summaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec/ipsec.c
diff options
context:
space:
mode:
authorAndrew Li <zhaoxili@cisco.com>2017-06-18 12:11:57 -0700
committerOle Trøan <otroan@employees.org>2017-07-14 13:54:31 +0000
commit0f09b77778644577545235156a2ea2798ec9ee6c (patch)
tree826510eeb9ef489f36fcdfe90cb5855458c33097 /src/vnet/ipsec/ipsec.c
parent3b12cdc59c8ec98b580b356f20b68e3554f91e97 (diff)
flowprobe: Fixed assert error with less than 1 second passive timer
When passive timer has less than 1 second left, it'll be forcifully changed to 0 when converting from f64 to u64. As a result the assertion will fail at the beginning of the passive timer start fuction. This commit fixed this bug by adding a check of the delta. Change-Id: I899b6e0ab4967dcecc821daf7e812dbbc90969ce Signed-off-by: Andrew Li <zhaoxili@cisco.com>
Diffstat (limited to 'src/vnet/ipsec/ipsec.c')
0 files changed, 0 insertions, 0 deletions
' href='#n149'>149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 
/* Hey Emacs use -*- mode: C -*- */
/*
 * Copyright (c) 2015-2016 Cisco and/or its affiliates.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

option version = "3.0.0";

import "vnet/ip/ip_types.api";

/** \brief IPsec: Add/delete Security Policy Database
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param is_add - add SPD if non-zero, else delete
    @param spd_id - SPD instance id (control plane allocated)
*/

autoreply define ipsec_spd_add_del
{
  u32 client_index;
  u32 context;
  u8 is_add;
  u32 spd_id;
};

/** \brief IPsec: Add/delete SPD from interface

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param is_add - add security mode if non-zero, else delete
    @param sw_if_index - index of the interface
    @param spd_id - SPD instance id to use for lookups
*/


autoreply define ipsec_interface_add_del_spd
{
  u32 client_index;
  u32 context;

  u8 is_add;
  u32 sw_if_index;
  u32 spd_id;
};


enum ipsec_spd_action
{
  /* bypass - no IPsec processing */
  IPSEC_API_SPD_ACTION_BYPASS = 0,
  /* discard - discard packet with ICMP processing */
  IPSEC_API_SPD_ACTION_DISCARD,
  /* resolve - send request to control plane for SA resolving */
  IPSEC_API_SPD_ACTION_RESOLVE,
  /* protect - apply IPsec policy using following parameters */
  IPSEC_API_SPD_ACTION_PROTECT,
};

/** \brief IPsec: Security Policy Database entry

    See RFC 4301, 4.4.1.1 on how to match packet to selectors

    @param spd_id - SPD instance id (control plane allocated)
    @param priority - priority of SPD entry (non-unique value).  Used to order SPD matching - higher priorities match before lower
    @param is_outbound - entry applies to outbound traffic if non-zero, otherwise applies to inbound traffic
    @param remote_address_start - start of remote address range to match
    @param remote_address_stop - end of remote address range to match
    @param local_address_start - start of local address range to match
    @param local_address_stop - end of local address range to match
    @param protocol - protocol type to match [0 means any] otherwise IANA value
    @param remote_port_start - start of remote port range to match ...
    @param remote_port_stop - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
    @param local_port_start - start of local port range to match ...
    @param local_port_stop - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
    @param policy - action to perform on match
    @param sa_id - SAD instance id (control plane allocated)
*/
typedef ipsec_spd_entry
{
  u32 spd_id;
  i32 priority;
  u8 is_outbound;

  u32 sa_id;
  vl_api_ipsec_spd_action_t policy;
  u8 protocol;

  // Selector
  vl_api_address_t remote_address_start;
  vl_api_address_t remote_address_stop;
  vl_api_address_t local_address_start;
  vl_api_address_t local_address_stop;

  u16 remote_port_start;
  u16 remote_port_stop;
  u16 local_port_start;
  u16 local_port_stop;
};

/** \brief IPsec: Add/delete Security Policy Database entry

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param is_add - add SPD if non-zero, else delete
    @param entry - Description of the entry to add/dell
*/
define ipsec_spd_entry_add_del
{
  u32 client_index;
  u32 context;
  u8 is_add;
  vl_api_ipsec_spd_entry_t entry;
};

