1/*
2 * Copyright (c) 2015 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
6 *
7 *     http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15#ifndef __included_ikev2_h__
16#define __included_ikev2_h__
17
18#include <vnet/vnet.h>
19#include <vnet/ip/ip.h>
20
21#include <vppinfra/error.h>
22
/* Nonce size (bytes) used by this implementation for Ni / Nr.
 * RFC 7296 section 2.10 requires nonces of 16..256 bytes that are at least
 * half the key size of the negotiated PRF; 32 bytes satisfies that for the
 * largest PRF enumerated below (HMAC-SHA2-512, 64-byte key).  Nonce
 * generation is not in this header; it must draw from a cryptographically
 * secure random source. */
#define IKEV2_NONCE_SIZE  32

/* Key pad string from RFC 7296 section 2.15, mixed into the AUTH payload
 * for shared-key authentication: prf(Shared Secret, "Key Pad for IKEv2").
 * The RFC defines it as 17 ASCII octets with NO NUL terminator, so callers
 * must pass sizeof (IKEV2_KEY_PAD) - 1 (or strlen), never sizeof. */
#define IKEV2_KEY_PAD "Key Pad for IKEv2"

/* Byte alias; its intended use is not visible in this header. */
typedef u8 v8;
28
/* *INDENT-OFF* */
/*
 * IKE header (RFC 7296 section 3.1) exactly as it appears on the wire;
 * CLIB_PACKED so sizeof() is the 28-byte header length.  Multi-byte fields
 * are big-endian on the wire and must be byte-swapped before being compared
 * or used as lengths.  This is the first thing a parser sees from an
 * unauthenticated peer: 'length' must be checked against the bytes actually
 * received before payload[] is touched.
 */
typedef CLIB_PACKED (struct {
  u64 ispi;        /* IKE SA initiator's SPI */
  u64 rspi;        /* IKE SA responder's SPI; zero in the first IKE_SA_INIT request */
  u8 nextpayload;  /* type of the first payload, one of IKEV2_PAYLOAD_* */
  u8 version;      /* major version in the high nibble, minor in the low (IKE_VERSION_2) */
  u8 exchange;     /* IKEV2_EXCHANGE_* */
  u8 flags;        /* IKEV2_HDR_FLAG_* bits */
  u32 msgid;       /* message id, used for request/response matching and replay checks */
  u32 length;      /* total message length in octets, including this header */
  u8 payload[0];   /* first payload follows; zero-length trailing array (GNU extension) */
}) ike_header_t;
/* *INDENT-ON* */
40
/* *INDENT-OFF* */
/*
 * Key Exchange payload header (RFC 7296 section 3.4), wire layout.
 * 'length' covers the generic 4-byte payload header plus the DH public
 * value; the parser must verify length >= sizeof (this struct) and that the
 * public value length matches the group in 'dh_group' before using payload[].
 */
typedef CLIB_PACKED (struct
		     {
		     u8 nextpayload;   /* next payload type, IKEV2_PAYLOAD_* */
		     u8 flags;         /* critical bit is IKEV2_PAYLOAD_FLAG_CRITICAL */
		     u16 length;       /* payload length in octets, header included */
		     u16 dh_group;     /* Diffie-Hellman group, ikev2_transform_dh_type_t */
		     u8 reserved[2];   /* must be sent as zero, ignored on receipt */
		     u8 payload[0];    /* key exchange data (DH public value) */
		     }) ike_ke_payload_header_t;
/* *INDENT-ON* */
50
/* *INDENT-OFF* */
/*
 * Generic payload header (RFC 7296 section 3.2) shared by every payload.
 * 'length' is big-endian on the wire and includes these 4 header bytes; a
 * parser must reject length < sizeof (ike_payload_header_t) and any length
 * that runs past the remaining message bytes before indexing payload[].
 */
typedef CLIB_PACKED (struct {
  u8 nextpayload;  /* type of the payload that follows, IKEV2_PAYLOAD_* */
  u8 flags;        /* bit 7 (IKEV2_PAYLOAD_FLAG_CRITICAL) marks a payload the receiver must understand */
  u16 length;      /* payload length in octets, header included */
  u8 payload[0];   /* payload-specific data */
}) ike_payload_header_t;
/* *INDENT-ON* */
58
/* *INDENT-OFF* */
/*
 * Authentication payload header (RFC 7296 section 3.8), wire layout.
 * The same length rules as ike_payload_header_t apply: validate 'length'
 * before reading the authentication data in payload[].
 */
typedef CLIB_PACKED (struct {
  u8 nextpayload;  /* next payload type, IKEV2_PAYLOAD_* */
  u8 flags;        /* critical bit is IKEV2_PAYLOAD_FLAG_CRITICAL */
  u16 length;      /* payload length in octets, header included */
  u8 auth_method;  /* ikev2_auth_method_t (RSA signature or shared-key MIC) */
  u8 reserved[3];  /* must be sent as zero, ignored on receipt */
  u8 payload[0];   /* authentication data (signature or MIC) */
}) ike_auth_payload_header_t;
/* *INDENT-ON* */
69
/* *INDENT-OFF* */
/*
 * Identification payload header (RFC 7296 section 3.5), used for both IDi
 * and IDr.  The identification data in payload[] is peer-supplied and is
 * not NUL-terminated; its size is length - sizeof (this struct) and it must
 * be bounds-checked before being copied or printed.
 */
typedef CLIB_PACKED (struct {
  u8 nextpayload;  /* next payload type, IKEV2_PAYLOAD_* */
  u8 flags;        /* critical bit is IKEV2_PAYLOAD_FLAG_CRITICAL */
  u16 length;      /* payload length in octets, header included */
  u8 id_type;      /* ikev2_id_type_t, selects how payload[] is interpreted */
  u8 reserved[3];  /* must be sent as zero, ignored on receipt */
  u8 payload[0];   /* identification data */
}) ike_id_payload_header_t;
/* *INDENT-ON* */
79
/* ike_header_t.version: major 2 in the high nibble, minor 0 in the low. */
#define IKE_VERSION_2                    0x20

