/* Hey Emacs use -*- mode: C -*- */ /* * Copyright (c) 2015-2020 Cisco and/or its affiliates. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at: * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ option version = "1.0.1"; import "plugins/ikev2/ikev2_types.api"; import "vnet/ip/ip_types.api"; import "vnet/interface_types.api"; /** \brief Get the plugin version @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request */ define ikev2_plugin_get_version { u32 client_index; u32 context; }; /** \brief Reply to get the plugin version @param context - returned sender context, to match reply w/ request @param major - Incremented every time a known breaking behavior change is introduced @param minor - Incremented with small changes, may be used to avoid buggy versions */ define ikev2_plugin_get_version_reply { u32 context; u32 major; u32 minor; }; /** \brief Dump all profiles @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request */ define ikev2_profile_dump { u32 client_index; u32 context; option status="in_progress"; }; /** \brief Details about all profiles @param context - returned sender context, to match reply w/ request @param profile - profile element with encapsulated attributes */ define ikev2_profile_details { u32 context; vl_api_ikev2_profile_t profile; option status="in_progress"; }; /** \brief Dump all SAs @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request */ define ikev2_sa_dump { u32 client_index; u32 context; }; /** \brief Dump all SAs @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request */ define ikev2_sa_v2_dump { u32 client_index; u32 context; }; /** \brief Dump all SAs @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request */ define ikev2_sa_v3_dump { u32 client_index; u32 context; option status = "in_progress"; }; /** \brief Details about IKE SA @param context - sender context, to match reply w/ request @param retval - return code @param sa - SA data */ define ikev2_sa_details { u32 context; i32 retval; vl_api_ikev2_sa_t sa; }; /** \brief Details about IKE SA @param context - sender context, to match reply w/ request @param retval - return code @param sa - SA data */ define ikev2_sa_v2_details { u32 context; i32 retval; vl_api_ikev2_sa_v2_t sa; }; /** \brief Details about IKE SA @param context - sender context, to match reply w/ request @param retval - return code @param sa - SA data */ define ikev2_sa_v3_details { u32 context; i32 retval; vl_api_ikev2_sa_v3_t sa; option status = "in_progress"; }; /** \brief Dump child SA of specific SA @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request @param sa_index - index of specific sa */ define ikev2_child_sa_dump { u32 client_index; u32 context; u32 sa_index; option vat_help = "sa_index <index>"; }; /** \brief Child SA details @param context - sender context, to match reply w/ request @param retval - return code @param child_sa - child SA data */ define ikev2_child_sa_details { u32 context; i32 retval; vl_api_ikev2_child_sa_t child_sa; }; /** \brief Dump child SA of specific SA @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request @param sa_index - index of specific sa */ define ikev2_child_sa_v2_dump { u32 client_index; u32 context; u32 sa_index; option vat_help = "sa_index <index>"; option status = "in_progress"; }; /** \brief Child SA details @param context - sender context, to match reply w/ request @param retval - return code @param child_sa - child SA data */ define ikev2_child_sa_v2_details { u32 context; i32 retval; vl_api_ikev2_child_sa_v2_t child_sa; option status = "in_progress"; }; /** \brief get specific nonce @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request @param is_initiator - specify type initiator|responder of nonce @param sa_index - index of specific sa */ define ikev2_nonce_get { u32 client_index; u32 context; bool is_initiator; u32 sa_index; option vat_help = "initiator|responder sa_index <index>"; option status = "in_progress"; }; /** \brief reply on specific nonce @param context - sender context, to match reply w/ request @param retval - return code @param data_len - nonce length @param nonce - nonce data */ define ikev2_nonce_get_reply { u32 context; i32 retval; u32 data_len; u8 nonce[data_len]; option status = "in_progress"; }; /** \brief dump traffic selectors @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request @param is_initiator - specify type initiator|responder of nonce @param sa_index - index of specific sa @param child_sa_index - index of specific sa child of specific sa */ define ikev2_traffic_selector_dump { u32 client_index; u32 context; bool is_initiator; u32 sa_index; u32 child_sa_index; option vat_help = "initiator|responder sa_index <index> child_sa_index <index>"; option