
// IPsec configuration model for the VPP agent: security policy databases
// (SecurityPolicyDatabase), security policies (SecurityPolicy), security
// associations (SecurityAssociation) and interface tunnel protection
// (TunnelProtection). SecurityAssociation carries secret key material
// (crypto_key, integ_key), so serialized configs built from this schema are
// sensitive.
syntax = "proto3";

package ligato.vpp.ipsec;

option go_package = "go.ligato.io/vpp-agent/v3/proto/ligato/vpp/ipsec;vpp_ipsec";

// Provides the (ligato_options) field extension (type = IP, int_range) that
// annotates the address and port fields below.
import "ligato/annotations.proto";
     8  
// Cryptographic algorithm used for encryption (VPP-side definition:
// vpp/src/vnet/ipsec/ipsec_sa.h:22).
//
// NONE_CRYPTO is the proto3 zero value, so a SecurityAssociation whose
// crypto_alg is left unset selects no encryption at all. Set the field
// explicitly rather than relying on the default.
enum CryptoAlg { // vpp/src/vnet/ipsec/ipsec_sa.h:22
    // No encryption (null cipher). Also the implicit default.
    NONE_CRYPTO = 0;
    // AES in CBC mode with a 128/192/256-bit key. CBC provides
    // confidentiality only; integrity must come from a separate IntegAlg.
    AES_CBC_128 = 1;
    AES_CBC_192 = 2;
    AES_CBC_256 = 3;
    // AES in CTR mode with a 128/192/256-bit key. Like CBC, unauthenticated;
    // pair it with an IntegAlg.
    AES_CTR_128 = 4;
    AES_CTR_192 = 5;
    AES_CTR_256 = 6;
    // AES-GCM with a 128/192/256-bit key. An AEAD cipher providing both
    // confidentiality and integrity, so a separate IntegAlg is not needed
    // for integrity.
    // NOTE(review): whether crypto_salt is required for the GCM variants is
    // decided by VPP, not by this schema — confirm with the agent's SA
    // validation.
    AES_GCM_128 = 7;
    AES_GCM_192 = 8;
    AES_GCM_256 = 9;
    // Single DES in CBC mode (56-bit key). Cryptographically weak; avoid for
    // new security associations.
    DES_CBC = 10;
    // Triple DES in CBC mode (3DES_CBC). Legacy 64-bit block cipher; prefer
    // the AES variants.
    DES3_CBC = 11;  // 3DES_CBC
}
    24  
// Cryptographic algorithm used for integrity protection / authentication
// (VPP-side definition: vpp/src/vnet/ipsec/ipsec_sa.h:44).
//
// NONE_INTEG is the proto3 zero value: a SecurityAssociation with integ_alg
// unset gets no integrity protection unless its CryptoAlg is an AEAD
// (AES_GCM_*). Set the field explicitly for non-AEAD ciphers.
enum IntegAlg { // vpp/src/vnet/ipsec/ipsec_sa.h:44
    // No integrity protection. Also the implicit default.
    NONE_INTEG = 0;
    // HMAC-MD5 truncated to 96 bits (RFC 2403). MD5 is considered weak;
    // avoid for new security associations.
    MD5_96 = 1;
    // HMAC-SHA1 truncated to 96 bits (RFC 2404). Prefer the SHA-2 variants
    // below where the peer supports them.
    SHA1_96 = 2;
    // HMAC-SHA-256 truncated to 96 bits (draft-ietf-ipsec-ciph-sha-256-00).
    // The truncation differs from RFC 4868's 128 bits, so interoperability
    // with peers expecting SHA_256_128 is not guaranteed.
    SHA_256_96 = 3;
    // HMAC-SHA-256 truncated to 128 bits (RFC 4868).
    SHA_256_128 = 4;
    // HMAC-SHA-384 truncated to 192 bits (RFC 4868).
    SHA_384_192 = 5;
    // HMAC-SHA-512 truncated to 256 bits (RFC 4868).
    SHA_512_256 = 6;
}
    35  
// Security Policy Database (SPD): a set of IPsec policies bound to one or
// more interfaces. Policies are configured through the separate
// SecurityPolicy message; the inline policy_entries list kept here is
// deprecated.
message SecurityPolicyDatabase {
    // Numerical security policy database index, serves as a unique identifier.
    uint32 index = 1;

