summaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec/ipsec_sa.h
diff options
context:
space:
mode:
Diffstat (limited to 'src/vnet/ipsec/ipsec_sa.h')
-rw-r--r--src/vnet/ipsec/ipsec_sa.h68
1 files changed, 61 insertions, 7 deletions
diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h
index 43d699be928..775343b4b73 100644
--- a/src/vnet/ipsec/ipsec_sa.h
+++ b/src/vnet/ipsec/ipsec_sa.h
@@ -17,6 +17,7 @@
#include <vlib/vlib.h>
#include <vnet/ip/ip.h>
+#include <vnet/fib/fib_node.h>
#define foreach_ipsec_crypto_alg \
_ (0, NONE, "none") \
@@ -63,19 +64,50 @@ typedef enum
IPSEC_PROTOCOL_ESP = 1
} ipsec_protocol_t;
+#define IPSEC_N_PROTOCOLS (IPSEC_PROTOCOL_ESP+1)
+
+#define IPSEC_KEY_MAX_LEN 128
+typedef struct ipsec_key_t_
+{
+ u8 len;
+ u8 data[IPSEC_KEY_MAX_LEN];
+} ipsec_key_t;
+
+/*
+ * Enable extended sequence numbers
+ * Enable Anti-replay
+ * IPsec tunnel mode if non-zero, else transport mode
+ * IPsec tunnel mode is IPv6 if non-zero,
+ * else IPv4 tunnel only valid if is_tunnel is non-zero
+ * enable UDP encapsulation for NAT traversal
+ */
+#define foreach_ipsec_sa_flags \
+ _ (0, NONE, "none") \
+ _ (1, USE_EXTENDED_SEQ_NUM, "esn") \
+ _ (2, USE_ANTI_REPLAY, "anti-replay") \
+ _ (4, IS_TUNNEL, "tunnel") \
+ _ (8, IS_TUNNEL_V6, "tunnel-v6") \
+ _ (16, UDP_ENCAP, "udp-encap") \
+
+typedef enum ipsec_sad_flags_t_
+{
+#define _(v, f, s) IPSEC_SA_FLAG_##f = v,
+ foreach_ipsec_sa_flags
+#undef _
+} ipsec_sa_flags_t;
+
typedef struct
{
+ fib_node_t node;
u32 id;
u32 spi;
ipsec_protocol_t protocol;
ipsec_crypto_alg_t crypto_alg;
- u8 crypto_key_len;
- u8 crypto_key[128];
+ ipsec_key_t crypto_key;
ipsec_integ_alg_t integ_alg;
- u8 integ_key_len;
- u8 integ_key[128];
+ ipsec_key_t integ_key;
u8 use_esn;
u8 use_anti_replay;
@@ -86,6 +118,10 @@ typedef struct
ip46_address_t tunnel_src_addr;
ip46_address_t tunnel_dst_addr;
+ fib_node_index_t fib_entry_index;
+ u32 sibling;
+ dpo_id_t dpo[IPSEC_N_PROTOCOLS];
+
u32 tx_fib_index;
u32 salt;
@@ -100,18 +136,36 @@ typedef struct
u64 total_data_size;
} ipsec_sa_t;
-extern int ipsec_add_del_sa (vlib_main_t * vm, ipsec_sa_t * new_sa,
- int is_add);
+extern void ipsec_mk_key (ipsec_key_t * key, const u8 * data, u8 len);
+
+extern int ipsec_sa_add (u32 id,
+ u32 spi,
+ ipsec_protocol_t proto,
+ ipsec_crypto_alg_t crypto_alg,
+ const ipsec_key_t * ck,
+ ipsec_integ_alg_t integ_alg,
+ const ipsec_key_t * ik,
+ ipsec_sa_flags_t flags,
+ u32 tx_table_id,
+ const ip46_address_t * tunnel_src_addr,
+ const ip46_address_t * tunnel_dst_addr,
+ u32 * sa_index);
+extern u32 ipsec_sa_del (u32 id);
+
extern u8 ipsec_is_sa_used (u32 sa_index);
-extern int ipsec_set_sa_key (vlib_main_t * vm, ipsec_sa_t * sa_update);
+extern int ipsec_set_sa_key (u32 id,
+ const ipsec_key_t * ck, const ipsec_key_t * ik);
extern u32 ipsec_get_sa_index_by_sa_id (u32 sa_id);
extern u8 *format_ipsec_crypto_alg (u8 * s, va_list * args);
extern u8 *format_ipsec_integ_alg (u8 * s, va_list * args);
+extern u8 *format_ipsec_sa (u8 * s, va_list * args);
+extern u8 *format_ipsec_key (u8 * s, va_list * args);
extern uword unformat_ipsec_crypto_alg (unformat_input_t * input,
va_list * args);
extern uword unformat_ipsec_integ_alg (unformat_input_t * input,
va_list * args);
+extern uword unformat_ipsec_key (unformat_input_t * input, va_list * args);
#endif /* __IPSEC_SPD_SA_H__ */