2 * Copyright (c) 2015 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
15 #ifndef __included_ikev2_h__
16 #define __included_ikev2_h__
18 #include <vnet/vnet.h>
19 #include <vnet/ip/ip.h>
21 #include <vppinfra/error.h>
23 #define IKEV2_NONCE_SIZE 32
24 #define IKEV2_PORT 500
25 #define IKEV2_PORT_NATT 4500
26 #define IKEV2_KEY_PAD "Key Pad for IKEv2"
28 #define IKEV2_GCM_ICV_SIZE 16
29 #define IKEV2_GCM_NONCE_SIZE 12
30 #define IKEV2_GCM_SALT_SIZE 4
31 #define IKEV2_GCM_IV_SIZE (IKEV2_GCM_NONCE_SIZE - IKEV2_GCM_SALT_SIZE)
36 typedef CLIB_PACKED (struct {
43 u32 msgid; u32 length; u8 payload[0];
47 #define ike_hdr_is_response(_h) ((_h)->flags & IKEV2_HDR_FLAG_RESPONSE)
48 #define ike_hdr_is_request(_h) (!ike_hdr_is_response(_h))
49 #define ike_hdr_is_initiator(_h) ((_h)->flags & IKEV2_HDR_FLAG_INITIATOR)
50 #define ike_hdr_is_responder(_h) (!(ike_hdr_is_initiator(_h)))
53 typedef CLIB_PACKED (struct {
60 }) ike_ke_payload_header_t;
64 typedef CLIB_PACKED (struct {
67 u16 length; u8 payload[0];
68 }) ike_payload_header_t;
72 typedef CLIB_PACKED (struct {
79 }) ike_auth_payload_header_t;
83 typedef CLIB_PACKED (struct {
88 u8 reserved[3]; u8 payload[0];
89 }) ike_id_payload_header_t;
92 #define IKE_VERSION_2 0x20
94 #define IKEV2_EXCHANGE_SA_INIT 34
95 #define IKEV2_EXCHANGE_IKE_AUTH 35
96 #define IKEV2_EXCHANGE_CREATE_CHILD_SA 36
97 #define IKEV2_EXCHANGE_INFORMATIONAL 37
99 #define IKEV2_HDR_FLAG_INITIATOR (1<<3)
100 #define IKEV2_HDR_FLAG_VERSION (1<<4)
101 #define IKEV2_HDR_FLAG_RESPONSE (1<<5)
103 #define IKEV2_PAYLOAD_FLAG_CRITICAL (1<<7)
105 #define IKEV2_PAYLOAD_NONE 0
106 #define IKEV2_PAYLOAD_NAT_D 20
107 #define IKEV2_PAYLOAD_NAT_OA 21
108 #define IKEV2_PAYLOAD_SA 33
109 #define IKEV2_PAYLOAD_KE 34
110 #define IKEV2_PAYLOAD_IDI 35
111 #define IKEV2_PAYLOAD_IDR 36
112 #define IKEV2_PAYLOAD_AUTH 39
113 #define IKEV2_PAYLOAD_NONCE 40
114 #define IKEV2_PAYLOAD_NOTIFY 41
115 #define IKEV2_PAYLOAD_DELETE 42
116 #define IKEV2_PAYLOAD_VENDOR 43
117 #define IKEV2_PAYLOAD_TSI 44
118 #define IKEV2_PAYLOAD_TSR 45
119 #define IKEV2_PAYLOAD_SK 46
123 IKEV2_PROTOCOL_IKE = 1,
124 IKEV2_PROTOCOL_AH = 2,
125 IKEV2_PROTOCOL_ESP = 3,
126 } ikev2_protocol_id_t;
128 #define foreach_ikev2_notify_msg_type \
130 _( 1, UNSUPPORTED_CRITICAL_PAYLOAD) \
131 _( 4, INVALID_IKE_SPI) \
132 _( 5, INVALID_MAJOR_VERSION) \
133 _( 7, INVALID_SYNTAX) \
134 _( 8, INVALID_MESSAGE_ID) \
135 _( 11, INVALID_SPI) \
136 _( 14, NO_PROPOSAL_CHOSEN) \
137 _( 17, INVALID_KE_PAYLOAD) \
