1IP-XFRM(8)                           Linux                          IP-XFRM(8)
2
3
4

NAME

6       ip-xfrm - transform configuration
7

SYNOPSIS

9       ip [ OPTIONS ] xfrm  { COMMAND | help }
10
11
12       ip xfrm XFRM-OBJECT { COMMAND | help }
13
14
15       XFRM-OBJECT := state | policy | monitor
16
17
18       ip xfrm state { add | update } ID [ ALGO-LIST ] [ mode MODE ] [ mark
19               MARK [ mask MASK ] ] [ reqid REQID ] [ seq SEQ ] [ replay-win‐
20               dow SIZE ] [ replay-seq SEQ ] [ replay-oseq SEQ ] [ replay-seq-
21               hi SEQ ] [ replay-oseq-hi SEQ ] [ flag FLAG-LIST ] [ sel SELEC‐
22               TOR ] [ LIMIT-LIST ] [ encap ENCAP ] [ coa ADDR[/PLEN] ] [ ctx
23               CTX ] [ extra-flag EXTRA-FLAG-LIST ]
24
25       ip xfrm state allocspi ID [ mode MODE ] [ mark MARK [ mask MASK ] ] [
26               reqid REQID ] [ seq SEQ ] [ min SPI max SPI ]
27
28       ip xfrm state { delete | get } ID [ mark MARK [ mask MASK ] ]
29
30       ip xfrm state { deleteall | list } [ ID ] [ mode MODE ] [ reqid REQID ]
31               [ flag FLAG-LIST ]
32
33       ip xfrm state flush [ proto XFRM-PROTO ]
34
35       ip xfrm state count
36
37       ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM-PROTO ] [ spi SPI ]
38
39       XFRM-PROTO := esp | ah | comp | route2 | hao
40
41       ALGO-LIST := [ ALGO-LIST ] ALGO
42
43       ALGO := { enc | auth } ALGO-NAME ALGO-KEYMAT |
44               auth-trunc ALGO-NAME ALGO-KEYMAT ALGO-TRUNC-LEN |
45               aead ALGO-NAME ALGO-KEYMAT ALGO-ICV-LEN |
46               comp ALGO-NAME
47
48       MODE := transport | tunnel | beet | ro | in_trigger
49
50       FLAG-LIST := [ FLAG-LIST ] FLAG
51
52       FLAG := noecn | decap-dscp | nopmtudisc | wildrecv | icmp | af-unspec |
53               align4 | esn
54
55       SELECTOR := [ src ADDR[/PLEN] ] [ dst ADDR[/PLEN] ] [ dev DEV ]
56               [ UPSPEC ]
57
58       UPSPEC := proto { PROTO |
59               { tcp | udp | sctp | dccp } [ sport PORT ] [ dport PORT ] |
60               { icmp | ipv6-icmp | mobility-header } [ type NUMBER ] [ code
61               NUMBER ] |
62               gre [ key { DOTTED-QUAD | NUMBER } ] }
63
64       LIMIT-LIST := [ LIMIT-LIST ] limit LIMIT
65
66       LIMIT := { time-soft | time-hard | time-use-soft | time-use-hard } SEC‐
67               ONDS |
68               { byte-soft | byte-hard } SIZE |
69               { packet-soft | packet-hard } COUNT
