System Administration Guide: IP Services

IPsec Utilities and Files

This section describes the IPsec initialization configuration file and various commands that enable you to manage IPsec within your network. For instructions about how to implement IPsec within your network, see Implementing IPsec Task Map.

Table 19–3 List of Selected IPsec Files and Commands


IPsec File or Command	Description
`/etc/inet/ipsecinit.conf` file	IPsec policy file. If this file exists, IPsec is activated at boot time.
`ipsecconf` command	IPsec activation command. `ipsecconf` activates IPsec policy when invoked with the `ipsecinit.conf` file as an argument. Useful for viewing and modifying current IPsec policy, and for testing.
`pf_key()` interface	Interface for security association database. Handles manual and automatic key management.
`ipseckey` command	Activation command for keys that are used in IPsec security associations. `ipseckey` provides keying material for IPsec security associations.
`/etc/inet/secret/ipseckeys` file	Keys for IPsec security associations. If the `ipsecinit.conf` exists, this file is automatically read at boot time.
`/etc/inet/ike/config` file	IKE configuration and policy file. If this file exists, the IKE daemon, in.iked(1M) starts and loads the `/etc/inet/ike/config` file. See IKE Utilities and Files.

IPsec Policy Command

You use the ipsecconf(1M) command to configure the IPsec policy for a host. When you run the command to configure policy, the system creates a temporary file named ipsecpolicy.conf to hold the IPsec policy entries. The system immediately uses the file to check all outbound and inbound IP datagrams for policy. Forwarded datagrams are not subjected to policy checks that are added by using this command. See ifconfig(1M) and tun(7M) for information on how to protect forwarded packets.

You must become superuser to invoke the ipsecconf command. The command accepts entries that protect traffic in both directions, and entries that protect traffic in only one direction.

Policy entries that do not specify a direction and contain the patterns laddr host1 (local address) and raddr host2 (remote address) protect traffic in both directions for the named host. Thus, you need only one entry for each host. A policy entry of the pattern saddr host1 daddr host2 (source address to destination address) protects traffic in only one direction, that is, either outbound or inbound. Thus, to protect traffic in both directions, you need to pass the ipsecconf command another entry, as in saddr host2 daddr host1.

You can see the policies that are configured in the system when you issue the ipsecconf command without any arguments. The command displays each entry with an index followed by a number. You can use the -d option with the index to delete a particular policy in the system. The command displays the entries in the order that they were added, which is not necessarily the order in which the traffic match occurs. To view the order in which the traffic match occurs, use the -l option.

The ipsecpolicy.conf file is deleted when the system shuts down. To ensure that IPsec policy is active when the machine boots, you can create an IPsec policy file, /etc/inet/ipsecinit.conf, that the inetinit script reads during startup.

IPsec Policy File

To invoke IPsec security policies when you start the Solaris operating environment, you create an IPsec initialization configuration file with your specific IPsec policy entries. You should name the file /etc/inet/ipsecinit.conf. See the ipsecconf(1M) man page for details about policy entries and their format. After policies are configured, you can use the ipsecconf command to delete a policy temporarily, or to view the existing configuration.

Example—`ipsecinit.conf` File

The Solaris software includes a sample IPsec policy file that you can use as a template to create your own ipsecinit.conf file. This sample file is named ipsecinit.sample and it contains the following entries:

#
#ident	"@(#)ipsecinit.sample	1.6  01/10/18 SMI"
#
# Copyright (c) 1999,2001 by Sun Microsystems, Inc.
# All rights reserved.
#
# This file should be copied to /etc/inet/ipsecinit.conf to enable IPsec
# systemwide policy (and as a side-effect, load IPsec kernel modules).
# Even if this file has no entries, IPsec will be loaded if
# /etc/inet/ipsecinit.conf exists.
#
# Add entries to protect the traffic using IPsec. The entries in this
# file are currently configured using ipsecconf from inetinit script
# after /usr is mounted.
#
# For example,
#
#	 {rport 23} ipsec {encr_algs des encr_auth_algs md5}
#
# Or, in the older (but still usable) syntax
#
#    {dport 23} apply {encr_algs des encr_auth_algs md5 sa shared}
#    {sport 23} permit {encr_algs des encr_auth_algs md5}
#
# will protect the telnet traffic originating from the host with ESP using
# DES and MD5. Also:
#
#	 {raddr 10.5.5.0/24} ipsec {auth_algs any}
#
# Or, in the older (but still usable) syntax
#
#    {daddr 10.5.5.0/24} apply {auth_algs any sa shared}
#    {saddr 10.5.5.0/24} permit {auth_algs any}
#
# will protect traffic to or from the 10.5.5.0 subnet with AH 
# using any available algorithm.
#
#
# To do basic filtering, a drop rule may be used. For example:
#
#    {lport 23 dir in} drop {}
#    {lport 23 dir out} drop {}
#
# will disallow any remote system from telnetting in.
#
#
# WARNING:	This file is read before default routes are established, and
#		before any naming services have been started. The
#		ipsecconf(1M) command attempts to resolve names, but it will
#		fail unless the machine uses files, or DNS and the DNS server
#		is reachable via routing information before ipsecconf(1M)
#		invocation.  (that is, the DNS server is on-subnet, or DHCP
#		has loaded up the default router already.)
#
#		It is suggested that for this file, use hostnames only if
#		they are in /etc/hosts, or use numeric IP addresses.
#
#		If DNS gets used, the DNS server is implicitly trusted, which
#		could lead to compromise of this machine if the DNS server
#		has been compromised.
#

Security Considerations

If, for example, the /etc/inet/ipsecinit.conf file is sent from an NFS-mounted file system, an adversary can modify the data contained in the file. The outcome would be a change to the configured policy. Consequently, you should use extreme caution if transmitting a copy of the ipsecinit.conf file over a network.

Policy cannot be changed (is “latched”) for TCP/UDP sockets on which a connect(3SOCKET) or accept(3SOCKET) has been issued. Adding new policy entries does not affect the latched sockets. This latching feature might change in the future, so you should not depend on this feature.

Ensure that you set up the policies before starting any communications, because existing connections might be affected by the addition of new policy entries. Similarly, do not change policies in the middle of a communication.

If your source address is a host that can be looked up over the network, and your naming system itself is compromised, then any names that are used are no longer trustworthy.

Security weaknesses often lie in misapplication of tools, not the tools themselves. You should be cautious when using the ipsecconf command. Use a console or other hard-connected TTY for the safest mode of operation.

IPsec Security Associations Database

Keying information for IPsec security services is maintained in a security association database (SADB). Security associations protect both inbound and outbound packets. A user process (or possibly multiple cooperating processes) maintains SADBs by sending messages over a special kind of socket. This is analogous to the method that is described in the route(7P) man page. Only a superuser can access an SADB.

The operating system might spontaneously emit messages in response to external events, such as a request for a new SA for an outbound datagram, or to report the expiration of an existing SA. You open the channel for passing SADB control messages by using the socket call that is described in the previous section. More than one key socket can be open per system.

Messages include a small base header, followed by a number of extension messages (zero or more). Some messages require additional data. The base message and all extensions must be 8-byte aligned. The GET message serves as an example. This message requires the base header, the SA extension, and the ADDRESS_DST extension. See the pf_key(7P) man page for details.

Keying Utilities

The IKE protocol is the automatic keying utility for IPv4 addresses. See Chapter 21, Internet Key Exchange for how to set up IKE. The manual keying utility is the ipseckey(1M) command.

You use the ipseckey command to manually manipulate the security association databases with the ipsecah(7P) and ipsecesp(7P) protection mechanisms. You can also use the ipseckey command to set up security associations between communicating parties when automated key management is not available. An example is communicating parties that have IPv6 addresses.

