IPSEC_SPI(5) IPSEC_SPI(5)
NAME
ipsec_spi - list IPSEC Security Associations
SYNOPSIS
ipsec(5,8) spi(5,8)
cat /proc(5,n)/net/ipsec_spi
DESCRIPTION
/proc(5,n)/net/ipsec_spi is a read-only file(1,n) that lists the current IPSEC
Security Associations. A Security Association (SA) is a transform
through which packet contents are to be processed before being for-
warded. A transform can be an IPv4-in-IPv4 or IPv6-in-IPv6 encapsula-
tion, an IPSEC Authentication Header (authentication with no encryp-
tion), or an IPSEC Encapsulation Security Payload (encryption, possibly
including authentication).
When a packet is passed from a higher networking layer through an IPSEC
virtual(5,8) interface, a search in(1,8) the extended routing table (see
ipsec_eroute(5)) yields a IP protocol number , a Security Parameters
Index (SPI) and an effective destination address When an IPSEC packet
arrives from the network, its ostensible destination, an SPI and an IP
protocol specified by its outermost IPSEC header are used. The desti-
nation/SPI/protocol combination is used to select(2,7,2 select_tut) a relevant SA. (See
ipsec_spigrp(5) for discussion of how multiple transforms are com-
bined.)
An spi(5,8) , proto, daddr and address_family arguments specify an SAID.
Proto is an ASCII string(3,n), "ah", "esp", "comp" or "tun", specifying the
IP protocol. Spi is a number, preceded by '.' indicating hexadecimal
and IPv4 or by ':' indicating hexadecimal and IPv6, where each hexadec-
imal digit represents 4 bits, between 0x100 and 0xffffffff; values from
0x0 to 0xff are reserved. Daddr is a dotted-decimal IPv4 destination
address or a coloned hex IPv6 destination address.
An SAID combines the three parameters above, such as: "tun.101@1.2.3.4"
for IPv4 or "tun:101@3049:1::1" for IPv6
A table entry consists of:
+ SAID
+ <transform name (proto,encalg,authalg)>:
+ direction (dir=)
+ source address (src=)
+ source and destination addresses and masks for inner header policy
check addresses (policy=), as dotted-quads or coloned hex, separated
by '->', for IPv4-in-IPv4 or IPv6-in-IPv6 SAs only
+ initialisation vector length and value (iv_bits=, iv=) if(3,n) non-zero
+ out-of-order window size, number of out-of-order errors, sequence
number, recently received packet bitmask, maximum difference between
sequence numbers (ooowin=, ooo_errs=, seq=, bit=, max_seq_diff=) if(3,n)
SA is AH or ESP and if(3,n) individual items are non-zero
+ extra flags (flags=) if(3,n) any are set(7,n,1 builtins)
+ authenticator length in(1,8) bits (alen=) if(3,n) non-zero
+ authentication key length in(1,8) bits (aklen=) if(3,n) non-zero
+ authentication errors (auth_errs=) if(3,n) non-zero
+ encryption key length in(1,8) bits (eklen=) if(3,n) non-zero
+ encryption size errors (encr_size_errs=) if(3,n) non-zero
+ encryption padding error(8,n) warnings (encr_pad_errs=) if(3,n) non-zero
+ lifetimes legend, c=Current status, s=Soft limit when exceeded will
initiate rekeying, h=Hard limit will cause termination of SA
(life(c,s,h)=)
+ number of connections to which the SA is allocated (c), that will
cause a rekey (s), that will cause an expiry (h) (alloc=), if(3,n) any
value is non-zero
+ number of bytes processesd by this SA (c), that will cause a
rekey (s), that will cause an expiry (h) (bytes=), if(3,n) any value
is non-zero
+ time(1,2,n) since the SA was added (c), until rekey (s), until expiry
(h), in(1,8) seconds (add=)
+ time(1,2,n) since the SA was first used (c), until rekey (s), until
expiry (h), in(1,8) seconds (used=), if(3,n) any value is non-zero
+ number of packets processesd by this SA (c), that will cause a
rekey (s), that will cause an expiry (h) (packets=), if(3,n) any value
is non-zero
+ time(1,2,n) since the last packet was processed, in(1,8) seconds (idle=), if(3,n) SA
has been used
average compression ratio (ratio=)
EXAMPLES
tun.12a@192.168.43.1 IPIP: dir=out src=192.168.43.2
life(c,s,h)=bytes(14073,0,0)add(269,0,0)
use(149,0,0)packets(14,0,0)
idle=23
is an outbound IPv4-in-IPv4 (protocol 4) tunnel-mode SA set(7,n,1 builtins) up between
machines 192.168.43.2 and 192.168.43.1 with an SPI of 12a in(1,8) hexadeci-
mal that has passed about 14 kilobytes of traffic in(1,8) 14 packets since
it was created, 269 seconds ago, first used 149 seconds ago and has
been idle for 23 seconds.
esp:9a35fc02@3049:1::1 ESP_3DES_HMAC_MD5:
dir=in(1,8) src=9a35fc02@3049:1::2
ooowin=32 seq=7149 bit=0xffffffff
alen=128 aklen=128 eklen=192
life(c,s,h)=bytes(1222304,0,0)add(4593,0,0)
use(3858,0,0)packets(7149,0,0)
idle=23
is an inbound Encapsulating Security Payload (protocol 50) SA on
machine 3049:1::1 with an SPI of 9a35fc02 that uses 3DES as the encryp-
tion cipher, HMAC MD5 as the authentication algorithm, an out-of-order
window of 32 packets, a present sequence number of 7149, every one of
the last 32 sequence numbers was received, the authenticator length and
keys is 128 bits, the encryption key is 192 bits (actually 168 for 3DES
since 1 of 8 bits is a parity bit), has passed 1.2 Mbytes of data in(1,8)
7149 packets, was added 4593 seconds ago, first used 3858 seconds ago
and has been idle for 23 seconds.
FILES
/proc(5,n)/net/ipsec_spi, /usr/local/bin/ipsec(5,8)
SEE ALSO
ipsec(5,8)(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_eroute(5), ipsec_spi-
grp(5), ipsec_klipsdebug(5), ipsec_spi(8), ipsec_version(5),
ipsec_pf_key(5)
HISTORY
Written for the Linux FreeS/WAN project <http://www.freeswan.org/> by
Richard Guy Briggs.
BUGS
The add and use times are awkward, displayed in(1,8) seconds since machine
start. It would be better to display them in(1,8) seconds before now for
human readability.
26 Jun 2000 IPSEC_SPI(5)