TCPKEY(8) Maintenance Commands and Procedures TCPKEY(8)

NAME

tcpkey - Manages the Security Association Database (SADB) for TCP

SYNOPSIS

tcpkey [-nvp]

tcpkey [-nvp] -f filename

tcpkey -c filename

tcpkey [-nvp] get {Extension value...}

tcpkey [-nvp] delete {Extension value...}

tcpkey [-nvp] flush

tcpkey [-nvp] dump

tcpkey [-nvp] save [filename]

DESCRIPTION

The tcpkey command is used to manually manipulate the tcp(4P) security association database.

While the tcpkey utility has only a limited number of general options, it supports a rich command language. The user may specify requests to be delivered by means of a programmatic interface specific to manual keying. See pf_key(4P). When tcpkey is invoked with no arguments, it enters an interactive mode which prints a prompt (“tcpkey>”) to the standard output and accepts commands from the standard input until end-of-file is reached.

tcpkey uses a PF_KEY socket and the message types SADB_ADD, SADB_DELETE, SADB_GET and SADB_FLUSH. Thus, you must have the PRIV_SYS_IP_CONFIG privilege to use this command.

OPTIONS

-c filename
Analogous to the -f option (see below), except that the input is not executed but only checked for syntactic correctness. Errors are reported to stderr. This option is provided to debug configurations without making changes.

-f filename
Read commands from an input file, filename. The lines of the input file are identical to the command line language. The save command can generate files readable by the -f option.

-n
Prevent attempts to print host and network names symbolically when reporting actions. This is useful, for example, when all name servers are down or are otherwise unreachable.

-p
Paranoid. Do not print any keying material, even if saving. Instead of an actual hexadecimal digit, print an ‘X’ when this flag is turned on.

-v
Verbose. Print the messages being sent into the PF_KEY socket, and print raw seconds values for lifetimes.

COMMANDS

add
Add an SA. Because it involves the transfer of keying material, it cannot be invoked from the shell, lest the keys be visible in ps(1) output. It can be used either from the interactive tcpkey> prompt or in a command file specified by the -f option. The add command accepts all extension-value pairs described below.

delete
Delete a specific SA. This command requires the src extension and the dst extension. If the SA is in use, it will be marked for deletion and no longer used for new connection setup. However, existing connections will continue to use it.

get
Look up and display a security association. Like delete, this command only requires src and dst.

flush
Remove all SAs.

dump
Display all SAs. Because of the large amount of data generated by this command, there is no guarantee that all SA information will be successfully delivered, or that this command will even complete.

save
Is the command analog of the -s option.

help
Prints a brief summary of commands.

EXTENSIONS

Commands like add, delete, get, and update require that certain extensions and associated values be specified. The extensions are listed here, along with the commands that use them and the commands that require them.

src addr | name | IPv6addr
Source address of the SA.

dst addr | name | IPv6addr
Destination address of the SA.

sport port
Source port number. If unspecified, the SA will match any source port.

dport port
Destination port number. If unspecified, the SA will match any destination port.

authalg algorithm
Authentication algorithm. The only supported value is ‘md5’.

authstring string
Authentication string. Only ASCII characters are supported and the authentication string must be no longer than 80 characters.

FILES

/etc/inet/secret/tcpkeys
Default configuration file used at boot time.

EXAMPLES

Emptying Out All SAs

    # tcpkey flush

Saving All SAs To Standard Output

    # tcpkey save

Adding a pair of SAs

Note that the second SA specifies 179 as the source port so that it matches reply traffic.

    # tcpkey
    tcpkey> add src 192.168.1.1 dst 192.168.1.2 dport 179 \
        authalg md5 authstring s3kr1t
    tcpkey> add src 192.168.1.2 dst 192.168.1.1 sport 179 \
        authalg md5 authstring s3kr1t
    tcpkey> exit

Displaying all SAs

    # tcpkey dump
    Base message (version 2) type DUMP, SA type TCPSIG.
    Message length 112 bytes, seq=5, pid=649091.
    SRC: Source address (proto=6/tcp)
    SRC: AF_INET6: port 0, ::ffff:192.168.1.1/32 (host.example.com).
    DST: Destination address (proto=6/tcp)
    DST: AF_INET6: port 179, ::ffff:192.168.1.2/32 <unknown>.
    AST: Authentication string.
    AST: "s3kr1t"
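The same SA pair loaded the way the add command requires, as an added example that is not part of the man page or the OmniOS project: the commands go into a file fed through -f rather than onto a shell command line, the file is checked with -c first, and the result is confirmed with a paranoid (-p) dump. The addresses 192.0.2.1 and 192.0.2.2, the password and the /usr/sbin/tcpkey path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the tcpkey(8) page or the OmniOS project.
# Builds a tcpkey command file for a BGP peering (TCP port 179) and loads it
# through -f, so the authstring is never passed on a command line where ps(1)
# could see it. Addresses, password and the tcpkey path are assumed values.
set -eu

# check_authstring SECRET: enforce the constraints the page gives for the
# authstring extension (printable ASCII only, at most 80 characters).
check_authstring() {
    secret=$1
    [ "${#secret}" -le 80 ] || { echo "authstring over 80 chars" >&2; return 1; }
    if printf '%s' "$secret" | LC_ALL=C grep -q '[^ -~]'; then
        echo "authstring must be printable ASCII" >&2
        return 1
    fi
}

# gen_tcpkeys LOCAL PEER SECRET: print the SA pair from the page's example.
# The first SA matches our connections to the peer's port 179, the second
# matches the peer's replies, which are sent from port 179.
gen_tcpkeys() {
    local_ip=$1; peer_ip=$2; secret=$3
    check_authstring "$secret" || return 1
    printf 'add src %s dst %s dport 179 authalg md5 authstring %s\n' \
        "$local_ip" "$peer_ip" "$secret"
    printf 'add src %s dst %s sport 179 authalg md5 authstring %s\n' \
        "$peer_ip" "$local_ip" "$secret"
}

# install_tcpkeys FILE: syntax-check with -c before touching the SADB with
# -f, then confirm with a paranoid (-p) dump so no keying material is shown.
# TCPKEY is an assumed path; override it if tcpkey lives elsewhere.
install_tcpkeys() {
    file=$1
    TCPKEY=${TCPKEY:-/usr/sbin/tcpkey}
    chmod 600 "$file"
    "$TCPKEY" -c "$file"
    "$TCPKEY" -f "$file"
    "$TCPKEY" -p dump
}

# Usage: sh thisfile.sh run   (needs tcpkey and the PRIV_SYS_IP_CONFIG privilege)
if [ "${1-}" = run ]; then
    f=$(mktemp)
    gen_tcpkeys 192.0.2.1 192.0.2.2 's3kr1t-sample' > "$f"
    install_tcpkeys "$f"
    rm -f "$f"
fi
```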

INTERFACE STABILITY

The command line interface of tcpkey is . The command line interface of tcpkey is and may change at any time.

SEE ALSO

ps(1), ipseckey(8)

April 17, 2024 OmniOS