1IP-XFRM(8)                           Linux                          IP-XFRM(8)
2
3
4

NAME

6       ip-xfrm - transform configuration
7

SYNOPSIS

9       ip [ OPTIONS ] xfrm  { COMMAND | help }
10
11
12       ip xfrm XFRM-OBJECT { COMMAND | help }
13
14
15       XFRM-OBJECT := state | policy | monitor
16
17
18       ip xfrm state { add | update } ID [ ALGO-LIST ] [ mode MODE ] [ mark
19               MARK [ mask MASK ] ] [ reqid REQID ] [ seq SEQ ] [ replay-win‐
20               dow SIZE ] [ replay-seq SEQ ] [ replay-oseq SEQ ] [ replay-seq-
21               hi SEQ ] [ replay-oseq-hi SEQ ] [ flag FLAG-LIST ] [ sel SELEC‐
22               TOR ] [ LIMIT-LIST ] [ encap ENCAP ] [ coa ADDR[/PLEN] ] [ ctx
23               CTX ] [ extra-flag EXTRA-FLAG-LIST ] [ output-mark OUTPUT-MARK
24               [ mask MASK ] ] [ if_id IF-ID ] [ tfcpad LENGTH ]
25
26       ip xfrm state allocspi ID [ mode MODE ] [ mark MARK [ mask MASK ] ] [
27               reqid REQID ] [ seq SEQ ] [ min SPI max SPI ]
28
29       ip xfrm state { delete | get } ID [ mark MARK [ mask MASK ] ]
30
31       ip [ -4 | -6 ] xfrm state deleteall [ ID ] [ mode MODE ] [ reqid REQID
32               ] [ flag FLAG-LIST ]
33
34       ip [ -4 | -6 ] xfrm state list [ ID ] [ nokeys ] [ mode MODE ] [ reqid
35               REQID ] [ flag FLAG-LIST ]
36
37       ip xfrm state flush [ proto XFRM-PROTO ]
38
39       ip xfrm state count
40
41       ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM-PROTO ] [ spi SPI ]
42
43       XFRM-PROTO := esp | ah | comp | route2 | hao
44
45       ALGO-LIST := [ ALGO-LIST ] ALGO
46
47       ALGO := { enc | auth } ALGO-NAME ALGO-KEYMAT |
48               auth-trunc ALGO-NAME ALGO-KEYMAT ALGO-TRUNC-LEN |
49               aead ALGO-NAME ALGO-KEYMAT ALGO-ICV-LEN |
50               comp ALGO-NAME
51
52       MODE := transport | tunnel | beet | ro | in_trigger
53
54       FLAG-LIST := [ FLAG-LIST ] FLAG
55
56       FLAG := noecn | decap-dscp | nopmtudisc | wildrecv | icmp | af-unspec |
57               align4 | esn
58
59       SELECTOR := [ src ADDR[/PLEN] ] [ dst ADDR[/PLEN] ] [ dev DEV ]
60               [ UPSPEC ]
61
62       UPSPEC := proto { PROTO |
63               { tcp | udp | sctp | dccp } [ sport PORT ] [ dport PORT ] |
64               { icmp | ipv6-icmp | mobility-header } [ type NUMBER ] [ code
65               NUMBER ] |
66               gre [ key { DOTTED-QUAD | NUMBER } ] }
67
68       LIMIT-LIST := [ LIMIT-LIST ] limit LIMIT
69
70       LIMIT := { time-soft | time-hard | time-use-soft | time-use-hard } SEC‐
71               ONDS |
72               { byte-soft | byte-hard } SIZE |