138 _( 24, AUTHENTICATION_FAILED) \
139 _( 34, SINGLE_PAIR_REQUIRED) \
140 _( 35, NO_ADDITIONAL_SAS) \
141 _( 36, INTERNAL_ADDRESS_FAILURE) \
142 _( 37, FAILED_CP_REQUIRED) \
143 _( 38, TS_UNACCEPTABLE) \
144 _( 39, INVALID_SELECTORS) \
145 _( 40, UNACCEPTABLE_ADDRESSES) \
146 _( 41, UNEXPECTED_NAT_DETECTED) \
147 _( 42, USE_ASSIGNED_HoA) \
148 _( 43, TEMPORARY_FAILURE) \
149 _( 44, CHILD_SA_NOT_FOUND) \
150 _( 45, INVALID_GROUP_ID) \
151 _( 46, AUTHORIZATION_FAILED) \
152 _(16384, INITIAL_CONTACT) \
153 _(16385, SET_WINDOW_SIZE) \
154 _(16386, ADDITIONAL_TS_POSSIBLE) \
155 _(16387, IPCOMP_SUPPORTED) \
156 _(16388, NAT_DETECTION_SOURCE_IP) \
157 _(16389, NAT_DETECTION_DESTINATION_IP) \
159 _(16391, USE_TRANSPORT_MODE) \
160 _(16392, HTTP_CERT_LOOKUP_SUPPORTED) \
162 _(16394, ESP_TFC_PADDING_NOT_SUPPORTED) \
163 _(16395, NON_FIRST_FRAGMENTS_ALSO) \
164 _(16396, MOBIKE_SUPPORTED) \
165 _(16397, ADDITIONAL_IP4_ADDRESS) \
166 _(16398, ADDITIONAL_IP6_ADDRESS) \
167 _(16399, NO_ADDITIONAL_ADDRESSES) \
168 _(16400, UPDATE_SA_ADDRESSES) \
170 _(16402, NO_NATS_ALLOWED) \
171 _(16403, AUTH_LIFETIME) \
172 _(16404, MULTIPLE_AUTH_SUPPORTED) \
173 _(16405, ANOTHER_AUTH_FOLLOWS) \
174 _(16406, REDIRECT_SUPPORTED) \
176 _(16408, REDIRECTED_FROM) \
177 _(16409, TICKET_LT_OPAQUE) \
178 _(16410, TICKET_REQUEST) \
179 _(16411, TICKET_ACK) \
180 _(16412, TICKET_NACK) \
181 _(16413, TICKET_OPAQUE) \
183 _(16415, USE_WESP_MODE) \
184 _(16416, ROHC_SUPPORTED) \
185 _(16417, EAP_ONLY_AUTHENTICATION) \
186 _(16418, CHILDLESS_IKEV2_SUPPORTED) \
187 _(16419, QUICK_CRASH_DETECTION) \
188 _(16420, IKEV2_MESSAGE_ID_SYNC_SUPPORTED) \
189 _(16421, IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED) \
190 _(16422, IKEV2_MESSAGE_ID_SYNC) \
191 _(16423, IPSEC_REPLAY_COUNTER_SYNC) \
192 _(16424, SECURE_PASSWORD_METHODS) \
193 _(16425, PSK_PERSIST) \
194 _(16426, PSK_CONFIRM) \
195 _(16427, ERX_SUPPORTED) \
196 _(16428, IFOM_CAPABILITY) \
197 _(16429, SENDER_REQUEST_ID) \
198 _(16430, IKEV2_FRAGMENTATION_SUPPORTED) \
199 _(16431, SIGNATURE_HASH_ALGORITHMS)
204 #define _(v,f) IKEV2_NOTIFY_MSG_##f = v,
205 foreach_ikev2_notify_msg_type
207 } ikev2_notify_msg_type_t;
209 #define foreach_ikev2_transform_type \
210 _(0, UNDEFINED, "undefined") \
213 _(3, INTEG, "integ") \
214 _(4, DH, "dh-group") \
219 #define _(v,f,s) IKEV2_TRANSFORM_TYPE_##f = v,
220 foreach_ikev2_transform_type
222 IKEV2_TRANSFORM_NUM_TYPES
223 } ikev2_transform_type_t;
226 #define foreach_ikev2_transform_encr_type \
