1.\" $KAME: ipsec.4,v 1.17 2001/06/27 15:25:10 itojun Exp $ 2.\" 3.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 3. Neither the name of the project nor the names of its contributors 15.\" may be used to endorse or promote products derived from this software 16.\" without specific prior written permission. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 19.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 22.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28.\" SUCH DAMAGE. 29.\" 30.\" $FreeBSD$ 31.\" 32.Dd February 6, 2017 33.Dt IPSEC 4 34.Os 35.Sh NAME 36.Nm ipsec 37.Nd Internet Protocol Security protocol 38.Sh SYNOPSIS 39.Cd "options IPSEC" 40.Cd "options IPSEC_SUPPORT" 41.Cd "device crypto" 42.Pp 43.In sys/types.h 44.In netinet/in.h 45.In netipsec/ipsec.h 46.In netipsec/ipsec6.h 47.Sh DESCRIPTION 48.Nm 49is a security protocol implemented within the Internet Protocol layer 50of the networking stack. 51.Nm 52is defined for both IPv4 and IPv6 53.Xr ( inet 4 54and 55.Xr inet6 4 ) . 56.Nm 57is a set of protocols, 58.Tn ESP 59(for Encapsulating Security Payload) 60.Tn AH 61(for Authentication Header), 62and 63.Tn IPComp 64(for IP Payload Compression Protocol) 65that provide security services for IP datagrams. 66AH both authenticates and guarantees the integrity of an IP packet 67by attaching a cryptographic checksum computed using one-way hash functions. 68ESP, in addition, prevents unauthorized parties from reading the payload of 69an IP packet by also encrypting it. 70IPComp tries to increase communication performance by compressing IP payload, 71thus reducing the amount of data sent. 72This will help nodes on slow links but with enough computing power. 73.Nm 74operates in one of two modes: transport mode or tunnel mode. 75Transport mode is used to protect peer-to-peer communication between end nodes. 76Tunnel mode encapsulates IP packets within other IP packets 77and is designed for security gateways such as VPN endpoints. 78.Pp 79System configuration requires the 80.Xr crypto 4 81subsystem. 82.Pp 83The packets can be passed to a virtual 84.Xr enc 4 85interface, 86to perform packet filtering before outbound encryption and after decapsulation 87inbound. 88.Pp 89To properly filter on the inner packets of an 90.Nm 91tunnel with firewalls, you can change the values of the following sysctls 92.Bl -column net.inet6.ipsec6.filtertunnel default enable 93.It Sy "Name Default Enable" 94.It "net.inet.ipsec.filtertunnel 0 1" 95.It "net.inet6.ipsec6.filtertunnel 0 1" 96.El 97.\" 98.Ss Kernel interface 99.Nm 100is controlled by a key management and policy engine, 101that reside in the operating system kernel. 102Key management 103is the process of associating keys with security associations, also 104know as SAs. 105Policy management dictates when new security 106associations created or destroyed. 107.Pp 108The key management engine can be accessed from userland by using 109.Dv PF_KEY 110sockets. 111The 112.Dv PF_KEY 113socket API is defined in RFC2367. 114.Pp 115The policy engine is controlled by an extension to the 116.Dv PF_KEY 117API, 118.Xr setsockopt 2 119operations, and 120.Xr sysctl 3 121interface. 122The kernel implements 123an extended version of the 124.Dv PF_KEY 125interface and allows the programmer to define IPsec policies 126which are similar to the per-packet filters. 127The 128.Xr setsockopt 2 129interface is used to define per-socket behavior, and 130.Xr sysctl 3 131interface is used to define host-wide default behavior. 132.Pp 133The kernel code does not implement a dynamic encryption key exchange protocol 134such as IKE 135(Internet Key Exchange). 136Key exchange protocols are beyond what is necessary in the kernel and 137should be implemented as daemon processes which call the 138.Nm APIs. 139.\" 140.Ss Policy management 141IPsec policies can be managed in one of two ways, either by 142configuring per-socket policies using the 143.Xr setsockopt 2 144system calls, or by configuring kernel level packet filter-based 145policies using the 146.Dv PF_KEY 147interface, via the 148.Xr setkey 8 149you can define IPsec policies against packets using rules similar to packet 150filtering rules. 151Refer to 152.Xr setkey 8 153on how to use it. 154.Pp 155Depending on the socket's address family, IPPROTO_IP or IPPROTO_IPV6 156transport level and IP_IPSEC_POLICY or IPV6_IPSEC_POLICY socket options 157may be used to configure per-socket security policies. 158A properly-formed IPsec policy specification structure can be 159created using 160.Xr ipsec_set_policy 3 161function and used as socket option value for the 162.Xr setsockopt 2 163call. 164.Pp 165When setting policies using the 166.Xr setkey 8 167command, the 168.Dq Li default 169option instructs the system to use its default policy, as 170explained below, for processing packets. 171The following sysctl variables are available for configuring the 172system's IPsec behavior. 173The variables can have one of two values. 174A 175.Li 1 176means 177.Dq Li use , 178which means that if there is a security association then use it but if 179there is not then the packets are not processed by IPsec. 180The value 181.Li 2 182is synonymous with 183.Dq Li require , 184which requires that a security association must exist for the packets 185to move, and not be dropped. 186These terms are defined in 187.Xr ipsec_set_policy 8 . 188.Bl -column net.inet6.ipsec6.esp_trans_deflev integerxxx 189.It Sy "Name Type Changeable" 190.It "net.inet.ipsec.esp_trans_deflev integer yes" 191.It "net.inet.ipsec.esp_net_deflev integer yes" 192.It "net.inet.ipsec.ah_trans_deflev integer yes" 193.It "net.inet.ipsec.ah_net_deflev integer yes" 194.It "net.inet6.ipsec6.esp_trans_deflev integer yes" 195.It "net.inet6.ipsec6.esp_net_deflev integer yes" 196.It "net.inet6.ipsec6.ah_trans_deflev integer yes" 197.It "net.inet6.ipsec6.ah_net_deflev integer yes" 198.El 199.Pp 200If the kernel does not find a matching, system wide, policy then the 201default value is applied. 202The system wide default policy is specified 203by the following 204.Xr sysctl 8 205variables. 206.Li 0 207means 208.Dq Li discard 209which asks the kernel to drop the packet. 210.Li 1 211means 212.Dq Li none . 213.Bl -column net.inet6.ipsec6.def_policy integerxxx 214.It Sy "Name Type Changeable" 215.It "net.inet.ipsec.def_policy integer yes" 216.It "net.inet6.ipsec6.def_policy integer yes" 217.El 218.\" 219.Ss Miscellaneous sysctl variables 220When the 221.Nm 222protocols are configured for use, all protocols are included in the system. 223To selectively enable/disable protocols, use 224.Xr sysctl 8 . 225.Bl -column net.inet.ipcomp.ipcomp_enable 226.It Sy "Name Default" 227.It "net.inet.esp.esp_enable On" 228.It "net.inet.ah.ah_enable On" 229.It "net.inet.ipcomp.ipcomp_enable On" 230.El 231.Pp 232In addition the following variables are accessible via 233.Xr sysctl 8 , 234for tweaking the kernel's IPsec behavior: 235.Bl -column net.inet6.ipsec6.inbonud_call_ike integerxxx 236.It Sy "Name Type Changeable" 237.It "net.inet.ipsec.ah_cleartos integer yes" 238.It "net.inet.ipsec.ah_offsetmask integer yes" 239.It "net.inet.ipsec.dfbit integer yes" 240.It "net.inet.ipsec.ecn integer yes" 241.It "net.inet.ipsec.debug integer yes" 242.It "net.inet.ipsec.natt_cksum_policy integer yes" 243.It "net.inet.ipsec.check_policy_history integer yes" 244.It "net.inet6.ipsec6.ecn integer yes" 245.It "net.inet6.ipsec6.debug integer yes" 246.El 247.Pp 248The variables are interpreted as follows: 249.Bl -tag -width 6n 250.It Li ipsec.ah_cleartos 251If set to non-zero, the kernel clears the type-of-service field in the IPv4 header 252during AH authentication data computation. 253This variable is used to get current systems to inter-operate with devices that 254implement RFC1826 AH. 255It should be set to non-zero 256(clear the type-of-service field) 257for RFC2402 conformance. 258.It Li ipsec.ah_offsetmask 259During AH authentication data computation, the kernel will include a 26016bit fragment offset field 261(including flag bits) 262in the IPv4 header, after computing logical AND with the variable. 263The variable is used for inter-operating with devices that 264implement RFC1826 AH. 265It should be set to zero 266(clear the fragment offset field during computation) 267for RFC2402 conformance. 268.It Li ipsec.dfbit 269This variable configures the kernel behavior on IPv4 IPsec tunnel encapsulation. 270If set to 0, the DF bit on the outer IPv4 header will be cleared while 2711 means that the outer DF bit is set regardless from the inner DF bit and 2722 indicates that the DF bit is copied from the inner header to the 273outer one. 274The variable is supplied to conform to RFC2401 chapter 6.1. 275.It Li ipsec.ecn 276If set to non-zero, IPv4 IPsec tunnel encapsulation/decapsulation behavior will 277be friendly to ECN 278(explicit congestion notification), 279as documented in 280.Li draft-ietf-ipsec-ecn-02.txt . 281.Xr gif 4 282talks more about the behavior. 283.It Li ipsec.debug 284If set to non-zero, debug messages will be generated via 285.Xr syslog 3 . 286.It Li ipsec.natt_cksum_policy 287Controls how the kernel handles TCP and UDP checksums when ESP in UDP 288encapsulation is used for IPsec transport mode. 289If set to a non-zero value, the kernel fully recomputes checksums for 290inbound TCP segments and UDP datagrams after they are decapsulated and 291decrypted. 292If set to 0 and original addresses were configured for corresponding SA 293by the IKE daemon, the kernel incrementally recomputes checksums for 294inbound TCP segments and UDP datagrams. 295If addresses were not configured, the checksums are ignored. 296.It Li ipsec.check_policy_history 297Enables strict policy checking for inbound packets. 298By default, inbound security policies check that packets handled by IPsec 299have been decrypted and authenticated. 300If this variable is set to a non-zero value, each packet handled by IPsec 301is checked against the history of IPsec security associations. 302The IPsec security protocol, mode, and SA addresses must match. 303.El 304.Pp 305Variables under the 306.Li net.inet6.ipsec6 307tree have similar meanings to those described above. 308.\" 309.Sh PROTOCOLS 310The 311.Nm 312protocol acts as a plug-in to the 313.Xr inet 4 314and 315.Xr inet6 4 316protocols and therefore supports most of the protocols defined upon 317those IP-layer protocols. 318The 319.Xr icmp 4 320and 321.Xr icmp6 4 322protocols may behave differently with 323.Nm 324because 325.Nm 326can prevent 327.Xr icmp 4 328or 329.Xr icmp6 4 330routines from looking into the IP payload. 331.\" 332.Sh SEE ALSO 333.Xr ioctl 2 , 334.Xr socket 2 , 335.Xr ipsec_set_policy 3 , 336.Xr crypto 4 , 337.Xr enc 4 , 338.Xr if_ipsec 4 , 339.Xr icmp6 4 , 340.Xr intro 4 , 341.Xr ip6 4 , 342.Xr setkey 8 , 343.Xr sysctl 8 344.\".Xr racoon 8 345.Rs 346.%A "S. Kent" 347.%A "R. Atkinson" 348.%T "IP Authentication Header" 349.%O "RFC 2404" 350.Re 351.Rs 352.%A "S. Kent" 353.%A "R. Atkinson" 354.%T "IP Encapsulating Security Payload (ESP)" 355.%O "RFC 2406" 356.Re 357.Sh STANDARDS 358.Rs 359.%A Daniel L. McDonald 360.%A Craig Metz 361.%A Bao G. Phan 362.%T "PF_KEY Key Management API, Version 2" 363.%R RFC 364.%N 2367 365.Re 366.Pp 367.Rs 368.%A "D. L. McDonald" 369.%T "A Simple IP Security API Extension to BSD Sockets" 370.%R internet draft 371.%N "draft-mcdonald-simple-ipsec-api-03.txt" 372.%O work in progress material 373.Re 374.Sh HISTORY 375The original 376.Nm 377implementation appeared in the WIDE/KAME IPv6/IPsec stack. 378.Pp 379For 380.Fx 5.0 381a fully locked IPsec implementation called fast_ipsec was brought in. 382The protocols drew heavily on the 383.Ox 384implementation of the 385.Tn IPsec 386protocols. 387The policy management code was derived from the 388.Tn KAME 389implementation found 390in their 391.Tn IPsec 392protocols. 393The fast_ipsec implementation lacked 394.Xr ip6 4 395support but made use of the 396.Xr crypto 4 397subsystem. 398.Pp 399For 400.Fx 7.0 401.Xr ip6 4 402support was added to fast_ipsec. 403After this the old KAME IPsec implementation was dropped and fast_ipsec 404became what now is the only 405.Nm 406implementation in 407.Fx . 408.Sh BUGS 409There is no single standard for the policy engine API, 410so the policy engine API described herein is just for this implementation. 411.Pp 412AH and tunnel mode encapsulation may not work as you might expect. 413If you configure inbound 414.Dq require 415policy with an AH tunnel or any IPsec encapsulating policy with AH 416(like 417.Dq Li esp/tunnel/A-B/use ah/transport/A-B/require ) , 418tunnelled packets will be rejected. 419This is because the policy check is enforced on the inner packet on reception, 420and AH authenticates encapsulating 421(outer) 422packet, not the encapsulated 423(inner) 424packet 425(so for the receiving kernel there is no sign of authenticity). 426The issue will be solved when we revamp our policy engine to keep all the 427packet decapsulation history. 428.Pp 429When a large database of security associations or policies is present 430in the kernel the 431.Dv SADB_DUMP 432and 433.Dv SADB_SPDDUMP 434operations on 435.Dv PF_KEY 436sockets may fail due to lack of space. 437Increasing the socket buffer 438size may alleviate this problem. 439.Pp 440The 441.Tn IPcomp 442protocol may occasionally error because of 443.Xr zlib 3 444problems. 445.Pp 446This documentation needs more review. 447