/** \brief IPsec: Reply Add/delete Security Policy Database entry

    @param context - sender context, to match reply w/ request
    @param retval - success/fail rutrun code
    @param stat_index - An index for the policy in the stats segment @ /net/ipec/policy
*/
define ipsec_spd_entry_add_del_reply
{
  u32 context;
  i32 retval;
  u32 stat_index;
};

/** \brief Dump IPsec all SPD IDs
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
*/
define ipsec_spds_dump {
  u32 client_index;
  u32 context;
};

/** \brief Dump IPsec all SPD IDs response
    @param client_index - opaque cookie to identify the sender
    @param spd_id - SPD instance id (control plane allocated)
    @param npolicies - number of policies in SPD
*/
define ipsec_spds_details {
  u32 context;
  u32 spd_id;
  u32 npolicies;
}; 

/** \brief Dump ipsec policy database data
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param spd_id - SPD instance id
    @param sa_id - SA id, optional, set to ~0 to see all policies in SPD
*/
define ipsec_spd_dump {
    u32 client_index;
    u32 context;
    u32 spd_id;
    u32 sa_id;
};

/** \brief IPsec policy database response
    @param context - sender context which was passed in the request
    €param entry - The SPD entry.
    @param bytes - byte count of packets matching this policy
    @param packets - count of packets matching this policy
*/
define ipsec_spd_details {
    u32 context;
    vl_api_ipsec_spd_entry_t entry;
};

/*
 * @brief Support cryptographic algorithms
 */
enum ipsec_crypto_alg
{
  IPSEC_API_CRYPTO_ALG_NONE = 0,
  IPSEC_API_CRYPTO_ALG_AES_CBC_128,
  IPSEC_API_CRYPTO_ALG_AES_CBC_192,
  IPSEC_API_CRYPTO_ALG_AES_CBC_256,
  IPSEC_API_CRYPTO_ALG_AES_CTR_128,
  IPSEC_API_CRYPTO_ALG_AES_CTR_192,
  IPSEC_API_CRYPTO_ALG_AES_CTR_256,
  IPSEC_API_CRYPTO_ALG_AES_GCM_128,
  IPSEC_API_CRYPTO_ALG_AES_GCM_192,
  IPSEC_API_CRYPTO_ALG_AES_GCM_256,
  IPSEC_API_CRYPTO_ALG_DES_CBC,
  IPSEC_API_CRYPTO_ALG_3DES_CBC,
};

/*
 * @brief Supported Integrity Algorithms
 */
enum ipsec_integ_alg
{
  IPSEC_API_INTEG_ALG_NONE = 0,
  /* RFC2403 */
  IPSEC_API_INTEG_ALG_MD5_96,
  /* RFC2404 */
  IPSEC_API_INTEG_ALG_SHA1_96,
  /* draft-ietf-ipsec-ciph-sha-256-00 */
  IPSEC_API_INTEG_ALG_SHA_256_96,
  /* RFC4868 */
  IPSEC_API_INTEG_ALG_SHA_256_128,
  /* RFC4868 */
  IPSEC_API_INTEG_ALG_SHA_384_192,
  /* RFC4868 */
  IPSEC_API_INTEG_ALG_SHA_512_256,
};

enum ipsec_sad_flags
{
  IPSEC_API_SAD_FLAG_NONE = 0,
  /* Enable extended sequence numbers */
  IPSEC_API_SAD_FLAG_USE_EXTENDED_SEQ_NUM = 0x01,
  /* Enable Anti-replay */
  IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY = 0x02,
  /* IPsec tunnel mode if non-zero, else transport mode */
  IPSEC_API_SAD_FLAG_IS_TUNNEL = 0x04,
  /* IPsec tunnel mode is IPv6 if non-zero,
   *  else IPv4 tunnel only valid if is_tunnel is non-zero */
  IPSEC_API_SAD_FLAG_IS_TUNNEL_V6 = 0x08,
  /* enable UDP encapsulation for NAT traversal */
  IPSEC_API_SAD_FLAG_UDP_ENCAP = 0x10,

  /* come-on Ole please fix this */
  IPSEC_API_SAD_COMBO_12 = 12,
  IPSEC_API_SAD_COMBO_20 = 20,
};

enum ipsec_proto
{
  IPSEC_API_PROTO_ESP,
  IPSEC_API_PROTO_AH,
};

typedef key
{
  /* the length of the key */
  u8 length;
  /* The data for the key */
  u8 data[128];
};