227 _(1 , DES_IV64, "des-iv64") \
229 _(3 , 3DES, "3des") \
231 _(5 , IDEA, "idea") \
232 _(6 , CAST, "cast") \
233 _(7 , BLOWFISH, "blowfish") \
234 _(8 , 3IDEA, "3idea") \
235 _(9 , DES_IV32, "des-iv32") \
236 _(11, NULL, "null") \
237 _(12, AES_CBC, "aes-cbc") \
238 _(13, AES_CTR, "aes-ctr") \
239 _(20, AES_GCM_16, "aes-gcm-16")
243 #define _(v,f,str) IKEV2_TRANSFORM_ENCR_TYPE_##f = v,
244 foreach_ikev2_transform_encr_type
246 } ikev2_transform_encr_type_t;
248 #define foreach_ikev2_transform_prf_type \
249 _(1, PRF_HMAC_MD5, "hmac-md5") \
250 _(2, PRF_HMAC_SHA1, "hmac-sha1") \
251 _(3, PRF_MAC_TIGER, "mac-tiger") \
252 _(4, PRF_AES128_XCBC, "aes128-xcbc") \
253 _(5, PRF_HMAC_SHA2_256, "hmac-sha2-256") \
254 _(6, PRF_HMAC_SHA2_384, "hmac-sha2-384") \
255 _(7, PRF_HMAC_SHA2_512, "hmac-sha2-512") \
256 _(8, PRF_AES128_CMAC, "aes128-cmac")
260 #define _(v,f,str) IKEV2_TRANSFORM_PRF_TYPE_##f = v,
261 foreach_ikev2_transform_prf_type
263 } ikev2_transform_prf_type_t;
265 #define foreach_ikev2_transform_integ_type \
267 _(1, AUTH_HMAC_MD5_96, "md5-96") \
268 _(2, AUTH_HMAC_SHA1_96, "sha1-96") \
269 _(3, AUTH_DES_MAC, "des-mac") \
270 _(4, AUTH_KPDK_MD5, "kpdk-md5") \
271 _(5, AUTH_AES_XCBC_96, "aes-xcbc-96") \
272 _(6, AUTH_HMAC_MD5_128, "md5-128") \
273 _(7, AUTH_HMAC_SHA1_160, "sha1-160") \
274 _(8, AUTH_AES_CMAC_96, "cmac-96") \
275 _(9, AUTH_AES_128_GMAC, "aes-128-gmac") \
276 _(10, AUTH_AES_192_GMAC, "aes-192-gmac") \
277 _(11, AUTH_AES_256_GMAC, "aes-256-gmac") \
278 _(12, AUTH_HMAC_SHA2_256_128, "hmac-sha2-256-128") \
279 _(13, AUTH_HMAC_SHA2_384_192, "hmac-sha2-384-192") \
280 _(14, AUTH_HMAC_SHA2_512_256, "hmac-sha2-512-256")
284 #define _(v,f, str) IKEV2_TRANSFORM_INTEG_TYPE_##f = v,
285 foreach_ikev2_transform_integ_type
287 } ikev2_transform_integ_type_t;
289 #if defined(OPENSSL_NO_CISCO_FECDH)
290 #define foreach_ikev2_transform_dh_type \
292 _(1, MODP_768, "modp-768") \
293 _(2, MODP_1024, "modp-1024") \
294 _(5, MODP_1536, "modp-1536") \
295 _(14, MODP_2048, "modp-2048") \
296 _(15, MODP_3072, "modp-3072") \
297 _(16, MODP_4096, "modp-4096") \
298 _(17, MODP_6144, "modp-6144") \
299 _(18, MODP_8192, "modp-8192") \
300 _(19, ECP_256, "ecp-256") \
301 _(20, ECP_384, "ecp-384") \
302 _(21, ECP_521, "ecp-521") \
303 _(22, MODP_1024_160, "modp-1024-160") \
304 _(23, MODP_2048_224, "modp-2048-224") \
305 _(24, MODP_2048_256, "modp-2048-256") \
306 _(25, ECP_192, "ecp-192") \
307 _(26, ECP_224, "ecp-224") \
308 _(27, BRAINPOOL_224, "brainpool-224") \