    // Interface bound to this SPD.
    message Interface {
        // Name of the related interface.
        string name = 1;
    }
    // List of interfaces belonging to this SPD.
    repeated Interface interfaces = 2;

    // Deprecated inline policy definition; retained only for wire
    // compatibility. Its fields mirror SecurityPolicy.
    message PolicyEntry {
        // Index of the security association applied when action is PROTECT.
        uint32 sa_index = 1;

        // Priority used to order entries that match the same traffic.
        // NOTE(review): the ordering direction (higher wins vs. lower wins)
        // is not stated here — confirm against the VPP SPD documentation.
        int32 priority = 2;
        // true: policy applies to outbound traffic; false: inbound.
        bool is_outbound = 3;

        // Remote address range (start..stop) this policy matches.
        string remote_addr_start = 4  [(ligato_options).type = IP];
        string remote_addr_stop = 5  [(ligato_options).type = IP];
        // Local address range (start..stop) this policy matches.
        string local_addr_start = 6  [(ligato_options).type = IP];
        string local_addr_stop = 7  [(ligato_options).type = IP];

        // IP protocol number to match.
        // NOTE(review): whether 0 means "any protocol" is not stated in this
        // schema — confirm with the agent's SPD handling.
        uint32 protocol = 8;

        // Remote port range (start..stop, 0..65535) this policy matches.
        uint32 remote_port_start = 9  [(ligato_options).int_range = {minimum: 0 maximum: 65535}];
        uint32 remote_port_stop = 10  [(ligato_options).int_range = {minimum: 0 maximum: 65535}];
        // Local port range (start..stop, 0..65535) this policy matches.
        uint32 local_port_start = 11  [(ligato_options).int_range = {minimum: 0 maximum: 65535}];
        uint32 local_port_stop = 12  [(ligato_options).int_range = {minimum: 0 maximum: 65535}];

        // Action applied to traffic matching this entry.
        // BYPASS is the proto3 zero value, so an entry with action unset lets
        // matching traffic through without any IPsec processing (fail-open);
        // set the action explicitly.
        enum Action {
            // Pass the packet without IPsec processing.
            BYPASS = 0;
            // Drop the packet.
            DISCARD = 1;
            // Note: this particular action is unused in VPP.
            RESOLVE = 2;
            // Apply IPsec using the security association given by sa_index.
            PROTECT = 3;
        }
        Action action = 13;
    }
    // List of policy entries belonging to this SPD.
    // Deprecated and actually trying to use this will return an error.
    // Use separate model for Security Policy (SP) defined below.
    repeated PolicyEntry policy_entries = 3 [deprecated=true];
}
    76  
// Security Policy (SP): one IPsec policy entry belonging to a
// SecurityPolicyDatabase, selecting traffic by address, protocol and port
// ranges and deciding how it is handled.
message SecurityPolicy {
    // Index of the security policy database this policy belongs to.
    uint32 spd_index = 1;
    // Index of the security association applied when action is PROTECT.
    uint32 sa_index = 2;

    // Priority used to order policies that match the same traffic.
    // NOTE(review): the ordering direction (higher wins vs. lower wins) is
    // not stated here — confirm against the VPP SPD documentation.
    int32 priority = 3;
    // true: policy applies to outbound traffic; false: inbound.
    bool is_outbound = 4;

    // Remote address range (start..stop) this policy matches.
    string remote_addr_start = 5  [(ligato_options).type = IP];
    string remote_addr_stop = 6  [(ligato_options).type = IP];
    // Local address range (start..stop) this policy matches.
    string local_addr_start = 7  [(ligato_options).type = IP];
    string local_addr_stop = 8  [(ligato_options).type = IP];

    // IP protocol number to match.
    // NOTE(review): whether 0 means "any protocol" is not stated in this
    // schema — confirm with the agent's SPD handling.
    uint32 protocol = 9;

    // Remote port range (start..stop, 0..65535) this policy matches.
    uint32 remote_port_start = 10  [(ligato_options).int_range = {minimum: 0 maximum: 65535}];
    uint32 remote_port_stop = 11  [(ligato_options).int_range = {minimum: 0 maximum: 65535}];
    // Local port range (start..stop, 0..65535) this policy matches.
    uint32 local_port_start = 12  [(ligato_options).int_range = {minimum: 0 maximum: 65535}];
    uint32 local_port_stop = 13  [(ligato_options).int_range = {minimum: 0 maximum: 65535}];

