summaryrefslogtreecommitdiffstats
path: root/share/man/man4
diff options
context:
space:
mode:
Diffstat (limited to 'share/man/man4')
-rw-r--r--share/man/man4/Makefile1
-rw-r--r--share/man/man4/if_ipsec.4141
-rw-r--r--share/man/man4/ipsec.433
-rw-r--r--share/man/man4/tcp.424
-rw-r--r--share/man/man4/udp.416
5 files changed, 197 insertions, 18 deletions
diff --git a/share/man/man4/Makefile b/share/man/man4/Makefile
index 1ac5387..8543ec0 100644
--- a/share/man/man4/Makefile
+++ b/share/man/man4/Makefile
@@ -202,6 +202,7 @@ MAN= aac.4 \
icmp.4 \
icmp6.4 \
ida.4 \
+ if_ipsec.4 \
ifmib.4 \
ig4.4 \
igb.4 \
diff --git a/share/man/man4/if_ipsec.4 b/share/man/man4/if_ipsec.4
new file mode 100644
index 0000000..2e978c0
--- /dev/null
+++ b/share/man/man4/if_ipsec.4
@@ -0,0 +1,141 @@
+.\" Copyright (c) 2017 Andrey V. Elsukov <ae@FreeBSD.org>
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd February 6, 2017
+.Dt if_ipsec 4
+.Os
+.Sh NAME
+.Nm if_ipsec
+.Nd IPsec virtual tunneling interface
+.Sh SYNOPSIS
+The
+.Cm if_ipsec
+network interface is a part of the
+.Fx
+IPsec implementation.
+To compile it into the kernel, place this line in the kernel
+configuration file:
+.Bd -ragged -offset indent
+.Cd "options IPSEC"
+.Ed
+.Pp
+It can also be loaded as part of the
+.Cm ipsec
+kernel module if the kernel was compiled with
+.Bd -ragged -offset indent
+.Cd "options IPSEC_SUPPORT"
+.Ed
+.Sh DESCRIPTION
+The
+.Nm
+network interface is targeted for creating route-based VPNs.
+It can tunnel IPv4 and IPv6 traffic over either IPv4 or IPv6 and secure
+it with ESP.
+.Pp
+.Nm
+interfaces are dynamically created and destroyed with the
+.Xr ifconfig 8
+.Cm create
+and
+.Cm destroy
+subcommands.
+The administrator must configure IPsec
+.Cm tunnel
+endpoint addresses.
+These addresses will be used for the outer IP header of ESP packets.
+The administrator can also configure the protocol and addresses for the inner
+IP header with
+.Xr ifconfig 8 ,
+and modify the routing table to route the packets through the
+.Nm
+interface.
+.Pp
+When the
+.Nm
+interface is configured, it automatically creates special security policies.
+These policies can be used to acquire security associations from the IKE daemon,
+which are needed for establishing an IPsec tunnel.
+It is also possible to create needed security associations manually with the
+.Xr setkey 8
+utility.
+.Pp
+Each
+.Nm
+interface has an additional numeric configuration option
+.Cm reqid Ar id .
+This
+.Ar id
+is used to distinguish traffic and security policies between several
+.Nm
+interfaces.
+The
+.Cm reqid
+can be specified on interface creation and changed later.
+If not specified, it is automatically assigned.
+Note that changing
+.Cm reqid
+will lead to generation of new security policies, and this
+may require creating new security associations.
+.Sh EXAMPLES
+The example below shows manual configuration of an IPsec tunnel
+between two FreeBSD hosts.
+Host A has the IP address 192.168.0.3, and host B has the IP address
+192.168.0.5.
