/*	$OpenBSD: encap.h,v 1.12 1998/05/18 21:10:18 provos Exp $	*/

/*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr) and 
 * Niels Provos (provos@physnet.uni-hamburg.de).
 *
 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 
 * in November 1995.
 *
 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
 * by Angelos D. Keromytis.
 *
 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
 * and Niels Provos.
 *
 * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis
 * and Niels Provos.
 *	
 * Permission to use, copy, and modify this software without fee
 * is hereby granted, provided that this entire notice is included in
 * all copies of any software which is or includes a copy or
 * modification of this software. 
 * You may use this code under the GNU public license if you so wish. Please
 * contribute changes back to the authors under this freer than GPL license
 * so that we may further the use of strong encryption without limitations to
 * all.
 *
 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
 * PURPOSE.
 */

/*
 * encap.h
 *
 * Declarations useful in the encapsulation code.
 */

/* Sysctl definitions */

/*
 * Indices into the encap sysctl subtree.  ENCAPCTL_ENCDEBUG selects the
 * "encdebug" integer, ENCAPCTL_MAXID is one past the last valid index,
 * and ENCAPCTL_NAMES is the name/type table indexed by these values
 * (slot 0 is deliberately empty).
 */
#define ENCAPCTL_ENCDEBUG	1
#define ENCAPCTL_MAXID		2

#define ENCAPCTL_NAMES {\
	{ 0, 0 }, \
	{ "encdebug", CTLTYPE_INT }, \
}

/*
 * Definitions for encapsulation-related phenomena.
 *
 * A lot of encapsulation protocols (ipip, swipe, ip_encap, ipsp, etc.)
 * select their tunnel based on the destination (and sometimes the source)
 * of the packet. The encap address/protocol family provides a generic
 * mechanism for specifying tunnels.
 */

/*
 * A tunnel is characterized by which source/destination address pairs
 * (with netmasks) it is valid for (the "destination" as far as the
 * routing code is concerned), and what the source (local) and destination
 * (remote) endpoints of the tunnel, and the SPI, should be (the "gateway"
 * as far as the routing code is concerned).
 */
  
/*
 * Address of the AF_ENCAP family.  The first three members are the 4-byte
 * header (SENT_HDRLEN); sen_type says which view of the 16-byte Sen union
 * is valid.  Both variants are padded with Filler so that each is exactly
 * 16 bytes, the same size as the raw Data view, which keeps the whole
 * struct at 20 bytes (SENT_IP4_LEN / SENT_IPSP_LEN) regardless of type.
 */
struct sockaddr_encap
{
    u_int8_t	sen_len;		/* total length of this sockaddr */
    u_int8_t	sen_family;		/* AF_ENCAP */
    u_int16_t	sen_type;		/* SENT_IP4 or SENT_IPSP; selects the Sen view */
    union
    {
	u_int8_t	Data[16];	/* raw byte view of the body (sen_data) */

	struct				/* SENT_IP4: flow selector */
	{
	    struct in_addr Src;		/* at SENT_IP4_SRCOFF within Data */
	    struct in_addr Dst;		/* at SENT_IP4_DSTOFF within Data */
	    u_int16_t Sport;		/* source port */
	    u_int16_t Dport;		/* destination port */
	    u_int8_t Proto;		/* transport protocol (cf. Notify.Protocol below) */
	    u_int8_t Filler[3];		/* pads this view to 16 bytes */
	} Sip4;

	struct				/* SENT_IPSP: names an SA by (Dst, Spi, Sproto) */
	{
	    struct in_addr Dst;		/* SA peer address */
	    u_int32_t Spi;		/* security parameter index */
	    u_int8_t Sproto;		/* IPsec protocol (ESP or AH elsewhere in this file) */
	    u_int8_t Filler[7];		/* pads this view to 16 bytes */
	} Sipsp;
    } Sen;
};

/* Version numbers of the encap protocol family interface; nothing in this
 * header consumes them. */
#define PFENCAP_VERSION_0	0
#define PFENCAP_VERSION_1	1

