ip-xfrm.8 (15385B)
- '\" t
- .TH IP\-XFRM 8 "20 Dec 2011" "iproute2" "Linux"
- .SH "NAME"
- ip-xfrm \- transform configuration
- .SH "SYNOPSIS"
- .sp
- .ad l
- .in +8
- .ti -8
- .B ip
- .RI "[ " OPTIONS " ]"
- .B xfrm
- .RI " { " COMMAND " | "
- .BR help " }"
- .sp
- .ti -8
- .B "ip xfrm"
- .IR XFRM-OBJECT " { " COMMAND " | "
- .BR help " }"
- .sp
- .ti -8
- .IR XFRM-OBJECT " :="
- .BR state " | " policy " | " monitor
- .sp
- .ti -8
- .BR "ip xfrm state" " { " add " | " update " } "
- .IR ID " [ " ALGO-LIST " ]"
- .RB "[ " mode
- .IR MODE " ]"
- .RB "[ " mark
- .I MARK
- .RB "[ " mask
- .IR MASK " ] ]"
- .RB "[ " reqid
- .IR REQID " ]"
- .RB "[ " seq
- .IR SEQ " ]"
- .RB "[ " replay-window
- .IR SIZE " ]"
- .RB "[ " replay-seq
- .IR SEQ " ]"
- .RB "[ " replay-oseq
- .IR SEQ " ]"
- .RB "[ " replay-seq-hi
- .IR SEQ " ]"
- .RB "[ " replay-oseq-hi
- .IR SEQ " ]"
- .RB "[ " flag
- .IR FLAG-LIST " ]"
- .RB "[ " sel
- .IR SELECTOR " ] [ " LIMIT-LIST " ]"
- .RB "[ " encap
- .IR ENCAP " ]"
- .RB "[ " coa
- .IR ADDR "[/" PLEN "] ]"
- .RB "[ " ctx
- .IR CTX " ]"
- .RB "[ " extra-flag
- .IR EXTRA-FLAG-LIST " ]"
- .RB "[ " output-mark
- .IR OUTPUT-MARK
- .RB "[ " mask
- .IR MASK " ] ]"
- .RB "[ " if_id
- .IR IF-ID " ]"
- .RB "[ " offload
- .RB "[ " crypto | packet " ]"
- .RB dev
- .IR DEV "
- .RB dir
- .IR DIR " ]"
- .RB "[ " tfcpad
- .IR LENGTH " ]"
- .ti -8
- .B "ip xfrm state allocspi"
- .I ID
- .RB "[ " mode
- .IR MODE " ]"
- .RB "[ " mark
- .I MARK
- .RB "[ " mask
- .IR MASK " ] ]"
- .RB "[ " reqid
- .IR REQID " ]"
- .RB "[ " seq
- .IR SEQ " ]"
- .RB "[ " min
- .I SPI
- .B max
- .IR SPI " ]"
- .ti -8
- .BR "ip xfrm state" " { " delete " | " get " } "
- .I ID
- .RB "[ " mark
- .I MARK
- .RB "[ " mask
- .IR MASK " ] ]"
- .ti -8
- .BR ip " [ " -4 " | " -6 " ] " "xfrm state deleteall" " ["
- .IR ID " ]"
- .RB "[ " mode
- .IR MODE " ]"
- .RB "[ " reqid
- .IR REQID " ]"
- .RB "[ " flag
- .IR FLAG-LIST " ]"
- .ti -8
- .BR ip " [ " -4 " | " -6 " ] " "xfrm state list" " ["
- .IR ID " ]"
- .RB "[ " nokeys " ]"
- .RB "[ " mode
- .IR MODE " ]"
- .RB "[ " reqid
- .IR REQID " ]"
- .RB "[ " flag
- .IR FLAG-LIST " ]"
- .ti -8
- .BR "ip xfrm state flush" " [ " proto
- .IR XFRM-PROTO " ]"
- .ti -8
- .BR "ip xfrm state count"
- .ti -8
- .IR ID " :="
- .RB "[ " src
- .IR ADDR " ]"
- .RB "[ " dst
- .IR ADDR " ]"
- .RB "[ " proto
- .IR XFRM-PROTO " ]"
- .RB "[ " spi
- .IR SPI " ]"
- .ti -8
- .IR XFRM-PROTO " :="
- .BR esp " | " ah " | " comp " | " route2 " | " hao
- .ti -8
- .IR ALGO-LIST " := [ " ALGO-LIST " ] " ALGO
- .ti -8
- .IR ALGO " :="
- .RB "{ " enc " | " auth " } "
- .IR ALGO-NAME " " ALGO-KEYMAT " |"
- .br
- .B auth-trunc
- .IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-TRUNC-LEN " |"
- .br
- .B aead
- .IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-ICV-LEN " |"
- .br
- .B comp
- .IR ALGO-NAME
- .ti -8
- .IR MODE " := "
- .BR transport " | " tunnel " | " beet " | " ro " | " in_trigger
- .ti -8
- .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