309 _(28, BRAINPOOL_256, "brainpool-256") \
310 _(29, BRAINPOOL_384, "brainpool-384") \
311 _(30, BRAINPOOL_512, "brainpool-512")
313 #define foreach_ikev2_transform_dh_type \
315 _(1, MODP_768, "modp-768") \
316 _(2, MODP_1024, "modp-1024") \
317 _(5, MODP_1536, "modp-1536") \
318 _(14, MODP_2048, "modp-2048") \
319 _(15, MODP_3072, "modp-3072") \
320 _(16, MODP_4096, "modp-4096") \
321 _(17, MODP_6144, "modp-6144") \
322 _(18, MODP_8192, "modp-8192") \
323 _(19, ECP_256, "ecp-256") \
324 _(20, ECP_384, "ecp-384") \
325 _(21, ECP_521, "ecp-521") \
326 _(22, MODP_1024_160, "modp-1024-160") \
327 _(23, MODP_2048_224, "modp-2048-224") \
328 _(24, MODP_2048_256, "modp-2048-256") \
329 _(25, ECP_192, "ecp-192")
334 #define _(v,f, str) IKEV2_TRANSFORM_DH_TYPE_##f = v,
335 foreach_ikev2_transform_dh_type
337 } ikev2_transform_dh_type_t;
339 #define foreach_ikev2_transform_esn_type \
345 #define _(v,f,str) IKEV2_TRANSFORM_ESN_TYPE_##f = v,
346 foreach_ikev2_transform_esn_type
348 } ikev2_transform_esn_type_t;
350 #define foreach_ikev2_auth_method \
351 _( 1, RSA_SIG, "rsa-sig") \
352 _( 2, SHARED_KEY_MIC, "shared-key-mic")
356 #define _(v,f,s) IKEV2_AUTH_METHOD_##f = v,
357 foreach_ikev2_auth_method
359 } ikev2_auth_method_t;
361 #define foreach_ikev2_id_type \
362 _( 1, ID_IPV4_ADDR, "ip4-addr") \
363 _( 2, ID_FQDN, "fqdn") \
364 _( 3, ID_RFC822_ADDR, "rfc822") \
365 _( 5, ID_IPV6_ADDR, "ip6-addr") \
366 _( 9, ID_DER_ASN1_DN, "der-asn1-dn") \
367 _(10, ID_DER_ASN1_GN, "der-asn1-gn") \
368 _(11, ID_KEY_ID, "key-id")
372 #define _(v,f,s) IKEV2_ID_TYPE_##f = v,
373 foreach_ikev2_id_type
379 TS_IPV4_ADDR_RANGE = 7,
380 TS_IPV6_ADDR_RANGE = 8,
381 } ikev2_traffic_selector_type_t;
383 clib_error_t *ikev2_init (vlib_main_t * vm);
384 clib_error_t *ikev2_set_local_key (vlib_main_t * vm, u8 * file);
385 clib_error_t *ikev2_add_del_profile (vlib_main_t * vm, u8 * name, int is_add);
386 clib_error_t *ikev2_set_profile_auth (vlib_main_t * vm, u8 * name,
387 u8 auth_method, u8 * data,
389 clib_error_t *ikev2_set_profile_id (vlib_main_t * vm, u8 * name,
390 u8 id_type, u8 * data, int is_local);
391 clib_error_t *ikev2_set_profile_ts (vlib_main_t * vm, u8 * name,
392 u8 protocol_id, u16 start_port,
393 u16 end_port, ip_address_t start_addr,
394 ip_address_t end_addr, int is_local);
395 clib_error_t *ikev2_set_profile_responder (vlib_main_t * vm, u8 * name,
398 clib_error_t *ikev2_set_profile_responder_hostname (vlib_main_t *vm, u8 *name,
