FD.io VPP  v19.08.2-294-g37e99c22d
Vector Packet Processing
ipsec.api File Reference


Data Structures

struct  vl_api_ipsec_spd_add_del_t
 IPsec: Add/delete Security Policy Database. More...
 
struct  vl_api_ipsec_interface_add_del_spd_t
 IPsec: Add/delete SPD from interface. More...
 
struct  vl_api_ipsec_spd_entry_add_del_t
 IPsec: Add/delete Security Policy Database entry. More...
 
struct  vl_api_ipsec_spd_entry_add_del_reply_t
 IPsec: Reply Add/delete Security Policy Database entry. More...
 
struct  vl_api_ipsec_spds_dump_t
 Dump all IPsec SPD IDs. More...
 
struct  vl_api_ipsec_spds_details_t
 Response to the dump of all IPsec SPD IDs. More...
 
struct  vl_api_ipsec_spd_dump_t
 Dump IPsec policy database contents. More...
 
struct  vl_api_ipsec_spd_details_t
 IPsec policy database response. More...
 
struct  vl_api_ipsec_sad_entry_add_del_t
 IPsec: Add/delete Security Association Database entry. More...
 
struct  vl_api_ipsec_sad_entry_add_del_reply_t
 
struct  vl_api_ipsec_tunnel_protect_update_t
 
struct  vl_api_ipsec_tunnel_protect_del_t
 
struct  vl_api_ipsec_tunnel_protect_dump_t
 
struct  vl_api_ipsec_tunnel_protect_details_t
 
struct  vl_api_ipsec_spd_interface_dump_t
 IPsec: Get SPD interfaces. More...
 
struct  vl_api_ipsec_spd_interface_details_t
 IPsec: SPD interface response. More...
 
struct  vl_api_ipsec_tunnel_if_add_del_t
 Add or delete IPsec tunnel interface. More...
 
struct  vl_api_ipsec_tunnel_if_add_del_reply_t
 Add/delete IPsec tunnel interface response. More...
 
struct  vl_api_ipsec_sa_dump_t
 Dump IPsec security association. More...
 
struct  vl_api_ipsec_sa_details_t
 IPsec security association database response. More...
 
struct  vl_api_ipsec_tunnel_if_set_sa_t
 Set new SA on IPsec interface. More...
 
struct  vl_api_ipsec_backend_dump_t
 Dump IPsec backends. More...
 
struct  vl_api_ipsec_backend_details_t
 IPsec backend details. More...
 
struct  vl_api_ipsec_select_backend_t
 Select IPsec backend. More...
 

Enumerations

enum  ipsec_spd_action { IPSEC_API_SPD_ACTION_BYPASS = 0, IPSEC_API_SPD_ACTION_DISCARD, IPSEC_API_SPD_ACTION_RESOLVE, IPSEC_API_SPD_ACTION_PROTECT }
 
enum  ipsec_crypto_alg {
  IPSEC_API_CRYPTO_ALG_NONE = 0, IPSEC_API_CRYPTO_ALG_AES_CBC_128, IPSEC_API_CRYPTO_ALG_AES_CBC_192, IPSEC_API_CRYPTO_ALG_AES_CBC_256,
  IPSEC_API_CRYPTO_ALG_AES_CTR_128, IPSEC_API_CRYPTO_ALG_AES_CTR_192, IPSEC_API_CRYPTO_ALG_AES_CTR_256, IPSEC_API_CRYPTO_ALG_AES_GCM_128,
  IPSEC_API_CRYPTO_ALG_AES_GCM_192, IPSEC_API_CRYPTO_ALG_AES_GCM_256, IPSEC_API_CRYPTO_ALG_DES_CBC, IPSEC_API_CRYPTO_ALG_3DES_CBC
}
 