- .ti -8
- .IR FLAG " :="
- .BR noecn " | " decap-dscp " | " nopmtudisc " | " wildrecv " | " icmp " | "
- .BR af-unspec " | " align4 " | " esn
- .ti -8
- .IR SELECTOR " :="
- .RB "[ " src
- .IR ADDR "[/" PLEN "] ]"
- .RB "[ " dst
- .IR ADDR "[/" PLEN "] ]"
- .RB "[ " dev
- .IR DEV " ]"
- .br
- .RI "[ " UPSPEC " ]"
- .ti -8
- .IR UPSPEC " := "
- .BR proto " {"
- .IR PROTO " |"
- .br
- .RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
- .IR PORT " ]"
- .RB "[ " dport
- .IR PORT " ] |"
- .br
- .RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
- .IR NUMBER " ]"
- .RB "[ " code
- .IR NUMBER " ] |"
- .br
- .BR gre " [ " key
- .RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
- .ti -8
- .IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
- .B limit
- .I LIMIT
- .ti -8
- .IR LIMIT " :="
- .RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
- .IR "SECONDS" " |"
- .br
- .RB "{ " byte-soft " | " byte-hard " }"
- .IR SIZE " |"
- .br
- .RB "{ " packet-soft " | " packet-hard " }"
- .I COUNT
- .ti -8
- .IR ENCAP " :="
- .RB "{ " espinudp " | " espinudp-nonike " | " espintcp " }"
- .IR SPORT " " DPORT " " OADDR
- .ti -8
- .IR EXTRA-FLAG-LIST " := [ " EXTRA-FLAG-LIST " ] " EXTRA-FLAG
- .ti -8
- .IR EXTRA-FLAG " := "
- .BR dont-encap-dscp " | " oseq-may-wrap
- .ti -8
- .BR "ip xfrm policy" " { " add " | " update " }"
- .I SELECTOR
- .B dir
- .I DIR
- .RB "[ " ctx
- .IR CTX " ]"
- .RB "[ " mark
- .I MARK
- .RB "[ " mask
- .IR MASK " ] ]"
- .RB "[ " index
- .IR INDEX " ]"
- .RB "[ " ptype
- .IR PTYPE " ]"
- .RB "[ " action
- .IR ACTION " ]"
- .RB "[ " priority
- .IR PRIORITY " ]"
- .RB "[ " flag
- .IR FLAG-LIST " ]"
- .RB "[ " if_id
- .IR IF-ID " ]"
- .RB "[ " offload
- .RB packet
- .RB dev
- .IR DEV " ]"
- .RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]"
- .ti -8
- .BR "ip xfrm policy" " { " delete " | " get " }"
- .RI "{ " SELECTOR " | "
- .B index
- .IR INDEX " }"
- .B dir
- .I DIR
- .RB "[ " ctx
- .IR CTX " ]"
- .RB "[ " mark
- .I MARK
- .RB "[ " mask
- .IR MASK " ] ]"
- .RB "[ " ptype
- .IR PTYPE " ]"
- .RB "[ " if_id
- .IR IF-ID " ]"
- .ti -8
- .BR ip " [ " -4 " | " -6 " ] " "xfrm policy" " { " deleteall " | " list " }"
- .RB "[ " nosock " ]"
- .RI "[ " SELECTOR " ]"
- .RB "[ " dir
- .IR DIR " ]"
- .RB "[ " index
- .IR INDEX " ]"
- .RB "[ " ptype
- .IR PTYPE " ]"
- .RB "[ " action
- .IR ACTION " ]"
- .RB "[ " priority
- .IR PRIORITY " ]"
- .RB "[ " flag
- .IR FLAG-LIST "]"
- .ti -8
- .B "ip xfrm policy flush"
- .RB "[ " ptype
- .IR PTYPE " ]"
- .ti -8
- .B "ip xfrm policy count"
- .ti -8
- .B "ip xfrm policy set"
- .RB "[ " hthresh4
- .IR LBITS " " RBITS " ]"
- .RB "[ " hthresh6
- .IR LBITS " " RBITS " ]"
- .ti -8
- .B "ip xfrm policy setdefault"
- .IR DIR
- .IR ACTION " [ "
- .IR DIR
- .IR ACTION " ] [ "
- .IR DIR
- .IR ACTION " ]"
- .ti -8
- .B "ip xfrm policy getdefault"
- .ti -8
- .IR SELECTOR " :="
- .RB "[ " src
- .IR ADDR "[/" PLEN "] ]"
- .RB "[ " dst
- .IR ADDR "[/" PLEN "] ]"
- .RB "[ " dev
- .IR DEV " ]"
- .RI "[ " UPSPEC " ]"
- .ti -8
- .IR UPSPEC " := "
- .BR proto " {"
- .IR PROTO " |"
- .br
- .RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport
- .IR PORT " ]"
- .RB "[ " dport
- .IR PORT " ] |"
- .br
- .RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type
- .IR NUMBER " ]"
- .RB "[ " code
- .IR NUMBER " ] |"
- .br
- .BR gre " [ " key
- .RI "{ " DOTTED-QUAD " | " NUMBER " } ] }"
- .ti -8
- .IR DIR " := "
- .BR in " | " out " | " fwd
- .ti -8
- .IR PTYPE " := "
- .BR main " | " sub
- .ti -8
- .IR ACTION " := "
- .BR allow " | " block
- .ti -8
- .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG
- .ti -8
- .IR FLAG " :="
- .BR localok " | " icmp
- .ti -8
- .IR LIMIT-LIST " := [ " LIMIT-LIST " ]"
- .B limit
- .I LIMIT
- .ti -8
- .IR LIMIT " :="
- .RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }"
- .IR "SECONDS" " |"
- .br
- .RB "{ " byte-soft " | " byte-hard " }"
- .IR SIZE " |"
- .br
- .RB "{ " packet-soft " | " packet-hard " }"
- .I COUNT
- .ti -8
- .IR TMPL-LIST " := [ " TMPL-LIST " ]"
- .B tmpl
- .I TMPL
- .ti -8
- .IR TMPL " := " ID
- .RB "[ " mode
- .IR MODE " ]"
- .RB "[ " reqid
- .IR REQID " ]"
- .RB "[ " level
- .IR LEVEL " ]"
- .ti -8
- .IR ID " :="
- .RB "[ " src
- .IR ADDR " ]"
- .RB "[ " dst
- .IR ADDR " ]"
- .RB "[ " proto
- .IR XFRM-PROTO " ]"
- .RB "[ " spi
- .IR SPI " ]"
- .ti -8
- .IR XFRM-PROTO " :="
- .BR esp " | " ah " | " comp " | " route2 " | " hao
- .ti -8
- .IR MODE " := "
- .BR transport " | " tunnel " | " beet " | " ro " | " in_trigger
- .ti -8
- .IR LEVEL " :="
- .BR required " | " use
- .ti -8
- .BR "ip xfrm monitor" " ["
- .BI all-nsid
- ] [
- .BI nokeys
- ] [
- .BI all
- |
- .IR LISTofXFRM-OBJECTS " ]"
- .ti -8
- .IR LISTofXFRM-OBJECTS " := [ " LISTofXFRM-OBJECTS " ] " XFRM-OBJECT
- .ti -8
- .IR XFRM-OBJECT " := "
- .BR acquire " | " expire " | " SA " | " policy " | " aevent " | " report
- .in -8
- .ad b
- .SH DESCRIPTION
- xfrm is an IP framework for transforming packets (such as encrypting
- their payloads). This framework is used to implement the IPsec protocol
- suite (with the
- .B state
- object operating on the Security Association Database, and the
- .B policy
- object operating on the Security Policy Database). It is also used for
- the IP Payload Compression Protocol and features of Mobile IPv6.
- .TS
- l l.
- ip xfrm state add add new state into xfrm
- ip xfrm state update update existing state in xfrm
- ip xfrm state allocspi allocate an SPI value
- ip xfrm state delete delete existing state in xfrm
- ip xfrm state get get existing state in xfrm
- ip xfrm state deleteall delete all existing state in xfrm
- ip xfrm state list print out the list of existing state in xfrm
- ip xfrm state flush flush all state in xfrm
- ip xfrm state count count all existing state in xfrm
- .TE
- .TP
- .IR ID
- is specified by a source address, destination address,
- .RI "transform protocol " XFRM-PROTO ","
- and/or Security Parameter Index
- .IR SPI "."
- (For IP Payload Compression, the Compression Parameter Index or CPI is used for
- .IR SPI ".)"
- .TP
- .I XFRM-PROTO
- specifies a transform protocol:
- .RB "IPsec Encapsulating Security Payload (" esp "),"
- .RB "IPsec Authentication Header (" ah "),"
- .RB "IP Payload Compression (" comp "),"
- .RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
- .RB "Mobile IPv6 Home Address Option (" hao ")."
- .TP
- .I ALGO-LIST
- contains one or more algorithms to use. Each algorithm
- .I ALGO
- is specified by:
- .RS
- .IP \[bu]
- the algorithm type:
- .RB "encryption (" enc "),"
- .RB "authentication (" auth " or " auth-trunc "),"
- .RB "authenticated encryption with associated data (" aead "), or"
- .RB "compression (" comp ")"
- .IP \[bu]
- the algorithm name
- .IR ALGO-NAME
- (see below)
- .IP \[bu]
- .RB "(for all except " comp ")"
- the keying material
- .IR ALGO-KEYMAT ","
- which may include both a key and a salt or nonce value; refer to the
- corresponding RFC
- .IP \[bu]
- .RB "(for " auth-trunc " only)"
- the truncation length
- .I ALGO-TRUNC-LEN
- in bits
- .IP \[bu]
- .RB "(for " aead " only)"
- the Integrity Check Value length
- .I ALGO-ICV-LEN
- in bits
- .RE
- .nh
- .RS
- Encryption algorithms include
- .BR ecb(cipher_null) ", " cbc(des) ", " cbc(des3_ede) ", " cbc(cast5) ","
- .BR cbc(blowfish) ", " cbc(aes) ", " cbc(serpent) ", " cbc(camellia) ","
- .BR cbc(twofish) ", and " rfc3686(ctr(aes)) "."
- Authentication algorithms include
- .BR digest_null ", " hmac(md5) ", " hmac(sha1) ", " hmac(sha256) ","
- .BR hmac(sha384) ", " hmac(sha512) ", " hmac(rmd160) ", and " xcbc(aes) "."
- Authenticated encryption with associated data (AEAD) algorithms include
- .BR rfc4106(gcm(aes)) ", " rfc4309(ccm(aes)) ", and " rfc4543(gcm(aes)) "."
- Compression algorithms include
- .BR deflate ", " lzs ", and " lzjh "."
- .RE
- .hy
- .TP
- .I MODE
- specifies a mode of operation for the transform protocol. IPsec and IP Payload
- Compression modes are
- .BR transport ", " tunnel ","
- and (for IPsec ESP only) Bound End-to-End Tunnel
- .RB "(" beet ")."
- Mobile IPv6 modes are route optimization
- .RB "(" ro ")"
- and inbound trigger
- .RB "(" in_trigger ")."
- .TP
- .I FLAG-LIST
- contains one or more of the following optional flags:
- .BR noecn ", " decap-dscp ", " nopmtudisc ", " wildrecv ", " icmp ", "
- .BR af-unspec ", " align4 ", or " esn "."
- .TP
- .IR SELECTOR
- selects the traffic that will be controlled by the policy, based on the source
- address, the destination address, the network device, and/or
- .IR UPSPEC "."
- .TP
- .IR UPSPEC
- selects traffic by protocol. For the
- .BR tcp ", " udp ", " sctp ", or " dccp
- protocols, the source and destination port can optionally be specified.
- For the
- .BR icmp ", " ipv6-icmp ", or " mobility-header
- protocols, the type and code numbers can optionally be specified.
- For the
- .B gre
- protocol, the key can optionally be specified as a dotted-quad or number.
- Other protocols can be selected by name or number
- .IR PROTO "."
- .TP
- .I LIMIT-LIST
- sets limits in seconds, bytes, or numbers of packets.
- .TP
- .I ENCAP
- encapsulates packets with protocol
- .BR espinudp ", " espinudp-nonike ", or " espintcp ","
- .RI "using source port " SPORT ", destination port " DPORT
- .RI ", and original address " OADDR "."
- .TP
- .I MARK
- used to match xfrm policies and states
- .TP
- .I OUTPUT-MARK
- used to set the output mark to influence the routing
- of the packets emitted by the state
- .TP
- .I IF-ID
- xfrm interface identifier used to in both xfrm policies and states
- .TP
- .I DEV
- Network interface name used to offload policies and states
- .sp
- .PP
- .TS
- l l.
- ip xfrm policy add add a new policy
- ip xfrm policy update update an existing policy
- ip xfrm policy delete delete an existing policy
- ip xfrm policy get get an existing policy
- ip xfrm policy deleteall delete all existing xfrm policies
- ip xfrm policy list print out the list of xfrm policies
- ip xfrm policy flush flush policies
- .TE
- .TP
- .BR nosock
- filter (remove) all socket policies from the output.
- .TP
- .IR SELECTOR
- selects the traffic that will be controlled by the policy, based on the source
- address, the destination address, the network device, and/or
- .IR UPSPEC "."
- .TP
- .IR UPSPEC
- selects traffic by protocol. For the
- .BR tcp ", " udp ", " sctp ", or " dccp
- protocols, the source and destination port can optionally be specified.
- For the
- .BR icmp ", " ipv6-icmp ", or " mobility-header
- protocols, the type and code numbers can optionally be specified.
- For the
- .B gre
- protocol, the key can optionally be specified as a dotted-quad or number.
- Other protocols can be selected by name or number
- .IR PROTO "."
- .TP
- .I DIR
- selects the policy direction as
- .BR in ", " out ", or " fwd "."
- .TP
- .I CTX
- sets the security context.
- .TP
- .I PTYPE
- can be
- .BR main " (default) or " sub "."
- .TP
- .I ACTION
- can be
- .BR allow " (default) or " block "."
- .TP
- .I PRIORITY
- is a number that defaults to zero.
- .TP
- .I FLAG-LIST
- contains one or both of the following optional flags:
- .BR local " or " icmp "."
- .TP
- .I LIMIT-LIST
- sets limits in seconds, bytes, or numbers of packets.
- .TP
- .I TMPL-LIST
- is a template list specified using
- .IR ID ", " MODE ", " REQID ", and/or " LEVEL ". "
- .TP
- .IR ID
- is specified by a source address, destination address,
- .RI "transform protocol " XFRM-PROTO ","
- and/or Security Parameter Index
- .IR SPI "."
- (For IP Payload Compression, the Compression Parameter Index or CPI is used for
- .IR SPI ".)"
- .TP
- .I XFRM-PROTO
- specifies a transform protocol:
- .RB "IPsec Encapsulating Security Payload (" esp "),"
- .RB "IPsec Authentication Header (" ah "),"
- .RB "IP Payload Compression (" comp "),"
- .RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or"
- .RB "Mobile IPv6 Home Address Option (" hao ")."
- .TP
- .I MODE
- specifies a mode of operation for the transform protocol. IPsec and IP Payload
- Compression modes are
- .BR transport ", " tunnel ","
- and (for IPsec ESP only) Bound End-to-End Tunnel
- .RB "(" beet ")."
- Mobile IPv6 modes are route optimization
- .RB "(" ro ")"
- and inbound trigger
- .RB "(" in_trigger ")."
- .TP
- .I LEVEL
- can be
- .BR required " (default) or " use "."
- .sp
- .PP
- .TS
- l l.
- ip xfrm policy count count existing policies
- .TE
- .PP
- Use one or more -s options to display more details, including policy hash table
- information.
- .sp
- .PP
- .TS
- l l.
- ip xfrm policy set configure the policy hash table
- .TE
- .PP
- Security policies whose address prefix lengths are greater than or equal
- policy hash table thresholds are hashed. Others are stored in the
- policy_inexact chained list.
- .TP
- .I LBITS
- specifies the minimum local address prefix length of policies that are
- stored in the Security Policy Database hash table.
- .TP
- .I RBITS
- specifies the minimum remote address prefix length of policies that are
- stored in the Security Policy Database hash table.
- .sp
- .PP
- .TS
- l l.
- ip xfrm monitor state monitoring for xfrm objects
- .TE
- .PP
- The xfrm objects to monitor can be optionally specified.
- .P
- If the
- .BI all-nsid
- option is set, the program listens to all network namespaces that have a
- nsid assigned into the network namespace were the program is running.
- A prefix is displayed to show the network namespace where the message
- originates. Example:
- .sp
- .in +2
- [nsid 1]Flushed state proto 0
- .in -2
- .sp
- .SH AUTHOR
- Manpage revised by David Ward <david.ward@ll.mit.edu>
- .br
- Manpage revised by Christophe Gouault <christophe.gouault@6wind.com>
- .br
- Manpage revised by Nicolas Dichtel <nicolas.dichtel@6wind.com>