*** ipseckey.txt Wed Feb 21 17:16:26 2007 --- ipseckey.txt.new Tue Feb 27 13:43:33 2007 *************** *** 14,19 **** --- 14,21 ---- ipseckey [-nvp] -f filename + ipseckey -c filename + ipseckey [-nvp] [delete | get] SA_TYPE {EXTENSION value...} ipseckey [-np] [monitor | passive_monitor | pmonitor] *************** *** 85,93 **** the input file are identical to the command line language. The load command provides similar functional- ity. The -s option or the save command can generate ! files readable by the -f argument. -n --- 87,102 ---- the input file are identical to the command line language. The load command provides similar functional- ity. The -s option or the save command can generate ! files readable by the -f argument. See SECURITY and SMF for ! more information. + -c [filename] + As the -f option except that the input is only checked + for syntactical correctness, errors are reported to + stderr. This option is provided to debug configurations + without making changes. See SECURITY and SMF for more + information. -n *************** *** 287,293 **** ! SECURITY all --- 296,302 ---- ! SA_TYPE all *************** *** 806,819 **** - Keying material is very sensitive and should be generated as - randomly as possible. Some algorithms have known weak keys. - IPsec algorithms have built-in weak key checks, so that if a - weak key is in a newly added SA, the add command will fail - with an invalid value. - - - Certificate identities are very useful in the context of automated key management, as they tie the SA to the public key certificates used in most automated key management pro- --- 815,820 ---- *************** *** 909,914 **** --- 910,922 ---- SECURITY + + Keying material is very sensitive and should be generated as + randomly as possible. Some algorithms have known weak keys. + IPsec algorithms have built-in weak key checks, so that if a + weak key is in a newly added SA, the add command will fail + with an invalid value. 
+ The ipseckey command allows a privileged user to enter cryp- tographic keying information. If an adversary gains access to such information, the security of IPsec traffic is *************** *** 962,971 **** --- 970,992 ---- adversary as it is being read. A world-readable file with keying material in it is also risky. + 3. The ipseckey command is designed to be managed by the + 'manual-key' smf(5) service. Because the smf(5) log + files are world-readable, the ipseckey will not record + any syntax errors in the log files as these errors might + include secret information. + If a syntax error is found when the 'manual-key' smf(5) + service is enabled, the service will enter maintenance + mode. The log file will indicate that there was a syntax + error, but won't specify what the error was. + The administrator should use ipeckey -c filename from + the command line to discover the cause of the errors. + See OPTIONS. + If your source address is a host that can be looked up over the network, and your naming system itself is compromised, then any names used will no longer be trustworthy. *************** *** 1173,1178 **** --- 1194,1276 ---- + SMF + IPsec manual keys are managed by the service management + facility, smf(5). The following group of services manage + the components of IPsec: + + + + svc:/network/ipsec/ipsecalgs (See ipsecalgs(1M)) + svc:/network/ipsec/policy (See ipsecconf(1M)) + svc:/network/ipsec/manual-key (See ipseckey(1M)) + svc:/network/ipsec/ike (see ike.config(4)) + + The manual-key and policy services are delivered 'disabled' + because the system administrator needs to create configuration + files for each service as described in the respective man pages. + + Correct administrative proceedure is to create the + configuration file for each service then enable each + service using svcadm(1M). + + If the configuration needs to be changed, edit the + configuration file then refresh the service. 
+ + example# svcadm refresh manual-key + + WARNING: To prevent ipseckey complaining about duplicate + Association's, the ipseckey command flushes the Security + Association Data Base (SADB) when the ipseckey command is + run from smf(5), before adding any new Security Association's + defined in the configuration file. + + This differs from the command line behaviour where the + SADB is not flushed before adding new Security Association's. + + The smf(5) framework will record any errors in the service + specific logfile. Use any of the following commands to + examine the 'logfile' property: + + + example# svcs -l manual-key + example# svcprop manual-key + example# svccfg -s manual-key listprop + + The following property is defined for the 'manual-key' service: + + config/config_file + + This property can be modified using svccfg(1M) by users + who have been assigned the following authorization: + + solaris.smf.value.ipsec + + See auths(1), user_attr(4), rbac(5). + + The service needs to be refreshed using svcadm(1M) before + the new property is effective. General non-modifiable properties + can be viewed with the svcprop(1M) command. + + example# svccfg -s ipsec/manual-key setprop config/config_file = /new/config_file + example# svcadm refresh manual-key + + Administrative actions on this service, such as enabling, + disabling, refreshing or requesting restart, can be performed + using svcadm(1M). A user who has been assigned the following + authorization can perform these actions: + + solaris.smf.manage.ipsec + + The service's status can be queried using the svcs(1) command. + + The ipseckey command is designed to be run under smf(5) management. + It is possible to run ipseckey from the command line although + this is discouraged. Before attempting to run ipseckey from the + command line, make sure the 'manual-key' smf(5) service is + disabled first. See svcadm(1M). 
+ + ATTRIBUTES See attributes(5) for descriptions of the following attri- butes: *************** *** 1205,1211 **** /etc/inet/secret/ipseckeys ! Configuration file used at boot time --- 1303,1310 ---- /etc/inet/secret/ipseckeys ! The default configuration file used at boot time. See ! SMF and SECURITY for more information. *************** *** 1212,1218 **** SEE ALSO ps(1), ipsecconf(1M), ipsecalgs(1M), route(1M), attri- ! butes(5), ipsec(7P), ipsecah(7P), ipsecesp(7P), pf_key(7P) --- 1311,1318 ---- SEE ALSO ps(1), ipsecconf(1M), ipsecalgs(1M), route(1M), attri- ! butes(5), ipsec(7P), ipsecah(7P), ipsecesp(7P), pf_key(7P), ! svcadm(1M), smf(5), svccfg(1M) *************** *** 1223,1234 **** DIAGNOSTICS - Parse error on line N. If an interactive use of ipseckey would print usage information, this would print instead. Usually proceeded ! by another diagnostic. --- 1323,1354 ---- DIAGNOSTICS + The ipseckey command will parse the configuration file and + report any errors. In the case of multiple errors, ipseckey + will report as many of these as possible. + The ipseckey command will not attempt to use a COMMAND that + has a syntax error. A COMMAND may be syntactically correct + but may generate an error because the kernel rejected the + request made to pf_key(7), this might occur because a key + had an invalid length or because an unsupported algorithm + was specified. + + If there were any errors in the configuration file, ipseckey + will report the number of valid COMMANDS and the total + number of COMMANDS parsed. + + Parse error near line N. + + If an interactive use of ipseckey would print usage information, this would print instead. Usually proceeded ! by another diagnostic. Because COMMANDS can cover more ! than a single line in the configuration file by using ! the back-slash character to delimit lines, its not always ! possible to pinpoint the exact line in the config file ! which caused the error. 
*************** *** 1292,1299 **** --- 1412,1444 ---- An extension not used by a command was used. + Association (type = xx) with spi 0xNNNN and addr y.y.y.y already exists. + Each Security Association must be unique, the kernel looks + up each Security association using a tuple made from: + The Protocol or type (ah or esp). + The SPI value. + The destination IP address. + + The error message warns the user that an attempt was made to add + a new Security Association which has the same tuple as an existing + entry in the Security Assocation Data Base. This error is most + likely to occur when the ipseckey command is run mutiple times + with the -f flag and the same configuration file. + + WARNING: Existing Security Associations are NOT replaced. + + If the values associated with each Protocol/SPI/Address tuple + in the configuration file are the same as those loaded into + the kernel, then this error can be ignored. If the values have + been updated, then the administrator needs to remove the existing + Security Association(s) with the delete or flush commands and + then add the new Security Association(s) again using the -f flag. + + See SMF for more information. + + One of the entered values is incorrect: Diagnostic code NN:
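Review bot: the new -c option is inconsistent between the SYNOPSIS hunk (`ipseckey -c filename`, mandatory argument) and the OPTIONS hunk (`-c [filename]`, optional argument). Since -c is described as behaving like -f, which requires a filename, drop the brackets in OPTIONS. In the same OPTIONS paragraph, "As the -f option except that the input is only checked for syntactical correctness, errors are reported to stderr" reads better as "Like the -f option, except that the input is only checked for syntactic correctness; errors are reported to stderr."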
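Review bot: the "Keying material is very sensitive" paragraph deleted at old lines 806-819 reappears unchanged in the SECURITY hunk at 909-914, so this is a move, not a removal; fine. One follow-up: that paragraph says an add with a weak key fails with an invalid value, while the new DIAGNOSTICS text lists only invalid key length and unsupported algorithm as reasons the kernel may reject a syntactically correct COMMAND. Add weak-key rejection to that list so the two sections agree.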
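Review bot: typo in the SECURITY hunk at 962-971: "The administrator should use ipeckey -c filename" should read "ipseckey -c filename". Also "the ipseckey will not record any syntax errors" is missing a word: "the ipseckey command will not record". The rationale for not logging syntax errors (world-readable smf(5) log files could leak key material from a malformed line) is sound and worth keeping exactly as stated.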
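Review bot: the SMF section hunk at 1173-1178 has several spelling and punctuation issues: "proceedure" should be "procedure"; "Association's" (three occurrences, in the WARNING paragraph and the one after it) is a plural, not a possessive, so "Associations"; and the service list mixes "(See ipsecalgs(1M))" with "(see ike.config(4))", so pick one capitalisation. On substance, the WARNING should say explicitly that the flush removes every entry in the SADB, not only entries previously loaded from the configuration file, since an administrator who added SAs by hand and then runs `svcadm refresh manual-key` will lose them; that is also the reason for the closing paragraph's advice to disable the service before using ipseckey from the command line, so the two paragraphs could cross-reference each other.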
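Review bot: the SEE ALSO hunk at 1212-1218 appends svcadm(1M), smf(5), svccfg(1M) after pf_key(7P), which breaks the section-then-name ordering the existing list follows; place svcadm(1M) and svccfg(1M) with the other 1M entries and smf(5) after attributes(5). The new SMF and SECURITY text also cites svcs(1), svcprop(1M), auths(1), user_attr(4), rbac(5) and ike.config(4), none of which are added here; include them so every cross-reference in the body has a SEE ALSO entry.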
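Review bot: in the DIAGNOSTICS hunk at 1223-1234, "pf_key(7)" should be "pf_key(7P)" to match the SEE ALSO entry; "its not always possible" should be "it's not always possible"; "back-slash" should be "backslash"; and "Usually proceeded by another diagnostic" should be "Usually preceded by" (pre-existing, but the line is already being modified). The change from "Parse error on line N" to "Parse error near line N" is a good match for the new explanation of backslash-continued COMMANDS; also settle on either "COMMAND" or "COMMANDS" as the defined term, since both appear in the new paragraphs.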
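Review bot: in the last hunk at 1292-1299, "Security Assocation Data Base" should be "Security Association Data Base" and "mutiple" should be "multiple"; "Each Security Association must be unique, the kernel looks up each Security association using a tuple made from:" is a comma splice, so use a period or semicolon after "unique" and capitalise "Association" consistently. More importantly, the advice that "this error can be ignored" when the values match is only safe if the administrator has actually compared the kernel's copy with the file, because the WARNING says the existing SA is silently kept: a key rotation that only edits the configuration file and re-runs -f would leave the old key in use. Suggest directing the reader to the get command (added to the SYNOPSIS in this same patch) to inspect the existing SA before deciding to ignore the message, and to the delete/flush-then-add procedure otherwise.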