ip-xfrm - transform configuration

IP-XFRM(8)                           Linux                          IP-XFRM(8)

NAME
       ip-xfrm - transform configuration

SYNOPSIS
       ip [ OPTIONS ] xfrm  { COMMAND | help }

       ip xfrm XFRM-OBJECT { COMMAND | help }

       XFRM-OBJECT := state | policy | monitor

       ip xfrm state { add | update } ID [ ALGO-LIST ] [ mode MODE ] [ mark
               MARK [ mask MASK ] ] [ reqid REQID ] [ seq SEQ ]
               [ replay-window SIZE ] [ replay-seq SEQ ] [ replay-oseq SEQ ]
               [ flag FLAG-LIST ] [ sel SELECTOR ] [ LIMIT-LIST ] [ encap ENCAP ]
               [ coa ADDR[/PLEN] ] [ ctx CTX ]

       ip xfrm state allocspi ID [ mode MODE ] [ mark MARK [ mask MASK ] ] [
               reqid REQID ] [ seq SEQ ] [ min SPI max SPI ]

       ip xfrm state { delete | get } ID [ mark MARK [ mask MASK ] ]

       ip xfrm state { deleteall | list } [ ID ] [ mode MODE ] [ reqid REQID ]
               [ flag FLAG-LIST ]

       ip xfrm state flush [ proto XFRM-PROTO ]

       ip xfrm state count

       ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM-PROTO ] [ spi SPI ]

       XFRM-PROTO := esp | ah | comp | route2 | hao

       ALGO-LIST := [ ALGO-LIST ] ALGO

       ALGO := { enc | auth | comp } ALGO-NAME ALGO-KEY |
               aead ALGO-NAME ALGO-KEY ALGO-ICV-LEN |
               auth-trunc ALGO-NAME ALGO-KEY ALGO-TRUNC-LEN

       MODE := transport | tunnel | ro | in_trigger | beet

       FLAG-LIST := [ FLAG-LIST ] FLAG

       FLAG := noecn | decap-dscp | nopmtudisc | wildrecv | icmp | af-unspec |
               align4

       SELECTOR := [ src ADDR[/PLEN] ] [ dst ADDR[/PLEN] ] [ dev DEV ]
               [ UPSPEC ]

       UPSPEC := proto { PROTO |
               { tcp | udp | sctp | dccp } [ sport PORT ] [ dport PORT ] |
               { icmp | ipv6-icmp | mobility-header } [ type NUMBER ] [ code
               NUMBER ] |
               gre [ key { DOTTED-QUAD | NUMBER } ] }

       LIMIT-LIST := [ LIMIT-LIST ] limit LIMIT

       LIMIT := { time-soft | time-hard | time-use-soft | time-use-hard }
               SECONDS |
               { byte-soft | byte-hard } SIZE |
               { packet-soft | packet-hard } COUNT

       ENCAP := { espinudp | espinudp-nonike } SPORT DPORT OADDR

       ip xfrm policy { add | update } SELECTOR dir DIR [ ctx CTX ] [ mark
               MARK [ mask MASK ] ] [ index INDEX ] [ ptype PTYPE ] [ action
               ACTION ] [ priority PRIORITY ] [ flag FLAG-LIST ] [ LIMIT-LIST
               ] [ TMPL-LIST ]

       ip xfrm policy { delete | get } { SELECTOR | index INDEX } dir DIR [
               ctx CTX ] [ mark MARK [ mask MASK ] ] [ ptype PTYPE ]

       ip xfrm policy { deleteall | list } [ SELECTOR ] [ dir DIR ] [ index
               INDEX ] [ ptype PTYPE ] [ action ACTION ] [ priority PRIORITY ]

       ip xfrm policy flush [ ptype PTYPE ]

       ip xfrm policy count

       SELECTOR := [ src ADDR[/PLEN] ] [ dst ADDR[/PLEN] ] [ dev DEV ] [
               UPSPEC ]

       UPSPEC := proto { PROTO |
               { tcp | udp | sctp | dccp } [ sport PORT ] [ dport PORT ] |
               { icmp | ipv6-icmp | mobility-header } [ type NUMBER ] [ code
               NUMBER ] |
               gre [ key { DOTTED-QUAD | NUMBER } ] }

       DIR := in | out | fwd

       PTYPE := main | sub

       ACTION := allow | block

       FLAG-LIST := [ FLAG-LIST ] FLAG

       FLAG := localok | icmp

       LIMIT-LIST := [ LIMIT-LIST ] limit LIMIT

       LIMIT := { time-soft | time-hard | time-use-soft | time-use-hard }
               SECONDS |
               { byte-soft | byte-hard } SIZE |
               { packet-soft | packet-hard } COUNT

       TMPL-LIST := [ TMPL-LIST ] tmpl TMPL

       TMPL := ID [ mode MODE ] [ reqid REQID ] [ level LEVEL ]

       ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM-PROTO ] [ spi SPI ]

       XFRM-PROTO := esp | ah | comp | route2 | hao

       MODE := transport | tunnel | ro | in_trigger | beet

       LEVEL := required | use

       ip xfrm monitor [ all | LISTofXFRM-OBJECTS ]

DESCRIPTION
       xfrm is an IP framework for transforming packets (such as encrypting
       their payloads). This framework is used to implement the IPsec protocol
       suite (with the state object operating on the Security Association
       Database, and the policy object operating on the Security Policy
       Database). It is also used for the IP Payload Compression Protocol and
       features of Mobile IPv6.

   ip xfrm state add - add new state into xfrm
   ip xfrm state update - update existing state in xfrm
   ip xfrm state allocspi - allocate an SPI value
   ip xfrm state delete - delete existing state in xfrm
   ip xfrm state get - get existing state in xfrm
   ip xfrm state deleteall - delete all existing state in xfrm
   ip xfrm state list - print out the list of existing state in xfrm
   ip xfrm state flush - flush all state in xfrm
   ip xfrm state count - count all existing state in xfrm
       ID     is specified by a source address, destination address, transform
              protocol XFRM-PROTO, and/or Security Parameter Index SPI.

       XFRM-PROTO
              specifies a transform protocol: IPsec Encapsulating Security
              Payload (esp), IPsec Authentication Header (ah), IP Payload
              Compression (comp), Mobile IPv6 Type 2 Routing Header (route2),
              or Mobile IPv6 Home Address Option (hao).

       ALGO-LIST
              specifies  one  or  more algorithms ALGO to use. Algorithm types
              include encryption (enc), authentication (auth),  authentication
              with  a  specified truncation length (auth-trunc), authenticated
              encryption with associated data (aead), and compression  (comp).
              For  each algorithm used, the algorithm type, the algorithm name
              ALGO-NAME, and the key ALGO-KEY must be specified. For aead, the
              Integrity  Check  Value length ALGO-ICV-LEN must additionally be
              specified.  For  auth-trunc,  the  signature  truncation  length
              ALGO-TRUNC-LEN must additionally be specified.

       MODE   specifies a mode of operation: IPsec transport mode (transport),
              IPsec tunnel mode (tunnel), Mobile IPv6 route optimization  mode
              (ro),  Mobile  IPv6  inbound trigger mode (in_trigger), or IPsec
              ESP Bound End-to-End Tunnel Mode (beet).

       FLAG-LIST
              contains one or more of the  following  optional  flags:  noecn,
              decap-dscp, nopmtudisc, wildrecv, icmp, af-unspec, or align4.

       SELECTOR
              selects the traffic that will be controlled by the policy, based
              on the source address,  the  destination  address,  the  network
              device, and/or UPSPEC.

       UPSPEC selects traffic by protocol. For the tcp, udp, sctp, or dccp
              protocols, the source and destination port can optionally be
              specified. For the icmp, ipv6-icmp, or mobility-header
              protocols, the type and code numbers can optionally be
              specified. For the gre protocol, the key can optionally be
              specified as a dotted-quad or number. Other protocols can be
              selected by name or number PROTO.

       LIMIT-LIST
              sets limits in seconds, bytes, or numbers of packets.

       ENCAP  encapsulates packets with protocol espinudp or espinudp-nonike,
              using source port SPORT, destination port DPORT, and original
              address OADDR.

   ip xfrm policy add - add a new policy
   ip xfrm policy update - update an existing policy
   ip xfrm policy delete - delete an existing policy
   ip xfrm policy get - get an existing policy
   ip xfrm policy deleteall - delete all existing xfrm policies
   ip xfrm policy list - print out the list of xfrm policies
   ip xfrm policy flush - flush policies
   ip xfrm policy count - count existing policies
       SELECTOR
              selects the traffic that will be controlled by the policy, based
              on the source address,  the  destination  address,  the  network
              device, and/or UPSPEC.

       UPSPEC selects traffic by protocol. For the tcp, udp, sctp, or dccp
              protocols, the source and destination port can optionally be
              specified. For the icmp, ipv6-icmp, or mobility-header
              protocols, the type and code numbers can optionally be
              specified. For the gre protocol, the key can optionally be
              specified as a dotted-quad or number. Other protocols can be
              selected by name or number PROTO.

       DIR    selects the policy direction as in, out, or fwd.

       CTX    sets the security context.

       PTYPE  can be main (default) or sub.

       ACTION can be allow (default) or block.

       PRIORITY
              is a number that defaults to zero.

       FLAG-LIST
              contains one or both of the following optional flags: localok
              or icmp.

       LIMIT-LIST
              sets limits in seconds, bytes, or numbers of packets.

       TMPL-LIST
              is a template list  specified  using  ID,  MODE,  REQID,  and/or
              LEVEL.

       ID     is specified by a source address, destination address, transform
              protocol XFRM-PROTO, and/or Security Parameter Index SPI.

       XFRM-PROTO
              specifies a transform protocol: IPsec Encapsulating Security
              Payload (esp), IPsec Authentication Header (ah), IP Payload
              Compression (comp), Mobile IPv6 Type 2 Routing Header (route2),
              or Mobile IPv6 Home Address Option (hao).

       MODE   specifies a mode of operation: IPsec transport mode (transport),
              IPsec tunnel mode (tunnel), Mobile IPv6 route optimization  mode
              (ro),  Mobile  IPv6  inbound trigger mode (in_trigger), or IPsec
              ESP Bound End-to-End Tunnel Mode (beet).

       LEVEL  can be required (default) or use.
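       The state and policy sections above together describe how a manually
       keyed IPsec setup is built: one SA per direction in the SAD, and a
       policy per direction in the SPD whose template requires that SA. The
       following script is an added example, not part of the iproute2
       manpage; the addresses, SPIs, reqid and keys in it are constructed
       placeholders, and DRY_RUN is an assumed variable of the example.

```shell
#!/bin/sh
# Added example (not from the manpage): build two manually keyed ESP transport-mode
# SAs (one per direction) plus the in/out policies that require them, using only
# the 'ip xfrm state add' / 'ip xfrm policy add' grammar from the synopsis.
# Manual keying is for lab rigs; a keying daemon normally installs SAs over IKE.
set -eu

LOCAL=192.0.2.1   # constructed addresses (documentation range), not real hosts
PEER=192.0.2.2
SPI_OUT=0x1000    # constructed SPIs; each direction gets its own SA and SPI
SPI_IN=0x1001
REQID=1           # ties the policy templates to these SAs
# rfc4106(gcm(aes)) takes 16 key bytes + 4 salt bytes; constructed, NOT for real use
KEY_OUT=0x000102030405060708090a0b0c0d0e0f10111213
KEY_IN=0x202122232425262728292a2b2c2d2e2f30313233

# xfrm_state_cmd SRC DST SPI KEY -> prints one 'ip xfrm state add' command
# (AEAD with 128-bit ICV, 32-packet replay window, time and byte hard limits)
xfrm_state_cmd() {
    printf 'ip xfrm state add src %s dst %s proto esp spi %s reqid %s mode transport' "$1" "$2" "$3" "$REQID"
    printf ' aead "rfc4106(gcm(aes))" %s 128 replay-window 32' "$4"
    printf ' limit time-hard 3600 limit byte-hard 1073741824\n'
}

# xfrm_policy_cmd SRC DST DIR -> policy whose template requires ESP (level required)
xfrm_policy_cmd() {
    printf 'ip xfrm policy add src %s/32 dst %s/32 dir %s' "$1" "$2" "$3"
    printf ' tmpl src %s dst %s proto esp reqid %s mode transport level required\n' "$1" "$2" "$REQID"
}

# Emit the complete command set for both directions.
xfrm_setup() {
    xfrm_state_cmd "$LOCAL" "$PEER" "$SPI_OUT" "$KEY_OUT"
    xfrm_state_cmd "$PEER" "$LOCAL" "$SPI_IN" "$KEY_IN"
    xfrm_policy_cmd "$LOCAL" "$PEER" out
    xfrm_policy_cmd "$PEER" "$LOCAL" in
}

# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 applies them (needs root)
# and then checks the SAD with 'ip xfrm state count'.
if [ "${DRY_RUN:-1}" = 1 ]; then
    xfrm_setup
else
    xfrm_setup | sh -ex
    ip xfrm state count
fi
```

       Without the matching 'in' policy the peer's ESP traffic would still be
       decrypted but cleartext from the peer would also be accepted, so both
       directions are always installed together.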

   ip xfrm monitor - state monitoring for xfrm objects
       The xfrm objects to monitor can be optionally specified.

AUTHOR
       Manpage by David Ward

iproute2                          20 Dec 2011                       IP-XFRM(8)