summaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec/ipsec.api
blob: 2e69e6250342dbd931839883f43593ea467e8831 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
/* Hey Emacs use -*- mode: C -*- */
/*
 * Copyright (c) 2015-2016 Cisco and/or its affiliates.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

option version = "5.0.2";

import "vnet/ipsec/ipsec_types.api";
import "vnet/interface_types.api";
import "vnet/ip/ip_types.api";
import "vnet/interface_types.api";
import "vnet/tunnel/tunnel_types.api";

/** \brief IPsec: Add/delete Security Policy Database
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param is_add - add SPD if non-zero, else delete
    @param spd_id - SPD instance id (control plane allocated)
*/

autoreply define ipsec_spd_add_del
{
  u32 client_index;
  u32 context;
  bool is_add;
  u32 spd_id;
};

/** \brief IPsec: Add/delete SPD from interface

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param is_add - add security mode if non-zero, else delete
    @param sw_if_index - index of the interface
    @param spd_id - SPD instance id to use for lookups
*/


autoreply define ipsec_interface_add_del_spd
{
  u32 client_index;
  u32 context;

  bool is_add;
  vl_api_interface_index_t sw_if_index;
  u32 spd_id;
};

/** \brief IPsec: Add/delete Security Policy Database entry

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param is_add - add SPD if non-zero, else delete
    @param entry - Description of the entry to add/dell
*/
define ipsec_spd_entry_add_del
{
  option deprecated;
  u32 client_index;
  u32 context;
  bool is_add;
  vl_api_ipsec_spd_entry_t entry;
};

/** \brief IPsec: Add/delete Security Policy Database entry v2

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param is_add - add SPD if non-zero, else delete
    @param entry - Description of the entry to add/dell
*/
define ipsec_spd_entry_add_del_v2
{
  u32 client_index;
  u32 context;
  bool is_add;
  vl_api_ipsec_spd_entry_v2_t entry;
};

/** \brief IPsec: Reply Add/delete Security Policy Database entry

    @param context - sender context, to match reply w/ request
    @param retval - success/fail rutrun code
    @param stat_index - An index for the policy in the stats segment @ /net/ipec/policy
*/
define ipsec_spd_entry_add_del_reply
{
  option deprecated;
  u32 context;
  i32 retval;
  u32 stat_index;
};

/** \brief IPsec: Reply Add/delete Security Policy Database entry v2

    @param context - sender context, to match reply w/ request
    @param retval - success/fail rutrun code
    @param stat_index - An index for the policy in the stats segment @ /net/ipec/policy
*/
define ipsec_spd_entry_add_del_v2_reply
{
  u32 context;
  i32 retval;
  u32 stat_index;
};

/** \brief Dump IPsec all SPD IDs
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
*/
define ipsec_spds_dump {
  u32 client_index;
  u32 context;
};

/** \brief Dump IPsec all SPD IDs response
    @param client_index - opaque cookie to identify the sender
    @param spd_id - SPD instance id (control plane allocated)
    @param npolicies - number of policies in SPD
*/
define ipsec_spds_details {
  u32 context;
  u32 spd_id;
  u32 npolicies;
};

/** \brief Dump ipsec policy database data
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param spd_id - SPD instance id
    @param sa_id - SA id, optional, set to ~0 to see all policies in SPD
*/
define ipsec_spd_dump {
    u32 client_index;
    u32 context;
    u32 spd_id;
    u32 sa_id;
};

/** \brief IPsec policy database response
    @param context - sender context which was passed in the request
    €param entry - The SPD entry.
    @param bytes - byte count of packets matching this policy
    @param packets - count of packets matching this policy
*/
define ipsec_spd_details {
    u32 context;
    vl_api_ipsec_spd_entry_t entry;
};

