path: root/src/vnet/ipsec/ipsec.api
Age | Commit message | Author | Files | Lines
2022-08-11 | ipsec: Use .api declared error counters | Neale Ranns | 1 | -0/+268
    Type: improvement
    Signed-off-by: Neale Ranns <neale@graphiant.com>
    Change-Id: Ica7de5a493389c6f53b7cf04e06939473a63d2b9
2022-06-28 | ipsec: change wildcard value for any protocol of spd policy | Piotr Bronowski | 1 | -53/+31
    Currently 0 has been used as the wildcard representing ANY type of protocol. However 0 is a valid value of ip protocol (HOPOPT) and therefore it should not be used as a wildcard. Instead 255 is used, which is guaranteed by IANA to be reserved and not used as a protocol id.
    Type: improvement
    Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com>
    Change-Id: I2320bae6fe380cb999dc5a9187beb68fda2d31eb
2021-06-28 | ipsec: Split the SA add_del API into a separate add and del | Neale Ranns | 1 | -1/+19
    Type: improvement
    The rationale being that the del only requires the SA's ID, so it's a bit mean to require the client to fill out all the other information as well.
    Signed-off-by: Neale Ranns <neale@graphiant.com>
    Change-Id: Ibbc20405e74d6a0e1a3797465ead5271f15888e4
2021-02-10 | ipsec: Use the new tunnel API types to add flow label and TTL copy support | Neale Ranns | 1 | -1/+36
    Type: feature
    Attempt 2. This includes changes in ah_encrypt that don't use uninitialised memory when doing tunnel mode fixups.
    Signed-off-by: Neale Ranns <neale@graphiant.com>
    Change-Id: Ie3cb776f5c415c93b8a5ee22f22586fd0181110d
2021-02-09 | Revert "ipsec: Use the new tunnel API types to add flow label and TTL copy" | Matthew Smith | 1 | -36/+1
    This reverts commit c7eaa711f3e25580687df0618e9ca80d3dc85e5f.
    Reason for revert: The jenkins job named 'vpp-merge-master-ubuntu1804-x86_64' had 2 IPv6 AH tests fail after the change was merged. Those 2 tests also failed the next time that job ran after an unrelated change was merged.
    Change-Id: I0e2c3ee895114029066c82624e79807af575b6c0
    Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-02-08 | ipsec: Use the new tunnel API types to add flow label and TTL copy support | Neale Ranns | 1 | -1/+36
    Type: feature
    Signed-off-by: Neale Ranns <neale@graphiant.com>
    Change-Id: I6d4a9b187daa725d4b2cbb66e11616802d44d2d3
2021-01-07 | ipsec: Deprecated the old IPsec Tunnel interface | Neale Ranns | 1 | -91/+1
    Type: fix
    It's been 2 releases since it was marked deprecated.
    Signed-off-by: Neale Ranns <nranns@cisco.com>
    Change-Id: I0eba7ed607826ed0d00e7d2d8f9b27d09e8e9a6e
2021-01-06 | ipsec: Mark the interface create reply deprecated | Neale Ranns | 1 | -0/+1
    Type: fix
    I should have done this when I marked the request as deprecated. The reply also needs to be marked deprecated so the API compliance script can remove it along with the request.
    Signed-off-by: Neale Ranns <nranns@cisco.com>
    Change-Id: I8391257944b6cff7b32a01a479dd1dcab30cd33b
2020-11-02 | ipsec: Tunnel SA DSCP behaviour | Neale Ranns | 1 | -16/+32
    Type: feature
    - use tunnel_encap_decap_flags to control the copying of DSCP/ECN/etc during IPSEC tunnel mode encap.
    - use DSCP value to have fixed encap value.
    Signed-off-by: Neale Ranns <nranns@cisco.com>
    Change-Id: If4f51fd4c1dcbb0422aac9bd078e5c14af5bf11f
2020-09-16 | api: clean up use of deprecated flag | Ole Troan | 1 | -2/+2
    The syntax of the deprecated flag has evolved. Clean up usage to be "option deprecated;".
