1IP-XFRM(8) Linux IP-XFRM(8)
2
3
4
6 ip-xfrm - transform configuration
7
9 ip [ OPTIONS ] xfrm { COMMAND | help }
10
11
12 ip xfrm XFRM-OBJECT { COMMAND | help }
13
14
15 XFRM-OBJECT := state | policy | monitor
16
17
18 ip xfrm state { add | update } ID [ ALGO-LIST ] [ mode MODE ] [ mark
19 MARK [ mask MASK ] ] [ reqid REQID ] [ seq SEQ ] [ replay-win‐
20 dow SIZE ] [ replay-seq SEQ ] [ replay-oseq SEQ ] [ replay-seq-
21 hi SEQ ] [ replay-oseq-hi SEQ ] [ flag FLAG-LIST ] [ sel SELEC‐
22 TOR ] [ LIMIT-LIST ] [ encap ENCAP ] [ coa ADDR[/PLEN] ] [ ctx
23 CTX ] [ extra-flag EXTRA-FLAG-LIST ] [ output-mark OUTPUT-MARK
24 ] [ if_id IF-ID ]
25
26 ip xfrm state allocspi ID [ mode MODE ] [ mark MARK [ mask MASK ] ] [
27 reqid REQID ] [ seq SEQ ] [ min SPI max SPI ]
28
29 ip xfrm state { delete | get } ID [ mark MARK [ mask MASK ] ]
30
31 ip [ -4 | -6 ] xfrm state deleteall [ ID ] [ mode MODE ] [ reqid REQID
32 ] [ flag FLAG-LIST ]
33
34 ip [ -4 | -6 ] xfrm state list [ ID ] [ nokeys ] [ mode MODE ] [ reqid
35 REQID ] [ flag FLAG-LIST ]
36
37 ip xfrm state flush [ proto XFRM-PROTO ]
38
39 ip xfrm state count
40
41 ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM-PROTO ] [ spi SPI ]
42
43 XFRM-PROTO := esp | ah | comp | route2 | hao
44
45 ALGO-LIST := [ ALGO-LIST ] ALGO
46
47 ALGO := { enc | auth } ALGO-NAME ALGO-KEYMAT |
48 auth-trunc ALGO-NAME ALGO-KEYMAT ALGO-TRUNC-LEN |
49 aead ALGO-NAME ALGO-KEYMAT ALGO-ICV-LEN |
50 comp ALGO-NAME
51
52 MODE := transport | tunnel | beet | ro | in_trigger
53
54 FLAG-LIST := [ FLAG-LIST ] FLAG
55
56 FLAG := noecn | decap-dscp | nopmtudisc | wildrecv | icmp | af-unspec |
57 align4 | esn
58
59 SELECTOR := [ src ADDR[/PLEN] ] [ dst ADDR[/PLEN] ] [ dev DEV ]
60 [ UPSPEC ]
61
62 UPSPEC := proto { PROTO |
63 { tcp | udp | sctp | dccp } [ sport PORT ] [ dport PORT ] |
64 { icmp | ipv6-icmp | mobility-header } [ type NUMBER ] [ code
65 NUMBER ] |
66 gre [ key { DOTTED-QUAD | NUMBER } ] }
67
68 LIMIT-LIST := [ LIMIT-LIST ] limit LIMIT
69
70 LIMIT := { time-soft | time-hard | time-use-soft | time-use-hard } SEC‐
71 ONDS |
72 { byte-soft | byte-hard } SIZE |
73 { packet-soft | packet-hard } COUNT
74
75 ENCAP := { espinudp | espinudp-nonike | espintcp } SPORT DPORT OADDR
76
77 EXTRA-FLAG-LIST := [ EXTRA-FLAG-LIST ] EXTRA-FLAG
78
79 EXTRA-FLAG := dont-encap-dscp | oseq-may-wrap
80
81 ip xfrm policy { add | update } SELECTOR dir DIR [ ctx CTX ] [ mark
82 MARK [ mask MASK ] ] [ index INDEX ] [ ptype PTYPE ] [ action
83 ACTION ] [ priority PRIORITY ] [ flag FLAG-LIST ] [ if_id IF-ID
84 ] [ LIMIT-LIST ] [ TMPL-LIST ]
85
86 ip xfrm policy { delete | get } { SELECTOR | index INDEX } dir DIR [
87 ctx CTX ] [ mark MARK [ mask MASK ] ] [ ptype PTYPE ] [ if_id
88 IF-ID ]
89
90 ip [ -4 | -6 ] xfrm policy { deleteall | list } [ nosock ] [ SELECTOR ]
91 [ dir DIR ] [ index INDEX ] [ ptype PTYPE ] [ action ACTION ] [
92 priority PRIORITY ] [ flag FLAG-LIST]
93
94 ip xfrm policy flush [ ptype PTYPE ]
95
96 ip xfrm policy count
97
98 ip xfrm policy set [ hthresh4 LBITS RBITS ] [ hthresh6 LBITS RBITS ]
99
100 SELECTOR := [ src ADDR[/PLEN] ] [ dst ADDR[/PLEN] ] [ dev DEV ] [
101 UPSPEC ]
102
103 UPSPEC := proto { PROTO |
104 { tcp | udp | sctp | dccp } [ sport PORT ] [ dport PORT ] |
105 { icmp | ipv6-icmp | mobility-header } [ type NUMBER ] [ code
106 NUMBER ] |
107 gre [ key { DOTTED-QUAD | NUMBER } ] }
108
109 DIR := in | out | fwd
110
111 PTYPE := main | sub
112
113 ACTION := allow | block
114
115 FLAG-LIST := [ FLAG-LIST ] FLAG
116
117 FLAG := localok | icmp
118
119 LIMIT-LIST := [ LIMIT-LIST ] limit LIMIT
120
121 LIMIT := { time-soft | time-hard | time-use-soft | time-use-hard } SEC‐
122 ONDS |
123 { byte-soft | byte-hard } SIZE |
