.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
.TH IONSECRC 5 "2014-07-08" "perl v5.20.1" "ICI configuration files"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
ionsecrc \- ION security policy management commands file
.SH "DESCRIPTION"
\&\s-1ION\s0 security policy management commands are passed to \fBionsecadmin\fR
either in a file of text lines or interactively at \fBionsecadmin\fR's command
prompt (:). Commands are interpreted line-by-line, with exactly one command per
line. The formats and effects of the \s-1ION\s0 security policy management
commands are described below.
.PP
A parameter identified as an \fIeid_expr\fR is an \(lqendpoint \s-1ID\s0
expression.\(rq For all commands, whenever the last character of an endpoint
\s-1ID\s0 expression is the wild-card character '*', an applicable endpoint
\s-1ID\s0 \(lqmatches\(rq this \s-1EID\s0 expression if all characters of the
endpoint \s-1ID\s0 expression prior to the last one are equal to the
corresponding characters of that endpoint \s-1ID\s0. Otherwise an applicable
endpoint \s-1ID\s0 \(lqmatches\(rq the \s-1EID\s0 expression only when all
characters of the \s-1EID\s0 and \s-1EID\s0 expression are identical.
.PP
\&\s-1ION\s0's security policy management encompasses both \s-1BP\s0 security
and \s-1LTP\s0 authentication.
.SH "COMMANDS"
.IP "\fB?\fR" 4
The \fBhelp\fR command. This will display a listing of the commands and their
formats. It is the same as the \fBh\fR command.
.IP "\fB#\fR" 4
Comment line. Lines beginning with \fB#\fR are not interpreted.
.IP "\fBe\fR { 1 | 0 }" 4
Echo control. Setting echo to 1 causes all output printed by ionsecadmin to be
logged as well as sent to stdout. Setting echo to 0 disables this behavior.
.IP "\fBv\fR" 4
Version number. Prints out the version of \s-1ION\s0 currently installed.
\&\s-1HINT:\s0 combine with the \fBe 1\fR command to log the version number at
startup.
.IP "\fB1\fR" 4
The \fBinitialize\fR command.
Until this command is executed, the local \s-1ION\s0 node has no security policy
database and most \fIionsecadmin\fR commands will fail.
.IP "\fBa key\fR \fIkey_name\fR \fIfile_name\fR" 4
The \fBadd key\fR command. This command adds a named key value to the security
policy database. The content of \fIfile_name\fR is taken as the value of the
key. Named keys can be referenced by other elements of the security policy
database.
.IP "\fBc key\fR \fIkey_name\fR \fIfile_name\fR" 4
The \fBchange key\fR command. This command changes the value of the named key,
obtaining the new key value from the content of \fIfile_name\fR.
.IP "\fBd key\fR \fIkey_name\fR" 4
The \fBdelete key\fR command. This command deletes the key identified by
\fIkey_name\fR.
.IP "\fBi key\fR \fIkey_name\fR" 4
This command will print information about the named key, i.e., the length of
its current value.
.IP "\fBl key\fR" 4
This command lists all keys in the security policy database.
.IP "\fBa bspbabrule\fR \fIsender_eid_expr\fR \fIreceiver_eid_expr\fR \fI{ '' | ciphersuite_name key_name }\fR" 4
The \fBadd bspbabrule\fR command. This command adds a rule specifying the
manner in which Bundle Authentication Block (\s-1BAB\s0) validation will be
applied to all bundles sent from any node whose endpoints' IDs match
\&\fIsender_eid_expr\fR and received at any node whose endpoints' IDs match
\fIreceiver_eid_expr\fR. Both \fIsender_eid_expr\fR and \fIreceiver_eid_expr\fR
should terminate in wild-card characters, because both the security source and
security destination of a \s-1BAB\s0 are actually nodes rather than individual
endpoints.
.sp
If a zero-length string ('') is indicated instead of a \fIciphersuite_name\fR
then \s-1BAB\s0 validation is disabled for this sender/receiver \s-1EID\s0
expression pair: all bundles sent from nodes with matching administrative
endpoint IDs to nodes with matching administrative endpoint IDs will be
immediately deemed authentic. Otherwise, a bundle from a node with matching
administrative endpoint \s-1ID\s0 to a node with matching administrative
endpoint \s-1ID\s0 will only be deemed authentic if it contains a \s-1BAB\s0
computed via the ciphersuite named by \fIciphersuite_name\fR using a key value
that is identical to the current value of the key named \fIkey_name\fR in the
local security policy database.
.sp
\&\fB\s-1NOTE\s0\fR: if the security policy database contains no \s-1BAB\s0
rules at all, then \s-1BAB\s0 authentication is disabled; all bundles received
from all neighboring nodes are considered authentic. Otherwise, \s-1BAB\s0
rules \fBmust\fR be defined for all nodes from which bundles are to be
received; all bundles received from any node for which no \s-1BAB\s0 rule is
defined are considered inauthentic and are discarded.
.IP "\fBc bspbabrule\fR \fIsender_eid_expr\fR \fIreceiver_eid_expr\fR \fI{ '' | ciphersuite_name key_name }\fR" 4
The \fBchange bspbabrule\fR command. This command changes the ciphersuite name
and/or key name for the \s-1BAB\s0 rule pertaining to the sender/receiver
\s-1EID\s0 expression pair identified by \fIsender_eid_expr\fR and
\fIreceiver_eid_expr\fR. Note that the \fIeid_expr\fRs must exactly match those
of the rule that is to be modified, including any terminating wild-card
character.
.IP "\fBd bspbabrule\fR \fIsender_eid_expr\fR \fIreceiver_eid_expr\fR" 4
The \fBdelete bspbabrule\fR command.
This command deletes the \s-1BAB\s0 rule pertaining to the sender/receiver
\s-1EID\s0 expression pair identified by \fIsender_eid_expr\fR and
\fIreceiver_eid_expr\fR. Note that the \fIeid_expr\fRs must exactly match those
of the rule that is to be deleted, including any terminating wild-card
character.
.IP "\fBi bspbabrule\fR \fIsender_eid_expr\fR \fIreceiver_eid_expr\fR" 4
This command will print information (the ciphersuite and key names) about the
\s-1BAB\s0 rule pertaining to \fIsender_eid_expr\fR and \fIreceiver_eid_expr\fR.
.IP "\fBl bspbabrule\fR" 4
This command lists all \s-1BAB\s0 rules in the security policy database.
.IP "\fBa bsppibrule\fR \fIsender_eid_expr\fR \fIreceiver_eid_expr\fR \fIblock type number\fR \fI{ '' | ciphersuite_name key_name }\fR" 4
The \fBadd bsppibrule\fR command. This command adds a rule specifying the manner
in which Payload Integrity Block (\s-1PIB\s0) validation will be applied to all
bundles sent from any node whose administrative endpoint \s-1ID\s0 matches
\&\fIsender_eid_expr\fR and received at any node whose administrative endpoint
\s-1ID\s0 matches \fIreceiver_eid_expr\fR.
.sp
If a zero-length string ('') is indicated instead of a \fIciphersuite_name\fR
then \s-1PIB\s0 validation is disabled for this sender/receiver \s-1EID\s0
expression pair: all bundles sent from nodes with matching administrative
endpoint IDs to nodes with matching administrative endpoint IDs will be
immediately deemed valid.
Otherwise, a bundle from a node with matching administrative endpoint
\s-1ID\s0 to a node with matching administrative endpoint \s-1ID\s0 will only be
deemed valid if it contains a \s-1PIB\s0 computed via the ciphersuite named by
\fIciphersuite_name\fR using a key value that is identical to the current value
of the key named \fIkey_name\fR in the local security policy database.
.IP "\fBc bsppibrule\fR \fIsender_eid_expr\fR \fIreceiver_eid_expr\fR \fIblock type number\fR \fI{ '' | ciphersuite_name key_name }\fR" 4
The \fBchange bsppibrule\fR command. This command changes the ciphersuite name
and/or key name for the \s-1PIB\s0 rule pertaining to the sender/receiver
\s-1EID\s0 expression pair identified by \fIsender_eid_expr\fR and
\fIreceiver_eid_expr\fR. Note that the \fIeid_expr\fRs must exactly match those
of the rule that is to be modified, including any terminating wild-card
character.
.IP "\fBd bsppibrule\fR \fIsender_eid_expr\fR \fIreceiver_eid_expr\fR \fIblock type number\fR" 4
The \fBdelete bsppibrule\fR command. This command deletes the \s-1PIB\s0 rule
pertaining to the sender/receiver \s-1EID\s0 expression pair identified by
\&\fIsender_eid_expr\fR and \fIreceiver_eid_expr\fR. Note that the
\fIeid_expr\fRs must exactly match those of the rule that is to be deleted,
including any terminating wild-card character.
.IP "\fBi bsppibrule\fR \fIsender_eid_expr\fR \fIreceiver_eid_expr\fR \fIblock type number\fR" 4
This command will print information (the ciphersuite and key names) about the
\s-1PIB\s0 rule pertaining to \fIsender_eid_expr\fR and \fIreceiver_eid_expr\fR.
.IP "\fBl bsppibrule\fR" 4
This command lists all \s-1PIB\s0 rules in the security policy database.
.IP "\fBa ltprecvauthrule\fR \fIltp_engine_id\fR \fIciphersuite_nbr\fR \fI[key_name]\fR" 4
The \fBadd ltprecvauthrule\fR command. This command adds a rule specifying the
manner in which \s-1LTP\s0 segment authentication will be applied to \s-1LTP\s0
segments received from the indicated \s-1LTP\s0 engine.
.sp
A segment from the indicated \s-1LTP\s0 engine will only be deemed authentic if
it contains an authentication extension computed via the ciphersuite identified
by \fIciphersuite_nbr\fR using the applicable key value. If
\fIciphersuite_nbr\fR is 255 then the applicable key value is a hard-coded
constant and \fIkey_name\fR must be omitted; otherwise \fIkey_name\fR is
required and the applicable key value is the current value of the key named
\fIkey_name\fR in the local security policy database.
.sp
Valid values of \fIciphersuite_nbr\fR are:
.RS 4
.sp
0: \s-1HMAC\-SHA1\-80\s0
.br
1: \s-1RSA\-SHA256\s0
.br
255: \s-1NULL\s0
.RE
.IP "\fBc ltprecvauthrule\fR \fIltp_engine_id\fR \fIciphersuite_nbr\fR \fI[key_name]\fR" 4
The \fBchange ltprecvauthrule\fR command. This command changes the parameters
of the \s-1LTP\s0 segment authentication rule for the indicated \s-1LTP\s0
engine.
.IP "\fBd ltprecvauthrule\fR \fIltp_engine_id\fR" 4
The \fBdelete ltprecvauthrule\fR command. This command deletes the \s-1LTP\s0
segment authentication rule for the indicated \s-1LTP\s0 engine.
.IP "\fBi ltprecvauthrule\fR \fIltp_engine_id\fR" 4
This command will print information (the \s-1LTP\s0 engine id, ciphersuite
number, and key name) about the \s-1LTP\s0 segment authentication rule for the
indicated \s-1LTP\s0 engine.
.IP "\fBl ltprecvauthrule\fR" 4
This command lists all \s-1LTP\s0 segment authentication rules in the security
policy database.
.IP "\fBa ltpxmitauthrule\fR \fIltp_engine_id\fR \fIciphersuite_nbr\fR \fI[key_name]\fR" 4
The \fBadd ltpxmitauthrule\fR command. This command adds a rule specifying the
manner in which \s-1LTP\s0 segments transmitted to the indicated \s-1LTP\s0
engine must be signed.
.sp
Signing a segment destined for the indicated \s-1LTP\s0 engine entails
computing an authentication extension via the ciphersuite identified by
\fIciphersuite_nbr\fR using the applicable key value. If \fIciphersuite_nbr\fR
is 255 then the applicable key value is a hard-coded constant and
\fIkey_name\fR must be omitted; otherwise \fIkey_name\fR is required and the
applicable key value is the current value of the key named \fIkey_name\fR in
the local security policy database.
.sp
Valid values of \fIciphersuite_nbr\fR are:
.RS 4
.sp
0: \s-1HMAC_SHA1\-80\s0
.br
1: \s-1RSA_SHA256\s0
.br
255: \s-1NULL\s0
.RE
.IP "\fBc ltpxmitauthrule\fR \fIltp_engine_id\fR \fIciphersuite_nbr\fR \fI[key_name]\fR" 4
The \fBchange ltpxmitauthrule\fR command. This command changes the parameters
of the \s-1LTP\s0 segment signing rule for the indicated \s-1LTP\s0 engine.
.IP "\fBd ltpxmitauthrule\fR \fIltp_engine_id\fR" 4
The \fBdelete ltpxmitauthrule\fR command. This command deletes the \s-1LTP\s0
segment signing rule for the indicated \s-1LTP\s0 engine.
.IP "\fBi ltpxmitauthrule\fR \fIltp_engine_id\fR" 4
This command will print information (the \s-1LTP\s0 engine id, ciphersuite
number, and key name) about the \s-1LTP\s0 segment signing rule for the
indicated \s-1LTP\s0 engine.
.IP "\fBl ltpxmitauthrule\fR" 4
This command lists all \s-1LTP\s0 segment signing rules in the security policy
database.
.IP "\fBx\fR \fI[ { ~ | sender_eid_expr } [ { ~ | receiver_eid_expr } [ { ~ | bab | pib | pcb | esb } ] ] ]\fR" 4
This command will clear all rules for the indicated type of bundle security
block between the indicated security source and security destination. If block
type is omitted it defaults to \fB~\fR signifying \(lqall \s-1BSP\s0
blocks\(rq. If both block type and security destination are omitted, security
destination defaults to \fB~\fR signifying \(lqall \s-1BSP\s0 security
destinations\(rq. If all three command-line parameters are omitted, then
security source defaults to \fB~\fR signifying \(lqall \s-1BSP\s0 security
sources\(rq.
.IP "\fBh\fR" 4
The \fBhelp\fR command. This will display a listing of the commands and their
formats. It is the same as the \fB?\fR command.
.SH "EXAMPLES"
.IP "a key \s-1BABKEY\s0 ./babkey.txt" 4
Adds a new key named \(lq\s-1BABKEY\s0\(rq whose value is the content of the
file \(lq./babkey.txt\(rq.
.IP "a bspbabrule ipn:19.* ipn:11.* \s-1HMAC_SHA1 BABKEY\s0" 4
Adds a \s-1BAB\s0 rule requiring that all bundles sent from node number 19 to
node number 11 contain Bundle Authentication Blocks computed via the
\s-1HMAC_SHA1\s0 ciphersuite using a key value that is identical to the current
value of the key named \(lq\s-1BABKEY\s0\(rq in the local security policy
database.
.IP "c bspbabrule ipn:19.* ipn:11.* ''" 4
Changes the \s-1BAB\s0 rule pertaining to all bundles sent from node number 19
to node number 11. \s-1BAB\s0 checking is disabled; these bundles will be
automatically deemed authentic.
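.PP
The following Python model is an added example, not part of this manual page or
of the \s-1ION\s0 distribution: it applies the \fBkey\fR and \fBbspbabrule\fR
commands from a constructed ionsecrc fragment (built from the examples above,
with a made-up key value) and then judges bundles by the resulting \s-1BAB\s0
rules as the \fBa bspbabrule\fR entry and its \s-1NOTE\s0 describe, using the
wild-card \s-1EID\s0 matching from \s-1DESCRIPTION.\s0 It assumes an in-memory
mapping in place of reading \fIfile_name\fR from disk and, where several rules
would match, that the first one added applies.

```python
import hmac
import shlex
from typing import Optional, Tuple

def eid_matches(expr: str, eid: str) -> bool:
    """DESCRIPTION's rule: a trailing '*' matches any EID sharing the characters
    before it ('ipn:1*' would cover ipn:19.1 and ipn:11.2 alike); otherwise the
    EID and the expression must be identical."""
    return eid.startswith(expr[:-1]) if expr.endswith("*") else eid == expr

class SecPolicy:
    def __init__(self) -> None:
        self.keys = {}      # key_name -> key value (bytes)
        self.babrules = {}  # (sender_expr, receiver_expr) -> (ciphersuite, key_name)

    def load(self, text: str, files: dict) -> None:
        """Apply '#', a/c key and a/c/d bspbabrule lines (other commands are ignored
        here); 'files' stands in for the filesystem each key file_name is read from."""
        for line in text.splitlines():
            tok = [] if line.lstrip().startswith("#") else shlex.split(line)
            if tok[:2] in (["a", "key"], ["c", "key"]):
                self.keys[tok[2]] = files[tok[3]]
            elif tok[:2] in (["a", "bspbabrule"], ["c", "bspbabrule"]):
                # shlex turns the '' argument into an empty token, i.e. "no ciphersuite"
                self.babrules[(tok[2], tok[3])] = (tok[4], tok[5]) if tok[4] else ("", None)
            elif tok[:2] == ["d", "bspbabrule"]:
                del self.babrules[(tok[2], tok[3])]

    def authentic(self, sender: str, receiver: str, bab: Optional[Tuple[str, bytes]]) -> bool:
        """bab is the (ciphersuite, key value) the bundle's BAB was computed with, or
        None. True means deemed authentic; False means the bundle is discarded."""
        if not self.babrules:
            return True          # no BAB rules at all: BAB authentication is off
        for (s_expr, r_expr), (cs, key_name) in self.babrules.items():
            if eid_matches(s_expr, sender) and eid_matches(r_expr, receiver):
                if cs == "":     # '' rule: this pair is deemed authentic unchecked
                    return True
                key = self.keys.get(key_name)      # an unknown key name verifies nothing
                return (bab is not None and bab[0] == cs and key is not None
                        and hmac.compare_digest(bab[1], key))
        return False             # rules exist but none covers this pair: discard

# Constructed ionsecrc fragment from the EXAMPLES section; the key bytes are made up.
FILES = {"./babkey.txt": bytes.fromhex("00112233445566778899aabbccddeeff")}
IONSECRC = "# BAB policy\na key BABKEY ./babkey.txt\na bspbabrule ipn:19.* ipn:11.* HMAC_SHA1 BABKEY\n"

def demo() -> dict:
    pol = SecPolicy()
    pol.load(IONSECRC, FILES)
    good = ("HMAC_SHA1", FILES["./babkey.txt"])
    return {"valid": pol.authentic("ipn:19.1", "ipn:11.2", good),
            "wrong_key": pol.authentic("ipn:19.1", "ipn:11.2", ("HMAC_SHA1", b"\0" * 16)),
            "no_rule": pol.authentic("ipn:20.1", "ipn:11.2", good)}
```

An empty rule table makes \fBauthentic\fR return True for every bundle, so a policy file that deletes its last \s-1BAB\s0 rule is fail-open, while one remaining rule makes every uncovered sender fail closed.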
.SH "SEE ALSO"
\&\fIionsecadmin\fR\|(1)