1.\" $KAME: ipsec.4,v 1.17 2001/06/27 15:25:10 itojun Exp $ 2.\" 3.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 3. Neither the name of the project nor the names of its contributors 15.\" may be used to endorse or promote products derived from this software 16.\" without specific prior written permission. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 19.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 22.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28.\" SUCH DAMAGE. 29.\" 30.Dd March 4, 2025 31.Dt IPSEC 4 32.Os 33.Sh NAME 34.Nm ipsec 35.Nd Internet Protocol Security protocol 36.Sh SYNOPSIS 37.Cd "options IPSEC" 38.Cd "options IPSEC_SUPPORT" 39.Cd "device crypto" 40.Pp 41.In sys/types.h 42.In netinet/in.h 43.In netipsec/ipsec.h 44.In netipsec/ipsec6.h 45.Sh DESCRIPTION 46.Nm 47is a security protocol implemented within the Internet Protocol layer 48of the networking stack. 49.Nm 50is defined for both IPv4 and IPv6 51.Xr ( inet 4 52and 53.Xr inet6 4 ) . 54.Nm 55is a set of protocols, 56.Tn ESP 57(for Encapsulating Security Payload) 58.Tn AH 59(for Authentication Header), 60and 61.Tn IPComp 62(for IP Payload Compression Protocol) 63that provide security services for IP datagrams. 64AH both authenticates and guarantees the integrity of an IP packet 65by attaching a cryptographic checksum computed using one-way hash functions. 66ESP, in addition, prevents unauthorized parties from reading the payload of 67an IP packet by also encrypting it. 68IPComp tries to increase communication performance by compressing IP payload, 69thus reducing the amount of data sent. 70This will help nodes on slow links but with enough computing power. 71.Nm 72operates in one of two modes: transport mode or tunnel mode. 73Transport mode is used to protect peer-to-peer communication between end nodes. 74Tunnel mode encapsulates IP packets within other IP packets 75and is designed for security gateways such as VPN endpoints. 76.Pp 77System configuration requires the 78.Xr crypto 4 79subsystem. 80.Pp 81The packets can be passed to a virtual 82.Xr enc 4 83interface, 84to perform packet filtering before outbound encryption and after decapsulation 85inbound. 86.Pp 87To properly filter on the inner packets of an 88.Nm 89tunnel with firewalls, you can change the values of the following sysctls 90.Bl -column net.inet6.ipsec6.filtertunnel default enable 91.It Sy "Name Default Enable" 92.It "net.inet.ipsec.filtertunnel 0 1" 93.It "net.inet6.ipsec6.filtertunnel 0 1" 94.El 95.\" 96.Ss Kernel interface 97.Nm 98is controlled by a key management and policy engine, 99that reside in the operating system kernel. 100Key management 101is the process of associating keys with security associations, also 102know as SAs. 103Policy management dictates when new security 104associations created or destroyed. 105.Pp 106The key management engine can be accessed from userland by using 107.Dv PF_KEY 108sockets. 109The 110.Dv PF_KEY 111socket API is defined in RFC2367. 112.Pp 113The policy engine is controlled by an extension to the 114.Dv PF_KEY 115API, 116.Xr setsockopt 2 117operations, and 118.Xr sysctl 3 119interface. 120The kernel implements 121an extended version of the 122.Dv PF_KEY 123interface and allows the programmer to define IPsec policies 124which are similar to the per-packet filters. 125The 126.Xr setsockopt 2 127interface is used to define per-socket behavior, and 128.Xr sysctl 3 129interface is used to define host-wide default behavior. 130.Pp 131The kernel code does not implement a dynamic encryption key exchange protocol 132such as IKE 133(Internet Key Exchange). 134Key exchange protocols are beyond what is necessary in the kernel and 135should be implemented as daemon processes which call the 136.Nm APIs. 137.\" 138.Ss Policy management 139IPsec policies can be managed in one of two ways, either by 140configuring per-socket policies using the 141.Xr setsockopt 2 142system calls, or by configuring kernel level packet filter-based 143policies using the 144.Dv PF_KEY 145interface, via the 146.Xr setkey 8 147you can define IPsec policies against packets using rules similar to packet 148filtering rules. 149Refer to 150.Xr setkey 8 151on how to use it. 152.Pp 153Depending on the socket's address family, IPPROTO_IP or IPPROTO_IPV6 154transport level and IP_IPSEC_POLICY or IPV6_IPSEC_POLICY socket options 155may be used to configure per-socket security policies. 