introductory manpage for IPsec and IPv6.

share/man/man4/inet6.4

@@ -0,0 +1,251 @@
+.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+.\" All rights reserved.
+.\" 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of the project nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"	$Id: inet6.4,v 1.1 1999/07/01 10:48:30 itojun Exp $
+.\"
+.Dd January 29, 1999
+.Dt INET6 4
+.Os KAME
+.Sh NAME
+.Nm inet6
+.Nd Internet protocol version 6 family
+.Sh SYNOPSIS
+.Fd #include <sys/types.h>
+.Fd #include <netinet/in.h>
+.Sh DESCRIPTION
+The
+.Nm
+family is an updated version of
+.Xr inet 4
+family.
+While
+.Xr inet 4
+implements Internet Protocol version 4,
+.Nm
+implements Internet Protocol version 6.
+.Pp
+.Nm
+is a collection of protocols layered atop the
+.Em Internet Protocol version 6
+.Pq Tn IPv6
+transport layer, and utilizing the IPv6 address format.
+The
+.Nm
+family provides protocol support for the
+.Dv SOCK_STREAM , SOCK_DGRAM ,
+and
+.Dv SOCK_RAW
+socket types; the
+.Dv SOCK_RAW
+interface provides access to the
+.Tn IPv6
+protocol.
+.Sh ADDRESSING
+IPv6 addresses are 16 byte quantities, stored in network standard format
+The include file
+.Aq Pa netinet/in.h
+defines this address
+as a discriminated union.
+.Pp
+Sockets bound to the
+.Nm
+family utilize the following addressing structure,
+.Bd -literal -offset indent
+struct sockaddr_in6 {
+	u_char		sin6_len;
+	u_char		sin6_family;
+	u_int16_t	sin6_port;
+	u_int32_t	sin6_flowinfo;
+	struct in6_addr	sin6_addr;
+	u_int32_t	sin6_scope_id;
+};
+.Ed
+.Pp
+Sockets may be created with the local address
+.Dq Dv ::
+.Po
+which is equal to IPv6 address
+.Dv 0:0:0:0:0:0:0:0
+.Pc
+to effect
+.Dq wildcard
+matching on incoming messages. 
+The address in a
+.Xr connect 2
+or
+.Xr sendto 2
+call may be given as
+.Dq Dv ::
+to mean
+.Dq this host .
+.Dq Dv ::
+can be obtained by setting
+.Dv sin6_addr
+field into 0, or by using the address contained in variable
+.Dv in6addr_any .
+.Sh PROTOCOLS
+The
+.Nm
+family is comprised of the
+.Tn IPv6
+network protocol, Internet Control
+Message Protocol version 6
+.Pq Tn ICMPv6 ,
+Transmission Control Protocol
+.Pq Tn TCP ,
+and User Datagram Protocol
+.Pq Tn UDP .
+.Tn TCP
+is used to support the
+.Dv SOCK_STREAM
+abstraction while
+.Tn UDP
+is used to support the
+.Dv SOCK_DGRAM
+abstraction.
+Note that
+.Tn TCP
+and
+.Tn UDP
+are common to
+.Xr inet 4
+and
+.Nm inet6 .
+A raw interface to
+.Tn IPv6
+is available
+by creating an Internet socket of type
+.Dv SOCK_RAW .
+The
+.Tn ICMPv6
+message protocol is accessible from a raw socket.
+.\" .Pp
+.\" The 128-bit IPv6 address contains both network and host parts.
+.\" However, direct examination of addresses is discouraged.
+.\" For those programs which absolutely need to break addresses
+.\" into their component parts, the following
+.\" .Xr ioctl 2
+.\" commands are provided for a datagram socket in the
+.\" .Nm
+.\" domain; they have the same form as the
+.\" .Dv SIOCIFADDR
+.\" command (see
+.\" .Xr intro 4 ) .
+.\" .Pp
+.\" .Bl -tag -width SIOCSIFNETMASK
+.\" .It Dv SIOCSIFNETMASK
+.\" Set interface network mask.
+.\" The network mask defines the network part of the address;
+.\" if it contains more of the address than the address type would indicate,
+.\" then subnets are in use.
+.\" .It Dv SIOCGIFNETMASK
+.\" Get interface network mask.
+.\" .El
+.\" .Sh ROUTING
+.\" The current implementation of Internet protocols includes some routing-table
+.\" adaptations to provide enhanced caching of certain end-to-end
+.\" information necessary for Transaction TCP and Path MTU Discovery.  The
+.\" following changes are the most significant:
+.\" .Bl -enum
+.\" .It
+.\" All IP routes, except those with the
+.\" .Dv RTF_CLONING
+.\" flag and those to multicast destinations, have the
+.\" .Dv RTF_PRCLONING
+.\" flag forcibly enabled (they are thus said to be
+.\" .Dq "protocol cloning" ).
