FD.io VPP
v19.08.2-294-g37e99c22d
Vector Packet Processing
|
Go to the source code of this file.
Data Structures | |
struct | vl_api_ipsec_spd_add_del_t |
IPsec: Add/delete Security Policy Database. More... | |
struct | vl_api_ipsec_interface_add_del_spd_t |
IPsec: Add/delete SPD from interface. More... | |
struct | vl_api_ipsec_spd_entry_add_del_t |
IPsec: Add/delete Security Policy Database entry. More... | |
struct | vl_api_ipsec_spd_entry_add_del_reply_t |
IPsec: Reply Add/delete Security Policy Database entry. More... | |
struct | vl_api_ipsec_spds_dump_t |
Dump IPsec all SPD IDs. More... | |
struct | vl_api_ipsec_spds_details_t |
Dump IPsec all SPD IDs response. More... | |
struct | vl_api_ipsec_spd_dump_t |
Dump ipsec policy database data. More... | |
struct | vl_api_ipsec_spd_details_t |
IPsec policy database response. More... | |
struct | vl_api_ipsec_sad_entry_add_del_t |
IPsec: Add/delete Security Association Database entry. More... | |
struct | vl_api_ipsec_sad_entry_add_del_reply_t |
struct | vl_api_ipsec_tunnel_protect_update_t |
struct | vl_api_ipsec_tunnel_protect_del_t |
struct | vl_api_ipsec_tunnel_protect_dump_t |
struct | vl_api_ipsec_tunnel_protect_details_t |
struct | vl_api_ipsec_spd_interface_dump_t |
IPsec: Get SPD interfaces. More... | |
struct | vl_api_ipsec_spd_interface_details_t |
IPsec: SPD interface response. More... | |
struct | vl_api_ipsec_tunnel_if_add_del_t |
Add or delete IPsec tunnel interface. More... | |
struct | vl_api_ipsec_tunnel_if_add_del_reply_t |
Add/delete IPsec tunnel interface response. More... | |
struct | vl_api_ipsec_sa_dump_t |
Dump IPsec security association. More... | |
struct | vl_api_ipsec_sa_details_t |
IPsec security association database response. More... | |
struct | vl_api_ipsec_tunnel_if_set_sa_t |
Set new SA on IPsec interface. More... | |
struct | vl_api_ipsec_backend_dump_t |
Dump IPsec backends. More... | |
struct | vl_api_ipsec_backend_details_t |
IPsec backend details. More... | |
struct | vl_api_ipsec_select_backend_t |
Select IPsec backend. More... | |
Variables | |
option | version = "3.0.0" |
import vnet ip ip_types | api |
typedef | ipsec_spd_entry |
IPsec: Security Policy Database entry. More... | |
i32 | priority |
u8 | is_outbound |
u32 | sa_id |
vl_api_ipsec_spd_action_t | policy |
u8 | protocol |
vl_api_address_t | remote_address_start |
vl_api_address_t | remote_address_stop |
vl_api_address_t | local_address_start |
vl_api_address_t | local_address_stop |
u16 | remote_port_start |
u16 | remote_port_stop |
u16 | local_port_start |
u16 | local_port_stop |
typedef | key |
u8 | data [128] |
typedef | ipsec_sad_entry |
IPsec: Security Association Database entry. More... | |
u32 | spi |
vl_api_ipsec_crypto_alg_t | crypto_algorithm |
vl_api_key_t | crypto_key |
vl_api_ipsec_integ_alg_t | integrity_algorithm |
vl_api_key_t | integrity_key |
vl_api_ipsec_sad_flags_t | flags |
vl_api_address_t | tunnel_src |
vl_api_address_t | tunnel_dst |
u32 | tx_table_id |
u32 | salt |
typedef | ipsec_tunnel_protect |
Add or Update Protection for a tunnel with IPSEC. More... | |
u32 | sa_out |
u8 | n_sa_in |
u32 | sa_in [n_sa_in] |
enum ipsec_crypto_alg |
enum ipsec_integ_alg |
enum ipsec_proto |
enum ipsec_sad_flags |
enum ipsec_spd_action |
typedef ipsec_sad_entry |
IPsec: Security Association Database entry.
client_index | - opaque cookie to identify the sender |
context | - sender context, to match reply w/ request |
is_add | - add SAD entry if non-zero, else delete |
sad_id | - sad id |
spi | - security parameter index |
protocol | - 0 = AH, 1 = ESP |
crypto_algorithm | - a supported crypto algorithm |
crypto_key | - crypto keying material |
integrity_algorithm | - one of the supported algorithms |
integrity_key | - integrity keying material |
tunnel_src_address | - IPsec tunnel source address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero |
tunnel_dst_address | - IPsec tunnel destination address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero |
tx_table_id | - the FIB id used for encapsulated packets |
salt | - for use with counter mode ciphers |
typedef ipsec_spd_entry |
IPsec: Security Policy Database entry.
See RFC 4301, 4.4.1.1 on how to match packet to selectors
spd_id | - SPD instance id (control plane allocated) |
priority | - priority of SPD entry (non-unique value). Used to order SPD matching - higher priorities match before lower |
is_outbound | - entry applies to outbound traffic if non-zero, otherwise applies to inbound traffic |
remote_address_start | - start of remote address range to match |
remote_address_stop | - end of remote address range to match |
local_address_start | - start of local address range to match |
local_address_stop | - end of local address range to match |
protocol | - protocol type to match [0 means any] otherwise IANA value |
remote_port_start | - start of remote port range to match ... |
remote_port_stop | - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE] |
local_port_start | - start of local port range to match ... |
local_port_stop | - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE] |
policy | - action to perform on match |
sa_id | - SAD instance id (control plane allocated) |
typedef ipsec_tunnel_protect |
Add or Update Protection for a tunnel with IPSEC.
Tunnel protection directly associates an SA with all packets ingress and egress on the tunnel. This could also be achieved by assigning an SPD to the tunnel, but that would incur an unnessccary SPD entry lookup.
For tunnels the ESP acts on the post-encapsulated packet. So if this packet: +------—+---—+ | Payload | O-IP | +------—+---—+ where O-IP is the overlay IP addrees that was routed into the tunnel, the resulting encapsulated packet will be: +------—+---—+---—+ | Payload | O-IP | T-IP | +------—+---—+---—+ where T-IP is the tunnel's src.dst IP addresses. If the SAs used for protection are in transport mode then the ESP is inserted before T-IP, i.e.: +------—+---—+--—+---—+ | Payload | O-IP | ESP | T-IP | +------—+---—+--—+---—+ If the SAs used for protection are in tunnel mode then another encapsulation occurs, i.e.: +------—+---—+---—+--—+---—+ | Payload | O-IP | T-IP | ESP | C-IP | +------—+---—+---—+--—+---—+ where C-IP are the crypto endpoint IP addresses defined as the tunnel endpoints in the SA. The mode for the inbound and outbound SA must be the same.
client_index | - opaque cookie to identify the sender |
context | - sender context, to match reply w/ request |
sw_id_index | - Tunnel interface to protect |
sa_in | - The ID [set] of inbound SAs |
sa_out | - The ID of outbound SA |
typedef key |