enum  ipsec_integ_alg {
  IPSEC_API_INTEG_ALG_NONE = 0, IPSEC_API_INTEG_ALG_MD5_96, IPSEC_API_INTEG_ALG_SHA1_96, IPSEC_API_INTEG_ALG_SHA_256_96,
  IPSEC_API_INTEG_ALG_SHA_256_128, IPSEC_API_INTEG_ALG_SHA_384_192, IPSEC_API_INTEG_ALG_SHA_512_256
}
 
enum  ipsec_sad_flags {
  IPSEC_API_SAD_FLAG_NONE = 0, IPSEC_API_SAD_FLAG_USE_ESN = 0x01, IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY = 0x02, IPSEC_API_SAD_FLAG_IS_TUNNEL = 0x04,
  IPSEC_API_SAD_FLAG_IS_TUNNEL_V6 = 0x08, IPSEC_API_SAD_FLAG_UDP_ENCAP = 0x10, IPSEC_API_SAD_FLAG_IS_INBOUND = 0x40
}
 
enum  ipsec_proto { IPSEC_API_PROTO_ESP, IPSEC_API_PROTO_AH }
 

Variables

option version = "3.0.0"
 
import vnet ip ip_types api
 
typedef ipsec_spd_entry
 IPsec: Security Policy Database entry. More...
 
i32 priority
 
u8 is_outbound
 
u32 sa_id
 
vl_api_ipsec_spd_action_t policy
 
u8 protocol
 
vl_api_address_t remote_address_start
 
vl_api_address_t remote_address_stop
 
vl_api_address_t local_address_start
 
vl_api_address_t local_address_stop
 
u16 remote_port_start
 
u16 remote_port_stop
 
u16 local_port_start
 
u16 local_port_stop
 
typedef key
 
u8 data [128]
 
typedef ipsec_sad_entry
 IPsec: Security Association Database entry. More...
 
u32 spi
 
vl_api_ipsec_crypto_alg_t crypto_algorithm
 
vl_api_key_t crypto_key
 
vl_api_ipsec_integ_alg_t integrity_algorithm
 
vl_api_key_t integrity_key
 
vl_api_ipsec_sad_flags_t flags
 
vl_api_address_t tunnel_src
 
vl_api_address_t tunnel_dst
 
u32 tx_table_id
 
u32 salt
 
typedef ipsec_tunnel_protect
 Add or Update Protection for a tunnel with IPSEC. More...
 
u32 sa_out
 
u8 n_sa_in
 
u32 sa_in [n_sa_in]
 

Enumeration Type Documentation

◆ ipsec_crypto_alg

Enumerator
IPSEC_API_CRYPTO_ALG_NONE 
IPSEC_API_CRYPTO_ALG_AES_CBC_128 
IPSEC_API_CRYPTO_ALG_AES_CBC_192 
IPSEC_API_CRYPTO_ALG_AES_CBC_256 
IPSEC_API_CRYPTO_ALG_AES_CTR_128 
IPSEC_API_CRYPTO_ALG_AES_CTR_192 
IPSEC_API_CRYPTO_ALG_AES_CTR_256 
IPSEC_API_CRYPTO_ALG_AES_GCM_128 
IPSEC_API_CRYPTO_ALG_AES_GCM_192 
IPSEC_API_CRYPTO_ALG_AES_GCM_256 
IPSEC_API_CRYPTO_ALG_DES_CBC 
IPSEC_API_CRYPTO_ALG_3DES_CBC 

Definition at line 186 of file ipsec.api.

◆ ipsec_integ_alg

Enumerator
IPSEC_API_INTEG_ALG_NONE 
IPSEC_API_INTEG_ALG_MD5_96 
IPSEC_API_INTEG_ALG_SHA1_96 
IPSEC_API_INTEG_ALG_SHA_256_96 
IPSEC_API_INTEG_ALG_SHA_256_128 
IPSEC_API_INTEG_ALG_SHA_384_192 
IPSEC_API_INTEG_ALG_SHA_512_256 

Definition at line 205 of file ipsec.api.

