X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Fipsec%2Fipsec.api;h=793422d86fbaeded92f323d1abac5cb6b5638381;hb=871bca9;hp=14d6c18750386ee947fd7ccbd09b32a4d4a690d1;hpb=0d056e5ede136cd0111dc3f9f41ef7b36a938027;p=vpp.git diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api index 14d6c187503..793422d86fb 100644 --- a/src/vnet/ipsec/ipsec.api +++ b/src/vnet/ipsec/ipsec.api @@ -13,7 +13,7 @@ * limitations under the License. */ -vl_api_version 1.0.0 +option version = "2.0.0"; /** \brief IPsec: Add/delete Security Policy Database @param client_index - opaque cookie to identify the sender @@ -130,6 +130,7 @@ autoreply define ipsec_spd_add_del_entry @param is_tunnel_ipv6 - IPsec tunnel mode is IPv6 if non-zero, else IPv4 tunnel only valid if is_tunnel is non-zero @param tunnel_src_address - IPsec tunnel source address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero @param tunnel_dst_address - IPsec tunnel destination address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero + @param udp_encap - enable UDP encapsulation for NAT traversal To be added: Anti-replay @@ -157,11 +158,13 @@ autoreply define ipsec_sad_add_del_entry u8 integrity_key[128]; u8 use_extended_sequence_number; + u8 use_anti_replay; u8 is_tunnel; u8 is_tunnel_ipv6; u8 tunnel_src_address[16]; u8 tunnel_dst_address[16]; + u8 udp_encap; }; /** \brief IPsec: Update Security Association keys @@ -226,7 +229,7 @@ autoreply define ikev2_profile_set_auth u8 auth_method; u8 is_hex; u32 data_len; - u8 data[0]; + u8 data[data_len]; }; /** \brief IKEv2: Set IKEv2 profile local/remote identification @@ -248,7 +251,7 @@ autoreply define ikev2_profile_set_id u8 is_local; u8 id_type; u32 data_len; - u8 data[0]; + u8 data[data_len]; }; /** \brief IKEv2: Set IKEv2 profile traffic selector parameters @@ -361,7 +364,7 @@ autoreply define ikev2_set_esp_transforms @param name - IKEv2 profile name @param lifetime - SA maximum life time in seconds (0 to disable) - @param lifetime_jitter - Jitter added to prevent simultaneounus rekeying + @param lifetime_jitter - Jitter added to prevent simultaneous rekeying @param handover - Hand over time @param lifetime_maxdata - SA maximum life time in bytes (0 to disable) @@ -438,6 +441,26 @@ autoreply define ikev2_initiate_rekey_child_sa u32 ispi; }; +/** \brief Dump IPsec all SPD IDs + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request +*/ +define ipsec_spds_dump { + u32 client_index; + u32 context; +}; + +/** \brief Dump IPsec all SPD IDs response + @param client_index - opaque cookie to identify the sender + @param spd_id - SPD instance id (control plane allocated) + @param npolicies - number of policies in SPD +*/ +define ipsec_spds_details { + u32 context; + u32 spd_id; + u32 npolicies; +}; + /** \brief Dump ipsec policy database data @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request @@ -492,6 +515,31 @@ define ipsec_spd_details { u64 packets; }; +/** \brief IPsec: Get SPD interfaces + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + @param spd_index - SPD index + @param spd_index_valid - if 1 spd_index is used to filter + spd_index's, if 0 no filtering is done +*/ +define ipsec_spd_interface_dump { + u32 client_index; + u32 context; + u32 spd_index; + u8 spd_index_valid; +}; + +/** \brief IPsec: SPD interface response + @param context - sender context which was passed in the request + @param spd_index - SPD index + @param sw_if_index - index of the interface +*/ +define ipsec_spd_interface_details { + u32 context; + u32 spd_index; + u32 sw_if_index; +}; + /** \brief Add or delete IPsec tunnel interface @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request @@ -512,6 +560,8 @@ define ipsec_spd_details { @param local_integ_key - integrity key for outbound IPsec SA @param remote_integ_key_len - length of remote integrity key in bytes @param remote_integ_key - integrity key for inbound IPsec SA + @param renumber - intf display name uses a specified instance if != 0 + @param show_instance - instance to display for intf if renumber is set */ define ipsec_tunnel_if_add_del { u32 client_index; @@ -533,6 +583,8 @@ define ipsec_tunnel_if_add_del { u8 local_integ_key[128]; u8 remote_integ_key_len; u8 remote_integ_key[128]; + u8 renumber; + u32 show_instance; }; /** \brief Add/delete IPsec tunnel interface response @@ -582,6 +634,7 @@ define ipsec_sa_dump { @param last_seq_hi - high 32 bits of highest ESN received inbound @param replay_window - bit map of seq nums received relative to last_seq if using anti-replay @param total_data_size - total bytes sent or received + @param udp_encap - 1 if UDP encap enabled, 0 otherwise */ define ipsec_sa_details { u32 context; @@ -613,6 +666,41 @@ define ipsec_sa_details { u64 replay_window; u64 total_data_size; + u8 udp_encap; +}; + +/** \brief Set key on IPsec interface + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + @param sw_if_index - index of tunnel interface + @param key_type - type of key being set + @param alg - algorithm used with key + @param key_len - length key in bytes + @param key - key +*/ +autoreply define ipsec_tunnel_if_set_key { + u32 client_index; + u32 context; + u32 sw_if_index; + u8 key_type; + u8 alg; + u8 key_len; + u8 key[128]; +}; + +/** \brief Set new SA on IPsec interface + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + @param sw_if_index - index of tunnel interface + @param sa_id - ID of SA to use + @param is_outbound - 1 if outbound (local) SA, 0 if inbound (remote) +*/ +autoreply define ipsec_tunnel_if_set_sa { + u32 client_index; + u32 context; + u32 sw_if_index; + u32 sa_id; + u8 is_outbound; }; /*