#!/usr/bin/env python3
# AUTOSAR IPsec Security Policy Database (SPD) configuration
# IPsec Transport mode: encrypt IP payload only, preserve IP header
ipsec_policies = [
{
"name": "Policy_OTA_Backend",
"description": "Encrypt all traffic to OEM OTA server",
"traffic_selector": {
"src_ip": "0.0.0.0/0", # any vehicle IP (DHCP)
"dst_ip": "203.0.113.10/32", # OEM OTA server
"protocol": "TCP",
"dst_port": 443,
},
"action": "ENCRYPT",
"sa_params": {
"mode": "Transport",
"encryption": "AES-256-GCM", # AEAD: encrypt + authenticate
"ike_version": "IKEv2",
"auth_method": "X.509_ECDSA", # ECU cert provisioned at EOL
"dh_group": "19", # ECDH P-256 (DH group 19)
},
},
{
"name": "Policy_V2X_Backend",
"description": "Encrypt V2X certificate management traffic",
"traffic_selector": {
"src_ip": "0.0.0.0/0",
"dst_ip": "203.0.113.50/32", # V2X PKI backend
"protocol": "TCP",
"dst_port": 443,
},
"action": "ENCRYPT",
"sa_params": {
"mode": "Transport",
"encryption": "AES-256-GCM",
"ike_version": "IKEv2",
"auth_method": "X.509_ECDSA",
"dh_group": "20", # ECDH P-384 for higher-security V2X
},
},
{
"name": "Policy_Internal_Bypass",
"description": "Bypass IPsec for intra-vehicle (MACsec-protected) traffic",
"traffic_selector": {
"src_ip": "10.0.0.0/8", "dst_ip": "10.0.0.0/8",
"protocol": "ANY", "dst_port": None,
},
"action": "BYPASS",
},
]
for p in ipsec_policies:
print(f" {p['name']}: {p['action']}")
if p["action"] == "ENCRYPT":
print(f" {p['sa_params']['encryption']} via IKEv2/{p['sa_params']['auth_method']}")