1 .TH IP\-XFRM 8 "20 Dec 2011" "iproute2" "Linux"
2 .SH "NAME"
3 ip-xfrm \- transform configuration
4 .SH "SYNOPSIS"
5 .sp
6 .ad l
7 .in +8
8 .ti -8
9 .B ip
10 .RI "[ " OPTIONS " ]"
11 .B xfrm
12 .RI " { " COMMAND " | "
13 .BR help " }"
14 .sp
15
16 .ti -8
17 .B "ip xfrm"
18 .IR XFRM-OBJECT " { " COMMAND " | "
19 .BR help " }"
20 .sp
21
22 .ti -8
23 .IR XFRM-OBJECT " :="
24 .BR state " | " policy " | " monitor
25 .sp
26
27 .ti -8
28 .BR "ip xfrm state" " { " add " | " update " } "
29 .IR ID " [ " ALGO-LIST " ]"
30 .RB "[ " mode
31 .IR MODE " ]"
32 .RB "[ " mark
33 .I MARK
34 .RB "[ " mask
35 .IR MASK " ] ]"
36 .RB "[ " reqid
37 .IR REQID " ]"
38 .RB "[ " seq
39 .IR SEQ " ]"
40 .RB "[ " replay-window
41 .IR SIZE " ]"
42 .RB "[ " replay-seq
43 .IR SEQ " ]"
44 .RB "[ " replay-oseq
45 .IR SEQ " ]"
46 .RB "[ " flag
47 .IR FLAG-LIST " ]"
48 .RB "[ " sel
49 .IR SELECTOR " ] [ " LIMIT-LIST " ]"
50 .RB "[ " encap
51 .IR ENCAP " ]"
52 .RB "[ " coa
53 .IR ADDR "[/" PLEN "] ]"
54 .RB "[ " ctx
55 .IR CTX " ]"
56
57 .ti -8
58 .B "ip xfrm state allocspi"
59 .I ID
60 .RB "[ " mode
61 .IR MODE " ]"
62 .RB "[ " mark
63 .I MARK
64 .RB "[ " mask
65 .IR MASK " ] ]"
66 .RB "[ " reqid
67 .IR REQID " ]"
68 .RB "[ " seq
69 .IR SEQ " ]"
70 .RB "[ " min
71 .I SPI
72 .B max
73 .IR SPI " ]"
74
75 .ti -8
76 .BR "ip xfrm state" " { " delete " | " get " } "
77 .I ID
78 .RB "[ " mark
79 .I MARK
80 .RB "[ " mask
81 .IR MASK " ] ]"
82
83 .ti -8
84 .BR "ip xfrm state" " { " deleteall " | " list " } ["
85 .IR ID " ]"
86 .RB "[ " mode
87 .IR MODE " ]"
88 .RB "[ " reqid
89 .IR REQID " ]"
90 .RB "[ " flag
91 .IR FLAG-LIST " ]"
92
93 .ti -8
94 .BR "ip xfrm state flush" " [ " proto
95 .IR XFRM-PROTO " ]"
96
97 .ti -8
98 .BR "ip xfrm state count"
99
100 .ti -8
101 .IR ID " :="
102 .RB "[ " src
103 .IR ADDR " ]"
104 .RB "[ " dst
105 .IR ADDR " ]"
106 .RB "[ " proto
107 .IR XFRM-PROTO " ]"
108 .RB "[ " spi
109 .IR SPI " ]"
110
111 .ti -8
112 .IR XFRM-PROTO " :="
113 .BR esp " | " ah " | " comp " | " route2 " | " hao
114
115 .ti -8
116 .IR ALGO-LIST " := [ " ALGO-LIST " ] " ALGO
117
118 .ti -8
119 .IR ALGO " :="
120 .RB "{ " enc " | " auth " } "
121 .IR ALGO-NAME " " ALGO-KEYMAT " |"
122 .br
123 .B auth-trunc
124 .IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-TRUNC-LEN " |"
125 .br
126 .B aead
127 .IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-ICV-LEN " |"
128 .br
129 .B comp
130 .IR ALGO-NAME
131
132 .ti -8
133 .IR MODE " := "
134 .BR transport " | " tunnel " | " beet " | " ro " | " in_trigger
135
136 .ti -8
137 .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
138
139 .ti -8
140 .IR FLAG " :="
141 .BR noecn " | " decap-dscp " | " nopmtudisc " | " wildrecv " | " icmp " | " af-unspec " | " align4
142
143 .ti -8
144 .IR SELECTOR " :="