/*
 * Short-hand accessors for struct sockaddr_encap members.  The sen_ip_*,
 * sen_proto and sen_*port names read the SENT_IP4 view, the sen_ipsp_*
 * names the SENT_IPSP view; using the wrong group for the sen_type at
 * hand silently reads the other variant's bytes.
 */
#define sen_data	Sen.Data
#define sen_ip_src	Sen.Sip4.Src
#define sen_ip_dst	Sen.Sip4.Dst
#define sen_proto	Sen.Sip4.Proto
#define sen_sport	Sen.Sip4.Sport
#define sen_dport	Sen.Sip4.Dport
#define sen_ipsp_dst	Sen.Sipsp.Dst
#define sen_ipsp_spi	Sen.Sipsp.Spi
#define sen_ipsp_sproto	Sen.Sipsp.Sproto

/*
 * The "type" is really part of the address as far as the routing
 * system is concerned. By using only one bit in the type field
 * for each type, we sort-of make sure that different types of
 * encapsulation addresses won't be matched against the wrong type.
 * 
 */

/* Values of sockaddr_encap.sen_type; one bit per type (see above). */
#define SENT_IP4	0x0001		/* Sip4 view: addresses, ports, protocol */
#define SENT_IPSP	0x0002		/* Sipsp view: destination, SPI, IPsec protocol */

/*
 * SENT_HDRLEN is the length of the "header"
 * SENT_*_LEN are the lengths of various forms of sen_data
 * SENT_*_OFF are the offsets in the sen_data array of various fields
 */

/* sen_len + sen_family + sen_type: the 4 bytes before the Sen union. */
#define SENT_HDRLEN	(2 * sizeof(u_int8_t) + sizeof(u_int16_t))

/* Byte offsets of Sip4.Src and Sip4.Dst inside sen_data. */
#define SENT_IP4_SRCOFF	(0)
#define SENT_IP4_DSTOFF (sizeof (struct in_addr))

/*
 * Despite the note above, these are whole-sockaddr lengths, not sen_data
 * lengths: SENT_HDRLEN (4) plus the 16-byte union gives 20 for either
 * type, which is what sen_len is expected to carry.
 */
#define SENT_IP4_LEN	20
#define SENT_IPSP_LEN	20

/*
 * Encapsulation routes can be selected not only by destination address
 * but also by protocol and by source and destination ports, when those
 * are available.
 */

/*
 * Route cache entry for encapsulation: the resolved routing entry plus
 * the sockaddr_encap it was looked up with, so that the lookup key can
 * carry protocol and ports in addition to the destination address.
 */
struct route_enc {
    struct rtentry *re_rt;		/* resolved routing entry */
    struct sockaddr_encap re_dst;	/* lookup key (presumably a SENT_IP4 selector) */
};