◆ ipsec_proto

Enumerator
IPSEC_API_PROTO_ESP 
IPSEC_API_PROTO_AH 

Definition at line 240 of file ipsec.api.

◆ ipsec_sad_flags

Enumerator
IPSEC_API_SAD_FLAG_NONE 
IPSEC_API_SAD_FLAG_USE_ESN 
IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY 
IPSEC_API_SAD_FLAG_IS_TUNNEL 
IPSEC_API_SAD_FLAG_IS_TUNNEL_V6 
IPSEC_API_SAD_FLAG_UDP_ENCAP 
IPSEC_API_SAD_FLAG_IS_INBOUND 

Definition at line 222 of file ipsec.api.

◆ ipsec_spd_action

Enumerator
IPSEC_API_SPD_ACTION_BYPASS 
IPSEC_API_SPD_ACTION_DISCARD 
IPSEC_API_SPD_ACTION_RESOLVE 
IPSEC_API_SPD_ACTION_PROTECT 

Definition at line 58 of file ipsec.api.

Variable Documentation

◆ api

import vnet interface_types api

Definition at line 19 of file ipsec.api.

◆ crypto_algorithm

vl_api_ipsec_crypto_alg_t crypto_algorithm

Definition at line 278 of file ipsec.api.

◆ crypto_key

vl_api_key_t crypto_key

Definition at line 279 of file ipsec.api.

◆ data

u8 data[128]

Definition at line 251 of file ipsec.api.

◆ flags

vl_api_ipsec_sad_flags_t flags

Definition at line 284 of file ipsec.api.

◆ integrity_algorithm

vl_api_ipsec_integ_alg_t integrity_algorithm

Definition at line 281 of file ipsec.api.

◆ integrity_key

vl_api_key_t integrity_key

Definition at line 282 of file ipsec.api.

◆ ipsec_sad_entry

typedef ipsec_sad_entry
Initial value:
{
u32 sad_id

IPsec: Security Association Database entry.

Template Parameters
client_index- opaque cookie to identify the sender
context- sender context, to match reply w/ request
is_add- add SAD entry if non-zero, else delete
sad_id- sad id
spi- security parameter index
protocol- 0 = AH, 1 = ESP (note: the ipsec_proto enum on this page lists IPSEC_API_PROTO_ESP before IPSEC_API_PROTO_AH; verify the numeric mapping against that enum before relying on these literals)
crypto_algorithm- one of the ipsec_crypto_alg values (IPSEC_API_CRYPTO_ALG_NONE selects no encryption)
crypto_key- crypto keying material
integrity_algorithm- one of the ipsec_integ_alg values (IPSEC_API_INTEG_ALG_NONE selects no integrity protection)
integrity_key- integrity keying material
tunnel_src_address- IPsec tunnel source address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero
tunnel_dst_address- IPsec tunnel destination address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero
tx_table_id- the FIB id used for encapsulated packets
salt- for use with counter mode ciphers

Definition at line 271 of file ipsec.api.

◆ ipsec_spd_entry

typedef ipsec_spd_entry
Initial value:
{
u32 spd_id

IPsec: Security Policy Database entry.

See RFC 4301, section 4.4.1.1 on how to match a packet to selectors

Template Parameters
spd_id- SPD instance id (control plane allocated)
priority- priority of SPD entry (non-unique value). Used to order SPD matching - higher priorities match before lower
is_outbound- entry applies to outbound traffic if non-zero, otherwise applies to inbound traffic
remote_address_start- start of remote address range to match
remote_address_stop- end of remote address range to match
local_address_start- start of local address range to match
local_address_stop- end of local address range to match
protocol- protocol type to match [0 means any] otherwise IANA value
remote_port_start- start of remote port range to match ...
remote_port_stop- end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
local_port_start- start of local port range to match ...
local_port_stop- end of local port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
policy- action to perform on match
sa_id- SAD instance id (control plane allocated)

Definition at line 90 of file ipsec.api.