156A properly-formed IPsec policy specification structure can be 157created using 158.Xr ipsec_set_policy 3 159function and used as socket option value for the 160.Xr setsockopt 2 161call. 162.Pp 163When setting policies using the 164.Xr setkey 8 165command, the 166.Dq Li default 167option instructs the system to use its default policy, as 168explained below, for processing packets. 169The following sysctl variables are available for configuring the 170system's IPsec behavior. 171The variables can have one of two values. 172A 173.Li 1 174means 175.Dq Li use , 176which means that if there is a security association then use it but if 177there is not then the packets are not processed by IPsec. 178The value 179.Li 2 180is synonymous with 181.Dq Li require , 182which requires that a security association must exist for the packets 183to move, and not be dropped. 184These terms are defined in 185.Xr ipsec_set_policy 3 . 186.Bl -column net.inet6.ipsec6.esp_trans_deflev integerxxx 187.It Sy "Name Type Changeable" 188.It "net.inet.ipsec.esp_trans_deflev integer yes" 189.It "net.inet.ipsec.esp_net_deflev integer yes" 190.It "net.inet.ipsec.ah_trans_deflev integer yes" 191.It "net.inet.ipsec.ah_net_deflev integer yes" 192.It "net.inet6.ipsec6.esp_trans_deflev integer yes" 193.It "net.inet6.ipsec6.esp_net_deflev integer yes" 194.It "net.inet6.ipsec6.ah_trans_deflev integer yes" 195.It "net.inet6.ipsec6.ah_net_deflev integer yes" 196.El 197.Pp 198If the kernel does not find a matching, system wide, policy then the 199default value is applied. 200The system wide default policy is specified 201by the following 202.Xr sysctl 8 203variables. 204.Li 0 205means 206.Dq Li discard 207which asks the kernel to drop the packet. 208.Li 1 209means 210.Dq Li none . 211.Bl -column net.inet6.ipsec6.def_policy integerxxx 212.It Sy "Name Type Changeable" 213.It "net.inet.ipsec.def_policy integer yes" 214.It "net.inet6.ipsec6.def_policy integer yes" 215.El 216.\" 217.Ss Miscellaneous sysctl variables 218When the 219.Nm 220protocols are configured for use, all protocols are included in the system. 221To selectively enable/disable protocols, use 222.Xr sysctl 8 . 223.Bl -column net.inet.ipcomp.ipcomp_enable 224.It Sy "Name Default" 225.It "net.inet.esp.esp_enable On" 226.It "net.inet.ah.ah_enable On" 227.It "net.inet.ipcomp.ipcomp_enable On" 228.El 229.Pp 230In addition the following variables are accessible via 231.Xr sysctl 8 , 232for tweaking the kernel's IPsec behavior: 233.Bl -column net.inet6.ipsec6.inbonud_call_ike integerxxx 234.It Sy "Name Type Changeable" 235.It "net.inet.ipsec.ah_cleartos integer yes" 236.It "net.inet.ipsec.ah_offsetmask integer yes" 237.It "net.inet.ipsec.dfbit integer yes" 238.It "net.inet.ipsec.ecn integer yes" 239.It "net.inet.ipsec.debug integer yes" 240.It "net.inet.ipsec.natt_cksum_policy integer yes" 241.It "net.inet.ipsec.check_policy_history integer yes" 242.It "net.inet.ipsec.random_id integer yes" 243.It "net.inet6.ipsec6.ecn integer yes" 244.It "net.inet6.ipsec6.debug integer yes" 245.El 246.Pp 247The variables are interpreted as follows: 248.Bl -tag -width 6n 249.It Li ipsec.ah_cleartos 250If set to non-zero, the kernel clears the type-of-service field in the IPv4 header 251during AH authentication data computation. 252This variable is used to get current systems to inter-operate with devices that 253implement RFC1826 AH. 254It should be set to non-zero 255(clear the type-of-service field) 256for RFC2402 conformance. 257.It Li ipsec.ah_offsetmask 258During AH authentication data computation, the kernel will include a 25916bit fragment offset field 260(including flag bits) 261in the IPv4 header, after computing logical AND with the variable. 262The variable is used for inter-operating with devices that 263implement RFC1826 AH. 264It should be set to zero 265(clear the fragment offset field during computation) 266for RFC2402 conformance. 267.It Li ipsec.dfbit 268This variable configures the kernel behavior on IPv4 IPsec tunnel encapsulation. 269If set to 0, the DF bit on the outer IPv4 header will be cleared while 2701 means that the outer DF bit is set regardless from the inner DF bit and 2712 indicates that the DF bit is copied from the inner header to the 272outer one. 273The variable is supplied to conform to RFC2401 chapter 6.1. 274.It Li ipsec.ecn 275If set to non-zero, IPv4 IPsec tunnel encapsulation/decapsulation behavior will 276be friendly to ECN 277(explicit congestion notification), 278as documented in 279.Li draft-ietf-ipsec-ecn-02.txt . 280.Xr gif 4 281talks more about the behavior. 282.It Li ipsec.debug 283If set to non-zero, debug messages will be generated via 284.Xr syslog 3 . 285.It Li ipsec.natt_cksum_policy 286Controls how the kernel handles TCP and UDP checksums when ESP in UDP 287encapsulation is used for IPsec transport mode. 288If set to a non-zero value, the kernel fully recomputes checksums for 289inbound TCP segments and UDP datagrams after they are decapsulated and 290decrypted. 291If set to 0 and original addresses were configured for corresponding SA 292by the IKE daemon, the kernel incrementally recomputes checksums for 293inbound TCP segments and UDP datagrams. 294If addresses were not configured, the checksums are ignored. 295.It Li ipsec.check_policy_history 296Enables strict policy checking for inbound packets. 297By default, inbound security policies check that packets handled by IPsec 298have been decrypted and authenticated. 299If this variable is set to a non-zero value, each packet handled by IPsec 300is checked against the history of IPsec security associations. 301The IPsec security protocol, mode, and SA addresses must match. 302.It Li ipsec.random_id 303Enables randomization of encapsulated IPv4 packets ID. 304By default, ID randomization is not enabled. 305.El 306.Pp 307Variables under the 308.Li net.inet6.ipsec6 309tree have similar meanings to those described above. 310.\" 311.Sh PROTOCOLS 312The 313.Nm 314protocol acts as a plug-in to the 315.Xr inet 4 316and 317.Xr inet6 4 318protocols and therefore supports most of the protocols defined upon 319those IP-layer protocols. 320The 321.Xr icmp 4 322and 323.Xr icmp6 4 324protocols may behave differently with 325.Nm 326because 327.Nm 328can prevent 329.Xr icmp 4 330or 331.Xr icmp6 4 332routines from looking into the IP payload. 333.\" 334.Sh SEE ALSO 335.Xr ioctl 2 , 336.Xr socket 2 , 337.Xr ipsec_set_policy 3 , 338.Xr crypto 4 , 339.Xr enc 4 , 340.Xr icmp6 4 , 341.Xr if_ipsec 4 , 342.Xr intro 4 , 343.Xr ip6 4 , 344.Xr setkey 8 , 345.Xr sysctl 8 346.\".Xr racoon 8 347.Rs 348.%A "S. Kent" 349.%A "R. Atkinson" 350.%T "IP Authentication Header" 351.%O "RFC 2404" 352.Re 353.Rs 354.%A "S. Kent" 355.%A "R. Atkinson" 356.%T "IP Encapsulating Security Payload (ESP)" 357.%O "RFC 2406" 358.Re 359.Sh STANDARDS 360.Rs 361.%A Daniel L. McDonald 362.%A Craig Metz 363.%A Bao G. Phan 364.%T "PF_KEY Key Management API, Version 2" 365.%R RFC 366.%N 2367 367.Re 368.Pp 369.Rs 370.%A "D. L. McDonald" 371.%T "A Simple IP Security API Extension to BSD Sockets" 372.%R internet draft 373.%N "draft-mcdonald-simple-ipsec-api-03.txt" 374.%O work in progress material 375.Re 376.Sh HISTORY 377The original 378.Nm 379implementation appeared in the WIDE/KAME IPv6/IPsec stack. 380.Pp 381For 382.Fx 5.0 383a fully locked IPsec implementation called fast_ipsec was brought in. 384The protocols drew heavily on the 385.Ox 386implementation of the 387.Tn IPsec 388protocols. 389The policy management code was derived from the 390.Tn KAME 391implementation found 392in their 393.Tn IPsec 394protocols. 395The fast_ipsec implementation lacked 396.Xr ip6 4 397support but made use of the 398.Xr crypto 4 399subsystem. 400.Pp 401For 402.Fx 7.0 403.Xr ip6 4 404support was added to fast_ipsec. 405After this the old KAME IPsec implementation was dropped and fast_ipsec 406became what now is the only 407.Nm 408implementation in 409.Fx . 410.Sh BUGS 411There is no single standard for the policy engine API, 412so the policy engine API described herein is just for this implementation. 413.Pp 414AH and tunnel mode encapsulation may not work as you might expect. 415If you configure inbound 416.Dq require 417policy with an AH tunnel or any IPsec encapsulating policy with AH 418(like 419.Dq Li esp/tunnel/A-B/use ah/transport/A-B/require ) , 420tunnelled packets will be rejected. 421This is because the policy check is enforced on the inner packet on reception, 422and AH authenticates encapsulating 423(outer) 424packet, not the encapsulated 425(inner) 426packet 427(so for the receiving kernel there is no sign of authenticity). 428The issue will be solved when we revamp our policy engine to keep all the 429packet decapsulation history. 430.Pp 431When a large database of security associations or policies is present 432in the kernel the 433.Dv SADB_DUMP 434and 435.Dv SADB_SPDDUMP 436operations on 437.Dv PF_KEY 438sockets may fail due to lack of space. 439Increasing the socket buffer 440size may alleviate this problem. 441.Pp 442The 443.Tn IPcomp 444protocol may occasionally error because of 445.Xr zlib 3 446problems. 447.Pp 448This documentation needs more review. 449