73               { packet-soft | packet-hard } COUNT
74
75       ENCAP := { espinudp | espinudp-nonike | espintcp } SPORT DPORT OADDR
76
77       EXTRA-FLAG-LIST := [ EXTRA-FLAG-LIST ] EXTRA-FLAG
78
79       EXTRA-FLAG := dont-encap-dscp | oseq-may-wrap
80
81       ip xfrm policy { add | update } SELECTOR dir DIR [ ctx CTX ] [ mark
82               MARK [ mask MASK ] ] [ index INDEX ] [ ptype PTYPE ] [ action
83               ACTION ] [ priority PRIORITY ] [ flag FLAG-LIST ] [ if_id IF-ID
84               ] [ LIMIT-LIST ] [ TMPL-LIST ]
85
86       ip xfrm policy { delete | get } { SELECTOR | index INDEX } dir DIR [
87               ctx CTX ] [ mark MARK [ mask MASK ] ] [ ptype PTYPE ] [ if_id
88               IF-ID ]
89
90       ip [ -4 | -6 ] xfrm policy { deleteall | list } [ nosock ] [ SELECTOR ]
91               [ dir DIR ] [ index INDEX ] [ ptype PTYPE ] [ action ACTION ] [
92               priority PRIORITY ] [ flag FLAG-LIST]
93
94       ip xfrm policy flush [ ptype PTYPE ]
95
96       ip xfrm policy count
97
98       ip xfrm policy set [ hthresh4 LBITS RBITS ] [ hthresh6 LBITS RBITS ]
99
100       SELECTOR := [ src ADDR[/PLEN] ] [ dst ADDR[/PLEN] ] [ dev DEV ] [ UP‐
101               SPEC ]
102
103       UPSPEC := proto { PROTO |
104               { tcp | udp | sctp | dccp } [ sport PORT ] [ dport PORT ] |
105               { icmp | ipv6-icmp | mobility-header } [ type NUMBER ] [ code
106               NUMBER ] |
107               gre [ key { DOTTED-QUAD | NUMBER } ] }
108
109       DIR := in | out | fwd
110
111       PTYPE := main | sub
112
113       ACTION := allow | block
114
115       FLAG-LIST := [ FLAG-LIST ] FLAG
116
117       FLAG := localok | icmp
118
119       LIMIT-LIST := [ LIMIT-LIST ] limit LIMIT
120
121       LIMIT := { time-soft | time-hard | time-use-soft | time-use-hard } SEC‐
122               ONDS |
123               { byte-soft | byte-hard } SIZE |
124               { packet-soft | packet-hard } COUNT
125
126       TMPL-LIST := [ TMPL-LIST ] tmpl TMPL
127
128       TMPL := ID [ mode MODE ] [ reqid REQID ] [ level LEVEL ]
129
130       ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM-PROTO ] [ spi SPI ]
131
132       XFRM-PROTO := esp | ah | comp | route2 | hao
133
134       MODE := transport | tunnel | beet | ro | in_trigger
135
136       LEVEL := required | use
137
138       ip xfrm monitor [ all-nsid ] [ nokeys ] [ all
139                | LISTofXFRM-OBJECTS ]
140
141       LISTofXFRM-OBJECTS := [ LISTofXFRM-OBJECTS ] XFRM-OBJECT
142
143       XFRM-OBJECT := acquire | expire | SA | policy | aevent | report
144
145
146