    Type: fix
    Signed-off-by: Ole Troan <ot@cisco.com>
    Change-Id: If2b639f275eb8db58b36c457f9245fe35a4d8cb1
2020-09-02 | ipsec: add ipsec set async mode api | Yulong Pei | 1 | -0/+12
    Type: improvement
    Signed-off-by: Yulong Pei <yulong.pei@intel.com>
    Change-Id: I841f4407ed8c1a448e5102059fc79ae1f7d461de
2020-08-27 | ipsec: Deprecate old interface API | Neale Ranns | 1 | -1/+3
    Type: feature
    Change-Id: Ib5d7b7e4735a5dec6c3ed74068206a86782588ca
    Signed-off-by: Neale Ranns <nranns@cisco.com>
2020-07-21 | ipsec: Dedicated IPSec interface type | Neale Ranns | 1 | -1/+50
    Type: feature
    Signed-off-by: Neale Ranns <nranns@cisco.com>
    Change-Id: Ie8bd50df163aea2798e9f9d35a13dcadc4a4a4b2
2020-04-02 | ipsec: provide stat index in sa details | Matthew Smith | 1 | -3/+3
    Type: improvement
    When IPsec SAs are dumped, include the index that can be used to find byte & packet counters for the SA in the stat segment. Removed the field total_data_size from the details since it was not being populated and put the stat index field in its place.
    Change-Id: If73efc230542a11944551b6e710b57b575450da3
    Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2020-03-10 | ipsec: API cleanup | Jakub Grajciar | 1 | -23/+25
    Use consistent API types.
    Change vl_api_ipsec_proto_t to iana values: ESP 50, AH 51,
    Type: fix
    Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
    Change-Id: I2becefb343246e0233f290fefbfdd172d8237325
    Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
2020-02-26 | ipsec: Revert API cleanup | Ole Trøan | 1 | -25/+23
    This reverts commit 666ece35cd2625bbd8b6ddadb6e87444a617df4d.
    Reason for revert: Awaiting CSIT CRC job to catch up
    Type: fix
    Change-Id: Ib38bbd5879ff761496a6819186f1af1dbee48590
    Signed-off-by: Ole Troan <ot@cisco.com>
2020-02-26 | ipsec: API cleanup | Jakub Grajciar | 1 | -23/+25
    Use consistent API types.
    Change vl_api_ipsec_proto_t to iana values: ESP 50, AH 51,
    Type: fix
    Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
    Change-Id: Ic961130ffa519d1c904d872c34f9a7461b1be77e
    Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
2020-02-21 | ipsec: IPSec protection for multi-point tunnel interfaces | Neale Ranns | 1 | -0/+5
    Type: feature
    Signed-off-by: Neale Ranns <nranns@cisco.com>
    Change-Id: Iaba2ab11bfaa1c8db4023434e3043ac39500f938
2019-12-03 | ipsec: Changes to make ipsec encoder/decoders reusable by the plugins | Prashant Maheshwari | 1 | -108/+1
    Type: fix
    Signed-off-by: Prashant Maheshwari <pmahesh2@cisco.com>
    Change-Id: I81b937fc8cfec36f8fb5de711ffbb02f23f3664e
    Signed-off-by: Prashant Maheshwari <pmahesh2@cisco.com>
2019-11-08 | ipsec: remove dedicated IPSec tunnels | Neale Ranns | 1 | -0/+10
    APIs for dedicated IPSec tunnels will remain in this release and are used to programme the IPIP tunnel protect. APIs will be removed in a future release.
    see: https://wiki.fd.io/view/VPP/IPSec
    Type: feature
    Change-Id: I0f01f597946fdd15dfa5cae3643104d5a9c83089
    Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-06-18 | ipsec: ipsec-tun protect | Neale Ranns | 1 | -0/+76
    please consult the new tunnel proposal at: https://wiki.fd.io/view/VPP/IPSec
    Type: feature
    Change-Id: I52857fc92ae068b85f59be08bdbea1bd5932e291
    Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-06-07 | ipsec: remove the set_key API | Neale Ranns | 1 | -40/+0
    There's no use case to just change the key of an SA. Instead the SA should be renegotiated and the new SA applied to the existing SPD entry or tunnel. The set_key functions were untested.