/* ike_header_t.exchange values (RFC 7296 section 3.1). */
#define IKEV2_EXCHANGE_SA_INIT           34
#define IKEV2_EXCHANGE_IKE_AUTH          35
#define IKEV2_EXCHANGE_CREATE_CHILD_SA   36
#define IKEV2_EXCHANGE_INFORMATIONAL     37

/* ike_header_t.flags bits (RFC 7296 section 3.1): I = sent by the original
 * initiator, V = higher major version supported, R = this is a response.
 * Remaining bits are reserved and must be ignored on receipt. */
#define IKEV2_HDR_FLAG_INITIATOR         (1<<3)
#define IKEV2_HDR_FLAG_VERSION           (1<<4)
#define IKEV2_HDR_FLAG_RESPONSE          (1<<5)

/* Generic payload header critical bit (RFC 7296 section 3.2).  A receiver
 * that does not understand a payload with this bit set must reject the
 * message with an UNSUPPORTED_CRITICAL_PAYLOAD notify; without the bit the
 * unknown payload is skipped. */
#define IKEV2_PAYLOAD_FLAG_CRITICAL      (1<<7)

/* Payload type codes (RFC 7296 section 3.2); NONE terminates the chain. */
#define IKEV2_PAYLOAD_NONE      0
#define IKEV2_PAYLOAD_SA        33
#define IKEV2_PAYLOAD_KE        34
#define IKEV2_PAYLOAD_IDI       35
#define IKEV2_PAYLOAD_IDR       36
#define IKEV2_PAYLOAD_AUTH      39
#define IKEV2_PAYLOAD_NONCE     40
#define IKEV2_PAYLOAD_NOTIFY    41
#define IKEV2_PAYLOAD_DELETE    42
#define IKEV2_PAYLOAD_VENDOR    43
#define IKEV2_PAYLOAD_TSI       44
#define IKEV2_PAYLOAD_TSR       45
#define IKEV2_PAYLOAD_SK        46
106
/* Protocol ID carried in proposal, notify and delete payloads
 * (RFC 7296 section 3.3.1).  There is no value 0; callers should treat an
 * unlisted protocol id from the wire as invalid. */
typedef enum
{
  IKEV2_PROTOCOL_IKE = 1,
  IKEV2_PROTOCOL_AH = 2,
  IKEV2_PROTOCOL_ESP = 3,
} ikev2_protocol_id_t;
113
/*
 * Notify message types, _(value, NAME).  Values below 16384 are error
 * notifications, 16384 and above are status notifications
 * (RFC 7296 section 3.10.1).  Only the notifies a receiver acts upon
 * matter for security; unknown status types are ignored, unknown error
 * types are treated as a failure of the exchange.
 */
#define foreach_ikev2_notify_msg_type \
  _(    0, NONE)                                \
  _(    1, UNSUPPORTED_CRITICAL_PAYLOAD)        \
  _(    4, INVALID_IKE_SPI)                     \
  _(    5, INVALID_MAJOR_VERSION)               \
  _(    7, INVALID_SYNTAX)                      \
  _(    8, INVALID_MESSAGE_ID)                  \
  _(   11, INVALID_SPI)                         \
  _(   14, NO_PROPOSAL_CHOSEN)                  \
  _(   17, INVALID_KE_PAYLOAD)                  \
  _(   24, AUTHENTICATION_FAILED)               \
  _(   34, SINGLE_PAIR_REQUIRED)                \
  _(   35, NO_ADDITIONAL_SAS)                   \
  _(   36, INTERNAL_ADDRESS_FAILURE)            \
  _(   37, FAILED_CP_REQUIRED)                  \