/** \brief IPsec: Add/delete Security Association Database entry
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param entry - Entry to add or delete
 */
define ipsec_sad_entry_add_del
{
  option deprecated;
  u32 client_index;
  u32 context;
  bool is_add;
  vl_api_ipsec_sad_entry_t entry;
};

define ipsec_sad_entry_add_del_v2
{
  u32 client_index;
  u32 context;
  bool is_add;
  vl_api_ipsec_sad_entry_v2_t entry;
};

define ipsec_sad_entry_add_del_v3
{
  u32 client_index;
  u32 context;
  bool is_add;
  vl_api_ipsec_sad_entry_v3_t entry;
};
define ipsec_sad_entry_add
{
  u32 client_index;
  u32 context;
  vl_api_ipsec_sad_entry_v3_t entry;
};
autoreply define ipsec_sad_entry_del
{
  u32 client_index;
  u32 context;
  u32 id;
};

/** \brief An API to update the tunnel parameters and the ports associated with an SA

    Used in the NAT-T case when the NAT data changes
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param sa_id - the id of the SA to update
    @param is_tun - update the tunnel if non-zero, else update only the ports
    @param tunnel - sender context, to match reply w/ request
    @param udp_src_port - new src port for NAT-T. Used if different from 0xffff
    @param udp_dst_port - new dst port for NAT-T. Used if different from 0xffff
 */
autoreply define ipsec_sad_entry_update
{
  u32 client_index;
  u32 context;
  u32 sad_id;
  bool is_tun;
  vl_api_tunnel_t tunnel;
  u16 udp_src_port [default=0xffff];
  u16 udp_dst_port [default=0xffff];
};

define ipsec_sad_entry_add_del_reply
{
  option deprecated;
  u32 context;
  i32 retval;
  u32 stat_index;
};

define ipsec_sad_entry_add_del_v2_reply
{
  u32 context;
  i32 retval;
  u32 stat_index;
};

define ipsec_sad_entry_add_del_v3_reply
{
  u32 context;
  i32 retval;
  u32 stat_index;
};
define ipsec_sad_entry_add_reply
{
  u32 context;
  i32 retval;
  u32 stat_index;
};

/** \brief Add or Update Protection for a tunnel with IPSEC

    Tunnel protection directly associates an SA with all packets
    ingress and egress on the tunnel. This could also be achieved by
    assigning an SPD to the tunnel, but that would incur an unnessccary
    SPD entry lookup.

    For tunnels the ESP acts on the post-encapsulated packet. So if this
    packet:
      +---------+------+
      | Payload | O-IP |
      +---------+------+
    where O-IP is the overlay IP addrees that was routed into the tunnel,
    the resulting encapsulated packet will be:
      +---------+------+------+
      | Payload | O-IP | T-IP |
      +---------+------+------+
    where T-IP is the tunnel's src.dst IP addresses.
    If the SAs used for protection are in transport mode then the ESP is
    inserted before T-IP, i.e.:
      +---------+------+-----+------+
      | Payload | O-IP | ESP | T-IP |
      +---------+------+-----+------+
    If the SAs used for protection are in tunnel mode then another
    encapsulation occurs, i.e.:
      +---------+------+------+-----+------+
      | Payload | O-IP | T-IP | ESP | C-IP |
      +---------+------+------+-----+------+
    where C-IP are the crypto endpoint IP addresses defined as the tunnel
    endpoints in the SA.
    The mode for the inbound and outbound SA must be the same.

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param sw_id_index - Tunnel interface to protect
    @param nh - The peer/next-hop on the tunnel to which the traffic
                should be protected. For a P2P interface set this to the
                all 0s address.
    @param sa_in - The ID [set] of inbound SAs
    @param sa_out - The ID of outbound SA
*/
typedef ipsec_tunnel_protect
{
  vl_api_interface_index_t sw_if_index;
  vl_api_address_t nh;
  u32 sa_out;
  u8 n_sa_in;
  u32 sa_in[n_sa_in];
};

autoreply define ipsec_tunnel_protect_update
{
  u32 client_index;
  u32 context;

  vl_api_ipsec_tunnel_protect_t tunnel;
};

autoreply define ipsec_tunnel_protect_del
{
  u32 client_index;
  u32 context;

  vl_api_interface_index_t sw_if_index;
  vl_api_address_t nh;
};

