FAST_IPSEC(4) BSD Kernel Interfaces Manual FAST_IPSEC(4)NAME
fast_ipsec -- Fast IPsec hardware-accelerated IP Security Protocols
SYNOPSIS
options IPSEC
options IPSEC_DEBUG
options IPSEC_NAT_T
DESCRIPTION
IPsec is a set of protocols, ESP (for Encapsulating Security Payload) AH (for Authentication Header), and IPComp (for IP Payload Compression
Protocol) that provide security services for IP datagrams. Fast IPsec is an implementation of these protocols that uses the opencrypto(9)
subsystem to carry out cryptographic operations. This means, in particular, that cryptographic hardware devices are employed whenever possi-
ble to optimize the performance of these protocols.
In general, the Fast IPsec implementation is intended to be compatible with the KAME IPsec implementation. The user should refer to ipsec(4)
for basic information on setting up and using these protocols.
System configuration requires the opencrypto(9) subsystem. When the Fast IPsec protocols are configured for use, all protocols are included
in the system. To selectively enable/disable protocols, use sysctl(8).
DIAGNOSTICS
To be added.
SEE ALSO kame_ipsec(4), setkey(8), sysctl(8), opencrypto(9)HISTORY
The protocols draw heavily on the OpenBSD implementation of the IPsec protocols. The policy management code is derived from the KAME imple-
mentation found in their IPsec protocols. The Fast IPsec protocols are based on code which appeared in FreeBSD 4.7. The NetBSD version is a
close copy of the FreeBSD original, and first appeared in NetBSD 2.0.
Support for IPv6 and IPcomp protocols has been added in NetBSD 4.0.
Support for IPSEC_NAT_T (Network Address Translator Traversal as described in RFCs 3947 and 3948) has been added in NetBSD 5.0.
BUGS
Certain legacy authentication algorithms are not supported because of issues with the opencrypto(9) subsystem.
This documentation is incomplete.
BSD January 23, 2012 BSD
Check Out this Related Man Page
KAME_IPSEC(4) BSD Kernel Interfaces Manual KAME_IPSEC(4)NAME
ipsec -- IP security protocol
SYNOPSIS
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet6/ipsec.h>
options KAME_IPSEC
options IPSEC_ESP
options IPSEC_NAT_T
options IPSEC_DEBUG
DESCRIPTION
ipsec is the first implemtation of IPSEC in NetBSD. It is being replaced by fast_ipsec(4).
The following kernel options are available:
options IPSEC
Includes support for the IPsec protocol. IPSEC will enable secret key management part, policy management part, AH and IPComp. Kernel binary
will not be subject to export control in most of countries, even if compiled with IPSEC. For example, it should be okay to export it from
the United States of America. INET6 and IPSEC are orthogonal so you can get IPv4-only kernel with IPsec support, IPv4/v6 dual support kernel
without IPsec, and so forth. This option requires INET at this moment, but it should not.
options IPSEC_DEBUG
Enables debugging code in IPsec stack. This option assumes IPSEC.
options IPSEC_ESP
Includes support for IPsec ESP protocol. IPSEC_ESP will enable source code that is subject to export control in some countries (including
the United States), and compiled kernel binary will be subject to certain restriction. This option assumes IPSEC.
options IPSEC_NAT_T
Includes support for IPsec Network Address Translator Traversal (NAT-T), as described in RFCs 3947 and 3948. This feature might be patent-
encumbered in some countries. This option assumes IPSEC and IPSEC_ESP.
SEE ALSO ioctl(2), socket(2), ipsec_set_policy(3), fast_ipsec(4), icmp6(4), intro(4), ip6(4), ipsec(4), racoon(8), setkey(8), sysctl(8)STANDARDS
Daniel L. McDonald, Craig Metz, and Bao G. Phan, PF_KEY Key Management API, Version 2, RFC, 2367.
HISTORY
The implementation described herein appeared in WIDE/KAME IPv6/IPsec stack.
BUGS
The IPsec support is subject to change as the IPsec protocols develop.
There is no single standard for policy engine API, so the policy engine API described herein is just for KAME implementation.
AH and tunnel mode encapsulation may not work as you might expect. If you configure inbound ``require'' policy against AH tunnel or any
IPsec encapsulating policy with AH (like ``esp/tunnel/A-B/use ah/transport/A-B/require''), tunneled packets will be rejected. This is
because we enforce policy check on inner packet on reception, and AH authenticates encapsulating (outer) packet, not the encapsulated (inner)
packet (so for the receiving kernel there's no sign of authenticity). The issue will be solved when we revamp our policy engine to keep all
the packet decapsulation history.
Under certain condition, truncated result may be raised from the kernel against SADB_DUMP and SADB_SPDDUMP operation on PF_KEY socket. This
occurs if there are too many database entries in the kernel and socket buffer for the PF_KEY socket is insufficient. If you manipulate many
IPsec key/policy database entries, increase the size of socket buffer or use sysctl(8) interface.
BSD January 16, 2012 BSD