-rw-r--r-- share/man/man4/ipsec.4 23
1 files changed, 7 insertions, 16 deletions
diff --git a/share/man/man4/ipsec.4 b/share/man/man4/ipsec.4
index 4365c0d3d88..557e0b80a5c 100644
--- a/share/man/man4/ipsec.4
+++ b/share/man/man4/ipsec.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsec.4,v 1.54 2003/03/22 08:55:01 david Exp $
+.\" $OpenBSD: ipsec.4,v 1.55 2003/05/27 13:21:19 jmc Exp $
.\"
.\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
.\" All rights reserved.
@@ -100,7 +100,6 @@ WARNING: as per the standards specification, replay protection is not
performed when using manual-keyed IPsec (e.g., when using
.Xr ipsecadm 8 ) .
.El
-.Pp
.Ss IPsec Protocols
.Tn IPsec
provides these services using two new protocols:
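Review bot: the `.Pp` dropped before `.Ss IPsec Protocols` is redundant in mdoc, since a subsection heading already starts a new paragraph with its own vertical space, so the extra macro only produced a stray blank line in the formatted output. The same `.Pp`-before-`.Ss` removal recurs in the later hunks of this change, so the cleanup is applied consistently across the page.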
@@ -137,7 +136,6 @@ header of the packet (such as the source/destination
addresses).
.Tn ESP
authenticates only the packet payload.
-.Pp
.Ss Security Associations (SAs)
These protocols require certain parameters for each connection, describing
exactly how the desired protection will be achieved.
@@ -149,14 +147,14 @@ Typical
.Tn SA
parameters include encryption algorithm, hash algorithm,
encryption key, and authentication key, to name a few.
-When two peers have established matching
+When two peers have established matching
.Tn SAs
(one at each end),
packets protected with one end's
.Tn SA
may be verified and/or decrypted
using the information in the other end's
-.Tn SA.
+.Tn SA .
The only issue remaining is to ensure that both ends have matching
.Tn SAs .
This may be done manually, or automatically using a key management daemon.
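Review bot: `.Tn SA.` to `.Tn SA .` is the right mdoc idiom; with the period passed as a separate argument the macro treats it as trailing punctuation instead of as part of the name, so it is set in the normal font rather than the `.Tn` font and still closes the sentence. The identical-looking `-`/`+` pair at `When two peers have established matching` shows no visible difference, so it is a whitespace-only fix (trailing blanks, most likely) that this rendered view cannot display; a whitespace-aware diff would confirm nothing else changed on that line.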
@@ -167,7 +165,6 @@ establishment is described in
.Xr ipsecadm 8 .
Information on automated key management may be found in
.Xr isakmpd 8 .
-.Pp
.Ss Authentication Header (AH)
.Tn AH
works by computing a value that depends on all of the payload
@@ -184,7 +181,6 @@ active attacker (man-in-the-middle) can recompute the correct value after
altering the packet.
The algorithms used to compute these values are called hash algorithms and are
parameters in the SA, just like the authentication key.
-.Pp
.Ss Encapsulating Security Payload (ESP)
.Tn ESP
optionally does almost everything that
@@ -197,7 +193,6 @@ algorithm using a secret encryption key.
Only the ones knowing this key can decrypt the data, thus providing
confidentiality.
Both the algorithm and the encryption key are parameters of the SA.
-.Pp
.Ss Security Parameter Indexes (SPIs)
In order to identify an SA we need to have a unique name for it.
This name is a triplet, consisting of the destination address, security
@@ -214,7 +209,6 @@ The security protocol number should be 50 for
and 51 for
.Tn AH ,
as these are the protocol numbers assigned by IANA.
-.Pp
.Ss Modes of Operation
.Tn IPsec
can operate in two modes, either tunnel or transport mode.
@@ -236,13 +230,11 @@ An SA will hold information telling if it is a tunnel or transport mode SA,
and for tunnels, it will contain values to fill in into the outer
.Tn IP
header.
-.Pp
.Ss Lifetimes
The SA also holds a couple of other parameters, especially useful for
automatic keying, called lifetimes, which puts a limit on how much we can
use an SA for protecting our data.
These limits can be in wall-clock time or in volume of our data.
-.Pp
.Ss IPsec Examples
To better illustrate how
.Tn IPsec
@@ -311,7 +303,7 @@ This implementation makes use of a virtual interface
.Nm enc0 ,
which can be used in packet filters to specify those packets that have
been or will be processed by
-.Tn IPsec.
+.Tn IPsec .
.Pp
NAT can also be applied to
.Nm enc#
@@ -343,7 +335,6 @@ Security Associations can be set up manually with the
utility or automatically with the
.Xr isakmpd 8
key management daemon.
-.Pp
.Ss API Details
The following
.Tn IP-level
@@ -351,7 +342,7 @@ The following
and
.Xr getsockopt 2
options are specific to
-.Xr ipsec 4 .
+.Nm ipsec .
A socket can specify security levels for three different categories:
.Bl -tag -width IP_ESP_NETWORK_LEVEL
.It IP_AUTH_LEVEL
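Review bot: replacing `.Xr ipsec 4 .` with `.Nm ipsec .` is correct, because `.Xr` is meant for cross-references to other manual pages and a page should not cross-reference itself; `.Nm` marks the page's own name, and the trailing ` .` keeps the sentence-ending period as separate punctuation, consistent with the `.Tn SA .` and `.Tn IPsec .` fixes earlier in this change.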
@@ -457,7 +448,7 @@ At the moment the socket options are not fully implemented.
.Xr tcp 4 ,
.Xr udp 4 ,
.Xr ipsecadm 8 ,
-.Xr isakmpd 8
+.Xr isakmpd 8 ,
.Xr vpn 8
.Sh ACKNOWLEDGMENTS
The authors of the
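Review bot: the comma added after `.Xr isakmpd 8` is needed because `.Xr vpn 8` follows it in the SEE ALSO list, and each entry except the last should end with ` ,` so mdoc renders the comma as trailing punctuation; the final entry, `.Xr vpn 8`, correctly carries none.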
@@ -474,7 +465,7 @@ Steve Reid's SHA-1 code was also used.
.Pp
The
.Xr setsockopt 2 / Ns Xr getsockopt 2
-interface follows somewhat loosely the
+interface follows somewhat loosely the
draft-mcdonald-simple-ipsec-api (since expired, but
still available from
.Pa ftp://ftp.kame.net/pub/internet-drafts/ )
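Review bot: the `-`/`+` pair at `interface follows somewhat loosely the` has no visible difference, so, like the earlier one at `When two peers have established matching`, it is a whitespace-only change that the rendered diff hides; reviewers checking this commit should view it with whitespace differences shown to confirm that only trailing blanks were removed.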