ipsecalgs(1M)            System Administration Commands            ipsecalgs(1M)

NAME
       ipsecalgs - configure the IPsec protocols and algorithms table

SYNOPSIS
       ipsecalgs

       ipsecalgs -l

       ipsecalgs -s

       ipsecalgs -a [-P protocol-number | -p protocol-name] -k keylen-list
            [-i inc] [-K default-keylen] -b blocklen-list -n alg-names
            -N alg-number -m mech-name [-f] [-s]

       ipsecalgs -P protocol-number -p protocol-name
            [-e exec-mode] [-f] [-s]

       ipsecalgs -r -p protocol-name -n alg-name [-s]

       ipsecalgs -r -p protocol-name -N alg-number [-s]

       ipsecalgs -R -P protocol-number [-s]

       ipsecalgs -R -p protocol-name [-s]

       ipsecalgs -e exec-mode -P protocol-number [-s]

       ipsecalgs -e exec-mode -p protocol-name [-s]

DESCRIPTION
       Use the ipsecalgs command to query and modify the IPsec protocol and
       algorithms stored in /etc/inet/ipsecalgs. You can use the ipsecalgs
       command to do the following:

           o list the currently defined IPsec protocols and algorithms

           o modify IPsec protocol definitions

           o modify IPsec algorithm definitions

       Never edit the /etc/inet/ipsecalgs file manually. The valid IPsec
       protocols and algorithms are described by the ISAKMP DOI. See RFC 2407.
       In the general sense, a Domain of Interpretation (DOI) defines data
       formats, network traffic exchange types, and conventions for naming
       security-relevant information such as security policies or
       cryptographic algorithms and modes. For ipsecalgs, the DOI defines
       naming and numbering conventions for algorithms and the protocols they
       belong to. These numbers are defined by the Internet Assigned Numbers
       Authority (IANA). Each algorithm belongs to a protocol. Algorithm
       information includes supported key lengths, block or MAC length, and
       the name of the cryptographic mechanism corresponding to that
       algorithm. This information is used by the IPsec modules, ipsecesp(7P)
       and ipsecah(7P), to determine the authentication and encryption
       algorithms that can be applied to IPsec traffic.

       The following protocols are predefined:

       IPSEC_PROTO_ESP    Defines the encryption algorithms (transforms) that
                          can be used by IPsec to provide data
                          confidentiality.

       IPSEC_PROTO_AH     Defines the authentication algorithms (transforms)
                          that can be used by IPsec to provide authentication.

       The mechanism name specified by an algorithm entry must correspond to a
       valid Solaris Cryptographic Framework mechanism. You can obtain the
       list of available mechanisms by using the cryptoadm(1M) command.

       Applications can retrieve the supported algorithms and their associated
       protocols by using the functions getipsecalgbyname(3NSL),
       getipsecalgbynum(3NSL), getipsecprotobyname(3NSL) and
       getipsecprotobynum(3NSL).

       Modifications to the protocols and algorithms by default update only
       the contents of the /etc/inet/ipsecalgs configuration file. In order
       for the new definitions to be used for IPsec processing, the changes
       must be communicated to the kernel using the -s option. See NOTES for a
       description of how the ipsecalgs configuration is synchronized with the
       kernel at system restart.

       When invoked without arguments, ipsecalgs displays the list of mappings
       that are currently defined in /etc/inet/ipsecalgs. You can obtain the
       corresponding kernel table of protocols and algorithms by using the -l
       option.

OPTIONS
       ipsecalgs supports the following options:

       -a    Adds an algorithm of the protocol specified by the -P option. The
             algorithm name(s) are specified with the -n option. The supported
             key lengths and block sizes are specified with the -k, -i, and -b
             options.

       -b    Specifies the block or MAC lengths of an algorithm, in bytes. Set
             more than one block length by separating the values with commas.

       -e    Designates the execution mode of cryptographic requests for the
             specified protocol in the absence of a cryptographic hardware
             provider. See cryptoadm(1M). exec-mode can be one of the
             following values:

             sync     Cryptographic requests are processed synchronously in
                      the absence of a cryptographic hardware provider. This
                      execution mode leads to better latency when no
                      cryptographic hardware providers are available.

             async    Cryptographic requests are always processed
                      asynchronously in the absence of a cryptographic
                      hardware provider. This execution mode can improve the
                      resource utilization on a multi-CPU system, but can lead
                      to higher latency when no cryptographic hardware
                      providers are available.

             This option can be specified when defining a new protocol or to
             modify the execution mode of an existing protocol. By default,
             the sync execution mode is used in the absence of a cryptographic
             hardware provider.

       -f    Used with the -a option to force the addition of an algorithm or
             protocol if an entry with the same name or number already exists.

       -i    Specifies the valid key length increments in bits. This option
             must be used when the valid key lengths for an algorithm are
             specified by a range with the -k option.

       -K    Specifies the default key length for an algorithm, in bits. If
             the -K option is not specified, the default key length will be
             determined as follows:

                 o If the supported key lengths are specified by range,
                   the default key length will be the minimum key length.

                 o If the supported key lengths are specified by
                   enumeration, the default key length will be the first
                   listed key length.

       -k    Specifies the supported key lengths for an algorithm, in bits.
             You can designate the supported key lengths by enumeration or by
             range.

             Without the -i option, -k specifies the supported key lengths by
             enumeration. In this case, keylen-list consists of a list of one
             or more key lengths separated by commas, for example:

                 128,192,256

             The listed key lengths need not be increasing, and the first
             listed key length will be used as the default key length for that
             algorithm unless the -K option is used.

             With the -i option, -k specifies the range of supported key
             lengths for the algorithm. The minimum and maximum key lengths
             must be separated by a dash ('-') character, for example:

                 32-448

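The -k, -i and -K rules above, written out as an added example in POSIX sh (not part of the man page; the function names keylen_ok and default_keylen are hypothetical helpers): keylen_ok tells whether a given key length is acceptable for a keylen-list with or without an increment, and default_keylen returns the length that applies when -K is absent.

```shell
# Added example, not from the man page: the -k/-i/-K key-length rules as
# POSIX sh functions (keylen_ok and default_keylen are hypothetical names).

# keylen_ok KEYLEN_LIST INC KL
#   returns 0 if KL (bits) is a valid key length for the -k spec KEYLEN_LIST
#   (INC is the -i increment, or "" when -i is not given), 1 if KL is not
#   valid, and 2 if the spec itself is malformed: a range requires -i and an
#   enumeration must not be combined with -i.
keylen_ok() {
    spec=$1 inc=$2 kl=$3
    case $spec in
    *-*)
        # range "min-max": valid lengths are min, min+inc, ..., up to max
        [ -n "$inc" ] && [ "$inc" -gt 0 ] 2>/dev/null || return 2
        min=${spec%-*} max=${spec#*-}
        [ "$kl" -ge "$min" ] && [ "$kl" -le "$max" ] &&
            [ $(( (kl - min) % inc )) -eq 0 ]
        ;;
    *)
        # enumeration "a,b,c": KL must appear in the list (order is free)
        [ -z "$inc" ] || return 2
        ( IFS=,
          for k in $spec; do
              [ "$k" -eq "$kl" ] && exit 0
          done
          exit 1 )
        ;;
    esac
}

# default_keylen KEYLEN_LIST [DEFAULT_KEYLEN]
#   prints the default key length: the -K value when given, otherwise the
#   range minimum or the first enumerated length (the list need not be sorted)
default_keylen() {
    if [ -n "$2" ]; then
        echo "$2"
    else
        case $1 in
        *-*) echo "${1%-*}" ;;
        *)   echo "${1%%,*}" ;;
        esac
    fi
}

# constructed sample checks: the Blowfish range from EXAMPLES and an AES-style list
keylen_ok 32-448 8 128      && echo "128 is valid for 32-448 with -i 8"
keylen_ok 32-448 8 130      || echo "130 is not valid for 32-448 with -i 8"
keylen_ok 128,192,256 "" 64 || echo "64 is not in 128,192,256"
echo "default key length for 256,128 is $(default_keylen 256,128)"
```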
       -l    Displays the kernel algorithm tables.

       -m    Specifies the name of the cryptographic framework mechanism
             corresponding to the algorithm. Cryptographic framework
             mechanisms are described in the cryptoadm(1M) man page.

       -N    Specifies an algorithm number. The algorithm number for a
             protocol must be unique. IANA manages the algorithm numbers. See
             RFC 2407.

       -n    Specifies one or more names for an algorithm. When adding an
             algorithm with the -a option, alg-names contains a string or a
             comma-separated list of strings, for example:

                 des-cbc,des

             When used with the -r option to remove an algorithm, alg-names
             contains one of the valid algorithm names.

       -P    Adds a protocol of the number specified by protocol-number with
             the name specified by the -p option. This option is also used to
             specify an IPsec protocol when used with the -a and the -R
             options. Protocol numbers are managed by the IANA. See RFC 2407.

       -p    Specifies the name of the IPsec protocol.

       -R    Removes an IPsec protocol from the algorithm table. The protocol
             can be specified by number by using the -P option or by name by
             using the -p option. The algorithms associated with the protocol
             are removed as well.

       -r    Removes the mapping for an algorithm. The algorithm can be
             specified by algorithm number using the -N option or by algorithm
             name using the -n option.

       -s    Synchronizes the kernel with the contents of /etc/inet/ipsecalgs.
             The contents of /etc/inet/ipsecalgs are always updated, but new
             information is not passed on to the kernel unless the -s is used.
             See NOTES for a description of how the ipsecalgs configuration is
             synchronized with the kernel at system restart.

EXAMPLES
       Example 1 Adding a Protocol for IPsec Encryption

       The following example shows how to add a protocol for IPsec encryption:

         example# ipsecalgs -P 3 -p "IPSEC_PROTO_ESP"

       Example 2 Adding the Blowfish Algorithm

       The following example shows how to add the Blowfish algorithm, with
       key lengths from 32 to 448 bits in 8-bit steps and a 128-bit default:

         example# ipsecalgs -a -P 3 -k 32-448 -K 128 -i 8 -n "blowfish" \
              -b 8 -N 7 -m CKM_BF_CBC

       Example 3 Updating the Kernel Algorithm Table

       The following example updates the kernel algorithm table with the
       currently defined protocol and algorithm definitions:

         example# svcadm refresh ipsecalgs

FILES
       /etc/inet/ipsecalgs

           File that contains the configured IPsec protocols and algorithm
           definitions. Never edit this file manually.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │       ATTRIBUTE TYPE        │       ATTRIBUTE VALUE       │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWcsu                      │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Evolving                     │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
       cryptoadm(1M), ipsecconf(1M), ipseckey(1M), svcadm(1M),
       getipsecalgbyname(3NSL), getipsecprotobyname(3NSL), ike.config(4),
       attributes(5), smf(5), ipsecah(7P), ipsecesp(7P)

       Piper, Derrell, RFC 2407, The Internet IP Security Domain of
       Interpretation for ISAKMP. Network Working Group. November 1998.

NOTES
       When protocol or algorithm definitions are removed or altered,
       services that rely upon these definitions can become unavailable. For
       example, if the IPSEC_PROTO_ESP protocol is removed, then IPsec cannot
       encrypt and decrypt packets.

       Synchronization of the ipsecalgs configuration with the kernel at
       system startup is provided by the following smf(5) service:

         svc:/network/ipsec/ipsecalgs:default

       The IPsec services are delivered as follows:

         svc:/network/ipsec/policy:default (enabled)
         svc:/network/ipsec/ipsecalgs:default (enabled)
         svc:/network/ipsec/manual-key:default (disabled)
         svc:/network/ipsec/ike:default (disabled)

       Services that are delivered disabled are delivered that way because the
       system administrator must create configuration files for those services
       before enabling them. See ipseckey(1M) and ike.config(4). The default
       policy for the policy service is to allow all traffic to pass without
       IPsec protection. See ipsecconf(1M).

       The correct administrative procedure is to create the configuration
       file for each service, then enable each service using svcadm(1M), as
       shown in the following example:

         example# svcadm enable ipsecalgs

       The service's status can be queried using the svcs(1) command.

       If the ipsecalgs configuration is modified, the new configuration
       should be resynchronized as follows:

         example# svcadm refresh ipsecalgs

       Administrative actions on this service, such as enabling, disabling,
       refreshing, and requesting restart, can be performed using svcadm(1M).
       A user who has been assigned the authorization shown below can perform
       these actions:

         solaris.smf.manage.ipsec

       See auths(1), user_attr(4), rbac(5).

       The ipsecalgs smf(5) service does not have any user-configurable
       properties.

       The smf(5) framework records any errors in the service-specific log
       file. Use any of the following commands to examine the logfile
       property:

         example# svcs -l ipsecalgs
         example# svcprop ipsecalgs
         example# svccfg -s ipsecalgs listprop

       This command requires the sys_ip_config privilege to operate and thus
       can run in the global zone and in exclusive-IP zones. All shared-IP
       zones share the same available set of algorithms; however, you can use
       ipsecconf(1M) to set up system policy that uses differing algorithms
       for various shared-IP zones. All exclusive-IP zones have their own set
       of algorithms.

SunOS 5.11                       5 Jul 2007                       ipsecalgs(1M)