Remove the last entries to fast_ipsec.

Merge in parts of the old fast_ipsec.4 man page to ipsec.4 and start updating ipsec.4 man page. Reviewed by: brueffer, sam (slightly earlier versions), bmah Approved by: re (bmah)
2007-08-02 08:04:48 +00:00 · 2007-08-02 08:04:48 +00:00 · e0c9263157
commit e0c9263157
parent 409b3a00aa
6 changed files with 116 additions and 42 deletions
--- a/ObsoleteFiles.inc
+++ b/ObsoleteFiles.inc
@ -14,6 +14,8 @@
 # The file is partitioned: OLD_FILES first, then OLD_LIBS and OLD_DIRS last.
 #

+# 20070801: fast_ipsec.4 gone
+OLD_FILES+=usr/share/man/man4/fast_ipsec.4.gz
 # 20070715: netatm temporarily disconnected
 OLD_FILES+=rescue/atm
 OLD_FILES+=rescue/fore_dnld
--- a/share/man/man4/Makefile
+++ b/share/man/man4/Makefile
@ -76,7 +76,6 @@ MAN=	aac.4 \
 	esp.4 \
 	exca.4 \
 	faith.4 \
-	fast_ipsec.4 \
 	fatm.4 \
 	fd.4 \
 	fdc.4 \
--- a/share/man/man4/crypto.4
+++ b/share/man/man4/crypto.4
@ -28,7 +28,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd January 16, 2004
+.Dd August 1, 2007
 .Dt CRYPTO 4
 .Os
 .Sh NAME
@ -105,8 +105,8 @@ asymmetric cryptographic features are potentially available from
 crypto access device
 .El
 .Sh SEE ALSO
-.Xr fast_ipsec 4 ,
 .Xr hifn 4 ,
+.Xr ipsec 4 ,
 .Xr padlock 4 ,
 .Xr safe 4 ,
 .Xr ubsec 4 ,
--- a/share/man/man4/enc.4
+++ b/share/man/man4/enc.4
@ -31,7 +31,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd June 16, 2006
+.Dd August 1, 2007
 .Dt ENC 4
 .Os
 .Sh NAME
@ -49,7 +49,7 @@ The
 .Nm
 interface is a software loopback mechanism that allows hosts or
 firewalls to filter
-.Xr fast_ipsec 4
+.Xr ipsec 4
 traffic using any firewall package that hooks in via the
 .Xr pfil 9
 framework.
@ -58,7 +58,7 @@ The
 .Nm
 interface allows an administrator
 to see outgoing packets before they have been processed by
-.Xr fast_ipsec 4 ,
+.Xr ipsec 4 ,
 or incoming packets after they have been similarly processed, via
 .Xr tcpdump 1 .
 .Pp
@ -74,14 +74,15 @@ on the
 interface.
 .Sh EXAMPLES
 To see all outgoing packets before they have been processed via
-.Xr fast_ipsec 4 ,
+.Xr ipsec 4 ,
 or all incoming packets after they have been similarly processed:
 .Pp
 .Dl "tcpdump -i enc0"
 .Sh SEE ALSO
 .Xr tcpdump 1 ,
 .Xr bpf 4 ,
-.Xr fast_ipsec 4 ,
 .Xr ipf 4 ,
 .Xr ipfw 4 ,
-.Xr pf 4
+.Xr ipsec 4 ,
+.Xr pf 4 ,
+.Xr tcpdump 8
--- a/share/man/man4/ipsec.4
+++ b/share/man/man4/ipsec.4
@ -29,44 +29,68 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd August 24, 2006
+.Dd August 1, 2007
 .Dt IPSEC 4
 .Os
 .Sh NAME
-.Nm ipsec
-.Nd IP security protocol
+.Nm IPsec
+.Nd Internet Protocol Security protocol
 .Sh SYNOPSIS
 .Cd "options IPSEC"
-.Cd "options IPSEC_DEBUG"
-.Cd "options IPSEC_ESP"
 .Cd "options IPSEC_FILTERGIF"
+.Cd "device crypto"
 .Pp
 .In sys/types.h
 .In netinet/in.h
-.In netinet6/ipsec.h
+.In netipsec/ipsec.h
+.In netipsec/ipsec6.h
 .Sh DESCRIPTION
 .Nm
 is a security protocol implemented within the Internet Protocol layer
-of the TCP/IP stack.
+of the networking stack.
 .Nm
 is defined for both IPv4 and IPv6
 .Xr ( inet 4
 and
 .Xr inet6 4 ) .
 .Nm
-contains two protocols,
-ESP, the encapsulated security payload protocol and
-AH, the authentication header protocol.
-ESP prevents unauthorized parties from reading the payload of an IP packet
-by encrypting it using
-secret key cryptography algorithms.
-AH both authenticates guarantees the integrity of an IP packet
+is a set of protocols,
+.Tn ESP
+(for Encapsulating Security Payload)
+.Tn AH
+(for Authentication Header),
+and
+.Tn IPComp
+(for IP Payload Compression Protocol)
+that provide security services for IP datagrams.
+AH both authenticates and guarantees the integrity of an IP packet
 by attaching a cryptographic checksum computed using one-way hash functions.
+ESP, in addition, prevents unauthorized parties from reading the payload of
+an IP packet by also encrypting it.
+IPComp tries to increase communication performance by compressing IP payload,
+thus reducing the amount of data sent.
+This will help nodes on slow links but with enough computing power.
 .Nm
-has operates in one of two modes: transport mode or tunnel mode.
+operates in one of two modes: transport mode or tunnel mode.
