07b2274073
Introduced SA and child SA uptime. Type: improvement Change-Id: I28cf9f90d35ebe035a31ed0a985a5e462c8536a8 Signed-off-by: Denys Haryachyy <garyachy@gmail.com>
/* Hey Emacs use -*- mode: C -*- */
|
|
/*
|
|
* Copyright (c) 2015-2020 Cisco and/or its affiliates.
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at:
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
option version = "1.0.1";
|
|
|
|
import "plugins/ikev2/ikev2_types.api";
|
|
import "vnet/ip/ip_types.api";
|
|
import "vnet/interface_types.api";
|
|
|
|
/** \brief Get the plugin version
    Request message; the agent answers with ikev2_plugin_get_version_reply.
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
*/
define ikev2_plugin_get_version
{
  u32 client_index;
  u32 context;
};
|
|
|
|
/** \brief Reply to get the plugin version
    Messages below carrying option status="in_progress" have a layout that is
    not yet frozen; clients should check this version before relying on them.
    @param context - returned sender context, to match reply w/ request
    @param major - Incremented every time a known breaking behavior change is introduced
    @param minor - Incremented with small changes, may be used to avoid buggy versions
*/
define ikev2_plugin_get_version_reply
{
  u32 context;
  u32 major;
  u32 minor;
};
|
|
|
|
/** \brief Dump all profiles
    One ikev2_profile_details message is sent per configured profile.
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
*/
define ikev2_profile_dump
{
  u32 client_index;
  u32 context;
  option status="in_progress";
};
|
|
|
|
/** \brief Details about one profile (reply to ikev2_profile_dump)
    @param context - returned sender context, to match reply w/ request
    @param profile - profile element with encapsulated attributes
                     (vl_api_ikev2_profile_t is defined in ikev2_types.api)
*/
define ikev2_profile_details
{
  u32 context;
  vl_api_ikev2_profile_t profile;
  option status="in_progress";
};
|
|
|
|
/** \brief Dump all IKE SAs (v1 format)
    One ikev2_sa_details message is sent per IKE SA.
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
*/
define ikev2_sa_dump
{
  u32 client_index;
  u32 context;
};
|
|
|
|
/** \brief Dump all IKE SAs (v2 format)
    One ikev2_sa_v2_details message is sent per IKE SA.
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
*/
define ikev2_sa_v2_dump
{
  u32 client_index;
  u32 context;
};
|
|
|
|
/** \brief Dump all IKE SAs (v3 format, layout not yet frozen)
    One ikev2_sa_v3_details message is sent per IKE SA.
    NOTE(review): per the commit message this revision adds SA uptime; the
    field itself lives in vl_api_ikev2_sa_v3_t (ikev2_types.api), confirm there.
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
*/
define ikev2_sa_v3_dump
{
  u32 client_index;
  u32 context;
  option status = "in_progress";
};
|
|
|
|
/** \brief Details about one IKE SA (reply to ikev2_sa_dump)
    @param context - sender context, to match reply w/ request
    @param retval - return code (VPP convention: 0 on success, negative on error)
    @param sa - SA data (vl_api_ikev2_sa_t, defined in ikev2_types.api)
*/
define ikev2_sa_details
{
  u32 context;
  i32 retval;

  vl_api_ikev2_sa_t sa;
};
|
|
|
|
/** \brief Details about one IKE SA (reply to ikev2_sa_v2_dump)
    @param context - sender context, to match reply w/ request
    @param retval - return code (VPP convention: 0 on success, negative on error)
    @param sa - SA data (vl_api_ikev2_sa_v2_t, defined in ikev2_types.api)
*/
define ikev2_sa_v2_details
{
  u32 context;
  i32 retval;

  vl_api_ikev2_sa_v2_t sa;
};
|
|
|
|
/** \brief Details about one IKE SA (reply to ikev2_sa_v3_dump)
    Layout not yet frozen (status in_progress).
    @param context - sender context, to match reply w/ request
    @param retval - return code (VPP convention: 0 on success, negative on error)
    @param sa - SA data (vl_api_ikev2_sa_v3_t, defined in ikev2_types.api)
*/
define ikev2_sa_v3_details
{
  u32 context;
  i32 retval;

