diff options
author | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2000-01-11 00:44:45 +0000 |
---|---|---|
committer | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2000-01-11 00:44:45 +0000 |
commit | 83e7d1c86ecf51ccb53c9c192ea60f2de6f08a22 (patch) | |
tree | 053618e37ee04d2eccb6d2169f208369fec0a764 /lib/libc/gen/sysctl.3 | |
parent | c7ef56d120c6c1475de84091acb2e9da2f9d361a (diff) |
Document the new ipsec sysctl variables.
Diffstat (limited to 'lib/libc/gen/sysctl.3')
-rw-r--r-- | lib/libc/gen/sysctl.3 | 103 |
1 files changed, 98 insertions, 5 deletions
diff --git a/lib/libc/gen/sysctl.3 b/lib/libc/gen/sysctl.3 index e6a1352a137..845efe10f8c 100644 --- a/lib/libc/gen/sysctl.3 +++ b/lib/libc/gen/sysctl.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sysctl.3,v 1.37 2000/01/10 04:36:16 angelos Exp $ +.\" $OpenBSD: sysctl.3,v 1.38 2000/01/11 00:44:44 angelos Exp $ .\" .\" Copyright (c) 1993 .\" The Regents of the University of California. All rights reserved. @@ -555,7 +555,7 @@ If the kernel has been compiled with the option, then debugging information will also be reported when this variable is set. .It Li ip.ipsec-acl -If set to 1, incoming IPsec packets that are successfully +If set to any non-zero value, incoming IPsec packets that are successfully decrypted/authenticated are further validated against a list of acceptable packet classes per Security Association. When using automated key management, such as @@ -566,14 +566,107 @@ the acceptable packet classes should be set up automatically. When using manual keying, the appropriate entries have to be configured on a per-SA basis via .Xr ipsecadm 8 . -If this value is set to 1 and no access control is configured, IPsec packets -will be dropped. +If this value is set to any non-zero value and no access control is +configured, IPsec packets will be dropped. If set to 0, no testing of ingress packets will occur. +The default value (for now) is 0. .It Li ip.ipsec-invalid-life The lifetime of embryonic Security Associations (SAs that key management daemons have reserved but not fully established yet) in seconds. +If set to less than or equal to zero, embryonic SAs will not expire. The default value is 60. -If set to zero or a negative value, embryonic SAs will not expire. +.It Li ip.ipsec-pfs +If set to any non-zero value, the kernel will ask the key management +daemons to use Perfect Forward Secrecy when establishing IPsec +Security Associations. +Perfect Forward Secrecy makes IPsec Security Associations +cryptographically distinct from each other, such that breaking the key +for one such SA does not compromise any others. +Requiring PFS for every security association significantly increases the +computational load of +.Xr isakmpd 8 +exchanges. +The default value is 1. +.It Li ip.ipsec-soft-allocs +The number of IPsec flows that can use a security association before a +message is sent by the kernel to key management for renegotiation +of the security association. +If set to less than or equal to zero, no message is sent to key +management. +The default value is 0. +.It Li ip.ipsec-allocs +The number of IPsec flows that can use a security association before +it will expire. +If set to less than or equal to zero, the security association will not +expire because of this counter. +The default value is 0. +.It Li ip.ipsec-soft-bytes +The number of bytes that will be processed by a security association +before a message is sent by the kernel to key management for +renegotiation of the security association. +If set to less than or equal to zero, no message is sent to key +management. +The default value is 0. +.It Li ip.ipsec-bytes +The number of bytes that will be processed by a security association +before it will expire. +If set to less than or equal to zero, the security association will not +expire because of this counter. +The default value is 0. +.It Li ip.ipsec-soft-timeout +The number of seconds after a security association is established +before a message is sent by the kernel to key management for +renegotiation of the security association. +If set to less than or equal to zero, no message is sent to key +management. +The default value is 80000 seconds. +.It Li ip.ipsec-timeout +The number of seconds after a security association is established +before it will expire. +If set to less than or equal to zero, the security association will +not expire because of this timer. +The default value is 86400 seconds. +.It Li ip.ipsec-soft-firstuse +The number of seconds after a security association is first used +before a message is sent by the kernel to key management for +renegotiation of the security association. +If set to less than or equal to zero, no message is sent to key +management. +The default value is 3600 seconds. +.It Li ip.ipsec-firstuse +The number of seconds after a security association is first use before +it will expire. +If set to less than or equal to zero, the security association will +not expire because of this timer. +The default value is 7200 seconds. +.It Li ip.ipsec-enc-alg +This is the default encryption algorithm the kernel will instruct key +management daemons to negotiate when establishing security +associations on behalf of the kernel. +Such security associations can occur as a result of a process having +requested some security level through +.Xr setsockopt 3 , +or as a result of dynamic +.Xr vpn 8 +entries. +Supported values are des, 3des, blowfish, cast128, and skipjack. +If set to any other value, it is left to the key management daemons to +select an encryption algorithm for the security association. +The default value is 3des. +.It Li ip.ipsec-auth-alg +This is the default authentication algorithm the kernel will instruct +key management daemons to negotiate when establishing security +associations on behalf of the kernel. +Such security associations can occur as a result of a process having +requested some security level through +.Xr setsockopt 3 , +or as a result of dynamic +.Xr vpn 8 +entries. +Supported values are hmac-md5, hmac-sha1, and hmac-ripemd160. +If set to any other value, it is left to the key management daemons to +select an authentiction algorithm for the security association. +The default value is hmac-sha1. .It Li ip4.allow If set to 0, incoming IPv4-in-IPv4 packets will not be processed. If set to any other value, processing will occur. |