DESCRIPTION

148       xfrm  is  an  IP framework for transforming packets (such as encrypting
149       their payloads). This framework is used to implement the IPsec protocol
150       suite  (with  the  state  object  operating on the Security Association
151       Database, and the policy object operating on the Security Policy  Data‐
152       base). It is also used for the IP Payload Compression Protocol and fea‐
153       tures of Mobile IPv6.
154
155
156       ip xfrm state add         add new state into xfrm
157       ip xfrm state update      update existing state in xfrm
158       ip xfrm state allocspi    allocate an SPI value
159       ip xfrm state delete      delete existing state in xfrm
160       ip xfrm state get         get existing state in xfrm
161       ip xfrm state deleteall   delete all existing state in xfrm
162       ip xfrm state list        print out the list of existing state in xfrm
                                  (keying material is printed unless nokeys is
                                  given)
163       ip xfrm state flush       flush all state in xfrm
164       ip xfrm state count       count all existing state in xfrm
165
166
167       ID     is specified by a source address, destination address, transform
168              protocol  XFRM-PROTO, and/or Security Parameter Index SPI.  (For
169              IP Payload Compression, the Compression Parameter Index  or  CPI
170              is used for SPI.)
171
172
173       XFRM-PROTO
174              specifies  a  transform  protocol:  IPsec Encapsulating Security
175              Payload (esp), IPsec Authentication Header (ah), IP Payload Com‐
176              pression  (comp), Mobile IPv6 Type 2 Routing Header (route2), or
177              Mobile IPv6 Home Address Option (hao).
178
179
180       ALGO-LIST
181              contains one or more algorithms to use. Each algorithm  ALGO  is
182              specified by:
183
184              •      the  algorithm  type:  encryption  (enc),  authentication
185                     (auth or auth-trunc), authenticated encryption with asso‐
186                     ciated data (aead), or compression (comp)
187
188              •      the algorithm name ALGO-NAME (see below)
189
190              •      (for  all  except  comp) the keying material ALGO-KEYMAT,
191                     which may include both a key and a salt or  nonce  value;
192                     refer to the corresponding RFC.  Keying material given on
                        the command line is visible to other local users  through
                        process listings and may be recorded in shell history, so
                        prefer a key-management daemon (IKE) for production use.
193
194              •      (for  auth-trunc  only) the truncation length ALGO-TRUNC-
195                     LEN in bits
196
197              •      (for aead only) the Integrity Check  Value  length  ALGO-
198                     ICV-LEN in bits
199
200              Encryption   algorithms   include   ecb(cipher_null),  cbc(des),
201              cbc(des3_ede),     cbc(cast5),     cbc(blowfish),      cbc(aes),
202              cbc(serpent),       cbc(camellia),       cbc(twofish),       and
203              rfc3686(ctr(aes)).
204
205              Authentication  algorithms   include   digest_null,   hmac(md5),
206              hmac(sha1),     hmac(sha256),     hmac(sha384),    hmac(sha512),
207              hmac(rmd160), and xcbc(aes).
208
209              Authenticated encryption with associated data (AEAD)  algorithms
210              include      rfc4106(gcm(aes)),      rfc4309(ccm(aes)),      and
211              rfc4543(gcm(aes)).
212
213              Compression algorithms include deflate, lzs, and lzjh.

