diff options
Diffstat (limited to 'src/vnet/ipsec/ipsec_sa.h')
-rw-r--r-- | src/vnet/ipsec/ipsec_sa.h | 68 |
1 files changed, 61 insertions, 7 deletions
diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h index 43d699be928..775343b4b73 100644 --- a/src/vnet/ipsec/ipsec_sa.h +++ b/src/vnet/ipsec/ipsec_sa.h @@ -17,6 +17,7 @@ #include <vlib/vlib.h> #include <vnet/ip/ip.h> +#include <vnet/fib/fib_node.h> #define foreach_ipsec_crypto_alg \ _ (0, NONE, "none") \ @@ -63,19 +64,50 @@ typedef enum IPSEC_PROTOCOL_ESP = 1 } ipsec_protocol_t; +#define IPSEC_N_PROTOCOLS (IPSEC_PROTOCOL_ESP+1) + +#define IPSEC_KEY_MAX_LEN 128 +typedef struct ipsec_key_t_ +{ + u8 len; + u8 data[IPSEC_KEY_MAX_LEN]; +} ipsec_key_t; + +/* + * Enable extended sequence numbers + * Enable Anti-replay + * IPsec tunnel mode if non-zero, else transport mode + * IPsec tunnel mode is IPv6 if non-zero, + * else IPv4 tunnel only valid if is_tunnel is non-zero + * enable UDP encapsulation for NAT traversal + */ +#define foreach_ipsec_sa_flags \ + _ (0, NONE, "none") \ + _ (1, USE_EXTENDED_SEQ_NUM, "esn") \ + _ (2, USE_ANTI_REPLAY, "anti-replay") \ + _ (4, IS_TUNNEL, "tunnel") \ + _ (8, IS_TUNNEL_V6, "tunnel-v6") \ + _ (16, UDP_ENCAP, "udp-encap") \ + +typedef enum ipsec_sad_flags_t_ +{ +#define _(v, f, s) IPSEC_SA_FLAG_##f = v, + foreach_ipsec_sa_flags +#undef _ +} ipsec_sa_flags_t; + typedef struct { + fib_node_t node; u32 id; u32 spi; ipsec_protocol_t protocol; ipsec_crypto_alg_t crypto_alg; - u8 crypto_key_len; - u8 crypto_key[128]; + ipsec_key_t crypto_key; ipsec_integ_alg_t integ_alg; - u8 integ_key_len; - u8 integ_key[128]; + ipsec_key_t integ_key; u8 use_esn; u8 use_anti_replay; @@ -86,6 +118,10 @@ typedef struct ip46_address_t tunnel_src_addr; ip46_address_t tunnel_dst_addr; + fib_node_index_t fib_entry_index; + u32 sibling; + dpo_id_t dpo[IPSEC_N_PROTOCOLS]; + u32 tx_fib_index; u32 salt; @@ -100,18 +136,36 @@ typedef struct u64 total_data_size; } ipsec_sa_t; -extern int ipsec_add_del_sa (vlib_main_t * vm, ipsec_sa_t * new_sa, - int is_add); +extern void ipsec_mk_key (ipsec_key_t * key, const u8 * data, u8 len); + +extern int ipsec_sa_add (u32 id, + u32 spi, + ipsec_protocol_t proto, + ipsec_crypto_alg_t crypto_alg, + const ipsec_key_t * ck, + ipsec_integ_alg_t integ_alg, + const ipsec_key_t * ik, + ipsec_sa_flags_t flags, + u32 tx_table_id, + const ip46_address_t * tunnel_src_addr, + const ip46_address_t * tunnel_dst_addr, + u32 * sa_index); +extern u32 ipsec_sa_del (u32 id); + extern u8 ipsec_is_sa_used (u32 sa_index); -extern int ipsec_set_sa_key (vlib_main_t * vm, ipsec_sa_t * sa_update); +extern int ipsec_set_sa_key (u32 id, + const ipsec_key_t * ck, const ipsec_key_t * ik); extern u32 ipsec_get_sa_index_by_sa_id (u32 sa_id); extern u8 *format_ipsec_crypto_alg (u8 * s, va_list * args); extern u8 *format_ipsec_integ_alg (u8 * s, va_list * args); +extern u8 *format_ipsec_sa (u8 * s, va_list * args); +extern u8 *format_ipsec_key (u8 * s, va_list * args); extern uword unformat_ipsec_crypto_alg (unformat_input_t * input, va_list * args); extern uword unformat_ipsec_integ_alg (unformat_input_t * input, va_list * args); +extern uword unformat_ipsec_key (unformat_input_t * input, va_list * args); #endif /* __IPSEC_SPD_SA_H__ */ |