NetBSD/share/man/man4/fast_ipsec.4

.\"	$NetBSD: fast_ipsec.4,v 1.3 2004/05/11 23:19:45 wiz Exp $
.\"	$FreeBSD: fast_ipsec.4,v 1.2 2003/03/03 11:51:30 ru Exp $
.\"
.\" Copyright (c) 2004
.\"	Jonathan Stone <jonathan@dsg.stanford.edu>. All rights reserved.
.\"
.\" Copyright (c) 2003
.\"	Sam Leffler <sam@errno.com>. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY Sam Leffler AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL Bill Paul OR THE VOICES IN HIS HEAD
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
.\" THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd April 25, 2004
.Dt FAST_IPSEC 4
.Os
.Sh NAME
.Nm "Fast IPsec"
.Nd hardware-accelerated IP Security Protocols
.Sh SYNOPSIS
.Cd "options FAST_IPSEC"
.Cd "pseudo-device crypto"
.Sh DESCRIPTION
.Tn IPsec
is a set of protocols,
.Tn ESP
(for Encapsulating Security Payload)
.Tn AH
(for Authentication Header),
and
.Tn IPComp
(for IP Payload Compression Protocol)
that provide security services for IP datagrams.
.Nm
is an implementation of these protocols that uses the
.Xr opencrypto 9
subsystem to carry out cryptographic operations.
This means, in particular, that cryptographic hardware devices are
employed whenever possible to optimize the performance of these protocols.
.Pp
In general, the
.Nm
implementation is intended to be compatible with the
.Tn KAME IPsec
implementation.
This documentation concentrates on differences from that software.
The user should refer to
.Xr ipsec 4
for basic information on setting up and using these protocols.
.Pp
System configuration requires the
.Xr opencrypto 9
subsystem.
When the
.Nm
protocols are configured for use, all protocols are included in the system.
To selectively enable/disable protocols, use
.Xr sysctl 8 .
.Sh DIAGNOSTICS
To be added.
.Sh SEE ALSO
.Xr ipsec 4 ,
.Xr setkey 8 ,
.Xr sysctl 8 ,
.Xr opencrypto 9
.Sh HISTORY
The protocols draw heavily on the
.Ox
implementation of the
.Tn IPsec
protocols.
The policy management code is derived from the
.Tn KAME
implementation found in their
.Tn IPsec
protocols.
The
.Nm
protocols are based on code which appeared in
.Fx 4.7 .
The
.Nx
version is a close copy of the
.Fx
original, and first appeared in
.Nx 2.0 .
.Sh BUGS
There is presently no support for IPv6.
Configuring
.Nm
in conjunction with INET6
is explictly experimental and unsupported.
At the time of writing, combining
.Nm
and INET6 in a single kernel is believed to yield a working IPv6 stack,
provided that no IPv6 traffic makes any use whatsoever of
.Xr ipsec 4 .
Attempting to send or receive
.Xr ipsec 4
IPv6 traffic to or from such a kernel may trigger kernel panics, or
may expose the unprotected plaintext of IPv6 traffic which is configured
to be secured via
.Xr ipsec 4 .
Caveat emptor.
.Pp
The
.Tn IPcomp
protocol support does not work.
.Pp
Certain legacy authentication algorithms are not supported because of
issues with the
.Xr opencrypto 9
subsystem.
.Pp
This documentation is incomplete.