Provided by: ion_3.2.1+dfsg-1.1_amd64 

NAME
ionsecrc - ION security policy management commands file
DESCRIPTION
ION security policy management commands are passed to ionsecadmin either in a file of text lines or
interactively at ionsecadmin's command prompt (:). Commands are interpreted line-by-line, with exactly
one command per line. The formats and effects of the ION security policy management commands are
described below.
A parameter identified as an eid_expr is an "endpoint ID expression." For all commands, whenever the last
character of an endpoint ID expression is the wild-card character '*', an applicable endpoint ID
"matches" this EID expression if all characters of the endpoint ID expression prior to the last one are
equal to the corresponding characters of that endpoint ID. Otherwise an applicable endpoint ID "matches"
the EID expression only when all characters of the EID and EID expression are identical.
ION's security policy management encompasses both BP security and LTP authentication.
COMMANDS
? The help command. This will display a listing of the commands and their formats. It is the same as
the h command.
# Comment line. Lines beginning with # are not interpreted.
e { 1 | 0 }
Echo control. Setting echo to 1 causes all output printed by ionsecadmin to be logged as well as
sent to stdout. Setting echo to 0 disables this behavior.
v Version number. Prints out the version of ION currently installed. HINT: combine with e 1 command
to log the version number at startup.
1 The initialize command. Until this command is executed, the local ION node has no security policy
database and most ionsecadmin commands will fail.
a key key_name file_name
The add key command. This command adds a named key value to the security policy database. The
content of file_name is taken as the value of the key. Named keys can be referenced by other
elements of the security policy database.
c key key_name file_name
The change key command. This command changes the value of the named key, obtaining the new key value
from the content of file_name.
d key key_name
The delete key command. This command deletes the key identified by name.
i key key_name
This command will print information about the named key, i.e., the length of its current value.
l key
This command lists all keys in the security policy database.
a bspbabrule sender_eid_expr receiver_eid_expr { '' | ciphersuite_name key_name }
The add bspbabrule command. This command adds a rule specifying the manner in which Bundle
Authentication Block (BAB) validation will be applied to all bundles sent from any node whose
endpoints' IDs match sender_eid_expr and received at any node whose endpoints' IDs match
receiver_eid_expr. Both sender_eid_expr and receiver_eid_expr should terminate in wild-card
characters, because both the security source and security destination of a BAB are actually nodes
rather than individual endpoints.
If a zero-length string ('') is indicated instead of a ciphersuite_name then BAB validation is
disabled for this sender/receiver EID expression pair: all bundles sent from nodes with matching
administrative endpoint IDs to nodes with matching administrative endpoint IDs will be immediately
deemed authentic. Otherwise, a bundle from a node with matching administrative endpoint ID to a node
with matching administrative endpoint ID will only be deemed authentic if it contains a BAB computed
via the ciphersuite named by ciphersuite_name using a key value that is identical to the current
value of the key named key_name in the local security policy database.
NOTE: if the security policy database contains no BAB rules at all, then BAB authentication is
disabled; all bundles received from all neighboring nodes are considered authentic. Otherwise, BAB
rules must be defined for all nodes from which bundles are to be received; all bundles received from
any node for which no BAB rule is defined are considered inauthentic and are discarded.
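As an added example (not ION's own code), the following Python models two things this page specifies: the EID-expression matching from the DESCRIPTION section and the BAB rule lookup described in the NOTE above, including the distinction between a '' rule (accept without checking) and no rule at all (discard). The ionsecrc lines are constructed, modelled on the EXAMPLES section; the key file named in them is not read.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed ionsecrc lines modelled on this page's EXAMPLES section; the
# key file ./babkey.txt is only named, never read, since only rule lookup is shown.
SAMPLE_IONSECRC = """\
a key BABKEY ./babkey.txt
a bspbabrule ipn:19.* ipn:11.* HMAC_SHA1 BABKEY
a bspbabrule ipn:20.* ipn:11.* HMAC_SHA1 BABKEY
# change: disable BAB checking for the 20 -> 11 pair (zero-length ciphersuite)
c bspbabrule ipn:20.* ipn:11.* ''
"""

@dataclass
class BabRule:
    sender_expr: str
    receiver_expr: str
    ciphersuite: Optional[str]  # None stands for '' (validation disabled)
    key_name: Optional[str]

def eid_matches(eid_expr: str, eid: str) -> bool:
    """Trailing '*' makes the expression a prefix match; otherwise exact match."""
    if eid_expr.endswith("*"):
        return eid.startswith(eid_expr[:-1])
    return eid == eid_expr

def parse_bab_rules(text: str) -> List[BabRule]:
    """Apply 'a bspbabrule' and 'c bspbabrule' lines in order; other commands are skipped."""
    rules: List[BabRule] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("a", "c") or parts[1] != "bspbabrule":
            continue
        sender, receiver = parts[2], parts[3]
        suite, key = (None, None) if parts[4] == "''" else (parts[4], parts[5])
        if parts[0] == "a":
            rules.append(BabRule(sender, receiver, suite, key))
        else:  # a change must repeat the rule's exact expressions, wild-card included
            for r in rules:
                if r.sender_expr == sender and r.receiver_expr == receiver:
                    r.ciphersuite, r.key_name = suite, key
    return rules

def bab_disposition(rules: List[BabRule], sender_eid: str, receiver_eid: str) -> str:
    """Decide what the receiving node does with a bundle, per the NOTE above."""
    if not rules:  # an empty rule set switches BAB authentication off entirely
        return "accept: BAB authentication disabled (no rules)"
    for r in rules:
        if eid_matches(r.sender_expr, sender_eid) and eid_matches(r.receiver_expr, receiver_eid):
            if r.ciphersuite is None:  # '' rule: deemed authentic immediately
                return "accept: BAB validation disabled for this pair"
            return f"require BAB: {r.ciphersuite} with key {r.key_name}"
    return "discard: no BAB rule for this sender/receiver"
```

Once any rule exists, every neighbour that should be heard from needs a rule of its own, because the last line of bab_disposition is the default.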
c bspbabrule sender_eid_expr receiver_eid_expr { '' | ciphersuite_name key_name }
The change bspbabrule command. This command changes the ciphersuite name and/or key name for the BAB
rule pertaining to the sender/receiver EID expression pair identified by sender_eid_expr and
receiver_eid_expr. Note that the eid_exprs must exactly match those of the rule that is to be
modified, including any terminating wild-card character.
d bspbabrule sender_eid_expr receiver_eid_expr
The delete bspbabrule command. This command deletes the BAB rule pertaining to the sender/receiver
EID expression pair identified by sender_eid_expr and receiver_eid_expr. Note that the eid_exprs
must exactly match those of the rule that is to be deleted, including any terminating wild-card
character.
i bspbabrule sender_eid_expr receiver_eid_expr
This command will print information (the ciphersuite and key names) about the BAB rule pertaining to
sender_eid_expr and receiver_eid_expr.
l bspbabrule
This command lists all BAB rules in the security policy database.
a bsppibrule sender_eid_expr receiver_eid_expr block_type_number { '' | ciphersuite_name key_name }
The add bsppibrule command. This command adds a rule specifying the manner in which Payload
Integrity Block (PIB) validation will be applied to all bundles sent from any node whose
administrative endpoint ID matches sender_eid_expr and received at any node whose administrative
endpoint ID matches receiver_eid_expr.
If a zero-length string ('') is indicated instead of a ciphersuite_name then PIB validation is
disabled for this sender/receiver EID expression pair: all bundles sent from nodes with matching
administrative endpoint IDs to nodes with matching administrative endpoint IDs will be immediately
deemed valid. Otherwise, a bundle from a node with matching administrative endpoint ID to a node
with matching administrative endpoint ID will only be deemed valid if it contains a PIB computed via
the ciphersuite named by ciphersuite_name using a key value that is identical to the current value of
the key named key_name in the local security policy database.
c bsppibrule sender_eid_expr receiver_eid_expr block_type_number { '' | ciphersuite_name key_name }
The change bsppibrule command. This command changes the ciphersuite name and/or key name for the PIB
rule pertaining to the sender/receiver EID expression pair identified by sender_eid_expr and
receiver_eid_expr. Note that the eid_exprs must exactly match those of the rule that is to be
modified, including any terminating wild-card character.
d bsppibrule sender_eid_expr receiver_eid_expr block_type_number
The delete bsppibrule command. This command deletes the PIB rule pertaining to the sender/receiver
EID expression pair identified by sender_eid_expr and receiver_eid_expr. Note that the eid_exprs
must exactly match those of the rule that is to be deleted, including any terminating wild-card
character.
i bsppibrule sender_eid_expr receiver_eid_expr block_type_number
This command will print information (the ciphersuite and key names) about the PIB rule pertaining to
sender_eid_expr and receiver_eid_expr.
l bsppibrule
This command lists all PIB rules in the security policy database.
a ltprecvauthrule ltp_engine_id ciphersuite_nbr [key_name]
The add ltprecvauthrule command. This command adds a rule specifying the manner in which LTP segment
authentication will be applied to LTP segments received from the indicated LTP engine.
A segment from the indicated LTP engine will only be deemed authentic if it contains an
authentication extension computed via the ciphersuite identified by ciphersuite_nbr using the
applicable key value. If ciphersuite_nbr is 255 then the applicable key value is a hard-coded
constant and key_name must be omitted; otherwise key_name is required and the applicable key value is
the current value of the key named key_name in the local security policy database.
Valid values of ciphersuite_nbr are:
0: HMAC-SHA1-80
1: RSA-SHA256
255: NULL
c ltprecvauthrule ltp_engine_id ciphersuite_nbr [key_name]
The change ltprecvauthrule command. This command changes the parameters of the LTP segment
authentication rule for the indicated LTP engine.
d ltprecvauthrule ltp_engine_id
The delete ltprecvauthrule command. This command deletes the LTP segment authentication rule for the
indicated LTP engine.
i ltprecvauthrule ltp_engine_id
This command will print information (the LTP engine id, ciphersuite number, and key name) about the
LTP segment authentication rule for the indicated LTP engine.
l ltprecvauthrule
This command lists all LTP segment authentication rules in the security policy database.
a ltpxmitauthrule ltp_engine_id ciphersuite_nbr [key_name]
The add ltpxmitauthrule command. This command adds a rule specifying the manner in which LTP
segments transmitted to the indicated LTP engine must be signed.
Signing a segment destined for the indicated LTP engine entails computing an authentication extension
via the ciphersuite identified by ciphersuite_nbr using the applicable key value. If ciphersuite_nbr
is 255 then the applicable key value is a hard-coded constant and key_name must be omitted; otherwise
key_name is required and the applicable key value is the current value of the key named key_name in
the local security policy database.
Valid values of ciphersuite_nbr are:
0: HMAC-SHA1-80
1: RSA-SHA256
255: NULL
c ltpxmitauthrule ltp_engine_id ciphersuite_nbr [key_name]
The change ltpxmitauthrule command. This command changes the parameters of the LTP segment signing
rule for the indicated LTP engine.
d ltpxmitauthrule ltp_engine_id
The delete ltpxmitauthrule command. This command deletes the LTP segment signing rule for the
indicated LTP engine.
i ltpxmitauthrule ltp_engine_id
This command will print information (the LTP engine id, ciphersuite number, and key name) about the
LTP segment signing rule for the indicated LTP engine.
l ltpxmitauthrule
This command lists all LTP segment signing rules in the security policy database.
x [ { ~ | sender_eid_expr } [ { ~ | receiver_eid_expr } [ { ~ | bab | pib | pcb | esb } ] ] ]
This command will clear all rules for the indicated type of bundle security block between the
indicated security source and security destination. If block type is omitted it defaults to ~
signifying "all BSP blocks". If both block type and security destination are omitted, security
destination defaults to ~ signifying "all BSP security destinations". If all three command-line
parameters are omitted, then security source defaults to ~ signifying "all BSP security sources".
h The help command. This will display a listing of the commands and their formats. It is the same as
the ? command.
EXAMPLES
a key BABKEY ./babkey.txt
Adds a new key named "BABKEY" whose value is the content of the file "./babkey.txt".
a bspbabrule ipn:19.* ipn:11.* HMAC_SHA1 BABKEY
Adds a BAB rule requiring that all bundles sent from node number 19 to node number 11 contain Bundle
Authentication Blocks computed via the HMAC_SHA1 ciphersuite using a key value that is identical to
the current value of the key named "BABKEY" in the local security policy database.
c bspbabrule ipn:19.* ipn:11.* ''
Changes the BAB rule pertaining to all bundles sent from node number 19 to node number 11. BAB
checking is disabled; these bundles will be automatically deemed authentic.
SEE ALSO
ionsecadmin(1)
perl v5.24.1 2016-07-07 IONSECRC(5)