145 .RB "[ " src
146 .IR ADDR "[/" PLEN "] ]"
147 .RB "[ " dst
148 .IR ADDR "[/" PLEN "] ]"
149 .RB "[ " dev
150 .IR DEV " ]"
151 .br
152 .RI "[ " UPSPEC " ]"
153
154 .ti -8
155 .IR UPSPEC " := "
156 .BR proto " {"
157 .IR PROTO " |"
158 .br
159 .RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
160 .IR PORT " ]"
161 .RB "[ " dport
162 .IR PORT " ] |"
163 .br
164 .RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
165 .IR NUMBER " ]"
166 .RB "[ " code
167 .IR NUMBER " ] |"
168 .br
169 .BR gre " [ " key
170 .RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
171
172 .ti -8
173 .IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
174 .B limit
175 .I LIMIT
176
177 .ti -8
178 .IR LIMIT " :="
179 .RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
180 .IR "SECONDS" " |"
181 .br
182 .RB "{ " byte-soft " | " byte-hard " }"
183 .IR SIZE " |"
184 .br
185 .RB "{ " packet-soft " | " packet-hard " }"
186 .I COUNT
187
188 .ti -8
189 .IR ENCAP " :="
190 .RB "{ " espinudp " | " espinudp-nonike " }"
191 .IR SPORT " " DPORT " " OADDR
192
193 .ti -8
194 .BR "ip xfrm policy" " { " add " | " update " }"
195 .I SELECTOR
196 .B dir
197 .I DIR
198 .RB "[ " ctx
199 .IR CTX " ]"
200 .RB "[ " mark
201 .I MARK
202 .RB "[ " mask
203 .IR MASK " ] ]"
204 .RB "[ " index
205 .IR INDEX " ]"
206 .RB "[ " ptype
207 .IR PTYPE " ]"
208 .RB "[ " action
209 .IR ACTION " ]"
210 .RB "[ " priority
211 .IR PRIORITY " ]"
212 .RB "[ " flag
213 .IR FLAG-LIST " ]"
214 .RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]"
215
216 .ti -8
217 .BR "ip xfrm policy" " { " delete " | " get " }"
218 .RI "{ " SELECTOR " | "
219 .B index
220 .IR INDEX " }"
221 .B dir
222 .I DIR
223 .RB "[ " ctx
224 .IR CTX " ]"
225 .RB "[ " mark
226 .I MARK
227 .RB "[ " mask
228 .IR MASK " ] ]"
229 .RB "[ " ptype
230 .IR PTYPE " ]"
231
232 .ti -8
233 .BR "ip xfrm policy" " { " deleteall " | " list " }"
234 .RI "[ " SELECTOR " ]"
235 .RB "[ " dir
236 .IR DIR " ]"
237 .RB "[ " index
238 .IR INDEX " ]"
239 .RB "[ " ptype
240 .IR PTYPE " ]"
241 .RB "[ " action
242 .IR ACTION " ]"
243 .RB "[ " priority
244 .IR PRIORITY " ]"
245
246 .ti -8
247 .B "ip xfrm policy flush"
248 .RB "[ " ptype
249 .IR PTYPE " ]"
250
251 .ti -8
252 .B "ip xfrm policy count"
253
254 .ti -8
255 .IR SELECTOR " :="
256 .RB "[ " src
257 .IR ADDR "[/" PLEN "] ]"
258 .RB "[ " dst
259 .IR ADDR "[/" PLEN "] ]"
260 .RB "[ " dev
261 .IR DEV " ]"
262 .RI "[ " UPSPEC " ]"
263
264 .ti -8
265 .IR UPSPEC " := "
266 .BR proto " {"
267 .IR PROTO " |"
268 .br
269 .RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
270 .IR PORT " ]"
271 .RB "[ " dport
272 .IR PORT " ] |"
273 .br
274 .RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
275 .IR NUMBER " ]"
276 .RB "[ " code
277 .IR NUMBER " ] |"