    Type: refactor
    Change-Id: Ib096eebaafb20be7b5501ece5a24aea038373002
    Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-17 | IPSEC: Pass the algorithm salt (used in GCM) over the API | Neale Ranns | 1 | -0/+4
    Change-Id: Ia8cea13f7b937294e6a080a55fb2ceff30063acf
    Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-28 | ipsec: USE_EXTENDED_SEQ_NUM -> USE_ESN | Damjan Marion | 1 | -1/+1
    Change-Id: Ib828ea5106f3ae280e4ce233f2462dee363580b7
    Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-03-21 | ipsec: add ipv6 support for ipsec tunnel interface | Kingwel Xie | 1 | -2/+3
    Change-Id: I6a76907dc7bed2a81282b63669bea2219d6903c9
    Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
    Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
2019-03-08 | updates now that flags are supported on the API | Neale Ranns | 1 | -5/+0
    Change-Id: I9c45f390a6454c114f12f9c46c3a93fcecffa73f
    Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-28 | TEST: IPSEC NAT-T with UDP header | Neale Ranns | 1 | -0/+1
    Change-Id: I5ef8b3f4be40a7a0b0f1cb90dc0e15a4711e8664
    Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-25 | IKEv2 to plugin | Neale Ranns | 1 | -247/+0
    For easy integration with products running their own IKE stack. Without the VPP IKE plugin loaded, the product is free to handle IKE packets as it pleases.
    Change-Id: Id0839f4d58b797f4c2da0382eb499fc08b05f66f
    Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-18 | IPSEC: move SA counters into the stats segment | Neale Ranns | 1 | -1/+7
    1) stats are accessed via the stat segment which is more conducive to monitoring
    2) stats are accurate in the presence of multiple threads. There's no guarantee that an SA is accessed from only one worker.
    Change-Id: Id5e217ea253ddfc9480aaedb0d008dea031b1148
    Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-07 | IPSEC: no second lookup after tunnel encap | Neale Ranns | 1 | -25/+8
    In the same manner as with other tunnel types we use the FIB to cache and track the destination used to reach the tunnel endpoint. Post encap we can then ship the packet straight to this adjacency and thus elide the costly second lookup.
    - SA add and del function so they can be used both directly from the API and for tunnels.
    - API change for the SA dump to use the SA type
    - ipsec_key_t type for convenience (copying, [un]formatting)
    - no matching tunnel counters in ipsec-if-input
    Change-Id: I9d144a59667f7bf96442f4ca66bef5c1d3c7f1ea
    Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-05 | IPSEC: SPD counters in the stats segment | Neale Ranns | 1 | -4/+14
    - return the stats_index of each SPD in the create API call
    - no ip_any in the API as this creates 2 SPD entries. client must add both v4 and v6 explicitly
    - only one pool of SPD entries (rather than one per-SPD) to support this
    - no packets/bytes in the dump API. Polling the stats segment is much more efficient (if the SA lifetime is based on packet/bytes)
    - emit the policy index in the packet trace and CLI commands.
    Change-Id: I7eaf52c9d0495fa24450facf55229941279b8569
    Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-01-31 | IPSEC: API modernisation | Neale Ranns | 1 | -148/+186
    - use enums to enumerate the algorithms and protocols that are supported
    - use address_t types to simplify encode/decode
    - use typedefs of entry objects to get consistency between add/del API and dump
    Change-Id: I7e7c58c06a150e2439633ba9dca58bc1049677ee
    Signed-off-by: Neale Ranns <nranns@cisco.com>
2018-12-11 | Add IPSec interface FIB index for TX packet | Pierre Pfister | 1 | -1/+6
    This patch adds a configuration parameter to IPSec tunnels, enabling custom FIB selection for encapsulated packets. Although this option could also be used for policy-based IPSec, this change only enables it for virtual-tunnel-interface mode.
    Note that this patch does change the API default behavior regarding TX fib selection for encapsulated packets. Previous behavior was to use the same FIB after and before encap. The new default behavior consists in using the FIB 0 as default.
