diff options
author | Radu Nicolau <radu.nicolau@intel.com> | 2017-02-16 16:49:46 +0000 |
---|---|---|
committer | Damjan Marion <dmarion.lists@gmail.com> | 2017-02-17 16:32:26 +0000 |
commit | cb33dc2d7a566d571c86b950b4aa92dd7ae01c3c (patch) | |
tree | cc767067b6dcaad882982088bd0c62d98a148e23 /src/vnet/ipsec/ipsec.api | |
parent | 665e482f2422cab52da221b019bb81993d7950f3 (diff) |
Implemented IKEv2 initiator features:
- IKE_SA_INIT and IKE_AUTH initial exchanges
- Delete IKA SA
- Rekey and delete Child SA
- Child SAs lifetime policy
To set up one VPP instance as the initiator use the following CLI commands (or API equivalents):
ikev2 profile set <id> responder <interface> <addr>
ikev2 profile set <id> ike-crypto-alg <crypto alg> <key size> ike-integ-alg <integ alg> ike-dh <dh type>
ikev2 profile set <id> esp-crypto-alg <crypto alg> <key size> esp-integ-alg <integ alg> esp-dh <dh type>
ikev2 profile set <id> sa-lifetime <seconds> <jitter> <handover> <max bytes>
and finally
ikev2 initiate sa-init <profile id> to initiate the IKE_SA_INIT exchange
Child SA re-keying process:
1. Child SA expires
2. A new Child SA is created using the Child SA rekey exchange
3. For a set time both SAs are alive
4. After the set time interval expires old SA is deleted
Any additional settings will not be carried over (i.e. settings of the ipsec<x> interface associated with the Child SA)
CLI API additions:
ikev2 profile set <id> responder <interface> <addr>
ikev2 profile set <id> ike-crypto-alg <crypto alg> <key size> ike-integ-alg <integ alg> ike-dh <dh type>
ikev2 profile set <id> esp-crypto-alg <crypto alg> <key size> esp-integ-alg <integ alg> esp-dh <dh type>
ikev2 profile set <id> sa-lifetime <seconds> <jitter> <handover> <max bytes>
ikev2 initiate sa-init <profile id>
ikev2 initiate del-child-sa <child sa ispi>
ikev2 initiate del-sa <sa ispi>
ikev2 initiate rekey-child-sa <profile id> <child sa ispi>
Sample configurations:
Responder:
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local fqdn vpp.home.responder
ikev2 profile set pr1 id remote fqdn vpp.home.initiator
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector local ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0
Initiator:
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local fqdn vpp.home.initiator
ikev2 profile set pr1 id remote fqdn vpp.home.responder
ikev2 profile set pr1 traffic-selector local ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 responder TenGigabitEthernet3/0/1 192.168.40.20
ikev2 profile set pr1 ike-crypto-alg aes-cbc 192 ike-integ-alg sha1-96 ike-dh modp-2048
ikev2 profile set pr1 esp-crypto-alg aes-cbc 192 esp-integ-alg sha1-96 esp-dh ecp-256
ikev2 profile set pr1 sa-lifetime 3600 10 5 0
Change-Id: I1db9084dc787129ea61298223fb7585a6f7eaf9e
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
Diffstat (limited to 'src/vnet/ipsec/ipsec.api')
-rw-r--r-- | src/vnet/ipsec/ipsec.api | 228 |
1 files changed, 228 insertions, 0 deletions
diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api index 178bb757168..ef090f84c8f 100644 --- a/src/vnet/ipsec/ipsec.api +++ b/src/vnet/ipsec/ipsec.api @@ -394,6 +394,234 @@ define ikev2_set_local_key_reply i32 retval; }; +/** \brief IKEv2: Set IKEv2 responder interface and IP address + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + + @param name - IKEv2 profile name + @param sw_if_index - interface index + @param address - interface address +*/ +define ikev2_set_responder +{ + u32 client_index; + u32 context; + + u8 name[64]; + u32 sw_if_index; + u8 address[4]; +}; + +/** \brief Reply for IKEv2: Set IKEv2 responder interface and IP address + @param context - returned sender context, to match reply w/ request + @param retval - return code +*/ +define ikev2_set_responder_reply +{ + u32 context; + i32 retval; +}; + + +/** \brief IKEv2: Set IKEv2 IKE transforms in SA_INIT proposal (RFC 7296) + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + + @param name - IKEv2 profile name + @param crypto_alg - encryption algorithm + @param crypto_key_size - encryption key size + @param integ_alg - integrity