IP-XFRM(8)                           Linux                           IP-XFRM(8)

NAME
       ip-xfrm - transform configuration

SYNOPSIS
       ip [ OPTIONS ] xfrm { COMMAND | help }

       ip xfrm XFRM-OBJECT { COMMAND | help }

       XFRM-OBJECT := state | policy | monitor

       ip xfrm state { add | update } ID [ ALGO-LIST ] [ mode MODE ] [ mark
               MARK [ mask MASK ] ] [ reqid REQID ] [ seq SEQ ] [ replay-window
               SIZE ] [ replay-seq SEQ ] [ replay-oseq SEQ ] [ replay-seq-hi
               SEQ ] [ replay-oseq-hi SEQ ] [ flag FLAG-LIST ] [ sel SELECTOR ]
               [ LIMIT-LIST ] [ encap ENCAP ] [ coa ADDR[/PLEN] ] [ ctx CTX ]
               [ extra-flag EXTRA-FLAG-LIST ] [ output-mark OUTPUT-MARK ]

       ip xfrm state allocspi ID [ mode MODE ] [ mark MARK [ mask MASK ] ]
               [ reqid REQID ] [ seq SEQ ] [ min SPI max SPI ]

       ip xfrm state { delete | get } ID [ mark MARK [ mask MASK ] ]

       ip [ -4 | -6 ] xfrm state deleteall [ ID ] [ mode MODE ] [ reqid REQID ]
               [ flag FLAG-LIST ]

       ip [ -4 | -6 ] xfrm state list [ ID ] [ nokeys ] [ mode MODE ]
               [ reqid REQID ] [ flag FLAG-LIST ]

       ip xfrm state flush [ proto XFRM-PROTO ]

       ip xfrm state count

       ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM-PROTO ] [ spi SPI ]

       XFRM-PROTO := esp | ah | comp | route2 | hao

       ALGO-LIST := [ ALGO-LIST ] ALGO

       ALGO := { enc | auth } ALGO-NAME ALGO-KEYMAT |
               auth-trunc ALGO-NAME ALGO-KEYMAT ALGO-TRUNC-LEN |
               aead ALGO-NAME ALGO-KEYMAT ALGO-ICV-LEN |
               comp ALGO-NAME

       MODE := transport | tunnel | beet | ro | in_trigger

       FLAG-LIST := [ FLAG-LIST ] FLAG

       FLAG := noecn | decap-dscp | nopmtudisc | wildrecv | icmp | af-unspec |
               align4 | esn

       SELECTOR := [ src ADDR[/PLEN] ] [ dst ADDR[/PLEN] ] [ dev DEV ]
               [ UPSPEC ]

       UPSPEC := proto { PROTO |
               { tcp | udp | sctp | dccp } [ sport PORT ] [ dport PORT ] |
               { icmp | ipv6-icmp | mobility-header } [ type NUMBER ]
               [ code NUMBER ] |
               gre [ key { DOTTED-QUAD | NUMBER } ] }

       LIMIT-LIST := [ LIMIT-LIST ] limit LIMIT

       LIMIT := { time-soft | time-hard | time-use-soft | time-use-hard }
               SECONDS |
               { byte-soft | byte-hard } SIZE |
               { packet-soft | packet-hard } COUNT

       ENCAP := { espinudp | espinudp-nonike } SPORT DPORT OADDR

       EXTRA-FLAG-LIST := [ EXTRA-FLAG-LIST ] EXTRA-FLAG

       EXTRA-FLAG := dont-encap-dscp

       ip xfrm policy { add | update } SELECTOR dir DIR [ ctx CTX ] [ mark
               MARK [ mask MASK ] ] [ index INDEX ] [ ptype PTYPE ] [ action
               ACTION ] [ priority PRIORITY ] [ flag FLAG-LIST ] [ LIMIT-LIST ]
               [ TMPL-LIST ]

       ip xfrm policy { delete | get } { SELECTOR | index INDEX } dir DIR
               [ ctx CTX ] [ mark MARK [ mask MASK ] ] [ ptype PTYPE ]

       ip [ -4 | -6 ] xfrm policy { deleteall | list } [ nosock ] [ SELECTOR ]
               [ dir DIR ] [ index INDEX ] [ ptype PTYPE ] [ action ACTION ]
               [ priority PRIORITY ] [ flag FLAG-LIST ]

       ip xfrm policy flush [ ptype PTYPE ]

       ip xfrm policy count

       ip xfrm policy set [ hthresh4 LBITS RBITS ] [ hthresh6 LBITS RBITS ]

       SELECTOR := [ src ADDR[/PLEN] ] [ dst ADDR[/PLEN] ] [ dev DEV ]
               [ UPSPEC ]

       UPSPEC := proto { PROTO |
               { tcp | udp | sctp | dccp } [ sport PORT ] [ dport PORT ] |
               { icmp | ipv6-icmp | mobility-header } [ type NUMBER ]
               [ code NUMBER ] |
               gre [ key { DOTTED-QUAD | NUMBER } ] }

       DIR := in | out | fwd

       PTYPE := main | sub

       ACTION := allow | block

       FLAG-LIST := [ FLAG-LIST ] FLAG

       FLAG := localok | icmp

       LIMIT-LIST := [ LIMIT-LIST ] limit LIMIT

       LIMIT := { time-soft | time-hard | time-use-soft | time-use-hard }
               SECONDS |
               { byte-soft | byte-hard } SIZE |
               { packet-soft | packet-hard } COUNT

       TMPL-LIST := [ TMPL-LIST ] tmpl TMPL

       TMPL := ID [ mode MODE ] [ reqid REQID ] [ level LEVEL ]

       ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM-PROTO ] [ spi SPI ]

       XFRM-PROTO := esp | ah | comp | route2 | hao

       MODE := transport | tunnel | beet | ro | in_trigger

       LEVEL := required | use

       ip xfrm monitor [ all-nsid ] [ nokeys ] [ all | LISTofXFRM-OBJECTS ]

       LISTofXFRM-OBJECTS := [ LISTofXFRM-OBJECTS ] XFRM-OBJECT

       XFRM-OBJECT := acquire | expire | SA | policy | aevent | report

DESCRIPTION
       xfrm is an IP framework for transforming packets (such as encrypting
       their payloads). This framework is used to implement the IPsec protocol
       suite (with the state object operating on the Security Association
       Database, and the policy object operating on the Security Policy
       Database). It is also used for the IP Payload Compression Protocol and
       features of Mobile IPv6.

       ip xfrm state add        add a new state into xfrm
       ip xfrm state update     update an existing state in xfrm
       ip xfrm state allocspi   allocate an SPI value
       ip xfrm state delete     delete an existing state in xfrm
       ip xfrm state get        get an existing state in xfrm
       ip xfrm state deleteall  delete all existing states in xfrm
       ip xfrm state list       print out the list of existing states in xfrm
       ip xfrm state flush      flush all states in xfrm
       ip xfrm state count      count all existing states in xfrm


       ID     is specified by a source address, destination address, transform
              protocol XFRM-PROTO, and/or Security Parameter Index SPI. (For
              IP Payload Compression, the Compression Parameter Index or CPI
              is used as the SPI.)

       XFRM-PROTO
              specifies a transform protocol: IPsec Encapsulating Security
              Payload (esp), IPsec Authentication Header (ah), IP Payload
              Compression (comp), Mobile IPv6 Type 2 Routing Header (route2),
              or Mobile IPv6 Home Address Option (hao).

       ALGO-LIST
              contains one or more algorithms to use. Each algorithm ALGO is
              specified by:

              · the algorithm type: encryption (enc), authentication (auth or
                auth-trunc), authenticated encryption with associated data
                (aead), or compression (comp)

              · the algorithm name ALGO-NAME (see below)

              · (for all except comp) the keying material ALGO-KEYMAT, which
                may include both a key and a salt or nonce value; refer to the
                corresponding RFC

              · (for auth-trunc only) the truncation length ALGO-TRUNC-LEN in
                bits

              · (for aead only) the Integrity Check Value length ALGO-ICV-LEN
                in bits

              Encryption algorithms include ecb(cipher_null), cbc(des),
              cbc(des3_ede), cbc(cast5), cbc(blowfish), cbc(aes),
              cbc(serpent), cbc(camellia), cbc(twofish), and
              rfc3686(ctr(aes)).

              Authentication algorithms include digest_null, hmac(md5),
              hmac(sha1), hmac(sha256), hmac(sha384), hmac(sha512),
              hmac(rmd160), and xcbc(aes).

              Authenticated encryption with associated data (AEAD) algorithms
              include rfc4106(gcm(aes)), rfc4309(ccm(aes)), and
              rfc4543(gcm(aes)).

              Compression algorithms include deflate, lzs, and lzjh.

       MODE   specifies a mode of operation for the transform protocol. IPsec
              and IP Payload Compression modes are transport, tunnel, and (for
              IPsec ESP only) Bound End-to-End Tunnel (beet). Mobile IPv6
              modes are route optimization (ro) and inbound trigger
              (in_trigger).

       FLAG-LIST
              contains one or more of the following optional flags: noecn,
              decap-dscp, nopmtudisc, wildrecv, icmp, af-unspec, align4, or
              esn.

       SELECTOR
              selects the traffic that will be controlled by the policy, based
              on the source address, the destination address, the network
              device, and/or UPSPEC.

       UPSPEC selects traffic by protocol. For the tcp, udp, sctp, or dccp
              protocols, the source and destination port can optionally be
              specified. For the icmp, ipv6-icmp, or mobility-header
              protocols, the type and code numbers can optionally be
              specified. For the gre protocol, the key can optionally be
              specified as a dotted-quad or number. Other protocols can be
              selected by name or number PROTO.

       LIMIT-LIST
              sets limits in seconds, bytes, or numbers of packets.

       ENCAP  encapsulates packets with protocol espinudp or espinudp-nonike,
              using source port SPORT, destination port DPORT, and original
              address OADDR.

       MARK   is used to match xfrm policies and states.

       OUTPUT-MARK
              is used to set the output mark to influence the routing of the
              packets emitted by the state.


       ip xfrm policy add        add a new policy
       ip xfrm policy update     update an existing policy
       ip xfrm policy delete     delete an existing policy
       ip xfrm policy get        get an existing policy

       ip xfrm policy deleteall  delete all existing xfrm policies
       ip xfrm policy list       print out the list of xfrm policies
       ip xfrm policy flush      flush policies

       nosock filters (removes) all socket policies from the output.

       SELECTOR
              selects the traffic that will be controlled by the policy, based
              on the source address, the destination address, the network
              device, and/or UPSPEC.

       UPSPEC selects traffic by protocol. For the tcp, udp, sctp, or dccp
              protocols, the source and destination port can optionally be
              specified. For the icmp, ipv6-icmp, or mobility-header
              protocols, the type and code numbers can optionally be
              specified. For the gre protocol, the key can optionally be
              specified as a dotted-quad or number. Other protocols can be
              selected by name or number PROTO.

       DIR    selects the policy direction as in, out, or fwd.

       CTX    sets the security context.

       PTYPE  can be main (default) or sub.

       ACTION can be allow (default) or block.

       PRIORITY
              is a number that defaults to zero.

       FLAG-LIST
              contains one or both of the following optional flags: localok or
              icmp.

       LIMIT-LIST
              sets limits in seconds, bytes, or numbers of packets.

       TMPL-LIST
              is a template list specified using ID, MODE, REQID, and/or
              LEVEL.

       ID     is specified by a source address, destination address, transform
              protocol XFRM-PROTO, and/or Security Parameter Index SPI. (For
              IP Payload Compression, the Compression Parameter Index or CPI
              is used as the SPI.)

       XFRM-PROTO
              specifies a transform protocol: IPsec Encapsulating Security
              Payload (esp), IPsec Authentication Header (ah), IP Payload
              Compression (comp), Mobile IPv6 Type 2 Routing Header (route2),
              or Mobile IPv6 Home Address Option (hao).

       MODE   specifies a mode of operation for the transform protocol. IPsec
              and IP Payload Compression modes are transport, tunnel, and (for
              IPsec ESP only) Bound End-to-End Tunnel (beet). Mobile IPv6
              modes are route optimization (ro) and inbound trigger
              (in_trigger).

       LEVEL  can be required (default) or use.

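       The following is an added example, not part of the ip-xfrm man page or
       of iproute2: a POSIX shell script that composes the ip xfrm state add
       and ip xfrm policy add commands described above for a transport-mode
       ESP pair protected with the AEAD transform rfc4106(gcm(aes)), checking
       the keying material length before emitting anything. The addresses,
       SPIs, reqid and keys are constructed sample values, and the function
       names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the ip-xfrm man page. Emits the ip xfrm commands
# host A runs to protect traffic with host B: transport-mode ESP with the AEAD
# transform rfc4106(gcm(aes)). All values passed in are assumed sample data.

# rfc4106(gcm(aes)) keymat is the AES key followed by a 4-byte salt (RFC 4106).
# For AES-128 that is 16 + 4 = 20 bytes, i.e. exactly 40 hex digits after "0x".
gcm128_keymat_ok() {
    hex=${1#0x}
    [ "$hex" != "$1" ] || return 1                   # the 0x prefix is required
    [ "${#hex}" -eq 40 ] || return 1                 # 160 bits, no more, no less
    case $hex in *[!0-9a-fA-F]*) return 1 ;; esac    # hex digits only
    return 0
}

# One ESP state (SA) for the direction src -> dst: ESN with a replay window,
# 128-bit ICV, and soft/hard lifetimes so the SA is rekeyed before it expires.
esp_state_cmd() {
    printf 'ip xfrm state add src %s dst %s proto esp spi %s reqid %s' "$1" "$2" "$3" "$4"
    printf ' mode transport aead "rfc4106(gcm(aes))" %s 128 flag esn' "$5"
    printf ' replay-window 128 limit time-soft 3000 limit time-hard 3600\n'
}

# Policy for one direction. The template binds it to the SA by reqid, and
# "level required" means matching traffic without ESP protection is dropped.
esp_policy_cmd() {
    printf 'ip xfrm policy add src %s dst %s dir %s' "$1" "$2" "$3"
    printf ' tmpl src %s dst %s proto esp reqid %s mode transport level required\n' "$1" "$2" "$4"
}

# Usage: esp_pair_commands A B SPI_A_TO_B SPI_B_TO_A REQID KEY_A_TO_B KEY_B_TO_A
esp_pair_commands() {
    a=$1; b=$2; spi_ab=$3; spi_ba=$4; reqid=$5; key_ab=$6; key_ba=$7
    gcm128_keymat_ok "$key_ab" && gcm128_keymat_ok "$key_ba" || return 1
    esp_state_cmd "$a" "$b" "$spi_ab" "$reqid" "$key_ab"
    esp_state_cmd "$b" "$a" "$spi_ba" "$reqid" "$key_ba"
    esp_policy_cmd "$a" "$b" out "$reqid"
    esp_policy_cmd "$b" "$a" in "$reqid"
    # Verification step: "nokeys" keeps keying material out of the listing.
    printf 'ip xfrm state list nokeys reqid %s\n' "$reqid"
}

# Constructed sample values (documentation addresses, placeholder keys).
SAMPLE_KEY_AB=0x000102030405060708090a0b0c0d0e0f0a0b0c0d
SAMPLE_KEY_BA=0x101112131415161718191a1b1c1d1e1f1a1b1c1d
esp_pair_commands 192.0.2.1 198.51.100.1 0x1001 0x1002 1 "$SAMPLE_KEY_AB" "$SAMPLE_KEY_BA"
```

       Applying the emitted commands needs CAP_NET_ADMIN; note that keys given
       on the ip command line are visible in process listings and in ip xfrm
       state list output unless nokeys is used.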

       ip xfrm policy count      count existing policies

       Use one or more -s options to display more details, including policy
       hash table information.

       ip xfrm policy set        configure the policy hash table

       Security policies whose address prefix lengths are greater than or
       equal to the policy hash table thresholds are hashed. Others are stored
       in the policy_inexact chained list.

       LBITS  specifies the minimum local address prefix length of policies
              that are stored in the Security Policy Database hash table.

       RBITS  specifies the minimum remote address prefix length of policies
              that are stored in the Security Policy Database hash table.


       ip xfrm monitor           state monitoring for xfrm objects

       The xfrm objects to monitor can be optionally specified.

       If the all-nsid option is set, the program listens to all network
       namespaces that have an nsid assigned in the network namespace where
       the program is running. A prefix is displayed to show the network
       namespace where the message originates. Example:

              [nsid 1]Flushed state proto 0

AUTHOR
       Manpage revised by David Ward <david.ward@ll.mit.edu>
       Manpage revised by Christophe Gouault <christophe.gouault@6wind.com>
       Manpage revised by Nicolas Dichtel <nicolas.dichtel@6wind.com>

iproute2                            20 Dec 2011                      IP-XFRM(8)