status = "in_progress"; }; /** \brief details on specific traffic selector @param context - sender context, to match reply w/ request @param retval - return code @param ts - traffic selector data */ define ikev2_traffic_selector_details { u32 context; i32 retval; vl_api_ikev2_ts_t ts; option status = "in_progress"; }; /** \brief IKEv2: Add/delete profile @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request @param name - IKEv2 profile name @param is_add - Add IKEv2 profile if non-zero, else delete */ autoreply define ikev2_profile_add_del { u32 client_index; u32 context; string name[64]; bool is_add; option vat_help = "name <profile_name> [del]"; option status="in_progress"; }; /** \brief IKEv2: Set IKEv2 profile authentication method @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request @param name - IKEv2 profile name @param auth_method - IKEv2 authentication method (shared-key-mic/rsa-sig) @param is_hex - Authentication data in hex format if non-zero, else string @param data_len - Authentication data length @param data - Authentication data (for rsa-sig cert file path) */ autoreply define ikev2_profile_set_auth { u32 client_index; u32 context; string name[64]; u8 auth_method; bool is_hex; u32 data_len; u8 data[data_len]; option vat_help = "name <profile_name> auth_method <method> (auth_data 0x<data> | auth_data <data>)"; option status="in_progress"; }; /** \brief IKEv2: Set IKEv2 profile local/remote identification @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request @param name - IKEv2 profile name @param is_local - Identification is local if non-zero, else remote @param id_type - Identification type @param data_len - Identification data length @param data - Identification data */ autoreply define ikev2_profile_set_id { u32 client_index; u32 context; string name[64]; bool is_local; u8 id_type; u32 data_len; u8 data[data_len]; option vat_help = "name <profile_name> id_type <type> (id_data 0x<data> | id_data <data>) (local|remote)"; option status="in_progress"; }; /** \brief IKEv2: Disable NAT traversal @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request @param name - IKEv2 profile name */ autoreply define ikev2_profile_disable_natt { u32 client_index; u32 context; string name[64]; option status="in_progress"; }; /** \brief IKEv2: Set IKEv2 profile traffic selector parameters @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request @param name - IKEv2 profile name @param ts - traffic selector data */ autoreply define ikev2_profile_set_ts { u32 client_index; u32 context; string name[64]; vl_api_ikev2_ts_t ts; option vat_help = "name <profile_name> protocol <proto> start_port <port> end_port <port> start_addr <ip> end_addr <ip> (local|remote)"; option status="in_progress"; }; /** \brief IKEv2: Set IKEv2 local RSA private key @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request @param key_file - Key file absolute path */ autoreply define ikev2_set_local_key { u32 client_index; u32 context; string key_file[256]; option vat_help = "file <absolute_file_path>"; option status="in_progress"; }; /** \brief IKEv2: Set the tunnel interface which will be protected by IKE If this API is not called, a new tunnel will be created @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request @param name - IKEv2 profile name @param sw_if_index - Of an existing tunnel */ autoreply define ikev2_set_tunnel_interface { u32 client_index; u32 context; string name[64]; vl_api_interface_index_t sw_if_index; option status="in_progress"; }; /** \brief IKEv2: Set IKEv2 responder interface and IP address @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request @param name - IKEv2 profile name @param responder - responder data */ autoreply define ikev2_set_responder { u32 client_index; u32 context; string name[64]; vl_api_ikev2_responder_t responder; option vat_help = "<profile_name> interface <interface> address <addr>"; option status="in_progress"; }; autoreply define ikev2_set_responder_hostname { u32 client_index; u32 context; string name[64]; string hostname[64]; vl_api_interface_index_t sw_if_index; option status="in_progress"; }; /** \brief IKEv2: Set IKEv2 IKE transforms in SA_INIT proposal (RFC 7296) @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request @param name - IKEv2 profile name @param tr - IKE transforms */ autoreply define ikev2_set_ike_transforms { u32 client_index; u32 context; string name[64]; vl_api_ikev2_ike_transforms_t tr; option vat_help = "<profile_name> <crypto alg> <key size> <integrity alg> <DH group>"; option status="in_progress"; }; /** \brief IKEv2: Set IKEv2 ESP transforms in SA_INIT proposal (RFC 7296) @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request @param name - IKEv2 profile