SunScreen SKIP User's Guide, Release 1.5.1

Chapter 4 Using the Command-Line Interface

This chapter describes how to use the command-line interface.


Note -

To use the command-line interface, you must be logged in as root.


SKIP Command-Line Interface

The SunScreen command-line interface commands follow, including a brief description of what they do. Many of these commands duplicate what can also be done using the GUI, while others are enabling commands for other commands. For a more complete discussion of the command-line interface, refer to the man pages for SunScreen SKIP.

print_cert

Prints a certificate to standard output. 

certreq

Requests and retrieves a certificate from a key server or other host. 

install_skip_keys

Installs a private key and certificate received from a key server or from the SunCA. 

skipca

Manages the SKIP Certificate Authorities Database. It is used to add, delete, or list CAs. 

skipd

skipd is not a user command but a system daemon that the user does not normally start directly. It is started at system boot and restarted when necessary with the skipd_restart command. Only one key manager may be running at a time, and it must be started by root.

skipd.conf

This is not a command but the SKIP Key Manager configuration file. 

skip_conf

Changes the skipd.conf configuration parameters.

skipd_restart

Kills the existing running SKIP key-management daemon (skipd) and starts a new one. It is used after any changes in key configurations to make them permanent.

skipdb

Administers the SKIP database of certificates. SKIP stores the long-term certificates in the database so that the key manager can have access to them. 

skiphost

Lists, adds, or deletes host, network, or nomadic (mobile) system information from SKIP's ACL. skiphost can also be used to enable or disable SKIP.

skipif

Adds or removes SKIP from the network interfaces. It is also used to save ACL status. 

skiplocal

Used to manage the SKIP local keys for the workstation. It is used to add, delete, or print local keys. 

skiplog

Displays security events for the local system. 

skipstat

Displays statistical information about the use of SKIP on the local system. 

skipvar

Allows you to display and edit SKIP internal keystore variables.

Using the Command-Line Interface

print_cert: Printing a Certificate to Standard Output

print_cert prints the contents of the certificate found in the certificate file specified. You can specify the type of certificate--the types of certificates supported are X.509 and UDH. The default is X.509.

Syntax

print_cert -[V|t]

Options

-V

Prints the output in a machine readable form. 

-t

Specifies the type of the certificate provided. The supported types are X.509 (1) and UDH (4).

certreq: Retrieving a Certificate From a Key Server

certreq is a maintenance command. It requests and retrieves a certificate from a key server or other host. You must specify the key ID and key server. This command is a debugging tool and is not meant for general use. The interface is cryptic and there is no way to specify a host name or IP address instead of the key ID, even if the key ID is identical to the IP address.

Syntax

certreq [-d] [-n NSID] [-h server] [keyid]

Options

-d

Requests that the received certificate be decoded prior to output. Without the -d option, the raw certificate, suitable for saving into a file, is written to standard out. 

-n NSID

By default NSID 1 is used for retrievals. Any NSID number may be specified with the -n option.

-h server

Specifies the key server. 

keyid

The Master Key ID specified in hex. 

install_skip_keys: Installing Keys and Certificates From a Certificate Authority

install_skip_keys installs keys received from a key server (default) or from the SunCA (if -icg is specified). If you are installing a key package from a key server, the filename specifies the name of that package. The key file is a Pretty Good Privacy (PGP) or an encoded file containing: a Diffie-Hellman private key, a Diffie-Hellman signed public key, the common Diffie-Hellman parameters used by the certificate issuer, the certificate issuer's signed public key, and an MD5 checksum of the other four files. The filename is an encoded tar file usually received from a key server or other certificate issuer.

If you are installing a SunCA certificate, the filename is the name of the directory that contains the files. This is usually a diskette, so the path will often be similar to /floppy/floppy0.

install_skip_keys verifies the MD5 checksums of the individual files with the checksum file. If they match, the files are copied into place.

The key manager must be restarted (see skipd_restart) in order for it to recognize the new keys.

Currently, the name of the certificate is hard coded into the code. Certificates are expected to come from the SKIP experimental Zero Assurance Certificate Issuer or the SunCA. Even if they do not, the certificate will have to be called ZeroAssurance_Cert. This release does not support multiple certificate issuers.

Syntax

install_skip_keys [-icg] filename

Options

-icg filename

filename is the name of the directory that contains the files.

skipca: Setting Up Trusted CAs

Certificates are the digital documents that testify to the binding of a public key to an individual or other entity for the purpose of preventing someone else from impersonating you. In order for two hosts running a security package to communicate, they must exchange certificates. The skipca command-line interface is used to designate a CA as trusted and to manage that database. The skipca options let you add, extract, initialize, list, delete, create, and revoke CA certificates.

You must restart the key manager with skipd_restart before any changes will take effect.

This command has broad security implications. By designating a CA, you are trusting the identity of all certificates signed by that CA. Since root CA certificates are self-signed, there is no automated way to verify that a CA certificate actually comes from that CA. Before adding a CA certificate, you must be absolutely certain that the certificate is valid. Validity may be checked by having the CA publish the hash of its certificate publicly and comparing that hash with the hash obtained from the certificate.
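Both the checksum check that install_skip_keys performs before copying a key package into place and the out-of-band fingerprint comparison recommended above, as an added example in Python (not code from SunScreen SKIP). The package file names, the "<md5hex>  <filename>" layout of the checksum file, and SHA-256 as the fingerprint hash are assumptions of this example; the sample package contents are constructed.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed names for the four components the manual says a key package
# contains, plus the checksum file; the real names are not documented here.
PACKAGE_FILES = ["dh_private", "dh_public_signed", "dh_params", "issuer_public_signed"]
MANIFEST = "checksums"


def file_digest(path, algorithm="md5"):
    """Hex digest of a file, read in chunks (MD5 is what the package checksums use)."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(pkg_dir):
    """Check every file named in the checksum file before anything is copied.

    Assumed manifest layout: one '<md5hex>  <filename>' line per file (the
    manual does not document the real format). Returns (ok, list of problems).
    """
    problems = []
    with open(os.path.join(pkg_dir, MANIFEST)) as m:
        for line in m:
            if not line.strip():
                continue
            expected, name = line.split(None, 1)
            name = name.strip()
            path = os.path.join(pkg_dir, name)
            if not os.path.isfile(path):
                problems.append(f"missing: {name}")
            elif not hmac.compare_digest(file_digest(path), expected.lower()):
                problems.append(f"checksum mismatch: {name}")
    return (not problems, problems)


def ca_fingerprint_matches(ca_file, published, algorithm="sha256"):
    """Gate for skipca -a: trust the CA file only if its digest equals the
    fingerprint the CA published out of band. SHA-256 is this example's
    choice; the manual does not name the hash."""
    wanted = published.lower().replace(":", "").replace(" ", "")
    return hmac.compare_digest(file_digest(ca_file, algorithm), wanted)


def build_sample_package():
    """Write a constructed package (dummy contents) and its checksum file
    to a temporary directory; returns the directory path."""
    pkg_dir = tempfile.mkdtemp(prefix="skipkeys-")
    lines = []
    for name in PACKAGE_FILES:
        path = os.path.join(pkg_dir, name)
        with open(path, "wb") as f:
            f.write(f"constructed contents of {name}\n".encode())
        lines.append(f"{file_digest(path)}  {name}\n")
    with open(os.path.join(pkg_dir, MANIFEST), "w") as m:
        m.writelines(lines)
    return pkg_dir


def demo():
    """Intact package verifies; a modified file and a removed file are both reported."""
    pkg_dir = build_sample_package()
    intact = verify_package(pkg_dir)
    with open(os.path.join(pkg_dir, "dh_params"), "ab") as f:
        f.write(b"tampered\n")
    os.remove(os.path.join(pkg_dir, "dh_private"))
    damaged = verify_package(pkg_dir)
    return intact, damaged


def fingerprint_demo():
    """A published fingerprint that matches the CA file, and one that is a digit off."""
    pkg_dir = build_sample_package()
    ca_file = os.path.join(pkg_dir, "issuer_public_signed")  # stands in for a CA cert
    good = file_digest(ca_file, "sha256")
    bad = ("0" if good[0] != "0" else "1") + good[1:]
    return ca_fingerprint_matches(ca_file, good.upper()), ca_fingerprint_matches(ca_file, bad)


if __name__ == "__main__":
    print(demo())
    print(fingerprint_demo())
```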

Syntax

skipca -[a|r|l|i|e|R|U] [...]

Options

-a [-c ca-file]

The -a (add) option places new certificates into the trusted Certificate Authority database. The ca-file is an X.509 certificate that is either self-signed or signed by an existing trusted CA in this CA database. Note: the add option does not copy over a CA certificate if it already exists in the CA database.

-e [-s ca-slot]

The extract command writes the CA certificate in the specified slot number to the standard output. If the output is redirected to a file, the file is suitable for the skipca -a command. 

-i [-qo]

Prior to use, the CA database must be initialized. The init option creates the database. The init option does not delete any of the CA certificates present when issued for an existing database. Use the init option with the -o operand to forcibly reinitialize the database, destroying any existing certificates. The init option with the -q operand tells init to be as quiet as possible about initialization.

-l [-VvxL] [-s ca-slot]

The list option provides a listing of all the certificates in the CA database by slot number, Issuer, and Subject. If a slot number is specified, only the CA certificate for that slot is printed. The -L flag enables printing of the certificate validity periods. -v enables a verbose display of the entire certificate. If -V is specified, the output is displayed in a machine-parseable manner. If -x is specified, the manual revocation list for that CA is displayed.

-R [-s ca-slot] [-S serialnumber]

Each CA maintains a list of certificates which have been revoked by the user. This is different from a traditional CRL as it is not distributed by the CA and is manually maintained. The revoke command allows the user to add certificates to the per-CA list of revoked certificates. ca-slot specifies which CA to operate on. The ca-slot may be obtained through the skipca -l command. serialnumber is the serial number of the certificate which you wish to revoke. Each X.509 certificate produced by a CA is numbered uniquely with a serial number.

-U [-s ca-slot] [-S serialnumber]

The unrevoke command removes hosts from the per CA revocation list. ca-slot and serialnumber are the same as the arguments for the revoke command.

-r [-s ca-slot]

The -r option deletes the CA certificate in the specified slot number.

skipdb: Managing Keys and Certificates

skipdb is used to manage certificates. Long-term certificates are stored in a database for access by the key manager. The skipdb command allows the manual administration of the certificate database.

X.509 certificates without proper signatures will not be added to the skipdb database. The CA's certificate must be added to the CA certificate database using the skipca command before adding certificates signed by that CA to the skipdb database.

Unsigned public keys are added with the appropriate hash of the contents as the name.

Syntax

skipdb -[a|r|l|i|e|C] [action specific arguments]

Options

-a [-t certtype] [-n nsid] [-c filename]

Adds certificates to the SKIP certificate database. The certtype argument sets the type of the certificate to be added. Certificate types are X.509 and UDH (unsigned Diffie-Hellman). The nsid argument is a decimal number which corresponds to the namespace of the certificate. Common nsid values are 1 (IPv4) and 8 (UDH). filename is the certificate file you wish to add to the database.

-e [-n nsid] [-k keyid]

Extracts a certificate to the standard output. The first certificate which matches nsid and keyid will be written. The extracted form is suitable for addition to a database using the skipdb -a command. This subcommand writes only one certificate to the standard output, even if there are multiple certificates which match the nsid, keyid pair.

-i [-qo]

Prior to being used, the certificate database must be initialized through the init subcommand. If the database exists, the -o option will delete the contents of the database. The -q option suppresses warning messages.

-l [-VvL] [-n nsid] [-k keyid]

Lists the certificates in the Certificate database. -V switches the output to a format more easily parsed by machines. -L lists expiration times along with the Name Space and Master KeyId. -v switches the output to a verbose mode where the entire certificate is printed. -n and -k limit the listing to certificates whose name matches the specified keyid and nsid.

-r -n nsid -k keyid

Deletes certificates in the certificate database. Certificates with the specified nsid and keyid will be deleted.

-C

Checks existence of the certificate database. Returns true upon existence. 

skipd_restart: Activating the Changes

skipd_restart reinitializes the SKIP key manager in order for the changes that you made through skipca, skipdb, and skiplocal to take effect. Any options supplied are passed through to the skipd daemon.

Syntax

skipd_restart [options]

skiphost: Setting Up the ACL

The functionality of skiphost is the same as the skiptool GUI.

Use skiphost to list, add, and delete host, network, or nomadic (mobile) systems from the ACL, as well as to enable and disable SKIP. Without arguments, it lists the state of the SKIP interface and authorized or unauthorized hosts, networks, and nomadic systems for the default interface.

The ACL allows the user to configure which remote systems can obtain access to the local host and the type of access granted. Access control is usually based on the IP address of the remote host or on the remote system's key ID.

Remote systems can be specified either as individual hosts, networks, or nomadic systems.

Hosts are specified by their host name or IP address. Networks or subnetworks are specified by a network address plus a mask similar to that used in subnetworking. Nomadic systems can be specified in SKIP and in SKIP Version 1. They are specified by a key identifier (that is, any IP address with the key ID "x").

The order of processing ACL entries is as follows. A search is made for an ACL entry specifying the remote host. If one exists, it will be used. If no entry containing the IP address can be found, then a search is made for a nomadic ACL entry containing the sender's key ID in the SKIP protocol header. If one is found and the packet is correctly authenticated, then the sender's IP address is stored for future reference.

If no corresponding ACL entry can be found for a remote system, the default is used. The default may be configured to allow access or to deny access. This method is similar to the method used by IP when it is deciding how to route a packet to a destination (that is, host routes take precedence over network routes, and, in the absence of anything better, the default route is used).

When applying access control, the system treats the lists of authorized and excluded systems as a global list and always selects the best match.

A default entry can be specified to indicate all other hosts not specifically covered by other access-control entries.
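The processing order above, as an added Python example (not code from SunScreen SKIP): entries are parsed from skiphost lines of the kind SKIP stores in /etc/skip/acl.<interface>, the longest-mask match is chosen among authorized and excluded address entries, a nomadic entry is matched by the sender's key ID and its address remembered once authenticated, and a dropped packet is labelled with the skiplog event it would produce. The addresses, the key ID and the class and function names are constructed for the example.

```python
import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AclEntry:
    action: str                                      # "allow" (-a) or "exclude" (-x)
    network: Optional[ipaddress.IPv4Network] = None  # None for a nomadic ('*') entry
    key_id: Optional[str] = None                     # -R receiver key ID (hex), nomadic only
    params: dict = field(default_factory=dict)       # -k / -t / -m algorithms, if given


def parse_acl(text):
    """Parse skiphost lines in the form SKIP stores them in /etc/skip/acl.<interface>."""
    entries = []
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if len(tokens) < 2 or tokens[0] != "skiphost":
            continue
        action = target = key_id = None
        mask, params, i = "255.255.255.255", {}, 1
        while i < len(tokens):
            flag = tokens[i]
            if flag in ("-T", "-P", "-V", "-f"):     # flags that take no value
                i += 1
                continue
            value = tokens[i + 1] if i + 1 < len(tokens) else ""
            if flag in ("-a", "-x"):
                action, target = ("allow" if flag == "-a" else "exclude"), value
            elif flag == "-M":
                mask = value
            elif flag == "-R":
                key_id = value.lower()
            elif flag in ("-k", "-t", "-m"):
                params[flag] = value
            i += 2                                   # other flags do not affect matching
        if action is None:                           # e.g. "skiphost -o on"
            continue
        if target == "*":
            entries.append(AclEntry(action, None, key_id, params))
        else:
            net = ipaddress.IPv4Network(f"{target}/{mask}", strict=False)
            entries.append(AclEntry(action, net, None, params))
    return entries


class Acl:
    """Best-match lookup in the order the manual gives: an entry for the host
    or network (longest mask wins; allowed and excluded entries form one list),
    then a nomadic entry by the sender's key ID, then the configured default."""

    def __init__(self, entries, default="deny"):
        self.entries = entries
        self.default = default   # "allow" or "deny" for systems with no entry
        self.learned = {}        # sender IP -> nomadic entry, kept after authentication

    def _best_address_match(self, ip):
        best = None
        for e in self.entries:
            if e.network is not None and ip in e.network:
                if best is None or e.network.prefixlen > best.network.prefixlen:
                    best = e
        return best

    def check_inbound(self, src, sender_key_id=None, pkt_params=None, authenticated=False):
        """Return ("accept", entry) or ("drop", <skiplog event name>)."""
        ip = ipaddress.IPv4Address(src)
        entry = self._best_address_match(ip) or self.learned.get(ip)
        if entry is None and sender_key_id is not None:
            for e in self.entries:
                if e.network is None and e.key_id == sender_key_id.lower():
                    entry = e
                    if authenticated:            # remember the address for later packets
                        self.learned[ip] = e
                    break
        if entry is None:
            return ("accept", None) if self.default == "allow" else ("drop", "Unknown Source")
        if entry.action == "exclude":
            return ("drop", "Excluded Source")
        if entry.params and (pkt_params or {}) != entry.params:
            return ("drop", "Bad Parameters")
        return ("accept", entry)


# Constructed sample ACL: addresses and the key ID are made up for the example.
SAMPLE_ACL = """\
skiphost -a 10.1.0.0 -M 255.255.0.0
skiphost -a 10.1.9.0 -M 255.255.255.0 -k DES -t DES -m MD5
skiphost -x 10.1.9.7
skiphost -a '*' -r 8 -R 00112233445566778899aabbccddeeff -k DES -t DES -m MD5
skiphost -o on
"""
```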


Note -

Before you enable SKIP, any hosts needed for operation of the local system must be present in the ACL. Verify that any NFS file servers, NIS servers, or any local broadcast addresses for your network are on the ACL.


Syntax


skiphost -[i|h|o|P|V|f|d|x|a][hostname/IP address][option specific arguments...]

Options

-i

The -i option takes the interface name as an argument and is used with the -o option to enable or disable SKIP for a particular interface. If this option is not specified skiphost operates on the system's primary network interface.

-f

This option is used to remove (flush) all ACL entries from a given network interface. This option will automatically disable SKIP. 

-h

This option is used to display the SKIP statistics for a given network interface. 

-o

This option enables and disables SKIP. To enable SKIP, use -o on; to disable SKIP, use -o off.

-P

Adding this option to skiphost prints the current access control list in a format that is suitable for execution in a shell script. 

-V

Adding this option to skiphost prints the current access control list in a name=value verbose format. 

hostname/IP address

Takes the -M mask argument. When skiphost is used without any options, it checks whether the given hostname or network exists in the access control list and displays its parameters.

-a

Adds the hostname or network (specified using the hostname/address -M mask argument) to the access control list and enables traffic between the hosts in the clear. To add a hostname or network and enable encrypted and/or authenticated traffic to the host, use the -k, -m and/or -t options. For more arguments, see the description of *.

-d

Removes hostname, network or nomadic system from the access control list. Also takes hostname/IP address/* -M mask as well as other option specific arguments. For more arguments, see the description of *.

-x

Excludes hostname, network or nomadic system from the access control list. Also takes hostname/IP address/* -M mask as well as other option specific arguments. For more arguments, see the description of *.

-a '*'

This option is used to specify a nomadic system. It must be used in conjunction with the authentication and receiver key ID options. To encrypt and/or authenticate communications with a remote system the following options should be used: 

-k key algorithm

Specifies the key encryption algorithm for encrypting keys. A list of supported algorithms is available using the skipstat(1M) command.

-t crypt algorithm

Specifies the traffic encryption algorithm for encrypting traffic (bulk data). 

-m mac algorithm

Specifies the authentication algorithm. 

-c comp algorithm

Specifies the compression algorithm. Not currently implemented. 

 

-r receiver NSID -R Receiver keyID -s sender NSID -S Sender keyID

The Key Name Space Identifier (NSID) options (-r and -s) control how keying information is identified in the SKIP protocol. They take numeric values from 0 to 11. The remote key ID option (-R) and the local key ID option (-S) take a hexadecimal value whose length depends on the name space being used. The default NSID values (0, "Not Present") are normally acceptable for most applications. Currently only name spaces 0 ("Not Present"), 1 ("IPv4 address") and 8 ("MD5 DH public values") are supported.

-v SKIP version

SKIP can use an old version of the protocol to communicate with SunScreen SPF-100 and SunScreen SPF-100G systems. To use this mode, specify the -v 1 option. If no version is specified, skiphost uses SKIP version 2 by default.

 

-A tunnel address

This option is used in tunneling mode to replace the destination address in outgoing packets with the supplied value. This permits hiding of network topology. By default, the tunnel address is set to the destination address. 

-T

Encrypt or authenticate only the data part of the IP packet. By default, SKIP uses tunneling mode and protects the whole packet. 

 
 

See the man pages for more detail.

skipif: Managing Network Interfaces

skipif is used to add or delete SKIP from network interfaces. skipif is also used to save SKIP's ACL for a given network interface so that it is permanent across system reboots. In addition, skipif is used to list the network interfaces present in the system and optionally to print the current access control configuration for each network interface.

SKIP's ACL for each network interface is stored as a text file (as a series of skiphost commands to be executed during SKIP start-up). SKIP's ACL files are under the /etc/skip directory, and the ACL file name for a given interface is acl.interface_name (for example, acl.le0, acl.hme0, and acl.qe1). If an incorrect or incomplete ACL prevents the system from operating, it may be necessary to modify the file manually or remove the appropriate file. Some non-LAN interfaces (PPP, for example) will not be configured at boot time even if an ACL exists for these interfaces. It is the user's responsibility to apply the SKIP configuration file for such an interface as part of the interface configuration procedure.

skipif notifies the user if it is necessary to reboot the system so that any changes will take effect.

Syntax

skipif -[i ifname|all|a|d|s|l|h]

Options

-i [interface]

The -i option is used to specify the name of the interface for which the command is applicable. If this option is not specified, skipif operates on the system's primary network interface. If the interface name all is used, the command will be applied to all the network interfaces present in the system. The loopback interface "lo0" is excluded.

-a

This option is used to add SKIP to a network interface. The access control list is initialized as empty with SKIP present on the interface but disabled (off). 

-s

This option is used to make the current access control list permanent across system reboots. This option must be used with care as an incorrect or incomplete access control list can stop the system from functioning correctly. 

-d

Deletes SKIP from a network interface. The network interface is returned to normal, non-protected operation.

-l

This option lists all the network interfaces present in the system. If the interface has SKIP added, it will be tagged [skip]. If the access control list for the interface has been modified but not saved, the interface will be tagged with [ACL not saved]. Using the -v option will cause skipif to print the access control list for each interface along with its status.

-h

This option displays the skipif usage message.

See the man pages for more detail.

skiplocal: Managing Local Identities

skiplocal is the utility for managing SKIP identities on a workstation. A host may wish to have multiple identities if it must interoperate with other hosts that have incompatible Diffie-Hellman parameters (for instance, a U.S. host may wish to communicate with other U.S. hosts with a 1024-bit modulus, but must also communicate with a host outside the U.S. that is limited to a 512-bit modulus). Each local identity has a secret, a certificate, and a unique name. The name is extracted from the certificate and used as a local identity. skiplocal is the primary tool for administering local identities. With skiplocal, you can create, delete, and list local identities based on the command option specified. When you create a new certificate, its creation date will be assigned as the day before you actually created it. This is a product feature.

You can use skiplocal to set or remove a passphrase that is used to encrypt SKIP locally stored secrets. See the -P and -R sections of the command description for more information.


Caution -

Beware of electronically transmitting access control commands to remote hosts. For complete security, the receiving system should verify the remote key ID out of band.



Note -

After adding a local ID, the key manager must be restarted using skipd_restart, in order for any changes to take effect.



Caution -

skiplocal -x does not work well for communicating with multiple keys. Since the local system does not know which key on the remote system should be used, incorrect bindings can occur. Therefore, it is recommended that the skiplocal -x command be used carefully.


Syntax

skiplocal -[a|r|l|i|e|k|x|P|R][subcommand specific arguments]...

Options

Note: 

The -d directory specifies an alternate directory to store or retrieve localID information. The default directory is /etc/skip/localid. (This option applies to all the subcommands below.)

-a [-T slot type] [-t cert type] [-n nsid] [-Z secretfile] [-c certfile]

The add command is used to add local identities to the trusted Certificate Authority database. All parameters above are required. -T specifies the type of slot. Currently, only soft, for a software slot, is implemented. -t specifies a certificate type. Currently, X.509 and UDH are implemented. -n specifies the name space in which the certificate's name lives. -Z specifies the file containing the Diffie-Hellman private key. -c specifies the certificate used to establish identity.

 

When a local ID is added, the certificate is checked for validity. Therefore, the local certificate's CA must have been previously added to the CA database with the skipca command. 

 

If a password has been assigned for encryption of secrets using the skiplocal passwd subcommand, the user will be prompted for that password prior to adding any local IDs.

-R

The rmpasswd subcommand removes the password which is used to encrypt locally stored secrets. The user is prompted for the old password, and if it matches, all secrets are decrypted and stored and the password feature is disabled.

-x [-s slot] [-n nsid]

Creates an "exportable" skiphost command line which could be used to add an access control entry for the local host on a remote system (that is, in the remote /etc/skip/acl.interface file).

 

By default, -x will choose the first slot in the local identity database. A slot may be specified with the -s option. If the -n option is provided, the first slot with an identity in the given namespace will be used.

 

An attempt is made to determine the local hostname for inclusion in the generated skiphost command. This hostname may be overridden by setting the SKIPLOCAL_EXPORT_HOST environment variable.

 

The default arguments provided for skiphost specify DES for key and traffic encryption, and MD5 for authentication. These arguments may be overridden by setting the environment variable SKIPLOCAL_EXPORT_ARGS.

-r [-v] [-s slot-number]

Deletes the LocalID in the specified slot number. The control, secret and certificate files are all deleted. 

-l [-Vv] [-s slot-number]

The list command lists the local IDs present on the system. By default, slot number, slot type, NSID, MKID (name) and validity periods are printed. The -v option specifies that the local certificate for that slot should be printed as well. -V produces output that is more easily machine parseable.

-k [-m mod_size] [-E exponent_size] [-L lifetime] [-f] [-V] [-M]

Generates a new secret key and a UDH (unsigned) certificate and adds them as a new slot to the set of local identities. -V produces output that is more easily machine parseable.

 

The -m option specifies the modulus size in bits. Modulus sizes of 512, 1024, 2048, and 4096 bits are supported in the US domestic release. The highest number of bits allowed by the export control limitations of the software is the default. The -L option specifies the lifetime of the UDH certificate, in days. The default is 5 years. The -f option suppresses the prompt for keyboard input to obtain better random numbers.

 

The -E option specifies how large a random exponent will be generated. The default is 256 bits. The -M option simply reports the modulus of the key that would have been generated. (No key is actually generated.)

 

If a password has been assigned for encryption of secrets using the skiplocal passwd subcommand, the user will be prompted for that password prior to adding any local IDs.

-e [-s slotnumber]

The extract command writes the certificate in the specified slot number to the standard output. If the output is redirected to a file, the file is suitable for the skipdb command.

-i [-qo]

Prior to use, the local ID database must be initialized. The init command creates the database. By default, if the database exists, the init command will not delete any of the local identities present. The user may force reinitialization of the database and destruction of all identities by specifying the -o option. -q tells init to be as quiet as possible about initialization.

-P

Assigns or changes the password which is used to encrypt locally stored secrets. If no password is present, you will be prompted for a new one. If a password already exists, you will be prompted for the old password prior to the new one.

See the man pages for more detail.

skiplog: Viewing Security Events

skiplog displays security events for the local system. It displays the types of events presented below. In all cases, the date and time of the event, as well as the IP address information, are logged.

Unknown Source--A packet was received from a system that is not currently in the ACL. The packet is dropped.

Unknown Destination--The local system sent a packet to a system that is not currently in the ACL. The packet is dropped.

Excluded Source--A packet was received from a system explicitly excluded by the ACL. The packet is dropped.

Excluded Destination --The local system sent a packet to a system that was explicitly excluded by the ACL. The packet is dropped.

Bad Parameters--A packet was received that contained security parameters that were incompatible with the ACL entry.

Syntax

skiplog [-i interface]

Options

-i [interface]

Display events for the specified network interface. By default, skiplog displays events for the system's principal network interface.

See the man pages for more detail.

skipstat: Viewing SunScreen Statistics

skipstat is the command-line interface for viewing SKIP statistics. Because skipstat is a command-line interface, the information that is displayed does not update on screen with the results of the latest sampling as skiptool does.

The following statistics are available in SunScreen:

Syntax

skipstat -[a|C|c|m|k|K|h] [option specific arguments]

Options

-a

Displays all information available. 

-C

Displays the cryptographic algorithms supported by the local system. Each algorithm is listed with its module identifier and name.

-c [version]

Displays cryptographic algorithm statistics for the given SKIP version: 1 = SKIP V1, 2 = SKIP.

-m

Displays MAC algorithms statistics. 

-k

Displays SKIP key statistics. 

-K

Displays local key information. 

-h

Displays SKIP header statistics. 

See the man pages for more detail.

The following is a breakdown of skipstat output for each of the main options:

SKIP Network Interface Statistics


Note -

The skipstat -i command is no longer supported.


New command: skiphost -h

SKIP interface (le0) statistics:

skip_if_ipkts:

number of packets received by interface 

skip_if_opkts:

number of packets sent by interface 

skip_if_encrypts:

number of packets encrypted 

skip_if_decrypts:

number of packets decrypted 

skip_if_drops:

number of packets dropped 

skip_if_notv4:

number of non-IPv4 packets 

skip_if_bypasses:

number of certificate packets 

skip_if_raw_in:

number of raw packets received 

skip_if_raw_out:

number of raw packets sent 

SKIP Header Statistics:

Command: skipstat -h


Note -

In the description below, V1 refers to SKIP's SunScreen SPF-100 and SPF-100G compatibility mode (based on an earlier version of the SKIP protocol).


skip_hdr_encodes:

number of SKIP V1 headers encoded 

skip_hdr_decodes:

number of SKIP V1 headers decoded 

skip_ipsp_encodes:

number of SKIP V2 headers encoded 

skip_ipsp_decodes:

number of SKIP V2 headers decoded 

Header decode error statistics:

skip_hdr_bad_versions:

invalid protocol version 

skip_hdr_short_ekps:

short eKp fields 

skip_hdr_short_mids:

short MID fields 

skip_hdr_bad_kp_algs:

unknown crypto algorithms 

skip_hdr_bad_kij_algs:

unknown key encryption algorithms 

skip_hdr_runts:

short SKIP V1 packets 

skip_hdr_short_nodeids:

short SKIP V1 node ids 

skip_hdr_bad_nsid:

bad V2 namespace ID 

skip_hdr_bad_mac_alg:

bad MAC algorithm 

skip_hdr_bad_mac_size:

bad MAC data size 

skip_hdr_bad_mac_val:

bad MAC value 

skip_hdr_bad_next:

bad V2 next protocol field 

skip_hdr_bad_esp_spi:

bad V2 encryption SPI field 

skip_hdr_bad_ah_spi:

bad V2 MAC SPI field 

skip_hdr_bad_iv:

bad V2 initialization vector 

skip_hdr_short_r_mkeyid:

short V2 receiver key ID 

skip_hdr_short_s_mkeyid:

short V2 sender key ID 

skip_hdr_bad_r_mkeyid:

bad V2 receiver key ID 

skip_ah_nat_in:

number of MD5-NAT packets received

skip_ah_nat_out:

number of MD5-NAT packets sent

Key Statistics

Command: skipstat -k

skip_key_max_idle:

unused key time-out 

skip_key_max_bytes:

maximum bytes to encrypt 

skip_encrypt_keys_active:

encrypt keys in cache 

skip_decrypt_keys_active:

decrypt keys in cache 

skip_key_lookups:

key cache lookups 

skip_keymgr_requests:

key cache misses 

skip_key_reclaims:

cache entries reclaimed 

skip_hash_collisions:

hash table collisions 

SKIP Encryption Statistics:

Command: skipstat -c

(requires the SKIP version as part of the argument: 1 = SKIP V1, 2 = SKIP)

Cryptographic algorithm stats (SKIP Version 1)

Crypto Module Name: DES-CBC

encrypts:

number of successful encryptions 

encrypterrs:

number of failed encryptions

decrypts:

number of successful decryptions 

decrypterrs:

number of failed decryptions 

Cryptographic algorithm stats (SKIP)

Crypto Module Name: DES-EDE-K3-CBC

encrypts:

number of successful encryptions 

encrypterrs:

number of failed encryptions

decrypts:

number of successful decryptions 

decrypterrs:

number of failed decryptions 

SKIP Authentication Statistics

Command: skipstat -m

MAC algorithm statistics (SKIP)

MAC Module Name: MD5

in_mac:

number of received MAC calculations

in_mac_errs:

number of failed received MAC calculations

out_mac:

number of successful sent MAC calculations

out_mac_errs:

number of failed sent MAC calculations

MAC Module Name: MD5-NAT

in_mac:

number of received MAC calculations

in_mac_errs:

number of failed received MAC calculations

out_mac:

number of successful sent MAC calculations

out_mac_errs:

number of failed sent MAC calculations

For more information on using skipstat, refer to the man pages for SunScreen SKIP.