summaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec/ipsec.api
diff options
context:
space:
mode:
authorNeale Ranns <nranns@cisco.com>2019-02-07 07:26:12 -0800
committerDamjan Marion <dmarion@me.com>2019-06-18 13:54:35 +0000
commitc87b66c86201458c0475d50c6e93f1497f9eec2e (patch)
tree57bf69c2adb85a93b26a86b5a1110e4290e7f391 /src/vnet/ipsec/ipsec.api
parent097fa66b986f06281f603767d321ab13ab6c88c3 (diff)
ipsec: ipsec-tun protect
please consult the new tunnel proposal at: https://wiki.fd.io/view/VPP/IPSec Type: feature Change-Id: I52857fc92ae068b85f59be08bdbea1bd5932e291 Signed-off-by: Neale Ranns <nranns@cisco.com>
Diffstat (limited to 'src/vnet/ipsec/ipsec.api')
-rw-r--r--src/vnet/ipsec/ipsec.api76
1 files changed, 76 insertions, 0 deletions
diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api
index bb9e8056251..12bdad0f9c3 100644
--- a/src/vnet/ipsec/ipsec.api
+++ b/src/vnet/ipsec/ipsec.api
@@ -17,6 +17,7 @@
option version = "3.0.0";
import "vnet/ip/ip_types.api";
+import "vnet/interface_types.api";
/** \brief IPsec: Add/delete Security Policy Database
@param client_index - opaque cookie to identify the sender
@@ -305,6 +306,81 @@ define ipsec_sad_entry_add_del_reply
u32 stat_index;
};
+/** \brief Add or Update Protection for a tunnel with IPSEC
+
+ Tunnel protection directly associates an SA with all packets
+ ingress and egress on the tunnel. This could also be achieved by
+ assigning an SPD to the tunnel, but that would incur an unnessccary
+ SPD entry lookup.
+
+ For tunnels the ESP acts on the post-encapsulated packet. So if this
+ packet:
+ +---------+------+
+ | Payload | O-IP |
+ +---------+------+
+ where O-IP is the overlay IP addrees that was routed into the tunnel,
+ the resulting encapsulated packet will be:
+ +---------+------+------+
+ | Payload | O-IP | T-IP |
+ +---------+------+------+
+ where T-IP is the tunnel's src.dst IP addresses.
+ If the SAs used for protection are in transport mode then the ESP is
+ inserted before T-IP, i.e.:
+ +---------+------+-----+------+
+ | Payload | O-IP | ESP | T-IP |
+ +---------+------+-----+------+
+ If the SAs used for protection are in tunnel mode then another
+ encapsulation occurs, i.e.:
+ +---------+------+------+-----+------+
+ | Payload | O-IP | T-IP | ESP | C-IP |
+ +---------+------+------+-----+------+
+ where C-IP are the crypto endpoint IP addresses defined as the tunnel
+ endpoints in the SA.
+ The mode for the inbound and outbound SA must be the same.
+
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+ @param sw_id_index - Tunnel interface to protect
+ @param sa_in - The ID [set] of inbound SAs
+ @param sa_out - The ID of outbound SA
+*/
+typedef ipsec_tunnel_protect
+{
+ vl_api_interface_index_t sw_if_index;
+ u32 sa_out;
+ u8 n_sa_in;
+ u32 sa_in[n_sa_in];
+};
+
+autoreply define ipsec_tunnel_protect_update
+{
+ u32 client_index;
+ u32 context;
+
+ vl_api_ipsec_tunnel_protect_t tunnel;
+};
+
+autoreply define ipsec_tunnel_protect_del
+{
+ u32 client_index;
+ u32 context;
+
+ vl_api_interface_index_t sw_if_index;
+};
+
+define ipsec_tunnel_protect_dump
+{
+ u32 client_index;
+ u32 context;
+ vl_api_interface_index_t sw_if_index;
+};
+
+define ipsec_tunnel_protect_details
+{
+ u32 context;
+ vl_api_ipsec_tunnel_protect_t tun;
+};
+
/** \brief IPsec: Get SPD interfaces
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request