    // Action applied to traffic matching this policy.
    // BYPASS is the proto3 zero value, so a policy with action unset lets
    // matching traffic through without any IPsec processing (fail-open);
    // set the action explicitly.
    enum Action {
        // Pass the packet without IPsec processing.
        BYPASS = 0;
        // Drop the packet.
        DISCARD = 1;
        // Note: this particular action is unused in VPP.
        RESOLVE = 2;
        // Apply IPsec using the security association given by sa_index.
        PROTECT = 3;
    }
    Action action = 14;
}
   104  
// Security Association (SA): the protocol, algorithms and keys used for one
// direction of an IPsec flow.
//
// This message carries secret key material (crypto_key, integ_key). Treat it
// as sensitive wherever configuration is logged, persisted or exported.
message SecurityAssociation {
    // Numerical security association index, serves as a unique identifier.
    uint32 index = 1;
    // Security parameter index (SPI) carried in the AH/ESP header to identify
    // this SA to the peer.
    uint32 spi = 2;

    // IPsec protocol applied by this SA.
    // AH is the proto3 zero value, so an SA with protocol unset is AH
    // (authentication only, no confidentiality); set it explicitly.
    enum IPSecProtocol {
        // Authentication Header, provides a mechanism for authentication only.
        AH = 0;
        // Encapsulating Security Payload is for data confidentiality and
        // authentication.
        ESP = 1;
    }
    IPSecProtocol protocol = 3;

    // Cryptographic algorithm for encryption. The zero value NONE_CRYPTO
    // means no encryption.
    CryptoAlg crypto_alg = 4;
    // Encryption key (secret).
    // NOTE(review): the expected encoding (e.g. hex string) and whether the
    // key length is validated against crypto_alg are not stated in this
    // schema — confirm with the agent's IPSec plugin.
    string crypto_key = 5;
    // Salt used together with crypto_key.
    // NOTE(review): which algorithms consume the salt (AES-GCM?) is decided
    // by VPP — confirm before relying on it.
    uint32 crypto_salt = 15;

    // Cryptographic algorithm for authentication. The zero value NONE_INTEG
    // means no integrity protection unless crypto_alg is an AEAD.
    IntegAlg integ_alg = 6;
    // Integrity key (secret). Same encoding caveat as crypto_key.
    string integ_key = 7;

    // Use extended sequence number (ESN, 64-bit sequence counter).
    bool use_esn = 8;
    // Use anti replay. When false, no replay-window check is performed on
    // inbound packets; enable unless there is a specific reason not to.
    bool use_anti_replay = 9;

    // Tunnel endpoint addresses.
    // NOTE(review): presumably leaving both unset selects transport mode —
    // confirm with the agent's SA handling.
    string tunnel_src_addr = 10  [(ligato_options).type = IP];
    string tunnel_dst_addr = 11  [(ligato_options).type = IP];

    // Enable UDP encapsulation for NAT traversal.
    bool enable_udp_encap = 12;

    // UDP ports for the encapsulated tunnel traffic (0..65535); presumably
    // only meaningful when enable_udp_encap is set.
    uint32 tunnel_src_port = 13  [(ligato_options).int_range = {minimum: 0 maximum: 65535}];
    uint32 tunnel_dst_port = 14  [(ligato_options).int_range = {minimum: 0 maximum: 65535}];
}
   134  
// TunnelProtection allows enabling IPSec tunnel protection on an existing interface
// (only IPIP tunnel interfaces are currently supported).
// The SA indexes below refer to SecurityAssociation.index values.
message TunnelProtection {
    // Name of the interface to be protected with IPSec.
    string interface = 1;

    // Outbound security associations identified by SA index.
    repeated uint32 sa_out = 2;

    // Inbound security associations identified by SA index.
    repeated uint32 sa_in = 3;

    // (Optional) Next hop IP address, used for multipoint tunnels.
    // Empty string means not set (proto3 string has no presence).
    string next_hop_addr = 4  [(ligato_options).type = IP];
}