name @param tr - ESP transforms */ autoreply define ikev2_set_esp_transforms { u32 client_index; u32 context; string name[64]; vl_api_ikev2_esp_transforms_t tr; option vat_help = "<profile_name> <crypto alg> <key size> <integrity alg>"; option status="in_progress"; }; /** \brief IKEv2: Set Child SA lifetime, limited by time and/or data @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request @param name - IKEv2 profile name @param lifetime - SA maximum life time in seconds (0 to disable) @param lifetime_jitter - Jitter added to prevent simultaneous rekeying @param handover - Hand over time @param lifetime_maxdata - SA maximum life time in bytes (0 to disable) */ autoreply define ikev2_set_sa_lifetime { u32 client_index; u32 context; string name[64]; u64 lifetime; u32 lifetime_jitter; u32 handover; u64 lifetime_maxdata; option vat_help = "<profile_name> <seconds> <jitter> <handover> <max bytes>"; option status="in_progress"; }; /** \brief IKEv2: Initiate the SA_INIT exchange @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request @param name - IKEv2 profile name */ autoreply define ikev2_initiate_sa_init { u32 client_index; u32 context; string name[64]; option vat_help = "<profile_name>"; option status="in_progress"; }; /** \brief IKEv2: Initiate the delete IKE SA exchange @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request @param ispi - IKE SA initiator SPI */ autoreply define ikev2_initiate_del_ike_sa { u32 client_index; u32 context; u64 ispi; option vat_help = "<ispi>"; option status="in_progress"; }; /** \brief IKEv2: Initiate the delete Child SA exchange @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request @param ispi - Child SA initiator SPI */ autoreply define ikev2_initiate_del_child_sa { u32 client_index; u32 context; u32 ispi; option vat_help = "<ispi>"; option status="in_progress"; }; /** \brief IKEv2: Initiate the rekey Child SA exchange @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request @param ispi - Child SA initiator SPI */ autoreply define ikev2_initiate_rekey_child_sa { u32 client_index; u32 context; u32 ispi; option vat_help = "<ispi>"; option status="in_progress"; }; /** \brief IKEv2: Set UDP encapsulation @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request @param name - IKEv2 profile name */ autoreply define ikev2_profile_set_udp_encap { u32 client_index; u32 context; string name[64]; option status="in_progress"; }; /** \brief IKEv2: Set/unset custom ipsec-over-udp port @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request @param is_set - whether set or unset custom port @param port - port number @param name - IKEv2 profile name */ autoreply define ikev2_profile_set_ipsec_udp_port { u32 client_index; u32 context; u8 is_set; u16 port; string name[64]; option status="in_progress"; }; /** \brief IKEv2: Set liveness parameters @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request @param period - how often is liveness check performed @param max_retries - max retries for liveness check */ autoreply define ikev2_profile_set_liveness { u32 client_index; u32 context; u32 period; u32 max_retries; option status="in_progress"; }; counters ikev2 { processed { severity info; type counter64; units "packets"; description "packets processed"; }; ike_sa_init_retransmit { severity info; type counter64; units "packets"; description "IKE SA INIT retransmit"; }; ike_sa_init_ignore { severity error; type counter64; units "packets"; description "IKE_SA_INIT ignore (IKE SA already auth)"; }; ike_req_retransmit { severity error; type counter64; units "packets"; description "IKE request retransmit"; }; ike_req_ignore { severity error; type counter64; units "packets"; description "IKE request ignore (old msgid)"; }; not_ikev2 { severity error; type counter64; units "packets"; description "Non IKEv2 packets received"; }; bad_length { severity error; type counter64; units "packets"; description "Bad packet length"; }; malformed_packet { severity error; type counter64; units "packets"; description "Malformed packet"; }; no_buff_space { severity error; type counter64; units "packets"; description "No buffer space"; }; keepalive { severity info; type counter64; units "packets"; description "IKE keepalive messages received"; }; rekey_req { severity info; type counter64; units "packets"; description "IKE rekey requests received"; }; init_sa_req { severity info; type counter64; units "packets"; description "IKE EXCHANGE SA requests received"; }; ike_auth_req { severity info; type counter64; units "packets"; description "IKE AUTH SA requests received"; }; }; paths { "/err/ikev2-ip4" "ike"; "/err/ikev2-ip6" "ike"; "/err/ikev2-ip4-natt" "ike"; }; /* * Local Variables: * eval: (c-set-style "gnu") * End: */