Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

ipsecalgs(1m) [xfree86 man page]

ipsecalgs(1M)						  System Administration Commands					     ipsecalgs(1M)

ipsecalgs - configure the IPsec protocols and algorithms table SYNOPSIS
ipsecalgs ipsecalgs -l ipsecalgs -s ipsecalgs -a [-P protocol-number | -p protocol-name] -k keylen-list [-i inc] [-K default-keylen] -b blocklen-list -n alg-names -N alg-num- ber -m mech-name [-f] [-s] ipsecalgs -P protocol-number -p protocol-name [-e exec-mode] [-f] [-s] ipsecalgs -r -p protocol-name [] -n alg-name [-s] ipsecalgs -r -p protocol-name [] -N alg-number [-s] ipsecalgs -R -P protocol-number [-s] ipsecalgs -R -p protocol-name [-s] ipsecalgs -e exec-mode -P protocol-number [-s] ipsecalgs -e exec-mode -p protocol-name [-s] DESCRIPTION
Use the ipsecalgs command to query and modify the IPsec protocol and algorithms stored in /etc/inet/ipsecalgs. You can use the ipsecalgs command to do the following: o list the currently defined IPsec protocols and algorithms o modify IPsec protocols definitions o modify IPsec algorithms definitions Never edit the /etc/inet/ipsecalgs file manually. The valid IPsec protocols and algorithms are described by the ISAKMP DOI. See RFC 2407. In the general sense, a Domain of Interpretation (DOI) defines data formats, network traffic exchange types, and conventions for naming security-relevant information such as security policies or cryptographic algorithms and modes. For ipsecalgs, the DOI defines naming and numbering conventions for algorithms and the protocols they belong to. These numbers are defined by the Internet Assigned Numbers Authority (IANA). Each algorithm belongs to a protocol. Algorithm information includes supported key lengths, block or MAC length, and the name of the cryptographic mechanism corresponding to that algorithm. This information is used by the IPsec modules, ipsecesp(7P) and ipsecah(7P), to determine the authentication and encryption algorithms that can be applied to IPsec traffic. The following protocols are predefined: IPSEC_PROTO_ESP Defines the encryption algorithms (transforms) that can be used by IPsec to provide data confidentiality. IPSEC_PROTO_AH Defines the authentication algorithms (transforms) that can be used by IPsec to provide authentication. The mechanism name specified by an algorithm entry must correspond to a valid Solaris Cryptographic Framework mechanism. You can obtain the list of available mechanisms by using the cryptoadm(1M) command. Applications can retrieve the supported algorithms and their associated protocols by using the functions getipsecalgbyname(3NSL), getipse- calgbynum(3NSL), getipsecprotobyname(3NSL) and getipsecprotobynum(3NSL). Modifications to the protocols and algorithm by default only update the contents of the /etc/inet/ipsecalgs configuration file. In order for the new definitions to be used for IPsec processing, the changes must be communicated to the kernel using the -s option. This synchro- nization is also done automatically when the host is started. When invoked without arguments, ipsecalgs displays the list of mappings that are currently defined in /etc/inet/ipsecalgs. You can obtain the corresponding kernel table of protocols and algorithms by using the -l option. OPTIONS
ipsecalgs supports the following options: -a Adds an algorithm of the protocol specified by the -P option. The algorithm name(s) are specified with the -n option. The sup- ported key lengths and block sizes are specified with the -k, -i, and -b options. -b Specifies the block or MAC lengths of an algorithm, in bytes. Set more than one block length by separating the values with com- mas. -e Designates the execution mode of cryptographic requests for the specified protocol in the absence of cryptographic hardware provider. See cryptoadm(1M). exec-mode can be one of the following values: sync Cryptographic requests are processed synchronously in the absence of a cryptographic hardware provider. This execution mode leads to better latency when no cryptographic hardware providers are available async Cryptographic requests are always processed asynchronously in the absence of cryptographic hardware provider. This execution can improve the resource utilization on a multi-CPU system, but can lead to higher latency when no cryp- tographic hardware providers are available. This option can be specified when defining a new protocol or to modify the execution mode of an existing protocol. By default, the sync execution mode is used in the absence of a cryptographic hardware