NAME
ionsecrc - ION security policy management commands file
DESCRIPTION
ION security policy management commands are passed to ionsecadmin either
in a file of text lines or interactively at ionsecadmin's command
prompt (:). Commands are interpreted line by line, with exactly one command
per line. The formats and effects of the ION security policy management
commands are described below.
A parameter identified as an eid_expr is an "endpoint ID
expression." For all commands, whenever the last character of an endpoint
ID expression is the wild-card character '*', an applicable endpoint ID
"matches" this EID expression if all characters of the expression prior to
the '*' are equal to the corresponding characters of that endpoint ID; in
other words, the expression with its '*' removed must be a prefix of the
EID. Otherwise an applicable endpoint ID "matches" the EID expression only
when all characters of the EID and the EID expression are identical. The
prefix comparison is purely character-based, so "ipn:1*" matches ipn:11.0 as
well as ipn:1.0; write "ipn:1.*" to restrict a rule to node number 1.
COMMANDS
- ?
- The help command. This will display a listing of the
commands and their formats. It is the same as the h command.
- #
- Comment line. Lines beginning with # are not
interpreted.
- e { 1 | 0 }
- Echo control. Setting echo to 1 causes all output printed
by ionsecadmin to be logged as well as sent to stdout. Setting echo to 0
disables this behavior.
- 1
- The initialize command. Until this command is
executed, the local ION node has no security policy database and most
ionsecadmin commands will fail.
- a key key_name file_name
- The add key command. This command adds a named key
value to the security policy database. The content of file_name is
taken as the value of the key. Named keys can be referenced by other
elements of the security policy database.
- c key key_name file_name
- The change key command. This command changes the
value of the named key, obtaining the new key value from the content of
file_name.
- d key key_name
- The delete key command. This command deletes the key
identified by name.
- i key key_name
- This command will print information about the named key,
i.e., the length of its current value.
- l key
- This command lists all keys in the security policy
database.
- a bspbabrule sender_eid_expr
receiver_eid_expr { '' | ciphersuite_name key_name }
- The add bspbabrule command. This command adds a rule
specifying the manner in which Bundle Authentication Block (BAB)
validation will be applied to all bundles sent from any node whose
endpoints' IDs match sender_eid_expr and received at any node whose
endpoints' IDs match receiver_eid_expr. Both sender_eid_expr
and receiver_eid_expr should terminate in wild-card characters,
because both the security source and security destination of a BAB are
actually nodes rather than individual endpoints.
If a zero-length string ('') is indicated instead of a
ciphersuite_name then BAB validation is disabled for this
sender/receiver EID expression pair: all bundles sent from nodes with
matching administrative endpoint IDs to nodes with matching administrative
endpoint IDs will be immediately deemed authentic. Otherwise, a bundle
from a node with matching administrative endpoint ID to a node with
matching administrative endpoint ID will only be deemed authentic if it
contains a BAB computed via the ciphersuite named by
ciphersuite_name using a key value that is identical to the current
value of the key named key_name in the local security policy
database.
NOTE: if the security policy database contains no BAB rules at all,
then BAB authentication is disabled; all bundles received from all
neighboring nodes are considered authentic. Otherwise, BAB rules
must be defined for all nodes from which bundles are to be
received; all bundles received from any node for which no BAB rule is
defined are considered inauthentic and are discarded.
- c bspbabrule sender_eid_expr
receiver_eid_expr { '' | ciphersuite_name key_name }
- The change bspbabrule command. This command changes
the ciphersuite name and/or key name for the BAB rule pertaining to the
sender/receiver EID expression pair identified by sender_eid_expr
and receiver_eid_expr. Note that the eid_exprs must exactly
match those of the rule that is to be modified, including any terminating
wild-card character.
- d bspbabrule sender_eid_expr
receiver_eid_expr
- The delete bspbabrule command. This command deletes
the BAB rule pertaining to the sender/receiver EID expression pair
identified by sender_eid_expr and receiver_eid_expr. Note
that the eid_exprs must exactly match those of the rule that is to
be deleted, including any terminating wild-card character.
- i bspbabrule sender_eid_expr
receiver_eid_expr
- This command will print information (the ciphersuite and
key names) about the BAB rule pertaining to sender_eid_expr and
receiver_eid_expr.
- l bspbabrule
- This command lists all BAB rules in the security policy
database.
- a bsppibrule sender_eid_expr
receiver_eid_expr block type number { '' | ciphersuite_name
key_name }
- The add bsppibrule command. This command adds a rule
specifying the manner in which Payload Integrity Block (PIB) validation
will be applied to all bundles sent from any node whose administrative
endpoint ID matches sender_eid_expr and received at any node whose
administrative endpoint ID matches receiver_eid_expr.
If a zero-length string ('') is indicated instead of a
ciphersuite_name then PIB validation is disabled for this
sender/receiver EID expression pair: all bundles sent from nodes with
matching administrative endpoint IDs to nodes with matching administrative
endpoint IDs will be immediately deemed secure. Otherwise, a bundle from a
node with matching administrative endpoint ID to a node with matching
administrative endpoint ID will only be deemed secure if it contains a PIB
computed via the ciphersuite named by ciphersuite_name using a key
value that is identical to the current value of the key named
key_name in the local security policy database.
- c bsppibrule sender_eid_expr
receiver_eid_expr block type number { '' | ciphersuite_name
key_name }
- The change bsppibrule command. This command changes
the ciphersuite name and/or key name for the PIB rule pertaining to the
sender/receiver EID expression pair identified by sender_eid_expr
and receiver_eid_expr. Note that the eid_exprs must exactly
match those of the rule that is to be modified, including any terminating
wild-card character.
- d bsppibrule sender_eid_expr
receiver_eid_expr block type number
- The delete bsppibrule command. This command deletes
the PIB rule pertaining to the sender/receiver EID expression pair
identified by sender_eid_expr and receiver_eid_expr. Note
that the eid_exprs must exactly match those of the rule that is to
be deleted, including any terminating wild-card character.
- i bsppibrule sender_eid_expr
receiver_eid_expr block type number
- This command will print information (the ciphersuite and
key names) about the PIB rule pertaining to sender_eid_expr and
receiver_eid_expr.
- l bsppibrule
- This command lists all PIB rules in the security policy
database.
- h
- The help command. This will display a listing of the
commands and their formats. It is the same as the ? command.
EXAMPLES
- a key BABKEY ./babkey.txt
- Adds a new key named "BABKEY" whose value is the
content of the file "./babkey.txt".
- a bspbabrule ipn:19.* ipn:11.* HMAC_SHA1 BABKEY
- Adds a BAB rule requiring that all bundles sent from node
number 19 to node number 11 contain Bundle Authentication Blocks computed
via the HMAC_SHA1 ciphersuite using a key value that is identical to the
current value of the key named "BABKEY" in the local security
policy database.
- c bspbabrule ipn:19.* ipn:11.* ''
- Changes the BAB rule pertaining to all bundles sent from
node number 19 to node number 11 so that BAB checking is disabled for that
pair; these bundles will be automatically deemed authentic.
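The EID-expression matching rule from DESCRIPTION and the BAB decision procedure from the bspbabrule NOTE, worked through against the rules used in the examples above. This is an added example written for this page, not ION's own code: SecurityDb, receive and compute_bab are stand-ins for ionsecadmin and the bundle agent, the ionsecrc text and the key "files" are constructed inline, the BAB is simplified to an HMAC over the raw bundle bytes, and because the page does not say which rule applies when several match, first match is assumed.

```python
import hashlib
import hmac
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

def eid_matches(eid: str, expr: str) -> bool:
    """ionsecrc rule: a trailing '*' matches any EID with that prefix; otherwise exact."""
    if expr.endswith("*"):
        return eid.startswith(expr[:-1])
    return eid == expr

@dataclass(frozen=True)
class BabRule:
    sender_expr: str
    receiver_expr: str
    ciphersuite: str  # "" means BAB checking is disabled for this pair
    key_name: str

class SecurityDb:
    """Stand-in for the node's security policy database (not ION's own code)."""
    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}
        self.bab_rules: List[BabRule] = []

    def load_ionsecrc(self, text: str, files: Dict[str, bytes]) -> None:
        """Interpret the ionsecrc commands used below, one per line; `files` stands
        in for the filesystem that 'a key' / 'c key' read key values from."""
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            tok = shlex.split(line)  # the '' token arrives as an empty string
            if tok[0] in ("a", "c") and tok[1] == "key":
                self.keys[tok[2]] = files[tok[3]]
            elif tok[0] in ("a", "c") and tok[1] == "bspbabrule":
                cs, key = tok[4], (tok[5] if tok[4] else "")
                new = BabRule(tok[2], tok[3], cs, key)
                if tok[0] == "a":
                    self.bab_rules.append(new)
                else:  # change: exprs must equal the stored ones exactly, '*' included
                    self.bab_rules = [new if (r.sender_expr, r.receiver_expr) ==
                                      (tok[2], tok[3]) else r for r in self.bab_rules]
            elif tok[0] not in ("1", "e"):  # init and echo change nothing here
                raise ValueError(f"unsupported command: {line}")

    def find_bab_rule(self, sender: str, receiver: str) -> Optional[BabRule]:
        # Assumption: first matching rule wins; the man page states no precedence.
        for r in self.bab_rules:
            if eid_matches(sender, r.sender_expr) and eid_matches(receiver, r.receiver_expr):
                return r
        return None

def compute_bab(ciphersuite: str, key: bytes, bundle: bytes) -> bytes:
    """Simplified BAB: HMAC over raw bundle bytes (a real BAB covers a canonicalised
    bundle). Only the HMAC_SHA1 ciphersuite name from the man page is modelled."""
    if ciphersuite != "HMAC_SHA1":
        raise ValueError(f"unsupported ciphersuite: {ciphersuite}")
    return hmac.new(key, bundle, hashlib.sha1).digest()

def receive(db: SecurityDb, sender: str, receiver: str, bundle: bytes,
            bab: Optional[Tuple[str, bytes]]) -> str:
    """Apply the BAB policy to an arriving bundle: 'authentic' or 'discard'."""
    if not db.bab_rules:
        return "authentic"  # no BAB rules at all: BAB authentication is disabled
    rule = db.find_bab_rule(sender, receiver)
    if rule is None:
        return "discard"  # rules exist but none covers this sender: inauthentic
    if rule.ciphersuite == "":
        return "authentic"  # '' rule: this sender/receiver pair is exempt
    key = db.keys.get(rule.key_name)
    if bab is None or bab[0] != rule.ciphersuite or key is None:
        return "discard"  # missing BAB, wrong ciphersuite, or unknown key name
    expected = compute_bab(rule.ciphersuite, key, bundle)
    return "authentic" if hmac.compare_digest(expected, bab[1]) else "discard"

# Constructed ionsecrc for receiving node 11; the key "files" are inline stand-ins.
IONSECRC = """\
1
a key BABKEY ./babkey.txt
a bspbabrule ipn:19.* ipn:11.* HMAC_SHA1 BABKEY
a bspbabrule ipn:23.* ipn:11.* ''
"""
KEY_FILES = {"./babkey.txt": b"constructed-shared-secret", "./other.txt": b"wrong-key"}

def demo() -> Dict[str, str]:
    db = SecurityDb()
    db.load_ionsecrc(IONSECRC, KEY_FILES)
    bundle = b"constructed bundle bytes"
    good = ("HMAC_SHA1", compute_bab("HMAC_SHA1", KEY_FILES["./babkey.txt"], bundle))
    bad = ("HMAC_SHA1", compute_bab("HMAC_SHA1", KEY_FILES["./other.txt"], bundle))
    out = {
        "19_good_key": receive(db, "ipn:19.0", "ipn:11.0", bundle, good),
        "19_wrong_key": receive(db, "ipn:19.0", "ipn:11.0", bundle, bad),
        "19_no_bab": receive(db, "ipn:19.0", "ipn:11.0", bundle, None),
        "23_exempt": receive(db, "ipn:23.0", "ipn:11.0", bundle, None),
        "42_no_rule": receive(db, "ipn:42.0", "ipn:11.0", bundle, good),
    }
    db.load_ionsecrc("c bspbabrule ipn:19.* ipn:11.* ''", KEY_FILES)  # as in EXAMPLES
    out["19_after_change"] = receive(db, "ipn:19.0", "ipn:11.0", bundle, None)
    return out
```

Two behaviours are worth noticing when run: a bundle from ipn:42.0 is discarded even though it carries a correctly keyed BAB, because once any BAB rule exists every sender without a rule is treated as inauthentic; and "ipn:19.*" does not match ipn:190.0, since the trailing '.' is part of the compared prefix.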
SEE ALSO
ionsecadmin(1)