+.Pp
+On host A:
+.Bd -literal -offset indent
+ifconfig ipsec0 create reqid 100
+ifconfig ipsec0 inet tunnel 192.168.0.3 192.168.0.5
+ifconfig ipsec0 inet 172.16.0.3/16 172.16.0.5
+setkey -c
+add 192.168.0.3 192.168.0.5 esp 10000 -m tunnel -u 100 -E rijndael-cbc "VerySecureKey!!1";
+add 192.168.0.5 192.168.0.3 esp 10001 -m tunnel -u 100 -E rijndael-cbc "VerySecureKey!!2";
+^D
+.Ed
+.Pp
+On host B:
+.Bd -literal -offset indent
+ifconfig ipsec0 create reqid 200
+ifconfig ipsec0 inet tunnel 192.168.0.5 192.168.0.3
+ifconfig ipsec0 inet 172.16.0.5/16 172.16.0.3
+setkey -c
+add 192.168.0.3 192.168.0.5 esp 10000 -m tunnel -u 200 -E rijndael-cbc "VerySecureKey!!1";
+add 192.168.0.5 192.168.0.3 esp 10001 -m tunnel -u 200 -E rijndael-cbc "VerySecureKey!!2";
+^D
+.Ed
+.Pp
+Note the value 100 on host A and value 200 on host B are used as reqid.
+The same value must be used as identifier of the policy entry in the
+.Xr setkey 8
+command.
+.Sh SEE ALSO
+.Xr gif 4 ,
+.Xr gre 4 ,
+.Xr ipsec 4 ,
+.Xr ifconfig 8 ,
+.Xr setkey 8
+.Sh AUTHORS
+.An Andrey V. Elsukov Aq Mt ae@FreeBSD.org
diff --git a/share/man/man4/ipsec.4 b/share/man/man4/ipsec.4
index c6a3f24..9bee931 100644
--- a/share/man/man4/ipsec.4
+++ b/share/man/man4/ipsec.4
@@ -29,7 +29,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd November 29, 2009
+.Dd February 6, 2017
.Dt IPSEC 4
.Os
.Sh NAME
@@ -37,6 +37,7 @@
.Nd Internet Protocol Security protocol
.Sh SYNOPSIS
.Cd "options IPSEC"
+.Cd "options IPSEC_SUPPORT"
.Cd "device crypto"
.Pp
.In sys/types.h
@@ -151,6 +152,16 @@ Refer to
.Xr setkey 8
on how to use it.
.Pp
+Depending on the socket's address family, IPPROTO_IP or IPPROTO_IPV6
+transport level and IP_IPSEC_POLICY or IPV6_IPSEC_POLICY socket options
+may be used to configure per-socket security policies.
+A properly-formed IPsec policy specification structure can be
+created using
+.Xr ipsec_set_policy 3
+function and used as socket option value for the
+.Xr setsockopt 2
+call.
+.Pp
When setting policies using the
.Xr setkey 8
command, the
@@ -228,6 +239,8 @@ for tweaking the kernel's IPsec behavior:
.It "net.inet.ipsec.dfbit integer yes"
.It "net.inet.ipsec.ecn integer yes"
.It "net.inet.ipsec.debug integer yes"
+.It "net.inet.ipsec.natt_cksum_policy integer yes"
+.It "net.inet.ipsec.check_policy_history integer yes"
.It "net.inet6.ipsec6.ecn integer yes"
.It "net.inet6.ipsec6.debug integer yes"
.El
@@ -270,6 +283,23 @@ talks more about the behavior.
.It Li ipsec.debug
If set to non-zero, debug messages will be generated via
.Xr syslog 3 .
+.It Li ipsec.natt_cksum_policy
+Controls how the kernel handles TCP and UDP checksums when ESP in UDP
+encapsulation is used for IPsec transport mode.
+If set to a non-zero value, the kernel fully recomputes checksums for
+inbound TCP segments and UDP datagrams after they are decapsulated and
+decrypted.
+If set to 0 and original addresses were configured for corresponding SA
+by the IKE daemon, the kernel incrementally recomputes checksums for
+inbound TCP segments and UDP datagrams.
+If addresses were not configured, the checksums are ignored.
+.It Li ipsec.check_policy_history
+Enables strict policy checking for inbound packets.
+By default, inbound security policies check that packets handled by IPsec
+have been decrypted and authenticated.
