1pf_key(7P) Protocols pf_key(7P)
2
3
4
6 pf_key - Security association database interface
7
9 #include <sys/types.h>
10 #include <sys/socket.h>
11 #include <net/pfkeyv2.h>
12
13
14
15 int socket(PF_KEY,SOCK_RAW,PF_KEY_V2);
16
17
19 Keying information for IPsec security services is maintained in secu‐
20 rity association databases (SADBs). The security associations (SAs)
21 are used to protect both inbound and outbound packets.
22
23
24 A user process (or possibly multiple co-operating processes) maintains
25 SADBs by sending messages over a special kind of socket. This is anal‐
26 ogous to the method described in route(7P). Only a superuser may access
27 an SADB.
28
29
30 SunOS applications that use PF_KEY include ipseckey(1M) and
31 in.iked(1M).
32
33
34 The operating system may spontaneously send pf_key messages to listen‐
35 ing processes, such as a request for a new SA for an outbound datagram
36 or to report the expiration of an existing SA.
37
38
39 One opens the channel for passing SADB control messages by using the
40 socket call shown in the section above. More than one key socket can
41 be open per system.
42
43
44 Messages are formed by a small base header, followed by zero or more
45 extension messages, some of which require additional data following
46 them. The base message and all extensions must be eight-byte aligned.
47 An example message is the GET message, which requires the base header,
48 the SA extension, and the ADDRESS_DST extension.
49
50 Messages
51 Messages include:
52
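/*
 * PF_KEY message types, carried in sadb_msg_type. The numeric values are
 * supplied by <net/pfkeyv2.h>; only the names and their meaning are listed
 * here. SADB_X_* names are system-specific extensions to RFC 2367.
 */
#define SADB_GETSPI             /* Get a new SPI value from the system. */
#define SADB_UPDATE             /* Update an SA. */
#define SADB_ADD                /* Add a fully-formed SA. */
#define SADB_DELETE             /* Delete an SA. */
#define SADB_GET                /* Get an SA */
#define SADB_ACQUIRE            /* Kernel needs a new SA. */
#define SADB_REGISTER           /* Regis. to receive ACQUIRE msgs. */
#define SADB_EXPIRE             /* SA has expired. */
#define SADB_FLUSH              /* Flush all SAs. */
#define SADB_DUMP               /* Get all SAs. (Unreliable) */
#define SADB_X_PROMISC          /* Listen promiscuously */
#define SADB_X_INVERSE_ACQUIRE  /* Query kernel policy, get an ACQUIRE in return. */
#define SADB_X_UPDATEPAIR       /* Update an SA and its pair SA */
#define SADB_X_DELPAIR          /* Delete an SA pair. */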
68
69
70
71 The base message header consists of:
72
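/*
 * Base header that starts every PF_KEY message. On failure the kernel
 * returns only this header: sadb_msg_errno carries the errno and, for
 * EINVAL, sadb_x_msg_diagnostic carries an SADB_X_DIAGNOSTIC_* code.
 * Senders zero sadb_msg_reserved; replies reuse it for the diagnostic.
 */
struct sadb_msg {
    uint8_t sadb_msg_version;       /* Set to PF_KEY_V2, for compat. */
    uint8_t sadb_msg_type;          /* Msg. type (SADB_*) */
    uint8_t sadb_msg_errno;         /* Why message failed */
    uint8_t sadb_msg_satype;        /* Which security service */
    uint16_t sadb_msg_len;          /* Length in 8-byte units */
    uint16_t sadb_msg_reserved;     /* Zero out */
#define sadb_x_msg_diagnostic sadb_msg_reserved
                                    /* Extended diagnostics for errors */
    uint32_t sadb_msg_seq;          /* For msg. originator */
    uint32_t sadb_msg_pid;          /* ID originator */
};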
85
86
87
88 Extension types include:
89
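/*
 * Extension types, carried in sadb_ext_type (0 is reserved). Values are
 * supplied by <net/pfkeyv2.h>. Every extension begins with the generic
 * length/type header (struct sadb_ext) and is eight-byte aligned.
 */
#define SADB_EXT_SA                     /* SA info */
#define SADB_EXT_LIFETIME_HARD          /* Hard lifetime */
#define SADB_EXT_LIFETIME_SOFT          /* Soft lifetime */
#define SADB_EXT_ADDRESS_SRC            /* Source address */
#define SADB_EXT_ADDRESS_DST            /* Destination address */
#define SADB_EXT_ADDRESS_PROXY          /* Proxy address - DEPRECATED */
#define SADB_EXT_KEY_AUTH               /* Authen. key */
#define SADB_EXT_KEY_ENCRYPT            /* Encryption key */
#define SADB_EXT_IDENTITY_SRC           /* Source certif. ID */
#define SADB_EXT_IDENTITY_DST           /* Destination certif. ID */
#define SADB_EXT_SENSITIVITY            /* Sensitivity info */
#define SADB_EXT_PROPOSAL               /* Security proposal */
#define SADB_EXT_SUPPORTED_AUTH         /* Supported authen. algo's */
#define SADB_EXT_SUPPORTED_ENCRYPT      /* Supported encryption algo's */
#define SADB_EXT_SPIRANGE               /* Range of possible SPIs */
#define SADB_X_EXT_EREG                 /* Reg. for extended ACQUIRE */
#define SADB_X_EXT_EPROP                /* Extended ACQUIRE proposals */
#define SADB_X_EXT_KM_COOKIE            /* Indicates which KM derived SA. */
#define SADB_X_EXT_ADDRESS_NATT_LOC     /* NAT-Traversal local (my public) */
#define SADB_X_EXT_ADDRESS_NATT_REM     /* NAT-T remote (peer's private) */
#define SADB_X_EXT_ADDRESS_INNER_SRC    /* Tunnel-mode inner source */
#define SADB_X_EXT_ADDRESS_INNER_DST    /* Tunnel-mode inner dest */
#define SADB_X_EXT_PAIR                 /* SA pair extension. */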
113
114
115
116 Security Association Information Extension flags:
117
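/*
 * Bit flags for sadb_sa_flags in the SA extension. The two RFC 2367 flags
 * occupy the low bits; the SADB_X_* flags are system-specific and are
 * allocated downward from the top of the 32-bit word.
 */
#define SADB_SAFLAGS_PFS        0x1         /* Perfect forward secrecy? */
#define SADB_SAFLAGS_NOREPLAY   0x2         /* Replay field NOT PRESENT. */
#define SADB_X_SAFLAGS_USED     0x80000000  /* SA used/not used */
#define SADB_X_SAFLAGS_UNIQUE   0x40000000  /* SA unique/reusable */
#define SADB_X_SAFLAGS_AALG1    0x20000000  /* Auth-alg specif. flag 1 */
#define SADB_X_SAFLAGS_AALG2    0x10000000  /* Auth-alg specif. flag 2 */
#define SADB_X_SAFLAGS_EALG1    0x8000000   /* Encr-alg specif. flag 1 */
#define SADB_X_SAFLAGS_EALG2    0x4000000   /* Encr-alg specif. flag 2 */
#define SADB_X_SAFLAGS_KM1      0x2000000   /* Key mgmt. specif. flag 1 */
#define SADB_X_SAFLAGS_KM2      0x1000000   /* Key mgmt. specif. flag 2 */
#define SADB_X_SAFLAGS_KM3      0x800000    /* Key mgmt. specif. flag 3 */
#define SADB_X_SAFLAGS_KM4      0x400000    /* Key mgmt. specif. flag 4 */
#define SADB_X_SAFLAGS_KRES1    0x200000    /* Reserved by the kernel */
#define SADB_X_SAFLAGS_NATT_LOC 0x100000    /* this has a natted srcSA */
#define SADB_X_SAFLAGS_NATT_REM 0x80000     /* this has a natted dstSA */
#define SADB_X_SAFLAGS_KRES2    0x40000     /* Reserved by the kernel */
#define SADB_X_SAFLAGS_TUNNEL   0x20000     /* tunnel mode */
#define SADB_X_SAFLAGS_PAIRED   0x10000     /* inbound/outbound pair */
#define SADB_X_SAFLAGS_OUTBOUND 0x8000      /* SA direction bit */
#define SADB_X_SAFLAGS_INBOUND  0x4000      /* SA direction bit */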
138
139
140
141 Extension headers include:
142
143 Generic Extension Header
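/*
 * Generic Extension Header. Every extension starts with these two fields,
 * so a reader can walk a message by len/type before knowing the exact type.
 */
struct sadb_ext {
    uint16_t sadb_ext_len;      /* In 64-bit words, inclusive */
    uint16_t sadb_ext_type;     /* 0 is reserved; SADB_EXT_* / SADB_X_EXT_* */
};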
148
149
150 Security Association Information Extension
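/*
 * Security Association Information Extension (SADB_EXT_SA). The first two
 * fields mirror struct sadb_ext. Some messages (GET, DELETE, GETSPI reply)
 * use only sadb_sa_spi; this is written SA(*) in the behavior section.
 */
struct sadb_sa {
    uint16_t sadb_sa_len;
    uint16_t sadb_sa_exttype;   /* ASSOCIATION */
    uint32_t sadb_sa_spi;
    uint8_t sadb_sa_replay;     /* absent when SADB_SAFLAGS_NOREPLAY is set */
    uint8_t sadb_sa_state;
    uint8_t sadb_sa_auth;
    uint8_t sadb_sa_encrypt;
    uint32_t sadb_sa_flags;     /* SADB_SAFLAGS_* | SADB_X_SAFLAGS_* */
};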
161
162
163 Lifetime Extension
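/*
 * Lifetime Extension (SADB_EXT_LIFETIME_HARD / _SOFT, and CURRENT in
 * replies). Time-based limits are not enforced with exact second
 * precision, since kernel load affects SA aging (see NOTES).
 */
struct sadb_lifetime {
    uint16_t sadb_lifetime_len;
    uint16_t sadb_lifetime_exttype;     /* SOFT, HARD, CURRENT */
    uint32_t sadb_lifetime_allocations;
    uint64_t sadb_lifetime_bytes;
    uint64_t sadb_lifetime_addtime;
    uint64_t sadb_lifetime_usetime;
};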
172
173
174 Address Extension
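/*
 * Address Extension. Used for SRC/DST outer-header selectors, NAT-T local
 * and remote endpoints, and INNER_SRC/INNER_DST tunnel-mode selectors.
 * A Tunnel Mode SA carries IPPROTO_ENCAP or IPPROTO_IPV6 as the protocol
 * selector of its outer-header addresses.
 */
struct sadb_address {
    uint16_t sadb_address_len;
    uint16_t sadb_address_exttype;      /* SRC, DST, NATT_*, INNER_* */
    uint8_t sadb_address_proto;         /* Proto for ports... */
    uint8_t sadb_address_prefixlen;     /* Prefix length for INNER_*. */
    uint16_t sadb_address_reserved;     /* Padding */
    /* Followed by a sockaddr structure. */
};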
184
185
186 Keying Material Extension
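/*
 * Keying Material Extension (SADB_EXT_KEY_AUTH / SADB_EXT_KEY_ENCRYPT).
 * Carries raw key bytes, which is why only a superuser may open a PF_KEY
 * socket. Weak keys are rejected with EINVAL and an SADB_X_DIAGNOSTIC_WEAK_*
 * diagnostic.
 */
struct sadb_key {
    uint16_t sadb_key_len;
    uint16_t sadb_key_exttype;  /* AUTH, ENCRYPT */
    uint16_t sadb_key_bits;     /* presumably key length in bits; cf. sadb_alg_minbits */
    uint16_t sadb_key_reserved;
    /* Followed by actual key(s) in canonical (outbound proc.) order. */
};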
195
196
197 Identity Extension
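/*
 * Identity Extension (SADB_EXT_IDENTITY_SRC / _DST). The identity string,
 * when present, follows the fixed header and is NUL-terminated.
 */
struct sadb_ident {
    uint16_t sadb_ident_len;
    uint16_t sadb_ident_exttype;    /* SRC, DST, PROXY */
    uint16_t sadb_ident_type;       /* FQDN, USER_FQDN, etc. */
    uint16_t sadb_ident_reserved;   /* Padding */
    uint64_t sadb_ident_id;         /* For userid, etc. */
    /* Followed by an identity null-terminated C string if present. */
};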
206
207
208 Sensitivity/Integrity Extension
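/*
 * Sensitivity/Integrity Extension (SADB_EXT_SENSITIVITY). The two bitmap
 * lengths are counted in 64-bit words and size the trailing arrays.
 */
struct sadb_sens {
    uint16_t sadb_sens_len;
    uint16_t sadb_sens_exttype;     /* SENSITIVITY */
    uint32_t sadb_sens_dpd;
    uint8_t sadb_sens_sens_level;
    uint8_t sadb_sens_sens_len;     /* 64-bit words */
    uint8_t sadb_sens_integ_level;
    uint8_t sadb_sens_integ_len;    /* 64-bit words */
    uint32_t sadb_sens_reserved;
    /*
     * followed by two uint64_t arrays
     * uint64_t sadb_sens_bitmap[sens_bitmap_len];
     * uint64_t integ_bitmap[integ_bitmap_len];
     */
};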
224
225
226 Proposal Extension
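/*
 * Proposal Extension, sent by the kernel in ACQUIRE (SADB_EXT_PROPOSAL,
 * followed by sadb_comb entries) or extended ACQUIRE (SADB_X_EXT_EPROP,
 * followed by sadb_x_ecomb entries).
 */
struct sadb_prop {
    uint16_t sadb_prop_len;
    uint16_t sadb_prop_exttype;     /* PROPOSAL, X_EPROP */
    uint8_t sadb_prop_replay;
    uint8_t sadb_X_prop_ereserved;
    uint16_t sadb_x_prop_numecombs;
    /* Followed by sadb_comb[] array or sadb_ecomb[] array. */
};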
235
236
237 Combination Instance for a Proposal
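/*
 * Combination Instance for a Proposal: one acceptable auth/encrypt pairing
 * with its key-size bounds and soft/hard lifetime limits.
 */
struct sadb_comb {
    uint8_t sadb_comb_auth;
    uint8_t sadb_comb_encrypt;
    uint16_t sadb_comb_flags;
    uint16_t sadb_comb_auth_minbits;
    uint16_t sadb_comb_auth_maxbits;
    uint16_t sadb_comb_encrypt_minbits;
    uint16_t sadb_comb_encrypt_maxbits;
    uint32_t sadb_comb_reserved;
    uint32_t sadb_comb_soft_allocations;
    uint32_t sadb_comb_hard_allocations;
    uint64_t sadb_comb_soft_bytes;
    uint64_t sadb_comb_hard_bytes;
    uint64_t sadb_comb_soft_addtime;
    uint64_t sadb_comb_hard_addtime;
    uint64_t sadb_comb_soft_usetime;
    uint64_t sadb_comb_hard_usetime;
};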
256
257
258 Extended Combination
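/*
 * Extended Combination, used with SADB_X_EXT_EPROP. Unlike sadb_comb it
 * does not name algorithms inline; sadb_x_ecomb_numalgs presumably counts
 * the sadb_x_algdesc entries that follow.
 */
struct sadb_x_ecomb {
    uint8_t sadb_x_ecomb_numalgs;
    uint8_t sadb_x_ecomb_reserved;
    uint16_t sadb_x_ecomb_flags;        /* E.g. PFS? */
    uint32_t sadb_x_ecomb_reserved2;
    uint32_t sadb_x_ecomb_soft_allocations;
    uint32_t sadb_x_ecomb_hard_allocations;
    uint64_t sadb_x_ecomb_soft_bytes;
    uint64_t sadb_x_ecomb_hard_bytes;
    uint64_t sadb_x_ecomb_soft_addtime;
    uint64_t sadb_x_ecomb_hard_addtime;
    uint64_t sadb_x_ecomb_soft_usetime;
    uint64_t sadb_x_ecomb_hard_usetime;
};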
273
274
275 Extended Combination Algorithm Descriptors
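/*
 * Extended Combination Algorithm Descriptor: one algorithm choice (per
 * security protocol and algorithm class) with its key-size bounds.
 */
struct sadb_x_algdesc {
    uint8_t sadb_x_algdesc_satype;      /* ESP, AH, etc. */
    uint8_t sadb_x_algdesc_algtype;     /* AUTH, CRYPT, COMPRESS */
    uint8_t sadb_x_algdesc_alg;         /* DES, 3DES, MD5, etc. */
    uint8_t sadb_x_algdesc_reserved;
    uint16_t sadb_x_algdesc_minbits;    /* Bit strengths. */
    uint16_t sadb_x_algdesc_maxbits;
};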
284
285
286 Extended Register
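/*
 * Extended Register (SADB_X_EXT_EREG), sent with SADB_REGISTER to receive
 * extended ACQUIREs. The kernel answers with one SADB_REGISTER reply per
 * security protocol listed.
 */
struct sadb_x_ereg {
    uint16_t sadb_x_ereg_len;
    uint16_t sadb_x_ereg_exttype;       /* X_EREG */
    uint8_t sadb_x_ereg_satypes[4];     /* Array of SA types, 0-terminated. */
};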
292
293
294 Key Management Cookie
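/*
 * Key Management Cookie (SADB_X_EXT_KM_COOKIE): records which key
 * management protocol derived the SA and an opaque per-KMP cookie.
 */
struct sadb_x_kmc {
    uint16_t sadb_x_kmc_len;
    uint16_t sadb_x_kmc_exttype;    /* X_KM_COOKIE */
    uint32_t sadb_x_kmc_proto;      /* KM protocol */
    uint32_t sadb_x_kmc_cookie;     /* KMP-specific */
    uint32_t sadb_x_kmc_reserved;   /* Reserved; must be zero */
};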
302
303
304 Supported Algorithms Extension
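/*
 * Supported Algorithms Extension (SADB_EXT_SUPPORTED_AUTH / _ENCRYPT),
 * returned in the kernel's SADB_REGISTER reply. Presumably followed by
 * sadb_alg entries, one per algorithm -- confirm against <net/pfkeyv2.h>.
 */
struct sadb_supported {
    uint16_t sadb_supported_len;
    uint16_t sadb_supported_exttype;
    uint32_t sadb_supported_reserved;
};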
310
311
312 Algorithm Instance
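/*
 * Algorithm Instance: describes one algorithm the kernel supports,
 * including the key-length range it will accept.
 */
struct sadb_alg {
    uint8_t sadb_alg_id;        /* Algorithm type. */
    uint8_t sadb_alg_ivlen;     /* IV len, in bits */
    uint16_t sadb_alg_minbits;  /* Min. key len (in bits) */
    uint16_t sadb_alg_maxbits;  /* Max. key length */
    uint16_t sadb_alg_reserved;
};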
320
321
322 SPI Extension Range
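/*
 * SPI Range Extension (SADB_EXT_SPIRANGE), used with SADB_GETSPI to ask
 * the kernel for an SPI within [min, max]. A malformed range is rejected
 * with EINVAL and an SADB_X_DIAGNOSTIC_*_RANGE diagnostic.
 */
struct sadb_spirange {
    uint16_t sadb_spirange_len;
    uint16_t sadb_spirange_exttype;     /* SPI_RANGE */
    uint32_t sadb_spirange_min;
    uint32_t sadb_spirange_max;
    uint32_t sadb_spirange_reserved;
};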
330
331
332 Security Association Pair Extension
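/*
 * Security Association Pair Extension (SADB_X_EXT_PAIR). Added to an
 * SADB_UPDATE or SADB_ADD to link the SA with the one named by this SPI, so
 * the pair can later be handled as a unit via SADB_X_UPDATEPAIR or
 * SADB_X_DELPAIR.
 */
struct sadb_x_pair {
    uint16_t sadb_x_pair_len;
    uint16_t sadb_x_pair_exttype;   /* SADB_X_EXT_PAIR */
    uint32_t sadb_x_pair_spi;       /* SPI of paired SA */
};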
338
339
340 Message Use and Behavior
341 Each message has a behavior. A behavior is defined as where the initial
342 message travels, for example, user to kernel, and what subsequent
343 actions are expected to take place. Contents of messages are illus‐
344 trated as:
345
346 <base, REQUIRED EXTENSION, REQ., (OPTIONAL EXTENSION,) (OPT)>
347
348
349
350 The SA extension is sometimes used only for its SPI field. If all other
351 fields must be ignored, this is represented by SA(*).
352
353
354 The lifetime extensions are represented with one to three letters after
355 the word lifetime, representing (H)ARD, (S)OFT, and (C)URRENT.
356
357
358 The address extensions are represented with one to three letters after
359 the word "address," representing (S)RC, (D)ST, (Nl)NAT-T local,
360 (Nr)NAT-T remote, (Is)Inner source, and (Id)Inner destination.
361
362
363 Source and destination address extensions reflect outer-header selec‐
364 tors for an IPsec SA. An SA is inbound or outbound depending on which
365 of the source or destination address is local to the node. Inner-source
366 and inner-destination selectors represent inner-header selectors for
367 Tunnel Mode SAs. A Tunnel Mode SA must have either IPPROTO_ENCAP or
368 IPPROTO_IPV6 in its outer-headers as protocol selector, in addition to
369 filled-in Inner-address extensions.
370
371
372 NAT-T local and NAT-T remote addresses store local and remote ports
373 used for ESP-in-UDP encapsulation. A non-zero local NAT-T address
374 extension represents the local node's external IP address if it is not
375 equivalent to the SA's local address. A non-zero remote NAT-T address
376 represents a peer's behind-a-NAT address if it is not equivalent to the
377 SA's remote address. An SA with NAT-T extensions will protect-and-
378 transmit outbound traffic. Processing of inbound NAT-T traffic
379 requires a UDP socket bound to the appropriate local port and it must
380 have the UDP_NAT_T_ENDPOINT (see udp(7P)) socket option enabled.
381
382
383 Note that when an error occurs, only the base header is sent. In the
384 event of an error, an extended diagnostic may be set (see DIAGNOSTICS).
385 Typical errors include:
386
387 EINVAL Various message improprieties, including SPI ranges that are
388 malformed, weak keys, and others. If EINVAL is returned, an
389 application should look at the sadb_x_msg_diagnostic field
390 of the sadb_msg structure. It contains one of many possible
391 causes for EINVAL. See net/pfkeyv2.h for values, all of the
392 form SADB_X_DIAGNOSTIC_*.
393
394
395 ENOMEM Needed memory was not available.
396
397
398 EMSGSIZE Message exceeds the maximum length allowed.
399
400
401 EEXIST SA (that is being added or created with GETSPI) already
402 exists.
403
404
405 ESRCH SA could not be found.
406
407
408
409 The following are examples of message use and behavior:
410
411 SADB_GETSPI
412 Send a SADB_GETSPI message from a user process to the kernel.
413
414 <base, address, SPI range>
415
416
417
418 The kernel returns the SADB_GETSPI message to all listening processes.
419
420 <base, SA(*), address (SD)>
421
422
423 SADB_UPDATE
424 Send a SADB_UPDATE message from a user process to the kernel.
425
426 <base, SA, (lifetime(HS),) address(SD), (address(Is,Id),
427 address(Nl,Nr), key (AE), (identity(SD),) (sensitivity)>
428
429
430
431 The kernel returns the SADB_UPDATE message to all listening processes.
432
433 <base, SA(*), address (SD), (pair)>
434
435
436
437 Adding a sadb_x_pair extension to an SADB_UPDATE or SADB_ADD message
438 will update the security association pair linkage with the SPI of the
439 security association contained in that extension. The resulting secu‐
440 rity association "pair" can be updated or deleted as a single entity using the
441 SADB_X_UPDATEPAIR or SADB_X_DELPAIR message types.
442
443 SADB_ADD
444 Send a SADB_ADD message from a user process to the kernel.
445
446 <base, SA, (lifetime(HS),) address(SD), (address(Is,Id),)
447 (address(Nl,Nr),) key (AE), (identity(SD),) (sensitivity) (pair)>
448
449
450
451 The kernel returns the SADB_ADD message to all listening processes.
452
453 <base, SA, (lifetime(HS),) address (SD), (address(Is,Id),)
454 (address(Nl,Nr),) (identity (SD),) (sensitivity)>
455
456
457 SADB_X_UPDATEPAIR
458 Send a SADB_X_UPDATEPAIR message from a user process to the kernel.
459 This message type is used to update the lifetime values of a security
460 association and the lifetime values of the security association it is
461 paired with.
462
463 <base, SA, lifetime(HS), address(SD)>
464
465
466 SADB_DELETE | SADB_X_DELPAIR
467 Send a SADB_DELETE message from a user process to the kernel. The
468 SADB_X_DELPAIR message type will request deletion of the security asso‐
469 ciation and the security association it is paired with.
470
471 <base, SA (*), address (SD)>
472
473
474
475 The kernel returns the SADB_DELETE message to all listening processes.
476
477 <base, SA (*), address (SD)>
478
479
480 SADB_GET
481 Send a SADB_GET message from a user process to the kernel.
482
483 <base, SA (*), address (SD)>
484
485
486
487 The kernel returns the SADB_GET message to the socket that sent the
488 SADB_GET message.
489
490 <base, SA, (lifetime (HSC),) address (SD), (address (P),) key (AE),
491 (identity (SD),) (sensitivity)>
492
493
494 SADB_ACQUIRE
495 The kernel sends a SADB_ACQUIRE message to registered sockets. Note
496 that any GETSPI, ADD, or UPDATE calls in reaction to an ACQUIRE must
497 fill in the sadb_msg_seq of those messages with the one in the ACQUIRE
498 message. The address (SD) extensions must have the port fields filled
499 in with the port numbers of the session requiring keys if appropriate.
500
501 <base, address (SD), (address(Is,Id)), (identity(SD),)
502 (sensitivity,) proposal>
503
504
505
506 Extended ACQUIRE will have a slightly different format. The
507 sadb_msg_satype field is 0, and the extension contains the desired com‐
508 bination(s) of security protocols.
509
510 <base, address (SD), (address(Is,Id)), (identity(SD),)
511 (sensitivity,) eprop>
512
513
514
515 If key management fails, send an SADB_ACQUIRE to indicate failure.
516
517 <base>
518
519
520 SADB_X_INVERSE_ACQUIRE
521 For inbound Key Management processing, a Key Management application may
522 wish to consult the kernel for its policy. The application should send
523 to the kernel:
524
525 <base, address (SD), (address(Is,Id))>
526
527
528
529 The kernel returns a message similar to a kernel-generated extended
530 ACQUIRE:
531
532 <base, address (SD), (address(Is,Id)), (identity(SD),)
533 (sensitivity,) eprop>
534
535
536 SADB_REGISTER
537 Send a SADB_REGISTER message from a user process to the kernel.
538
539 <base>
540
541
542
543 The kernel returns the SADB_REGISTER message to registered sockets,
544 with algorithm types supported by the kernel being indicated in the
545 supported algorithms field. Note that this message may arrive asyn‐
546 chronously due to an algorithm being loaded or unloaded into a dynami‐
547 cally linked kernel.
548
549 <base, supported>
550
551
552
553 There is also the extended REGISTER, which will allow this process to
554 receive extended ACQUIREs.
555
556 <base, ereg>
557
558
559
560 Which returns a series of SADB_REGISTER replies (one for each security
561 protocol registered) from the kernel.
562
563 SADB_EXPIRE
564 The kernel sends a SADB_EXPIRE message to all listeners when the soft
565 limit of a security association has expired.
566
567 <base, SA, lifetime (C and one of HS), address (SD)>
568
569
570 SADB_FLUSH
571 Send a SADB_FLUSH message from a user process to the kernel.
572
573 <base>
574
575
576
577 The kernel returns the SADB_FLUSH message to all listening sockets.
578
579 <base>
580
581
582 SADB_DUMP
583 Send a SADB_DUMP message from a user process to the kernel.
584
585 <base>
586
587
588
589 Several SADB_DUMP messages will return from the kernel to the sending
590 socket.
591
592 <base, SA, (lifetime (HSC),) address (SD), (address (Is,Id),)
593 (address (Nl,Nr),) key (AE), (identity (SD),) sensitivity)>
594
595
596
597 To mark the end of a dump a single base header arrives with its
598 sadb_msg_seq set to 0.
599
600 <base>
601
602
603 SADB_X_PROMISC
604 Send a SADB_X_PROMISC message from a user process to the kernel.
605
606 <base>
607
608
609
610 The kernel returns the SADB_X_PROMISC message to all listening pro‐
611 cesses.
612
613 <base>
614
615
617 The message returning from the kernel will contain a diagnostic value
618 in the base message header; the diagnostic value indicates whether the
619 action requested by the original message was a success.
620
621
622 Diagnostic Values:
623
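/*
 * Values for sadb_x_msg_diagnostic in the base header of a reply. They
 * refine an EINVAL in sadb_msg_errno; SADB_X_DIAGNOSTIC_NONE means no
 * extended diagnostic was recorded.
 */
#define SADB_X_DIAGNOSTIC_NONE                  0
#define SADB_X_DIAGNOSTIC_UNKNOWN_MSG           1
#define SADB_X_DIAGNOSTIC_UNKNOWN_EXT           2
#define SADB_X_DIAGNOSTIC_BAD_EXTLEN            3
#define SADB_X_DIAGNOSTIC_UNKNOWN_SATYPE        4
#define SADB_X_DIAGNOSTIC_SATYPE_NEEDED         5
#define SADB_X_DIAGNOSTIC_NO_SADBS              6
#define SADB_X_DIAGNOSTIC_NO_EXT                7
/* Bad address family value in sockaddr->sa_family. */
#define SADB_X_DIAGNOSTIC_BAD_SRC_AF            8
#define SADB_X_DIAGNOSTIC_BAD_DST_AF            9
/* These two are synonyms. */
#define SADB_X_DIAGNOSTIC_BAD_PROXY_AF          10
#define SADB_X_DIAGNOSTIC_BAD_INNER_SRC_AF      10

#define SADB_X_DIAGNOSTIC_AF_MISMATCH           11

#define SADB_X_DIAGNOSTIC_BAD_SRC               12
#define SADB_X_DIAGNOSTIC_BAD_DST               13

/* Hard/soft lifetime inconsistencies (HSERR). */
#define SADB_X_DIAGNOSTIC_ALLOC_HSERR           14
#define SADB_X_DIAGNOSTIC_BYTES_HSERR           15
#define SADB_X_DIAGNOSTIC_ADDTIME_HSERR         16
#define SADB_X_DIAGNOSTIC_USETIME_HSERR         17

#define SADB_X_DIAGNOSTIC_MISSING_SRC           18
#define SADB_X_DIAGNOSTIC_MISSING_DST           19
#define SADB_X_DIAGNOSTIC_MISSING_SA            20
#define SADB_X_DIAGNOSTIC_MISSING_EKEY          21
#define SADB_X_DIAGNOSTIC_MISSING_AKEY          22
#define SADB_X_DIAGNOSTIC_MISSING_RANGE         23

#define SADB_X_DIAGNOSTIC_DUPLICATE_SRC         24
#define SADB_X_DIAGNOSTIC_DUPLICATE_DST         25
#define SADB_X_DIAGNOSTIC_DUPLICATE_SA          26
#define SADB_X_DIAGNOSTIC_DUPLICATE_EKEY        27
#define SADB_X_DIAGNOSTIC_DUPLICATE_AKEY        28
#define SADB_X_DIAGNOSTIC_DUPLICATE_RANGE       29

#define SADB_X_DIAGNOSTIC_MALFORMED_SRC         30
#define SADB_X_DIAGNOSTIC_MALFORMED_DST         31
#define SADB_X_DIAGNOSTIC_MALFORMED_SA          32
#define SADB_X_DIAGNOSTIC_MALFORMED_EKEY        33
#define SADB_X_DIAGNOSTIC_MALFORMED_AKEY        34
#define SADB_X_DIAGNOSTIC_MALFORMED_RANGE       35

#define SADB_X_DIAGNOSTIC_AKEY_PRESENT          36
#define SADB_X_DIAGNOSTIC_EKEY_PRESENT          37
#define SADB_X_DIAGNOSTIC_PROP_PRESENT          38
#define SADB_X_DIAGNOSTIC_SUPP_PRESENT          39
#define SADB_X_DIAGNOSTIC_BAD_AALG              40
#define SADB_X_DIAGNOSTIC_BAD_EALG              41
#define SADB_X_DIAGNOSTIC_BAD_SAFLAGS           42
#define SADB_X_DIAGNOSTIC_BAD_SASTATE           43

#define SADB_X_DIAGNOSTIC_BAD_AKEYBITS          44
#define SADB_X_DIAGNOSTIC_BAD_EKEYBITS          45

#define SADB_X_DIAGNOSTIC_ENCR_NOTSUPP          46

/* Key rejected by the kernel's weak-key check. */
#define SADB_X_DIAGNOSTIC_WEAK_EKEY             47
#define SADB_X_DIAGNOSTIC_WEAK_AKEY             48

#define SADB_X_DIAGNOSTIC_DUPLICATE_KMP         49
#define SADB_X_DIAGNOSTIC_DUPLICATE_KMC         50

#define SADB_X_DIAGNOSTIC_MISSING_NATT_LOC      51
#define SADB_X_DIAGNOSTIC_MISSING_NATT_REM      52
#define SADB_X_DIAGNOSTIC_DUPLICATE_NATT_LOC    53
#define SADB_X_DIAGNOSTIC_DUPLICATE_NATT_REM    54
#define SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC    55
#define SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM    56
#define SADB_X_DIAGNOSTIC_DUPLICATE_NATT_PORTS  57

#define SADB_X_DIAGNOSTIC_MISSING_INNER_SRC     58
#define SADB_X_DIAGNOSTIC_MISSING_INNER_DST     59
#define SADB_X_DIAGNOSTIC_DUPLICATE_INNER_SRC   60
#define SADB_X_DIAGNOSTIC_DUPLICATE_INNER_DST   61
#define SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC   62
#define SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST   63

#define SADB_X_DIAGNOSTIC_PREFIX_INNER_SRC      64
#define SADB_X_DIAGNOSTIC_PREFIX_INNER_DST      65
#define SADB_X_DIAGNOSTIC_BAD_INNER_DST_AF      66
#define SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH     67

#define SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF       68
#define SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF       69

#define SADB_X_DIAGNOSTIC_PROTO_MISMATCH        70
#define SADB_X_DIAGNOSTIC_INNER_PROTO_MISMATCH  71

#define SADB_X_DIAGNOSTIC_DUAL_PORT_SETS        72

#define SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE    73
#define SADB_X_DIAGNOSTIC_PAIR_ADD_MISMATCH     74
#define SADB_X_DIAGNOSTIC_PAIR_ALREADY          75
#define SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND      76
#define SADB_X_DIAGNOSTIC_BAD_SA_DIRECTION      77

#define SADB_X_DIAGNOSTIC_SA_NOTFOUND           78
#define SADB_X_DIAGNOSTIC_SA_EXPIRED            79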
727
728
730 See attributes(5) for descriptions of the following attributes:
731
732
733
734
735 ┌─────────────────────────────┬─────────────────────────────┐
736 │ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
737 ├─────────────────────────────┼─────────────────────────────┤
738 │Availability │SUNWcsr │
739 │Interface Stability │Evolving │
740 └─────────────────────────────┴─────────────────────────────┘
741
743 in.iked(1M), ipseckey(1M), ipsec(7P), ipsecah(7P), ipsecesp(7P),
744 route(7P), udp(7P)
745
746
747 McDonald, D.L., Metz, C.W., and Phan, B.G., RFC 2367, PF_KEY Key Man‐
748 agement API, Version 2, The Internet Society, July 1998.
749
751 Time-based lifetimes may not expire with exact precision in seconds
752 because kernel load may affect the aging of SA's.
753
754
755
756SunOS 5.11 6 May 2008 pf_key(7P)