Provided by: ion_3.2.1+dfsg-1.1_amd64 
NAME
ionsecrc - ION security policy management commands file
DESCRIPTION
ION security policy management commands are passed to ionsecadmin either in a file of text lines or
interactively at ionsecadmin's command prompt (:). Commands are interpreted line-by line, with exactly
one command per line. The formats and effects of the ION security policy management commands are
described below.
A parameter identifed as an eid_expr is an "endpoint ID expression." For all commands, whenever the last
character of an endpoint ID expression is the wild-card character '*', an applicable endpoint ID
"matches" this EID expression if all characters of the endpoint ID expression prior to the last one are
equal to the corresponding characters of that endpoint ID. Otherwise an applicable endpoint ID "matches"
the EID expression only when all characters of the EID and EID expression are identical.
ION's security policy management encompasses both BP security and LTP authentication.
COMMANDS
? The help command. This will display a listing of the commands and their formats. It is the same as
the h command.
# Comment line. Lines beginning with # are not interpreted.
e { 1 | 0 }
Echo control. Setting echo to 1 causes all output printed by ionsecadmin to be logged as well as
sent to stdout. Setting echo to 0 disables this behavior.
v Version number. Prints out the version of ION currently installed. HINT: combine with e 1 command
to log the version number at startup.
1 The initialize command. Until this command is executed, the local ION node has no security policy
database and most ionsecadmin commands will fail.
a key key_name file_name
The add key command. This command adds a named key value to the security policy database. The
content of file_name is taken as the value of the key. Named keys can be referenced by other
elements of the security policy database.
c key key_name file_name
The change key command. This command changes the value of the named key, obtaining the new key value
from the content of file_name.
d key key_name
The delete key command. This command deletes the key identified by name.
i key key_name
This command will print information about the named key, i.e., the length of its current value.
l key
This command lists all keys in the security policy database.
a bspbabrule sender_eid_expr receiver_eid_expr { '' | ciphersuite_name key_name }
The add bspbabrule command. This command adds a rule specifying the manner in which Bundle
Authentication Block (BAB) validation will be applied to all bundles sent from any node whose
endpoints' IDs match sender_eid_expr and received at any node whose endpoints' IDs match
receiver_eid_expr. Both sender_eid_expr and receiver_eid_expr should terminate in wild-card
characters, because both the security source and security destination of a BAB are actually nodes
rather than individual endpoints.
If a zero-length string ('') is indicated instead of a ciphersuite_name then BAB validation is
disabled for this sender/receiver EID expression pair: all bundles sent from nodes with matching
administrative endpoint IDs to nodes with matching administrative endpoint IDs will be immediately
deemed authentic. Otherwise, a bundle from a node with matching administrative endpoint ID to a node
with matching administrative endpoint ID will only be deemed authentic if it contains a BAB computed
via the ciphersuite named by ciphersuite_name using a key value that is identical to the current
value of the key named key_name in the local security policy database.
NOTE: if the security policy database contains no BAB rules at all, then BAB authentication is
disabled; all bundles received from all neighboring nodes are considered authentic. Otherwise, BAB
rules must be defined for all nodes from which bundles are to be received; all bundles received from
any node for which no BAB rule is defined are considered inauthentic and are discarded.
c bspbabrule sender_eid_expr receiver_eid_expr { '' | ciphersuite_name key_name }
The change bspbabrule command. This command changes the ciphersuite name and/or key name for the BAB
rule pertaining to the sender/receiver EID expression pair identified by sender_eid_expr and
receiver_eid_expr. Note that the eid_exprs must exactly match those of the rule that is to be
modified, including any terminating wild-card character.
d bspbabrule sender_eid_expr receiver_eid_expr
The delete bspbabrule command. This command deletes the BAB rule pertaining to the sender/receiver
EID expression pair identified by sender_eid_expr and receiver_eid_expr. Note that the eid_exprs
must exactly match those of the rule that is to be deleted, including any terminating wild-card
character.
i bspbabrule sender_eid_expr receiver_eid_expr
This command will print information (the ciphersuite and key names) about the BAB rule pertaining to
sender_eid_expr and receiver_eid_expr.
l bspbabrule
This command lists all BAB rules in the security policy database.
a bsppibrule sender_eid_expr receiver_eid_expr block type number { '' | ciphersuite_name key_name }
The add bsppibrule command. This command adds a rule specifying the manner in which Payload
Integrity Block (PIB) validation will be applied to all bundles sent from any node whose
administrative endpoint ID matches sender_eid_expr and received at any node whose administrative
endpoint ID ID matches receiver_eid_expr.
