path: root/man/strongswan.conf.5
Diffstat (limited to 'man/strongswan.conf.5')
-rw-r--r--  man/strongswan.conf.5  347
1 files changed, 342 insertions, 5 deletions
diff --git a/man/strongswan.conf.5 b/man/strongswan.conf.5
index e1e4dbe91..e56e786e0 100644
--- a/man/strongswan.conf.5
+++ b/man/strongswan.conf.5
@@ -1,4 +1,4 @@
-.TH STRONGSWAN.CONF 5 "2010-09-09" "4.5.2" "strongSwan"
+.TH STRONGSWAN.CONF 5 "2011-07-26" "4.6.4" "strongSwan"
.SH NAME
strongswan.conf \- strongSwan configuration file
.SH DESCRIPTION
@@ -126,6 +126,13 @@ will return
The following keys are currently defined (using dot notation). The default
value (if any) is listed in brackets after the key.
+.SS attest section
+.TP
+.BR attest.database
+Path to database with file measurement information
+.TP
+.BR attest.load
+Plugins to load in ipsec attest tool
.SS charon section
.TP
.BR charon.block_threshold " [5]"
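Review bot: `+Path to database with file measurement information` (the `attest.database` entry) does not say what form the value takes; the comparable `charon.plugins.sql.database` entry in this file reads "Database URI for ...", so state whether a file path or a database URI is expected. The same wording is reused verbatim for `libimcv.plugins.imv-attestation.database` later in this patch, so both entries should be aligned.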
@@ -151,6 +158,9 @@ Section to define file loggers, see LOGGER CONFIGURATION
.BR charon.flush_auth_cfg " [no]"
.TP
+.BR charon.half_open_timeout " [30]"
+Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
+.TP
.BR charon.hash_and_url " [no]"
Enable hash and URL support
.TP
@@ -166,6 +176,14 @@ Size of the IKE_SA hash table
.BR charon.inactivity_close_ike " [no]"
Whether to close IKE_SA if the only CHILD_SA closed due to inactivity
.TP
+.BR charon.init_limit_half_open " [0]"
+Limit new connections based on the current number of half open IKE_SAs (see
+IKE_SA_INIT DROPPING).
+.TP
+.BR charon.init_limit_job_load " [0]"
+Limit new connections based on the number of jobs currently queued for
+processing (see IKE_SA_INIT DROPPING).
+.TP
.BR charon.install_routes " [yes]"
Install routes into a separate routing table for established IPsec tunnels
.TP
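Review bot: `charon.init_limit_half_open` and `charon.init_limit_job_load` both show a default of `[0]`, but neither description says what 0 means. If 0 disables the respective limit, say so explicitly (e.g. "... (0 disables the limit)"), since an operator tuning a responder under load needs to know that no IKE_SA_INIT dropping happens unless one of these is set.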
@@ -295,6 +313,9 @@ Start phase2 EAP TNC protocol after successful client authentication
Request peer authentication based on a client certificate
.TP
+.BR charon.plugins.eap-radius.accounting " [no]"
+Send RADIUS accounting information to RADIUS servers.
+.TP
.BR charon.plugins.eap-radius.class_group " [no]"
Use the
.I class
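Review bot: `+Send RADIUS accounting information to RADIUS servers.` ends with a period while the neighbouring descriptions in this list ("Request peer authentication based on a client certificate") do not; drop the period for consistency.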
@@ -449,20 +470,57 @@ Section to configure the load-tester plugin, see LOAD TESTS
.BR charon.plugins.resolve.file " [/etc/resolv.conf]"
File where to add DNS server entries
.TP
+.BR charon.plugins.resolve.resolvconf.iface_prefix " [lo.inet.ipsec.]"
+Prefix used for interface names sent to resolvconf(8). The nameserver address
+is appended to this prefix to make it unique. The result has to be a valid
+interface name according to the rules defined by resolvconf. Also, it should
+have a high priority according to the order defined in interface-order(5).
+.TP
.BR charon.plugins.sql.database
Database URI for charons SQL plugin
.TP
.BR charon.plugins.sql.loglevel " [-1]"
Loglevel for logging to SQL database
.TP
+.BR charon.plugins.stroke.ignore_missing_ca_basic_constraint " [no]"
+Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA
+certificates even if they don't contain a CA basic constraint.
+.TP
+.BR charon.plugins.stroke.max_concurrent " [4]"
+Maximum number of stroke messages handled concurrently
+.TP
+.BR charon.plugins.tnc-ifmap.device_name
+Unique name of strongSwan as a PEP and/or PDP device
+.TP
+.BR charon.plugins.tnc-ifmap.key_file
+Concatenated client certificate and private key
+.TP
+.BR charon.plugins.tnc-ifmap.password
+Authentication password of strongSwan MAP client
+.TP
+.BR charon.plugins.tnc-ifmap.server_cert
+Certificate of MAP server
+.TP
+.BR charon.plugins.tnc-ifmap.ssl_passphrase
+Passphrase protecting the private key
+.TP
+.BR charon.plugins.tnc-ifmap.username
+Authentication username of strongSwan MAP client
+.TP
.BR charon.plugins.tnc-imc.preferred_language " [en]"
Preferred language for TNC recommendations
.TP
-.BR charon.plugins.tnc-imc.tnc_config " [/etc/tnc_config]"
-TNC IMC configuration directory
+.BR charon.plugins.tnc-pdp.method " [ttls]"
+EAP tunnel method to be used
.TP
-.BR charon.plugins.tnc-imv.tnc_config " [/etc/tnc_config]"
-TNC IMV configuration directory
+.BR charon.plugins.tnc-pdp.port " [1812]"
+RADIUS server port the strongSwan PDP is listening on
+.TP
+.BR charon.plugins.tnc-pdp.secret
+Shared RADIUS secret between strongSwan PDP and NAS
+.TP
+.BR charon.plugins.tnc-pdp.server
+name of the strongSwan PDP as contained in the AAA certificate
.TP
.BR charon.plugins.whitelist.enable " [yes]"
enable loaded whitelist plugin
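Review bot: `+name of the strongSwan PDP as contained in the AAA certificate` starts lowercase, unlike every other description in this list; capitalize "Name". Two further points: `charon.plugins.tnc-ifmap.password` and `charon.plugins.tnc-ifmap.ssl_passphrase` put a credential and a key passphrase into strongswan.conf, so the descriptions should remind readers to keep the file readable only by root; and the removed `charon.plugins.tnc-imc.tnc_config` / `charon.plugins.tnc-imv.tnc_config` entries are superseded by the `libtnccs.tnc_config` entry added later in this patch, which is worth mentioning so users of the old keys know where the setting moved.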
@@ -502,6 +560,10 @@ Check daemon, libstrongswan and plugin integrity at startup
.BR libstrongswan.leak_detective.detailed " [yes]"
Includes source file names and line numbers in leak detective output
.TP
+.BR libstrongswan.processor.priority_threads
+Subsection to configure the number of reserved threads per priority class
+see JOB PRIORITY MANAGEMENT
+.TP
.BR libstrongswan.x509.enforce_critical " [yes]"
Discard certificates with unsupported or unknown critical extensions
.SS libstrongswan.plugins subsection
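Review bot: `+Subsection to configure the number of reserved threads per priority class` runs straight into `+see JOB PRIORITY MANAGEMENT` with no punctuation; the file's own convention is "Section to define file loggers, see LOGGER CONFIGURATION", so add the comma (or a period and a new sentence).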
@@ -519,8 +581,96 @@ Use faster random numbers in gcrypt; for testing only, produces weak keys!
ENGINE ID to use in the OpenSSL plugin
.TP
.BR libstrongswan.plugins.pkcs11.modules
+List of available PKCS#11 modules
+.TP
+.BR libstrongswan.plugins.pkcs11.use_dh " [no]"
+Whether the PKCS#11 modules should be used for DH and ECDH (see use_ecc option)
+.TP
+.BR libstrongswan.plugins.pkcs11.use_ecc " [no]"
+Whether the PKCS#11 modules should be used for ECDH and ECDSA public key
+operations. ECDSA private keys can be used regardless of this option
.TP
.BR libstrongswan.plugins.pkcs11.use_hasher " [no]"
+Whether the PKCS#11 modules should be used to hash data
+.TP
+.BR libstrongswan.plugins.pkcs11.use_pubkey " [no]"
+Whether the PKCS#11 modules should be used for public key operations, even for
+keys not stored on tokens
+.TP
+.BR libstrongswan.plugins.pkcs11.use_rng " [no]"
+Whether the PKCS#11 modules should be used as RNG
+.SS libtnccs section
+.TP
+.BR libtnccs.tnc_config " [/etc/tnc_config]"
+TNC IMC/IMV configuration directory
+.SS libimcv section
+.TP
+.BR libimcv.debug_level " [1]"
+Debug level for a stand-alone libimcv library
+.TP
+.BR libimcv.stderr_quiet " [no]"
+Disable output to stderr with a stand-alone libimcv library
+.SS libimcv plugins section
+.TP
+.BR libimcv.plugins.imc-attestation.platform_info
+Information on operating system and hardware platform
+.TP
+.BR libimcv.plugins.imc-attestation.aik_blob
+AIK encrypted private key blob file
+.TP
+.BR libimcv.plugins.imc-attestation.aik_cert
+AIK certificate file
+.TP
+.BR libimcv.plugins.imc-attestation.aik_key
+AIK public key file
+.TP
+.BR libimcv.plugins.imv-attestation.nonce_len " [20]"
+DH nonce length
+.TP
+.BR libimcv.plugins.imv-attestation.use_quote2 " [yes]"
+Use Quote2 AIK signature instead of Quote signature
+.TP
+.BR libimcv.plugins.imv-attestation.cadir
+Path to directory with AIK cacerts
+.TP
+.BR libimcv.plugins.imv-attestation.database
+Path to database with file measurement information
+.TP
+.BR libimcv.plugins.imv-attestation.dh_group " [ecp256]"
+Preferred Diffie-Hellman group
+.TP
+.BR libimcv.plugins.imv-attestation.hash_algorithm " [sha256]"
+Preferred measurement hash algorithm
+.TP
+.BR libimcv.plugins.imv-attestation.min_nonce_len " [0]"
+DH minimum nonce length
+.TP
+.BR libimcv.plugins.imv-attestation.platform_info
+Information on operating system and hardware platform
+.TP
+.BR libimcv.plugins.imv-scanner.closed_port_policy " [yes]"
+By default all ports must be closed (yes) or can be open (no)
+.TP
+.BR libimcv.plugins.imv-scanner.tcp_ports
+List of TCP ports that can be open or must be closed
+.TP
+.BR libimcv.plugins.imv-scanner.udp_ports
+List of UDP ports that can be open or must be closed
+.TP
+.BR libimcv.plugins.imc-test.additional_ids " [0]"
+Number of additional IMC IDs
+.TP
+.BR libimcv.plugins.imc-test.command " [none]"
+Command to be sent to the Test IMV
+.TP
+.BR libimcv.plugins.imc-test.retry " [no]"
+Do a handshake retry
+.TP
+.BR libimcv.plugins.imc-test.retry_command
+Command to be sent to the Test IMV in the handshake retry
+.TP
+.BR libimcv.plugins.imv-test.rounds " [0]"
+Number of IMC-IMV retry rounds
.SS libtls section
.TP
.BR libtls.cipher
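Review bot: the new heading `+.SS libimcv plugins section` does not follow the form of the sibling heading visible in context, `.SS libstrongswan.plugins subsection`; use `.SS libimcv.plugins subsection` so the section names match the dotted keys they contain. Also, `imv-attestation.nonce_len` and `imv-attestation.use_quote2` are inserted ahead of `imv-attestation.cadir`, breaking the alphabetical order the rest of the list keeps, and `+By default all ports must be closed (yes) or can be open (no)` is hard to read on its own; it should say how the policy interacts with the `tcp_ports` / `udp_ports` lists that follow it.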
@@ -637,6 +787,9 @@ Plugins to load in ipsec pool tool
Plugins to load in ipsec scepclient tool
.SS starter section
.TP
+.BR starter.load
+Plugins to load in starter
+.TP
.BR starter.load_warning " [yes]"
Disable charon/pluto plugin load option warning
@@ -700,6 +853,14 @@ identifier for each IKE_SA.
Prefix each log entry with a timestamp. The option accepts a format string as
passed to
.BR strftime (3).
+.TP
+.BR charon.syslog.identifier
+Global identifier used for an
+.BR openlog (3)
+call, prepended to each log message by syslog. If not configured,
+.BR openlog (3)
+is not called, so the value will depend on system defaults (often the program
+name).
.SS Subsystems
.TP
@@ -727,6 +888,9 @@ IPsec/Networking kernel interface
.B net
IKE network communication
.TP
+.B asn
+Low-level encoding/decoding (ASN.1, X.509 etc.)
+.TP
.B enc
Packet encoding/decoding encryption/decryption operations
.TP
@@ -735,6 +899,18 @@ libtls library messages
.TP
.B lib
libstrongwan library messages
+.TP
+.B tnc
+Trusted Network Connect
+.TP
+.B imc
+Integrity Measurement Collector
+.TP
+.B imv
+Integrity Measurement Verifier
+.TP
+.B pts
+Platform Trust Service
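Review bot: the unchanged context line directly above the new entries reads `libstrongwan library messages` (missing "s" in libstrongswan); worth fixing while this subsystem list is being touched.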
.SS Loglevels
.TP
.B -1
@@ -783,6 +959,149 @@ Also include sensitive material in dumps, e.g. keys
}
.EE
+.SH JOB PRIORITY MANAGEMENT
+Some operations in the IKEv2 daemon charon are currently implemented
+synchronously and blocking. Two examples for such operations are communication
+with a RADIUS server via EAP-RADIUS, or fetching CRL/OCSP information during
+certificate chain verification. Under high load conditions, the thread pool may
+run out of available threads, and some more important jobs, such as liveness
+checking, may not get executed in time.
+.PP
+To prevent thread starvation in such situations job priorities were introduced.
+The job processor will reserve some threads for higher priority jobs, these
+threads are not available for lower priority, locking jobs.
+.SS Implementation
+Currently 4 priorities have been defined, and they are used in charon as
+follows:
+.TP
+.B CRITICAL
+Priority for long-running dispatcher jobs.
+.TP
+.B HIGH
+INFORMATIONAL exchanges, as used by liveness checking (DPD).
+.TP
+.B MEDIUM
+Everything not HIGH/LOW, including IKE_SA_INIT processing.
+.TP
+.B LOW
+IKE_AUTH message processing. RADIUS and CRL fetching block here
+.PP
+Although IKE_SA_INIT processing is computationally expensive, it is explicitly
+assigned to the MEDIUM class. This allows charon to do the DH exchange while
+other threads are blocked in IKE_AUTH. To prevent the daemon from accepting more
+IKE_SA_INIT requests than it can handle, use IKE_SA_INIT DROPPING.
+.PP
+The thread pool processes jobs strictly by priority, meaning it will consume all
+higher priority jobs before looking for ones with lower priority. Further, it
+reserves threads for certain priorities. A priority class having reserved
+.I n
+threads will always have
+.I n
+threads available for this class (either currently processing a job, or waiting
+for one).
+.SS Configuration
+To ensure that there are always enough threads available for higher priority
+tasks, threads must be reserved for each priority class.
+.TP
+.BR libstrongswan.processor.priority_threads.critical " [0]"
+Threads reserved for CRITICAL priority class jobs
+.TP
+.BR libstrongswan.processor.priority_threads.high " [0]"
+Threads reserved for HIGH priority class jobs
+.TP
+.BR libstrongswan.processor.priority_threads.medium " [0]"
+Threads reserved for MEDIUM priority class jobs
+.TP
+.BR libstrongswan.processor.priority_threads.low " [0]"
+Threads reserved for LOW priority class jobs
+.PP
+Let's consider the following configuration:
+.PP
+.EX
+ libstrongswan {
+ processor {
+ priority_threads {
+ high = 1
+ medium = 4
+ }
+ }
+ }
+.EE
+.PP
+With this configuration, one thread is reserved for HIGH priority tasks. As
+currently only liveness checking and stroke message processing is done with
+high priority, one or two threads should be sufficient.
+.PP
+The MEDIUM class mostly processes non-blocking jobs. Unless your setup is
+experiencing many blocks in locks while accessing shared resources, threads for
+one or two times the number of CPU cores is fine.
+.PP
+It is usually not required to reserve threads for CRITICAL jobs. Jobs in this
+class rarely return and do not release their thread to the pool.
+.PP
+The remaining threads are available for LOW priority jobs. Reserving threads
+does not make sense (until we have an even lower priority).
+.SS Monitoring
+To see what the threads are actually doing, invoke
+.IR "ipsec statusall" .
+Under high load, something like this will show up:
+.PP
+.EX
+ worker threads: 2 or 32 idle, 5/1/2/22 working,
+ job queue: 0/0/1/149, scheduled: 198
+.EE
+.PP
+From 32 worker threads,
+.IP 2
+are currently idle.
+.IP 5
+are running CRITICAL priority jobs (dispatching from sockets, etc.).
+.IP 1
+is currently handling a HIGH priority job. This is actually the thread currently
+providing this information via stroke.
+.IP 2
+are handling MEDIUM priority jobs, likely IKE_SA_INIT or CREATE_CHILD_SA
+messages.
+.IP 22
+are handling LOW priority jobs, probably waiting for an EAP-RADIUS response
+while processing IKE_AUTH messages.
+.PP
+The job queue load shows how many jobs are queued for each priority, ready for
+execution. The single MEDIUM priority job will get executed immediately, as
+we have two spare threads reserved for MEDIUM class jobs.
+
+.SH IKE_SA_INIT DROPPING
+If a responder receives more connection requests per seconds than it can handle,
+it does not make sense to accept more IKE_SA_INIT messages. And if they are
+queued but can't get processed in time, an answer might be sent after the
+client has already given up and restarted its connection setup. This
+additionally increases the load on the responder.
+.PP
+To limit the responder load resulting from new connection attempts, the daemon
+can drop IKE_SA_INIT messages just after reception. There are two mechanisms to
+decide if this should happen, configured with the following options:
+.TP
+.BR charon.init_limit_half_open " [0]"
+Limit based on the number of half open IKE_SAs. Half open IKE_SAs are SAs in
+connecting state, but not yet established.
+.TP
+.BR charon.init_limit_job_load " [0]"
+Limit based on the number of jobs currently queued for processing (sum over all
+job priorities).
+.PP
+The second limit includes load from other jobs, such as rekeying. Choosing a
+good value is difficult and depends on the hardware and expected load.
+.PP
+The first limit is simpler to calculate, but includes the load from new
+connections only. If your responder is capable of negotiating 100 tunnels/s, you
+might set this limit to 1000. The daemon will then drop new connection attempts
+if generating a response would require more than 10 seconds. If you are
+allowing for a maximum response time of more than 30 seconds, consider adjusting
+the timeout for connecting IKE_SAs
+.RB ( charon.half_open_timeout ).
+A responder, by default, deletes an IKE_SA if the initiator does not establish
+it within 30 seconds. Under high load, a higher value might be required.
+
.SH LOAD TESTS
To do stability testing and performance optimizations, the IKEv2 daemon charon
provides the load-tester plugin. This plugin allows to setup thousands of
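Review bot: the sample output `+ worker threads: 2 or 32 idle, 5/1/2/22 working,` should read "2 of 32 idle"; the explanation that follows ("From 32 worker threads, 2 are currently idle") confirms the intent, and a reader comparing against real `ipsec statusall` output will otherwise be misled. Smaller items in the same hunk: "per seconds" in the IKE_SA_INIT DROPPING intro should be "per second"; "RADIUS and CRL fetching block here" in the LOW entry lacks a terminating period; "in such situations job priorities were introduced" wants a comma after "situations"; and the two bare empty lines before `.SH IKE_SA_INIT DROPPING` and `.SH LOAD TESTS` should be removed or replaced by `.PP`, since blank input lines in roff produce stray vertical space.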
@@ -802,9 +1121,15 @@ Delay between initiatons for each thread
.BR charon.plugins.load-tester.delete_after_established " [no]"
Delete an IKE_SA as soon as it has been established
.TP
+.BR charon.plugins.load-tester.dpd_delay " [0]"
+DPD delay to use in load test
+.TP
.BR charon.plugins.load-tester.dynamic_port " [0]"
Base port to be used for requests (each client uses a different port)
.TP
+.BR charon.plugins.load-tester.eap_password " [default-pwd]"
+EAP secret to use in load test
+.TP
.BR charon.plugins.load-tester.enable " [no]"
Enable the load testing plugin
.TP
@@ -814,18 +1139,27 @@ Fake the kernel interface to allow load-testing against self
.BR charon.plugins.load-tester.ike_rekey " [0]"
Seconds to start IKE_SA rekeying after setup
.TP
+.BR charon.plugins.load-tester.init_limit " [0]"
+Global limit of concurrently established SAs during load test
+.TP
.BR charon.plugins.load-tester.initiators " [0]"
Number of concurrent initiator threads to use in load test
.TP
.BR charon.plugins.load-tester.initiator_auth " [pubkey]"
Authentication method(s) the intiator uses
.TP
+.BR charon.plugins.load-tester.initiator_id
+Initiator ID used in load test
+.TP
.BR charon.plugins.load-tester.iterations " [1]"
Number of IKE_SAs to initate by each initiator in load test
.TP
.BR charon.plugins.load-tester.pool
Provide INTERNAL_IPV4_ADDRs from a named pool
.TP
+.BR charon.plugins.load-tester.preshared_key " [default-psk]"
+Preshared key to use in load test
+.TP
.BR charon.plugins.load-tester.proposal " [aes128-sha1-modp768]"
IKE proposal to use in load test
.TP
@@ -835,6 +1169,9 @@ Address to initiation connections to
.BR charon.plugins.load-tester.responder_auth " [pubkey]"
Authentication method(s) the responder uses
.TP
+.BR charon.plugins.load-tester.responder_id
+Responder ID used in load test
+.TP
.BR charon.plugins.load-tester.request_virtual_ip " [no]"
Request an INTERNAL_IPV4_ADDR from the server
.TP