/**
 * @brief Dump all tunnel protections
 */
define ipsec_tunnel_protect_dump
{
  u32 client_index;
  u32 context;
  vl_api_interface_index_t sw_if_index;
};

define ipsec_tunnel_protect_details
{
  u32 context;
  vl_api_ipsec_tunnel_protect_t tun;
};

/** \brief IPsec: Get SPD interfaces
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param spd_index - SPD index
    @param spd_index_valid - if 1 spd_index is used to filter
      spd_index's, if 0 no filtering is done
*/
define ipsec_spd_interface_dump {
    u32 client_index;
    u32 context;
    u32 spd_index;
    u8 spd_index_valid;
};

/** \brief IPsec: SPD interface response
    @param context - sender context which was passed in the request
    @param spd_index - SPD index
    @param sw_if_index - index of the interface
*/
define ipsec_spd_interface_details {
    u32 context;
    u32 spd_index;
    vl_api_interface_index_t sw_if_index;
};

typedef ipsec_itf
{
  u32 user_instance [default=0xffffffff];
  vl_api_tunnel_mode_t mode;
  vl_api_interface_index_t sw_if_index;
};

/** \brief Create an IPSec interface
 */
define ipsec_itf_create {
  u32 client_index;
  u32 context;
  vl_api_ipsec_itf_t itf;
};

/** \brief Add IPsec interface interface response
    @param context - sender context, to match reply w/ request
    @param retval - return status
    @param sw_if_index - sw_if_index of new interface (for successful add)
*/
define ipsec_itf_create_reply
{
  u32 context;
  i32 retval;
  vl_api_interface_index_t sw_if_index;
};

autoreply define ipsec_itf_delete
{
  u32 client_index;
  u32 context;
  vl_api_interface_index_t sw_if_index;
};

define ipsec_itf_dump
{
  u32 client_index;
  u32 context;
  vl_api_interface_index_t sw_if_index;
};

define ipsec_itf_details
{
  u32 context;
  vl_api_ipsec_itf_t itf;
};

/** \brief Dump IPsec security association
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param sa_id - optional ID of an SA to dump, if ~0 dump all SAs in SAD
*/
define ipsec_sa_dump
{
  option deprecated;
  u32 client_index;
  u32 context;
  u32 sa_id;
};
define ipsec_sa_v2_dump
{
  u32 client_index;
  u32 context;
  u32 sa_id;
};
define ipsec_sa_v3_dump
{
  u32 client_index;
  u32 context;
  u32 sa_id;
};

/** \brief IPsec security association database response
    @param context - sender context which was passed in the request
    @param entry - The SA details
    @param sw_if_index - sw_if_index of tunnel interface, policy-based SAs = ~0
    @param salt - 4 byte salt
    @param seq - current sequence number for outbound
    @param seq_hi - high 32 bits of ESN for outbound
    @param last_seq - highest sequence number received inbound
    @param last_seq_hi - high 32 bits of highest ESN received inbound
    @param replay_window - bit map of seq nums received relative to last_seq if using anti-replay
    @param stat_index - index for the SA in the stats segment @ /net/ipsec/sa
*/
define ipsec_sa_details {
  option deprecated;
  u32 context;
  vl_api_ipsec_sad_entry_t entry;

  vl_api_interface_index_t sw_if_index;
  u32 salt;
  u64 seq_outbound;
  u64 last_seq_inbound;
  u64 replay_window;

  u32 stat_index;
};
define ipsec_sa_v2_details {
  u32 context;
  vl_api_ipsec_sad_entry_v2_t entry;

  vl_api_interface_index_t sw_if_index;
  u32 salt;
  u64 seq_outbound;
  u64 last_seq_inbound;
  u64 replay_window;

  u32 stat_index;
};
define ipsec_sa_v3_details {
  u32 context;
  vl_api_ipsec_sad_entry_v3_t entry;

  vl_api_interface_index_t sw_if_index;
  u64 seq_outbound;
  u64 last_seq_inbound;
  u64 replay_window;

  u32 stat_index;
};

