path: root/src/vnet/ipsec/ipsec_types.api
Age | Commit message | Author | Files | Lines
2023-10-30 | ipsec: huge anti-replay window support | Maxime Peim | 1 | -3/+41
  Type: improvement
  Since RFC4303 does not specify the anti-replay window size, VPP should support multiple window sizes. It is done through a clib_bitmap.
  Signed-off-by: Maxime Peim <mpeim@cisco.com>
  Change-Id: I3dfe30efd20018e345418bef298ec7cec19b1cfc
2023-08-08 | ipsec: add support for RFC-4543 ENCR_NULL_AUTH_AES_GMAC | Benoît Ganne | 1 | -0/+3
  Type: improvement
  Change-Id: I830f7a2ea3ac0aff5185698b9fa7a278c45116b0
  Signed-off-by: Benoît Ganne <bganne@cisco.com>
2022-09-14 | ipsec: make chacha20-poly1305 available via API | Vladimir Ratnikov | 1 | -0/+1
  Type: feature
  Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com>
  Change-Id: I4e03f60f34acd7809ddc5a743650bedbb95b2e98
2022-06-28 | ipsec: change wildcard value for any protocol of spd policy | Piotr Bronowski | 1 | -0/+97
  Currently 0 has been used as the wildcard representing ANY type of protocol. However, 0 is a valid value of ip protocol (HOPOPT) and therefore it should not be used as a wildcard. Instead 255 is used, which is guaranteed by IANA to be reserved and not used as a protocol id.
  Type: improvement
  Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com>
  Change-Id: I2320bae6fe380cb999dc5a9187beb68fda2d31eb
2021-06-30 | ipsec: Derive the TUNNEL_V6 flag from the configured address types | Neale Ranns | 1 | -1/+4
  Type: improvement
  There's no need for the user to set the TUNNEL_V6 flag, it can be derived from the tunnel's address type.
  Signed-off-by: Neale Ranns <neale@graphiant.com>
  Change-Id: I073073dc970b8a3f2b2645bc697fc00db1adbb47
2021-03-05 | ipsec: Support async mode per-SA | Neale Ranns | 1 | -0/+2
  Type: feature
  This feature only applies to ESP not AH SAs. As well as the global switch for async mode, allow individual SAs to be async. If global async is on, all SAs are async. If global async mode is off, then an SA can be individually set to async. This preserves the global switch behaviour.
  The strategy in the esp encrypt.decrypt nodes is to separate the frame into, 1) sync buffers, 2) async buffers and 3) no-op buffers. Sync buffer will undergo a crypto/auth operation, no-op will not, they are dropped or handed-off.
  Signed-off-by: Neale Ranns <neale@graphiant.com>
  Change-Id: Ifc15b10b870b19413ad030ce7f92ed56275d6791
2021-02-10 | ipsec: Use the new tunnel API types to add flow label and TTL copy | Neale Ranns | 1 | -1/+23
  support
  Type: feature
  attempt 2. This includes changes in ah_encrypt that don't use uninitialised memory when doing tunnel mode fixups.
  Signed-off-by: Neale Ranns <neale@graphiant.com>
  Change-Id: Ie3cb776f5c415c93b8a5ee22f22586fd0181110d
2021-02-09 | Revert "ipsec: Use the new tunnel API types to add flow label and TTL copy" | Matthew Smith | 1 | -23/+1
  This reverts commit c7eaa711f3e25580687df0618e9ca80d3dc85e5f.
  Reason for revert: The jenkins job named 'vpp-merge-master-ubuntu1804-x86_64' had 2 IPv6 AH tests fail after the change was merged. Those 2 tests also failed the next time that job ran after an unrelated change was merged.
  Change-Id: I0e2c3ee895114029066c82624e79807af575b6c0
  Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-02-08 | ipsec: Use the new tunnel API types to add flow label and TTL copy | Neale Ranns | 1 | -1/+23
  support
  Type: feature
  Signed-off-by: Neale Ranns <neale@graphiant.com>
  Change-Id: I6d4a9b187daa725d4b2cbb66e11616802d44d2d3
2020-11-02 | ipsec: Tunnel SA DSCP behaviour | Neale Ranns | 1 | -0/+30
  Type: feature
  - use tunnel_encap_decap_flags to control the copying of DSCP/ECN/etc during IPSEC tunnel mode encap.
  - use DSCP value to have fixed encap value.
  Signed-off-by: Neale Ranns <nranns@cisco.com>
  Change-Id: If4f51fd4c1dcbb0422aac9bd078e5c14af5bf11f
2020-05-05 | ipsec: User can choose the UDP source port | Neale Ranns | 1 | -0/+6
  Type: feature
  thus allowing NAT traversal,
  Signed-off-by: Neale Ranns <nranns@cisco.com>
  Change-Id: Ie8650ceeb5074f98c68d2d90f6adc2f18afeba08
  Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2020-03-10 | ipsec: API cleanup | Jakub Grajciar | 1 | -2/+2
  Use consistent API types. Change vl_api_ipsec_proto_t to iana values: ESP 50, AH 51,
  Type: fix
  Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
  Change-Id: I2becefb343246e0233f290fefbfdd172d8237325
  Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
2020-03-05 | api: ipsec: add missing IS_INBOUND flag. | Christian Hopps | 1 | -0/+2
  External IKE daemons need to be able to flag an SA as inbound (just as the included ike plugin does). This commit adds this flag to the API. This change is backward bug-compatible as not setting the flag (old clients) continues to mean all SAs are created as outbound and fib nodes are created for them. The addition of this flag inhibits this forwarding node creation as well as properly flagging the SA as inbound.
  Ticket: VPP-1845
  Type: fix
  Signed-off-by: Christian Hopps <chopps@labn.net>
  Change-Id: I195e32c430e51155fac2d9f33671e06ef42a3f7f
2020-02-26 | ipsec: Revert API cleanup | Ole Trøan | 1 | -2/+2
  This reverts commit 666ece35cd2625bbd8b6ddadb6e87444a617df4d.
  Reason for revert: Awaiting CSIT CRC job to catch up
  Type: fix
  Change-Id: Ib38bbd5879ff761496a6819186f1af1dbee48590
  Signed-off-by: Ole Troan <ot@cisco.com>
2020-02-26 | ipsec: API cleanup | Jakub Grajciar | 1 | -2/+2
  Use consistent API types. Change vl_api_ipsec_proto_t to iana values: ESP 50, AH 51,
  Type: fix
  Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
  Change-Id: Ic961130ffa519d1c904d872c34f9a7461b1be77e
  Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
2019-12-03 | ipsec: Changes to make ipsec encoder/decoders reusable by the plugins | Prashant Maheshwari | 1 | -0/+132
  Type: fix
  Signed-off-by: Prashant Maheshwari <pmahesh2@cisco.com>
  Change-Id: I81b937fc8cfec36f8fb5de711ffbb02f23f3664e
  Signed-off-by: Prashant Maheshwari <pmahesh2@cisco.com>