/*
 * Tunnel descriptors are set up and torn down using a socket of the
 * AF_ENCAP domain. The following defines the messages that can
 * be sent down that socket.
 */
/*
 * Message exchanged over an AF_ENCAP socket (userland <-> kernel).  The
 * first four members form an 8-byte fixed header (ENCAP_MSG_FIXED_LEN);
 * em_type selects which member of the Eu union follows and em_msglen is
 * the total length including that body.  em_msglen is supplied by the
 * sender, so a receiver must check it against the EMT_*_FLEN value for
 * em_type before reading any Eu member; that check is not part of this
 * header -- confirm it in the socket code.
 */
struct encap_msghdr
{
    u_int16_t	em_msglen;		/* total message length, header included */
    u_int8_t	em_version;		/* for future expansion */
    u_int8_t	em_type;		/* message type, EMT_* */
    u_int32_t   foo;                    /* Alignment to 64 bit; also pads the
					 * header to ENCAP_MSG_FIXED_LEN */
    union
    {
	/* 
	 * EMT_SETSPI body.  This is used to set/change the attributes of an
	 * SPI. If oSrc and oDst are set to non-zero values, the SPI will also
	 * do IP-in-IP encapsulation (tunneling). If only one of them is set,
	 * an error is returned. Both zero implies transport mode.
	 * Dat is a variable-length trailer: the members before it add up to
	 * EMT_SETSPI_FLEN (104) bytes from the start of the message.
	 */
	struct
	{
	    u_int32_t      Spi;		/* SPI */
	    int32_t        Alg;		/* Algorithm to use */
	    struct in_addr Dst;		/* Destination address */
	    struct in_addr Src;		/* This is used to set our source
					 * address when the outgoing packet
				         * does not have a source address 
					 * (is zero). */
	    struct in_addr oSrc;	 /* Outer header source address */
	    struct in_addr oDst;	 /* Same, for destination address */
	    u_int64_t      First_Use_Hard; /* Expire relative to first use */
	    u_int64_t      First_Use_Soft;
	    u_int64_t      Expire_Hard;	/* Expire at fixed point in time */
	    u_int64_t      Expire_Soft;
	    u_int64_t      Bytes_Hard;	/* Expire after bytes recved/sent */
	    u_int64_t      Bytes_Soft;
	    u_int64_t      Packets_Hard; /* Expire after packets recved/sent */
	    u_int64_t      Packets_Soft;
	    int32_t	   TTL;		/* When tunneling, what TTL to use.
					 * If set to IP4_SAME_TTL, the ttl
					 * from the encapsulated packet will
					 * be copied. If set to IP4_DEFAULT_TTL,
					 * the system default TTL will be used.
					 * If set to anything else, then the
					 * ttl used will be TTL % 256.
					 * (IP4_SAME_TTL / IP4_DEFAULT_TTL are
					 * not defined in this header.) */
	    u_int16_t      Satype;	/* SA type; presumably NOTIFY_SATYPE_* bits */
	    u_int8_t       Sproto;	/* ESP or AH */
	    u_int8_t	   Foo;		/* Alignment */
	    u_int8_t       Dat[1];	/* Data; variable length, runs to em_msglen */
	} Xfm;

	/*
 	 * EMT_NOTIFY body.  For expiration notifications, the kernel fills in
	 * Notification_Type, Spi, Dst and Sproto, Src and Satype.
  	 * No direct response is expected.
	 *
 	 * For SA Requests, the kernel fills in
	 * Notification_Type, MsgID, Dst, Satype, (and optionally
	 * Protocol, Src, Sport, Dport and UserID).
 	 *
	 * UserID is a variable-length trailer; the members before it add up
	 * to EMT_NOTIFY_FLEN (40) bytes from the start of the message.
	 */
	struct				/* kernel->userland notifications */
	{
	    u_int32_t      Notification_Type;	/* NOTIFY_* */
	    u_int32_t      MsgID;	/* Request ID */
	    u_int32_t      Spi;		
	    struct in_addr Dst;		/* Peer */
	    struct in_addr Src;		/* Might have our local address */
	    u_int16_t      Sport;	/* Source port */
            u_int16_t      Dport;	/* Destination port */
	    u_int8_t       Protocol;	/* Transport protocol */
	    u_int8_t       Sproto;	/* IPsec protocol */
	    u_int16_t      Satype;	/* SA type, NOTIFY_SATYPE_* bits */
	    u_int32_t      Foo;		/* Alignment */
	    u_int8_t       UserID[1];	/* Might be used to indicate user */
	} Notify;

	/* EMT_GRPSPIS body: link two SPIs.  18 bytes of fields; with the
	 * header that is EMT_GRPSPIS_FLEN (26). */
	struct
	{
	    u_int32_t        Spi;	/* SPI */
	    u_int32_t        Spi2;
	    struct in_addr   Dst;	/* Dest */
	    struct in_addr   Dst2;
	    u_int8_t	     Sproto; 	/* IPsec protocol */
	    u_int8_t	     Sproto2;
	} Rel;

	/* EMT_ENABLESPI / EMT_DISABLESPI / EMT_REPLACESPI body: enable or
	 * disable an SA for a session.  41 bytes of fields; with the header
	 * that is EMT_ENABLESPI_FLEN (49). */
	struct
	{
	    u_int32_t      Spi;
	    struct in_addr Dst;
	    struct in_addr iSrc;	/* Source... */
	    struct in_addr iDst;	/* ...and destination in inner IP */
	    struct in_addr iSmask;	/* Source netmask */
	    struct in_addr iDmask;	/* Destination netmask */
	    u_int16_t	   Sport; 	/* Source port, if applicable */
	    u_int16_t	   Dport;	/* Destination port, if applicable */
	    u_int8_t       Protocol;	/* Transport mode for which protocol */
	    u_int8_t 	   Sproto;	/* IPsec protocol */
	    u_int16_t	   Flags;	/* see ENABLE_FLAG_* */
	    u_int32_t      Spi2;	/* Used in REPLACESPI... */
	    struct in_addr Dst2;	/* ...to specify which SPI is... */
	    u_int8_t       Sproto2;	/* ...replaced. */
	} Ena;

