test

IPsec and IKE Administration Guide

Keying Utilities

The IKE protocol is the automatic keying utility for IPv4 addresses. See Chapter 4, Internet Key Exchange (Task) for how to set up IKE. The manual keying utility is the ipseckey(1M) command.

You use the ipseckey command to manually manipulate the security association databases with the ipsecah(7P) and ipsecesp(7P) protection mechanisms. You can also use the ipseckey command to set up security associations between communicating parties when automated key management is not available. An example is communicating parties that have IPv6 addresses.

While the ipseckey command has only a limited number of general options, the command supports a rich command language. You can specify that requests should be delivered by means of a programmatic interface specific for manual keying. See the pf_key(7P) man page for additional information. When you invoke the ipseckey command with no arguments, the command enters an interactive mode that displays a prompt that enables you to make entries. Some commands require an explicit security association (SA) type, while others permit you to specify the SA type and act on all SA types.

Security Considerations for ipseckey

The ipseckey command enables a privileged user to enter sensitive cryptographic keying information. If an adversary gains access to this information, the adversary can compromise the security of IPsec traffic. You should consider the following issues when you handle keying material and use the ipseckey command:

  1. Have you refreshed the keying material? Periodic key refreshment is a fundamental security practice. Key refreshment guards against potential weaknesses of the algorithm and keys, and limits the damage of an exposed key.

  2. Is the TTY going over a network? Is the ipseckey command in interactive mode?

    • In interactive mode, the security of the keying material is the security of the network path for this TTY's traffic. You should avoid using the ipseckey command over a clear-text telnet or rlogin session.

    • Even local windows might be vulnerable to attacks by a concealed program that reads window events.

  3. Is the file being accessed over the network? Can the file be read by the world? Have you used the -f option?

    • An adversary can read a network-mounted file as the file is being read. You should avoid using a world-readable file that contains keying material.

    • Protect your naming system. If the following two conditions are met, then your host names are no longer trustworthy:

      • Your source address is a host that can be looked up over the network

      • Your naming system is compromised

Security weaknesses often lie in misapplication of tools, not the actual tools. You should be cautious when using the ipseckey command. Use a console or other hard-connected TTY for the safest mode of operation.