JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
System Administration Guide: IP Services     Oracle Solaris 10 8/11 Information Library
search filter icon
search icon

Document Information


Part I Introducing System Administration: IP Services

1.  Oracle Solaris TCP/IP Protocol Suite (Overview)

Part II TCP/IP Administration

2.  Planning Your TCP/IP Network (Tasks)

3.  Introducing IPv6 (Overview)

4.  Planning an IPv6 Network (Tasks)

5.  Configuring TCP/IP Network Services and IPv4 Addressing (Tasks)

6.  Administering Network Interfaces (Tasks)

7.  Configuring an IPv6 Network (Tasks)

8.  Administering a TCP/IP Network (Tasks)

9.  Troubleshooting Network Problems (Tasks)

10.  TCP/IP and IPv4 in Depth (Reference)

11.  IPv6 in Depth (Reference)


12.  About DHCP (Overview)

13.  Planning for DHCP Service (Tasks)

14.  Configuring the DHCP Service (Tasks)

15.  Administering DHCP (Tasks)

16.  Configuring and Administering the DHCP Client

17.  Troubleshooting DHCP (Reference)

18.  DHCP Commands and Files (Reference)

Part IV IP Security

19.  IP Security Architecture (Overview)

20.  Configuring IPsec (Tasks)

21.  IP Security Architecture (Reference)

IPsec Service Management Facility

ipsecconf Command

ipsecinit.conf File

Sample ipsecinit.conf File

Security Considerations for ipsecinit.conf and ipsecconf

ipsecalgs Command

Security Associations Database for IPsec

Utilities for Key Generation in IPsec

Security Considerations for ipseckey

IPsec Extensions to Other Utilities

ifconfig Command and IPsec

auth_algs Security Option

encr_auth_algs Security Option

encr_algs Security Option

snoop Command and IPsec

22.  Internet Key Exchange (Overview)

23.  Configuring IKE (Tasks)

24.  Internet Key Exchange (Reference)

25.  IP Filter in Oracle Solaris (Overview)

26.  IP Filter (Tasks)

Part V Mobile IP

27.  Mobile IP (Overview)

28.  Administering Mobile IP (Tasks)

29.  Mobile IP Files and Commands (Reference)


30.  Introducing IPMP (Overview)

31.  Administering IPMP (Tasks)

Part VII IP Quality of Service (IPQoS)

32.  Introducing IPQoS (Overview)

33.  Planning for an IPQoS-Enabled Network (Tasks)

34.  Creating the IPQoS Configuration File (Tasks)

35.  Starting and Maintaining IPQoS (Tasks)

36.  Using Flow Accounting and Statistics Gathering (Tasks)

37.  IPQoS in Detail (Reference)



Utilities for Key Generation in IPsec

The IKE protocol provides automatic key management for IPv4 and IPv6 addresses. See Chapter 23, Configuring IKE (Tasks) for instructions on how to set up IKE. The manual keying utility is the ipseckey command, which is described in the ipseckey(1M) man page.

You use the ipseckey command to manually populate the security associations database (SADB). Typically, manual SA generation is used when IKE is unavailable for some reason. However, if the SPI values are unique, manual SA generation and IKE can be used at the same time.

The ipseckey command can be used to view all SAs that are known to the system, whether the keys were added manually or by IKE. Starting in the Solaris 10 4/09 release, with the -c option, the ipseckey command checks the syntax of the keys file that you provide as an argument.

IPsec SAs that are added by the ipseckey command are not persistent over system reboot. In the current release, to enable manually added SAs at system boot, add entries to the /etc/inet/secret/ipseckeys file, then enable the svc:/network/ipsec/manual-key:default service. For the procedure, see How to Manually Create IPsec Security Associations.

While the ipseckey command has only a limited number of general options, the command supports a rich command language. You can specify that requests be delivered by means of a programmatic interface specific for manual keying. For additional information, see the pf_key(7P) man page.

Security Considerations for ipseckey

The ipseckey command enables superuser or a role with the Network Security or Network IPsec Management rights profile to enter sensitive cryptographic keying information. If an adversary gains access to this information, the adversary can compromise the security of IPsec traffic.

You should consider the following issues when you handle keying material and use the ipseckey command:

Security weaknesses often arise from the misapplication of tools, not from the actual tools. You should be cautious when using the ipseckey command. Use a console or other hard-connected TTY for the safest mode of operation.