◆ ipsec_tunnel_protect

typedef ipsec_tunnel_protect
Initial value:
{
vl_api_interface_index_t sw_if_index

Add or Update Protection for a tunnel with IPSEC.

Tunnel protection directly associates an SA with all packets ingress and egress on the tunnel. This could also be achieved by assigning an SPD to the tunnel, but that would incur an unnecessary SPD entry lookup.

For tunnels the ESP acts on the post-encapsulated packet. So if this packet:

+---------+------+
| Payload | O-IP |
+---------+------+

where O-IP is the overlay IP address that was routed into the tunnel, the resulting encapsulated packet will be:

+---------+------+------+
| Payload | O-IP | T-IP |
+---------+------+------+

where T-IP is the tunnel's src/dst IP addresses. If the SAs used for protection are in transport mode then the ESP is inserted before T-IP, i.e.:

+---------+------+-----+------+
| Payload | O-IP | ESP | T-IP |
+---------+------+-----+------+

If the SAs used for protection are in tunnel mode then another encapsulation occurs, i.e.:

+---------+------+------+-----+------+
| Payload | O-IP | T-IP | ESP | C-IP |
+---------+------+------+-----+------+

where C-IP are the crypto endpoint IP addresses defined as the tunnel endpoints in the SA. The mode for the inbound and outbound SA must be the same.

Template Parameters
client_index- opaque cookie to identify the sender
context- sender context, to match reply w/ request
sw_if_index- Tunnel interface to protect
sa_in- The ID [set] of inbound SAs
sa_out- The ID of outbound SA

Definition at line 350 of file ipsec.api.

◆ is_outbound

u8 is_outbound

Definition at line 93 of file ipsec.api.

◆ key

typedef key
Initial value:
{
u8 length

Definition at line 247 of file ipsec.api.

◆ local_address_start

vl_api_address_t local_address_start

Definition at line 102 of file ipsec.api.

◆ local_address_stop

vl_api_address_t local_address_stop

Definition at line 103 of file ipsec.api.

◆ local_port_start

u16 local_port_start

Definition at line 107 of file ipsec.api.

◆ local_port_stop

u16 local_port_stop

Definition at line 108 of file ipsec.api.

◆ n_sa_in

u8 n_sa_in

Definition at line 353 of file ipsec.api.

◆ policy

vl_api_ipsec_spd_action_t policy

Definition at line 96 of file ipsec.api.

◆ priority

i32 priority

Definition at line 92 of file ipsec.api.

◆ protocol

vl_api_ipsec_proto_t protocol

Definition at line 97 of file ipsec.api.

◆ remote_address_start

vl_api_address_t remote_address_start

Definition at line 100 of file ipsec.api.

◆ remote_address_stop

vl_api_address_t remote_address_stop

Definition at line 101 of file ipsec.api.

◆ remote_port_start

u16 remote_port_start

Definition at line 105 of file ipsec.api.

◆ remote_port_stop

u16 remote_port_stop

Definition at line 106 of file ipsec.api.

◆ sa_id

u32 sa_id

Definition at line 95 of file ipsec.api.

◆ sa_in

u32 sa_in[n_sa_in]

Definition at line 354 of file ipsec.api.

◆ sa_out

u32 sa_out

Definition at line 352 of file ipsec.api.

◆ salt

u32 salt

Definition at line 289 of file ipsec.api.

◆ spi

u32 spi

Definition at line 274 of file ipsec.api.

◆ tunnel_dst

vl_api_address_t tunnel_dst

Definition at line 287 of file ipsec.api.

◆ tunnel_src

vl_api_address_t tunnel_src

Definition at line 286 of file ipsec.api.

◆ tx_table_id

u32 tx_table_id

Definition at line 288 of file ipsec.api.

◆ version

option version = "3.0.0"

Definition at line 17 of file ipsec.api.