Module Name: src
Committed By: drochner
Date: Mon Jan 9 15:16:31 UTC 2012
Modified Files:
src/distrib/sets/lists/man: mi
src/share/man/man4: Makefile fast_ipsec.4 ipsec.4 options.4
src/sys/netinet6: files.ipsec
src/sys/netipsec: files.netipsec
Added Files:
src/share/man/man4: kame_ipsec.4
Log Message:
Make FAST_IPSEC the default IPSEC implementation, which is built
into the kernel when the "IPSEC" kernel option is given.
The old implementation is still available as KAME_IPSEC.
Do some minimal manpage adjustment -- kame_ipsec(4) is a copy
of the old ipsec(4) and the latter is now a copy of fast_ipsec(4).
To generate a diff of this commit:
cvs rdiff -u -r1.1363 -r1.1364 src/distrib/sets/lists/man/mi
cvs rdiff -u -r1.576 -r1.577 src/share/man/man4/Makefile
cvs rdiff -u -r1.9 -r1.10 src/share/man/man4/fast_ipsec.4
cvs rdiff -u -r1.31 -r1.32 src/share/man/man4/ipsec.4
cvs rdiff -u -r0 -r1.1 src/share/man/man4/kame_ipsec.4
cvs rdiff -u -r1.409 -r1.410 src/share/man/man4/options.4
cvs rdiff -u -r1.7 -r1.8 src/sys/netinet6/files.ipsec
cvs rdiff -u -r1.8 -r1.9 src/sys/netipsec/files.netipsec
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/distrib/sets/lists/man/mi
diff -u src/distrib/sets/lists/man/mi:1.1363 src/distrib/sets/lists/man/mi:1.1364
--- src/distrib/sets/lists/man/mi:1.1363 Wed Jan 4 16:25:15 2012
+++ src/distrib/sets/lists/man/mi Mon Jan 9 15:16:30 2012
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.1363 2012/01/04 16:25:15 yamt Exp $
+# $NetBSD: mi,v 1.1364 2012/01/09 15:16:30 drochner Exp $
#
# Note: don't delete entries from here - mark them as "obsolete" instead.
#
@@ -1236,6 +1236,7 @@
./usr/share/man/cat4/jme.0 man-sys-catman .cat
./usr/share/man/cat4/jmide.0 man-sys-catman .cat
./usr/share/man/cat4/joy.0 man-sys-catman .cat
+./usr/share/man/cat4/kame_ipsec.0 man-sys-catman .cat
./usr/share/man/cat4/kloader.0 man-sys-catman .cat
./usr/share/man/cat4/kse.0 man-sys-catman .cat
./usr/share/man/cat4/ksyms.0 man-sys-catman .cat
@@ -6719,6 +6720,7 @@
./usr/share/man/man4/jme.4 man-sys-man .man
./usr/share/man/man4/jmide.4 man-sys-man .man
./usr/share/man/man4/joy.4 man-sys-man .man
+./usr/share/man/man4/kame_ipsec.4 man-sys-man .man
./usr/share/man/man4/kloader.4 man-sys-man .man
./usr/share/man/man4/kse.4 man-sys-man .man
./usr/share/man/man4/ksyms.4 man-sys-man .man
Index: src/share/man/man4/Makefile
diff -u src/share/man/man4/Makefile:1.576 src/share/man/man4/Makefile:1.577
--- src/share/man/man4/Makefile:1.576 Wed Jan 4 16:25:16 2012
+++ src/share/man/man4/Makefile Mon Jan 9 15:16:31 2012
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.576 2012/01/04 16:25:16 yamt Exp $
+# $NetBSD: Makefile,v 1.577 2012/01/09 15:16:31 drochner Exp $
# @(#)Makefile 8.1 (Berkeley) 6/18/93
MAN= aac.4 ac97.4 acardide.4 aceride.4 acphy.4 \
@@ -35,7 +35,7 @@ MAN= aac.4 ac97.4 acardide.4 aceride.4 a
ioasic.4 ioat.4 iop.4 iophy.4 iopsp.4 ip.4 ipkdb.4 ipmi.4 ipw.4 \
irmce.4 iso.4 isp.4 isv.4 itesio.4 iteide.4 iwi.4 iwn.4 ixg.4 ixpide.4 \
jme.4 jmide.4 joy.4 \
- kloader.4 kse.4 ksyms.4 kttcp.4 \
+ kame_ipsec.4 kloader.4 kse.4 ksyms.4 kttcp.4 \
lc.4 ld.4 lii.4 lo.4 lxtphy.4 \
mainbus.4 makphy.4 mbe.4 mca.4 mcclock.4 md.4 mfb.4 mfi.4 mhzc.4 \
midi.4 mii.4 mk48txx.4 mlx.4 mly.4 mpls.4 mpt.4 mpu.4 mtd.4 \
Index: src/share/man/man4/fast_ipsec.4
diff -u src/share/man/man4/fast_ipsec.4:1.9 src/share/man/man4/fast_ipsec.4:1.10
--- src/share/man/man4/fast_ipsec.4:1.9 Tue Sep 21 13:47:41 2010
+++ src/share/man/man4/fast_ipsec.4 Mon Jan 9 15:16:31 2012
@@ -1,4 +1,4 @@
-.\" $NetBSD: fast_ipsec.4,v 1.9 2010/09/21 13:47:41 degroote Exp $
+.\" $NetBSD: fast_ipsec.4,v 1.10 2012/01/09 15:16:31 drochner Exp $
.\" $FreeBSD: fast_ipsec.4,v 1.2 2003/03/03 11:51:30 ru Exp $
.\"
.\" Copyright (c) 2004
@@ -28,17 +28,16 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
.\" THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd April 24, 2007
+.Dd January 9, 2012
.Dt FAST_IPSEC 4
.Os
.Sh NAME
.Nm fast_ipsec
.Nd Fast IPsec hardware-accelerated IP Security Protocols
.Sh SYNOPSIS
-.Cd "options FAST_IPSEC"
+.Cd "options IPSEC"
.Cd "options IPSEC_DEBUG"
.Cd "options IPSEC_NAT_T"
-.Cd "pseudo-device crypto"
.Sh DESCRIPTION
.Tn IPsec
is a set of protocols,
Index: src/share/man/man4/ipsec.4
diff -u src/share/man/man4/ipsec.4:1.31 src/share/man/man4/ipsec.4:1.32
--- src/share/man/man4/ipsec.4:1.31 Sun May 17 02:22:43 2009
+++ src/share/man/man4/ipsec.4 Mon Jan 9 15:16:31 2012
@@ -1,8 +1,11 @@
-.\" $NetBSD: ipsec.4,v 1.31 2009/05/17 02:22:43 fair Exp $
-.\" $KAME: ipsec.4,v 1.17 2001/06/27 15:25:10 itojun Exp $
+.\" $NetBSD: ipsec.4,v 1.32 2012/01/09 15:16:31 drochner Exp $
+.\" $FreeBSD: fast_ipsec.4,v 1.2 2003/03/03 11:51:30 ru Exp $
.\"
-.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
-.\" All rights reserved.
+.\" Copyright (c) 2004
+.\" Jonathan Stone <[email protected]>. All rights reserved.
+.\"
+.\" Copyright (c) 2003
+.\" Sam Leffler <[email protected]>. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
@@ -12,383 +15,112 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\" 3. Neither the name of the project nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+.\" THIS SOFTWARE IS PROVIDED BY Sam Leffler AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
+.\" ARE DISCLAIMED. IN NO EVENT SHALL Bill Paul OR THE VOICES IN HIS HEAD
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+.\" THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd May 16, 2009
-.Dt IPSEC 4
+.Dd January 9, 2012
+.Dt FAST_IPSEC 4
.Os
.Sh NAME
-.Nm ipsec
-.Nd IP security protocol
+.Nm fast_ipsec
+.Nd Fast IPsec hardware-accelerated IP Security Protocols
.Sh SYNOPSIS
-.In sys/types.h
-.In netinet/in.h
-.In netinet6/ipsec.h
-.Pp
-.Cd options IPSEC
-.Cd options IPSEC_ESP
-.Cd options IPSEC_NAT_T
-.Cd options IPSEC_DEBUG
+.Cd "options IPSEC"
+.Cd "options IPSEC_DEBUG"
+.Cd "options IPSEC_NAT_T"
.Sh DESCRIPTION
-.Nm
-is a security protocol in Internet Protocol (IP) layer.
-.Nm
-is defined for both IPv4 and IPv6
-.Po
-.Xr inet 4
-and
-.Xr inet6 4
-.Pc .
-.Nm
-consists of two sub-protocols:
-.Pp
-.Bl -hang
-.It Em Encapsulated Security Payload Pq ESP
-protects IP payload from wire-tapping (interception) by encrypting it with
-secret key cryptography algorithms.
-.It Em Authentication Header Pq AH
-guarantees integrity of IP packet
-and protects it from intermediate alteration or impersonation,
-by attaching cryptographic checksum computed by one-way hash functions.
-.El
-.Pp
-.Nm
-has two operation modes:
-.Pp
-.Bl -hang
-.It Em Transport mode
-is for protecting peer-to-peer communication between end nodes.
-.It Em Tunnel mode
-includes IP-in-IP encapsulation operation
-and is designed for security gateways, as in Virtual Private Network
-.Pq Tn VPN
-configurations.
-.El
-.Pp
-The following kernel options are available:
-.Bl -ohang
-.It Cd options IPSEC
-Includes support for the
.Tn IPsec
-protocol.
-.Em IPSEC
-will enable
-secret key management part,
-policy management part,
+is a set of protocols,
+.Tn ESP
+(for Encapsulating Security Payload)
.Tn AH
+(for Authentication Header),
and
-.Tn IPComp .
-Kernel binary will not be subject to export control in most of countries,
-even if compiled with
-.Em IPSEC .
-For example, it should be okay to export it from the United States of America.
-.Em INET6
-and
-.Em IPSEC
-are orthogonal so you can get IPv4-only kernel with IPsec support,
-IPv4/v6 dual support kernel without IPsec, and so forth.
-This option requires
-.Em INET
-at this moment, but it should not.
-.It Cd options IPSEC_DEBUG
-Enables debugging code in
-.Tn IPsec
-stack.
-This option assumes
-.Em IPSEC .
-.It Cd options IPSEC_ESP
-Includes support for
+.Tn IPComp
+(for IP Payload Compression Protocol)
+that provide security services for IP datagrams.
+Fast IPsec
+is an implementation of these protocols that uses the
+.Xr opencrypto 9
+subsystem to carry out cryptographic operations.
+This means, in particular, that cryptographic hardware devices are
+employed whenever possible to optimize the performance of these protocols.
+.Pp
+In general, the
+Fast IPsec
+implementation is intended to be compatible with the
+.Tn KAME IPsec
+implementation.
+This documentation concentrates on differences from that software.
+The user should refer to
+.Xr ipsec 4
+for basic information on setting up and using these protocols.
+.Pp
+System configuration requires the
+.Xr opencrypto 9
+subsystem.
+When the
+Fast IPsec
+protocols are configured for use, all protocols are included in the system.
+To selectively enable/disable protocols, use
+.Xr sysctl 8 .
+.Sh DIAGNOSTICS
+To be added.
+.Sh SEE ALSO
+.Xr ipsec 4 ,
+.Xr setkey 8 ,
+.Xr sysctl 8 ,
+.Xr opencrypto 9
+.Sh HISTORY
+The protocols draw heavily on the
+.Ox
+implementation of the
.Tn IPsec
-.Tn ESP
-protocol.
-.Em IPSEC_ESP
-will enable source code that is subject to export control in some countries
-.Pq including the United States ,
-and compiled kernel binary will be subject to certain restriction.
-This option assumes
-.Em IPSEC .
-.It Cd options IPSEC_NAT_T
-Includes support for
+protocols.
+The policy management code is derived from the
+.Tn KAME
+implementation found in their
.Tn IPsec
-Network Address Translator Traversal (NAT-T), as described in RFCs 3947
-and 3948.
-This feature might be patent-encumbered in some countries.
-This option assumes
-.Em IPSEC
-and
-.Em IPSEC_ESP .
-.El
-.\"
-.Ss Kernel interface
-.Nm
-is controlled by key management engine and policy engine,
-in the operating system kernel.
-.Pp
-Key management engine can be accessed from the userland by using
-.Dv PF_KEY
-sockets.
+protocols.
The
-.Dv PF_KEY
-socket API is defined in RFC2367.
-.Pp
-Policy engine can be controlled by extended part of
-.Dv PF_KEY
-API,
-.Xr setsockopt 2
-operations, and
-.Xr sysctl 3
-interface.
-The kernel implements
-extended version of
-.Dv PF_KEY
-interface, and allows you to define IPsec policy like per-packet filters.
-.Xr setsockopt 2
-interface is used to define per-socket behavior, and
-.Xr sysctl 3
-interface is used to define host-wide default behavior.
-.Pp
-The kernel code does not implement dynamic encryption key exchange protocol
-like IKE
-.Pq Internet Key Exchange .
-That should be implemented as userland programs
-.Pq usually as daemons ,
-by using the above described APIs.
-.\"
-.Ss Policy management
-The kernel implements experimental policy management code.
-You can manage the IPsec policy in two ways.
-One is to configure per-socket policy using
-.Xr setsockopt 2 .
-The other is to configure kernel packet filter-based policy using
-.Dv PF_KEY
-interface, via
-.Xr setkey 8 .
-In both cases, IPsec policy must be specified with syntax described in
-.Xr ipsec_set_policy 3 .
-.Pp
-With
-.Xr setsockopt 2 ,
-you can define IPsec policy in per-socket basis.
-You can enforce particular IPsec policy onto packets that go through
-particular socket.
-.Pp
-With
-.Xr setkey 8
-you can define IPsec policy against packets,
-using sort of packet filtering rule.
-Refer to
-.Xr setkey 8
-on how to use it.
-.Pp
-In the latter case,
-.Dq Li default
-policy is allowed for use with
-.Xr setkey 8 .
-By configuring policy to
-.Li default ,
-you can refer system-wide
-.Xr sysctl 8
-variable for default settings.
-The following variables are available.
-.Li 1
-means
-.Dq Li use ,
-and
-.Li 2
-means
-.Dq Li require
-in the syntax.
-.Bl -column net.inet6.ipsec6.esp_trans_deflev integerxxx
-.It Sy Name Ta Sy Type Ta Sy Changeable
-.It net.inet.ipsec.esp_trans_deflev Ta integer Ta yes
-.It net.inet.ipsec.esp_net_deflev Ta integer Ta yes
-.It net.inet.ipsec.ah_trans_deflev Ta integer Ta yes
-.It net.inet.ipsec.ah_net_deflev Ta integer Ta yes
-.It net.inet6.ipsec6.esp_trans_deflev Ta integer Ta yes
-.It net.inet6.ipsec6.esp_net_deflev Ta integer Ta yes
-.It net.inet6.ipsec6.ah_trans_deflev Ta integer Ta yes
-.It net.inet6.ipsec6.ah_net_deflev Ta integer Ta yes
-.El
-.Pp
-If kernel finds no matching policy system wide default value is applied.
-System wide default is specified by the following
-.Xr sysctl 8
-variables.
-.Li 0
-means
-.Dq Li discard
-which asks the kernel to drop the packet.
-.Li 1
-means
-.Dq Li none .
-.Bl -column net.inet6.ipsec6.esp_trans_deflev integerxxx
-.It Sy Name Ta Sy Type Ta Sy Changeable
-.It net.inet.ipsec.def_policy Ta integer Ta yes
-.It net.inet6.ipsec6.def_policy Ta integer Ta yes
-.El
-.\"
-.Ss Miscellaneous sysctl variables
-The following variables are accessible via
-.Xr sysctl 8 ,
-for tweaking kernel IPsec behavior:
-.Bl -column net.inet6.ipsec6.esp_trans_deflev integerxxx
-.It Sy Name Ta Sy Type Ta Sy Changeable
-.It net.inet.ipsec.ah_cleartos Ta integer Ta yes
-.It net.inet.ipsec.ah_offsetmask Ta integer Ta yes
-.It net.inet.ipsec.dfbit Ta integer Ta yes
-.It net.inet.ipsec.ecn Ta integer Ta yes
-.It net.inet.ipsec.debug Ta integer Ta yes
-.It net.inet6.ipsec6.ecn Ta integer Ta yes
-.It net.inet6.ipsec6.debug Ta integer Ta yes
-.El
-.Pp
-The variables are interpreted as follows:
-.Bl -tag -width "123456"
-.It Li ipsec.ah_cleartos
-If set to non-zero, the kernel clears type-of-service field in the IPv4 header
-during AH authentication data computation.
-The variable is for tweaking AH behavior to interoperate with devices that
-implement RFC1826 AH.
-It should be set to non-zero
-.Pq clear the type-of-service field
-for RFC2402 conformance.
-.It Li ipsec.ah_offsetmask
-During AH authentication data computation, the kernel will include
-16bit fragment offset field
-.Pq including flag bits
-in IPv4 header, after computing logical AND with the variable.
-The variable is for tweaking AH behavior to interoperate with devices that
-implement RFC1826 AH.
-It should be set to zero
-.Pq clear the fragment offset field during computation
-for RFC2402 conformance.
-.It Li ipsec.dfbit
-The variable configures the kernel behavior on IPv4 IPsec tunnel encapsulation.
-If set to 0, DF bit on the outer IPv4 header will be cleared.
-1 means that the outer DF bit is set regardless from the inner DF bit.
-2 means that the DF bit is copied from the inner header to the outer.
-The variable is supplied to conform to RFC2401 chapter 6.1.
-.It Li ipsec.ecn
-If set to non-zero, IPv4 IPsec tunnel encapsulation/decapsulation behavior will
-be friendly to ECN
-.Pq explicit congestion notification ,
-as documented in
-.Li draft-ietf-ipsec-ecn-02.txt .
-.Xr gif 4
-talks more about the behavior.
-.It Li ipsec.debug
-If set to non-zero, debug messages will be generated via
-.Xr syslog 3 .
-.El
-.Pp
-Variables under
-.Li net.inet6.ipsec6
-tree has similar meaning as the
-.Li net.inet.ipsec
-counterpart.
-.\"
-.Sh PROTOCOLS
+Fast IPsec
+protocols are based on code which appeared in
+.Fx 4.7 .
The
-.Nm
-protocol works like plug-in to
-.Xr inet 4
-and
-.Xr inet6 4
-protocols.
-Therefore,
-.Nm
-supports most of the protocols defined upon those IP-layer protocols.
-Some of the protocols, like
-.Xr icmp 4
-or
-.Xr icmp6 4 ,
-may behave differently with
-.Nm ipsec .
-This is because
-.Nm
-can prevent
-.Xr icmp 4
-or
-.Xr icmp6 4
-routines from looking into IP payload.
-.\"
-.Sh SEE ALSO
-.Xr ioctl 2 ,
-.Xr socket 2 ,
-.Xr ipsec_set_policy 3 ,
-.Xr fast_ipsec 4 ,
-.Xr icmp6 4 ,
-.Xr intro 4 ,
-.Xr ip6 4 ,
-.Xr racoon 8 ,
-.Xr setkey 8 ,
-.Xr sysctl 8
-.Sh STANDARDS
-.Rs
-.%A Daniel L. McDonald
-.%A Craig Metz
-.%A Bao G. Phan
-.%T "PF_KEY Key Management API, Version 2"
-.%R RFC
-.%N 2367
-.Re
-.Sh HISTORY
-The implementation described herein appeared in WIDE/KAME IPv6/IPsec stack.
+.Nx
+version is a close copy of the
+.Fx
+original, and first appeared in
+.Nx 2.0 .
+.Pp
+Support for IPv6 and
+.Tn IPcomp
+protocols has been added in
+.Nx 4.0 .
+.Pp
+Support for IPSEC_NAT_T
+(Network Address Translator Traversal as
+described in RFCs 3947 and 3948) has been added in
+.Nx 5.0 .
.Sh BUGS
-The IPsec support is subject to change as the IPsec protocols develop.
-.Pp
-There is no single standard for policy engine API,
-so the policy engine API described herein is just for KAME implementation.
+There still are some issues in the IPv6 support.
+In particular
+.Tn FAST_IPSEC
+does not protect packets with IPv6 extension headers.
+.Pp
+Certain legacy authentication algorithms are not supported because of
+issues with the
+.Xr opencrypto 9
+subsystem.
.Pp
-AH and tunnel mode encapsulation may not work as you might expect.
-If you configure inbound
-.Dq require
-policy against AH tunnel or any IPsec encapsulating policy with AH
-.Po
-like
-.Dq Li esp/tunnel/A-B/use ah/transport/A-B/require
-.Pc ,
-tunneled packets will be rejected.
-This is because we enforce policy check on inner packet on reception,
-and AH authenticates encapsulating
-.Pq outer
-packet, not the encapsulated
-.Pq inner
-packet
-.Po
-so for the receiving kernel there's no sign of authenticity
-.Pc .
-The issue will be solved when we revamp our policy engine to keep all the
-packet decapsulation history.
-.Pp
-Under certain condition,
-truncated result may be raised from the kernel
-against
-.Dv SADB_DUMP
-and
-.Dv SADB_SPDDUMP
-operation on
-.Dv PF_KEY
-socket.
-This occurs if there are too many database entries in the kernel
-and socket buffer for the
-.Dv PF_KEY
-socket is insufficient.
-If you manipulate many IPsec key/policy database entries,
-increase the size of socket buffer or use
-.Xr sysctl 8
-interface.
+This documentation is incomplete.
Index: src/share/man/man4/options.4
diff -u src/share/man/man4/options.4:1.409 src/share/man/man4/options.4:1.410
--- src/share/man/man4/options.4:1.409 Sun Oct 2 16:39:46 2011
+++ src/share/man/man4/options.4 Mon Jan 9 15:16:31 2012
@@ -1,4 +1,4 @@
-.\" $NetBSD: options.4,v 1.409 2011/10/02 16:39:46 jmcneill Exp $
+.\" $NetBSD: options.4,v 1.410 2012/01/09 15:16:31 drochner Exp $
.\"
.\" Copyright (c) 1996
.\" Perry E. Metzger. All rights reserved.
@@ -30,7 +30,7 @@
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\"
-.Dd October 2, 2011
+.Dd January 9, 2012
.Dt OPTIONS 4
.Os
.Sh NAME
@@ -1646,9 +1646,19 @@ for details.
.It Cd options IPSEC
Includes support for the
.Tn IPsec
+protocol, using the FAST_IPSEC implementation.
+See
+.Xr fast_ipsec 4
+for details.
+(This option is an alias for the
+.Cd FAST_IPSEC
+option described below.)
+.It Cd options KAME_IPSEC
+Includes support for the
+.Tn IPsec
protocol, using the KAME implementation.
See
-.Xr ipsec 4
+.Xr kame_ipsec 4
for details.
.It Cd options IPSEC_DEBUG
Enables debugging code in
@@ -1663,7 +1673,7 @@ Includes support for
.Tn ESP
protocol, using the KAME implementation.
See
-.Xr ipsec 4
+.Xr kame_ipsec 4
for details.
.It Cd options FAST_IPSEC
Includes support for the
Index: src/sys/netinet6/files.ipsec
diff -u src/sys/netinet6/files.ipsec:1.7 src/sys/netinet6/files.ipsec:1.8
--- src/sys/netinet6/files.ipsec:1.7 Mon Dec 19 11:59:57 2011
+++ src/sys/netinet6/files.ipsec Mon Jan 9 15:16:31 2012
@@ -1,7 +1,6 @@
-# $NetBSD: files.ipsec,v 1.7 2011/12/19 11:59:57 drochner Exp $
+# $NetBSD: files.ipsec,v 1.8 2012/01/09 15:16:31 drochner Exp $
defflag opt_ipsec.h KAME_IPSEC
-defflag opt_ipsec.h IPSEC: KAME_IPSEC
defflag opt_ipsec.h IPSEC_ESP: des, blowfish, cast128
defflag opt_ipsec.h IPSEC_NAT_T
Index: src/sys/netipsec/files.netipsec
diff -u src/sys/netipsec/files.netipsec:1.8 src/sys/netipsec/files.netipsec:1.9
--- src/sys/netipsec/files.netipsec:1.8 Mon Dec 19 11:59:58 2011
+++ src/sys/netipsec/files.netipsec Mon Jan 9 15:16:31 2012
@@ -1,9 +1,8 @@
-# $Id: files.netipsec,v 1.8 2011/12/19 11:59:58 drochner Exp $
+# $Id: files.netipsec,v 1.9 2012/01/09 15:16:31 drochner Exp $
#
#
defflag opt_ipsec.h FAST_IPSEC: opencrypto
-# notyet
-#defflag opt_ipsec.h IPSEC: FAST_IPSEC
+defflag opt_ipsec.h IPSEC: FAST_IPSEC
defflag opt_ipsec.h IPSEC_DEBUG
file netipsec/ipsec.c fast_ipsec needs-flag
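Review bot: With `defflag opt_ipsec.h IPSEC: FAST_IPSEC` now active, nothing visible in either config file prevents a kernel from enabling both IPsec stacks: a config that keeps `options KAME_IPSEC` (still a standalone defflag in the sys/netinet6/files.ipsec hunk of this commit) and also carries `options IPSEC` will define FAST_IPSEC and KAME_IPSEC together, and what that kernel does with IPsec traffic is not determined by anything in this change. Unless config(1) rejects that combination elsewhere, the constraint should at least be stated next to the new line, e.g. `# IPSEC selects FAST_IPSEC; must not be combined with KAME_IPSEC (netinet6/files.ipsec)`, with the mirror comment beside the KAME_IPSEC defflag in files.ipsec (that hunk's trailing context is cut off here). It also looks like `options IPSEC_ESP`, still defined in files.ipsec with des/blowfish/cast128 dependencies, has no counterpart in this file, so older configs that carry it alongside the new default would appear to pull in those ciphers without affecting the FAST_IPSEC build; worth confirming and documenting in options.4.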
Added files:
Index: src/share/man/man4/kame_ipsec.4
diff -u /dev/null src/share/man/man4/kame_ipsec.4:1.1
--- /dev/null Mon Jan 9 15:16:32 2012
+++ src/share/man/man4/kame_ipsec.4 Mon Jan 9 15:16:31 2012
@@ -0,0 +1,394 @@
+.\" $NetBSD: kame_ipsec.4,v 1.1 2012/01/09 15:16:31 drochner Exp $
+.\" $KAME: ipsec.4,v 1.17 2001/06/27 15:25:10 itojun Exp $
+.\"
+.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of the project nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.Dd May 16, 2009
+.Dt IPSEC 4
+.Os
+.Sh NAME
+.Nm ipsec
+.Nd IP security protocol
+.Sh SYNOPSIS
+.In sys/types.h
+.In netinet/in.h
+.In netinet6/ipsec.h
+.Pp
+.Cd options KAME_IPSEC
+.Cd options IPSEC_ESP
+.Cd options IPSEC_NAT_T
+.Cd options IPSEC_DEBUG
+.Sh DESCRIPTION
+.Nm
+is a security protocol in Internet Protocol (IP) layer.
+.Nm
+is defined for both IPv4 and IPv6
+.Po
+.Xr inet 4
+and
+.Xr inet6 4
+.Pc .
+.Nm
+consists of two sub-protocols:
+.Pp
+.Bl -hang
+.It Em Encapsulated Security Payload Pq ESP
+protects IP payload from wire-tapping (interception) by encrypting it with
+secret key cryptography algorithms.
+.It Em Authentication Header Pq AH
+guarantees integrity of IP packet
+and protects it from intermediate alteration or impersonation,
+by attaching cryptographic checksum computed by one-way hash functions.
+.El
+.Pp
+.Nm
+has two operation modes:
+.Pp
+.Bl -hang
+.It Em Transport mode
+is for protecting peer-to-peer communication between end nodes.
+.It Em Tunnel mode
+includes IP-in-IP encapsulation operation
+and is designed for security gateways, as in Virtual Private Network
+.Pq Tn VPN
+configurations.
+.El
+.Pp
+The following kernel options are available:
+.Bl -ohang
+.It Cd options IPSEC
+Includes support for the
+.Tn IPsec
+protocol.
+.Em IPSEC
+will enable
+secret key management part,
+policy management part,
+.Tn AH
+and
+.Tn IPComp .
+Kernel binary will not be subject to export control in most of countries,
+even if compiled with
+.Em IPSEC .
+For example, it should be okay to export it from the United States of America.
+.Em INET6
+and
+.Em IPSEC
+are orthogonal so you can get IPv4-only kernel with IPsec support,
+IPv4/v6 dual support kernel without IPsec, and so forth.
+This option requires
+.Em INET
+at this moment, but it should not.
+.It Cd options IPSEC_DEBUG
+Enables debugging code in
+.Tn IPsec
+stack.
+This option assumes
+.Em IPSEC .
+.It Cd options IPSEC_ESP
+Includes support for
+.Tn IPsec
+.Tn ESP
+protocol.
+.Em IPSEC_ESP
+will enable source code that is subject to export control in some countries
+.Pq including the United States ,
+and compiled kernel binary will be subject to certain restriction.
+This option assumes
+.Em IPSEC .
+.It Cd options IPSEC_NAT_T
+Includes support for
+.Tn IPsec
+Network Address Translator Traversal (NAT-T), as described in RFCs 3947
+and 3948.
+This feature might be patent-encumbered in some countries.
+This option assumes
+.Em IPSEC
+and
+.Em IPSEC_ESP .
+.El
+.\"
+.Ss Kernel interface
+.Nm
+is controlled by key management engine and policy engine,
+in the operating system kernel.
+.Pp
+Key management engine can be accessed from the userland by using
+.Dv PF_KEY
+sockets.
+The
+.Dv PF_KEY
+socket API is defined in RFC2367.
+.Pp
+Policy engine can be controlled by extended part of
+.Dv PF_KEY
+API,
+.Xr setsockopt 2
+operations, and
+.Xr sysctl 3
+interface.
+The kernel implements
+extended version of
+.Dv PF_KEY
+interface, and allows you to define IPsec policy like per-packet filters.
+.Xr setsockopt 2
+interface is used to define per-socket behavior, and
+.Xr sysctl 3
+interface is used to define host-wide default behavior.
+.Pp
+The kernel code does not implement dynamic encryption key exchange protocol
+like IKE
+.Pq Internet Key Exchange .
+That should be implemented as userland programs
+.Pq usually as daemons ,
+by using the above described APIs.
+.\"
+.Ss Policy management
+The kernel implements experimental policy management code.
+You can manage the IPsec policy in two ways.
+One is to configure per-socket policy using
+.Xr setsockopt 2 .
+The other is to configure kernel packet filter-based policy using
+.Dv PF_KEY
+interface, via
+.Xr setkey 8 .
+In both cases, IPsec policy must be specified with syntax described in
+.Xr ipsec_set_policy 3 .
+.Pp
+With
+.Xr setsockopt 2 ,
+you can define IPsec policy in per-socket basis.
+You can enforce particular IPsec policy onto packets that go through
+particular socket.
+.Pp
+With
+.Xr setkey 8
+you can define IPsec policy against packets,
+using sort of packet filtering rule.
+Refer to
+.Xr setkey 8
+on how to use it.
+.Pp
+In the latter case,
+.Dq Li default
+policy is allowed for use with
+.Xr setkey 8 .
+By configuring policy to
+.Li default ,
+you can refer system-wide
+.Xr sysctl 8
+variable for default settings.
+The following variables are available.
+.Li 1
+means
+.Dq Li use ,
+and
+.Li 2
+means
+.Dq Li require
+in the syntax.
+.Bl -column net.inet6.ipsec6.esp_trans_deflev integerxxx
+.It Sy Name Ta Sy Type Ta Sy Changeable
+.It net.inet.ipsec.esp_trans_deflev Ta integer Ta yes
+.It net.inet.ipsec.esp_net_deflev Ta integer Ta yes
+.It net.inet.ipsec.ah_trans_deflev Ta integer Ta yes
+.It net.inet.ipsec.ah_net_deflev Ta integer Ta yes
+.It net.inet6.ipsec6.esp_trans_deflev Ta integer Ta yes
+.It net.inet6.ipsec6.esp_net_deflev Ta integer Ta yes
+.It net.inet6.ipsec6.ah_trans_deflev Ta integer Ta yes
+.It net.inet6.ipsec6.ah_net_deflev Ta integer Ta yes
+.El
+.Pp
+If kernel finds no matching policy system wide default value is applied.
+System wide default is specified by the following
+.Xr sysctl 8
+variables.
+.Li 0
+means
+.Dq Li discard
+which asks the kernel to drop the packet.
+.Li 1
+means
+.Dq Li none .
+.Bl -column net.inet6.ipsec6.esp_trans_deflev integerxxx
+.It Sy Name Ta Sy Type Ta Sy Changeable
+.It net.inet.ipsec.def_policy Ta integer Ta yes
+.It net.inet6.ipsec6.def_policy Ta integer Ta yes
+.El
+.\"
+.Ss Miscellaneous sysctl variables
+The following variables are accessible via
+.Xr sysctl 8 ,
+for tweaking kernel IPsec behavior:
+.Bl -column net.inet6.ipsec6.esp_trans_deflev integerxxx
+.It Sy Name Ta Sy Type Ta Sy Changeable
+.It net.inet.ipsec.ah_cleartos Ta integer Ta yes
+.It net.inet.ipsec.ah_offsetmask Ta integer Ta yes
+.It net.inet.ipsec.dfbit Ta integer Ta yes
+.It net.inet.ipsec.ecn Ta integer Ta yes
+.It net.inet.ipsec.debug Ta integer Ta yes
+.It net.inet6.ipsec6.ecn Ta integer Ta yes
+.It net.inet6.ipsec6.debug Ta integer Ta yes
+.El
+.Pp
+The variables are interpreted as follows:
+.Bl -tag -width "123456"
+.It Li ipsec.ah_cleartos
+If set to non-zero, the kernel clears type-of-service field in the IPv4 header
+during AH authentication data computation.
+The variable is for tweaking AH behavior to interoperate with devices that
+implement RFC1826 AH.
+It should be set to non-zero
+.Pq clear the type-of-service field
+for RFC2402 conformance.
+.It Li ipsec.ah_offsetmask
+During AH authentication data computation, the kernel will include
+16bit fragment offset field
+.Pq including flag bits
+in IPv4 header, after computing logical AND with the variable.
+The variable is for tweaking AH behavior to interoperate with devices that
+implement RFC1826 AH.
+It should be set to zero
+.Pq clear the fragment offset field during computation
+for RFC2402 conformance.
+.It Li ipsec.dfbit
+The variable configures the kernel behavior on IPv4 IPsec tunnel encapsulation.
+If set to 0, DF bit on the outer IPv4 header will be cleared.
+1 means that the outer DF bit is set regardless from the inner DF bit.
+2 means that the DF bit is copied from the inner header to the outer.
+The variable is supplied to conform to RFC2401 chapter 6.1.
+.It Li ipsec.ecn
+If set to non-zero, IPv4 IPsec tunnel encapsulation/decapsulation behavior will
+be friendly to ECN
+.Pq explicit congestion notification ,
+as documented in
+.Li draft-ietf-ipsec-ecn-02.txt .
+.Xr gif 4
+talks more about the behavior.
+.It Li ipsec.debug
+If set to non-zero, debug messages will be generated via
+.Xr syslog 3 .
+.El
+.Pp
+Variables under
+.Li net.inet6.ipsec6
+tree has similar meaning as the
+.Li net.inet.ipsec
+counterpart.
+.\"
+.Sh PROTOCOLS
+The
+.Nm
+protocol works like plug-in to
+.Xr inet 4
+and
+.Xr inet6 4
+protocols.
+Therefore,
+.Nm
+supports most of the protocols defined upon those IP-layer protocols.
+Some of the protocols, like
+.Xr icmp 4
+or
+.Xr icmp6 4 ,
+may behave differently with
+.Nm ipsec .
+This is because
+.Nm
+can prevent
+.Xr icmp 4
+or
+.Xr icmp6 4
+routines from looking into IP payload.
+.\"
+.Sh SEE ALSO
+.Xr ioctl 2 ,
+.Xr socket 2 ,
+.Xr ipsec_set_policy 3 ,
+.Xr fast_ipsec 4 ,
+.Xr icmp6 4 ,
+.Xr intro 4 ,
+.Xr ip6 4 ,
+.Xr racoon 8 ,
+.Xr setkey 8 ,
+.Xr sysctl 8
+.Sh STANDARDS
+.Rs
+.%A Daniel L. McDonald
+.%A Craig Metz
+.%A Bao G. Phan
+.%T "PF_KEY Key Management API, Version 2"
+.%R RFC
+.%N 2367
+.Re
+.Sh HISTORY
+The implementation described herein appeared in WIDE/KAME IPv6/IPsec stack.
+.Sh BUGS
+The IPsec support is subject to change as the IPsec protocols develop.
+.Pp
+There is no single standard for policy engine API,
+so the policy engine API described herein is just for KAME implementation.
+.Pp
+AH and tunnel mode encapsulation may not work as you might expect.
+If you configure inbound
+.Dq require
+policy against AH tunnel or any IPsec encapsulating policy with AH
+.Po
+like
+.Dq Li esp/tunnel/A-B/use ah/transport/A-B/require
+.Pc ,
+tunneled packets will be rejected.
+This is because we enforce policy check on inner packet on reception,
+and AH authenticates encapsulating
+.Pq outer
+packet, not the encapsulated
+.Pq inner
+packet
+.Po
+so for the receiving kernel there's no sign of authenticity
+.Pc .
+The issue will be solved when we revamp our policy engine to keep all the
+packet decapsulation history.
+.Pp
+Under certain condition,
+truncated result may be raised from the kernel
+against
+.Dv SADB_DUMP
+and
+.Dv SADB_SPDDUMP
+operation on
+.Dv PF_KEY
+socket.
+This occurs if there are too many database entries in the kernel
+and socket buffer for the
+.Dv PF_KEY
+socket is insufficient.
+If you manipulate many IPsec key/policy database entries,
+increase the size of socket buffer or use
+.Xr sysctl 8
+interface.