401 clib_error_t *ikev2_set_profile_ike_transforms (vlib_main_t * vm, u8 * name,
402 ikev2_transform_encr_type_t
404 ikev2_transform_integ_type_t
406 ikev2_transform_dh_type_t
407 dh_type, u32 crypto_key_size);
408 clib_error_t *ikev2_set_profile_esp_transforms (vlib_main_t * vm, u8 * name,
409 ikev2_transform_encr_type_t
411 ikev2_transform_integ_type_t
413 u32 crypto_key_size);
414 clib_error_t *ikev2_set_profile_sa_lifetime (vlib_main_t * vm, u8 * name,
415 u64 lifetime, u32 jitter,
416 u32 handover, u64 maxdata);
417 clib_error_t *ikev2_set_profile_tunnel_interface (vlib_main_t * vm, u8 * name,
419 vnet_api_error_t ikev2_set_profile_ipsec_udp_port (vlib_main_t * vm,
422 clib_error_t *ikev2_set_profile_udp_encap (vlib_main_t * vm, u8 * name);
423 clib_error_t *ikev2_initiate_sa_init (vlib_main_t * vm, u8 * name);
424 clib_error_t *ikev2_initiate_delete_child_sa (vlib_main_t * vm, u32 ispi);
425 clib_error_t *ikev2_initiate_delete_ike_sa (vlib_main_t * vm, u64 ispi);
426 clib_error_t *ikev2_initiate_rekey_child_sa (vlib_main_t * vm, u32 ispi);
429 u8 *format_ikev2_auth_method (u8 * s, va_list * args);
430 u8 *format_ikev2_id_type (u8 * s, va_list * args);
431 u8 *format_ikev2_transform_type (u8 * s, va_list * args);
432 u8 *format_ikev2_notify_msg_type (u8 * s, va_list * args);
433 u8 *format_ikev2_transform_encr_type (u8 * s, va_list * args);
434 u8 *format_ikev2_transform_prf_type (u8 * s, va_list * args);
435 u8 *format_ikev2_transform_integ_type (u8 * s, va_list * args);
436 u8 *format_ikev2_transform_dh_type (u8 * s, va_list * args);
437 u8 *format_ikev2_transform_esn_type (u8 * s, va_list * args);
438 u8 *format_ikev2_sa_transform (u8 * s, va_list * args);
440 uword unformat_ikev2_auth_method (unformat_input_t * input, va_list * args);
441 uword unformat_ikev2_id_type (unformat_input_t * input, va_list * args);
442 uword unformat_ikev2_transform_type (unformat_input_t * input,
444 uword unformat_ikev2_transform_encr_type (unformat_input_t * input,
446 uword unformat_ikev2_transform_prf_type (unformat_input_t * input,
448 uword unformat_ikev2_transform_integ_type (unformat_input_t * input,
450 uword unformat_ikev2_transform_dh_type (unformat_input_t * input,
452 uword unformat_ikev2_transform_esn_type (unformat_input_t * input,
454 void ikev2_cli_reference (void);
456 clib_error_t *ikev2_set_liveness_params (u32 period, u32 max_retries);
458 #endif /* __included_ikev2_h__ */
462 * fd.io coding-style-patch-verification: ON
465 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob