Internet security protocol
#include <sys/types.h> #include <netinet/in.h> #include <netinet6/ipsec.h> int socket( PF_KEY, SOCK_RAW, PF_KEY_V2 );
IPsec is a security protocol for the Internet Protocol layer. It consists of these sub-protocols:
IPsec has these modes of operation:
Kernel interface
The IPsec protocol behavior is controlled by these engines:
These engines are located in the socket manager. The socket manager implements the PF_KEY interface and allows you to define IPsec policy similar to per-packet filters. Note that the socket manager code doesn't implement the dynamic encryption key exchange protocol IKE (Internet Key Exchange) — that implementation should be done at the application level (usually as daemons), using the previously described APIs.
Policy management
The socket manager implements experimental policy management. You can manage the IPsec policy in these ways:
In this case, the default policy is allowed with the setkey. By configuring the policy to default, you can use the system-wide sysctl utility variables. (The sysctl utility displays various runtime options.)
If the socket manager finds no matching policy, the system-wide default value is applied.
For a list of net.inet6.ipsec6.* variables, see the sysctl utility in the Utilities Reference.
Miscellaneous sysctl variables
The following variables are accessible via the sysctl utility for tweaking socket manager IPsec behavior:
Name | Type | Changeable? |
---|---|---|
net.inet.ipsec.ah_cleartos | Integer | Yes |
net.inet.ipsec.ah_offsetmask | Integer | Yes |
net.inet.ipsec.dfbit | Integer | Yes |
net.inet.ipsec.ecn | Integer | Yes |
net.inet.ipsec.debug | Integer | Yes |
net.inet6.ipsec6.ecn | Integer | Yes |
net.inet6.ipsec6.debug | Integer | Yes |
The variables are interpreted as follows:
If the value is set to: | Then: |
---|---|
0 | The DF bit on the outer IPv4 header is cleared. |
1 | The outer DF bit on the header is set from the inner DF bit. |
2 | The DF bit is copied from the inner header to the outer. |
Variables under the net.inet6.ipsec6 tree have meaning similar to their net.inet.ipsec counterparts.
Protocols
Because the IPsec protocol works like a plugin to the INET and INET6 protocols, IPsec supports most of the protocols defined upon those IP-layer protocols. Some of the protocols, like ICMP or ICMP6, may behave differently with IPsec. This is because IPsec can prevent ICMP or ICMP6 routines from looking into the IP payload.
You can set the policy manually by calling setkey, or set it permanently in /etc/inetd.conf. Valid policy settings include:
-P direction discard -P direction ipsec request ... -P direction none
direction bypass direction entrust direction ipsec request ...
where:
protocol/mode/src-dst[/level]
For detailed descriptions of the arguments in the request string, see below.
If transport is specified as the mode, you can omit these values.
You may need the identifier in order to relate the policy and the SA when you define the SA by manual keying. You can put the decimal number as the identifier after unique, such as: unique: number
The value of number must be between 1 and 32767. If the request string is kept unambiguous, the level and slash prior to level can be omitted. However, you should specify them explicitly to avoid unintended behaviors.
Based on:
RFC 2367, RFC 1826, RFC 2402, RFC 2403
Detailed documentation about the IP security protocol may be found at the IPsec FAQ website at http://www.netbsd.org/Documentation/network/ipsec/.
The IPsec support is subject to change as the IPsec protocols develop.
There's no single standard for policy engine API, so the policy engine API described herein is just for KAME implementation.
The AH tunnel may not work as you might expect. If you configure the require policy against AH tunnel for inbound, tunneled packets will be rejected. This is because AH authenticates the encapsulating (outer) packet, not the encapsulated (inner) packet.
Under certain conditions, a truncated result may be returned from the socket manager from SADB_DUMP and SADB_SPDDUMP operations on a PF_KEY socket. This occurs if there are too many database entries in the socket manager and the socket buffer for the PF_KEY socket is too small. If you manipulate many IPsec key/policy database entries, increase the size of socket buffer.