provider. -f Used with the -a option to force the addition of an algorithm or protocol if an entry with the same name or number already exists. -i Specifies the valid key length increments in bits. This option must be used when the valid key lengths for an algorithm are speci- fied by a range with the -k option. -K Specifies the default key lengths for an algorithm, in bits. If the -K option is not specified, the minimum key length will be determined as follows: o If the supported key lengths are specified by range, the default key length will be the minimum key length. o If the supported key lengths are specified by enumeration, the default key length will be the first listed key length. -k Specifies the supported key lengths for an algorithm, in bits. You can designate the supported key lengths by enumeration or by range. Without the -i option, -k specifies the supported key lengths by enumeration. In this case, keylen-list consists of a list of one or more key lengths separated by commas, for example: 128,192,256 The listed key lengths need not be increasing, and the first listed key length will be used as the default key length for that algorithm unless the -K option is used. With the -i option, -k specifies the range of supported key lengths for the algorithm. The minimum and maximum key lengths must be separated by a dash ('-') character, for example: 32-448 -l Displays the kernel algorithm tables. -m Specifies the name of the cryptographic framework mechanism name corresponding to the algorithm. Cryptographic framework mecha- nisms are described in the cryptoadm(1M) man page. -N Specifies an algorithm number. The algorithm number for a protocol must be unique. IANA manages the algorithm numbers. See RFC 2407. -n Specifies one or more names for an algorithm. When adding an algorithm with the -a option, alg-names contains a string or a comma- separated list of strings, for example: des-cbs,des When used with the -r option to remove an algorithm, alg-names contains one of the valid algorithm names. -P Adds a protocol of the number specified by protocol-number with the name specified by the -p option. This option is also used to specify an IPsec protocol when used with the -a and the -R options. Protocol numbers are managed by the IANA. See RFC 2407. -p Specifies the name of the IPsec protocol. -R Removes and IPsec protocol from the algorithm table. The protocol can be specified by number by using the -P option or by name by using the -p option. The algorithms associated with the protocol are removed as well. -r Removes the mapping for an algorithm The algorithm can be specified by algorithm number using the -N option or by algorithm name using the -A option. -s Synchronizes the kernel with the contents of /etc/inet/ipsecalgs. The contents of /etc/inet/ipsecalgs are always updated, but new information is not passed on to the kernel unless the -s is used. EXAMPLES
Example 1: Adding a Protocol for IPsec Encryption The following example shows how to add a protocol for IPsec encryption: example# ipsecalgs -P 3 -p "IPSEC_PROTO_ESP" Example 2: Adding the Blowfish Algorithm The following example shows how to add the Blowfish algorithm: example# ipsecalgs -a -P 3 -k 32-488 -K 128 -i 8 -n "blowfish" -b 8 -N 7 -m CKM_BF_CBC Example 3: Updating the Kernel Algorithm Table The following example updates the kernel algorithm table with the currently defined protocol and algorithm definitions: example# ipsecalgs -s FILES
/etc/inet/ipsecalgs File that contains the configured IPsec protocols and algorithm definitions. Never edit this file manually. ATTRIBUTES
See attributes(5) for descriptions of the following attributes: +-----------------------------+-----------------------------+ | ATTRIBUTE TYPE | ATTRIBUTE VALUE | +-----------------------------+-----------------------------+ |Availability |SUNWcsu | +-----------------------------+-----------------------------+ |Interface Stability |Evolving | +-----------------------------+-----------------------------+ SEE ALSO
cryptoadm(1M), getipsecalgbyname(3NSL), getipsecprotobyname(3NSL), attributes(5), ipsecah(7P), ipsecesp(7P) Piper, Derrell, RFC 2407, The Internet IP Security Domain of Interpretation for ISAKMP. Network Working Group. November 1998. NOTES
When protocols or algorithm definitions that are removed or altered, services that rely upon these definitions can become unavailable. For example, if the IPSEC_PROTO_ESP protocol is removed, then IPsec cannot encrypt and decrypt packets. SunOS 5.10 20 Aug 2003 ipsecalgs(1M)
Man Page