+.\" .It
+.\" When the last reference to an IP route is dropped, the route is
+.\" examined to determine if it was created by cloning such a route.  If
+.\" this is the case, the
+.\" .Dv RTF_PROTO3
+.\" flag is turned on, and the expiration timer is initialized to go off
+.\" in net.inet.ip.rtexpire seconds.  If such a route is re-referenced,
+.\" the flag and expiration timer are reset.
+.\" .It
+.\" A kernel timeout runs once every ten minutes, or sooner if there are
+.\" soon-to-expire routes in the kernel routing table, and deletes the
+.\" expired routes.
+.\" .El
+.\" .Pp
+.\" A dynamic process is in place to modify the value of
+.\" net.inet.ip.rtexpire if the number of cached routes grows too large.
+.\" If after an expiration run there are still more than
+.\" net.inet.ip.rtmaxcache unreferenced routes remaining, the rtexpire
+.\" value is multiplied by 3/4, and any routes which have longer
+.\" expiration times have those times adjusted.  This process is damped
+.\" somewhat by specification of a minimum rtexpire value
+.\" (net.inet.ip.rtminexpire), and by restricting the reduction to once in
+.\" a ten-minute period.
+.\" .Pp
+.\" If some external process deletes the original route from which a
+.\" protocol-cloned route was generated, the ``child route'' is deleted.
+.\" (This is actually a generic mechanism in the routing code support for
+.\" protocol-requested cloning.)
+.\" .Pp
+.\" No attempt is made to manage routes which were not created by protocol
+.\" cloning; these are assumed to be static, under the management of an
+.\" external routing process, or under the management of a link layer
+.\" (e.g.,
+.\" .Tn ARP
+.\" for Ethernets).
+.\" .Pp
+.\" Only certain types of network activity will result in the cloning of a
+.\" route using this mechanism.  Specifically, those protocols (such as
+.\" .Tn TCP
+.\" and
+.\" .Tn UDP )
+.\" which themselves cache a long-lasting reference to route for a destination
+.\" will trigger the mechanism; whereas raw
+.\" .Tn IP
+.\" packets, whether locally-generated or forwarded, will not.
+.Sh SEE ALSO
+.Xr ioctl 2 ,
+.Xr socket 2 ,
+.Xr sysctl 3 ,
+.Xr icmp6 4 ,
+.Xr intro 4 ,
+.Xr ip6 4 ,
+.Xr tcp 4 ,
+.Xr ttcp 4 ,
+.Xr udp 4
+.Sh CAVEAT
+The IPv6 support is subject to change as the Internet protocols develop.
+Users should not depend on details of the current implementation,
+but rather the services exported.
+.Pp
+Users are suggested to implement
+.Dq version independent
+code as much as possible, as you will need to support both
+.Xr inet 4
+and
+.Nm inet6 .
+.Sh HISTORY
+The
+.Nm
+protocol interface are defined in RFC2133 and RFC2292.
+The implementation described herein appeared in WIDE/KAME project.

share/man/man4/ipsec.4

@@ -0,0 +1,198 @@
+.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+.\" All rights reserved.
+.\" 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of the project nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"	$Id: ipsec.4,v 1.1 1999/07/01 10:48:30 itojun Exp $
+.\"
+.Dd January 29, 1999
+.Dt IPSEC 4
+.Os KAME
+.Sh NAME
+.Nm ipsec
+.Nd IP security protocol
+.Sh SYNOPSIS
+.Fd #include <sys/types.h>
+.Fd #include <netinet/in.h>
+.Fd #include <netinet6/ipsec.h>
+.Sh DESCRIPTION
+.Nm
+is a security protocol in Internet Protocol layer.
+.Nm
+is defined for both IPv4
+.Pq Xr inet 4
+and IPv6
+.Pq Xr inet6 4 .
+.Nm
+consists of two sub-protocols, namely
+ESP
+.Pq encapsulated security payload
+and AH
+.Pq authentication header .
+ESP protects IP payload from wire-tapping by encrypting it by
+secret key cryptography algorithms.
+AH guarantees integrity of IP packet
+and protects it from intermediate alteration or impersonation,
+by attaching cryptographic checksum computed by one-way hash functions.
+.Nm
+has two operation modes: transport mode and tunnel mode.
