/////////////////////////////////////////////////////////////////////////////// // // Copyright (c) 2000-2019 Ericsson Telecom AB // // All rights reserved. This program and the accompanying materials // are made available under the terms of the Eclipse Public License v2.0 // which accompanies this distribution, and is available at // https://www.eclipse.org/org/documents/epl-2.0/EPL-2.0.html /////////////////////////////////////////////////////////////////////////////// // // File: TCCIPsec_XFRM_Definitions.ttcn // Description: TCC Useful Functions: IPsec XFRM Functions // Rev: R36B // Prodnr: CNL 113 472 // /////////////////////////////////////////////////////////////////////////////// module TCCIPsec_XFRM_Definitions{ external function f_XFRM_add_sa(in SAAddInfo pl_sa_info) return XFRM_Result; external function f_XFRM_delete_sa(in SADelInfo pl_sa_info) return XFRM_Result; external function f_XFRM_flush_sa() return XFRM_Result; external function f_XFRM_add_policy(in SPAddInfo pl_pol_info) return XFRM_Result; external function f_XFRM_delete_policy(in SPDelInfo pl_pol_info) return XFRM_Result; external function f_XFRM_flush_policy() return XFRM_Result; external function f_XFRM_allocate_SPI(in AllocSPI_Info pl_AllocSPI_info, inout integer pl_spi) return XFRM_Result; /////////////////////////////////////////////////////////////////////////////////// // Type: NetworkAddress // // Purpose: // Defines a record for using IP addresses with port and prefix number. // // Elements: // ip_address - An IPv4 or IPv6 address (string). // Not valid address form can result an error in the database. // For example not inserting the new database entry. // // port_number - An integer used to specify a given port for the policies. // address_prefix - An integer indivating the network prefix for the address. // /////////////////////////////////////////////////////////////////////////////////// type record NetworkAddress{ charstring ip_address, integer port_number optional, integer address_prefix optional } /////////////////////////////////////////////////////////////////////////////////// // Type: TransportProtocol // // Purpose: // Defines an enumerated value for selecting the Transport Protocol. // For default value, the ANY choice is used in the protocol. // /////////////////////////////////////////////////////////////////////////////////// type enumerated TransportProtocol{ ANY (0), ICMP (1), //IPPROTO_ICMP TCP (6), //IPPROTO_TCP UDP (17), //IPPROTO_UDP DCCP (33), //IPPROTO_DCCP GRE (47), //IPPROTO_GRE ICMPV6 (58), //IPPROTO_ICMPV6 SCTP (132) //IPPROTO_SCTP } /////////////////////////////////////////////////////////////////////////////////// // Type: PolicyDirection // // Purpose: // Defines the direction of a policy used on the packets. // ///////////////////////////////////////////////////////////////////////////////// type enumerated PolicyDirection{ IN (0), //XFRM_POLICY_IN OUT (1), //XFRM_POLICY_OUT FWD (2) //XFRM_POLICY_FWD } /////////////////////////////////////////////////////////////////////////////////// // Type: IPsecAlgorithms // // Purpose: // Defines the encryption and authentication methods used in the Security // Associations. // // Elements: // auth - Defines an authentication method and the key used. // enc - Defines an encryption method and the key used. // // Comment: // Using Encryption without authentication is strongly discouraged, because // it is insecure. ///////////////////////////////////////////////////////////////////////////////// type record IPsecAlgorithms{ Authentication auth optional, Encryption enc optional } /////////////////////////////////////////////////////////////////////////////////// // Type: IPSecProtocol // // Purpose: // Defines the IPSec protocol used. // // Elements: // ESP - Encapsulating Security Payloads: it provides origin authenticity, // integrity and confidentiality protection of packets. // AH - Authentication Header: It guarantees connectionless integrity and data // origin authentication of IP packets // COMP - IP Payload Compression: a low level compression protocol for IP datagrams // Compression must be done before fragmenting or encrypting the packet. ///////////////////////////////////////////////////////////////////////////////// type enumerated IPSecProtocol{ ESP(50), //IPPROTO_ESP AH(51), //IPPROTO_AH COMP(108) //IPPROTO_COMP } /////////////////////////////////////////////////////////////////////////////////// // Type: IPSecKey // // Purpose: // Defines a charstring or hexstring for the key used in ESP or AH. // /////////////////////////////////////////////////////////////////////////////////// type union IPSecKey{ charstring text, hexstring hex } /////////////////////////////////////////////////////////////////////////////////// // Type: Authentication // // Purpose: // Defines the name of the authentication algorithm and the key used. // // Elements: // name - An enumerated value for selecting the algorithm // key - The used key for the authentication. It can be given in charstring // or hexstring value. // /////////////////////////////////////////////////////////////////////////////////// type record Authentication{ AuthenticationAlgorithms name, IPSecKey key } /////////////////////////////////////////////////////////////////////////////////// // Type: AuthenticationAlgorithms // // Purpose: // Defines an enumerated value for selecting the authentication alogrithm. // // Comment: // The key lengths are next to each possible algorithm. // /////////////////////////////////////////////////////////////////////////////////// type enumerated AuthenticationAlgorithms{ NULL_AUTH (0), HMAC_MD5 (1), //key length: 128 bits HMAC_SHA1 (2), //key length: 160 bits HMAC_SHA256 (3), //key length: 256 bits HMAC_SHA384 (4), //key length: 384 bits HMAC_SHA512 (5), //key length: 512 bits HMAC_RMD160 (6) //key length: 160 bits }; /////////////////////////////////////////////////////////////////////////////////// // Type: Encryption // // Purpose: // Defines the name of the encryption algorithm and the key used. // // Elements: // name - An enumerated value for selecting the algorithm // key - The used key for the encryption. It can be given in charstring // or hexstring value. // /////////////////////////////////////////////////////////////////////////////////// type record Encryption{ EncryptionAlgorithms name, IPSecKey key } /////////////////////////////////////////////////////////////////////////////////// // Type: EncryptionAlgorithms // // Purpose: // Defines an enumerated value for selecting the encryption alogrithm. // // Comment: // The key lengths are next to each possible algorithm. // /////////////////////////////////////////////////////////////////////////////////// type enumerated EncryptionAlgorithms{ NULL_ENCR (0), CBC_AES (1), //key length: 128 bits CBC_DES (2), //key length: 64 bits CBC_3DES (3), //key length: 192 bits CBC_CAST5 (4), //key length: 40-128 bits CBC_BLOWFISH (5), //key length: 40-448 bits CBC_SERPENT (6), //key length: 128-256 bits CBC_CAMELLIA (7), //key length: 128-256 bits CBC_TWOFISH (8) //key length: 128-256 bits } ////////////////////////////////////////////////////////////////////////////////// // Type: Mode // // Purpose: // Defines an enumerated value for selecting the mode of the operation for the // transform protocol.. // // Comment: // BEET - Bound End-to-End Tunnel is for ESP only. // /////////////////////////////////////////////////////////////////////////////////// type enumerated Mode{ TRANSPORT (0), //XFRM_MODE_TRANSPORT TUNNEL (1), //XFRM_MODE_TUNNEL BEET (4) //XFRM_MODE_BEET } ////////////////////////////////////////////////////////////////////////////////// // Type: Share // // Purpose: // Defines an enumerated value for selecting sharing mode. // // Comment: // Should be ANY. In the current version, not used by the kernel, but required // for forward compatibility.. // /////////////////////////////////////////////////////////////////////////////////// type enumerated Share{ ANY (0), //XFRM_SHARE_ANY: No limitations(default value) SESSION (1), //XFRM_SHARE_SESSION: For this session only USER (2), //XFRM_SHARE_USER: For this user only UNIQUE (3) //XFRM_SHARE_UNIQUE: Use once } ////////////////////////////////////////////////////////////////////////////////// // Type: Action // // Purpose: // Defines an enumerated value for allowing/blocking traffic // /////////////////////////////////////////////////////////////////////////////////// type enumerated Action{ ALLOW (0), //XFRM_POLICY_ALLOW BLOCK (1) //XFRM_POLICY_BLOCK } ////////////////////////////////////////////////////////////////////////////////// // Type: Level // // Purpose: // Defines an enumerated value for setting the level of the policy // // Comment: // use - Indicates, that the policy should be used if there is an // appropriate SA avaiable. (else the policy is bypassed) // required - The policy has to be used. // /////////////////////////////////////////////////////////////////////////////////// type enumerated Level{ required (0), use (1) } ////////////////////////////////////////////////////////////////////////////////// // Type: Template // // Purpose: // Defines a record for the policy template. The behavior of the policy can be // described with the templates. For example, the use of AH or ESP can be set // via the templates. // // Elements: // ip_version - Specifies the IP version // src - Source address of the tunnel. Ignored in other cases. // dst - Destination of the tunnel. It may be zero for transport mode. // spi - Security Parameter Index, it is used to select the appropriate SA. // The default value of SPI can be zero. // reqid - Association between the policies and the SAs.