ipsec.4 (141580) | ipsec.4 (141851) |
---|---|
1.\" $KAME: ipsec.4,v 1.17 2001/06/27 15:25:10 itojun Exp $ 2.\" 3.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: --- 13 unchanged lines hidden (view full) --- 22.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28.\" SUCH DAMAGE. 29.\" | 1.\" $KAME: ipsec.4,v 1.17 2001/06/27 15:25:10 itojun Exp $ 2.\" 3.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: --- 13 unchanged lines hidden (view full) --- 22.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28.\" SUCH DAMAGE. 29.\" |
30.\" $FreeBSD: head/share/man/man4/ipsec.4 141580 2005-02-09 18:07:17Z ru $ | 30.\" $FreeBSD: head/share/man/man4/ipsec.4 141851 2005-02-13 23:45:54Z ru $ |
31.\" 32.Dd January 11, 2005 33.Dt IPSEC 4 34.Os 35.Sh NAME 36.Nm ipsec 37.Nd IP security protocol 38.Sh SYNOPSIS --- 273 unchanged lines hidden (view full) --- 312.Dq Li esp/tunnel/A-B/use ah/transport/A-B/require ) , 313tunnelled packets will be rejected. 314This is because we enforce policy check on inner packet on reception, 315and AH authenticates encapsulating 316(outer) 317packet, not the encapsulated 318(inner) 319packet | 31.\" 32.Dd January 11, 2005 33.Dt IPSEC 4 34.Os 35.Sh NAME 36.Nm ipsec 37.Nd IP security protocol 38.Sh SYNOPSIS --- 273 unchanged lines hidden (view full) --- 312.Dq Li esp/tunnel/A-B/use ah/transport/A-B/require ) , 313tunnelled packets will be rejected. 314This is because we enforce policy check on inner packet on reception, 315and AH authenticates encapsulating 316(outer) 317packet, not the encapsulated 318(inner) 319packet |
320(so for the receiving kernel there's no sign of authenticity). | 320(so for the receiving kernel there is no sign of authenticity). |
321The issue will be solved when we revamp our policy engine to keep all the 322packet decapsulation history. 323.Pp 324Under certain condition, 325truncated result may be raised from the kernel 326against 327.Dv SADB_DUMP 328and 329.Dv SADB_SPDDUMP 330operation on 331.Dv PF_KEY 332socket. 333This occurs if there are too many database entries in the kernel 334and socket buffer for the 335.Dv PF_KEY 336socket is insufficient. 337If you manipulate many IPsec key/policy database entries, 338increase the size of socket buffer. | 321The issue will be solved when we revamp our policy engine to keep all the 322packet decapsulation history. 323.Pp 324Under certain condition, 325truncated result may be raised from the kernel 326against 327.Dv SADB_DUMP 328and 329.Dv SADB_SPDDUMP 330operation on 331.Dv PF_KEY 332socket. 333This occurs if there are too many database entries in the kernel 334and socket buffer for the 335.Dv PF_KEY 336socket is insufficient. 337If you manipulate many IPsec key/policy database entries, 338increase the size of socket buffer. |
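Review bot: Line 320 only expands "there's" to "there is", while the unchanged sentences around it have wording problems of the same kind that could be fixed in the same pass: "we enforce policy check on inner packet on reception" (line 314) and "Under certain condition, truncated result may be raised from the kernel" (lines 324-325) are missing articles and a plural. The second sentence also does not say whether SADB_DUMP and SADB_SPDDUMP report an error or simply return a short listing when the PF_KEY socket buffer is too small. Suggest stating which, because anyone using a dump to audit the key or policy database needs to know whether truncation is detectable.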