From c87b66c86201458c0475d50c6e93f1497f9eec2e Mon Sep 17 00:00:00 2001 From: Neale Ranns Date: Thu, 7 Feb 2019 07:26:12 -0800 Subject: ipsec: ipsec-tun protect please consult the new tunnel proposal at: https://wiki.fd.io/view/VPP/IPSec Type: feature Change-Id: I52857fc92ae068b85f59be08bdbea1bd5932e291 Signed-off-by: Neale Ranns --- src/vnet/ipsec/ipsec.api | 76 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) (limited to 'src/vnet/ipsec/ipsec.api') diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api index bb9e8056251..12bdad0f9c3 100644 --- a/src/vnet/ipsec/ipsec.api +++ b/src/vnet/ipsec/ipsec.api @@ -17,6 +17,7 @@ option version = "3.0.0"; import "vnet/ip/ip_types.api"; +import "vnet/interface_types.api"; /** \brief IPsec: Add/delete Security Policy Database @param client_index - opaque cookie to identify the sender @@ -305,6 +306,81 @@ define ipsec_sad_entry_add_del_reply u32 stat_index; }; +/** \brief Add or Update Protection for a tunnel with IPSEC + + Tunnel protection directly associates an SA with all packets + ingress and egress on the tunnel. This could also be achieved by + assigning an SPD to the tunnel, but that would incur an unnessccary + SPD entry lookup. + + For tunnels the ESP acts on the post-encapsulated packet. So if this + packet: + +---------+------+ + | Payload | O-IP | + +---------+------+ + where O-IP is the overlay IP addrees that was routed into the tunnel, + the resulting encapsulated packet will be: + +---------+------+------+ + | Payload | O-IP | T-IP | + +---------+------+------+ + where T-IP is the tunnel's src.dst IP addresses. + If the SAs used for protection are in transport mode then the ESP is + inserted before T-IP, i.e.: + +---------+------+-----+------+ + | Payload | O-IP | ESP | T-IP | + +---------+------+-----+------+ + If the SAs used for protection are in tunnel mode then another + encapsulation occurs, i.e.: + +---------+------+------+-----+------+ + | Payload | O-IP | T-IP | ESP | C-IP | + +---------+------+------+-----+------+ + where C-IP are the crypto endpoint IP addresses defined as the tunnel + endpoints in the SA. + The mode for the inbound and outbound SA must be the same. + + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + @param sw_id_index - Tunnel interface to protect + @param sa_in - The ID [set] of inbound SAs + @param sa_out - The ID of outbound SA +*/ +typedef ipsec_tunnel_protect +{ + vl_api_interface_index_t sw_if_index; + u32 sa_out; + u8 n_sa_in; + u32 sa_in[n_sa_in]; +}; + +autoreply define ipsec_tunnel_protect_update +{ + u32 client_index; + u32 context; + + vl_api_ipsec_tunnel_protect_t tunnel; +}; + +autoreply define ipsec_tunnel_protect_del +{ + u32 client_index; + u32 context; + + vl_api_interface_index_t sw_if_index; +}; + +define ipsec_tunnel_protect_dump +{ + u32 client_index; + u32 context; + vl_api_interface_index_t sw_if_index; +}; + +define ipsec_tunnel_protect_details +{ + u32 context; + vl_api_ipsec_tunnel_protect_t tun; +}; + /** \brief IPsec: Get SPD interfaces @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request -- cgit 1.2.3-korg