I'm sponsoring the following fasttrack for Mark Fenwick. Timer expires
4/8/2008. Release binding is Patch/Micro. Commitment levels match
existing interfaces (Committed for CLI, Uncommitted for PF_KEY).
Description:
------------
IPsec Security Associations, as defined in RFC 2401, Security Architecture for
the Internet Protocol, are unidirectional. They are uniquely identified by a
triple consisting of a Security Parameter Index (SPI), an IP destination
address, and a security protocol (AH or ESP) identifier.
These Security Associations (SAs) exist independently of each other but are
typically created by key management protocols in pairs (one inbound, one
outbound). Management of these SAs would be simplified if the SADB
maintained state about how SAs are paired with each other.
Proposal:
---------
The PF_KEY(7P) socket will be extended to allow consumers to create, update
and delete SAs in pairs.
The Solaris-provided key management mechanisms ipseckey(1M) and in.iked(1M) will
be modified to make use of this new functionality.
The project private ipsa_t structure, defined in usr/src/uts/common/inet/sadb.h
will be extended to include soft linkage to another ipsa_t, managed within the
kernel.
These changes are tracked by CR 6628201.
Details:
--------
The following changes are proposed to pfkeyv2.h:
New sadb_x_pair_t structure:
typedef struct sadb_x_pair
{
uint16_t sadb_x_pair_len;
uint16_t sadb_x_pair_exttype;
uint32_t sadb_x_pair_spi; /* SPI of paired SA */
} sadb_x_pair_t;
New PF_KEY message types:
#define SADB_X_UPDATEPAIR 13
#define SADB_X_DELPAIR 14
New SA flags:
#define SADB_X_SAFLAGS_PAIRED 0x10000 /* inbound/outbound pair */
#define SADB_X_SAFLAGS_OUTBOUND 0x8000 /* SA direction bit */
#define SADB_X_SAFLAGS_INBOUND 0x4000 /* SA direction bit */
The two direction flags allow the key management mechanism to optionally
state the direction of the SA, simplifying the kernel's decision about
which hash table to insert, delete or update the SA in.
New PF_KEY message extension:
#define SADB_X_EXT_PAIR 23
New PF_KEY extended diagnostic types:
#define SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE 73
#define SADB_X_DIAGNOSTIC_PAIR_ADD_MISMATCH 74
#define SADB_X_DIAGNOSTIC_PAIR_ALREADY 75
#define SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND 76
#define SADB_X_DIAGNOSTIC_BAD_SA_DIRECTION 77
#define SADB_X_DIAGNOSTIC_SA_NOTFOUND 78
#define SADB_X_DIAGNOSTIC_SA_EXPIRED 79
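The following C sketch is an added illustration, not code from this proposal or from Solaris: it lays out an SADB_X_UPDATEPAIR message carrying the new sadb_x_pair_t extension after the sadb_sa extension, then walks the extension chain the way a receiver would and returns the diagnostic a kernel might report. The sadb_msg and sadb_sa layouts follow RFC 2367 and are redefined locally so the snippet builds without the Solaris pfkeyv2.h; which condition each diagnostic code covers is this example's assumption, as the proposal does not define that.

```c
#include <stdint.h>
#include <string.h>
/* RFC 2367 layouts, redefined locally so this builds without <net/pfkeyv2.h>; every
 * *_len field counts 64-bit units. sadb_x_pair_t is the structure the proposal adds. */
typedef struct { uint8_t version, type, err, satype; uint16_t len, reserved; uint32_t seq, pid; } sadb_msg_t;
typedef struct { uint16_t len, exttype; } sadb_ext_t;
typedef struct { uint16_t len, exttype; uint32_t spi; uint8_t replay, state, auth, encrypt; uint32_t flags; } sadb_sa_t;
typedef struct { uint16_t len, exttype; uint32_t spi; } sadb_x_pair_t;
#define SADB_EXT_SA 1
#define SADB_X_UPDATEPAIR 13
#define SADB_X_EXT_PAIR 23
#define SADB_X_SAFLAGS_OUTBOUND 0x8000
#define SADB_X_SAFLAGS_INBOUND 0x4000
#define SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE 73
#define SADB_X_DIAGNOSTIC_BAD_SA_DIRECTION 77

/* Lay out msg | sa | pair in buf (8-byte aligned, >= 40 bytes); returns bytes used. */
size_t build_updatepair(uint8_t *buf, uint32_t spi, uint32_t pair_spi, uint32_t flags)
{
    sadb_msg_t *m = (sadb_msg_t *)buf;
    sadb_sa_t *sa = (sadb_sa_t *)(buf + sizeof *m);
    sadb_x_pair_t *p = (sadb_x_pair_t *)(buf + sizeof *m + sizeof *sa);
    size_t total = sizeof *m + sizeof *sa + sizeof *p;
    memset(buf, 0, total);
    *m = (sadb_msg_t){ 2 /* PF_KEY_V2 */, SADB_X_UPDATEPAIR, 0, 3 /* SATYPE_ESP */, (uint16_t)(total / 8), 0, 1, 0 };
    *sa = (sadb_sa_t){ (uint16_t)(sizeof *sa / 8), SADB_EXT_SA, spi, 0, 0, 0, 0, flags };
    *p = (sadb_x_pair_t){ (uint16_t)(sizeof *p / 8), SADB_X_EXT_PAIR, pair_spi };
    return total;
}

/* Receiver-side walk of the extension chain: 0 if acceptable, -1 if malformed, else a
 * SADB_X_DIAGNOSTIC_* code. Which condition maps to which code is this example's assumption. */
int check_updatepair(const uint8_t *buf)
{
    const sadb_msg_t *m = (const sadb_msg_t *)buf;
    const uint8_t *end = buf + (size_t)m->len * 8, *cur = buf + sizeof *m;
    const sadb_sa_t *sa = NULL; const sadb_x_pair_t *p = NULL;
    while (cur + sizeof(sadb_ext_t) <= end) {
        const sadb_ext_t *e = (const sadb_ext_t *)cur;
        if (e->len == 0 || cur + (size_t)e->len * 8 > end) return -1;   /* runs past the message */
        if (e->exttype == SADB_EXT_SA) sa = (const sadb_sa_t *)cur;
        if (e->exttype == SADB_X_EXT_PAIR) p = (const sadb_x_pair_t *)cur;
        cur += (size_t)e->len * 8;
    }
    if (sa == NULL || p == NULL || p->len != sizeof *p / 8) return -1;
    if (p->spi == sa->spi) return SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE;  /* an SA cannot pair with itself */
    if ((sa->flags & SADB_X_SAFLAGS_OUTBOUND) && (sa->flags & SADB_X_SAFLAGS_INBOUND))
        return SADB_X_DIAGNOSTIC_BAD_SA_DIRECTION;                       /* both directions claimed */
    return 0;
}
```

With an 8-byte-aligned 40-byte buffer, build_updatepair(buf, 0x123456, 0x654321, SADB_X_SAFLAGS_OUTBOUND) followed by check_updatepair(buf) returns 0, while pairing an SPI with itself or setting both direction flags yields the corresponding diagnostic.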
Changes to ipseckey(1M) - The following new commands and keywords
have been introduced; their functionality is described in the man page
diffs below:
update-pair
delete-pair
pair-spi
inbound
outbound
*** ipseckey.txt.orig Fri Feb 22 17:21:06 2008
--- ipseckey.txt.new Thu Mar 20 14:48:41 2008
***************
*** 17,27 ****
ipseckey -c filename
! ipseckey [-nvp] [delete | get] SA_TYPE {EXTENSION value...}
ipseckey [-np] [monitor | passive_monitor | pmonitor]
--- 17,27 ----
ipseckey -c filename
! ipseckey [-nvp] [delete | delete-pair | get] SA_TYPE {EXTENSION
value...}
ipseckey [-np] [monitor | passive_monitor | pmonitor]
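Review bot: delete-pair is added to this synopsis line but update-pair is not; if update appears in a synopsis line outside this hunk, update-pair should be listed beside it the same way, otherwise the new command is documented only in the body text.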
***************
*** 168,193 ****
either from the interactive ipseckey> prompt or in a
command file specified by the -f command. The update
command accepts all extension-value pairs, but normally
is only used for SA lifetime updates.
delete
Delete a specific SA from a specific SADB. This command
requires the spi extension, and the dest extension for
IPsec SAs. Other extension-value pairs are superfluous
! for a delete message.
get
Lookup and display a security association from a
specific SADB. Like delete, this command only requires
spi and dest for IPsec.
-
flush
Remove all SA for a given SA_TYPE, or all SA for all
--- 168,205 ----
either from the interactive ipseckey> prompt or in a
command file specified by the -f command. The update
command accepts all extension-value pairs, but normally
is only used for SA lifetime updates.
+ update-pair
+ As update, but apply the update to the SA and its paired
+ SA, if there is one.
+
+
delete
Delete a specific SA from a specific SADB. This command
requires the spi extension, and the dest extension for
IPsec SAs. Other extension-value pairs are superfluous
! for a delete message. If the SA to be deleted is paired
! with another SA, the SA is deleted and the pair SA is
! updated to indicate its now unpaired.
+ delete-pair
+ Delete a specific SA from a specific SADB. If the SA is
+ paired with another SA, delete that SA too. This command
+ requires the spi extension and the dest extension for the
+ IPsec SA, or its pair.
+
get
Lookup and display a security association from a
specific SADB. Like delete, this command only requires
spi and dest for IPsec.
flush
Remove all SA for a given SA_TYPE, or all SA for all
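Review bot: the added text in the delete entry reads "updated to indicate its now unpaired"; that should be "it's now unpaired" (or "it is now unpaired"). The two "+" blank lines after the update-pair paragraph also leave a double blank before delete where the surrounding entries use a single one.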
***************
*** 297,307 ****
--- 309,346 ----
Specifies the security parameters index of the SA. This
extension is required for the add, delete, get and
update commands.
+ pair-spi <number>
+ When pair-spi is used with the add or update commands, the
+ SA being added or updated will be paired with the SA defined
+ by pair-spi. A pair of SAs can be updated or deleted with
+ a single command.
+
+ The two SAs that will make up the pair need to be in opposite
+ directions between the same pair of IP addresses, the command
+ will fail if either of the SAs specified are already paired with
+ another SA.
+
+ If the pair-spi token is used in a command and the SA defined
+ by pair-spi does not exist, the command will fail.
+
+ inbound | outbound
+
+ These are optional flags which specify the direction of the SA.
+ When the inbound or outbound flag is specified with the add command
+ the kernel will insert the new SA into the specified hash table
+ for faster lookups. If the flag is omitted, the kernel will
+ decide which hash table to insert the new SA based on its knowledge
+ the IP addresses specified with the src and dst extensions.
+
+ When these flags are used with the update, delete, update-pair
+ or get commands, the flag provideds a hint as to which hash table
+ the kernel should find the SA.
+
replay <number>
Specifies the replay window size. If not specified, the
replay window size is assumed to be zero. It is not
recommended that manually added SAs have a replay win-
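Review bot: in the inbound | outbound entry, "the flag provideds a hint as to which hash table the kernel should find the SA" has a typo (provides) and should read "a hint as to which hash table the kernel should search for the SA"; two paragraphs up, "based on its knowledge the IP addresses" is missing "of". In the pair-spi entry, "between the same pair of IP addresses, the command will fail if either" is a run-on; split it into two sentences or use a semicolon.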
***************
*** 1009,1019 ****
--- 1048,1061 ----
address are needed:
example# ipseckey delete esp spi 0x2112 dst 224.0.0.1
+ An alternative would be to delete the SA and the SAs pair
+ if it has one:
+ example# ipseckey delete-pair esp spi 0x2112 dst 192.168.99.2
Example 6 Getting Information on an IPsec SA
Likewise, getting information on a SA only requires the des-
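Review bot: the added "alternative" uses dst 192.168.99.2 while the delete just above it targets dst 224.0.0.1, so it does not read as an alternative to the same operation; either reuse the same spi and dst or introduce it as a separate case. Also "delete the SA and the SAs pair" should be "delete the SA and its pair".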
***************
*** 1035,1046 ****
--- 1077,1099 ----
authalg md5 authkey 1234567890abcdef1234567890abcdef
ipseckey> update ah spi 0x90125 dst you.domain.com hard_bytes
16000000
ipseckey> exit
+ For paired SAs:
+ example# ipseckey
+ ipseckey> update-pair esp spi 0x991122 dst 10.10.2.2 hard_addtime
+ 2000 soft_addtime 1800
+ ipseckey> exit
+ Specifying SA direction:
+
+ ipseckey> add ah spi 0x45677654 src 10.0.0.1 dst 192.168.99.2
+ outbound authalg md5 authkey 1234567890abcdef1234567890abcdef
+
+
Example 8 Adding an SA in the Opposite Direction
In the case of IPsec, SAs are unidirectional. To communicate
securely, a second SA needs to be added in the opposite
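Review bot: the "Specifying SA direction" snippet starts at the ipseckey> prompt without the "example# ipseckey" and "ipseckey> exit" lines that the paired-SA example directly above it shows; make the two consistent. The two "+" blank lines before Example 8 are also one more than the surrounding examples use.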
***************
*** 1131,1142 ****
--- 1184,1199 ----
ipseckey> add esp spi 0x6789 src6 fec0:bbbb::4483 dst6 fec0:bbbb::7843
authalg md5 authkey bde359723576fdea08e56cbe876e24ad
encralg des encrkey be02938e7def2839 hard_usetime 28800
ipseckey>exit
+ Example 12 Linking two SAs together in a pair.
+ example# ipseckey update esp spi 0x123456 dst 192.168.99.2
+ pair-spi 0x654321
+
ATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:
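Review bot: Example 12 should state the precondition given in the pair-spi entry, that 0x123456 and 0x654321 must be SAs in opposite directions between the same addresses and that neither may already be paired, otherwise the reader has no way to see why this update can fail. The heading also ends with a period while the other example headings do not.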
Note: It is not possible to add a pair of SAs using a single ipseckey(1m)
command; the syntax to do this would be too complicated. In general, key
management is best left to a key management daemon such as in.iked(1m), which
automatically makes use of this feature.
Interfaces:
-----------
+------------------------------------+--------------------+---------------------+
| Interface Name                     | Commitment         | Comments            |
+------------------------------------+--------------------+---------------------+
| ipseckey(1m) commands:             | Committed          | documented in man   |
|   update-pair                      |                    | page.               |
|   delete-pair                      |                    |                     |
|   pair-with                        |                    |                     |
|   pair-spi                         |                    |                     |
|   inbound                          |                    |                     |
|   outbound                         |                    |                     |
+------------------------------------+--------------------+---------------------+
| pfkeyv2.h                          | Uncommitted        |                     |
|   sadb_x_pair_t                    |                    |                     |
|   SADB_X_UPDATEPAIR                |                    |                     |
|   SADB_X_DELPAIR                   |                    |                     |
|   SADB_X_SAFLAGS_PAIRED            |                    |                     |
|   SADB_X_SAFLAGS_OUTBOUND          |                    |                     |
|   SADB_X_SAFLAGS_INBOUND           |                    |                     |
|   SADB_X_EXT_PAIR                  |                    |                     |
|SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE|                    |                     |
|SADB_X_DIAGNOSTIC_PAIR_ADD_MISMATCH |                    |                     |
|SADB_X_DIAGNOSTIC_PAIR_ALREADY      |                    |                     |
|SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND  |                    |                     |
|SADB_X_DIAGNOSTIC_BAD_SA_DIRECTION  |                    |                     |
|SADB_X_DIAGNOSTIC_SA_NOTFOUND       |                    |                     |
|SADB_X_DIAGNOSTIC_SA_EXPIRED        |                    |                     |
+------------------------------------+--------------------+---------------------+