System Administration Guide, Volume 3

IPsec Extensions to Existing Utilities

ifconfig

To support IPsec, the following security options have been added to ifconfig(1M):

auth_algs

This option enables IPsec AH for a tunnel, with the authentication algorithm specified. It has the following format:


auth_algs authentication_algorithm

The algorithm can be either a number or an algorithm name; the name any expresses no specific algorithm preference. You must specify all IPsec tunnel properties on the same command line. To disable tunnel security, specify the following option:


auth_algs none

encr_auth_algs

This option enables IPsec ESP for a tunnel, with the authentication algorithm specified. It has the following format:


encr_auth_algs authentication_algorithm

For the algorithm, you can specify either a number or an algorithm name; the name any expresses no specific algorithm preference. If you specify an ESP encryption algorithm but do not specify an ESP authentication algorithm, the ESP authentication algorithm defaults to any.

encr_algs

This option enables IPsec ESP for a tunnel with the encryption algorithm specified. It has the following format:


encr_algs encryption_algorithm

For the algorithm, you can specify either a number or an algorithm name. You must specify all IPsec tunnel properties on the same command line. To disable tunnel security, specify the following option:


encr_algs none

If you specify an ESP authentication algorithm but not an encryption algorithm, the ESP encryption algorithm defaults to null.
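The shell functions below are an added example, not part of this guide or of the Solaris ifconfig code; they show the defaulting rules above and why every IPsec tunnel property must be placed on one ifconfig command line. The interface name ip.tun0 and the algorithm names md5 and des used in the comments are assumptions; the functions print the command instead of running it, so they work on any POSIX shell.

```shell
#!/bin/sh
# Dry-run helpers for IPsec tunnel options on ifconfig (added example, not
# from the guide). Nothing here touches a real interface.

# effective_esp ENCR ENCR_AUTH
# Prints the ESP settings the tunnel ends up with after the documented
# defaults are applied:
#   encr_algs given, encr_auth_algs omitted  -> encr_auth_algs any
#   encr_auth_algs given, encr_algs omitted  -> encr_algs null
#   neither given                            -> no ESP at all (shown as none)
effective_esp() {
    e=$1 ea=$2
    if [ -n "$e" ] && [ -z "$ea" ]; then ea=any; fi
    if [ -n "$ea" ] && [ -z "$e" ]; then e=null; fi
    printf 'encr=%s encr_auth=%s\n' "${e:-none}" "${ea:-none}"
}

# tunnel_ipsec_cmd IFNAME AUTH ENCR ENCR_AUTH
# Emits ONE ifconfig line carrying every requested IPsec property, because
# a later ifconfig call that names only some of them replaces the rest.
# Pass an empty string for a property you do not want. With no properties
# at all it emits the documented "disable tunnel security" form.
# Example (names are assumptions):  tunnel_ipsec_cmd ip.tun0 md5 des ""
tunnel_ipsec_cmd() {
    ifname=$1 auth=$2 encr=$3 encr_auth=$4
    opts=""
    [ -n "$auth" ]      && opts="$opts auth_algs $auth"
    [ -n "$encr" ]      && opts="$opts encr_algs $encr"
    [ -n "$encr_auth" ] && opts="$opts encr_auth_algs $encr_auth"
    [ -z "$opts" ]      && opts=" auth_algs none encr_algs none"
    printf 'ifconfig %s%s\n' "$ifname" "$opts"
}
```

Run the printed line only after checking with effective_esp that the implied defaults (any, null) are what you intend.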

snoop(1M)

The snoop command can now parse AH and ESP headers. Because ESP encrypts its payload, snoop cannot inspect the headers and data that ESP protects. AH does not encrypt data, so AH-protected traffic can still be inspected with snoop. The snoop -V option shows when AH is in use on a packet. See the snoop(1M) man page for more details.