1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
|
.TH IPSEC_SPI 5 "26 Jun 2000"
.\"
.\" RCSID $Id: spi.5,v 1.1 2004/03/15 20:35:31 as Exp $
.\"
.SH NAME
ipsec_spi \- list IPSEC Security Associations
.SH SYNOPSIS
.B ipsec
.B spi
.PP
.B cat
.B /proc/net/ipsec_spi
.PP
.SH DESCRIPTION
.I /proc/net/ipsec_spi
is a read-only file that lists the current IPSEC Security Associations.
A Security Association (SA) is a transform through which packet contents
are to be processed before being forwarded. A transform can be an
IPv4-in-IPv4 or IPv6-in-IPv6 encapsulation, an IPSEC Authentication Header (authentication
with no encryption), or an IPSEC Encapsulation Security Payload
(encryption, possibly including authentication).
.PP
When a packet is passed from a higher networking layer through an IPSEC
virtual interface, a search in the extended routing table (see
.IR ipsec_eroute (5))
yields
a IP protocol number
,
a Security Parameters Index (SPI)
and
an effective destination address
.
When an IPSEC packet arrives from the network,
its ostensible destination, an SPI and an IP protocol
specified by its outermost IPSEC header are used.
The destination/SPI/protocol combination is used to select a relevant SA.
(See
.IR ipsec_spigrp (5)
for discussion of how multiple transforms are combined.)
.PP
An
.I spi ,
.I proto,
.I daddr
and
.IR address_family
arguments specify an SAID.
.I Proto
is an ASCII string, "ah", "esp", "comp" or "tun", specifying the IP protocol.
.I Spi
is a number, preceded by '.' indicating hexadecimal and IPv4 or by ':' indicating hexadecimal and IPv6,
where each hexadecimal digit represents 4 bits,
between
.B 0x100
and
.BR 0xffffffff ;
values from
.B 0x0
to
.B 0xff
are reserved.
.I Daddr
is a dotted-decimal IPv4 destination address or a coloned hex IPv6 destination address.
.PP
An
.I SAID
combines the three parameters above, such as: "tun.101@1.2.3.4" for IPv4 or "tun:101@3049:1::1" for IPv6
.PP
A table entry consists of:
.IP + 3
.BR SAID
.IP +
<transform name (proto,encalg,authalg)>:
.IP +
direction (dir=)
.IP +
source address (src=)
.IP +
source and destination addresses and masks for inner header policy check
addresses (policy=), as dotted-quads or coloned hex, separated by '->',
for IPv4-in-IPv4 or IPv6-in-IPv6 SAs only
.IP +
initialisation vector length and value (iv_bits=, iv=) if non-zero
.IP +
out-of-order window size, number of out-of-order errors, sequence
number, recently received packet bitmask, maximum difference between
sequence numbers (ooowin=, ooo_errs=, seq=, bit=, max_seq_diff=) if SA
is AH or ESP and if individual items are non-zero
.IP +
extra flags (flags=) if any are set
.IP +
authenticator length in bits (alen=) if non-zero
.IP +
authentication key length in bits (aklen=) if non-zero
.IP +
authentication errors (auth_errs=) if non-zero
.IP +
encryption key length in bits (eklen=) if non-zero
.IP +
encryption size errors (encr_size_errs=) if non-zero
.IP +
encryption padding error warnings (encr_pad_errs=) if non-zero
.IP +
lifetimes legend, c=Current status, s=Soft limit when exceeded will
initiate rekeying, h=Hard limit will cause termination of SA (life(c,s,h)=)
.IP + 6
number of connections to which the SA is allocated (c), that will cause a
rekey (s), that will cause an expiry (h) (alloc=), if any value is non-zero
.IP +
number of bytes processesd by this SA (c), that will cause a rekey (s), that
will cause an expiry (h) (bytes=), if any value is non-zero
.IP +
time since the SA was added (c), until rekey (s), until expiry (h), in seconds (add=)
.IP +
time since the SA was first used (c), until rekey (s), until expiry (h), in seconds (used=),
if any value is non-zero
.IP +
number of packets processesd by this SA (c), that will cause a rekey (s), that
will cause an expiry (h) (packets=), if any value is non-zero
.IP + 3
time since the last packet was processed, in seconds (idle=), if SA has
been used
.IP
average compression ratio (ratio=)
.SH EXAMPLES
.B "tun.12a@192.168.43.1 IPIP: dir=out src=192.168.43.2"
.br
.B " life(c,s,h)=bytes(14073,0,0)add(269,0,0)"
.br
.B " use(149,0,0)packets(14,0,0)"
.br
.B " idle=23
.LP
is an outbound IPv4-in-IPv4 (protocol 4) tunnel-mode SA set up between machines
192.168.43.2 and 192.168.43.1 with an SPI of 12a in hexadecimal that has
passed about 14 kilobytes of traffic in 14 packets since it was created,
269 seconds ago, first used 149 seconds ago and has been idle for 23
seconds.