    Change-Id: I5c212af909940a8cf6c7e3971bdc7623a2296452
    Signed-off-by: Pierre Pfister <ppfister@cisco.com>
2018-12-03 | Add UDP encap flag | Filip Tehlar | 1 | -0/+2
    Change-Id: Ic6a8b9aaec7e5dee4fb1971168988dbe4f931f86
    Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2018-11-15 | ipsec: infra for selecting backends | Klement Sekera | 1 | -0/+36
    Change-Id: Ifa6d8391b1b2413a88b7720fc434e0bc849a149a
    Signed-off-by: Klement Sekera <ksekera@cisco.com>
    Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-11-05 | VPP-1450: binary api call for dumping SPD to interface registration | Filip Varga | 1 | -1/+26
    Change-Id: Idd4a5f8bab5d39e5f33f5c130601175af70a20d4
    Signed-off-by: Filip Varga <filip.varga@pantheon.tech>
2018-10-02 | IPsec: add API for SPDs dump (VPP-1363) | Matus Fabian | 1 | -1/+21
    Change-Id: I36e6878712c394de629a9182d2af24c53a8f811d
    Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-24 | Trivial: Clean up some typos. | Paul Vinciguerra | 1 | -1/+1
    Change-Id: I085615fde1f966490f30ed5d32017b8b088cfd59
    Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2018-05-09 | ipsec: support UDP encap/decap for NAT traversal | Klement Sekera | 1 | -0/+4
    Change-Id: I65c12617ad49e4d5ef242e53988782f0cefa5684
    Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-04-25 | Fix some build warnings about "Old Style VLA" | Juraj Sloboda | 1 | -2/+2
    Change-Id: I69fee1dcf07a4d2eed69a59f0a36e63e3741ed4e
    Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2018-04-19 | Allow an IPsec tunnel interface to be renumbered | Matthew Smith | 1 | -0/+4
    When creating an IPsec tunnel interface, allow a numeric identifier to be set for use in the interface's name in place of the dev instance. Default to using the dev instance if no value is explicitly set.
    When an IPsec tunnel is deleted, the interface is deleted now instead of being kept in a pool of available hw interfaces. Otherwise there was the possibility of conflicting tx node names between deleted tunnels and newly created ones.
    Change-Id: Ic525466622a0dec38a845fa5871c084f6d9da380
    Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-01-23 | VPPAPIGEN: vppapigen replacement in Python PLY. | Ole Troan | 1 | -1/+1
    This is a version of the VPP API generator in Python PLY. It supports the existing language, and has a plugin architecture for generators. Currently C and JSON are supported.
    Changes:
    - vl_api_version to option version = "major.minor.patch"
    - enum support
    - Added error checking and reporting
    - import support (removed the C pre-processor)
    - services (tying request/reply together)
    Version:
        option version = "1.0.0";
    Enum:
        enum colours {
          RED,
          BLUE = 50,
        };
        define foo {
          vl_api_colours_t colours;
        };
    Services:
        service {
          rpc foo returns foo_reply;
          rpc foo_dump returns stream foo_details;
          rpc want_stats returns want_stats_reply events ip4_counters, ip6_counters;
        };
    Future planned features:
    - unions
    - bool, text
    - array support (including length)
    - proto3 output plugin
    - Refactor C/C++ generator as a plugin
    - Refactor Java generator as a plugin
    Change-Id: Ifa289966c790e1b1a8e2938a91e69331e3a58bdf
    Signed-off-by: Ole Troan <ot@cisco.com>
2017-10-26 | Allow IPsec interface to have SAs reset | Matthew Smith | 1 | -0/+16
    Make it easier to integrate with external IKE daemon. IPsec interfaces can have one or both SAs replaced after creation. This allows for the possibility of setting a new child SA on an interface when rekeying occurs. It also allows for the possibility of creating an interface ahead of time and updating the SA when parameters that are negotiated during IKE exchange become known.
    Change-Id: I0a31afdcc2bdff7098a924a51abbc58bdab2bd08
    Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2017-10-14 | Add API call to set keys on IPsec tunnel intf | Matthew Smith | 1 | -0/+19
    There was already a CLI command and a libvnet function to set the keys on an existing IPsec tunnel interface. Expose this via the API.
    Change-Id: I226a9616f680fc022f04447177a2e8232690657f
    Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2017-10-09 | vppapigen: support per-file (major,minor,patch) version stamps | Dave Barach | 1 | -0/+2
    Add one of these statements to foo.api:
        vl_api_version 1.2.3
    to generate a version tuple stanza in foo.api.h:
        /****** Version tuple *****/
        vl_api_version_tuple(foo, 1, 2, 3)
    Change-Id: Ic514439e4677999daa8463a94f948f76b132ff15
    Signed-off-by: Dave Barach <dave@barachs.net>
    Signed-off-by: Ole Troan <ot@cisco.com>
2017-10-04 | Add API support to dump IPsec SAs | Matthew Smith | 1 | -0/+69
    Add an API request message type to dump IPsec SAs. Either all IPsec SAs can be dumped or it can be limited to a single SA ID (numeric ID set at creation time - not an index). Add a handler for incoming messages with the new request type.