70
71       ENCAP := { espinudp | espinudp-nonike } SPORT DPORT OADDR
72
73       EXTRA-FLAG-LIST := [ EXTRA-FLAG-LIST ] EXTRA-FLAG
74
75       EXTRA-FLAG := dont-encap-dscp
76
77       ip xfrm policy { add | update } SELECTOR dir DIR [ ctx CTX ] [ mark
78               MARK [ mask MASK ] ] [ index INDEX ] [ ptype PTYPE ] [ action
79               ACTION ] [ priority PRIORITY ] [ flag FLAG-LIST ] [ LIMIT-LIST
80               ] [ TMPL-LIST ]
81
82       ip xfrm policy { delete | get } { SELECTOR | index INDEX } dir DIR [
83               ctx CTX ] [ mark MARK [ mask MASK ] ] [ ptype PTYPE ]
84
85       ip xfrm policy { deleteall | list } [ nosock ] [ SELECTOR ] [ dir DIR ]
86               [ index INDEX ] [ ptype PTYPE ] [ action ACTION ] [ priority
87               PRIORITY ] [ flag FLAG-LIST]
88
89       ip xfrm policy flush [ ptype PTYPE ]
90
91       ip xfrm policy count
92
93       ip xfrm policy set [ hthresh4 LBITS RBITS ] [ hthresh6 LBITS RBITS ]
94
95       SELECTOR := [ src ADDR[/PLEN] ] [ dst ADDR[/PLEN] ] [ dev DEV ] [
96               UPSPEC ]
97
98       UPSPEC := proto { PROTO |
99               { tcp | udp | sctp | dccp } [ sport PORT ] [ dport PORT ] |
100               { icmp | ipv6-icmp | mobility-header } [ type NUMBER ] [ code
101               NUMBER ] |
102               gre [ key { DOTTED-QUAD | NUMBER } ] }
103
104       DIR := in | out | fwd
105
106       PTYPE := main | sub
107
108       ACTION := allow | block
109
110       FLAG-LIST := [ FLAG-LIST ] FLAG
111
112       FLAG := localok | icmp
113
114       LIMIT-LIST := [ LIMIT-LIST ] limit LIMIT
115
116       LIMIT := { time-soft | time-hard | time-use-soft | time-use-hard } SEC‐
117               ONDS |
118               { byte-soft | byte-hard } SIZE |
119               { packet-soft | packet-hard } COUNT
120
121       TMPL-LIST := [ TMPL-LIST ] tmpl TMPL
122
123       TMPL := ID [ mode MODE ] [ reqid REQID ] [ level LEVEL ]
124
125       ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM-PROTO ] [ spi SPI ]
126
127       XFRM-PROTO := esp | ah | comp | route2 | hao
128
129       MODE := transport | tunnel | beet | ro | in_trigger
130
131       LEVEL := required | use
132
133       ip xfrm monitor [ all-nsid ] [ all
134                | LISTofXFRM-OBJECTS ]
135
136       LISTofXFRM-OBJECTS := [ LISTofXFRM-OBJECTS ] XFRM-OBJECT
137
138       XFRM-OBJECT := acquire | expire | SA | policy | aevent | report
139
140
141