  vl_api_ikev2_sa_v3_t sa;
  option status = "in_progress";
};
|
|
|
|
/** \brief Dump child SAs of a specific IKE SA (v1 format)
    One ikev2_child_sa_details message is sent per child SA.
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param sa_index - index of the parent IKE SA (as reported by ikev2_sa_dump)
*/
define ikev2_child_sa_dump
{
  u32 client_index;
  u32 context;

  u32 sa_index;
  option vat_help = "sa_index <index>";
};
|
|
|
|
/** \brief Child SA details (reply to ikev2_child_sa_dump)
    @param context - sender context, to match reply w/ request
    @param retval - return code (VPP convention: 0 on success, negative on error)
    @param child_sa - child SA data (vl_api_ikev2_child_sa_t, ikev2_types.api)
*/
define ikev2_child_sa_details
{
  u32 context;
  i32 retval;

  vl_api_ikev2_child_sa_t child_sa;
};
|
|
|
|
/** \brief Dump child SAs of a specific IKE SA (v2 format, layout not yet frozen)
    One ikev2_child_sa_v2_details message is sent per child SA.
    NOTE(review): per the commit message this revision adds child SA uptime;
    the field lives in vl_api_ikev2_child_sa_v2_t (ikev2_types.api).
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param sa_index - index of the parent IKE SA
*/
define ikev2_child_sa_v2_dump
{
  u32 client_index;
  u32 context;

  u32 sa_index;
  option vat_help = "sa_index <index>";
  option status = "in_progress";
};
|
|
|
|
/** \brief Child SA details (reply to ikev2_child_sa_v2_dump)
    Layout not yet frozen (status in_progress).
    @param context - sender context, to match reply w/ request
    @param retval - return code (VPP convention: 0 on success, negative on error)
    @param child_sa - child SA data (vl_api_ikev2_child_sa_v2_t, ikev2_types.api)
*/
define ikev2_child_sa_v2_details
{
  u32 context;
  i32 retval;

  vl_api_ikev2_child_sa_v2_t child_sa;
  option status = "in_progress";
};
|
|
|
|
/** \brief Get the initiator or responder nonce of a specific IKE SA
    Diagnostic request; answered by ikev2_nonce_get_reply.
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param is_initiator - true selects the initiator nonce, false the responder nonce
    @param sa_index - index of the IKE SA
*/
define ikev2_nonce_get
{
  u32 client_index;
  u32 context;

  bool is_initiator;
  u32 sa_index;
  option vat_help = "initiator|responder sa_index <index>";
  option status = "in_progress";
};
|
|
|
|
/** \brief Reply carrying the requested nonce (see ikev2_nonce_get)
    NOTE(review): nonces are inputs to IKEv2 key derivation, so this reply
    exposes SA-internal state to any API client; restrict who can reach the
    API socket accordingly.
    @param context - sender context, to match reply w/ request
    @param retval - return code (VPP convention: 0 on success, negative on error)
    @param data_len - nonce length in bytes; sizes the nonce array that follows
    @param nonce - nonce data, variable length
*/

define ikev2_nonce_get_reply
{
  u32 context;
  i32 retval;

  u32 data_len;
  u8 nonce[data_len];
  option status = "in_progress";
};
|
|
|
|
/** \brief Dump traffic selectors of a specific child SA
    One ikev2_traffic_selector_details message is sent per selector.
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param is_initiator - true selects the initiator traffic selectors, false the responder ones
    @param sa_index - index of the parent IKE SA
    @param child_sa_index - index of the child SA within that IKE SA
*/

define ikev2_traffic_selector_dump
{
  u32 client_index;
  u32 context;

  bool is_initiator;
  u32 sa_index;
  u32 child_sa_index;
  option vat_help = "initiator|responder sa_index <index> child_sa_index <index>";
  option status = "in_progress";
};
|
|
|
|
/** \brief Details on one traffic selector (reply to ikev2_traffic_selector_dump)
    @param context - sender context, to match reply w/ request
    @param retval - return code (VPP convention: 0 on success, negative on error)
    @param ts - traffic selector data (vl_api_ikev2_ts_t, ikev2_types.api)
*/

define ikev2_traffic_selector_details
{
  u32 context;
  i32 retval;

