author Theo de Raadt <deraadt@cvs.openbsd.org> 1998-05-18 21:23:12 +0000
committer Theo de Raadt <deraadt@cvs.openbsd.org> 1998-05-18 21:23:12 +0000
commit 36901152f2c312784811a6f7594f0612b974f4db
tree fa41929748b016227e6162a969b8a0b283fbe97d
parent 213b62187ccd1b97e4cd3e7e83739461b7bf70d2
cleanup
-rw-r--r-- share/man/man4/ipsec.4 | 84
1 files changed, 43 insertions, 41 deletions
diff --git a/share/man/man4/ipsec.4 b/share/man/man4/ipsec.4
index 3b05b1e18a0..6e323d62ab2 100644
--- a/share/man/man4/ipsec.4
+++ b/share/man/man4/ipsec.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsec.4,v 1.6 1998/05/18 21:12:50 provos Exp $
+.\" $OpenBSD: ipsec.4,v 1.7 1998/05/18 21:23:11 deraadt Exp $
.\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
.\" All rights reserved.
.\"
@@ -43,42 +43,42 @@
.Ft int
.Fn socket AF_ENCAP SOCK_RAW AF_UNSPEC
.Sh DESCRIPTION
-.Tn IPSec is a pair of protocols,
-.Nm ESP
+.Tn IPSec is a pair of protocols,
+.Nm ESP
(for Encapsulting Security
-Payload) and
-.Nm AH
+Payload) and
+.Nm AH
(for Authentication Header), which provide
-security services for IP datagrams. Specifically,
-.Nm ESP
+security services for IP datagrams. Specifically,
+.Nm ESP
provides
confidentiality, connectionless
integrity, anti-replay service and limited traffic flow
confidentiality. It optionally provides data origin authentication.
-.Nm AH
+.Nm AH
provides connectionless integrity, data
origin authentication and anti-replay service.
.Pp
-This is done by inserting the appropriate header
-.Nm ( ESP
-or
+This is done by inserting the appropriate header
+.Nm ( ESP
+or
.Nm AH )
between the IP header and the payload. The inserted header,
along with the IP header destination address, provide enough
information to find the relevant state in the kernel (security
-association) and handle the packet appropriately (decrypt,
+association) and handle the packet appropriately (decrypt,
authenticate etc.)
.Pp
An SA (Security Association) is uniquely defined by the
.Nm SPI
-(Security Parameter Index), which is a 32-bit integer,
+(Security Parameter Index), which is a 32-bit integer,
the remote IP address and the security protocol.
.Pp
The payload can be any of the usual IP protocols (TCP, UDP, ICMP
etc.) or IP itself, for those situations where IP tunneling is
required.
.Pp
-This implementation makes use of a virtual interface
+This implementation makes use of a virtual interface
.Nm enc0 ,
which can be used in packet filters to specify those
packets that have been successfully processed by IPSec.
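Review bot: the unchanged context line `(for Encapsulting Security` (the first line of the ESP expansion) still misspells "Encapsulating"; since this hunk already touches nearly every line of the paragraph to strip trailing whitespace, the typo could be fixed in the same pass. The whitespace-only changes themselves look correct and leave the mdoc macros intact.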
@@ -92,11 +92,12 @@ key management daemon.
.Pp
The following
.Tn IP-level
-.Xr setsockopt 2 / Ns
+.Xr setsockopt 2
+and
.Xr getsockopt 2
-are specific to
+options are specific to
.Xr ipsec 4 .
-A socket can specifiy security levels for three different categories:
+A socket can specify security levels for three different categories:
.Bl -tag -width IP_ESP_NETWORK_LEVEL
.It IP_AUTH_LEVEL
Specifies the use of authentication for packets sent or received by the
@@ -108,13 +109,13 @@ received by the socket.
Specifies the use of encryption in tunnel mode.
.El
.Pp
-For each of the categories there are five possible levels which specify the
-security policy used for each category:
+For each of the categories there are five possible levels which
+specify the security policy to use in that catagory:
.Bl -tag -width IPSEC_LEVEL_REQUIRE
.It IPSEC_LEVEL_BYPASS
Bypass the default system security policy, this options can only be used
-by privileged processes. This level is necessary for key management daemons
-like
+by privileged processes.
+This level is necessary for key management daemons like
.Xr photurisd 8 .
.It IPSEC_LEVEL_AVAIL
If a Security Association is available it will be used for sending packets
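Review bot: the rewrapped line `+specify the security policy to use in that catagory:` introduces a spelling regression: the removed line had `category`, the replacement has `catagory`. Please restore the correct spelling. While in this paragraph, the unchanged IPSEC_LEVEL_BYPASS line `Bypass the default system security policy, this options can only be used` should read `this option can only be used`.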
@@ -123,34 +124,35 @@ by that socket.
Use IP Security for sending packets but still accept packets which are not
secured.
.It IPSEC_LEVEL_REQUIRE
-Use IP Security for sending packets and also require IP Security for receiving
-data.
+Use IP Security for sending packets and also require IP Security for
+received data.
.It IPSEC_LEVEL_UNIQUE
The outbound Security Association will only be used by this socket.
.El
-.Pp
-When a socket gets created it is assigned the default system security level
-for each category which can be queried with
-.Xr getsockopt 2 .
+.Pp
+When a new socket is created, it is assigned the default system security
+level in each category.
+These levels can be queried with
+.Xr getsockopt 2 .
Only a privileged process can lower the security level with a
-.Xr setsockopt 2
+.Xr setsockopt 2
call.
.Pp
-For example, a server process might want to accept only authenticated
-connections to prevent session hijacking. It would issue the following
-.Xr setsockopt 2
+For example, a server process might want to accept only authenticated
+connections to prevent session hijacking.
+It would issue the following
+.Xr setsockopt 2
call:
.Bd -literal
int level = IPSEC_LEVEL_REQUIRE;
-error = setsockopt(s, IPPROTO_IP, IP_AUTH_LEVEL, (u_char *)&level,
- sizeof(int));
+error = setsockopt(s, IPPROTO_IP, IP_AUTH_LEVEL, &level, sizeof(int));
.Ed
.Pp
-The system can not guarantee that it will be able to establish the
-required security associations, in any case a properly configured
-key management daemon is required which listens to
-.Dv EMT_NOTIFY
-messages on a
+The system does guarantee that it will succeed at establishing the
+required security associations. In any case a properly configured
+key management daemon is required which listens to
+.Dv EMT_NOTIFY
+messages on a
.Dv PF_ENCAP
socket.
.Sh DIAGNOSTICS
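Review bot: the rewrite of the closing paragraph inverts its meaning. `-The system can not guarantee that it will be able to establish the` becomes `+The system does guarantee that it will succeed at establishing the`, yet the next sentence still says that "in any case a properly configured key management daemon is required" to listen for EMT_NOTIFY messages on a PF_ENCAP socket. That sentence only makes sense if the kernel cannot establish the security associations by itself, which is exactly what the old text stated. Suggest keeping the original sense and just splitting the run-on: `The system cannot guarantee that it will be able to establish the` / `required security associations.` followed by the existing "In any case ..." sentence. The change to the setsockopt example (dropping the `(u_char *)` cast and fitting the call on one line) is fine; the option value pointer needs no cast.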
@@ -187,13 +189,13 @@ DES algorithm.
.Pp
Steve Reid's SHA-1 code was also used.
.Pp
-The
+The
.Xr setsockopt 2 / Ns
-.Xr getsockotp 2
+.Xr getsockotp 2
interface follows somewhat loosely the draft-mcdonald-simple-ipsec-api,
which is work in progress.
.Sh HISTORY
-The IPsec protocol started in 1992, by John Ioannidis, Phil Karn
+The IPsec protocol started in 1992, by John Ioannidis, Phil Karn
and William Allen Simpson. In 1995, the former wrote an
implementation for BSD/OS. Angelos D. Keromytis ported it to
OpenBSD and NetBSD. The latest transforms and new features were
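Review bot: `+.Xr getsockotp 2` carries the misspelling over from the removed line; it should be `getsockopt`, otherwise the cross-reference points at a non-existent manual page. Also, the `.Xr setsockopt 2 / Ns` construct retained here is the same one the DESCRIPTION hunk replaced with `.Xr setsockopt 2` followed by `and`; for consistency the same change should be applied in this section.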