From 1e22d809ed2b65bdac0c1d1537bd5af5e1f431cc Mon Sep 17 00:00:00 2001 From: Niklas Hallqvist Date: Mon, 7 Feb 2000 01:32:33 +0000 Subject: Merge with EOM 1.8 author: angelos Add Canonical Names as policy targets (so they can be specified in the Licensees field), with the "CN:..." format. author: angelos Done. author: angelos One missing item left... author: angelos More text. author: angelos Passphrases are encoded as "passphrase:xxxx" now, to distinguish between passphrases and logic labels. author: angelos Consistent references. author: angelos Minor tweak. --- sbin/isakmpd/isakmpd.policy.5 | 40 ++++++++++++++++++++++++++++++++++++---- 1 file changed, 36 insertions(+), 4 deletions(-) (limited to 'sbin/isakmpd') diff --git a/sbin/isakmpd/isakmpd.policy.5 b/sbin/isakmpd/isakmpd.policy.5 index 689e164b7e6..16baae2de80 100644 --- a/sbin/isakmpd/isakmpd.policy.5 +++ b/sbin/isakmpd/isakmpd.policy.5 @@ -1,5 +1,5 @@ -.\" $EOM: isakmpd.policy.5,v 1.1 1999/10/16 20:07:18 angelos Exp $ -.\" $OpenBSD: isakmpd.policy.5,v 1.2 2000/01/26 15:21:22 niklas Exp $ +.\" $OpenBSD: isakmpd.policy.5,v 1.3 2000/02/07 01:32:32 niklas Exp $ +.\" $EOM: isakmpd.policy.5,v 1.8 2000/02/07 01:30:35 angelos Exp $ .\" .\" Copyright (c) 1999, Angelos D. Keromytis. All rights reserved. .\" @@ -130,8 +130,8 @@ characteristics: below, for use of policy delegation). * The Licensees field can be an expression of passphrases used for - authentication of the Main Mode exchanges and/or public keys - (typically, X509 certificates). + authentication of the Main Mode exchanges, and/or public keys + (typically, X509 certificates), and/or X509 Canonical names. * The Conditions field contains an expression of attributes from the IPsec policy action set (see below as well as the keynote syntax man 
@@ -157,6 +157,19 @@ certificate encoded as "abcd==" will be accepted, as long as it contains ESP with a non-null algorithm (i.e., the packet will be encrypted). .Pp +The following policy assertion: +.Bd -literal + Authorizer: "POLICY" + Licensees: "CN:/CN=CA Certificate" + Conditions: app_domain == "IPsec policy" && esp_present == "yes" + && esp_enc_alg != "null" -> "true"; +.Ed + +is similar to the previous one, but instead of including a complete +X509 credential in the Licensees field, only the X509 certificate's +Subject Canonical Name need to be specified (note that the "CN:" +prefix is necessary). +.Pp KeyNote credentials have the same format as policy assertions, with one difference: the Authorizer field always contains a public key, and the assertion is signed (and thus its integrity can be @@ -396,6 +409,8 @@ Set to the local date/time, in YYYYMMDDHHmmSS format. Authorizer: "POLICY" Comment: This bare-bones assertion accepts everything + + Authorizer: "POLICY" Licensees: "passphrase:mekmitasisgoat" Comment: This policy accepts anyone using shared-secret @@ -405,6 +420,8 @@ Set to the local date/time, in YYYYMMDDHHmmSS format. esp_present == "yes" && esp_enc_alg != "null" -> "true"; + + Authorizer: "POLICY" Licensees: "subpolicy1" || "subpolicy2" Comment: Delegate to two other sub-policies, so we @@ -413,11 +430,15 @@ Set to the local date/time, in YYYYMMDDHHmmSS format. have to be in isakmpd.policy. Conditions: app_domain == "IPsec policy"; + + KeyNote-Version: 2 Licensees: "passphrase:somepassword" Conditions: esp_present == "yes" -> "true"; Authorizer: "subpolicy1" + + Conditions: ah_present == "yes" -> { ah_auth_alg == "md5" -> "true"; 
@@ -427,6 +448,15 @@ Set to the local date/time, in YYYYMMDDHHmmSS format. Licensees: "passphrase:otherpassword" || "passphrase:thirdpassword" Authorizer: "subpolicy2" + + + keynote-version: 2 + comment: this is an example of a policy delegating to a CN. + authorizer: "POLICY" + licensees: "CN:/CN=CA Certificate/Email=ca@foo.bar.com" + + + keynote-version: 2 comment: This is an example of a policy delegating to a key. authorizer: "POLICY" @@ -449,6 +479,8 @@ Set to the local date/time, in YYYYMMDDHHmmSS format. pfs == "yes" && esp_present == "yes" && ah_present == "no" && (esp_enc_alg == "3des" || esp_enc_alg == "idea") -> "true"; + + keynote-version: 2 comment: This is an example of a credential, the signature does not really verify (although the keys are real). -- cgit v1.2.3
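Review bot: in the @@ -130 hunk the new item "X509 Canonical names" is the only place the term appears in lowercase; the commit message says "Canonical Names" and the @@ -157 hunk says "Subject Canonical Name", so pick one spelling. The term itself also deserves a parenthetical: what follows the "CN:" prefix in the examples is the certificate's whole subject DN in slash-separated form ("CN:/CN=CA Certificate/Email=ca@foo.bar.com"), which is easy to confuse with the CN= (Common Name) attribute inside that DN. Suggest "and/or X509 subject names (the certificate's full subject DN, prefixed with "CN:")" or similar, so the reader knows the licensee is matched on the DN and not just on the CN attribute.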
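Review bot: in the @@ -157 hunk, "only the X509 certificate's Subject Canonical Name need to be specified" should read "needs to be specified" (singular subject). The paragraph also stops short of the point a policy writer most needs: it says the assertion is "similar to the previous one" minus the full credential, but not which certificate's subject the "CN:" string is compared against or that the presented certificate must still verify before the subject name counts. As written a reader could conclude that knowing the subject string alone satisfies the Licensees field; one sentence stating that the name is taken from the peer's verified certificate would close that gap.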
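Review bot: the new CN example in the @@ -427 hunk has no Conditions field. By the page's own earlier example ("Authorizer: "POLICY" ... This bare-bones assertion accepts everything"), an assertion without Conditions accepts any proposal, so this one authorizes every SA from the holder of that certificate, unlike the neighbouring examples that restrict esp_present and esp_enc_alg. Either add a restricting line, e.g. `conditions: app_domain == "IPsec policy" && esp_present == "yes" -> "true";`, or extend the comment to say explicitly that the example accepts anything from that certificate, so nobody copies it as a template without noticing. The lowercase field names match the adjacent key-delegation example, so no change needed there.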