  _(   38, TS_UNACCEPTABLE)                     \
  _(   39, INVALID_SELECTORS)                   \
  _(   40, UNACCEPTABLE_ADDRESSES)              \
  _(   41, UNEXPECTED_NAT_DETECTED)             \
  _(   42, USE_ASSIGNED_HoA)                    \
  _(   43, TEMPORARY_FAILURE)                   \
  _(   44, CHILD_SA_NOT_FOUND)                  \
  _(   45, INVALID_GROUP_ID)                    \
  _(   46, AUTHORIZATION_FAILED)                \
  _(16384, INITIAL_CONTACT)                     \
  _(16385, SET_WINDOW_SIZE)                     \
  _(16386, ADDITIONAL_TS_POSSIBLE)              \
  _(16387, IPCOMP_SUPPORTED)                    \
  _(16388, NAT_DETECTION_SOURCE_IP)             \
  _(16389, NAT_DETECTION_DESTINATION_IP)        \
  _(16390, COOKIE)                              \
  _(16391, USE_TRANSPORT_MODE)                  \
  _(16392, HTTP_CERT_LOOKUP_SUPPORTED)          \
  _(16393, REKEY_SA)                            \
  _(16394, ESP_TFC_PADDING_NOT_SUPPORTED)       \
  _(16395, NON_FIRST_FRAGMENTS_ALSO)            \
  _(16396, MOBIKE_SUPPORTED)                    \
  _(16397, ADDITIONAL_IP4_ADDRESS)              \
  _(16398, ADDITIONAL_IP6_ADDRESS)              \
  _(16399, NO_ADDITIONAL_ADDRESSES)             \
  _(16400, UPDATE_SA_ADDRESSES)                 \
  _(16401, COOKIE2)                             \
  _(16402, NO_NATS_ALLOWED)                     \
  _(16403, AUTH_LIFETIME)                       \
  _(16404, MULTIPLE_AUTH_SUPPORTED)             \
  _(16405, ANOTHER_AUTH_FOLLOWS)                \
  _(16406, REDIRECT_SUPPORTED)                  \
  _(16407, REDIRECT)                            \
  _(16408, REDIRECTED_FROM)                     \
  _(16409, TICKET_LT_OPAQUE)                    \
  _(16410, TICKET_REQUEST)                      \
  _(16411, TICKET_ACK)                          \
  _(16412, TICKET_NACK)                         \
  _(16413, TICKET_OPAQUE)                       \
  _(16414, LINK_ID)                             \
  _(16415, USE_WESP_MODE)                       \
  _(16416, ROHC_SUPPORTED)                      \
  _(16417, EAP_ONLY_AUTHENTICATION)             \
  _(16418, CHILDLESS_IKEV2_SUPPORTED)           \
  _(16419, QUICK_CRASH_DETECTION)               \
  _(16420, IKEV2_MESSAGE_ID_SYNC_SUPPORTED)     \
  _(16421, IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED) \
  _(16422, IKEV2_MESSAGE_ID_SYNC)               \
  _(16423, IPSEC_REPLAY_COUNTER_SYNC)           \
  _(16424, SECURE_PASSWORD_METHODS)             \
  _(16425, PSK_PERSIST)                         \
  _(16426, PSK_CONFIRM)                         \
  _(16427, ERX_SUPPORTED)                       \
  _(16428, IFOM_CAPABILITY)                     \
  _(16429, SENDER_REQUEST_ID)                   \
  _(16430, IKEV2_FRAGMENTATION_SUPPORTED)       \
  _(16431, SIGNATURE_HASH_ALGORITHMS)