/** \brief IPsec: Security Association Database entry
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param is_add - add SAD entry if non-zero, else delete
    @param sad_id - sad id
    @param spi - security parameter index
    @param protocol - 0 = AH, 1 = ESP
    @param crypto_algorithm - a supported crypto algorithm
    @param crypto_key - crypto keying material
    @param integrity_algorithm - one of the supported algorithms
    @param integrity_key - integrity keying material
    @param tunnel_src_address - IPsec tunnel source address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero
    @param tunnel_dst_address - IPsec tunnel destination address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero
    @param tx_table_id - the FIB id used for encapsulated packets
 */
typedef ipsec_sad_entry
{
  u32 sad_id;

  u32 spi;

  vl_api_ipsec_proto_t protocol;

  vl_api_ipsec_crypto_alg_t crypto_algorithm;
  vl_api_key_t crypto_key;

  vl_api_ipsec_integ_alg_t integrity_algorithm;
  vl_api_key_t integrity_key;

  vl_api_ipsec_sad_flags_t flags;

  vl_api_address_t tunnel_src;
  vl_api_address_t tunnel_dst;
  u32 tx_table_id;
};

/** \brief IPsec: Add/delete Security Association Database entry
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param entry - Entry to add or delete
 */
define ipsec_sad_entry_add_del
{
  u32 client_index;
  u32 context;
  u8 is_add;
  vl_api_ipsec_sad_entry_t entry;
};
define ipsec_sad_entry_add_del_reply
{
  u32 context;
  i32 retval;
  u32 stat_index;
};

/** \brief IPsec: Update Security Association keys
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request

    @param sa_id - sa id

    @param crypto_key - crypto keying material
    @param integrity_key - integrity keying material
*/

autoreply define ipsec_sa_set_key
{
  u32 client_index;
  u32 context;

  u32 sa_id;

  vl_api_key_t crypto_key;
  vl_api_key_t integrity_key;
};

/** \brief IPsec: Get SPD interfaces
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param spd_index - SPD index
    @param spd_index_valid - if 1 spd_index is used to filter
      spd_index's, if 0 no filtering is done
*/
define ipsec_spd_interface_dump {
    u32 client_index;
    u32 context;
    u32 spd_index;
    u8 spd_index_valid;
};

/** \brief IPsec: SPD interface response
    @param context - sender context which was passed in the request
    @param spd_index - SPD index
    @param sw_if_index - index of the interface
*/
define ipsec_spd_interface_details {
    u32 context;
    u32 spd_index;
    u32 sw_if_index;
};

/** \brief Add or delete IPsec tunnel interface
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param is_add - add IPsec tunnel interface if nonzero, else delete
    @param esn - enable extended sequence numbers if nonzero, else disable
    @param anti_replay - enable anti replay check if nonzero, else disable
    @param local_ip - local IP address
    @param remote_ip - IP address of remote IPsec peer
    @param local_spi - SPI of outbound IPsec SA
    @param remote_spi - SPI of inbound IPsec SA
    @param crypto_alg - encryption algorithm ID
    @param local_crypto_key_len - length of local crypto key in bytes
    @param local_crypto_key - crypto key for outbound IPsec SA
    @param remote_crypto_key_len - length of remote crypto key in bytes
    @param remote_crypto_key - crypto key for inbound IPsec SA
    @param integ_alg - integrity algorithm ID
    @param local_integ_key_len - length of local integrity key in bytes
    @param local_integ_key - integrity key for outbound IPsec SA
    @param remote_integ_key_len - length of remote integrity key in bytes
    @param remote_integ_key - integrity key for inbound IPsec SA
    @param renumber - intf display name uses a specified instance if != 0
    @param show_instance - instance to display for intf if renumber is set
    @param udp_encap - enable UDP encapsulation for NAT traversal
    @param tx_table_id - the FIB id used after packet encap
*/
define ipsec_tunnel_if_add_del {
  u32 client_index;
  u32 context;
  u8 is_add;
  u8 esn;
  u8 anti_replay;
  u8 local_ip[4];
  u8 remote_ip[4];
  u32 local_spi;
  u32 remote_spi;
  u8 crypto_alg;
  u8 local_crypto_key_len;
  u8 local_crypto_key[128];
  u8 remote_crypto_key_len;
  u8 remote_crypto_key[128];
  u8 integ_alg;
  u8 local_integ_key_len;
  u8 local_integ_key[128];
  u8 remote_integ_key_len;
  u8 remote_integ_key[128];
  u8 renumber;
  u32 show_instance;
  u8 udp_encap;
  u32 tx_table_id;
};