+Transport mode is for protecting peer-to-peer commuication between end nodes.
+Tunnel mode includes IP-in-IP encapsulation operation
+and is designed for security gateways, like VPN configurations.
+.\"
+.Sh KERNEL INTERFACE
+.Nm
+is controlled by key management engine, and policy engine in the
+operating system kernel.
+.Pp
+Key management engine can be accessed from the userland by using
+.Dv PF_KEY
+sockets.
+The
+.Dv PF_KEY
+socket API is defined in RFC2367.
+.Pp
+Policy engine can be controlled by
+.Dv PF_KEY
+API,
+.Xr setsockopt 2
+operations, and
+.Xr sysctl 3
+interface.
+.Dv PF_KEY
+interface is an extension to RFC2367,
+and defines IPsec policy like per-packet filters.
+.Xr setsockopt 2
+interface is used to define per-socket behavior, and
+.Xr sysctl 3
+interface is used to define host-wide default behavior.
+.Pp
+The kernel code does not implement dynamic encryption key exchange protocol
+like IKE
+.Pq Internet Key Exchange .
+That should be implemented as userland programs, or daemons, by using
+the above described APIs.
+.\"
+.Sh POLICY MANAGEMENT
+The policy management code is experimental, but this is almostly
+conformed to RFC2401.  You can manage the SPD by two way.  One is the way to use
+.Xr setkey 8 ,
+and other is the way to use
+.Xr setsockopt 3 .
+.Xr setkey 8
+can define either
+.Nm default , use
+or
+.Nm require
+like filtering rule.
+and
+.Xr setsockopt 3
+can define either
+.Nm entrust , ipsec
+or
+.Nm bypass
+as Security level per socket.
+.Pp
+When
+.Nm default
+(or
+.Nm entrust
+)
+is defined, Policy engine consults to system wide default defined
+.Xr sysctl 8
+.Bl -column net.inet6.ipsec6.esp_trans_deflev integerxxx
+.It Sy Name	Type	Changeable
+.It net.inet.ipsec.esp_trans_deflev	integer	yes
+.It net.inet.ipsec.esp_net_deflev	integer	yes
+.It net.inet.ipsec.ah_trans_deflev	integer	yes
+.It net.inet.ipsec.ah_net_deflev	integer	yes
+.It net.inet6.ipsec6.esp_trans_deflev	integer	yes
+.It net.inet6.ipsec6.esp_net_deflev	integer	yes
+.It net.inet6.ipsec6.ah_trans_deflev	integer	yes
+.It net.inet6.ipsec6.ah_net_deflev	integer	yes
+.El
+.Pp
+They are 1:use or 2:require.
+.Pp
+If kernel doesn't find out policy entry, then system wide default is applied.
+You can specify the system wide default as discarding packet or not to do IPsec.
+.Bl -column net.inet6.ipsec6.def_policy integerxxx
+.It Sy Name	Type	Changeable
+.It net.inet.ipsec.def_policy	integer	yes
+.It net.inet6.ipsec6.def_policy	integer	yes
+.El
+.Pp
+They are 0:discard or 1:none.
+.\"
+.Sh PROTOCOLS
+The
+.Nm
+protocol works like plug-in to
+.Xr inet 4
+and
+.Xr inet6 4
+protocols.
+Therefore,
+.Nm
+supports most of the protocols defined upon those IP-layer protocols.
+Some of the protocols, like 
+.Xr icmp 4
+or
+.Xr icmp6 4 ,
+may behave differently with
+.Nm ipsec .
+This is because
+.Nm
+can prevent
+.Xr icmp 4
+or
+.Xr icmp6 4
+routines from looking into IP payload.
+.\"
+.Sh SEE ALSO
+.Xr ioctl 2 ,
+.Xr socket 2 ,
+.Xr sysctl 3 ,
+.Xr icmp6 4 ,
+.Xr intro 4 ,
+.Xr ip6 4 ,
+.Xr setkey 8 ,
+.Xr racoon 8
+.Pp
+.%T RFC2367
+.Rs
+.%A "D. L. McDonald"
+.%T "A Simple IP Security API Extension to BSD Sockets"
+.%N "draft-mcdonald-simple-ipsec-api-03.txt"
+.%O "internet draft"
+.Re
+.Sh CAVEAT
+The IPsec support is subject to change as the Internet protocols develop.
+.Pp
+There is no single standard for policy engine API,
+so the policy engine API described herein is just for KAME implementation.
+.\"
+.Sh HISTORY
+The implementation described herein appeared in WIDE/KAME IPv6/IPsec stack.