    Add an API response message type containing the data for an IPsec SA.
    Add VAT support for new message type.
    Change-Id: Id7828d000efc637dee7f988a87d3f707a8b466b7
    Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2017-05-15 | Add sw_if_index of tunnel interface to API reply for ipsec_tunnel_if_add_del | Matthew Smith | 1 | -1/+12
    Change-Id: If5158f6fa7344dee94548c93dace779430e0647f
    Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2017-05-09 | API support for IPsec tunnel interface creation | Matthew Smith | 1 | -1/+43
    Change-Id: I8c9f886cb95e92adbe1c646844789ca0a6bb6140
    Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2017-04-25 | "autoreply" flag: autogenerate standard xxx_reply_t messages | Dave Barach | 1 | -205/+19
    Change-Id: I72298aaae7d172082ece3a8edea4217c11b28d79
    Signed-off-by: Dave Barach <dave@barachs.net>
2017-02-17 | Implemented IKEv2 initiator features: | Radu Nicolau | 1 | -0/+228
    - IKE_SA_INIT and IKE_AUTH initial exchanges
    - Delete IKE SA
    - Rekey and delete Child SA
    - Child SAs lifetime policy
    To set up one VPP instance as the initiator use the following CLI commands (or API equivalents):
        ikev2 profile set <id> responder <interface> <addr>
        ikev2 profile set <id> ike-crypto-alg <crypto alg> <key size> ike-integ-alg <integ alg> ike-dh <dh type>
        ikev2 profile set <id> esp-crypto-alg <crypto alg> <key size> esp-integ-alg <integ alg> esp-dh <dh type>
        ikev2 profile set <id> sa-lifetime <seconds> <jitter> <handover> <max bytes>
    and finally
        ikev2 initiate sa-init <profile id>
    to initiate the IKE_SA_INIT exchange
    Child SA re-keying process:
    1. Child SA expires
    2. A new Child SA is created using the Child SA rekey exchange
    3. For a set time both SAs are alive
    4. After the set time interval expires old SA is deleted
    Any additional settings will not be carried over (i.e. settings of the ipsec<x> interface associated with the Child SA)
    CLI API additions:
        ikev2 profile set <id> responder <interface> <addr>
        ikev2 profile set <id> ike-crypto-alg <crypto alg> <key size> ike-integ-alg <integ alg> ike-dh <dh type>
        ikev2 profile set <id> esp-crypto-alg <crypto alg> <key size> esp-integ-alg <integ alg> esp-dh <dh type>
        ikev2 profile set <id> sa-lifetime <seconds> <jitter> <handover> <max bytes>
        ikev2 initiate sa-init <profile id>
        ikev2 initiate del-child-sa <child sa ispi>
        ikev2 initiate del-sa <sa ispi>
        ikev2 initiate rekey-child-sa <profile id> <child sa ispi>
    Sample configurations:
    Responder:
        ikev2 profile add pr1
        ikev2 profile set pr1 auth shared-key-mic string Vpp123
        ikev2 profile set pr1 id local fqdn vpp.home.responder
        ikev2 profile set pr1 id remote fqdn vpp.home.initiator
        ikev2 profile set pr1 traffic-selector remote ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0
        ikev2 profile set pr1 traffic-selector local ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0
    Initiator:
        ikev2 profile add pr1
        ikev2 profile set pr1 auth shared-key-mic string Vpp123
        ikev2 profile set pr1 id local fqdn vpp.home.initiator
        ikev2 profile set pr1 id remote fqdn vpp.home.responder
        ikev2 profile set pr1 traffic-selector local ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0
        ikev2 profile set pr1 traffic-selector remote ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0
        ikev2 profile set pr1 responder TenGigabitEthernet3/0/1 192.168.40.20
        ikev2 profile set pr1 ike-crypto-alg aes-cbc 192 ike-integ-alg sha1-96 ike-dh modp-2048
        ikev2 profile set pr1 esp-crypto-alg aes-cbc 192 esp-integ-alg sha1-96 esp-dh ecp-256
        ikev2 profile set pr1 sa-lifetime 3600 10 5 0
    Change-Id: I1db9084dc787129ea61298223fb7585a6f7eaf9e
    Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>