/* IKEV2_NOTIFY_MSG_<NAME> = value, generated from the list above.  The
 * enum is sparse: a u16 read from a notify payload is not guaranteed to
 * name one of these members. */
typedef enum
{
#define _(v,f) IKEV2_NOTIFY_MSG_##f = v,
  foreach_ikev2_notify_msg_type
#undef _
} ikev2_notify_msg_type_t;
194
/* Transform types of an SA proposal, _(value, NAME, "cli-name")
 * (RFC 7296 section 3.3.2).  The string is the name accepted/printed by the
 * format/unformat helpers declared at the end of this header. */
#define foreach_ikev2_transform_type       \
  _(0, UNDEFINED, "undefined") \
  _(1, ENCR,  "encr")           \
  _(2, PRF,   "prf")            \
  _(3, INTEG, "integ")          \
  _(4, DH,    "dh-group")       \
  _(5, ESN,   "esn")

/* IKEV2_TRANSFORM_TYPE_<NAME> = value.  IKEV2_TRANSFORM_NUM_TYPES is one
 * past the last defined value (6) and is suitable as an array bound; a
 * transform type read from the wire must be range-checked against it
 * before being used as an index. */
typedef enum
{
#define _(v,f,s) IKEV2_TRANSFORM_TYPE_##f = v,
  foreach_ikev2_transform_type
#undef _
  IKEV2_TRANSFORM_NUM_TYPES
} ikev2_transform_type_t;
210
211
/*
 * Encryption algorithm transform IDs (IANA IKEv2 Transform Type 1),
 * _(value, NAME, "cli-name").  This is a registry mirror for parsing and
 * printing, not a list of what the implementation supports: several entries
 * (DES, 3DES, RC5, IDEA, CAST, Blowfish, NULL) are obsolete or provide no
 * confidentiality, and which of them a proposal may actually negotiate is
 * decided elsewhere.  Note that the NULL entry is safe: f is an operand of
 * ## in the enum below, so the NULL macro is not expanded there.
 */
#define foreach_ikev2_transform_encr_type     \
  _(1 , DES_IV64,  "des-iv64") \
  _(2 , DES,       "des")      \
  _(3 , 3DES,      "3des")     \
  _(4 , RC5,       "rc5")      \
  _(5 , IDEA,      "idea")     \
  _(6 , CAST,      "cast")     \
  _(7 , BLOWFISH,  "blowfish") \
  _(8 , 3IDEA,     "3idea")    \
  _(9 , DES_IV32,  "des-iv32") \
  _(11, NULL,      "null")     \
  _(12, AES_CBC,   "aes-cbc")  \
  _(13, AES_CTR,   "aes-ctr")  \
  _(20, AES_GCM_16, "aes-gcm-16")

