summaryrefslogtreecommitdiff
path: root/lib/libc/gen/sysctl.3
diff options
context:
space:
mode:
authorAngelos D. Keromytis <angelos@cvs.openbsd.org>2000-01-11 00:44:45 +0000
committerAngelos D. Keromytis <angelos@cvs.openbsd.org>2000-01-11 00:44:45 +0000
commit83e7d1c86ecf51ccb53c9c192ea60f2de6f08a22 (patch)
tree053618e37ee04d2eccb6d2169f208369fec0a764 /lib/libc/gen/sysctl.3
parentc7ef56d120c6c1475de84091acb2e9da2f9d361a (diff)
Document the new ipsec sysctl variables.
Diffstat (limited to 'lib/libc/gen/sysctl.3')
-rw-r--r--lib/libc/gen/sysctl.3103
1 files changed, 98 insertions, 5 deletions
diff --git a/lib/libc/gen/sysctl.3 b/lib/libc/gen/sysctl.3
index e6a1352a137..845efe10f8c 100644
--- a/lib/libc/gen/sysctl.3
+++ b/lib/libc/gen/sysctl.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sysctl.3,v 1.37 2000/01/10 04:36:16 angelos Exp $
+.\" $OpenBSD: sysctl.3,v 1.38 2000/01/11 00:44:44 angelos Exp $
.\"
.\" Copyright (c) 1993
.\" The Regents of the University of California. All rights reserved.
@@ -555,7 +555,7 @@ If the kernel has been compiled with the
option,
then debugging information will also be reported when this variable is set.
.It Li ip.ipsec-acl
-If set to 1, incoming IPsec packets that are successfully
+If set to any non-zero value, incoming IPsec packets that are successfully
decrypted/authenticated are further validated against a list of acceptable
packet classes per Security Association.
When using automated key management, such as
@@ -566,14 +566,107 @@ the acceptable packet classes should be set up automatically.
When using manual keying, the appropriate entries have to be configured on a
per-SA basis via
.Xr ipsecadm 8 .
-If this value is set to 1 and no access control is configured, IPsec packets
-will be dropped.
+If this value is set to any non-zero value and no access control is
+configured, IPsec packets will be dropped.
If set to 0, no testing of ingress packets will occur.
+The default value (for now) is 0.
.It Li ip.ipsec-invalid-life
The lifetime of embryonic Security Associations (SAs that key management
daemons have reserved but not fully established yet) in seconds.
+If set to less than or equal to zero, embryonic SAs will not expire.
The default value is 60.
-If set to zero or a negative value, embryonic SAs will not expire.
+.It Li ip.ipsec-pfs
+If set to any non-zero value, the kernel will ask the key management
+daemons to use Perfect Forward Secrecy when establishing IPsec
+Security Associations.
+Perfect Forward Secrecy makes IPsec Security Associations
+cryptographically distinct from each other, such that breaking the key
+for one such SA does not compromise any others.
+Requiring PFS for every security association significantly increases the
+computational load of
+.Xr isakmpd 8
+exchanges.
+The default value is 1.
+.It Li ip.ipsec-soft-allocs
+The number of IPsec flows that can use a security association before a
+message is sent by the kernel to key management for renegotiation
+of the security association.
+If set to less than or equal to zero, no message is sent to key
+management.
+The default value is 0.
+.It Li ip.ipsec-allocs
+The number of IPsec flows that can use a security association before
+it will expire.
+If set to less than or equal to zero, the security association will not
+expire because of this counter.
+The default value is 0.
+.It Li ip.ipsec-soft-bytes
+The number of bytes that will be processed by a security association
+before a message is sent by the kernel to key management for
+renegotiation of the security association.
+If set to less than or equal to zero, no message is sent to key
+management.
+The default value is 0.
+.It Li ip.ipsec-bytes
+The number of bytes that will be processed by a security association
+before it will expire.
+If set to less than or equal to zero, the security association will not
+expire because of this counter.
+The default value is 0.
+.It Li ip.ipsec-soft-timeout
+The number of seconds after a security association is established
+before a message is sent by the kernel to key management for
+renegotiation of the security association.
+If set to less than or equal to zero, no message is sent to key
+management.
+The default value is 80000 seconds.
+.It Li ip.ipsec-timeout
+The number of seconds after a security association is established
+before it will expire.
+If set to less than or equal to zero, the security association will
+not expire because of this timer.
+The default value is 86400 seconds.
+.It Li ip.ipsec-soft-firstuse
+The number of seconds after a security association is first used
+before a message is sent by the kernel to key management for
+renegotiation of the security association.
+If set to less than or equal to zero, no message is sent to key
+management.
+The default value is 3600 seconds.
+.It Li ip.ipsec-firstuse
+The number of seconds after a security association is first use before
+it will expire.
+If set to less than or equal to zero, the security association will
+not expire because of this timer.
+The default value is 7200 seconds.
+.It Li ip.ipsec-enc-alg
+This is the default encryption algorithm the kernel will instruct key
+management daemons to negotiate when establishing security
+associations on behalf of the kernel.
+Such security associations can occur as a result of a process having
+requested some security level through
+.Xr setsockopt 3 ,
+or as a result of dynamic
+.Xr vpn 8
+entries.
+Supported values are des, 3des, blowfish, cast128, and skipjack.
+If set to any other value, it is left to the key management daemons to
+select an encryption algorithm for the security association.
+The default value is 3des.
+.It Li ip.ipsec-auth-alg
+This is the default authentication algorithm the kernel will instruct
+key management daemons to negotiate when establishing security
+associations on behalf of the kernel.
+Such security associations can occur as a result of a process having
+requested some security level through
+.Xr setsockopt 3 ,
+or as a result of dynamic
+.Xr vpn 8
+entries.
+Supported values are hmac-md5, hmac-sha1, and hmac-ripemd160.
+If set to any other value, it is left to the key management daemons to
+select an authentiction algorithm for the security association.
+The default value is hmac-sha1.
.It Li ip4.allow
If set to 0, incoming IPv4-in-IPv4 packets will not be processed.
If set to any other value, processing will occur.