(If a policy matches // on a packet, then it will start searching for a matching SA based // on the reqid value.) // share - Selects the share mode(Default value: ANY, probably not used by // the kernel, but it is required for forward compatibility.) // ipsec - Defines the IPSec protocol used. // mode - Transform mode. // level - Sets the level of the policy. /////////////////////////////////////////////////////////////////////////////////// type record Template{ NetworkAddress src optional, NetworkAddress dst optional, integer spi, integer reqid optional, Share share optional, IPSecProtocol ipsec, Mode mode, Level level } ////////////////////////////////////////////////////////////////////////////////// // Type: Template_List // // Purpose: // Defines a list of Templates. // /////////////////////////////////////////////////////////////////////////////////// type set of Template Template_List; ////////////////////////////////////////////////////////////////////////////////// // Type: Limits // // Purpose: // With the help of th is record, time, packet and byte limits can be set for // the policies and the SAs. // // Comment: // soft vs hard: If the soft limit expire, then rekeying is required. If the // hard limit expires, the entry from the database will be deleted. // // Elements: // byte_limit - Defines a limit based on the sent/recieved bytes // packet_limit - Defines a limit based on the sent/recieved packets // add_expires_seconds - Defines a limit based on the time elapsed since insertion/update /////////////////////////////////////////////////////////////////////////////////// type record Limits{ integer soft_byte_limit optional, integer hard_byte_limit optional, integer soft_packet_limit optional, integer hard_packet_limit optional, integer soft_add_expires_seconds optional, integer hard_add_expires_seconds optional, integer soft_use_expires_seconds optional, integer hard_use_expires_seconds optional } ////////////////////////////////////////////////////////////////////////////////// // Type: Encap_type // // Purpose: // Encapsulates packets with protocol espinudp or espinudp-non-ike // // Comment: // It uses source port, destination port and original address. /////////////////////////////////////////////////////////////////////////////////// type enumerated Encap_type{ ESPINUDP_NON_IKE (1), ESPINUDP (2) //Default value should be this } ////////////////////////////////////////////////////////////////////////////////// // Type: NAT_T // // Purpose: // Enables the usage of Network Address Traversal for the IPsec tunnel // // Elements: // encap_type - Defines encapsulation protocol // sport - Source port --> "hole" in the wall // dport - Destination port --> "hole" in the wall // oa - Original Adress /////////////////////////////////////////////////////////////////////////////////// type record NAT_T{ Encap_type encap_type, //Default value should be ESPINUDP integer sport, //Default value should be 4500 integer dport, //Default value should be 4500 charstring oa optional } ////////////////////////////////////////////////////////////////////////////////// // Type: SAAdditionalInfo // // Purpose: // Defines additional information regarding the Security Association creation. // These are not mandatory parameters for creating a valid SA. // // Elements: // sel_src and sel_dst - Selector address that is used to identify if a packet // requires IPsec related actions. // reqid - Also serves as an identification between the SP and SA // limits - Lifetime limits for the Security Association /////////////////////////////////////////////////////////////////////////////////// type record SAAdditionalInfo{ NetworkAddress sel_src optional, NetworkAddress sel_dst optional, integer reqid optional, //Policy<->SA connection, else selector Limits limits optional } ////////////////////////////////////////////////////////////////////////////////// // Type: SAAddInfo // // Purpose: // Defines the basic information for creating a Security Assoctiation. // // Elements: // update - if set to true and the SA already exists, it will be updated/overwritten // if not exists, it will be created. // protocol - Defines the used transport protocol // ipsec - Defines the type of IPsec usage // ipsec_agos - Defines the algorithms and keys // mode - IPsec mode (tunneling or transport) // spi - Security Parameter Index // src - Source address // dst - Destination adress // nat_t - Enable NAT // info - Defines additional settings /////////////////////////////////////////////////////////////////////////////////// type record SAAddInfo{ boolean update optional, TransportProtocol protocol, IPSecProtocol ipsec, IPsecAlgorithms ipsec_algos, Mode mode, integer spi, NetworkAddress src, NetworkAddress dst, NAT_T nat_t optional, SAAdditionalInfo info optional } ////////////////////////////////////////////////////////////////////////////////// // Type: SADelInfo // // Purpose: // Defines the basic information toidentiy and remove a Security Assoctiation. // // Elements: // protocol - Defines the used transport protocol // spi - Security Parameter Index // src - Source address // dst - Destination adress /////////////////////////////////////////////////////////////////////////////////// type record SADelInfo{ IPSecProtocol proto, integer spi, NetworkAddress src, NetworkAddress dst } ////////////////////////////////////////////////////////////////////////////////// // Type: SPAdditionalInfo // // Purpose: // Defines additional information regarding the Security Policy creation. // These are not mandatory parameters for creating a valid SP. // // Elements: // share - Defines the scope of the policy // priority - Enables prioritization of SPs // policy_action - Policy rule (ALLOW or BLOCK) // index - Used for identification, similar to the selector // interface_index - Enables the usage of an SP only for a specific interface // limits - Lifetime limits for the Security Policy /////////////////////////////////////////////////////////////////////////////////// type record SPAdditionalInfo{ Share share optional, integer priority optional, Action policy_action optional, integer index optional, integer interface_index optional, Limits limits optional } ////////////////////////////////////////////////////////////////////////////////// // Type: SPAddInfo // // Purpose: // Defines the basic information for creating a Security Policy. // // Elements: // update - if set to true and the SP already exists, it will be updated/overwritten // if not exists, it will be created. // protocol - Defines the used transport protocol // src - Source address // dst - Destination adress // dir - Direction of the traffic // tmpl - Defines Templates for the SP that is used for idetification // info - Defines additional settings /////////////////////////////////////////////////////////////////////////////////// type record SPAddInfo{ boolean update optional, TransportProtocol protocol, NetworkAddress src, NetworkAddress dst, PolicyDirection dir, Template_List tmpl, SPAdditionalInfo info optional } ////////////////////////////////////////////////////////////////////////////////// // Type: SPDelInfo // // Purpose: // Defines the basic information for identifying and removing a Security Policy. // // Elements: // dir - Direction of the traffic // protocol - Defines the used transport protocol // src - Source address // dst - Destination adress /////////////////////////////////////////////////////////////////////////////////// type record SPDelInfo{ PolicyDirection dir, TransportProtocol protocol, NetworkAddress src, NetworkAddress dst } ////////////////////////////////////////////////////////////////////////////////// // Type: SPI_Range // // Purpose: // Minimum and maximum value for SPI /////////////////////////////////////////////////////////////////////////////////// type record SPI_Range{ integer min, integer max } ////////////////////////////////////////////////////////////////////////////////// // Type: AllocSPI_Info // // Purpose: // Defines the basic information for allocating an SPI value. // // Elements: // src - Source address // dst - Destination adress // protocol - IPsec protocol // range - Range of the SPI /////////////////////////////////////////////////////////////////////////////////// type record AllocSPI_Info{ charstring src, charstring dst, IPSecProtocol protocol, SPI_Range range optional } ////////////////////////////////////////////////////////////////////////////////// // Type: XFRM_Result // // Purpose: // Serves as a return value for the TTCN-3 functions. It contains general result // and in case of an error, some description on the error. // // Elements: // result - If the execution is successful,the value is 0. // msg - If error occurs before reaching the kernel or the error is in the // communications with the kernel, then this contains information on it. // If the reponse is negative, then it contains the message from the kernel. /////////////////////////////////////////////////////////////////////////////////// type record XFRM_Result{ integer result, charstring msg } }