Seth Woolley's Man Viewer

Manual for spi - man 5 spi

([section] manual, -k keyword, -K [section] search, -f whatis)
man plain no title

IPSEC_SPI(5)                                                      IPSEC_SPI(5)

       ipsec_spi - list IPSEC Security Associations

       ipsec(5,8) spi(5,8)

       cat /proc(5,n)/net/ipsec_spi

       /proc(5,n)/net/ipsec_spi  is  a  read-only file(1,n) that lists the current IPSEC
       Security Associations.  A Security  Association  (SA)  is  a  transform
       through  which  packet  contents  are to be processed before being for-
       warded.  A transform can be an IPv4-in-IPv4 or IPv6-in-IPv6  encapsula-
       tion,  an  IPSEC  Authentication Header (authentication with no encryp-
       tion), or an IPSEC Encapsulation Security Payload (encryption, possibly
       including authentication).

       When a packet is passed from a higher networking layer through an IPSEC
       virtual(5,8)  interface,  a  search  in(1,8)  the  extended  routing  table  (see
       ipsec_eroute(5))  yields  a  IP protocol number , a Security Parameters
       Index (SPI) and an effective destination address When an  IPSEC  packet
       arrives  from the network, its ostensible destination, an SPI and an IP
       protocol specified by its outermost IPSEC header are used.  The  desti-
       nation/SPI/protocol  combination is used to select(2,7,2 select_tut) a relevant SA.  (See
       ipsec_spigrp(5) for discussion of  how  multiple  transforms  are  com-

       An  spi(5,8)  ,  proto,  daddr and address_family arguments specify an SAID.
       Proto is an ASCII string(3,n), "ah", "esp", "comp" or "tun", specifying  the
       IP  protocol.   Spi is a number, preceded by '.' indicating hexadecimal
       and IPv4 or by ':' indicating hexadecimal and IPv6, where each hexadec-
       imal digit represents 4 bits, between 0x100 and 0xffffffff; values from
       0x0 to 0xff are reserved.  Daddr is a dotted-decimal  IPv4  destination
       address or a coloned hex IPv6 destination address.

       An SAID combines the three parameters above, such as: "tun.101@"
       for IPv4 or "tun:101@3049:1::1" for IPv6

       A table entry consists of:

       +  SAID

       +  <transform name (proto,encalg,authalg)>:

       +  direction (dir=)

       +  source address (src=)

       +  source and destination addresses and masks for inner  header  policy
          check addresses (policy=), as dotted-quads or coloned hex, separated
          by '->', for IPv4-in-IPv4 or IPv6-in-IPv6 SAs only

       +  initialisation vector length and value (iv_bits=, iv=) if(3,n) non-zero

       +  out-of-order window size, number of  out-of-order  errors,  sequence
          number, recently received packet bitmask, maximum difference between
          sequence numbers (ooowin=, ooo_errs=, seq=, bit=, max_seq_diff=)  if(3,n)
          SA is AH or ESP and if(3,n) individual items are non-zero

       +  extra flags (flags=) if(3,n) any are set(7,n,1 builtins)

       +  authenticator length in(1,8) bits (alen=) if(3,n) non-zero

       +  authentication key length in(1,8) bits (aklen=) if(3,n) non-zero

       +  authentication errors (auth_errs=) if(3,n) non-zero

       +  encryption key length in(1,8) bits (eklen=) if(3,n) non-zero

       +  encryption size errors (encr_size_errs=) if(3,n) non-zero

       +  encryption padding error(8,n) warnings (encr_pad_errs=) if(3,n) non-zero

       +  lifetimes  legend, c=Current status, s=Soft limit when exceeded will
          initiate  rekeying,  h=Hard  limit  will  cause  termination  of  SA

       +     number of connections to which the SA is allocated (c), that will
             cause a rekey (s), that will cause an expiry (h) (alloc=), if(3,n) any
             value is non-zero

       +     number  of  bytes  processesd  by  this SA (c), that will cause a
             rekey (s), that will cause an expiry (h) (bytes=), if(3,n)  any  value
             is non-zero

       +     time(1,2,n)  since  the  SA was added (c), until rekey (s), until expiry
             (h), in(1,8) seconds (add=)

       +     time(1,2,n) since the SA was first used  (c),  until  rekey  (s),  until
             expiry (h), in(1,8) seconds (used=), if(3,n) any value is non-zero

       +     number  of  packets  processesd by this SA (c), that will cause a
             rekey (s), that will cause an expiry (h) (packets=), if(3,n) any value
             is non-zero

       +  time(1,2,n)  since the last packet was processed, in(1,8) seconds (idle=), if(3,n) SA
          has been used

          average compression ratio (ratio=)

       tun.12a@ IPIP: dir=out src=

       is an outbound IPv4-in-IPv4 (protocol 4) tunnel-mode SA set(7,n,1 builtins) up  between
       machines and with an SPI of 12a in(1,8) hexadeci-
       mal that has passed about 14 kilobytes of traffic in(1,8) 14  packets  since
       it  was  created,  269  seconds ago, first used 149 seconds ago and has
       been idle for 23 seconds.

       esp:9a35fc02@3049:1::1 ESP_3DES_HMAC_MD5:
             dir=in(1,8) src=9a35fc02@3049:1::2
             ooowin=32 seq=7149 bit=0xffffffff
             alen=128 aklen=128 eklen=192

       is an inbound  Encapsulating  Security  Payload  (protocol  50)  SA  on
       machine 3049:1::1 with an SPI of 9a35fc02 that uses 3DES as the encryp-
       tion cipher, HMAC MD5 as the authentication algorithm, an  out-of-order
       window  of  32 packets, a present sequence number of 7149, every one of
       the last 32 sequence numbers was received, the authenticator length and
       keys is 128 bits, the encryption key is 192 bits (actually 168 for 3DES
       since 1 of 8 bits is a parity bit), has passed 1.2 Mbytes  of  data  in(1,8)
       7149  packets,  was added 4593 seconds ago, first used 3858 seconds ago
       and has been idle for 23 seconds.

       /proc(5,n)/net/ipsec_spi, /usr/local/bin/ipsec(5,8)

       ipsec(5,8)(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_eroute(5),  ipsec_spi-
       grp(5),     ipsec_klipsdebug(5),     ipsec_spi(8),    ipsec_version(5),

       Written for the Linux FreeS/WAN project  <>  by
       Richard Guy Briggs.

       The  add  and use times are awkward, displayed in(1,8) seconds since machine
       start.  It would be better to display them in(1,8) seconds  before  now  for
       human readability.

                                  26 Jun 2000                     IPSEC_SPI(5)

References for this manual (incoming links)