/** \brief Add/delete IPsec tunnel interface response
    @param context - sender context, to match reply w/ request
    @param retval - return status
    @param sw_if_index - sw_if_index of new interface (for successful add)
*/
define ipsec_tunnel_if_add_del_reply {
  u32 context;
  i32 retval;
  u32 sw_if_index;
};

/** \brief Dump IPsec security association
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param sa_id - optional ID of an SA to dump, if ~0 dump all SAs in SAD
*/
define ipsec_sa_dump {
  u32 client_index;
  u32 context;
  u32 sa_id;
};

/** \brief IPsec security association database response
    @param context - sender context which was passed in the request
    @param sa_id - SA ID, policy-based SAs >=0, tunnel interface SAs = 0 
    @param sw_if_index - sw_if_index of tunnel interface, policy-based SAs = ~0
    @param spi - security parameter index
    @param protocol - IPsec protocol (value from ipsec_protocol_t)
    @param crypto_alg - crypto algorithm (value from ipsec_crypto_alg_t)
    @param crypto_key_len - length of crypto_key in bytes
    @param crypto_key - crypto keying material
    @param integ_alg - integrity algorithm (value from ipsec_integ_alg_t)
    @param integ_key_len - length of integ_key in bytes
    @param integ_key - integrity keying material
    @param use_esn - using extended sequence numbers when non-zero
    @param use_anti_replay - using anti-replay window when non-zero
    @param is_tunnel - IPsec tunnel mode when non-zero, else transport mode
    @param is_tunnel_ipv6 - If using tunnel mode, endpoints are IPv6
    @param tunnel_src_addr - Tunnel source address if using tunnel mode
    @param tunnel_dst_addr - Tunnel destination address is using tunnel mode
    @param salt - 4 byte salt 
    @param seq - current sequence number for outbound
    @param seq_hi - high 32 bits of ESN for outbound 
    @param last_seq - highest sequence number received inbound
    @param last_seq_hi - high 32 bits of highest ESN received inbound
    @param replay_window - bit map of seq nums received relative to last_seq if using anti-replay
    @param total_data_size - total bytes sent or received
    @param udp_encap - 1 if UDP encap enabled, 0 otherwise
*/
define ipsec_sa_details {
  u32 context;
  vl_api_ipsec_sad_entry_t entry;

  u32 sw_if_index;
  u32 salt;
  u64 seq_outbound;
  u64 last_seq_inbound;
  u64 replay_window;

  u64 total_data_size;
};

/** \brief Set key on IPsec interface
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param sw_if_index - index of tunnel interface
    @param key_type - type of key being set
    @param alg - algorithm used with key
    @param key_len - length key in bytes
    @param key - key
*/
autoreply define ipsec_tunnel_if_set_key {
  u32 client_index;
  u32 context;
  u32 sw_if_index;
  u8 key_type;
  u8 alg;
  u8 key_len;
  u8 key[128];
};

/** \brief Set new SA on IPsec interface
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param sw_if_index - index of tunnel interface
    @param sa_id - ID of SA to use
    @param is_outbound - 1 if outbound (local) SA, 0 if inbound (remote)
*/
autoreply define ipsec_tunnel_if_set_sa {
  u32 client_index;
  u32 context;
  u32 sw_if_index;
  u32 sa_id;
  u8 is_outbound;
};

/** \brief Dump IPsec backends
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
*/
define ipsec_backend_dump {
  u32 client_index;
  u32 context;
};

/** \brief IPsec backend details
    @param name - name of the backend
    @param protocol - IPsec protocol (value from ipsec_protocol_t)
    @param index - backend index
    @param active - set to 1 if the backend is active, otherwise 0
*/
define ipsec_backend_details {
  u32 context;
  u8 name[128];
  vl_api_ipsec_proto_t protocol;
  u8 index;
  u8 active;
};

/** \brief Select IPsec backend
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param protocol - IPsec protocol (value from ipsec_protocol_t)
    @param index - backend index
*/
autoreply define ipsec_select_backend {
  u32 client_index;
  u32 context;
  vl_api_ipsec_proto_t protocol;
  u8 index;
};

/*
 * Local Variables:
 * eval: (c-set-style "gnu")
 * End:
 */