  vl_api_ikev2_ts_t ts;
  option status = "in_progress";
};
|
|
|
|
/** \brief IKEv2: Add/delete profile
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param name - IKEv2 profile name (fixed 64-byte string field)
    @param is_add - Add IKEv2 profile if non-zero, else delete
*/
autoreply define ikev2_profile_add_del
{
  u32 client_index;
  u32 context;

  string name[64];
  bool is_add;
  option vat_help = "name <profile_name> [del]";
  option status="in_progress";
};
|
|
|
|
/** \brief IKEv2: Set IKEv2 profile authentication method
    NOTE(review): for shared-key-mic the pre-shared key itself is carried in
    `data`, so every client able to send this message can set (and must be
    trusted with) the secret; with rsa-sig `data` is a certificate path that the
    VPP process reads. The handler must bound `data_len` before copying -- confirm.
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param name - IKEv2 profile name
    @param auth_method - IKEv2 authentication method (shared-key-mic/rsa-sig)
    @param is_hex - Authentication data in hex format if non-zero, else string
    @param data_len - Authentication data length in bytes; sizes the data array
    @param data - Authentication data (for rsa-sig cert file path), variable length
*/
autoreply define ikev2_profile_set_auth
{
  u32 client_index;
  u32 context;

  string name[64];
  u8 auth_method;
  bool is_hex;
  u32 data_len;
  u8 data[data_len];
  option vat_help = "name <profile_name> auth_method <method> (auth_data 0x<data> | auth_data <data>)";
  option status="in_progress";
};
|
|
|
|
/** \brief IKEv2: Set IKEv2 profile local/remote identification
    The remote identification is what the peer must present during IKE_AUTH;
    the local one is what this side sends.
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param name - IKEv2 profile name
    @param is_local - Identification is local if non-zero, else remote
    @param id_type - Identification type (numeric code; values presumably
                     defined in ikev2_types.api -- confirm)
    @param data_len - Identification data length in bytes; sizes the data array
    @param data - Identification data, variable length
*/
autoreply define ikev2_profile_set_id
{
  u32 client_index;
  u32 context;

  string name[64];
  bool is_local;
  u8 id_type;
  u32 data_len;
  u8 data[data_len];
  option vat_help = "name <profile_name> id_type <type> (id_data 0x<data> | id_data <data>) (local|remote)";
  option status="in_progress";
};
|
|
|
|
/** \brief IKEv2: Disable NAT traversal for a profile
    There is no enable counterpart in this file; NAT-T is presumably on by
    default for a new profile -- confirm against the handler.
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param name - IKEv2 profile name
*/
autoreply define ikev2_profile_disable_natt
{
  u32 client_index;
  u32 context;

  string name[64];
  option status="in_progress";
};
|
|
|
|
/** \brief IKEv2: Set IKEv2 profile traffic selector parameters
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param name - IKEv2 profile name
    @param ts - traffic selector data (vl_api_ikev2_ts_t, ikev2_types.api);
                whether it applies locally or remotely is part of the type
*/
autoreply define ikev2_profile_set_ts
{
  u32 client_index;
  u32 context;

  string name[64];
  vl_api_ikev2_ts_t ts;
  option vat_help = "name <profile_name> protocol <proto> start_port <port> end_port <port> start_addr <ip> end_addr <ip> (local|remote)";
  option status="in_progress";
};
|
|
|
|
/** \brief IKEv2: Set IKEv2 local RSA private key
    Only a path is sent; the key file is presumably opened by the VPP process,
    so it must be readable by VPP and should not be readable by other users --
    confirm against the handler.
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param key_file - Key file absolute path (fixed 256-byte string field)
*/
autoreply define ikev2_set_local_key
{
  u32 client_index;
  u32 context;

  string key_file[256];
  option vat_help = "file <absolute_file_path>";
  option status="in_progress";
};
|
|
|
|
/** \brief IKEv2: Set the tunnel interface which will be protected by IKE
    If this API is not called, a new tunnel will be created
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param name - IKEv2 profile name
    @param sw_if_index - Of an existing tunnel
*/
autoreply define ikev2_set_tunnel_interface
{
  u32 client_index;
  u32 context;
  string name[64];

