diff options
author | Neale Ranns <nranns@cisco.com> | 2019-02-06 01:41:05 -0800 |
---|---|---|
committer | Florin Coras <florin.coras@gmail.com> | 2019-02-07 19:13:32 +0000 |
commit | 8d7c502002636da1cb7c71a87757f328e7c2c4fd (patch) | |
tree | 1005d63dcb3a24f7bb2ad2d3224bfcb062909666 /src/vnet/ipsec/ipsec.api | |
parent | 3d0ef26a0285b9baa486c91b2e6609125a2bc651 (diff) |
IPSEC: no second lookup after tunnel encap
in the same maaner as with other tunnel tyeps we use
the FIB to cache and track the destination used to reach
the tunnel endpoint. Post encap we can then ship the packet
straight to this adjacency and thus elide the costly second
lookup.
- SA add and del function so they can be used both directly
from the API and for tunnels.
- API change for the SA dump to use the SA type
- ipsec_key_t type for convenience (copying, [un]formating)
- no matching tunnel counters in ipsec-if-input
Change-Id: I9d144a59667f7bf96442f4ca66bef5c1d3c7f1ea
Signed-off-by: Neale Ranns <nranns@cisco.com>
Diffstat (limited to 'src/vnet/ipsec/ipsec.api')
-rw-r--r-- | src/vnet/ipsec/ipsec.api | 33 |
1 files changed, 8 insertions, 25 deletions
diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api index 54cc76bb9d6..ece0b024485 100644 --- a/src/vnet/ipsec/ipsec.api +++ b/src/vnet/ipsec/ipsec.api @@ -232,6 +232,10 @@ enum ipsec_sad_flags IPSEC_API_SAD_FLAG_IS_TUNNEL_V6 = 0x08, /* enable UDP encapsulation for NAT traversal */ IPSEC_API_SAD_FLAG_UDP_ENCAP = 0x10, + + /* come-on Ole please fix this */ + IPSEC_API_SAD_COMBO_12 = 12, + IPSEC_API_SAD_COMBO_20 = 20, }; enum ipsec_proto @@ -261,6 +265,7 @@ typedef key @param integrity_key - integrity keying material @param tunnel_src_address - IPsec tunnel source address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero @param tunnel_dst_address - IPsec tunnel destination address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero + @param tx_table_id - the FIB id used for encapsulated packets */ typedef ipsec_sad_entry { @@ -280,6 +285,7 @@ typedef ipsec_sad_entry vl_api_address_t tunnel_src; vl_api_address_t tunnel_dst; + u32 tx_table_id; }; /** \brief IPsec: Add/delete Security Association Database entry @@ -687,41 +693,18 @@ define ipsec_sa_dump { @param replay_window - bit map of seq nums received relative to last_seq if using anti-replay @param total_data_size - total bytes sent or received @param udp_encap - 1 if UDP encap enabled, 0 otherwise - @param tx_table_id - the FIB id used for encapsulated packets */ define ipsec_sa_details { u32 context; - u32 sa_id; - u32 sw_if_index; - - u32 spi; - u8 protocol; - - u8 crypto_alg; - u8 crypto_key_len; - u8 crypto_key[128]; - - u8 integ_alg; - u8 integ_key_len; - u8 integ_key[128]; - - u8 use_esn; - u8 use_anti_replay; - - u8 is_tunnel; - u8 is_tunnel_ip6; - u8 tunnel_src_addr[16]; - u8 tunnel_dst_addr[16]; + vl_api_ipsec_sad_entry_t entry; + u32 sw_if_index; u32 salt; u64 seq_outbound; u64 last_seq_inbound; u64 replay_window; u64 total_data_size; - u8 udp_encap; - - u32 tx_table_id; }; /** \brief Set key on IPsec interface |