Provided by: ion_3.2.0~dfsg1-1_amd64

NAME

       ionsecrc - ION security policy management commands file

DESCRIPTION

       ION security policy management commands are passed to ionsecadmin either in a file of text
       lines or interactively at ionsecadmin's command prompt (:).  Commands are interpreted
       line-by-line, with exactly one command per line.  The formats and effects of the ION
       security policy management commands are described below.

       A parameter identified as an eid_expr is an "endpoint ID expression."  For all commands,
       whenever the last character of an endpoint ID expression is the wild-card character '*',
       an applicable endpoint ID "matches" this EID expression if all characters of the endpoint
       ID expression prior to the last one are equal to the corresponding characters of that
       endpoint ID.  Otherwise an applicable endpoint ID "matches" the EID expression only when
       all characters of the EID and EID expression are identical.

COMMANDS

       ?   The help command.  This will display a listing of the commands and their formats.  It
           is the same as the h command.

       #   Comment line.  Lines beginning with # are not interpreted.

       e { 1 | 0 }
           Echo control.  Setting echo to 1 causes all output printed by ionsecadmin to be logged
           as well as sent to stdout.  Setting echo to 0 disables this behavior.

       v   Version number.  Prints out the version of ION currently installed.  HINT: combine
           with e 1 command to log the version number at startup.

       1   The initialize command.  Until this command is executed, the local ION node has no
           security policy database and most ionsecadmin commands will fail.

       a key key_name file_name
           The add key command.  This command adds a named key value to the security policy
           database.  The content of file_name is taken as the value of the key.  Named keys can
           be referenced by other elements of the security policy database.

       c key key_name file_name
           The change key command.  This command changes the value of the named key, obtaining
           the new key value from the content of file_name.

       d key key_name
           The delete key command.  This command deletes the key identified by name.

       i key key_name
           This command will print information about the named key, i.e., the length of its
           current value.

       l key
           This command lists all keys in the security policy database.

       a bspbabrule sender_eid_expr receiver_eid_expr { '' | ciphersuite_name key_name }
           The add bspbabrule command.  This command adds a rule specifying the manner in which
           Bundle Authentication Block (BAB) validation will be applied to all bundles sent from
           any node whose endpoints' IDs match sender_eid_expr and received at any node whose
           endpoints' IDs match receiver_eid_expr.  Both sender_eid_expr and receiver_eid_expr
           should terminate in wild-card characters, because both the security source and
           security destination of a BAB are actually nodes rather than individual endpoints.

           If a zero-length string ('') is indicated instead of a ciphersuite_name then BAB
           validation is disabled for this sender/receiver EID expression pair: all bundles sent
           from nodes with matching administrative endpoint IDs to nodes with matching
           administrative endpoint IDs will be immediately deemed authentic.  Otherwise, a bundle
           from a node with matching administrative endpoint ID to a node with matching
           administrative endpoint ID will only be deemed authentic if it contains a BAB computed
           via the ciphersuite named by ciphersuite_name using a key value that is identical to
           the current value of the key named key_name in the local security policy database.

           NOTE: if the security policy database contains no BAB rules at all, then BAB
           authentication is disabled; all bundles received from all neighboring nodes are
           considered authentic.  Otherwise, BAB rules must be defined for all nodes from which
           bundles are to be received; all bundles received from any node for which no BAB rule
           is defined are considered inauthentic and are discarded.
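           The EID-expression matching rule from DESCRIPTION and the BAB-rule disposition rules
           stated in the NOTE above can be modelled in a few dozen lines.  The following is an
           added example, not ION's own code: it interprets a small subset of the ionsecrc
           command language (comments, a key, and the bspbabrule commands) and reports how a
           bundle from a given sender EID to a given receiver EID would be treated.  The class
           and function names are the example's own, the key-file contents are supplied inline
           instead of being read from disk, and the refusal of a rule naming an unknown key is
           the example's assumption rather than documented ionsecadmin behaviour.

```python
"""Model of ionsecrc EID-expression matching and BAB rule disposition.

Added example, not ION's own code. Names are this example's own choice; key
file contents are supplied inline rather than read from the filesystem.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def eid_matches(eid_expr: str, eid: str) -> bool:
    """Trailing '*' matches any EID that shares the prefix before it;
    otherwise the EID must be identical to the expression."""
    if eid_expr.endswith("*"):
        return eid.startswith(eid_expr[:-1])
    return eid == eid_expr


@dataclass
class BabRule:
    sender_expr: str
    receiver_expr: str
    ciphersuite: str   # '' means BAB validation is disabled for this pair
    key_name: str


class SecurityPolicy:
    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}
        self.bab_rules: List[BabRule] = []

    def add_key(self, name: str, value: bytes) -> None:
        self.keys[name] = value

    def add_bab_rule(self, sender: str, receiver: str, suite: str, key: str) -> None:
        # Assumption of this example: a rule may not name a key the database lacks.
        if suite and key not in self.keys:
            raise ValueError(f"unknown key {key!r}")
        self.bab_rules.append(BabRule(sender, receiver, suite, key))

    def _exact_rule(self, sender: str, receiver: str) -> BabRule:
        # c/d bspbabrule require the eid_exprs to match the stored rule exactly,
        # wild-card included; no wild-card expansion is applied here.
        for r in self.bab_rules:
            if r.sender_expr == sender and r.receiver_expr == receiver:
                return r
        raise KeyError(f"no BAB rule for {sender} -> {receiver}")

    def change_bab_rule(self, sender: str, receiver: str, suite: str, key: str) -> None:
        if suite and key not in self.keys:
            raise ValueError(f"unknown key {key!r}")
        rule = self._exact_rule(sender, receiver)
        rule.ciphersuite, rule.key_name = suite, key

    def delete_bab_rule(self, sender: str, receiver: str) -> None:
        self.bab_rules.remove(self._exact_rule(sender, receiver))

    def bab_disposition(self, sender_eid: str, receiver_eid: str) -> Tuple[str, str, str]:
        """Return ('authentic' | 'discard' | 'verify', ciphersuite, key_name)."""
        if not self.bab_rules:
            return ("authentic", "", "")      # no BAB rules at all: BAB checking is off
        for r in self.bab_rules:
            if eid_matches(r.sender_expr, sender_eid) and eid_matches(r.receiver_expr, receiver_eid):
                if r.ciphersuite == "":
                    return ("authentic", "", "")  # '' rule exempts this pair
                return ("verify", r.ciphersuite, r.key_name)
        return ("discard", "", "")            # rules exist but none covers this pair


def _suite_and_key(rest: List[str]) -> Tuple[str, str]:
    if rest == ["''"]:                        # zero-length string: disable validation
        return "", ""
    return rest[0], rest[1]


def load_ionsecrc(policy: SecurityPolicy, text: str, files: Dict[str, bytes]) -> None:
    """Interpret ionsecrc lines one at a time; 'files' stands in for the
    filesystem that 'a key' reads key values from."""
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue                          # blank or comment line
        if tok[0] in ("1", "e", "v", "h", "?"):
            continue                          # init/echo/version/help: nothing to model
        cmd = tuple(tok[:2])
        if cmd == ("a", "key"):
            policy.add_key(tok[2], files[tok[3]])
        elif cmd == ("a", "bspbabrule"):
            policy.add_bab_rule(tok[2], tok[3], *_suite_and_key(tok[4:]))
        elif cmd == ("c", "bspbabrule"):
            policy.change_bab_rule(tok[2], tok[3], *_suite_and_key(tok[4:]))
        elif cmd == ("d", "bspbabrule"):
            policy.delete_bab_rule(tok[2], tok[3])
        else:
            raise ValueError(f"command not modelled: {raw.strip()}")


# Constructed inputs: a key file and an rc file in the style of the EXAMPLES section.
FILES = {"./babkey.txt": b"constructed-shared-secret-for-this-example"}
SAMPLE_RC = """\
# BAB policy for traffic from node 19 into node 11
1
a key BABKEY ./babkey.txt
a bspbabrule ipn:19.* ipn:11.* HMAC_SHA1 BABKEY
"""


def evaluate(rc_text: str, sender_eid: str, receiver_eid: str) -> Tuple[str, str, str]:
    policy = SecurityPolicy()
    load_ionsecrc(policy, rc_text, FILES)
    return policy.bab_disposition(sender_eid, receiver_eid)


if __name__ == "__main__":
    for s, r in [("ipn:19.3", "ipn:11.0"), ("ipn:20.1", "ipn:11.0")]:
        print(s, "->", r, evaluate(SAMPLE_RC, s, r))
```

           Running the module shows the two outcomes the NOTE describes: the node-19 bundle must
           carry a BAB to verify with HMAC_SHA1 and BABKEY, while the node-20 bundle is discarded
           because a rule table exists but covers no sender matching ipn:20.*.  Appending the
           EXAMPLES line c bspbabrule ipn:19.* ipn:11.* '' flips the node-19 outcome to
           "authentic", and a change or delete given ipn:19.3 instead of ipn:19.* fails, because
           those commands match stored expressions literally.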

       c bspbabrule sender_eid_expr receiver_eid_expr { '' | ciphersuite_name key_name }
           The change bspbabrule command.  This command changes the ciphersuite name and/or key
           name for the BAB rule pertaining to the sender/receiver EID expression pair identified
           by sender_eid_expr and receiver_eid_expr.  Note that the eid_exprs must exactly match
           those of the rule that is to be modified, including any terminating wild-card
           character.

       d bspbabrule sender_eid_expr receiver_eid_expr
           The delete bspbabrule command.  This command deletes the BAB rule pertaining to the
           sender/receiver EID expression pair identified by sender_eid_expr and
           receiver_eid_expr.  Note that the eid_exprs must exactly match those of the rule that
           is to be deleted, including any terminating wild-card character.

       i bspbabrule sender_eid_expr receiver_eid_expr
           This command will print information (the ciphersuite and key names) about the BAB rule
           pertaining to sender_eid_expr and receiver_eid_expr.

       l bspbabrule
           This command lists all BAB rules in the security policy database.

       a bsppibrule sender_eid_expr receiver_eid_expr block type number { '' | ciphersuite_name key_name }
           The add bsppibrule command.  This command adds a rule specifying the manner in which
           Payload Integrity Block (PIB) validation will be applied to all bundles sent from any
           node whose administrative endpoint ID matches sender_eid_expr and received at any node
           whose administrative endpoint ID matches receiver_eid_expr.

           If a zero-length string ('') is indicated instead of a ciphersuite_name then PIB
           validation is disabled for this sender/receiver EID expression pair: all bundles sent
           from nodes with matching administrative endpoint IDs to nodes with matching
           administrative endpoint IDs will be immediately deemed secure.  Otherwise, a bundle
           from a node with matching administrative endpoint ID to a node with matching
           administrative endpoint ID will only be deemed secure if it contains a PIB computed
           via the ciphersuite named by ciphersuite_name using a key value that is identical to
           the current value of the key named key_name in the local security policy database.

       c bsppibrule sender_eid_expr receiver_eid_expr block type number { '' | ciphersuite_name key_name }
           The change bsppibrule command.  This command changes the ciphersuite name and/or key
           name for the PIB rule pertaining to the sender/receiver EID expression pair identified
           by sender_eid_expr and receiver_eid_expr.  Note that the eid_exprs must exactly match
           those of the rule that is to be modified, including any terminating wild-card
           character.

       d bsppibrule sender_eid_expr receiver_eid_expr block type number
           The delete bsppibrule command.  This command deletes the PIB rule pertaining to the
           sender/receiver EID expression pair identified by sender_eid_expr and
           receiver_eid_expr.  Note that the eid_exprs must exactly match those of the rule that
           is to be deleted, including any terminating wild-card character.

       i bsppibrule sender_eid_expr receiver_eid_expr block type number
           This command will print information (the ciphersuite and key names) about the PIB rule
           pertaining to sender_eid_expr and receiver_eid_expr.

       l bsppibrule
           This command lists all PIB rules in the security policy database.

       x [ { ~ | sender_eid_expr } [ { ~ | receiver_eid_expr } [ { ~ | bab | pib | pcb | esb } ] ] ]
           This command will clear all rules for the indicated type of security block between the
           indicated security source and security destination.  If block type is omitted it
           defaults to ~ signifying "all security blocks".  If both block type and security
           destination are omitted, security destination defaults to ~ signifying "all security
           destinations".  If all three command-line parameters are omitted, then security source
           defaults to ~ signifying "all security sources".

       h   The help command.  This will display a listing of the commands and their formats.  It
           is the same as the ? command.

EXAMPLES

       a key BABKEY ./babkey.txt
           Adds a new key named "BABKEY" whose value is the content of the file "./babkey.txt".

       a bspbabrule ipn:19.* ipn:11.* HMAC_SHA1 BABKEY
           Adds a BAB rule requiring that all bundles sent from node number 19 to node number 11
           contain Bundle Authentication Blocks computed via the HMAC_SHA1 ciphersuite using a
           key value that is identical to the current value of the key named "BABKEY" in the
           local security policy database.

       c bspbabrule ipn:19.* ipn:11.* ''
           Changes the BAB rule pertaining to all bundles sent from node number 19 to node number
           11.  BAB checking is disabled; these bundles will be automatically deemed authentic.

SEE ALSO

       ionsecadmin(1)