From 4117b24acb4241d7f2ef38248bc254f6a4a7b422 Mon Sep 17 00:00:00 2001
From: Arthur de Kerhor
Date: Wed, 31 Aug 2022 19:13:03 +0200
Subject: ipsec: new api for sa ips and ports updates

Useful to update the tunnel paramaters and udp ports (NAT-T) of an SA without having to rekey. Could be done by deleting and re-adding the SA but it would not preserve the anti-replay window if there is one. Use case: a nat update/reboot between the 2 endpoints of the tunnel.

Type: feature
Change-Id: Icf5c0aac218603e8aa9a008ed6f614e4a6db59a0
Signed-off-by: Arthur de Kerhor
---
 src/vnet/ipsec/ipsec.api | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
(limited to 'src/vnet/ipsec/ipsec.api')

diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api
index 56ad646d001..6cbad6e74fa 100644
--- a/src/vnet/ipsec/ipsec.api
+++ b/src/vnet/ipsec/ipsec.api
@@ -201,6 +201,28 @@ autoreply define ipsec_sad_entry_del
 u32 id;
 };
 
+/** \brief An API to update the tunnel parameters and the ports associated with an SA
+
+ Used in the NAT-T case when the NAT data changes
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+ @param sa_id - the id of the SA to update
+ @param is_tun - update the tunnel if non-zero, else update only the ports
+ @param tunnel - sender context, to match reply w/ request
+ @param udp_src_port - new src port for NAT-T. Used if different from 0xffff
+ @param udp_dst_port - new dst port for NAT-T. Used if different from 0xffff
+ */
+autoreply define ipsec_sad_entry_update
+{
+ u32 client_index;
+ u32 context;
+ u32 sad_id;
+ bool is_tun;
+ vl_api_tunnel_t tunnel;
+ u16 udp_src_port [default=0xffff];
+ u16 udp_dst_port [default=0xffff];
+};
+
 define ipsec_sad_entry_add_del_reply
 {
 option deprecated;
-- 
cgit 1.2.3-korg
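Review bot: The doc block added for `ipsec_sad_entry_update` does not match the message it documents: it lists `@param sa_id` while the field is named `sad_id`, and `@param tunnel - sender context, to match reply w/ request` is a copy of the `context` line rather than a description of the tunnel field. Suggested replacements: `@param sad_id - the id of the SA to update` and `@param tunnel - new tunnel parameters, applied only when is_tun is non-zero`. The commit message gives the reason this message exists — a delete/re-add would lose the SA's anti-replay window, this update keeps it — and that guarantee belongs in the \brief so callers know what state the update does and does not reset. The 0xffff sentinel is documented per port field, but a one-line note that a port value of 0xffff therefore cannot be set through this message would make the boundary explicit.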