/* IKEV2_TRANSFORM_ENCR_TYPE_<NAME> = value. */
typedef enum
{
#define _(v,f,str) IKEV2_TRANSFORM_ENCR_TYPE_##f = v,
  foreach_ikev2_transform_encr_type
#undef _
} ikev2_transform_encr_type_t;
233
/* Pseudo-random function transform IDs (IANA IKEv2 Transform Type 2),
 * _(value, NAME, "cli-name").  Registry mirror; HMAC-MD5 and HMAC-SHA1 are
 * listed for interoperability and parsing, not as a recommendation. */
#define foreach_ikev2_transform_prf_type   \
  _(1, PRF_HMAC_MD5,      "hmac-md5")      \
  _(2, PRF_HMAC_SHA1,     "hmac-sha1")     \
  _(3, PRF_MAC_TIGER,     "mac-tiger")     \
  _(4, PRF_AES128_XCBC,   "aes128-xcbc")   \
  _(5, PRF_HMAC_SHA2_256, "hmac-sha2-256") \
  _(6, PRF_HMAC_SHA2_384, "hmac-sha2-384") \
  _(7, PRF_HMAC_SHA2_512, "hmac-sha2-512") \
  _(8, PRF_AES128_CMAC,   "aes128-cmac")

/* IKEV2_TRANSFORM_PRF_TYPE_<NAME> = value. */
typedef enum
{
#define _(v,f,str) IKEV2_TRANSFORM_PRF_TYPE_##f = v,
  foreach_ikev2_transform_prf_type
#undef _
} ikev2_transform_prf_type_t;
250
/* Integrity algorithm transform IDs (IANA IKEv2 Transform Type 3),
 * _(value, NAME, "cli-name").  NONE (0) is only legitimate alongside a
 * combined-mode cipher such as AES-GCM; a proposal pairing it with a
 * non-AEAD cipher leaves the SA without integrity protection and must be
 * rejected by the negotiation code. */
#define foreach_ikev2_transform_integ_type           \
  _(0,  NONE,                   "none")              \
  _(1,  AUTH_HMAC_MD5_96,       "md5-96")            \
  _(2,  AUTH_HMAC_SHA1_96,      "sha1-96")           \
  _(3,  AUTH_DES_MAC,           "des-mac")           \
  _(4,  AUTH_KPDK_MD5,          "kpdk-md5")          \
  _(5,  AUTH_AES_XCBC_96,       "aes-xcbc-96")       \
  _(6,  AUTH_HMAC_MD5_128,      "md5-128")           \
  _(7,  AUTH_HMAC_SHA1_160,     "sha1-160")          \
  _(8,  AUTH_AES_CMAC_96,       "cmac-96")           \
  _(9,  AUTH_AES_128_GMAC,      "aes-128-gmac")      \
  _(10, AUTH_AES_192_GMAC,      "aes-192-gmac")      \
  _(11, AUTH_AES_256_GMAC,      "aes-256-gmac")      \
  _(12, AUTH_HMAC_SHA2_256_128, "hmac-sha2-256-128") \
  _(13, AUTH_HMAC_SHA2_384_192, "hmac-sha2-384-192") \
  _(14, AUTH_HMAC_SHA2_512_256, "hmac-sha2-512-256")