278 .br
279 .BR gre " [ " key
280 .RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
281
282 .ti -8
283 .IR DIR " := "
284 .BR in " | " out " | " fwd
285
286 .ti -8
287 .IR PTYPE " := "
288 .BR main " | " sub
289
290 .ti -8
291 .IR ACTION " := "
292 .BR allow " | " block
293
294 .ti -8
295 .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
296
297 .ti -8
298 .IR FLAG " :="
299 .BR localok " | " icmp
300
301 .ti -8
302 .IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
303 .B limit
304 .I LIMIT
305
306 .ti -8
307 .IR LIMIT " :="
308 .RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
309 .IR "SECONDS" " |"
310 .br
311 .RB "{ " byte-soft " | " byte-hard " }"
312 .IR SIZE " |"
313 .br
314 .RB "{ " packet-soft " | " packet-hard " }"
315 .I COUNT
316
317 .ti -8
318 .IR TMPL-LIST " := [ " TMPL-LIST " ]"
319 .B tmpl
320 .I TMPL
321
322 .ti -8
323 .IR TMPL " := " ID
324 .RB "[ " mode
325 .IR MODE " ]"
326 .RB "[ " reqid
327 .IR REQID " ]"
328 .RB "[ " level
329 .IR LEVEL " ]"
330
331 .ti -8
332 .IR ID " :="
333 .RB "[ " src
334 .IR ADDR " ]"
335 .RB "[ " dst
336 .IR ADDR " ]"
337 .RB "[ " proto
338 .IR XFRM-PROTO " ]"
339 .RB "[ " spi
340 .IR SPI " ]"
341
342 .ti -8
343 .IR XFRM-PROTO " :="
344 .BR esp " | " ah " | " comp " | " route2 " | " hao
345
346 .ti -8
347 .IR MODE " := "
348 .BR transport " | " tunnel " | " beet " | " ro " | " in_trigger
349
350 .ti -8
351 .IR LEVEL " :="
352 .BR required " | " use
353
354 .ti -8
355 .BR "ip xfrm monitor" " [ " all " |"
356 .IR LISTofXFRM-OBJECTS " ]"
357
358 .in -8
359 .ad b
360
361 .SH DESCRIPTION
362
363 xfrm is an IP framework for transforming packets (such as encrypting
364 their payloads). This framework is used to implement the IPsec protocol
365 suite (with the
366 .B state
367 object operating on the Security Association Database, and the
368 .B policy
369 object operating on the Security Policy Database). It is also used for
370 the IP Payload Compression Protocol and features of Mobile IPv6.
371
372 .SS ip xfrm state add - add new state into xfrm
373
374 .SS ip xfrm state update - update existing state in xfrm
375
376 .SS ip xfrm state allocspi - allocate an SPI value
377
378 .SS ip xfrm state delete - delete existing state in xfrm
379
380 .SS ip xfrm state get - get existing state in xfrm
381
382 .SS ip xfrm state deleteall - delete all existing state in xfrm
383
384 .SS ip xfrm state list - print out the list of existing state in xfrm
385
386 .SS ip xfrm state flush - flush all state in xfrm
387
388 .SS ip xfrm state count - count all existing state in xfrm
389
390 .TP
391 .IR ID
392 is specified by a source address, destination address,
393 .RI "transform protocol " XFRM-PROTO ","
394 and/or Security Parameter Index
395 .IR SPI "."
