X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Fipsec%2Fipsec_types.api;h=37c1141ab4669529af1e21725cfb4ca60cd400a1;hb=2f4586d9b3507243918c11ce99b9d151d5bde7a0;hp=b47355908e7c573cbc455134756572ab81f46e53;hpb=9ec846c2684b69f47505d73ea9f873b793a11558;p=vpp.git
diff --git a/src/vnet/ipsec/ipsec_types.api b/src/vnet/ipsec/ipsec_types.api
index b47355908e7..37c1141ab46 100644
--- a/src/vnet/ipsec/ipsec_types.api
+++ b/src/vnet/ipsec/ipsec_types.api
@@ -36,6 +36,10 @@ enum ipsec_crypto_alg
 IPSEC_API_CRYPTO_ALG_AES_GCM_256,
 IPSEC_API_CRYPTO_ALG_DES_CBC,
 IPSEC_API_CRYPTO_ALG_3DES_CBC,
+ IPSEC_API_CRYPTO_ALG_CHACHA20_POLY1305 [backwards_compatible],
+ IPSEC_API_CRYPTO_ALG_AES_NULL_GMAC_128 [backwards_compatible],
+ IPSEC_API_CRYPTO_ALG_AES_NULL_GMAC_192 [backwards_compatible],
+ IPSEC_API_CRYPTO_ALG_AES_NULL_GMAC_256 [backwards_compatible],
 };
 /*
@@ -68,12 +72,17 @@ enum ipsec_sad_flags
 /* IPsec tunnel mode if non-zero, else transport mode */
 IPSEC_API_SAD_FLAG_IS_TUNNEL = 0x04,
 /* IPsec tunnel mode is IPv6 if non-zero,
- * else IPv4 tunnel only valid if is_tunnel is non-zero */
+ * else IPv4 tunnel only valid if is_tunnel is non-zero
+ * DEPRECATED - the user does not need to set this it is
+ * derived from the tunnel's address types.
+ */
 IPSEC_API_SAD_FLAG_IS_TUNNEL_V6 = 0x08,
 /* enable UDP encapsulation for NAT traversal */
 IPSEC_API_SAD_FLAG_UDP_ENCAP = 0x10,
 /* IPsec SA is for inbound traffic */
 IPSEC_API_SAD_FLAG_IS_INBOUND = 0x40,
+ /* IPsec SA uses an Async driver */
+ IPSEC_API_SAD_FLAG_ASYNC = 0x80 [backwards_compatible],
 };
 enum ipsec_proto
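Review bot: Three of the four members added to `ipsec_crypto_alg` are AES-NULL-GMAC variants, which the enum presents alongside real ciphers although, as the NULL in the name indicates, GMAC gives integrity only and leaves the ESP payload unencrypted. A comment above the three new lines would keep a control plane from selecting them in the expectation of confidentiality, e.g. `/* AES-GMAC (RFC 4543): authentication only, payload is not encrypted */`. The enum's header and earlier members are above the hunk.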
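Review bot: The DEPRECATED text added to `IPSEC_API_SAD_FLAG_IS_TUNNEL_V6` says the user "does not need to set this" but not what happens when a caller still sets it, or sets it inconsistently with the tunnel addresses — silently ignored, or rejected. A control plane that keeps sending the older messages needs that stated; if the flag is indeed ignored the line could read `* DEPRECATED - ignored; the address family is derived from the tunnel's address types.`. The same comment is also missing a separator between its two clauses ("set this it is").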
@@ -90,10 +99,103 @@ typedef key
 u8 data[128];
 };
+enum ipsec_spd_action
+{
+ /* bypass - no IPsec processing */
+ IPSEC_API_SPD_ACTION_BYPASS = 0,
+ /* discard - discard packet with ICMP processing */
+ IPSEC_API_SPD_ACTION_DISCARD,
+ /* resolve - send request to control plane for SA resolving */
+ IPSEC_API_SPD_ACTION_RESOLVE,
+ /* protect - apply IPsec policy using following parameters */
+ IPSEC_API_SPD_ACTION_PROTECT,
+};
+
+/** \brief IPsec: Security Policy Database entry
+
+ See RFC 4301, 4.4.1.1 on how to match packet to selectors
+
+ @param spd_id - SPD instance id (control plane allocated)
+ @param priority - priority of SPD entry (non-unique value). Used to order SPD matching - higher priorities match before lower
+ @param is_outbound - entry applies to outbound traffic if non-zero, otherwise applies to inbound traffic
+ @param remote_address_start - start of remote address range to match
+ @param remote_address_stop - end of remote address range to match
+ @param local_address_start - start of local address range to match
+ @param local_address_stop - end of local address range to match
+ @param protocol - protocol type to match [0 means any] otherwise IANA value
+ @param remote_port_start - start of remote port range to match ...
+ @param remote_port_stop - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
+ @param local_port_start - start of local port range to match ...
+ @param local_port_stop - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
+ @param policy - action to perform on match
+ @param sa_id - SAD instance id (control plane allocated)
+*/
+typedef ipsec_spd_entry
+{
+ u32 spd_id;
+ i32 priority;
+ bool is_outbound;
+
+ u32 sa_id;
+ vl_api_ipsec_spd_action_t policy;
+ /* Which protocol??
 */
+ u8 protocol;
+
+ // Selector
+ vl_api_address_t remote_address_start;
+ vl_api_address_t remote_address_stop;
+ vl_api_address_t local_address_start;
+ vl_api_address_t local_address_stop;
+
+ u16 remote_port_start;
+ u16 remote_port_stop;
+ u16 local_port_start;
+ u16 local_port_stop;
+};
+
+/** \brief IPsec: Security Policy Database entry v2
+
+ See RFC 4301, 4.4.1.1 on how to match packet to selectors
+
+ @param spd_id - SPD instance id (control plane allocated)
+ @param priority - priority of SPD entry (non-unique value). Used to order SPD matching - higher priorities match before lower
+ @param is_outbound - entry applies to outbound traffic if non-zero, otherwise applies to inbound traffic
+ @param remote_address_start - start of remote address range to match
+ @param remote_address_stop - end of remote address range to match
+ @param local_address_start - start of local address range to match
+ @param local_address_stop - end of local address range to match
+ @param protocol - protocol type to match [255 means any] otherwise IANA value
+ @param remote_port_start - start of remote port range to match ...
+ @param remote_port_stop - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
+ @param local_port_start - start of local port range to match ...
+ @param local_port_stop - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
+ @param policy - action to perform on match
+ @param sa_id - SAD instance id (control plane allocated)
+*/
+typedef ipsec_spd_entry_v2
+{
+ u32 spd_id;
+ i32 priority;
+ bool is_outbound;
+
+ u32 sa_id;
+ vl_api_ipsec_spd_action_t policy;
+ u8 protocol;
+
+ // Selector
+ vl_api_address_t remote_address_start;
+ vl_api_address_t remote_address_stop;
+ vl_api_address_t local_address_start;
+ vl_api_address_t local_address_stop;
+
+ u16 remote_port_start;
+ u16 remote_port_stop;
+ u16 local_port_start;
+ u16 local_port_stop;
+};
+
+
 /** \brief IPsec: Security Association Database entry
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
- @param is_add - add SAD entry if non-zero, else delete
 @param sad_id - sad id
 @param spi - security parameter index
 @param protocol - 0 = AH, 1 = ESP
@@ -101,6 +203,7 @@ typedef key
 @param crypto_key - crypto keying material
 @param integrity_algorithm - one of the supported algorithms
 @param integrity_key - integrity keying material
+ @param flags - SA flags (see ipsec_sad_flags above)
 @param tunnel_src_address - IPsec tunnel source address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero
 @param tunnel_dst_address - IPsec tunnel destination address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero
 @param tx_table_id - the FIB id used for encapsulated packets
@@ -112,6 +215,7 @@ typedef key
 @param tunnel_flags - Flags controlling the copying of encap/decap value
 @param dscp - Fixed DSCP vaule for tunnel encap
 */
+
 typedef ipsec_sad_entry
 {
 u32 sad_id;
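Review bot: In the doc comment of `ipsec_spd_entry_v2`, `@param local_port_stop - end of remote port range to match` describes the wrong selector and should read `end of local port range to match`; the same copy-paste slip is in the `ipsec_spd_entry` comment earlier in this hunk. The v1 typedef also keeps the stray question `/* Which protocol?? */` beside `u8 protocol`, which in a published API should be dropped or replaced with the semantics the doc comment already gives, e.g. `/* IANA protocol number; 0 matches any (v2 uses 255) */`. Since the two typedefs are otherwise identical and differ only in the wildcard value for `protocol` (0 in v1, 255 in v2, where 0 is also a valid IANA number), a pointer from the v1 comment to v2 as the replacement, stating whether a policy with protocol 0 is still accepted on v1, would make the migration unambiguous for control planes. The rest of the hunk only removes three obsolete `@param` lines from the `ipsec_sad_entry` comment.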
@@ -184,6 +288,46 @@ typedef ipsec_sad_entry_v3
 u16 udp_dst_port [default=4500];
 };
+/** \brief IPsec: Security Association Database entry
+ @param sad_id - sad id
+ @param spi - security parameter index
+ @param protocol - 0 = AH, 1 = ESP
+ @param crypto_algorithm - a supported crypto algorithm
+ @param crypto_key - crypto keying material
+ @param integrity_algorithm - one of the supported algorithms
+ @param integrity_key - integrity keying material
+ @param flags - SA flags (see ipsec_sad_flags above)
+ @param tunnel - tunnel description (see vnet/tunnel/tunnel_types.api)
+ @param salt - for use with counter mode ciphers
+ @param udp_src_port - If using UDP Encapsulation, use this source port for
+ TX. It is ignored for RX.
+ @param udp_dst_port - If using UDP Encapsulation, use this destination port
+ for TX. Expect traffic on this port for RX.
+ @param anti_replay_window_size - AR window size to use. The supplied value is round up to the nearest power of 2.
+ */
+typedef ipsec_sad_entry_v4
+{
+ u32 sad_id;
+ u32 spi;
+
+ vl_api_ipsec_proto_t protocol;
+
+ vl_api_ipsec_crypto_alg_t crypto_algorithm;
+ vl_api_key_t crypto_key;
+
+ vl_api_ipsec_integ_alg_t integrity_algorithm;
+ vl_api_key_t integrity_key;
+
+ vl_api_ipsec_sad_flags_t flags;
+
+ vl_api_tunnel_t tunnel;
+
+ u32 salt;
+ u16 udp_src_port [default=4500];
+ u16 udp_dst_port [default=4500];
+
+ u32 anti_replay_window_size [default=64];
+};
 /*
 * Local Variables: