IPSEC(4) | Device Drivers Manual | IPSEC(4) |
ipsec —
options IPSEC
options IPSEC_DEBUG
ipsec is a security protocol in the Internet Protocol (IP) layer. ipsec is defined for both IPv4 and IPv6 (inet(4) and inet6(4)).
ipsec consists of three sub-protocols:
ipsec has two operation modes:
ipsec is controlled by two engines in the kernel: one for key management and one for policy. The key management engine can be accessed from userland by using PF_KEY sockets. The PF_KEY socket API is defined in RFC2367. The policy engine can be controlled through the PF_KEY API, setsockopt(2) operations, and the sysctl(3) interface. The kernel implements an extended version of the PF_KEY interface and allows you to define IPsec policy like per-packet filters. setsockopt(2) is used to define per-socket behavior, and sysctl(3) is used to define host-wide default behavior.
The kernel does not implement dynamic encryption key exchange protocols like IKE (Internet Key Exchange). That should be done in userland (usually as a daemon), using the APIs described above.
PF_KEY interface, via setkey(8). In both cases, IPsec policy must be specified with the syntax described in ipsec_set_policy(3).
With setsockopt(2), you can define IPsec policy on a per-socket basis, enforcing a particular IPsec policy on packets that go through a particular socket. With setkey(8) you can define IPsec policy for packets using a form of packet filtering rules. See setkey(8) for details.
In the latter case, “default” policy is allowed for use with setkey(8). By configuring policy to default, you can refer to system-wide sysctl(8) variables for default settings. The following variables are available. 1 means “use”, and 2 means “require” in the syntax.
Name | Type | Changeable |
net.inet.ipsec.esp_trans_deflev | integer | yes |
net.inet.ipsec.esp_net_deflev | integer | yes |
net.inet.ipsec.ah_trans_deflev | integer | yes |
net.inet.ipsec.ah_net_deflev | integer | yes |
net.inet6.ipsec6.esp_trans_deflev | integer | yes |
net.inet6.ipsec6.esp_net_deflev | integer | yes |
net.inet6.ipsec6.ah_trans_deflev | integer | yes |
net.inet6.ipsec6.ah_net_deflev | integer | yes |
If the kernel finds no matching policy, the system-wide default value is applied. System-wide defaults are specified by the following sysctl(8) variables. 0 means “discard”, which asks the kernel to drop the packet. 1 means “none”.
Name | Type | Changeable |
net.inet.ipsec.def_policy | integer | yes |
net.inet6.ipsec6.def_policy | integer | yes |
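As an added illustration (example code written for this page, not part of NetBSD), the following C program models how the kernel applies the two groups of variables above: a rule whose level is “default” is resolved through the per-protocol, per-mode deflev variables (1 = use, 2 = require), and a packet that matches no policy at all falls back to def_policy (0 = discard, 1 = none). The sysctl values are a constructed snapshot rather than a live sysctl(3) read, the enum and function names are the example's own, and the mapping of *_trans_deflev to transport mode and *_net_deflev to tunnel mode is assumed from the variable names. Out-of-range values are reported as invalid instead of being coerced, which is the check you want when auditing a host's defaults.

```c
#include <stdio.h>
#include <string.h>

enum proto  { PROTO_ESP, PROTO_AH };
enum mode   { MODE_TRANSPORT, MODE_TUNNEL };
enum family { FAM_INET, FAM_INET6 };
/* LEVEL_DEFAULT is only ever written in a policy; it is never a result. */
enum level  { LEVEL_INVALID = 0, LEVEL_USE = 1, LEVEL_REQUIRE = 2, LEVEL_DEFAULT = 3 };
enum action { ACTION_INVALID = -1, ACTION_DISCARD = 0, ACTION_NONE = 1 };

struct sysctl_entry { const char *name; int value; };

/* Constructed snapshot of the sysctl tree, as sysctl(8) would report it. */
static const struct sysctl_entry snapshot[] = {
    { "net.inet.ipsec.esp_trans_deflev",   1 },
    { "net.inet.ipsec.esp_net_deflev",     2 },
    { "net.inet.ipsec.ah_trans_deflev",    1 },
    { "net.inet.ipsec.ah_net_deflev",      7 },  /* deliberately out of range */
    { "net.inet6.ipsec6.esp_trans_deflev", 2 },
    { "net.inet6.ipsec6.esp_net_deflev",   2 },
    { "net.inet6.ipsec6.ah_trans_deflev",  1 },
    { "net.inet6.ipsec6.ah_net_deflev",    1 },
    { "net.inet.ipsec.def_policy",         1 },
    { "net.inet6.ipsec6.def_policy",       0 },
};

static int snapshot_get(const char *name, int *out)
{
    size_t i;
    for (i = 0; i < sizeof snapshot / sizeof snapshot[0]; i++)
        if (strcmp(snapshot[i].name, name) == 0) { *out = snapshot[i].value; return 1; }
    return 0;
}

/* Sysctl name consulted for a "default" level. Assumed mapping: *_trans_deflev
 * is transport mode, *_net_deflev is tunnel mode (as the variable names suggest). */
const char *deflev_name(enum proto p, enum mode m, enum family f)
{
    static const char *const names[2][2][2] = {   /* [family][proto][mode] */
        { { "net.inet.ipsec.esp_trans_deflev",   "net.inet.ipsec.esp_net_deflev"   },
          { "net.inet.ipsec.ah_trans_deflev",    "net.inet.ipsec.ah_net_deflev"    } },
        { { "net.inet6.ipsec6.esp_trans_deflev", "net.inet6.ipsec6.esp_net_deflev" },
          { "net.inet6.ipsec6.ah_trans_deflev",  "net.inet6.ipsec6.ah_net_deflev"  } },
    };
    return names[f][p][m];
}

/* Level a rule actually gets: an explicit use/require stands; "default" is read
 * from the sysctl, where 1 means use and 2 means require. Any other value is
 * reported as invalid instead of being silently coerced. */
enum level effective_level(enum proto p, enum mode m, enum family f, enum level spec)
{
    int v = 0;
    if (spec == LEVEL_USE || spec == LEVEL_REQUIRE) return spec;
    if (spec != LEVEL_DEFAULT || !snapshot_get(deflev_name(p, m, f), &v)) return LEVEL_INVALID;
    return v == 1 ? LEVEL_USE : v == 2 ? LEVEL_REQUIRE : LEVEL_INVALID;
}

/* Packet that matched no policy at all: def_policy 0 = discard, 1 = none. */
enum action no_policy_action(enum family f)
{
    int v = 0;
    const char *name = f == FAM_INET ? "net.inet.ipsec.def_policy"
                                     : "net.inet6.ipsec6.def_policy";
    if (!snapshot_get(name, &v)) return ACTION_INVALID;
    return v == 0 ? ACTION_DISCARD : v == 1 ? ACTION_NONE : ACTION_INVALID;
}

static const char *level_str(enum level l)
{
    return l == LEVEL_USE ? "use" : l == LEVEL_REQUIRE ? "require" : "invalid";
}

int main(void)
{
    printf("inet  esp/tunnel/default    -> %s\n",
           level_str(effective_level(PROTO_ESP, MODE_TUNNEL, FAM_INET, LEVEL_DEFAULT)));
    printf("inet  ah/tunnel/default     -> %s (sysctl value 7 is neither 1 nor 2)\n",
           level_str(effective_level(PROTO_AH, MODE_TUNNEL, FAM_INET, LEVEL_DEFAULT)));
    printf("inet6 ah/transport/require  -> %s\n",
           level_str(effective_level(PROTO_AH, MODE_TRANSPORT, FAM_INET6, LEVEL_REQUIRE)));
    printf("inet6 packet with no policy -> %s\n",
           no_policy_action(FAM_INET6) == ACTION_DISCARD ? "discard" : "none");
    return 0;
}
```

Replacing the snapshot with the output of sysctl net.inet.ipsec and net.inet6.ipsec6 on the host turns this into a quick audit of what a “default” level and an unmatched packet will actually mean on that system.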
Name | Type | Changeable |
net.inet.ipsec.ah_cleartos | integer | yes |
net.inet.ipsec.ah_offsetmask | integer | yes |
net.inet.ipsec.crypto_support | integer | yes |
net.inet.ipsec.dfbit | integer | yes |
net.inet.ipsec.ecn | integer | yes |
net.inet.ipsec.debug | integer | yes |
net.inet6.ipsec6.ecn | integer | yes |
net.inet6.ipsec6.debug | integer | yes |
The variables are interpreted as follows:
ipsec.ah_cleartos
ipsec.ah_offsetmask
ipsec.crypto_support
ipsec.dfbit
ipsec.ecn
draft-ietf-ipsec-ecn-02.txt. gif(4) talks more about the behavior.
ipsec.debug
Variables under the net.inet6.ipsec6 tree have similar meanings to their net.inet.ipsec counterparts.
System configuration requires the opencrypto(9) subsystem. When the Fast IPsec protocols are configured for use, all protocols are included in the system. To selectively enable/disable protocols, use sysctl(8).
The ipsec protocol works like a plug-in to the inet(4) and inet6(4) protocols. Therefore, ipsec supports most of the protocols defined on top of those IP-layer protocols. Some of the protocols, like icmp(4) or icmp6(4), may behave differently with ipsec. This is because ipsec can prevent the icmp(4) or icmp6(4) routines from looking into the IP payload.
Support for IPv6 and IPcomp protocols has been added in NetBSD 4.0.
Support for Network Address Translator Traversal as described in RFCs 3947 and 3948 has been added in NetBSD 5.0.
Since NetBSD 6.0, the IPsec implementation formerly known as Fast IPsec is used.
There is no single standard for a policy engine API, so the policy engine API described herein is just for the version introduced by KAME.
AH and tunnel mode encapsulation may not work as you might expect. If you configure an inbound “require” policy against an AH tunnel, or any IPsec encapsulating policy with AH (like “esp/tunnel/A-B/use ah/transport/A-B/require”), tunneled packets will be rejected. This is because we enforce the policy check on the inner packet on reception, and AH authenticates the encapsulating (outer) packet, not the encapsulated (inner) packet (so for the receiving kernel there is no sign of authenticity). The issue will be solved when we revamp our policy engine to keep all the packet decapsulation history.
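The following C program is an added example (not NetBSD or KAME code) that parses a policy specification in the form quoted above and flags the combination this entry warns about: an inbound policy that requires AH alongside any tunnel-mode (encapsulating) rule. The grammar it accepts is assumed from ipsec_set_policy(3): a direction (in or out), then discard, none or ipsec, then zero or more protocol/mode/src-dst/level elements; priority specifications are not handled, and src-dst is kept as an opaque string. The function and type names are the example's own.

```c
#include <stdio.h>
#include <string.h>

#define MAX_RULES 8

/* One "protocol/mode/src-dst/level" element of an ipsec_set_policy(3) spec. */
struct rule { char proto[8], mode[10], srcdst[64], level[16]; };

/* "direction discard|none|ipsec [rule ...]" */
struct policy { char direction[4], action[8]; struct rule rules[MAX_RULES]; int nrules; };

static int oneof(const char *s, const char *const *alts)
{
    for (; *alts; alts++)
        if (strcmp(s, *alts) == 0) return 1;
    return 0;
}

/* Parse one rule token; returns 0 on malformed input. */
static int parse_rule(const char *tok, struct rule *r)
{
    static const char *const protos[] = { "esp", "ah", "ipcomp", NULL };
    static const char *const modes[]  = { "transport", "tunnel", NULL };
    static const char *const levels[] = { "default", "use", "require", "unique", NULL };
    char buf[128], *f[4];
    int i;
    if (strlen(tok) >= sizeof buf) return 0;
    strcpy(buf, tok);
    f[0] = buf;
    for (i = 1; i < 4; i++) {                 /* split on exactly three slashes */
        char *slash = strchr(f[i - 1], '/');
        if (slash == NULL) return 0;
        *slash = '\0';
        f[i] = slash + 1;
    }
    if (strchr(f[3], '/') != NULL) return 0;
    if (!oneof(f[0], protos) || !oneof(f[1], modes)) return 0;
    if (!oneof(f[3], levels) && !(strncmp(f[3], "unique:", 7) == 0 && f[3][7] != '\0'))
        return 0;                             /* level may also be "unique:<n>" */
    if (strlen(f[2]) >= sizeof r->srcdst || strlen(f[3]) >= sizeof r->level) return 0;
    strcpy(r->proto, f[0]); strcpy(r->mode, f[1]);
    strcpy(r->srcdst, f[2]); strcpy(r->level, f[3]);
    return 1;
}

/* Parse a whole spec; returns 0 on malformed input. discard/none take no rules. */
int parse_policy(const char *spec, struct policy *p)
{
    static const char *const dirs[] = { "in", "out", NULL };
    static const char *const actions[] = { "discard", "none", "ipsec", NULL };
    char buf[256], *tok;
    memset(p, 0, sizeof *p);
    if (strlen(spec) >= sizeof buf) return 0;
    strcpy(buf, spec);
    if ((tok = strtok(buf, " \t")) == NULL || !oneof(tok, dirs)) return 0;
    strcpy(p->direction, tok);
    if ((tok = strtok(NULL, " \t")) == NULL || !oneof(tok, actions)) return 0;
    strcpy(p->action, tok);
    while ((tok = strtok(NULL, " \t")) != NULL) {
        if (strcmp(p->action, "ipsec") != 0 || p->nrules == MAX_RULES) return 0;
        if (!parse_rule(tok, &p->rules[p->nrules])) return 0;
        p->nrules++;
    }
    return 1;
}

/* The caveat described above: an inbound policy that requires AH alongside any
 * tunnel-mode (encapsulating) rule rejects the tunneled packets, because AH
 * authenticates the outer packet while the policy check runs on the inner one. */
int ah_over_encapsulation_conflict(const struct policy *p)
{
    int i, has_tunnel = 0, has_ah_require = 0;
    if (strcmp(p->direction, "in") != 0 || strcmp(p->action, "ipsec") != 0) return 0;
    for (i = 0; i < p->nrules; i++) {
        if (strcmp(p->rules[i].mode, "tunnel") == 0) has_tunnel = 1;
        if (strcmp(p->rules[i].proto, "ah") == 0 && strcmp(p->rules[i].level, "require") == 0)
            has_ah_require = 1;
    }
    return has_tunnel && has_ah_require;
}

/* Whole-string helpers: -1 when the spec is malformed. */
int check_spec(const char *spec)
{
    struct policy p;
    return parse_policy(spec, &p) ? ah_over_encapsulation_conflict(&p) : -1;
}
int rule_count(const char *spec)
{
    struct policy p;
    return parse_policy(spec, &p) ? p.nrules : -1;
}

int main(void)
{
    const char *spec = "in ipsec esp/tunnel/A-B/use ah/transport/A-B/require"; /* quoted above */
    printf("%s\n  -> %s\n", spec, check_spec(spec) == 1
           ? "inbound tunneled packets will be rejected" : "no AH-over-encapsulation conflict");
    return 0;
}
```

Running this over a setkey(8) configuration before loading it catches the rejected-tunnel case at review time rather than after packets silently disappear; a single “ah/tunnel/A-B/require” rule trips the same check, since that rule is both the AH requirement and the encapsulation.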
Under certain conditions, a truncated result may be returned by the kernel for SADB_DUMP and SADB_SPDDUMP operations on a PF_KEY socket. This occurs if there are too many database entries in the kernel and the socket buffer for the PF_KEY socket is insufficient. If you manipulate many IPsec key/policy database entries, increase the size of the socket buffer or use the sysctl(8) interface.
Certain legacy authentication algorithms are not supported because of issues with the opencrypto(9) subsystem.
June 13, 2018 | NetBSD 9.4 |