DESCRIPTION

143       xfrm is an IP framework for transforming packets  (such  as  encrypting
144       their payloads). This framework is used to implement the IPsec protocol
145       suite (with the state object  operating  on  the  Security  Association
146       Database,  and the policy object operating on the Security Policy Data‐
147       base). It is also used for the IP Payload Compression Protocol and fea‐
148       tures of Mobile IPv6.
149
150
151       ip xfrm state add         add new state into xfrm
152       ip xfrm state update      update existing state in xfrm
153       ip xfrm state allocspi    allocate an SPI value
154       ip xfrm state delete      delete existing state in xfrm
155       ip xfrm state get         get existing state in xfrm
156       ip xfrm state deleteall   delete all existing state in xfrm
157       ip xfrm state list        print out the list of existing state in xfrm
158       ip xfrm state flush       flush all state in xfrm
159       ip xfrm state count       count all existing state in xfrm
160
161
162       ID     is specified by a source address, destination address, transform
163              protocol XFRM-PROTO, and/or Security Parameter Index SPI.   (For
164              IP  Payload  Compression, the Compression Parameter Index or CPI
165              is used for SPI.)
166
167
168       XFRM-PROTO
169              specifies a transform  protocol:  IPsec  Encapsulating  Security
170              Payload (esp), IPsec Authentication Header (ah), IP Payload Com‐
171              pression (comp), Mobile IPv6 Type 2 Routing Header (route2),  or
172              Mobile IPv6 Home Address Option (hao).
173
174
175       ALGO-LIST
176              contains  one  or more algorithms to use. Each algorithm ALGO is
177              specified by:
178
179              ·      the  algorithm  type:  encryption  (enc),  authentication
180                     (auth or auth-trunc), authenticated encryption with asso‐
181                     ciated data (aead), or compression (comp)
182
183              ·      the algorithm name ALGO-NAME (see below)
184
              ·      (for all except comp) the keying material ALGO-KEYMAT,
                     which may include both a key and a salt or nonce value;
                     refer to the corresponding RFC for the required key and
                     salt lengths. Note that key material passed on the com‐
                     mand line is visible in process listings and in shell
                     history; manual keying should be used with care
188
189              ·      (for auth-trunc only) the truncation  length  ALGO-TRUNC-
190                     LEN in bits
191
192              ·      (for  aead  only)  the Integrity Check Value length ALGO-
193                     ICV-LEN in bits
194
              Encryption algorithms include ecb(cipher_null) (no encryption,
              intended for testing only), cbc(des), cbc(des3_ede),
              cbc(cast5), cbc(blowfish), cbc(aes), cbc(serpent),
              cbc(camellia), cbc(twofish), and rfc3686(ctr(aes)).
199
              Authentication algorithms include digest_null (no integrity
              protection, intended for testing only), hmac(md5), hmac(sha1),
              hmac(sha256), hmac(sha384), hmac(sha512), hmac(rmd160), and
              xcbc(aes).
203
204              Authenticated  encryption with associated data (AEAD) algorithms
205              include      rfc4106(gcm(aes)),      rfc4309(ccm(aes)),      and
206              rfc4543(gcm(aes)).
207
208              Compression algorithms include deflate, lzs, and lzjh.
209
210
211       MODE   specifies  a mode of operation for the transform protocol. IPsec
212              and IP Payload Compression modes are transport, tunnel, and (for
213              IPsec  ESP  only)  Bound  End-to-End Tunnel (beet).  Mobile IPv6
214              modes are route optimization (ro) and inbound trigger  (in_trig‐
215              ger).
216
217
218       FLAG-LIST
219              contains one or more of the following optional flags: noecn, de‐
220              cap-dscp, nopmtudisc, wildrecv, icmp, af-unspec, align4, or esn.
221
222
       SELECTOR
              selects the traffic that this state applies to, based on the
              source address, the destination address, the network device,
              and/or UPSPEC.
227
228
229       UPSPEC selects traffic by protocol. For the tcp,  udp,  sctp,  or  dccp
230              protocols,  the  source  and  destination port can optionally be
231              specified.  For the icmp, ipv6-icmp, or  mobility-header  proto‐
232              cols,  the  type  and  code numbers can optionally be specified.
233              For the gre protocol, the key can optionally be specified  as  a
234              dotted-quad  or number.  Other protocols can be selected by name
235              or number PROTO.
236
237
       LIMIT-LIST
              sets lifetime limits in seconds, bytes, or numbers of packets;
              each limit may be given as a soft or a hard limit.
240
241
       ENCAP  encapsulates packets with protocol espinudp or espinudp-nonike,
              using source port SPORT, destination port DPORT, and original
              address OADDR.
245
246
247
248       ip xfrm policy add         add a new policy
