1999-07-01 14:48:30 +04:00
|
|
|
.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
|
|
|
.\" All rights reserved.
|
|
|
|
.\"
|
|
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
|
|
.\" modification, are permitted provided that the following conditions
|
|
|
|
.\" are met:
|
|
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
|
|
.\" 3. Neither the name of the project nor the names of its contributors
|
|
|
|
.\" may be used to endorse or promote products derived from this software
|
|
|
|
.\" without specific prior written permission.
|
|
|
|
.\"
|
|
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
|
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
|
|
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
|
.\" SUCH DAMAGE.
|
|
|
|
.\"
|
2000-01-19 09:59:32 +03:00
|
|
|
.\" $NetBSD: ipsec.4,v 1.4 2000/01/19 06:59:32 itojun Exp $
|
|
|
|
.\" KAME Id: ipsec.4,v 1.4 2000/01/19 06:56:51 itojun Exp
|
1999-07-01 14:48:30 +04:00
|
|
|
.\"
|
|
|
|
.Dd January 29, 1999
|
|
|
|
.Dt IPSEC 4
|
1999-07-01 14:50:47 +04:00
|
|
|
.Os
|
1999-07-01 14:48:30 +04:00
|
|
|
.Sh NAME
|
|
|
|
.Nm ipsec
|
|
|
|
.Nd IP security protocol
|
|
|
|
.Sh SYNOPSIS
|
|
|
|
.Fd #include <sys/types.h>
|
|
|
|
.Fd #include <netinet/in.h>
|
|
|
|
.Fd #include <netinet6/ipsec.h>
|
|
|
|
.Sh DESCRIPTION
|
|
|
|
.Nm
|
|
|
|
is a security protocol in Internet Protocol layer.
|
|
|
|
.Nm
|
2000-01-19 09:59:32 +03:00
|
|
|
is defined for both IPv4 and IPv6
|
|
|
|
.Po
|
|
|
|
.Xr inet 4
|
|
|
|
and
|
|
|
|
.Xr inet6 4
|
|
|
|
.Pc .
|
1999-07-01 14:48:30 +04:00
|
|
|
.Nm
|
|
|
|
consists of two sub-protocols, namely
|
|
|
|
ESP
|
|
|
|
.Pq encapsulated security payload
|
|
|
|
and AH
|
|
|
|
.Pq authentication header .
|
|
|
|
ESP protects IP payload from wire-tapping by encrypting it by
|
|
|
|
secret key cryptography algorithms.
|
|
|
|
AH guarantees integrity of IP packet
|
|
|
|
and protects it from intermediate alteration or impersonation,
|
|
|
|
by attaching cryptographic checksum computed by one-way hash functions.
|
|
|
|
.Nm
|
|
|
|
has two operation modes: transport mode and tunnel mode.
|
|
|
|
Transport mode is for protecting peer-to-peer commuication between end nodes.
|
|
|
|
Tunnel mode includes IP-in-IP encapsulation operation
|
|
|
|
and is designed for security gateways, like VPN configurations.
|
|
|
|
.\"
|
|
|
|
.Sh KERNEL INTERFACE
|
|
|
|
.Nm
|
|
|
|
is controlled by key management engine, and policy engine in the
|
|
|
|
operating system kernel.
|
|
|
|
.Pp
|
|
|
|
Key management engine can be accessed from the userland by using
|
|
|
|
.Dv PF_KEY
|
|
|
|
sockets.
|
|
|
|
The
|
|
|
|
.Dv PF_KEY
|
|
|
|
socket API is defined in RFC2367.
|
|
|
|
.Pp
|
2000-01-19 09:59:32 +03:00
|
|
|
Policy engine can be controlled by extended part of
|
1999-07-01 14:48:30 +04:00
|
|
|
.Dv PF_KEY
|
|
|
|
API,
|
|
|
|
.Xr setsockopt 2
|
|
|
|
operations, and
|
|
|
|
.Xr sysctl 3
|
|
|
|
interface.
|
2000-01-19 09:59:32 +03:00
|
|
|
The kernel implements
|
|
|
|
extended version of
|
1999-07-01 14:48:30 +04:00
|
|
|
.Dv PF_KEY
|
2000-01-19 09:59:32 +03:00
|
|
|
interface, and allows you to define IPsec policy like per-packet filters.
|
1999-07-01 14:48:30 +04:00
|
|
|
.Xr setsockopt 2
|
|
|
|
interface is used to define per-socket behavior, and
|
|
|
|
.Xr sysctl 3
|
|
|
|
interface is used to define host-wide default behavior.
|
|
|
|
.Pp
|
|
|
|
The kernel code does not implement dynamic encryption key exchange protocol
|
|
|
|
like IKE
|
|
|
|
.Pq Internet Key Exchange .
|
|
|
|
That should be implemented as userland programs, or daemons, by using
|
|
|
|
the above described APIs.
|
|
|
|
.\"
|
|
|
|
.Sh POLICY MANAGEMENT
|
|
|
|
The policy management code is experimental, but this is almostly
|
|
|
|
conformed to RFC2401. You can manage the SPD by two way. One is the way to use
|
|
|
|
.Xr setkey 8 ,
|
|
|
|
and other is the way to use
|
|
|
|
.Xr setsockopt 3 .
|
|
|
|
.Xr setkey 8
|
|
|
|
can define either
|
|
|
|
.Nm default , use
|
|
|
|
or
|
|
|
|
.Nm require
|
|
|
|
like filtering rule.