  vl_api_interface_index_t sw_if_index;
  option status="in_progress";
};
|
|
|
|
/** \brief IKEv2: Set IKEv2 responder interface and IP address
    See ikev2_set_responder_hostname for the name-based variant.
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param name - IKEv2 profile name
    @param responder - responder data (vl_api_ikev2_responder_t, ikev2_types.api)
*/
autoreply define ikev2_set_responder
{
  u32 client_index;
  u32 context;

  string name[64];
  vl_api_ikev2_responder_t responder;
  option vat_help = "<profile_name> interface <interface> address <addr>";
  option status="in_progress";
};
|
|
|
|
/** \brief IKEv2: Set IKEv2 responder by hostname and interface
    Name-based counterpart of ikev2_set_responder. The hostname is presumably
    resolved by VPP rather than the client -- confirm against the handler; if so,
    the trust placed in DNS for the responder address belongs in the deployment
    threat model.
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param name - IKEv2 profile name
    @param hostname - responder hostname (fixed 64-byte string field)
    @param sw_if_index - interface towards the responder
*/
autoreply define ikev2_set_responder_hostname
{
  u32 client_index;
  u32 context;

  string name[64];
  string hostname[64];
  vl_api_interface_index_t sw_if_index;
  option status="in_progress";
};
|
|
|
|
/** \brief IKEv2: Set IKEv2 IKE transforms in SA_INIT proposal (RFC 7296)
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param name - IKEv2 profile name
    @param tr - IKE transforms: crypto algorithm, key size, integrity algorithm
                and DH group (vl_api_ikev2_ike_transforms_t, ikev2_types.api)
*/
autoreply define ikev2_set_ike_transforms
{
  u32 client_index;
  u32 context;

  string name[64];
  vl_api_ikev2_ike_transforms_t tr;
  option vat_help = "<profile_name> <crypto alg> <key size> <integrity alg> <DH group>";
  option status="in_progress";
};
|
|
|
|
/** \brief IKEv2: Set IKEv2 ESP transforms in SA_INIT proposal (RFC 7296)
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param name - IKEv2 profile name
    @param tr - ESP transforms: crypto algorithm, key size and integrity
                algorithm (vl_api_ikev2_esp_transforms_t, ikev2_types.api)
*/
autoreply define ikev2_set_esp_transforms
{
  u32 client_index;
  u32 context;

  string name[64];
  vl_api_ikev2_esp_transforms_t tr;
  option vat_help = "<profile_name> <crypto alg> <key size> <integrity alg>";
  option status="in_progress";
};
|
|
|
|
/** \brief IKEv2: Set Child SA lifetime, limited by time and/or data
    Both limits disabled (0 and 0) means the SA is never rekeyed automatically.
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param name - IKEv2 profile name
    @param lifetime - SA maximum life time in seconds (0 to disable)
    @param lifetime_jitter - Jitter added to prevent simultaneous rekeying
    @param handover - Hand over time
    @param lifetime_maxdata - SA maximum life time in bytes (0 to disable)
*/
autoreply define ikev2_set_sa_lifetime
{
  u32 client_index;
  u32 context;

  string name[64];
  u64 lifetime;
  u32 lifetime_jitter;
  u32 handover;
  u64 lifetime_maxdata;
  option vat_help = "<profile_name> <seconds> <jitter> <handover> <max bytes>";
  option status="in_progress";
};
|
|
|
|
/** \brief IKEv2: Initiate the SA_INIT exchange
    Starts IKE negotiation towards the responder configured on the profile.
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param name - IKEv2 profile name
*/
autoreply define ikev2_initiate_sa_init
{
  u32 client_index;
  u32 context;

  string name[64];
  option vat_help = "<profile_name>";
  option status="in_progress";
};
|
|
|
|
/** \brief IKEv2: Initiate the delete IKE SA exchange
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param ispi - IKE SA initiator SPI (64-bit, as IKE SPIs are in RFC 7296)
*/
autoreply define ikev2_initiate_del_ike_sa
{
  u32 client_index;
  u32 context;

  u64 ispi;
  option vat_help = "<ispi>";
  option status="in_progress";
};
|
|
|
|
/** \brief IKEv2: Initiate the delete Child SA exchange
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param ispi - Child SA initiator SPI (32-bit, an ESP SPI; contrast the
                  64-bit IKE SPI in ikev2_initiate_del_ike_sa)
*/
autoreply define ikev2_initiate_del_child_sa
{
  u32 client_index;
  u32 context;

