set_id
   u8 is_local;
   u8 id_type;
   u32 data_len;
-  u8 data[0];
+  u8 data[data_len];
 };
 
 /** \brief IKEv2: Set IKEv2 profile traffic selector parameters
@@ -359,7 +364,7 @@ autoreply define ikev2_set_esp_transforms
 
     @param name - IKEv2 profile name
     @param lifetime - SA maximum life time in seconds (0 to disable)
-    @param lifetime_jitter - Jitter added to prevent simultaneounus rekeying
+    @param lifetime_jitter - Jitter added to prevent simultaneous rekeying
     @param handover - Hand over time
     @param lifetime_maxdata - SA maximum life time in bytes (0 to disable)
     
@@ -436,6 +441,26 @@ autoreply define ikev2_initiate_rekey_child_sa
   u32 ispi;
 };
 
+/** \brief Dump IPsec all SPD IDs
+    @param client_index - opaque cookie to identify the sender
+    @param context - sender context, to match reply w/ request
+*/
+define ipsec_spds_dump {
+  u32 client_index;
+  u32 context;
+};
+
+/** \brief Dump IPsec all SPD IDs response
+    @param client_index - opaque cookie to identify the sender
+    @param spd_id - SPD instance id (control plane allocated)
+    @param npolicies - number of policies in SPD
+*/
+define ipsec_spds_details {
+  u32 context;
+  u32 spd_id;
+  u32 npolicies;
+}; 
+
 /** \brief Dump ipsec policy database data
     @param client_index - opaque cookie to identify the sender
     @param context - sender context, to match reply w/ request
@@ -490,6 +515,31 @@ define ipsec_spd_details {
     u64 packets;
 };
 