/** \brief Dump IPsec backends
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
*/
define ipsec_backend_dump {
  u32 client_index;
  u32 context;
};

/** \brief IPsec backend details
    @param name - name of the backend
    @param protocol - IPsec protocol (value from ipsec_protocol_t)
    @param index - backend index
    @param active - set to 1 if the backend is active, otherwise 0
*/
define ipsec_backend_details {
  u32 context;
  string name[128];
  vl_api_ipsec_proto_t protocol;
  u8 index;
  bool active;
};

/** \brief Select IPsec backend
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param protocol - IPsec protocol (value from ipsec_protocol_t)
    @param index - backend index
*/
autoreply define ipsec_select_backend {
  u32 client_index;
  u32 context;
  vl_api_ipsec_proto_t protocol;
  u8 index;
};


/** \brief IPsec Set Async mode
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param async_enable - ipsec async mode on or off
*/
autoreply define ipsec_set_async_mode {
  u32 client_index;
  u32 context;
  bool async_enable;
};

counters esp_decrypt {
  rx_pkts {
    severity info;
    type counter64;
    units "packets";
    description "ESP pkts received";
  };
  rx_post_pkts {
    severity info;
    type counter64;
    units "packets";
    description "ESP-POST pkts received";
  };
  handoff {
    severity info;
    type counter64;
    units "packets";
    description "hand-off";
  };
  decryption_failed {
    severity error;
    type counter64;
    units "packets";
    description "ESP decryption failed";
  };
  integ_error {
    severity error;
    type counter64;
    units "packets";
    description "integrity check failed";
  };
  crypto_engine_error {
    severity error;
    type counter64;
    units "packets";
    description "crypto engine error (packet dropped)";
  };
  replay {
    severity error;
    type counter64;
    units "packets";
    description "SA replayed packet";
  };
  runt {
    severity error;
    type counter64;
    units "packets";
    description "undersized packet";
  };
  no_buffers {
    severity error;
    type counter64;
    units "packets";
    description "no buffers (packet dropped)";
  };
  oversized_header {
    severity error;
    type counter64;
    units "packets";
    description "buffer with oversized header (dropped)";
  };
  no_tail_space {
    severity error;
    type counter64;
    units "packets";
    description "no enough buffer tail space (dropped)";
  };
  tun_no_proto {
    severity error;
    type counter64;
    units "packets";
    description "no tunnel protocol";
  };
  unsup_payload {
    severity error;
    type counter64;
    units "packets";
    description "unsupported payload";
  };
  no_avail_frame {
  severity error;
  type counter64;
  units "packets";
  description "no available frame (packet dropped)";
  };
};

counters esp_encrypt {
  rx_pkts {
    severity info;
    type counter64;
    units "packets";
    description "ESP pkts received";
  };
  post_rx_pkts {
    severity info;
    type counter64;
    units "packets";
    description "ESP-post pkts received";
  };
  handoff {
    severity info;
    type counter64;
    units "packets";
    description "Hand-off";
  };
  seq_cycled {
    severity error;
    type counter64;
    units "packets";
    description "sequence number cycled (packet dropped)";
  };
  crypto_engine_error {
    severity error;
    type counter64;
    units "packets";
    description "crypto engine error (packet dropped)";
  };
  crypto_queue_full {
    severity error;
    type counter64;
    units "packets";
    description "crypto queue full (packet dropped)";
  };
  no_buffers {
    severity error;
    type counter64;
    units "packets";
    description "no buffers (packet dropped)";
  };
  no_protection {
    severity error;
    type counter64;
    units "packets";
    description "no protecting SA (packet dropped)";
  };
  no_encryption {
    severity error;
    type counter64;
    units "packets";
    description "no Encrypting SA (packet dropped)";
  };
  no_avail_frame {
  severity error;
  type counter64;
  units "packets";
  description "no available frame (packet dropped)";
  };
};

