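syntax = "proto3";

package ligato.vpp.ipsec;

option go_package = "go.ligato.io/vpp-agent/v3/proto/ligato/vpp/ipsec;vpp_ipsec";

import "ligato/annotations.proto";

// Cryptographic algorithm used for ESP encryption.
// Mirrors vpp/src/vnet/ipsec/ipsec_sa.h:22; the numeric values are part of the
// wire contract and must never be renumbered or reused.
//
// NOTE(security): NONE_CRYPTO is the proto3 zero value, so an SA whose
// crypto_alg is simply omitted is created WITHOUT encryption. Set this field
// explicitly for every SA that is expected to provide confidentiality.
enum CryptoAlg { // vpp/src/vnet/ipsec/ipsec_sa.h:22
    NONE_CRYPTO = 0; /* NULL cipher - no encryption; also the default when the field is unset */

    // AES-CBC / AES-CTR provide confidentiality only. Pair them with an
    // IntegAlg other than NONE_INTEG, otherwise the ESP payload is unauthenticated.
    AES_CBC_128 = 1;
    AES_CBC_192 = 2;
    AES_CBC_256 = 3;
    AES_CTR_128 = 4;
    AES_CTR_192 = 5;
    AES_CTR_256 = 6;

    // AES-GCM is an AEAD mode (confidentiality and integrity in one pass).
    // NOTE(review): presumably integ_alg stays NONE_INTEG and crypto_salt supplies
    // the nonce salt for these modes - confirm against the VPP binding.
    AES_GCM_128 = 7;
    AES_GCM_192 = 8;
    AES_GCM_256 = 9;

    // Legacy 64-bit block ciphers. Single DES is brute-forceable and both are
    // exposed to birthday-bound attacks on long-lived SAs; RFC 8221 rates
    // DES-CBC as MUST NOT and 3DES-CBC as SHOULD NOT. Keep only for
    // interoperability with peers that cannot be upgraded.
    DES_CBC = 10;
    DES3_CBC = 11; // 3DES_CBC
}

// Integrity (authentication) algorithm, used by AH and by ESP modes that are
// not AEAD. Mirrors vpp/src/vnet/ipsec/ipsec_sa.h:44.
//
// NOTE(security): NONE_INTEG is the proto3 zero value. An ESP SA with a
// non-AEAD crypto_alg and integ_alg left unset carries no integrity
// protection at all; an AH SA with NONE_INTEG protects nothing.
enum IntegAlg { // vpp/src/vnet/ipsec/ipsec_sa.h:44
    NONE_INTEG = 0;  /* no integrity check; also the default when the field is unset */
    MD5_96 = 1;      /* RFC2403 - HMAC-MD5-96 is MUST NOT per RFC 8221; legacy interop only */
    SHA1_96 = 2;     /* RFC2404 - HMAC-SHA1-96 is being phased out (RFC 8221 "MUST-") */
    SHA_256_96 = 3;  /* draft-ietf-ipsec-ciph-sha-256-00 - 96-bit truncation, pre-RFC4868 variant */
    SHA_256_128 = 4; /* RFC4868 - recommended default */
    SHA_384_192 = 5; /* RFC4868 */
    SHA_512_256 = 6; /* RFC4868 */
}

// Security Policy Database (SPD): a set of interfaces plus the policies that
// decide, per packet, whether traffic is bypassed, discarded or protected.
message SecurityPolicyDatabase {
    uint32 index = 1; /* Numerical security policy database index, serves as a unique identifier */

    message Interface {
        string name = 1; /* Name of the related interface */
    }
    repeated Interface interfaces = 2; /* List of interfaces belonging to this SPD */

    // Inline policy entry. Deprecated - kept only so old configurations still
    // parse; see SecurityPolicy below for the live definition and field semantics.
    message PolicyEntry {
        uint32 sa_index = 1; /* Security association index */

        int32 priority = 2;
        bool is_outbound = 3;

        string remote_addr_start = 4 [(ligato_options).type = IP];
        string remote_addr_stop = 5 [(ligato_options).type = IP];
        string local_addr_start = 6 [(ligato_options).type = IP];
        string local_addr_stop = 7 [(ligato_options).type = IP];

        // IP protocol number; an 8-bit value, so bound it like the port fields below.
        uint32 protocol = 8 [(ligato_options).int_range = {minimum: 0 maximum: 255}];

        uint32 remote_port_start = 9 [(ligato_options).int_range = {minimum: 0 maximum: 65535}];
        uint32 remote_port_stop = 10 [(ligato_options).int_range = {minimum: 0 maximum: 65535}];
        uint32 local_port_start = 11 [(ligato_options).int_range = {minimum: 0 maximum: 65535}];
        uint32 local_port_stop = 12 [(ligato_options).int_range = {minimum: 0 maximum: 65535}];

        enum Action {
            BYPASS = 0;  /* pass matched traffic through unprotected - also the default when action is unset */
            DISCARD = 1; /* drop matched traffic */
            RESOLVE = 2; /* Note: this particular action is unused in VPP */
            PROTECT = 3; /* apply the SA referenced by sa_index */
        }
        Action action = 13;
    }
    // List of policy entries belonging to this SPD.
    // Deprecated and actually trying to use this will return an error.
    // Use separate model for Security Policy (SP) defined below.
    repeated PolicyEntry policy_entries = 3 [deprecated=true];
}

// Security Policy (SP): one selector entry of an SPD. Packets matching the
// address/port/protocol ranges are handled according to `action`.
//
// NOTE(security): `action` defaults to BYPASS (proto3 zero value). A policy
// whose action is omitted lets matching traffic pass in the clear - always set
// it explicitly, and make sure a PROTECT policy references a valid sa_index.
message SecurityPolicy {
    uint32 spd_index = 1; /* Security policy database index */
    uint32 sa_index = 2;  /* Security association index (used with Action PROTECT) */

    int32 priority = 3;   /* NOTE(review): ordering semantics are defined by VPP - confirm which value wins */
    bool is_outbound = 4; /* true: applies to outbound traffic; false (default): inbound */

    string remote_addr_start = 5 [(ligato_options).type = IP];
    string remote_addr_stop = 6 [(ligato_options).type = IP];
    string local_addr_start = 7 [(ligato_options).type = IP];
    string local_addr_stop = 8 [(ligato_options).type = IP];

    // IP protocol number; an 8-bit value, so bound it like the port fields below.
    uint32 protocol = 9 [(ligato_options).int_range = {minimum: 0 maximum: 255}];

    uint32 remote_port_start = 10 [(ligato_options).int_range = {minimum: 0 maximum: 65535}];
    uint32 remote_port_stop = 11 [(ligato_options).int_range = {minimum: 0 maximum: 65535}];
    uint32 local_port_start = 12 [(ligato_options).int_range = {minimum: 0 maximum: 65535}];
    uint32 local_port_stop = 13 [(ligato_options).int_range = {minimum: 0 maximum: 65535}];

    enum Action {
        BYPASS = 0;  /* pass matched traffic through unprotected - also the default when action is unset */
        DISCARD = 1; /* drop matched traffic */
        RESOLVE = 2; /* Note: this particular action is unused in VPP */
        PROTECT = 3; /* apply the SA referenced by sa_index */
    }
    Action action = 14;
}

// Security Association (SA): the protocol, algorithms and keys applied to
// traffic that a PROTECT policy or a TunnelProtection maps onto this SA.
//
// NOTE(security): the key material in crypto_key / integ_key is carried inside
// the configuration message itself, so whatever transports or stores this
// model (KV store, gRPC, REST, logs) must be treated as holding secrets.
message SecurityAssociation {
    uint32 index = 1; /* Numerical security association index, serves as a unique identifier */
    // Security parameter index. The peer selects the SA by SPI, so it must be
    // unique per destination and protocol; RFC 4303 reserves SPI values 0-255.
    uint32 spi = 2;

    enum IPSecProtocol {
        AH = 0;  /* Authentication Header, provides a mechanism for authentication only - also the default when unset, i.e. no confidentiality */
        ESP = 1; /* Encapsulating Security Payload is for data confidentiality and authentication */
    }
    IPSecProtocol protocol = 3;

    CryptoAlg crypto_alg = 4; /* Cryptographic algorithm for encryption; NONE_CRYPTO when unset */
    // Encryption key. NOTE(review): presumably hex-encoded with a length matching
    // crypto_alg (e.g. 16 bytes for *_128) - confirm against the descriptor validation.
    string crypto_key = 5;
    // Salt mixed into the nonce. NOTE(review): presumably only consulted for the
    // AES-GCM / AES-CTR modes - confirm against the VPP binding.
    uint32 crypto_salt = 15;

    IntegAlg integ_alg = 6; /* Cryptographic algorithm for authentication; NONE_INTEG when unset */
    // Integrity key. NOTE(review): presumably hex-encoded like crypto_key - confirm.
    string integ_key = 7;

    bool use_esn = 8; /* Use extended (64-bit) sequence number */
    // Use anti replay. Defaults to false (proto3 bool), so replay protection is
    // OFF unless the caller enables it explicitly.
    bool use_anti_replay = 9;

    // Outer addresses for tunnel mode. NOTE(review): presumably transport mode
    // is selected when both are left empty - confirm against the VPP binding.
    string tunnel_src_addr = 10 [(ligato_options).type = IP];
    string tunnel_dst_addr = 11 [(ligato_options).type = IP];

    bool enable_udp_encap = 12; /* Enable UDP encapsulation for NAT traversal */

    // UDP encapsulation ports; NOTE(review): presumably only meaningful when
    // enable_udp_encap is true - confirm.
    uint32 tunnel_src_port = 13 [(ligato_options).int_range = {minimum: 0 maximum: 65535}];
    uint32 tunnel_dst_port = 14 [(ligato_options).int_range = {minimum: 0 maximum: 65535}];
}

// TunnelProtection allows enabling IPSec tunnel protection on an existing interface
// (only IPIP tunnel interfaces are currently supported)
message TunnelProtection {
    // Name of the interface to be protected with IPSec.
    string interface = 1;

    // Outbound security associations identified by SA index.
    repeated uint32 sa_out = 2;

    // Inbound security associations identified by SA index.
    repeated uint32 sa_in = 3;

    // (Optional) Next hop IP address, used for multipoint tunnels.
    string next_hop_addr = 4 [(ligato_options).type = IP];
}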