/* IKEV2_TRANSFORM_INTEG_TYPE_<NAME> = value. */
typedef enum
{
#define _(v,f, str) IKEV2_TRANSFORM_INTEG_TYPE_##f = v,
  foreach_ikev2_transform_integ_type
#undef _
} ikev2_transform_integ_type_t;
274
/*
 * Diffie-Hellman group transform IDs (IANA IKEv2 Transform Type 4),
 * _(value, NAME, "cli-name").  The two lists are identical up to ECP_192
 * (25); the OPENSSL_NO_CISCO_FECDH variant additionally names ECP_224 and
 * the Brainpool groups.  Where that macro is defined is not visible here.
 * This is a registry mirror: MODP_768 and MODP_1024 are listed so that they
 * can be parsed and printed, not because they are adequate -- the groups a
 * profile accepts are configured via ikev2_set_profile_*_transforms.
 */
#if defined(OPENSSL_NO_CISCO_FECDH)
#define foreach_ikev2_transform_dh_type \
  _(0, NONE,           "none")          \
  _(1, MODP_768,       "modp-768")      \
  _(2, MODP_1024,      "modp-1024")     \
  _(5, MODP_1536,      "modp-1536")     \
  _(14, MODP_2048,     "modp-2048")     \
  _(15, MODP_3072,     "modp-3072")     \
  _(16, MODP_4096,     "modp-4096")     \
  _(17, MODP_6144,     "modp-6144")     \
  _(18, MODP_8192,     "modp-8192")     \
  _(19, ECP_256,       "ecp-256")       \
  _(20, ECP_384,       "ecp-384")       \
  _(21, ECP_521,       "ecp-521")       \
  _(22, MODP_1024_160, "modp-1024-160") \
  _(23, MODP_2048_224, "modp-2048-224") \
  _(24, MODP_2048_256, "modp-2048-256") \
  _(25, ECP_192,       "ecp-192")       \
  _(26, ECP_224,       "ecp-224")       \
  _(27, BRAINPOOL_224, "brainpool-224") \
  _(28, BRAINPOOL_256, "brainpool-256") \
  _(29, BRAINPOOL_384, "brainpool-384") \
  _(30, BRAINPOOL_512, "brainpool-512")
#else
#define foreach_ikev2_transform_dh_type \
  _(0, NONE,           "none")          \
  _(1, MODP_768,       "modp-768")      \
  _(2, MODP_1024,      "modp-1024")     \
  _(5, MODP_1536,      "modp-1536")     \
  _(14, MODP_2048,     "modp-2048")     \
  _(15, MODP_3072,     "modp-3072")     \
  _(16, MODP_4096,     "modp-4096")     \
  _(17, MODP_6144,     "modp-6144")     \
  _(18, MODP_8192,     "modp-8192")     \
  _(19, ECP_256,       "ecp-256")       \
  _(20, ECP_384,       "ecp-384")       \
  _(21, ECP_521,       "ecp-521")       \
  _(22, MODP_1024_160, "modp-1024-160") \
  _(23, MODP_2048_224, "modp-2048-224") \
  _(24, MODP_2048_256, "modp-2048-256") \
  _(25, ECP_192,       "ecp-192")
#endif

/* IKEV2_TRANSFORM_DH_TYPE_<NAME> = value; the member set depends on the
 * #if above, so code that names ECP_224 or BRAINPOOL_* must be guarded. */
typedef enum
{
#define _(v,f, str) IKEV2_TRANSFORM_DH_TYPE_##f = v,
  foreach_ikev2_transform_dh_type
#undef _
} ikev2_transform_dh_type_t;
324
/* Extended Sequence Numbers transform (IANA IKEv2 Transform Type 5),
 * _(value, NAME, "cli-name"): 0 = 32-bit sequence numbers, 1 = 64-bit. */
#define foreach_ikev2_transform_esn_type     \
  _(0, NO_ESN, "no")       \
  _(1, ESN,    "yes")

/* IKEV2_TRANSFORM_ESN_TYPE_<NAME> = value. */
typedef enum
{
#define _(v,f,str) IKEV2_TRANSFORM_ESN_TYPE_##f = v,
  foreach_ikev2_transform_esn_type
#undef _
} ikev2_transform_esn_type_t;
335
/* Authentication methods carried in ike_auth_payload_header_t.auth_method
 * (RFC 7296 section 3.8), _(value, NAME, "cli-name"): RSA digital
 * signature, or a message integrity code keyed from a pre-shared secret
 * (see IKEV2_KEY_PAD).  Only these two are enumerated; any other value
 * from the wire must be treated as unsupported. */
#define foreach_ikev2_auth_method \
 _( 1, RSA_SIG,        "rsa-sig")        \
 _( 2, SHARED_KEY_MIC, "shared-key-mic")