                 Note that ecb(cipher_null) and digest_null provide no  confiden‐
                 tiality or integrity at all, and legacy algorithms such  as  cbc
                 (des) and hmac(md5) are considered weak; they  are  kept  for
                 testing and interoperability and should not be used  to  protect
                 production traffic.
214
215
216       MODE   specifies a mode of operation for the transform protocol.  IPsec
217              and IP Payload Compression modes are transport, tunnel, and (for
218              IPsec ESP only) Bound End-to-End  Tunnel  (beet).   Mobile  IPv6
219              modes  are route optimization (ro) and inbound trigger (in_trig‐
220              ger).
221
222
223       FLAG-LIST
224              contains one or more of the following optional flags: noecn, de‐
225              cap-dscp, nopmtudisc, wildrecv, icmp, af-unspec, align4, or esn.
226
227
228       SELECTOR
229              selects the traffic that will be controlled by the policy, based
230              on the source address, the destination address, the network  de‐
231              vice, and/or UPSPEC.
232
233
234       UPSPEC selects  traffic  by  protocol.  For the tcp, udp, sctp, or dccp
235              protocols, the source and destination  port  can  optionally  be
236              specified.   For  the icmp, ipv6-icmp, or mobility-header proto‐
237              cols, the type and code numbers  can  optionally  be  specified.
238              For  the  gre protocol, the key can optionally be specified as a
239              dotted-quad or number.  Other protocols can be selected by  name
240              or number PROTO.
241
242
243       LIMIT-LIST
244              sets limits in seconds, bytes, or numbers of packets.
245
246
247       ENCAP  encapsulates packets with protocol espinudp, espinudp-nonike, or
248              espintcp, using source port SPORT, destination port DPORT ,  and
249              original address OADDR.
250
251
252       MARK   used to match xfrm policies and states
253
254
255       OUTPUT-MARK
256              used  to  set  the  output  mark to influence the routing of the
257              packets emitted by the state
258
259
260       IF-ID  xfrm interface identifier, used in both xfrm policies and
261              states
262
263
264
265       ip xfrm policy add         add a new policy
266       ip xfrm policy update      update an existing policy
267       ip xfrm policy delete      delete an existing policy
268       ip xfrm policy get         get an existing policy
269       ip xfrm policy deleteall   delete all existing xfrm policies
270       ip xfrm policy list        print out the list of xfrm policies
271       ip xfrm policy flush       flush policies
272
273
274       nosock filters (removes) all per-socket policies from the output.
275
276
277       SELECTOR
278              selects the traffic that will be controlled by the policy, based
279              on the source address, the destination address, the network  de‐
280              vice, and/or UPSPEC.
281
282
283       UPSPEC selects  traffic  by  protocol.  For the tcp, udp, sctp, or dccp
284              protocols, the source and destination  port  can  optionally  be
285              specified.   For  the icmp, ipv6-icmp, or mobility-header proto‐
286              cols, the type and code numbers  can  optionally  be  specified.
287              For  the  gre protocol, the key can optionally be specified as a
288              dotted-quad or number.  Other protocols can be selected by  name
289              or number PROTO.
290
291
292       DIR    selects the policy direction as in, out, or fwd.
293
294
295       CTX    sets the security context (a Linux security module  label,  e.g.
                 SELinux, attached to the policy; only meaningful when such a mod‐
                 ule is active).
296
297
298       PTYPE  can be main (default) or sub.
299
300
301       ACTION can be allow (default) or block.
302
303
304       PRIORITY
305              is a number that defaults to zero; when several policies  match,
                 the one with the lowest priority value takes precedence.
306
307
308       FLAG-LIST
309              contains one or both of the following optional flags: localok or
310              icmp.
311
312
313       LIMIT-LIST
314              sets limits in seconds, bytes, or numbers of packets.
315
316
317       TMPL-LIST
318              is a template list specified using ID, MODE, REQID, and/or  LEV‐
319              EL.
320
321
322       ID     is specified by a source address, destination address, transform
323              protocol XFRM-PROTO, and/or Security Parameter Index SPI.   (For
324              IP  Payload  Compression, the Compression Parameter Index or CPI
325              is used for SPI.)
326
327
328       XFRM-PROTO
329              specifies a transform  protocol:  IPsec  Encapsulating  Security
330              Payload (esp), IPsec Authentication Header (ah), IP Payload Com‐
331              pression (comp), Mobile IPv6 Type 2 Routing Header (route2),  or
332              Mobile IPv6 Home Address Option (hao).
333
334
335       MODE   specifies  a mode of operation for the transform protocol. IPsec
336              and IP Payload Compression modes are transport, tunnel, and (for
337              IPsec  ESP  only)  Bound  End-to-End Tunnel (beet).  Mobile IPv6
338              modes are route optimization (ro) and inbound trigger  (in_trig‐
339              ger).
340
341
342       LEVEL  can be required (default) or use.  With required, traffic match‐
                 ing the policy is not passed until a state  matching  the  tem‐
                 plate exists.  With use, the template is optional: if no  match‐
                 ing state exists the traffic is passed without that  transform,
                 so use should be chosen deliberately.
343
344
345
346       ip xfrm policy count   count existing policies
347
348
349       Use  one  or  more -s options to display more details, including policy
350       hash table information.
351
352
353
354       ip xfrm policy set   configure the policy hash table
355
356
357       Security policies whose address prefix lengths are greater than or
358       equal to the policy hash table thresholds are hashed. Others are stored
359       in the policy_inexact chained list.
360
361
362       LBITS  specifies the minimum local address prefix  length  of  policies
363              that are stored in the Security Policy Database hash table.
364
365
366       RBITS  specifies  the  minimum remote address prefix length of policies
367              that are stored in the Security Policy Database hash table.
368
369
370
371       ip xfrm monitor    state monitoring for xfrm objects
372
373
374       The xfrm objects to monitor can be optionally specified.
375
376
377       If the all-nsid option is set, the program listens to all network name‐
378       spaces that have an nsid assigned in the network namespace  where  the
379       program is running.  A prefix is displayed to show  the  network  name‐
380       space where the message originates. Example:
381
382         [nsid 1]Flushed state proto 0
383
384
385

AUTHOR

387       Manpage revised by David Ward <david.ward@ll.mit.edu>
388       Manpage revised by Christophe Gouault <christophe.gouault@6wind.com>
389       Manpage revised by Nicolas Dichtel <nicolas.dichtel@6wind.com>
390
391
392
393iproute2                          20 Dec 2011                       IP-XFRM(8)