	/* EMT_DELSPI / EMT_DELSPICHAIN / EMT_RESERVESPI body, for general
	 * use: (in)validate, delete (chain), reserve.  9 bytes of fields;
	 * with the header that is EMT_GENLEN (17). */
	struct 
	{
	    u_int32_t       Spi;
	    struct in_addr  Dst;
	    u_int8_t	    Sproto;
	} Gen;
    } Eu;
};

/* Bits for encap_msghdr.Eu.Ena.Flags. */
#define ENABLE_FLAG_REPLACE    	1
#define ENABLE_FLAG_LOCAL      	2

/* Size of the fixed part of struct encap_msghdr (em_msglen .. foo): 8 bytes. */
#define ENCAP_MSG_FIXED_LEN    	(2 * sizeof(u_int32_t))

/* Values of Eu.Notify.Notification_Type. */
#define NOTIFY_SOFT_EXPIRE     	0	/* Soft expiration of SA */
#define NOTIFY_HARD_EXPIRE     	1	/* Hard expiration of SA */
#define NOTIFY_REQUEST_SA      	2	/* Establish an SA */

/* Bits of Eu.Notify.Satype (one bit per property, so they combine). */
#define NOTIFY_SATYPE_CONF	1	/* SA should do encryption */
#define NOTIFY_SATYPE_AUTH	2	/* SA should do authentication */
#define NOTIFY_SATYPE_TUNNEL	4	/* SA should use tunneling */

/*
 * Short-hand accessors for the Eu union of struct encap_msghdr.  Each
 * group is only valid for the em_type values that use that union member;
 * the names do not check em_type, so the caller must.
 */

/* Ena: EMT_ENABLESPI / EMT_DISABLESPI / EMT_REPLACESPI */
#define em_ena_spi	  Eu.Ena.Spi
#define em_ena_dst	  Eu.Ena.Dst
#define em_ena_isrc	  Eu.Ena.iSrc
#define em_ena_idst	  Eu.Ena.iDst
#define em_ena_ismask	  Eu.Ena.iSmask
#define em_ena_idmask	  Eu.Ena.iDmask
#define em_ena_sport	  Eu.Ena.Sport
#define em_ena_dport	  Eu.Ena.Dport
#define em_ena_protocol   Eu.Ena.Protocol
#define em_ena_sproto	  Eu.Ena.Sproto
#define em_ena_flags	  Eu.Ena.Flags

/* Gen: EMT_DELSPI / EMT_DELSPICHAIN / EMT_RESERVESPI */
#define em_gen_spi        Eu.Gen.Spi
#define em_gen_dst        Eu.Gen.Dst
#define em_gen_sproto	  Eu.Gen.Sproto

/* Notify: EMT_NOTIFY */
#define em_not_type       Eu.Notify.Notification_Type
#define em_not_spi        Eu.Notify.Spi
#define em_not_dst        Eu.Notify.Dst
#define em_not_src	  Eu.Notify.Src
#define em_not_satype     Eu.Notify.Satype
#define em_not_userid     Eu.Notify.UserID
#define em_not_msgid      Eu.Notify.MsgID
#define em_not_sport      Eu.Notify.Sport
#define em_not_dport      Eu.Notify.Dport
#define em_not_protocol   Eu.Notify.Protocol
#define em_not_sproto	  Eu.Notify.Sproto