algorithm + @param dh_group - Diffie-Hellman group + +*/ +define ikev2_set_ike_transforms +{ + u32 client_index; + u32 context; + + u8 name[64]; + u32 crypto_alg; + u32 crypto_key_size; + u32 integ_alg; + u32 dh_group; +}; + +/** \brief Reply for IKEv2: Set IKEv2 IKE transforms + @param context - returned sender context, to match reply w/ request + @param retval - return code +*/ +define ikev2_set_ike_transforms_reply +{ + u32 context; + i32 retval; +}; + +/** \brief IKEv2: Set IKEv2 ESP transforms in SA_INIT proposal (RFC 7296) + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + + @param name - IKEv2 profile name + @param crypto_alg - encryption algorithm + @param crypto_key_size - encryption key size + @param integ_alg - integrity algorithm + @param dh_group - Diffie-Hellman group + +*/ +define ikev2_set_esp_transforms +{ + u32 client_index; + u32 context; + + u8 name[64]; + u32 crypto_alg; + u32 crypto_key_size; + u32 integ_alg; + u32 dh_group; +}; + +/** \brief Reply for IKEv2: Set IKEv2 ESP transforms + @param context - returned sender context, to match reply w/ request + @param retval - return code +*/ +define ikev2_set_esp_transforms_reply +{ + u32 context; + i32 retval; +}; + +/** \brief IKEv2: Set Child SA lifetime, limited by time and/or data + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + + @param name - IKEv2 profile name + @param lifetime - SA maximum life time in seconds (0 to disable) + @param lifetime_jitter - Jitter added to prevent simultaneounus rekeying + @param handover - Hand over time + @param lifetime_maxdata - SA maximum life time in bytes (0 to disable) + +*/ +define ikev2_set_sa_lifetime +{ + u32 client_index; + u32 context; + + u8 name[64]; + u64 lifetime; + u32 lifetime_jitter; + u32 handover; + u64 lifetime_maxdata; +}; + +/** \brief Reply for IKEv2: Set Child SA lifetime + @param context - returned sender context, to match reply w/ request + @param retval - return code +*/ +define ikev2_set_sa_lifetime_reply +{ + u32 context; + i32 retval; +}; + +/** \brief IKEv2: Initiate the SA_INIT exchange + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + + @param name - IKEv2 profile name + +*/ +define ikev2_initiate_sa_init +{ + u32 client_index; + u32 context; + + u8 name[64]; +}; + +/** \brief Reply for IKEv2: Initiate the SA_INIT exchange + @param context - returned sender context, to match reply w/ request + @param retval - return code +*/ +define ikev2_initiate_sa_init_reply +{ + u32 context; + i32 retval; +}; + +/** \brief IKEv2: Initiate the delete IKE SA exchange + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + + @param ispi - IKE SA initiator SPI + +*/ +define ikev2_initiate_del_ike_sa +{ + u32 client_index; + u32 context; + + u64 ispi; +}; + +/** \brief Reply for IKEv2: Initiate the delete IKE SA exchange + @param context - returned sender context, to match reply w/ request + @param retval - return code +*/ +define ikev2_initiate_del_ike_sa_reply +{ + u32 context; + i32 retval; +}; + +/** \brief IKEv2: Initiate the delete Child SA exchange + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + + @param ispi - Child SA initiator SPI + +*/ +define ikev2_initiate_del_child_sa +{ + u32 client_index; + u32 context; + + u32 ispi; +}; + +/** \brief Reply for IKEv2: Initiate the delete Child SA exchange + @param context - returned sender context, to match reply w/ request + @param retval - return code +*/ +define ikev2_initiate_del_child_sa_reply +{ + u32 context; + i32 retval; +}; + +/** \brief IKEv2: Initiate the rekey Child SA exchange + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + + @param ispi - Child SA initiator SPI + +*/ +define ikev2_initiate_rekey_child_sa +{ + u32 client_index; + u32 context; + + u32 ispi; +}; + +/** \brief Reply for IKEv2: Initiate the rekey Child SA exchange + @param context - returned sender context, to match reply w/ request + @param retval - return code +*/ +define ikev2_initiate_rekey_child_sa_reply +{ + u32 context; + i32 retval; +}; + /** \brief Dump ipsec policy database data @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request |