| author | bz <bz@FreeBSD.org> | 2007-08-02 08:04:48 +0000 |
|---|---|---|
| committer | bz <bz@FreeBSD.org> | 2007-08-02 08:04:48 +0000 |
| commit | e911ed379e86d959007164b5b30ddbe18009dd35 (patch) | |
| tree | 4bffec198d31290b4dba25f1cfb71ea21a64f1c2 /share/man/man4/ipsec.4 | |
| parent | 024818b7783a689d9deb4e2877b0a4b728f89edd (diff) | |
| download | FreeBSD-src-e911ed379e86d959007164b5b30ddbe18009dd35.zip FreeBSD-src-e911ed379e86d959007164b5b30ddbe18009dd35.tar.gz | |
Remove the last entries to fast_ipsec.
Merge in parts of the old fast_ipsec.4 man page to ipsec.4 and
start updating ipsec.4 man page.
Reviewed by: brueffer, sam (slightly earlier versions), bmah
Approved by: re (bmah)
Diffstat (limited to 'share/man/man4/ipsec.4')
-rw-r--r-- | share/man/man4/ipsec.4 | 132 |
1 files changed, 102 insertions, 30 deletions
diff --git a/share/man/man4/ipsec.4 b/share/man/man4/ipsec.4 index e2510c2..3bfd7bd 100644 --- a/share/man/man4/ipsec.4 +++ b/share/man/man4/ipsec.4 
@@ -29,44 +29,68 @@ .\" .\" $FreeBSD$ .\" -.Dd August 24, 2006 +.Dd August 1, 2007 .Dt IPSEC 4 .Os .Sh NAME -.Nm ipsec -.Nd IP security protocol +.Nm IPsec +.Nd Internet Protocol Security protocol .Sh SYNOPSIS .Cd "options IPSEC" -.Cd "options IPSEC_DEBUG" -.Cd "options IPSEC_ESP" .Cd "options IPSEC_FILTERGIF" +.Cd "device crypto" .Pp .In sys/types.h .In netinet/in.h -.In netinet6/ipsec.h +.In netipsec/ipsec.h +.In netipsec/ipsec6.h .Sh DESCRIPTION .Nm is a security protocol implemented within the Internet Protocol layer -of the TCP/IP stack. +of the networking stack. .Nm is defined for both IPv4 and IPv6 .Xr ( inet 4 and .Xr inet6 4 ) . .Nm -contains two protocols, -ESP, the encapsulated security payload protocol and -AH, the authentication header protocol. -ESP prevents unauthorized parties from reading the payload of an IP packet -by encrypting it using -secret key cryptography algorithms. -AH both authenticates guarantees the integrity of an IP packet +is a set of protocols, +.Tn ESP +(for Encapsulating Security Payload) +.Tn AH +(for Authentication Header), +and +.Tn IPComp +(for IP Payload Compression Protocol) +that provide security services for IP datagrams. +AH both authenticates and guarantees the integrity of an IP packet by attaching a cryptographic checksum computed using one-way hash functions. +ESP, in addition, prevents unauthorized parties from reading the payload of +an IP packet by also encrypting it. +IPComp tries to increase communication performance by compressing IP payload, +thus reducing the amount of data sent. +This will help nodes on slow links but with enough computing power. .Nm -has operates in one of two modes: transport mode or tunnel mode. +operates in one of two modes: transport mode or tunnel mode. Transport mode is used to protect peer-to-peer communication between end nodes. Tunnel mode encapsulates IP packets within other IP packets and is designed for security gateways such as VPN endpoints. 
+.Pp +System configuration requires the +.Xr crypto 4 +subsystem. +.Pp +The packets can be passed to a virtual +.Xr enc 4 +interface, +to perform packet filtering before outbound encryption and after decapsulation +inbound. +.Pp +To properly filter on the inner packets of an +.Nm +tunnel with firewalls, add +.Cd "options IPSEC_FILTERGIF" +to the kernel configuration file. .\" .Ss Kernel interface .Nm @@ -95,7 +119,7 @@ interface. The kernel implements an extended version of the .Dv PF_KEY -interface, and allows the programmer to define IPsec policies +interface and allows the programmer to define IPsec policies which are similar to the per-packet filters. The .Xr setsockopt 2 @@ -119,19 +143,18 @@ policies using the .Dv PF_KEY interface, via the .Xr setkey 8 -command. -In either case, IPsec policies must be specified using the syntax described in -.Xr ipsec_set_policy 3 . -Please refer to the +you can define IPsec policies against packets using rules similar to packet +filtering rules. +Refer to .Xr setkey 8 -man page for instructions on its use. +on how to use it. .Pp When setting policies using the .Xr setkey 8 -command the +command, the .Dq Li default -option you can have the system use its default policy, explained -below, for processing packets. +option instructs the system to use its default policy, as +explained below, for processing packets. The following sysctl variables are available for configuring the system's IPsec behavior. The variables can have one of two values. 
@@ -181,7 +204,19 @@ means .El .\" .Ss Miscellaneous sysctl variables -The following variables are accessible via +When the +.Nm +protocols are configured for use, all protocols are included in the system. +To selectively enable/disable protocols, use +.Xr sysctl 8 . +.Bl -column net.inet.ipcomp.ipcomp_enable +.It Sy "Name Default" +.It "net.inet.esp.esp_enable On" +.It "net.inet.ah.ah_enable On" +.It "net.inet.ipcomp.ipcomp_enable Off" +.El +.Pp +In addition the following variables are accessible via .Xr sysctl 8 , for tweaking the kernel's IPsec behavior: .Bl -column net.inet6.ipsec6.inbonud_call_ike integerxxx @@ -266,7 +301,8 @@ routines from looking into the IP payload. .Xr ioctl 2 , .Xr socket 2 , .Xr ipsec_set_policy 3 , -.Xr fast_ipsec 4 , +.Xr crypto 4 , +.Xr enc 4 , .Xr icmp6 4 , .Xr intro 4 , .Xr ip6 4 , 
@@ -303,12 +339,42 @@ routines from looking into the IP payload. .%O work in progress material .Re .Sh HISTORY -The implementation described herein appeared in WIDE/KAME IPv6/IPsec stack. -.Sh BUGS -The IPsec support is subject to change as the IPsec protocols develop. +The original +.Nm +implementation appeared in the WIDE/KAME IPv6/IPsec stack. .Pp +For +.Fx 5.0 +a fully locked IPsec implementation called fast_ipsec was brought in. +The protocols drew heavily on the +.Ox +implementation of the +.Tn IPsec +protocols. +The policy management code was derived from the +.Tn KAME +implementation found +in their +.Tn IPsec +protocols. +The fast_ipsec implementation lacked +.Xr ip6 4 +support but made use of the +.Xr crypto 4 +subsystem. +.Pp +For +.Fx 7.0 +.Xr ip6 4 +support was added to fast_ipsec. +After this the old KAME IPsec implementation was dropped and fast_ipsec +became what now is the only +.Nm +implementation in +.Fx . +.Sh BUGS There is no single standard for the policy engine API, -so the policy engine API described herein is just for KAME implementation. +so the policy engine API described herein is just for this implementation. .Pp AH and tunnel mode encapsulation may not work as you might expect. If you configure inbound @@ -337,3 +403,9 @@ operations on sockets may fail due to lack of space. Increasing the socket buffer size may alleviate this problem. +.Pp +The +.Tn IPcomp +protocol support is currently broken. +.Pp +This documentation needs more review. |
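Review bot: in the @@ -29,44 +29,68 @@ hunk the rewritten protocol list is missing a comma after the ESP expansion, so it renders as "ESP (for Encapsulating Security Payload) AH (for Authentication Header), and IPComp ..."; change `+(for Encapsulating Security Payload)` to `+(for Encapsulating Security Payload),` so the three items are separated consistently. In the same hunk, "ESP, in addition, prevents unauthorized parties from reading the payload of an IP packet by also encrypting it" says "in addition" and "also" for the same thing; dropping "also" reads cleaner. The IPComp paragraph ("This will help nodes on slow links but with enough computing power.") presents the protocol purely as a benefit, while the BUGS hunk at the end of this patch states that IPcomp support is currently broken; a pointer to the BUGS section here would stop readers from enabling net.inet.ipcomp.ipcomp_enable expecting it to work.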
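Review bot: in the @@ -119,19 +143,18 @@ hunk, deleting `-command.` and continuing straight into `+you can define IPsec policies against packets using rules similar to packet` leaves the sentence reading "policies using the PF_KEY interface, via the setkey(8) you can define IPsec policies ...", where "the" now has no noun to attach to. Keep "command" or restructure, for example "via the setkey(8) command, you can define IPsec policies ...". The same hunk also drops "In either case, IPsec policies must be specified using the syntax described in ipsec_set_policy(3)"; since the setsockopt(2) path mentioned in the preceding hunk's context still uses that syntax and ipsec_set_policy(3) is kept in SEE ALSO, consider keeping that pointer in the body text rather than only in the cross-reference list.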
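Review bot: in the @@ -181,7 +204,19 @@ hunk, the new `.Bl -column` table writes each row as a single quoted string (`.It "net.inet.esp.esp_enable On"`); mdoc column lists split cells only on tabs or the `Ta` macro, so if these are plain spaces the Name and Default columns will not line up. Use `.It net.inet.esp.esp_enable Ta On` (or real tabs) for the header and the three rows. "In addition the following variables" also wants a comma after "In addition". The unchanged context at the end of the hunk still carries the width template `net.inet6.ipsec6.inbonud_call_ike` with "inbound" misspelled; it only affects column width, but it is worth fixing while this section is being touched.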
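Review bot: in the @@ -303,12 +339,42 @@ hunk, the new HISTORY text reads "After this the old KAME IPsec implementation was dropped and fast_ipsec became what now is the only IPsec implementation in FreeBSD"; add a comma after "After this" and prefer "what is now the only". "For FreeBSD 5.0 a fully locked IPsec implementation ..." and "For FreeBSD 7.0 ip6(4) support was added ..." likewise want a comma after the release number. "Fully locked" is kernel jargon that a manual page reader may not recognise; a few words saying what that means for them would make the paragraph self-contained.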
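Review bot: in the @@ -337,3 +403,9 @@ hunk the protocol is spelled `.Tn IPcomp`, while the DESCRIPTION hunk at the top of this patch introduces it as `.Tn IPComp`; pick one spelling (IPComp matches the expansion "IP Payload Compression Protocol" given there). Since this BUGS entry says the support is currently broken and the sysctl table in the @@ -181,7 +204,19 @@ hunk shows net.inet.ipcomp.ipcomp_enable defaulting to Off, it would help to state here that the knob is off by default and should be left so until the support is fixed.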