
Re: linux-ipsec: args from files

From: William Allen Simpson <wsimpson(at)greendragon.com>
Date: Thu Jul 23 1998 - 10:24:19 EDT

> From: Paul Koning 
> So I'd suggest to allow parameters to be specified via individual
> options (e.g., "--spi 65") and *also* via entries in an options file
> (e.g., "--options optfile", and then optfile contains a line "spi
> 65").  The usual ordering rules would apply, i.e., with that optfile,
> if you say "--options optfile --spi 10" you get spi 10, if you say
> "--spi 10 --options optfile" you get spi 65.
>

To be honest, I find this terribly confusing. And this still has the problems with syntax parsing and various shells.

Also, I just don't see why we would be installing these on the fly. I'd prefer a nice fstab model, where the files are read at boot, and you can tell it to deinstall/reinstall any time later.

I promised last week some man pages, but got sidetracked with the DES crack, and updating my internet-drafts. Here is my first attempt at the file format manual for ipsecure(5). It is formatted for BSDish, but I'm sure that we'd be happy to insert GNUish boilerplate:

.\" $OpenBSD: ipsecure.5,v 0.0 1998/07/22 00:00:00 provos Exp $
.\" Copyright 1998 William Allen Simpson <wsimpson@greendragon.com>

.Dd July 22, 1998
.Dt IPSECURE 5
.Os
.Sh NAME
.Nm ipsecure ,
.Nm ipsec ,
.Nm ips
.Nd static information about IP Network-Layer Security
.Sh SYNOPSIS
.Fd #include 
.Nm target
.Cm kind
.Aq Cm value
.Cm attribute
.Op Aq Cm value
.Op ...
.Sh DESCRIPTION
The file
.Pa /etc/ipsecure/rules
contains the system policy and keys used by IP Network-Layer Security.
This file is only read by programs, and not written.
It is the duty of the system administrator to properly maintain this file.
.Pp
Each target IP node and its rules are described on separate lines.
Fields on each line are separated by tabs or spaces.
Continuation lines are indicated by a trailing
.Ql \(rs ,
followed by a line with leading tabs or spaces.
Comment lines begin with any special,
non-alphanumeric,
non-whitespace character,
such as
.Ql \&! ,
.Ql \&# ,
.Ql \&. ,
or
.Ql \&; .
Special characters found after the first position on a line are not interpreted as trailing comments.
.Pp
Within each line,
character strings are enclosed in quotes
.Ql \*q
with C notation
.Ql \(rs
escaping,
while
hexadecimal fields are enclosed in octothorps
.Ql \&# ,
and
base64 fields are enclosed in vertical bars
.Ql \*(Ba .
.Pp
The order of lines in
.Pa rules
is important because
.Xr ipsecure 8 ,
.Xr photuris 8 ,
.Xr oakley 8 ,
and other optional security association management utilities sequentially iterate through
.Pa rules
doing their thing.
.Pp
The first field,
.Nm target ,
indicates the target host or security gateway. This may be a fully qualified domain name (FQDN), or a single numeric IP address.
When more than one IP address is associated with a single FQDN, the entry is replicated in the kernel security database. Zero (0) indicates any local IP interface, including
.Em localhost .
.Pp
The second field,
.Cm kind ,
indicates the form of protection given to the target. The available kinds are:
.Bl -tag -width indent -offset indent -compact
.It Em ah Aq Em spi
An Authentication Header.
.It Em esp Aq Em spi
An Encapsulating Security Payload.
.It Em photuris Aq Em strength
Negotiate using Photuris.
.It Em oakley Aq Em whatever
Negotiate using ISAKMP with Oakley.
.El
.Pp
The
.Aq Em spi
.Pq Security Parameters Index
is a 32-bit
.Pq 4 byte
unsigned value
identifying the Security Association parameters. This value is always expressed in hex.
The values #0# to #ff# are reserved.
Values in the range #100# to #ffff# are recommended for manual configuration.
.Pp
The
.Aq Em strength
is a 16-bit
.Pq 2 byte
unsigned value
indicating the minimum acceptable cryptographic strength to select during negotiation.
For convenience,
this value is always expressed in hex.
The minimum value is #40# (64).
Other common values are #50# (80) and #70# (112).
Care should be taken not to indicate a value that is higher than supported.
.Pp
The
.Aq Em whatever
is currently undefined.
.Pp
The third field is followed by one or more
.Cm attribute
.Op Aq Cm value
pairs:
.Bl -tag -width indent -offset indent -compact
.It Em 96
.Pq AH or ESP
Truncate MAC to 96 bits;
not followed by any value.
The default is to generate a 128-bit MAC for AH, and the native length MAC for ESP.
.It Em check-padding
.Pq ESP
Check self-describing-padding;
not followed by any value.
The default is to ignore padding.
.It Em group Aq Em target
.Pq AH or ESP
Group bi-directional Security Associations; the
.Aq Em target
must match a previously specified
.Cm target ,
and the next
.Cm attribute
.Aq Cm value
pair must be
.Em ah
or
.Em esp .
.It Em des-ede3 Aq Em key
.Pq ESP
Confidentiality with Triple DES CBC;
followed by 192-bit
.Pq 24 byte
.Aq Em key
value,
with parity correctly specified.
.It Em des-xex3 Aq Em key
.Pq ESP
Confidentiality with DESX CBC;
followed by 192-bit
.Pq 24 byte
.Aq Em key
value,
with parity correctly specified
for the middle 64-bits
.Pq 8 bytes .
.It Em md5h Aq Em key
.Pq AH or ESP
Authentication/integrity with MD5 HMAC.
.It Em md5ip Aq Em key
.Pq AH or ESP
Authentication/integrity with MD5 Interleaved Padding MAC.
.It Em md5kp Aq Em key
.Pq AH or ESP
Authentication/integrity with MD5 Leading Key Padding MAC
.Bq RFC-1829 .
.It Em md5l Aq Em key
.Pq AH or ESP
Authentication/integrity with MD5 Leading Length MAC.
.It Em sha1h Aq Em key
.Pq AH or ESP
Authentication/integrity with SHA1 HMAC.
.It Em sha1ip Aq Em key
.Pq AH or ESP
Authentication/integrity with SHA1 Interleaved Padding MAC.
.It Em sha1kp Aq Em key
.Pq AH or ESP
Authentication/integrity with SHA1 Leading Key Padding MAC
.Bq RFC-1850 .
.It Em sha1l Aq Em key
.Pq AH or ESP
Authentication/integrity with SHA1 Leading Length MAC.
.El
.Pp
The
.Aq Em key
is a base64, hexadecimal, or quoted string value.
.Sh SEE ALSO
.Xr ipsecure 8

WSimpson@UMich.edu

    Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32