+If this variable is set to a non-zero value, each packet handled by IPsec
+is checked against the history of IPsec security associations.
+The IPsec security protocol, mode, and SA addresses must match.
.El
.Pp
Variables under the
@@ -305,6 +335,7 @@ routines from looking into the IP payload.
.Xr ipsec_set_policy 3 ,
.Xr crypto 4 ,
.Xr enc 4 ,
+.Xr if_ipsec 4 ,
.Xr icmp6 4 ,
.Xr intro 4 ,
.Xr ip6 4 ,
diff --git a/share/man/man4/tcp.4 b/share/man/man4/tcp.4
index 9911a36..8c71716 100644
--- a/share/man/man4/tcp.4
+++ b/share/man/man4/tcp.4
@@ -34,7 +34,7 @@
.\" From: @(#)tcp.4 8.1 (Berkeley) 6/5/93
.\" $FreeBSD$
.\"
-.Dd October 21, 2016
+.Dd February 6, 2017
.Dt TCP 4
.Os
.Sh NAME
@@ -272,33 +272,27 @@ or the internal send buffer is filled.
This option enables the use of MD5 digests (also known as TCP-MD5)
on writes to the specified socket.
Outgoing traffic is digested;
-digests on incoming traffic are verified if the
-.Va net.inet.tcp.signature_verify_input
-sysctl is nonzero.
-The current default behavior for the system is to respond to a system
-advertising this option with TCP-MD5; this may change.
+digests on incoming traffic are verified.
+When this option is enabled on a socket, all inbound and outgoing
+TCP segments must be signed with MD5 digests.
.Pp
One common use for this in a
.Fx
router deployment is to enable
based routers to interwork with Cisco equipment at peering points.
Support for this feature conforms to RFC 2385.
-Only IPv4
-.Pq Dv AF_INET
-sessions are supported.
.Pp
In order for this option to function correctly, it is necessary for the
administrator to add a tcp-md5 key entry to the system's security
associations database (SADB) using the
.Xr setkey 8
utility.
-This entry must have an SPI of 0x1000 and can therefore only be specified
-on a per-host basis at this time.
+This entry can only be specified on a per-host basis at this time.
.Pp
-If an SADB entry cannot be found for the destination, the outgoing traffic
-will have an invalid digest option prepended, and the following error message
-will be visible on the system console:
-.Em "tcp_signature_compute: SADB lookup failed for %d.%d.%d.%d" .
+If an SADB entry cannot be found for the destination,
+the system does not send any outgoing segments and drops any inbound segments.
+.Pp
+Each dropped segment is taken into account in the TCP protocol statistics.
.El
.Pp
The option level for the
diff --git a/share/man/man4/udp.4 b/share/man/man4/udp.4
index 2f828bf..3d869c3 100644
--- a/share/man/man4/udp.4
+++ b/share/man/man4/udp.4
@@ -28,7 +28,7 @@
.\" @(#)udp.4 8.1 (Berkeley) 6/5/93
.\" $FreeBSD$
.\"
-.Dd June 5, 1993
+.Dd February 6, 2017
.Dt UDP 4
.Os
.Sh NAME
@@ -99,6 +99,17 @@ transport level may be used with
.Tn UDP ;
see
.Xr ip 4 .
+.Tn UDP_ENCAP
+socket option may be used at the
+.Tn IPPROTO_UDP
+level to encapsulate
+.Tn ESP
+packets in
+.Tn UDP .
+Only one value is supported for this option:
+.Tn UDP_ENCAP_ESPINUDP
+from RFC 3948, defined in
+.In netinet/udp.h .
.Sh MIB VARIABLES
The
.Nm
@@ -158,7 +169,8 @@ exists.
.Xr blackhole 4 ,
.Xr inet 4 ,
.Xr intro 4 ,
-.Xr ip 4
+.Xr ip 4 ,
+.Xr udplite 4
.Sh HISTORY
The
.Nm
OpenPOWER on IntegriCloud