1IP-XFRM(8)                           Linux                          IP-XFRM(8)

NAME

6       ip-xfrm - transform configuration
7

SYNOPSIS

9       ip [ OPTIONS ] xfrm  { COMMAND | help }
10
11
12       ip xfrm XFRM-OBJECT { COMMAND | help }
13
14
15       XFRM-OBJECT := state | policy | monitor
16
17
18       ip xfrm state { add | update } ID [ ALGO-LIST ] [ mode MODE ] [ mark
19               MARK [ mask MASK ] ] [ reqid REQID ] [ seq SEQ ] [ replay-win‐
20               dow SIZE ] [ replay-seq SEQ ] [ replay-oseq SEQ ] [ replay-seq-
21               hi SEQ ] [ replay-oseq-hi SEQ ] [ flag FLAG-LIST ] [ sel SELEC‐
22               TOR ] [ LIMIT-LIST ] [ encap ENCAP ] [ coa ADDR[/PLEN] ] [ ctx
23               CTX ] [ extra-flag EXTRA-FLAG-LIST ] [ output-mark OUTPUT-MARK
24               ]
25
26       ip xfrm state allocspi ID [ mode MODE ] [ mark MARK [ mask MASK ] ] [
27               reqid REQID ] [ seq SEQ ] [ min SPI max SPI ]
28
29       ip xfrm state { delete | get } ID [ mark MARK [ mask MASK ] ]
30
31       ip [ -4 | -6 ] xfrm state deleteall [ ID ] [ mode MODE ] [ reqid REQID
32               ] [ flag FLAG-LIST ]
33
34       ip [ -4 | -6 ] xfrm state list [ ID ] [ nokeys ] [ mode MODE ] [ reqid
35               REQID ] [ flag FLAG-LIST ]
36
37       ip xfrm state flush [ proto XFRM-PROTO ]
38
39       ip xfrm state count
40
41       ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM-PROTO ] [ spi SPI ]
42
43       XFRM-PROTO := esp | ah | comp | route2 | hao
44
45       ALGO-LIST := [ ALGO-LIST ] ALGO
46
47       ALGO := { enc | auth } ALGO-NAME ALGO-KEYMAT |
48               auth-trunc ALGO-NAME ALGO-KEYMAT ALGO-TRUNC-LEN |
49               aead ALGO-NAME ALGO-KEYMAT ALGO-ICV-LEN |
50               comp ALGO-NAME
51
52       MODE := transport | tunnel | beet | ro | in_trigger
53
54       FLAG-LIST := [ FLAG-LIST ] FLAG
55
56       FLAG := noecn | decap-dscp | nopmtudisc | wildrecv | icmp | af-unspec |
57               align4 | esn
58
59       SELECTOR := [ src ADDR[/PLEN] ] [ dst ADDR[/PLEN] ] [ dev DEV ]
60               [ UPSPEC ]
61
62       UPSPEC := proto { PROTO |
63               { tcp | udp | sctp | dccp } [ sport PORT ] [ dport PORT ] |
64               { icmp | ipv6-icmp | mobility-header } [ type NUMBER ] [ code
65               NUMBER ] |
66               gre [ key { DOTTED-QUAD | NUMBER } ] }
67
68       LIMIT-LIST := [ LIMIT-LIST ] limit LIMIT
69
70       LIMIT := { time-soft | time-hard | time-use-soft | time-use-hard } SEC‐
71               ONDS |