/* IKEV2_AUTH_METHOD_<NAME> = value. */
typedef enum
{
#define _(v,f,s) IKEV2_AUTH_METHOD_##f = v,
  foreach_ikev2_auth_method
#undef _
} ikev2_auth_method_t;
346
/* Identification payload ID types (RFC 7296 section 3.5),
 * _(value, NAME, "cli-name").  The ID type tells the receiver how to
 * interpret the peer-supplied bytes that follow the header; values 4, 6, 7
 * and 8 are unassigned/reserved and intentionally absent. */
#define foreach_ikev2_id_type \
 _( 1, ID_IPV4_ADDR,   "ip4-addr")    \
 _( 2, ID_FQDN,        "fqdn")        \
 _( 3, ID_RFC822_ADDR, "rfc822")      \
 _( 5, ID_IPV6_ADDR,   "ip6-addr")    \
 _( 9, ID_DER_ASN1_DN, "der-asn1-dn") \
 _(10, ID_DER_ASN1_GN, "der-asn1-gn") \
 _(11, ID_KEY_ID,      "key-id")

/* IKEV2_ID_TYPE_<NAME> = value. */
typedef enum
{
#define _(v,f,s) IKEV2_ID_TYPE_##f = v,
  foreach_ikev2_id_type
#undef _
} ikev2_id_type_t;
362
/*
 * Control-plane entry points implemented in ikev2.c.  All return a
 * clib_error_t *, which by VPP convention is NULL on success and an
 * allocated error the caller must report/free otherwise.  Profile and key
 * arguments are u8 * VPP vectors, not NUL-terminated C strings; 'name'
 * selects the profile created by ikev2_add_del_profile.
 */

/* Initialize the IKEv2 plugin state for 'vm'. */
clib_error_t *ikev2_init (vlib_main_t * vm);

/* Load the local private key from 'file' (a path, presumably on disk --
 * verify in ikev2.c).  Key material loaded here is long-lived secret state. */
clib_error_t *ikev2_set_local_key (vlib_main_t * vm, u8 * file);

/* Create (is_add != 0) or delete a profile called 'name'. */
clib_error_t *ikev2_add_del_profile (vlib_main_t * vm, u8 * name, int is_add);

/* Set the profile's authentication: auth_method is an ikev2_auth_method_t,
 * 'data' the credential (shared secret or certificate, depending on
 * method), and data_hex_format non-zero if 'data' is hex-encoded.  For
 * SHARED_KEY_MIC 'data' is the pre-shared secret and should be treated
 * accordingly in logs and debug output. */
clib_error_t *ikev2_set_profile_auth (vlib_main_t * vm, u8 * name,
				      u8 auth_method, u8 * data,
				      u8 data_hex_format);

/* Set the local (is_local != 0) or expected remote identity: id_type is an
 * ikev2_id_type_t and 'data' the identity bytes it describes. */
clib_error_t *ikev2_set_profile_id (vlib_main_t * vm, u8 * name,
				    u8 id_type, u8 * data, int is_local);

/* Set the local or remote traffic selector: IP protocol, port range and
 * IPv4 address range (inclusive).  Only IPv4 selectors are expressible
 * through this interface. */
clib_error_t *ikev2_set_profile_ts (vlib_main_t * vm, u8 * name,
				    u8 protocol_id, u16 start_port,
				    u16 end_port, ip4_address_t start_addr,
				    ip4_address_t end_addr, int is_local);

/* Set the responder this profile initiates to: the egress interface and
 * the peer's IPv4 address. */
clib_error_t *ikev2_set_profile_responder (vlib_main_t * vm, u8 * name,
					   u32 sw_if_index,
					   ip4_address_t ip4);

/* Set the algorithms proposed for the IKE SA.  crypto_key_size is in bits
 * (presumably; confirm in ikev2.c).  The enum types above only encode
 * registry values, so the policy check that the chosen algorithms are
 * adequate belongs in the implementation, not here. */
clib_error_t *ikev2_set_profile_ike_transforms (vlib_main_t * vm, u8 * name,
						ikev2_transform_encr_type_t
						crypto_alg,
						ikev2_transform_integ_type_t
						integ_alg,
						ikev2_transform_dh_type_t
						dh_type, u32 crypto_key_size);