124 { packet-soft | packet-hard } COUNT
125
126 TMPL-LIST := [ TMPL-LIST ] tmpl TMPL
127
128 TMPL := ID [ mode MODE ] [ reqid REQID ] [ level LEVEL ]
129
130 ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM-PROTO ] [ spi SPI ]
131
132 XFRM-PROTO := esp | ah | comp | route2 | hao
133
134 MODE := transport | tunnel | beet | ro | in_trigger
135
136 LEVEL := required | use
137
138 ip xfrm monitor [ all-nsid ] [ nokeys ] [ all
139 | LISTofXFRM-OBJECTS ]
140
141 LISTofXFRM-OBJECTS := [ LISTofXFRM-OBJECTS ] XFRM-OBJECT
142
143 XFRM-OBJECT := acquire | expire | SA | policy | aevent | report
144
145
146
148 xfrm is an IP framework for transforming packets (such as encrypting
149 their payloads). This framework is used to implement the IPsec protocol
150 suite (with the state object operating on the Security Association
151 Database, and the policy object operating on the Security Policy Data‐
152 base). It is also used for the IP Payload Compression Protocol and fea‐
153 tures of Mobile IPv6.
154
155
156 ip xfrm state add add new state into xfrm
157 ip xfrm state update update existing state in xfrm
158 ip xfrm state allocspi allocate an SPI value
159 ip xfrm state delete delete existing state in xfrm
160 ip xfrm state get get existing state in xfrm
161 ip xfrm state deleteall delete all existing state in xfrm
162 ip xfrm state list print out the list of existing state in xfrm
163 ip xfrm state flush flush all state in xfrm
164 ip xfrm state count count all existing state in xfrm
165
166
167 ID is specified by a source address, destination address, transform
168 protocol XFRM-PROTO, and/or Security Parameter Index SPI. (For
169 IP Payload Compression, the Compression Parameter Index or CPI
170 is used for SPI.)
171
172
173 XFRM-PROTO
174 specifies a transform protocol: IPsec Encapsulating Security
175 Payload (esp), IPsec Authentication Header (ah), IP Payload Com‐
176 pression (comp), Mobile IPv6 Type 2 Routing Header (route2), or
177 Mobile IPv6 Home Address Option (hao).
178
179
180 ALGO-LIST
181 contains one or more algorithms to use. Each algorithm ALGO is
182 specified by:
183
184 · the algorithm type: encryption (enc), authentication
185 (auth or auth-trunc), authenticated encryption with asso‐
186 ciated data (aead), or compression (comp)
187
188 · the algorithm name ALGO-NAME (see below)
189
190 · (for all except comp) the keying material ALGO-KEYMAT,
191 which may include both a key and a salt or nonce value;
192 refer to the corresponding RFC
193
194 · (for auth-trunc only) the truncation length ALGO-TRUNC-
195 LEN in bits
196
197 · (for aead only) the Integrity Check Value length ALGO-
198 ICV-LEN in bits
199
200 Encryption algorithms include ecb(cipher_null), cbc(des),
201 cbc(des3_ede), cbc(cast5), cbc(blowfish), cbc(aes),
202 cbc(serpent), cbc(camellia), cbc(twofish), and
203 rfc3686(ctr(aes)).
204
205 Authentication algorithms include digest_null, hmac(md5),
206 hmac(sha1), hmac(sha256), hmac(sha384), hmac(sha512),
207 hmac(rmd160), and xcbc(aes).
208
209 Authenticated encryption with associated data (AEAD) algorithms
210 include rfc4106(gcm(aes)), rfc4309(ccm(aes)), and
211 rfc4543(gcm(aes)).
212
213 Compression algorithms include deflate, lzs, and lzjh.
214
215
216 MODE specifies a mode of operation for the transform protocol. IPsec
217 and IP Payload Compression modes are transport, tunnel, and (for
218 IPsec ESP only) Bound End-to-End Tunnel (beet). Mobile IPv6
219 modes are route optimization (ro) and inbound trigger (in_trig‐
220 ger).
221
222
223 FLAG-LIST
224 contains one or more of the following optional flags: noecn, de‐
225 cap-dscp, nopmtudisc, wildrecv, icmp, af-unspec, align4, or esn.