72               { byte-soft | byte-hard } SIZE |
73               { packet-soft | packet-hard } COUNT
74
75       ENCAP := { espinudp | espinudp-nonike } SPORT DPORT OADDR
76
77       EXTRA-FLAG-LIST := [ EXTRA-FLAG-LIST ] EXTRA-FLAG
78
79       EXTRA-FLAG := dont-encap-dscp
80
81       ip xfrm policy { add | update } SELECTOR dir DIR [ ctx CTX ] [ mark
82               MARK [ mask MASK ] ] [ index INDEX ] [ ptype PTYPE ] [ action
83               ACTION ] [ priority PRIORITY ] [ flag FLAG-LIST ] [ LIMIT-LIST
84               ] [ TMPL-LIST ]
85
86       ip xfrm policy { delete | get } { SELECTOR | index INDEX } dir DIR [
87               ctx CTX ] [ mark MARK [ mask MASK ] ] [ ptype PTYPE ]
88
89       ip [ -4 | -6 ] xfrm policy { deleteall | list } [ nosock ] [ SELECTOR ]
90               [ dir DIR ] [ index INDEX ] [ ptype PTYPE ] [ action ACTION ] [
91               priority PRIORITY ] [ flag FLAG-LIST]
92
93       ip xfrm policy flush [ ptype PTYPE ]
94
95       ip xfrm policy count
96
97       ip xfrm policy set [ hthresh4 LBITS RBITS ] [ hthresh6 LBITS RBITS ]
98
99       SELECTOR := [ src ADDR[/PLEN] ] [ dst ADDR[/PLEN] ] [ dev DEV ] [
100               UPSPEC ]
101
102       UPSPEC := proto { PROTO |
103               { tcp | udp | sctp | dccp } [ sport PORT ] [ dport PORT ] |
104               { icmp | ipv6-icmp | mobility-header } [ type NUMBER ] [ code
105               NUMBER ] |
106               gre [ key { DOTTED-QUAD | NUMBER } ] }
107
108       DIR := in | out | fwd
109
110       PTYPE := main | sub
111
112       ACTION := allow | block
113
114       FLAG-LIST := [ FLAG-LIST ] FLAG
115
116       FLAG := localok | icmp
117
118       LIMIT-LIST := [ LIMIT-LIST ] limit LIMIT
119
120       LIMIT := { time-soft | time-hard | time-use-soft | time-use-hard } SEC‐
121               ONDS |
122               { byte-soft | byte-hard } SIZE |
123               { packet-soft | packet-hard } COUNT
124
125       TMPL-LIST := [ TMPL-LIST ] tmpl TMPL
126
127       TMPL := ID [ mode MODE ] [ reqid REQID ] [ level LEVEL ]
128
129       ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM-PROTO ] [ spi SPI ]
130
131       XFRM-PROTO := esp | ah | comp | route2 | hao
132
133       MODE := transport | tunnel | beet | ro | in_trigger
134
135       LEVEL := required | use
136
137       ip xfrm monitor [ all-nsid ] [ nokeys ] [ all
138                | LISTofXFRM-OBJECTS ]
139
140       LISTofXFRM-OBJECTS := [ LISTofXFRM-OBJECTS ] XFRM-OBJECT
141
142       XFRM-OBJECT := acquire | expire | SA | policy | aevent | report
143
144
145

