X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Fipsec%2Fipsec.api;h=72677d6e0ea634c9317bb6a8a1e87779bf8c52e7;hb=12989b538881f9681f078cf1485c51df1251877a;hp=4e5337589a5f943d1892990b1ac5aa5e08c0efaf;hpb=5d704aea534a88f6630c803d858bc01a58b4052d;p=vpp.git

diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api
index 4e5337589a5..72677d6e0ea 100644
--- a/src/vnet/ipsec/ipsec.api
+++ b/src/vnet/ipsec/ipsec.api
@@ -17,6 +17,7 @@
 option version = "3.0.0";
 
 import "vnet/ip/ip_types.api";
+import "vnet/interface_types.api";
 
 /** \brief IPsec: Add/delete Security Policy Database
     @param client_index - opaque cookie to identify the sender
@@ -222,7 +223,7 @@ enum ipsec_sad_flags
 {
   IPSEC_API_SAD_FLAG_NONE = 0,
   /* Enable extended sequence numbers */
-  IPSEC_API_SAD_FLAG_USE_EXTENDED_SEQ_NUM = 0x01,
+  IPSEC_API_SAD_FLAG_USE_ESN = 0x01,
   /* Enable Anti-replay */
   IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY = 0x02,
   /* IPsec tunnel mode if non-zero, else transport mode */
@@ -262,6 +263,7 @@ typedef key
     @param tunnel_src_address - IPsec tunnel source address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero
     @param tunnel_dst_address - IPsec tunnel destination address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero
     @param tx_table_id - the FIB id used for encapsulated packets
+    @param salt - for use with counter mode ciphers
  */
 typedef ipsec_sad_entry
 {
@@ -282,6 +284,7 @@ typedef ipsec_sad_entry
   vl_api_address_t tunnel_src;
   vl_api_address_t tunnel_dst;
   u32 tx_table_id;
+  u32 salt;
 };
 
 /** \brief IPsec: Add/delete Security Association Database entry
@@ -303,25 +306,82 @@ define ipsec_sad_entry_add_del_reply
   u32 stat_index;
 };
 
-/** \brief IPsec: Update Security Association keys
+/** \brief Add or Update Protection for a tunnel with IPSEC
+
+    Tunnel protection directly associates an SA with all packets
+    ingress and egress on the tunnel. This could also be achieved by
+    assigning an SPD to the tunnel, but that would incur an unnessccary
+    SPD entry lookup.
+
+    For tunnels the ESP acts on the post-encapsulated packet. So if this
+    packet:
+      +---------+------+
+      | Payload | O-IP |
+      +---------+------+
+    where O-IP is the overlay IP addrees that was routed into the tunnel,
+    the resulting encapsulated packet will be:
+      +---------+------+------+
+      | Payload | O-IP | T-IP |
+      +---------+------+------+
+    where T-IP is the tunnel's src.dst IP addresses.
+    If the SAs used for protection are in transport mode then the ESP is
+    inserted before T-IP, i.e.:
+      +---------+------+-----+------+
+      | Payload | O-IP | ESP | T-IP |
+      +---------+------+-----+------+
+    If the SAs used for protection are in tunnel mode then another
+    encapsulation occurs, i.e.:
+      +---------+------+------+-----+------+
+      | Payload | O-IP | T-IP | ESP | C-IP |
+      +---------+------+------+-----+------+
+    where C-IP are the crypto endpoint IP addresses defined as the tunnel
+    endpoints in the SA.
+    The mode for the inbound and outbound SA must be the same.
+
     @param client_index - opaque cookie to identify the sender
     @param context - sender context, to match reply w/ request
+    @param sw_id_index - Tunnel interface to protect
+    @param sa_in - The ID [set] of inbound SAs
+    @param sa_out - The ID of outbound SA
+*/
+typedef ipsec_tunnel_protect
+{
+  vl_api_interface_index_t sw_if_index;
+  u32 sa_out;
+  u8 n_sa_in;
+  u32 sa_in[n_sa_in];
+};
 
-    @param sa_id - sa id
+autoreply define ipsec_tunnel_protect_update
+{
+  u32 client_index;
+  u32 context;
 
-    @param crypto_key - crypto keying material
-    @param integrity_key - integrity keying material
-*/
+  vl_api_ipsec_tunnel_protect_t tunnel;
+};
 
-autoreply define ipsec_sa_set_key
+autoreply define ipsec_tunnel_protect_del
 {
   u32 client_index;
   u32 context;
 
-  u32 sa_id;
+  vl_api_interface_index_t sw_if_index;
+};
 
-  vl_api_key_t crypto_key;
-  vl_api_key_t integrity_key;
+/**
+ * @brief Dump all tunnel protections
+ */
+define ipsec_tunnel_protect_dump
+{
+  u32 client_index;
+  u32 context;
+  vl_api_interface_index_t sw_if_index;
+};
+
+define ipsec_tunnel_protect_details
+{
+  u32 context;
+  vl_api_ipsec_tunnel_protect_t tun;
 };
 
 /** \brief IPsec: Get SPD interfaces
@@ -350,9 +410,14 @@ define ipsec_spd_interface_details {
 };
 
 /** \brief Add or delete IPsec tunnel interface
+
+    !!DEPRECATED!!
+         use the tunnel protect APIs instead
+
     @param client_index - opaque cookie to identify the sender
     @param context - sender context, to match reply w/ request
     @param is_add - add IPsec tunnel interface if nonzero, else delete
+    @param is_ip6 - tunnel v6 or v4
     @param esn - enable extended sequence numbers if nonzero, else disable
     @param anti_replay - enable anti replay check if nonzero, else disable
     @param local_ip - local IP address
@@ -373,6 +438,7 @@ define ipsec_spd_interface_details {
     @param show_instance - instance to display for intf if renumber is set
     @param udp_encap - enable UDP encapsulation for NAT traversal
     @param tx_table_id - the FIB id used after packet encap
+    @param salt - for use with counter mode ciphers
 */
 define ipsec_tunnel_if_add_del {
   u32 client_index;
@@ -380,8 +446,8 @@ define ipsec_tunnel_if_add_del {
   u8 is_add;
   u8 esn;
   u8 anti_replay;
-  u8 local_ip[4];
-  u8 remote_ip[4];
+  vl_api_address_t local_ip;
+  vl_api_address_t remote_ip;
   u32 local_spi;
   u32 remote_spi;
   u8 crypto_alg;
@@ -398,6 +464,7 @@ define ipsec_tunnel_if_add_del {
   u32 show_instance;
   u8 udp_encap;
   u32 tx_table_id;
+  u32 salt;
 };
 
 /** \brief Add/delete IPsec tunnel interface response
@@ -462,26 +529,10 @@ define ipsec_sa_details {
   u64 total_data_size;
 };
 
-/** \brief Set key on IPsec interface
-    @param client_index - opaque cookie to identify the sender
-    @param context - sender context, to match reply w/ request
-    @param sw_if_index - index of tunnel interface
-    @param key_type - type of key being set
-    @param alg - algorithm used with key
-    @param key_len - length key in bytes
-    @param key - key
-*/
-autoreply define ipsec_tunnel_if_set_key {
-  u32 client_index;
-  u32 context;
-  u32 sw_if_index;
-  u8 key_type;
-  u8 alg;
-  u8 key_len;
-  u8 key[128];
-};
-
 /** \brief Set new SA on IPsec interface
+
+    !! DEPRECATED !!
+
     @param client_index - opaque cookie to identify the sender
     @param context - sender context, to match reply w/ request
     @param sw_if_index - index of tunnel interface