If a zero-length string ('') is indicated instead of a ciphersuite_name then PIB validation is
disabled for this sender/receiver EID expression pair: all bundles sent from nodes with matching
administrative endpoint IDs to nodes with matching administrative endpoint IDs will be immediately
deemed valid. Otherwise, a bundle from a node with matching administrative endpoint ID to a node
with matching administrative endpoint ID will only be deemed valid if it contains a PIB computed via
the ciphersuite named by ciphersuite_name using a key value that is identical to the current value of
the key named key_name in the local security policy database.
c bsppibrule sender_eid_expr receiver_eid_expr block type number { '' | ciphersuite_name key_name }
The change bsppibrule command. This command changes the ciphersuite name and/or key name for the PIB
rule pertaining to the sender/receiver EID expression pair identified by sender_eid_expr and
receiver_eid_expr. Note that the eid_exprs must exactly match those of the rule that is to be
modified, including any terminating wild-card character.
d bsppibrule sender_eid_expr receiver_eid_expr block type number
The delete bsppibrule command. This command deletes the PIB rule pertaining to the sender/receiver
EID expression pair identified by sender_eid_expr and receiver_eid_expr. Note that the eid_exprs
must exactly match those of the rule that is to be deleted, including any terminating wild-card
character.
i bsppibrule sender_eid_expr receiver_eid_expr block type number
This command will print information (the ciphersuite and key names) about the PIB rule pertaining to
sender_eid_expr and receiver_eid_expr.
l bsppibrule
This command lists all PIB rules in the security policy database.
a ltprecvauthrule ltp_engine_id ciphersuite_nbr [key_name]
The add ltprecvauthrule command. This command adds a rule specifying the manner in which LTP segment
authentication will be applied to LTP segments received from the indicated LTP engine.
A segment from the indicated LTP engine will only be deemed authentic if it contains an
authentication extension computed via the ciphersuite identified by ciphersuite_nbr using the
applicable key value. If ciphersuite_nbr is 255 then the applicable key value is a hard-coded
constant and key_name must be omitted; otherwise key_name is required and the applicable key value is
the current value of the key named key_name in the local security policy database.
Valid values of ciphersuite_nbr are:
0: HMAC-SHA1-80 1: RSA-SHA256 255: NULL
c ltprecvauthrule ltp_engine_id ciphersuite_nbr [key_name]
The change ltprecvauthrule command. This command changes the parameters of the LTP segment
authentication rule for the indicated LTP engine.
d ltprecvauthrule ltp_engine_id
The delete ltprecvauthrule command. This command deletes the LTP segment authentication rule for the
indicated LTP engine.
i ltprecvauthrule ltp_engine_id
This command will print information (the LTP engine id, ciphersuite number, and key name) about the
LTP segment authentication rule for the indicated LTP engine.
l ltprecvauthrule
This command lists all LTP segment authentication rules in the security policy database.
a ltpxmitauthrule ltp_engine_id ciphersuite_nbr [key_name]
The add ltpxmitauthrule command. This command adds a rule specifying the manner in which LTP
segments transmitted to the indicated LTP engine must be signed.
Signing a segment destined for the indicated LTP engine entails computing an authentication extension
via the ciphersuite identified by ciphersuite_nbr using the applicable key value. If ciphersuite_nbr
is 255 then the applicable key value is a hard-coded constant and key_name must be omitted; otherwise
key_name is required and the applicable key value is the current value of the key named key_name in
the local security policy database.
Valid values of ciphersuite_nbr are:
0: HMAC_SHA1-80 1: RSA_SHA256 255: NULL
c ltpxmitauthrule ltp_engine_id ciphersuite_nbr [key_name]
The change ltpxmitauthrule command. This command changes the parameters of the LTP segment signing
rule for the indicated LTP engine.
d ltpxmitauthrule ltp_engine_id
The delete ltpxmitauthrule command. This command deletes the LTP segment signing rule for the
indicated LTP engine.
i ltpxmitauthrule ltp_engine_id
This command will print information (the LTP engine id, ciphersuite number, and key name) about the
LTP segment signing rule for the indicated LTP engine.
l ltpxmitauthrule
This command lists all LTP segment signing rules in the security policy database.
x [ { ~ | sender_eid_expr } [ { ~ | receiver_eid_expr} [ { ~ | bab | pib | pcb | esb } ] ] ]
This command will clear all rules for the indicated type of bundle security block between the
indicated security source and security destination. If block type is omitted it defaults to ~
signifying "all BSP blocks". If both block type and security destination are omitted, security
destination defaults to ~ signifying "all BSP security destinations". If all three command-line
parameters are omitted, then security source defaults to ~ signifying "all BSP security sources".
h The help command. This will display a listing of the commands and their formats. It is the same as
the ? command.
EXAMPLES
a key BABKEY ./babkey.txt
Adds a new key named "BABKEY" whose value is the content of the file "./babkey.txt".
a bspbabrule ipn:19.* ipn:11.* HMAC_SHA1 BABKEY
Adds a BAB rule requiring that all bundles sent from node number 19 to node number 11 contain Bundle
Authentication Blocks computed via the HMAC_SHA1 ciphersuite using a key value that is identical to
the current value of the key named "BABKEY" in the local security policy database.
c bspbabrule ipn:19.* ipn:11.* ''
Changes the BAB rule pertaining to all bundles sent from node number 19 to node number 11. BAB
checking is disabled; these bundles will be automatically deemed authentic.
SEE ALSO
ionsecadmin(1)