 Transport mode is used to protect peer-to-peer communication between end nodes.
 Tunnel mode encapsulates IP packets within other IP packets
 and is designed for security gateways such as VPN endpoints.
+.Pp
+System configuration requires the
+.Xr crypto 4
+subsystem.
+.Pp
+The packets can be passed to a virtual
+.Xr enc 4
+interface,
+to perform packet filtering before outbound encryption and after decapsulation
+inbound.
+.Pp
+To properly filter on the inner packets of an
+.Nm
+tunnel with firewalls, add
+.Cd "options IPSEC_FILTERGIF"
+to the kernel configuration file.
 .\"
 .Ss Kernel interface
 .Nm
@ -95,7 +119,7 @@ interface.
 The kernel implements
 an extended version of the
 .Dv PF_KEY
-interface, and allows the programmer to define IPsec policies
+interface and allows the programmer to define IPsec policies
 which are similar to the per-packet filters.
 The
 .Xr setsockopt 2
@ -119,19 +143,18 @@ policies using the
 .Dv PF_KEY
 interface, via the
 .Xr setkey 8
-command.
-In either case, IPsec policies must be specified using the syntax described in
-.Xr ipsec_set_policy 3 .
-Please refer to the
+you can define IPsec policies against packets using rules similar to packet
+filtering rules.
+Refer to
 .Xr setkey 8
-man page for instructions on its use.
+on how to use it.
 .Pp
 When setting policies using the
 .Xr setkey 8
-command the
+command, the
 .Dq Li default
-option you can have the system use its default policy, explained
-below, for processing packets.
+option instructs the system to use its default policy, as
+explained below, for processing packets.
 The following sysctl variables are available for configuring the
 system's IPsec behavior.
 The variables can have one of two values.
@ -181,7 +204,19 @@ means
 .El
 .\"
 .Ss Miscellaneous sysctl variables
-The following variables are accessible via
+When the
+.Nm
+protocols are configured for use, all protocols are included in the system.
+To selectively enable/disable protocols, use
+.Xr sysctl 8 .
+.Bl -column net.inet.ipcomp.ipcomp_enable
+.It Sy "Name	Default"
+.It "net.inet.esp.esp_enable	On"
+.It "net.inet.ah.ah_enable	On"
+.It "net.inet.ipcomp.ipcomp_enable	Off"
+.El
+.Pp
+In addition the following variables are accessible via
 .Xr sysctl 8 ,
 for tweaking the kernel's IPsec behavior:
 .Bl -column net.inet6.ipsec6.inbonud_call_ike integerxxx
@ -266,7 +301,8 @@ routines from looking into the IP payload.
 .Xr ioctl 2 ,
 .Xr socket 2 ,
 .Xr ipsec_set_policy 3 ,
-.Xr fast_ipsec 4 ,
+.Xr crypto 4 ,
+.Xr enc 4 ,
 .Xr icmp6 4 ,
 .Xr intro 4 ,
 .Xr ip6 4 ,
@ -303,12 +339,42 @@ routines from looking into the IP payload.
 .%O work in progress material
 .Re
 .Sh HISTORY
-The implementation described herein appeared in WIDE/KAME IPv6/IPsec stack.
-.Sh BUGS
-The IPsec support is subject to change as the IPsec protocols develop.
+The original
+.Nm
+implementation appeared in the WIDE/KAME IPv6/IPsec stack.
 .Pp
+For
+.Fx 5.0
+a fully locked IPsec implementation called fast_ipsec was brought in.
+The protocols drew heavily on the
+.Ox
+implementation of the
+.Tn IPsec
+protocols.
+The policy management code was derived from the
+.Tn KAME
+implementation found
+in their
+.Tn IPsec
+protocols.
+The fast_ipsec implementation lacked
+.Xr ip6 4
+support but made use of the
+.Xr crypto 4
+subsystem.
+.Pp
+For
+.Fx 7.0
+.Xr ip6 4
+support was added to fast_ipsec.
+After this the old KAME IPsec implementation was dropped and fast_ipsec
+became what now is the only
+.Nm
+implementation in
+.Fx .
+.Sh BUGS
 There is no single standard for the policy engine API,
-so the policy engine API described herein is just for KAME implementation.
+so the policy engine API described herein is just for this implementation.
 .Pp
 AH and tunnel mode encapsulation may not work as you might expect.
 If you configure inbound
@ -337,3 +403,9 @@ operations on
 sockets may fail due to lack of space.
 Increasing the socket buffer
 size may alleviate this problem.
+.Pp
+The
+.Tn IPcomp
+protocol support is currently broken.
+.Pp
+This documentation needs more review.
--- a/share/man/man4/man4.i386/padlock.4
+++ b/share/man/man4/man4.i386/padlock.4
@ -24,7 +24,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd July 28, 2006
+.Dd August 1, 2007
 .Dt PADLOCK 4 i386
 .Os
 .Sh NAME
@ -61,7 +61,7 @@ there is no hardware acceleration for those algorithms.
 This is only needed so
 .Nm
 can work with
-.Xr fast_ipsec 4 .
+.Xr ipsec 4 .
 .Pp
 The hardware random number generator supplies data for the kernel
 .Xr random 4
@ -69,8 +69,8 @@ subsystem.
 .Sh SEE ALSO
 .Xr crypt 3 ,
 .Xr crypto 4 ,
-.Xr fast_ipsec 4 ,
 .Xr intro 4 ,
+.Xr ipsec 4 ,
 .Xr random 4 ,
 .Xr crypto 9
 .Sh HISTORY