DESCRIPTION

147       xfrm is an IP framework for transforming packets  (such  as  encrypting
148       their payloads). This framework is used to implement the IPsec protocol
149       suite (with the state object  operating  on  the  Security  Association
150       Database,  and the policy object operating on the Security Policy Data‐
151       base). It is also used for the IP Payload Compression Protocol and fea‐
152       tures of Mobile IPv6.
153
154
155       ip xfrm state add         add new state into xfrm
156       ip xfrm state update      update existing state in xfrm
157       ip xfrm state allocspi    allocate an SPI value
158       ip xfrm state delete      delete existing state in xfrm
159       ip xfrm state get         get existing state in xfrm
160       ip xfrm state deleteall   delete all existing state in xfrm
161       ip xfrm state list        print out the list of existing state in xfrm
162       ip xfrm state flush       flush all state in xfrm
163       ip xfrm state count       count all existing state in xfrm
164
165
166       ID     is specified by a source address, destination address, transform
167              protocol XFRM-PROTO, and/or Security Parameter Index SPI.   (For
168              IP  Payload  Compression, the Compression Parameter Index or CPI
169              is used for SPI.)
170
171
172       XFRM-PROTO
173              specifies a transform  protocol:  IPsec  Encapsulating  Security
174              Payload (esp), IPsec Authentication Header (ah), IP Payload Com‐
175              pression (comp), Mobile IPv6 Type 2 Routing Header (route2),  or
176              Mobile IPv6 Home Address Option (hao).
177
178
179       ALGO-LIST
180              contains  one  or more algorithms to use. Each algorithm ALGO is
181              specified by:
182
183              ·      the  algorithm  type:  encryption  (enc),  authentication
184                     (auth or auth-trunc), authenticated encryption with asso‐
185                     ciated data (aead), or compression (comp)
186
187              ·      the algorithm name ALGO-NAME (see below)
188
189              ·      (for all except comp) the  keying  material  ALGO-KEYMAT,
190                     which  may  include both a key and a salt or nonce value;
191                     refer to the corresponding RFC
192
193              ·      (for auth-trunc only) the truncation  length  ALGO-TRUNC-
194                     LEN in bits
195
196              ·      (for  aead  only)  the Integrity Check Value length ALGO-
197                     ICV-LEN in bits
198
199              Encryption  algorithms   include   ecb(cipher_null),   cbc(des),
200              cbc(des3_ede),      cbc(cast5),     cbc(blowfish),     cbc(aes),
201              cbc(serpent),       cbc(camellia),       cbc(twofish),       and
202              rfc3686(ctr(aes)).
203
204              Authentication   algorithms   include   digest_null,  hmac(md5),
205              hmac(sha1),    hmac(sha256),     hmac(sha384),     hmac(sha512),
206              hmac(rmd160), and xcbc(aes).
207
208              Authenticated  encryption with associated data (AEAD) algorithms
209              include      rfc4106(gcm(aes)),      rfc4309(ccm(aes)),      and
210              rfc4543(gcm(aes)).
211
212              Compression algorithms include deflate, lzs, and lzjh.
213
214
215       MODE   specifies  a mode of operation for the transform protocol. IPsec
216              and IP Payload Compression modes are transport, tunnel, and (for
217              IPsec  ESP  only)  Bound  End-to-End Tunnel (beet).  Mobile IPv6
218              modes are route optimization (ro) and inbound trigger  (in_trig‐
219              ger).
220
221
222       FLAG-LIST
223              contains one or more of the following optional flags: noecn, de‐
224              cap-dscp, nopmtudisc, wildrecv, icmp, af-unspec, align4, or esn.
225
226
227       SELECTOR
228              selects the traffic that will be controlled by the policy, based
229              on  the source address, the destination address, the network de‐
230              vice, and/or UPSPEC.
231
232
233       UPSPEC selects traffic by protocol. For the tcp,  udp,  sctp,  or  dccp
234              protocols,  the  source  and  destination port can optionally be
235              specified.  For the icmp, ipv6-icmp, or  mobility-header  proto‐
236              cols,  the  type  and  code numbers can optionally be specified.
237              For the gre protocol, the key can optionally be specified  as  a
238              dotted-quad  or number.  Other protocols can be selected by name
239              or number PROTO.
240
241
242       LIMIT-LIST
243              sets limits in seconds, bytes, or numbers of packets.
244
245
246       ENCAP  encapsulates packets with protocol espinudp or  espinudp-nonike,
247              using  source  port SPORT, destination port DPORT, and original