While the ipseckey command has only a limited number of general options, it supports a rich command language. You can specify that requests should be delivered by means of a programmatic interface specific for manual keying. See the pf_key(7P) man page for additional information. When you invoke ipseckey with no arguments, it enters an interactive mode that displays a prompt that enables you to make entries. Some commands require an explicit security association (SA) type, while others permit you to specify the SA type and act on all SA types.

Security Considerations

The ipseckey command enables a privileged user to enter sensitive cryptographic keying information. If an adversary gains access to this information, the adversary can compromise the security of IPsec traffic. You should consider the following issues when you handle keying material and use the ipseckey command:

Have you refreshed the keying material? Periodic key refreshment is a fundamental security practice. Changing keys guards against potential weaknesses of the algorithm and keys, and limits the damage of an exposed key.
Is the TTY going over a network (interactive mode)?
- If the TTY is in interactive mode, then the security of the keying material is the security of the network path for this TTY's traffic. You should avoid using the ipseckey command over a clear-text telnet or rlogin session.
- Even local windows might be vulnerable to attacks by a concealed program that reads window events.
Is the file accessed over the network or readable to the world (-f option)?
- An adversary can read a network-mounted file as it is being read. You should avoid using a world-readable file with keying material in it.
- If your source address is a host that can be looked up over the network, and your naming system is compromised, then any names used are no longer trustworthy.

Security weaknesses often lie in misapplication of tools, not the tools themselves. You should be cautious when using the ipseckey command. Use a console or other hard-connected TTY for the safest mode of operation.

IPsec Extensions to Other Utilities

The ifconfig command has options to manage IPsec policy on a tunnel interface, and the snoop command can parse AH and ESP headers.

`ifconfig` Command

To support IPsec, the following security options have been added to the ifconfig(1M) command:

auth_algs
encr_auth_algs
encr_algs

`auth_algs`

This option enables IPsec AH for a tunnel, with the authentication algorithm specified. The auth_algs option has the following format:

auth_algs authentication_algorithm

The algorithm can be either a number or an algorithm name, including the parameter any, to express no specific algorithm preference. You must specify all IPsec tunnel properties on the same command line. To disable tunnel security, specify the following option:

auth_alg none

See Table 19–1 for a list of available authentication algorithms and for pointers to the algorithm man pages.

`encr_auth_algs`

This option enables IPsec ESP for a tunnel, with the authentication algorithm specified. The encr_auth_algs option has the following format:

encr_auth_algs authentication_algorithm

For the algorithm, you can specify either a number or an algorithm name, including the parameter any, to express no specific algorithm preference. If you specify an ESP encryption algorithm, but you do not specify the authentication algorithm, the ESP authentication algorithm value defaults to the parameter, any.

See Table 19–1 for a list of available authentication algorithms and for pointers to the algorithm man pages.

`encr_algs`

This option enables IPsec ESP for a tunnel with the encryption algorithm specified. The option has the following format:

encr_algs encryption_algorithm

For the algorithm, you can specify either a number or an algorithm name. You must specify all IPsec tunnel properties on the same command line. To disable tunnel security, specify the following option:

encr_alg none

If you specify an ESP authentication algorithm, but not an encryption algorithm, the ESP encryption value defaults to the parameter null.

See the ipsecesp(7P) man page or Table 19–2 for a list of available encryption algorithms and for pointers to the algorithm man pages.

`snoop` Command

The snoop command can now parse AH and ESP headers. Because ESP encrypts its data, snoop cannot see encrypted headers that are protected by ESP. AH does not encrypt data, so traffic can still be inspected with snoop. The snoop -V option shows when AH is in use on a packet. See the snoop(1M) man page for more details.

IPsec Utilities and Files

IPsec Policy Command

IPsec Policy File

Example—ipsecinit.conf File

Security Considerations

IPsec Security Associations Database

Keying Utilities

Security Considerations

IPsec Extensions to Other Utilities

ifconfig Command

auth_algs

encr_auth_algs

encr_algs

snoop Command

Example—`ipsecinit.conf` File

`ifconfig` Command

`auth_algs`

`encr_auth_algs`

`encr_algs`

`snoop` Command