/*
 * Copyright (c) 2015 Cisco and/or its affiliates.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
/**
 * @file
 * @brief Segment Routing header
 *
 * Declares the IPv6 Segment Routing (SR) tunnel, policy and multicast-map
 * data model, the argument structs used by the add/del entry points, and
 * the per-process SR state (ip6_sr_main_t).  HMAC support is built on the
 * OpenSSL HMAC_* API included below.
 */
#ifndef included_vnet_sr_h
#define included_vnet_sr_h

#include <vnet/vnet.h>
#include <vnet/sr/sr_packet.h>
#include <vnet/ip/ip6_packet.h>

#include <openssl/opensslconf.h>

#include <stdlib.h>
#include <string.h>
#include <openssl/crypto.h>
#include <openssl/sha.h>
#include <openssl/opensslv.h>
#include <openssl/hmac.h>

/**
 * @brief Segment Route tunnel key
 *
 * Outer-IP source/destination pair; used as the hash key in
 * ip6_sr_main_t.tunnel_index_by_key.
 */
typedef struct
{
  ip6_address_t src;
  ip6_address_t dst;
} ip6_sr_tunnel_key_t;

/**
 * @brief Segment Route tunnel
 *
 * One element of the ip6_sr_main_t.tunnels pool.
 */
typedef struct
{
  /** src, dst address */
  ip6_sr_tunnel_key_t key;

  /** Optional tunnel name */
  u8 *name;

  /** Mask width for FIB entry */
  u32 dst_mask_width;

  /** First hop, to save 1 elt in the segment list */
  ip6_address_t first_hop;

  /** RX Fib index */
  u32 rx_fib_index;

  /** TX Fib index */
  u32 tx_fib_index;

  /** The actual ip6 SR header (pre-built rewrite string prepended
      to packets entering the tunnel) */
  u8 *rewrite;

  /** Indicates that this tunnel is part of a policy comprising
      of multiple tunnels. If == ~0 tunnel is not part of a policy */
  u32 policy_index;

  /**
   * The FIB node graph linkage
   */
  fib_node_t node;

  /**
   * The FIB entry index for the first hop. We track this so we
   * don't need an extra lookup for it in the data plane
   */
  fib_node_index_t fib_entry_index;

  /**
   * This tunnel's sibling index in the children of the FIB entry
   */
  u32 sibling_index;

  /**
   * The DPO contributed by the first-hop FIB entry.
   */
  dpo_id_t first_hop_dpo;
} ip6_sr_tunnel_t;

/**
 * @brief Shared secret for keyed-hash message authentication code (HMAC).
 *
 * shared_secret is key material.  NOTE(review): how it is released is not
 * visible from this header — confirm the owner zeroizes it before freeing
 * (a plain memset before free may be optimized away; use an explicit
 * clearing primitive).
 */
typedef struct
{
  u8 *shared_secret;
} ip6_sr_hmac_key_t;

/**
 * @brief Args required for add/del tunnel.
 *
 * Else we end up passing a LOT of parameters around.
 * All pointer members are borrowed from the caller; nothing in this
 * header indicates that ip6_sr_add_del_tunnel takes ownership of them
 * (confirm against the implementation before freeing early).
 */
typedef struct
{
  /** Key (header imposition case) */
  ip6_address_t *src_address;
  ip6_address_t *dst_address;
  u32 dst_mask_width;
  u32 rx_table_id;
  u32 tx_table_id;

  /** optional name argument - for referencing SR tunnel/policy by name */
  u8 *name;

  /** optional policy name */
  u8 *policy_name;

  /** segment list, when inserting an ip6 SR header */
  ip6_address_t *segments;

  /**
   * "Tag" list, aka segments inserted at the end of the list,
   * past last_seg
   */
  ip6_address_t *tags;

  /** Shared secret => generate SHA-256 HMAC security fields */
  u8 *shared_secret;

  /** Flags, e.g. cleanup, policy-list flags.
      Already in network byte order, as the name says — do not
      byte-swap again when copying into the SR header. */
  u16 flags_net_byte_order;

  /** Delete the tunnel? */
  u8 is_del;
} ip6_sr_add_del_tunnel_args_t;

/**
 * @brief Args for creating a policy.
 *
 * Typically used for multicast replication.
 * ie a multicast address can be associated with a policy,
 * then replicated across a number of unicast SR tunnels.
 */
typedef struct
{
  /** policy name */
  u8 *name;

  /** tunnel names (vector of names; the tunnels must already exist
      so they can be resolved through tunnel_index_by_name) */
  u8 **tunnel_names;

  /** Delete the policy? */
  u8 is_del;
} ip6_sr_add_del_policy_args_t;

/**
 * @brief Segment Routing policy.
 *
 * Typically used for multicast replication.
 * ie a multicast address can be associated with a policy,
 * then replicated across a number of unicast SR tunnels.
 */
typedef struct
{
  /** name of policy */
  u8 *name;