/* Xfm: EMT_SETSPI (no prefix, historical) */
#define em_spi	          Eu.Xfm.Spi
#define em_dst	          Eu.Xfm.Dst
#define em_src	          Eu.Xfm.Src
#define em_osrc	          Eu.Xfm.oSrc
#define em_odst	          Eu.Xfm.oDst
#define em_alg	          Eu.Xfm.Alg
#define em_dat	          Eu.Xfm.Dat
#define em_first_use_hard Eu.Xfm.First_Use_Hard
#define em_first_use_soft Eu.Xfm.First_Use_Soft
#define em_expire_hard    Eu.Xfm.Expire_Hard
#define em_expire_soft    Eu.Xfm.Expire_Soft
#define em_bytes_hard     Eu.Xfm.Bytes_Hard
#define em_bytes_soft     Eu.Xfm.Bytes_Soft
#define em_packets_hard   Eu.Xfm.Packets_Hard
#define em_packets_soft   Eu.Xfm.Packets_Soft
#define em_ttl		  Eu.Xfm.TTL
#define em_sproto	  Eu.Xfm.Sproto
#define em_satype         Eu.Xfm.Satype

/* Rel: EMT_GRPSPIS */
#define em_rel_spi	  Eu.Rel.Spi
#define em_rel_spi2	  Eu.Rel.Spi2
#define em_rel_dst	  Eu.Rel.Dst
#define em_rel_dst2	  Eu.Rel.Dst2
#define em_rel_sproto	  Eu.Rel.Sproto
#define em_rel_sproto2	  Eu.Rel.Sproto2

/*
 * Values of encap_msghdr.em_type.  Each has a matching EMT_*_FLEN below
 * giving the expected message length.  Value 9 is unassigned here.
 */
#define EMT_SETSPI	1		/* Set SPI properties (Eu.Xfm) */
#define EMT_GRPSPIS	2		/* Group SPIs (Eu.Rel) */
#define EMT_DELSPI	3		/* delete an SPI (Eu.Gen) */
#define EMT_DELSPICHAIN 4		/* delete an SPI chain starting from (Eu.Gen) */
#define EMT_RESERVESPI  5		/* Give us an SPI (Eu.Gen) */
#define EMT_ENABLESPI   6		/* Enable an SA (Eu.Ena) */
#define EMT_DISABLESPI  7		/* Disable an SA (Eu.Ena) */
#define EMT_NOTIFY      8		/* kernel->userland key management notification (Eu.Notify) */
#define EMT_REPLACESPI  10		/* Replace all uses of an SA (Eu.Ena) */

/*
 * Total packet lengths, per em_type, counted from the start of the
 * message (the 8-byte fixed header included).  They are sums of field
 * widths, not sizeof values: Rel, Gen and Ena end in u_int8_t members,
 * so sizeof of those structs would include trailing padding and come
 * out larger than these numbers.  For SETSPI and NOTIFY the value is the
 * offset of the variable-length trailer (Dat / UserID), so em_msglen for
 * those types is at least this large, not exactly this large.  A
 * receiver comparing em_msglen against these values is the only thing
 * standing between a short message and a read past the end of the
 * buffer; keep them in step with the struct.
 */
#define EMT_SETSPI_FLEN	      104	/* header + Xfm up to Dat */
#define EMT_GRPSPIS_FLEN      26	/* header + 18 bytes of Rel */
#define EMT_GENLEN            17	/* header + 9 bytes of Gen */
#define EMT_DELSPI_FLEN       EMT_GENLEN
#define EMT_DELSPICHAIN_FLEN  EMT_GENLEN
#define EMT_RESERVESPI_FLEN   EMT_GENLEN
#define EMT_NOTIFY_FLEN       40	/* header + Notify up to UserID */
#define EMT_ENABLESPI_FLEN    49	/* header + 41 bytes of Ena */
#define EMT_DISABLESPI_FLEN   EMT_ENABLESPI_FLEN
#define EMT_REPLACESPI_FLEN   EMT_ENABLESPI_FLEN

#ifdef _KERNEL
/* Kernel-only symbols defined in the encapsulation code, not here.
 * encap_findgwifa presumably returns the interface address to use as
 * the gateway for the given destination; enc_softc is the software
 * state of the encapsulation network interface. */
extern struct ifaddr *encap_findgwifa(struct sockaddr *);
extern struct ifnet enc_softc;
#endif