From 832f8d224926758a9ae0b23a6b45353e44fbc87a Mon Sep 17 00:00:00 2001 From: ume Date: Mon, 11 Jun 2001 12:39:29 +0000 Subject: Sync with recent KAME. This work was based on kame-20010528-freebsd43-snap.tgz and some critical problems after the snap was out were fixed. There are many many changes since the last KAME merge. TODO: - The definitions of SADB_* in sys/net/pfkeyv2.h are still different from RFC2407/IANA assignment because of a binary compatibility issue. It should be fixed under 5-CURRENT. - ip6po_m member of struct ip6_pktopts is no longer used. But it is still there because of a binary compatibility issue. It should be removed under 5-CURRENT. Reviewed by: itojun Obtained from: KAME MFC after: 3 weeks --- usr.sbin/setkey/setkey.8 | 161 +++++++++++++++++++++++++++++++++-------------- 1 file changed, 115 insertions(+), 46 deletions(-) diff --git a/usr.sbin/setkey/setkey.8 b/usr.sbin/setkey/setkey.8 index 7921800..368fc5d 100644 --- a/usr.sbin/setkey/setkey.8 +++ b/usr.sbin/setkey/setkey.8 @@ -1,5 +1,5 @@ -.\" $FreeBSD$ -.\" $KAME: setkey.8,v 1.28 2000/06/16 12:03:46 sakane Exp $ +.\" $KAME: setkey.8,v 1.49 2001/05/18 05:49:51 sakane Exp $ +.\" $FreeBSD$ .\" .\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. .\" All rights reserved. @@ -28,9 +28,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd May 17, 1998 +.Dd November 20, 2000 .Dt SETKEY 8 -.Os KAME +.Os .\" .Sh NAME .Nm setkey @@ -55,7 +55,7 @@ .\" .Sh DESCRIPTION .Nm -addes, updates, dumpes, or flushes +adds, updates, dumps, or flushes Security Association Database (SAD) entries as well as Security Policy Database (SPD) entries in the kernel. .Pp 
@@ -94,11 +94,14 @@ it has been expired but remains because it is referenced by SPD entries. .It Fl d Enable to print debugging messages for command parser, -without talking to kernel. It is not used usually. +without talking to kernel. +It is not used usually. .It Fl x Loop forever and dump all the messages transmitted to .Dv PF_KEY socket. +.Fl xx +makes each timestamps unformatted. .It Fl h Add hexadecimal dump on .Fl x @@ -108,14 +111,13 @@ Loop forever with short output on .Fl D . .It Fl v Be verbose. +The program will dump messages exchanged on .Dv PF_KEY -socket -.Po -including messages sent from other processes -.Pc . +socket, including messages sent from other processes to the kernel. .El .Pp -Operations have the following grammar. Note that lines starting with +Operations have the following grammar. +Note that lines starting with hashmarks ('#') are treated as comment lines. .Bl -tag -width Ds .It Xo @@ -142,6 +144,13 @@ Show an SAD entry. Remove an SAD entry. .\" .It Xo +.Li deleteall +.Ar src Ar dst Ar protocol +.Li ; +.Xc +Remove all SAD entries that match the specification. +.\" +.It Xo .Li flush .Op Ar protocol .Li ; @@ -227,7 +236,7 @@ attached .\" .Pp .It Ar extensions -take some of the following: +takes some of the following: .Bl -tag -width Fl -compact .\" .It Fl m Ar mode 
@@ -243,39 +252,49 @@ The default value is .It Fl r Ar size Specify window size of bytes for replay prevention. .Ar size -must be decimal number in 32-bit word. If +must be decimal number in 32-bit word. +If .Ar size is zero or not specified, replay check don't take place. .\" .It Fl u Ar id -Specify the identifier of policy. See also -.Xr ipsec_set_policy 3 . +Specify the identifier of the policy entry in SPD. +See +.Ar policy . .\" .It Fl f Ar pad_option +defines the content of the ESP padding. .Ar pad_option is one of following: -.Li zero-pad , random-pad -or -.Li seq-pad +.Bl -tag -width random-pad -compact +.It Li zero-pad +All of the padding are zero. +.It Li random-pad +A series of randomized values are set. +.It Li seq-pad +A series of sequential increasing numbers started from 1 are set. +.El .\" .It Fl f Li nocyclic-seq Don't allow cyclic sequence number. .\" .It Fl lh Ar time .It Fl ls Ar time -Specify hard/soft lifetime. +Specify hard/soft life time duration of the SA. .El .\" .Pp .It Ar algorithm .Bl -tag -width Fl -compact .It Fl E Ar ealgo Ar key -Specify encryption algorithm. +Specify a encryption algorithm. .It Fl A Ar aalgo Ar key -Specify authentication algorithm. +Specify a authentication algorithm. If .Fl A -is used for esp, it will be treated as ESP payload authentication algorithm. +is used with +.Ar protocol Li esp , +it will be treated as ESP payload authentication algorithm. .It Fl C Ar calgo Op Fl R Specify compression algorithm. If @@ -302,23 +321,23 @@ field needs to be smaller than in this case. .El .Pp -.Li esp -SAs accept +.Ar protocol Li esp +accepts .Fl E and .Fl A . -.Li esp-old -SAs accept +.Ar protocol Li esp-old +accepts .Fl E only. -.Li ah +.Ar protocol Li ah and .Li ah-old -SAs accept +accept .Fl A only. -.Li ipcomp -SAs accept +.Ar protocol Li ipcomp +accepts .Fl C only. .Pp 
@@ -365,45 +384,57 @@ They must be in numeric form. .Pp .It Ar upperspec Upper-layer protocol to be used. -Currently -.Li icmp , +You can use one of words in +.Pa /etc/protocols +as +.Ar upperspec . +Or .Li icmp6 , .Li ip4 , -.Li tcp , -.Li udp and .Li any can be specified. .Li any stands for .Dq any protocol . +Also you can use the protocol number. .Pp NOTE: .Ar upperspec does not work against forwarding case at this moment, as it requires extra reassembly at forwarding node .Pq not implemented at this moment . +We have many protocols in +.Pa /etc/protocols , +but protocols except of TCP, UDP and ICMP may not be suitable to use with IPSec. +You have to consider and be careful to use them. +.Li icmp +.Li tcp +.Li udp +all protocols .\" .Pp .It Ar policy .Ar policy is the one of following: -.Pp -.Bl -item -compact -.It +.Bd -literal -offset +.Xo .Fl P .Ar direction .Li discard -.It +.Xc +.Xo .Fl P .Ar direction .Li none -.It +.Xc +.Xo .Fl P .Ar direction .Li ipsec .Ar protocol/mode/src-dst/level -.El +.Xc +.Ed .Pp You must specify the direction of its policy as .Ar direction . @@ -430,18 +461,33 @@ is either .Li transport or .Li tunnel . -You must specify the end-points addresses of the SA as +If +.Ar mode +is +.Li tunnel , +you must specify the end-points addresses of the SA as .Ar src and .Ar dst with .Sq - between these addresses which is used to specify the SA to use. +If +.Ar mode +is +.Li transport , +both +.Ar src +and +.Ar dst +can be omited. .Ar level is to be one of the following: -.Li default , use +.Li default , use , require or -.Li require . +.Li unique . +If the SA is not available in every level, the kernel will request +getting SA to the key exchange daemon. .Li default means the kernel consults to the system wide default against protocol you specified, e.g. 
@@ -451,7 +497,23 @@ sysctl variable, when the kernel processes the packet. means that the kernel use a SA if it's available, otherwise the kernel keeps normal operation. .Li require -means SA is required whenever the kernel deals with the packet. +means SA is required whenever the kernel sends a packet matched +with the policy. +.Li unique +is the same to require. +In addition, it allows the policy to bind with the unique out-bound SA. +If you use the SA by manual keying, +you can put the decimal number as the policy identifier after +.Li unique +separated by colon +.Sq \: +like the following; +.Li unique:number . +.Li number +must be between 1 and 32767. +It corresponds to +.Ar extensions Fl u . +.Pp Note that .Dq Li discard and @@ -491,6 +553,12 @@ keyed-md5 128 ah: 96bit ICV (no document) keyed-sha1 160 ah: 96bit ICV (no document) 160 ah-old: 128bit ICV (no document) null 0 to 2048 for debugging +hmac-sha2-256 256 ah: 96bit ICV (no document) + 256 ah-old: 128bit ICV (no document) +hmac-sha2-384 384 ah: 96bit ICV (no document) + 384 ah-old: 128bit ICV (no document) +hmac-sha2-512 512 ah: 96bit ICV (no document) + 512 ah-old: 128bit ICV (no document) .Ed .Pp Followings are the list of encryption algorithms that can be used as @@ -508,9 +576,9 @@ des-cbc 64 esp-old: rfc1829, esp: rfc2405 simple 0 to 2048 rfc2410 blowfish-cbc 40 to 448 rfc2451 cast128-cbc 40 to 128 rfc2451 -rc5-cbc 40 to 2040 rfc2451 des-deriv 64 ipsec-ciph-des-derived-01 (expired) 3des-deriv 192 no document +rijndael-cbc 128/192/256 draft-ietf-ipsec-ciph-aes-cbc-00 .Ed .Pp Followings are the list of compression algorithms that can be used as @@ -555,7 +623,8 @@ The command exits with 0 on success, and non-zero on errors. .\" .Sh SEE ALSO .Xr ipsec_set_policy 3 , -.Xr sysctl 8 +.Xr sysctl 8 , +.Xr racoon 8 .\" .Sh HISTORY The
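Review bot: in hunk @@ -28,9 +28,9 @@ the new `.Dd November 20, 2000` is older than the `$KAME: setkey.8,v 1.49 2001/05/18` revision stamp imported by the first hunk, so the date printed in the page footer will predate its own content. Bump `.Dd` to the date of the last textual change, or at least to the KAME revision date.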
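Review bot: in hunk @@ -94,11 +94,14 @@ the added `.Fl xx` text "makes each timestamps unformatted" is ungrammatical and does not say what the unformatted form looks like. Suggest "prints each timestamp unformatted" followed by one clause stating the raw representation the user will see in the dump.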
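Review bot: in hunk @@ -142,6 +144,13 @@ the new `deleteall src dst protocol ;` takes no SPI, so "Remove all SAD entries that match the specification" should say explicitly that every SA between `src` and `dst` for that protocol is removed regardless of SPI; otherwise a reader may assume it behaves like `delete` with a wildcard and be surprised by the scope.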
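Review bot: in hunk @@ -243,39 +252,49 @@ "Specify a encryption algorithm" and "Specify a authentication algorithm" should read "an". While this paragraph is being reworded, the context line "If size is zero or not specified, replay check don't take place" deserves a grammar fix ("does not take place") and a plainer statement of its consequence: omitting `-r` leaves the SA without anti-replay protection, so users who want replay detection must pass `-r` with a non-zero window explicitly.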
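Review bot: in hunk @@ -365,45 +384,57 @@ the four added lines `.Li icmp`, `.Li tcp`, `.Li udp` and `all protocols` after "You have to consider and be careful to use them." sit outside any list macro and will render as a bare run of words; either drop them or fold them into the preceding sentence. In the same hunk, `.Bd -literal -offset` is missing the offset argument (for example `-offset indent`), and "protocols except of TCP, UDP and ICMP" should read "protocols other than TCP, UDP and ICMP".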
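Review bot: in hunk @@ -430,18 +461,33 @@ "can be omited" should be "omitted", and "If the SA is not available in every level, the kernel will request getting SA to the key exchange daemon" is hard to parse; suggest "If no SA is available, the kernel asks the key exchange daemon to set one up" and confirm whether "every level" means any of the listed levels or only some of them, since that decides whether `default` and `use` also trigger a request.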
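Review bot: in hunk @@ -451,7 +497,23 @@ the separator is written as `.Sq \:`, but `\:` is a roff zero-width break escape rather than a literal colon, so the quoted separator will render as empty quotes; use `.Sq :` (or `\&:`). Also "is the same to require" should be "is the same as require", and "like the following;" should end with a colon.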
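Review bot: in hunk @@ -491,6 +553,12 @@ the new hmac-sha2-256/384/512 rows carry "(no document)", which means the 96-bit (ah) and 128-bit (ah-old) ICV truncations are this implementation's own choice with no specification behind them; a short sentence after the table saying that these lengths are not guaranteed to interoperate with other implementations would save users from silent authentication failures on mixed-vendor links.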
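Review bot: in hunk @@ -508,9 +576,9 @@ the removal of `rc5-cbc` from the encryption table is a user-visible change that neither the commit message nor the man page mentions; existing configurations naming it will start failing, so note the removal (HISTORY or a sentence near the table). The new `rijndael-cbc` row cites `draft-ietf-ipsec-ciph-aes-cbc-00`, a draft revision that will be superseded, so expect the reference to need updating.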