+/** \brief IPsec: Get SPD interfaces
+    @param client_index - opaque cookie to identify the sender
+    @param context - sender context, to match reply w/ request
+    @param spd_index - SPD index
+    @param spd_index_valid - if 1 spd_index is used to filter
+      spd_index's, if 0 no filtering is done
+*/
+define ipsec_spd_interface_dump {
+    u32 client_index;
+    u32 context;
+    u32 spd_index;
+    u8 spd_index_valid;
+};
+
+/** \brief IPsec: SPD interface response
+    @param context - sender context which was passed in the request
+    @param spd_index - SPD index
+    @param sw_if_index - index of the interface
+*/
+define ipsec_spd_interface_details {
+    u32 context;
+    u32 spd_index;
+    u32 sw_if_index;
+};
+
 /** \brief Add or delete IPsec tunnel interface
     @param client_index - opaque cookie to identify the sender
     @param context - sender context, to match reply w/ request
@@ -510,8 +560,11 @@ define ipsec_spd_details {
     @param local_integ_key - integrity key for outbound IPsec SA
     @param remote_integ_key_len - length of remote integrity key in bytes
     @param remote_integ_key - integrity key for inbound IPsec SA
+    @param renumber - intf display name uses a specified instance if != 0
+    @param show_instance - instance to display for intf if renumber is set
+    @param udp_encap - enable UDP encapsulation for NAT traversal
 */
-autoreply define ipsec_tunnel_if_add_del {
+define ipsec_tunnel_if_add_del {
   u32 client_index;
   u32 context;
   u8 is_add;
@@ -531,6 +584,161 @@ autoreply define ipsec_tunnel_if_add_del {
   u8 local_integ_key[128];
   u8 remote_integ_key_len;
   u8 remote_integ_key[128];
+  u8 renumber;
+  u32 show_instance;
+  u8 udp_encap;
+};
+
+/** \brief Add/delete IPsec tunnel interface response
+    @param context - sender context, to match reply w/ request
+    @param retval - return status
+    @param sw_if_index - sw_if_index of new interface (for successful add)
+*/
+define ipsec_tunnel_if_add_del_reply {
+  u32 context;
+  i32 retval;
+  u32 sw_if_index;
+};
+
+/** \brief Dump IPsec security association
+    @param client_index - opaque cookie to identify the sender
+    @param context - sender context, to match reply w/ request
+    @param sa_id - optional ID of an SA to dump, if ~0 dump all SAs in SAD
+*/
+define ipsec_sa_dump {
+  u32 client_index;
+  u32 context;
+  u32 sa_id;
+};
+
+/** \brief IPsec security association database response
+    @param context - sender context which was passed in the request
+    @param sa_id - SA ID, policy-based SAs >=0, tunnel interface SAs = 0 
+    @param sw_if_index - sw_if_index of tunnel interface, policy-based SAs = ~0
+    @param spi - security parameter index
+    @param protocol - IPsec protocol (value from ipsec_protocol_t)
+    @param crypto_alg - crypto algorithm (value from ipsec_crypto_alg_t)
+    @param crypto_key_len - length of crypto_key in bytes
+    @param crypto_key - crypto keying material
+    @param integ_alg - integrity algorithm (value from ipsec_integ_alg_t)
+    @param integ_key_len - length of integ_key in bytes
+    @param integ_key - integrity keying material
+    @param use_esn - using extended sequence numbers when non-zero
+    @param use_anti_replay - using anti-replay window when non-zero
+    @param is_tunnel - IPsec tunnel mode when non-zero, else transport mode
+    @param is_tunnel_ipv6 - If using tunnel mode, endpoints are IPv6
+    @param tunnel_src_addr - Tunnel source address if using tunnel mode
+    @param tunnel_dst_addr - Tunnel destination address is using tunnel mode
+    @param salt - 4 byte salt 
+    @param seq - current sequence number for outbound
+    @param seq_hi - high 32 bits of ESN for outbound 
+    @param last_seq - highest sequence number received inbound
+    @param last_seq_hi - high 32 bits of highest ESN received inbound
+    @param replay_window - bit map of seq nums received relative to last_seq if using anti-replay
+    @param total_data_size - total bytes sent or received
+    @param udp_encap - 1 if UDP encap enabled, 0 otherwise
+*/
+define ipsec_sa_details {
+  u32 context;
+  u32 sa_id;
+  u32 sw_if_index;
+
+  u32 spi;
+  u8 protocol;
+
+  u8 crypto_alg;
+  u8 crypto_key_len;
+  u8 crypto_key[128];
+
+  u8 integ_alg;
+  u8 integ_key_len;
+  u8 integ_key[128];
+
+  u8 use_esn;
+  u8 use_anti_replay;
+
+  u8 is_tunnel;
+  u8 is_tunnel_ip6;
+  u8 tunnel_src_addr[16];
+  u8 tunnel_dst_addr[16];
+
+  u32 salt;
+  u64 seq_outbound;
+  u64 last_seq_inbound;
+  u64 replay_window;
+
+  u64 total_data_size;
+  u8 udp_encap;
+};
+
+/** \brief Set key on IPsec interface
+    @param client_index - opaque cookie to identify the sender
+    @param context - sender context, to match reply w/ request
+    @param sw_if_index - index of tunnel interface
+    @param key_type - type of key being set
+    @param alg - algorithm used with key
+    @param key_len - length key in bytes
+    @param key - key
+*/
+autoreply define ipsec_tunnel_if_set_key {
+  u32 client_index;
+  u32 context;
+  u32 sw_if_index;
+  u8 key_type;
+  u8 alg;
+  u8 key_len;
+  u8 key[128];
+};
+
+/** \brief Set new SA on IPsec interface
+    @param client_index - opaque cookie to identify the sender
+    @param context - sender context, to match reply w/ request
+    @param sw_if_index - index of tunnel interface
+    @param sa_id - ID of SA to use
+    @param is_outbound - 1 if outbound (local) SA, 0 if inbound (remote)
+*/
+autoreply define ipsec_tunnel_if_set_sa {
+  u32 client_index;
+  u32 context;
+  u32 sw_if_index;
+  u32 sa_id;
+  u8 is_outbound;
+};
+
+/** \brief Dump IPsec backends
+    @param client_index - opaque cookie to identify the sender
+    @param context - sender context, to match reply w/ request
+*/
+define ipsec_backend_dump {
+  u32 client_index;
+  u32 context;
+};
+
+/** \brief IPsec backend details
+    @param name - name of the backend
+    @param protocol - IPsec protocol (value from ipsec_protocol_t)
+    @param index - backend index
+    @param active - set to 1 if the backend is active, otherwise 0
+*/
+define ipsec_backend_details {
+  u32 context;
+  u8 name[128];
+  u8 protocol;
+  u8 index;
+  u8 active;
+};
+
+/** \brief Select IPsec backend
+    @param client_index - opaque cookie to identify the sender
+    @param context - sender context, to match reply w/ request
+    @param protocol - IPsec protocol (value from ipsec_protocol_t)
+    @param index - backend index
+*/
+autoreply define ipsec_select_backend {
+  u32 client_index;
+  u32 context;
+  u8 protocol;
+  u8 index;
 };
 
 /*