396 (For IP Payload Compression, the Compression Parameter Index or CPI is used for
397 .IR SPI ".)"
398
399 .TP
400 .I XFRM-PROTO
401 specifies a transform protocol:
402 .RB "IPsec Encapsulating Security Payload (" esp "),"
403 .RB "IPsec Authentication Header (" ah "),"
404 .RB "IP Payload Compression (" comp "),"
405 .RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
406 .RB "Mobile IPv6 Home Address Option (" hao ")."
407
408 .TP
409 .I ALGO-LIST
410 contains one or more algorithms to use. Each algorithm
411 .I ALGO
412 is specified by:
413 .RS
414 .IP \[bu]
415 the algorithm type:
416 .RB "encryption (" enc "),"
417 .RB "authentication (" auth " or " auth-trunc "),"
418 .RB "authenticated encryption with associated data (" aead "), or"
419 .RB "compression (" comp ")"
420 .IP \[bu]
421 the algorithm name
422 .IR ALGO-NAME
423 (see below)
424 .IP \[bu]
425 .RB "(for all except " comp ")"
426 the keying material
427 .IR ALGO-KEYMAT ","
428 which may include both a key and a salt or nonce value; refer to the
429 corresponding RFC
430 .IP \[bu]
431 .RB "(for " auth-trunc " only)"
432 the truncation length
433 .I ALGO-TRUNC-LEN
434 in bits
435 .IP \[bu]
436 .RB "(for " aead " only)"
437 the Integrity Check Value length
438 .I ALGO-ICV-LEN
439 in bits
440 .RE
441
442 .nh
443 .RS
444 Encryption algorithms include
445 .BR ecb(cipher_null) ", " cbc(des) ", " cbc(des3_ede) ", " cbc(cast5) ","
446 .BR cbc(blowfish) ", " cbc(aes) ", " cbc(serpent) ", " cbc(camellia) ","
447 .BR cbc(twofish) ", and " rfc3686(ctr(aes)) "."
448
449 Authentication algorithms include
450 .BR digest_null ", " hmac(md5) ", " hmac(sha1) ", " hmac(sha256) ","
451 .BR hmac(sha384) ", " hmac(sha512) ", " hmac(rmd160) ", and " xcbc(aes) "."
452
453 Authenticated encryption with associated data (AEAD) algorithms include
454 .BR rfc4106(gcm(aes)) ", " rfc4309(ccm(aes)) ", and " rfc4543(gcm(aes)) "."
455
456 Compression algorithms include
457 .BR deflate ", " lzs ", and " lzjh "."
458 .RE
459 .hy
460
461 .TP
462 .I MODE
463 specifies a mode of operation for the transform protocol. IPsec and IP Payload
464 Compression modes are
465 .BR transport ", " tunnel ","
466 and (for IPsec ESP only) Bound End-to-End Tunnel
467 .RB "(" beet ")."
468 Mobile IPv6 modes are route optimization
469 .RB "(" ro ")"
470 and inbound trigger
471 .RB "(" in_trigger ")."
472
473 .TP
474 .I FLAG-LIST
475 contains one or more of the following optional flags:
476 .BR noecn ", " decap-dscp ", " nopmtudisc ", " wildrecv ", " icmp ", "
477 .BR af-unspec ", or " align4 "."
478
479 .TP
480 .IR SELECTOR
481 selects the traffic that will be controlled by the policy, based on the source
482 address, the destination address, the network device, and/or
483 .IR UPSPEC "."
484
485 .TP
486 .IR UPSPEC
487 selects traffic by protocol. For the
488 .BR tcp ", " udp ", " sctp ", or " dccp
489 protocols, the source and destination port can optionally be specified.
490 For the
491 .BR icmp ", " ipv6-icmp ", or " mobility-header
492 protocols, the type and code numbers can optionally be specified.
493 For the
494 .B gre
495 protocol, the key can optionally be specified as a dotted-quad or number.