.LP
.B "esp:9a35fc02@3049:1::1 ESP_3DES_HMAC_MD5:"
.br
.B " dir=in src=9a35fc02@3049:1::2"
.br
.B " ooowin=32 seq=7149 bit=0xffffffff"
.br
.B " alen=128 aklen=128 eklen=192"
.br
.B " life(c,s,h)=bytes(1222304,0,0)add(4593,0,0)"
.br
.B " use(3858,0,0)packets(7149,0,0)"
.br
.B " idle=23"
.LP
is an inbound Encapsulating Security Payload (protocol 50) SA on machine
3049:1::1 with an SPI of 9a35fc02 that uses 3DES as the encryption
cipher, HMAC MD5 as the authentication algorithm, an out-of-order
window of 32 packets, a present sequence number of 7149, every one of
the last 32 sequence numbers was received, the authenticator length and
keys is 128 bits, the encryption key is 192 bits (actually 168 for 3DES
since 1 of 8 bits is a parity bit), has passed 1.2 Mbytes of data in
7149 packets, was added 4593 seconds ago, first used
3858 seconds ago and has been idle for 23 seconds.
.LP
.SH FILES
/proc/net/ipsec_spi, /usr/local/bin/ipsec
.SH "SEE ALSO"
ipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_eroute(5),
ipsec_spigrp(5), ipsec_klipsdebug(5), ipsec_spi(8), ipsec_version(5),
ipsec_pf_key(5)
.SH HISTORY
Written for the Linux FreeS/WAN project
<http://www.freeswan.org/>
by Richard Guy Briggs.
.SH BUGS
The add and use times are awkward, displayed in seconds since machine
start. It would be better to display them in seconds before now for
human readability.
.\"
.\" $Log: spi.5,v $
.\" Revision 1.1 2004/03/15 20:35:31 as
.\" added files from freeswan-2.04-x509-1.5.3
.\"
.\" Revision 1.9 2002/04/24 07:35:39 mcr
.\" Moved from ./klips/utils/spi.5,v
.\"
.\" Revision 1.8 2001/08/01 23:22:44 rgb
.\" Fix inconsistancies between manpage and output.
.\"
.\" Revision 1.7 2000/11/30 16:47:28 rgb
.\" Added src= to /proc/net/ipsec_spi manpage.
.\"
.\" Revision 1.6 2000/09/17 18:56:48 rgb
.\" Added IPCOMP support.
.\"
.\" Revision 1.5 2000/09/13 15:54:32 rgb
.\" Added Gerhard's ipv6 updates.
.\"
.\" Revision 1.4 2000/07/05 17:24:03 rgb
.\" Updated for relative, rather than absolute values for addtime and
.\" usetime.
.\"
.\" Revision 1.3 2000/06/30 18:21:55 rgb
.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5)
.\" and correct FILES sections to no longer refer to /dev/ipsec which has
.\" been removed since PF_KEY does not use it.
.\"
.\" Revision 1.2 2000/06/28 12:44:12 henry
.\" format touchup
.\"
.\" Revision 1.1 2000/06/28 05:43:00 rgb
.\" Added manpages for all 5 klips utils.
.\"
.\"
|