ipsec: Changes to make ipsec encoder/decoders reusable by the plugins

[vpp.git] / src / vnet / ipsec / ipsec_types.api

/* Hey Emacs use -*- mode: C -*- */
/*
 * Copyright (c) 2015-2016 Cisco and/or its affiliates.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

option version = "3.0.0";

import "vnet/ip/ip_types.api";

/*
 * @brief Support cryptographic algorithms
 */
enum ipsec_crypto_alg
{
  IPSEC_API_CRYPTO_ALG_NONE = 0,
  IPSEC_API_CRYPTO_ALG_AES_CBC_128,
  IPSEC_API_CRYPTO_ALG_AES_CBC_192,
  IPSEC_API_CRYPTO_ALG_AES_CBC_256,
  IPSEC_API_CRYPTO_ALG_AES_CTR_128,
  IPSEC_API_CRYPTO_ALG_AES_CTR_192,
  IPSEC_API_CRYPTO_ALG_AES_CTR_256,
  IPSEC_API_CRYPTO_ALG_AES_GCM_128,
  IPSEC_API_CRYPTO_ALG_AES_GCM_192,
  IPSEC_API_CRYPTO_ALG_AES_GCM_256,
  IPSEC_API_CRYPTO_ALG_DES_CBC,
  IPSEC_API_CRYPTO_ALG_3DES_CBC,
};

/*
 * @brief Supported Integrity Algorithms
 */
enum ipsec_integ_alg
{
  IPSEC_API_INTEG_ALG_NONE = 0,
  /* RFC2403 */
  IPSEC_API_INTEG_ALG_MD5_96,
  /* RFC2404 */
  IPSEC_API_INTEG_ALG_SHA1_96,
  /* draft-ietf-ipsec-ciph-sha-256-00 */
  IPSEC_API_INTEG_ALG_SHA_256_96,
  /* RFC4868 */
  IPSEC_API_INTEG_ALG_SHA_256_128,
  /* RFC4868 */
  IPSEC_API_INTEG_ALG_SHA_384_192,
  /* RFC4868 */
  IPSEC_API_INTEG_ALG_SHA_512_256,
};

enum ipsec_sad_flags
{
  IPSEC_API_SAD_FLAG_NONE = 0,
  /* Enable extended sequence numbers */
  IPSEC_API_SAD_FLAG_USE_ESN = 0x01,
  /* Enable Anti-replay */
  IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY = 0x02,
  /* IPsec tunnel mode if non-zero, else transport mode */
  IPSEC_API_SAD_FLAG_IS_TUNNEL = 0x04,
  /* IPsec tunnel mode is IPv6 if non-zero,
   *  else IPv4 tunnel only valid if is_tunnel is non-zero */
  IPSEC_API_SAD_FLAG_IS_TUNNEL_V6 = 0x08,
  /* enable UDP encapsulation for NAT traversal */
  IPSEC_API_SAD_FLAG_UDP_ENCAP = 0x10,
};

enum ipsec_proto
{
  IPSEC_API_PROTO_ESP,
  IPSEC_API_PROTO_AH,
};

typedef key
{
  /* the length of the key */
  u8 length;
  /* The data for the key */
  u8 data[128];
};

/** \brief IPsec: Security Association Database entry
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param is_add - add SAD entry if non-zero, else delete
    @param sad_id - sad id
    @param spi - security parameter index
    @param protocol - 0 = AH, 1 = ESP
    @param crypto_algorithm - a supported crypto algorithm
    @param crypto_key - crypto keying material
    @param integrity_algorithm - one of the supported algorithms
    @param integrity_key - integrity keying material
    @param tunnel_src_address - IPsec tunnel source address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero
    @param tunnel_dst_address - IPsec tunnel destination address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero
    @param tx_table_id - the FIB id used for encapsulated packets
    @param salt - for use with counter mode ciphers
 */
typedef ipsec_sad_entry
{
  u32 sad_id;

  u32 spi;

  vl_api_ipsec_proto_t protocol;

  vl_api_ipsec_crypto_alg_t crypto_algorithm;
  vl_api_key_t crypto_key;

  vl_api_ipsec_integ_alg_t integrity_algorithm;
  vl_api_key_t integrity_key;

  vl_api_ipsec_sad_flags_t flags;

  vl_api_address_t tunnel_src;
  vl_api_address_t tunnel_dst;
  u32 tx_table_id;
  u32 salt;
};

/*
 * Local Variables:
 * eval: (c-set-style "gnu")
 * End:
 */