  u32 ispi;
  option vat_help = "<ispi>";
  option status="in_progress";
};
|
|
|
|
/** \brief IKEv2: Initiate the rekey Child SA exchange
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param ispi - Child SA initiator SPI (32-bit ESP SPI)
*/
autoreply define ikev2_initiate_rekey_child_sa
{
  u32 client_index;
  u32 context;

  u32 ispi;
  option vat_help = "<ispi>";
  option status="in_progress";
};
|
|
|
|
/** \brief IKEv2: Set UDP encapsulation for a profile
    No flag field is present, so this message only enables encapsulation.
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param name - IKEv2 profile name
*/
autoreply define ikev2_profile_set_udp_encap
{
  u32 client_index;
  u32 context;

  string name[64];
  option status="in_progress";
};
|
|
|
|
/** \brief IKEv2: Set/unset custom ipsec-over-udp port
    NOTE(review): is_set is declared u8 where the other messages in this file
    use bool; it cannot be changed without altering the wire layout, so treat
    any non-zero value as "set".
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param is_set - whether set or unset custom port
    @param port - port number
    @param name - IKEv2 profile name
*/
autoreply define ikev2_profile_set_ipsec_udp_port
{
  u32 client_index;
  u32 context;

  u8 is_set;
  u16 port;
  string name[64];
  option status="in_progress";
};
|
|
|
|
/** \brief IKEv2: Set liveness (dead peer detection) parameters
    There is no profile name field, so despite the message name this
    presumably applies plugin-wide -- confirm against the handler.
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param period - how often is liveness check performed
    @param max_retries - max retries for liveness check before the peer is
                         considered dead
*/
autoreply define ikev2_profile_set_liveness
{
  u32 client_index;
  u32 context;

  u32 period;
  u32 max_retries;
  option status="in_progress";
};
|
|
|
|
/* Error/statistics counters of the IKEv2 input nodes. The "error" severity
 * entries (ignored/retransmitted/malformed packets) are the ones worth
 * alerting on: a sustained rise can indicate a peer misbehaving or a flood. */
counters ikev2 {
  processed {
    severity info;
    type counter64;
    units "packets";
    description "packets processed";
  };
  ike_sa_init_retransmit {
    severity info;
    type counter64;
    units "packets";
    description "IKE SA INIT retransmit";
  };
  ike_sa_init_ignore {
    severity error;
    type counter64;
    units "packets";
    description "IKE_SA_INIT ignore (IKE SA already auth)";
  };
  ike_req_retransmit {
    severity error;
    type counter64;
    units "packets";
    description "IKE request retransmit";
  };
  ike_req_ignore {
    severity error;
    type counter64;
    units "packets";
    description "IKE request ignore (old msgid)";
  };
  not_ikev2 {
    severity error;
    type counter64;
    units "packets";
    description "Non IKEv2 packets received";
  };
  bad_length {
    severity error;
    type counter64;
    units "packets";
    description "Bad packet length";
  };
  malformed_packet {
    severity error;
    type counter64;
    units "packets";
    description "Malformed packet";
  };
  no_buff_space {
    severity error;
    type counter64;
    units "packets";
    description "No buffer space";
  };
  keepalive {
    severity info;
    type counter64;
    units "packets";
    description "IKE keepalive messages received";
  };
  rekey_req {
    severity info;
    type counter64;
    units "packets";
    description "IKE rekey requests received";
  };
  init_sa_req {
    severity info;
    type counter64;
    units "packets";
    description "IKE EXCHANGE SA requests received";
  };
  ike_auth_req {
    severity info;
    type counter64;
    units "packets";
    description "IKE AUTH SA requests received";
  };
};
|
|
/* Stats-segment paths under which the ikev2 counters above are exposed, one
 * per input node (IPv4, IPv6 and IPv4 NAT-T). */
paths {
  "/err/ikev2-ip4" "ike";
  "/err/ikev2-ip6" "ike";
  "/err/ikev2-ip4-natt" "ike";
};
|
|
|
|
/*
|
|
* Local Variables:
|
|
* eval: (c-set-style "gnu")
|
|
* End:
|
|
*/
|