496 Other protocols can be selected by name or number
497 .IR PROTO "."
498
499 .TP
500 .I LIMIT-LIST
501 sets limits in seconds, bytes, or numbers of packets.
502
503 .TP
504 .I ENCAP
505 encapsulates packets with protocol
506 .BR espinudp " or " espinudp-nonike ","
507 .RI "using source port " SPORT ", destination port " DPORT
508 .RI ", and original address " OADDR "."
509
510 .SS ip xfrm policy add - add a new policy
511
512 .SS ip xfrm policy update - update an existing policy
513
514 .SS ip xfrm policy delete - delete an existing policy
515
516 .SS ip xfrm policy get - get an existing policy
517
518 .SS ip xfrm policy deleteall - delete all existing xfrm policies
519
520 .SS ip xfrm policy list - print out the list of xfrm policies
521
522 .SS ip xfrm policy flush - flush policies
523
524 .SS ip xfrm policy count - count existing policies
525
526 .TP
527 .IR SELECTOR
528 selects the traffic that will be controlled by the policy, based on the source
529 address, the destination address, the network device, and/or
530 .IR UPSPEC "."
531
532 .TP
533 .IR UPSPEC
534 selects traffic by protocol. For the
535 .BR tcp ", " udp ", " sctp ", or " dccp
536 protocols, the source and destination port can optionally be specified.
537 For the
538 .BR icmp ", " ipv6-icmp ", or " mobility-header
539 protocols, the type and code numbers can optionally be specified.
540 For the
541 .B gre
542 protocol, the key can optionally be specified as a dotted-quad or number.
543 Other protocols can be selected by name or number
544 .IR PROTO "."
545
546 .TP
547 .I DIR
548 selects the policy direction as
549 .BR in ", " out ", or " fwd "."
550
551 .TP
552 .I CTX
553 sets the security context.
554
555 .TP
556 .I PTYPE
557 can be
558 .BR main " (default) or " sub "."
559
560 .TP
561 .I ACTION
562 can be
563 .BR allow " (default) or " block "."
564
565 .TP
566 .I PRIORITY
567 is a number that defaults to zero.
568
569 .TP
570 .I FLAG-LIST
571 contains one or both of the following optional flags:
572 .BR localok " or " icmp "."
573
574 .TP
575 .I LIMIT-LIST
576 sets limits in seconds, bytes, or numbers of packets.
577
578 .TP
579 .I TMPL-LIST
580 is a template list specified using
581 .IR ID ", " MODE ", " REQID ", and/or " LEVEL "."
582
583 .TP
584 .IR ID
585 is specified by a source address, destination address,
586 .RI "transform protocol " XFRM-PROTO ","
587 and/or Security Parameter Index
588 .IR SPI "."
589 (For IP Payload Compression, the Compression Parameter Index or CPI is used for
590 .IR SPI ".)"
591
592 .TP
593 .I XFRM-PROTO
594 specifies a transform protocol:
595 .RB "IPsec Encapsulating Security Payload (" esp "),"
596 .RB "IPsec Authentication Header (" ah "),"
597 .RB "IP Payload Compression (" comp "),"
598 .RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
599 .RB "Mobile IPv6 Home Address Option (" hao ")."
600
601 .TP
602 .I MODE
603 specifies a mode of operation for the transform protocol. IPsec and IP Payload
604 Compression modes are
605 .BR transport ", " tunnel ","
606 and (for IPsec ESP only) Bound End-to-End Tunnel
607 .RB "(" beet ")."
608 Mobile IPv6 modes are route optimization
609 .RB "(" ro ")"
610 and inbound trigger
611 .RB "(" in_trigger ")."
612
613 .TP
614 .I LEVEL
615 can be
616 .BR required " (default) or " use "."
617
618 .SS ip xfrm monitor - state monitoring for xfrm objects
619 The xfrm objects to monitor can be optionally specified.
620
621 .SH AUTHOR
622 Manpage revised by David Ward <david.ward@ll.mit.edu>