-rw-r--r-- | share/man/man4/ipsec.4 | 23 |
1 files changed, 7 insertions, 16 deletions
diff --git a/share/man/man4/ipsec.4 b/share/man/man4/ipsec.4 index 4365c0d3d88..557e0b80a5c 100644 --- a/share/man/man4/ipsec.4 +++ b/share/man/man4/ipsec.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ipsec.4,v 1.54 2003/03/22 08:55:01 david Exp $ +.\" $OpenBSD: ipsec.4,v 1.55 2003/05/27 13:21:19 jmc Exp $ .\" .\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de> .\" All rights reserved. @@ -100,7 +100,6 @@ WARNING: as per the standards specification, replay protection is not performed when using manual-keyed IPsec (e.g., when using .Xr ipsecadm 8 ) . .El -.Pp .Ss IPsec Protocols .Tn IPsec provides these services using two new protocols: @@ -137,7 +136,6 @@ header of the packet (such as the source/destination addresses). .Tn ESP authenticates only the packet payload. -.Pp .Ss Security Associations (SAs) These protocols require certain parameters for each connection, describing exactly how the desired protection will be achieved. @@ -149,14 +147,14 @@ Typical .Tn SA parameters include encryption algorithm, hash algorithm, encryption key, and authentication key, to name a few. -When two peers have established matching +When two peers have established matching .Tn SAs (one at each end), packets protected with one end's .Tn SA may be verified and/or decrypted using the information in the other end's -.Tn SA. +.Tn SA . The only issue remaining is to ensure that both ends have matching .Tn SAs . This may be done manually, or automatically using a key management daemon. @@ -167,7 +165,6 @@ establishment is described in .Xr ipsecadm 8 . Information on automated key management may be found in .Xr isakmpd 8 . -.Pp .Ss Authentication Header (AH) .Tn AH works by computing a value that depends on all of the payload 
@@ -184,7 +181,6 @@ active attacker (man-in-the-middle) can recompute the correct value after altering the packet. The algorithms used to compute these values are called hash algorithms and are parameters in the SA, just like the authentication key. -.Pp .Ss Encapsulating Security Payload (ESP) .Tn ESP optionally does almost everything that @@ -197,7 +193,6 @@ algorithm using a secret encryption key. Only the ones knowing this key can decrypt the data, thus providing confidentiality. Both the algorithm and the encryption key are parameters of the SA. -.Pp .Ss Security Parameter Indexes (SPIs) In order to identify an SA we need to have a unique name for it. This name is a triplet, consisting of the destination address, security @@ -214,7 +209,6 @@ The security protocol number should be 50 for and 51 for .Tn AH , as these are the protocol numbers assigned by IANA. -.Pp .Ss Modes of Operation .Tn IPsec can operate in two modes, either tunnel or transport mode. @@ -236,13 +230,11 @@ An SA will hold information telling if it is a tunnel or transport mode SA, and for tunnels, it will contain values to fill in into the outer .Tn IP header. -.Pp .Ss Lifetimes The SA also holds a couple of other parameters, especially useful for automatic keying, called lifetimes, which puts a limit on how much we can use an SA for protecting our data. These limits can be in wall-clock time or in volume of our data. -.Pp .Ss IPsec Examples To better illustrate how .Tn IPsec @@ -311,7 +303,7 @@ This implementation makes use of a virtual interface .Nm enc0 , which can be used in packet filters to specify those packets that have been or will be processed by -.Tn IPsec. +.Tn IPsec . .Pp NAT can also be applied to .Nm enc# @@ -343,7 +335,6 @@ Security Associations can be set up manually with the utility or automatically with the .Xr isakmpd 8 key management daemon. -.Pp .Ss API Details The following .Tn IP-level 
@@ -351,7 +342,7 @@ The following and .Xr getsockopt 2 options are specific to -.Xr ipsec 4 . +.Nm ipsec . A socket can specify security levels for three different categories: .Bl -tag -width IP_ESP_NETWORK_LEVEL .It IP_AUTH_LEVEL @@ -457,7 +448,7 @@ At the moment the socket options are not fully implemented. .Xr tcp 4 , .Xr udp 4 , .Xr ipsecadm 8 , -.Xr isakmpd 8 +.Xr isakmpd 8 , .Xr vpn 8 .Sh ACKNOWLEDGMENTS The authors of the @@ -474,7 +465,7 @@ Steve Reid's SHA-1 code was also used. .Pp The .Xr setsockopt 2 / Ns Xr getsockopt 2 -interface follows somewhat loosely the +interface follows somewhat loosely the draft-mcdonald-simple-ipsec-api (since expired, but still available from .Pa ftp://ftp.kame.net/pub/internet-drafts/ ) |
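Review bot: the `.Pp` removals directly before `.Ss` (hunks at -100, -137, -167, -184, -197, -214, -236 and -343) are correct: `.Ss` already breaks the paragraph, so a preceding `.Pp` only renders an extra blank line and draws a lint warning. The `.Pp` after `.Tn IPsec .` in the -311 hunk is rightly kept, since it separates two body paragraphs rather than preceding a subsection heading.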
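Review bot: in the -149 and -311 hunks, splitting the trailing period off (`.Tn SA .`, `.Tn IPsec .`) is the right fix: mdoc only recognises punctuation as such when it is a separate argument, so `.Tn SA.` would set the period in the trade-name font. This now matches the `.Tn SAs .` line already present a few lines below in the same hunk.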
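Review bot: in the -351 hunk, replacing `.Xr ipsec 4 .` with `.Nm ipsec .` is preferable because a page should not cross-reference itself with `.Xr`; `.Nm` is the conventional self-reference. In the -457 hunk the added comma after `.Xr isakmpd 8` makes the SEE ALSO list consistent, with only the final entry `.Xr vpn 8` left uncommaed as required.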