aboutsummaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec/ipsec.api
diff options
context:
space:
mode:
authorNeale Ranns <nranns@cisco.com>2019-02-06 01:41:05 -0800
committerFlorin Coras <florin.coras@gmail.com>2019-02-07 19:13:32 +0000
commit8d7c502002636da1cb7c71a87757f328e7c2c4fd (patch)
tree1005d63dcb3a24f7bb2ad2d3224bfcb062909666 /src/vnet/ipsec/ipsec.api
parent3d0ef26a0285b9baa486c91b2e6609125a2bc651 (diff)
IPSEC: no second lookup after tunnel encap
in the same maaner as with other tunnel tyeps we use the FIB to cache and track the destination used to reach the tunnel endpoint. Post encap we can then ship the packet straight to this adjacency and thus elide the costly second lookup. - SA add and del function so they can be used both directly from the API and for tunnels. - API change for the SA dump to use the SA type - ipsec_key_t type for convenience (copying, [un]formating) - no matching tunnel counters in ipsec-if-input Change-Id: I9d144a59667f7bf96442f4ca66bef5c1d3c7f1ea Signed-off-by: Neale Ranns <nranns@cisco.com>
Diffstat (limited to 'src/vnet/ipsec/ipsec.api')
-rw-r--r--src/vnet/ipsec/ipsec.api33
1 files changed, 8 insertions, 25 deletions
diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api
index 54cc76bb9d6..ece0b024485 100644
--- a/src/vnet/ipsec/ipsec.api
+++ b/src/vnet/ipsec/ipsec.api
@@ -232,6 +232,10 @@ enum ipsec_sad_flags
IPSEC_API_SAD_FLAG_IS_TUNNEL_V6 = 0x08,
/* enable UDP encapsulation for NAT traversal */
IPSEC_API_SAD_FLAG_UDP_ENCAP = 0x10,
+
+ /* come-on Ole please fix this */
+ IPSEC_API_SAD_COMBO_12 = 12,
+ IPSEC_API_SAD_COMBO_20 = 20,
};
enum ipsec_proto
@@ -261,6 +265,7 @@ typedef key
@param integrity_key - integrity keying material
@param tunnel_src_address - IPsec tunnel source address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero
@param tunnel_dst_address - IPsec tunnel destination address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero
+ @param tx_table_id - the FIB id used for encapsulated packets
*/
typedef ipsec_sad_entry
{
@@ -280,6 +285,7 @@ typedef ipsec_sad_entry
vl_api_address_t tunnel_src;
vl_api_address_t tunnel_dst;
+ u32 tx_table_id;
};
/** \brief IPsec: Add/delete Security Association Database entry
@@ -687,41 +693,18 @@ define ipsec_sa_dump {
@param replay_window - bit map of seq nums received relative to last_seq if using anti-replay
@param total_data_size - total bytes sent or received
@param udp_encap - 1 if UDP encap enabled, 0 otherwise
- @param tx_table_id - the FIB id used for encapsulated packets
*/
define ipsec_sa_details {
u32 context;
- u32 sa_id;
- u32 sw_if_index;
-
- u32 spi;
- u8 protocol;
-
- u8 crypto_alg;
- u8 crypto_key_len;
- u8 crypto_key[128];
-
- u8 integ_alg;
- u8 integ_key_len;
- u8 integ_key[128];
-
- u8 use_esn;
- u8 use_anti_replay;
-
- u8 is_tunnel;
- u8 is_tunnel_ip6;
- u8 tunnel_src_addr[16];
- u8 tunnel_dst_addr[16];
+ vl_api_ipsec_sad_entry_t entry;
+ u32 sw_if_index;
u32 salt;
u64 seq_outbound;
u64 last_seq_inbound;
u64 replay_window;
u64 total_data_size;
- u8 udp_encap;
-
- u32 tx_table_id;
};
/** \brief Set key on IPsec interface