226
227
228 SELECTOR
229 selects the traffic that will be controlled by the policy, based
230 on the source address, the destination address, the network de‐
231 vice, and/or UPSPEC.
232
233
234 UPSPEC selects traffic by protocol. For the tcp, udp, sctp, or dccp
235 protocols, the source and destination port can optionally be
236 specified. For the icmp, ipv6-icmp, or mobility-header proto‐
237 cols, the type and code numbers can optionally be specified.
238 For the gre protocol, the key can optionally be specified as a
239 dotted-quad or number. Other protocols can be selected by name
240 or number PROTO.
241
242
243 LIMIT-LIST
244 sets limits in seconds, bytes, or numbers of packets.
245
246
247 ENCAP encapsulates packets with protocol espinudp, espinudp-nonike, or
248 espintcp, using source port SPORT, destination port DPORT , and
249 original address OADDR.
250
251
252 MARK used to match xfrm policies and states
253
254
255 OUTPUT-MARK
256 used to set the output mark to influence the routing of the
257 packets emitted by the state
258
259
260 IF-ID xfrm interface identifier used to in both xfrm policies and
261 states
262
263
264
265 ip xfrm policy add add a new policy
266 ip xfrm policy update update an existing policy
267 ip xfrm policy delete delete an existing policy
268 ip xfrm policy get get an existing policy
269 ip xfrm policy deleteall delete all existing xfrm policies
270 ip xfrm policy list print out the list of xfrm policies
271 ip xfrm policy flush flush policies
272
273
274 nosock filter (remove) all socket policies from the output.
275
276
277 SELECTOR
278 selects the traffic that will be controlled by the policy, based
279 on the source address, the destination address, the network de‐
280 vice, and/or UPSPEC.
281
282
283 UPSPEC selects traffic by protocol. For the tcp, udp, sctp, or dccp
284 protocols, the source and destination port can optionally be
285 specified. For the icmp, ipv6-icmp, or mobility-header proto‐
286 cols, the type and code numbers can optionally be specified.
287 For the gre protocol, the key can optionally be specified as a
288 dotted-quad or number. Other protocols can be selected by name
289 or number PROTO.
290
291
292 DIR selects the policy direction as in, out, or fwd.
293
294
295 CTX sets the security context.
296
297
298 PTYPE can be main (default) or sub.
299
300
301 ACTION can be allow (default) or block.
302
303
304 PRIORITY
305 is a number that defaults to zero.
306
307
308 FLAG-LIST
309 contains one or both of the following optional flags: local or
310 icmp.
311
312
313 LIMIT-LIST
314 sets limits in seconds, bytes, or numbers of packets.
315
316
317 TMPL-LIST
318 is a template list specified using ID, MODE, REQID, and/or LEV‐
319 EL.
320
321
322 ID is specified by a source address, destination address, transform
323 protocol XFRM-PROTO, and/or Security Parameter Index SPI. (For
324 IP Payload Compression, the Compression Parameter Index or CPI
325 is used for SPI.)
326
327
328 XFRM-PROTO
329 specifies a transform protocol: IPsec Encapsulating Security
330 Payload (esp), IPsec Authentication Header (ah), IP Payload Com‐
331 pression (comp), Mobile IPv6 Type 2 Routing Header (route2), or
332 Mobile IPv6 Home Address Option (hao).
333
334
335 MODE specifies a mode of operation for the transform protocol. IPsec
336 and IP Payload Compression modes are transport, tunnel, and (for
337 IPsec ESP only) Bound End-to-End Tunnel (beet). Mobile IPv6
338 modes are route optimization (ro) and inbound trigger (in_trig‐
339 ger).
340
341
342 LEVEL can be required (default) or use.
343
344
345
346 ip xfrm policy count count existing policies
347
348
349 Use one or more -s options to display more details, including policy
350 hash table information.
351
352
353
354 ip xfrm policy set configure the policy hash table
355
356
357 Security policies whose address prefix lengths are greater than or
358 equal policy hash table thresholds are hashed. Others are stored in the
359 policy_inexact chained list.
360
361
362 LBITS specifies the minimum local address prefix length of policies
363 that are stored in the Security Policy Database hash table.
364
365
366 RBITS specifies the minimum remote address prefix length of policies
367 that are stored in the Security Policy Database hash table.
368
369
370
371 ip xfrm monitor state monitoring for xfrm objects
372
373
374 The xfrm objects to monitor can be optionally specified.
375
376
377 If the all-nsid option is set, the program listens to all network
378 namespaces that have a nsid assigned into the network namespace were
379 the program is running. A prefix is displayed to show the network
380 namespace where the message originates. Example:
381
382 [nsid 1]Flushed state proto 0
383
384
385
387 Manpage revised by David Ward <david.ward@ll.mit.edu>
388 Manpage revised by Christophe Gouault <christophe.gouault@6wind.com>
389 Manpage revised by Nicolas Dichtel <nicolas.dichtel@6wind.com>
390
391
392
393iproute2 20 Dec 2011 IP-XFRM(8)