|
|
|
|
and
|
|
|
|
.Xr setsockopt 3
|
|
|
|
can define either
|
|
|
|
.Nm entrust , ipsec
|
|
|
|
or
|
|
|
|
.Nm bypass
|
|
|
|
as Security level per socket.
|
|
|
|
.Pp
|
|
|
|
When
|
|
|
|
.Nm default
|
|
|
|
(or
|
|
|
|
.Nm entrust
|
|
|
|
)
|
|
|
|
is defined, Policy engine consults to system wide default defined
|
|
|
|
.Xr sysctl 8
|
|
|
|
.Bl -column net.inet6.ipsec6.esp_trans_deflev integerxxx
|
|
|
|
.It Sy Name Type Changeable
|
|
|
|
.It net.inet.ipsec.esp_trans_deflev integer yes
|
|
|
|
.It net.inet.ipsec.esp_net_deflev integer yes
|
|
|
|
.It net.inet.ipsec.ah_trans_deflev integer yes
|
|
|
|
.It net.inet.ipsec.ah_net_deflev integer yes
|
|
|
|
.It net.inet6.ipsec6.esp_trans_deflev integer yes
|
|
|
|
.It net.inet6.ipsec6.esp_net_deflev integer yes
|
|
|
|
.It net.inet6.ipsec6.ah_trans_deflev integer yes
|
|
|
|
.It net.inet6.ipsec6.ah_net_deflev integer yes
|
|
|
|
.El
|
|
|
|
.Pp
|
|
|
|
They are 1:use or 2:require.
|
|
|
|
.Pp
|
|
|
|
If kernel doesn't find out policy entry, then system wide default is applied.
|
|
|
|
You can specify the system wide default as discarding packet or not to do IPsec.
|
|
|
|
.Bl -column net.inet6.ipsec6.def_policy integerxxx
|
|
|
|
.It Sy Name Type Changeable
|
|
|
|
.It net.inet.ipsec.def_policy integer yes
|
|
|
|
.It net.inet6.ipsec6.def_policy integer yes
|
|
|
|
.El
|
|
|
|
.Pp
|
|
|
|
They are 0:discard or 1:none.
|
|
|
|
.\"
|
|
|
|
.Sh PROTOCOLS
|
|
|
|
The
|
|
|
|
.Nm
|
|
|
|
protocol works like plug-in to
|
|
|
|
.Xr inet 4
|
|
|
|
and
|
|
|
|
.Xr inet6 4
|
|
|
|
protocols.
|
|
|
|
Therefore,
|
|
|
|
.Nm
|
|
|
|
supports most of the protocols defined upon those IP-layer protocols.
|
|
|
|
Some of the protocols, like
|
|
|
|
.Xr icmp 4
|
|
|
|
or
|
|
|
|
.Xr icmp6 4 ,
|
|
|
|
may behave differently with
|
|
|
|
.Nm ipsec .
|
|
|
|
This is because
|
|
|
|
.Nm
|
|
|
|
can prevent
|
|
|
|
.Xr icmp 4
|
|
|
|
or
|
|
|
|
.Xr icmp6 4
|
|
|
|
routines from looking into IP payload.
|
|
|
|
.\"
|
|
|
|
.Sh SEE ALSO
|
|
|
|
.Xr ioctl 2 ,
|
|
|
|
.Xr socket 2 ,
|
|
|
|
.Xr icmp6 4 ,
|
|
|
|
.Xr intro 4 ,
|
|
|
|
.Xr ip6 4 ,
|
|
|
|
.Xr setkey 8 ,
|
2000-01-19 09:59:32 +03:00
|
|
|
.Xr sysctl 8 ,
|
1999-07-01 14:48:30 +04:00
|
|
|
.Xr racoon 8
|
|
|
|
.Pp
|
2000-01-19 09:59:32 +03:00
|
|
|
.Rs
|
|
|
|
.%A Daniel L. McDonald
|
|
|
|
.%A Craig Metz
|
|
|
|
.%A Bao G. Phan
|
|
|
|
.%T "PF_KEY Key Management API, Version 2"
|
|
|
|
.%R RFC
|
|
|
|
.%N 2367
|
|
|
|
.Re
|
1999-07-01 14:48:30 +04:00
|
|
|
.Rs
|
|
|
|
.%A "D. L. McDonald"
|
|
|
|
.%T "A Simple IP Security API Extension to BSD Sockets"
|
2000-01-19 09:59:32 +03:00
|
|
|
.%R internet draft
|
1999-07-01 14:48:30 +04:00
|
|
|
.%N "draft-mcdonald-simple-ipsec-api-03.txt"
|
2000-01-19 09:59:32 +03:00
|
|
|
.%O work in progress material
|
1999-07-01 14:48:30 +04:00
|
|
|
.Re
|
|
|
|
.Sh CAVEAT
|
2000-01-19 09:59:32 +03:00
|
|
|
The IPsec support is subject to change as the IPsec protocols develop.
|
1999-07-01 14:48:30 +04:00
|
|
|
.Pp
|
|
|
|
There is no single standard for policy engine API,
|
|
|
|
so the policy engine API described herein is just for KAME implementation.
|
|
|
|
.\"
|
|
|
|
.Sh HISTORY
|
|
|
|
The implementation described herein appeared in WIDE/KAME IPv6/IPsec stack.
|