ionsecrc(5) ION security policy management commands file

DESCRIPTION

ION security policy management commands are passed to ionsecadmin either in a file of text lines or interactively at ionsecadmin's command prompt (:). Commands are interpreted line-by line, with exactly one command per line. The formats and effects of the ION security policy management commands are described below.

A parameter identifed as an eid_expr is an ``endpoint ID expression.'' For all commands, whenever the last character of an endpoint ID expression is the wild-card character '*', an applicable endpoint ID ``matches'' this EID expression if all characters of the endpoint ID expression prior to the last one are equal to the corresponding characters of that endpoint ID. Otherwise an applicable endpoint ID ``matches'' the EID expression only when all characters of the EID and EID expression are identical.

ION's security policy management encompasses both BP security and LTP authentication.

COMMANDS

?
The help command. This will display a listing of the commands and their formats. It is the same as the h command.
#
Comment line. Lines beginning with # are not interpreted.
e { 1 | 0 }
Echo control. Setting echo to 1 causes all output printed by ionsecadmin to be logged as well as sent to stdout. Setting echo to 0 disables this behavior.
v
Version number. Prints out the version of ION currently installed. HINT: combine with e 1 command to log the version number at startup.
1
The initialize command. Until this command is executed, the local ION node has no security policy database and most ionsecadmin commands will fail.
a key key_name file_name
The add key command. This command adds a named key value to the security policy database. The content of file_name is taken as the value of the key. Named keys can be referenced by other elements of the security policy database.
c key key_name file_name
The change key command. This command changes the value of the named key, obtaining the new key value from the content of file_name.
d key key_name
The delete key command. This command deletes the key identified by name.
i key key_name
This command will print information about the named key, i.e., the length of its current value.
l key
This command lists all keys in the security policy database.
a bspbabrule sender_eid_expr receiver_eid_expr { '' | ciphersuite_name key_name }
The add bspbabrule command. This command adds a rule specifying the manner in which Bundle Authentication Block (BAB) validation will be applied to all bundles sent from any node whose endpoints' IDs match sender_eid_expr and received at any node whose endpoints' IDs match receiver_eid_expr. Both sender_eid_expr and receiver_eid_expr should terminate in wild-card characters, because both the security source and security destination of a BAB are actually nodes rather than individual endpoints.

If a zero-length string ('') is indicated instead of a ciphersuite_name then BAB validation is disabled for this sender/receiver EID expression pair: all bundles sent from nodes with matching administrative endpoint IDs to nodes with matching administrative endpoint IDs will be immediately deemed authentic. Otherwise, a bundle from a node with matching administrative endpoint ID to a node with matching administrative endpoint ID will only be deemed authentic if it contains a BAB computed via the ciphersuite named by ciphersuite_name using a key value that is identical to the current value of the key named key_name in the local security policy database.

NOTE: if the security policy database contains no BAB rules at all, then BAB authentication is disabled; all bundles received from all neighboring nodes are considered authentic. Otherwise, BAB rules must be defined for all nodes from which bundles are to be received; all bundles received from any node for which no BAB rule is defined are considered inauthentic and are discarded.

c bspbabrule sender_eid_expr receiver_eid_expr { '' | ciphersuite_name key_name }
The change bspbabrule command. This command changes the ciphersuite name and/or key name for the BAB rule pertaining to the sender/receiver EID expression pair identified by sender_eid_expr and receiver_eid_expr. Note that the eid_exprs must exactly match those of the rule that is to be modified, including any terminating wild-card character.
d bspbabrule sender_eid_expr receiver_eid_expr
The delete bspbabrule command. This command deletes the BAB rule pertaining to the sender/receiver EID expression pair identified by sender_eid_expr and receiver_eid_expr. Note that the eid_exprs must exactly match those of the rule that is to be deleted, including any terminating wild-card character.
i bspbabrule sender_eid_expr receiver_eid_expr
This command will print information (the ciphersuite and key names) about the BAB rule pertaining to sender_eid_expr and receiver_eid_expr.
l bspbabrule
This command lists all BAB rules in the security policy database.
a bsppibrule sender_eid_expr receiver_eid_expr block type number { '' | ciphersuite_name key_name }
The add bsppibrule command. This command adds a rule specifying the manner in which Payload Integrity Block (PIB) validation will be applied to all bundles sent from any node whose administrative endpoint ID matches sender_eid_expr and received at any node whose administrative endpoint ID ID matches receiver_eid_expr.