/* Same as ikev2_set_profile_ike_transforms but for the child (ESP) SA. */
clib_error_t *ikev2_set_profile_esp_transforms (vlib_main_t * vm, u8 * name,
						ikev2_transform_encr_type_t
						crypto_alg,
						ikev2_transform_integ_type_t
						integ_alg,
						ikev2_transform_dh_type_t
						dh_type, u32 crypto_key_size);

/* Set SA lifetime policy: 'lifetime' and 'handover' are time values and
 * 'jitter' a randomization of lifetime; 'maxdata' bounds the data volume
 * before rekey.  Units are not stated here -- check ikev2.c. */
clib_error_t *ikev2_set_profile_sa_lifetime (vlib_main_t * vm, u8 * name,
					     u64 lifetime, u32 jitter,
					     u32 handover, u64 maxdata);

/* Start an IKE_SA_INIT exchange for the named profile. */
clib_error_t *ikev2_initiate_sa_init (vlib_main_t * vm, u8 * name);

/* Delete a child SA, identified by its 32-bit (ESP/AH) SPI. */
clib_error_t *ikev2_initiate_delete_child_sa (vlib_main_t * vm, u32 ispi);

/* Delete an IKE SA, identified by its 64-bit initiator SPI (ike_header_t.ispi). */
clib_error_t *ikev2_initiate_delete_ike_sa (vlib_main_t * vm, u64 ispi);

/* Rekey a child SA, identified by its 32-bit SPI. */
clib_error_t *ikev2_initiate_rekey_child_sa (vlib_main_t * vm, u32 ispi);
399
/* ikev2_format.c */

/* VPP format() callbacks: each takes the enum value from 'args' and
 * appends its "cli-name" string (from the foreach_* lists above) to the
 * u8 * vector 's', returning the grown vector.  How an out-of-range value
 * (e.g. one read from the wire) is printed is decided in ikev2_format.c. */
u8 *format_ikev2_auth_method (u8 * s, va_list * args);
u8 *format_ikev2_id_type (u8 * s, va_list * args);
u8 *format_ikev2_transform_type (u8 * s, va_list * args);
u8 *format_ikev2_notify_msg_type (u8 * s, va_list * args);
u8 *format_ikev2_transform_encr_type (u8 * s, va_list * args);
u8 *format_ikev2_transform_prf_type (u8 * s, va_list * args);
u8 *format_ikev2_transform_integ_type (u8 * s, va_list * args);
u8 *format_ikev2_transform_dh_type (u8 * s, va_list * args);
u8 *format_ikev2_transform_esn_type (u8 * s, va_list * args);
/* Formats a whole SA transform (type plus id); argument layout per ikev2_format.c. */
u8 *format_ikev2_sa_transform (u8 * s, va_list * args);
411
/* VPP unformat() callbacks, the inverse of the format_* functions above:
 * parse a "cli-name" string from 'input' and store the matching enum value
 * through the pointer in 'args'.  Return non-zero on a successful match,
 * zero otherwise.  These only see operator-supplied CLI/API text, never
 * wire data. */
uword unformat_ikev2_auth_method (unformat_input_t * input, va_list * args);
uword unformat_ikev2_id_type (unformat_input_t * input, va_list * args);
uword unformat_ikev2_transform_type (unformat_input_t * input,
				     va_list * args);
uword unformat_ikev2_transform_encr_type (unformat_input_t * input,
					  va_list * args);
uword unformat_ikev2_transform_prf_type (unformat_input_t * input,
					 va_list * args);
uword unformat_ikev2_transform_integ_type (unformat_input_t * input,
					   va_list * args);
uword unformat_ikev2_transform_dh_type (unformat_input_t * input,
					va_list * args);
uword unformat_ikev2_transform_esn_type (unformat_input_t * input,
					 va_list * args);
/* Referenced to keep the CLI object file linked in; body not visible here. */
void ikev2_cli_reference (void);
427
428#endif /* __included_ikev2_h__ */
429
430
431/*
432 * fd.io coding-style-patch-verification: ON
433 *
434 * Local Variables:
435 * eval: (c-set-style "gnu")
436 * End:
437 */
438