ipsec: new api for sa ips and ports updates

Useful to update the tunnel paramaters and udp ports (NAT-T) of an SA without having to rekey. Could be done by deleting and re-adding the SA but it would not preserve the anti-replay window if there is one. Use case: a nat update/reboot between the 2 endpoints of the tunnel. Type: feature Change-Id: Icf5c0aac218603e8aa9a008ed6f614e4a6db59a0 Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
author: Arthur de Kerhor <arthurdekerhor@gmail.com> 2022-08-31 19:13:03 +0200
committer: Beno�t Ganne <bganne@cisco.com> 2022-12-16 10:13:24 +0000
commit: 4117b24acb4241d7f2ef38248bc254f6a4a7b422 (patch)
tree: 982eb58cbe8cfd0d43e2a09e129d129c1a8a5511 /src/vnet/ipsec/ipsec_sa.h
parent: 863d1c8711018ded9bd4db5f27851a0b8ac45836 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h
index 057e8cd9bff..df079b13872 100644
--- a/src/vnet/ipsec/ipsec_sa.h
+++ b/src/vnet/ipsec/ipsec_sa.h
@@ -270,6 +270,8 @@ extern vlib_simple_counter_main_t ipsec_sa_lost_counters;
 
 extern void ipsec_mk_key (ipsec_key_t * key, const u8 * data, u8 len);
 
+extern int ipsec_sa_update (u32 id, u16 src_port, u16 dst_port,
+			    const tunnel_t *tun, bool is_tun);
 extern int
 ipsec_sa_add_and_lock (u32 id, u32 spi, ipsec_protocol_t proto,
 		       ipsec_crypto_alg_t crypto_alg, const ipsec_key_t *ck,
author	Arthur de Kerhor <arthurdekerhor@gmail.com>	2022-08-31 19:13:03 +0200
committer	Beno�t Ganne <bganne@cisco.com>	2022-12-16 10:13:24 +0000
commit	4117b24acb4241d7f2ef38248bc254f6a4a7b422 (patch)
tree	982eb58cbe8cfd0d43e2a09e129d129c1a8a5511 /src/vnet/ipsec/ipsec_sa.h
parent	863d1c8711018ded9bd4db5f27851a0b8ac45836 (diff)