249       ip xfrm policy update      update an existing policy
250       ip xfrm policy delete      delete an existing policy
251       ip xfrm policy get         get an existing policy
252       ip xfrm policy deleteall   delete all existing xfrm policies
253       ip xfrm policy list        print out the list of xfrm policies
254       ip xfrm policy flush       flush policies
255
256
       nosock filters (removes) all socket policies from the output.
258
259
260       SELECTOR
261              selects the traffic that will be controlled by the policy, based
262              on  the source address, the destination address, the network de‐
263              vice, and/or UPSPEC.
264
265
266       UPSPEC selects traffic by protocol. For the tcp,  udp,  sctp,  or  dccp
267              protocols,  the  source  and  destination port can optionally be
268              specified.  For the icmp, ipv6-icmp, or  mobility-header  proto‐
269              cols,  the  type  and  code numbers can optionally be specified.
270              For the gre protocol, the key can optionally be specified  as  a
271              dotted-quad  or number.  Other protocols can be selected by name
272              or number PROTO.
273
274
275       DIR    selects the policy direction as in, out, or fwd.
276
277
       CTX    sets the security context (a Linux Security Module label, for
              example an SELinux context) of the policy.
279
280
281       PTYPE  can be main (default) or sub.
282
283
284       ACTION can be allow (default) or block.
285
286
       PRIORITY
              is a number that defaults to zero. When more than one policy
              matches a packet, the policy with the lowest priority value is
              selected, so a block policy can be shadowed by an allow policy
              with a smaller priority value.
289
290
       FLAG-LIST
              contains one or both of the following optional flags: localok
              or icmp.
294
295
       LIMIT-LIST
              sets lifetime limits in seconds, bytes, or numbers of packets;
              each limit may be given as a soft or a hard limit.
298
299
300       TMPL-LIST
301              is  a template list specified using ID, MODE, REQID, and/or LEV‐
302              EL.
303
304
305       ID     is specified by a source address, destination address, transform
306              protocol  XFRM-PROTO, and/or Security Parameter Index SPI.  (For
307              IP Payload Compression, the Compression Parameter Index  or  CPI
308              is used for SPI.)
309
310
311       XFRM-PROTO
312              specifies  a  transform  protocol:  IPsec Encapsulating Security
313              Payload (esp), IPsec Authentication Header (ah), IP Payload Com‐
314              pression  (comp), Mobile IPv6 Type 2 Routing Header (route2), or
315              Mobile IPv6 Home Address Option (hao).
316
317
318       MODE   specifies a mode of operation for the transform protocol.  IPsec
319              and IP Payload Compression modes are transport, tunnel, and (for
320              IPsec ESP only) Bound End-to-End  Tunnel  (beet).   Mobile  IPv6
321              modes  are route optimization (ro) and inbound trigger (in_trig‐
322              ger).
323
324
       LEVEL  can be required (default) or use. With required, matching
              traffic is not passed until a state matching the template
              exists (an acquire event is generated instead). With use, the
              template is applied only if a matching state already exists;
              otherwise the traffic is passed without transformation, so use
              gives no guarantee that the traffic is protected.
326
327
328
329       ip xfrm policy count   count existing policies
330
331
332       Use one or more -s options to display more  details,  including  policy
333       hash table information.
334
335
336
337       ip xfrm policy set   configure the policy hash table
338
339
       Security policies whose address prefix lengths are greater than or
       equal to the policy hash table thresholds are hashed. Others are stored
       in the policy_inexact chained list.
343
344
345       LBITS  specifies  the  minimum  local address prefix length of policies
346              that are stored in the Security Policy Database hash table.
347
348
349       RBITS  specifies the minimum remote address prefix length  of  policies
350              that are stored in the Security Policy Database hash table.
351
352
353
354       ip xfrm monitor    state monitoring for xfrm objects
355
356
357       The xfrm objects to monitor can be optionally specified.
358
359
       If the all-nsid option is set, the program listens to all network
       namespaces that have an nsid assigned in the network namespace where
       the program is running. A prefix is displayed to show the network
       namespace where the message originates. Example:
364
365         [nsid 1]Flushed state proto 0
366
367
368

AUTHOR

370       Manpage revised by David Ward <david.ward@ll.mit.edu>
371       Manpage revised by Christophe Gouault <christophe.gouault@6wind.com>
372       Manpage revised by Nicolas Dichtel <nicolas.dichtel@6wind.com>
373
374
375
376iproute2                          20 Dec 2011                       IP-XFRM(8)