  /** vector to SR tunnel index (indices into ip6_sr_main_t.tunnels) */
  u32 *tunnel_indices;
} ip6_sr_policy_t;

/**
 * @brief Args for mapping of multicast address to policy name.
 *
 * Typically used for multicast replication.
 * ie a multicast address can be associated with a policy,
 * then replicated across a number of unicast SR tunnels.
 */
typedef struct
{
  /** multicast IP6 address */
  ip6_address_t *multicast_address;

  /** name of policy to map to */
  u8 *policy_name;

  /** Delete the mapping */
  u8 is_del;
} ip6_sr_add_del_multicastmap_args_t;

/**
 * @brief Segment Routing state.
 *
 * Single process-wide instance: sr_main (declared below).
 */
typedef struct
{
  /** pool of tunnel instances, sr entry only */
  ip6_sr_tunnel_t *tunnels;

  /** find an sr "tunnel" by its outer-IP src/dst */
  uword *tunnel_index_by_key;

  /** find an sr "tunnel" by its name */
  uword *tunnel_index_by_name;

  /** policy pool */
  ip6_sr_policy_t *policies;

  /** find a policy by name */
  uword *policy_index_by_policy_name;

  /** multicast address to policy mapping */
  uword *policy_index_by_multicast_address;

  /** hmac key id by shared secret */
  uword *hmac_key_by_shared_secret;

  /** ip6-rewrite next index for reinstalling the original dst address */
  u32 ip6_rewrite_sr_next_index;

  /** application API callback.
      Untyped here; vnet_register_sr_app_callback below takes void * as
      well, so the expected signature is only enforced by convention in
      the caller. */
  void *sr_local_cb;

  /** validate hmac keys.
      NOTE(review): the header does not show what the data plane does with
      an SR header carrying an HMAC when this is 0 (skip the check?) —
      confirm, since that decides whether unauthenticated SR headers are
      accepted. */
  u8 validate_hmac;

  /** pool of hmac keys */
  ip6_sr_hmac_key_t *hmac_keys;

  /** Openssl var (digest used for the HMAC) */
  EVP_MD *md;

  /** Openssl var.  The HMAC_CTX / HMAC_* API is deprecated in OpenSSL 3.0
      in favour of EVP_MAC; a shared context also implies single-threaded
      use unless the implementation serialises access — not visible here. */
  HMAC_CTX *hmac_ctx;

  /** enable debug spew */
  u8 is_debug;

  /** convenience */
  vlib_main_t *vlib_main;

  /** convenience */
  vnet_main_t *vnet_main;
} ip6_sr_main_t;

/* NOTE(review): this is a tentative definition, not an extern declaration,
   so every translation unit that includes this header defines sr_main and
   linking relies on common-symbol merging (-fcommon).  Toolchains that
   default to -fno-common reject this; the usual fix is `extern` here plus
   one definition in a single .c file. */
ip6_sr_main_t sr_main;

/** Format an ip6 SR header (length taken from the header itself). */
format_function_t format_ip6_sr_header;
/** Format an ip6 SR header with an explicit length argument. */
format_function_t format_ip6_sr_header_with_length;

/** Graph node that processes received SR headers. */
vlib_node_registration_t ip6_sr_input_node;

/**
 * @brief Add or delete an SR tunnel.
 * @param a tunnel arguments (a->is_del selects delete)
 * @return 0 on success, non-zero error code otherwise (codes not
 *         enumerated in this header)
 */
int ip6_sr_add_del_tunnel (ip6_sr_add_del_tunnel_args_t * a);

/**
 * @brief Add or delete an SR policy.
 * @param a policy arguments (a->is_del selects delete)
 * @return 0 on success, non-zero otherwise
 */
int ip6_sr_add_del_policy (ip6_sr_add_del_policy_args_t * a);

/**
 * @brief Add or delete a multicast-address -> policy mapping.
 * @param a mapping arguments (a->is_del selects delete)
 * @return 0 on success, non-zero otherwise
 */
int ip6_sr_add_del_multicastmap (ip6_sr_add_del_multicastmap_args_t * a);

/**
 * @brief Register the application callback stored in sr_main.sr_local_cb.
 * @param cb untyped function pointer; the expected signature is not
 *           declared in this header
 */
void vnet_register_sr_app_callback (void *cb);

/**
 * @brief Recompute the HMAC fields of an SR header in place.
 * @param sm SR main state (supplies the key pool and OpenSSL context)
 * @param ip the enclosing ip6 header
 * @param sr the SR header whose HMAC fields are (re)written
 */
void sr_fix_hmac (ip6_sr_main_t * sm, ip6_header_t * ip,
		  ip6_sr_header_t * sr);

#endif /* included_vnet_sr_h */

/*
 * fd.io coding-style-patch-verification: ON
 *
 * Local Variables:
 * eval: (c-set-style "gnu")
 * End:
 */