248              address OADDR.
249
250
251       MARK   is used to match xfrm policies and states.
252
253
254       OUTPUT-MARK
255              is used to set the output mark to  influence  the  routing  of  the
256              packets emitted by the state.
257
258
259
260       ip xfrm policy add         add a new policy
261       ip xfrm policy update      update an existing policy
262       ip xfrm policy delete      delete an existing policy
263       ip xfrm policy get         get an existing policy
264
265       ip xfrm policy deleteall   delete all existing xfrm policies
266       ip xfrm policy list        print out the list of xfrm policies
267       ip xfrm policy flush       flush policies
268
269
270       nosock filters out (removes) all socket policies from the output.
271
272
273       SELECTOR
274              selects the traffic that will be controlled by the policy, based
275              on the source address, the destination address, the network  de‐
276              vice, and/or UPSPEC.
277
278
279       UPSPEC selects  traffic  by  protocol.  For the tcp, udp, sctp, or dccp
280              protocols, the source and destination  port  can  optionally  be
281              specified.   For  the icmp, ipv6-icmp, or mobility-header proto‐
282              cols, the type and code numbers  can  optionally  be  specified.
283              For  the  gre protocol, the key can optionally be specified as a
284              dotted-quad or number.  Other protocols can be selected by  name
285              or number PROTO.
286
287
288       DIR    selects the policy direction as in, out, or fwd.
289
290
291       CTX    sets the security context.
292
293
294       PTYPE  can be main (default) or sub.
295
296
297       ACTION can be allow (default) or block.
298
299
300       PRIORITY
301              is a number that defaults to zero.
302
303
304       FLAG-LIST
305              contains  one  or both of the following optional flags: localok or
306              icmp.
307
308
309       LIMIT-LIST
310              sets limits in seconds, bytes, or numbers of packets.
311
312
313       TMPL-LIST
314              is a template list specified using ID, MODE, REQID, and/or  LEV‐
315              EL.
316
317
318       ID     is specified by a source address, destination address, transform
319              protocol XFRM-PROTO, and/or Security Parameter Index SPI.   (For
320              IP  Payload  Compression, the Compression Parameter Index or CPI
321              is used for SPI.)
322
323
324       XFRM-PROTO
325              specifies a transform  protocol:  IPsec  Encapsulating  Security
326              Payload (esp), IPsec Authentication Header (ah), IP Payload Com‐
327              pression (comp), Mobile IPv6 Type 2 Routing Header (route2),  or
328              Mobile IPv6 Home Address Option (hao).
329
330
331       MODE   specifies  a mode of operation for the transform protocol. IPsec
332              and IP Payload Compression modes are transport, tunnel, and (for
333              IPsec  ESP  only)  Bound  End-to-End Tunnel (beet).  Mobile IPv6
334              modes are route optimization (ro) and inbound trigger  (in_trig‐
335              ger).
336
337
338       LEVEL  can be required (default) or use.
339
340
341
342       ip xfrm policy count   count existing policies
343
344
345       Use  one  or  more -s options to display more details, including policy
346       hash table information.
347
348
349
350       ip xfrm policy set   configure the policy hash table
351
352
353       Security policies whose address prefix  lengths  are  greater  than  or
354       equal to the policy hash table thresholds are hashed. Others are stored
355       in the policy_inexact chained list.
356
357
358       LBITS  specifies the minimum local address prefix  length  of  policies
359              that are stored in the Security Policy Database hash table.
360
361
362       RBITS  specifies  the  minimum remote address prefix length of policies
363              that are stored in the Security Policy Database hash table.
364
365
366
367       ip xfrm monitor    state monitoring for xfrm objects
368
369
370       The xfrm objects to monitor can be optionally specified.
371
372
373       If the all-nsid option is set,  the  program  listens  to  all  network
374       namespaces that have an nsid assigned in the network namespace where
375       the program is running.  A prefix is  displayed  to  show  the  network
376       namespace where the message originates. Example:
377
378         [nsid 1]Flushed state proto 0
379
380
381

AUTHOR

383       Manpage revised by David Ward <david.ward@ll.mit.edu>
384       Manpage revised by Christophe Gouault <christophe.gouault@6wind.com>
385       Manpage revised by Nicolas Dichtel <nicolas.dichtel@6wind.com>
389iproute2                          20 Dec 2011                       IP-XFRM(8)