If a zero-length string ('') is indicated instead of a ciphersuite_name then PIB validation is disabled for this sender/receiver EID expression pair: all bundles sent from nodes with matching administrative endpoint IDs to nodes with matching administrative endpoint IDs will be immediately deemed valid. Otherwise, a bundle from a node with matching administrative endpoint ID to a node with matching administrative endpoint ID will only be deemed valid if it contains a PIB computed via the ciphersuite named by ciphersuite_name using a key value that is identical to the current value of the key named key_name in the local security policy database.

c bsppibrule sender_eid_expr receiver_eid_expr block type number { '' | ciphersuite_name key_name }
The change bsppibrule command. This command changes the ciphersuite name and/or key name for the PIB rule pertaining to the sender/receiver EID expression pair identified by sender_eid_expr and receiver_eid_expr. Note that the eid_exprs must exactly match those of the rule that is to be modified, including any terminating wild-card character.
d bsppibrule sender_eid_expr receiver_eid_expr block type number
The delete bsppibrule command. This command deletes the PIB rule pertaining to the sender/receiver EID expression pair identified by sender_eid_expr and receiver_eid_expr. Note that the eid_exprs must exactly match those of the rule that is to be deleted, including any terminating wild-card character.
i bsppibrule sender_eid_expr receiver_eid_expr block type number
This command will print information (the ciphersuite and key names) about the PIB rule pertaining to sender_eid_expr and receiver_eid_expr.
l bsppibrule
This command lists all PIB rules in the security policy database.
a ltprecvauthrule ltp_engine_id ciphersuite_nbr [key_name]
The add ltprecvauthrule command. This command adds a rule specifying the manner in which LTP segment authentication will be applied to LTP segments received from the indicated LTP engine.

A segment from the indicated LTP engine will only be deemed authentic if it contains an authentication extension computed via the ciphersuite identified by ciphersuite_nbr using the applicable key value. If ciphersuite_nbr is 255 then the applicable key value is a hard-coded constant and key_name must be omitted; otherwise key_name is required and the applicable key value is the current value of the key named key_name in the local security policy database.

Valid values of ciphersuite_nbr are:

0: HMAC-SHA1-80 1: RSA-SHA256 255: NULL
c ltprecvauthrule ltp_engine_id ciphersuite_nbr [key_name]
The change ltprecvauthrule command. This command changes the parameters of the LTP segment authentication rule for the indicated LTP engine.
d ltprecvauthrule ltp_engine_id
The delete ltprecvauthrule command. This command deletes the LTP segment authentication rule for the indicated LTP engine.
i ltprecvauthrule ltp_engine_id
This command will print information (the LTP engine id, ciphersuite number, and key name) about the LTP segment authentication rule for the indicated LTP engine.
l ltprecvauthrule
This command lists all LTP segment authentication rules in the security policy database.
a ltpxmitauthrule ltp_engine_id ciphersuite_nbr [key_name]
The add ltpxmitauthrule command. This command adds a rule specifying the manner in which LTP segments transmitted to the indicated LTP engine must be signed.

Signing a segment destined for the indicated LTP engine entails computing an authentication extension via the ciphersuite identified by ciphersuite_nbr using the applicable key value. If ciphersuite_nbr is 255 then the applicable key value is a hard-coded constant and key_name must be omitted; otherwise key_name is required and the applicable key value is the current value of the key named key_name in the local security policy database.

Valid values of ciphersuite_nbr are:

0: HMAC_SHA1-80 1: RSA_SHA256 255: NULL
c ltpxmitauthrule ltp_engine_id ciphersuite_nbr [key_name]
The change ltpxmitauthrule command. This command changes the parameters of the LTP segment signing rule for the indicated LTP engine.
d ltpxmitauthrule ltp_engine_id
The delete ltpxmitauthrule command. This command deletes the LTP segment signing rule for the indicated LTP engine.
i ltpxmitauthrule ltp_engine_id
This command will print information (the LTP engine id, ciphersuite number, and key name) about the LTP segment signing rule for the indicated LTP engine.
l ltpxmitauthrule
This command lists all LTP segment signing rules in the security policy database.
x [ { ~ | sender_eid_expr } [ { ~ | receiver_eid_expr} [ { ~ | bab | pib | pcb | esb } ] ] ]
This command will clear all rules for the indicated type of bundle security block between the indicated security source and security destination. If block type is omitted it defaults to ~ signifying ``all BSP blocks''. If both block type and security destination are omitted, security destination defaults to ~ signifying ``all BSP security destinations''. If all three command-line parameters are omitted, then security source defaults to ~ signifying ``all BSP security sources''.
h
The help command. This will display a listing of the commands and their formats. It is the same as the ? command.

EXAMPLES

a key BABKEY ./babkey.txt
Adds a new key named ``BABKEY'' whose value is the content of the file ``./babkey.txt''.
a bspbabrule ipn:19.* ipn:11.* HMAC_SHA1 BABKEY
Adds a BAB rule requiring that all bundles sent from node number 19 to node number 11 contain Bundle Authentication Blocks computed via the HMAC_SHA1 ciphersuite using a key value that is identical to the current value of the key named ``BABKEY'' in the local security policy database.
c bspbabrule ipn:19.* ipn:11.* ''
Changes the BAB rule pertaining to all bundles sent from node number 19 to node number 11. BAB checking is disabled; these bundles will be automatically deemed authentic.