counters ah_encrypt {
  rx_pkts {
    severity info;
    type counter64;
    units "packets";
    description "AH pkts received";
  };
  crypto_engine_error {
    severity error;
    type counter64;
    units "packets";
    description "crypto engine error (packet dropped)";
  };
  seq_cycled {
    severity error;
    type counter64;
    units "packets";
    description "sequence number cycled (packet dropped)";
  };
};

counters ah_decrypt {
  rx_pkts {
    severity info;
    type counter64;
    units "packets";
    description "AH pkts received";
  };
  decryption_failed {
    severity error;
    type counter64;
    units "packets";
    description "AH decryption failed";
  };
  integ_error {
    severity error;
    type counter64;
    units "packets";
    description "Integrity check failed";
  };
  no_tail_space {
    severity error;
    type counter64;
    units "packets";
    description "not enough buffer tail space (dropped)";
  };
  drop_fragments {
    severity error;
    type counter64;
    units "packets";
    description "IP fragments drop";
  };
  replay {
    severity error;
    type counter64;
    units "packets";
    description "SA replayed packet";
  };
};

counters ipsec_tun {
  rx {
    severity info;
    type counter64;
    units "packets";
    description "good packets received";
  };
  disabled {
    severity error;
    type counter64;
    units "packets";
    description "ipsec packets received on disabled interface";
  };
  no_tunnel {
    severity error;
    type counter64;
    units "packets";
    description "no matching tunnel";
  };
  tunnel_mismatch {
    severity error;
    type counter64;
    units "packets";
    description "SPI-tunnel mismatch";
  };
  nat_keepalive {
    severity info;
    type counter64;
    units "packets";
    description "NAT Keepalive";
  };
  too_short {
    severity error;
    type counter64;
    units "packets";
    description "Too Short";
  };
  spi_0 {
    severity info;
    type counter64;
    units "packets";
    description "SPI 0";
  };
};

paths {
  "/err/esp4-encrypt" "esp_encrypt";
  "/err/esp4-encrypt-post" "esp_encrypt";
  "/err/esp4-encrypt-tun" "esp_encrypt";
  "/err/esp4-encrypt-tun-post" "esp_encrypt";
  "/err/esp6-encrypt" "esp_encrypt";
  "/err/esp6-encrypt-post" "esp_encrypt";
  "/err/esp6-encrypt-tun" "esp_encrypt";
  "/err/esp6-encrypt-tun-post" "esp_encrypt";
  "/err/esp-mpls-encrypt-tun" "esp_encrypt";
  "/err/esp-mpls-encrypt-tun-post" "esp_encrypt";
  "/err/esp4-decrypt" "esp_decrypt";
  "/err/esp4-decrypt-post" "esp_decrypt";
  "/err/esp4-decrypt-tun" "esp_decrypt";
  "/err/esp4-decrypt-tun-post" "esp_decrypt";
  "/err/esp6-decrypt" "esp_decrypt";
  "/err/esp6-decrypt-post" "esp_decrypt";
  "/err/esp6-decrypt-tun" "esp_decrypt";
  "/err/esp6-decrypt-tun-post" "esp_decrypt";
  "/err/ah4-encrypt" "ah_encrypt";
  "/err/ah6-encrypt" "ah_encrypt";
  "/err/ipsec4-tun-input" "ipsec_tun";
  "/err/ipsec6-tun-input" "ipsec_tun";
};

/*
 * Local Variables:
 * eval: (c-set-style "gnu")
 * End:
 */