.TH IP\-XFRM 8 "20 Dec 2011" "iproute2" "Linux"
ip-xfrm \- transform configuration
.RI " { " COMMAND " | "
.IR XFRM-OBJECT " { " COMMAND " | "
.BR state " | " policy " | " monitor
.BR "ip xfrm state" " { " add " | " update " } "
.IR ID " [ " ALGO-LIST " ]"
.RB "[ " replay-window
.RB "[ " replay-seq-hi
.RB "[ " replay-oseq-hi
.IR SELECTOR " ] [ " LIMIT-LIST " ]"
.IR ADDR "[/" PLEN "] ]"
.IR EXTRA-FLAG-LIST " ]"
.B "ip xfrm state allocspi"
.BR "ip xfrm state" " { " delete " | " get " } "
.BR ip " [ " -4 " | " -6 " ] " "xfrm state deleteall" " ["
.BR ip " [ " -4 " | " -6 " ] " "xfrm state list" " ["
.BR "ip xfrm state flush" " [ " proto
.BR "ip xfrm state count"
.BR esp " | " ah " | " comp " | " route2 " | " hao
.IR ALGO-LIST " := [ " ALGO-LIST " ] " ALGO
.RB "{ " enc " | " auth " } "
.IR ALGO-NAME " " ALGO-KEYMAT " |"
.IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-TRUNC-LEN " |"
.IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-ICV-LEN " |"
.BR transport " | " tunnel " | " beet " | " ro " | " in_trigger
.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
.BR noecn " | " decap-dscp " | " nopmtudisc " | " wildrecv " | " icmp " | "
.BR af-unspec " | " align4 " | " esn
.IR ADDR "[/" PLEN "] ]"
.IR ADDR "[/" PLEN "] ]"
.RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
.RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
.RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
.RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
.RB "{ " byte-soft " | " byte-hard " }"
.RB "{ " packet-soft " | " packet-hard " }"
.RB "{ " espinudp " | " espinudp-nonike " | " espintcp " }"
.IR SPORT " " DPORT " " OADDR
.IR EXTRA-FLAG-LIST " := [ " EXTRA-FLAG-LIST " ] " EXTRA-FLAG
.IR EXTRA-FLAG " := "
.BR dont-encap-dscp " | " oseq-may-wrap
.BR "ip xfrm policy" " { " add " | " update " }"
.RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]"
.BR "ip xfrm policy" " { " delete " | " get " }"
.RI "{ " SELECTOR " | "
.BR ip " [ " -4 " | " -6 " ] " "xfrm policy" " { " deleteall " | " list " }"
.RI "[ " SELECTOR " ]"
.B "ip xfrm policy flush"
.B "ip xfrm policy count"
.B "ip xfrm policy set"
.IR LBITS " " RBITS " ]"
.IR LBITS " " RBITS " ]"
.IR ADDR "[/" PLEN "] ]"
.IR ADDR "[/" PLEN "] ]"
.RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
.RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
.RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
.BR in " | " out " | " fwd
.BR allow " | " block
.IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
.BR localok " | " icmp
.IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
.RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
.RB "{ " byte-soft " | " byte-hard " }"
.RB "{ " packet-soft " | " packet-hard " }"
.IR TMPL-LIST " := [ " TMPL-LIST " ]"
.BR esp " | " ah " | " comp " | " route2 " | " hao
.BR transport " | " tunnel " | " beet " | " ro " | " in_trigger
.BR required " | " use
.BR "ip xfrm monitor" " ["
.IR LISTofXFRM-OBJECTS " ]"
.IR LISTofXFRM-OBJECTS " := [ " LISTofXFRM-OBJECTS " ] " XFRM-OBJECT
.IR XFRM-OBJECT " := "
.BR acquire " | " expire " | " SA " | " policy " | " aevent " | " report
xfrm is an IP framework for transforming packets (such as encrypting
their payloads). This framework is used to implement the IPsec protocol
object operating on the Security Association Database, and the
object operating on the Security Policy Database). It is also used for
the IP Payload Compression Protocol and features of Mobile IPv6.
ip xfrm state add add new state into xfrm
ip xfrm state update update existing state in xfrm
ip xfrm state allocspi allocate an SPI value
ip xfrm state delete delete existing state in xfrm
ip xfrm state get get existing state in xfrm
ip xfrm state deleteall delete all existing state in xfrm
ip xfrm state list print out the list of existing state in xfrm
ip xfrm state flush flush all state in xfrm
ip xfrm state count count all existing state in xfrm
is specified by a source address, destination address,
.RI "transform protocol " XFRM-PROTO ","
and/or Security Parameter Index
(For IP Payload Compression, the Compression Parameter Index or CPI is used for
specifies a transform protocol:
.RB "IPsec Encapsulating Security Payload (" esp "),"
.RB "IPsec Authentication Header (" ah "),"
.RB "IP Payload Compression (" comp "),"
.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
.RB "Mobile IPv6 Home Address Option (" hao ")."
contains one or more algorithms to use. Each algorithm
.RB "encryption (" enc "),"
.RB "authentication (" auth " or " auth-trunc "),"
.RB "authenticated encryption with associated data (" aead "), or"
.RB "compression (" comp ")"
.RB "(for all except " comp ")"
which may include both a key and a salt or nonce value; refer to the
.RB "(for " auth-trunc " only)"
the truncation length
.RB "(for " aead " only)"
the Integrity Check Value length
Encryption algorithms include
.BR ecb(cipher_null) ", " cbc(des) ", " cbc(des3_ede) ", " cbc(cast5) ","
.BR cbc(blowfish) ", " cbc(aes) ", " cbc(serpent) ", " cbc(camellia) ","
.BR cbc(twofish) ", and " rfc3686(ctr(aes)) "."
Authentication algorithms include
.BR digest_null ", " hmac(md5) ", " hmac(sha1) ", " hmac(sha256) ","
.BR hmac(sha384) ", " hmac(sha512) ", " hmac(rmd160) ", and " xcbc(aes) "."
Authenticated encryption with associated data (AEAD) algorithms include
.BR rfc4106(gcm(aes)) ", " rfc4309(ccm(aes)) ", and " rfc4543(gcm(aes)) "."
Compression algorithms include
.BR deflate ", " lzs ", and " lzjh "."
specifies a mode of operation for the transform protocol. IPsec and IP Payload
Compression modes are
.BR transport ", " tunnel ","
and (for IPsec ESP only) Bound End-to-End Tunnel
Mobile IPv6 modes are route optimization
.RB "(" in_trigger ")."
contains one or more of the following optional flags:
.BR noecn ", " decap-dscp ", " nopmtudisc ", " wildrecv ", " icmp ", "
.BR af-unspec ", " align4 ", or " esn "."
selects the traffic that will be controlled by the policy, based on the source
address, the destination address, the network device, and/or
selects traffic by protocol. For the
.BR tcp ", " udp ", " sctp ", or " dccp
protocols, the source and destination port can optionally be specified.
.BR icmp ", " ipv6-icmp ", or " mobility-header
protocols, the type and code numbers can optionally be specified.
protocol, the key can optionally be specified as a dotted-quad or number.
Other protocols can be selected by name or number
sets limits in seconds, bytes, or numbers of packets.
encapsulates packets with protocol
.BR espinudp ", " espinudp-nonike ", or " espintcp ","
.RI "using source port " SPORT ", destination port " DPORT
.RI ", and original address " OADDR "."
used to match xfrm policies and states
used to set the output mark to influence the routing
of the packets emitted by the state
xfrm interface identifier used in both xfrm policies and states
ip xfrm policy add add a new policy
ip xfrm policy update update an existing policy
ip xfrm policy delete delete an existing policy
ip xfrm policy get get an existing policy
ip xfrm policy deleteall delete all existing xfrm policies
ip xfrm policy list print out the list of xfrm policies
ip xfrm policy flush flush policies
filter (remove) all socket policies from the output.
selects the traffic that will be controlled by the policy, based on the source
address, the destination address, the network device, and/or
selects traffic by protocol. For the
.BR tcp ", " udp ", " sctp ", or " dccp
protocols, the source and destination port can optionally be specified.
.BR icmp ", " ipv6-icmp ", or " mobility-header
protocols, the type and code numbers can optionally be specified.
protocol, the key can optionally be specified as a dotted-quad or number.
Other protocols can be selected by name or number
selects the policy direction as
.BR in ", " out ", or " fwd "."
sets the security context.
.BR main " (default) or " sub "."
.BR allow " (default) or " block "."
is a number that defaults to zero.
contains one or both of the following optional flags:
.BR localok " or " icmp "."
sets limits in seconds, bytes, or numbers of packets.
is a template list specified using
.IR ID ", " MODE ", " REQID ", and/or " LEVEL ". "
is specified by a source address, destination address,
.RI "transform protocol " XFRM-PROTO ","
and/or Security Parameter Index
(For IP Payload Compression, the Compression Parameter Index or CPI is used for
specifies a transform protocol:
.RB "IPsec Encapsulating Security Payload (" esp "),"
.RB "IPsec Authentication Header (" ah "),"
.RB "IP Payload Compression (" comp "),"
.RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
.RB "Mobile IPv6 Home Address Option (" hao ")."
specifies a mode of operation for the transform protocol. IPsec and IP Payload
Compression modes are
.BR transport ", " tunnel ","
and (for IPsec ESP only) Bound End-to-End Tunnel
Mobile IPv6 modes are route optimization
.RB "(" in_trigger ")."
.BR required " (default) or " use "."
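.PP
The state and policy commands described above, put together into one manual-keying procedure: two ESP transport-mode SAs (one per direction) between a pair of hosts, plus the in/out policies whose templates bind traffic to those SAs by reqid. This is an added example, not text or code from the ip-xfrm man page or from iproute2. The helper names (keymat, run, ipsec_transport_setup, ipsec_show), the addresses 192.0.2.1 and 192.0.2.2, the SPIs, and the DRY_RUN and RUN_EXAMPLE variables are this example's own; the ip(8) syntax is the one documented on this page.

```shell
#!/bin/sh
# Added example (not from ip-xfrm(8) or iproute2): manually keyed ESP
# transport-mode SAs using "ip xfrm state add" and "ip xfrm policy add".
# Executing the ip commands needs root and a kernel with XFRM/ESP support;
# set DRY_RUN=1 to print the commands instead of running them.

set -e

# keymat BITS: hex key material of BITS bits from /dev/urandom, formatted
# as ALGO-KEYMAT ("0x..."). For aead rfc4106(gcm(aes)) the keymat is the
# AES key followed by the 4-byte salt, so a 128-bit AES key needs 160 bits
# of keymat (the "key and a salt" case described on this page).
keymat() {
    bytes=$(( $1 / 8 ))
    printf '0x%s' "$(head -c "$bytes" /dev/urandom | od -An -tx1 | tr -d ' \n')"
}

# run CMD...: execute, or echo when DRY_RUN=1 (used for inspection and tests).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ipsec_transport_setup LOCAL REMOTE SPI_OUT SPI_IN KEY_OUT KEY_IN
# Installs one SA per direction plus the matching policies. The peer runs
# the same function with LOCAL/REMOTE, SPI_OUT/SPI_IN and KEY_OUT/KEY_IN
# swapped, so that our outbound SA is its inbound SA and vice versa.
ipsec_transport_setup() {
    local_ip=$1 remote_ip=$2 spi_out=$3 spi_in=$4 key_out=$5 key_in=$6
    reqid=1

    # Outbound SA: AES-GCM (ALGO-ICV-LEN 128), ESN enabled, 128-packet
    # anti-replay window. Both peers must agree on ESN.
    run ip xfrm state add src "$local_ip" dst "$remote_ip" proto esp spi "$spi_out" \
        reqid "$reqid" mode transport flag esn replay-window 128 \
        aead 'rfc4106(gcm(aes))' "$key_out" 128
    # Inbound SA, keyed with the peer's outbound key.
    run ip xfrm state add src "$remote_ip" dst "$local_ip" proto esp spi "$spi_in" \
        reqid "$reqid" mode transport flag esn replay-window 128 \
        aead 'rfc4106(gcm(aes))' "$key_in" 128

    # Policies: all traffic between the two hosts must match an ESP SA with
    # this reqid. "level required" (the default, stated explicitly) means
    # packets are dropped, not sent in clear, if no matching SA exists.
    run ip xfrm policy add src "$local_ip" dst "$remote_ip" dir out \
        tmpl src "$local_ip" dst "$remote_ip" proto esp reqid "$reqid" \
        mode transport level required
    run ip xfrm policy add src "$remote_ip" dst "$local_ip" dir in \
        tmpl src "$remote_ip" dst "$local_ip" proto esp reqid "$reqid" \
        mode transport level required
}

# Checks a practitioner runs afterwards: object counts and per-SA stats
# (the -s flag shows byte/packet counters and replay-window state).
ipsec_show() {
    run ip xfrm state count
    run ip xfrm policy count
    run ip -s xfrm state list
}

# Usage (constructed addresses and SPIs). Keys are generated here and must
# reach the peer over an already-trusted channel; they never rekey unless a
# LIMIT-LIST is added and something reacts to the resulting expire events.
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    K_OUT=$(keymat 160)
    K_IN=$(keymat 160)
    ipsec_transport_setup 192.0.2.1 192.0.2.2 0x10000001 0x10000002 "$K_OUT" "$K_IN"
    ipsec_show
fi
```

Manual keying like this is for labs and interoperability testing; in production an IKE daemon installs and rekeys the same SAs and policies through the same kernel interface. The example deliberately uses the AEAD entry rfc4106(gcm(aes)) rather than the legacy cbc(des) or hmac(md5) entries that remain in the algorithm lists above for interoperability.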
ip xfrm policy count count existing policies
Use one or more -s options to display more details, including policy hash table
ip xfrm policy set configure the policy hash table
Security policies whose address prefix lengths are greater than or equal to the
policy hash table thresholds are hashed. Others are stored in the
policy_inexact chained list.
specifies the minimum local address prefix length of policies that are
stored in the Security Policy Database hash table.
specifies the minimum remote address prefix length of policies that are
stored in the Security Policy Database hash table.
ip xfrm monitor state monitoring for xfrm objects
The xfrm objects to monitor can be optionally specified.
option is set, the program listens to all network namespaces that have a
nsid assigned into the network namespace where the program is running.
A prefix is displayed to show the network namespace where the message
[nsid 1]Flushed state proto 0
Manpage revised by David Ward <david.ward@ll.mit.edu>
Manpage revised by Christophe Gouault <christophe.gouault@6wind.com>
Manpage revised by Nicolas Dichtel <nicolas.dichtel@6wind.com>