Module Name:    src
Committed By:   ozaki-r
Date:           Wed Jun 13 03:28:36 UTC 2018

Modified Files:
        src/distrib/sets/lists/man: mi
        src/share/man/man4: Makefile hifn.4 ipsec.4 nsp.4 options.4 ubsec.4
Removed Files:
        src/share/man/man4: fast_ipsec.4

Log Message:
Retire fast_ipsec.4

We switched to Fast IPsec at NetBSD 6.0 and that's the IPsec implementation
of us now.  So we don't need to have a separate manual.  Merge fast_ipsec.4
into ipsec.4 and remove fast_ipsec.4.

To generate a diff of this commit:
cvs rdiff -u -r1.1593 -r1.1594 src/distrib/sets/lists/man/mi
cvs rdiff -u -r1.655 -r1.656 src/share/man/man4/Makefile
cvs rdiff -u -r1.14 -r0 src/share/man/man4/fast_ipsec.4
cvs rdiff -u -r1.7 -r1.8 src/share/man/man4/hifn.4
cvs rdiff -u -r1.43 -r1.44 src/share/man/man4/ipsec.4
cvs rdiff -u -r1.2 -r1.3 src/share/man/man4/nsp.4
cvs rdiff -u -r1.487 -r1.488 src/share/man/man4/options.4
cvs rdiff -u -r1.5 -r1.6 src/share/man/man4/ubsec.4

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files: Index: src/distrib/sets/lists/man/mi diff -u src/distrib/sets/lists/man/mi:1.1593 src/distrib/sets/lists/man/mi:1.1594 --- src/distrib/sets/lists/man/mi:1.1593 Thu May 31 00:25:38 2018 +++ src/distrib/sets/lists/man/mi Wed Jun 13 03:28:36 2018 @@ -1,4 +1,4 @@ -# $NetBSD: mi,v 1.1593 2018/05/31 00:25:38 kamil Exp $ +# $NetBSD: mi,v 1.1594 2018/06/13 03:28:36 ozaki-r Exp $ # # Note: don't delete entries from here - mark them as "obsolete" instead. # @@ -1088,7 +1088,7 @@ ./usr/share/man/cat4/ex.0 man-sys-catman .cat ./usr/share/man/cat4/exphy.0 man-sys-catman .cat ./usr/share/man/cat4/faith.0 man-sys-catman .cat -./usr/share/man/cat4/fast_ipsec.0 man-sys-catman .cat +./usr/share/man/cat4/fast_ipsec.0 man-obsolete obsolete ./usr/share/man/cat4/fd.0 man-sys-catman .cat ./usr/share/man/cat4/fea.0 man-sys-catman .cat ./usr/share/man/cat4/filemon.0 man-sys-catman .cat @@ -4233,7 +4233,7 @@ ./usr/share/man/html4/ex.html man-sys-htmlman html ./usr/share/man/html4/exphy.html man-sys-htmlman html ./usr/share/man/html4/faith.html man-sys-htmlman html -./usr/share/man/html4/fast_ipsec.html man-sys-htmlman html +./usr/share/man/html4/fast_ipsec.html man-obsolete obsolete ./usr/share/man/html4/fd.html man-sys-htmlman html ./usr/share/man/html4/fea.html man-sys-htmlman html ./usr/share/man/html4/filemon.html man-sys-htmlman html @@ -7150,7 +7150,7 @@ ./usr/share/man/man4/ex.4 man-sys-man .man ./usr/share/man/man4/exphy.4 man-sys-man .man ./usr/share/man/man4/faith.4 man-sys-man .man -./usr/share/man/man4/fast_ipsec.4 man-sys-man .man +./usr/share/man/man4/fast_ipsec.4 man-obsolete obsolete ./usr/share/man/man4/fd.4 man-sys-man .man ./usr/share/man/man4/fea.4 man-sys-man .man ./usr/share/man/man4/filemon.4 man-sys-man .man Index: src/share/man/man4/Makefile diff -u src/share/man/man4/Makefile:1.655 src/share/man/man4/Makefile:1.656 --- src/share/man/man4/Makefile:1.655 Sun May 27 05:31:20 2018 +++ src/share/man/man4/Makefile Wed Jun 13 03:28:36 2018 
@@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.655 2018/05/27 05:31:20 thorpej Exp $ +# $NetBSD: Makefile,v 1.656 2018/06/13 03:28:36 ozaki-r Exp $ # @(#)Makefile 8.1 (Berkeley) 6/18/93 MAN= aac.4 ac97.4 acardide.4 aceride.4 acphy.4 \ @@ -23,7 +23,7 @@ MAN= aac.4 ac97.4 acardide.4 aceride.4 a dmphy.4 dpt.4 dpti.4 drm.4 drum.4 drvctl.4 dtv.4 dtviic.4 dwctwo.4 \ eap.4 ebus.4 edc.4 elmc.4 emuxki.4 en.4 envsys.4 ep.4 esh.4 \ esa.4 esiop.4 esm.4 eso.4 et.4 etherip.4 etphy.4 exphy.4 \ - fast_ipsec.4 fd.4 filemon.4 finsio.4 flash.4 fpa.4 fms.4 fss.4 \ + fd.4 filemon.4 finsio.4 flash.4 fpa.4 fms.4 fss.4 \ fujbp.4 full.4 fxp.4 \ gcscaudio.4 gem.4 genfb.4 gentbi.4 geodeide.4 \ glxtphy.4 gpib.4 gpio.4 gpioirq.4 gpiolock.4 gpiopps.4 gpiopwm.4 \ Index: src/share/man/man4/hifn.4 diff -u src/share/man/man4/hifn.4:1.7 src/share/man/man4/hifn.4:1.8 --- src/share/man/man4/hifn.4:1.7 Tue Mar 13 19:25:40 2012 +++ src/share/man/man4/hifn.4 Wed Jun 13 03:28:36 2018 @@ -1,4 +1,4 @@ -.\" $NetBSD: hifn.4,v 1.7 2012/03/13 19:25:40 njoly Exp $ +.\" $NetBSD: hifn.4,v 1.8 2018/06/13 03:28:36 ozaki-r Exp $ .\" $OpenBSD: hifn.4,v 1.32 2002/09/26 07:55:40 miod Exp $ .\" $FreeBSD: src/share/man/man4/hifn.4,v 1.1.2.2 2003/10/08 23:57:50 sam Exp $ .\" @@ -28,7 +28,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd October 8, 2003 +.Dd June 13, 2018 .Dt HIFN 4 .Os .Sh NAME @@ -68,7 +68,7 @@ AES (7955 and 7956 only), ARC4, MD5, MD5-HMAC, SHA1, and SHA1-HMAC operations for .Xr opencrypto 9 , and thus for -.Xr fast_ipsec 4 +.Xr ipsec 4 and .Xr crypto 4 . .Pp @@ -83,7 +83,7 @@ may also supply data to the kernel subsystem. .Sh SEE ALSO .Xr crypto 4 , -.Xr fast_ipsec 4 , +.Xr ipsec 4 , .Xr intro 4 , .Xr rnd 4 , .Xr opencrypto 9 Index: src/share/man/man4/ipsec.4 diff -u src/share/man/man4/ipsec.4:1.43 src/share/man/man4/ipsec.4:1.44 --- src/share/man/man4/ipsec.4:1.43 Wed Jan 10 12:16:39 2018 +++ src/share/man/man4/ipsec.4 Wed Jun 13 03:28:36 2018 
@@ -1,4 +1,4 @@ -.\" $NetBSD: ipsec.4,v 1.43 2018/01/10 12:16:39 wiz Exp $ +.\" $NetBSD: ipsec.4,v 1.44 2018/06/13 03:28:36 ozaki-r Exp $ .\" $KAME: ipsec.4,v 1.17 2001/06/27 15:25:10 itojun Exp $ .\" .\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -28,12 +28,15 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd January 10, 2018 +.Dd June 13, 2018 .Dt IPSEC 4 .Os .Sh NAME .Nm ipsec .Nd IP security protocol +.Sh SYNOPSIS +.Cd "options IPSEC" +.Cd "options IPSEC_DEBUG" .Sh DESCRIPTION This manual pages describes the IPsec protocol. For the network device driver please see @@ -49,7 +52,7 @@ and .Xr inet6 4 .Pc . .Nm -consists of two sub-protocols: +consists of three sub-protocols: .Bl -hang .It Em Encapsulated Security Payload Pq ESP protects IP payloads from wire-tapping (interception) by encrypting them with @@ -58,6 +61,8 @@ secret key cryptography algorithms. guarantees the integrity of IP packets and protects them from intermediate alteration or impersonation, by attaching cryptographic checksums computed by one-way hash functions. +.It Em IP Payload Compression Protocol Pq IPComp +increases the communication performance by compressing the datagrams. .El .Pp .Nm @@ -70,13 +75,6 @@ includes IP-in-IP encapsulation operatio and is designed for security gateways, as in Virtual Private Network (VPN) configurations. .El -.Pp -Since version 6, -.Nx -uses the IPsec implementation formerly known as FAST_IPSEC. -Its specifics and kernel options are described in the -.Xr fast_ipsec 4 -manual page. .Ss Kernel interface .Nm is controlled by two engines in the kernel: one for key management 
@@ -252,6 +250,22 @@ Variables under the tree have similar meanings to their .Li net.inet.ipsec counterparts. +.Ss Cryptographic operations +The current IPsec implementation, formerly called Fast IPsec, +uses the +.Xr opencrypto 9 +subsystem to carry out cryptographic operations. +This means, in particular, that cryptographic hardware devices are +employed whenever possible to optimize the performance of sub-protocols. +.Pp +System configuration requires the +.Xr opencrypto 9 +subsystem. +When the +Fast IPsec +protocols are configured for use, all protocols are included in the system. +To selectively enable/disable protocols, use +.Xr sysctl 8 . .\" .Sh PROTOCOLS The @@ -282,7 +296,6 @@ routines from looking into IP payload. .Xr ioctl 2 , .Xr socket 2 , .Xr ipsec_set_policy 3 , -.Xr fast_ipsec 4 , .Xr icmp6 4 , .Xr intro 4 , .Xr ip6 4 , @@ -299,6 +312,40 @@ routines from looking into IP payload. .%R RFC .%N 2367 .Re +.Sh HISTORY +The protocols draw heavily on the +.Ox +implementation of the +.Tn IPsec +protocols. +The policy management code is derived from the +.Tn KAME +implementation found in their +.Tn IPsec +protocols. +The +Fast IPsec +protocols are based on code which appeared in +.Fx 4.7 . +The +.Nx +version is a close copy of the +.Fx +original, and first appeared in +.Nx 2.0 . +.Pp +Support for IPv6 and +.Tn IPcomp +protocols has been added in +.Nx 4.0 . +.Pp +Support Network Address Translator Traversal as +described in RFCs 3947 and 3948 has been added in +.Nx 5.0 . +.Pp +Since +.Nx 6.0 , +the IPsec implementation formerly known as Fast IPsec is used. .Sh BUGS IPsec support is subject to change as the IPsec protocols develop. .Pp 
@@ -344,3 +391,8 @@ If you manipulate many IPsec key/policy increase the size of socket buffer or use .Xr sysctl 8 interface. +.Pp +Certain legacy authentication algorithms are not supported because of +issues with the +.Xr opencrypto 9 +subsystem. Index: src/share/man/man4/nsp.4 diff -u src/share/man/man4/nsp.4:1.2 src/share/man/man4/nsp.4:1.3 --- src/share/man/man4/nsp.4:1.2 Mon Nov 3 08:48:41 2008 +++ src/share/man/man4/nsp.4 Wed Jun 13 03:28:36 2018 @@ -1,4 +1,4 @@ -.\" $NetBSD: nsp.4,v 1.2 2008/11/03 08:48:41 wiz Exp $ +.\" $NetBSD: nsp.4,v 1.3 2018/06/13 03:28:36 ozaki-r Exp $ .\" .\" Copyright (c) 2008 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd November 2, 2008 +.Dd June 13, 2018 .Dt NSP 4 .Os .Sh NAME @@ -149,7 +149,7 @@ driver offer excellent performance for s achieving 75,000 or more such operations per second. .Sh SEE ALSO .Xr crypto 4 , -.Xr fast_ipsec 4 , +.Xr ipsec 4 , .Xr intro 4 , .Xr rnd 4 , .Xr opencrypto 9 Index: src/share/man/man4/options.4 diff -u src/share/man/man4/options.4:1.487 src/share/man/man4/options.4:1.488 --- src/share/man/man4/options.4:1.487 Fri May 11 14:38:28 2018 +++ src/share/man/man4/options.4 Wed Jun 13 03:28:36 2018 @@ -1,4 +1,4 @@ -.\" $NetBSD: options.4,v 1.487 2018/05/11 14:38:28 maxv Exp $ +.\" $NetBSD: options.4,v 1.488 2018/06/13 03:28:36 ozaki-r Exp $ .\" .\" Copyright (c) 1996 .\" Perry E. Metzger. All rights reserved. @@ -30,7 +30,7 @@ .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" .\" -.Dd May 11, 2018 +.Dd June 13, 2018 .Dt OPTIONS 4 .Os .Sh NAME 
@@ -1778,7 +1778,7 @@ relying on .Xr opencrypto 9 to carry out cryptographic operations. See -.Xr fast_ipsec 4 +.Xr ipsec 4 for details. .It Cd options IPSEC_DEBUG Enables debugging code in IPsec stack. Index: src/share/man/man4/ubsec.4 diff -u src/share/man/man4/ubsec.4:1.5 src/share/man/man4/ubsec.4:1.6 --- src/share/man/man4/ubsec.4:1.5 Sat Apr 19 12:29:24 2014 +++ src/share/man/man4/ubsec.4 Wed Jun 13 03:28:36 2018 @@ -1,4 +1,4 @@ -.\" $NetBSD: ubsec.4,v 1.5 2014/04/19 12:29:24 bad Exp $ +.\" $NetBSD: ubsec.4,v 1.6 2018/06/13 03:28:36 ozaki-r Exp $ .\" $FreeBSD: src/share/man/man4/ubsec.4,v 1.1.2.1 2002/11/21 23:57:24 sam Exp $ .\" $OpenBSD: ubsec.4,v 1.26 2003/09/03 15:55:41 jason Exp $ .\" @@ -26,7 +26,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd April 19, 2014 +.Dd June 13, 2018 .Dt UBSEC 4 .Os .Sh NAME @@ -74,7 +74,7 @@ driver registers itself to accelerate DE MD5-HMAC, and SHA1-HMAC operations for .Xr opencrypto 9 , and thus for -.Xr fast_ipsec 4 +.Xr ipsec 4 and .Xr crypto 4 . The driver also supports acceleration of AES-CBC with the BCM5823 or newer. @@ -90,7 +90,7 @@ registers itself to provide random data subsystem. .Sh SEE ALSO .Xr crypto 4 , -.Xr fast_ipsec 4 , +.Xr ipsec 4 , .Xr intro 4 , .Xr rnd 4 , .Xr opencrypto 9
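
Review bot: In ipsec.4 at @@ -49,7 +52,7 @@, the new IPComp item is listed beside ESP and AH under "IP security protocol" but says only that it "increases the communication performance by compressing the datagrams". Add a sentence stating that IPComp on its own provides neither confidentiality nor integrity, so that a reader does not take a policy that selects only IPComp as protecting the traffic.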
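
Review bot: In the new "Cryptographic operations" subsection of ipsec.4 (@@ -252,6 +250,22 @@), the running text still says "When the Fast IPsec protocols are configured for use" although this commit retires that name, and "To selectively enable/disable protocols, use sysctl 8" names no variable. Use "IPsec" here and keep the old name for HISTORY, and either name the sysctl variables or point at the subsection that lists them. "System configuration requires the opencrypto 9 subsystem" would also be clearer if it said what, if anything, has to appear in the kernel configuration besides "options IPSEC".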
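
Review bot: The HISTORY text added to ipsec.4 at @@ -299,6 +312,40 @@ carries over wording problems from the old page. "Support Network Address Translator Traversal as described in RFCs 3947 and 3948" is missing "for"; ".Tn IPcomp" does not match the "IPComp" spelling introduced in the DESCRIPTION hunk; and "The protocols draw heavily on" no longer has an antecedent now that the section lives in ipsec.4, so it should say which implementation is meant. "derived from the KAME implementation found in their IPsec protocols" also reads circularly and could simply end at "KAME implementation".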
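
Review bot: The BUGS paragraph added to ipsec.4 at @@ -344,3 +391,8 @@ says "Certain legacy authentication algorithms are not supported because of issues with the opencrypto 9 subsystem" without naming them. An administrator choosing algorithms for a security association needs the list; name the unsupported algorithms here, or reference the page that enumerates the supported ones.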
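
Review bot: In the SEE ALSO hunks of hifn.4 (@@ -83,7 +83,7 @@), nsp.4 (@@ -149,7 +149,7 @@) and ubsec.4 (@@ -90,7 +90,7 @@), the in-place substitution leaves ".Xr ipsec 4 ," ahead of ".Xr intro 4 ,". The old fast_ipsec entry sorted before intro, but ipsec sorts after it, so the new line should move one entry down to keep the section-then-alphabetical order these lists otherwise follow.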